nettle-3.10/0000755000175000017500000000000014633602172011760 5ustar nissenissenettle-3.10/nettle-meta-armors.c0000644000175000017500000000247314633602171015651 0ustar nissenisse/* nettle-meta-armors.c Copyright (C) 2011 Daniel Kahn Gillmor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" const struct nettle_armor * const _nettle_armors[] = { &nettle_base64, &nettle_base64url, &nettle_base16, NULL }; const struct nettle_armor * const * nettle_get_armors (void) { return _nettle_armors; } nettle-3.10/configure.ac0000644000175000017500000011140114633602172014244 0ustar nissenissednl -*- mode: shell-script; sh-indentation: 2; -*- dnl Process this file with autoconf to produce a configure script. AC_INIT([nettle], [3.10], [nettle-bugs@lists.lysator.liu.se]) AC_PREREQ([2.69]) AC_CONFIG_SRCDIR([nettle-types.h]) # Needed to stop autoconf from looking for files in parent directories. AC_CONFIG_AUX_DIR([.]) AC_CONFIG_HEADERS([config.h]) LIBNETTLE_MAJOR=8 LIBNETTLE_MINOR=9 LIBHOGWEED_MAJOR=6 LIBHOGWEED_MINOR=9 dnl Note double square brackets, for extra m4 quoting. MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([[^.]]*\)\..*/\1/'` MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[[^.]]*\.\([[0-9]]*\).*/\1/'` AC_SUBST([MAJOR_VERSION]) AC_SUBST([MINOR_VERSION]) AC_CANONICAL_HOST # Command line options AC_ARG_WITH(include-path, AS_HELP_STRING([--with-include-path], [A colon-separated list of directories to search for include files]),, [with_include_path='']) if test x$with_include_path != x ; then CPPFLAGS="$CPPFLAGS -I`echo $with_include_path | sed 's/:/ -I/g'`" fi AC_ARG_WITH(lib-path, AS_HELP_STRING([--with-lib-path], [A colon-separated list of directories to search for libraries]),, [with_lib_path='']) if test x$with_lib_path != x ; then LDFLAGS="$LDFLAGS -L`echo $with_lib_path | sed 's/:/ -L/g'`" fi AC_ARG_ENABLE(public-key, AS_HELP_STRING([--disable-public-key], [Disable public key algorithms]),, [enable_public_key=yes]) AC_ARG_ENABLE(assembler, AS_HELP_STRING([--disable-assembler], [Disable assembler code]),, [enable_assembler=yes]) AC_ARG_ENABLE(static, AS_HELP_STRING([--disable-static], [Do not build any static library]),, [enable_static=yes]) AC_ARG_ENABLE(shared, AS_HELP_STRING([--disable-shared], [Do not build any shared library]),, [enable_shared=yes]) AC_ARG_ENABLE(pic, AS_HELP_STRING([--disable-pic], [Do not try to compile library files as position independent code]),, [enable_pic=yes]) AC_ARG_ENABLE(openssl, AS_HELP_STRING([--disable-openssl], [Do not include openssl glue in the benchmark program]),, [enable_openssl=yes]) AC_ARG_ENABLE(gcov, AS_HELP_STRING([--enable-gcov], [Instrument for gcov (requires a modern gcc)]),, [enable_gcov=no]) AC_ARG_ENABLE(documentation, AS_HELP_STRING([--disable-documentation], [Omit building and installing the documentation. (default=auto)]),, [enable_documentation=auto]) AC_ARG_ENABLE(fat, AS_HELP_STRING([--disable-fat], [Disable fat library build]),, [enable_fat=yes]) AC_ARG_ENABLE(arm-neon, AS_HELP_STRING([--enable-arm-neon], [Enable ARM Neon assembly. (default=auto)]),, [enable_arm_neon=auto]) AC_ARG_ENABLE(arm64-crypto, AS_HELP_STRING([--enable-arm64-crypto], [Enable Arm64 crypto extension. (default=no)]),, [enable_arm64_crypto=no]) AC_ARG_ENABLE(x86-aesni, AS_HELP_STRING([--enable-x86-aesni], [Enable x86_64 aes instructions. (default=no)]),, [enable_x86_aesni=no]) AC_ARG_ENABLE(x86-sha-ni, AS_HELP_STRING([--enable-x86-sha-ni], [Enable x86_64 sha_ni instructions. (default=no)]),, [enable_x86_sha_ni=no]) AC_ARG_ENABLE(x86-pclmul, AS_HELP_STRING([--enable-x86-pclmul], [Enable x86_64 pclmulqdq instructions. (default=no)]),, [enable_x86_pclmul=no]) AC_ARG_ENABLE(power-crypto-ext, AS_HELP_STRING([--enable-power-crypto-ext], [Enable POWER crypto extensions. (default=no)]),, [enable_power_crypto_ext=no]) AC_ARG_ENABLE(power-altivec, AS_HELP_STRING([--enable-power-altivec], [Enable POWER altivec and vsx extensions. (default=no)]),, [enable_altivec=no]) AC_ARG_ENABLE(power9, AS_HELP_STRING([--enable-power9], [Enable POWER ISA v3.0. (default=no)]),, [enable_power9=no]) AC_ARG_ENABLE(s390x-vf, AS_HELP_STRING([--enable-s390x-vf], [Enable vector facility on z/Architecture. (default=no)]),, [enable_s390x_vf=no]) AC_ARG_ENABLE(s390x-msa, AS_HELP_STRING([--enable-s390x-msa], [Enable message-security assist extensions on z/Architecture. (default=no)]),, [enable_s390x_msa=no]) AC_ARG_ENABLE(extra-asserts, AS_HELP_STRING([--enable-extra-asserts], [Enable additional asserts in ECC code (incompatible side-channel tests)]),, [enable_extra_asserts=no]) AC_ARG_ENABLE(mini-gmp, AS_HELP_STRING([--enable-mini-gmp], [Enable mini-gmp, used instead of libgmp.]),, [enable_mini_gmp=no]) AC_ARG_VAR(ASM_FLAGS, [Extra flags for processing assembly source files]) if test "x$enable_mini_gmp" = xyes ; then NETTLE_USE_MINI_GMP=1 HOGWEED_EXTRA_SYMBOLS="mpz_*;gmp_*;mpn_*;mp_*;" else NETTLE_USE_MINI_GMP=0 HOGWEED_EXTRA_SYMBOLS="" fi AC_SUBST([NETTLE_USE_MINI_GMP]) AC_SUBST([HOGWEED_EXTRA_SYMBOLS]) AH_TEMPLATE([WITH_EXTRA_ASSERTS], [Defined to enable additional asserts]) if test "$enable_extra_asserts" = yes ; then AC_DEFINE(WITH_EXTRA_ASSERTS) fi LSH_RPATH_INIT([`echo $with_lib_path | sed 's/:/ /g'` \ `echo $exec_prefix | sed "s@^NONE@$prefix/lib@g" | sed "s@^NONE@$ac_default_prefix/lib@g"` \ /usr/local/lib /sw/local/lib /sw/lib \ /usr/gnu/lib /opt/gnu/lib /sw/gnu/lib /usr/freeware/lib /usr/pkg/lib]) # Checks for programs. AC_PROG_CC NETTLE_CHECK_IFUNC # Used by the testsuite only AC_PROG_CXX AC_LANG_PUSH(C++) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])], [IF_CXX=''], [IF_CXX='#']) AC_SUBST([IF_CXX]) AC_LANG_POP LD_VERSION_SCRIPT AC_PROG_MAKE_SET AC_PROG_RANLIB AC_CHECK_TOOL(NM, nm, strings) # Used only for the GNU-stack configure test. AC_CHECK_TOOL(OBJDUMP, objdump, false) AC_CHECK_TOOL(AR, ar, false) AC_PROG_INSTALL # According to the autoconf manual, needs install-sh from # autoconf-2.60 or automake-1.10 to avoid races. AC_PROG_MKDIR_P AC_PROG_LN_S # Compiler tests for the build system GMP_PROG_CC_FOR_BUILD GMP_PROG_EXEEXT_FOR_BUILD # Check if valgrind is working; expected to fail in cross builds. NETTLE_PROG_VALGRIND LSH_DEPENDENCY_TRACKING if test "x$enable_gcov" = "xyes"; then CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" fi # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST AC_C_INLINE AC_TYPE_UID_T AC_TYPE_SIZE_T AC_CHECK_SIZEOF(long) AC_CHECK_SIZEOF(size_t) AC_CHECK_HEADERS([openssl/evp.h openssl/ec.h openssl/rsa.h],, [enable_openssl=no break]) # For use by the testsuite AC_CHECK_HEADERS([valgrind/memcheck.h]) AC_CHECK_HEADERS([dlfcn.h]) AC_CHECK_LIB([dl], [dlopen], [AC_DEFINE([HAVE_LIBDL], 1, [Define to 1 if you have dlopen (with -ldl).])]) LSH_FUNC_ALLOCA # getenv_secure is used for fat overrides, # getline is used in the testsuite AC_CHECK_FUNCS(secure_getenv getline) ASM_WORDS_BIGENDIAN=unknown AC_C_BIGENDIAN([AC_DEFINE([WORDS_BIGENDIAN], 1) ASM_WORDS_BIGENDIAN=yes], [ASM_WORDS_BIGENDIAN=no]) AC_CACHE_CHECK([for __builtin_bswap64], nettle_cv_c_builtin_bswap64, [AC_LINK_IFELSE([AC_LANG_PROGRAM([[ #include ]], [[ uint64_t x = 17; uint64_t y = __builtin_bswap64(x); ]])], [nettle_cv_c_builtin_bswap64=yes], [nettle_cv_c_builtin_bswap64=no])]) AH_TEMPLATE([HAVE_BUILTIN_BSWAP64], [Define if __builtin_bswap64 is available]) if test "x$nettle_cv_c_builtin_bswap64" = "xyes" ; then AC_DEFINE(HAVE_BUILTIN_BSWAP64) fi LSH_GCC_ATTRIBUTES # Check for file locking. We (AC_PROG_CC?) have already checked for # sys/types.h and unistd.h. AC_CACHE_CHECK([for fcntl file locking], nettle_cv_fcntl_locking, [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if HAVE_SYS_TYPES_H # include #endif #if HAVE_UNISTD_H # include #endif #include ]], [[ int op = F_SETLKW; struct flock fl; ]])], [nettle_cv_fcntl_locking=yes], [nettle_cv_fcntl_locking=no])]) AH_TEMPLATE([HAVE_FCNTL_LOCKING], [Define if fcntl file locking is available]) if test "x$nettle_cv_fcntl_locking" = "xyes" ; then AC_DEFINE(HAVE_FCNTL_LOCKING) fi # Checks for libraries if test "x$enable_public_key" = "xyes" ; then if test "x$enable_mini_gmp" = "xno" ; then # mpn_zero_p was added in GMP-6.1.0 AC_CHECK_LIB(gmp, __gmpn_zero_p,, [AC_MSG_WARN( [GNU MP not found, or too old. GMP-6.1.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable.])] enable_public_key=no) # Add -R flags needed to run programs linked with gmp LSH_RPATH_FIX fi fi nettle_cv_gmp_numb_bits=0 if test "x$enable_public_key" = "xyes" ; then # Check for gmp limb size if test "x$enable_mini_gmp" = "xyes" ; then AC_MSG_CHECKING([for mini-gmp limb size]) # With mini-gmp, mp_limb_t is always unsigned long. AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [(sizeof(unsigned long) * CHAR_BIT)], [#include ], [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])]) AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits]) else AC_MSG_CHECKING([for GMP limb size]) AC_COMPUTE_INT(nettle_cv_gmp_numb_bits, [GMP_NUMB_BITS], [#include ], [AC_MSG_FAILURE([cannot find value of GMP_NUMB_BITS])]) AC_MSG_RESULT([$nettle_cv_gmp_numb_bits bits]) fi fi # Substituted in Makefile, passed on to the eccdata command. NUMB_BITS="$nettle_cv_gmp_numb_bits" AC_SUBST([NUMB_BITS]) # Substituted in version.h, used only with mini-gmp. if test "x$enable_mini_gmp" = "xyes" ; then GMP_NUMB_BITS="$NUMB_BITS" else GMP_NUMB_BITS="n/a" fi AC_SUBST([GMP_NUMB_BITS]) # Figure out ABI. Currently, configurable only by setting CFLAGS. ABI=standard ELFV2_ABI=no # For powerpc64 W64_ABI=no # For x86_64 windows case "$host_cpu" in [x86_64 | amd64]) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__x86_64__) || defined(__arch64__) #error 64-bit x86 #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; *sparc*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__sparcv9) || defined(__arch64__) #error 64-bit sparc #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; *mips64*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__mips64) || defined(__mips64__) || (defined(__sgi) && defined(__LP64__)) #error 64-bit mips #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; *powerpc64*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__PPC64__) #error 64-bit powerpc #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) if test "$ABI" = 64 ; then AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if _CALL_ELF == 2 #error ELFv2 ABI #endif ]], [[]])], [], [ ELFV2_ABI=yes ]) fi ;; aarch64*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__aarch64__) #error 64-bit arm #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; *s390x*) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if defined(__s390x__) #error 64-bit s390x #endif ]], [[]])], [ ABI=32 ], [ ABI=64 ]) ;; esac if test "x$ABI" != xstandard ; then AC_MSG_NOTICE([Compiler uses $ABI-bit ABI. To change, set CC.]) if test "$libdir" = '${exec_prefix}/lib' ; then # Try setting a better default case "$host_cpu:$host_os:$ABI" in *:solaris*:32|*:sunos*:32) libdir='${exec_prefix}/lib' ;; *:solaris*:64|*:sunos*:64) libdir='${exec_prefix}/lib/64' ;; # Linux conventions are a mess... According to the Linux File # Hierarchy Standard, all architectures except IA64 puts 32-bit # libraries in lib, and 64-bit in lib64. Some distributions, # e.g., Fedora and Gentoo, adhere to this standard, while at # least Debian has decided to put 64-bit libraries in lib and # 32-bit libraries in lib32. # We try to figure out the convention, except if we're cross # compiling. We use lib${ABI} if /usr/lib${ABI} exists and # appears to not be a symlink to a different name. *:linux*:32|*:linux*:64) if test "$cross_compiling" = yes ; then AC_MSG_WARN([Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib.]); dnl ' else # The dash builtin pwd tries to be "helpful" and remember # symlink names. Use -P option, and hope it's portable enough. test -d /usr/lib${ABI} \ && (cd /usr/lib${ABI} && pwd -P | grep >/dev/null "/lib${ABI}"'$') \ && libdir='${exec_prefix}/'"lib${ABI}" fi ;; # On freebsd, it seems 32-bit libraries are in lib32, # and 64-bit in lib. Don't know about "kfreebsd", does # it follow the Linux fhs conventions? *:freebsd*:32) libdir='${exec_prefix}/lib32' ;; *:freebsd*:64) libdir='${exec_prefix}/lib' ;; *:irix*:32) libdir='${exec_prefix}/lib32' ;; *:irix*:64) libdir='${exec_prefix}/lib64' ;; *) AC_MSG_WARN([Don't know where to install $ABI-bit libraries on this system.]); dnl ' esac AC_MSG_NOTICE([Libraries to be installed in $libdir.]) fi fi OPT_NETTLE_SOURCES="" FAT_TEST_LIST="" ASM_PPC_WANT_R_REGISTERS="n/a" # Select assembler code asm_path= if test "x$enable_assembler" = xyes ; then case "$host_cpu" in [x86 | i?86* | k[5-8]* | pentium* | athlon]) asm_path=x86 ;; [x86_64 | amd64]) if test "$ABI" = 64 ; then asm_path=x86_64 if test "x$enable_fat" = xyes ; then asm_path="x86_64/fat $asm_path" OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" # For now, not enabling aesni or sha_ni, since at least # the latter appears unavailable on the gitlab test machines. FAT_TEST_LIST="vendor:intel vendor:amd" else if test "x$enable_x86_aesni" = xyes ; then asm_path="x86_64/aesni $asm_path" fi if test "x$enable_x86_sha_ni" = xyes ; then asm_path="x86_64/sha_ni $asm_path" fi if test "x$enable_x86_pclmul" = xyes ; then asm_path="x86_64/pclmul $asm_path" fi fi else asm_path=x86 fi ;; *sparc*) if test "$ABI" = 64 ; then asm_path=sparc64 fi ;; arm*) asm_path=arm if test "x$enable_fat" = xyes ; then asm_path="arm/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" FAT_TEST_LIST="arch:5 arch:6,neon" else case "$host_cpu" in armv6* | armv7*) NETTLE_CHECK_ARM_NEON asm_path="arm/v6 arm" ;; esac if test "x$enable_arm_neon" = xyes ; then asm_path="arm/neon $asm_path" fi fi ;; aarch64*) if test "$ABI" = 64 ; then asm_path=arm64 if test "x$enable_fat" = xyes ; then asm_path="arm64/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm64.c $OPT_NETTLE_SOURCES" FAT_TEST_LIST="none aes pmull sha1 sha2" else if test "$enable_arm64_crypto" = yes ; then asm_path="arm64/crypto $asm_path" fi fi else # As far as I understand, Neon instructions are unlikely to be # missing. It may be omitted "only for implementations # targeting specialized markets", to quote the Armv8 reference # manual. asm_path="arm/neon arm/v6 arm" fi ;; *powerpc64*) if test "$ABI" = 64 ; then GMP_ASM_POWERPC_R_REGISTERS asm_path="powerpc64" if test "x$enable_fat" = xyes ; then asm_path="powerpc64/fat $asm_path" OPT_NETTLE_SOURCES="fat-ppc.c $OPT_NETTLE_SOURCES" FAT_TEST_LIST="none crypto_ext altivec power9" else if test "$enable_power9" = yes ; then asm_path="powerpc64/p9 $asm_path" fi if test "$enable_power_crypto_ext" = yes ; then asm_path="powerpc64/p8 $asm_path" fi if test "$enable_power_altivec" = yes ; then asm_path="powerpc64/p7 $asm_path" fi fi fi ;; *s390x*) if test "$ABI" = 64 ; then asm_path="s390x" if test "x$enable_fat" = xyes ; then asm_path="s390x/fat $asm_path" OPT_NETTLE_SOURCES="fat-s390x.c $OPT_NETTLE_SOURCES" FAT_TEST_LIST="none vf msa msa_x1 msa_x2 msa_x4" else if test "$enable_s390x_vf" = yes ; then asm_path="s390x/vf $asm_path" fi if test "$enable_s390x_msa" = yes ; then asm_path="s390x/msa s390x/msa_x1 s390x/msa_x2 s390x/msa_x4 $asm_path" fi fi fi ;; *) enable_assembler=no ;; esac fi # Files which replace a C source file (or otherwise don't correspond # to a new object file). asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \ aes-invert-internal.asm \ aes128-set-encrypt-key.asm aes128-set-decrypt-key.asm \ aes128-encrypt.asm aes128-decrypt.asm \ aes192-set-encrypt-key.asm aes192-set-decrypt-key.asm \ aes192-encrypt.asm aes192-decrypt.asm \ aes256-set-encrypt-key.asm aes256-set-decrypt-key.asm \ aes256-encrypt.asm aes256-decrypt.asm \ cbc-aes128-encrypt.asm cbc-aes192-encrypt.asm \ cbc-aes256-encrypt.asm \ camellia-crypt-internal.asm \ memxor.asm memxor3.asm \ ghash-set-key.asm ghash-update.asm \ poly1305-internal.asm \ chacha-core-internal.asm \ salsa20-crypt.asm salsa20-core-internal.asm \ serpent-encrypt.asm serpent-decrypt.asm \ sha1-compress.asm sha256-compress-n.asm sha512-compress.asm \ sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" # Assembler files which generate additional object files if they are used. asm_nettle_optional_list="cpuid.asm cpu-facility.asm \ memxor-2.asm memxor3-2.asm \ aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm aes-invert-internal-2.asm \ aes128-set-encrypt-key-2.asm aes128-set-decrypt-key-2.asm \ aes128-encrypt-2.asm aes128-decrypt-2.asm \ aes192-set-encrypt-key-2.asm aes192-set-decrypt-key-2.asm \ aes192-encrypt-2.asm aes192-decrypt-2.asm \ aes256-set-encrypt-key-2.asm aes256-set-decrypt-key-2.asm \ aes256-encrypt-2.asm aes256-decrypt-2.asm \ cbc-aes128-encrypt-2.asm cbc-aes192-encrypt-2.asm cbc-aes256-encrypt-2.asm \ chacha-2core.asm chacha-3core.asm chacha-4core.asm chacha-core-internal-2.asm \ poly1305-blocks.asm poly1305-internal-2.asm \ ghash-set-key-2.asm ghash-update-2.asm \ gcm-aes-encrypt.asm gcm-aes-encrypt-2.asm \ gcm-aes-decrypt.asm gcm-aes-decrypt-2.asm\ salsa20-2core.asm salsa20-core-internal-2.asm \ sha1-compress-2.asm sha256-compress-n-2.asm \ sha3-permute-2.asm sha512-compress-2.asm \ umac-nh-n-2.asm umac-nh-2.asm" asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then asm_hogweed_optional_list="ecc-secp192r1-modp.asm ecc-secp224r1-modp.asm \ ecc-secp256r1-redc.asm ecc-secp384r1-modp.asm ecc-secp521r1-modp.asm \ ecc-curve25519-modp.asm ecc-curve448-modp.asm" fi OPT_NETTLE_OBJS="" OPT_HOGWEED_OBJS="" asm_file_list="" if test "x$enable_assembler" = xyes ; then if test -n "$asm_path"; then AC_MSG_NOTICE([Looking for assembler files in $asm_path.]) for tmp_f in $asm_replace_list ; do for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_f"; then asm_file_list="$asm_file_list $tmp_f" AC_CONFIG_LINKS($tmp_f:$asm_dir/$tmp_f) break fi done done dnl Workaround for AC_CONFIG_LINKS, which complains if we use the dnl same destination argument $tmp_f multiple times. for tmp_n in $asm_nettle_optional_list ; do dnl Note extra pair of [] in sed expression tmp_b=`echo "$tmp_n" | sed 's/\.[[^.]]*$//'` for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_n"; then asm_file_list="$asm_file_list $tmp_n" AC_CONFIG_LINKS($tmp_n:$asm_dir/$tmp_n) while read tmp_func ; do AC_DEFINE_UNQUOTED(HAVE_NATIVE_$tmp_func) eval HAVE_NATIVE_$tmp_func=yes done <conftest.out if grep _a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=yes elif grep a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=no else AC_MSG_WARN([nm does not list a_global_symbol at all]) fi], [AC_MSG_WARN([test program with a single global could not be compiled!?])])]) if test x$nettle_cv_asm_underscore = xyes ; then ASM_SYMBOL_PREFIX='_' fi AC_CACHE_CHECK([for ELF-style .type,%function pseudo-ops], [nettle_cv_asm_type_percent_function], [GMP_TRY_ASSEMBLE([ .text .globl foo .type foo,%function foo: .Lend: .size foo, .Lend - foo ], [nettle_cv_asm_type_percent_function=yes], [nettle_cv_asm_type_percent_function=no])]) dnl Needs double quote for the # character AC_CACHE_CHECK([[for ELF-style .type,#function pseudo-ops]], [nettle_cv_asm_type_hash_function], [GMP_TRY_ASSEMBLE([ .text .globl foo .type foo,#function foo: .Lend: .size foo, .Lend - foo ], [nettle_cv_asm_type_hash_function=yes], [nettle_cv_asm_type_hash_function=no])]) if test x$nettle_cv_asm_type_percent_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='%function' ASM_TYPE_PROGBITS='%progbits' else if test x$nettle_cv_asm_type_hash_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='#function' ASM_TYPE_PROGBITS='#progbits' fi fi AC_CACHE_CHECK([for COFF-style .type directive], [nettle_cv_asm_coff_type], [GMP_TRY_ASSEMBLE([ .text .globl _foo .def _foo .scl 2 .type 32 .endef _foo: ], [nettle_cv_asm_coff_type=yes], [nettle_cv_asm_coff_type=no])]) if test "x$nettle_cv_asm_coff_type" = "xyes" ; then ASM_COFF_STYLE=yes fi AC_CACHE_CHECK([if we should use a .note.GNU-stack section], nettle_cv_asm_gnu_stack, [ # Default nettle_cv_asm_gnu_stack=no cat >conftest.c <&AS_MESSAGE_LOG_FD $OBJDUMP -x conftest.o | grep '\.note\.GNU-stack' > /dev/null \ && nettle_cv_asm_gnu_stack=yes else cat conftest.out >&AS_MESSAGE_LOG_FD echo "configure: failed program was:" >&AS_MESSAGE_LOG_FD cat conftest.s >&AS_MESSAGE_LOG_FD fi rm -f conftest.*]) if test x$nettle_cv_asm_gnu_stack = xyes ; then ASM_MARK_NOEXEC_STACK='.section .note.GNU-stack,"",TYPE_PROGBITS' fi AC_CACHE_CHECK([if .align assembly directive is logarithmic], [nettle_cv_asm_align_log], [GMP_TRY_ASSEMBLE([ .align 3 ], [nettle_cv_asm_align_log=yes], [nettle_cv_asm_align_log=no])]) ASM_ALIGN_LOG="$nettle_cv_asm_align_log" fi dnl Define dnl 1. ASM_X86_ENDBR for endbr32/endbr64. dnl 2. ASM_X86_MARK_CET to add a .note.gnu.property section to mark dnl Intel CET support if needed. dnl 3. ASM_X86_MARK_CET_ALIGN to align ASM_X86_MARK_CET. AC_CACHE_CHECK([if Intel CET is enabled], [nettle_cv_asm_x86_intel_cet], [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #ifndef __CET__ #error Intel CET is not enabled #endif ]], [[]])], [nettle_cv_asm_x86_intel_cet=yes], [nettle_cv_asm_x86_intel_cet=no])]) if test "$nettle_cv_asm_x86_intel_cet" = yes; then case $ABI in 32|standard) ASM_X86_ENDBR=endbr32 ASM_X86_MARK_CET_ALIGN=2 ;; 64) ASM_X86_ENDBR=endbr64 ASM_X86_MARK_CET_ALIGN=3 ;; x32) ASM_X86_ENDBR=endbr64 ASM_X86_MARK_CET_ALIGN=2 ;; esac AC_CACHE_CHECK([if .note.gnu.property section is needed], [nettle_cv_asm_x86_gnu_property], [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #if !defined __ELF__ || !defined __CET__ #error GNU property is not needed #endif ]], [[]])], [nettle_cv_asm_x86_gnu_property=yes], [nettle_cv_asm_x86_gnu_property=no])]) else nettle_cv_asm_x86_gnu_property=no fi if test "$nettle_cv_asm_x86_gnu_property" = yes; then ASM_X86_MARK_CET=' .pushsection ".note.gnu.property", "a" .p2align ASM_X86_MARK_CET_ALIGN .long 1f - 0f .long 4f - 1f .long 5 0: .asciz "GNU" 1: .p2align ASM_X86_MARK_CET_ALIGN .long 0xc0000002 .long 3f - 2f 2: .long 3 3: .p2align ASM_X86_MARK_CET_ALIGN 4: .popsection' fi AC_SUBST(ASM_SYMBOL_PREFIX) AC_SUBST(ASM_ELF_STYLE) AC_SUBST(ASM_COFF_STYLE) AC_SUBST(ASM_TYPE_FUNCTION) AC_SUBST(ASM_TYPE_PROGBITS) AC_SUBST(ASM_MARK_NOEXEC_STACK) AC_SUBST(ASM_ALIGN_LOG) AC_SUBST(ELFV2_ABI) AC_SUBST(W64_ABI) AC_SUBST(ASM_WORDS_BIGENDIAN) AC_SUBST(EMULATOR) AC_SUBST(ASM_X86_ENDBR) AC_SUBST(ASM_X86_MARK_CET) AC_SUBST(ASM_X86_MARK_CET_ALIGN) AC_SUBST(LIBNETTLE_MAJOR) AC_SUBST(LIBNETTLE_MINOR) AC_SUBST(LIBNETTLE_FORLINK) AC_SUBST(LIBNETTLE_SONAME) AC_SUBST(LIBNETTLE_FILE) AC_SUBST(LIBNETTLE_FILE_SRC) AC_SUBST(LIBNETTLE_LINK) AC_SUBST(LIBNETTLE_LIBS) AC_SUBST(LIBHOGWEED_MAJOR) AC_SUBST(LIBHOGWEED_MINOR) AC_SUBST(LIBHOGWEED_FORLINK) AC_SUBST(LIBHOGWEED_SONAME) AC_SUBST(LIBHOGWEED_FILE) AC_SUBST(LIBHOGWEED_FILE_SRC) AC_SUBST(LIBHOGWEED_LINK) AC_SUBST(LIBHOGWEED_LIBS) AC_PATH_PROG(M4, m4, m4) AH_TEMPLATE([WITH_HOGWEED], [Defined if public key features are enabled]) if test "x$enable_public_key" = xyes ; then AC_DEFINE(WITH_HOGWEED) IF_HOGWEED='' else IF_HOGWEED='#' fi if test "x$enable_static" = xyes ; then IF_STATIC='' else IF_STATIC='#' fi IF_DLOPEN_TEST='#' if test "x$enable_shared" = xyes ; then IF_SHARED='' IF_NOT_SHARED='#' if test "x$ac_cv_lib_dl_dlopen" = xyes ; then IF_DLOPEN_TEST='' fi else IF_SHARED='#' IF_NOT_SHARED='' fi # Documentation tools if test "x$enable_documentation" != "xno"; then AC_PATH_PROG(MAKEINFO, makeinfo, not-found) if test "x$MAKEINFO" != "xnot-found"; then enable_documentation=yes AC_SUBST(MAKEINFO) else if test "x$enable_documentation" == "xauto" ; then enable_documentation=no else AC_MSG_ERROR([Cannot find 'makeinfo', required for documentation.]) fi fi fi if test "x$enable_documentation" = "xyes" ; then IF_DOCUMENTATION='' else IF_DOCUMENTATION='#' fi if test "x$enable_mini_gmp" = "xyes" ; then IF_MINI_GMP='' else IF_MINI_GMP='#' fi AC_SUBST(IF_HOGWEED) AC_SUBST(IF_STATIC) AC_SUBST(IF_SHARED) AC_SUBST(IF_NOT_SHARED) AC_SUBST(IF_DLOPEN_TEST) AC_SUBST(IF_DOCUMENTATION) AC_SUBST(IF_DLL) AC_SUBST(IF_MINI_GMP) OPENSSL_LIBFLAGS='' # Check for openssl's libcrypto (used only for benchmarking) if test x$enable_openssl = xyes ; then AC_CHECK_LIB(crypto, EVP_CIPHER_CTX_new, [OPENSSL_LIBFLAGS='-lcrypto'], [enable_openssl=no]) fi if test x$enable_openssl = xyes ; then AC_MSG_CHECKING([if openssl supports the functions used by nettle benchmark programs]) save_LIBS="$LIBS" LIBS="$LIBS $OPENSSL_LIBFLAGS" AC_LINK_IFELSE([AC_LANG_PROGRAM([ #include #include #include ], [ EVP_MD_CTX *cipher_ctx = EVP_CIPHER_CTX_new(); EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); EVP_PKEY *rsa_key = EVP_RSA_gen(2048); EVP_PKEY *ec_key = EVP_EC_gen("P-256"); int res = EVP_DigestSignFinal (md_ctx, NULL, NULL); ])], [ AC_MSG_RESULT([yes]) AC_DEFINE([WITH_OPENSSL], 1, [Define if you have openssl libcrypto (used for benchmarking)]) ], [ AC_MSG_RESULT([no]) enable_openssl=no ]) LIBS=$save_LIBS fi AC_SUBST(OPENSSL_LIBFLAGS) AH_BOTTOM( [#if defined(__x86_64__) || defined(__arch64__) # define HAVE_NATIVE_64_BIT 1 #else /* Needs include of before use. */ # define HAVE_NATIVE_64_BIT (SIZEOF_LONG * CHAR_BIT >= 64) #endif ]) # clock_gettime is in librt on *-*-osf5.1 and on glibc, so add -lrt to # BENCH_LIBS if needed. On linux (tested on x86_32, 2.6.26), # clock_getres reports ns accuracy, while in a quick test on osf # clock_getres said only 1 millisecond. old_LIBS="$LIBS" AC_SEARCH_LIBS(clock_gettime, rt, [ AC_DEFINE([HAVE_CLOCK_GETTIME],1,[Define if clock_gettime is available])]) BENCH_LIBS="$LIBS" LIBS="$old_LIBS" AC_SUBST(BENCH_LIBS) # Set these flags *last*, or else the test programs won't compile if test x$GCC = xyes ; then CFLAGS="$CFLAGS -ggdb3 -Wall -W -Wno-sign-compare \ -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes \ -Wpointer-arith -Wbad-function-cast -Wnested-externs" # Don't enable -Wcast-align as it results in tons of warnings in the # DES code. And when using stdio. # Don't enable -Waggregate-return, as that causes warnings for glibc # inttypes.h. fi AC_CONFIG_FILES([config.make config.m4 Makefile version.h]) AC_CONFIG_FILES([tools/Makefile testsuite/Makefile examples/Makefile]) AC_CONFIG_FILES([nettle.pc hogweed.pc libnettle.map libhogweed.map]) AC_OUTPUT AC_MSG_NOTICE([summary of build options: Version: ${PACKAGE_STRING} Host type: ${host} ABI: ${ABI} Assembly files: ${asm_path:-none} Install prefix: ${prefix} Library directory: ${libdir} Compiler: ${CC} Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} ]) nettle-3.10/dsa-keygen.c0000644000175000017500000000320114633602171014146 0ustar nissenisse/* dsa-keygen.c Generation of DSA keypairs Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "dsa.h" #include "bignum.h" /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), (2048, 256), (3072, 256). Currenty, we use only q_bits of 160 or 256. */ void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random) { mpz_t r; mpz_init_set(r, params->q); mpz_sub_ui(r, r, 2); nettle_mpz_random(key, random_ctx, random, r); mpz_add_ui(key, key, 1); mpz_powm(pub, params->g, key, params->p); mpz_clear (r); } nettle-3.10/asm.m40000644000175000017500000000406614633602172013010 0ustar nissenissedivert(-1) dnl FORTRAN style comment character define(`C', ` dnl')dnl dnl Disable m4 comment processing, since the default, #, is used for dnl constants on some architectures, in particular ARM. changecom()dnl dnl Including files from the srcdir define(`include_src', `include(srcdir/$1)')dnl dnl default definition, changed in fat builds define(`fat_transform', `$1') define(`C_NAME', `SYMBOL_PREFIX`'fat_transform($1)') dnl Pseudo ops define(`DECLARE_FUNC', `ifelse(ELF_STYLE,yes, `.type $1,TYPE_FUNCTION', COFF_STYLE, yes, `.def $1 .scl 2 .type 32 .endef', `')') define(`GMP_NUMB_BITS',`')dnl define(`PROLOGUE', `.globl C_NAME($1) DECLARE_FUNC(C_NAME($1)) C_NAME($1): ASM_X86_ENDBR') define(`EPILOGUE', `ifelse(ELF_STYLE,yes, `.size C_NAME($1), . - C_NAME($1)',`')') define(`m4_log2', `m4_log2_internal($1,1,0)') define(`m4_log2_internal', `ifelse($3, 10, `not-a-power-of-two', $1, $2, $3, `m4_log2_internal($1, eval(2*$2), eval(1 + $3))')') dnl Argument to ALIGN is always in bytes, and converted to a dnl logarithmic .align if necessary. define(`ALIGN', `.align ifelse(ALIGN_LOG,yes,`m4_log2($1)',$1) ') define(`IF_BE', `ifelse( WORDS_BIGENDIAN,yes,`$1', WORDS_BIGENDIAN,no,`$2', `errprint(`Unsupported endianness value',WORDS_BIGENDIAN,` ') m4exit(1)')') define(`IF_LE', `IF_BE(`$2', `$1')') dnl Struct defining macros dnl STRUCTURE(prefix) define(`STRUCTURE', `define(`SOFFSET', 0)define(`SPREFIX', `$1')')dnl dnl STRUCT(name, size) define(`STRUCT', `define(SPREFIX`_'$1, SOFFSET)dnl define(`SOFFSET', eval(SOFFSET + ($2)))')dnl dnl UCHAR(name) define(`UCHAR', `STRUCT(`$1', 1)')dnl dnl UNSIGNED(name) define(`UNSIGNED', `STRUCT(`$1', 4)')dnl dnl Offsets in aes_table define(AES_SBOX_SIZE, 256)dnl define(AES_TABLE_SIZE, 1024)dnl STRUCTURE(AES) STRUCT(SBOX, AES_SBOX_SIZE) STRUCT(TABLE0, AES_TABLE_SIZE) STRUCT(TABLE1, AES_TABLE_SIZE) STRUCT(TABLE2, AES_TABLE_SIZE) STRUCT(TABLE3, AES_TABLE_SIZE) C For 64-bit implementation STRUCTURE(P1305) STRUCT(R0, 8) STRUCT(R1, 8) STRUCT(S0, 8) STRUCT(S1, 8) STRUCT(H0, 8) STRUCT(H1, 8) STRUCT(H2, 8) divert nettle-3.10/ed448-shake256-pubkey.c0000644000175000017500000000335714633602172015607 0ustar nissenisse/* ed448-shake256-pubkey.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "ecc-internal.h" #include "eddsa-internal.h" #include "sha3.h" void ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv) { const struct ecc_curve *ecc = &_nettle_curve448; struct sha3_256_ctx ctx; uint8_t digest[ED448_SIGNATURE_SIZE]; mp_size_t itch = ecc->q.size + _eddsa_public_key_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k scratch #define scratch_out (scratch + ecc->q.size) sha3_256_init (&ctx); _eddsa_expand_key (ecc, &_nettle_ed448_shake256, &ctx, priv, digest, k); _eddsa_public_key (ecc, k, pub, scratch_out); gmp_free_limbs (scratch, itch); #undef k #undef scratch_out } nettle-3.10/desdata.c0000644000175000017500000001055514633602172013537 0ustar nissenisse/* desdata.c * * Generate tables used by des.c and desCode.h. * */ /* * des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. * */ #include #include "desinfo.h" /* list of weak and semi-weak keys +0 +1 +2 +3 +4 +5 +6 +7 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x01 0x1f 0x01 0x1f 0x01 0x0e 0x01 0x0e 0x01 0xe0 0x01 0xe0 0x01 0xf1 0x01 0xf1 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x1f 0x01 0x1f 0x01 0x0e 0x01 0x0e 0x01 0x1f 0x1f 0x1f 0x1f 0x0e 0x0e 0x0e 0x0e 0x1f 0xe0 0x1f 0xe0 0x0e 0xf1 0x0e 0xf1 0x1f 0xfe 0x1f 0xfe 0x0e 0xfe 0x0e 0xfe 0xe0 0x01 0xe0 0x01 0xf1 0x01 0xf1 0x01 0xe0 0x1f 0xe0 0x1f 0xf1 0x0e 0xf1 0x0e 0xe0 0xe0 0xe0 0xe0 0xf1 0xf1 0xf1 0xf1 0xe0 0xfe 0xe0 0xfe 0xf1 0xfe 0xf1 0xfe 0xfe 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x01 0xfe 0x1f 0xfe 0x1f 0xfe 0x0e 0xfe 0x0e 0xfe 0xe0 0xfe 0xe0 0xfe 0xf1 0xfe 0xf1 0xfe 0xfe 0xfe 0xfe 0xfe 0xfe 0xfe 0xfe */ /* key bit order in each method pair: bits 31->00 of 1st, bits 31->00 of 2nd */ /* this does not reflect the rotate of the 2nd word */ #define S(box,bit) (box*6+bit) int korder[] = { S(7, 5), S(7, 4), S(7, 3), S(7, 2), S(7, 1), S(7, 0), S(5, 5), S(5, 4), S(5, 3), S(5, 2), S(5, 1), S(5, 0), S(3, 5), S(3, 4), S(3, 3), S(3, 2), S(3, 1), S(3, 0), S(1, 5), S(1, 4), S(1, 3), S(1, 2), S(1, 1), S(1, 0), S(6, 5), S(6, 4), S(6, 3), S(6, 2), S(6, 1), S(6, 0), S(4, 5), S(4, 4), S(4, 3), S(4, 2), S(4, 1), S(4, 0), S(2, 5), S(2, 4), S(2, 3), S(2, 2), S(2, 1), S(2, 0), S(0, 5), S(0, 4), S(0, 3), S(0, 2), S(0, 1), S(0, 0), }; /* the order in which the algorithm accesses the s boxes */ int sorder[] = { 7, 5, 3, 1, 6, 4, 2, 0, }; int main(int argc, char **argv) { unsigned long d, i, j, k, l, m, n, s; /* Always at least 32 bits */ char b[256], ksr[56]; if (argc <= 1) return 1; switch ( argv[1][0] ) { default: return 1; /* * <<< make the key parity table >>> */ case 'p': printf( "/* automagically produced - do not fuss with this information */\n\n"); /* store parity information */ for ( i = 0; i < 256; i++ ) { j = i; j ^= j >> 4; /* bits 3-0 have pairs */ j ^= j << 2; /* bits 3-2 have quads */ j ^= j << 1; /* bit 3 has the entire eight (no cox) */ b[i] = 8 & ~j; /* 0 is okay and 8 is bad parity */ } /* only these characters can appear in a weak key */ b[0x01] = 1; b[0x0e] = 2; b[0x1f] = 3; b[0xe0] = 4; b[0xf1] = 5; b[0xfe] = 6; /* print it out */ for ( i = 0; i < 256; i++ ) { printf("%d,", b[i]); if ( (i & 31) == 31 ) printf("\n"); } break; /* * <<< make the key usage table >>> */ case 'r': printf("/* automagically made - do not fuss with this */\n\n"); /* KL specifies the initial key bit positions */ for (i = 0; i < 56; i++) ksr[i] = (KL[i] - 1) ^ 7; for (i = 0; i < 16; i++) { /* apply the appropriate number of left shifts */ for (j = 0; j < KS[i]; j++) { m = ksr[ 0]; n = ksr[28]; for (k = 0; k < 27; k++) ksr[k ] = ksr[k + 1], ksr[k + 28] = ksr[k + 29]; ksr[27] = m; ksr[55] = n; } /* output the key bit numbers */ for (j = 0; j < 48; j++) { m = ksr[KC[korder[j]] - 1]; m = (m / 8) * 7 + (m % 8) - 1; m = 55 - m; printf(" %2ld,", (long) m); if ((j % 12) == 11) printf("\n"); } printf("\n"); } break; /* * <<< make the keymap table >>> */ case 'k': printf("/* automagically made - do not fuss with this */\n\n"); for ( i = 0; i <= 7 ; i++ ) { s = sorder[i]; for ( d = 0; d <= 63; d++ ) { /* flip bits */ k = ((d << 5) & 32) | ((d << 3) & 16) | ((d << 1) & 8) | ((d >> 1) & 4) | ((d >> 3) & 2) | ((d >> 5) & 1) ; /* more bit twiddling */ l = ((k << 0) & 32) | /* overlap bit */ ((k << 4) & 16) | /* overlap bit */ ((k >> 1) & 15) ; /* unique bits */ /* look up s box value */ m = SB[s][l]; /* flip bits */ n = ((m << 3) & 8) | ((m << 1) & 4) | ((m >> 1) & 2) | ((m >> 3) & 1) ; /* put in correct nybble */ n <<= (s << 2); /* perform p permutation */ for ( m = j = 0; j < 32; j++ ) if ( n & (1 << (SP[j] - 1)) ) m |= (1UL << j); /* rotate right (alg keeps everything rotated by 1) */ m = (m >> 1) | ((m & 1) << 31); /* print it out */ printf(" 0x%08lx,", m); if ( ( d & 3 ) == 3 ) printf("\n"); } printf("\n"); } break; } return 0; } nettle-3.10/gcm-aes128.c0000644000175000017500000000455614633602171013704 0ustar nissenisse/* gcm-aes128.c Galois counter mode using AES128 as the underlying cipher. Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" #include "gcm-internal.h" void gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); } void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_encrypt ((struct gcm_key *)ctx, _AES128_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_ENCRYPT(ctx, aes128_encrypt, length, dst, src); } void gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_decrypt ((struct gcm_key *)ctx, _AES128_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_DECRYPT(ctx, aes128_encrypt, length, dst, src); } void gcm_aes128_digest(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, aes128_encrypt, length, digest); } nettle-3.10/cbc.h0000644000175000017500000000562514633602172012670 0ustar nissenisse/* cbc.h Cipher block chaining mode. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CBC_H_INCLUDED #define NETTLE_CBC_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cbc_encrypt nettle_cbc_encrypt #define cbc_decrypt nettle_cbc_decrypt #define cbc_aes128_encrypt nettle_cbc_aes128_encrypt #define cbc_aes192_encrypt nettle_cbc_aes192_encrypt #define cbc_aes256_encrypt nettle_cbc_aes256_encrypt void cbc_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cbc_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); #define CBC_CTX(type, size) \ { type ctx; uint8_t iv[size]; } #define CBC_SET_IV(ctx, data) \ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CBC_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cbc_encrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CBC_DECRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cbc_decrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) void cbc_aes128_encrypt(const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cbc_aes192_encrypt(const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cbc_aes256_encrypt(const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CBC_H_INCLUDED */ nettle-3.10/dsa.c0000644000175000017500000000314514633602171012675 0ustar nissenisse/* dsa.c The DSA publickey algorithm. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "dsa-internal.h" #include "bignum.h" void dsa_params_init (struct dsa_params *params) { mpz_init(params->p); mpz_init(params->q); mpz_init(params->g); } void dsa_params_clear (struct dsa_params *params) { mpz_clear(params->p); mpz_clear(params->q); mpz_clear(params->g); } void dsa_signature_init(struct dsa_signature *signature) { mpz_init(signature->r); mpz_init(signature->s); } void dsa_signature_clear(struct dsa_signature *signature) { mpz_clear(signature->r); mpz_clear(signature->s); } nettle-3.10/oaep.h0000644000175000017500000000353014633602172013056 0ustar nissenisse/* oaep.h PKCS#1 RSA-OAEP (RFC-8017). Copyright (C) 2021-2024 Nicolas Mora Copyright (C) 2024 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_OAEP_H_INCLUDED #define NETTLE_OAEP_H_INCLUDED #include "nettle-meta.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define _oaep_encode_mgf1 _nettle_oaep_encode_mgf1 #define _oaep_decode_mgf1 _nettle_oaep_decode_mgf1 int _oaep_decode_mgf1 (const uint8_t *em, size_t key_size, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message); int _oaep_encode_mgf1 (mpz_t m, size_t key_size, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t message_length, const uint8_t *message); #ifdef __cplusplus } #endif #endif /* NETTLE_OAEP_H_INCLUDED */ nettle-3.10/hmac-gosthash94.c0000644000175000017500000000412514633602171015030 0ustar nissenisse/* hmac-gosthash94.c HMAC-GOSTHASH94 message authentication code. Copyright (C) 2016 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_gosthash94_set_key(struct hmac_gosthash94_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_gosthash94, key_length, key); } void hmac_gosthash94_update(struct hmac_gosthash94_ctx *ctx, size_t length, const uint8_t *data) { gosthash94_update(&ctx->state, length, data); } void hmac_gosthash94_digest(struct hmac_gosthash94_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_gosthash94, length, digest); } void hmac_gosthash94cp_set_key(struct hmac_gosthash94cp_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_gosthash94cp, key_length, key); } void hmac_gosthash94cp_update(struct hmac_gosthash94cp_ctx *ctx, size_t length, const uint8_t *data) { gosthash94cp_update(&ctx->state, length, data); } void hmac_gosthash94cp_digest(struct hmac_gosthash94cp_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_gosthash94cp, length, digest); } nettle-3.10/sha3-512.c0000644000175000017500000000337714633602171013300 0ustar nissenisse/* sha3-512.c The sha3 hash function, 512 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "sha3-internal.h" #include "nettle-write.h" void sha3_512_init (struct sha3_512_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_512_ctx, block)); } void sha3_512_update (struct sha3_512_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _nettle_sha3_update (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index, length, data); } void sha3_512_digest(struct sha3_512_ctx *ctx, size_t length, uint8_t *digest) { _sha3_pad_hash (&ctx->state, SHA3_512_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_512_init (ctx); } nettle-3.10/chacha.h0000644000175000017500000000542714633602172013350 0ustar nissenisse/* chacha.h The ChaCha stream cipher. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CHACHA_H_INCLUDED #define NETTLE_CHACHA_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define chacha_set_key nettle_chacha_set_key #define chacha_set_nonce nettle_chacha_set_nonce #define chacha_set_nonce96 nettle_chacha_set_nonce96 #define chacha_set_counter nettle_chacha_set_counter #define chacha_set_counter32 nettle_chacha_set_counter32 #define chacha_crypt nettle_chacha_crypt #define chacha_crypt32 nettle_chacha_crypt32 /* Currently, only 256-bit keys are supported. */ #define CHACHA_KEY_SIZE 32 #define CHACHA_BLOCK_SIZE 64 #define CHACHA_NONCE_SIZE 8 #define CHACHA_NONCE96_SIZE 12 #define CHACHA_COUNTER_SIZE 8 #define CHACHA_COUNTER32_SIZE 4 #define _CHACHA_STATE_LENGTH 16 struct chacha_ctx { /* Indices 0-3 holds a constant (SIGMA or TAU). Indices 4-11 holds the key. Indices 12-13 holds the block counter. Indices 14-15 holds the IV: This creates the state matrix: C C C C K K K K K K K K B B I I */ uint32_t state[_CHACHA_STATE_LENGTH]; }; void chacha_set_key(struct chacha_ctx *ctx, const uint8_t *key); void chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce); void chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce); void chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter); void chacha_set_counter32(struct chacha_ctx *ctx, const uint8_t *counter); void chacha_crypt(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void chacha_crypt32(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CHACHA_H_INCLUDED */ nettle-3.10/chacha-crypt.c0000644000175000017500000001640114633602171014473 0ustar nissenisse/* chacha-crypt.c The crypt function in the ChaCha stream cipher. Heavily based on the Salsa20 implementation in Nettle. Copyright (C) 2014 Niels Möller Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: chacha-ref.c version 2008.01.20. D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "chacha.h" #include "chacha-internal.h" #include "macros.h" #include "memxor.h" #define CHACHA_ROUNDS 20 #if HAVE_NATIVE_chacha_4core #define _nettle_chacha_crypt_4core chacha_crypt #define _nettle_chacha_crypt32_4core chacha_crypt32 #elif HAVE_NATIVE_chacha_3core #define _nettle_chacha_crypt_3core chacha_crypt #define _nettle_chacha_crypt32_3core chacha_crypt32 #elif !(HAVE_NATIVE_fat_chacha_4core || HAVE_NATIVE_fat_chacha_3core) #define _nettle_chacha_crypt_1core chacha_crypt #define _nettle_chacha_crypt32_1core chacha_crypt32 #endif #if HAVE_NATIVE_chacha_4core || HAVE_NATIVE_fat_chacha_4core void _nettle_chacha_crypt_4core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[4*_CHACHA_STATE_LENGTH]; if (!length) return; while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_4core (x, ctx->state, CHACHA_ROUNDS); if (length <= 4*CHACHA_BLOCK_SIZE) { uint32_t incr = 3 + (length > 3*CHACHA_BLOCK_SIZE); ctx->state[12] += incr; ctx->state[13] += (ctx->state[12] < incr); memxor3 (dst, src, x, length); return; } ctx->state[12] += 4; ctx->state[13] += (ctx->state[12] < 4); memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE); length -= 4*CHACHA_BLOCK_SIZE; dst += 4*CHACHA_BLOCK_SIZE; src += 4*CHACHA_BLOCK_SIZE; } if (length > CHACHA_BLOCK_SIZE) { _nettle_chacha_2core (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 2; ctx->state[13] += (ctx->state[12] < 2); } else { _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ctx->state[13] += (++ctx->state[12] == 0); } memxor3 (dst, src, x, length); } #endif #if HAVE_NATIVE_chacha_3core || HAVE_NATIVE_fat_chacha_3core void _nettle_chacha_crypt_3core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[3*_CHACHA_STATE_LENGTH]; if (!length) return; while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_3core (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 3; ctx->state[13] += (ctx->state[12] < 3); if (length <= 3*CHACHA_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, 3*CHACHA_BLOCK_SIZE); length -= 3*CHACHA_BLOCK_SIZE; dst += 3*CHACHA_BLOCK_SIZE; src += 3*CHACHA_BLOCK_SIZE; } if (length <= CHACHA_BLOCK_SIZE) { _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ctx->state[13] += (++ctx->state[12] == 0); } else { _nettle_chacha_3core (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 2; ctx->state[13] += (ctx->state[12] < 2); } memxor3 (dst, src, x, length); } #endif #if !(HAVE_NATIVE_chacha_4core || HAVE_NATIVE_chacha_3core) void _nettle_chacha_crypt_1core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; for (;;) { uint32_t x[_CHACHA_STATE_LENGTH]; _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ctx->state[13] += (++ctx->state[12] == 0); /* stopping at 2^70 length per nonce is user's responsibility */ if (length <= CHACHA_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, CHACHA_BLOCK_SIZE); length -= CHACHA_BLOCK_SIZE; dst += CHACHA_BLOCK_SIZE; src += CHACHA_BLOCK_SIZE; } } #endif #if HAVE_NATIVE_chacha_4core || HAVE_NATIVE_fat_chacha_4core void _nettle_chacha_crypt32_4core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[4*_CHACHA_STATE_LENGTH]; if (!length) return; while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_4core32 (x, ctx->state, CHACHA_ROUNDS); if (length <= 4*CHACHA_BLOCK_SIZE) { ctx->state[12] += 3 + (length > 3*CHACHA_BLOCK_SIZE); memxor3 (dst, src, x, length); return; } ctx->state[12] += 4; memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE); length -= 4*CHACHA_BLOCK_SIZE; dst += 4*CHACHA_BLOCK_SIZE; src += 4*CHACHA_BLOCK_SIZE; } if (length > CHACHA_BLOCK_SIZE) { _nettle_chacha_2core32 (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 2; } else { _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ++ctx->state[12]; } memxor3 (dst, src, x, length); } #endif #if HAVE_NATIVE_chacha_3core || HAVE_NATIVE_fat_chacha_3core void _nettle_chacha_crypt32_3core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[3*_CHACHA_STATE_LENGTH]; if (!length) return; while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 3; if (length <= 3*CHACHA_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, 3*CHACHA_BLOCK_SIZE); length -= 3*CHACHA_BLOCK_SIZE; dst += 3*CHACHA_BLOCK_SIZE; src += 3*CHACHA_BLOCK_SIZE; } if (length <= CHACHA_BLOCK_SIZE) { _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ++ctx->state[12]; } else { _nettle_chacha_3core32 (x, ctx->state, CHACHA_ROUNDS); ctx->state[12] += 2; } memxor3 (dst, src, x, length); } #endif #if !(HAVE_NATIVE_chacha_4core || HAVE_NATIVE_chacha_3core) void _nettle_chacha_crypt32_1core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; for (;;) { uint32_t x[_CHACHA_STATE_LENGTH]; _nettle_chacha_core (x, ctx->state, CHACHA_ROUNDS); ++ctx->state[12]; /* stopping at 2^38 length per nonce is user's responsibility */ if (length <= CHACHA_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, CHACHA_BLOCK_SIZE); length -= CHACHA_BLOCK_SIZE; dst += CHACHA_BLOCK_SIZE; src += CHACHA_BLOCK_SIZE; } } #endif nettle-3.10/buffer-init.c0000644000175000017500000000250614633602171014340 0ustar nissenisse/* buffer-init.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "buffer.h" #include "realloc.h" /* This is in a separate file so that we don't link in realloc in * programs that don't need it. */ void nettle_buffer_init(struct nettle_buffer *buffer) { nettle_buffer_init_realloc(buffer, NULL, nettle_realloc); } nettle-3.10/md2.c0000644000175000017500000001047614633602171012615 0ustar nissenisse/* md2.c The MD2 hash function, described in RFC 1319. Copyright (C) 2003 Niels Möller, Andreas Sigfridsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This code originates from the Python Cryptography Toolkit, version 1.0.1. Further hacked by Andreas Sigfridsson and Niels Möller. Original license: =================================================================== Distribute and use freely; there are no restrictions on further dissemination and usage except those imposed by the laws of your country of residence. This software is provided "as is" without warranty of fitness for use or suitability for any purpose, express or implied. Use at your own risk or not at all. =================================================================== Incorporating the code into commercial products is permitted; you do not have to make source available or contribute your changes back (though that would be nice). --amk (www.amk.ca) */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "md2.h" #include "macros.h" static const uint8_t S[256] = { 41, 46, 67, 201, 162, 216, 124, 1, 61, 54, 84, 161, 236, 240, 6, 19, 98, 167, 5, 243, 192, 199, 115, 140, 152, 147, 43, 217, 188, 76, 130, 202, 30, 155, 87, 60, 253, 212, 224, 22, 103, 66, 111, 24, 138, 23, 229, 18, 190, 78, 196, 214, 218, 158, 222, 73, 160, 251, 245, 142, 187, 47, 238, 122, 169, 104, 121, 145, 21, 178, 7, 63, 148, 194, 16, 137, 11, 34, 95, 33, 128, 127, 93, 154, 90, 144, 50, 39, 53, 62, 204, 231, 191, 247, 151, 3, 255, 25, 48, 179, 72, 165, 181, 209, 215, 94, 146, 42, 172, 86, 170, 198, 79, 184, 56, 210, 150, 164, 125, 182, 118, 252, 107, 226, 156, 116, 4, 241, 69, 157, 112, 89, 100, 113, 135, 32, 134, 91, 207, 101, 230, 45, 168, 2, 27, 96, 37, 173, 174, 176, 185, 246, 28, 70, 97, 105, 52, 64, 126, 15, 85, 71, 163, 35, 221, 81, 175, 58, 195, 92, 249, 206, 186, 197, 234, 38, 44, 83, 13, 110, 133, 40, 132, 9, 211, 223, 205, 244, 65, 129, 77, 82, 106, 220, 55, 200, 108, 193, 171, 250, 36, 225, 123, 8, 12, 189, 177, 74, 120, 136, 149, 139, 227, 99, 232, 109, 233, 203, 213, 254, 59, 0, 29, 57, 242, 239, 183, 14, 102, 88, 208, 228, 166, 119, 114, 248, 235, 117, 75, 10, 49, 68, 80, 180, 143, 237, 31, 26, 219, 153, 141, 51, 159, 17, 131, 20 }; static void md2_transform(struct md2_ctx *ctx, const uint8_t *data) { unsigned i; uint8_t t; memcpy(ctx->X + 16, data, MD2_BLOCK_SIZE); for (i = 0, t = ctx->C[15]; iX[2 * MD2_BLOCK_SIZE + i] = ctx->X[i] ^ ctx->X[MD2_BLOCK_SIZE + i]; t = (ctx->C[i] ^= S[data[i]^t]); } for (i = t = 0; i< MD2_BLOCK_SIZE + 2; t = (t + i) & 0xff, i++) { unsigned j; for (j = 0; j < 3 * MD2_BLOCK_SIZE; j++) t = (ctx->X[j] ^= S[t]); } } void md2_init(struct md2_ctx *ctx) { memset(ctx, 0, sizeof(*ctx)); } void md2_update(struct md2_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, md2_transform, (void)0); } void md2_digest(struct md2_ctx *ctx, size_t length, uint8_t *digest) { unsigned left; assert(length <= MD2_DIGEST_SIZE); left = MD2_BLOCK_SIZE - ctx->index; memset(ctx->block + ctx->index, left, left); md2_transform(ctx, ctx->block); md2_transform(ctx, ctx->C); memcpy(digest, ctx->X, length); md2_init(ctx); } nettle-3.10/dsa-gen-params.c0000644000175000017500000000537714633602171014736 0ustar nissenisse/* dsa-gen-params.c Generation of DSA parameters Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "dsa.h" #include "bignum.h" #include "nettle-internal.h" #include "hogweed-internal.h" /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), (2048, 256), (3072, 256). */ int dsa_generate_params(struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits) { mpz_t r; unsigned p0_bits; unsigned a; if (q_bits < 30 || p_bits < q_bits + 30) return 0; mpz_init (r); nettle_random_prime (params->q, q_bits, 0, random_ctx, random, progress_ctx, progress); if (q_bits >= (p_bits + 2)/3) _nettle_generate_pocklington_prime (params->p, r, p_bits, 0, random_ctx, random, params->q, NULL, params->q); else { mpz_t p0, p0q; mpz_init (p0); mpz_init (p0q); p0_bits = (p_bits + 3)/2; nettle_random_prime (p0, p0_bits, 0, random_ctx, random, progress_ctx, progress); if (progress) progress (progress_ctx, 'q'); /* Generate p = 2 r q p0 + 1, such that 2^{n-1} < p < 2^n. */ mpz_mul (p0q, p0, params->q); _nettle_generate_pocklington_prime (params->p, r, p_bits, 0, random_ctx, random, p0, params->q, p0q); mpz_mul (r, r, p0); mpz_clear (p0); mpz_clear (p0q); } if (progress) progress (progress_ctx, 'p'); for (a = 2; ; a++) { mpz_set_ui (params->g, a); mpz_powm (params->g, params->g, r, params->p); if (mpz_cmp_ui (params->g, 1) != 0) break; } mpz_clear (r); if (progress) progress (progress_ctx, 'g'); return 1; } nettle-3.10/aes.h0000644000175000017500000001214514633602172012704 0ustar nissenisse/* aes.h The aes/rijndael block cipher. Copyright (C) 2001, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_AES_H_INCLUDED #define NETTLE_AES_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define aes_set_encrypt_key nettle_aes_set_encrypt_key #define aes_set_decrypt_key nettle_aes_set_decrypt_key #define aes_invert_key nettle_aes_invert_key #define aes_encrypt nettle_aes_encrypt #define aes_decrypt nettle_aes_decrypt #define aes128_set_encrypt_key nettle_aes128_set_encrypt_key #define aes128_set_decrypt_key nettle_aes128_set_decrypt_key #define aes128_invert_key nettle_aes128_invert_key #define aes128_encrypt nettle_aes128_encrypt #define aes128_decrypt nettle_aes128_decrypt #define aes192_set_encrypt_key nettle_aes192_set_encrypt_key #define aes192_set_decrypt_key nettle_aes192_set_decrypt_key #define aes192_invert_key nettle_aes192_invert_key #define aes192_encrypt nettle_aes192_encrypt #define aes192_decrypt nettle_aes192_decrypt #define aes256_set_encrypt_key nettle_aes256_set_encrypt_key #define aes256_set_decrypt_key nettle_aes256_set_decrypt_key #define aes256_invert_key nettle_aes256_invert_key #define aes256_encrypt nettle_aes256_encrypt #define aes256_decrypt nettle_aes256_decrypt #define AES_BLOCK_SIZE 16 #define AES128_KEY_SIZE 16 #define AES192_KEY_SIZE 24 #define AES256_KEY_SIZE 32 #define _AES128_ROUNDS 10 #define _AES192_ROUNDS 12 #define _AES256_ROUNDS 14 struct aes128_ctx { uint32_t keys[4 * (_AES128_ROUNDS + 1)]; }; void aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key); void aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key); void aes128_invert_key(struct aes128_ctx *dst, const struct aes128_ctx *src); void aes128_encrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes128_decrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes192_ctx { uint32_t keys[4 * (_AES192_ROUNDS + 1)]; }; void aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key); void aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key); void aes192_invert_key(struct aes192_ctx *dst, const struct aes192_ctx *src); void aes192_encrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes192_decrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes256_ctx { uint32_t keys[4 * (_AES256_ROUNDS + 1)]; }; void aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key); void aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key); void aes256_invert_key(struct aes256_ctx *dst, const struct aes256_ctx *src); void aes256_encrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void aes256_decrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* The older nettle-2.7 AES interface is deprecated, please migrate to the newer interface where each algorithm has a fixed key size. */ /* Variable key size between 128 and 256 bits. But the only valid * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */ #define AES_MIN_KEY_SIZE AES128_KEY_SIZE #define AES_MAX_KEY_SIZE AES256_KEY_SIZE #define AES_KEY_SIZE 32 struct aes_ctx { unsigned key_size; /* In octets */ union { struct aes128_ctx ctx128; struct aes192_ctx ctx192; struct aes256_ctx ctx256; } u; }; void aes_set_encrypt_key(struct aes_ctx *ctx, size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED; void aes_set_decrypt_key(struct aes_ctx *ctx, size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED; void aes_invert_key(struct aes_ctx *dst, const struct aes_ctx *src) _NETTLE_ATTRIBUTE_DEPRECATED; void aes_encrypt(const struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED; void aes_decrypt(const struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED; #ifdef __cplusplus } #endif #endif /* NETTLE_AES_H_INCLUDED */ nettle-3.10/sha512-256-meta.c0000644000175000017500000000261314633602171014366 0ustar nissenisse/* sha512-256-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha512_256 = { "sha512_256", sizeof(struct sha512_ctx), SHA512_256_DIGEST_SIZE, SHA512_256_BLOCK_SIZE, (nettle_hash_init_func *) sha512_256_init, (nettle_hash_update_func *) sha512_256_update, (nettle_hash_digest_func *) sha512_256_digest }; nettle-3.10/aes-invert-internal.c0000644000175000017500000001255314633602171016020 0ustar nissenisse/* aes-invert-internal.c Inverse key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Originally written by Rafael R. Sevilla */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes_invert void _nettle_aes_invert_c(unsigned rounds, uint32_t *dst, const uint32_t *src); #define _nettle_aes_invert _nettle_aes_invert_c #endif /* NOTE: We don't include rotated versions of the table. */ static const uint32_t mtable[0x100] = { 0x00000000,0x0b0d090e,0x161a121c,0x1d171b12, 0x2c342438,0x27392d36,0x3a2e3624,0x31233f2a, 0x58684870,0x5365417e,0x4e725a6c,0x457f5362, 0x745c6c48,0x7f516546,0x62467e54,0x694b775a, 0xb0d090e0,0xbbdd99ee,0xa6ca82fc,0xadc78bf2, 0x9ce4b4d8,0x97e9bdd6,0x8afea6c4,0x81f3afca, 0xe8b8d890,0xe3b5d19e,0xfea2ca8c,0xf5afc382, 0xc48cfca8,0xcf81f5a6,0xd296eeb4,0xd99be7ba, 0x7bbb3bdb,0x70b632d5,0x6da129c7,0x66ac20c9, 0x578f1fe3,0x5c8216ed,0x41950dff,0x4a9804f1, 0x23d373ab,0x28de7aa5,0x35c961b7,0x3ec468b9, 0x0fe75793,0x04ea5e9d,0x19fd458f,0x12f04c81, 0xcb6bab3b,0xc066a235,0xdd71b927,0xd67cb029, 0xe75f8f03,0xec52860d,0xf1459d1f,0xfa489411, 0x9303e34b,0x980eea45,0x8519f157,0x8e14f859, 0xbf37c773,0xb43ace7d,0xa92dd56f,0xa220dc61, 0xf66d76ad,0xfd607fa3,0xe07764b1,0xeb7a6dbf, 0xda595295,0xd1545b9b,0xcc434089,0xc74e4987, 0xae053edd,0xa50837d3,0xb81f2cc1,0xb31225cf, 0x82311ae5,0x893c13eb,0x942b08f9,0x9f2601f7, 0x46bde64d,0x4db0ef43,0x50a7f451,0x5baafd5f, 0x6a89c275,0x6184cb7b,0x7c93d069,0x779ed967, 0x1ed5ae3d,0x15d8a733,0x08cfbc21,0x03c2b52f, 0x32e18a05,0x39ec830b,0x24fb9819,0x2ff69117, 0x8dd64d76,0x86db4478,0x9bcc5f6a,0x90c15664, 0xa1e2694e,0xaaef6040,0xb7f87b52,0xbcf5725c, 0xd5be0506,0xdeb30c08,0xc3a4171a,0xc8a91e14, 0xf98a213e,0xf2872830,0xef903322,0xe49d3a2c, 0x3d06dd96,0x360bd498,0x2b1ccf8a,0x2011c684, 0x1132f9ae,0x1a3ff0a0,0x0728ebb2,0x0c25e2bc, 0x656e95e6,0x6e639ce8,0x737487fa,0x78798ef4, 0x495ab1de,0x4257b8d0,0x5f40a3c2,0x544daacc, 0xf7daec41,0xfcd7e54f,0xe1c0fe5d,0xeacdf753, 0xdbeec879,0xd0e3c177,0xcdf4da65,0xc6f9d36b, 0xafb2a431,0xa4bfad3f,0xb9a8b62d,0xb2a5bf23, 0x83868009,0x888b8907,0x959c9215,0x9e919b1b, 0x470a7ca1,0x4c0775af,0x51106ebd,0x5a1d67b3, 0x6b3e5899,0x60335197,0x7d244a85,0x7629438b, 0x1f6234d1,0x146f3ddf,0x097826cd,0x02752fc3, 0x335610e9,0x385b19e7,0x254c02f5,0x2e410bfb, 0x8c61d79a,0x876cde94,0x9a7bc586,0x9176cc88, 0xa055f3a2,0xab58faac,0xb64fe1be,0xbd42e8b0, 0xd4099fea,0xdf0496e4,0xc2138df6,0xc91e84f8, 0xf83dbbd2,0xf330b2dc,0xee27a9ce,0xe52aa0c0, 0x3cb1477a,0x37bc4e74,0x2aab5566,0x21a65c68, 0x10856342,0x1b886a4c,0x069f715e,0x0d927850, 0x64d90f0a,0x6fd40604,0x72c31d16,0x79ce1418, 0x48ed2b32,0x43e0223c,0x5ef7392e,0x55fa3020, 0x01b79aec,0x0aba93e2,0x17ad88f0,0x1ca081fe, 0x2d83bed4,0x268eb7da,0x3b99acc8,0x3094a5c6, 0x59dfd29c,0x52d2db92,0x4fc5c080,0x44c8c98e, 0x75ebf6a4,0x7ee6ffaa,0x63f1e4b8,0x68fcedb6, 0xb1670a0c,0xba6a0302,0xa77d1810,0xac70111e, 0x9d532e34,0x965e273a,0x8b493c28,0x80443526, 0xe90f427c,0xe2024b72,0xff155060,0xf418596e, 0xc53b6644,0xce366f4a,0xd3217458,0xd82c7d56, 0x7a0ca137,0x7101a839,0x6c16b32b,0x671bba25, 0x5638850f,0x5d358c01,0x40229713,0x4b2f9e1d, 0x2264e947,0x2969e049,0x347efb5b,0x3f73f255, 0x0e50cd7f,0x055dc471,0x184adf63,0x1347d66d, 0xcadc31d7,0xc1d138d9,0xdcc623cb,0xd7cb2ac5, 0xe6e815ef,0xede51ce1,0xf0f207f3,0xfbff0efd, 0x92b479a7,0x99b970a9,0x84ae6bbb,0x8fa362b5, 0xbe805d9f,0xb58d5491,0xa89a4f83,0xa397468d, }; #define MIX_COLUMN(T, out, in) do { \ uint32_t _k, _nk, _t; \ _k = (in); \ _nk = T[_k & 0xff]; \ _k >>= 8; \ _t = T[_k & 0xff]; \ _nk ^= ROTL32(8, _t); \ _k >>= 8; \ _t = T[_k & 0xff]; \ _nk ^= ROTL32(16, _t); \ _k >>= 8; \ _t = T[_k & 0xff]; \ _nk ^= ROTL32(24, _t); \ (out) = _nk; \ } while(0) #define SWAP(a, b) \ do { uint32_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) void _nettle_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src) { unsigned i; /* Transform all subkeys but the first and last. */ for (i = 4; i < 4 * rounds; i++) MIX_COLUMN (mtable, dst[i], src[i]); if (src != dst) { dst[0] = src[0]; dst[1] = src[1]; dst[2] = src[2]; dst[3] = src[3]; dst[i] = src[i]; dst[i+1] = src[i+1]; dst[i+2] = src[i+2]; dst[i+3] = src[i+3]; } } nettle-3.10/dsa.h0000644000175000017500000001300714633602172012701 0ustar nissenisse/* dsa.h The DSA publickey algorithm. Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DSA_H_INCLUDED #define NETTLE_DSA_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define dsa_params_init nettle_dsa_params_init #define dsa_params_clear nettle_dsa_params_clear #define dsa_signature_init nettle_dsa_signature_init #define dsa_signature_clear nettle_dsa_signature_clear #define dsa_sign nettle_dsa_sign #define dsa_verify nettle_dsa_verify #define dsa_generate_params nettle_dsa_generate_params #define dsa_generate_keypair nettle_dsa_generate_keypair #define dsa_signature_from_sexp nettle_dsa_signature_from_sexp #define dsa_keypair_to_sexp nettle_dsa_keypair_to_sexp #define dsa_keypair_from_sexp_alist nettle_dsa_keypair_from_sexp_alist #define dsa_sha1_keypair_from_sexp nettle_dsa_sha1_keypair_from_sexp #define dsa_sha256_keypair_from_sexp nettle_dsa_sha256_keypair_from_sexp #define dsa_params_from_der_iterator nettle_dsa_params_from_der_iterator #define dsa_public_key_from_der_iterator nettle_dsa_public_key_from_der_iterator #define dsa_openssl_private_key_from_der_iterator nettle_dsa_openssl_private_key_from_der_iterator #define dsa_openssl_private_key_from_der nettle_openssl_provate_key_from_der /* For FIPS approved parameters */ #define DSA_SHA1_MIN_P_BITS 512 #define DSA_SHA1_Q_OCTETS 20 #define DSA_SHA1_Q_BITS 160 #define DSA_SHA256_MIN_P_BITS 1024 #define DSA_SHA256_Q_OCTETS 32 #define DSA_SHA256_Q_BITS 256 struct dsa_params { /* Modulo */ mpz_t p; /* Group order */ mpz_t q; /* Generator */ mpz_t g; }; void dsa_params_init (struct dsa_params *params); void dsa_params_clear (struct dsa_params *params); struct dsa_signature { mpz_t r; mpz_t s; }; /* Calls mpz_init to initialize bignum storage. */ void dsa_signature_init(struct dsa_signature *signature); /* Calls mpz_clear to deallocate bignum storage. */ void dsa_signature_clear(struct dsa_signature *signature); int dsa_sign(const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature); int dsa_verify(const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature); /* Key generation */ int dsa_generate_params(struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits); void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random); /* Keys in sexp form. */ struct nettle_buffer; /* Generates a public-key expression if PRIV is NULL .*/ int dsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, /* NULL means "dsa" */ const struct dsa_params *params, const mpz_t pub, const mpz_t priv); struct sexp_iterator; int dsa_signature_from_sexp(struct dsa_signature *rs, struct sexp_iterator *i, unsigned q_bits); int dsa_keypair_from_sexp_alist(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, unsigned q_bits, struct sexp_iterator *i); /* If PRIV is NULL, expect a public-key expression. If PUB is NULL, * expect a private key expression and ignore the parts not needed for * the public key. */ /* Keys must be initialized before calling this function, as usual. */ int dsa_sha1_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr); int dsa_sha256_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr); /* Keys in X.509 andd OpenSSL format. */ struct asn1_der_iterator; int dsa_params_from_der_iterator(struct dsa_params *params, unsigned max_bits, unsigned q_bits, struct asn1_der_iterator *i); int dsa_public_key_from_der_iterator(const struct dsa_params *params, mpz_t pub, struct asn1_der_iterator *i); int dsa_openssl_private_key_from_der_iterator(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, struct asn1_der_iterator *i); int dsa_openssl_private_key_from_der(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_DSA_H_INCLUDED */ nettle-3.10/aes256-encrypt.c0000644000175000017500000000323614633602171014616 0ustar nissenisse/* aes256-encrypt.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes256_encrypt void _nettle_aes256_encrypt_c(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes256_encrypt _nettle_aes256_encrypt_c #endif void nettle_aes256_encrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_encrypt(_AES256_ROUNDS, ctx->keys, &_nettle_aes_encrypt_table, length, dst, src); } nettle-3.10/chacha-poly1305.h0000644000175000017500000000543114633602172014635 0ustar nissenisse/* chacha-poly1305.h AEAD mechanism based on chacha and poly1305. See draft-agl-tls-chacha20poly1305-04. Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CHACHA_POLY1305_H_INCLUDED #define NETTLE_CHACHA_POLY1305_H_INCLUDED #include "chacha.h" #include "poly1305.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define chacha_poly1305_set_key nettle_chacha_poly1305_set_key #define chacha_poly1305_set_nonce nettle_chacha_poly1305_set_nonce #define chacha_poly1305_update nettle_chacha_poly1305_update #define chacha_poly1305_decrypt nettle_chacha_poly1305_decrypt #define chacha_poly1305_encrypt nettle_chacha_poly1305_encrypt #define chacha_poly1305_digest nettle_chacha_poly1305_digest #define CHACHA_POLY1305_BLOCK_SIZE 64 /* FIXME: Any need for 128-bit variant? */ #define CHACHA_POLY1305_KEY_SIZE 32 #define CHACHA_POLY1305_NONCE_SIZE CHACHA_NONCE96_SIZE #define CHACHA_POLY1305_DIGEST_SIZE 16 struct chacha_poly1305_ctx { struct chacha_ctx chacha; struct poly1305_ctx poly1305; union nettle_block16 s; uint64_t auth_size; uint64_t data_size; /* poly1305 block */ uint8_t block[POLY1305_BLOCK_SIZE]; unsigned index; }; void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key); void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce); void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data); void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_CHACHA_POLY1305_H_INCLUDED */ nettle-3.10/rsa-sha512-sign-tr.c0000644000175000017500000000375714633602171015306 0ustar nissenisse/* rsa-sha512-sign-tr.c Signatures using RSA and SHA512. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha512_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha512_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha512_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.10/write-le32.c0000644000175000017500000000302614633602171014021 0ustar nissenisse/* write-le32.c Copyright (C) 2001, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-write.h" #include "macros.h" void _nettle_write_le32(size_t length, uint8_t *dst, const uint32_t *src) { size_t i; size_t words; unsigned leftover; words = length / 4; leftover = length % 4; for (i = 0; i < words; i++, dst += 4) LE_WRITE_UINT32(dst, src[i]); if (leftover) { uint32_t word; word = src[i]; do { *dst++ = word & 0xff; word >>= 8; } while (--leftover); } } nettle-3.10/hmac-sha224-meta.c0000644000175000017500000000245514633602171014766 0ustar nissenisse/* hmac-sha224-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha224_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha224_set_key (ctx, SHA224_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha224 = _NETTLE_HMAC(hmac_sha224, SHA224); nettle-3.10/pkcs1-rsa-sha1.c0000644000175000017500000000546414633602171014572 0ustar nissenisse/* pkcs1-rsa-sha1.c PKCS stuff for rsa-sha1. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "hogweed-internal.h" #include "gmp-glue.h" /* From pkcs-1v2 * * id-sha1 OBJECT IDENTIFIER ::= * {iso(1) identified-organization(3) oiw(14) secsig(3) * algorithms(2) 26} * * The default hash function is SHA-1: * sha1Identifier ::= AlgorithmIdentifier {id-sha1, NULL} */ static const uint8_t sha1_prefix[] = { /* 15 octets prefix, 20 octets hash, total 35 */ 0x30, 33, /* SEQUENCE */ 0x30, 9, /* SEQUENCE */ 0x06, 5, /* OBJECT IDENTIFIER */ 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0, /* NULL */ 0x04, 20 /* OCTET STRING */ /* Here comes the raw hash value */ }; int pkcs1_rsa_sha1_encode(mpz_t m, size_t key_size, struct sha1_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha1_prefix), sha1_prefix, SHA1_DIGEST_SIZE); if (p) { sha1_digest(hash, SHA1_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha1_prefix), sha1_prefix, SHA1_DIGEST_SIZE); if (p) { memcpy(p, digest, SHA1_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-3.10/gostdsa-verify.c0000644000175000017500000000423314633602172015074 0ustar nissenisse/* gostdsa-verify.c Copyright (C) 2015 Dmitry Eremin-Solenikov Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gostdsa.h" #include "gmp-glue.h" int gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature) { mp_limb_t size = ecc_size (pub->ecc); mp_size_t itch = 2*size + ecc_gostdsa_verify_itch (pub->ecc); /* For ECC_MUL_A_WBITS == 0, at most 1512 bytes. With ECC_MUL_A_WBITS == 4, currently needs 67 * ecc->size, at most 4824 bytes. Don't use stack allocation for this. */ mp_limb_t *scratch; int res; #define rp scratch #define sp (scratch + size) #define scratch_out (scratch + 2*size) if (mpz_sgn (signature->r) <= 0 || mpz_size (signature->r) > size || mpz_sgn (signature->s) <= 0 || mpz_size (signature->s) > size) return 0; scratch = gmp_alloc_limbs (itch); mpz_limbs_copy (rp, signature->r, size); mpz_limbs_copy (sp, signature->s, size); res = ecc_gostdsa_verify (pub->ecc, pub->p, length, digest, rp, sp, scratch_out); gmp_free_limbs (scratch, itch); return res; #undef rp #undef sp #undef scratch_out } nettle-3.10/rsa-pkcs1-sign-tr.c0000644000175000017500000000324214633602171015311 0ustar nissenisse/* rsa-pkcs1-sign-tr.c Creating timing resistant RSA signatures. Copyright (C) 2012 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "pkcs1.h" /* Side-channel resistant version of rsa_pkcs1_sign() */ int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t s) { mpz_t m; int ret; mpz_init(m); ret = (pkcs1_rsa_digest_encode (m, key->size, length, digest_info) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear(m); return ret; } nettle-3.10/eddsa-sign.c0000644000175000017500000000670714633602172014154 0ustar nissenisse/* eddsa-sign.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-meta.h" mp_size_t _eddsa_sign_itch (const struct ecc_curve *ecc) { assert (ecc->mul_g_itch <= _eddsa_compress_itch (ecc)); return 5*ecc->p.size + _eddsa_compress_itch (ecc); } void _eddsa_sign (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *pub, const uint8_t *k1, const mp_limb_t *k2, size_t length, const uint8_t *msg, uint8_t *signature, mp_limb_t *scratch) { mp_size_t size; size_t nbytes; mp_limb_t q, cy; #define rp scratch #define hp (scratch + size) #define P (scratch + 2*size) #define sp (scratch + 2*size) #define hash ((uint8_t *) (scratch + 3*size)) #define scratch_out (scratch + 5*size) size = ecc->p.size; nbytes = 1 + ecc->p.bit_size / 8; eddsa->dom (ctx); eddsa->update (ctx, nbytes, k1); eddsa->update (ctx, length, msg); eddsa->digest (ctx, 2*nbytes, hash); _eddsa_hash (&ecc->q, rp, 2*nbytes, hash); ecc->mul_g (ecc, P, rp, scratch_out); _eddsa_compress (ecc, signature, P, scratch_out); eddsa->dom (ctx); eddsa->update (ctx, nbytes, signature); eddsa->update (ctx, nbytes, pub); eddsa->update (ctx, length, msg); eddsa->digest (ctx, 2*nbytes, hash); _eddsa_hash (&ecc->q, hp, 2*nbytes, hash); ecc_mod_mul (&ecc->q, sp, hp, k2, sp); ecc_mod_add (&ecc->q, sp, sp, rp); /* FIXME: Can be plain add */ if (ecc->p.bit_size == 255) { /* FIXME: Special code duplicated in ecc_curve25519_modq Define a suitable method for canonical reduction? */ /* q is slightly larger than 2^252, underflow from below mpn_submul_1 is unlikely. */ unsigned shift = 252 - GMP_NUMB_BITS * (ecc->p.size - 1); q = sp[ecc->p.size-1] >> shift; } else { unsigned shift; assert (ecc->p.bit_size == 448); /* q is slightly smaller than 2^446 */ shift = 446 - GMP_NUMB_BITS * (ecc->p.size - 1); /* Add one, then it's possible but unlikely that below mpn_submul_1 does *not* underflow. */ q = (sp[ecc->p.size-1] >> shift) + 1; } cy = mpn_submul_1 (sp, ecc->q.m, ecc->p.size, q); assert_maybe (cy < 2); cy -= mpn_cnd_add_n (cy, sp, sp, ecc->q.m, ecc->p.size); assert_maybe (cy == 0); mpn_get_base256_le (signature + nbytes, nbytes, sp, ecc->q.size); #undef rp #undef hp #undef P #undef sp #undef hash } nettle-3.10/arctwo.c0000644000175000017500000001612314633602171013425 0ustar nissenisse/* arctwo.c The cipher described in rfc2268; aka Ron's Cipher 2. Copyright (C) 2004 Simon Josefsson Copyright (C) 2003 Nikos Mavroyanopoulos Copyright (C) 2004 Free Software Foundation, Inc. Copyright (C) 2004, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This implementation was written by Nikos Mavroyanopoulos for GNUTLS * as a Libgcrypt module (gnutls/lib/x509/rc2.c) and later adapted for * direct use by Libgcrypt by Werner Koch and later adapted for direct * use by Nettle by Simon Josefsson and Niels Möller. * * The implementation here is based on Peter Gutmann's RRC.2 paper and * RFC 2268. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "arctwo.h" #include "macros.h" static const uint8_t arctwo_sbox[] = { 0xd9, 0x78, 0xf9, 0xc4, 0x19, 0xdd, 0xb5, 0xed, 0x28, 0xe9, 0xfd, 0x79, 0x4a, 0xa0, 0xd8, 0x9d, 0xc6, 0x7e, 0x37, 0x83, 0x2b, 0x76, 0x53, 0x8e, 0x62, 0x4c, 0x64, 0x88, 0x44, 0x8b, 0xfb, 0xa2, 0x17, 0x9a, 0x59, 0xf5, 0x87, 0xb3, 0x4f, 0x13, 0x61, 0x45, 0x6d, 0x8d, 0x09, 0x81, 0x7d, 0x32, 0xbd, 0x8f, 0x40, 0xeb, 0x86, 0xb7, 0x7b, 0x0b, 0xf0, 0x95, 0x21, 0x22, 0x5c, 0x6b, 0x4e, 0x82, 0x54, 0xd6, 0x65, 0x93, 0xce, 0x60, 0xb2, 0x1c, 0x73, 0x56, 0xc0, 0x14, 0xa7, 0x8c, 0xf1, 0xdc, 0x12, 0x75, 0xca, 0x1f, 0x3b, 0xbe, 0xe4, 0xd1, 0x42, 0x3d, 0xd4, 0x30, 0xa3, 0x3c, 0xb6, 0x26, 0x6f, 0xbf, 0x0e, 0xda, 0x46, 0x69, 0x07, 0x57, 0x27, 0xf2, 0x1d, 0x9b, 0xbc, 0x94, 0x43, 0x03, 0xf8, 0x11, 0xc7, 0xf6, 0x90, 0xef, 0x3e, 0xe7, 0x06, 0xc3, 0xd5, 0x2f, 0xc8, 0x66, 0x1e, 0xd7, 0x08, 0xe8, 0xea, 0xde, 0x80, 0x52, 0xee, 0xf7, 0x84, 0xaa, 0x72, 0xac, 0x35, 0x4d, 0x6a, 0x2a, 0x96, 0x1a, 0xd2, 0x71, 0x5a, 0x15, 0x49, 0x74, 0x4b, 0x9f, 0xd0, 0x5e, 0x04, 0x18, 0xa4, 0xec, 0xc2, 0xe0, 0x41, 0x6e, 0x0f, 0x51, 0xcb, 0xcc, 0x24, 0x91, 0xaf, 0x50, 0xa1, 0xf4, 0x70, 0x39, 0x99, 0x7c, 0x3a, 0x85, 0x23, 0xb8, 0xb4, 0x7a, 0xfc, 0x02, 0x36, 0x5b, 0x25, 0x55, 0x97, 0x31, 0x2d, 0x5d, 0xfa, 0x98, 0xe3, 0x8a, 0x92, 0xae, 0x05, 0xdf, 0x29, 0x10, 0x67, 0x6c, 0xba, 0xc9, 0xd3, 0x00, 0xe6, 0xcf, 0xe1, 0x9e, 0xa8, 0x2c, 0x63, 0x16, 0x01, 0x3f, 0x58, 0xe2, 0x89, 0xa9, 0x0d, 0x38, 0x34, 0x1b, 0xab, 0x33, 0xff, 0xb0, 0xbb, 0x48, 0x0c, 0x5f, 0xb9, 0xb1, 0xcd, 0x2e, 0xc5, 0xf3, 0xdb, 0x47, 0xe5, 0xa5, 0x9c, 0x77, 0x0a, 0xa6, 0x20, 0x68, 0xfe, 0x7f, 0xc1, 0xad }; #define rotl16(x,n) (((x) << ((uint16_t)(n))) | ((x) >> (16 - (uint16_t)(n)))) #define rotr16(x,n) (((x) >> ((uint16_t)(n))) | ((x) << (16 - (uint16_t)(n)))) void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS (length, dst, src, ARCTWO_BLOCK_SIZE) { register unsigned i; uint16_t w0, w1, w2, w3; w0 = LE_READ_UINT16 (&src[0]); w1 = LE_READ_UINT16 (&src[2]); w2 = LE_READ_UINT16 (&src[4]); w3 = LE_READ_UINT16 (&src[6]); for (i = 0; i < 16; i++) { register unsigned j = i * 4; /* For some reason I cannot combine those steps. */ w0 += (w1 & ~w3) + (w2 & w3) + ctx->S[j]; w0 = rotl16 (w0, 1); w1 += (w2 & ~w0) + (w3 & w0) + ctx->S[j + 1]; w1 = rotl16 (w1, 2); w2 += (w3 & ~w1) + (w0 & w1) + ctx->S[j + 2]; w2 = rotl16 (w2, 3); w3 += (w0 & ~w2) + (w1 & w2) + ctx->S[j + 3]; w3 = rotl16 (w3, 5); if (i == 4 || i == 10) { w0 += ctx->S[w3 & 63]; w1 += ctx->S[w0 & 63]; w2 += ctx->S[w1 & 63]; w3 += ctx->S[w2 & 63]; } } LE_WRITE_UINT16 (&dst[0], w0); LE_WRITE_UINT16 (&dst[2], w1); LE_WRITE_UINT16 (&dst[4], w2); LE_WRITE_UINT16 (&dst[6], w3); } } void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS (length, dst, src, ARCTWO_BLOCK_SIZE) { register unsigned i; uint16_t w0, w1, w2, w3; w0 = LE_READ_UINT16 (&src[0]); w1 = LE_READ_UINT16 (&src[2]); w2 = LE_READ_UINT16 (&src[4]); w3 = LE_READ_UINT16 (&src[6]); for (i = 16; i-- > 0; ) { register unsigned j = i * 4; w3 = rotr16 (w3, 5); w3 -= (w0 & ~w2) + (w1 & w2) + ctx->S[j + 3]; w2 = rotr16 (w2, 3); w2 -= (w3 & ~w1) + (w0 & w1) + ctx->S[j + 2]; w1 = rotr16 (w1, 2); w1 -= (w2 & ~w0) + (w3 & w0) + ctx->S[j + 1]; w0 = rotr16 (w0, 1); w0 -= (w1 & ~w3) + (w2 & w3) + ctx->S[j]; if (i == 5 || i == 11) { w3 = w3 - ctx->S[w2 & 63]; w2 = w2 - ctx->S[w1 & 63]; w1 = w1 - ctx->S[w0 & 63]; w0 = w0 - ctx->S[w3 & 63]; } } LE_WRITE_UINT16 (&dst[0], w0); LE_WRITE_UINT16 (&dst[2], w1); LE_WRITE_UINT16 (&dst[4], w2); LE_WRITE_UINT16 (&dst[6], w3); } } void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t *key, unsigned ekb) { size_t i; /* Expanded key, treated as octets */ uint8_t S[128]; uint8_t x; assert (length >= ARCTWO_MIN_KEY_SIZE); assert (length <= ARCTWO_MAX_KEY_SIZE); assert (ekb <= 1024); for (i = 0; i < length; i++) S[i] = key[i]; /* Phase 1: Expand input key to 128 bytes */ for (i = length; i < ARCTWO_MAX_KEY_SIZE; i++) S[i] = arctwo_sbox[(S[i - length] + S[i - 1]) & 255]; S[0] = arctwo_sbox[S[0]]; /* Reduce effective key size to ekb bits, if requested by caller. */ if (ekb > 0 && ekb < 1024) { int len = (ekb + 7) >> 3; i = 128 - len; x = arctwo_sbox[S[i] & (255 >> (7 & -ekb))]; S[i] = x; while (i--) { x = arctwo_sbox[x ^ S[i + len]]; S[i] = x; } } /* Make the expanded key endian independent. */ for (i = 0; i < 64; i++) ctx->S[i] = LE_READ_UINT16(S + i * 2); } void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key) { arctwo_set_key_ekb (ctx, length, key, 8 * length); } void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key) { arctwo_set_key_ekb (ctx, length, key, 0); } void arctwo40_set_key (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 5, key, 40); } void arctwo64_set_key (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 8, key, 64); } void arctwo128_set_key (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 16, key, 128); } void arctwo128_set_key_gutmann (struct arctwo_ctx *ctx, const uint8_t *key) { arctwo_set_key_ekb (ctx, 16, key, 1024); } nettle-3.10/rsa.h0000644000175000017500000004346414633602172012731 0ustar nissenisse/* rsa.h The RSA publickey algorithm. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RSA_H_INCLUDED #define NETTLE_RSA_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #include "md5.h" #include "sha1.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define rsa_public_key_init nettle_rsa_public_key_init #define rsa_public_key_clear nettle_rsa_public_key_clear #define rsa_public_key_prepare nettle_rsa_public_key_prepare #define rsa_private_key_init nettle_rsa_private_key_init #define rsa_private_key_clear nettle_rsa_private_key_clear #define rsa_private_key_prepare nettle_rsa_private_key_prepare #define rsa_pkcs1_verify nettle_rsa_pkcs1_verify #define rsa_pkcs1_sign nettle_rsa_pkcs1_sign #define rsa_pkcs1_sign_tr nettle_rsa_pkcs1_sign_tr #define rsa_md5_sign nettle_rsa_md5_sign #define rsa_md5_sign_tr nettle_rsa_md5_sign_tr #define rsa_md5_verify nettle_rsa_md5_verify #define rsa_sha1_sign nettle_rsa_sha1_sign #define rsa_sha1_sign_tr nettle_rsa_sha1_sign_tr #define rsa_sha1_verify nettle_rsa_sha1_verify #define rsa_sha256_sign nettle_rsa_sha256_sign #define rsa_sha256_sign_tr nettle_rsa_sha256_sign_tr #define rsa_sha256_verify nettle_rsa_sha256_verify #define rsa_sha512_sign nettle_rsa_sha512_sign #define rsa_sha512_sign_tr nettle_rsa_sha512_sign_tr #define rsa_sha512_verify nettle_rsa_sha512_verify #define rsa_md5_sign_digest nettle_rsa_md5_sign_digest #define rsa_md5_sign_digest_tr nettle_rsa_md5_sign_digest_tr #define rsa_md5_verify_digest nettle_rsa_md5_verify_digest #define rsa_sha1_sign_digest nettle_rsa_sha1_sign_digest #define rsa_sha1_sign_digest_tr nettle_rsa_sha1_sign_digest_tr #define rsa_sha1_verify_digest nettle_rsa_sha1_verify_digest #define rsa_sha256_sign_digest nettle_rsa_sha256_sign_digest #define rsa_sha256_sign_digest_tr nettle_rsa_sha256_sign_digest_tr #define rsa_sha256_verify_digest nettle_rsa_sha256_verify_digest #define rsa_sha512_sign_digest nettle_rsa_sha512_sign_digest #define rsa_sha512_sign_digest_tr nettle_rsa_sha512_sign_digest_tr #define rsa_sha512_verify_digest nettle_rsa_sha512_verify_digest #define rsa_pss_sha256_sign_digest_tr nettle_rsa_pss_sha256_sign_digest_tr #define rsa_pss_sha256_verify_digest nettle_rsa_pss_sha256_verify_digest #define rsa_pss_sha384_sign_digest_tr nettle_rsa_pss_sha384_sign_digest_tr #define rsa_pss_sha384_verify_digest nettle_rsa_pss_sha384_verify_digest #define rsa_pss_sha512_sign_digest_tr nettle_rsa_pss_sha512_sign_digest_tr #define rsa_pss_sha512_verify_digest nettle_rsa_pss_sha512_verify_digest #define rsa_encrypt nettle_rsa_encrypt #define rsa_decrypt nettle_rsa_decrypt #define rsa_decrypt_tr nettle_rsa_decrypt_tr #define rsa_oaep_sha256_encrypt nettle_rsa_oaep_sha256_encrypt #define rsa_oaep_sha256_decrypt nettle_rsa_oaep_sha256_decrypt #define rsa_oaep_sha384_encrypt nettle_rsa_oaep_sha384_encrypt #define rsa_oaep_sha384_decrypt nettle_rsa_oaep_sha384_decrypt #define rsa_oaep_sha512_encrypt nettle_rsa_oaep_sha512_encrypt #define rsa_oaep_sha512_decrypt nettle_rsa_oaep_sha512_decrypt #define rsa_sec_decrypt nettle_rsa_sec_decrypt #define rsa_compute_root nettle_rsa_compute_root #define rsa_compute_root_tr nettle_rsa_compute_root_tr #define rsa_generate_keypair nettle_rsa_generate_keypair #define rsa_keypair_to_sexp nettle_rsa_keypair_to_sexp #define rsa_keypair_from_sexp_alist nettle_rsa_keypair_from_sexp_alist #define rsa_keypair_from_sexp nettle_rsa_keypair_from_sexp #define rsa_public_key_from_der_iterator nettle_rsa_public_key_from_der_iterator #define rsa_private_key_from_der_iterator nettle_rsa_private_key_from_der_iterator #define rsa_keypair_from_der nettle_rsa_keypair_from_der #define rsa_keypair_to_openpgp nettle_rsa_keypair_to_openpgp /* This limit is somewhat arbitrary. Technically, the smallest modulo which makes sense at all is 15 = 3*5, phi(15) = 8, size 4 bits. But for ridiculously small keys, not all odd e are possible (e.g., for 5 bits, the only possible modulo is 3*7 = 21, phi(21) = 12, and e = 3 don't work). The smallest size that makes sense with pkcs#1, and which allows RSA encryption of one byte messages, is 12 octets, 89 bits. */ #define RSA_MINIMUM_N_OCTETS 12 #define RSA_MINIMUM_N_BITS (8*RSA_MINIMUM_N_OCTETS - 7) struct rsa_public_key { /* Size of the modulo, in octets. This is also the size of all * signatures that are created or verified with this key. */ size_t size; /* Modulo */ mpz_t n; /* Public exponent */ mpz_t e; }; struct rsa_private_key { size_t size; /* d is filled in by the key generation function; otherwise it's * completely unused. */ mpz_t d; /* The two factors */ mpz_t p; mpz_t q; /* d % (p-1), i.e. a e = 1 (mod (p-1)) */ mpz_t a; /* d % (q-1), i.e. b e = 1 (mod (q-1)) */ mpz_t b; /* modular inverse of q , i.e. c q = 1 (mod p) */ mpz_t c; }; /* Signing a message works as follows: * * Store the private key in a rsa_private_key struct. * * Call rsa_private_key_prepare. This initializes the size attribute * to the length of a signature. * * Initialize a hashing context, by callling * md5_init * * Hash the message by calling * md5_update * * Create the signature by calling * rsa_md5_sign * * The signature is represented as a mpz_t bignum. This call also * resets the hashing context. * * When done with the key and signature, don't forget to call * mpz_clear. */ /* Calls mpz_init to initialize bignum storage. */ void rsa_public_key_init(struct rsa_public_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void rsa_public_key_clear(struct rsa_public_key *key); int rsa_public_key_prepare(struct rsa_public_key *key); /* Calls mpz_init to initialize bignum storage. */ void rsa_private_key_init(struct rsa_private_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void rsa_private_key_clear(struct rsa_private_key *key); int rsa_private_key_prepare(struct rsa_private_key *key); /* PKCS#1 style signatures */ int rsa_pkcs1_sign(const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s); int rsa_pkcs1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t s); int rsa_pkcs1_verify(const struct rsa_public_key *key, size_t length, const uint8_t *digest_info, const mpz_t signature); int rsa_md5_sign(const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature); int rsa_md5_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t s); int rsa_md5_verify(const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t signature); int rsa_sha1_sign(const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t signature); int rsa_sha1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t s); int rsa_sha1_verify(const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature); int rsa_sha256_sign(const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t signature); int rsa_sha256_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t s); int rsa_sha256_verify(const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature); int rsa_sha512_sign(const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t signature); int rsa_sha512_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t s); int rsa_sha512_verify(const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature); /* Variants taking the digest as argument. */ int rsa_md5_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_md5_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); int rsa_sha1_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_sha1_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); int rsa_sha256_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_sha256_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); int rsa_sha512_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s); int rsa_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s); int rsa_sha512_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature); /* PSS style signatures */ int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); int rsa_pss_sha256_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); int rsa_pss_sha384_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); int rsa_pss_sha512_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); /* RSA encryption, using PKCS#1 */ /* Returns 1 on success, 0 on failure, which happens if the * message is too long for the key. */ int rsa_encrypt(const struct rsa_public_key *key, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *cleartext, mpz_t cipher); /* Message must point to a buffer of size *LENGTH. KEY->size is enough * for all valid messages. On success, *LENGTH is updated to reflect * the actual length of the message. Returns 1 on success, 0 on * failure, which happens if decryption failed or if the message * didn't fit. */ int rsa_decrypt(const struct rsa_private_key *key, size_t *length, uint8_t *cleartext, const mpz_t ciphertext); /* Timing-resistant version, using randomized RSA blinding. */ int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t gibberish); /* like rsa_decrypt_tr but with additional side-channel resistance. * NOTE: the length of the final message must be known in advance. */ int rsa_sec_decrypt(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, uint8_t *message, const mpz_t gibberish); /* RSA encryption, using OAEP */ int rsa_oaep_sha256_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t * message, uint8_t *ciphertext); int rsa_oaep_sha256_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); int rsa_oaep_sha384_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t * message, uint8_t *ciphertext); int rsa_oaep_sha384_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); int rsa_oaep_sha512_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext); int rsa_oaep_sha512_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); /* Compute x, the e:th root of m. Calling it with x == m is allowed. It is required that 0 <= m < n. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m); /* Safer variant, using RSA blinding, and checking the result after CRT. It is required that 0 <= m < n. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m); /* Key generation */ /* Note that the key structs must be initialized first. */ int rsa_generate_keypair(struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, /* Desired size of modulo, in bits */ unsigned n_size, /* Desired size of public exponent, in bits. If * zero, the passed in value pub->e is used. */ unsigned e_size); #define RSA_SIGN(key, algorithm, ctx, length, data, signature) ( \ algorithm##_update(ctx, length, data), \ rsa_##algorithm##_sign(key, ctx, signature) \ ) #define RSA_VERIFY(key, algorithm, ctx, length, data, signature) ( \ algorithm##_update(ctx, length, data), \ rsa_##algorithm##_verify(key, ctx, signature) \ ) /* Keys in sexp form. */ struct nettle_buffer; /* Generates a public-key expression if PRIV is NULL .*/ int rsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, /* NULL means "rsa" */ const struct rsa_public_key *pub, const struct rsa_private_key *priv); struct sexp_iterator; int rsa_keypair_from_sexp_alist(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct sexp_iterator *i); /* If PRIV is NULL, expect a public-key expression. If PUB is NULL, * expect a private key expression and ignore the parts not needed for * the public key. */ /* Keys must be initialized before calling this function, as usual. */ int rsa_keypair_from_sexp(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *expr); /* Keys in PKCS#1 format. */ struct asn1_der_iterator; int rsa_public_key_from_der_iterator(struct rsa_public_key *pub, unsigned limit, struct asn1_der_iterator *i); int rsa_private_key_from_der_iterator(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct asn1_der_iterator *i); /* For public keys, use PRIV == NULL */ int rsa_keypair_from_der(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *data); /* OpenPGP format. Experimental interface, subject to change. */ int rsa_keypair_to_openpgp(struct nettle_buffer *buffer, const struct rsa_public_key *pub, const struct rsa_private_key *priv, /* A single user id. NUL-terminated utf8. */ const char *userid); #ifdef __cplusplus } #endif #endif /* NETTLE_RSA_H_INCLUDED */ nettle-3.10/gostdsa-vko.c0000644000175000017500000000566014633602172014374 0ustar nissenisse/* gostdsa-vko.c Copyright (C) 2016 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecc-internal.h" #include "gostdsa.h" /* * Shared key derivation/key agreement for GOST DSA algorithm. * It is defined in RFC 4357 Section 5.2 and RFC 7836 Section 4.3.1 * * output is 2 * curve size: * 64 bytes for 256 bit curves and 128 bytes for 512 bit ones * * Basically shared key is equal to hash(cofactor * ukm * priv * pub). This * function does multiplication. Caller should do hashing on his own. * * UKM is not a secret value (consider it as a nonce). * * For supported GOST curves cofactor is equal to 1. */ void gostdsa_vko (const struct ecc_scalar *priv, const struct ecc_point *pub, size_t ukm_length, const uint8_t *ukm, uint8_t *out) { const struct ecc_curve *ecc = priv->ecc; unsigned bsize = (ecc_bit_size (ecc) + 7) / 8; mp_size_t size = ecc->p.size; mp_size_t itch = 4*size + ecc->mul_itch; mp_limb_t *scratch; if (itch < 5*size + ecc->h_to_a_itch) itch = 5*size + ecc->h_to_a_itch; assert (pub->ecc == ecc); assert (priv->ecc == ecc); assert (ukm_length <= bsize); scratch = gmp_alloc_limbs (itch); #define UKM scratch #define TEMP (scratch + 3*size) #define XYZ scratch #define TEMP_Y (scratch + 4*size) mpn_set_base256_le (UKM, size, ukm, ukm_length); /* If ukm is 0, set it to 1, otherwise the result will be allways equal to 0, * no matter what private and public keys are. See RFC 4357 referencing GOST * R 34.10-2001 (RFC 5832) Section 6.1 step 2. */ if (mpn_zero_p (UKM, size)) UKM[0] = 1; ecc_mod_mul_canonical (&ecc->q, TEMP, priv->p, UKM, TEMP); /* TEMP = UKM * priv */ ecc->mul (ecc, XYZ, TEMP, pub->p, scratch + 4*size); /* XYZ = UKM * priv * pub */ ecc->h_to_a (ecc, 0, TEMP, XYZ, scratch + 5*size); /* TEMP = XYZ */ mpn_get_base256_le (out, bsize, TEMP, size); mpn_get_base256_le (out+bsize, bsize, TEMP_Y, size); gmp_free_limbs (scratch, itch); } nettle-3.10/s390x/0000755000175000017500000000000014633602172012646 5ustar nissenissenettle-3.10/s390x/msa/0000755000175000017500000000000014633602172013426 5ustar nissenissenettle-3.10/s390x/msa/sha1-compress.asm0000644000175000017500000000534514633602172016624 0ustar nissenisseC s390x/msa/sha1-compress.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST) is specefied in C "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C the second operand is processed as specified by the function code using an initial chaining value in C the parameter block, and the result replaces the chaining value. C This implementation uses KIMD-SHA-1 function. C The parameter block used for the KIMD-SHA-1 function has the following format: C *----------------------------------------------* C | H0 (4 bytes) | C |----------------------------------------------| C | H1 (4 bytes) | C |----------------------------------------------| C | H2 (4 bytes) | C |----------------------------------------------| C | H3 (4 bytes) | C |----------------------------------------------| C | H4 (4 bytes) | C *----------------------------------------------* .file "sha1-compress.asm" .text C SHA function code define(`SHA1_FUNCTION_CODE', `1') C Size of block define(`SHA1_BLOCK_SIZE', `64') C void nettle_sha1_compress(uint32_t *state, const uint8_t *input) PROLOGUE(nettle_sha1_compress) lghi %r0,SHA1_FUNCTION_CODE C FUNCTION_CODE lgr %r1,%r2 lgr %r4,%r3 lghi %r5,SHA1_BLOCK_SIZE 1: .long 0xb93e0004 C kimd %r0,%r4. perform KIMD-SHA operation on data brc 1,1b br RA EPILOGUE(nettle_sha1_compress) nettle-3.10/s390x/machine.m40000644000175000017500000000231214633602172014512 0ustar nissenisseC Register usage: define(`RA', `%r14') C Return address define(`SP', `%r15') C Stack pointer define(`STANDARD_STACK_FRAME',`160') C Dynamic stack space allocation C AP is a general register to which the allocated space is assigned C SPACE_LEN is the length of space, must be a multiple of 8 C FREE_STACK macro can be used to free the allocated space C ALLOC_STACK(AP, SPACE_LEN) define(`ALLOC_STACK', `lgr $1,SP aghi SP,-(STANDARD_STACK_FRAME+$2) stg $1,0(SP) la $1,STANDARD_STACK_FRAME (SP)') C Free allocated stack space C FREE_STACK(SPACE_LEN) define(`FREE_STACK', `aghi SP,STANDARD_STACK_FRAME+$1') C XOR contents of two areas in storage with specific length C DST: The destination area of storage C SRC: The source area of storage C LEN: The length of storage area. LEN <= 256 C TMP_ADDR: A temporary register that handles the XOR instrcution address C All parameters are general registers and cannot be assigned to C general register 0 C XOR_LEN(DST, SRC, LEN, TMP_ADDR) define(`XOR_LEN', `larl $4,18f aghi $3,-1 jm 19f ex $3,0($4) j 19f 18: xc 0(1,$1),0($2) 19:') nettle-3.10/s390x/msa_x1/0000755000175000017500000000000014633602172014036 5ustar nissenissenettle-3.10/s390x/msa_x1/aes128-set-encrypt-key.asm0000644000175000017500000000265614633602172020615 0ustar nissenisseC s390x/msa_x1/aes128-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes128-set-encrypt-key.asm" .text C void C aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes128_set_encrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(16,%r2),0(%r3) C copy Cryptographic Key (16 bytes) br RA EPILOGUE(nettle_aes128_set_encrypt_key) nettle-3.10/s390x/msa_x1/aes128-set-decrypt-key.asm0000644000175000017500000000342014633602172020571 0ustar nissenisseC s390x/msa_x1/aes128-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes128-set-decrypt-key.asm" .text C void C aes128_invert_key(struct aes128_ctx *dst, const struct aes128_ctx *src) PROLOGUE(nettle_aes128_invert_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(16,%r2),0(%r3) C copy Cryptographic Key (16 bytes) br RA EPILOGUE(nettle_aes128_invert_key) C void C aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes128_set_decrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(16,%r2),0(%r3) C copy Cryptographic Key (16 bytes) br RA EPILOGUE(nettle_aes128_set_decrypt_key) nettle-3.10/s390x/msa_x1/aes128-encrypt.asm0000644000175000017500000000457314633602172017236 0ustar nissenisseC s390x/msa_x1/aes128-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-128 function. C The parameter block used for the KM-AES-128 function has the following format: C *----------------------------------------------* C | Cryptographic Key (16 bytes) | C *----------------------------------------------* .file "aes128-encrypt.asm" .text C void C aes128_encrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes128_encrypt) lghi %r0,18 C KM function code (KM-AES-128) lgr %r1,%r2 C parameter block: byte offsets 0-15 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes128_encrypt) nettle-3.10/s390x/msa_x1/aes128-decrypt.asm0000644000175000017500000000466014633602172017221 0ustar nissenisseC s390x/msa_x1/aes128-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-128 function. C The parameter block used for the KM-AES-128 function has the following format: C *----------------------------------------------* C | Cryptographic Key (16 bytes) | C *----------------------------------------------* .file "aes128-decrypt.asm" .text C void C aes128_decrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes128_decrypt) lghi %r0,128|18 C KM function code (KM-AES-128), enable modifier bit to perform decryption operation lgr %r1,%r2 C parameter block: byte offsets 0-15 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes128_decrypt) nettle-3.10/s390x/msa_x1/sha256-compress-n.asm0000644000175000017500000000616114633602172017640 0ustar nissenisseC s390x/msa_x1/sha256-compress-n.asm ifelse(` Copyright (C) 2021, 2022 Mamone Tarsha, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST) is specefied in C "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C the second operand is processed as specified by the function code using an initial chaining value in C the parameter block, and the result replaces the chaining value. C This implementation uses KIMD-SHA-256 function. C The parameter block used for the KIMD-SHA-256 function has the following format: C *----------------------------------------------* C | H0 (4 bytes) | C |----------------------------------------------| C | H1 (4 bytes) | C |----------------------------------------------| C | H2 (4 bytes) | C |----------------------------------------------| C | H3 (4 bytes) | C |----------------------------------------------| C | H4 (4 bytes) | C |----------------------------------------------| C | H5 (4 bytes) | C |----------------------------------------------| C | H6 (4 bytes) | C |----------------------------------------------| C | H7 (4 bytes) | C *----------------------------------------------* .file "sha256-compress-n.asm" .text C SHA function code define(`SHA256_FUNCTION_CODE', `2') C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) PROLOGUE(_nettle_sha256_compress_n) lghi %r0,SHA256_FUNCTION_CODE C SHA-256 Function Code lgr %r1,%r2 lgr %r2, %r5 sllg %r3, %r4, 6 C 64 * block size 1: .long 0xb93e0002 C kimd %r0,%r2. perform KIMD-SHA operation on data brc 1,1b br RA EPILOGUE(_nettle_sha256_compress_n) nettle-3.10/s390x/README0000644000175000017500000000503314633602172013527 0ustar nissenisseRegisters Conventions[1] Register Status Use r0, r1 General purpose Volatile r2 Parameter passing and return values Volatile r3, r4, r5 Parameter passing Volatile r6 Parameter passing Saved r7 - r11 Local variables Saved r12 Local variable, commonly used as GOT pointer Saved r13 Local variable, commonly used as Literal Pool pointer Saved r14 Return address Volatile r15 Stack pointer Saved f0, f2, f4, f6 Parameter passing and return values Volatile f1, f3, f5, f7 General purpose Volatile f8 – f15 General purpose Saved Vector Register Conventions Register Use VR0 - VR7 Volatile VR8 - VR15 Bytes 0-7 are non-volatile, Bytes 8-15 are volatile VR16 - VR23 Non-volatile VR24 - VR31 Volatile General Registers[2] In addition to their use as accumulators in general arithmetic and logical operations, 15 of the 16 general registers are also used as base-address and index registers in address generation. In these cases, the registers are designated by a four-bit B field or X field in an instruction. A value of zero in the B or X field specifies that no base or index is to be applied, and, thus, general register 0 cannot be designated as containing a base address or index. Parameter passing[1] Values shorter than 64 bits are sign- or zero-extended (as appropriate) to 64 bits. Arguments not handled in the registers are passed in the parameter words of the caller’s stack frame. Dynamic stack space allocation[1] 1. After a new stack frame is acquired, and before the first dynamic space allocation, a new register, the frame pointer or FP, is set to the value of the stack pointer. 2. The amount of dynamic space to be allocated is rounded up to a multiple of 8 bytes, so that 8-byte stack alignment is maintained. 3. The stack pointer is decreased by the rounded byte count, and the address of the previous stack frame (the back chain) may be stored at the word addressed by the new stack pointer. The back chain is not necessary to restore from this allocation at the end of the function since the frame pointer can be used to restore the stack pointer. [1] http://legacy.redhat.com/pub/redhat/linux/7.1/es/os/s390x/doc/lzsabi0.pdf [2] https://www.ibm.com/support/pages/zarchitecture-principles-operation nettle-3.10/s390x/msa_x2/0000755000175000017500000000000014633602172014037 5ustar nissenissenettle-3.10/s390x/msa_x2/aes192-decrypt.asm0000644000175000017500000000466014633602172017223 0ustar nissenisseC s390x/msa_x2/aes192-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-192 function. C The parameter block used for the KM-AES-192 function has the following format: C *----------------------------------------------* C | Cryptographic Key (24 bytes) | C *----------------------------------------------* .file "aes192-decrypt.asm" .text C void C aes192_decrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes192_decrypt) lghi %r0,128|19 C KM function code (KM-AES-192), enable modifier bit to perform decryption operation lgr %r1,%r2 C parameter block: byte offsets 0-23 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes192_decrypt) nettle-3.10/s390x/msa_x2/aes192-set-encrypt-key.asm0000644000175000017500000000265614633602172020617 0ustar nissenisseC s390x/msa_x2/aes192-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes192-set-encrypt-key.asm" .text C void C aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes192_set_encrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(24,%r2),0(%r3) C copy Cryptographic Key (24 bytes) br RA EPILOGUE(nettle_aes192_set_encrypt_key) nettle-3.10/s390x/msa_x2/aes192-encrypt.asm0000644000175000017500000000457314633602172017240 0ustar nissenisseC s390x/msa_x2/aes192-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-192 function. C The parameter block used for the KM-AES-192 function has the following format: C *----------------------------------------------* C | Cryptographic Key (24 bytes) | C *----------------------------------------------* .file "aes192-encrypt.asm" .text C void C aes192_encrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes192_encrypt) lghi %r0,19 C KM function code (KM-AES-192) lgr %r1,%r2 C parameter block: byte offsets 0-23 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes192_encrypt) nettle-3.10/s390x/msa_x2/aes256-encrypt.asm0000644000175000017500000000457314633602172017241 0ustar nissenisseC s390x/msa_x2/aes256-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-256 function. C The parameter block used for the KM-AES-256 function has the following format: C *----------------------------------------------* C | Cryptographic Key (32 bytes) | C *----------------------------------------------* .file "aes256-encrypt.asm" .text C void C aes256_encrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes256_encrypt) lghi %r0,20 C KM function code (KM-AES-256) lgr %r1,%r2 C parameter block: byte offsets 0-31 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes256_encrypt) nettle-3.10/s390x/msa_x2/sha512-compress.asm0000644000175000017500000000615214633602172017401 0ustar nissenisseC s390x/msa_x2/sha512-compress.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST) is specefied in C "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C the second operand is processed as specified by the function code using an initial chaining value in C the parameter block, and the result replaces the chaining value. C This implementation uses KIMD-SHA-512 function. C The parameter block used for the KIMD-SHA-512 function has the following format: C *----------------------------------------------* C | H0 (8 bytes) | C |----------------------------------------------| C | H1 (8 bytes) | C |----------------------------------------------| C | H2 (8 bytes) | C |----------------------------------------------| C | H3 (8 bytes) | C |----------------------------------------------| C | H4 (8 bytes) | C |----------------------------------------------| C | H5 (8 bytes) | C |----------------------------------------------| C | H6 (8 bytes) | C |----------------------------------------------| C | H7 (8 bytes) | C *----------------------------------------------* .file "sha512-compress.asm" .text C SHA function code define(`SHA512_FUNCTION_CODE', `3') C Size of block define(`SHA512_BLOCK_SIZE', `128') C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, C const uint64_t *k) PROLOGUE(_nettle_sha512_compress) lghi %r0,SHA512_FUNCTION_CODE C SHA-512 Function Code lgr %r1,%r2 lgr %r4,%r3 lghi %r5,SHA512_BLOCK_SIZE 1: .long 0xb93e0004 C kimd %r0,%r4. perform KIMD-SHA operation on data brc 1,1b br RA EPILOGUE(_nettle_sha512_compress) nettle-3.10/s390x/msa_x2/aes192-set-decrypt-key.asm0000644000175000017500000000342014633602172020573 0ustar nissenisseC s390x/msa_x2/aes192-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes192-set-decrypt-key.asm" .text C void C aes192_invert_key(struct aes192_ctx *dst, const struct aes192_ctx *src) PROLOGUE(nettle_aes192_invert_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(24,%r2),0(%r3) C copy Cryptographic Key (24 bytes) br RA EPILOGUE(nettle_aes192_invert_key) C void C aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes192_set_decrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(24,%r2),0(%r3) C copy Cryptographic Key (24 bytes) br RA EPILOGUE(nettle_aes192_set_decrypt_key) nettle-3.10/s390x/msa_x2/aes256-set-encrypt-key.asm0000644000175000017500000000265614633602172020620 0ustar nissenisseC s390x/msa_x2/aes256-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes256-set-encrypt-key.asm" .text C void C aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes256_set_encrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(32,%r2),0(%r3) C copy Cryptographic Key (32 bytes) br RA EPILOGUE(nettle_aes256_set_encrypt_key) nettle-3.10/s390x/msa_x2/aes256-decrypt.asm0000644000175000017500000000466014633602172017224 0ustar nissenisseC s390x/msa_x2/aes256-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KM (CIPHER MESSAGE) is specefied in "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C The second operand is ciphered as specified by the function code using a cryptographic C key in the parameter block, and the result is placed in the first-operand location. C This implementation uses KM-AES-256 function. C The parameter block used for the KM-AES-256 function has the following format: C *----------------------------------------------* C | Cryptographic Key (32 bytes) | C *----------------------------------------------* .file "aes256-decrypt.asm" .text C void C aes256_decrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes256_decrypt) lghi %r0,128|20 C KM function code (KM-AES-256), enable modifier bit to perform decryption operation lgr %r1,%r2 C parameter block: byte offsets 0-31 Cryptographic Key lgr %r2,%r5 1: .long 0xb92e0042 C km %r4,%r2 brc 1,1b C safely branch back in case of partial completion br RA EPILOGUE(nettle_aes256_decrypt) nettle-3.10/s390x/msa_x2/aes256-set-decrypt-key.asm0000644000175000017500000000342014633602172020574 0ustar nissenisseC s390x/msa_x2/aes256-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes256-set-decrypt-key.asm" .text C void C aes256_invert_key(struct aes256_ctx *dst, const struct aes256_ctx *src) PROLOGUE(nettle_aes256_invert_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(32,%r2),0(%r3) C copy Cryptographic Key (32 bytes) br RA EPILOGUE(nettle_aes256_invert_key) C void C aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key) PROLOGUE(nettle_aes256_set_decrypt_key) C AES cipher functions only need the raw cryptographic key so just copy it to AES context mvc 0(32,%r2),0(%r3) C copy Cryptographic Key (32 bytes) br RA EPILOGUE(nettle_aes256_set_decrypt_key) nettle-3.10/s390x/fat/0000755000175000017500000000000014633602172013420 5ustar nissenissenettle-3.10/s390x/fat/aes192-set-decrypt-key-2.asm0000644000175000017500000000234614633602172020321 0ustar nissenisseC s390x/fat/aes192-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(nettle_aes192_invert_key) dnl PROLOGUE(nettle_aes192_set_decrypt_key) define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes192-set-decrypt-key.asm') nettle-3.10/s390x/fat/sha256-compress-n-2.asm0000644000175000017500000000225614633602172017362 0ustar nissenisseC s390x/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha256_compress_n) picked up by configure define(`fat_transform', `$1_s390x') include_src(`s390x/msa_x1/sha256-compress-n.asm') nettle-3.10/s390x/fat/chacha-2core.asm0000644000175000017500000000217114633602172016342 0ustar nissenisseC s390x/fat/chacha-2core.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_2core) picked up by configure include_src(`s390x/vf/chacha-2core.asm') nettle-3.10/s390x/fat/chacha-core-internal-2.asm0000644000175000017500000000225214633602172020231 0ustar nissenisseC s390x/fat/chacha-core-internal-2.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_chacha_core) picked up by configure define(`fat_transform', `$1_s390x') include_src(`s390x/vf/chacha-core-internal.asm') nettle-3.10/s390x/fat/ghash-set-key-2.asm0000644000175000017500000000224614633602172016736 0ustar nissenisseC s390x/fat/ghash-set-key-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_set_key) define(`fat_transform', `$1_s390x') include_src(`s390x/msa_x4/ghash-set-key.asm') nettle-3.10/s390x/fat/aes192-decrypt-2.asm0000644000175000017500000000224314633602172016736 0ustar nissenisseC s390x/fat/aes192-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_decrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes192-decrypt.asm') nettle-3.10/s390x/fat/cpu-facility.asm0000644000175000017500000000402614633602172016515 0ustar nissenisseC s390x/fat/cpu-facility.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "cpu-facility.asm" .text C void _nettle_stfle(uint64_t *facility, uint64_t facility_size) PROLOGUE(_nettle_stfle) lgr %r0,%r3 C facility_size aghi %r0,-1 C facility_size - 1 .long 0xb2b02000 C stfle 0(%r2) br RA EPILOGUE(_nettle_stfle) C void _nettle_km_status(uint64_t *status) PROLOGUE(_nettle_km_status) lghi %r0,0 C query code lgr %r1,%r2 C status .long 0xb92e0022 C km %r2,%r2. Operands are ignored br RA EPILOGUE(_nettle_km_status) C void _nettle_kimd_status(uint64_t *status) PROLOGUE(_nettle_kimd_status) lghi %r0,0 C query code lgr %r1,%r2 C status .long 0xb93e0002 C kimd %r0,%r2. Operands are ignored br RA EPILOGUE(_nettle_kimd_status) nettle-3.10/s390x/fat/aes256-decrypt-2.asm0000644000175000017500000000224314633602172016737 0ustar nissenisseC s390x/fat/aes256-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_decrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes256-decrypt.asm') nettle-3.10/s390x/fat/aes128-set-encrypt-key-2.asm0000644000175000017500000000227314633602172020331 0ustar nissenisseC s390x/fat/aes128-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_set_encrypt_key) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x1/aes128-set-encrypt-key.asm') nettle-3.10/s390x/fat/aes192-encrypt-2.asm0000644000175000017500000000224314633602172016750 0ustar nissenisseC s390x/fat/aes192-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_encrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes192-encrypt.asm') nettle-3.10/s390x/fat/ghash-update-2.asm0000644000175000017500000000224114633602172016632 0ustar nissenisseC s390x/fat/ghash-update.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_s390x') include_src(`s390x/msa_x4/ghash-update.asm') nettle-3.10/s390x/fat/aes128-encrypt-2.asm0000644000175000017500000000224314633602172016747 0ustar nissenisseC s390x/fat/aes128-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_encrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x1/aes128-encrypt.asm') nettle-3.10/s390x/fat/aes128-decrypt-2.asm0000644000175000017500000000224314633602172016735 0ustar nissenisseC s390x/fat/aes128-decrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_decrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x1/aes128-decrypt.asm') nettle-3.10/s390x/fat/sha512-compress-2.asm0000644000175000017500000000225014633602172017114 0ustar nissenisseC s390x/fat/sha512-compress-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha512_compress) picked up by configure define(`fat_transform', `$1_s390x') include_src(`s390x/msa_x2/sha512-compress.asm') nettle-3.10/s390x/fat/aes128-set-decrypt-key-2.asm0000644000175000017500000000234614633602172020320 0ustar nissenisseC s390x/fat/aes128-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(nettle_aes128_invert_key) dnl PROLOGUE(nettle_aes128_set_decrypt_key) define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x1/aes128-set-decrypt-key.asm') nettle-3.10/s390x/fat/aes192-set-encrypt-key-2.asm0000644000175000017500000000227314633602172020332 0ustar nissenisseC s390x/fat/aes192-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_set_encrypt_key) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes192-set-encrypt-key.asm') nettle-3.10/s390x/fat/sha3-permute-2.asm0000644000175000017500000000223414633602172016577 0ustar nissenisseC s390x/fat/sha3-permute-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha3_permute) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/vf/sha3-permute.asm') nettle-3.10/s390x/fat/aes256-set-decrypt-key-2.asm0000644000175000017500000000234614633602172020322 0ustar nissenisseC s390x/fat/aes256-set-decrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(nettle_aes256_invert_key) dnl PROLOGUE(nettle_aes256_set_decrypt_key) define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes256-set-decrypt-key.asm') nettle-3.10/s390x/fat/aes256-encrypt-2.asm0000644000175000017500000000224314633602172016751 0ustar nissenisseC s390x/fat/aes256-encrypt.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_encrypt) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes256-encrypt.asm') nettle-3.10/s390x/fat/memxor3-2.asm0000644000175000017500000000221414633602172015652 0ustar nissenisseC s390x/fat/memxor3-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_memxor3) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/vf/memxor3.asm') nettle-3.10/s390x/fat/aes256-set-encrypt-key-2.asm0000644000175000017500000000227314633602172020333 0ustar nissenisseC s390x/fat/aes256-set-encrypt-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_set_encrypt_key) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa_x2/aes256-set-encrypt-key.asm') nettle-3.10/s390x/fat/sha1-compress-2.asm0000644000175000017500000000223714633602172016752 0ustar nissenisseC s390x/fat/sha1-compress-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_sha1_compress) picked up by configure define(`fat_transform', `_$1_s390x') include_src(`s390x/msa/sha1-compress.asm') nettle-3.10/s390x/fat/chacha-4core.asm0000644000175000017500000000217114633602172016344 0ustar nissenisseC s390x/fat/chacha-4core.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_4core) picked up by configure include_src(`s390x/vf/chacha-4core.asm') nettle-3.10/s390x/vf/0000755000175000017500000000000014633602172013261 5ustar nissenissenettle-3.10/s390x/vf/chacha-2core.asm0000644000175000017500000001134714633602172016210 0ustar nissenisseC s390x/vf/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `%r2') define(`SRC', `%r3') define(`ROUNDS', `%r4') C State, even elements in X, odd elements in Y define(`X0', `%v1') define(`X1', `%v2') define(`X2', `%v3') define(`X3', `%v29') define(`Y0', `%v4') define(`Y1', `%v5') define(`Y2', `%v6') define(`Y3', `%v7') C Original input state define(`S0', `%v24') define(`S1', `%v25') define(`S2', `%v26') define(`S3', `%v27') define(`S3p1', `%v28') define(`T0', `%v0') define(`BRW', `%v30') define(`EW', `%v30') define(`OW', `%v31') .file "chacha-2core.asm" .machine "z13" .text C _chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_2core) vzero X1 vleif X1, 1, 0 vl X3, 48(SRC) vaccf Y3, X3, X1 C Counter carry out vsldb Y3, Y3, Y3, 12 vo Y3, Y3, X1 .Lshared_entry: vaf Y3, Y3, X3 vlm X0, X2, 0(SRC) vlr S0, X0 vlr S1, X1 vlr S2, X2 vlr S3, X3 vlr S3p1, Y3 larl %r5,.Lword_even vlm EW, OW, 0(%r5) vperm Y0, X0, X0, OW C 1 1 3 3 vperm X0, X0, X0, EW C 0 0 2 2 vperm Y1, X1, X1, OW C 5 5 7 7 vperm X1, X1, X1, EW C 4 4 6 6 vperm Y2, X2, X2, OW C 9 9 11 11 vperm X2, X2, X2, EW C 8 8 10 10 vperm Y3, X3, S3p1, OW C 13 13 15 15 vperm X3, X3, S3p1, EW C 12 12 14 14 srlg ROUNDS, ROUNDS, 1 .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C X1: A4 B4 A6 B6 Y1: A5 B5 A7 B7 C X2: A8 B8 A10 B10 Y2: A9 B9 A11 B11 C X3: A12 B12 A14 B14 Y3: A13 B13 A15 B15 vaf X0, X0, X1 vaf Y0, Y0, Y1 vx X3, X3, X0 vx Y3, Y3, Y0 verllf X3, X3, 16 verllf Y3, Y3, 16 vaf X2, X2, X3 vaf Y2, Y2, Y3 vx X1, X1, X2 vx Y1, Y1, Y2 verllf X1, X1, 12 verllf Y1, Y1, 12 vaf X0, X0, X1 vaf Y0, Y0, Y1 vx X3, X3, X0 vx Y3, Y3, Y0 verllf X3, X3, 8 verllf Y3, Y3, 8 vaf X2, X2, X3 vaf Y2, Y2, Y3 vx X1, X1, X2 vx Y1, Y1, Y2 verllf X1, X1, 7 verllf Y1, Y1, 7 vpdi X1, X1, X1, 0b0100 vpdi X2, X2, X2, 0b0100 vpdi Y2, Y2, Y2, 0b0100 vpdi Y3, Y3, Y3, 0b0100 C Register layout: C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C Y1: A5 B5 A7 B7 X1: A6 B6 A4 B4 (X1 swapped) C X2: A10 B10 A8 B8 Y2: A11 A11 A9 B9 (X2, Y2 swapped) C Y3 A15 B15 A13 B13 X3 A12 B12 A14 B14 (Y3 swapped) vaf X0, X0, Y1 vaf Y0, Y0, X1 vx Y3, Y3, X0 vx X3, X3, Y0 verllf Y3, Y3, 16 verllf X3, X3, 16 vaf X2, X2, Y3 vaf Y2, Y2, X3 vx Y1, Y1, X2 vx X1, X1, Y2 verllf Y1, Y1, 12 verllf X1, X1, 12 vaf X0, X0, Y1 vaf Y0, Y0, X1 vx Y3, Y3, X0 vx X3, X3, Y0 verllf Y3, Y3, 8 verllf X3, X3, 8 vaf X2, X2, Y3 vaf Y2, Y2, X3 vx Y1, Y1, X2 vx X1, X1, Y2 verllf Y1, Y1, 7 verllf X1, X1, 7 vpdi X1, X1, X1, 0b0100 vpdi X2, X2, X2, 0b0100 vpdi Y2, Y2, Y2, 0b0100 vpdi Y3, Y3, Y3, 0b0100 brctg ROUNDS, .Loop vperm T0, X0, Y0, EW vperm Y0, X0, Y0, OW vperm X0, X1, Y1, EW vperm Y1, X1, Y1, OW vperm X1, X2, Y2, EW vperm Y2, X2, Y2, OW vperm X2, X3, Y3, EW vperm Y3, X3, Y3, OW vaf T0, T0, S0 vaf Y0, Y0, S0 vaf X0, X0, S1 vaf Y1, Y1, S1 vaf X1, X1, S2 vaf Y2, Y2, S2 vaf X2, X2, S3 vaf Y3, Y3, S3p1 vl BRW, 32(%r5) vperm T0, T0, T0, BRW vperm X0, X0, X0, BRW vperm X1, X1, X1, BRW vperm X2, X2, X2, BRW vperm Y0, Y0, Y0, BRW vperm Y1, Y1, Y1, BRW vperm Y2, Y2, Y2, BRW vperm Y3, Y3, Y3, BRW vstm T0, Y3, 0(DST) br RA EPILOGUE(_nettle_chacha_2core) PROLOGUE(_nettle_chacha_2core32) vzero Y3 vleif Y3, 1, 0 vl X3, 48(SRC) j .Lshared_entry EPILOGUE(_nettle_chacha_2core32) .align 16 .Lword_even: .long 0x00010203,0x10111213,0x08090A0B,0x18191A1B .Lword_odd: .long 0x04050607,0x14151617,0x0C0D0E0F,0x1C1D1E1F .Lword_byte_reverse: .long 0x03020100,0x07060504,0x0B0A0908,0x0F0E0D0C nettle-3.10/s390x/vf/memxor3.asm0000644000175000017500000000503614633602172015361 0ustar nissenisseC s390/vf/memxor3.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "memxor3.asm" .machine "z13" .text C void * memxor3(void *dst_in, const void *a_in, const void *b_in, size_t n) PROLOGUE(nettle_memxor3) agr %r2,%r5 agr %r3,%r5 agr %r4,%r5 Lmod: risbg %r1,%r5,60,191,0 jz L1x sgr %r3,%r1 sgr %r4,%r1 sgr %r2,%r1 aghi %r1,-1 C highest index vll %v24,%r1,0(%r3) vll %v28,%r1,0(%r4) vx %v24,%v24,%v28 vstl %v24,%r1,0(%r2) L1x: risbg %r1,%r5,58,187,0 jz L4x srlg %r1,%r1,4 C 1-block loop count 'n / 16' L1x_loop: aghi %r3,-16 aghi %r4,-16 aghi %r2,-16 vl %v24,0(%r3),0 vl %v28,0(%r4),0 vx %v24,%v24,%v28 vst %v24,0(%r2),0 brctg %r1,L1x_loop L4x: risbg %r1,%r5,0,185,0 jz Ldone srlg %r1,%r1,6 C 4-blocks loop count 'n / (16 * 4)' L4x_loop: aghi %r3,-64 aghi %r4,-64 aghi %r2,-64 vlm %v24,%v27,0(%r3),0 vlm %v28,%v31,0(%r4),0 vx %v24,%v24,%v28 vx %v25,%v25,%v29 vx %v26,%v26,%v30 vx %v27,%v27,%v31 vstm %v24,%v27,0(%r2),0 brctg %r1,L4x_loop Ldone: br RA EPILOGUE(nettle_memxor3) nettle-3.10/s390x/vf/sha3-permute.asm0000644000175000017500000002744714633602172016316 0ustar nissenisseC s390x/vf/sha3-permute.asm ifelse(` Copyright (C) 2012 Niels Möller Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`STATE', `%r2') C 25 64-bit values, 200 bytes. define(`COUNT', `%r3') define(`A00', `%r0') define(`A0102', `%v0') define(`A0304', `%v1') define(`A05', `%r4') define(`A0607', `%v2') define(`A0809', `%v3') define(`A10', `%r5') define(`A1112', `%v4') define(`A1314', `%v5') define(`A15', `%r6') define(`A1617', `%v6') define(`A1819', `%v7') define(`A20', `%r7') define(`A2122', `%v8') define(`A2324', `%v9') define(`C0', `%r8') define(`C12', `%v24') define(`C34', `%v25') define(`D0', `%r9') define(`D12', `%v26') define(`D34', `%v27') C Wide temporaries define(`W0', `%v28') define(`W1', `%v29') define(`W2', `%v30') define(`W3', `%v31') define(`TMP', `%r9') define(`T0', `%r10') define(`T1', `%r11') define(`T2', `%r12') define(`T3', `%r13') define(`RC', `%r14') .file "sha3-permute.asm" .machine "z13" .text C void C sha3_permute(struct sha3_ctx *ctx) PROLOGUE(nettle_sha3_permute) stmg %r6,%r14,48(SP) C Save non-volatile general registers ALLOC_STACK(%r1,16) C Allocate 16-byte space on stack C Save non-volatile floating point registers std %f8,0(%r1) std %f9,8(%r1) lghi COUNT,24*8 larl RC,.rc C Load address of rc data aghi RC,-8 C Load state data lg A00,0*8(STATE) vl A0102,1*8(STATE) vl A0304,3*8(STATE) lg A05,5*8(STATE) vl A0607,6*8(STATE) vl A0809,8*8(STATE) xgrk C0,A00,A05 vx C12,A0102,A0607 vx C34,A0304,A0809 lg A10,10*8(STATE) vl A1112,11*8(STATE) vl A1314,13*8(STATE) xgr C0,A10 vx C12,C12,A1112 vx C34,C34,A1314 lg A15,15*8(STATE) vl A1617,16*8(STATE) vl A1819,18*8(STATE) xgr C0,A15 vx C12,C12,A1617 vx C34,C34,A1819 lg A20,20*8(STATE) vl A2122,21*8(STATE) vl A2324,23*8(STATE) xgr C0,A20 vx C12,C12,A2122 vx C34,C34,A2324 j .Loop .align 16 .Loop: C The theta step. Combine parity bits, then xor to state. C D0 = C4 ^ (C1 <<< 1) C D1 = C0 ^ (C2 <<< 1) C D2 = C1 ^ (C3 <<< 1) C D3 = C2 ^ (C4 <<< 1) C D4 = C3 ^ (C0 <<< 1) C Shift the words around, putting (C0, C1) in D12, (C2, C3) in C D34, and (C4, C0) in C34. vlvgg D12,C0,0 vmrhg D12,D12,C12 C Holds C0, C1 vpdi D34,C12,C34,0b0100 C Holds C2, C3 vpdi C34,C34,D12,0b0100 C Holds C4, C0 vlgvg T0,C12,0 vlgvg D0,C34,0 rllg T0,T0,1 xgr D0,T0 verllg W0,D34,1 vx D12,D12,W0 C Done D12 verllg W1,C34,1 vx D34,D34,W1 C Done D34 xgr A00,D0 xgr A05,D0 xgr A10,D0 xgr A15,D0 xgr A20,D0 vx A0102,A0102,D12 vx A0607,A0607,D12 vx A1112,A1112,D12 vx A1617,A1617,D12 vx A2122,A2122,D12 vx A0304,A0304,D34 vx A0809,A0809,D34 vx A1314,A1314,D34 vx A1819,A1819,D34 vx A2324,A2324,D34 C theta step done, no C, D or W temporaries alive. C rho step. When doing the permutations, also C transpose the rows of matrix into temporary C coordinates to assist the chi step. C Defer pi step to the last phase. C The combined permutation + transpose gives the following C cycles (rotation counts in parenthesis) C 0 <- 0(0) C 1 <- 3(28) <- 4(27) <- 2(62) <- 1(1) C 5 <- 6(44) <- 9(20) <- 8(55) <- 5(36) C 7 <- 7(6) C 10 <- 12(43) <- 13(25) <- 11(10) <- 10(3) C 14 <- 14(39) C 15 <- 18(21) <- 17(15) <- 19(8) <- 15(41) C 16 <- 16(45) C 20 <- 24(14) <- 21(2) <- 22(61) <- 20(18) C 23 <- 23(56) C Do the 1,2,3,4 row. First rotate (permute), then transpose. verllg W0,A0102,1 C verllg 1 (A01) verllg W2,A0102,62 C verllg 62 (A02) verllg A0102,A0304,28 C verllg 28 (A03) verllg A0304,A0304,27 C verllg 27 (A04) vmrhg A0102,A0102,W0 vmrlg A0304,A0304,W2 C Do the 5,6,7,8,9 row. rllg A05,A05,36 vlvgg W0,A05,0 vlgvg A05,A0607,0 rllg A05,A05,44 C Done A05 verllg W1,A0607,6 verllg A0607,A0809,20 vmrlg A0607,A0607,W1 C Done A0607 verllg W1,A0809,55 vmrhg A0809,W0,W1 C Done A0809 C Do the 10,11,12,13,14 row. C Roatated using verllg with (25) later. 42 + 25 = 3 (mod 64) rllg A10,A10,42 verllg W0,A1112,10 vlvgg A1112,A10,0 vlgvg A10,A1112,1 rllg A10,A10,43 C Done A10 vmrhg A1112,A1112,A1314 verllg A1112,A1112,25 C Done A1112 verllg W2,A1314,39 vpdi A1314,W0,W2,0b0001 C Done A1314 C Do the 15,16,17,18,19 row. verllg W0,A1819,8 rllg A15,A15,41 vlvgg W1,A15,1 vlgvg A15,A1819,0 rllg A15,A15,21 C Done A15 verllg A1819,A1617,15 verllg A1617,A1617,45 vpdi A1617,A1617,W0,0b0001 C Done A1617 vmrlg A1819,A1819,W1 C Done A1819 C Do the 20,21,22,23,24 row. rllg A20,A20,18 vlvgg W0,A20,1 vlgvg A20,A2324,1 rllg A20,A20,14 C Done A20 verllg A2324,A2324,56 verllg W2,A2122,2 vmrhg A2324,A2324,W2 C Done A2324 verllg A2122,A2122,61 vmrlg A2122,A2122,W0 C Done A2122 C chi step. With the transposed matrix, applied independently C to each column. lghi TMP,-1 xgrk T0,A05,TMP ngr T0,A10 xgrk T1,A10,TMP ngr T1,A15 xgrk T2,A15,TMP ngr T2,A20 xgr A10,T2 xgrk T3,A20,TMP ngr T3,A00 xgr A15,T3 xgrk T2,A00,TMP ngr T2,A05 xgr A20,T2 xgr A00,T0 xgr A05,T1 vnc W0,A1112,A0607 vnc W1,A1617,A1112 vnc W2,A2122,A1617 vx A1112,A1112,W2 vnc W3,A0102,A2122 vx A1617,A1617,W3 vnc W2,A0607,A0102 vx A2122,A2122,W2 vx A0102,A0102,W0 vx A0607,A0607,W1 vnc W0,A1314,A0809 vnc W1,A1819,A1314 vnc W2,A2324,A1819 vx A1314,A1314,W2 vnc W3,A0304,A2324 vx A1819,A1819,W3 vnc W2,A0809,A0304 vx A2324,A2324,W2 vx A0304,A0304,W0 vx A0809,A0809,W1 C iota step. lg TMP,0(COUNT,RC) xgr A00,TMP C Deferred pi step. Transpose the matrix from the temporary C positions. The transpose gives the matrix with the C following (x,y) coordinates. C (0,0) <- (0,0), (0,2) <- (2,0), (0,4) <- (4,0) C (0,3) <- (3,0), (0,1) <- (1,0), (1,3) <- (3,1) C (1,0) <- (0,1), (1,2) <- (2,1), (1,4) <- (4,1) C (1,1) <- (1,1), (2,1) <- (1,2), (2,3) <- (3,2) C (2,0) <- (0,2), (2,2) <- (2,2), (2,4) <- (4,2) C (3,4) <- (4,3), (3,1) <- (1,3), (3,3) <- (3,3) C (3,0) <- (0,3), (3,2) <- (2,3), (4,2) <- (2,4) C (4,4) <- (4,4), (4,1) <- (1,4), (4,3) <- (3,4) C (4,0) <- (0,4) C Swap (A05, A10) <-> A0102, and (A15, A20) <-> A0304, C and also copy to C12 and C34 while at it. vlvgg C12,A05,0 vlvgg C34,A15,0 vlvgg W0,A10,0 vlvgg W1,A20,0 vlgvg A05,A0102,0 vlgvg A15,A0304,0 xgrk C0,A00,A05 xgr C0,A15 vlgvg A10,A0102,1 vlgvg A20,A0304,1 vmrhg A0102,C12,W0 vmrhg A0304,C34,W1 C Transpose (A0607, A1112) vlr W0,A0607 vmrhg A0607,A0607,A1112 xgr C0,A10 xgr C0,A20 vmrlg A1112,W0,A1112 C Transpose (A1819, A2324) vlr W0,A1819 vmrhg A1819,A1819,A2324 vx C12,A0102,A0607 vx C12,C12,A1112 vmrlg A2324,W0,A2324 C Transpose (A0809, A1314) and (A1617, A2122), and swap vlr W0,A0809 vlr W1,A1314 vx C34,A0304,A1819 vx C34,C34,A2324 vmrhg A0809,A1617,A2122 vmrlg A1314,A1617,A2122 vx C34,C34,A0809 vx C34,C34,A1314 vmrhg A1617,W0,W1 vmrlg A2122,W0,W1 ahi COUNT,-8 vx C12,C12,A1617 vx C12,C12,A2122 clijne COUNT,0,.Loop C Save state data stg A00,0*8(STATE) vst A0102,1*8(STATE) vst A0304,3*8(STATE) stg A05,5*8(STATE) vst A0607,6*8(STATE) vst A0809,8*8(STATE) stg A10,10*8(STATE) vst A1112,11*8(STATE) vst A1314,13*8(STATE) stg A15,15*8(STATE) vst A1617,16*8(STATE) vst A1819,18*8(STATE) stg A20,20*8(STATE) vst A2122,21*8(STATE) vst A2324,23*8(STATE) C Load non-volatile floating point registers ld %f8,0(%r1) ld %f9,8(%r1) FREE_STACK(16) C Deallocate stack space lmg %r6,%r14,48(SP) C Load non-volatile general registers br RA EPILOGUE(nettle_sha3_permute) .align 16 .rc: C In reverse order .quad 0x8000000080008008 .quad 0x0000000080000001 .quad 0x8000000000008080 .quad 0x8000000080008081 .quad 0x800000008000000A .quad 0x000000000000800A .quad 0x8000000000000080 .quad 0x8000000000008002 .quad 0x8000000000008003 .quad 0x8000000000008089 .quad 0x800000000000008B .quad 0x000000008000808B .quad 0x000000008000000A .quad 0x0000000080008009 .quad 0x0000000000000088 .quad 0x000000000000008A .quad 0x8000000000008009 .quad 0x8000000080008081 .quad 0x0000000080000001 .quad 0x000000000000808B .quad 0x8000000080008000 .quad 0x800000000000808A .quad 0x0000000000008082 .quad 0x0000000000000001 .size .rc,.-.rc nettle-3.10/s390x/vf/chacha-core-internal.asm0000644000175000017500000000527214633602172017740 0ustar nissenisseC s390x/vf/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `%r2') define(`SRC', `%r3') define(`ROUNDS', `%r4') C Working state define(`X0', `%v0') define(`X1', `%v1') define(`X2', `%v2') define(`X3', `%v3') C Original input state define(`S0', `%v4') define(`S1', `%v5') define(`S2', `%v6') define(`S3', `%v7') define(`BRW', `%v24') C QROUND(X0, X1, X2, X3) define(`QROUND', ` C x0 += x1, x3 ^= x0, x3 lrot 16 C x2 += x3, x1 ^= x2, x1 lrot 12 C x0 += x1, x3 ^= x0, x3 lrot 8 C x2 += x3, x1 ^= x2, x1 lrot 7 vaf $1, $1, $2 vx $4, $4, $1 verllf $4, $4, 16 vaf $3, $3, $4 vx $2, $2, $3 verllf $2, $2, 12 vaf $1, $1, $2 vx $4, $4, $1 verllf $4, $4, 8 vaf $3, $3, $4 vx $2, $2, $3 verllf $2, $2, 7 ') .file "chacha-core-internal.asm" .machine "z13" .text C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_core) vlm X0, X3, 0(SRC) vlr S0, X0 vlr S1, X1 vlr S2, X2 vlr S3, X3 srlg ROUNDS, ROUNDS, 1 .Loop: QROUND(X0, X1, X2, X3) C Rotate rows, to get C 0 1 2 3 C 5 6 7 4 <<< 1 C 10 11 8 9 <<< 2 C 15 12 13 14 <<< 3 vsldb X1, X1, X1, 4 vsldb X2, X2, X2, 8 vsldb X3, X3, X3, 12 QROUND(X0, X1, X2, X3) C Inverse rotation vsldb X1, X1, X1, 12 vsldb X2, X2, X2, 8 vsldb X3, X3, X3, 4 brctg ROUNDS, .Loop vaf X0, X0, S0 vaf X1, X1, S1 vaf X2, X2, S2 vaf X3, X3, S3 larl %r5,.Lword_byte_reverse vl BRW, 0(%r5) vperm X0, X0, X0, BRW vperm X1, X1, X1, BRW vperm X2, X2, X2, BRW vperm X3, X3, X3, BRW vstm X0, X3, 0(DST) br RA EPILOGUE(_nettle_chacha_core) .align 16 .Lword_byte_reverse: .long 0x03020100,0x07060504,0x0B0A0908,0x0F0E0D0C nettle-3.10/s390x/vf/chacha-4core.asm0000644000175000017500000001445714633602172016217 0ustar nissenisseC s390x/vf/chacha-4core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `%r2') define(`SRC', `%r3') define(`ROUNDS', `%r4') C Working state define(`BRW', `%v24') C During the loop, used to save the original values for last 4 words C of each block. Also used as temporaries for transpose. define(`T0', `%v25') define(`T1', `%v26') define(`T2', `%v27') define(`T3', `%v28') C A workaround for expanding multiple digits of argument references to QR macro which is incompatible with POSIX C See https://www.gnu.org/software/m4/manual/html_node/Arguments.html define(`P1', `ifelse($1, 0, %v0, $1, 1, %v1, $1, 2, %v2, $1, 3, %v3, $1, 4, %v4, $1, 5, %v5, $1, 6, %v6, $1, 7, %v7, $1, 8, %v8, $1, 9, %v9, $1, 10, %v10, $1, 11, %v11, $1, 12, %v12, $1, 13, %v13, $1, 14, %v14, $1, 15, %v15)') define(`P2', `ifelse($1, 0, %v0, $1, 1, %v5, $1, 2, %v10, $1, 3, %v15, $1, 4, %v4, $1, 5, %v9, $1, 6, %v14, $1, 7, %v3, $1, 8, %v8, $1, 9, %v13, $1, 10, %v2, $1, 11, %v7, $1, 12, %v12, $1, 13, %v1, $1, 14, %v6, $1, 15, %v11)') C Main loop for round define(`QR',` vaf $1(0), $1(0), $1(1) vaf $1(4), $1(4), $1(5) vaf $1(8), $1(8), $1(9) vaf $1(12), $1(12), $1(13) vx $1(3), $1(3), $1(0) vx $1(7), $1(7), $1(4) vx $1(11), $1(11), $1(8) vx $1(15), $1(15), $1(12) verllf $1(3), $1(3), 16 verllf $1(7), $1(7), 16 verllf $1(11), $1(11), 16 verllf $1(15), $1(15), 16 vaf $1(2), $1(2), $1(3) vaf $1(6), $1(6), $1(7) vaf $1(10), $1(10), $1(11) vaf $1(14), $1(14), $1(15) vx $1(1), $1(1), $1(2) vx $1(5), $1(5), $1(6) vx $1(9), $1(9), $1(10) vx $1(13), $1(13), $1(14) verllf $1(1), $1(1), 12 verllf $1(5), $1(5), 12 verllf $1(9), $1(9), 12 verllf $1(13), $1(13), 12 vaf $1(0), $1(0), $1(1) vaf $1(4), $1(4), $1(5) vaf $1(8), $1(8), $1(9) vaf $1(12), $1(12), $1(13) vx $1(3), $1(3), $1(0) vx $1(7), $1(7), $1(4) vx $1(11), $1(11), $1(8) vx $1(15), $1(15), $1(12) verllf $1(3), $1(3), 8 verllf $1(7), $1(7), 8 verllf $1(11), $1(11), 8 verllf $1(15), $1(15), 8 vaf $1(2), $1(2), $1(3) vaf $1(6), $1(6), $1(7) vaf $1(10), $1(10), $1(11) vaf $1(14), $1(14), $1(15) vx $1(1), $1(1), $1(2) vx $1(5), $1(5), $1(6) vx $1(9), $1(9), $1(10) vx $1(13), $1(13), $1(14) verllf $1(1), $1(1), 7 verllf $1(5), $1(5), 7 verllf $1(9), $1(9), 7 verllf $1(13), $1(13), 7 ') define(`TRANSPOSE',` vmrhf T0, $1, $3 C A0 A2 B0 B2 vmrhf T1, $2, $4 C A1 A3 B1 B3 vmrlf T2, $1, $3 C C0 C2 D0 D2 vmrlf T3, $2, $4 C C1 C3 D1 D3 vmrhf $1, T0, T1 C A0 A1 A2 A3 vmrlf $2, T0, T1 C B0 B1 B2 B3 vmrhf $3, T2, T3 C C0 C2 C1 C3 vmrlf $4, T2, T3 C D0 D1 D2 D3 ') .file "chacha-4core.asm" .machine "z13" .text C _chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_4core) vrepif T2, 1 C Apply counter carries .Lshared_entry: C Save callee-save registers ALLOC_STACK(%r1,64) C Allocate 64-byte space on stack C Save non-volatile floating point registers std %f8,0(%r1) std %f9,8(%r1) std %f10,16(%r1) std %f11,24(%r1) std %f12,32(%r1) std %f13,40(%r1) std %f14,48(%r1) std %f15,56(%r1) larl %r5,.Lword_byte_reverse vlm BRW, T0, 0(%r5) C Load state and splat vlm %v0, %v3, 0(SRC) vrepf %v4, %v0, 1 vrepf %v8, %v0, 2 vrepf %v12, %v0, 3 vrepf %v0, %v0, 0 vrepf %v5, %v1, 1 vrepf %v9, %v1, 2 vrepf %v13, %v1, 3 vrepf %v1, %v1, 0 vrepf %v6, %v2, 1 vrepf %v10, %v2, 2 vrepf %v14, %v2, 3 vrepf %v2, %v2, 0 vrepf %v7, %v3, 1 vrepf %v11, %v3, 2 vrepf %v15, %v3, 3 vrepf %v3, %v3, 0 vaccf T1, %v3, T0 C low adds vaf %v3, %v3, T0 C compute carry-out vn T1, T1, T2 C discard carries for 32-bit counter variant vaf %v7, %v7, T1 C apply carries C Save all 4x4 of the last words. vlr T0, %v3 vlr T1, %v7 vlr T2, %v11 vlr T3, %v15 srlg ROUNDS, ROUNDS, 1 .Loop: QR(`P1') QR(`P2') brctg ROUNDS, .Loop C Add in saved original words, including counters, before C transpose. vaf %v3, %v3, T0 vaf %v7, %v7, T1 vaf %v11, %v11, T2 vaf %v15, %v15, T3 TRANSPOSE(%v0, %v4, %v8, %v12) TRANSPOSE(%v1, %v5, %v9, %v13) TRANSPOSE(%v2, %v6, %v10, %v14) TRANSPOSE(%v3, %v7, %v11, %v15) vlm T0, T2, 0(SRC) vaf %v0, %v0, T0 vaf %v4, %v4, T0 vaf %v8, %v8, T0 vaf %v12, %v12, T0 vperm %v0, %v0, %v0, BRW vperm %v4, %v4, %v4, BRW vperm %v8, %v8, %v8, BRW vperm %v12, %v12, %v12, BRW vaf %v1, %v1, T1 vaf %v5, %v5, T1 vaf %v9, %v9, T1 vaf %v13, %v13, T1 vperm %v1, %v1, %v1, BRW vperm %v5, %v5, %v5, BRW vperm %v9, %v9, %v9, BRW vperm %v13, %v13, %v13, BRW vaf %v2, %v2, T2 vaf %v6, %v6, T2 vaf %v10, %v10, T2 vaf %v14, %v14, T2 vperm %v2, %v2, %v2, BRW vperm %v6, %v6, %v6, BRW vperm %v10, %v10, %v10, BRW vperm %v14, %v14, %v14, BRW vperm %v3, %v3, %v3, BRW vperm %v7, %v7, %v7, BRW vperm %v11, %v11, %v11, BRW vperm %v15, %v15, %v15, BRW vstm %v0, %v15, 0(DST) C Restore callee-save registers ld %f8,0(%r1) ld %f9,8(%r1) ld %f10,16(%r1) ld %f11,24(%r1) ld %f12,32(%r1) ld %f13,40(%r1) ld %f14,48(%r1) ld %f15,56(%r1) FREE_STACK(64) C Deallocate stack space br RA EPILOGUE(_nettle_chacha_4core) PROLOGUE(_nettle_chacha_4core32) vzero T2 C Ignore counter carries j .Lshared_entry EPILOGUE(_nettle_chacha_4core32) .align 16 .Lword_byte_reverse: .long 0x03020100,0x07060504,0x0B0A0908,0x0F0E0D0C .Lcnts: .long 0,1,2,3 C increments nettle-3.10/s390x/memxor.asm0000644000175000017500000000272614633602172014666 0ustar nissenisseC s390x/memxor.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "memxor.asm" .machine "z10" .text C void * memxor(void *dst, const void *src, size_t n) PROLOGUE(nettle_memxor) srlg %r5,%r4,8 clgije %r5,0,Llen L256_loop: xc 0(256,%r2),0(%r3) aghi %r2,256 aghi %r3,256 brctg %r5,L256_loop Llen: risbg %r5,%r4,56,191,0 jz Ldone XOR_LEN(%r2,%r3,%r5,%r1) Ldone: br RA EPILOGUE(nettle_memxor) nettle-3.10/s390x/msa_x4/0000755000175000017500000000000014633602172014041 5ustar nissenissenettle-3.10/s390x/msa_x4/ghash-set-key.asm0000644000175000017500000000266714633602172017227 0ustar nissenisseC s390x/msa_x4/ghash-set-key.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ghash-set-key.asm" .text C void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) PROLOGUE(_nettle_ghash_set_key) C Except for Hash Subkey (H), KIMD-GHASH function does not need C any pre-computed values so just copy H into the first element C of context table and return to the caller. mvc 0(16,%r2),0(%r3) br RA EPILOGUE(_nettle_ghash_set_key) nettle-3.10/s390x/msa_x4/ghash-update.asm0000644000175000017500000000660114633602172017120 0ustar nissenisseC s390x/msa_x4/ghash-update.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C KIMD (COMPUTE INTERMEDIATE MESSAGE DIGEST) is specefied in C "z/Architecture Principles of Operation SA22-7832-12" as follows: C A function specified by the function code in general register 0 is performed. C General register 1 contains the logical address of the leftmost byte of the parameter block in storage. C the second operand is processed as specified by the function code using an initial chaining value in C the parameter block, and the result replaces the chaining value. C This implementation uses KIMD-GHASH function. C The parameter block used for the KIMD-GHASH function has the following format: C *----------------------------------------------* C | Initial Chaining Value (16 bytes) | C |----------------------------------------------| C | Hash Subkey (16 bytes) | C *----------------------------------------------* C Size of parameter block define(`PB_SIZE', `32') .file "ghash-update.asm" .text C const uint8_t *_ghash_update (const struct gcm_key *ctx, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) PROLOGUE(_nettle_ghash_update) C --- allocate a stack space for parameter block in addition to 16-byte buffer to handle leftover bytes --- ALLOC_STACK(%r1,PB_SIZE) C parameter block (must be general register 1) mvc 0(16,%r1),0(%r3) C copy x Initial Chaining Value field mvc 16(16,%r1),0(%r2) C copy H to Hash Subkey field lghi %r0,65 C GHASH function code (must be general register 0) lgr %r2,%r5 C location of leftmost byte of data (must not be odd-numbered general register nor be general register 0) lgr %r5,%r3 C number of bytes (must be general register of data + 1). length must be a multiple of the data block size (16). sllg %r3,%r4,4 C LEN = 16*BLOCKS 1: .long 0xb93e0002 C kimd %r0,%r2 brc 1,1b C safely branch back in case of partial completion mvc 0(16,%r5),0(%r1) C store x xc 0(PB_SIZE,%r1),0(%r1) C wipe parameter block content from stack FREE_STACK(PB_SIZE) br RA EPILOGUE(_nettle_ghash_update) nettle-3.10/ctr.h0000644000175000017500000000365014633602172012725 0ustar nissenisse/* ctr.h Counter mode, using an network byte order incremented counter, matching the testcases of NIST 800-38A. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CTR_H_INCLUDED #define NETTLE_CTR_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ctr_crypt nettle_ctr_crypt void ctr_crypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src); #define CTR_CTX(type, size) \ { type ctx; uint8_t ctr[size]; } #define CTR_SET_COUNTER(ctx, data) \ memcpy((ctx)->ctr, (data), sizeof((ctx)->ctr)) #define CTR_CRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : ctr_crypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->ctr), (self)->ctr, \ (length), (dst), (src))) #ifdef __cplusplus } #endif #endif /* NETTLE_CTR_H_INCLUDED */ nettle-3.10/blowfish.c0000644000175000017500000004667514633602171013762 0ustar nissenisse/* blowfish.c The blowfish block cipher. Copyright (C) 2014 Niels Möller Copyright (C) 2010 Simon Josefsson Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* For a description of the algorithm, see: * Bruce Schneier: Applied Cryptography. John Wiley & Sons, 1996. * ISBN 0-471-11709-9. Pages 336 ff. */ /* This file is derived from cipher/blowfish.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-11-23. Changes include removing the selftest, renaming u32/byte types to uint32_t/uint8_t, renaming BLOWFISH_ROUNDS to _BLOWFISH_ROUNDS (from Nettle's blowfish.h), dropping the libgcrypt wrapper functions, fixing #include's, remove support for non-16 rounds (there are no test vectors), adding FOR_BLOCK iterations, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include "blowfish.h" #include "blowfish-internal.h" #include "macros.h" /* precomputed S boxes */ const struct blowfish_ctx _nettle_blowfish_initial_ctx = { { { /* ks0 */ 0xD1310BA6, 0x98DFB5AC, 0x2FFD72DB, 0xD01ADFB7, 0xB8E1AFED, 0x6A267E96, 0xBA7C9045, 0xF12C7F99, 0x24A19947, 0xB3916CF7, 0x0801F2E2, 0x858EFC16, 0x636920D8, 0x71574E69, 0xA458FEA3, 0xF4933D7E, 0x0D95748F, 0x728EB658, 0x718BCD58, 0x82154AEE, 0x7B54A41D, 0xC25A59B5, 0x9C30D539, 0x2AF26013, 0xC5D1B023, 0x286085F0, 0xCA417918, 0xB8DB38EF, 0x8E79DCB0, 0x603A180E, 0x6C9E0E8B, 0xB01E8A3E, 0xD71577C1, 0xBD314B27, 0x78AF2FDA, 0x55605C60, 0xE65525F3, 0xAA55AB94, 0x57489862, 0x63E81440, 0x55CA396A, 0x2AAB10B6, 0xB4CC5C34, 0x1141E8CE, 0xA15486AF, 0x7C72E993, 0xB3EE1411, 0x636FBC2A, 0x2BA9C55D, 0x741831F6, 0xCE5C3E16, 0x9B87931E, 0xAFD6BA33, 0x6C24CF5C, 0x7A325381, 0x28958677, 0x3B8F4898, 0x6B4BB9AF, 0xC4BFE81B, 0x66282193, 0x61D809CC, 0xFB21A991, 0x487CAC60, 0x5DEC8032, 0xEF845D5D, 0xE98575B1, 0xDC262302, 0xEB651B88, 0x23893E81, 0xD396ACC5, 0x0F6D6FF3, 0x83F44239, 0x2E0B4482, 0xA4842004, 0x69C8F04A, 0x9E1F9B5E, 0x21C66842, 0xF6E96C9A, 0x670C9C61, 0xABD388F0, 0x6A51A0D2, 0xD8542F68, 0x960FA728, 0xAB5133A3, 0x6EEF0B6C, 0x137A3BE4, 0xBA3BF050, 0x7EFB2A98, 0xA1F1651D, 0x39AF0176, 0x66CA593E, 0x82430E88, 0x8CEE8619, 0x456F9FB4, 0x7D84A5C3, 0x3B8B5EBE, 0xE06F75D8, 0x85C12073, 0x401A449F, 0x56C16AA6, 0x4ED3AA62, 0x363F7706, 0x1BFEDF72, 0x429B023D, 0x37D0D724, 0xD00A1248, 0xDB0FEAD3, 0x49F1C09B, 0x075372C9, 0x80991B7B, 0x25D479D8, 0xF6E8DEF7, 0xE3FE501A, 0xB6794C3B, 0x976CE0BD, 0x04C006BA, 0xC1A94FB6, 0x409F60C4, 0x5E5C9EC2, 0x196A2463, 0x68FB6FAF, 0x3E6C53B5, 0x1339B2EB, 0x3B52EC6F, 0x6DFC511F, 0x9B30952C, 0xCC814544, 0xAF5EBD09, 0xBEE3D004, 0xDE334AFD, 0x660F2807, 0x192E4BB3, 0xC0CBA857, 0x45C8740F, 0xD20B5F39, 0xB9D3FBDB, 0x5579C0BD, 0x1A60320A, 0xD6A100C6, 0x402C7279, 0x679F25FE, 0xFB1FA3CC, 0x8EA5E9F8, 0xDB3222F8, 0x3C7516DF, 0xFD616B15, 0x2F501EC8, 0xAD0552AB, 0x323DB5FA, 0xFD238760, 0x53317B48, 0x3E00DF82, 0x9E5C57BB, 0xCA6F8CA0, 0x1A87562E, 0xDF1769DB, 0xD542A8F6, 0x287EFFC3, 0xAC6732C6, 0x8C4F5573, 0x695B27B0, 0xBBCA58C8, 0xE1FFA35D, 0xB8F011A0, 0x10FA3D98, 0xFD2183B8, 0x4AFCB56C, 0x2DD1D35B, 0x9A53E479, 0xB6F84565, 0xD28E49BC, 0x4BFB9790, 0xE1DDF2DA, 0xA4CB7E33, 0x62FB1341, 0xCEE4C6E8, 0xEF20CADA, 0x36774C01, 0xD07E9EFE, 0x2BF11FB4, 0x95DBDA4D, 0xAE909198, 0xEAAD8E71, 0x6B93D5A0, 0xD08ED1D0, 0xAFC725E0, 0x8E3C5B2F, 0x8E7594B7, 0x8FF6E2FB, 0xF2122B64, 0x8888B812, 0x900DF01C, 0x4FAD5EA0, 0x688FC31C, 0xD1CFF191, 0xB3A8C1AD, 0x2F2F2218, 0xBE0E1777, 0xEA752DFE, 0x8B021FA1, 0xE5A0CC0F, 0xB56F74E8, 0x18ACF3D6, 0xCE89E299, 0xB4A84FE0, 0xFD13E0B7, 0x7CC43B81, 0xD2ADA8D9, 0x165FA266, 0x80957705, 0x93CC7314, 0x211A1477, 0xE6AD2065, 0x77B5FA86, 0xC75442F5, 0xFB9D35CF, 0xEBCDAF0C, 0x7B3E89A0, 0xD6411BD3, 0xAE1E7E49, 0x00250E2D, 0x2071B35E, 0x226800BB, 0x57B8E0AF, 0x2464369B, 0xF009B91E, 0x5563911D, 0x59DFA6AA, 0x78C14389, 0xD95A537F, 0x207D5BA2, 0x02E5B9C5, 0x83260376, 0x6295CFA9, 0x11C81968, 0x4E734A41, 0xB3472DCA, 0x7B14A94A, 0x1B510052, 0x9A532915, 0xD60F573F, 0xBC9BC6E4, 0x2B60A476, 0x81E67400, 0x08BA6FB5, 0x571BE91F, 0xF296EC6B, 0x2A0DD915, 0xB6636521, 0xE7B9F9B6, 0xFF34052E, 0xC5855664, 0x53B02D5D, 0xA99F8FA1, 0x08BA4799, 0x6E85076A }, { /* ks1 */ 0x4B7A70E9, 0xB5B32944, 0xDB75092E, 0xC4192623, 0xAD6EA6B0, 0x49A7DF7D, 0x9CEE60B8, 0x8FEDB266, 0xECAA8C71, 0x699A17FF, 0x5664526C, 0xC2B19EE1, 0x193602A5, 0x75094C29, 0xA0591340, 0xE4183A3E, 0x3F54989A, 0x5B429D65, 0x6B8FE4D6, 0x99F73FD6, 0xA1D29C07, 0xEFE830F5, 0x4D2D38E6, 0xF0255DC1, 0x4CDD2086, 0x8470EB26, 0x6382E9C6, 0x021ECC5E, 0x09686B3F, 0x3EBAEFC9, 0x3C971814, 0x6B6A70A1, 0x687F3584, 0x52A0E286, 0xB79C5305, 0xAA500737, 0x3E07841C, 0x7FDEAE5C, 0x8E7D44EC, 0x5716F2B8, 0xB03ADA37, 0xF0500C0D, 0xF01C1F04, 0x0200B3FF, 0xAE0CF51A, 0x3CB574B2, 0x25837A58, 0xDC0921BD, 0xD19113F9, 0x7CA92FF6, 0x94324773, 0x22F54701, 0x3AE5E581, 0x37C2DADC, 0xC8B57634, 0x9AF3DDA7, 0xA9446146, 0x0FD0030E, 0xECC8C73E, 0xA4751E41, 0xE238CD99, 0x3BEA0E2F, 0x3280BBA1, 0x183EB331, 0x4E548B38, 0x4F6DB908, 0x6F420D03, 0xF60A04BF, 0x2CB81290, 0x24977C79, 0x5679B072, 0xBCAF89AF, 0xDE9A771F, 0xD9930810, 0xB38BAE12, 0xDCCF3F2E, 0x5512721F, 0x2E6B7124, 0x501ADDE6, 0x9F84CD87, 0x7A584718, 0x7408DA17, 0xBC9F9ABC, 0xE94B7D8C, 0xEC7AEC3A, 0xDB851DFA, 0x63094366, 0xC464C3D2, 0xEF1C1847, 0x3215D908, 0xDD433B37, 0x24C2BA16, 0x12A14D43, 0x2A65C451, 0x50940002, 0x133AE4DD, 0x71DFF89E, 0x10314E55, 0x81AC77D6, 0x5F11199B, 0x043556F1, 0xD7A3C76B, 0x3C11183B, 0x5924A509, 0xF28FE6ED, 0x97F1FBFA, 0x9EBABF2C, 0x1E153C6E, 0x86E34570, 0xEAE96FB1, 0x860E5E0A, 0x5A3E2AB3, 0x771FE71C, 0x4E3D06FA, 0x2965DCB9, 0x99E71D0F, 0x803E89D6, 0x5266C825, 0x2E4CC978, 0x9C10B36A, 0xC6150EBA, 0x94E2EA78, 0xA5FC3C53, 0x1E0A2DF4, 0xF2F74EA7, 0x361D2B3D, 0x1939260F, 0x19C27960, 0x5223A708, 0xF71312B6, 0xEBADFE6E, 0xEAC31F66, 0xE3BC4595, 0xA67BC883, 0xB17F37D1, 0x018CFF28, 0xC332DDEF, 0xBE6C5AA5, 0x65582185, 0x68AB9802, 0xEECEA50F, 0xDB2F953B, 0x2AEF7DAD, 0x5B6E2F84, 0x1521B628, 0x29076170, 0xECDD4775, 0x619F1510, 0x13CCA830, 0xEB61BD96, 0x0334FE1E, 0xAA0363CF, 0xB5735C90, 0x4C70A239, 0xD59E9E0B, 0xCBAADE14, 0xEECC86BC, 0x60622CA7, 0x9CAB5CAB, 0xB2F3846E, 0x648B1EAF, 0x19BDF0CA, 0xA02369B9, 0x655ABB50, 0x40685A32, 0x3C2AB4B3, 0x319EE9D5, 0xC021B8F7, 0x9B540B19, 0x875FA099, 0x95F7997E, 0x623D7DA8, 0xF837889A, 0x97E32D77, 0x11ED935F, 0x16681281, 0x0E358829, 0xC7E61FD6, 0x96DEDFA1, 0x7858BA99, 0x57F584A5, 0x1B227263, 0x9B83C3FF, 0x1AC24696, 0xCDB30AEB, 0x532E3054, 0x8FD948E4, 0x6DBC3128, 0x58EBF2EF, 0x34C6FFEA, 0xFE28ED61, 0xEE7C3C73, 0x5D4A14D9, 0xE864B7E3, 0x42105D14, 0x203E13E0, 0x45EEE2B6, 0xA3AAABEA, 0xDB6C4F15, 0xFACB4FD0, 0xC742F442, 0xEF6ABBB5, 0x654F3B1D, 0x41CD2105, 0xD81E799E, 0x86854DC7, 0xE44B476A, 0x3D816250, 0xCF62A1F2, 0x5B8D2646, 0xFC8883A0, 0xC1C7B6A3, 0x7F1524C3, 0x69CB7492, 0x47848A0B, 0x5692B285, 0x095BBF00, 0xAD19489D, 0x1462B174, 0x23820E00, 0x58428D2A, 0x0C55F5EA, 0x1DADF43E, 0x233F7061, 0x3372F092, 0x8D937E41, 0xD65FECF1, 0x6C223BDB, 0x7CDE3759, 0xCBEE7460, 0x4085F2A7, 0xCE77326E, 0xA6078084, 0x19F8509E, 0xE8EFD855, 0x61D99735, 0xA969A7AA, 0xC50C06C2, 0x5A04ABFC, 0x800BCADC, 0x9E447A2E, 0xC3453484, 0xFDD56705, 0x0E1E9EC9, 0xDB73DBD3, 0x105588CD, 0x675FDA79, 0xE3674340, 0xC5C43465, 0x713E38D8, 0x3D28F89E, 0xF16DFF20, 0x153E21E7, 0x8FB03D4A, 0xE6E39F2B, 0xDB83ADF7 }, { /* ks2 */ 0xE93D5A68, 0x948140F7, 0xF64C261C, 0x94692934, 0x411520F7, 0x7602D4F7, 0xBCF46B2E, 0xD4A20068, 0xD4082471, 0x3320F46A, 0x43B7D4B7, 0x500061AF, 0x1E39F62E, 0x97244546, 0x14214F74, 0xBF8B8840, 0x4D95FC1D, 0x96B591AF, 0x70F4DDD3, 0x66A02F45, 0xBFBC09EC, 0x03BD9785, 0x7FAC6DD0, 0x31CB8504, 0x96EB27B3, 0x55FD3941, 0xDA2547E6, 0xABCA0A9A, 0x28507825, 0x530429F4, 0x0A2C86DA, 0xE9B66DFB, 0x68DC1462, 0xD7486900, 0x680EC0A4, 0x27A18DEE, 0x4F3FFEA2, 0xE887AD8C, 0xB58CE006, 0x7AF4D6B6, 0xAACE1E7C, 0xD3375FEC, 0xCE78A399, 0x406B2A42, 0x20FE9E35, 0xD9F385B9, 0xEE39D7AB, 0x3B124E8B, 0x1DC9FAF7, 0x4B6D1856, 0x26A36631, 0xEAE397B2, 0x3A6EFA74, 0xDD5B4332, 0x6841E7F7, 0xCA7820FB, 0xFB0AF54E, 0xD8FEB397, 0x454056AC, 0xBA489527, 0x55533A3A, 0x20838D87, 0xFE6BA9B7, 0xD096954B, 0x55A867BC, 0xA1159A58, 0xCCA92963, 0x99E1DB33, 0xA62A4A56, 0x3F3125F9, 0x5EF47E1C, 0x9029317C, 0xFDF8E802, 0x04272F70, 0x80BB155C, 0x05282CE3, 0x95C11548, 0xE4C66D22, 0x48C1133F, 0xC70F86DC, 0x07F9C9EE, 0x41041F0F, 0x404779A4, 0x5D886E17, 0x325F51EB, 0xD59BC0D1, 0xF2BCC18F, 0x41113564, 0x257B7834, 0x602A9C60, 0xDFF8E8A3, 0x1F636C1B, 0x0E12B4C2, 0x02E1329E, 0xAF664FD1, 0xCAD18115, 0x6B2395E0, 0x333E92E1, 0x3B240B62, 0xEEBEB922, 0x85B2A20E, 0xE6BA0D99, 0xDE720C8C, 0x2DA2F728, 0xD0127845, 0x95B794FD, 0x647D0862, 0xE7CCF5F0, 0x5449A36F, 0x877D48FA, 0xC39DFD27, 0xF33E8D1E, 0x0A476341, 0x992EFF74, 0x3A6F6EAB, 0xF4F8FD37, 0xA812DC60, 0xA1EBDDF8, 0x991BE14C, 0xDB6E6B0D, 0xC67B5510, 0x6D672C37, 0x2765D43B, 0xDCD0E804, 0xF1290DC7, 0xCC00FFA3, 0xB5390F92, 0x690FED0B, 0x667B9FFB, 0xCEDB7D9C, 0xA091CF0B, 0xD9155EA3, 0xBB132F88, 0x515BAD24, 0x7B9479BF, 0x763BD6EB, 0x37392EB3, 0xCC115979, 0x8026E297, 0xF42E312D, 0x6842ADA7, 0xC66A2B3B, 0x12754CCC, 0x782EF11C, 0x6A124237, 0xB79251E7, 0x06A1BBE6, 0x4BFB6350, 0x1A6B1018, 0x11CAEDFA, 0x3D25BDD8, 0xE2E1C3C9, 0x44421659, 0x0A121386, 0xD90CEC6E, 0xD5ABEA2A, 0x64AF674E, 0xDA86A85F, 0xBEBFE988, 0x64E4C3FE, 0x9DBC8057, 0xF0F7C086, 0x60787BF8, 0x6003604D, 0xD1FD8346, 0xF6381FB0, 0x7745AE04, 0xD736FCCC, 0x83426B33, 0xF01EAB71, 0xB0804187, 0x3C005E5F, 0x77A057BE, 0xBDE8AE24, 0x55464299, 0xBF582E61, 0x4E58F48F, 0xF2DDFDA2, 0xF474EF38, 0x8789BDC2, 0x5366F9C3, 0xC8B38E74, 0xB475F255, 0x46FCD9B9, 0x7AEB2661, 0x8B1DDF84, 0x846A0E79, 0x915F95E2, 0x466E598E, 0x20B45770, 0x8CD55591, 0xC902DE4C, 0xB90BACE1, 0xBB8205D0, 0x11A86248, 0x7574A99E, 0xB77F19B6, 0xE0A9DC09, 0x662D09A1, 0xC4324633, 0xE85A1F02, 0x09F0BE8C, 0x4A99A025, 0x1D6EFE10, 0x1AB93D1D, 0x0BA5A4DF, 0xA186F20F, 0x2868F169, 0xDCB7DA83, 0x573906FE, 0xA1E2CE9B, 0x4FCD7F52, 0x50115E01, 0xA70683FA, 0xA002B5C4, 0x0DE6D027, 0x9AF88C27, 0x773F8641, 0xC3604C06, 0x61A806B5, 0xF0177A28, 0xC0F586E0, 0x006058AA, 0x30DC7D62, 0x11E69ED7, 0x2338EA63, 0x53C2DD94, 0xC2C21634, 0xBBCBEE56, 0x90BCB6DE, 0xEBFC7DA1, 0xCE591D76, 0x6F05E409, 0x4B7C0188, 0x39720A3D, 0x7C927C24, 0x86E3725F, 0x724D9DB9, 0x1AC15BB4, 0xD39EB8FC, 0xED545578, 0x08FCA5B5, 0xD83D7CD3, 0x4DAD0FC4, 0x1E50EF5E, 0xB161E6F8, 0xA28514D9, 0x6C51133C, 0x6FD5C7E7, 0x56E14EC4, 0x362ABFCE, 0xDDC6C837, 0xD79A3234, 0x92638212, 0x670EFA8E, 0x406000E0 }, { /* ks3 */ 0x3A39CE37, 0xD3FAF5CF, 0xABC27737, 0x5AC52D1B, 0x5CB0679E, 0x4FA33742, 0xD3822740, 0x99BC9BBE, 0xD5118E9D, 0xBF0F7315, 0xD62D1C7E, 0xC700C47B, 0xB78C1B6B, 0x21A19045, 0xB26EB1BE, 0x6A366EB4, 0x5748AB2F, 0xBC946E79, 0xC6A376D2, 0x6549C2C8, 0x530FF8EE, 0x468DDE7D, 0xD5730A1D, 0x4CD04DC6, 0x2939BBDB, 0xA9BA4650, 0xAC9526E8, 0xBE5EE304, 0xA1FAD5F0, 0x6A2D519A, 0x63EF8CE2, 0x9A86EE22, 0xC089C2B8, 0x43242EF6, 0xA51E03AA, 0x9CF2D0A4, 0x83C061BA, 0x9BE96A4D, 0x8FE51550, 0xBA645BD6, 0x2826A2F9, 0xA73A3AE1, 0x4BA99586, 0xEF5562E9, 0xC72FEFD3, 0xF752F7DA, 0x3F046F69, 0x77FA0A59, 0x80E4A915, 0x87B08601, 0x9B09E6AD, 0x3B3EE593, 0xE990FD5A, 0x9E34D797, 0x2CF0B7D9, 0x022B8B51, 0x96D5AC3A, 0x017DA67D, 0xD1CF3ED6, 0x7C7D2D28, 0x1F9F25CF, 0xADF2B89B, 0x5AD6B472, 0x5A88F54C, 0xE029AC71, 0xE019A5E6, 0x47B0ACFD, 0xED93FA9B, 0xE8D3C48D, 0x283B57CC, 0xF8D56629, 0x79132E28, 0x785F0191, 0xED756055, 0xF7960E44, 0xE3D35E8C, 0x15056DD4, 0x88F46DBA, 0x03A16125, 0x0564F0BD, 0xC3EB9E15, 0x3C9057A2, 0x97271AEC, 0xA93A072A, 0x1B3F6D9B, 0x1E6321F5, 0xF59C66FB, 0x26DCF319, 0x7533D928, 0xB155FDF5, 0x03563482, 0x8ABA3CBB, 0x28517711, 0xC20AD9F8, 0xABCC5167, 0xCCAD925F, 0x4DE81751, 0x3830DC8E, 0x379D5862, 0x9320F991, 0xEA7A90C2, 0xFB3E7BCE, 0x5121CE64, 0x774FBE32, 0xA8B6E37E, 0xC3293D46, 0x48DE5369, 0x6413E680, 0xA2AE0810, 0xDD6DB224, 0x69852DFD, 0x09072166, 0xB39A460A, 0x6445C0DD, 0x586CDECF, 0x1C20C8AE, 0x5BBEF7DD, 0x1B588D40, 0xCCD2017F, 0x6BB4E3BB, 0xDDA26A7E, 0x3A59FF45, 0x3E350A44, 0xBCB4CDD5, 0x72EACEA8, 0xFA6484BB, 0x8D6612AE, 0xBF3C6F47, 0xD29BE463, 0x542F5D9E, 0xAEC2771B, 0xF64E6370, 0x740E0D8D, 0xE75B1357, 0xF8721671, 0xAF537D5D, 0x4040CB08, 0x4EB4E2CC, 0x34D2466A, 0x0115AF84, 0xE1B00428, 0x95983A1D, 0x06B89FB4, 0xCE6EA048, 0x6F3F3B82, 0x3520AB82, 0x011A1D4B, 0x277227F8, 0x611560B1, 0xE7933FDC, 0xBB3A792B, 0x344525BD, 0xA08839E1, 0x51CE794B, 0x2F32C9B7, 0xA01FBAC9, 0xE01CC87E, 0xBCC7D1F6, 0xCF0111C3, 0xA1E8AAC7, 0x1A908749, 0xD44FBD9A, 0xD0DADECB, 0xD50ADA38, 0x0339C32A, 0xC6913667, 0x8DF9317C, 0xE0B12B4F, 0xF79E59B7, 0x43F5BB3A, 0xF2D519FF, 0x27D9459C, 0xBF97222C, 0x15E6FC2A, 0x0F91FC71, 0x9B941525, 0xFAE59361, 0xCEB69CEB, 0xC2A86459, 0x12BAA8D1, 0xB6C1075E, 0xE3056A0C, 0x10D25065, 0xCB03A442, 0xE0EC6E0E, 0x1698DB3B, 0x4C98A0BE, 0x3278E964, 0x9F1F9532, 0xE0D392DF, 0xD3A0342B, 0x8971F21E, 0x1B0A7441, 0x4BA3348C, 0xC5BE7120, 0xC37632D8, 0xDF359F8D, 0x9B992F2E, 0xE60B6F47, 0x0FE3F11D, 0xE54CDA54, 0x1EDAD891, 0xCE6279CF, 0xCD3E7E6F, 0x1618B166, 0xFD2C1D05, 0x848FD2C5, 0xF6FB2299, 0xF523F357, 0xA6327623, 0x93A83531, 0x56CCCD02, 0xACF08162, 0x5A75EBB5, 0x6E163697, 0x88D273CC, 0xDE966292, 0x81B949D0, 0x4C50901B, 0x71C65614, 0xE6C6C7BD, 0x327A140A, 0x45E1D006, 0xC3F27B9A, 0xC9AA53FD, 0x62A80F00, 0xBB25BFE2, 0x35BDD2F6, 0x71126905, 0xB2040222, 0xB6CBCF7C, 0xCD769C2B, 0x53113EC0, 0x1640E3D3, 0x38ABBD60, 0x2547ADF0, 0xBA38209C, 0xF746CE76, 0x77AFA1C5, 0x20756060, 0x85CBFE4E, 0x8AE88DD8, 0x7AAAF9B0, 0x4CF9AA7E, 0x1948C25C, 0x02FB8A8C, 0x01C36AE4, 0xD6EBE1F9, 0x90D4F869, 0xA65CDEA0, 0x3F09252D, 0xC208E69F, 0xB74E6132, 0xCE77E25B, 0x578FDFE3, 0x3AC372E6 } }, { /* ps */ 0x243F6A88, 0x85A308D3, 0x13198A2E, 0x03707344, 0xA4093822, 0x299F31D0, 0x082EFA98, 0xEC4E6C89, 0x452821E6, 0x38D01377, 0xBE5466CF, 0x34E90C6C, 0xC0AC29B7, 0xC97C50DD, 0x3F84D5B5, 0xB5470917, 0x9216D5D9, 0x8979FB1B } }; /* It's unfortunate to have to pick the bytes apart in the round * function. Werner's gnupg/libgcrypt code took the address of x, and * then read the individual bytes depending on the endianness. But * since xr and xl ought to live in registers, copying via memory is a * bad idea. */ #define F(c, x) \ ((( (c->s[0][(x>>24) &0xff] + c->s[1][(x>>16) & 0xff]) \ ^ c->s[2][(x>>8) & 0xff]) + c->s[3][x & 0xff]) & 0xffffffff) #define R(c, l,r,i) do { l ^= c->p[i]; r ^= F(c,l); } while(0) void _nettle_blowfish_encround (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) { uint32_t xl, xr; xl = *ret_xl; xr = *ret_xr; R (ctx, xl, xr, 0); R (ctx, xr, xl, 1); R (ctx, xl, xr, 2); R (ctx, xr, xl, 3); R (ctx, xl, xr, 4); R (ctx, xr, xl, 5); R (ctx, xl, xr, 6); R (ctx, xr, xl, 7); R (ctx, xl, xr, 8); R (ctx, xr, xl, 9); R (ctx, xl, xr, 10); R (ctx, xr, xl, 11); R (ctx, xl, xr, 12); R (ctx, xr, xl, 13); R (ctx, xl, xr, 14); R (ctx, xr, xl, 15); xl ^= ctx->p[_BLOWFISH_ROUNDS]; xr ^= ctx->p[_BLOWFISH_ROUNDS + 1]; *ret_xl = xr; *ret_xr = xl; } static void decround (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr) { uint32_t xl, xr; xl = *ret_xl; xr = *ret_xr; R (ctx, xl, xr, 17); R (ctx, xr, xl, 16); R (ctx, xl, xr, 15); R (ctx, xr, xl, 14); R (ctx, xl, xr, 13); R (ctx, xr, xl, 12); R (ctx, xl, xr, 11); R (ctx, xr, xl, 10); R (ctx, xl, xr, 9); R (ctx, xr, xl, 8); R (ctx, xl, xr, 7); R (ctx, xr, xl, 6); R (ctx, xl, xr, 5); R (ctx, xr, xl, 4); R (ctx, xl, xr, 3); R (ctx, xr, xl, 2); xl ^= ctx->p[1]; xr ^= ctx->p[0]; *ret_xl = xr; *ret_xr = xl; } #undef F #undef R void blowfish_encrypt (const struct blowfish_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE) { uint32_t d1, d2; d1 = READ_UINT32(src); d2 = READ_UINT32(src+4); _nettle_blowfish_encround (ctx, &d1, &d2); dst[0] = (d1 >> 24) & 0xff; dst[1] = (d1 >> 16) & 0xff; dst[2] = (d1 >> 8) & 0xff; dst[3] = d1 & 0xff; dst[4] = (d2 >> 24) & 0xff; dst[5] = (d2 >> 16) & 0xff; dst[6] = (d2 >> 8) & 0xff; dst[7] = d2 & 0xff; } } void blowfish_decrypt (const struct blowfish_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { FOR_BLOCKS (length, dst, src, BLOWFISH_BLOCK_SIZE) { uint32_t d1, d2; d1 = READ_UINT32(src); d2 = READ_UINT32(src+4); decround (ctx, &d1, &d2); dst[0] = (d1 >> 24) & 0xff; dst[1] = (d1 >> 16) & 0xff; dst[2] = (d1 >> 8) & 0xff; dst[3] = d1 & 0xff; dst[4] = (d2 >> 24) & 0xff; dst[5] = (d2 >> 16) & 0xff; dst[6] = (d2 >> 8) & 0xff; dst[7] = d2 & 0xff; } } int blowfish_set_key (struct blowfish_ctx *ctx, size_t length, const uint8_t * key) { int i, j; uint32_t data, datal, datar; *ctx = _nettle_blowfish_initial_ctx; for (i = j = 0; i < _BLOWFISH_ROUNDS + 2; i++) { data = ((uint32_t) key[j] << 24) | ((uint32_t) key[(j+1) % length] << 16) | ((uint32_t) key[(j+2) % length] << 8) | (uint32_t) key[(j+3) % length]; ctx->p[i] ^= data; j = (j + 4) % length; } datal = datar = 0; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { _nettle_blowfish_encround (ctx, &datal, &datar); ctx->p[i] = datal; ctx->p[i + 1] = datar; } for (j = 0; j < 4; j++) for (i = 0; i < 256; i += 2) { _nettle_blowfish_encround (ctx, &datal, &datar); ctx->s[j][i] = datal; ctx->s[j][i + 1] = datar; } /* Check for weak key. A weak key is a key in which a value in the P-array (here c) occurs more than once per table. */ for (i = 0; i < 255; i++) { for (j = i + 1; j < 256; j++) { if ((ctx->s[0][i] == ctx->s[0][j]) || (ctx->s[1][i] == ctx->s[1][j]) || (ctx->s[2][i] == ctx->s[2][j]) || (ctx->s[3][i] == ctx->s[3][j])) return 0; } } return 1; } int blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key) { return blowfish_set_key (ctx, BLOWFISH128_KEY_SIZE, key); } nettle-3.10/nettle-internal.h0000644000175000017500000000625514633602172015246 0ustar nissenisse/* nettle-internal.h Misc internal definitions. Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_INTERNAL_H_INCLUDED #define NETTLE_INTERNAL_H_INCLUDED #include /* Needed for alloca on bsd systems. */ #include /* For definition of NETTLE_MAX_HASH_CONTEXT_SIZE. */ #include "sha3.h" /* Temporary allocation, for systems that don't support alloca. Note * that the allocation requests should always be reasonably small, so * that they can fit on the stack. For non-alloca systems, we use a * fix maximum size + an assert. * * TMP_DECL and TMP_ALLOC allocate an array of the given type, and * take the array size (not byte size) as argument. * * TMP_DECL_ALIGN and TMP_ALLOC_ALIGN are intended for context * structs, which need proper alignment. They take the size in bytes, * and produce a void *. On systems without alloca, implemented as an * array of uint64_t, to ensure alignment. Since it is used as void * * argument, no type casts are needed. */ #if HAVE_ALLOCA # define TMP_DECL(name, type, max) type *name # define TMP_ALLOC(name, size) (name = alloca(sizeof (*name) * (size))) # define TMP_DECL_ALIGN(name, max) void *name # define TMP_ALLOC_ALIGN(name, size) (name = alloca(size)) #else /* !HAVE_ALLOCA */ # define TMP_DECL(name, type, max) type name[max] # define TMP_ALLOC(name, size) \ do { assert((size_t)(size) <= (sizeof(name) / sizeof(name[0]))); } while (0) # define TMP_DECL_ALIGN(name, max) \ uint64_t name[((max) + (sizeof(uint64_t) - 1))/ sizeof(uint64_t)] # define TMP_ALLOC_ALIGN(name, size) \ do { assert((size_t)(size) <= (sizeof(name))); } while (0) #endif /* Limits that apply to systems that don't have alloca */ #define NETTLE_MAX_HASH_BLOCK_SIZE 144 /* For sha3_224*/ #define NETTLE_MAX_HASH_DIGEST_SIZE 64 #define NETTLE_MAX_HASH_CONTEXT_SIZE (sizeof(struct sha3_224_ctx)) #define NETTLE_MAX_SEXP_ASSOC 17 #define NETTLE_MAX_CIPHER_BLOCK_SIZE 32 #define NETTLE_MAX_CIPHER_KEY_SIZE 32 /* Equivalent to x == 0, but with an expression that should compile to branch free code on all compilers. Requires that x is at most 31 bits. */ #define IS_ZERO_SMALL(x) (((uint32_t) (x) - 1U) >> 31) extern const struct nettle_hash * const _nettle_hashes[]; #endif /* NETTLE_INTERNAL_H_INCLUDED */ nettle-3.10/chacha-poly1305-meta.c0000644000175000017500000000334114633602171015551 0ustar nissenisse/* chacha-poly1305-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "chacha-poly1305.h" const struct nettle_aead nettle_chacha_poly1305 = { "chacha_poly1305", sizeof(struct chacha_poly1305_ctx), CHACHA_POLY1305_BLOCK_SIZE, CHACHA_POLY1305_KEY_SIZE, CHACHA_POLY1305_NONCE_SIZE, CHACHA_POLY1305_DIGEST_SIZE, (nettle_set_key_func *) chacha_poly1305_set_key, (nettle_set_key_func *) chacha_poly1305_set_key, (nettle_set_key_func *) chacha_poly1305_set_nonce, (nettle_hash_update_func *) chacha_poly1305_update, (nettle_crypt_func *) chacha_poly1305_encrypt, (nettle_crypt_func *) chacha_poly1305_decrypt, (nettle_hash_digest_func *) chacha_poly1305_digest, }; nettle-3.10/base64-encode.c0000644000175000017500000001061714633602171014447 0ustar nissenisse/* base64-encode.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "base64.h" #define ENCODE(alphabet,x) ((alphabet)[0x3F & (x)]) static void encode_raw(const char *alphabet, char *dst, size_t length, const uint8_t *src) { const uint8_t *in = src + length; char *out = dst + BASE64_ENCODE_RAW_LENGTH(length); unsigned left_over = length % 3; if (left_over) { in -= left_over; *--out = '='; switch(left_over) { case 1: *--out = '='; *--out = ENCODE(alphabet, (in[0] << 4)); break; case 2: *--out = ENCODE(alphabet, (in[1] << 2)); *--out = ENCODE(alphabet, ((in[0] << 4) | (in[1] >> 4))); break; default: abort(); } *--out = ENCODE(alphabet, (in[0] >> 2)); } while (in > src) { in -= 3; *--out = ENCODE(alphabet, (in[2])); *--out = ENCODE(alphabet, ((in[1] << 2) | (in[2] >> 6))); *--out = ENCODE(alphabet, ((in[0] << 4) | (in[1] >> 4))); *--out = ENCODE(alphabet, (in[0] >> 2)); } assert(in == src); assert(out == dst); } static const char base64_encode_table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789+/"; void base64_encode_raw(char *dst, size_t length, const uint8_t *src) { encode_raw(base64_encode_table, dst, length, src); } void base64_encode_group(char *dst, uint32_t group) { *dst++ = ENCODE(base64_encode_table, (group >> 18)); *dst++ = ENCODE(base64_encode_table, (group >> 12)); *dst++ = ENCODE(base64_encode_table, (group >> 6)); *dst++ = ENCODE(base64_encode_table, group); } void base64_encode_init(struct base64_encode_ctx *ctx) { ctx->word = ctx->bits = 0; ctx->alphabet = base64_encode_table; } /* Encodes a single byte. */ size_t base64_encode_single(struct base64_encode_ctx *ctx, char *dst, uint8_t src) { unsigned done = 0; unsigned word = ctx->word << 8 | src; unsigned bits = ctx->bits + 8; while (bits >= 6) { bits -= 6; dst[done++] = ENCODE(ctx->alphabet, (word >> bits)); } ctx->bits = bits; ctx->word = word; assert(done <= 2); return done; } /* Returns the number of output characters. DST should point to an * area of size at least BASE64_ENCODE_LENGTH(length). */ size_t base64_encode_update(struct base64_encode_ctx *ctx, char *dst, size_t length, const uint8_t *src) { size_t done = 0; size_t left = length; unsigned left_over; size_t bulk; while (ctx->bits && left) { left--; done += base64_encode_single(ctx, dst + done, *src++); } left_over = left % 3; bulk = left - left_over; if (bulk) { assert(!(bulk % 3)); encode_raw(ctx->alphabet, dst + done, bulk, src); done += BASE64_ENCODE_RAW_LENGTH(bulk); src += bulk; left = left_over; } while (left) { left--; done += base64_encode_single(ctx, dst + done, *src++); } assert(done <= BASE64_ENCODE_LENGTH(length)); return done; } /* DST should point to an area of size at least * BASE64_ENCODE_FINAL_SIZE */ size_t base64_encode_final(struct base64_encode_ctx *ctx, char *dst) { unsigned done = 0; unsigned bits = ctx->bits; if (bits) { dst[done++] = ENCODE(ctx->alphabet, (ctx->word << (6 - ctx->bits))); for (; bits < 6; bits += 2) dst[done++] = '='; ctx->bits = 0; } assert(done <= BASE64_ENCODE_FINAL_LENGTH); return done; } nettle-3.10/blowfish.h0000644000175000017500000000576714633602172013765 0ustar nissenisse/* blowfish.h Blowfish block cipher. Copyright (C) 2014 Niels Möller Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BLOWFISH_H_INCLUDED #define NETTLE_BLOWFISH_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define blowfish_set_key nettle_blowfish_set_key #define blowfish128_set_key nettle_blowfish128_set_key #define blowfish_encrypt nettle_blowfish_encrypt #define blowfish_decrypt nettle_blowfish_decrypt #define blowfish_bcrypt_hash nettle_blowfish_bcrypt_hash #define blowfish_bcrypt_verify nettle_blowfish_bcrypt_verify #define BLOWFISH_BLOCK_SIZE 8 /* Variable key size between 64 and 448 bits. */ #define BLOWFISH_MIN_KEY_SIZE 8 #define BLOWFISH_MAX_KEY_SIZE 56 /* Default to 128 bits */ #define BLOWFISH_KEY_SIZE 16 #define BLOWFISH128_KEY_SIZE 16 #define _BLOWFISH_ROUNDS 16 #define BLOWFISH_BCRYPT_HASH_SIZE (60 + 1) /* Including null-terminator */ #define BLOWFISH_BCRYPT_BINSALT_SIZE 16 /* Binary string size */ struct blowfish_ctx { uint32_t s[4][256]; uint32_t p[_BLOWFISH_ROUNDS+2]; }; /* Returns 0 for weak keys, otherwise 1. */ int blowfish_set_key(struct blowfish_ctx *ctx, size_t length, const uint8_t *key); int blowfish128_set_key(struct blowfish_ctx *ctx, const uint8_t *key); void blowfish_encrypt(const struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void blowfish_decrypt(const struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* dst parameter must point to a buffer of minimally * BLOWFISH_BCRYPT_HASH_SIZE bytes */ int blowfish_bcrypt_hash(uint8_t *dst, size_t lenkey, const uint8_t *key, size_t lenscheme, const uint8_t *scheme, int log2rounds, const uint8_t *salt); int blowfish_bcrypt_verify(size_t lenkey, const uint8_t *key, size_t lenhashed, const uint8_t *hashed); #ifdef __cplusplus } #endif #endif /* NETTLE_BLOWFISH_H_INCLUDED */ nettle-3.10/sexp-format.c0000644000175000017500000001466514633602171014404 0ustar nissenisse/* sexp-format.c Writing s-expressions. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include "sexp.h" #include "buffer.h" #include "bignum.h" static unsigned format_prefix(struct nettle_buffer *buffer, size_t length) { size_t digit = 1; unsigned prefix_length = 1; for (;;) { size_t next = digit * 10; if (next > length) break; prefix_length++; digit = next; } if (buffer) { for (; digit; length %= digit, digit /= 10) if (!NETTLE_BUFFER_PUTC(buffer, '0' + length / digit)) return 0; if (!NETTLE_BUFFER_PUTC(buffer, ':')) return 0; } return prefix_length + 1; } static size_t format_string(struct nettle_buffer *buffer, size_t length, const uint8_t *s) { unsigned prefix_length = format_prefix(buffer, length); if (!prefix_length) return 0; if (buffer && !nettle_buffer_write(buffer, length, s)) return 0; return prefix_length + length; } static inline size_t strlen_u8 (const uint8_t *s) { return strlen((const char*) s); } size_t sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args) { unsigned nesting = 0; size_t done = 0; for (;;) switch (*format++) { default: { const char *start = format - 1; size_t length = 1 + strcspn(format, "()% \t"); size_t output_length = format_string(buffer, length, (const uint8_t *) start); if (!output_length) return 0; done += output_length; format = start + length; break; } case ' ': case '\t': break; case '\0': assert(!nesting); return done; case '(': if (buffer && !NETTLE_BUFFER_PUTC(buffer, '(')) return 0; done++; nesting++; break; case ')': assert (nesting); if (buffer && !NETTLE_BUFFER_PUTC(buffer, ')')) return 0; done++; nesting--; break; case '%': { int nul_flag = 0; if (*format == '0') { format++; nul_flag = 1; } switch (*format++) { default: abort(); case '(': case ')': /* Allow unbalanced parenthesis */ if (buffer && !NETTLE_BUFFER_PUTC(buffer, format[-1])) return 0; done++; break; case 's': { const uint8_t *s; size_t length; size_t output_length; if (nul_flag) { s = va_arg(args, const uint8_t *); length = strlen_u8(s); } else { length = va_arg(args, size_t); s = va_arg(args, const uint8_t *); } output_length = format_string(buffer, length, s); if (!output_length) return 0; done += output_length; break; } case 't': { const uint8_t *s; size_t length; size_t output_length; if (nul_flag) { s = va_arg(args, const uint8_t *); if (!s) break; length = strlen_u8(s); } else { length = va_arg(args, size_t); s = va_arg(args, const uint8_t *); if (!s) break; } if (buffer && !NETTLE_BUFFER_PUTC(buffer, '[')) return 0; done++; output_length = format_string(buffer, length, s); if (!output_length) return 0; done += output_length; if (buffer && !NETTLE_BUFFER_PUTC(buffer, ']')) return 0; done++; break; } case 'l': { const uint8_t *s; size_t length; if (nul_flag) { s = va_arg(args, const uint8_t *); length = strlen_u8(s); } else { length = va_arg(args, size_t); s = va_arg(args, const uint8_t *); } if (buffer && !nettle_buffer_write(buffer, length, s)) return 0; done += length; break; } case 'i': { uint32_t x = va_arg(args, uint32_t); unsigned length; if (x < 0x80) length = 1; else if (x < 0x8000L) length = 2; else if (x < 0x800000L) length = 3; else if (x < 0x80000000L) length = 4; else length = 5; if (buffer && !(NETTLE_BUFFER_PUTC(buffer, '0' + length) && NETTLE_BUFFER_PUTC(buffer, ':'))) return 0; done += (2 + length); if (buffer) switch(length) { case 5: /* Leading byte needed for the sign. */ if (!NETTLE_BUFFER_PUTC(buffer, 0)) return 0; /* Fall through */ case 4: if (!NETTLE_BUFFER_PUTC(buffer, x >> 24)) return 0; /* Fall through */ case 3: if (!NETTLE_BUFFER_PUTC(buffer, (x >> 16) & 0xff)) return 0; /* Fall through */ case 2: if (!NETTLE_BUFFER_PUTC(buffer, (x >> 8) & 0xff)) return 0; /* Fall through */ case 1: if (!NETTLE_BUFFER_PUTC(buffer, x & 0xff)) return 0; break; default: abort(); } break; } case 'b': { mpz_srcptr n = va_arg(args, mpz_srcptr); size_t length; unsigned prefix_length; length = nettle_mpz_sizeinbase_256_s(n); prefix_length = format_prefix(buffer, length); if (!prefix_length) return 0; done += prefix_length; if (buffer) { uint8_t *space = nettle_buffer_space(buffer, length); if (!space) return 0; nettle_mpz_get_str_256(length, space, n); } done += length; break; } } } } } size_t sexp_format(struct nettle_buffer *buffer, const char *format, ...) { va_list args; size_t done; va_start(args, format); done = sexp_vformat(buffer, format, args); va_end(args); return done; } nettle-3.10/ccm-aes256.c0000644000175000017500000000623314633602171013674 0ustar nissenisse/* ccm-aes256.c Counter with CBC-MAC mode using AES256 as the underlying cipher. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "ccm.h" void ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key) { aes256_set_encrypt_key(&ctx->cipher, key); } void ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, nonce, authlen, msglen, taglen); } void ccm_aes256_update(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data) { ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, data); } void ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, dst, src); } void ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, dst, src); } void ccm_aes256_digest(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *digest) { ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes256_encrypt, length, digest); } void ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ccm_encrypt_message(&ctx->cipher, (nettle_cipher_func *) aes256_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ccm_decrypt_message(&ctx->cipher, (nettle_cipher_func *) aes256_encrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-3.10/desCode.h0000644000175000017500000002560614633602172013510 0ustar nissenisse/* desCode.h * */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. */ #include "des.h" /* optional customization: * the idea here is to alter the code so it will still run correctly * on any machine, but the quickest on the specific machine in mind. * note that these silly tweaks can give you a 15%-20% speed improvement * on the sparc -- it's probably even more significant on the 68000. */ /* take care of machines with incredibly few registers */ #if defined(i386) #define REGISTER /* only x, y, z will be declared register */ #else #define REGISTER register #endif /* i386 */ /* is auto inc/dec faster than 7bit unsigned indexing? */ #if defined(vax) || defined(mc68000) #define FIXR r += 32; #define FIXS s += 8; #define PREV(v,o) *--v #define NEXT(v,o) *v++ #else #define FIXR #define FIXS #define PREV(v,o) v[o] #define NEXT(v,o) v[o] #endif /* if no machine type, default is indexing, 6 registers and cheap literals */ #if !defined(i386) && !defined(vax) && !defined(mc68000) && !defined(sparc) #define vax #endif /* handle a compiler which can't reallocate registers */ /* The BYTE type is used as parameter for the encrypt/decrypt functions. * It's pretty bad to have the function prototypes depend on * a macro definition that the users of the function doesn't * know about. /Niels */ #if 0 /* didn't feel like deleting */ #define SREGFREE ; s = (uint8_t *) D #define DEST s #define D m0 #define BYTE uint32_t #else #define SREGFREE #define DEST d #define D d #define BYTE uint8_t #endif /* handle constants in the optimal way for 386 & vax */ /* 386: we declare 3 register variables (see above) and use 3 more variables; * vax: we use 6 variables, all declared register; * we assume address literals are cheap & unrestricted; * we assume immediate constants are cheap & unrestricted. */ #if defined(i386) || defined(vax) #define MQ0 des_bigmap #define MQ1 (des_bigmap + 64) #define MQ2 (des_bigmap + 128) #define MQ3 (des_bigmap + 192) #define HQ0(z) /* z |= 0x01000000L; */ #define HQ2(z) /* z |= 0x03000200L; */ #define LQ0(z) 0xFCFC & z #define LQ1(z) 0xFCFC & z #define LQ2(z) 0xFCFC & z #define LQ3(z) 0xFCFC & z #define SQ 16 #define MS0 des_keymap #define MS1 (des_keymap + 64) #define MS2 (des_keymap + 128) #define MS3 (des_keymap + 192) #define MS4 (des_keymap + 256) #define MS5 (des_keymap + 320) #define MS6 (des_keymap + 384) #define MS7 (des_keymap + 448) #define HS(z) #define LS0(z) 0xFC & z #define LS1(z) 0xFC & z #define LS2(z) 0xFC & z #define LS3(z) 0xFC & z #define REGQUICK #define SETQUICK #define REGSMALL #define SETSMALL #endif /* defined(i386) || defined(vax) */ /* handle constants in the optimal way for mc68000 */ /* in addition to the core 6 variables, we declare 3 registers holding constants * and 4 registers holding address literals. * at most 6 data values and 5 address values are actively used at once. * we assume address literals are so expensive we never use them; * we assume constant index offsets > 127 are expensive, so they are not used. * we assume all constants are expensive and put them in registers, * including shift counts greater than 8. */ #if defined(mc68000) #define MQ0 m0 #define MQ1 m1 #define MQ2 m2 #define MQ3 m3 #define HQ0(z) #define HQ2(z) #define LQ0(z) k0 & z #define LQ1(z) k0 & z #define LQ2(z) k0 & z #define LQ3(z) k0 & z #define SQ k1 #define MS0 m0 #define MS1 m0 #define MS2 m1 #define MS3 m1 #define MS4 m2 #define MS5 m2 #define MS6 m3 #define MS7 m3 #define HS(z) z |= k0; #define LS0(z) k1 & z #define LS1(z) k2 & z #define LS2(z) k1 & z #define LS3(z) k2 & z #define REGQUICK \ register uint32_t k0, k1; \ register uint32_t *m0, *m1, *m2, *m3; #define SETQUICK \ ; k0 = 0xFCFC \ ; k1 = 16 \ /*k2 = 28 to speed up ROL */ \ ; m0 = des_bigmap \ ; m1 = m0 + 64 \ ; m2 = m1 + 64 \ ; m3 = m2 + 64 #define REGSMALL \ register uint32_t k0, k1, k2; \ register uint32_t *m0, *m1, *m2, *m3; #define SETSMALL \ ; k0 = 0x01000100L \ ; k1 = 0x0FC \ ; k2 = 0x1FC \ ; m0 = des_keymap \ ; m1 = m0 + 128 \ ; m2 = m1 + 128 \ ; m3 = m2 + 128 #endif /* defined(mc68000) */ /* handle constants in the optimal way for sparc */ /* in addition to the core 6 variables, we either declare: * 4 registers holding address literals and 1 register holding a constant, or * 8 registers holding address literals. * up to 14 register variables are declared (sparc has %i0-%i5, %l0-%l7). * we assume address literals are so expensive we never use them; * we assume any constant with >10 bits is expensive and put it in a register, * and any other is cheap and is coded in-line. */ #if defined(sparc) #define MQ0 m0 #define MQ1 m1 #define MQ2 m2 #define MQ3 m3 #define HQ0(z) #define HQ2(z) #define LQ0(z) k0 & z #define LQ1(z) k0 & z #define LQ2(z) k0 & z #define LQ3(z) k0 & z #define SQ 16 #define MS0 m0 #define MS1 m1 #define MS2 m2 #define MS3 m3 #define MS4 m4 #define MS5 m5 #define MS6 m6 #define MS7 m7 #define HS(z) #define LS0(z) 0xFC & z #define LS1(z) 0xFC & z #define LS2(z) 0xFC & z #define LS3(z) 0xFC & z #define REGQUICK \ register uint32_t k0; \ register uint32_t *m0, *m1, *m2, *m3; #define SETQUICK \ ; k0 = 0xFCFC \ ; m0 = des_bigmap \ ; m1 = m0 + 64 \ ; m2 = m1 + 64 \ ; m3 = m2 + 64 #define REGSMALL \ register uint32_t *m0, *m1, *m2, *m3, *m4, *m5, *m6, *m7; #define SETSMALL \ ; m0 = des_keymap \ ; m1 = m0 + 64 \ ; m2 = m1 + 64 \ ; m3 = m2 + 64 \ ; m4 = m3 + 64 \ ; m5 = m4 + 64 \ ; m6 = m5 + 64 \ ; m7 = m6 + 64 #endif /* defined(sparc) */ /* some basic stuff */ /* generate addresses from a base and an index */ /* FIXME: This is used only as *ADD(msi,lsi(z)) or *ADD(mqi,lqi(z)). * Why not use plain indexing instead? /Niels */ #define ADD(b,x) (uint32_t *) ((uint8_t *)b + (x)) /* low level rotate operations */ #define NOP(d,c,o) #define ROL(d,c,o) d = d << c | d >> o #define ROR(d,c,o) d = d >> c | d << o #define ROL1(d) ROL(d, 1, 31) #define ROR1(d) ROR(d, 1, 31) /* elementary swap for doing IP/FP */ #define SWAP(x,y,m,b) \ z = ((x >> b) ^ y) & m; \ x ^= z << b; \ y ^= z /* the following macros contain all the important code fragments */ /* load input data, then setup special registers holding constants */ #define TEMPQUICK(LOAD) \ REGQUICK \ LOAD() \ SETQUICK #define TEMPSMALL(LOAD) \ REGSMALL \ LOAD() \ SETSMALL /* load data */ #define LOADDATA(x,y) \ FIXS \ y = PREV(s, 7); y<<= 8; \ y |= PREV(s, 6); y<<= 8; \ y |= PREV(s, 5); y<<= 8; \ y |= PREV(s, 4); \ x = PREV(s, 3); x<<= 8; \ x |= PREV(s, 2); x<<= 8; \ x |= PREV(s, 1); x<<= 8; \ x |= PREV(s, 0) \ SREGFREE /* load data without initial permutation and put into efficient position */ #define LOADCORE() \ LOADDATA(x, y); \ ROR1(x); \ ROR1(y) /* load data, do the initial permutation and put into efficient position */ #define LOADFIPS() \ LOADDATA(y, x); \ SWAP(x, y, 0x0F0F0F0FL, 004); \ SWAP(y, x, 0x0000FFFFL, 020); \ SWAP(x, y, 0x33333333L, 002); \ SWAP(y, x, 0x00FF00FFL, 010); \ ROR1(x); \ z = (x ^ y) & 0x55555555L; \ y ^= z; \ x ^= z; \ ROR1(y) /* core encryption/decryption operations */ /* S box mapping and P perm */ #define KEYMAPSMALL(x,z,mq0,mq1,hq,lq0,lq1,sq,ms0,ms1,ms2,ms3,hs,ls0,ls1,ls2,ls3)\ hs(z) \ x ^= *ADD(ms3, ls3(z)); \ z>>= 8; \ x ^= *ADD(ms2, ls2(z)); \ z>>= 8; \ x ^= *ADD(ms1, ls1(z)); \ z>>= 8; \ x ^= *ADD(ms0, ls0(z)) /* alternate version: use 64k of tables */ #define KEYMAPQUICK(x,z,mq0,mq1,hq,lq0,lq1,sq,ms0,ms1,ms2,ms3,hs,ls0,ls1,ls2,ls3)\ hq(z) \ x ^= *ADD(mq0, lq0(z)); \ z>>= sq; \ x ^= *ADD(mq1, lq1(z)) /* apply 24 key bits and do the odd s boxes */ #define S7S1(x,y,z,r,m,KEYMAP,LOAD) \ z = LOAD(r, m); \ z ^= y; \ KEYMAP(x,z,MQ0,MQ1,HQ0,LQ0,LQ1,SQ,MS0,MS1,MS2,MS3,HS,LS0,LS1,LS2,LS3) /* apply 24 key bits and do the even s boxes */ #define S6S0(x,y,z,r,m,KEYMAP,LOAD) \ z = LOAD(r, m); \ z ^= y; \ ROL(z, 4, 28); \ KEYMAP(x,z,MQ2,MQ3,HQ2,LQ2,LQ3,SQ,MS4,MS5,MS6,MS7,HS,LS0,LS1,LS2,LS3) /* actual iterations. equivalent except for UPDATE & swapping m and n */ #define ENCR(x,y,z,r,m,n,KEYMAP) \ S7S1(x,y,z,r,m,KEYMAP,NEXT); \ S6S0(x,y,z,r,n,KEYMAP,NEXT) #define DECR(x,y,z,r,m,n,KEYMAP) \ S6S0(x,y,z,r,m,KEYMAP,PREV); \ S7S1(x,y,z,r,n,KEYMAP,PREV) /* write out result in correct byte order */ #define SAVEDATA(x,y) \ NEXT(DEST, 0) = x; x>>= 8; \ NEXT(DEST, 1) = x; x>>= 8; \ NEXT(DEST, 2) = x; x>>= 8; \ NEXT(DEST, 3) = x; \ NEXT(DEST, 4) = y; y>>= 8; \ NEXT(DEST, 5) = y; y>>= 8; \ NEXT(DEST, 6) = y; y>>= 8; \ NEXT(DEST, 7) = y /* write out result */ #define SAVECORE() \ ROL1(x); \ ROL1(y); \ SAVEDATA(y, x) /* do final permutation and write out result */ #define SAVEFIPS() \ ROL1(x); \ z = (x ^ y) & 0x55555555L; \ y ^= z; \ x ^= z; \ ROL1(y); \ SWAP(x, y, 0x00FF00FFL, 010); \ SWAP(y, x, 0x33333333L, 002); \ SWAP(x, y, 0x0000FFFFL, 020); \ SWAP(y, x, 0x0F0F0F0FL, 004); \ SAVEDATA(x, y) /* the following macros contain the encryption/decryption skeletons */ #define ENCRYPT(NAME, TEMP, LOAD, KEYMAP, SAVE) \ \ void \ NAME(REGISTER BYTE *D, \ REGISTER const uint32_t *r, \ REGISTER const uint8_t *s) \ { \ register uint32_t x, y, z; \ \ /* declare temps & load data */ \ TEMP(LOAD); \ \ /* do the 16 iterations */ \ ENCR(x,y,z,r, 0, 1,KEYMAP); \ ENCR(y,x,z,r, 2, 3,KEYMAP); \ ENCR(x,y,z,r, 4, 5,KEYMAP); \ ENCR(y,x,z,r, 6, 7,KEYMAP); \ ENCR(x,y,z,r, 8, 9,KEYMAP); \ ENCR(y,x,z,r,10,11,KEYMAP); \ ENCR(x,y,z,r,12,13,KEYMAP); \ ENCR(y,x,z,r,14,15,KEYMAP); \ ENCR(x,y,z,r,16,17,KEYMAP); \ ENCR(y,x,z,r,18,19,KEYMAP); \ ENCR(x,y,z,r,20,21,KEYMAP); \ ENCR(y,x,z,r,22,23,KEYMAP); \ ENCR(x,y,z,r,24,25,KEYMAP); \ ENCR(y,x,z,r,26,27,KEYMAP); \ ENCR(x,y,z,r,28,29,KEYMAP); \ ENCR(y,x,z,r,30,31,KEYMAP); \ \ /* save result */ \ SAVE(); \ \ return; \ } #define DECRYPT(NAME, TEMP, LOAD, KEYMAP, SAVE) \ \ void \ NAME(REGISTER BYTE *D, \ REGISTER const uint32_t *r, \ REGISTER const uint8_t *s) \ { \ register uint32_t x, y, z; \ \ /* declare temps & load data */ \ TEMP(LOAD); \ \ /* do the 16 iterations */ \ FIXR \ DECR(x,y,z,r,31,30,KEYMAP); \ DECR(y,x,z,r,29,28,KEYMAP); \ DECR(x,y,z,r,27,26,KEYMAP); \ DECR(y,x,z,r,25,24,KEYMAP); \ DECR(x,y,z,r,23,22,KEYMAP); \ DECR(y,x,z,r,21,20,KEYMAP); \ DECR(x,y,z,r,19,18,KEYMAP); \ DECR(y,x,z,r,17,16,KEYMAP); \ DECR(x,y,z,r,15,14,KEYMAP); \ DECR(y,x,z,r,13,12,KEYMAP); \ DECR(x,y,z,r,11,10,KEYMAP); \ DECR(y,x,z,r, 9, 8,KEYMAP); \ DECR(x,y,z,r, 7, 6,KEYMAP); \ DECR(y,x,z,r, 5, 4,KEYMAP); \ DECR(x,y,z,r, 3, 2,KEYMAP); \ DECR(y,x,z,r, 1, 0,KEYMAP); \ \ /* save result */ \ SAVE(); \ \ return; \ } nettle-3.10/des3.c0000644000175000017500000000415514633602171012766 0ustar nissenisse/* des3.c Triple DES cipher. Three key encrypt-decrypt-encrypt. Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "des.h" /* It's possible to make some more general pipe construction, like the * lsh/src/cascade.c, but as in practice it's never used for anything * like triple DES, it's not worth the effort. */ /* Returns 1 for good keys and 0 for weak keys. */ int des3_set_key(struct des3_ctx *ctx, const uint8_t *key) { unsigned i; int is_good = 1; for (i = 0; i<3; i++, key += DES_KEY_SIZE) if (!des_set_key(&ctx->des[i], key)) is_good = 0; return is_good; } void des3_encrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { des_encrypt(&ctx->des[0], length, dst, src); des_decrypt(&ctx->des[1], length, dst, dst); des_encrypt(&ctx->des[2], length, dst, dst); } void des3_decrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { des_decrypt(&ctx->des[2], length, dst, src); des_encrypt(&ctx->des[1], length, dst, dst); des_decrypt(&ctx->des[0], length, dst, dst); } nettle-3.10/serpent-set-key.c0000644000175000017500000002402014633602171015160 0ustar nissenisse/* serpent-set-key.c The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011, 2014 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "serpent.h" #include "macros.h" #include "serpent-internal.h" /* Magic number, used during generating of the subkeys. */ #define PHI 0x9E3779B9 /* These are the S-Boxes of Serpent. They are copied from Serpents reference implementation (the optimized one, contained in `floppy2') and are therefore: Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen. To quote the Serpent homepage (http://www.cl.cam.ac.uk/~rja14/serpent.html): "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the GNU PUBLIC LICENSE (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application." */ /* FIXME: Except when used within the key schedule, the inputs are not used after the substitution, and hence we could allow them to be destroyed. Can this freedom be used to optimize the sboxes? */ #define SBOX0(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t05, t06, t07, t08, t09; \ type t11, t12, t13, t14, t15, t17, t01; \ t01 = b ^ c ; \ t02 = a | d ; \ t03 = a ^ b ; \ z = t02 ^ t01; \ t05 = c | z ; \ t06 = a ^ d ; \ t07 = b | c ; \ t08 = d & t05; \ t09 = t03 & t07; \ y = t09 ^ t08; \ t11 = t09 & y ; \ t12 = c ^ d ; \ t13 = t07 ^ t11; \ t14 = b & t06; \ t15 = t06 ^ t13; \ w = ~ t15; \ t17 = w ^ t14; \ x = t12 ^ t17; \ } while (0) #define SBOX1(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t07, t08; \ type t10, t11, t12, t13, t16, t17, t01; \ t01 = a | d ; \ t02 = c ^ d ; \ t03 = ~ b ; \ t04 = a ^ c ; \ t05 = a | t03; \ t06 = d & t04; \ t07 = t01 & t02; \ t08 = b | t06; \ y = t02 ^ t05; \ t10 = t07 ^ t08; \ t11 = t01 ^ t10; \ t12 = y ^ t11; \ t13 = b & d ; \ z = ~ t10; \ x = t13 ^ t12; \ t16 = t10 | x ; \ t17 = t05 & t16; \ w = c ^ t17; \ } while (0) #define SBOX2(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t05, t06, t07, t08; \ type t09, t10, t12, t13, t14, t01; \ t01 = a | c ; \ t02 = a ^ b ; \ t03 = d ^ t01; \ w = t02 ^ t03; \ t05 = c ^ w ; \ t06 = b ^ t05; \ t07 = b | t05; \ t08 = t01 & t06; \ t09 = t03 ^ t07; \ t10 = t02 | t09; \ x = t10 ^ t08; \ t12 = a | d ; \ t13 = t09 ^ x ; \ t14 = b ^ t13; \ z = ~ t09; \ y = t12 ^ t14; \ } while (0) #define SBOX3(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t07, t08; \ type t09, t10, t11, t13, t14, t15, t01; \ t01 = a ^ c ; \ t02 = a | d ; \ t03 = a & d ; \ t04 = t01 & t02; \ t05 = b | t03; \ t06 = a & b ; \ t07 = d ^ t04; \ t08 = c | t06; \ t09 = b ^ t07; \ t10 = d & t05; \ t11 = t02 ^ t10; \ z = t08 ^ t09; \ t13 = d | z ; \ t14 = a | t07; \ t15 = b & t13; \ y = t08 ^ t11; \ w = t14 ^ t15; \ x = t05 ^ t04; \ } while (0) #define SBOX4(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t08, t09; \ type t10, t11, t12, t13, t14, t15, t16, t01; \ t01 = a | b ; \ t02 = b | c ; \ t03 = a ^ t02; \ t04 = b ^ d ; \ t05 = d | t03; \ t06 = d & t01; \ z = t03 ^ t06; \ t08 = z & t04; \ t09 = t04 & t05; \ t10 = c ^ t06; \ t11 = b & c ; \ t12 = t04 ^ t08; \ t13 = t11 | t03; \ t14 = t10 ^ t09; \ t15 = a & t05; \ t16 = t11 | t12; \ y = t13 ^ t08; \ x = t15 ^ t16; \ w = ~ t14; \ } while (0) #define SBOX5(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t07, t08, t09; \ type t10, t11, t12, t13, t14, t01; \ t01 = b ^ d ; \ t02 = b | d ; \ t03 = a & t01; \ t04 = c ^ t02; \ t05 = t03 ^ t04; \ w = ~ t05; \ t07 = a ^ t01; \ t08 = d | w ; \ t09 = b | t05; \ t10 = d ^ t08; \ t11 = b | t07; \ t12 = t03 | w ; \ t13 = t07 | t10; \ t14 = t01 ^ t11; \ y = t09 ^ t13; \ x = t07 ^ t08; \ z = t12 ^ t14; \ } while (0) #define SBOX6(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t07, t08, t09, t10; \ type t11, t12, t13, t15, t17, t18, t01; \ t01 = a & d ; \ t02 = b ^ c ; \ t03 = a ^ d ; \ t04 = t01 ^ t02; \ t05 = b | c ; \ x = ~ t04; \ t07 = t03 & t05; \ t08 = b & x ; \ t09 = a | c ; \ t10 = t07 ^ t08; \ t11 = b | d ; \ t12 = c ^ t11; \ t13 = t09 ^ t10; \ y = ~ t13; \ t15 = x & t03; \ z = t12 ^ t07; \ t17 = a ^ b ; \ t18 = y ^ t15; \ w = t17 ^ t18; \ } while (0) #define SBOX7(type, a, b, c, d, w, x, y, z) \ do { \ type t02, t03, t04, t05, t06, t08, t09, t10; \ type t11, t13, t14, t15, t16, t17, t01; \ t01 = a & c ; \ t02 = ~ d ; \ t03 = a & t02; \ t04 = b | t01; \ t05 = a & b ; \ t06 = c ^ t04; \ z = t03 ^ t06; \ t08 = c | z ; \ t09 = d | t05; \ t10 = a ^ t08; \ t11 = t04 & z ; \ x = t09 ^ t10; \ t13 = b ^ x ; \ t14 = t01 ^ x ; \ t15 = c ^ t05; \ t16 = t11 | t13; \ t17 = t02 | t14; \ w = t15 ^ t17; \ y = a ^ t16; \ } while (0) /* Key schedule */ /* Note: Increments k */ #define KS_RECURRENCE(w, i, k) \ do { \ uint32_t _wn = (w)[(i)] ^ (w)[((i)+3)&7] ^ w[((i)+5)&7] \ ^ w[((i)+7)&7] ^ PHI ^ (k)++; \ ((w)[(i)] = ROTL32(11, _wn)); \ } while (0) /* Note: Increments k four times and keys once */ #define KS(keys, s, w, i, k) \ do { \ KS_RECURRENCE(w, (i), (k)); \ KS_RECURRENCE(w, (i)+1, (k)); \ KS_RECURRENCE(w, (i)+2, (k)); \ KS_RECURRENCE(w, (i)+3, (k)); \ SBOX##s(uint32_t, w[(i)],w[(i)+1],w[(i)+2],w[(i)+3], \ (*keys)[0],(*keys)[1],(*keys)[2],(*keys)[3]); \ (keys)++; \ } while (0) /* Pad user key and convert to an array of 8 uint32_t. */ static void serpent_key_pad (const uint8_t *key, unsigned int key_length, uint32_t *w) { unsigned int i; assert (key_length <= SERPENT_MAX_KEY_SIZE); for (i = 0; key_length >= 4; key_length -=4, key += 4) w[i++] = LE_READ_UINT32(key); if (i < 8) { /* Key must be padded according to the Serpent specification. "aabbcc" -> "aabbcc0100...00" -> 0x01ccbbaa. */ uint32_t pad = 0x01; while (key_length > 0) pad = pad << 8 | key[--key_length]; w[i++] = pad; while (i < 8) w[i++] = 0; } } /* Initialize CONTEXT with the key KEY of LENGTH bytes. */ void serpent_set_key (struct serpent_ctx *ctx, size_t length, const uint8_t * key) { uint32_t w[8]; uint32_t (*keys)[4]; unsigned k; serpent_key_pad (key, length, w); /* Derive the 33 subkeys from KEY and store them in SUBKEYS. We do the recurrence in the key schedule using W as a circular buffer of just 8 uint32_t. */ /* FIXME: Would be better to invoke SBOX with scalar variables as arguments, no arrays. To do that, unpack w into separate variables, use temporary variables as the SBOX destination. */ keys = ctx->keys; k = 0; for (;;) { KS(keys, 3, w, 0, k); if (k == 132) break; KS(keys, 2, w, 4, k); KS(keys, 1, w, 0, k); KS(keys, 0, w, 4, k); KS(keys, 7, w, 0, k); KS(keys, 6, w, 4, k); KS(keys, 5, w, 0, k); KS(keys, 4, w, 4, k); } assert (keys == ctx->keys + 33); } void serpent128_set_key (struct serpent_ctx *ctx, const uint8_t *key) { serpent_set_key (ctx, SERPENT128_KEY_SIZE, key); } void serpent192_set_key (struct serpent_ctx *ctx, const uint8_t *key) { serpent_set_key (ctx, SERPENT192_KEY_SIZE, key); } void serpent256_set_key (struct serpent_ctx *ctx, const uint8_t *key) { serpent_set_key (ctx, SERPENT256_KEY_SIZE, key); } nettle-3.10/umac96.c0000644000175000017500000000657114633602171013240 0ustar nissenisse/* umac96.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key) { _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 3); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac96_set_nonce (struct umac96_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_length = nonce_length; } #define UMAC96_BLOCK(ctx, block) do { \ uint64_t __umac96_y[3]; \ _nettle_umac_nh_n (__umac96_y, 3, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ __umac96_y[0] += 8*UMAC_BLOCK_SIZE; \ __umac96_y[1] += 8*UMAC_BLOCK_SIZE; \ __umac96_y[2] += 8*UMAC_BLOCK_SIZE; \ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, __umac96_y); \ } while (0) void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC96_BLOCK, (void)0); } void umac96_digest (struct umac96_ctx *ctx, size_t length, uint8_t *digest) { uint32_t tag[4]; unsigned i; assert (length > 0); assert (length <= 12); if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y[3]; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); _nettle_umac_nh_n (y, 3, ctx->l1_key, ctx->index + pad, ctx->block); y[0] += 8 * ctx->index; y[1] += 8 * ctx->index; y[2] += 8 * ctx->index; _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 3, ctx->count++, y); } assert (ctx->count > 0); aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 3, ctx->count); for (i = 0; i < 3; i++) tag[i] ^= ctx->l3_key2[i] ^ _nettle_umac_l3 (ctx->l3_key1 + 8*i, ctx->l2_state + 2*i); memcpy (digest, tag, length); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-3.10/camellia256-crypt.c0000644000175000017500000000316514633602171015273 0ustar nissenisse/* camellia256-crypt.c Crypt function for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "camellia-internal.h" /* The main point on this function is to help the assembler implementations of _nettle_camellia_crypt to get the table pointer. For PIC code, the details can be complex and system dependent. */ void camellia256_crypt(const struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % CAMELLIA_BLOCK_SIZE) ); _nettle_camellia_crypt(_CAMELLIA256_NKEYS, ctx->keys, &_nettle_camellia_table, length, dst, src); } nettle-3.10/dsa-sha256-sign.c0000644000175000017500000000362014633602171014637 0ustar nissenisse/* dsa-sha256-sign.c The DSA publickey algorithm, using SHA-256 (FIPS186-3). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" int dsa_sha256_sign_digest(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, struct dsa_signature *signature) { return dsa_sign((const struct dsa_params *) pub, key->x, random_ctx, random, SHA256_DIGEST_SIZE, digest, signature); } int dsa_sha256_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, struct dsa_signature *signature) { uint8_t digest[SHA256_DIGEST_SIZE]; sha256_digest(hash, sizeof(digest), digest); return dsa_sign((const struct dsa_params *) pub, key->x, random_ctx, random, sizeof(digest), digest, signature); } nettle-3.10/sha1-meta.c0000644000175000017500000000222714633602171013706 0ustar nissenisse/* sha1-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha1.h" const struct nettle_hash nettle_sha1 = _NETTLE_HASH(sha1, SHA1); nettle-3.10/hmac-md5-meta.c0000644000175000017500000000243014633602171014441 0ustar nissenisse/* hmac-md5-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_md5_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_md5_set_key (ctx, MD5_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_md5 = _NETTLE_HMAC(hmac_md5, MD5); nettle-3.10/twofish-meta.c0000644000175000017500000000320314633602171014530 0ustar nissenisse/* twofish-meta.c Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "twofish.h" #define TWOFISH(bits) { \ "twofish" #bits, \ sizeof(struct twofish_ctx), \ TWOFISH_BLOCK_SIZE, \ TWOFISH ## bits ## _KEY_SIZE, \ (nettle_set_key_func *) twofish ## bits ## _set_key, \ (nettle_set_key_func *) twofish ## bits ## _set_key, \ (nettle_cipher_func *) twofish_encrypt, \ (nettle_cipher_func *) twofish_decrypt \ } const struct nettle_cipher nettle_twofish128 = TWOFISH(128); const struct nettle_cipher nettle_twofish192 = TWOFISH(192); const struct nettle_cipher nettle_twofish256 = TWOFISH(256); nettle-3.10/rsa-sha1-sign-tr.c0000644000175000017500000000372114633602171015126 0ustar nissenisse/* rsa-sha1-sign-tr.c Signatures using RSA and SHA1. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha1_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha1_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_sha1_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha1_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.10/ocb.h0000644000175000017500000001366314633602172012705 0ustar nissenisse/* ocb.h OCB AEAD mode, RFC 7253 Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_OCB_H_INCLUDED #define NETTLE_OCB_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ocb_set_key nettle_ocb_set_key #define ocb_set_nonce nettle_ocb_set_nonce #define ocb_update nettle_ocb_update #define ocb_encrypt nettle_ocb_encrypt #define ocb_decrypt nettle_ocb_decrypt #define ocb_digest nettle_ocb_digest #define ocb_encrypt_message nettle_ocb_encrypt_message #define ocb_decrypt_message nettle_ocb_decrypt_message #define ocb_aes128_set_encrypt_key nettle_ocb_aes128_set_encrypt_key #define ocb_aes128_set_decrypt_key nettle_ocb_aes128_set_decrypt_key #define ocb_aes128_set_nonce nettle_ocb_aes128_set_nonce #define ocb_aes128_update nettle_ocb_aes128_update #define ocb_aes128_encrypt nettle_ocb_aes128_encrypt #define ocb_aes128_decrypt nettle_ocb_aes128_decrypt #define ocb_aes128_digest nettle_ocb_aes128_digest #define ocb_aes128_encrypt_message nettle_ocb_aes128_encrypt_message #define ocb_aes128_decrypt_message nettle_ocb_aes128_decrypt_message #define OCB_BLOCK_SIZE 16 #define OCB_DIGEST_SIZE 16 #define OCB_MAX_NONCE_SIZE 15 struct ocb_key { /* L_*, L_$ and L_0, and one reserved entry */ union nettle_block16 L[4]; }; struct ocb_ctx { /* Initial offset, Offset_0 in the spec. */ union nettle_block16 initial; /* Offset, updated per block. */ union nettle_block16 offset; /* Authentication for the associated data */ union nettle_block16 sum; /* Authentication for the message */ union nettle_block16 checksum; /* Count of processed blocks. */ size_t data_count; size_t message_count; }; void ocb_set_key (struct ocb_key *key, const void *cipher, nettle_cipher_func *f); void ocb_set_nonce (struct ocb_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t tag_length, size_t nonce_length, const uint8_t *nonce); void ocb_update (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data); void ocb_encrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void ocb_decrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t length, uint8_t *dst, const uint8_t *src); void ocb_digest (const struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest); void ocb_encrypt_message (const struct ocb_key *ocb_key, const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ocb_decrypt_message (const struct ocb_key *ocb_key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); /* OCB-AES */ /* This struct represents an expanded key for ocb-aes encryption. For decryption, a separate decryption context is needed as well. */ struct ocb_aes128_encrypt_key { struct ocb_key ocb; struct aes128_ctx encrypt; }; void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *ocb, const uint8_t *key); void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *ocb, struct aes128_ctx *decrypt, const uint8_t *key); void ocb_aes128_set_nonce (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t tag_length, size_t nonce_length, const uint8_t *nonce); void ocb_aes128_update (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, const uint8_t *data); void ocb_aes128_encrypt(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, uint8_t *dst, const uint8_t *src); void ocb_aes128_decrypt(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t length, uint8_t *dst, const uint8_t *src); void ocb_aes128_digest(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, uint8_t *digest); void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_OCB_H_INCLUDED */ nettle-3.10/ecc-gostdsa-sign.c0000644000175000017500000000522614633602172015263 0ustar nissenisse/* ecc-gostdsa-sign.c Copyright (C) 2015 Dmitry Eremin-Solenikov Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gostdsa.h" #include "dsa-internal.h" #include "ecc-internal.h" /* Low-level GOST DSA signing */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc) { /* Needs 3*ecc->p.size + scratch for ecc_mul_g. */ return ECC_GOSTDSA_SIGN_ITCH (ecc->p.size); } /* NOTE: Caller should check if r or s is zero. */ void ecc_gostdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch) { #define P scratch #define hp (scratch + 4*ecc->p.size) #define tp (scratch + 2*ecc->p.size) #define t2p scratch /* Procedure, according to GOST 34.10. q denotes the group order. 1. k <-- uniformly random, 0 < k < q 2. C <-- (c_x, c_y) = k g 3. r <-- c_x mod q 4. s <-- (r*z + k*h) mod q. */ ecc_mul_g (ecc, P, kp, P + 3*ecc->p.size); /* x coordinate only, modulo q */ ecc_j_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); /* Process hash digest */ _nettle_gostdsa_hash (hp, ecc->q.bit_size, length, digest); if (mpn_zero_p (hp, ecc->p.size)) mpn_add_1 (hp, hp, ecc->p.size, 1); ecc_mod_mul (&ecc->q, tp, rp, zp, tp); ecc_mod_mul (&ecc->q, t2p, kp, hp, t2p); ecc_mod_add (&ecc->q, sp, tp, t2p); /* Also reduce mod ecc->q. It should already be < 2*ecc->q, * so one subtraction should suffice. */ *scratch = mpn_sub_n (tp, sp, ecc->q.m, ecc->p.size); cnd_copy (is_zero_limb (*scratch), sp, tp, ecc->p.size); #undef P #undef hp #undef tp #undef t2p } nettle-3.10/twofish.h0000644000175000017500000000523514633602172013621 0ustar nissenisse/* twofish.h The twofish block cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Twofish is a 128-bit block cipher that accepts a variable-length * key up to 256 bits, designed by Bruce Schneier and others. See * http://www.counterpane.com/twofish.html for details. */ #ifndef NETTLE_TWOFISH_H_INCLUDED #define NETTLE_TWOFISH_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define twofish_set_key nettle_twofish_set_key #define twofish128_set_key nettle_twofish128_set_key #define twofish192_set_key nettle_twofish192_set_key #define twofish256_set_key nettle_twofish256_set_key #define twofish_encrypt nettle_twofish_encrypt #define twofish_decrypt nettle_twofish_decrypt #define TWOFISH_BLOCK_SIZE 16 /* Variable key size between 128 and 256 bits. But the only valid * values are 16 (128 bits), 24 (192 bits) and 32 (256 bits). */ #define TWOFISH_MIN_KEY_SIZE 16 #define TWOFISH_MAX_KEY_SIZE 32 #define TWOFISH_KEY_SIZE 32 #define TWOFISH128_KEY_SIZE 16 #define TWOFISH192_KEY_SIZE 24 #define TWOFISH256_KEY_SIZE 32 struct twofish_ctx { uint32_t keys[40]; uint32_t s_box[4][256]; }; void twofish_set_key(struct twofish_ctx *ctx, size_t length, const uint8_t *key); void twofish128_set_key(struct twofish_ctx *context, const uint8_t *key); void twofish192_set_key(struct twofish_ctx *context, const uint8_t *key); void twofish256_set_key(struct twofish_ctx *context, const uint8_t *key); void twofish_encrypt(const struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void twofish_decrypt(const struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_TWOFISH_H_INCLUDED */ nettle-3.10/cast128_sboxes.h0000644000175000017500000006275414633602172014717 0ustar nissenisse/* * CAST-128 in C * Written by Steve Reid * 100% Public Domain - no warranty * Released 1997.10.11 */ static const uint32_t cast_sbox1[256] = { 0x30FB40D4, 0x9FA0FF0B, 0x6BECCD2F, 0x3F258C7A, 0x1E213F2F, 0x9C004DD3, 0x6003E540, 0xCF9FC949, 0xBFD4AF27, 0x88BBBDB5, 0xE2034090, 0x98D09675, 0x6E63A0E0, 0x15C361D2, 0xC2E7661D, 0x22D4FF8E, 0x28683B6F, 0xC07FD059, 0xFF2379C8, 0x775F50E2, 0x43C340D3, 0xDF2F8656, 0x887CA41A, 0xA2D2BD2D, 0xA1C9E0D6, 0x346C4819, 0x61B76D87, 0x22540F2F, 0x2ABE32E1, 0xAA54166B, 0x22568E3A, 0xA2D341D0, 0x66DB40C8, 0xA784392F, 0x004DFF2F, 0x2DB9D2DE, 0x97943FAC, 0x4A97C1D8, 0x527644B7, 0xB5F437A7, 0xB82CBAEF, 0xD751D159, 0x6FF7F0ED, 0x5A097A1F, 0x827B68D0, 0x90ECF52E, 0x22B0C054, 0xBC8E5935, 0x4B6D2F7F, 0x50BB64A2, 0xD2664910, 0xBEE5812D, 0xB7332290, 0xE93B159F, 0xB48EE411, 0x4BFF345D, 0xFD45C240, 0xAD31973F, 0xC4F6D02E, 0x55FC8165, 0xD5B1CAAD, 0xA1AC2DAE, 0xA2D4B76D, 0xC19B0C50, 0x882240F2, 0x0C6E4F38, 0xA4E4BFD7, 0x4F5BA272, 0x564C1D2F, 0xC59C5319, 0xB949E354, 0xB04669FE, 0xB1B6AB8A, 0xC71358DD, 0x6385C545, 0x110F935D, 0x57538AD5, 0x6A390493, 0xE63D37E0, 0x2A54F6B3, 0x3A787D5F, 0x6276A0B5, 0x19A6FCDF, 0x7A42206A, 0x29F9D4D5, 0xF61B1891, 0xBB72275E, 0xAA508167, 0x38901091, 0xC6B505EB, 0x84C7CB8C, 0x2AD75A0F, 0x874A1427, 0xA2D1936B, 0x2AD286AF, 0xAA56D291, 0xD7894360, 0x425C750D, 0x93B39E26, 0x187184C9, 0x6C00B32D, 0x73E2BB14, 0xA0BEBC3C, 0x54623779, 0x64459EAB, 0x3F328B82, 0x7718CF82, 0x59A2CEA6, 0x04EE002E, 0x89FE78E6, 0x3FAB0950, 0x325FF6C2, 0x81383F05, 0x6963C5C8, 0x76CB5AD6, 0xD49974C9, 0xCA180DCF, 0x380782D5, 0xC7FA5CF6, 0x8AC31511, 0x35E79E13, 0x47DA91D0, 0xF40F9086, 0xA7E2419E, 0x31366241, 0x051EF495, 0xAA573B04, 0x4A805D8D, 0x548300D0, 0x00322A3C, 0xBF64CDDF, 0xBA57A68E, 0x75C6372B, 0x50AFD341, 0xA7C13275, 0x915A0BF5, 0x6B54BFAB, 0x2B0B1426, 0xAB4CC9D7, 0x449CCD82, 0xF7FBF265, 0xAB85C5F3, 0x1B55DB94, 0xAAD4E324, 0xCFA4BD3F, 0x2DEAA3E2, 0x9E204D02, 0xC8BD25AC, 0xEADF55B3, 0xD5BD9E98, 0xE31231B2, 0x2AD5AD6C, 0x954329DE, 0xADBE4528, 0xD8710F69, 0xAA51C90F, 0xAA786BF6, 0x22513F1E, 0xAA51A79B, 0x2AD344CC, 0x7B5A41F0, 0xD37CFBAD, 0x1B069505, 0x41ECE491, 0xB4C332E6, 0x032268D4, 0xC9600ACC, 0xCE387E6D, 0xBF6BB16C, 0x6A70FB78, 0x0D03D9C9, 0xD4DF39DE, 0xE01063DA, 0x4736F464, 0x5AD328D8, 0xB347CC96, 0x75BB0FC3, 0x98511BFB, 0x4FFBCC35, 0xB58BCF6A, 0xE11F0ABC, 0xBFC5FE4A, 0xA70AEC10, 0xAC39570A, 0x3F04442F, 0x6188B153, 0xE0397A2E, 0x5727CB79, 0x9CEB418F, 0x1CACD68D, 0x2AD37C96, 0x0175CB9D, 0xC69DFF09, 0xC75B65F0, 0xD9DB40D8, 0xEC0E7779, 0x4744EAD4, 0xB11C3274, 0xDD24CB9E, 0x7E1C54BD, 0xF01144F9, 0xD2240EB1, 0x9675B3FD, 0xA3AC3755, 0xD47C27AF, 0x51C85F4D, 0x56907596, 0xA5BB15E6, 0x580304F0, 0xCA042CF1, 0x011A37EA, 0x8DBFAADB, 0x35BA3E4A, 0x3526FFA0, 0xC37B4D09, 0xBC306ED9, 0x98A52666, 0x5648F725, 0xFF5E569D, 0x0CED63D0, 0x7C63B2CF, 0x700B45E1, 0xD5EA50F1, 0x85A92872, 0xAF1FBDA7, 0xD4234870, 0xA7870BF3, 0x2D3B4D79, 0x42E04198, 0x0CD0EDE7, 0x26470DB8, 0xF881814C, 0x474D6AD7, 0x7C0C5E5C, 0xD1231959, 0x381B7298, 0xF5D2F4DB, 0xAB838653, 0x6E2F1E23, 0x83719C9E, 0xBD91E046, 0x9A56456E, 0xDC39200C, 0x20C8C571, 0x962BDA1C, 0xE1E696FF, 0xB141AB08, 0x7CCA89B9, 0x1A69E783, 0x02CC4843, 0xA2F7C579, 0x429EF47D, 0x427B169C, 0x5AC9F049, 0xDD8F0F00, 0x5C8165BF }; static const uint32_t cast_sbox2[256] = { 0x1F201094, 0xEF0BA75B, 0x69E3CF7E, 0x393F4380, 0xFE61CF7A, 0xEEC5207A, 0x55889C94, 0x72FC0651, 0xADA7EF79, 0x4E1D7235, 0xD55A63CE, 0xDE0436BA, 0x99C430EF, 0x5F0C0794, 0x18DCDB7D, 0xA1D6EFF3, 0xA0B52F7B, 0x59E83605, 0xEE15B094, 0xE9FFD909, 0xDC440086, 0xEF944459, 0xBA83CCB3, 0xE0C3CDFB, 0xD1DA4181, 0x3B092AB1, 0xF997F1C1, 0xA5E6CF7B, 0x01420DDB, 0xE4E7EF5B, 0x25A1FF41, 0xE180F806, 0x1FC41080, 0x179BEE7A, 0xD37AC6A9, 0xFE5830A4, 0x98DE8B7F, 0x77E83F4E, 0x79929269, 0x24FA9F7B, 0xE113C85B, 0xACC40083, 0xD7503525, 0xF7EA615F, 0x62143154, 0x0D554B63, 0x5D681121, 0xC866C359, 0x3D63CF73, 0xCEE234C0, 0xD4D87E87, 0x5C672B21, 0x071F6181, 0x39F7627F, 0x361E3084, 0xE4EB573B, 0x602F64A4, 0xD63ACD9C, 0x1BBC4635, 0x9E81032D, 0x2701F50C, 0x99847AB4, 0xA0E3DF79, 0xBA6CF38C, 0x10843094, 0x2537A95E, 0xF46F6FFE, 0xA1FF3B1F, 0x208CFB6A, 0x8F458C74, 0xD9E0A227, 0x4EC73A34, 0xFC884F69, 0x3E4DE8DF, 0xEF0E0088, 0x3559648D, 0x8A45388C, 0x1D804366, 0x721D9BFD, 0xA58684BB, 0xE8256333, 0x844E8212, 0x128D8098, 0xFED33FB4, 0xCE280AE1, 0x27E19BA5, 0xD5A6C252, 0xE49754BD, 0xC5D655DD, 0xEB667064, 0x77840B4D, 0xA1B6A801, 0x84DB26A9, 0xE0B56714, 0x21F043B7, 0xE5D05860, 0x54F03084, 0x066FF472, 0xA31AA153, 0xDADC4755, 0xB5625DBF, 0x68561BE6, 0x83CA6B94, 0x2D6ED23B, 0xECCF01DB, 0xA6D3D0BA, 0xB6803D5C, 0xAF77A709, 0x33B4A34C, 0x397BC8D6, 0x5EE22B95, 0x5F0E5304, 0x81ED6F61, 0x20E74364, 0xB45E1378, 0xDE18639B, 0x881CA122, 0xB96726D1, 0x8049A7E8, 0x22B7DA7B, 0x5E552D25, 0x5272D237, 0x79D2951C, 0xC60D894C, 0x488CB402, 0x1BA4FE5B, 0xA4B09F6B, 0x1CA815CF, 0xA20C3005, 0x8871DF63, 0xB9DE2FCB, 0x0CC6C9E9, 0x0BEEFF53, 0xE3214517, 0xB4542835, 0x9F63293C, 0xEE41E729, 0x6E1D2D7C, 0x50045286, 0x1E6685F3, 0xF33401C6, 0x30A22C95, 0x31A70850, 0x60930F13, 0x73F98417, 0xA1269859, 0xEC645C44, 0x52C877A9, 0xCDFF33A6, 0xA02B1741, 0x7CBAD9A2, 0x2180036F, 0x50D99C08, 0xCB3F4861, 0xC26BD765, 0x64A3F6AB, 0x80342676, 0x25A75E7B, 0xE4E6D1FC, 0x20C710E6, 0xCDF0B680, 0x17844D3B, 0x31EEF84D, 0x7E0824E4, 0x2CCB49EB, 0x846A3BAE, 0x8FF77888, 0xEE5D60F6, 0x7AF75673, 0x2FDD5CDB, 0xA11631C1, 0x30F66F43, 0xB3FAEC54, 0x157FD7FA, 0xEF8579CC, 0xD152DE58, 0xDB2FFD5E, 0x8F32CE19, 0x306AF97A, 0x02F03EF8, 0x99319AD5, 0xC242FA0F, 0xA7E3EBB0, 0xC68E4906, 0xB8DA230C, 0x80823028, 0xDCDEF3C8, 0xD35FB171, 0x088A1BC8, 0xBEC0C560, 0x61A3C9E8, 0xBCA8F54D, 0xC72FEFFA, 0x22822E99, 0x82C570B4, 0xD8D94E89, 0x8B1C34BC, 0x301E16E6, 0x273BE979, 0xB0FFEAA6, 0x61D9B8C6, 0x00B24869, 0xB7FFCE3F, 0x08DC283B, 0x43DAF65A, 0xF7E19798, 0x7619B72F, 0x8F1C9BA4, 0xDC8637A0, 0x16A7D3B1, 0x9FC393B7, 0xA7136EEB, 0xC6BCC63E, 0x1A513742, 0xEF6828BC, 0x520365D6, 0x2D6A77AB, 0x3527ED4B, 0x821FD216, 0x095C6E2E, 0xDB92F2FB, 0x5EEA29CB, 0x145892F5, 0x91584F7F, 0x5483697B, 0x2667A8CC, 0x85196048, 0x8C4BACEA, 0x833860D4, 0x0D23E0F9, 0x6C387E8A, 0x0AE6D249, 0xB284600C, 0xD835731D, 0xDCB1C647, 0xAC4C56EA, 0x3EBD81B3, 0x230EABB0, 0x6438BC87, 0xF0B5B1FA, 0x8F5EA2B3, 0xFC184642, 0x0A036B7A, 0x4FB089BD, 0x649DA589, 0xA345415E, 0x5C038323, 0x3E5D3BB9, 0x43D79572, 0x7E6DD07C, 0x06DFDF1E, 0x6C6CC4EF, 0x7160A539, 0x73BFBE70, 0x83877605, 0x4523ECF1 }; static const uint32_t cast_sbox3[256] = { 0x8DEFC240, 0x25FA5D9F, 0xEB903DBF, 0xE810C907, 0x47607FFF, 0x369FE44B, 0x8C1FC644, 0xAECECA90, 0xBEB1F9BF, 0xEEFBCAEA, 0xE8CF1950, 0x51DF07AE, 0x920E8806, 0xF0AD0548, 0xE13C8D83, 0x927010D5, 0x11107D9F, 0x07647DB9, 0xB2E3E4D4, 0x3D4F285E, 0xB9AFA820, 0xFADE82E0, 0xA067268B, 0x8272792E, 0x553FB2C0, 0x489AE22B, 0xD4EF9794, 0x125E3FBC, 0x21FFFCEE, 0x825B1BFD, 0x9255C5ED, 0x1257A240, 0x4E1A8302, 0xBAE07FFF, 0x528246E7, 0x8E57140E, 0x3373F7BF, 0x8C9F8188, 0xA6FC4EE8, 0xC982B5A5, 0xA8C01DB7, 0x579FC264, 0x67094F31, 0xF2BD3F5F, 0x40FFF7C1, 0x1FB78DFC, 0x8E6BD2C1, 0x437BE59B, 0x99B03DBF, 0xB5DBC64B, 0x638DC0E6, 0x55819D99, 0xA197C81C, 0x4A012D6E, 0xC5884A28, 0xCCC36F71, 0xB843C213, 0x6C0743F1, 0x8309893C, 0x0FEDDD5F, 0x2F7FE850, 0xD7C07F7E, 0x02507FBF, 0x5AFB9A04, 0xA747D2D0, 0x1651192E, 0xAF70BF3E, 0x58C31380, 0x5F98302E, 0x727CC3C4, 0x0A0FB402, 0x0F7FEF82, 0x8C96FDAD, 0x5D2C2AAE, 0x8EE99A49, 0x50DA88B8, 0x8427F4A0, 0x1EAC5790, 0x796FB449, 0x8252DC15, 0xEFBD7D9B, 0xA672597D, 0xADA840D8, 0x45F54504, 0xFA5D7403, 0xE83EC305, 0x4F91751A, 0x925669C2, 0x23EFE941, 0xA903F12E, 0x60270DF2, 0x0276E4B6, 0x94FD6574, 0x927985B2, 0x8276DBCB, 0x02778176, 0xF8AF918D, 0x4E48F79E, 0x8F616DDF, 0xE29D840E, 0x842F7D83, 0x340CE5C8, 0x96BBB682, 0x93B4B148, 0xEF303CAB, 0x984FAF28, 0x779FAF9B, 0x92DC560D, 0x224D1E20, 0x8437AA88, 0x7D29DC96, 0x2756D3DC, 0x8B907CEE, 0xB51FD240, 0xE7C07CE3, 0xE566B4A1, 0xC3E9615E, 0x3CF8209D, 0x6094D1E3, 0xCD9CA341, 0x5C76460E, 0x00EA983B, 0xD4D67881, 0xFD47572C, 0xF76CEDD9, 0xBDA8229C, 0x127DADAA, 0x438A074E, 0x1F97C090, 0x081BDB8A, 0x93A07EBE, 0xB938CA15, 0x97B03CFF, 0x3DC2C0F8, 0x8D1AB2EC, 0x64380E51, 0x68CC7BFB, 0xD90F2788, 0x12490181, 0x5DE5FFD4, 0xDD7EF86A, 0x76A2E214, 0xB9A40368, 0x925D958F, 0x4B39FFFA, 0xBA39AEE9, 0xA4FFD30B, 0xFAF7933B, 0x6D498623, 0x193CBCFA, 0x27627545, 0x825CF47A, 0x61BD8BA0, 0xD11E42D1, 0xCEAD04F4, 0x127EA392, 0x10428DB7, 0x8272A972, 0x9270C4A8, 0x127DE50B, 0x285BA1C8, 0x3C62F44F, 0x35C0EAA5, 0xE805D231, 0x428929FB, 0xB4FCDF82, 0x4FB66A53, 0x0E7DC15B, 0x1F081FAB, 0x108618AE, 0xFCFD086D, 0xF9FF2889, 0x694BCC11, 0x236A5CAE, 0x12DECA4D, 0x2C3F8CC5, 0xD2D02DFE, 0xF8EF5896, 0xE4CF52DA, 0x95155B67, 0x494A488C, 0xB9B6A80C, 0x5C8F82BC, 0x89D36B45, 0x3A609437, 0xEC00C9A9, 0x44715253, 0x0A874B49, 0xD773BC40, 0x7C34671C, 0x02717EF6, 0x4FEB5536, 0xA2D02FFF, 0xD2BF60C4, 0xD43F03C0, 0x50B4EF6D, 0x07478CD1, 0x006E1888, 0xA2E53F55, 0xB9E6D4BC, 0xA2048016, 0x97573833, 0xD7207D67, 0xDE0F8F3D, 0x72F87B33, 0xABCC4F33, 0x7688C55D, 0x7B00A6B0, 0x947B0001, 0x570075D2, 0xF9BB88F8, 0x8942019E, 0x4264A5FF, 0x856302E0, 0x72DBD92B, 0xEE971B69, 0x6EA22FDE, 0x5F08AE2B, 0xAF7A616D, 0xE5C98767, 0xCF1FEBD2, 0x61EFC8C2, 0xF1AC2571, 0xCC8239C2, 0x67214CB8, 0xB1E583D1, 0xB7DC3E62, 0x7F10BDCE, 0xF90A5C38, 0x0FF0443D, 0x606E6DC6, 0x60543A49, 0x5727C148, 0x2BE98A1D, 0x8AB41738, 0x20E1BE24, 0xAF96DA0F, 0x68458425, 0x99833BE5, 0x600D457D, 0x282F9350, 0x8334B362, 0xD91D1120, 0x2B6D8DA0, 0x642B1E31, 0x9C305A00, 0x52BCE688, 0x1B03588A, 0xF7BAEFD5, 0x4142ED9C, 0xA4315C11, 0x83323EC5, 0xDFEF4636, 0xA133C501, 0xE9D3531C, 0xEE353783 }; static const uint32_t cast_sbox4[256] = { 0x9DB30420, 0x1FB6E9DE, 0xA7BE7BEF, 0xD273A298, 0x4A4F7BDB, 0x64AD8C57, 0x85510443, 0xFA020ED1, 0x7E287AFF, 0xE60FB663, 0x095F35A1, 0x79EBF120, 0xFD059D43, 0x6497B7B1, 0xF3641F63, 0x241E4ADF, 0x28147F5F, 0x4FA2B8CD, 0xC9430040, 0x0CC32220, 0xFDD30B30, 0xC0A5374F, 0x1D2D00D9, 0x24147B15, 0xEE4D111A, 0x0FCA5167, 0x71FF904C, 0x2D195FFE, 0x1A05645F, 0x0C13FEFE, 0x081B08CA, 0x05170121, 0x80530100, 0xE83E5EFE, 0xAC9AF4F8, 0x7FE72701, 0xD2B8EE5F, 0x06DF4261, 0xBB9E9B8A, 0x7293EA25, 0xCE84FFDF, 0xF5718801, 0x3DD64B04, 0xA26F263B, 0x7ED48400, 0x547EEBE6, 0x446D4CA0, 0x6CF3D6F5, 0x2649ABDF, 0xAEA0C7F5, 0x36338CC1, 0x503F7E93, 0xD3772061, 0x11B638E1, 0x72500E03, 0xF80EB2BB, 0xABE0502E, 0xEC8D77DE, 0x57971E81, 0xE14F6746, 0xC9335400, 0x6920318F, 0x081DBB99, 0xFFC304A5, 0x4D351805, 0x7F3D5CE3, 0xA6C866C6, 0x5D5BCCA9, 0xDAEC6FEA, 0x9F926F91, 0x9F46222F, 0x3991467D, 0xA5BF6D8E, 0x1143C44F, 0x43958302, 0xD0214EEB, 0x022083B8, 0x3FB6180C, 0x18F8931E, 0x281658E6, 0x26486E3E, 0x8BD78A70, 0x7477E4C1, 0xB506E07C, 0xF32D0A25, 0x79098B02, 0xE4EABB81, 0x28123B23, 0x69DEAD38, 0x1574CA16, 0xDF871B62, 0x211C40B7, 0xA51A9EF9, 0x0014377B, 0x041E8AC8, 0x09114003, 0xBD59E4D2, 0xE3D156D5, 0x4FE876D5, 0x2F91A340, 0x557BE8DE, 0x00EAE4A7, 0x0CE5C2EC, 0x4DB4BBA6, 0xE756BDFF, 0xDD3369AC, 0xEC17B035, 0x06572327, 0x99AFC8B0, 0x56C8C391, 0x6B65811C, 0x5E146119, 0x6E85CB75, 0xBE07C002, 0xC2325577, 0x893FF4EC, 0x5BBFC92D, 0xD0EC3B25, 0xB7801AB7, 0x8D6D3B24, 0x20C763EF, 0xC366A5FC, 0x9C382880, 0x0ACE3205, 0xAAC9548A, 0xECA1D7C7, 0x041AFA32, 0x1D16625A, 0x6701902C, 0x9B757A54, 0x31D477F7, 0x9126B031, 0x36CC6FDB, 0xC70B8B46, 0xD9E66A48, 0x56E55A79, 0x026A4CEB, 0x52437EFF, 0x2F8F76B4, 0x0DF980A5, 0x8674CDE3, 0xEDDA04EB, 0x17A9BE04, 0x2C18F4DF, 0xB7747F9D, 0xAB2AF7B4, 0xEFC34D20, 0x2E096B7C, 0x1741A254, 0xE5B6A035, 0x213D42F6, 0x2C1C7C26, 0x61C2F50F, 0x6552DAF9, 0xD2C231F8, 0x25130F69, 0xD8167FA2, 0x0418F2C8, 0x001A96A6, 0x0D1526AB, 0x63315C21, 0x5E0A72EC, 0x49BAFEFD, 0x187908D9, 0x8D0DBD86, 0x311170A7, 0x3E9B640C, 0xCC3E10D7, 0xD5CAD3B6, 0x0CAEC388, 0xF73001E1, 0x6C728AFF, 0x71EAE2A1, 0x1F9AF36E, 0xCFCBD12F, 0xC1DE8417, 0xAC07BE6B, 0xCB44A1D8, 0x8B9B0F56, 0x013988C3, 0xB1C52FCA, 0xB4BE31CD, 0xD8782806, 0x12A3A4E2, 0x6F7DE532, 0x58FD7EB6, 0xD01EE900, 0x24ADFFC2, 0xF4990FC5, 0x9711AAC5, 0x001D7B95, 0x82E5E7D2, 0x109873F6, 0x00613096, 0xC32D9521, 0xADA121FF, 0x29908415, 0x7FBB977F, 0xAF9EB3DB, 0x29C9ED2A, 0x5CE2A465, 0xA730F32C, 0xD0AA3FE8, 0x8A5CC091, 0xD49E2CE7, 0x0CE454A9, 0xD60ACD86, 0x015F1919, 0x77079103, 0xDEA03AF6, 0x78A8565E, 0xDEE356DF, 0x21F05CBE, 0x8B75E387, 0xB3C50651, 0xB8A5C3EF, 0xD8EEB6D2, 0xE523BE77, 0xC2154529, 0x2F69EFDF, 0xAFE67AFB, 0xF470C4B2, 0xF3E0EB5B, 0xD6CC9876, 0x39E4460C, 0x1FDA8538, 0x1987832F, 0xCA007367, 0xA99144F8, 0x296B299E, 0x492FC295, 0x9266BEAB, 0xB5676E69, 0x9BD3DDDA, 0xDF7E052F, 0xDB25701C, 0x1B5E51EE, 0xF65324E6, 0x6AFCE36C, 0x0316CC04, 0x8644213E, 0xB7DC59D0, 0x7965291F, 0xCCD6FD43, 0x41823979, 0x932BCDF6, 0xB657C34D, 0x4EDFD282, 0x7AE5290C, 0x3CB9536B, 0x851E20FE, 0x9833557E, 0x13ECF0B0, 0xD3FFB372, 0x3F85C5C1, 0x0AEF7ED2 }; static const uint32_t cast_sbox5[256] = { 0x7EC90C04, 0x2C6E74B9, 0x9B0E66DF, 0xA6337911, 0xB86A7FFF, 0x1DD358F5, 0x44DD9D44, 0x1731167F, 0x08FBF1FA, 0xE7F511CC, 0xD2051B00, 0x735ABA00, 0x2AB722D8, 0x386381CB, 0xACF6243A, 0x69BEFD7A, 0xE6A2E77F, 0xF0C720CD, 0xC4494816, 0xCCF5C180, 0x38851640, 0x15B0A848, 0xE68B18CB, 0x4CAADEFF, 0x5F480A01, 0x0412B2AA, 0x259814FC, 0x41D0EFE2, 0x4E40B48D, 0x248EB6FB, 0x8DBA1CFE, 0x41A99B02, 0x1A550A04, 0xBA8F65CB, 0x7251F4E7, 0x95A51725, 0xC106ECD7, 0x97A5980A, 0xC539B9AA, 0x4D79FE6A, 0xF2F3F763, 0x68AF8040, 0xED0C9E56, 0x11B4958B, 0xE1EB5A88, 0x8709E6B0, 0xD7E07156, 0x4E29FEA7, 0x6366E52D, 0x02D1C000, 0xC4AC8E05, 0x9377F571, 0x0C05372A, 0x578535F2, 0x2261BE02, 0xD642A0C9, 0xDF13A280, 0x74B55BD2, 0x682199C0, 0xD421E5EC, 0x53FB3CE8, 0xC8ADEDB3, 0x28A87FC9, 0x3D959981, 0x5C1FF900, 0xFE38D399, 0x0C4EFF0B, 0x062407EA, 0xAA2F4FB1, 0x4FB96976, 0x90C79505, 0xB0A8A774, 0xEF55A1FF, 0xE59CA2C2, 0xA6B62D27, 0xE66A4263, 0xDF65001F, 0x0EC50966, 0xDFDD55BC, 0x29DE0655, 0x911E739A, 0x17AF8975, 0x32C7911C, 0x89F89468, 0x0D01E980, 0x524755F4, 0x03B63CC9, 0x0CC844B2, 0xBCF3F0AA, 0x87AC36E9, 0xE53A7426, 0x01B3D82B, 0x1A9E7449, 0x64EE2D7E, 0xCDDBB1DA, 0x01C94910, 0xB868BF80, 0x0D26F3FD, 0x9342EDE7, 0x04A5C284, 0x636737B6, 0x50F5B616, 0xF24766E3, 0x8ECA36C1, 0x136E05DB, 0xFEF18391, 0xFB887A37, 0xD6E7F7D4, 0xC7FB7DC9, 0x3063FCDF, 0xB6F589DE, 0xEC2941DA, 0x26E46695, 0xB7566419, 0xF654EFC5, 0xD08D58B7, 0x48925401, 0xC1BACB7F, 0xE5FF550F, 0xB6083049, 0x5BB5D0E8, 0x87D72E5A, 0xAB6A6EE1, 0x223A66CE, 0xC62BF3CD, 0x9E0885F9, 0x68CB3E47, 0x086C010F, 0xA21DE820, 0xD18B69DE, 0xF3F65777, 0xFA02C3F6, 0x407EDAC3, 0xCBB3D550, 0x1793084D, 0xB0D70EBA, 0x0AB378D5, 0xD951FB0C, 0xDED7DA56, 0x4124BBE4, 0x94CA0B56, 0x0F5755D1, 0xE0E1E56E, 0x6184B5BE, 0x580A249F, 0x94F74BC0, 0xE327888E, 0x9F7B5561, 0xC3DC0280, 0x05687715, 0x646C6BD7, 0x44904DB3, 0x66B4F0A3, 0xC0F1648A, 0x697ED5AF, 0x49E92FF6, 0x309E374F, 0x2CB6356A, 0x85808573, 0x4991F840, 0x76F0AE02, 0x083BE84D, 0x28421C9A, 0x44489406, 0x736E4CB8, 0xC1092910, 0x8BC95FC6, 0x7D869CF4, 0x134F616F, 0x2E77118D, 0xB31B2BE1, 0xAA90B472, 0x3CA5D717, 0x7D161BBA, 0x9CAD9010, 0xAF462BA2, 0x9FE459D2, 0x45D34559, 0xD9F2DA13, 0xDBC65487, 0xF3E4F94E, 0x176D486F, 0x097C13EA, 0x631DA5C7, 0x445F7382, 0x175683F4, 0xCDC66A97, 0x70BE0288, 0xB3CDCF72, 0x6E5DD2F3, 0x20936079, 0x459B80A5, 0xBE60E2DB, 0xA9C23101, 0xEBA5315C, 0x224E42F2, 0x1C5C1572, 0xF6721B2C, 0x1AD2FFF3, 0x8C25404E, 0x324ED72F, 0x4067B7FD, 0x0523138E, 0x5CA3BC78, 0xDC0FD66E, 0x75922283, 0x784D6B17, 0x58EBB16E, 0x44094F85, 0x3F481D87, 0xFCFEAE7B, 0x77B5FF76, 0x8C2302BF, 0xAAF47556, 0x5F46B02A, 0x2B092801, 0x3D38F5F7, 0x0CA81F36, 0x52AF4A8A, 0x66D5E7C0, 0xDF3B0874, 0x95055110, 0x1B5AD7A8, 0xF61ED5AD, 0x6CF6E479, 0x20758184, 0xD0CEFA65, 0x88F7BE58, 0x4A046826, 0x0FF6F8F3, 0xA09C7F70, 0x5346ABA0, 0x5CE96C28, 0xE176EDA3, 0x6BAC307F, 0x376829D2, 0x85360FA9, 0x17E3FE2A, 0x24B79767, 0xF5A96B20, 0xD6CD2595, 0x68FF1EBF, 0x7555442C, 0xF19F06BE, 0xF9E0659A, 0xEEB9491D, 0x34010718, 0xBB30CAB8, 0xE822FE15, 0x88570983, 0x750E6249, 0xDA627E55, 0x5E76FFA8, 0xB1534546, 0x6D47DE08, 0xEFE9E7D4 }; static const uint32_t cast_sbox6[256] = { 0xF6FA8F9D, 0x2CAC6CE1, 0x4CA34867, 0xE2337F7C, 0x95DB08E7, 0x016843B4, 0xECED5CBC, 0x325553AC, 0xBF9F0960, 0xDFA1E2ED, 0x83F0579D, 0x63ED86B9, 0x1AB6A6B8, 0xDE5EBE39, 0xF38FF732, 0x8989B138, 0x33F14961, 0xC01937BD, 0xF506C6DA, 0xE4625E7E, 0xA308EA99, 0x4E23E33C, 0x79CBD7CC, 0x48A14367, 0xA3149619, 0xFEC94BD5, 0xA114174A, 0xEAA01866, 0xA084DB2D, 0x09A8486F, 0xA888614A, 0x2900AF98, 0x01665991, 0xE1992863, 0xC8F30C60, 0x2E78EF3C, 0xD0D51932, 0xCF0FEC14, 0xF7CA07D2, 0xD0A82072, 0xFD41197E, 0x9305A6B0, 0xE86BE3DA, 0x74BED3CD, 0x372DA53C, 0x4C7F4448, 0xDAB5D440, 0x6DBA0EC3, 0x083919A7, 0x9FBAEED9, 0x49DBCFB0, 0x4E670C53, 0x5C3D9C01, 0x64BDB941, 0x2C0E636A, 0xBA7DD9CD, 0xEA6F7388, 0xE70BC762, 0x35F29ADB, 0x5C4CDD8D, 0xF0D48D8C, 0xB88153E2, 0x08A19866, 0x1AE2EAC8, 0x284CAF89, 0xAA928223, 0x9334BE53, 0x3B3A21BF, 0x16434BE3, 0x9AEA3906, 0xEFE8C36E, 0xF890CDD9, 0x80226DAE, 0xC340A4A3, 0xDF7E9C09, 0xA694A807, 0x5B7C5ECC, 0x221DB3A6, 0x9A69A02F, 0x68818A54, 0xCEB2296F, 0x53C0843A, 0xFE893655, 0x25BFE68A, 0xB4628ABC, 0xCF222EBF, 0x25AC6F48, 0xA9A99387, 0x53BDDB65, 0xE76FFBE7, 0xE967FD78, 0x0BA93563, 0x8E342BC1, 0xE8A11BE9, 0x4980740D, 0xC8087DFC, 0x8DE4BF99, 0xA11101A0, 0x7FD37975, 0xDA5A26C0, 0xE81F994F, 0x9528CD89, 0xFD339FED, 0xB87834BF, 0x5F04456D, 0x22258698, 0xC9C4C83B, 0x2DC156BE, 0x4F628DAA, 0x57F55EC5, 0xE2220ABE, 0xD2916EBF, 0x4EC75B95, 0x24F2C3C0, 0x42D15D99, 0xCD0D7FA0, 0x7B6E27FF, 0xA8DC8AF0, 0x7345C106, 0xF41E232F, 0x35162386, 0xE6EA8926, 0x3333B094, 0x157EC6F2, 0x372B74AF, 0x692573E4, 0xE9A9D848, 0xF3160289, 0x3A62EF1D, 0xA787E238, 0xF3A5F676, 0x74364853, 0x20951063, 0x4576698D, 0xB6FAD407, 0x592AF950, 0x36F73523, 0x4CFB6E87, 0x7DA4CEC0, 0x6C152DAA, 0xCB0396A8, 0xC50DFE5D, 0xFCD707AB, 0x0921C42F, 0x89DFF0BB, 0x5FE2BE78, 0x448F4F33, 0x754613C9, 0x2B05D08D, 0x48B9D585, 0xDC049441, 0xC8098F9B, 0x7DEDE786, 0xC39A3373, 0x42410005, 0x6A091751, 0x0EF3C8A6, 0x890072D6, 0x28207682, 0xA9A9F7BE, 0xBF32679D, 0xD45B5B75, 0xB353FD00, 0xCBB0E358, 0x830F220A, 0x1F8FB214, 0xD372CF08, 0xCC3C4A13, 0x8CF63166, 0x061C87BE, 0x88C98F88, 0x6062E397, 0x47CF8E7A, 0xB6C85283, 0x3CC2ACFB, 0x3FC06976, 0x4E8F0252, 0x64D8314D, 0xDA3870E3, 0x1E665459, 0xC10908F0, 0x513021A5, 0x6C5B68B7, 0x822F8AA0, 0x3007CD3E, 0x74719EEF, 0xDC872681, 0x073340D4, 0x7E432FD9, 0x0C5EC241, 0x8809286C, 0xF592D891, 0x08A930F6, 0x957EF305, 0xB7FBFFBD, 0xC266E96F, 0x6FE4AC98, 0xB173ECC0, 0xBC60B42A, 0x953498DA, 0xFBA1AE12, 0x2D4BD736, 0x0F25FAAB, 0xA4F3FCEB, 0xE2969123, 0x257F0C3D, 0x9348AF49, 0x361400BC, 0xE8816F4A, 0x3814F200, 0xA3F94043, 0x9C7A54C2, 0xBC704F57, 0xDA41E7F9, 0xC25AD33A, 0x54F4A084, 0xB17F5505, 0x59357CBE, 0xEDBD15C8, 0x7F97C5AB, 0xBA5AC7B5, 0xB6F6DEAF, 0x3A479C3A, 0x5302DA25, 0x653D7E6A, 0x54268D49, 0x51A477EA, 0x5017D55B, 0xD7D25D88, 0x44136C76, 0x0404A8C8, 0xB8E5A121, 0xB81A928A, 0x60ED5869, 0x97C55B96, 0xEAEC991B, 0x29935913, 0x01FDB7F1, 0x088E8DFA, 0x9AB6F6F5, 0x3B4CBF9F, 0x4A5DE3AB, 0xE6051D35, 0xA0E1D855, 0xD36B4CF1, 0xF544EDEB, 0xB0E93524, 0xBEBB8FBD, 0xA2D762CF, 0x49C92F54, 0x38B5F331, 0x7128A454, 0x48392905, 0xA65B1DB8, 0x851C97BD, 0xD675CF2F }; static const uint32_t cast_sbox7[256] = { 0x85E04019, 0x332BF567, 0x662DBFFF, 0xCFC65693, 0x2A8D7F6F, 0xAB9BC912, 0xDE6008A1, 0x2028DA1F, 0x0227BCE7, 0x4D642916, 0x18FAC300, 0x50F18B82, 0x2CB2CB11, 0xB232E75C, 0x4B3695F2, 0xB28707DE, 0xA05FBCF6, 0xCD4181E9, 0xE150210C, 0xE24EF1BD, 0xB168C381, 0xFDE4E789, 0x5C79B0D8, 0x1E8BFD43, 0x4D495001, 0x38BE4341, 0x913CEE1D, 0x92A79C3F, 0x089766BE, 0xBAEEADF4, 0x1286BECF, 0xB6EACB19, 0x2660C200, 0x7565BDE4, 0x64241F7A, 0x8248DCA9, 0xC3B3AD66, 0x28136086, 0x0BD8DFA8, 0x356D1CF2, 0x107789BE, 0xB3B2E9CE, 0x0502AA8F, 0x0BC0351E, 0x166BF52A, 0xEB12FF82, 0xE3486911, 0xD34D7516, 0x4E7B3AFF, 0x5F43671B, 0x9CF6E037, 0x4981AC83, 0x334266CE, 0x8C9341B7, 0xD0D854C0, 0xCB3A6C88, 0x47BC2829, 0x4725BA37, 0xA66AD22B, 0x7AD61F1E, 0x0C5CBAFA, 0x4437F107, 0xB6E79962, 0x42D2D816, 0x0A961288, 0xE1A5C06E, 0x13749E67, 0x72FC081A, 0xB1D139F7, 0xF9583745, 0xCF19DF58, 0xBEC3F756, 0xC06EBA30, 0x07211B24, 0x45C28829, 0xC95E317F, 0xBC8EC511, 0x38BC46E9, 0xC6E6FA14, 0xBAE8584A, 0xAD4EBC46, 0x468F508B, 0x7829435F, 0xF124183B, 0x821DBA9F, 0xAFF60FF4, 0xEA2C4E6D, 0x16E39264, 0x92544A8B, 0x009B4FC3, 0xABA68CED, 0x9AC96F78, 0x06A5B79A, 0xB2856E6E, 0x1AEC3CA9, 0xBE838688, 0x0E0804E9, 0x55F1BE56, 0xE7E5363B, 0xB3A1F25D, 0xF7DEBB85, 0x61FE033C, 0x16746233, 0x3C034C28, 0xDA6D0C74, 0x79AAC56C, 0x3CE4E1AD, 0x51F0C802, 0x98F8F35A, 0x1626A49F, 0xEED82B29, 0x1D382FE3, 0x0C4FB99A, 0xBB325778, 0x3EC6D97B, 0x6E77A6A9, 0xCB658B5C, 0xD45230C7, 0x2BD1408B, 0x60C03EB7, 0xB9068D78, 0xA33754F4, 0xF430C87D, 0xC8A71302, 0xB96D8C32, 0xEBD4E7BE, 0xBE8B9D2D, 0x7979FB06, 0xE7225308, 0x8B75CF77, 0x11EF8DA4, 0xE083C858, 0x8D6B786F, 0x5A6317A6, 0xFA5CF7A0, 0x5DDA0033, 0xF28EBFB0, 0xF5B9C310, 0xA0EAC280, 0x08B9767A, 0xA3D9D2B0, 0x79D34217, 0x021A718D, 0x9AC6336A, 0x2711FD60, 0x438050E3, 0x069908A8, 0x3D7FEDC4, 0x826D2BEF, 0x4EEB8476, 0x488DCF25, 0x36C9D566, 0x28E74E41, 0xC2610ACA, 0x3D49A9CF, 0xBAE3B9DF, 0xB65F8DE6, 0x92AEAF64, 0x3AC7D5E6, 0x9EA80509, 0xF22B017D, 0xA4173F70, 0xDD1E16C3, 0x15E0D7F9, 0x50B1B887, 0x2B9F4FD5, 0x625ABA82, 0x6A017962, 0x2EC01B9C, 0x15488AA9, 0xD716E740, 0x40055A2C, 0x93D29A22, 0xE32DBF9A, 0x058745B9, 0x3453DC1E, 0xD699296E, 0x496CFF6F, 0x1C9F4986, 0xDFE2ED07, 0xB87242D1, 0x19DE7EAE, 0x053E561A, 0x15AD6F8C, 0x66626C1C, 0x7154C24C, 0xEA082B2A, 0x93EB2939, 0x17DCB0F0, 0x58D4F2AE, 0x9EA294FB, 0x52CF564C, 0x9883FE66, 0x2EC40581, 0x763953C3, 0x01D6692E, 0xD3A0C108, 0xA1E7160E, 0xE4F2DFA6, 0x693ED285, 0x74904698, 0x4C2B0EDD, 0x4F757656, 0x5D393378, 0xA132234F, 0x3D321C5D, 0xC3F5E194, 0x4B269301, 0xC79F022F, 0x3C997E7E, 0x5E4F9504, 0x3FFAFBBD, 0x76F7AD0E, 0x296693F4, 0x3D1FCE6F, 0xC61E45BE, 0xD3B5AB34, 0xF72BF9B7, 0x1B0434C0, 0x4E72B567, 0x5592A33D, 0xB5229301, 0xCFD2A87F, 0x60AEB767, 0x1814386B, 0x30BCC33D, 0x38A0C07D, 0xFD1606F2, 0xC363519B, 0x589DD390, 0x5479F8E6, 0x1CB8D647, 0x97FD61A9, 0xEA7759F4, 0x2D57539D, 0x569A58CF, 0xE84E63AD, 0x462E1B78, 0x6580F87E, 0xF3817914, 0x91DA55F4, 0x40A230F3, 0xD1988F35, 0xB6E318D2, 0x3FFA50BC, 0x3D40F021, 0xC3C0BDAE, 0x4958C24C, 0x518F36B2, 0x84B1D370, 0x0FEDCE83, 0x878DDADA, 0xF2A279C7, 0x94E01BE8, 0x90716F4B, 0x954B8AA3 }; static const uint32_t cast_sbox8[256] = { 0xE216300D, 0xBBDDFFFC, 0xA7EBDABD, 0x35648095, 0x7789F8B7, 0xE6C1121B, 0x0E241600, 0x052CE8B5, 0x11A9CFB0, 0xE5952F11, 0xECE7990A, 0x9386D174, 0x2A42931C, 0x76E38111, 0xB12DEF3A, 0x37DDDDFC, 0xDE9ADEB1, 0x0A0CC32C, 0xBE197029, 0x84A00940, 0xBB243A0F, 0xB4D137CF, 0xB44E79F0, 0x049EEDFD, 0x0B15A15D, 0x480D3168, 0x8BBBDE5A, 0x669DED42, 0xC7ECE831, 0x3F8F95E7, 0x72DF191B, 0x7580330D, 0x94074251, 0x5C7DCDFA, 0xABBE6D63, 0xAA402164, 0xB301D40A, 0x02E7D1CA, 0x53571DAE, 0x7A3182A2, 0x12A8DDEC, 0xFDAA335D, 0x176F43E8, 0x71FB46D4, 0x38129022, 0xCE949AD4, 0xB84769AD, 0x965BD862, 0x82F3D055, 0x66FB9767, 0x15B80B4E, 0x1D5B47A0, 0x4CFDE06F, 0xC28EC4B8, 0x57E8726E, 0x647A78FC, 0x99865D44, 0x608BD593, 0x6C200E03, 0x39DC5FF6, 0x5D0B00A3, 0xAE63AFF2, 0x7E8BD632, 0x70108C0C, 0xBBD35049, 0x2998DF04, 0x980CF42A, 0x9B6DF491, 0x9E7EDD53, 0x06918548, 0x58CB7E07, 0x3B74EF2E, 0x522FFFB1, 0xD24708CC, 0x1C7E27CD, 0xA4EB215B, 0x3CF1D2E2, 0x19B47A38, 0x424F7618, 0x35856039, 0x9D17DEE7, 0x27EB35E6, 0xC9AFF67B, 0x36BAF5B8, 0x09C467CD, 0xC18910B1, 0xE11DBF7B, 0x06CD1AF8, 0x7170C608, 0x2D5E3354, 0xD4DE495A, 0x64C6D006, 0xBCC0C62C, 0x3DD00DB3, 0x708F8F34, 0x77D51B42, 0x264F620F, 0x24B8D2BF, 0x15C1B79E, 0x46A52564, 0xF8D7E54E, 0x3E378160, 0x7895CDA5, 0x859C15A5, 0xE6459788, 0xC37BC75F, 0xDB07BA0C, 0x0676A3AB, 0x7F229B1E, 0x31842E7B, 0x24259FD7, 0xF8BEF472, 0x835FFCB8, 0x6DF4C1F2, 0x96F5B195, 0xFD0AF0FC, 0xB0FE134C, 0xE2506D3D, 0x4F9B12EA, 0xF215F225, 0xA223736F, 0x9FB4C428, 0x25D04979, 0x34C713F8, 0xC4618187, 0xEA7A6E98, 0x7CD16EFC, 0x1436876C, 0xF1544107, 0xBEDEEE14, 0x56E9AF27, 0xA04AA441, 0x3CF7C899, 0x92ECBAE6, 0xDD67016D, 0x151682EB, 0xA842EEDF, 0xFDBA60B4, 0xF1907B75, 0x20E3030F, 0x24D8C29E, 0xE139673B, 0xEFA63FB8, 0x71873054, 0xB6F2CF3B, 0x9F326442, 0xCB15A4CC, 0xB01A4504, 0xF1E47D8D, 0x844A1BE5, 0xBAE7DFDC, 0x42CBDA70, 0xCD7DAE0A, 0x57E85B7A, 0xD53F5AF6, 0x20CF4D8C, 0xCEA4D428, 0x79D130A4, 0x3486EBFB, 0x33D3CDDC, 0x77853B53, 0x37EFFCB5, 0xC5068778, 0xE580B3E6, 0x4E68B8F4, 0xC5C8B37E, 0x0D809EA2, 0x398FEB7C, 0x132A4F94, 0x43B7950E, 0x2FEE7D1C, 0x223613BD, 0xDD06CAA2, 0x37DF932B, 0xC4248289, 0xACF3EBC3, 0x5715F6B7, 0xEF3478DD, 0xF267616F, 0xC148CBE4, 0x9052815E, 0x5E410FAB, 0xB48A2465, 0x2EDA7FA4, 0xE87B40E4, 0xE98EA084, 0x5889E9E1, 0xEFD390FC, 0xDD07D35B, 0xDB485694, 0x38D7E5B2, 0x57720101, 0x730EDEBC, 0x5B643113, 0x94917E4F, 0x503C2FBA, 0x646F1282, 0x7523D24A, 0xE0779695, 0xF9C17A8F, 0x7A5B2121, 0xD187B896, 0x29263A4D, 0xBA510CDF, 0x81F47C9F, 0xAD1163ED, 0xEA7B5965, 0x1A00726E, 0x11403092, 0x00DA6D77, 0x4A0CDD61, 0xAD1F4603, 0x605BDFB0, 0x9EEDC364, 0x22EBE6A8, 0xCEE7D28A, 0xA0E736A0, 0x5564A6B9, 0x10853209, 0xC7EB8F37, 0x2DE705CA, 0x8951570F, 0xDF09822B, 0xBD691A6C, 0xAA12E4F2, 0x87451C0F, 0xE0F6A27A, 0x3ADA4819, 0x4CF1764F, 0x0D771C2B, 0x67CDB156, 0x350D8384, 0x5938FA0F, 0x42399EF3, 0x36997B07, 0x0E84093D, 0x4AA93E61, 0x8360D87B, 0x1FA98B0C, 0x1149382C, 0xE97625A5, 0x0614D1B7, 0x0E25244B, 0x0C768347, 0x589E8D82, 0x0D2059D1, 0xA466BB1E, 0xF8DA0A82, 0x04F19130, 0xBA6E4EC0, 0x99265164, 0x1EE7230D, 0x50B2AD80, 0xEAEE6801, 0x8DB2A283, 0xEA8BF59E }; nettle-3.10/gcm-aes128-meta.c0000644000175000017500000000342614633602171014623 0ustar nissenisse/* gcm-aes128-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_aes128_set_nonce_wrapper; static void gcm_aes128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_aes128_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_aes128 = { "gcm_aes128", sizeof(struct gcm_aes128_ctx), GCM_BLOCK_SIZE, AES128_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_aes128_set_key, (nettle_set_key_func *) gcm_aes128_set_key, gcm_aes128_set_nonce_wrapper, (nettle_hash_update_func *) gcm_aes128_update, (nettle_crypt_func *) gcm_aes128_encrypt, (nettle_crypt_func *) gcm_aes128_decrypt, (nettle_hash_digest_func *) gcm_aes128_digest, }; nettle-3.10/arm64/0000755000175000017500000000000014633602172012711 5ustar nissenissenettle-3.10/arm64/chacha-2core.asm0000644000175000017500000001305014633602172015631 0ustar nissenisseC arm64/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `x0') define(`SRC', `x1') define(`ROUNDS', `x2') C Working state define(`ROT24', `v0') define(`T0', `v16') C State, even elements in X, odd elements in Y define(`X0', `v17') define(`X1', `v18') define(`X2', `v19') define(`X3', `v20') define(`Y0', `v21') define(`Y1', `v22') define(`Y2', `v23') define(`Y3', `v24') C Original input state define(`S0', `v25') define(`S1', `v26') define(`S2', `v27') define(`S3', `v28') define(`S3p1', `v29') define(`TMP0', `v30') define(`TMP1', `v31') C _chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_2core) eor X1.16b, X1.16b, X1.16b mov w3, #1 mov X1.s[0], w3 add x3, SRC, #48 ld1 {X3.4s}, [x3] add Y3.4s, X3.4s, X1.4s cmhi Y3.4s, X3.4s, Y3.4s ext Y3.16b, Y3.16b, Y3.16b, #12 orr Y3.16b, Y3.16b, X1.16b .Lshared_entry: adr x3, .Lrot24 ld1 {ROT24.4s},[x3] add Y3.4s, Y3.4s, X3.4s C Load state ld1 {X0.4s,X1.4s,X2.4s}, [SRC] mov S0.16b, X0.16b mov S1.16b, X1.16b mov S2.16b, X2.16b mov S3.16b, X3.16b mov S3p1.16b, Y3.16b trn2 Y0.4s, X0.4s, X0.4s C 1 1 3 3 trn1 X0.4s, X0.4s, X0.4s C 0 0 2 2 trn2 Y1.4s, X1.4s, X1.4s C 5 5 7 7 trn1 X1.4s, X1.4s, X1.4s C 4 4 6 6 trn2 Y2.4s, X2.4s, X2.4s C 9 9 11 11 trn1 X2.4s, X2.4s, X2.4s C 8 8 10 10 trn2 Y3.4s, X3.4s, S3p1.4s C 13 13 15 15 trn1 X3.4s, X3.4s, S3p1.4s C 12 12 14 14 .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C X1: A4 B4 A6 B6 Y1: A5 B5 A7 B7 C X2: A8 B8 A10 B10 Y2: A9 B9 A11 B11 C X3: A12 B12 A14 B14 Y3: A13 B13 A15 B15 add X0.4s, X0.4s, X1.4s add Y0.4s, Y0.4s, Y1.4s eor X3.16b, X3.16b, X0.16b eor Y3.16b, Y3.16b, Y0.16b rev32 X3.8h, X3.8h rev32 Y3.8h, Y3.8h add X2.4s, X2.4s, X3.4s add Y2.4s, Y2.4s, Y3.4s eor TMP0.16b, X1.16b, X2.16b eor TMP1.16b, Y1.16b, Y2.16b ushr X1.4s, TMP0.4s, #20 ushr Y1.4s, TMP1.4s, #20 sli X1.4s, TMP0.4s, #12 sli Y1.4s, TMP1.4s, #12 add X0.4s, X0.4s, X1.4s add Y0.4s, Y0.4s, Y1.4s eor X3.16b, X3.16b, X0.16b eor Y3.16b, Y3.16b, Y0.16b tbl X3.16b, {X3.16b}, ROT24.16b tbl Y3.16b, {Y3.16b}, ROT24.16b add X2.4s, X2.4s, X3.4s add Y2.4s, Y2.4s, Y3.4s eor TMP0.16b, X1.16b, X2.16b eor TMP1.16b, Y1.16b, Y2.16b ushr X1.4s, TMP0.4s, #25 ushr Y1.4s, TMP1.4s, #25 sli X1.4s, TMP0.4s, #7 sli Y1.4s, TMP1.4s, #7 ext X1.16b, X1.16b, X1.16b, #8 ext X2.16b, X2.16b, X2.16b, #8 ext Y2.16b, Y2.16b, Y2.16b, #8 ext Y3.16b, Y3.16b, Y3.16b, #8 C Register layout: C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C Y1: A5 B5 A7 B7 X1: A6 B6 A4 B4 (X1 swapped) C X2: A10 B10 A8 B8 Y2: A11 A11 A9 B9 (X2, Y2 swapped) C Y3 A15 B15 A13 B13 X3 A12 B12 A14 B14 (Y3 swapped) add X0.4s, X0.4s, Y1.4s add Y0.4s, Y0.4s, X1.4s eor Y3.16b, Y3.16b, X0.16b eor X3.16b, X3.16b, Y0.16b rev32 Y3.8h, Y3.8h rev32 X3.8h, X3.8h add X2.4s, X2.4s, Y3.4s add Y2.4s, Y2.4s, X3.4s eor TMP0.16b, Y1.16b, X2.16b eor TMP1.16b, X1.16b, Y2.16b ushr Y1.4s, TMP0.4s, #20 ushr X1.4s, TMP1.4s, #20 sli Y1.4s, TMP0.4s, #12 sli X1.4s, TMP1.4s, #12 add X0.4s, X0.4s, Y1.4s add Y0.4s, Y0.4s, X1.4s eor Y3.16b, Y3.16b, X0.16b eor X3.16b, X3.16b, Y0.16b tbl Y3.16b, {Y3.16b}, ROT24.16b tbl X3.16b, {X3.16b}, ROT24.16b add X2.4s, X2.4s, Y3.4s add Y2.4s, Y2.4s, X3.4s eor TMP0.16b, Y1.16b, X2.16b eor TMP1.16b, X1.16b, Y2.16b ushr Y1.4s, TMP0.4s, #25 ushr X1.4s, TMP1.4s, #25 sli Y1.4s, TMP0.4s, #7 sli X1.4s, TMP1.4s, #7 ext X1.16b, X1.16b, X1.16b, #8 ext X2.16b, X2.16b, X2.16b, #8 ext Y2.16b, Y2.16b, Y2.16b, #8 ext Y3.16b, Y3.16b, Y3.16b, #8 subs ROUNDS, ROUNDS, #2 b.ne .Loop trn1 T0.4s, X0.4s, Y0.4s trn2 Y0.4s, X0.4s, Y0.4s trn1 X0.4s, X1.4s, Y1.4s trn2 Y1.4s, X1.4s, Y1.4s trn1 X1.4s, X2.4s, Y2.4s trn2 Y2.4s, X2.4s, Y2.4s trn1 X2.4s, X3.4s, Y3.4s trn2 Y3.4s, X3.4s, Y3.4s add T0.4s, T0.4s, S0.4s add Y0.4s, Y0.4s, S0.4s add X0.4s, X0.4s, S1.4s add Y1.4s, Y1.4s, S1.4s add X1.4s, X1.4s, S2.4s add Y2.4s, Y2.4s, S2.4s add X2.4s, X2.4s, S3.4s add Y3.4s, Y3.4s, S3p1.4s st1 {T0.16b,X0.16b,X1.16b,X2.16b}, [DST], #64 st1 {Y0.16b,Y1.16b,Y2.16b,Y3.16b}, [DST] ret EPILOGUE(_nettle_chacha_2core) PROLOGUE(_nettle_chacha_2core32) eor Y3.16b, Y3.16b, Y3.16b C {0,0,...,0} mov w3, #1 mov Y3.s[0], w3 C {1,0,...,0} add x3, SRC, #48 ld1 {X3.4s}, [x3] b .Lshared_entry EPILOGUE(_nettle_chacha_2core32) .align 4 .Lrot24: .long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f nettle-3.10/arm64/machine.m40000644000175000017500000000400014633602172014551 0ustar nissenisseC Get 32-bit floating-point register from vector register C SFP(VR) define(`SFP',``s'substr($1,1,len($1))') C Get 128-bit floating-point register from vector register C QFP(VR) define(`QFP',``q'substr($1,1,len($1))') C AES encryption round of 1-block C AESE_ROUND_1B(BLOCK, KEY) define(`AESE_ROUND_1B', m4_assert_numargs(2)` aese $1.16b,$2.16b aesmc $1.16b,$1.16b ') C AES last encryption round of 1-block C AESE_LAST_ROUND_1B(BLOCK, KEY0, KEY1) define(`AESE_LAST_ROUND_1B', m4_assert_numargs(3)` aese $1.16b,$2.16b eor $1.16b,$1.16b,$3.16b ') C AES decryption round of 1-block C AESD_ROUND_1B(BLOCK, KEY) define(`AESD_ROUND_1B', m4_assert_numargs(2)` aesd $1.16b,$2.16b aesimc $1.16b,$1.16b ') C AES last decryption round of 1-block C AESD_LAST_ROUND_1B(BLOCK, KEY0, KEY1) define(`AESD_LAST_ROUND_1B', m4_assert_numargs(3)` aesd $1.16b,$2.16b eor $1.16b,$1.16b,$3.16b ') C AES encryption round of 4-blocks C AESE_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY) define(`AESE_ROUND_4B', m4_assert_numargs(5)` AESE_ROUND_1B($1,$5) AESE_ROUND_1B($2,$5) AESE_ROUND_1B($3,$5) AESE_ROUND_1B($4,$5) ') C AES last encryption round of 4-blocks C AESE_LAST_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY0, KEY1) define(`AESE_LAST_ROUND_4B', m4_assert_numargs(6)` AESE_LAST_ROUND_1B($1,$5,$6) AESE_LAST_ROUND_1B($2,$5,$6) AESE_LAST_ROUND_1B($3,$5,$6) AESE_LAST_ROUND_1B($4,$5,$6) ') C AES decryption round of 4-blocks C AESD_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY) define(`AESD_ROUND_4B', m4_assert_numargs(5)` AESD_ROUND_1B($1,$5) AESD_ROUND_1B($2,$5) AESD_ROUND_1B($3,$5) AESD_ROUND_1B($4,$5) ') C AES last decryption round of 4-blocks C AESD_LAST_ROUND_4B(BLOCK0, BLOCK1, BLOCK2, BLOCK3, KEY0, KEY1) define(`AESD_LAST_ROUND_4B', m4_assert_numargs(6)` AESD_LAST_ROUND_1B($1,$5,$6) AESD_LAST_ROUND_1B($2,$5,$6) AESD_LAST_ROUND_1B($3,$5,$6) AESD_LAST_ROUND_1B($4,$5,$6) ') nettle-3.10/arm64/README0000644000175000017500000001153114633602172013572 0ustar nissenisseGeneral-purpose Registers[1] There are thirty-one, 64-bit, general-purpose (integer) registers visible to the A64 instruction set; these are labeled r0-r30. In a 64-bit context these registers are normally referred to using the names x0-x30; in a 32-bit context the registers are specified by using w0-w30. Additionally, a stack-pointer register, SP, can be used with a restricted number of instructions. The first eight registers, r0-r7, are used to pass argument values into a subroutine and to return result values from a function. Software developers creating platform-independent code are advised to avoid using r18 if at all possible. Most compilers provide a mechanism to prevent specific registers from being used for general allocation; portable hand-coded assembler should avoid it entirely. It should not be assumed that treating the register as callee-saved will be sufficient to satisfy the requirements of the platform. Virtualization code must, of course, treat the register as they would any other resource provided to the virtual machine. A subroutine invocation must preserve the contents of the registers r19-r29 and SP. All 64 bits of each value stored in r19-r29 must be preserved, even when using the ILP32 data model. SIMD and Floating-Point Registers[1] Unlike in AArch32, in AArch64 the 128-bit and 64-bit views of a SIMD and Floating-Point register do not overlap multiple registers in a narrower view, so q1, d1 and s1 all refer to the same entry in the register bank. The first eight registers, v0-v7, are used to pass argument values into a subroutine and to return result values from a function. They may also be used to hold intermediate values within a routine (but, in general, only between subroutine calls). Registers v8-v15 must be preserved by a callee across subroutine calls; the remaining registers (v0-v7, v16-v31) do not need to be preserved (or should be preserved by the caller). Additionally, only the bottom 64 bits of each value stored in v8-v15 need to be preserved. Endianness Similar to arm, aarch64 can run with little-endian or big-endian memory accesses. Endianness is handled exclusively on load and store operations. Register layout and operation behaviour is identical in both modes. When writing SIMD code, endianness interaction with vector loads and stores may exhibit seemingly unintuitive behaviour, particularly when mixing normal and vector load/store operations. See [2] for a good overview, particularly into the pitfalls of using ldr/str vs. ld1/st1. For example, ld1 {v1.2d,v2.2d},[x0] will load v1 and v2 with elements of a one-dimensional vector from consecutive memory locations. So v1.d[0] will be read from x0+0, v1.d[1] from x0+8 (bytes) and v2.d[0] from x0+16 and v2.d[1] from x0+24. That'll be the same in LE and BE mode because it is the structure of the vector prescribed by the load operation. Endianness will be applied to the individual doublewords but the order in which they're loaded from memory and in which they're put into d[0] and d[1] won't change. Another way is to explicitly load a vector of bytes using ld1 {v1.16b, v2.16b},[x0]. This will load x0+0 into v1.b[0], x0+1 (byte) into v1.b[1] and so forth. This load (or store) is endianness-neutral and behaves identical in LE and BE mode. Care must however be taken when switching views onto the registers: d[0] is mapped onto b[0] through b[7] and b[0] will be the least significant byte in d[0] and b[7] will be MSB. This layout is also the same in both memory endianness modes. ld1 {v1.16b}, however, will always load a vector of bytes with eight elements as consecutive bytes from memory into b[0] through b[7]. When accessed trough d[0] this will only appear as the expected doubleword-sized number if it was indeed stored little-endian in memory. Something similar happens when loading a vector of doublewords (ld1 {v1.2d},[x0]) and then accessing individual bytes of it. Bytes will only be at the expected indices if the doublewords are indeed stored in current memory endianness in memory. Therefore it is most intuitive to use the appropriate vector element width for the data being loaded or stored to apply the necessary endianness correction. Finally, ldr/str are not vector operations. When used to load a 128bit quadword, they will apply endianness to the whole quadword. Therefore particular care must be taken if the loaded data is then to be regarded as elements of e.g. a doubleword vector. Indicies may appear reversed on big-endian systems (because they are). Hardware-accelerated SHA Instructions The SHA optimized cores are implemented using SHA hashing instructions added to AArch64 in crypto extensions. The repository [3] illustrates using those instructions for optimizing SHA hashing functions. [1] https://github.com/ARM-software/abi-aa/releases/download/2020Q4/aapcs64.pdf [2] https://llvm.org/docs/BigEndianNEON.html [3] https://github.com/noloader/SHA-Intrinsics nettle-3.10/arm64/fat/0000755000175000017500000000000014633602172013463 5ustar nissenissenettle-3.10/arm64/fat/sha256-compress-n-2.asm0000644000175000017500000000225714633602172017426 0ustar nissenisseC arm64/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha256_compress_n) picked up by configure define(`fat_transform', `$1_arm64') include_src(`arm64/crypto/sha256-compress-n.asm') nettle-3.10/arm64/fat/ghash-set-key-2.asm0000644000175000017500000000224414633602172016777 0ustar nissenisseC arm64/fat/ghash-set-key.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_set_key) define(`fat_transform', `$1_arm64') include_src(`arm64/crypto/ghash-set-key.asm') nettle-3.10/arm64/fat/aes192-decrypt-2.asm0000644000175000017500000000224314633602172017001 0ustar nissenisseC arm64/fat/aes192-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_decrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes192-decrypt.asm') nettle-3.10/arm64/fat/aes256-decrypt-2.asm0000644000175000017500000000224314633602172017002 0ustar nissenisseC arm64/fat/aes256-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_decrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes256-decrypt.asm') nettle-3.10/arm64/fat/aes192-encrypt-2.asm0000644000175000017500000000224314633602172017013 0ustar nissenisseC arm64/fat/aes192-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_encrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes192-encrypt.asm') nettle-3.10/arm64/fat/ghash-update-2.asm0000644000175000017500000000224114633602172016675 0ustar nissenisseC arm64/fat/ghash-update.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_arm64') include_src(`arm64/crypto/ghash-update.asm') nettle-3.10/arm64/fat/aes128-encrypt-2.asm0000644000175000017500000000224314633602172017012 0ustar nissenisseC arm64/fat/aes128-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_encrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes128-encrypt.asm') nettle-3.10/arm64/fat/aes128-decrypt-2.asm0000644000175000017500000000224314633602172017000 0ustar nissenisseC arm64/fat/aes128-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_decrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes128-decrypt.asm') nettle-3.10/arm64/fat/aes256-encrypt-2.asm0000644000175000017500000000224314633602172017014 0ustar nissenisseC arm64/fat/aes256-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_encrypt) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/aes256-encrypt.asm') nettle-3.10/arm64/fat/sha1-compress-2.asm0000644000175000017500000000224314633602172017012 0ustar nissenisseC arm64/fat/sha1-compress-2.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_sha1_compress) picked up by configure define(`fat_transform', `_$1_arm64') include_src(`arm64/crypto/sha1-compress.asm') nettle-3.10/arm64/crypto/0000755000175000017500000000000014633602172014231 5ustar nissenissenettle-3.10/arm64/crypto/aes192-decrypt.asm0000644000175000017500000000616414633602172017416 0ustar nissenisseC arm64/crypto/aes192-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes192-decrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') define(`K11', `v27') define(`K12', `v28') C void C aes192_decrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes192_decrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s,K11.4s},[KEYS],#64 ld1 {K12.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESD_ROUND_4B(S0,S1,S2,S3,K12) AESD_ROUND_4B(S0,S1,S2,S3,K11) AESD_ROUND_4B(S0,S1,S2,S3,K10) AESD_ROUND_4B(S0,S1,S2,S3,K9) AESD_ROUND_4B(S0,S1,S2,S3,K8) AESD_ROUND_4B(S0,S1,S2,S3,K7) AESD_ROUND_4B(S0,S1,S2,S3,K6) AESD_ROUND_4B(S0,S1,S2,S3,K5) AESD_ROUND_4B(S0,S1,S2,S3,K4) AESD_ROUND_4B(S0,S1,S2,S3,K3) AESD_ROUND_4B(S0,S1,S2,S3,K2) AESD_LAST_ROUND_4B(S0,S1,S2,S3,K1,K0) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESD_ROUND_1B(S0,K12) AESD_ROUND_1B(S0,K11) AESD_ROUND_1B(S0,K10) AESD_ROUND_1B(S0,K9) AESD_ROUND_1B(S0,K8) AESD_ROUND_1B(S0,K7) AESD_ROUND_1B(S0,K6) AESD_ROUND_1B(S0,K5) AESD_ROUND_1B(S0,K4) AESD_ROUND_1B(S0,K3) AESD_ROUND_1B(S0,K2) AESD_LAST_ROUND_1B(S0,K1,K0) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes192_decrypt) nettle-3.10/arm64/crypto/ghash-set-key.asm0000644000175000017500000001415314633602172017410 0ustar nissenisseC arm64/crypto/ghash-set-key.asm ifelse(` Copyright (C) 2020 Niels Möller and Mamone Tarsha Copyright (C) 2021 Michael Weiser This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ghash-set-key.asm" .arch armv8-a+crypto .text C common SIMD register usage: define(`POLY', `v6') C temporary register that assist the reduction procedure define(`T', `v7') C permenant register that hold the 16-byte result of pmull define(`F', `v16') C permenant register that hold the 16-byte result of pmull2, C its value is accumulated on 'F' register immediately define(`F1', `v17') C permenant register that hold the 16-byte result of pmull define(`R', `v18') C permenant register that hold the 16-byte result of pmull2, C its value is accumulated on 'F' register immediately define(`R1', `v19') C common macros: C long multiply of six 64-bit polynomials and sum C R = (in.l × param2.l) + (in.h × param2.h) C F = (in.l × param3.l) + (in.h × param3.h) C PMUL(in, param1, param2) define(`PMUL', m4_assert_numargs(3)` pmull F.1q,$3.1d,$1.1d pmull2 F1.1q,$3.2d,$1.2d pmull R.1q,$2.1d,$1.1d pmull2 R1.1q,$2.2d,$1.2d eor F.16b,F.16b,F1.16b eor R.16b,R.16b,R1.16b ') C Reduce 'R' and 'F' values to 128-bit output C REDUCTION(out) define(`REDUCTION', m4_assert_numargs(1)` pmull T.1q,F.1d,POLY.1d eor R.16b,R.16b,T.16b ext R.16b,R.16b,R.16b,#8 eor $1.16b,F.16b,R.16b ') C void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) C This function populates the gcm table as the following layout C ******************************************************************************* C | H1M = (H1 div x⁶⁴)||((H1 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H1L = (H1 mod x⁶⁴)||(((H1 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H1 div x⁶⁴) | C | | C | H2M = (H2 div x⁶⁴)||((H2 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H2L = (H2 mod x⁶⁴)||(((H2 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H2 div x⁶⁴) | C | | C | H3M = (H3 div x⁶⁴)||((H3 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H3L = (H3 mod x⁶⁴)||(((H3 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H3 div x⁶⁴) | C | | C | H4M = (H3 div x⁶⁴)||((H4 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H4L = (H3 mod x⁶⁴)||(((H4 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H4 div x⁶⁴) | C ******************************************************************************* C Register usage: define(`CTX', `x0') define(`KEY', `x1') define(`EMSB', `v0') define(`B', `v1') define(`H', `v2') define(`H2', `v3') define(`H3', `v4') define(`H4', `v5') define(`Hp', `v20') define(`Hl', `v21') define(`Hm', `v22') define(`H1M', `v23') define(`H1L', `v24') define(`H2M', `v25') define(`H2L', `v26') define(`H3M', `v27') define(`H3L', `v28') define(`H4M', `v29') define(`H4L', `v30') C PMUL_PARAM(in, param1, param2) define(`PMUL_PARAM', m4_assert_numargs(3)` pmull2 Hp.1q,$1.2d,POLY.2d eor Hm.16b,$1.16b,Hp.16b ext $2.16b,Hm.16b,$1.16b,#8 ext $3.16b,$1.16b,Hm.16b,#8 ext $2.16b,$2.16b,$2.16b,#8 ') PROLOGUE(_nettle_ghash_set_key) ld1 {H.2d},[KEY] C we treat data as big-endian doublewords for processing. Since there is no C endianness-neutral MSB-first load operation we need to restore our desired C byte order on little-endian systems. The same holds true for DATA below C but not our own internal precalculated CTX (see below). IF_LE(` rev64 H.16b,H.16b ') C --- calculate H = H × x mod R(X); R(X) = (x¹²⁸+x¹²⁷+x¹²⁶+x¹²¹+1) --- dup EMSB.16b,H.b[7] mov x1,#0xC200000000000000 mov x2,#1 mov POLY.d[0],x1 mov POLY.d[1],x2 sshr EMSB.16b,EMSB.16b,#7 and EMSB.16b,EMSB.16b,POLY.16b ushr B.2d,H.2d,#63 and B.16b,B.16b,POLY.16b ext B.16b,B.16b,B.16b,#8 shl H.2d,H.2d,#1 orr H.16b,H.16b,B.16b eor H.16b,H.16b,EMSB.16b dup POLY.2d,POLY.d[0] C --- calculate H^2 = H × H --- PMUL_PARAM(H,H1M,H1L) PMUL(H,H1M,H1L) REDUCTION(H2) PMUL_PARAM(H2,H2M,H2L) C we store to the table as doubleword-vectors in current memory endianness C because it's our own strictly internal data structure and what ghash_update C can most naturally use st1 {H1M.2d,H1L.2d,H2M.2d,H2L.2d},[CTX],#64 C --- calculate H^3 = H^1 × H^2 --- PMUL(H2,H1M,H1L) REDUCTION(H3) PMUL_PARAM(H3,H3M,H3L) C --- calculate H^4 = H^2 × H^2 --- PMUL(H2,H2M,H2L) REDUCTION(H4) PMUL_PARAM(H4,H4M,H4L) st1 {H3M.2d,H3L.2d,H4M.2d,H4L.2d},[CTX] ret EPILOGUE(_nettle_ghash_set_key) nettle-3.10/arm64/crypto/ghash-update.asm0000644000175000017500000001114714633602172017311 0ustar nissenisseC arm64/crypto/ghash-update.asm ifelse(` Copyright (C) 2020 Niels Möller and Mamone Tarsha Copyright (C) 2021 Michael Weiser This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ghash-update.asm" .arch armv8-a+crypto .text C common SIMD register usage: define(`POLY', `v6') C temporary register that assist the reduction procedure define(`T', `v7') C permenant register that hold the 16-byte result of pmull define(`F', `v16') C permenant register that hold the 16-byte result of pmull2, C its value is accumulated on 'F' register immediately define(`F1', `v17') C permenant register that hold the 16-byte result of pmull define(`R', `v18') C permenant register that hold the 16-byte result of pmull2, C its value is accumulated on 'F' register immediately define(`R1', `v19') C common macros: C long multiply of six 64-bit polynomials and sum C R = (in.l × param2.l) + (in.h × param2.h) C F = (in.l × param3.l) + (in.h × param3.h) C PMUL(in, param1, param2) define(`PMUL', m4_assert_numargs(3)` pmull F.1q,$3.1d,$1.1d pmull2 F1.1q,$3.2d,$1.2d pmull R.1q,$2.1d,$1.1d pmull2 R1.1q,$2.2d,$1.2d eor F.16b,F.16b,F1.16b eor R.16b,R.16b,R1.16b ') C Reduce 'R' and 'F' values to 128-bit output C REDUCTION(out) define(`REDUCTION', m4_assert_numargs(1)` pmull T.1q,F.1d,POLY.1d eor R.16b,R.16b,T.16b ext R.16b,R.16b,R.16b,#8 eor $1.16b,F.16b,R.16b ') C register usage: define(`CTX', `x0') define(`X', `x1') define(`BLOCKS', `x2') define(`DATA', `x3') define(`D', `v0') define(`C0', `v1') define(`C1', `v2') define(`C2', `v3') define(`C3', `v4') define(`R2', `v20') define(`F2', `v21') define(`R3', `v22') define(`F3', `v23') define(`H1M', `v24') define(`H1L', `v25') define(`H2M', `v26') define(`H2L', `v27') define(`H3M', `v28') define(`H3L', `v29') define(`H4M', `v30') define(`H4L', `v31') C PMUL_SUM(in, param1, param2) define(`PMUL_SUM', m4_assert_numargs(3)` pmull F2.1q,$3.1d,$1.1d pmull2 F3.1q,$3.2d,$1.2d pmull R2.1q,$2.1d,$1.1d pmull2 R3.1q,$2.2d,$1.2d eor F2.16b,F2.16b,F3.16b eor R2.16b,R2.16b,R3.16b eor F.16b,F.16b,F2.16b eor R.16b,R.16b,R2.16b ') C const uint8_t *_ghash_update (const struct gcm_key *key, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) PROLOGUE(_nettle_ghash_update) mov x4,#0xC200000000000000 mov POLY.d[0],x4 ld1 {D.2d},[X] IF_LE(` rev64 D.16b,D.16b ') ands x4,BLOCKS,#-4 b.eq L1_block add x5,CTX,#64 ld1 {H1M.2d,H1L.2d,H2M.2d,H2L.2d},[CTX] ld1 {H3M.2d,H3L.2d,H4M.2d,H4L.2d},[x5] L4_blocks_loop: ld1 {C0.2d,C1.2d,C2.2d,C3.2d},[DATA],#64 IF_LE(` rev64 C0.16b,C0.16b rev64 C1.16b,C1.16b rev64 C2.16b,C2.16b rev64 C3.16b,C3.16b ') eor C0.16b,C0.16b,D.16b PMUL(C1,H3M,H3L) PMUL_SUM(C2,H2M,H2L) PMUL_SUM(C3,H1M,H1L) PMUL_SUM(C0,H4M,H4L) REDUCTION(D) subs x4,x4,#4 b.ne L4_blocks_loop L1_block: ands BLOCKS,BLOCKS,#3 b.eq Lghash_done ld1 {H1M.2d,H1L.2d},[CTX] L1_block_loop: ld1 {C0.2d},[DATA],#16 IF_LE(` rev64 C0.16b,C0.16b ') eor C0.16b,C0.16b,D.16b PMUL(C0,H1M,H1L) REDUCTION(D) subs BLOCKS, BLOCKS, #1 b.ne L1_block_loop Lghash_done: IF_LE(` rev64 D.16b,D.16b ') st1 {D.2d},[X] mov x0, DATA ret EPILOGUE(_nettle_ghash_update) nettle-3.10/arm64/crypto/aes192-encrypt.asm0000644000175000017500000000616414633602172017430 0ustar nissenisseC arm64/crypto/aes192-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes192-encrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') define(`K11', `v27') define(`K12', `v28') C void C aes192_encrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes192_encrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s,K11.4s},[KEYS],#64 ld1 {K12.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESE_ROUND_4B(S0,S1,S2,S3,K0) AESE_ROUND_4B(S0,S1,S2,S3,K1) AESE_ROUND_4B(S0,S1,S2,S3,K2) AESE_ROUND_4B(S0,S1,S2,S3,K3) AESE_ROUND_4B(S0,S1,S2,S3,K4) AESE_ROUND_4B(S0,S1,S2,S3,K5) AESE_ROUND_4B(S0,S1,S2,S3,K6) AESE_ROUND_4B(S0,S1,S2,S3,K7) AESE_ROUND_4B(S0,S1,S2,S3,K8) AESE_ROUND_4B(S0,S1,S2,S3,K9) AESE_ROUND_4B(S0,S1,S2,S3,K10) AESE_LAST_ROUND_4B(S0,S1,S2,S3,K11,K12) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESE_ROUND_1B(S0,K0) AESE_ROUND_1B(S0,K1) AESE_ROUND_1B(S0,K2) AESE_ROUND_1B(S0,K3) AESE_ROUND_1B(S0,K4) AESE_ROUND_1B(S0,K5) AESE_ROUND_1B(S0,K6) AESE_ROUND_1B(S0,K7) AESE_ROUND_1B(S0,K8) AESE_ROUND_1B(S0,K9) AESE_ROUND_1B(S0,K10) AESE_LAST_ROUND_1B(S0,K11,K12) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes192_encrypt) nettle-3.10/arm64/crypto/aes256-encrypt.asm0000644000175000017500000000644614633602172017434 0ustar nissenisseC arm64/crypto/aes256-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes256-encrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') define(`K11', `v27') define(`K12', `v28') define(`K13', `v29') define(`K14', `v30') C void C aes256_encrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes256_encrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s,K11.4s},[KEYS],#64 ld1 {K12.4s,K13.4s,K14.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESE_ROUND_4B(S0,S1,S2,S3,K0) AESE_ROUND_4B(S0,S1,S2,S3,K1) AESE_ROUND_4B(S0,S1,S2,S3,K2) AESE_ROUND_4B(S0,S1,S2,S3,K3) AESE_ROUND_4B(S0,S1,S2,S3,K4) AESE_ROUND_4B(S0,S1,S2,S3,K5) AESE_ROUND_4B(S0,S1,S2,S3,K6) AESE_ROUND_4B(S0,S1,S2,S3,K7) AESE_ROUND_4B(S0,S1,S2,S3,K8) AESE_ROUND_4B(S0,S1,S2,S3,K9) AESE_ROUND_4B(S0,S1,S2,S3,K10) AESE_ROUND_4B(S0,S1,S2,S3,K11) AESE_ROUND_4B(S0,S1,S2,S3,K12) AESE_LAST_ROUND_4B(S0,S1,S2,S3,K13,K14) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESE_ROUND_1B(S0,K0) AESE_ROUND_1B(S0,K1) AESE_ROUND_1B(S0,K2) AESE_ROUND_1B(S0,K3) AESE_ROUND_1B(S0,K4) AESE_ROUND_1B(S0,K5) AESE_ROUND_1B(S0,K6) AESE_ROUND_1B(S0,K7) AESE_ROUND_1B(S0,K8) AESE_ROUND_1B(S0,K9) AESE_ROUND_1B(S0,K10) AESE_ROUND_1B(S0,K11) AESE_ROUND_1B(S0,K12) AESE_LAST_ROUND_1B(S0,K13,K14) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes256_encrypt) nettle-3.10/arm64/crypto/sha1-compress.asm0000644000175000017500000001614114633602172017423 0ustar nissenisseC arm64/crypto/sha1-compress.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C This implementation uses the SHA-1 instructions of Armv8 crypto C extension. C SHA1C: SHA1 hash update (choose) C SHA1H: SHA1 fixed rotate C SHA1M: SHA1 hash update (majority) C SHA1P: SHA1 hash update (parity) C SHA1SU0: SHA1 schedule update 0 C SHA1SU1: SHA1 schedule update 1 .file "sha1-compress.asm" .arch armv8-a+crypto .text C Register usage: define(`STATE', `x0') define(`INPUT', `x1') define(`CONST0', `v0') define(`CONST1', `v1') define(`CONST2', `v2') define(`CONST3', `v3') define(`MSG0', `v4') define(`MSG1', `v5') define(`MSG2', `v6') define(`MSG3', `v7') define(`ABCD', `v16') define(`ABCD_SAVED', `v17') define(`E0', `v18') define(`E0_SAVED', `v19') define(`E1', `v20') define(`TMP', `v21') C void nettle_sha1_compress(uint32_t *state, const uint8_t *input) PROLOGUE(nettle_sha1_compress) C Initialize constants mov w2,#0x7999 movk w2,#0x5A82,lsl #16 dup CONST0.4s,w2 mov w2,#0xEBA1 movk w2,#0x6ED9,lsl #16 dup CONST1.4s,w2 mov w2,#0xBCDC movk w2,#0x8F1B,lsl #16 dup CONST2.4s,w2 mov w2,#0xC1D6 movk w2,#0xCA62,lsl #16 dup CONST3.4s,w2 C Load state add x2,STATE,#16 movi E0.4s,#0 ld1 {ABCD.4s},[STATE] ld1 {E0.s}[0],[x2] C Save state mov ABCD_SAVED.16b,ABCD.16b mov E0_SAVED.16b,E0.16b C Load message ld1 {MSG0.16b,MSG1.16b,MSG2.16b,MSG3.16b},[INPUT] C Reverse for little endian rev32 MSG0.16b,MSG0.16b rev32 MSG1.16b,MSG1.16b rev32 MSG2.16b,MSG2.16b rev32 MSG3.16b,MSG3.16b C Rounds 0-3 add TMP.4s,MSG0.4s,CONST0.4s sha1h SFP(E1),SFP(ABCD) sha1c QFP(ABCD),SFP(E0),TMP.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 4-7 add TMP.4s,MSG1.4s,CONST0.4s sha1h SFP(E0),SFP(ABCD) sha1c QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s sha1su0 MSG1.4s,MSG2.4s,MSG3.4s C Rounds 8-11 add TMP.4s,MSG2.4s,CONST0.4s sha1h SFP(E1),SFP(ABCD) sha1c QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG1.4s,MSG0.4s sha1su0 MSG2.4s,MSG3.4s,MSG0.4s C Rounds 12-15 add TMP.4s,MSG3.4s,CONST0.4s sha1h SFP(E0),SFP(ABCD) sha1c QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG2.4s,MSG1.4s sha1su0 MSG3.4s,MSG0.4s,MSG1.4s C Rounds 16-19 add TMP.4s,MSG0.4s,CONST0.4s sha1h SFP(E1),SFP(ABCD) sha1c QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG3.4s,MSG2.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 20-23 add TMP.4s,MSG1.4s,CONST1.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s sha1su0 MSG1.4s,MSG2.4s,MSG3.4s C Rounds 24-27 add TMP.4s,MSG2.4s,CONST1.4s sha1h SFP(E1),SFP(ABCD) sha1p QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG1.4s,MSG0.4s sha1su0 MSG2.4s,MSG3.4s,MSG0.4s C Rounds 28-31 add TMP.4s,MSG3.4s,CONST1.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG2.4s,MSG1.4s sha1su0 MSG3.4s,MSG0.4s,MSG1.4s C Rounds 32-35 add TMP.4s,MSG0.4s,CONST1.4s sha1h SFP(E1),SFP(ABCD) sha1p QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG3.4s,MSG2.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 36-39 add TMP.4s,MSG1.4s,CONST1.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s sha1su0 MSG1.4s,MSG2.4s,MSG3.4s C Rounds 40-43 add TMP.4s,MSG2.4s,CONST2.4s sha1h SFP(E1),SFP(ABCD) sha1m QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG1.4s,MSG0.4s sha1su0 MSG2.4s,MSG3.4s,MSG0.4s C Rounds 44-47 add TMP.4s,MSG3.4s,CONST2.4s sha1h SFP(E0),SFP(ABCD) sha1m QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG2.4s,MSG1.4s sha1su0 MSG3.4s,MSG0.4s,MSG1.4s C Rounds 48-51 add TMP.4s,MSG0.4s,CONST2.4s sha1h SFP(E1),SFP(ABCD) sha1m QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG3.4s,MSG2.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 52-55 add TMP.4s,MSG1.4s,CONST2.4s sha1h SFP(E0),SFP(ABCD) sha1m QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s sha1su0 MSG1.4s,MSG2.4s,MSG3.4s C Rounds 56-59 add TMP.4s,MSG2.4s,CONST2.4s sha1h SFP(E1),SFP(ABCD) sha1m QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG1.4s,MSG0.4s sha1su0 MSG2.4s,MSG3.4s,MSG0.4s C Rounds 60-63 add TMP.4s,MSG3.4s,CONST3.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG2.4s,MSG1.4s sha1su0 MSG3.4s,MSG0.4s,MSG1.4s C Rounds 64-67 add TMP.4s,MSG0.4s,CONST3.4s sha1h SFP(E1),SFP(ABCD) sha1p QFP(ABCD),SFP(E0),TMP.4s sha1su1 MSG3.4s,MSG2.4s sha1su0 MSG0.4s,MSG1.4s,MSG2.4s C Rounds 68-71 add TMP.4s,MSG1.4s,CONST3.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s sha1su1 MSG0.4s,MSG3.4s C Rounds 72-75 add TMP.4s,MSG2.4s,CONST3.4s sha1h SFP(E1),SFP(ABCD) sha1p QFP(ABCD),SFP(E0),TMP.4s C Rounds 76-79 add TMP.4s,MSG3.4s,CONST3.4s sha1h SFP(E0),SFP(ABCD) sha1p QFP(ABCD),SFP(E1),TMP.4s C Combine state add E0.4s,E0.4s,E0_SAVED.4s add ABCD.4s,ABCD.4s,ABCD_SAVED.4s C Store state st1 {ABCD.4s},[STATE] st1 {E0.s}[0],[x2] ret EPILOGUE(nettle_sha1_compress) nettle-3.10/arm64/crypto/aes128-encrypt.asm0000644000175000017500000000564214633602172017427 0ustar nissenisseC arm64/crypto/aes128-encrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes128-encrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') C void C aes128_encrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes128_encrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESE_ROUND_4B(S0,S1,S2,S3,K0) AESE_ROUND_4B(S0,S1,S2,S3,K1) AESE_ROUND_4B(S0,S1,S2,S3,K2) AESE_ROUND_4B(S0,S1,S2,S3,K3) AESE_ROUND_4B(S0,S1,S2,S3,K4) AESE_ROUND_4B(S0,S1,S2,S3,K5) AESE_ROUND_4B(S0,S1,S2,S3,K6) AESE_ROUND_4B(S0,S1,S2,S3,K7) AESE_ROUND_4B(S0,S1,S2,S3,K8) AESE_LAST_ROUND_4B(S0,S1,S2,S3,K9,K10) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESE_ROUND_1B(S0,K0) AESE_ROUND_1B(S0,K1) AESE_ROUND_1B(S0,K2) AESE_ROUND_1B(S0,K3) AESE_ROUND_1B(S0,K4) AESE_ROUND_1B(S0,K5) AESE_ROUND_1B(S0,K6) AESE_ROUND_1B(S0,K7) AESE_ROUND_1B(S0,K8) AESE_LAST_ROUND_1B(S0,K9,K10) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes128_encrypt) nettle-3.10/arm64/crypto/aes128-decrypt.asm0000644000175000017500000000564214633602172017415 0ustar nissenisseC arm64/crypto/aes128-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes128-decrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') C void C aes128_decrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes128_decrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESD_ROUND_4B(S0,S1,S2,S3,K10) AESD_ROUND_4B(S0,S1,S2,S3,K9) AESD_ROUND_4B(S0,S1,S2,S3,K8) AESD_ROUND_4B(S0,S1,S2,S3,K7) AESD_ROUND_4B(S0,S1,S2,S3,K6) AESD_ROUND_4B(S0,S1,S2,S3,K5) AESD_ROUND_4B(S0,S1,S2,S3,K4) AESD_ROUND_4B(S0,S1,S2,S3,K3) AESD_ROUND_4B(S0,S1,S2,S3,K2) AESD_LAST_ROUND_4B(S0,S1,S2,S3,K1,K0) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESD_ROUND_1B(S0,K10) AESD_ROUND_1B(S0,K9) AESD_ROUND_1B(S0,K8) AESD_ROUND_1B(S0,K7) AESD_ROUND_1B(S0,K6) AESD_ROUND_1B(S0,K5) AESD_ROUND_1B(S0,K4) AESD_ROUND_1B(S0,K3) AESD_ROUND_1B(S0,K2) AESD_LAST_ROUND_1B(S0,K1,K0) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes128_decrypt) nettle-3.10/arm64/crypto/aes256-decrypt.asm0000644000175000017500000000644614633602172017422 0ustar nissenisseC arm64/crypto/aes256-decrypt.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "aes256-decrypt.asm" .arch armv8-a+crypto .text C Register usage: define(`KEYS', `x0') define(`LENGTH', `x1') define(`DST', `x2') define(`SRC', `x3') define(`S0', `v0') define(`S1', `v1') define(`S2', `v2') define(`S3', `v3') define(`K0', `v16') define(`K1', `v17') define(`K2', `v18') define(`K3', `v19') define(`K4', `v20') define(`K5', `v21') define(`K6', `v22') define(`K7', `v23') define(`K8', `v24') define(`K9', `v25') define(`K10', `v26') define(`K11', `v27') define(`K12', `v28') define(`K13', `v29') define(`K14', `v30') C void C aes256_decrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) PROLOGUE(nettle_aes256_decrypt) ld1 {K0.4s,K1.4s,K2.4s,K3.4s},[KEYS],#64 ld1 {K4.4s,K5.4s,K6.4s,K7.4s},[KEYS],#64 ld1 {K8.4s,K9.4s,K10.4s,K11.4s},[KEYS],#64 ld1 {K12.4s,K13.4s,K14.4s},[KEYS] ands x4,LENGTH,#-64 b.eq L1B L4B_loop: ld1 {S0.16b,S1.16b,S2.16b,S3.16b},[SRC],#64 AESD_ROUND_4B(S0,S1,S2,S3,K14) AESD_ROUND_4B(S0,S1,S2,S3,K13) AESD_ROUND_4B(S0,S1,S2,S3,K12) AESD_ROUND_4B(S0,S1,S2,S3,K11) AESD_ROUND_4B(S0,S1,S2,S3,K10) AESD_ROUND_4B(S0,S1,S2,S3,K9) AESD_ROUND_4B(S0,S1,S2,S3,K8) AESD_ROUND_4B(S0,S1,S2,S3,K7) AESD_ROUND_4B(S0,S1,S2,S3,K6) AESD_ROUND_4B(S0,S1,S2,S3,K5) AESD_ROUND_4B(S0,S1,S2,S3,K4) AESD_ROUND_4B(S0,S1,S2,S3,K3) AESD_ROUND_4B(S0,S1,S2,S3,K2) AESD_LAST_ROUND_4B(S0,S1,S2,S3,K1,K0) st1 {S0.16b,S1.16b,S2.16b,S3.16b},[DST],#64 subs x4,x4,#64 b.ne L4B_loop and LENGTH,LENGTH,#63 L1B: cbz LENGTH,Ldone L1B_loop: ld1 {S0.16b},[SRC],#16 AESD_ROUND_1B(S0,K14) AESD_ROUND_1B(S0,K13) AESD_ROUND_1B(S0,K12) AESD_ROUND_1B(S0,K11) AESD_ROUND_1B(S0,K10) AESD_ROUND_1B(S0,K9) AESD_ROUND_1B(S0,K8) AESD_ROUND_1B(S0,K7) AESD_ROUND_1B(S0,K6) AESD_ROUND_1B(S0,K5) AESD_ROUND_1B(S0,K4) AESD_ROUND_1B(S0,K3) AESD_ROUND_1B(S0,K2) AESD_LAST_ROUND_1B(S0,K1,K0) st1 {S0.16b},[DST],#16 subs LENGTH,LENGTH,#16 b.ne L1B_loop Ldone: ret EPILOGUE(nettle_aes256_decrypt) nettle-3.10/arm64/crypto/sha256-compress-n.asm0000644000175000017500000001651614633602172020040 0ustar nissenisseC arm64/crypto/sha256-compress-n.asm ifelse(` Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C This implementation uses the SHA-256 instructions of Armv8 crypto C extension. C SHA256H: SHA256 hash update (part 1) C SHA256H2: SHA256 hash update (part 2) C SHA256SU0: SHA256 schedule update 0 C SHA256SU1: SHA256 schedule update 1 .file "sha256-compress-n.asm" .arch armv8-a+crypto .text C Register usage: define(`STATE', `x0') define(`K', `x1') define(`BLOCKS', `x2') define(`INPUT', `x3') define(`MSG0', `v0') define(`MSG1', `v1') define(`MSG2', `v2') define(`MSG3', `v3') define(`STATE0', `v4') define(`STATE1', `v5') define(`CONST', `v6') define(`TMP', `v7') define(`STATE0_SAVED', `v16') define(`STATE1_SAVED', `v17') C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) PROLOGUE(_nettle_sha256_compress_n) cbz BLOCKS, .Lend C Load state ld1 {STATE0.4s,STATE1.4s},[STATE] .Loop: C Save state mov STATE0_SAVED.16b,STATE0.16b mov STATE1_SAVED.16b,STATE1.16b C Load message ld1 {MSG0.16b,MSG1.16b,MSG2.16b,MSG3.16b},[INPUT],#64 C Reverse for little endian rev32 MSG0.16b,MSG0.16b rev32 MSG1.16b,MSG1.16b rev32 MSG2.16b,MSG2.16b rev32 MSG3.16b,MSG3.16b C Rounds 0-3 ld1 {CONST.4s},[K],#16 add CONST.4s,MSG0.4s,CONST.4s sha256su0 MSG0.4s,MSG1.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(STATE0_SAVED),CONST.4s sha256su1 MSG0.4s,MSG2.4s,MSG3.4s C Rounds 4-7 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG1.4s,CONST.4s sha256su0 MSG1.4s,MSG2.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG1.4s,MSG3.4s,MSG0.4s C Rounds 8-11 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG2.4s,CONST.4s sha256su0 MSG2.4s,MSG3.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG2.4s,MSG0.4s,MSG1.4s C Rounds 12-15 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG3.4s,CONST.4s sha256su0 MSG3.4s,MSG0.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG3.4s,MSG1.4s,MSG2.4s C Rounds 16-19 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG0.4s,CONST.4s sha256su0 MSG0.4s,MSG1.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG0.4s,MSG2.4s,MSG3.4s C Rounds 20-23 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG1.4s,CONST.4s sha256su0 MSG1.4s,MSG2.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG1.4s,MSG3.4s,MSG0.4s C Rounds 24-27 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG2.4s,CONST.4s sha256su0 MSG2.4s,MSG3.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG2.4s,MSG0.4s,MSG1.4s C Rounds 28-31 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG3.4s,CONST.4s sha256su0 MSG3.4s,MSG0.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG3.4s,MSG1.4s,MSG2.4s C Rounds 32-35 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG0.4s,CONST.4s sha256su0 MSG0.4s,MSG1.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG0.4s,MSG2.4s,MSG3.4s C Rounds 36-39 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG1.4s,CONST.4s sha256su0 MSG1.4s,MSG2.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG1.4s,MSG3.4s,MSG0.4s C Rounds 40-43 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG2.4s,CONST.4s sha256su0 MSG2.4s,MSG3.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG2.4s,MSG0.4s,MSG1.4s C Rounds 44-47 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG3.4s,CONST.4s sha256su0 MSG3.4s,MSG0.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s sha256su1 MSG3.4s,MSG1.4s,MSG2.4s C Rounds 48-51 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG0.4s,CONST.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s C Rounds 52-55 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG1.4s,CONST.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s C Rounds 56-59 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K],#16 add CONST.4s,MSG2.4s,CONST.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s C Rounds 60-63 mov TMP.16b,STATE0.16b ld1 {CONST.4s},[K] add CONST.4s,MSG3.4s,CONST.4s sha256h QFP(STATE0),QFP(STATE1),CONST.4s sha256h2 QFP(STATE1),QFP(TMP),CONST.4s C Combine state add STATE0.4s,STATE0.4s,STATE0_SAVED.4s add STATE1.4s,STATE1.4s,STATE1_SAVED.4s subs BLOCKS, BLOCKS, #1 sub K, K, #240 b.ne .Loop C Store state st1 {STATE0.4s,STATE1.4s},[STATE] .Lend: mov x0, INPUT ret EPILOGUE(_nettle_sha256_compress_n) nettle-3.10/arm64/chacha-core-internal.asm0000644000175000017500000000555214633602172017371 0ustar nissenisseC arm64/chacha-core-internal.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `x0') define(`SRC', `x1') define(`ROUNDS', `x2') C Working state define(`X0', `v0') define(`X1', `v1') define(`X2', `v2') define(`X3', `v3') C Original input state define(`S0', `v4') define(`S1', `v5') define(`S2', `v6') define(`S3', `v7') define(`ROT24', `v16') define(`TMP', `v17') C QROUND(X0, X1, X2, X3) define(`QROUND', ` C x0 += x1, x3 ^= x0, x3 lrot 16 C x2 += x3, x1 ^= x2, x1 lrot 12 C x0 += x1, x3 ^= x0, x3 lrot 8 C x2 += x3, x1 ^= x2, x1 lrot 7 add $1.4s, $1.4s, $2.4s eor $4.16b, $4.16b, $1.16b rev32 $4.8h, $4.8h add $3.4s, $3.4s, $4.4s eor TMP.16b, $2.16b, $3.16b ushr $2.4s, TMP.4s, #20 sli $2.4s, TMP.4s, #12 add $1.4s, $1.4s, $2.4s eor $4.16b, $4.16b, $1.16b tbl $4.16b, {$4.16b}, ROT24.16b add $3.4s, $3.4s, $4.4s eor TMP.16b, $2.16b, $3.16b ushr $2.4s, TMP.4s, #25 sli $2.4s, TMP.4s, #7 ') .text C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_core) adr x3, .Lrot24 ld1 {ROT24.4s},[x3] ld1 {X0.4s,X1.4s,X2.4s,X3.4s}, [SRC] mov S0.16b, X0.16b mov S1.16b, X1.16b mov S2.16b, X2.16b mov S3.16b, X3.16b .Loop: QROUND(X0, X1, X2, X3) C Rotate rows, to get C 0 1 2 3 C 5 6 7 4 <<< 1 C 10 11 8 9 <<< 2 C 15 12 13 14 <<< 3 ext X1.16b, X1.16b, X1.16b, #4 ext X2.16b, X2.16b, X2.16b, #8 ext X3.16b, X3.16b, X3.16b, #12 QROUND(X0, X1, X2, X3) ext X1.16b, X1.16b, X1.16b, #12 ext X2.16b, X2.16b, X2.16b, #8 ext X3.16b, X3.16b, X3.16b, #4 subs ROUNDS, ROUNDS, #2 b.ne .Loop add X0.4s, X0.4s, S0.4s add X1.4s, X1.4s, S1.4s add X2.4s, X2.4s, S2.4s add X3.4s, X3.4s, S3.4s st1 {X0.16b,X1.16b,X2.16b,X3.16b}, [DST] ret EPILOGUE(_nettle_chacha_core) .align 4 .Lrot24: .long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f nettle-3.10/arm64/chacha-4core.asm0000644000175000017500000001522114633602172015635 0ustar nissenisseC arm64/chacha-4core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `x0') define(`SRC', `x1') define(`ROUNDS', `x2') C Working state C During the loop, used to save the original values for last 4 words C of each block. Also used as temporaries for transpose. define(`T0', `v0') define(`T1', `v1') define(`T2', `v2') define(`T3', `v3') define(`TMP0', `v4') define(`TMP1', `v5') define(`TMP2', `v6') define(`TMP3', `v7') define(`ROT24', `v8') C A workaround for expanding multiple digits of argument references to QR macro which is incompatible with POSIX C See https://www.gnu.org/software/m4/manual/html_node/Arguments.html define(`P1', `ifelse($1, 0, v16, $1, 1, v17, $1, 2, v18, $1, 3, v19, $1, 4, v20, $1, 5, v21, $1, 6, v22, $1, 7, v23, $1, 8, v24, $1, 9, v25, $1, 10, v26, $1, 11, v27, $1, 12, v28, $1, 13, v29, $1, 14, v30, $1, 15, v31)') define(`P2', `ifelse($1, 0, v16, $1, 1, v21, $1, 2, v26, $1, 3, v31, $1, 4, v20, $1, 5, v25, $1, 6, v30, $1, 7, v19, $1, 8, v24, $1, 9, v29, $1, 10, v18, $1, 11, v23, $1, 12, v28, $1, 13, v17, $1, 14, v22, $1, 15, v27)') C Main loop for round define(`QR',` add $1(0).4s, $1(0).4s, $1(1).4s add $1(4).4s, $1(4).4s, $1(5).4s add $1(8).4s, $1(8).4s, $1(9).4s add $1(12).4s, $1(12).4s, $1(13).4s eor $1(3).16b, $1(3).16b, $1(0).16b eor $1(7).16b, $1(7).16b, $1(4).16b eor $1(11).16b, $1(11).16b, $1(8).16b eor $1(15).16b, $1(15).16b, $1(12).16b rev32 $1(3).8h, $1(3).8h rev32 $1(7).8h, $1(7).8h rev32 $1(11).8h, $1(11).8h rev32 $1(15).8h, $1(15).8h add $1(2).4s, $1(2).4s, $1(3).4s add $1(6).4s, $1(6).4s, $1(7).4s add $1(10).4s, $1(10).4s, $1(11).4s add $1(14).4s, $1(14).4s, $1(15).4s eor TMP0.16b, $1(1).16b, $1(2).16b eor TMP1.16b, $1(5).16b, $1(6).16b eor TMP2.16b, $1(9).16b, $1(10).16b eor TMP3.16b, $1(13).16b, $1(14).16b ushr $1(1).4s, TMP0.4s, #20 ushr $1(5).4s, TMP1.4s, #20 ushr $1(9).4s, TMP2.4s, #20 ushr $1(13).4s, TMP3.4s, #20 sli $1(1).4s, TMP0.4s, #12 sli $1(5).4s, TMP1.4s, #12 sli $1(9).4s, TMP2.4s, #12 sli $1(13).4s, TMP3.4s, #12 add $1(0).4s, $1(0).4s, $1(1).4s add $1(4).4s, $1(4).4s, $1(5).4s add $1(8).4s, $1(8).4s, $1(9).4s add $1(12).4s, $1(12).4s, $1(13).4s eor $1(3).16b, $1(3).16b, $1(0).16b eor $1(7).16b, $1(7).16b, $1(4).16b eor $1(11).16b, $1(11).16b, $1(8).16b eor $1(15).16b, $1(15).16b, $1(12).16b tbl $1(3).16b, {$1(3).16b}, ROT24.16b tbl $1(7).16b, {$1(7).16b}, ROT24.16b tbl $1(11).16b, {$1(11).16b}, ROT24.16b tbl $1(15).16b, {$1(15).16b}, ROT24.16b add $1(2).4s, $1(2).4s, $1(3).4s add $1(6).4s, $1(6).4s, $1(7).4s add $1(10).4s, $1(10).4s, $1(11).4s add $1(14).4s, $1(14).4s, $1(15).4s eor TMP0.16b, $1(1).16b, $1(2).16b eor TMP1.16b, $1(5).16b, $1(6).16b eor TMP2.16b, $1(9).16b, $1(10).16b eor TMP3.16b, $1(13).16b, $1(14).16b ushr $1(1).4s, TMP0.4s, #25 ushr $1(5).4s, TMP1.4s, #25 ushr $1(9).4s, TMP2.4s, #25 ushr $1(13).4s, TMP3.4s, #25 sli $1(1).4s, TMP0.4s, #7 sli $1(5).4s, TMP1.4s, #7 sli $1(9).4s, TMP2.4s, #7 sli $1(13).4s, TMP3.4s, #7 ') define(`TRANSPOSE',` zip1 T0.4s, $1.4s, $3.4s C A0 A2 B0 B2 zip1 T1.4s, $2.4s, $4.4s C A1 A3 B1 B3 zip2 T2.4s, $1.4s, $3.4s C C0 C2 D0 D2 zip2 T3.4s, $2.4s, $4.4s C C1 C3 D1 D3 zip1 $1.4s, T0.4s, T1.4s C A0 A1 A2 A3 zip2 $2.4s, T0.4s, T1.4s C B0 B1 B2 B3 zip1 $3.4s, T2.4s, T3.4s C C0 C2 C1 C3 zip2 $4.4s, T2.4s, T3.4s C D0 D1 D2 D3 ') C _chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_4core) mov w3, #1 dup TMP2.4s, w3 C Apply counter carries .Lshared_entry: C Save callee-save registers fmov x3, d8 adr x4, .Lcnts ld1 {TMP3.4s,ROT24.4s},[x4] C Load state and splat ld1 {v16.4s,v17.4s,v18.4s,v19.4s}, [SRC] dup v20.4s, v16.s[1] dup v24.4s, v16.s[2] dup v28.4s, v16.s[3] dup v16.4s, v16.s[0] dup v21.4s, v17.s[1] dup v25.4s, v17.s[2] dup v29.4s, v17.s[3] dup v17.4s, v17.s[0] dup v22.4s, v18.s[1] dup v26.4s, v18.s[2] dup v30.4s, v18.s[3] dup v18.4s, v18.s[0] dup v23.4s, v19.s[1] dup v27.4s, v19.s[2] dup v31.4s, v19.s[3] dup v19.4s, v19.s[0] add v19.4s, v19.4s, TMP3.4s C low adds cmhi TMP1.4s, TMP3.4s, v19.4s C compute carry-out and TMP1.16b, TMP1.16b, TMP2.16b C discard carries for 32-bit counter variant add v23.4s, v23.4s, TMP1.4s C apply carries C Save all 4x4 of the last words. mov T0.16b, v19.16b mov T1.16b, v23.16b mov T2.16b, v27.16b mov T3.16b, v31.16b .Loop: QR(`P1') QR(`P2') subs ROUNDS, ROUNDS, #2 b.ne .Loop C Add in saved original words, including counters, before C transpose. add v19.4s, v19.4s, T0.4s add v23.4s, v23.4s, T1.4s add v27.4s, v27.4s, T2.4s add v31.4s, v31.4s, T3.4s TRANSPOSE(v16, v20,v24, v28) TRANSPOSE(v17, v21, v25, v29) TRANSPOSE(v18, v22, v26, v30) TRANSPOSE(v19, v23, v27, v31) ld1 {T0.4s,T1.4s,T2.4s}, [SRC] add v16.4s, v16.4s, T0.4s add v20.4s, v20.4s, T0.4s add v24.4s, v24.4s, T0.4s add v28.4s, v28.4s, T0.4s add v17.4s, v17.4s, T1.4s add v21.4s, v21.4s, T1.4s add v25.4s, v25.4s, T1.4s add v29.4s, v29.4s, T1.4s add v18.4s, v18.4s, T2.4s add v22.4s, v22.4s, T2.4s add v26.4s, v26.4s, T2.4s add v30.4s, v30.4s, T2.4s st1 {v16.16b,v17.16b,v18.16b,v19.16b}, [DST], #64 st1 {v20.16b,v21.16b,v22.16b,v23.16b}, [DST], #64 st1 {v24.16b,v25.16b,v26.16b,v27.16b}, [DST], #64 st1 {v28.16b,v29.16b,v30.16b,v31.16b}, [DST] C Restore callee-save registers fmov d8, x3 ret EPILOGUE(_nettle_chacha_4core) PROLOGUE(_nettle_chacha_4core32) eor TMP2.16b, TMP2.16b, TMP2.16b C Ignore counter carries b .Lshared_entry EPILOGUE(_nettle_chacha_4core32) .align 4 .Lcnts: .long 0,1,2,3 C increments .Lrot24: .long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f nettle-3.10/aclocal.m40000644000175000017500000003657114633602172013634 0ustar nissenissednl Choose cc flags for compiling position independent code AC_DEFUN([LSH_CCPIC], [AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_MSG_CHECKING(CCPIC) AC_CACHE_VAL(lsh_cv_sys_ccpic,[ if test -z "$CCPIC" ; then if test "$GCC" = yes ; then case "$host_os" in bsdi4.*) CCPIC="-fPIC" ;; bsdi*) CCPIC="" ;; darwin*) CCPIC="-fPIC" ;; freebsd*|netbsd*|openbsd*) CCPIC="-fPIC" ;; # Could also use -fpic, depending on the number of symbol references solaris*) CCPIC="-fPIC" ;; cygwin*) CCPIC="" ;; mingw32*) CCPIC="" ;; *) CCPIC="-fpic" ;; esac else case "$host_os" in darwin*) CCPIC="-fPIC" ;; irix*) CCPIC="-share" ;; hpux*) CCPIC="+z"; ;; freebsd*|netbsd*|openbsd*) CCPIC="-fPIC" ;; sco*|sysv4.*) CCPIC="-KPIC -dy -Bdynamic" ;; solaris*) CCPIC="-KPIC -Bdynamic" ;; winnt*) CCPIC="-shared" ;; *) CCPIC="" ;; esac fi fi OLD_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $CCPIC" AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[return 0;]])], [lsh_cv_sys_ccpic="$CCPIC"], [lsh_cv_sys_ccpic='']) CFLAGS="$OLD_CFLAGS" ]) CCPIC="$lsh_cv_sys_ccpic" AC_MSG_RESULT($CCPIC)]) dnl LSH_PATH_ADD(path-id, directory) AC_DEFUN([LSH_PATH_ADD], [AC_MSG_CHECKING($2) ac_exists=no if test -d "$2/." ; then ac_real_dir=`cd $2 && pwd` if test -n "$ac_real_dir" ; then ac_exists=yes for old in $1_REAL_DIRS ; do ac_found=no if test x$ac_real_dir = x$old ; then ac_found=yes; break; fi done if test $ac_found = yes ; then AC_MSG_RESULT(already added) else AC_MSG_RESULT(added) # LDFLAGS="$LDFLAGS -L $2" $1_REAL_DIRS="$ac_real_dir [$]$1_REAL_DIRS" $1_DIRS="$2 [$]$1_DIRS" fi fi fi if test $ac_exists = no ; then AC_MSG_RESULT(not found) fi ]) dnl LSH_RPATH_ADD(dir) AC_DEFUN([LSH_RPATH_ADD], [LSH_PATH_ADD(RPATH_CANDIDATE, $1)]) dnl LSH_RPATH_INIT(candidates) AC_DEFUN([LSH_RPATH_INIT], [AC_REQUIRE([AC_CANONICAL_HOST])dnl AC_MSG_CHECKING([for -R flag]) RPATHFLAG='' case "$host_os" in osf1*) RPATHFLAG="-rpath " ;; irix6.*|irix5.*) RPATHFLAG="-rpath " ;; solaris*) if test "$TCC" = "yes"; then # tcc doesn't know about -R RPATHFLAG="-Wl,-R," else RPATHFLAG=-R fi ;; linux*|freebsd*) RPATHFLAG="-Wl,-rpath," ;; *) RPATHFLAG="" ;; esac if test x$RPATHFLAG = x ; then AC_MSG_RESULT(none) else AC_MSG_RESULT([using $RPATHFLAG]) fi RPATH_CANDIDATE_REAL_DIRS='' RPATH_CANDIDATE_DIRS='' AC_MSG_RESULT([Searching for libraries]) for d in $1 ; do LSH_RPATH_ADD($d) done ]) dnl Try to execute a main program, and if it fails, try adding some dnl -R flag. dnl LSH_RPATH_FIX AC_DEFUN([LSH_RPATH_FIX], [if test $cross_compiling = no -a "x$RPATHFLAG" != x ; then ac_success=no AC_RUN_IFELSE([AC_LANG_SOURCE([[int main(int argc, char **argv) { return 0; }]])], [ac_success=yes], [ac_success=no], [:]) if test $ac_success = no ; then AC_MSG_CHECKING([Running simple test program failed. Trying -R flags]) dnl echo RPATH_CANDIDATE_DIRS = $RPATH_CANDIDATE_DIRS ac_remaining_dirs='' ac_rpath_save_LDFLAGS="$LDFLAGS" for d in $RPATH_CANDIDATE_DIRS ; do if test $ac_success = yes ; then ac_remaining_dirs="$ac_remaining_dirs $d" else LDFLAGS="$RPATHFLAG$d $LDFLAGS" dnl echo LDFLAGS = $LDFLAGS AC_RUN_IFELSE([AC_LANG_SOURCE([[int main(int argc, char **argv) { return 0; }]])], [ac_success=yes ac_rpath_save_LDFLAGS="$LDFLAGS" AC_MSG_RESULT([adding $RPATHFLAG$d]) ], [ac_remaining_dirs="$ac_remaining_dirs $d"], [:]) LDFLAGS="$ac_rpath_save_LDFLAGS" fi done RPATH_CANDIDATE_DIRS=$ac_remaining_dirs fi if test $ac_success = no ; then AC_MSG_RESULT(failed) fi fi ]) dnl LSH_GCC_ATTRIBUTES dnl Check for gcc's __attribute__ construction AC_DEFUN([LSH_GCC_ATTRIBUTES], [AC_CACHE_CHECK(for __attribute__, lsh_cv_c_attribute, [ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include static void foo(void) __attribute__ ((noreturn)); static void __attribute__ ((noreturn)) foo(void) { exit(1); } ]], [[]])], [lsh_cv_c_attribute=yes], [lsh_cv_c_attribute=no])]) AH_TEMPLATE([HAVE_GCC_ATTRIBUTE], [Define if the compiler understands __attribute__]) if test "x$lsh_cv_c_attribute" = "xyes"; then AC_DEFINE(HAVE_GCC_ATTRIBUTE) fi AH_BOTTOM( [#if __GNUC__ && HAVE_GCC_ATTRIBUTE # define NORETURN __attribute__ ((__noreturn__)) # define PRINTF_STYLE(f, a) __attribute__ ((__format__ (__printf__, f, a))) # define UNUSED __attribute__ ((__unused__)) #else # define NORETURN # define PRINTF_STYLE(f, a) # define UNUSED #endif ])]) # Check for alloca, and include the standard blurb in config.h AC_DEFUN([LSH_FUNC_ALLOCA], [AC_FUNC_ALLOCA AC_CHECK_HEADERS([malloc.h]) AH_BOTTOM( [/* AIX requires this to be the first thing in the file. */ #ifndef __GNUC__ # if HAVE_ALLOCA_H # include # else # ifdef _AIX #pragma alloca # else # ifndef alloca /* predefined by HP cc +Olibcalls */ char *alloca (); # endif # endif /* Needed for alloca on windows */ # if HAVE_MALLOC_H # include # endif # endif #else /* defined __GNUC__ */ # if HAVE_ALLOCA_H # include # else /* Needed for alloca on windows, also with gcc */ # if HAVE_MALLOC_H # include # endif # endif #endif ])]) dnl LSH_DEPENDENCY_TRACKING dnl Defines compiler flags DEP_FLAGS to generate dependency dnl information, and DEP_PROCESS that is any shell commands needed for dnl massaging the dependency information further. Dependencies are dnl generated as a side effect of compilation. Dependency files dnl themselves are not treated as targets. AC_DEFUN([LSH_DEPENDENCY_TRACKING], [AC_ARG_ENABLE(dependency_tracking, AS_HELP_STRING([--disable-dependency-tracking], [Disable dependency tracking. Dependency tracking doesn't work with BSD make]),, [enable_dependency_tracking=yes]) DEP_FLAGS='' DEP_PROCESS='true' if test x$enable_dependency_tracking = xyes ; then if test x$GCC = xyes ; then gcc_version=`gcc --version | head -1` case "$gcc_version" in 2.*|*[[!0-9.]]2.*) enable_dependency_tracking=no AC_MSG_WARN([Dependency tracking disabled, gcc-3.x is needed]) ;; *) DEP_FLAGS='-MT $[]@ -MD -MP -MF $[]@.d' DEP_PROCESS='true' ;; esac else enable_dependency_tracking=no AC_MSG_WARN([Dependency tracking disabled]) fi fi AC_SUBST([DEP_FLAGS]) AC_SUBST([DEP_PROCESS])]) dnl GMP_TRY_ASSEMBLE(asm-code,[action-success][,action-fail]) dnl ---------------------------------------------------------- dnl Attempt to assemble the given code. dnl Do "action-success" if this succeeds, "action-fail" if not. dnl dnl conftest.o and conftest.out are available for inspection in dnl "action-success". If either action does a "break" out of a loop then dnl an explicit "rm -f conftest*" will be necessary. dnl dnl This is not unlike AC_COMPILE_IFELSE, but there's no default includes or dnl anything in "asm-code", everything wanted must be given explicitly. AC_DEFUN([GMP_TRY_ASSEMBLE], [cat >conftest.s <&AS_MESSAGE_LOG_FD ifelse([$2],,:,[$2]) else cat conftest.out >&AS_MESSAGE_LOG_FD echo "configure: failed program was:" >&AS_MESSAGE_LOG_FD cat conftest.s >&AS_MESSAGE_LOG_FD ifelse([$3],,:,[$3]) fi rm -f conftest* ]) dnl GMP_PROG_CC_FOR_BUILD dnl --------------------- dnl Establish CC_FOR_BUILD, a C compiler for the build system. dnl dnl If CC_FOR_BUILD is set then it's expected to work, likewise the old dnl style HOST_CC, otherwise some likely candidates are tried, the same as dnl configfsf.guess. AC_DEFUN([GMP_PROG_CC_FOR_BUILD], [AC_REQUIRE([AC_PROG_CC]) if test -n "$CC_FOR_BUILD"; then GMP_PROG_CC_FOR_BUILD_WORKS($CC_FOR_BUILD,, [AC_MSG_ERROR([Specified CC_FOR_BUILD doesn't seem to work])]) elif test -n "$HOST_CC"; then GMP_PROG_CC_FOR_BUILD_WORKS($HOST_CC, [CC_FOR_BUILD=$HOST_CC], [AC_MSG_ERROR([Specified HOST_CC doesn't seem to work])]) else if test $cross_compiling = no ; then CC_FOR_BUILD="$CC" else for i in gcc cc c89 c99; do GMP_PROG_CC_FOR_BUILD_WORKS($i, [CC_FOR_BUILD=$i break]) done if test -z "$CC_FOR_BUILD"; then AC_MSG_ERROR([Cannot find a build system compiler]) fi fi if test "$CC_FOR_BUILD" = gcc ; then CC_FOR_BUILD="$CC_FOR_BUILD -O -g" fi fi AC_ARG_VAR(CC_FOR_BUILD,[build system C compiler]) AC_SUBST(CC_FOR_BUILD) ]) dnl GMP_PROG_CC_FOR_BUILD_WORKS(cc/cflags[,[action-if-good][,action-if-bad]]) dnl ------------------------------------------------------------------------- dnl See if the given cc/cflags works on the build system. dnl dnl It seems easiest to just use the default compiler output, rather than dnl figuring out the .exe or whatever at this stage. AC_DEFUN([GMP_PROG_CC_FOR_BUILD_WORKS], [AC_MSG_CHECKING([build system compiler $1]) # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&AS_MESSAGE_LOG_FD 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe AC_MSG_RESULT($cc_for_build_works) if test "$cc_for_build_works" = yes; then ifelse([$2],,:,[$2]) else ifelse([$3],,:,[$3]) fi ]) dnl GMP_PROG_EXEEXT_FOR_BUILD dnl ------------------------- dnl Determine EXEEXT_FOR_BUILD, the build system executable suffix. dnl dnl The idea is to find what "-o conftest$foo" will make it possible to run dnl the program with ./conftest. On Unix-like systems this is of course dnl nothing, for DOS it's ".exe", or for a strange RISC OS foreign file dnl system cross compile it can be ",ff8" apparently. Not sure if the dnl latter actually applies to a build-system executable, maybe it doesn't, dnl but it won't hurt to try. AC_DEFUN([GMP_PROG_EXEEXT_FOR_BUILD], [AC_REQUIRE([GMP_PROG_CC_FOR_BUILD]) AC_CACHE_CHECK([for build system executable suffix], gmp_cv_prog_exeext_for_build, [if test $cross_compiling = no ; then gmp_cv_prog_exeext_for_build="$EXEEXT" else cat >conftest.c <&AS_MESSAGE_LOG_FD; then gmp_cv_prog_exeext_for_build=$i break fi fi done rm -f conftest* if test "${gmp_cv_prog_exeext_for_build+set}" != set; then AC_MSG_ERROR([Cannot determine executable suffix]) fi fi ]) AC_SUBST(EXEEXT_FOR_BUILD,$gmp_cv_prog_exeext_for_build) ]) dnl NETTLE_CHECK_ARM_NEON dnl --------------------- dnl Check if ARM Neon instructions should be used. dnl Obeys enable_arm_neon, which should be set earlier. AC_DEFUN([NETTLE_CHECK_ARM_NEON], [if test "$enable_arm_neon" = auto ; then if test "$cross_compiling" = yes ; then dnl Check if compiler/assembler accepts it, dnl without an explicit .fpu neon directive. AC_CACHE_CHECK([if assembler accepts Neon instructions], nettle_cv_asm_arm_neon, [GMP_TRY_ASSEMBLE([ .text foo: vmlal.u32 q1, d0, d1 ], [nettle_cv_asm_arm_neon=yes], [nettle_cv_asm_arm_neon=no])]) enable_arm_neon="$nettle_cv_asm_arm_neon" else AC_MSG_CHECKING([if /proc/cpuinfo claims neon support]) if grep '^Features.*:.* neon' /proc/cpuinfo >/dev/null ; then enable_arm_neon=yes else enable_arm_neon=no fi AC_MSG_RESULT($enable_arm_neon) fi fi ]) dnl NETTLE_CHECK_IFUNC dnl ------------------ dnl Check if __attribute__ ((ifunc(...))) works AC_DEFUN([NETTLE_CHECK_IFUNC], [AC_REQUIRE([AC_PROG_CC]) AC_CACHE_CHECK([for ifunc support], nettle_cv_link_ifunc, [AC_LINK_IFELSE([AC_LANG_PROGRAM([ static int foo_imp(int x) { return 1; } typedef void void_func (void); static void_func * foo_resolv(void) { return (void_func *) foo_imp; } int foo (int x) __attribute__ ((ifunc("foo_resolv"))); ],[ return foo(0); ])], [nettle_cv_link_ifunc=yes], [nettle_cv_link_ifunc=no])]) AH_TEMPLATE([HAVE_LINK_IFUNC], [Define if compiler and linker supports __attribute__ ifunc]) if test "x$nettle_cv_link_ifunc" = xyes ; then AC_DEFINE(HAVE_LINK_IFUNC) fi ]) # ld-version-script.m4 serial 3 dnl Copyright (C) 2008-2014 Free Software Foundation, Inc. dnl This file is free software; the Free Software Foundation dnl gives unlimited permission to copy and/or distribute it, dnl with or without modifications, as long as this notice is preserved. dnl From Simon Josefsson # FIXME: The test below returns a false positive for mingw # cross-compiles, 'local:' statements does not reduce number of # exported symbols in a DLL. Use --disable-ld-version-script to work # around the problem. # gl_LD_VERSION_SCRIPT # -------------------- # Check if LD supports linker scripts, and define automake conditional # HAVE_LD_VERSION_SCRIPT if so. AC_DEFUN([LD_VERSION_SCRIPT], [ AC_ARG_ENABLE([ld-version-script], AS_HELP_STRING([--enable-ld-version-script], [enable linker version script (default is enabled when possible)]), [have_ld_version_script=$enableval], []) if test -z "$have_ld_version_script"; then AC_MSG_CHECKING([if LD -Wl,--version-script works]) save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" cat > conftest.map < conftest.map <&AS_MESSAGE_LOG_FD; then nettle_cv_prog_valgrind=yes else nettle_cv_prog_valgrind=no fi], [nettle_cv_prog_valgrind=no])]) if test "$nettle_cv_prog_valgrind" = yes ; then IF_VALGRIND='' else IF_VALGRIND='#' fi AC_SUBST(IF_VALGRIND) ]) nettle-3.10/shake256.c0000644000175000017500000000315014633602171013452 0ustar nissenisse/* shake256.c The SHAKE256 hash function, arbitrary length output. Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "sha3-internal.h" void sha3_256_shake (struct sha3_256_ctx *ctx, size_t length, uint8_t *dst) { _nettle_sha3_shake (&ctx->state, sizeof (ctx->block), ctx->block, ctx->index, length, dst); sha3_256_init (ctx); } void sha3_256_shake_output (struct sha3_256_ctx *ctx, size_t length, uint8_t *digest) { ctx->index = _nettle_sha3_shake_output (&ctx->state, sizeof (ctx->block), ctx->block, ctx->index, length, digest); } nettle-3.10/ecc-add-thh.c0000644000175000017500000000641414633602171014171 0ustar nissenisse/* ecc-add-thh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on an Edwards curve, in homogeneous coordinates */ void ecc_add_thh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define z2 (q + 2*ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#addition-add-2008-bbjlp): Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)(x2+y2) - C - D, mul C, D, T E = b*C*D 2 mul C, E, T (Replace C <-- D - C) A = z1*z2 mul A, C, E, T B = A^2 sqr A, B, C, E, T F = B - E A, B, C, E, F, T G = B + E A, C, F, G, T x3 = A*F*T 2 mul A, C, G y3 = A*G*(D+C) 2 mul F, G z3 = F*G mul 11M + S We have different sign for E, hence swapping F and G, because our ecc->b corresponds to -b above. */ #define T scratch #define E (scratch + 1*ecc->p.size) #define F E #define C (scratch + 2*ecc->p.size) #define D (scratch + 3*ecc->p.size) #define B D /* Use T as scratch, clobber E */ ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ ecc_mod_add (&ecc->p, x3, x1, y1); ecc_mod_add (&ecc->p, y3, x2, y2); ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ /* Can now use x3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); ecc_mod_add (&ecc->p, C, D, C); /* C, T, E */ ecc_mod_sub (&ecc->p, T, T, C); ecc_mod_mul (&ecc->p, B, z1, z2, x3); ecc_mod_mul (&ecc->p, T, T, B, x3); ecc_mod_mul (&ecc->p, C, C, B, x3); ecc_mod_sqr (&ecc->p, B, B, x3); ecc_mod_add (&ecc->p, x3, B, E); ecc_mod_sub (&ecc->p, F, B, E); /* C, T, F */ /* Can now use y3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, y3, C, F, y3); /* T G */ /* Can use C--D as scratch */ ecc_mod_mul (&ecc->p, z3, x3, F, C); /* T */ ecc_mod_mul (&ecc->p, x3, x3, T, C); } nettle-3.10/rsa-pkcs1-verify.c0000644000175000017500000000267014633602171015236 0ustar nissenisse/* rsa-pkcs1-sign.c PKCS#1 version 1.5 signatures. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "pkcs1.h" int rsa_pkcs1_verify(const struct rsa_public_key *key, size_t length, const uint8_t *digest_info, const mpz_t s) { int res; mpz_t m; mpz_init (m); res = (pkcs1_rsa_digest_encode (m, key->size, length, digest_info) && _rsa_verify (key, m, s)); mpz_clear(m); return res; } nettle-3.10/ccm.h0000644000175000017500000002305714633602172012702 0ustar nissenisse/* ccm.h Counter with CBC-MAC mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby Contributed to GNU Nettle by Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* NIST SP800-38C doesn't specify the particular formatting and * counter generation algorithm for CCM, but it does include an * example algorithm. This example has become the de-factor standard, * and has been adopted by both the IETF and IEEE across a wide * variety of protocols. */ #ifndef NETTLE_CCM_H_INCLUDED #define NETTLE_CCM_H_INCLUDED #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ccm_set_nonce nettle_ccm_set_nonce #define ccm_update nettle_ccm_update #define ccm_encrypt nettle_ccm_encrypt #define ccm_decrypt nettle_ccm_decrypt #define ccm_digest nettle_ccm_digest #define ccm_encrypt_message nettle_ccm_encrypt_message #define ccm_decrypt_message nettle_ccm_decrypt_message #define ccm_aes128_set_key nettle_ccm_aes128_set_key #define ccm_aes128_set_nonce nettle_ccm_aes128_set_nonce #define ccm_aes128_update nettle_ccm_aes128_update #define ccm_aes128_encrypt nettle_ccm_aes128_encrypt #define ccm_aes128_decrypt nettle_ccm_aes128_decrypt #define ccm_aes128_digest nettle_ccm_aes128_digest #define ccm_aes128_encrypt_message nettle_ccm_aes128_encrypt_message #define ccm_aes128_decrypt_message nettle_ccm_aes128_decrypt_message #define ccm_aes192_set_key nettle_ccm_aes192_set_key #define ccm_aes192_set_nonce nettle_ccm_aes192_set_nonce #define ccm_aes192_update nettle_ccm_aes192_update #define ccm_aes192_encrypt nettle_ccm_aes192_encrypt #define ccm_aes192_decrypt nettle_ccm_aes192_decrypt #define ccm_aes192_digest nettle_ccm_aes192_digest #define ccm_aes192_encrypt_message nettle_ccm_aes192_encrypt_message #define ccm_aes192_decrypt_message nettle_ccm_aes192_decrypt_message #define ccm_aes256_set_key nettle_ccm_aes256_set_key #define ccm_aes256_set_nonce nettle_ccm_aes256_set_nonce #define ccm_aes256_update nettle_ccm_aes256_update #define ccm_aes256_encrypt nettle_ccm_aes256_encrypt #define ccm_aes256_decrypt nettle_ccm_aes256_decrypt #define ccm_aes256_digest nettle_ccm_aes256_digest #define ccm_aes256_encrypt_message nettle_ccm_aes256_encrypt_message #define ccm_aes256_decrypt_message nettle_ccm_aes256_decrypt_message /* For CCM, the block size of the block cipher shall be 128 bits. */ #define CCM_BLOCK_SIZE 16 #define CCM_DIGEST_SIZE 16 #define CCM_MIN_NONCE_SIZE 7 #define CCM_MAX_NONCE_SIZE 14 /* Maximum cleartext message size, as a function of the nonce size N. The length field is L octets, with L = 15 - N, and then the maximum size M = 2^{8L} - 1. */ #define CCM_MAX_MSG_SIZE(N) \ ((sizeof(size_t) + (N) <= 15) \ ? ~(size_t) 0 \ : ((size_t) 1 << (8*(15 - N))) - 1) /* Per-message state */ struct ccm_ctx { union nettle_block16 ctr; /* Counter for CTR encryption. */ union nettle_block16 tag; /* CBC-MAC message tag. */ /* Length of data processed by the CBC-MAC modulus the block size */ unsigned int blength; }; /* * CCM mode requires the adata and message lengths when building the IV, which * prevents streaming processing and it incompatible with the AEAD API. */ void ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data); void ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest); /* * All-in-one encryption and decryption API: * tlength = sizeof(digest) * mlength = sizeof(cleartext) * clength = sizeof(ciphertext) = mlength + tlength * * The ciphertext will contain the encrypted payload with the message digest * appended to the end. */ void ccm_encrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); /* * The decryption function will write the plaintext to dst and parse the digest * from the final tlength bytes of the ciphertext. If the digest matched the * value computed during decryption then this will return 1, or it will return * 0 if the digest was invalid. */ int ccm_decrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); /* CCM Mode with AES-128 */ struct ccm_aes128_ctx { struct ccm_ctx ccm; struct aes128_ctx cipher; }; void ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key); void ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_aes128_update (struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data); void ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes128_digest(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *digest); /* FIXME: For next API/ABI break: first argument should be const struct aes128_ctx *, and similarly for other ccm_*_message functions below. */ void ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); struct ccm_aes192_ctx { struct ccm_ctx ccm; struct aes192_ctx cipher; }; /* CCM Mode with AES-192 */ void ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key); void ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_aes192_update(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data); void ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes192_digest(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *digest); void ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); /* CCM Mode with AES-256 */ struct ccm_aes256_ctx { struct ccm_ctx ccm; struct aes256_ctx cipher; }; void ccm_aes256_set_key(struct ccm_aes256_ctx *ctx, const uint8_t *key); void ccm_aes256_set_nonce(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen); void ccm_aes256_update(struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data); void ccm_aes256_encrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes256_decrypt(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void ccm_aes256_digest(struct ccm_aes256_ctx *ctx, size_t length, uint8_t *digest); void ccm_aes256_encrypt_message(struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src); int ccm_aes256_decrypt_message(struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CCM_H_INCLUDED */ nettle-3.10/nettle-meta-aeads.c0000644000175000017500000000266314633602171015424 0ustar nissenisse/* nettle-meta-aeads.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" const struct nettle_aead * const _nettle_aeads[] = { &nettle_gcm_aes128, &nettle_gcm_aes192, &nettle_gcm_aes256, &nettle_gcm_camellia128, &nettle_gcm_camellia256, &nettle_gcm_sm4, &nettle_eax_aes128, &nettle_chacha_poly1305, NULL }; const struct nettle_aead * const * nettle_get_aeads (void) { return _nettle_aeads; } nettle-3.10/ecc-curve25519.c0000644000175000017500000002110714633602171014406 0ustar nissenisse/* ecc-curve25519.c Arithmetic and tables for curve25519, Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-curve25519.h" #define PHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 255) #if HAVE_NATIVE_ecc_curve25519_modp #define ecc_curve25519_modp _nettle_ecc_curve25519_modp void ecc_curve25519_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #else #if PHIGH_BITS == 0 #error Unsupported limb size */ #endif static void ecc_curve25519_modp(const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t hi, cy; cy = mpn_addmul_1 (xp, xp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, (mp_limb_t) 19 << PHIGH_BITS); hi = xp[ECC_LIMB_SIZE-1]; cy = (cy << PHIGH_BITS) + (hi >> (GMP_NUMB_BITS - PHIGH_BITS)); rp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) + sec_add_1 (rp, xp, ECC_LIMB_SIZE - 1, 19 * cy); } #endif /* HAVE_NATIVE_ecc_curve25519_modp */ #define QHIGH_BITS (GMP_NUMB_BITS * ECC_LIMB_SIZE - 252) #if QHIGH_BITS == 0 #error Unsupported limb size */ #endif static void ecc_curve25519_modq (const struct ecc_modulo *q, mp_limb_t *rp, mp_limb_t *xp) { mp_size_t n; mp_limb_t cy; /* n is the offset where we add in the next term */ for (n = ECC_LIMB_SIZE; n-- > 0;) { cy = mpn_submul_1 (xp + n, q->B_shifted, ECC_LIMB_SIZE, xp[n + ECC_LIMB_SIZE]); /* Top limb of mBmodq_shifted is zero, so we get cy == 0 or 1 */ assert_maybe (cy < 2); mpn_cnd_add_n (cy, xp+n, xp+n, q->m, ECC_LIMB_SIZE); } cy = mpn_submul_1 (xp, q->m, ECC_LIMB_SIZE, xp[ECC_LIMB_SIZE-1] >> (GMP_NUMB_BITS - QHIGH_BITS)); assert_maybe (cy < 2); mpn_cnd_add_n (cy, rp, xp, q->m, ECC_LIMB_SIZE); } /* Computes a^{(p-5)/8} = a^{2^{252}-3} mod m. Needs 4 * n scratch space. */ static void ecc_mod_pow_252m3 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define a7 scratch #define t0 (scratch + ECC_LIMB_SIZE) #define tp (scratch + 2*ECC_LIMB_SIZE) /* a^{2^252 - 3} = a^{(p-5)/8}, using the addition chain 2^252 - 3 = 1 + (2^252-4) = 1 + 4 (2^250-1) = 1 + 4 (2^125+1)(2^125-1) = 1 + 4 (2^125+1)(1+2(2^124-1)) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^62-1)) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(2^31-1)) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^28-1))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^14-1))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(2^7-1))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^6-1)))) = 1 + 4 (2^125+1)(1+2(2^62+1)(2^31+1)(7+8(2^14+1)(2^7+1)(1+2(2^3+1)*7))) */ ecc_mod_pow_2kp1 (m, a7, ap, 1, tp); /* a^3 */ ecc_mod_sqr (m, a7, a7, tp); /* a^6 */ ecc_mod_mul (m, a7, a7, ap, tp); /* a^7 */ ecc_mod_pow_2kp1 (m, rp, a7, 3, tp); /* a^63 = a^{2^6-1} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^7-2} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^7-1} */ ecc_mod_pow_2kp1 (m, t0, rp, 7, tp); /* a^{2^14-1}*/ ecc_mod_pow_2kp1 (m, rp, t0, 14, tp); /* a^{2^28-1} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^29-2} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^30-4} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^31-8} */ ecc_mod_mul (m, rp, rp, a7, tp); /* a^{2^31-1} */ ecc_mod_pow_2kp1 (m, t0, rp, 31, tp); /* a^{2^62-1} */ ecc_mod_pow_2kp1 (m, rp, t0, 62, tp); /* a^{2^124-1}*/ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^125-2} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^125-1} */ ecc_mod_pow_2kp1 (m, t0, rp, 125, tp);/* a^{2^250-1} */ ecc_mod_sqr (m, rp, t0, tp); /* a^{2^251-2} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^252-4} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^252-3} */ #undef a7 #undef t0 #undef tp } /* Scratch as for ecc_mod_pow_252m3 above. */ #define ECC_25519_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_curve25519_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { /* Addition chain p - 2 = 2^{255} - 21 = 1 + 2 (1 + 4 (2^{252}-3)) */ ecc_mod_pow_252m3 (p, rp, ap, scratch); ecc_mod_sqr (p, rp, rp, scratch); ecc_mod_sqr (p, rp, rp, scratch); ecc_mod_mul (p, rp, ap, rp, scratch); ecc_mod_sqr (p, rp, rp, scratch); ecc_mod_mul (p, rp, ap, rp, scratch); } static int ecc_curve25519_zero_p (const struct ecc_modulo *p, mp_limb_t *xp) { /* First, reduce to < 2p. */ #if PHIGH_BITS > 0 mp_limb_t hi = xp[ECC_LIMB_SIZE-1]; xp[ECC_LIMB_SIZE-1] = (hi & (GMP_NUMB_MASK >> PHIGH_BITS)) + sec_add_1 (xp, xp, ECC_LIMB_SIZE - 1, 19 * (hi >> (GMP_NUMB_BITS - PHIGH_BITS))); #endif return ecc_mod_zero_p (p, xp); } /* Compute x such that x^2 = u/v (mod p). Returns one on success, zero on failure. We use the e = 2 special case of the Shanks-Tonelli algorithm (see http://www.math.vt.edu/people/brown/doc/sqrts.pdf, or Henri Cohen, Computational Algebraic Number Theory, 1.5.1). To avoid a separate inversion, we also use a trick of djb's, to compute the candidate root as x = (u/v)^{(p+3)/8} = u v^3 (u v^7)^{(p-5)/8}. */ #if ECC_SQRT_E != 2 #error Broken curve25519 parameters #endif /* Needs 2*n space + scratch for ecc_mod_pow_252m3. */ #define ECC_25519_SQRT_RATIO_ITCH (6*ECC_LIMB_SIZE) static int ecc_curve25519_sqrt_ratio(const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *up, const mp_limb_t *vp, mp_limb_t *scratch) { int pos, neg; #define uv3 scratch #define uv7 (scratch + ECC_LIMB_SIZE) #define v2 uv7 #define uv uv3 #define v4 uv7 #define scratch_out (scratch + 2 * ECC_LIMB_SIZE) #define x2 scratch #define vx2 (scratch + ECC_LIMB_SIZE) #define t0 (scratch + 2*ECC_LIMB_SIZE) /* Live values */ ecc_mod_sqr (p, v2, vp, scratch_out); /* v2 */ ecc_mod_mul (p, uv, up, vp, scratch_out); /* uv, v2 */ ecc_mod_mul (p, uv3, uv, v2, scratch_out); /* uv3, v2 */ ecc_mod_sqr (p, v4, v2, scratch_out); /* uv3, v4 */ ecc_mod_mul (p, uv7, uv3, v4, scratch_out); /* uv7 */ ecc_mod_pow_252m3 (p, rp, uv7, scratch_out); /* uv3, uv7p */ ecc_mod_mul (p, rp, rp, uv3, scratch_out); /* none */ /* Check sign. If square root exists, have v x^2 = ±u */ ecc_mod_sqr (p, x2, rp, t0); ecc_mod_mul (p, vx2, x2, vp, t0); ecc_mod_add (p, t0, vx2, up); neg = ecc_curve25519_zero_p (p, t0); ecc_mod_sub (p, t0, up, vx2); pos = ecc_curve25519_zero_p (p, t0); ecc_mod_mul (p, t0, rp, ecc_sqrt_z, t0); cnd_copy (neg, rp, t0, ECC_LIMB_SIZE); return pos | neg; #undef uv3 #undef uv7 #undef v2 #undef uv #undef v4 #undef scratch_out #undef x2 #undef vx2 #undef t0 } const struct ecc_curve _nettle_curve25519 = { { 255, ECC_LIMB_SIZE, ECC_BMODP_SIZE, 0, ECC_25519_INV_ITCH, 0, ECC_25519_SQRT_RATIO_ITCH, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, NULL, ecc_pp1h, ecc_curve25519_modp, ecc_curve25519_modp, ecc_curve25519_inv, NULL, ecc_curve25519_sqrt_ratio, }, { 253, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_mBmodq_shifted, /* Use q - 2^{252} instead. */ ecc_Bm2q, NULL, ecc_qp1h, ecc_curve25519_modq, ecc_curve25519_modq, ecc_mod_inv, NULL, NULL, }, 0, /* No redc */ ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_TH_ITCH (ECC_LIMB_SIZE), ECC_ADD_THH_ITCH (ECC_LIMB_SIZE), ECC_DUP_TH_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE), ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_25519_INV_ITCH), ecc_add_th, ecc_add_thh, ecc_dup_th, ecc_mul_a_eh, ecc_mul_g_eh, ecc_eh_to_a, ecc_b, /* Edwards curve constant. */ ecc_unit, ecc_table }; nettle-3.10/sec-sub-1.c0000644000175000017500000000256014633602171013625 0ustar nissenisse/* sec-sub-1.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" mp_limb_t sec_sub_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b) { mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t a; a = ap[i]; rp[i] = a - b; b = a < b; } return b; } nettle-3.10/rsa-sha256-sign.c0000644000175000017500000000340614633602171014657 0ustar nissenisse/* rsa-sha256-sign.c Signatures using RSA and SHA256. Copyright (C) 2001, 2003, 2006 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha256_sign(const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t s) { if (pkcs1_rsa_sha256_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_sha256_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_sha256_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.10/pgp.h0000644000175000017500000001430114633602172012716 0ustar nissenisse/* pgp.h PGP related functions. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PGP_H_INCLUDED #define NETTLE_PGP_H_INCLUDED #include #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define pgp_put_uint32 nettle_pgp_put_uint32 #define pgp_put_uint16 nettle_pgp_put_uint16 #define pgp_put_mpi nettle_pgp_put_mpi #define pgp_put_string nettle_pgp_put_string #define pgp_put_length nettle_pgp_put_length #define pgp_put_header nettle_pgp_put_header #define pgp_put_header_length nettle_pgp_put_header_length #define pgp_sub_packet_start nettle_pgp_sub_packet_start #define pgp_put_sub_packet nettle_pgp_put_sub_packet #define pgp_sub_packet_end nettle_pgp_sub_packet_end #define pgp_put_public_rsa_key nettle_pgp_put_public_rsa_key #define pgp_put_rsa_sha1_signature nettle_pgp_put_rsa_sha1_signature #define pgp_put_userid nettle_pgp_put_userid #define pgp_crc24 nettle_pgp_crc24 #define pgp_armor nettle_pgp_armor struct nettle_buffer; struct rsa_public_key; struct rsa_private_key; struct sha1_ctx; int pgp_put_uint32(struct nettle_buffer *buffer, uint32_t i); int pgp_put_uint16(struct nettle_buffer *buffer, unsigned i); int pgp_put_mpi(struct nettle_buffer *buffer, const mpz_t x); int pgp_put_string(struct nettle_buffer *buffer, unsigned length, const uint8_t *s); int pgp_put_length(struct nettle_buffer *buffer, unsigned length); int pgp_put_header(struct nettle_buffer *buffer, unsigned tag, unsigned length); void pgp_put_header_length(struct nettle_buffer *buffer, /* start of the header */ unsigned start, unsigned field_size); unsigned pgp_sub_packet_start(struct nettle_buffer *buffer); int pgp_put_sub_packet(struct nettle_buffer *buffer, unsigned type, unsigned length, const uint8_t *data); void pgp_sub_packet_end(struct nettle_buffer *buffer, unsigned start); int pgp_put_public_rsa_key(struct nettle_buffer *, const struct rsa_public_key *key, time_t timestamp); int pgp_put_rsa_sha1_signature(struct nettle_buffer *buffer, const struct rsa_private_key *key, const uint8_t *keyid, unsigned type, struct sha1_ctx *hash); int pgp_put_userid(struct nettle_buffer *buffer, unsigned length, const uint8_t *name); uint32_t pgp_crc24(unsigned length, const uint8_t *data); int pgp_armor(struct nettle_buffer *buffer, const char *tag, unsigned length, const uint8_t *data); /* Values that can be passed to pgp_put_header when the size of the * length field, but not the length itself, is known. Also the minimum length * for the given field size. */ enum pgp_lengths { PGP_LENGTH_ONE_OCTET = 0, PGP_LENGTH_TWO_OCTETS = 192, PGP_LENGTH_FOUR_OCTETS = 8384, }; enum pgp_public_key_algorithm { PGP_RSA = 1, PGP_RSA_ENCRYPT = 2, PGP_RSA_SIGN = 3, PGP_EL_GAMAL_ENCRYPT = 16, PGP_DSA = 17, PGP_EL_GAMAL = 20, }; enum pgp_symmetric_algorithm { PGP_PLAINTEXT = 0, PGP_IDEA = 1, PGP_3DES = 2, PGP_CAST5 = 3, PGP_BLOWFISH = 4, PGP_SAFER_SK = 5, PGP_AES128 = 7, PGP_AES192 = 8, PGP_AES256 = 9, }; enum pgp_compression_algorithm { PGP_UNCOMPRESSED = 0, PGP_ZIP = 1, PGP_ZLIB = 2, }; enum pgp_hash_algorithm { PGP_MD5 = 1, PGP_SHA1 = 2, PGP_RIPEMD = 3, PGP_MD2 = 5, PGP_TIGER192 = 6, PGP_HAVAL = 7, }; enum pgp_tag { PGP_TAG_PUBLIC_SESSION_KEY = 1, PGP_TAG_SIGNATURE = 2, PGP_TAG_SYMMETRIC_SESSION_KEY = 3, PGP_TAG_ONE_PASS_SIGNATURE = 4, PGP_TAG_SECRET_KEY = 5, PGP_TAG_PUBLIC_KEY = 6, PGP_TAG_SECRET_SUBKEY = 7, PGP_TAG_COMPRESSED = 8, PGP_TAG_ENCRYPTED = 9, PGP_TAG_MARKER = 10, PGP_TAG_LITERAL = 11, PGP_TAG_TRUST = 12, PGP_TAG_USERID = 13, PGP_TAG_PUBLIC_SUBKEY = 14, }; enum pgp_signature_type { PGP_SIGN_BINARY = 0, PGP_SIGN_TEXT = 1, PGP_SIGN_STANDALONE = 2, PGP_SIGN_CERTIFICATION = 0x10, PGP_SIGN_CERTIFICATION_PERSONA = 0x11, PGP_SIGN_CERTIFICATION_CASUAL = 0x12, PGP_SIGN_CERTIFICATION_POSITIVE = 0x13, PGP_SIGN_SUBKEY = 0x18, PGP_SIGN_KEY = 0x1f, PGP_SIGN_REVOCATION = 0x20, PGP_SIGN_REVOCATION_SUBKEY = 0x28, PGP_SIGN_REVOCATION_CERTIFICATE = 0x30, PGP_SIGN_TIMESTAMP = 0x40, }; enum pgp_subpacket_tag { PGP_SUBPACKET_CREATION_TIME = 2, PGP_SUBPACKET_SIGNATURE_EXPIRATION_TIME = 3, PGP_SUBPACKET_EXPORTABLE_CERTIFICATION = 4, PGP_SUBPACKET_TRUST_SIGNATURE = 5, PGP_SUBPACKET_REGULAR_EXPRESSION = 6, PGP_SUBPACKET_REVOCABLE = 7, PGP_SUBPACKET_KEY_EXPIRATION_TIME = 9, PGP_SUBPACKET_PLACEHOLDER = 10 , PGP_SUBPACKET_PREFERRED_SYMMETRIC_ALGORITHMS = 11, PGP_SUBPACKET_REVOCATION_KEY = 12, PGP_SUBPACKET_ISSUER_KEY_ID = 16, PGP_SUBPACKET_NOTATION_DATA = 20, PGP_SUBPACKET_PREFERRED_HASH_ALGORITHMS = 21, PGP_SUBPACKET_PREFERRED_COMPRESSION_ALGORITHMS = 22, PGP_SUBPACKET_KEY_SERVER_PREFERENCES = 23, PGP_SUBPACKET_PREFERRED_KEY_SERVER = 24, PGP_SUBPACKET_PRIMARY_USER_ID = 25, PGP_SUBPACKET_POLICY_URL = 26, PGP_SUBPACKET_KEY_FLAGS = 27, PGP_SUBPACKET_SIGNERS_USER_ID = 28, PGP_SUBPACKET_REASON_FOR_REVOCATION = 29, }; #ifdef __cplusplus } #endif #endif /* NETTLE_PGP_H_INCLUDED */ nettle-3.10/rsa-md5-sign-tr.c0000644000175000017500000000372314633602171014761 0ustar nissenisse/* rsa-md5-sign-tr.c Signatures using RSA and MD5. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_md5_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_md5_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_md5_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_md5_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.10/gmp-glue.c0000644000175000017500000001415014633602171013641 0ustar nissenisse/* gmp-glue.c Copyright (C) 2013 Niels Möller Copyright (C) 2013 Red Hat This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gmp-glue.h" #if NETTLE_USE_MINI_GMP mp_limb_t mpn_cnd_add_n (mp_limb_t cnd, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n) { mp_limb_t cy, mask; mp_size_t i; mask = -(mp_limb_t) (cnd != 0); for (i = 0, cy = 0; i < n; i++) { mp_limb_t rl = ap[i] + cy; mp_limb_t bl = bp[i] & mask; cy = (rl < cy); rl += bl; cy += (rl < bl); rp[i] = rl; } return cy; } mp_limb_t mpn_cnd_sub_n (mp_limb_t cnd, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n) { mp_limb_t cy, mask; mp_size_t i; mask = -(mp_limb_t) (cnd != 0); for (i = 0, cy = 0; i < n; i++) { mp_limb_t al = ap[i]; mp_limb_t bl = bp[i] & mask; mp_limb_t sl; sl = al - cy; cy = (al < cy) + (sl < bl); sl -= bl; rp[i] = sl; } return cy; } void mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n) { volatile mp_limb_t mask = - (mp_limb_t) (cnd != 0); mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t a, b, t; a = ap[i]; b = bp[i]; t = (a ^ b) & mask; ap[i] = a ^ t; bp[i] = b ^ t; } } /* Copy the k'th element of the table out tn elements, each of size rn. Always read complete table. Similar to gmp's mpn_tabselect. */ void mpn_sec_tabselect (volatile mp_limb_t *rp, volatile const mp_limb_t *table, mp_size_t rn, unsigned tn, unsigned k) { volatile const mp_limb_t *end = table + tn * rn; volatile const mp_limb_t *p; mp_size_t i; assert (k < tn); for (p = table; p < end; p += rn, k--) { mp_limb_t mask = - (mp_limb_t) (k == 0); for (i = 0; i < rn; i++) rp[i] = (~mask & rp[i]) | (mask & p[i]); } } #endif /* NETTLE_USE_MINI_GMP */ int sec_zero_p (const mp_limb_t *ap, mp_size_t n) { volatile mp_limb_t w; mp_size_t i; for (i = 0, w = 0; i < n; i++) w |= ap[i]; return is_zero_limb (w); } /* Additional convenience functions. */ void mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n) { mp_size_t xn = mpz_size (x); assert (xn <= n); mpn_copyi (xp, mpz_limbs_read (x), xn); if (xn < n) mpn_zero (xp + xn, n - xn); } void mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn) { mpn_copyi (mpz_limbs_write (r, xn), xp, xn); mpz_limbs_finish (r, xn); } void mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn) { size_t xi; mp_limb_t out; unsigned bits; for (xi = xn, out = bits = 0; xi > 0 && rn > 0; ) { mp_limb_t in = xp[--xi]; out |= (in << bits) & GMP_NUMB_MASK; bits += 8; if (bits >= GMP_NUMB_BITS) { *rp++ = out; rn--; bits -= GMP_NUMB_BITS; out = in >> (8 - bits); } } if (rn > 0) { *rp++ = out; if (--rn > 0) mpn_zero (rp, rn); } } void mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn) { size_t xi; mp_limb_t out; unsigned bits; for (xi = 0, out = bits = 0; xi < xn && rn > 0; ) { mp_limb_t in = xp[xi++]; out |= (in << bits) & GMP_NUMB_MASK; bits += 8; if (bits >= GMP_NUMB_BITS) { *rp++ = out; rn--; bits -= GMP_NUMB_BITS; out = in >> (8 - bits); } } if (rn > 0) { *rp++ = out; if (--rn > 0) mpn_zero (rp, rn); } } void mpn_get_base256 (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn) { unsigned bits; mp_limb_t in; for (bits = in = 0; xn > 0 && rn > 0; ) { if (bits >= 8) { rp[--rn] = in; in >>= 8; bits -= 8; } else { uint8_t old = in; in = *xp++; xn--; rp[--rn] = old | (in << bits); in >>= (8 - bits); bits += GMP_NUMB_BITS - 8; } } while (rn > 0) { rp[--rn] = in; in >>= 8; } } void mpn_get_base256_le (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn) { unsigned bits; mp_limb_t in; for (bits = in = 0; xn > 0 && rn > 0; ) { if (bits >= 8) { *rp++ = in; rn--; in >>= 8; bits -= 8; } else { uint8_t old = in; in = *xp++; xn--; *rp++ = old | (in << bits); rn--; in >>= (8 - bits); bits += GMP_NUMB_BITS - 8; } } while (rn > 0) { *rp++ = in; rn--; in >>= 8; } } mp_limb_t * gmp_alloc_limbs (mp_size_t n) { void *(*alloc_func)(size_t); assert (n > 0); mp_get_memory_functions (&alloc_func, NULL, NULL); return (mp_limb_t *) alloc_func ( (size_t) n * sizeof(mp_limb_t)); } void gmp_free_limbs (mp_limb_t *p, mp_size_t n) { void (*free_func)(void *, size_t); assert (n > 0); assert (p != 0); mp_get_memory_functions (NULL, NULL, &free_func); free_func (p, (size_t) n * sizeof(mp_limb_t)); } void * gmp_alloc(size_t n) { void *(*alloc_func)(size_t); assert (n > 0); mp_get_memory_functions(&alloc_func, NULL, NULL); return alloc_func (n); } void gmp_free(void *p, size_t n) { void (*free_func)(void *, size_t); assert (n > 0); assert (p != 0); mp_get_memory_functions (NULL, NULL, &free_func); free_func (p, (size_t) n); } nettle-3.10/realloc.h0000644000175000017500000000241714633602172013556 0ustar nissenisse/* realloc.h Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_REALLOC_H_INCLUDED #define NETTLE_REALLOC_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif nettle_realloc_func nettle_realloc; nettle_realloc_func nettle_xrealloc; #ifdef __cplusplus } #endif #endif /* NETTLE_REALLOC_H_INCLUDED */ nettle-3.10/ecc-scalar.c0000644000175000017500000000334714633602171014127 0ustar nissenisse/* ecc-scalar.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc) { s->ecc = ecc; s->p = gmp_alloc_limbs (ecc->p.size); } void ecc_scalar_clear (struct ecc_scalar *s) { gmp_free_limbs (s->p, s->ecc->p.size); } int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z) { mp_size_t size = s->ecc->p.size; mpz_t t; if (mpz_sgn (z) <= 0 || mpz_cmp (z, mpz_roinit_n(t, s->ecc->q.m, size)) >= 0) return 0; mpz_limbs_copy (s->p, z, size); return 1; } void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z) { mpz_set_n (z, s->p, s->ecc->p.size); } nettle-3.10/eddsa-decompress.c0000644000175000017500000000611614633602172015352 0ustar nissenisse/* eddsa-decompress.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "gmp-glue.h" mp_size_t _eddsa_decompress_itch (const struct ecc_curve *ecc) { return 4*ecc->p.size + ecc->p.sqrt_ratio_itch; } int _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, const uint8_t *cp, mp_limb_t *scratch) { mp_limb_t sign, cy; mp_size_t nlimbs; size_t nbytes; int res; #define xp p #define yp (p + ecc->p.size) #define y2 scratch #define vp (scratch + ecc->p.size) #define up scratch #define tp (scratch + 2*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size) nbytes = 1 + ecc->p.bit_size / 8; /* By RFC 8032, sign bit is always the most significant bit of the last byte. */ sign = cp[nbytes-1] >> 7; /* May need an extra limb. */ nlimbs = (nbytes * 8 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS; assert (nlimbs <= ecc->p.size + 1); mpn_set_base256_le (scratch, nlimbs, cp, nbytes); /* Clear out the sign bit */ scratch[nlimbs - 1] &= ((mp_limb_t) 1 << ((nbytes * 8 - 1) % GMP_NUMB_BITS)) - 1; mpn_copyi (yp, scratch, ecc->p.size); /* Check range. */ if (nlimbs > ecc->p.size) res = is_zero_limb (scratch[nlimbs - 1]); else res = 1; /* For a valid input, y < p, so subtraction should underflow. */ res &= mpn_sub_n (scratch, scratch, ecc->p.m, ecc->p.size); ecc_mod_sqr (&ecc->p, y2, yp, y2); ecc_mod_mul (&ecc->p, vp, y2, ecc->b, vp); ecc_mod_sub (&ecc->p, vp, vp, ecc->unit); /* The sign is different between curve25519 and curve448. */ if (ecc->p.bit_size == 255) ecc_mod_sub (&ecc->p, up, ecc->unit, y2); else ecc_mod_sub (&ecc->p, up, y2, ecc->unit); res &= ecc->p.sqrt_ratio (&ecc->p, tp, up, vp, scratch_out); cy = mpn_sub_n (xp, tp, ecc->p.m, ecc->p.size); cnd_copy (cy, xp, tp, ecc->p.size); sign ^= xp[0] & 1; mpn_sub_n (tp, ecc->p.m, xp, ecc->p.size); cnd_copy (sign, xp, tp, ecc->p.size); /* Fails if the square root is zero but (original) sign was 1 */ res &= mpn_sub_n (tp, xp, ecc->p.m, ecc->p.size); return res; } nettle-3.10/ecc-mul-g.c0000644000175000017500000000574414633602171013706 0ustar nissenisse/* ecc-mul-g.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch) { /* Scratch need determined by the ecc_add_jja call. Current total is 8 * ecc->p.size, at most 576 bytes. */ #define tp scratch #define scratch_out (scratch + 3*ecc->p.size) unsigned k, c; unsigned i, j; unsigned bit_rows; int is_zero; k = ecc->pippenger_k; c = ecc->pippenger_c; bit_rows = (ecc->p.bit_size + k - 1) / k; mpn_zero (r, 3*ecc->p.size); for (i = k, is_zero = 1; i-- > 0; ) { ecc_dup_jj (ecc, r, r, scratch); for (j = 0; j * c < bit_rows; j++) { unsigned bits; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned bit_index; int bits_is_zero; /* Extract c bits from n, stride k, starting at i + kcj, ending at i + k (cj + c - 1)*/ for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) { mp_size_t limb_index; unsigned shift; bit_index -= k; limb_index = bit_index / GMP_NUMB_BITS; if (limb_index >= ecc->p.size) continue; shift = bit_index % GMP_NUMB_BITS; bits = (bits << 1) | ((np[limb_index] >> shift) & 1); } mpn_sec_tabselect (tp, (ecc->pippenger_table + (2*ecc->p.size * (mp_size_t) j << c)), 2*ecc->p.size, 1<p.size); cnd_copy (is_zero, r + 2*ecc->p.size, ecc->unit, ecc->p.size); ecc_add_jja (ecc, tp, r, tp, scratch_out); bits_is_zero = IS_ZERO_SMALL (bits); /* Use the sum when valid. ecc_add_jja produced garbage if is_zero or bits_is_zero. */ cnd_copy (1 - (bits_is_zero | is_zero), r, tp, 3*ecc->p.size); is_zero &= bits_is_zero; } } #undef tp #undef scratch_out } nettle-3.10/ecc-dup-jj.c0000644000175000017500000000646614633602171014060 0ustar nissenisse/* ecc-dup-jj.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* NOTE: Behaviour for corner cases: + p = 0 ==> r = 0, correct! */ void ecc_dup_jj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 r #define y2 (r + ecc->p.size) #define z2 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b): Computation Operation Live variables delta = z^2 sqr delta gamma = y^2 sqr delta, gamma z' = (y+z)^2-gamma-delta sqr delta, gamma alpha = 3*(x-delta)*(x+delta) mul gamma, beta, alpha beta = x*gamma mul gamma, beta, alpha x' = alpha^2-8*beta sqr gamma, beta, alpha y' = alpha*(4*beta-x')-8*gamma^2 mul, sqr */ #define gamma scratch #define delta (scratch + ecc->p.size) #define alpha delta #define beta (scratch + 2*ecc->p.size) #define sum (scratch + 3*ecc->p.size) ecc_mod_sqr (&ecc->p, gamma, y1, gamma); /* x, y, z, gamma */ ecc_mod_sqr (&ecc->p, delta, z1, delta); /* x, y, z, gamma, delta */ ecc_mod_add (&ecc->p, sum, z1, y1); /* x, gamma, delta, s */ ecc_mod_sqr (&ecc->p, sum, sum, y2); /* Can use y-z as scratch */ ecc_mod_sub (&ecc->p, z2, sum, delta); /* x, z, gamma, delta */ ecc_mod_sub (&ecc->p, z2, z2, gamma); ecc_mod_mul (&ecc->p, beta, x1, gamma, beta); /* x, z, gamma, delta, beta */ ecc_mod_add (&ecc->p, sum, x1, delta); /* x, sum, z', gamma, delta, beta */ ecc_mod_sub (&ecc->p, delta, x1, delta); /* sum, z', gamma, delta, beta */ /* This multiplication peaks the storage need; can use x-y for scratch. */ ecc_mod_mul (&ecc->p, alpha, sum, delta, x2); /* z', gamma, alpha, beta */ ecc_mod_mul_1 (&ecc->p, alpha, alpha, 3); ecc_mod_mul_1 (&ecc->p, y2, beta, 4); /* From now on, can use beta as scratch. */ ecc_mod_sqr (&ecc->p, x2, alpha, beta); /* alpha^2 */ ecc_mod_submul_1 (&ecc->p, x2, y2, 2); /* alpha^2 - 8 beta */ ecc_mod_sub (&ecc->p, y2, y2, x2); /* 4 beta - x' */ ecc_mod_mul (&ecc->p, y2, y2, alpha, beta); ecc_mod_sqr (&ecc->p, gamma, gamma, beta); ecc_mod_submul_1 (&ecc->p, y2, gamma, 8); } nettle-3.10/examples/0000755000175000017500000000000014633602172013576 5ustar nissenissenettle-3.10/examples/rsa-encrypt-test0000755000175000017500000000072114633602172016750 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi data="$srcdir/nettle-benchmark.c" if [ -x rsa-encrypt$EXEEXT ] ; then if $EMULATOR ./rsa-encrypt$EXEEXT -r rsa-decrypt$EXEEXT testkey.pub < "$data" > testciphertext ; then : else exit 1 fi if $EMULATOR ./rsa-decrypt$EXEEXT testkey < testciphertext > testcleartext ; then : else exit 1 fi if cmp "$data" testcleartext ; then exit 0 else exit 1 fi else exit 77 fi nettle-3.10/examples/teardown-env0000755000175000017500000000017614633602172016141 0ustar nissenisse#! /bin/sh rm -rf testkey testkey.pub testsignature testsignature2 \ testdata testtmp \ testciphertext testcleartext nettle-3.10/examples/setup-env0000755000175000017500000000020514633602172015447 0ustar nissenisse#! /bin/sh set -e if [ -x rsa-keygen$EXEEXT ] ; then $EMULATOR ./rsa-keygen$EXEEXT -r rsa-decrypt$EXEEXT -o testkey || exit 1 fi nettle-3.10/examples/rsa-session.h0000644000175000017500000000327314633602172016222 0ustar nissenisse/* Session key definitions for the rsa-encrypt and rsa-decrypt programs. */ #ifndef NETTLE_EXAMPLES_RSA_SESSION_H_INCLUDED #define NETTLE_EXAMPLES_RSA_SESSION_H_INCLUDED #include "aes.h" #include "cbc.h" #include "hmac.h" #define RSA_VERSION 1 /* Encryption program using the following file format: uint32_t version = 1; uint32_t nsize; uint8_t x[nsize]; uint8_t encrypted[n]; uint8_t hmac[SHA1_DIGEST_SIZE]; where x is the data uint32_t version = 1; uint8_t aes_key[AES_KEY_SIZE]; uint8_t iv[AES_BLOCK_SIZE]; uint8_t hmac_key[SHA1_DIGEST_SIZE]; of size (4 + AES256_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE) = 72 bytes, encrypted using rsa-pkcs1. The cleartext input is encrypted using aes256-cbc. The final block is padded as | data | random octets | padding length | where the last octet is the padding length, a number between 1 and AES_BLOCK_SIZE (inclusive). */ struct rsa_session { struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; struct hmac_sha1_ctx hmac; struct yarrow256_ctx yarrow; }; struct rsa_session_info { /* Version followed by aes key, iv and mac key */ uint8_t key[4 + AES256_KEY_SIZE + AES_BLOCK_SIZE + SHA1_DIGEST_SIZE]; }; #define SESSION_VERSION(s) ((s)->key) #define SESSION_AES_KEY(s) ((s)->key + 4) #define SESSION_IV(s) ((s)->key + 4 + AES256_KEY_SIZE) #define SESSION_HMAC_KEY(s) ((s)->key + 4 + AES256_KEY_SIZE + AES_BLOCK_SIZE) void rsa_session_set_encrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key); void rsa_session_set_decrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key); #endif /* NETTLE_EXAMPLES_RSA_SESSION_H_INCLUDED */ nettle-3.10/examples/rsa-keygen.c0000644000175000017500000001107514633602172016013 0ustar nissenisse/* rsa-keygen.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include "buffer.h" #include "rsa.h" #include "sexp.h" #include "yarrow.h" #include "io.h" #include "getopt.h" #define DEFAULT_KEYSIZE 2048 #define ESIZE 30 static void progress(void *ctx, int c) { (void) ctx; fputc(c, stderr); } static unsigned long uint_arg (char c, const char *arg) { unsigned long val; char *end; val = strtoul(arg, &end, 0); if (*arg == '\0' || *end != '\0') { werror ("Invalid integer argument for -%c option.\n", c); exit (EXIT_FAILURE); } return val; } int main(int argc, char **argv) { struct yarrow256_ctx yarrow; struct rsa_public_key pub; struct rsa_private_key priv; int c; char *pub_name = NULL; const char *priv_name = NULL; const char *random_name = NULL; struct nettle_buffer pub_buffer; struct nettle_buffer priv_buffer; unsigned long key_size = DEFAULT_KEYSIZE; unsigned long key_e = 0; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "random", required_argument, NULL, 'r' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "o:r:e:s:", options, NULL)) != -1) switch (c) { case 'o': priv_name = optarg; break; case 'r': random_name = optarg; break; case 's': key_size = uint_arg ('s', optarg); break; case 'e': key_e = uint_arg ('e', optarg); break; case OPT_HELP: printf("FIXME: Usage information.\n"); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; default: abort(); } if (!priv_name) { werror("No filename provided.\n"); return EXIT_FAILURE; } pub_name = xalloc(strlen(priv_name) + 5); sprintf(pub_name, "%s.pub", priv_name); /* NOTE: No sources */ yarrow256_init(&yarrow, 0, NULL); /* Read some data to seed the generator */ if (!simple_random(&yarrow, random_name)) { werror("Initialization of randomness generator failed.\n"); return EXIT_FAILURE; } rsa_public_key_init(&pub); rsa_private_key_init(&priv); if (key_e) mpz_set_ui (pub.e, key_e); if (!rsa_generate_keypair (&pub, &priv, (void *) &yarrow, (nettle_random_func *) yarrow256_random, NULL, progress, key_size, key_e == 0 ? ESIZE : 0)) { werror("Key generation failed.\n"); return EXIT_FAILURE; } nettle_buffer_init(&priv_buffer); nettle_buffer_init(&pub_buffer); if (!rsa_keypair_to_sexp(&pub_buffer, "rsa-pkcs1-sha1", &pub, NULL)) { werror("Formatting public key failed.\n"); return EXIT_FAILURE; } if (!rsa_keypair_to_sexp(&priv_buffer, "rsa-pkcs1-sha1", &pub, &priv)) { werror("Formatting private key failed.\n"); return EXIT_FAILURE; } if (!write_file(pub_name, pub_buffer.size, pub_buffer.contents)) { werror("Failed to write public key: %s\n", strerror(errno)); return EXIT_FAILURE; } /* NOTE: This doesn't set up paranoid access restrictions on the * private key file, like a serious key generation tool would do. */ if (!write_file(priv_name, priv_buffer.size, priv_buffer.contents)) { werror("Failed to write private key: %s\n", strerror(errno)); return EXIT_FAILURE; } nettle_buffer_clear(&priv_buffer); nettle_buffer_clear(&pub_buffer); rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); free (pub_name); return EXIT_SUCCESS; } nettle-3.10/examples/rsa-sign.c0000644000175000017500000000405414633602172015470 0ustar nissenisse/* rsa-sign.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include /* string.h must be included before gmp.h */ #include "rsa.h" #include "io.h" int main(int argc, char **argv) { struct rsa_private_key key; struct sha1_ctx hash; mpz_t s; if (argc != 2) { werror("Usage: rsa-sign PRIVATE-KEY < file\n"); return EXIT_FAILURE; } rsa_private_key_init(&key); if (!read_rsa_key(argv[1], NULL, &key)) { werror("Invalid key\n"); return EXIT_FAILURE; } sha1_init(&hash); if (!hash_file(&nettle_sha1, &hash, stdin)) { werror("Failed reading stdin: %s\n", strerror(errno)); return 0; } mpz_init(s); if (!rsa_sha1_sign(&key, &hash, s)) { werror("RSA key too small\n"); return 0; } if (!mpz_out_str(stdout, 16, s)) { werror("Failed writing signature: %s\n", strerror(errno)); return 0; } putchar('\n'); mpz_clear(s); rsa_private_key_clear(&key); return EXIT_SUCCESS; } nettle-3.10/examples/ecc-benchmark.c0000644000175000017500000001744114633602172016433 0ustar nissenisse/* ecc-benchmark.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #include "timing.h" #include "../ecc.h" #include "../ecc-internal.h" #include "../gmp-glue.h" #define BENCH_INTERVAL 0.1 static void * xalloc (size_t size) { void *p = malloc (size); if (!p) { fprintf (stderr, "Virtual memory exhausted\n"); abort (); } return p; } static mp_limb_t * xalloc_limbs (mp_size_t size) { return xalloc (size * sizeof(mp_limb_t)); } /* Returns second per function call */ static double time_function(void (*f)(void *arg), void *arg) { unsigned ncalls; double elapsed; /* Warm up */ f(arg); for (ncalls = 10 ;;) { unsigned i; time_start(); for (i = 0; i < ncalls; i++) f(arg); elapsed = time_end(); if (elapsed > BENCH_INTERVAL) break; else if (elapsed < BENCH_INTERVAL / 10) ncalls *= 10; else ncalls *= 2; } return elapsed / ncalls; } #if !NETTLE_USE_MINI_GMP static int modinv_gcd (const struct ecc_curve *ecc, mp_limb_t *rp, mp_limb_t *ap, mp_limb_t *tp) { mp_size_t size = ecc->p.size; mp_limb_t *up = tp; mp_limb_t *vp = tp + size+1; mp_limb_t *gp = tp + 2*(size+1); mp_limb_t *sp = tp + 3*(size+1); mp_size_t gn, sn; mpn_copyi (up, ap, size); mpn_copyi (vp, ecc->p.m, size); gn = mpn_gcdext (gp, sp, &sn, up, size, vp, size); if (gn != 1 || gp[0] != 1) return 0; if (sn < 0) mpn_sub (sp, ecc->p.m, size, sp, -sn); else if (sn < size) /* Zero-pad. */ mpn_zero (sp + sn, size - sn); mpn_copyi (rp, sp, size); return 1; } #endif struct ecc_ctx { const struct ecc_curve *ecc; mp_limb_t *rp; mp_limb_t *ap; mp_limb_t *bp; mp_limb_t *tp; }; static void bench_modp (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); ctx->ecc->p.mod (&ctx->ecc->p, ctx->rp, ctx->rp); } static void bench_reduce (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); ctx->ecc->p.reduce (&ctx->ecc->p, ctx->rp, ctx->rp); } static void bench_modq (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp, ctx->ap, 2*ctx->ecc->p.size); ctx->ecc->q.mod(&ctx->ecc->q, ctx->rp, ctx->rp); } static void bench_pinv (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->p.invert (&ctx->ecc->p, ctx->rp, ctx->ap, ctx->tp); } static void bench_qinv (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->q.invert (&ctx->ecc->p, ctx->rp, ctx->ap, ctx->tp); } #if !NETTLE_USE_MINI_GMP static void bench_modinv_gcd (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; mpn_copyi (ctx->rp + ctx->ecc->p.size, ctx->ap, ctx->ecc->p.size); modinv_gcd (ctx->ecc, ctx->rp, ctx->rp + ctx->ecc->p.size, ctx->tp); } #endif #ifdef mpn_sec_powm static void bench_modinv_powm (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; const struct ecc_curve *ecc = ctx->ecc; mp_size_t size = ecc->p.size; mpn_sub_1 (ctx->rp + size, ecc->p.m, size, 2); mpn_sec_powm (ctx->rp, ctx->ap, size, ctx->rp + size, ecc->p.bit_size, ecc->p.m, size, ctx->tp); } #endif static void bench_dup_hh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->dup (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); } static void bench_add_hh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->add_hh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void bench_add_hhh (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->add_hhh (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } static void bench_mul_g (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->mul_g (ctx->ecc, ctx->rp, ctx->ap, ctx->tp); } static void bench_mul_a (void *p) { struct ecc_ctx *ctx = (struct ecc_ctx *) p; ctx->ecc->mul (ctx->ecc, ctx->rp, ctx->ap, ctx->bp, ctx->tp); } #if NETTLE_USE_MINI_GMP static void mpn_random (mp_limb_t *xp, mp_size_t n) { mp_size_t i; for (i = 0; i < n; i++) xp[i] = rand(); } #endif static void bench_curve (const struct ecc_curve *ecc) { struct ecc_ctx ctx; double modp, reduce, modq, pinv, qinv, modinv_gcd, modinv_powm, dup_hh, add_hh, add_hhh, mul_g, mul_a; mp_limb_t mask; mp_size_t itch; ctx.ecc = ecc; ctx.rp = xalloc_limbs (3*ecc->p.size); ctx.ap = xalloc_limbs (3*ecc->p.size); ctx.bp = xalloc_limbs (3*ecc->p.size); itch = ecc->mul_itch; #ifdef mpn_sec_powm { mp_size_t powm_itch = mpn_sec_powm_itch (ecc->p.size, ecc->p.bit_size, ecc->p.size); if (powm_itch > itch) itch = powm_itch; } #endif ctx.tp = xalloc_limbs (itch); mpn_random (ctx.ap, 3*ecc->p.size); mpn_random (ctx.bp, 3*ecc->p.size); mask = (~(mp_limb_t) 0) >> (ecc->p.size * GMP_NUMB_BITS - ecc->p.bit_size); ctx.ap[ecc->p.size - 1] &= mask; ctx.ap[2*ecc->p.size - 1] &= mask; ctx.ap[3*ecc->p.size - 1] &= mask; ctx.bp[ecc->p.size - 1] &= mask; ctx.bp[2*ecc->p.size - 1] &= mask; ctx.bp[3*ecc->p.size - 1] &= mask; modp = time_function (bench_modp, &ctx); reduce = time_function (bench_reduce, &ctx); modq = time_function (bench_modq, &ctx); pinv = time_function (bench_pinv, &ctx); qinv = time_function (bench_qinv, &ctx); #if !NETTLE_USE_MINI_GMP modinv_gcd = time_function (bench_modinv_gcd, &ctx); #else modinv_gcd = 0; #endif #ifdef mpn_sec_powm modinv_powm = time_function (bench_modinv_powm, &ctx); #else modinv_powm = 0; #endif dup_hh = time_function (bench_dup_hh, &ctx); add_hh = time_function (bench_add_hh, &ctx); add_hhh = time_function (bench_add_hhh, &ctx); mul_g = time_function (bench_mul_g, &ctx); mul_a = time_function (bench_mul_a, &ctx); free (ctx.rp); free (ctx.ap); free (ctx.bp); free (ctx.tp); printf ("%4d %6.4f %6.4f %6.4f %6.2f %6.2f %6.3f %6.2f %6.3f %6.3f %6.3f %6.1f %6.1f\n", ecc->p.bit_size, 1e6 * modp, 1e6 * reduce, 1e6 * modq, 1e6 * pinv, 1e6 * qinv, 1e6 * modinv_gcd, 1e6 * modinv_powm, 1e6 * dup_hh, 1e6 * add_hh, 1e6 * add_hhh, 1e6 * mul_g, 1e6 * mul_a); } const struct ecc_curve * const curves[] = { &_nettle_secp_192r1, &_nettle_secp_224r1, &_nettle_curve25519, &_nettle_secp_256r1, &_nettle_secp_384r1, &_nettle_curve448, &_nettle_secp_521r1, &_nettle_gost_gc256b, &_nettle_gost_gc512a, }; #define numberof(x) (sizeof (x) / sizeof ((x)[0])) int main (int argc UNUSED, char **argv UNUSED) { unsigned i; time_init(); printf ("%4s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s %6s (us)\n", "size", "modp", "reduce", "modq", "pinv", "qinv", "mi_gcd", "mi_pow", "dup_hh", "add_hh", "ad_hhh", "mul_g", "mul_a"); for (i = 0; i < numberof (curves); i++) bench_curve (curves[i]); return EXIT_SUCCESS; } nettle-3.10/examples/Makefile.in0000644000175000017500000001116514633602172015647 0ustar nissenisse@SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ include ../config.make PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. OPENSSL_LIBFLAGS = @OPENSSL_LIBFLAGS@ BENCH_LIBS = @BENCH_LIBS@ -lm HOGWEED_TARGETS = rsa-keygen$(EXEEXT) rsa-sign$(EXEEXT) \ rsa-verify$(EXEEXT) rsa-encrypt$(EXEEXT) rsa-decrypt$(EXEEXT) \ random-prime$(EXEEXT) \ hogweed-benchmark$(EXEEXT) ecc-benchmark$(EXEEXT) ENC_TARGETS = base16enc$(EXEEXT) base16dec$(EXEEXT) \ base64enc$(EXEEXT) base64dec$(EXEEXT) TARGETS = nettle-benchmark$(EXEEXT) \ $(ENC_TARGETS) @IF_HOGWEED@ $(HOGWEED_TARGETS) SOURCES = nettle-benchmark.c hogweed-benchmark.c ecc-benchmark.c \ random-prime.c \ nettle-openssl.c \ io.c read_rsa_key.c \ rsa-encrypt.c rsa-decrypt.c rsa-keygen.c rsa-sign.c rsa-verify.c \ base16enc.c base16dec.c base64enc.c base64dec.c timing.c GETOPT_OBJS = ../getopt.$(OBJEXT) ../getopt1.$(OBJEXT) TS_ALL = rsa-sign-test rsa-verify-test rsa-encrypt-test DISTFILES= $(SOURCES) Makefile.in $(TS_ALL) setup-env teardown-env \ io.h rsa-session.h timing.h all: $(TARGETS) %.$(OBJEXT): %.c $(COMPILE) -c $< && $(DEP_PROCESS) # NOTE: If we required GNU make, we could use a single rule with $(@F) # or $(notdir $@) ../getopt.$(OBJEXT): ( cd .. && $(MAKE) getopt.$(OBJEXT)) ../getopt1.$(OBJEXT): ( cd .. && $(MAKE) getopt1.$(OBJEXT)) ../non-nettle.$(OBJEXT): ( cd .. && $(MAKE) non-nettle.$(OBJEXT)) # For Solaris and BSD make, we have to use an explicit rule for each executable random-prime$(EXEEXT): random-prime.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) $(LINK) random-prime.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o random-prime$(EXEEXT) rsa-keygen$(EXEEXT): rsa-keygen.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) $(LINK) rsa-keygen.$(OBJEXT) io.$(OBJEXT) $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o rsa-keygen$(EXEEXT) rsa-sign$(EXEEXT): rsa-sign.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(LINK) rsa-sign.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ -lhogweed -lnettle $(LIBS) -o rsa-sign$(EXEEXT) rsa-verify$(EXEEXT): rsa-verify.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(LINK) rsa-verify.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ -lhogweed -lnettle $(LIBS) -o rsa-verify$(EXEEXT) rsa-encrypt$(EXEEXT): rsa-encrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(GETOPT_OBJS) $(LINK) rsa-encrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ $(GETOPT_OBJS) \ -lhogweed -lnettle $(LIBS) -o rsa-encrypt$(EXEEXT) rsa-decrypt$(EXEEXT): rsa-decrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) $(LINK) rsa-decrypt.$(OBJEXT) io.$(OBJEXT) read_rsa_key.$(OBJEXT) \ -lhogweed -lnettle $(LIBS) -o rsa-decrypt$(EXEEXT) base16enc$(EXEEXT): base16enc.$(OBJEXT) io.$(OBJEXT) $(LINK) base16enc.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base16enc$(EXEEXT) base16dec$(EXEEXT): base16dec.$(OBJEXT) io.$(OBJEXT) $(LINK) base16dec.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base16dec$(EXEEXT) base64enc$(EXEEXT): base64enc.$(OBJEXT) io.$(OBJEXT) $(LINK) base64enc.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base64enc$(EXEEXT) base64dec$(EXEEXT): base64dec.$(OBJEXT) io.$(OBJEXT) $(LINK) base64dec.$(OBJEXT) io.$(OBJEXT) \ -lnettle $(LIBS) -o base64dec$(EXEEXT) BENCH_OBJS = nettle-benchmark.$(OBJEXT) nettle-openssl.$(OBJEXT) \ $(GETOPT_OBJS) ../non-nettle.$(OBJEXT) timing.$(OBJEXT) nettle-benchmark$(EXEEXT): $(BENCH_OBJS) $(LINK) $(BENCH_OBJS) -lnettle $(BENCH_LIBS) $(OPENSSL_LIBFLAGS) -o nettle-benchmark$(EXEEXT) ECC_BENCH_OBJS = ecc-benchmark.$(OBJEXT) timing.$(OBJEXT) ecc-benchmark$(EXEEXT): $(ECC_BENCH_OBJS) $(LINK) $(ECC_BENCH_OBJS) -lhogweed -lnettle $(BENCH_LIBS) $(LIBS) \ -o ecc-benchmark$(EXEEXT) HOGWEED_BENCH_OBJS = hogweed-benchmark.$(OBJEXT) timing.$(OBJEXT) hogweed-benchmark$(EXEEXT): $(HOGWEED_BENCH_OBJS) $(LINK) $(HOGWEED_BENCH_OBJS) \ -lhogweed -lnettle $(BENCH_LIBS) $(LIBS) $(OPENSSL_LIBFLAGS) \ -o hogweed-benchmark$(EXEEXT) $(TARGETS) : io.$(OBJEXT) ../libnettle.stamp $(HOGWEED_TARGETS): ../libhogweed.stamp check: $(TS_ALL) TEST_SHLIB_DIR="$(TEST_SHLIB_DIR)" \ srcdir="$(srcdir)" EMULATOR="$(EMULATOR)" EXEEXT="$(EXEEXT)" \ "$(top_srcdir)"/run-tests $(TS_ALL) Makefile: $(srcdir)/Makefile.in ../config.status cd .. && $(SHELL) ./config.status examples/$@ install uninstall: true # NOTE: I'd like to use $^, but that's a GNU extension. $? should be # more portable, equivalent for phony targets. distdir: $(DISTFILES) cp $? $(distdir) clean: -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d distclean: clean -rm -f Makefile *.d tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h -include $(SOURCES:.c=.$(OBJEXT).d) nettle-3.10/examples/rsa-verify-test0000755000175000017500000000124014633602172016565 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi data="$srcdir/nettle-benchmark.c" if [ -x rsa-verify$EXEEXT ] ; then $EMULATOR ./rsa-sign$EXEEXT testkey < "$data" > testsignature \ && $EMULATOR ./rsa-verify$EXEEXT testkey.pub testsignature < "$data" \ || exit 1; # Try modifying the data sed s/128/129/ < "$data" >testdata if $EMULATOR ./rsa-verify$EXEEXT testkey.pub testsignature < testdata 2>/dev/null; then exit 1 fi # Try modifying the signature sed s/1/2/ testsignature2 if $EMULATOR ./rsa-verify$EXEEXT testkey.pub testsignature2 < "$data" 2>/dev/null; then exit 1; fi exit 0 else exit 77 fi nettle-3.10/examples/rsa-sign-test0000755000175000017500000000037514633602172016231 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi data="$srcdir/nettle-benchmark.c" if [ -x rsa-sign$EXEEXT ] ; then if $EMULATOR ./rsa-sign$EXEEXT testkey < "$data" > testsignature ; then exit 0; else exit 1 fi else exit 77 fi nettle-3.10/examples/timing.c0000644000175000017500000000522414633602172015234 0ustar nissenisse/* timing.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "timing.h" #include #include #include #include #include #include #if HAVE_CLOCK_GETTIME && defined CLOCK_PROCESS_CPUTIME_ID #define TRY_CLOCK_GETTIME 1 struct timespec cgt_start; static void NORETURN PRINTF_STYLE(1,2) die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } static int cgt_works_p(void) { struct timespec now; return clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &now) == 0; } static void cgt_time_start(void) { if (clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &cgt_start) < 0) die("clock_gettime failed: %s\n", strerror(errno)); } static double cgt_time_end(void) { struct timespec end; if (clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &end) < 0) die("clock_gettime failed: %s\n", strerror(errno)); return end.tv_sec - cgt_start.tv_sec + 1e-9 * (end.tv_nsec - cgt_start.tv_nsec); } #endif /* !HAVE_CLOCK_GETTIME */ static clock_t clock_start; static void clock_time_start(void) { clock_start = clock(); } static double clock_time_end(void) { return (double) (clock() - (clock_start)) / CLOCKS_PER_SEC; } void (*time_start)(void) = clock_time_start; double (*time_end)(void) = clock_time_end; void time_init(void) { /* Choose timing function */ #if TRY_CLOCK_GETTIME if (cgt_works_p()) { time_start = cgt_time_start; time_end = cgt_time_end; } else { fprintf(stderr, "clock_gettime not working, falling back to clock\n"); time_start = clock_time_start; time_end = clock_time_end; } #endif } nettle-3.10/examples/nettle-openssl.c0000644000175000017500000002150314633602172016717 0ustar nissenisse/* nettle-openssl.c Glue that's used only by the benchmark, and subject to change. Copyright (C) 2002, 2017 Niels Möller Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif /* Openssl glue, for comparative benchmarking only */ #if WITH_OPENSSL #include #include #include "non-nettle.h" #include "md5.h" #include "sha1.h" /* We use Openssl's EVP api for all openssl ciphers. This API selects platform-specific implementations if appropriate, e.g., using x86 AES-NI instructions. */ struct openssl_cipher_ctx { EVP_CIPHER_CTX *evp; }; /* We use Openssl's EVP api for all openssl hashes. This API selects platform-specific implementations if appropriate, e.g., using x86 AES-NI instructions. */ struct openssl_hash_ctx { EVP_MD_CTX *evp; }; static void openssl_evp_set_encrypt_key(void *p, const uint8_t *key, const EVP_CIPHER *cipher) { struct openssl_cipher_ctx *ctx = p; int ret; ctx->evp = EVP_CIPHER_CTX_new(); ret = EVP_CipherInit_ex(ctx->evp, cipher, NULL, key, NULL, 1); assert(ret == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } static void openssl_evp_set_decrypt_key(void *p, const uint8_t *key, const EVP_CIPHER *cipher) { struct openssl_cipher_ctx *ctx = p; int ret; ctx->evp = EVP_CIPHER_CTX_new(); ret = EVP_CipherInit_ex(ctx->evp, cipher, NULL, key, NULL, 0); assert(ret == 1); EVP_CIPHER_CTX_set_padding(ctx->evp, 0); } static void openssl_evp_encrypt(const void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_EncryptUpdate(ctx->evp, dst, &len, src, length); assert(ret == 1); } static void openssl_evp_decrypt(const void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_DecryptUpdate(ctx->evp, dst, &len, src, length); assert(ret == 1); } static void openssl_evp_set_nonce(void *p, const uint8_t *nonce) { const struct openssl_cipher_ctx *ctx = p; int ret = EVP_CipherInit_ex(ctx->evp, NULL, NULL, NULL, nonce, -1); assert(ret == 1); } static void openssl_evp_update(void *p, size_t length, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_EncryptUpdate(ctx->evp, NULL, &len, src, length); assert(ret == 1); } /* This will work for encryption only! */ static void openssl_evp_gcm_digest(void *p, size_t length, uint8_t *dst) { const struct openssl_cipher_ctx *ctx = p; int ret = EVP_CIPHER_CTX_ctrl(ctx->evp, EVP_CTRL_GCM_GET_TAG, length, dst); assert(ret == 1); } static void openssl_evp_aead_encrypt(void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_EncryptUpdate(ctx->evp, dst, &len, src, length); assert(ret == 1); } static void openssl_evp_aead_decrypt(void *p, size_t length, uint8_t *dst, const uint8_t *src) { const struct openssl_cipher_ctx *ctx = p; int len; int ret = EVP_DecryptUpdate(ctx->evp, dst, &len, src, length); assert(ret == 1); } /* AES */ static nettle_set_key_func openssl_aes128_set_encrypt_key; static nettle_set_key_func openssl_aes128_set_decrypt_key; static nettle_set_key_func openssl_aes192_set_encrypt_key; static nettle_set_key_func openssl_aes192_set_decrypt_key; static nettle_set_key_func openssl_aes256_set_encrypt_key; static nettle_set_key_func openssl_aes256_set_decrypt_key; static void openssl_aes128_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_128_ecb()); } static void openssl_aes128_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_128_ecb()); } static void openssl_aes192_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_192_ecb()); } static void openssl_aes192_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_192_ecb()); } static void openssl_aes256_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_256_ecb()); } static void openssl_aes256_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_256_ecb()); } const struct nettle_cipher nettle_openssl_aes128 = { "openssl aes128", sizeof(struct openssl_cipher_ctx), 16, 16, openssl_aes128_set_encrypt_key, openssl_aes128_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; const struct nettle_cipher nettle_openssl_aes192 = { "openssl aes192", sizeof(struct openssl_cipher_ctx), 16, 24, openssl_aes192_set_encrypt_key, openssl_aes192_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; const struct nettle_cipher nettle_openssl_aes256 = { "openssl aes256", sizeof(struct openssl_cipher_ctx), 16, 32, openssl_aes256_set_encrypt_key, openssl_aes256_set_decrypt_key, openssl_evp_encrypt, openssl_evp_decrypt }; /* AES-GCM */ static void openssl_gcm_aes128_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_128_gcm()); } static void openssl_gcm_aes128_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_128_gcm()); } static void openssl_gcm_aes192_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_192_gcm()); } static void openssl_gcm_aes192_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_192_gcm()); } static void openssl_gcm_aes256_set_encrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_encrypt_key(ctx, key, EVP_aes_256_gcm()); } static void openssl_gcm_aes256_set_decrypt_key(void *ctx, const uint8_t *key) { openssl_evp_set_decrypt_key(ctx, key, EVP_aes_256_gcm()); } const struct nettle_aead nettle_openssl_gcm_aes128 = { "openssl gcm_aes128", sizeof(struct openssl_cipher_ctx), 16, 16, 12, 16, openssl_gcm_aes128_set_encrypt_key, openssl_gcm_aes128_set_decrypt_key, openssl_evp_set_nonce, openssl_evp_update, openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, openssl_evp_gcm_digest }; const struct nettle_aead nettle_openssl_gcm_aes192 = { "openssl gcm_aes192", sizeof(struct openssl_cipher_ctx), 16, 24, 12, 16, openssl_gcm_aes192_set_encrypt_key, openssl_gcm_aes192_set_decrypt_key, openssl_evp_set_nonce, openssl_evp_update, openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, openssl_evp_gcm_digest }; const struct nettle_aead nettle_openssl_gcm_aes256 = { "openssl gcm_aes256", sizeof(struct openssl_cipher_ctx), 16, 32, 12, 16, openssl_gcm_aes256_set_encrypt_key, openssl_gcm_aes256_set_decrypt_key, openssl_evp_set_nonce, openssl_evp_update, openssl_evp_aead_encrypt, openssl_evp_aead_decrypt, openssl_evp_gcm_digest }; /* Hash functions */ static void openssl_hash_update(void *p, size_t length, const uint8_t *src) { struct openssl_hash_ctx *ctx = p; EVP_DigestUpdate(ctx->evp, src, length); } #define OPENSSL_HASH(NAME, name) \ static void \ openssl_##name##_init(void *p) \ { \ struct openssl_hash_ctx *ctx = p; \ if ((ctx->evp = EVP_MD_CTX_new()) == NULL) \ return; \ \ EVP_DigestInit(ctx->evp, EVP_##name()); \ } \ \ static void \ openssl_##name##_digest(void *p, \ size_t length, uint8_t *dst) \ { \ struct openssl_hash_ctx *ctx = p; \ assert(length == NAME##_DIGEST_SIZE); \ \ EVP_DigestFinal(ctx->evp, dst, NULL); \ EVP_DigestInit(ctx->evp, EVP_##name()); \ } \ \ const struct nettle_hash \ nettle_openssl_##name = { \ "openssl " #name, sizeof(struct openssl_hash_ctx), \ NAME##_DIGEST_SIZE, NAME##_BLOCK_SIZE, \ openssl_##name##_init, \ openssl_hash_update, \ openssl_##name##_digest \ }; OPENSSL_HASH(MD5, md5) OPENSSL_HASH(SHA1, sha1) #endif /* WITH_OPENSSL */ nettle-3.10/examples/read_rsa_key.c0000644000175000017500000000301214633602172016366 0ustar nissenisse/* read_rsa_key.c Used by the rsa example programs. Copyright (C) 2002, 2007 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "io.h" #include "rsa.h" /* Split out from io.c, since it depends on hogweed. */ int read_rsa_key(const char *name, struct rsa_public_key *pub, struct rsa_private_key *priv) { unsigned length; uint8_t *buffer; int res; length = read_file(name, 0, &buffer); if (!length) return 0; res = rsa_keypair_from_sexp(pub, priv, 0, length, buffer); free(buffer); return res; } nettle-3.10/examples/io.c0000644000175000017500000000720314633602172014353 0ustar nissenisse/* io.c Miscellaneous functions used by the example programs. Copyright (C) 2002, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include /* For errno and strerror */ #include #include #include "io.h" #define RANDOM_DEVICE "/dev/urandom" #define BUFSIZE 1000 int quiet_flag = 0; void * xalloc(size_t size) { void *p = malloc(size); if (!p) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return p; } void werror(const char *format, ...) { if (!quiet_flag) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); } } size_t read_file(const char *name, size_t max_size, uint8_t **contents) { size_t size, done; uint8_t *buffer; FILE *f; f = fopen(name, "rb"); if (!f) { werror("Opening `%s' failed: %s\n", name, strerror(errno)); return 0; } size = 100; for (buffer = NULL, done = 0;; size *= 2) { uint8_t *p; if (max_size && size > max_size) size = max_size; /* Space for terminating NUL */ p = realloc(buffer, size + 1); if (!p) { fail: fclose(f); free(buffer); *contents = NULL; return 0; } buffer = p; done += fread(buffer + done, 1, size - done, f); if (done < size) { /* Short count means EOF or read error */ if (ferror(f)) { fprintf (stderr, "Reading `%s' failed: %s\n", name, strerror(errno)); goto fail; } if (done == 0) /* Treat empty file as error */ goto fail; break; } if (size == max_size) break; } fclose(f); /* NUL-terminate the data. */ buffer[done] = '\0'; *contents = buffer; return done; } int write_data(FILE *f, size_t size, const void *buffer) { size_t res = fwrite(buffer, 1, size, f); return res == size; } int write_file(const char *name, size_t size, const void *buffer) { FILE *f = fopen(name, "wb"); int res; if (!f) return 0; res = write_data(f, size, buffer); return fclose(f) == 0 && res; } int simple_random(struct yarrow256_ctx *ctx, const char *name) { unsigned length; uint8_t *buffer; if (name) length = read_file(name, 0, &buffer); else length = read_file(RANDOM_DEVICE, 20, &buffer); if (!length) return 0; yarrow256_seed(ctx, length, buffer); free(buffer); return 1; } int hash_file(const struct nettle_hash *hash, void *ctx, FILE *f) { for (;;) { uint8_t buffer[BUFSIZE]; size_t res = fread(buffer, 1, sizeof(buffer), f); if (ferror(f)) return 0; hash->update(ctx, res, buffer); if (feof(f)) return 1; } } nettle-3.10/examples/rsa-encrypt.c0000644000175000017500000001322414633602172016213 0ustar nissenisse/* rsa-encrypt.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #ifdef WIN32 #include #endif /* string.h must be included before gmp.h */ #include "bignum.h" #include "buffer.h" #include "macros.h" #include "rsa.h" #include "yarrow.h" #include "io.h" #include "rsa-session.h" #include "getopt.h" void rsa_session_set_encrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key) { const uint8_t *aes_key = SESSION_AES_KEY(key); const uint8_t *iv = SESSION_IV(key); const uint8_t *hmac_key = SESSION_HMAC_KEY(key); aes256_set_encrypt_key(&ctx->aes.ctx, aes_key); CBC_SET_IV(&ctx->aes, iv); hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key); } static int write_uint32(FILE *f, uint32_t n) { uint8_t buffer[4]; WRITE_UINT32(buffer, n); return write_data(f, sizeof(buffer), buffer); } static int write_version(FILE *f) { return write_uint32(f, 1); } static int write_bignum(FILE *f, mpz_t x) { unsigned size = nettle_mpz_sizeinbase_256_u(x); uint8_t *p; int res; if (!write_uint32(f, size)) return 0; p = xalloc(size); nettle_mpz_get_str_256(size, p, x); res = write_data(f, size, p); free(p); return res; } #define BLOCK_SIZE (AES_BLOCK_SIZE * 100) static int process_file(struct rsa_session *ctx, FILE *in, FILE *out) { uint8_t buffer[BLOCK_SIZE + SHA1_DIGEST_SIZE]; for (;;) { size_t size = fread(buffer, 1, BLOCK_SIZE, in); hmac_sha1_update(&ctx->hmac, size, buffer); if (size < BLOCK_SIZE) { unsigned leftover; unsigned padding; if (ferror(in)) { werror("Reading input failed: %s\n", strerror(errno)); return 0; } leftover = size % AES_BLOCK_SIZE; padding = AES_BLOCK_SIZE - leftover; assert (size + padding <= BLOCK_SIZE); if (padding > 1) yarrow256_random(&ctx->yarrow, padding - 1, buffer + size); size += padding; buffer[size - 1] = padding; CBC_ENCRYPT(&ctx->aes, aes256_encrypt, size, buffer, buffer); assert (size + SHA1_DIGEST_SIZE <= sizeof(buffer)); hmac_sha1_digest(&ctx->hmac, SHA1_DIGEST_SIZE, buffer + size); size += SHA1_DIGEST_SIZE; if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } return 1; } CBC_ENCRYPT(&ctx->aes, aes256_encrypt, size, buffer, buffer); if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } } } static void usage (FILE *out) { fprintf (out, "Usage: rsa-encrypt [OPTIONS] PUBLIC-KEY < cleartext\n" "Options:\n" " -r, --random=FILE seed file for randomness generator\n" " --help display this help\n"); } int main(int argc, char **argv) { struct rsa_session ctx; struct rsa_session_info info; struct rsa_public_key key; mpz_t x; int c; const char *random_name = NULL; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "random", required_argument, NULL, 'r' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "o:r:", options, NULL)) != -1) switch (c) { case 'r': random_name = optarg; break; case '?': return EXIT_FAILURE; case OPT_HELP: usage(stdout); return EXIT_SUCCESS; default: abort(); } argv += optind; argc -= optind; if (argc != 1) { usage (stderr); return EXIT_FAILURE; } rsa_public_key_init(&key); if (!read_rsa_key(argv[0], &key, NULL)) { werror("Invalid key\n"); return EXIT_FAILURE; } /* NOTE: No sources */ yarrow256_init(&ctx.yarrow, 0, NULL); /* Read some data to seed the generator */ if (!simple_random(&ctx.yarrow, random_name)) { werror("Initialization of randomness generator failed.\n"); return EXIT_FAILURE; } WRITE_UINT32(SESSION_VERSION(&info), RSA_VERSION); yarrow256_random(&ctx.yarrow, sizeof(info.key) - 4, info.key + 4); rsa_session_set_encrypt_key(&ctx, &info); #ifdef WIN32 _setmode(0, O_BINARY); _setmode(1, O_BINARY); #endif write_version(stdout); mpz_init(x); if (!rsa_encrypt(&key, &ctx.yarrow, (nettle_random_func *) yarrow256_random, sizeof(info.key), info.key, x)) { werror("RSA encryption failed.\n"); return EXIT_FAILURE; } write_bignum(stdout, x); mpz_clear (x); if (!process_file(&ctx, stdin, stdout)) return EXIT_FAILURE; rsa_public_key_clear(&key); return EXIT_SUCCESS; } nettle-3.10/examples/base64dec.c0000644000175000017500000000571114633602172015506 0ustar nissenisse/* base64dec -- an decoder for base64 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base64.h" #include "io.h" #define CHUNK_SIZE 16392 /* The maximum number of bytes generated for each chunk: */ #define DECODED_SIZE BASE64_DECODE_LENGTH(CHUNK_SIZE) /* * Reads base-64 encoded from stdin, writes decoded to stdout. */ int main(int argc UNUSED, char **argv UNUSED) { /* "buffer" will hold the bytes from disk: */ char * buffer = xalloc (CHUNK_SIZE); /* "result" will hold bytes before output: */ uint8_t * result = xalloc (DECODED_SIZE); /* We need a Base64 context for decoding: */ struct base64_decode_ctx b64_ctx; /* Init the context: */ base64_decode_init(&b64_ctx); #ifdef WIN32 _setmode(1, O_BINARY); #endif for (;;) { int nbytes; /* Number of bytes read frmo disk at each iteration */ size_t decoded_bytes; /* Bytes actually generated at each iteration */ nbytes = fread(buffer, 1, CHUNK_SIZE, stdin); if (nbytes < CHUNK_SIZE && ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } /* Decodes one chunk: */ if (!base64_decode_update(&b64_ctx, &decoded_bytes, result, nbytes, buffer)) { werror ("Error decoding input (not base64?)\n"); return EXIT_FAILURE; } if (!write_data (stdout, decoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } if (nbytes < CHUNK_SIZE) { /* Check if decoding finalized OK: */ if (!base64_decode_final(&b64_ctx)) { werror ("Decoding did not finish properly.\n"); return EXIT_FAILURE; } break; } } if (fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } free (buffer); free (result); return EXIT_SUCCESS; } nettle-3.10/examples/rsa-decrypt.c0000644000175000017500000001271714633602172016207 0ustar nissenisse/* rsa-decrypt.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #ifdef WIN32 #include #endif /* string.h must be included before gmp.h */ #include "aes.h" #include "bignum.h" #include "buffer.h" #include "cbc.h" #include "hmac.h" #include "macros.h" #include "memops.h" #include "rsa.h" #include "yarrow.h" #include "io.h" #include "rsa-session.h" void rsa_session_set_decrypt_key(struct rsa_session *ctx, const struct rsa_session_info *key) { const uint8_t *aes_key = SESSION_AES_KEY(key); const uint8_t *iv = SESSION_IV(key); const uint8_t *hmac_key = SESSION_HMAC_KEY(key); aes256_set_decrypt_key(&ctx->aes.ctx, aes_key); CBC_SET_IV(&ctx->aes, iv); hmac_sha1_set_key(&ctx->hmac, SHA1_DIGEST_SIZE, hmac_key); } static int read_uint32(FILE *f, uint32_t *n) { uint8_t buf[4]; if (fread(buf, 1, sizeof(buf), f) != sizeof(buf)) return 0; *n = READ_UINT32(buf); return 1; } static int read_version(FILE *f) { uint32_t version; return read_uint32(f, &version) && version == RSA_VERSION; } static int read_bignum(FILE *f, mpz_t x) { uint32_t size; if (read_uint32(f, &size) && size < 1000) { uint8_t *p = xalloc(size); if (fread(p, 1, size, f) != size) { free(p); return 0; } nettle_mpz_set_str_256_u(x, size, p); free(p); return 1; } return 0; } #define BUF_SIZE (100 * AES_BLOCK_SIZE) /* Trailing data that needs special processing */ #define BUF_FINAL (AES_BLOCK_SIZE + SHA1_DIGEST_SIZE) static int process_file(struct rsa_session *ctx, FILE *in, FILE *out) { uint8_t buffer[BUF_SIZE + BUF_FINAL]; uint8_t digest[SHA1_DIGEST_SIZE]; size_t size; unsigned padding; size = fread(buffer, 1, BUF_FINAL, in); if (size < BUF_FINAL) { if (ferror(in)) werror("Reading input failed: %s\n", strerror(errno)); else werror("Unexpected EOF on input.\n"); return 0; } do { size = fread(buffer + BUF_FINAL, 1, BUF_SIZE, in); if (size < BUF_SIZE && ferror(in)) { werror("Reading input failed: %s\n", strerror(errno)); return 0; } if (size % AES_BLOCK_SIZE != 0) { werror("Unexpected EOF on input.\n"); return 0; } if (size) { CBC_DECRYPT(&ctx->aes, aes256_decrypt, size, buffer, buffer); hmac_sha1_update(&ctx->hmac, size, buffer); if (!write_data(out, size, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } memmove(buffer, buffer + size, BUF_FINAL); } } while (size == BUF_SIZE); /* Decrypt final block */ CBC_DECRYPT(&ctx->aes, aes256_decrypt, AES_BLOCK_SIZE, buffer, buffer); padding = buffer[AES_BLOCK_SIZE - 1]; if (padding > AES_BLOCK_SIZE) { werror("Decryption failed: Invalid padding.\n"); return 0; } if (padding < AES_BLOCK_SIZE) { unsigned leftover = AES_BLOCK_SIZE - padding; hmac_sha1_update(&ctx->hmac, leftover, buffer); if (!write_data(out, leftover, buffer)) { werror("Writing output failed: %s\n", strerror(errno)); return 0; } } hmac_sha1_digest(&ctx->hmac, SHA1_DIGEST_SIZE, digest); if (!memeql_sec(digest, buffer + AES_BLOCK_SIZE, SHA1_DIGEST_SIZE)) { werror("Decryption failed: Invalid mac.\n"); return 0; } return 1; } int main(int argc, char **argv) { struct rsa_private_key key; struct rsa_session ctx; struct rsa_session_info session; size_t length; mpz_t x; mpz_init(x); if (argc != 2) { werror("Usage: rsa-decrypt PRIVATE-KEY < ciphertext\n"); return EXIT_FAILURE; } rsa_private_key_init(&key); if (!read_rsa_key(argv[1], NULL, &key)) { werror("Invalid key\n"); return EXIT_FAILURE; } #ifdef WIN32 _setmode(0, O_BINARY); _setmode(1, O_BINARY); #endif if (!read_version(stdin)) { werror("Bad version number in input file.\n"); return EXIT_FAILURE; } if (!read_bignum(stdin, x)) { werror("Bad rsa header in input file.\n"); return EXIT_FAILURE; } length = sizeof(session.key); if (!rsa_decrypt(&key, &length, session.key, x) || length != sizeof(session.key)) { werror("Failed to decrypt rsa header in input file.\n"); return EXIT_FAILURE; } mpz_clear(x); rsa_session_set_decrypt_key(&ctx, &session); if (!process_file(&ctx, stdin, stdout)) return EXIT_FAILURE; rsa_private_key_clear(&key); return EXIT_SUCCESS; } nettle-3.10/examples/timing.h0000644000175000017500000000232414633602172015237 0ustar nissenisse/* timing.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EXAMPLES_TIMING_H_INCLUDED #define NETTLE_EXAMPLES_TIMING_H_INCLUDED void time_init(void); extern void (*time_start)(void); extern double (*time_end)(void); #endif /* NETTLE_EXAMPLES_TIMING_H_INCLUDED */ nettle-3.10/examples/rsa-verify.c0000644000175000017500000000444514633602172016040 0ustar nissenisse/* rsa-verify.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "rsa.h" #include "io.h" static int read_signature(const char *name, mpz_t s) { uint8_t *buffer; unsigned length; int res; length = read_file(name, 0, &buffer); if (!length) return 0; res = (mpz_set_str(s, (const char *) buffer, 16) == 0); free(buffer); return res; } int main(int argc, char **argv) { struct rsa_public_key key; struct sha1_ctx hash; mpz_t s; if (argc != 3) { werror("Usage: rsa-verify PUBLIC-KEY SIGNATURE-FILE < FILE\n"); return EXIT_FAILURE; } rsa_public_key_init(&key); if (!read_rsa_key(argv[1], &key, NULL)) { werror("Invalid key\n"); return EXIT_FAILURE; } mpz_init(s); if (!read_signature(argv[2], s)) { werror("Failed to read signature file `%s'\n", argv[2]); return EXIT_FAILURE; } sha1_init(&hash); if (!hash_file(&nettle_sha1, &hash, stdin)) { werror("Failed reading stdin: %s\n", strerror(errno)); return 0; } if (!rsa_sha1_verify(&key, &hash, s)) { werror("Invalid signature!\n"); return EXIT_FAILURE; } mpz_clear(s); rsa_public_key_clear(&key); return EXIT_SUCCESS; } nettle-3.10/examples/io.h0000644000175000017500000000415314633602172014361 0ustar nissenisse/* io.c Miscellaneous functions used by the example programs. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EXAMPLES_IO_H_INCLUDED #define NETTLE_EXAMPLES_IO_H_INCLUDED #include "nettle-meta.h" #include "yarrow.h" #include extern int quiet_flag; void * xalloc(size_t size); void werror(const char *format, ...) PRINTF_STYLE(1, 2); /* If size is > 0, read at most that many bytes. If size == 0, read * until EOF. Allocates the buffer dynamically. An empty file is * treated as an error; return value is zero, and no space is * allocated. The returned data is NUL-terminated, for convenience. */ size_t read_file(const char *name, size_t size, uint8_t **buffer); int write_file(const char *name, size_t size, const void *data); int write_data(FILE *f, size_t size, const void *data); int simple_random(struct yarrow256_ctx *ctx, const char *name); int hash_file(const struct nettle_hash *hash, void *ctx, FILE *f); #if WITH_HOGWEED struct rsa_public_key; struct rsa_private_key; int read_rsa_key(const char *name, struct rsa_public_key *pub, struct rsa_private_key *priv); #endif /* WITH_HOGWEED */ #endif /* NETTLE_EXAMPLES_IO_H_INCLUDED */ nettle-3.10/examples/random-prime.c0000644000175000017500000000632614633602172016343 0ustar nissenisse/* random-prime.c Command line tool for prime generation. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "bignum.h" #include "yarrow.h" #include "io.h" #include "getopt.h" static void usage(void) { fprintf(stderr, "Usage: random-prime [OPTIONS] bits\n\n" "Options:\n" " --help Display this message.\n" " -v, --verbose Display timing information.\n" " -r, --random FILE Random data to use for seeding.\n"); } int main(int argc, char **argv) { long bits; mpz_t p; struct yarrow256_ctx yarrow; int verbose = 0; const char *random_file = NULL; int c; char *arg_end; clock_t start; clock_t end; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "verbose", no_argument, NULL, 'v' }, { "random", required_argument, NULL, 'r' }, { NULL, 0, NULL, 0} }; while ( (c = getopt_long(argc, argv, "vr:", options, NULL)) != -1) switch (c) { case 'v': verbose = 1; break; case 'r': random_file = optarg; break; case OPT_HELP: usage(); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; default: abort(); } argc -= optind; argv += optind; if (argc != 1) { usage(); return EXIT_FAILURE; } bits = strtol(argv[0], &arg_end, 0); if (*arg_end || bits < 0) { fprintf(stderr, "Invalid number.\n"); return EXIT_FAILURE; } if (bits < 3) { fprintf(stderr, "Bitsize must be at least 3.\n"); return EXIT_FAILURE; } /* NOTE: No sources */ yarrow256_init(&yarrow, 0, NULL); /* Read some data to seed the generator */ if (!simple_random(&yarrow, random_file)) { werror("Initialization of randomness generator failed.\n"); return EXIT_FAILURE; } mpz_init(p); start = clock(); nettle_random_prime(p, bits, 0, &yarrow, (nettle_random_func *) yarrow256_random, NULL, NULL); end = clock(); mpz_out_str(stdout, 10, p); printf("\n"); if (verbose) fprintf(stderr, "time: %.3g s\n", (double)(end - start) / CLOCKS_PER_SEC); return EXIT_SUCCESS; } nettle-3.10/examples/base64enc.c0000644000175000017500000000565414633602172015526 0ustar nissenisse/* base64enc -- an encoder for base64 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base64.h" #include "io.h" /* The number of bytes read in each iteration, we do one line at a time: */ #define CHUNK_SIZE 54 /* The *maximum* size of an encoded chunk: */ #define ENCODED_SIZE BASE64_ENCODE_LENGTH(CHUNK_SIZE) /* * Reads bytes from standard input and writes base64-encoded * on standard output. */ int main(int argc UNUSED, char **argv UNUSED) { struct base64_encode_ctx b64_ctx; /* Init the context: */ base64_encode_init(&b64_ctx); #ifdef WIN32 _setmode(0, O_BINARY); #endif for (;;) { /* "buffer" will hold the bytes from disk: */ uint8_t buffer[CHUNK_SIZE]; /* "result" is the result vector: */ char result[ENCODED_SIZE + BASE64_ENCODE_FINAL_LENGTH + 1]; unsigned nbytes; /* Number of bytes read from stdin */ int encoded_bytes; /* total number of bytes encoded per iteration */ nbytes = fread(buffer,1,CHUNK_SIZE,stdin); /* We overwrite result with more data */ encoded_bytes = base64_encode_update(&b64_ctx, result, nbytes, buffer); if (nbytes < CHUNK_SIZE) { if (ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } encoded_bytes += base64_encode_final(&b64_ctx,result + encoded_bytes); result[encoded_bytes++] = '\n'; if (!write_data (stdout, encoded_bytes, result) || fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } return EXIT_SUCCESS; } /* The result vector is written */ result[encoded_bytes++] = '\n'; if (!write_data (stdout, encoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } } } nettle-3.10/examples/nettle-benchmark.c0000644000175000017500000005625014633602172017175 0ustar nissenisse/* nettle-benchmark.c Tests the performance of the various algorithms. Copyright (C) 2001, 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #include #include #include "timing.h" #include "aes.h" #include "arcfour.h" #include "blowfish.h" #include "cast128.h" #include "cbc.h" #include "ctr.h" #include "des.h" #include "eax.h" #include "gcm.h" #include "ghash-internal.h" #include "memxor.h" #include "salsa20.h" #include "salsa20-internal.h" #include "serpent.h" #include "sha1.h" #include "sha2.h" #include "sha3.h" #include "sm4.h" #include "twofish.h" #include "umac.h" #include "cmac.h" #include "poly1305.h" #include "hmac.h" #include "nettle-meta.h" #include "nettle-internal.h" #include "non-nettle.h" #include "getopt.h" static double frequency = 0.0; /* Process BENCH_BLOCK bytes at a time, for BENCH_INTERVAL seconds. */ #define BENCH_BLOCK 10240 #define BENCH_INTERVAL 0.1 /* FIXME: Proper configure test for rdtsc? */ #ifndef WITH_CYCLE_COUNTER # if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__)) # define WITH_CYCLE_COUNTER 1 # else # define WITH_CYCLE_COUNTER 0 # endif #endif #if WITH_CYCLE_COUNTER # if defined(__i386__) #define GET_CYCLE_COUNTER(hi, lo) \ __asm__ volatile ("xorl %%eax,%%eax\n" \ "movl %%ebx, %%edi\n" \ "cpuid\n" \ "rdtsc\n" \ "movl %%edi, %%ebx\n" \ : "=a" (lo), "=d" (hi) \ : /* No inputs. */ \ : "%edi", "%ecx", "cc") # elif defined(__x86_64__) #define GET_CYCLE_COUNTER(hi, lo) \ __asm__ volatile ("xorl %%eax,%%eax\n" \ "mov %%rbx, %%r10\n" \ "cpuid\n" \ "rdtsc\n" \ "mov %%r10, %%rbx\n" \ : "=a" (lo), "=d" (hi) \ : /* No inputs. */ \ : "%r10", "%rcx", "cc") # endif #define BENCH_ITERATIONS 10 #endif static void NORETURN PRINTF_STYLE(1,2) die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } static double overhead = 0.0; /* Returns second per function call */ static double time_function(void (*f)(void *arg), void *arg) { unsigned ncalls; double elapsed; for (ncalls = 10 ;;) { unsigned i; time_start(); for (i = 0; i < ncalls; i++) f(arg); elapsed = time_end(); if (elapsed > BENCH_INTERVAL) break; else if (elapsed < BENCH_INTERVAL / 10) ncalls *= 10; else ncalls *= 2; } return elapsed / ncalls - overhead; } struct bench_memxor_info { void *dst; const void *src; const void *other; }; static void bench_memxor(void *arg) { struct bench_memxor_info *info = arg; memxor (info->dst, info->src, BENCH_BLOCK); } static void bench_memxor3(void *arg) { struct bench_memxor_info *info = arg; memxor3 (info->dst, info->src, info->other, BENCH_BLOCK); } struct bench_hash_info { void *ctx; nettle_hash_update_func *update; const uint8_t *data; }; static void bench_hash(void *arg) { struct bench_hash_info *info = arg; info->update(info->ctx, BENCH_BLOCK, info->data); } struct bench_cipher_info { void *ctx; nettle_cipher_func *crypt; uint8_t *data; }; static void bench_cipher(void *arg) { struct bench_cipher_info *info = arg; info->crypt(info->ctx, BENCH_BLOCK, info->data, info->data); } struct bench_cbc_info { void *ctx; nettle_cipher_func *crypt; const uint8_t *src; uint8_t *dst; unsigned block_size; uint8_t *iv; }; static void bench_cbc_encrypt(void *arg) { struct bench_cbc_info *info = arg; cbc_encrypt(info->ctx, info->crypt, info->block_size, info->iv, BENCH_BLOCK, info->dst, info->src); } static void bench_cbc_decrypt(void *arg) { struct bench_cbc_info *info = arg; cbc_decrypt(info->ctx, info->crypt, info->block_size, info->iv, BENCH_BLOCK, info->dst, info->src); } static void bench_ctr(void *arg) { struct bench_cbc_info *info = arg; ctr_crypt(info->ctx, info->crypt, info->block_size, info->iv, BENCH_BLOCK, info->dst, info->src); } struct bench_aead_info { void *ctx; nettle_crypt_func *crypt; nettle_hash_update_func *update; uint8_t *data; }; static void bench_aead_crypt(void *arg) { const struct bench_aead_info *info = arg; info->crypt (info->ctx, BENCH_BLOCK, info->data, info->data); } static void bench_aead_update(void *arg) { const struct bench_aead_info *info = arg; info->update (info->ctx, BENCH_BLOCK, info->data); } /* Set data[i] = floor(sqrt(i)) */ static void init_data(uint8_t *data) { unsigned i,j; for (i = j = 0; i 0.0 ? " cycles/byte cycles/block" : ""); } static void display(const char *name, const char *mode, unsigned block_size, double time) { printf("%18s %12s %7.2f", name, mode, BENCH_BLOCK / (time * 1048576.0)); if (frequency > 0.0) { printf(" %11.2f", time * frequency / BENCH_BLOCK); if (block_size > 0) printf(" %12.2f", time * frequency * block_size / BENCH_BLOCK); } printf("\n"); } static void * xalloc(size_t size) { void *p = malloc(size); if (!p) die("Virtual memory exhausted.\n"); return p; } static void time_memxor(void) { struct bench_memxor_info info; unsigned long src[BENCH_BLOCK / sizeof(long) + 2]; unsigned long other[BENCH_BLOCK / sizeof(long) + 2]; unsigned long dst[BENCH_BLOCK / sizeof(long) + 1]; info.src = src; info.dst = dst; display ("memxor", "aligned", sizeof(unsigned long), time_function(bench_memxor, &info)); info.src = (const char *) src + 1; display ("memxor", "unaligned", sizeof(unsigned long), time_function(bench_memxor, &info)); info.src = src; info.other = other; display ("memxor3", "aligned", sizeof(unsigned long), time_function(bench_memxor3, &info)); info.other = (const char *) other + 1; display ("memxor3", "unaligned01", sizeof(unsigned long), time_function(bench_memxor3, &info)); info.src = (const char *) src + 1; display ("memxor3", "unaligned11", sizeof(unsigned long), time_function(bench_memxor3, &info)); info.other = (const char *) other + 2; display ("memxor3", "unaligned12", sizeof(unsigned long), time_function(bench_memxor3, &info)); } static void time_hash(const struct nettle_hash *hash) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; info.ctx = xalloc(hash->context_size); info.update = hash->update; info.data = data; init_data(data); hash->init(info.ctx); display(hash->name, "update", hash->block_size, time_function(bench_hash, &info)); free(info.ctx); } static void time_umac(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; uint8_t key[UMAC_KEY_SIZE]; init_key (sizeof(key), key); umac32_set_key (&ctx32, key); info.ctx = &ctx32; info.update = (nettle_hash_update_func *) umac32_update; info.data = data; display("umac32", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); umac64_set_key (&ctx64, key); info.ctx = &ctx64; info.update = (nettle_hash_update_func *) umac64_update; info.data = data; display("umac64", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); umac96_set_key (&ctx96, key); info.ctx = &ctx96; info.update = (nettle_hash_update_func *) umac96_update; info.data = data; display("umac96", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); umac128_set_key (&ctx128, key); info.ctx = &ctx128; info.update = (nettle_hash_update_func *) umac128_update; info.data = data; display("umac128", "update", UMAC_BLOCK_SIZE, time_function(bench_hash, &info)); } static void time_cmac(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; struct cmac_aes128_ctx ctx; uint8_t key[AES128_KEY_SIZE]; init_key (sizeof(key), key); cmac_aes128_set_key (&ctx, key); info.ctx = &ctx; info.update = (nettle_hash_update_func *) cmac_aes128_update; info.data = data; display("cmac-aes128", "update", AES_BLOCK_SIZE, time_function(bench_hash, &info)); } static void time_poly1305_aes(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hash_info info; struct poly1305_aes_ctx ctx; uint8_t key[POLY1305_AES_KEY_SIZE]; init_key (sizeof(key), key); poly1305_aes_set_key (&ctx, key); info.ctx = &ctx; info.update = (nettle_hash_update_func *) poly1305_aes_update; info.data = data; display("poly1305-aes", "update", 1024, time_function(bench_hash, &info)); } struct bench_hmac_info { void *ctx; nettle_hash_update_func *update; nettle_hash_digest_func *digest; size_t length; size_t digest_length; const uint8_t *data; }; static void bench_hmac(void *arg) { struct bench_hmac_info *info = arg; uint8_t digest[NETTLE_MAX_HASH_DIGEST_SIZE]; size_t pos, length; length = info->length; for (pos = 0; pos < BENCH_BLOCK; pos += length) { size_t single = pos + length < BENCH_BLOCK ? length : BENCH_BLOCK - pos; info->update(info->ctx, single, info->data + pos); info->digest(info->ctx, info->digest_length, digest); } } static const struct { size_t length; const char *msg; } hmac_tests[] = { { 64, "64 bytes" }, { 256, "256 bytes" }, { 1024, "1024 bytes" }, { 4096, "4096 bytes" }, { BENCH_BLOCK, "single msg" }, { 0, NULL }, }; static void time_hmac_md5(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hmac_info info; struct hmac_md5_ctx md5_ctx; unsigned int pos; init_data(data); info.data = data; hmac_md5_set_key(&md5_ctx, MD5_BLOCK_SIZE, data); info.ctx = &md5_ctx; info.update = (nettle_hash_update_func *) hmac_md5_update; info.digest = (nettle_hash_digest_func *) hmac_md5_digest; info.digest_length = MD5_DIGEST_SIZE; for (pos = 0; hmac_tests[pos].length != 0; pos++) { info.length = hmac_tests[pos].length; display("hmac-md5", hmac_tests[pos].msg, MD5_BLOCK_SIZE, time_function(bench_hmac, &info)); } } static void time_hmac_sha1(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hmac_info info; struct hmac_sha1_ctx sha1_ctx; unsigned int pos; init_data(data); info.data = data; hmac_sha1_set_key(&sha1_ctx, SHA1_BLOCK_SIZE, data); info.ctx = &sha1_ctx; info.update = (nettle_hash_update_func *) hmac_sha1_update; info.digest = (nettle_hash_digest_func *) hmac_sha1_digest; info.digest_length = SHA1_DIGEST_SIZE; for (pos = 0; hmac_tests[pos].length != 0; pos++) { info.length = hmac_tests[pos].length; display("hmac-sha1", hmac_tests[pos].msg, SHA1_BLOCK_SIZE, time_function(bench_hmac, &info)); } } static void time_hmac_sha256(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hmac_info info; struct hmac_sha256_ctx sha256_ctx; unsigned int pos; init_data(data); info.data = data; hmac_sha256_set_key(&sha256_ctx, SHA256_BLOCK_SIZE, data); info.ctx = &sha256_ctx; info.update = (nettle_hash_update_func *) hmac_sha256_update; info.digest = (nettle_hash_digest_func *) hmac_sha256_digest; info.digest_length = SHA256_DIGEST_SIZE; for (pos = 0; hmac_tests[pos].length != 0; pos++) { info.length = hmac_tests[pos].length; display("hmac-sha256", hmac_tests[pos].msg, SHA256_BLOCK_SIZE, time_function(bench_hmac, &info)); } } static void time_hmac_sha512(void) { static uint8_t data[BENCH_BLOCK]; struct bench_hmac_info info; struct hmac_sha512_ctx sha512_ctx; unsigned int pos; init_data(data); info.data = data; hmac_sha512_set_key(&sha512_ctx, SHA512_BLOCK_SIZE, data); info.ctx = &sha512_ctx; info.update = (nettle_hash_update_func *) hmac_sha512_update; info.digest = (nettle_hash_digest_func *) hmac_sha512_digest; info.digest_length = SHA512_DIGEST_SIZE; for (pos = 0; hmac_tests[pos].length != 0; pos++) { info.length = hmac_tests[pos].length; display("hmac-sha512", hmac_tests[pos].msg, SHA512_BLOCK_SIZE, time_function(bench_hmac, &info)); } } static int prefix_p(const char *prefix, const char *s) { size_t i; for (i = 0; prefix[i]; i++) if (prefix[i] != s[i]) return 0; return 1; } static int block_cipher_p(const struct nettle_cipher *cipher) { /* Don't use nettle cbc and ctr for openssl ciphers. */ return cipher->block_size > 0 && !prefix_p("openssl", cipher->name); } static void time_cipher(const struct nettle_cipher *cipher) { void *ctx = xalloc(cipher->context_size); uint8_t *key = xalloc(cipher->key_size); static uint8_t src_data[BENCH_BLOCK]; static uint8_t data[BENCH_BLOCK]; printf("\n"); init_data(data); init_data(src_data); { /* Decent initializers are a GNU extension, so don't use it here. */ struct bench_cipher_info info; info.ctx = ctx; info.crypt = cipher->encrypt; info.data = data; init_key(cipher->key_size, key); cipher->set_encrypt_key(ctx, key); display(cipher->name, "ECB encrypt", cipher->block_size, time_function(bench_cipher, &info)); } { struct bench_cipher_info info; info.ctx = ctx; info.crypt = cipher->decrypt; info.data = data; init_key(cipher->key_size, key); cipher->set_decrypt_key(ctx, key); display(cipher->name, "ECB decrypt", cipher->block_size, time_function(bench_cipher, &info)); } if (block_cipher_p(cipher)) { uint8_t *iv = xalloc(cipher->block_size); /* Do CBC mode */ { struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->encrypt; info.src = src_data; info.dst = data; info.block_size = cipher->block_size; info.iv = iv; memset(iv, 0, cipher->block_size); cipher->set_encrypt_key(ctx, key); display(cipher->name, "CBC encrypt", cipher->block_size, time_function(bench_cbc_encrypt, &info)); } { struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->decrypt; info.src = src_data; info.dst = data; info.block_size = cipher->block_size; info.iv = iv; memset(iv, 0, cipher->block_size); cipher->set_decrypt_key(ctx, key); display(cipher->name, "CBC decrypt", cipher->block_size, time_function(bench_cbc_decrypt, &info)); memset(iv, 0, cipher->block_size); info.src = data; display(cipher->name, " (in-place)", cipher->block_size, time_function(bench_cbc_decrypt, &info)); } /* Do CTR mode */ { struct bench_cbc_info info; info.ctx = ctx; info.crypt = cipher->encrypt; info.src = src_data; info.dst = data; info.block_size = cipher->block_size; info.iv = iv; memset(iv, 0, cipher->block_size); cipher->set_encrypt_key(ctx, key); display(cipher->name, "CTR", cipher->block_size, time_function(bench_ctr, &info)); memset(iv, 0, cipher->block_size); info.src = data; display(cipher->name, " (in-place)", cipher->block_size, time_function(bench_ctr, &info)); } free(iv); } free(ctx); free(key); } static void time_aead(const struct nettle_aead *aead) { void *ctx = xalloc(aead->context_size); uint8_t *key = xalloc(aead->key_size); uint8_t *nonce = xalloc(aead->nonce_size); static uint8_t data[BENCH_BLOCK]; printf("\n"); init_data(data); if (aead->set_nonce) init_nonce (aead->nonce_size, nonce); { /* Decent initializers are a GNU extension, so don't use it here. */ struct bench_aead_info info; info.ctx = ctx; info.crypt = aead->encrypt; info.data = data; init_key(aead->key_size, key); aead->set_encrypt_key(ctx, key); if (aead->set_nonce) aead->set_nonce (ctx, nonce); display(aead->name, "encrypt", aead->block_size, time_function(bench_aead_crypt, &info)); } if (aead->decrypt) { struct bench_aead_info info; info.ctx = ctx; info.crypt = aead->decrypt; info.data = data; init_key(aead->key_size, key); aead->set_decrypt_key(ctx, key); if (aead->set_nonce) aead->set_nonce (ctx, nonce); display(aead->name, "decrypt", aead->block_size, time_function(bench_aead_crypt, &info)); } if (aead->update) { struct bench_aead_info info; info.ctx = ctx; info.update = aead->update; info.data = data; aead->set_encrypt_key(ctx, key); if (aead->set_nonce) aead->set_nonce (ctx, nonce); display(aead->name, "update", aead->block_size, time_function(bench_aead_update, &info)); } free(ctx); free(key); free(nonce); } /* Try to get accurate cycle times for assembler functions. */ #if WITH_CYCLE_COUNTER static int compare_double(const void *ap, const void *bp) { double a = *(const double *) ap; double b = *(const double *) bp; if (a < b) return -1; else if (a > b) return 1; else return 0; } #define TIME_CYCLES(t, code) do { \ double tc_count[5]; \ uint32_t tc_start_lo, tc_start_hi, tc_end_lo, tc_end_hi; \ unsigned tc_i, tc_j; \ for (tc_j = 0; tc_j < 5; tc_j++) \ { \ tc_i = 0; \ GET_CYCLE_COUNTER(tc_start_hi, tc_start_lo); \ for (; tc_i < BENCH_ITERATIONS; tc_i++) \ { code; } \ \ GET_CYCLE_COUNTER(tc_end_hi, tc_end_lo); \ \ tc_end_hi -= (tc_start_hi + (tc_start_lo > tc_end_lo)); \ tc_end_lo -= tc_start_lo; \ \ tc_count[tc_j] = ldexp(tc_end_hi, 32) + tc_end_lo; \ } \ qsort(tc_count, 5, sizeof(double), compare_double); \ (t) = tc_count[2] / BENCH_ITERATIONS; \ } while (0) static void bench_sha1_compress(void) { uint32_t state[_SHA1_DIGEST_LENGTH]; uint8_t data[SHA1_BLOCK_SIZE]; double t; TIME_CYCLES (t, nettle_sha1_compress(state, data)); printf("sha1_compress: %.2f cycles\n", t); } static void bench_salsa20_core(void) { uint32_t state[_SALSA20_INPUT_LENGTH]; double t; TIME_CYCLES (t, _nettle_salsa20_core(state, state, 20)); printf("salsa20_core: %.2f cycles\n", t); } static void bench_sha3_permute(void) { struct sha3_state state; double t; TIME_CYCLES (t, sha3_permute (&state)); printf("sha3_permute: %.2f cycles (%.2f / round)\n", t, t / 24.0); } static void bench_ghash_update(void) { struct gcm_key key; union nettle_block16 state; const uint8_t data[160]; double t; TIME_CYCLES (t, _ghash_update (&key, &state, 10, data)); printf("ghash_update: %.2f cycles / block\n", t / 10.0); } #else #define bench_sha1_compress() #define bench_salsa20_core() #define bench_sha3_permute() #define bench_ghash_update() #endif #if WITH_OPENSSL # define OPENSSL(x) x, #else # define OPENSSL(x) #endif int main(int argc, char **argv) { unsigned i; int c; const char *alg; const struct nettle_hash *hashes[] = { &nettle_md2, &nettle_md4, &nettle_md5, OPENSSL(&nettle_openssl_md5) &nettle_sha1, OPENSSL(&nettle_openssl_sha1) &nettle_sha224, &nettle_sha256, &nettle_sha384, &nettle_sha512, &nettle_sha512_224, &nettle_sha512_256, &nettle_sha3_224, &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, &nettle_ripemd160, &nettle_gosthash94, &nettle_gosthash94cp, &nettle_streebog256, &nettle_streebog512, &nettle_sm3, NULL }; const struct nettle_cipher *ciphers[] = { &nettle_aes128, &nettle_aes192, &nettle_aes256, OPENSSL(&nettle_openssl_aes128) OPENSSL(&nettle_openssl_aes192) OPENSSL(&nettle_openssl_aes256) &nettle_blowfish128, &nettle_camellia128, &nettle_camellia192, &nettle_camellia256, &nettle_cast128, &nettle_des, &nettle_des3, &nettle_serpent256, &nettle_twofish128, &nettle_twofish192, &nettle_twofish256, &nettle_sm4, NULL }; const struct nettle_aead *aeads[] = { /* Stream ciphers */ &nettle_arcfour128, &nettle_salsa20, &nettle_salsa20r12, &nettle_chacha, /* CBC encrypt */ &nettle_cbc_aes128, &nettle_cbc_aes192, &nettle_cbc_aes256, /* Proper AEAD algorithme. */ &nettle_gcm_aes128, &nettle_gcm_aes192, &nettle_gcm_aes256, OPENSSL(&nettle_openssl_gcm_aes128) OPENSSL(&nettle_openssl_gcm_aes192) OPENSSL(&nettle_openssl_gcm_aes256) &nettle_gcm_camellia128, &nettle_gcm_camellia256, &nettle_eax_aes128, &nettle_chacha_poly1305, &nettle_ocb_aes128, NULL }; enum { OPT_HELP = 300 }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "clock-frequency", required_argument, NULL, 'f' }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "f:", options, NULL)) != -1) switch (c) { case 'f': frequency = atof(optarg); if (frequency > 0.0) break; /* Fall through */ case OPT_HELP: printf("Usage: nettle-benchmark [-f clock frequency] [alg...]\n"); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; default: abort(); } time_init(); bench_sha1_compress(); bench_salsa20_core(); bench_sha3_permute(); bench_ghash_update(); printf("\n"); header(); do { alg = argv[optind]; if (!alg || strstr ("memxor", alg)) { time_memxor(); printf("\n"); } for (i = 0; hashes[i]; i++) if (!alg || strstr(hashes[i]->name, alg)) time_hash(hashes[i]); if (!alg || strstr ("umac", alg)) time_umac(); if (!alg || strstr ("cmac", alg)) time_cmac(); if (!alg || strstr ("poly1305-aes", alg)) time_poly1305_aes(); for (i = 0; ciphers[i]; i++) if (!alg || strstr(ciphers[i]->name, alg)) time_cipher(ciphers[i]); for (i = 0; aeads[i]; i++) if (!alg || strstr(aeads[i]->name, alg)) time_aead(aeads[i]); if (!alg || strstr ("hmac-md5", alg)) time_hmac_md5(); if (!alg || strstr ("hmac-sha1", alg)) time_hmac_sha1(); if (!alg || strstr ("hmac-sha256", alg)) time_hmac_sha256(); if (!alg || strstr ("hmac-sha512", alg)) time_hmac_sha512(); optind++; } while (alg && argv[optind]); return 0; } nettle-3.10/examples/hogweed-benchmark.c0000644000175000017500000006216714633602172017330 0ustar nissenisse/* hogweed-benchmark.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include #include #include "timing.h" #include "dsa.h" #include "rsa.h" #include "eddsa.h" #include "gostdsa.h" #include "curve25519.h" #include "curve448.h" #include "nettle-meta.h" #include "sexp.h" #include "knuth-lfib.h" #include "../ecdsa.h" #include "../ecc-internal.h" #include "../gmp-glue.h" #if WITH_OPENSSL #include #include #include #endif #define BENCH_INTERVAL 0.1 static void NORETURN PRINTF_STYLE(1,2) die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } static void * xalloc (size_t size) { void *p = malloc (size); if (!p) { fprintf (stderr, "Virtual memory exhausted\n"); abort (); } return p; } static uint8_t * hash_string (const struct nettle_hash *hash, const char *s) { void *ctx = xalloc (hash->context_size); uint8_t *digest = xalloc (hash->digest_size); hash->init (ctx); hash->update (ctx, strlen(s), (const uint8_t *) s); hash->digest (ctx, hash->digest_size, digest); free (ctx); return digest; } struct alg { const char *name; unsigned size; void *(*init) (unsigned size); void (*sign) (void *); void (*verify)(void *); void (*clear) (void *); }; /* Returns second per function call */ static double time_function(void (*f)(void *arg), void *arg) { unsigned ncalls; double elapsed; /* Warm up */ f(arg); for (ncalls = 10 ;;) { unsigned i; time_start(); for (i = 0; i < ncalls; i++) f(arg); elapsed = time_end(); if (elapsed > BENCH_INTERVAL) break; else if (elapsed < BENCH_INTERVAL / 10) ncalls *= 10; else ncalls *= 2; } return elapsed / ncalls; } static void bench_alg (const struct alg *alg) { double sign; double verify; void *ctx; ctx = alg->init(alg->size); if (ctx == NULL) { printf("%16s %4d N/A\n", alg->name, alg->size); return; } sign = time_function (alg->sign, ctx); verify = time_function (alg->verify, ctx); alg->clear (ctx); printf("%16s %4d %9.4f %9.4f\n", alg->name, alg->size, 1e-3/sign, 1e-3/verify); } struct rsa_ctx { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx lfib; uint8_t *digest; mpz_t s; }; static void * bench_rsa_init (unsigned size) { unsigned char rsa1024[] = "{KDExOnByaXZhdGUta2V5KDE0OnJzYS1wa2NzMS1zaGExKDE6bjEyOToA90+K5EmjbFJBeJD" " xP2KD2Df+0Twc9425uB+vhqTrVijtd2PnwEQDfR2VoducgkKcXJzYYyCNILQJbFAi2Km/sD" " jImERBqDtaI217Ze+tOKEmImexYTAgFuqEptp2F3M4DqgRQ7s/3nJQ/bPE5Hfi1OZhJSShu" " I80ATTU4fUgrPspKDE6ZTM6AQABKSgxOmQxMjk6APAhKckzvxxkWfHJOpXDACWnaSKcbbvo" " vtWK3pGr/F2ya7CrLtE+uOx5F1sLs9G+/7flCy5k4uNILIYg4VTirZ1zQ8fNKPrjK1VMRls" " JiRRU/0VAs9d7HdncJfs6rbvRQbCRSRYURo4hWir3Lq8V3UUQVBprc4dO+uWmplvwQ5qxKS" " gxOnA2NToA+8aIVkdbk8Jg8dJOuzc7m/hZnwkKSs6eVDw4N/2T0CJKGJYT+B3Ct+fPkxhUR" " ggd2DQ9OpkTra7SXHTNkzdPVSkoMTpxNjU6APt11P8vXNnGYF0OC/cPsR8zhSYuFmtRuX6G" " ES+DdG0VCU07UeNQkok1UoW5sXqY0IGr1jkJq8AMSgKoNbLQ6w8pKDE6YTY0Ohzkxsan/8F" " wQDHgQbrIduXKVXaj0fONzKu8EXOTfUAYf0pdBsOlnq/+QVsPIrS6v7oNHK253YFEG84SdX" " kcktUpKDE6YjY1OgCR+cRtY3RWY+f6/TWK9gwPndv03xpasLWrMm71ky1aSbT9pasS9+opR" " tAiGzthfSbFsBiLQgb3VOr+AeIybT+XKSgxOmM2NDojigqARWN5u1CVDVuD2L2ManpoGiM6" " kQ6FaJjqRjxeRRKFrQxGJa9tM1hqStxokC1oJidgaOLGnn60iwzToug9KSkp}"; unsigned char rsa2048[] = "{KDExOnByaXZhdGUta2V5KDE0OnJzYS1wa2NzMS1zaGExKDE6bjI1NzoAtxWXiglIdunDK48" " 8I0vW0wTqnh/riW9pLk8n1F8MUPBFdhvkkl0bDQqSJPUvSHy+w4fLVwcEzeI4qFyo3b2Avz" " JK20MFbt/WfHD1TbxuK8rNqXyqmqjJ9vgjtV9nPzAz7CM9ogs3/RJHpcfZPQF15ifizleUZ" " aQT0GAXHZL7cePj10yGI2u3hgTkokVzdNC/1T34guKYpErg0pt0B/KejWpsFTb84z3tkR+B" " YVx07p/OoByZwoABgncS/uALl31fRS8jyJ2JqUiZOqe7XoO9hkDHYNCWUGUfNGQ7ZgVp9+e" " NQpracSjrp6Jnrj7r/oxJUx5ZDVNi18AzQadE/oKOrSkoMTplMzoBAAEpKDE6ZDI1NjogBT" " C5vaHk2kF+LtDvw2XRBj0aZq7FHK0ioklvBSicR0l+vKYfSxVeFIk22YLphJfAjtFraRjYA" " Uaze3E1Rt1rkxoweupKV++lWAQvElOaaR/LErirz/Vysjdck1D1ZjLOi+NNofSq2DWbsvY1" " iznZhQRP3lVf6XBls0iXrYs4gb0pBZqXLQW+j9Ihx6eantf1/6ZMKPgCkzcAZ0ABsCfaFSg" " ouNCzilblsgFEspEbb8QqrNQoStS3F/gMwWgDsr3+vQzBqt+7ykWoCJ9wctbYy9kEPq+hX3" " GP0hG6HdS81r9E8pgdf3wloNNMzYUHwn7poXGpOi8tG0pmR56TqD/BKSgxOnAxMjk6AN4AJ" " TiGPm9We2ga3Y0jpTfA3mWpUbhYgaXYLWA1/riniwq16fqxRIkWQT/O2KKpBVe6WSvNYq9u" " lM8N6bdPtDytJs6AOXy0X5vtJ953ZYVMhHbhmUxhIL9I+s0O1+LxMF8b9U4CrFyaTxd8Un/" " FXP1BvYJRrkoup6HYvOlGx36lKSgxOnExMjk6ANMfrfH6z/3o7K56aW6kSiloDDbKZQ0+W5" " 8LzP2ZOBLf6LX6jLhN3olU1Z0KGTM0S/1AxvwGjuRqhu+LcOJ7oUCUH3uusR5c5nSnArYPq" " +0wbco4BQngot/HmGN7U0EDsIWqPt/qoa/b8bCk+TOwJlknNq/PnZU26SPj48XS05lpKSgx" " OmExMjk6AJM2n3gLNW3ZeH5BindkktQU9qWNkV5geqDCaNyrEZ3bpI1WsrEGSj9p3Zz1ipz" " a3msdbLJqQS26c72WKUzg8tFltR0s1HJInjolGtIgdNbfNdwrn9+RbQjL2VyPokOg0wXO4W" " 14wlmqDhax33dRJmfe50964MvaglkGA8fhorrtKSgxOmIxMjk6AKMe+vrX2xRHf3dfxU5jS" " ZmsdqNuxZzx7UB5kazvUU/kCJ1yNH/CSoq5LULkpovVgFDwV84qEwWQ+SjkCBg1hWWsDJc3" " ZkobZUQENigM+72LiYiQt/PlyHI2eRuEEdNN0nm0DFhdpQeHXLoq/RBerYJ8tdgpBYxgnMn" " KLhaOykbhKSgxOmMxMjg6MVlKj2bjb7qFQVkLO1OPg28jSrtRpnQCR+qegN4ZmNam/qbest" " 8yn0JQ6gxX7PvP382+jx7uHHWHYYqPq/Flf8gqtOOcjqS5TJgVHz3F3xHWquo1ZofGtCMro" " Dd2c0xjRjIVGvLV6Ngs+HRdljRav40vRpTyEoEdlzHBQiILesopKSk=}"; struct rsa_ctx *ctx; struct sexp_iterator i; int res; ctx = xalloc(sizeof(*ctx)); rsa_public_key_init (&ctx->pub); rsa_private_key_init (&ctx->key); mpz_init (ctx->s); knuth_lfib_init (&ctx->lfib, 1); /* NOTE: Base64-decodes the strings in-place */ if (size == 1024) res = sexp_transport_iterator_first (&i, sizeof(rsa1024) - 1, rsa1024); else if (size == 2048) res = sexp_transport_iterator_first (&i, sizeof(rsa2048) - 1, rsa2048); else die ("Internal error.\n"); if (! (res && sexp_iterator_check_type (&i, "private-key") && sexp_iterator_check_type (&i, "rsa-pkcs1-sha1") && rsa_keypair_from_sexp_alist (&ctx->pub, &ctx->key, 0, &i))) die ("Internal error.\n"); ctx->digest = hash_string (&nettle_sha256, "foo"); rsa_sha256_sign_digest (&ctx->key, ctx->digest, ctx->s); return ctx; } static void bench_rsa_sign (void *p) { struct rsa_ctx *ctx = p; mpz_t s; mpz_init (s); rsa_sha256_sign_digest (&ctx->key, ctx->digest, s); mpz_clear (s); } static void bench_rsa_sign_tr (void *p) { struct rsa_ctx *ctx = p; mpz_t s; mpz_init (s); rsa_sha256_sign_digest_tr (&ctx->pub, &ctx->key, &ctx->lfib, (nettle_random_func *)knuth_lfib_random, ctx->digest, s); mpz_clear (s); } static void bench_rsa_verify (void *p) { struct rsa_ctx *ctx = p; if (! rsa_sha256_verify_digest (&ctx->pub, ctx->digest, ctx->s)) die ("Internal error, rsa_sha256_verify_digest failed.\n"); } static void bench_rsa_clear (void *p) { struct rsa_ctx *ctx = p; rsa_public_key_clear (&ctx->pub); rsa_private_key_clear (&ctx->key); mpz_clear (ctx->s); free (ctx->digest); free (ctx); } struct dsa_ctx { struct dsa_params params; mpz_t pub; mpz_t key; struct knuth_lfib_ctx lfib; struct dsa_signature s; uint8_t *digest; }; static void * bench_dsa_init (unsigned size) { struct dsa_ctx *ctx; struct sexp_iterator i; unsigned char dsa1024[] = "{KDExOnByaXZhdGUta2V5KDM6ZHNhKDE6cDEyOToA2q4hOXEClLMXXMOl9xaPcGC/GeGmCMv" " VCaaW0uWc50DvvmJDPQPdCehyfZr/1dv2UDbx06TC7ls/IFd+BsDzGBRxqIQ44J20cn+0gt" " NMIXAocE1QhCCFaT5gXrk8zMlqBEGaP3RdpgxNanEXkTj2Wma8r1GtrLX3HPafio62jicpK" " DE6cTIxOgDN9pcW3exdVAesC9WsxwCGoJK24ykoMTpnMTI5OgCJr9DmKdiE0WJZB7HACESv" " Tpg1qZgc8E15byQ+OsHUyOTRrJRTcrgKZJW7dFRJ9cXmyi7XYCd3bJtu/2HRHLY1vd4qMvU" " 7Y8x08ooCoABGV7nGqcmdQfEho1OY6TZh2NikmPKZLeur3PZFpcZ8Dl+KVWtwC55plNC7Om" " iAQy8MaCkoMTp5MTI5OgDakk0LOUQwzOKt9FHOBmBKrWsvTm7549eScTUqH4OMm3btjUsXz" " MmlqEe+imwQCOW/AE3Xw9pXZeETWK0jlLe8k5vnKcNskerFwZ1eQKtOPPQty8IqQ9PEfF6B" " 0oVQiJg2maHUDWFnDkIBd7ZR1z8FnZMUxH9mH4kEUo6YQgtCdykoMTp4MjA6cOl3ijiiMjI" " pesFD8jxESWb2mn8pKSk=}"; ctx = xalloc(sizeof(*ctx)); dsa_params_init (&ctx->params); mpz_init (ctx->pub); mpz_init (ctx->key); dsa_signature_init (&ctx->s); knuth_lfib_init (&ctx->lfib, 1); if (size != 1024) die ("Internal error.\n"); if (! (sexp_transport_iterator_first (&i, sizeof(dsa1024) - 1, dsa1024) && sexp_iterator_check_type (&i, "private-key") && sexp_iterator_check_type (&i, "dsa") && dsa_keypair_from_sexp_alist (&ctx->params, ctx->pub, ctx->key, 0, DSA_SHA1_Q_BITS, &i)) ) die ("Internal error.\n"); ctx->digest = hash_string (&nettle_sha1, "foo"); dsa_sign (&ctx->params, ctx->key, &ctx->lfib, (nettle_random_func *)knuth_lfib_random, SHA1_DIGEST_SIZE, ctx->digest, &ctx->s); return ctx; } static void bench_dsa_sign (void *p) { struct dsa_ctx *ctx = p; struct dsa_signature s; dsa_signature_init (&s); dsa_sign (&ctx->params, ctx->key, &ctx->lfib, (nettle_random_func *)knuth_lfib_random, SHA1_DIGEST_SIZE, ctx->digest, &s); dsa_signature_clear (&s); } static void bench_dsa_verify (void *p) { struct dsa_ctx *ctx = p; if (! dsa_verify (&ctx->params, ctx->pub, SHA1_DIGEST_SIZE, ctx->digest, &ctx->s)) die ("Internal error, dsa_sha1_verify_digest failed.\n"); } static void bench_dsa_clear (void *p) { struct dsa_ctx *ctx = p; dsa_params_clear (&ctx->params); mpz_clear (ctx->pub); mpz_clear (ctx->key); dsa_signature_clear (&ctx->s); free (ctx->digest); free (ctx); } struct ecdsa_ctx { struct ecc_point pub; struct ecc_scalar key; struct knuth_lfib_ctx lfib; unsigned digest_size; uint8_t *digest; struct dsa_signature s; }; static void * bench_ecdsa_init (unsigned size) { struct ecdsa_ctx *ctx; const struct ecc_curve *ecc; const char *xs; const char *ys; const char *zs; mpz_t x, y, z; ctx = xalloc (sizeof(*ctx)); dsa_signature_init (&ctx->s); knuth_lfib_init (&ctx->lfib, 17); switch (size) { case 192: ecc = &_nettle_secp_192r1; xs = "8e8e07360350fb6b7ad8370cfd32fa8c6bba785e6e200599"; ys = "7f82ddb58a43d59ff8dc66053002b918b99bd01bd68d6736"; zs = "f2e620e086d658b4b507996988480917640e4dc107808bdd"; ctx->digest = hash_string (&nettle_sha1, "abc"); ctx->digest_size = 20; break; case 224: ecc = &_nettle_secp_224r1; xs = "993bf363f4f2bc0f255f22563980449164e9c894d9efd088d7b77334"; ys = "b75fff9849997d02d135140e4d0030944589586e22df1fc4b629082a"; zs = "cdfd01838247f5de3cc70b688418046f10a2bfaca6de9ec836d48c27"; ctx->digest = hash_string (&nettle_sha224, "abc"); ctx->digest_size = 28; break; /* From RFC 4754 */ case 256: ecc = &_nettle_secp_256r1; xs = "2442A5CC 0ECD015F A3CA31DC 8E2BBC70 BF42D60C BCA20085 E0822CB0 4235E970"; ys = "6FC98BD7 E50211A4 A27102FA 3549DF79 EBCB4BF2 46B80945 CDDFE7D5 09BBFD7D"; zs = "DC51D386 6A15BACD E33D96F9 92FCA99D A7E6EF09 34E70975 59C27F16 14C88A7F"; ctx->digest = hash_string (&nettle_sha256, "abc"); ctx->digest_size = 32; break; case 384: ecc = &_nettle_secp_384r1; xs = "96281BF8 DD5E0525 CA049C04 8D345D30 82968D10 FEDF5C5A CA0C64E6 465A97EA" "5CE10C9D FEC21797 41571072 1F437922"; ys = "447688BA 94708EB6 E2E4D59F 6AB6D7ED FF9301D2 49FE49C3 3096655F 5D502FAD" "3D383B91 C5E7EDAA 2B714CC9 9D5743CA"; zs = "0BEB6466 34BA8773 5D77AE48 09A0EBEA 865535DE 4C1E1DCB 692E8470 8E81A5AF" "62E528C3 8B2A81B3 5309668D 73524D9F"; ctx->digest = hash_string (&nettle_sha384, "abc"); ctx->digest_size = 48; break; case 521: ecc = &_nettle_secp_521r1; xs = "0151518F 1AF0F563 517EDD54 85190DF9 5A4BF57B 5CBA4CF2 A9A3F647 4725A35F" "7AFE0A6D DEB8BEDB CD6A197E 592D4018 8901CECD 650699C9 B5E456AE A5ADD190" "52A8"; ys = "006F3B14 2EA1BFFF 7E2837AD 44C9E4FF 6D2D34C7 3184BBAD 90026DD5 E6E85317" "D9DF45CA D7803C6C 20035B2F 3FF63AFF 4E1BA64D 1C077577 DA3F4286 C58F0AEA" "E643"; zs = "0065FDA3 409451DC AB0A0EAD 45495112 A3D813C1 7BFD34BD F8C1209D 7DF58491" "20597779 060A7FF9 D704ADF7 8B570FFA D6F062E9 5C7E0C5D 5481C5B1 53B48B37" "5FA1"; ctx->digest = hash_string (&nettle_sha512, "abc"); ctx->digest_size = 64; break; default: die ("Internal error.\n"); } ecc_point_init (&ctx->pub, ecc); ecc_scalar_init (&ctx->key, ecc); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); mpz_init_set_str (z, zs, 16); ecc_point_set (&ctx->pub, x, y); ecc_scalar_set (&ctx->key, z); mpz_clear (x); mpz_clear (y); mpz_clear (z); ecdsa_sign (&ctx->key, &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &ctx->s); return ctx; } static void bench_ecdsa_sign (void *p) { struct ecdsa_ctx *ctx = p; struct dsa_signature s; dsa_signature_init (&s); ecdsa_sign (&ctx->key, &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &s); dsa_signature_clear (&s); } static void bench_ecdsa_verify (void *p) { struct ecdsa_ctx *ctx = p; if (! ecdsa_verify (&ctx->pub, ctx->digest_size, ctx->digest, &ctx->s)) die ("Internal error, ecdsa_verify failed.\n"); } static void bench_ecdsa_clear (void *p) { struct ecdsa_ctx *ctx = p; ecc_point_clear (&ctx->pub); ecc_scalar_clear (&ctx->key); dsa_signature_clear (&ctx->s); free (ctx->digest); free (ctx); } struct eddsa_ctx { uint8_t pub[ED448_KEY_SIZE]; uint8_t key[ED448_KEY_SIZE]; uint8_t signature[ED448_SIGNATURE_SIZE]; void (*sign)(const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); int (*verify)(const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); }; static void * bench_eddsa_init (unsigned size) { struct knuth_lfib_ctx lfib; struct eddsa_ctx *ctx; knuth_lfib_init (&lfib, 17); ctx = xalloc (sizeof(*ctx)); switch (size) { case 255: ctx->sign = ed25519_sha512_sign; ctx->verify = ed25519_sha512_verify; knuth_lfib_random (&lfib, ED25519_KEY_SIZE, ctx->key); ed25519_sha512_public_key (ctx->pub, ctx->key); break; case 448: ctx->sign = ed448_shake256_sign; ctx->verify = ed448_shake256_verify; knuth_lfib_random (&lfib, ED448_KEY_SIZE, ctx->key); ed448_shake256_public_key (ctx->pub, ctx->key); break; default: abort (); } ctx->sign (ctx->pub, ctx->key, 3, (const uint8_t *) "abc", ctx->signature); return ctx; } static void bench_eddsa_sign (void *p) { struct eddsa_ctx *ctx = p; ctx->sign (ctx->pub, ctx->key, 3, (const uint8_t *) "abc", ctx->signature); } static void bench_eddsa_verify (void *p) { struct eddsa_ctx *ctx = p; if (!ctx->verify (ctx->pub, 3, (const uint8_t *) "abc", ctx->signature)) die ("Internal error, eddsa_verify failed.\n"); } static void bench_eddsa_clear (void *p) { free (p); } static void * bench_gostdsa_init (unsigned size) { struct ecdsa_ctx *ctx; const struct ecc_curve *ecc; const char *xs; const char *ys; const char *zs; mpz_t x, y, z; ctx = xalloc (sizeof(*ctx)); dsa_signature_init (&ctx->s); knuth_lfib_init (&ctx->lfib, 17); switch (size) { case 256: ecc = &_nettle_gost_gc256b; xs = "971566ceda436ee7678f7e07e84ebb7217406c0b4747aa8fd2ab1453c3d0dfba"; ys = "ad58736965949f8e59830f8de20fc6c0d177f6ab599874f1e2e24ff71f9ce643"; zs = "bfcf1d623e5cdd3032a7c6eabb4a923c46e43d640ffeaaf2c3ed39a8fa399924"; ctx->digest = hash_string (&nettle_sha256, "abc"); ctx->digest_size = 32; break; case 512: ecc = &_nettle_gost_gc512a; xs = "03A36340A95BB5F93D131961B5B1C1B3213DF7FF3B5A30376407E2A65C441BC6" "D1B34662317083243F007B15A8512B526606D3B172B606DCE86DBD6F82DA3D40"; ys = "DEAD76318012FED79507809C89CC44848743640EAC9A3C847DA9082E050760A1" "0679F4B707ABC1872640AD20D7441F66C7A8B3BFF1B8E11B4A076F0A86749F73"; zs = "3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435" "757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B"; ctx->digest = hash_string (&nettle_sha512, "abc"); ctx->digest_size = 64; break; default: die ("Internal error.\n"); } ecc_point_init (&ctx->pub, ecc); ecc_scalar_init (&ctx->key, ecc); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); mpz_init_set_str (z, zs, 16); ecc_point_set (&ctx->pub, x, y); ecc_scalar_set (&ctx->key, z); mpz_clear (x); mpz_clear (y); mpz_clear (z); gostdsa_sign (&ctx->key, &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &ctx->s); return ctx; } static void bench_gostdsa_sign (void *p) { struct ecdsa_ctx *ctx = p; struct dsa_signature s; dsa_signature_init (&s); gostdsa_sign (&ctx->key, &ctx->lfib, (nettle_random_func *) knuth_lfib_random, ctx->digest_size, ctx->digest, &s); dsa_signature_clear (&s); } static void bench_gostdsa_verify (void *p) { struct ecdsa_ctx *ctx = p; if (! gostdsa_verify (&ctx->pub, ctx->digest_size, ctx->digest, &ctx->s)) die ("Internal error, _gostdsa_verify failed.\n"); } static void bench_gostdsa_clear (void *p) { struct ecdsa_ctx *ctx = p; ecc_point_clear (&ctx->pub); ecc_scalar_clear (&ctx->key); dsa_signature_clear (&ctx->s); free (ctx->digest); free (ctx); } #if WITH_OPENSSL struct openssl_ctx { EVP_PKEY *key; const EVP_MD *md; EVP_MD_CTX *md_ctx; unsigned char *signature; size_t sig_alloc; size_t sig_size; }; static void * bench_openssl_init (EVP_PKEY *key, const EVP_MD *md) { struct openssl_ctx *ctx = xalloc (sizeof (*ctx)); if (!key) die ("OpenSSL key eneration failed.\n"); ctx->key = key; ctx->md = md; ctx->md_ctx = EVP_MD_CTX_new(); if (!ctx->md_ctx) die ("OpenSSL EVP_MD_CTX_create failed."); if (EVP_DigestSignInit (ctx->md_ctx, NULL, ctx->md, NULL, ctx->key) <= 0) die ("OpenSSL EVP_DigestSignInit failed."); if (EVP_DigestSignUpdate (ctx->md_ctx, "foo", 3) <= 0) die ("OpenSSL EVP_DigestSignUpdate failed."); if (EVP_DigestSignFinal (ctx->md_ctx, NULL, &ctx->sig_alloc) <= 0) die ("OpenSSL EVP_DigestSignFinal (... NULL ...) failed.\n"); ctx->signature = xalloc (ctx->sig_alloc); ctx->sig_size = ctx->sig_alloc; if (EVP_DigestSignFinal (ctx->md_ctx, ctx->signature, &ctx->sig_size) <= 0) die ("OpenSSL EVP_DigestSignFinal failed.\n"); return ctx; } static void * bench_openssl_rsa_init (unsigned size) { /* Always uses e = 65537? */ return bench_openssl_init (EVP_RSA_gen(size), EVP_sha256()); } static void bench_openssl_sign (void *p) { struct openssl_ctx *ctx = p; if (EVP_DigestSignInit (ctx->md_ctx, NULL, ctx->md, NULL, ctx->key) <= 0) die ("OpenSSL EVP_DigestSignInit failed."); if (EVP_DigestSignUpdate (ctx->md_ctx, "foo", 3) <= 0) die ("OpenSSL EVP_DigestSignUpdate failed."); ctx->sig_size = ctx->sig_alloc; if (EVP_DigestSignFinal (ctx->md_ctx, ctx->signature, &ctx->sig_size) <= 0) die ("OpenSSL EVP_DigestSignFinal failed.\n"); } static void bench_openssl_verify (void *p) { const struct openssl_ctx *ctx = p; if (EVP_DigestVerifyInit (ctx->md_ctx, NULL, ctx->md, NULL, ctx->key) <= 0) die ("OpenSSL EVP_DigestVerifyInit failed.\n"); if (EVP_DigestVerifyUpdate (ctx->md_ctx, "foo", 3) <= 0) die ("OpenSSL EVP_DigestVerifyUpdate failed."); if (EVP_DigestVerifyFinal (ctx->md_ctx, ctx->signature, ctx->sig_size) <= 0) die ("OpenSSL EVP_DigestVerifyFinal failed.\n"); } static void bench_openssl_clear (void *p) { struct openssl_ctx *ctx = p; EVP_PKEY_free (ctx->key); EVP_MD_CTX_free (ctx->md_ctx); free (ctx->signature); free (ctx); } static void * bench_openssl_ecdsa_init (unsigned size) { struct openssl_ctx *ctx = xalloc (sizeof (*ctx)); switch (size) { case 192: /* Larger hash is truncated? */ return bench_openssl_init (EVP_EC_gen ("P-192"), EVP_sha256()); case 224: return bench_openssl_init (EVP_EC_gen ("P-224"), EVP_sha224()); case 256: return bench_openssl_init (EVP_EC_gen ("P-256"), EVP_sha256()); case 384: return bench_openssl_init (EVP_EC_gen ("P-384"), EVP_sha384()); case 521: return bench_openssl_init (EVP_EC_gen ("P-521"), EVP_sha512()); default: die ("Internal error.\n"); } } #endif struct curve_ctx { uint8_t x[CURVE448_SIZE]; uint8_t s[CURVE448_SIZE]; void (*mul_g)(uint8_t *q, const uint8_t *n); void (*mul)(uint8_t *q, const uint8_t *n, const uint8_t *p); }; static void * bench_curve_init (unsigned size) { struct knuth_lfib_ctx lfib; struct curve_ctx *ctx = xalloc (sizeof (*ctx)); knuth_lfib_init (&lfib, 17); switch (size) { case 255: ctx->mul = curve25519_mul; ctx->mul_g = curve25519_mul_g; knuth_lfib_random (&lfib, CURVE25519_SIZE, ctx->s); break; case 448: ctx->mul = curve448_mul; ctx->mul_g = curve448_mul_g; knuth_lfib_random (&lfib, CURVE448_SIZE, ctx->s); break; default: abort (); } ctx->mul_g (ctx->x, ctx->s); return ctx; } static void bench_curve_mul_g (void *p) { struct curve_ctx *ctx = p; uint8_t q[CURVE448_SIZE]; ctx->mul_g (q, ctx->s); } static void bench_curve_mul (void *p) { struct curve_ctx *ctx = p; uint8_t q[CURVE448_SIZE]; ctx->mul (q, ctx->s, ctx->x); } static void bench_curve_clear (void *p) { free (p); } struct alg alg_list[] = { { "rsa", 1024, bench_rsa_init, bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, { "rsa", 2048, bench_rsa_init, bench_rsa_sign, bench_rsa_verify, bench_rsa_clear }, { "rsa-tr", 1024, bench_rsa_init, bench_rsa_sign_tr, bench_rsa_verify, bench_rsa_clear }, { "rsa-tr", 2048, bench_rsa_init, bench_rsa_sign_tr, bench_rsa_verify, bench_rsa_clear }, #if WITH_OPENSSL { "rsa (openssl)", 1024, bench_openssl_rsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "rsa (openssl)", 2048, bench_openssl_rsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, #endif { "dsa", 1024, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear }, #if 0 { "dsa",2048, bench_dsa_init, bench_dsa_sign, bench_dsa_verify, bench_dsa_clear }, #endif { "ecdsa", 192, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 224, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 256, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 384, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, { "ecdsa", 521, bench_ecdsa_init, bench_ecdsa_sign, bench_ecdsa_verify, bench_ecdsa_clear }, #if WITH_OPENSSL { "ecdsa (openssl)", 192, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "ecdsa (openssl)", 224, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "ecdsa (openssl)", 256, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "ecdsa (openssl)", 384, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, { "ecdsa (openssl)", 521, bench_openssl_ecdsa_init, bench_openssl_sign, bench_openssl_verify, bench_openssl_clear }, #endif { "eddsa", 255, bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify, bench_eddsa_clear }, { "eddsa", 448, bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify, bench_eddsa_clear }, { "curve", 255, bench_curve_init, bench_curve_mul_g, bench_curve_mul, bench_curve_clear}, { "curve", 448, bench_curve_init, bench_curve_mul_g, bench_curve_mul, bench_curve_clear }, { "gostdsa", 256, bench_gostdsa_init, bench_gostdsa_sign, bench_gostdsa_verify, bench_gostdsa_clear }, { "gostdsa", 512, bench_gostdsa_init, bench_gostdsa_sign, bench_gostdsa_verify, bench_gostdsa_clear }, }; #define numberof(x) (sizeof (x) / sizeof ((x)[0])) int main (int argc, char **argv) { const char *filter = NULL; unsigned i; if (argc > 1) filter = argv[1]; time_init(); printf ("%16s %4s %9s %9s\n", "name", "size", "sign/ms", "verify/ms"); for (i = 0; i < numberof(alg_list); i++) if (!filter || strstr (alg_list[i].name, filter)) bench_alg (&alg_list[i]); return EXIT_SUCCESS; } nettle-3.10/examples/base16enc.c0000644000175000017500000000543714633602172015522 0ustar nissenisse/* base16enc -- an encoder for base16 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base16.h" #include "io.h" /* The number of bytes read in each iteration, we do one line at a time: */ #define CHUNK_SIZE 36 /* The *maximum* size of an encoded chunk: */ #define ENCODED_SIZE BASE16_ENCODE_LENGTH(CHUNK_SIZE) /* * Reads bytes from standard input and writes base64-encoded * on standard output. */ int main(int argc UNUSED, char **argv UNUSED) { #ifdef WIN32 _setmode(0, O_BINARY); #endif /* There is no context to initialize. */ for (;;) { /* "buffer" will hold the bytes from disk: */ uint8_t buffer[CHUNK_SIZE]; /* "result" will hold bytes before output: */ char result[ENCODED_SIZE + 1]; unsigned nbytes; /* Number of bytes read from stdin */ int encoded_bytes; /* Total number of bytes encoded per iteration */ nbytes = fread(buffer,1,CHUNK_SIZE,stdin); /* We overwrite result with more data */ base16_encode_update(result, nbytes, buffer); encoded_bytes = BASE16_ENCODE_LENGTH(nbytes); result[encoded_bytes++] = '\n'; if (nbytes < CHUNK_SIZE) { if (ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } if (!write_data (stdout, encoded_bytes, result) || fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } return EXIT_SUCCESS; } /* The result vector is printed */ if (!write_data(stdout, encoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } } } nettle-3.10/examples/base16dec.c0000644000175000017500000000571714633602172015511 0ustar nissenisse/* base16dec -- an decoder for base16 Copyright (C) 2006, 2012 Jeronimo Pellegrini, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #ifdef WIN32 #include #endif #include "base16.h" #include "io.h" #define CHUNK_SIZE 16392 /* The maximum number of bytes generated for each chunk: */ #define DECODED_SIZE BASE16_DECODE_LENGTH(CHUNK_SIZE) /* * Reads base-16 encoded from stdin, writes decoded to stdout. */ int main(int argc UNUSED, char **argv UNUSED) { /* "buffer" will hold the bytes from disk: */ char * buffer = xalloc (CHUNK_SIZE); /* "result" will hold bytes before output: */ uint8_t * result = xalloc (DECODED_SIZE); /* We need a Base16 context for decoding: */ struct base16_decode_ctx b16_ctx; /* Init the context: */ base16_decode_init (&b16_ctx); #ifdef WIN32 _setmode(1, O_BINARY); #endif for (;;) { int nbytes; /* Number of bytes read frmo disk at each iteration */ size_t decoded_bytes; /* Bytes actually generated at each iteration */ nbytes = fread(buffer, 1, CHUNK_SIZE, stdin); if (nbytes < CHUNK_SIZE && ferror(stdin)) { werror ("Error reading file: %s\n", strerror(errno)); return EXIT_FAILURE; } /* Decodes one chunk: */ if (!base16_decode_update(&b16_ctx, &decoded_bytes, result, nbytes, buffer)) { werror ("Error decoding input (not base16?)\n"); return EXIT_FAILURE; } if (!write_data (stdout, decoded_bytes, result)) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } if (nbytes < CHUNK_SIZE) { /* Check if decoding finalized OK: */ if (!base16_decode_final(&b16_ctx)) { werror("Decoding did not finish properly.\n"); return EXIT_FAILURE; } break; } } if (fflush (stdout) != 0) { werror ("Error writing file: %s\n", strerror(errno)); return EXIT_FAILURE; } free (buffer); free (result); return EXIT_SUCCESS; } nettle-3.10/hmac-md5.c0000644000175000017500000000300014633602171013507 0ustar nissenisse/* hmac-md5.c HMAC-MD5 message authentication code. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_md5_set_key(struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_md5, key_length, key); } void hmac_md5_update(struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data) { md5_update(&ctx->state, length, data); } void hmac_md5_digest(struct hmac_md5_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_md5, length, digest); } nettle-3.10/ccm.c0000644000175000017500000002123214633602171012665 0ustar nissenisse/* ccm.c Counter with CBC-MAC mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "ccm.h" #include "ctr.h" #include "memops.h" #include "nettle-internal.h" #include "macros.h" /* * The format of the CCM IV (for both CTR and CBC-MAC) is: flags | nonce | count * flags = 1 octet * nonce = N octets * count >= 1 octet * * such that: * sizeof(flags) + sizeof(nonce) + sizeof(count) == 1 block */ #define CCM_FLAG_L 0x07 #define CCM_FLAG_M 0x38 #define CCM_FLAG_ADATA 0x40 #define CCM_FLAG_RESERVED 0x80 #define CCM_FLAG_GET_L(_x_) (((_x_) & CCM_FLAG_L) + 1) #define CCM_FLAG_SET_L(_x_) (((_x_) - 1) & CCM_FLAG_L) #define CCM_FLAG_SET_M(_x_) ((((_x_) - 2) << 2) & CCM_FLAG_M) #define CCM_OFFSET_FLAGS 0 #define CCM_OFFSET_NONCE 1 #define CCM_L_SIZE(_nlen_) (CCM_BLOCK_SIZE - CCM_OFFSET_NONCE - (_nlen_)) /* * The data input to the CBC-MAC: L(a) | adata | padding | plaintext | padding * * blength is the length of data that has been added to the CBC-MAC modulus the * cipher block size. If the value of blength is non-zero then some data has * been XOR'ed into the CBC-MAC, and we will need to pad the block (XOR with 0), * and iterate the cipher one more time. * * The end of adata is detected implicitly by the first call to the encrypt() * and decrypt() functions, and will call ccm_pad() to insert the padding if * necessary. Because of the underlying CTR encryption, the encrypt() and * decrypt() functions must be called with a multiple of the block size and * therefore blength should be zero on all but the first call. * * Likewise, the end of the plaintext is implicitly determined by the first call * to the digest() function, which will pad if the final CTR encryption was not * a multiple of the block size. */ static void ccm_pad(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f) { if (ctx->blength) f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); ctx->blength = 0; } static void ccm_build_iv(uint8_t *iv, size_t noncelen, const uint8_t *nonce, uint8_t flags, size_t count) { unsigned int i; /* Sanity check the nonce length. */ assert(noncelen >= CCM_MIN_NONCE_SIZE); assert(noncelen <= CCM_MAX_NONCE_SIZE); /* Generate the IV */ iv[CCM_OFFSET_FLAGS] = flags | CCM_FLAG_SET_L(CCM_L_SIZE(noncelen)); memcpy(&iv[CCM_OFFSET_NONCE], nonce, noncelen); for (i=(CCM_BLOCK_SIZE - 1); i >= (CCM_OFFSET_NONCE + noncelen); i--) { iv[i] = count & 0xff; count >>= 8; } /* Ensure the count was not truncated. */ assert(!count); } void ccm_set_nonce(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { /* Generate the IV for the CTR and CBC-MAC */ ctx->blength = 0; ccm_build_iv(ctx->tag.b, length, nonce, CCM_FLAG_SET_M(taglen), msglen); ccm_build_iv(ctx->ctr.b, length, nonce, 0, 1); /* If no auth data, encrypt B0 and skip L(a) */ if (!authlen) { f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); return; } /* Encrypt B0 (with the adata flag), and input L(a) to the CBC-MAC. */ ctx->tag.b[CCM_OFFSET_FLAGS] |= CCM_FLAG_ADATA; f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); #if SIZEOF_SIZE_T > 4 if (authlen >= (0x01ULL << 32)) { /* Encode L(a) as 0xff || 0xff || <64-bit integer> */ ctx->tag.b[ctx->blength++] ^= 0xff; ctx->tag.b[ctx->blength++] ^= 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 56) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 48) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 40) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 32) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; } else #endif if (authlen >= ((0x1ULL << 16) - (0x1ULL << 8))) { /* Encode L(a) as 0xff || 0xfe || <32-bit integer> */ ctx->tag.b[ctx->blength++] ^= 0xff; ctx->tag.b[ctx->blength++] ^= 0xfe; ctx->tag.b[ctx->blength++] ^= (authlen >> 24) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 16) & 0xff; } ctx->tag.b[ctx->blength++] ^= (authlen >> 8) & 0xff; ctx->tag.b[ctx->blength++] ^= (authlen >> 0) & 0xff; } void ccm_update(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data) { const uint8_t *end = data + length; /* If we don't have enough to fill a block, save the data for later. */ if ((ctx->blength + length) < CCM_BLOCK_SIZE) { memxor(&ctx->tag.b[ctx->blength], data, length); ctx->blength += length; return; } /* Process a partially filled block. */ if (ctx->blength) { memxor(&ctx->tag.b[ctx->blength], data, CCM_BLOCK_SIZE - ctx->blength); data += (CCM_BLOCK_SIZE - ctx->blength); f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); } /* Process full blocks. */ while ((data + CCM_BLOCK_SIZE) < end) { memxor(ctx->tag.b, data, CCM_BLOCK_SIZE); f(cipher, CCM_BLOCK_SIZE, ctx->tag.b, ctx->tag.b); data += CCM_BLOCK_SIZE; } /* while */ /* Save leftovers for later. */ ctx->blength = (end - data); if (ctx->blength) memxor(&ctx->tag.b, data, ctx->blength); } /* * Because of the underlying CTR mode encryption, when called multiple times * the data in intermediate calls must be provided in multiples of the block * size. */ void ccm_encrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { ccm_pad(ctx, cipher, f); ccm_update(ctx, cipher, f, length, src); ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); } /* * Because of the underlying CTR mode decryption, when called multiple times * the data in intermediate calls must be provided in multiples of the block * size. */ void ccm_decrypt(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, dst, src); ccm_pad(ctx, cipher, f); ccm_update(ctx, cipher, f, length, dst); } void ccm_digest(struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest) { int i = CCM_BLOCK_SIZE - CCM_FLAG_GET_L(ctx->ctr.b[CCM_OFFSET_FLAGS]); assert(length <= CCM_BLOCK_SIZE); while (i < CCM_BLOCK_SIZE) ctx->ctr.b[i++] = 0; ccm_pad(ctx, cipher, f); ctr_crypt(cipher, f, CCM_BLOCK_SIZE, ctx->ctr.b, length, digest, ctx->tag.b); } void ccm_encrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { struct ccm_ctx ctx; uint8_t *tag = dst + (clength-tlength); assert(clength >= tlength); ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, clength-tlength, tlength); ccm_update(&ctx, cipher, f, alength, adata); ccm_encrypt(&ctx, cipher, f, clength-tlength, dst, src); ccm_digest(&ctx, cipher, f, tlength, tag); } int ccm_decrypt_message(const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { struct ccm_ctx ctx; uint8_t tag[CCM_BLOCK_SIZE]; ccm_set_nonce(&ctx, cipher, f, nlength, nonce, alength, mlength, tlength); ccm_update(&ctx, cipher, f, alength, adata); ccm_decrypt(&ctx, cipher, f, mlength, dst, src); ccm_digest(&ctx, cipher, f, tlength, tag); return memeql_sec(tag, src + mlength, tlength); } nettle-3.10/siv-gcm-aes256.c0000644000175000017500000000353114633602171014475 0ustar nissenisse/* siv-gcm-aes256.c AES-GCM-SIV, RFC8452 Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "siv-gcm.h" void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { struct aes256_ctx ctr_ctx; siv_gcm_encrypt_message (&nettle_aes256, ctx, &ctr_ctx, nlength, nonce, alength, adata, clength, dst, src); } int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { struct aes256_ctx ctr_ctx; return siv_gcm_decrypt_message (&nettle_aes256, ctx, &ctr_ctx, nlength, nonce, alength, adata, mlength, dst, src); } nettle-3.10/poly1305.h0000644000175000017500000000604114633602172013426 0ustar nissenisse/* poly1305.h Poly1305 message authentication code. Copyright (C) 2013 Nikos Mavrogiannopoulos Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_POLY1305_H_INCLUDED #define NETTLE_POLY1305_H_INCLUDED #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define poly1305_aes_set_key nettle_poly1305_aes_set_key #define poly1305_aes_set_nonce nettle_poly1305_aes_set_nonce #define poly1305_aes_update nettle_poly1305_aes_update #define poly1305_aes_digest nettle_poly1305_aes_digest /* Low level functions/macros for the poly1305 construction. */ #define POLY1305_BLOCK_SIZE 16 struct poly1305_ctx { /* Key, 128-bit value and some cached multiples. */ union { uint32_t r32[6]; uint64_t r64[3]; } r; uint32_t s32[3]; /* State, represented as words of 26, 32 or 64 bits, depending on implementation. */ /* High bits first, to maintain alignment. */ uint32_t hh; union { uint32_t h32[4]; uint64_t h64[2]; } h; }; /* poly1305-aes */ #define POLY1305_AES_KEY_SIZE 32 #define POLY1305_AES_DIGEST_SIZE 16 #define POLY1305_AES_NONCE_SIZE 16 struct poly1305_aes_ctx { /* Keep aes context last, to make it possible to use a general poly1305_update if other variants are added. */ struct poly1305_ctx pctx; uint8_t block[POLY1305_BLOCK_SIZE]; unsigned index; uint8_t nonce[POLY1305_BLOCK_SIZE]; struct aes128_ctx aes; }; /* Also initialize the nonce to zero. */ void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key); /* Optional, if not used, messages get incrementing nonces starting from zero. */ void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t *nonce); /* Update is not aes-specific, but since this is the only implemented variant, we need no more general poly1305_update. */ void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data); /* Also increments the nonce */ void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_POLY1305_H_INCLUDED */ nettle-3.10/ed25519-sha512-pubkey.c0000644000175000017500000000332014633602172015416 0ustar nissenisse/* ed25519-sha512-pubkey.c Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "sha2.h" void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv) { const struct ecc_curve *ecc = &_nettle_curve25519; struct sha512_ctx ctx; uint8_t digest[SHA512_DIGEST_SIZE]; mp_size_t itch = ecc->q.size + _eddsa_public_key_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k scratch #define scratch_out (scratch + ecc->q.size) sha512_init (&ctx); _eddsa_expand_key (ecc, &_nettle_ed25519_sha512, &ctx, priv, digest, k); _eddsa_public_key (ecc, k, pub, scratch_out); gmp_free_limbs (scratch, itch); #undef k #undef scratch_out } nettle-3.10/non-nettle.h0000644000175000017500000000615614633602172014224 0ustar nissenisse/* non-nettle.h Things that are used only by the testsuite and benchmark, and not included in the library. Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_NON_NETTLE_H_INCLUDED #define NETTLE_NON_NETTLE_H_INCLUDED #include "nettle-meta.h" #include "ocb.h" #include "aes.h" /* Doesn't quite fit with the other algorithms, because of the weak * keys. Weak keys are not reported, the functions will simply crash * if you try to use a weak key. */ extern const struct nettle_cipher nettle_des; extern const struct nettle_cipher nettle_des3; extern const struct nettle_cipher nettle_blowfish128; extern const struct nettle_cipher nettle_unified_aes128; extern const struct nettle_cipher nettle_unified_aes192; extern const struct nettle_cipher nettle_unified_aes256; /* Stream ciphers treated as aead algorithms with no authentication. */ extern const struct nettle_aead nettle_arcfour128; extern const struct nettle_aead nettle_chacha; extern const struct nettle_aead nettle_salsa20; extern const struct nettle_aead nettle_salsa20r12; /* All-in-one CBC encrypt functinos treated as AEAD with no authentication and no decrypt method. */ extern const struct nettle_aead nettle_cbc_aes128; extern const struct nettle_aead nettle_cbc_aes192; extern const struct nettle_aead nettle_cbc_aes256; extern const struct nettle_aead nettle_openssl_gcm_aes128; extern const struct nettle_aead nettle_openssl_gcm_aes192; extern const struct nettle_aead nettle_openssl_gcm_aes256; /* Glue to openssl, for comparative benchmarking. Code in * examples/nettle-openssl.c. */ extern const struct nettle_cipher nettle_openssl_aes128; extern const struct nettle_cipher nettle_openssl_aes192; extern const struct nettle_cipher nettle_openssl_aes256; extern const struct nettle_hash nettle_openssl_md5; extern const struct nettle_hash nettle_openssl_sha1; /* OCB-declarations to be moved to a public header file, once it's settled which nonce and tag sizes to use. */ #define OCB_NONCE_SIZE 12 struct ocb_aes128_ctx { struct ocb_ctx ocb; struct ocb_aes128_encrypt_key key; struct aes128_ctx decrypt; }; extern const struct nettle_aead nettle_ocb_aes128; #endif /* NETTLE_NON_NETTLE_H_INCLUDED */ nettle-3.10/aes-encrypt-table.c0000644000175000017500000003537114633602171015453 0ustar nissenisse/* aes-encrypt-table.c Encryption table for the aes/rijndael block cipher. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" /* Tables are assembled using little-endian byte order, including the * pre-rotated variants. Generated by aesdata.c. * * Note that AES is byte order agnostic, we only need to be consistent * and use the same byteorder when processing key, cleartext and * ciphertext bytes. * * Little-endian means that the first row of the AES state arrays * occupy the least significant byte of the words, which is also * consistent with the row numbering. */ const struct aes_table _nettle_aes_encrypt_table = { /* sbox */ { 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5, 0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76, 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0, 0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0, 0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc, 0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15, 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a, 0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75, 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0, 0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84, 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b, 0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf, 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85, 0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8, 0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5, 0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2, 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17, 0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73, 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88, 0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb, 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c, 0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79, 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9, 0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08, 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6, 0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a, 0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e, 0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e, 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94, 0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf, 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68, 0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16, }, { /* dtable */ { 0xa56363c6,0x847c7cf8,0x997777ee,0x8d7b7bf6, 0x0df2f2ff,0xbd6b6bd6,0xb16f6fde,0x54c5c591, 0x50303060,0x03010102,0xa96767ce,0x7d2b2b56, 0x19fefee7,0x62d7d7b5,0xe6abab4d,0x9a7676ec, 0x45caca8f,0x9d82821f,0x40c9c989,0x877d7dfa, 0x15fafaef,0xeb5959b2,0xc947478e,0x0bf0f0fb, 0xecadad41,0x67d4d4b3,0xfda2a25f,0xeaafaf45, 0xbf9c9c23,0xf7a4a453,0x967272e4,0x5bc0c09b, 0xc2b7b775,0x1cfdfde1,0xae93933d,0x6a26264c, 0x5a36366c,0x413f3f7e,0x02f7f7f5,0x4fcccc83, 0x5c343468,0xf4a5a551,0x34e5e5d1,0x08f1f1f9, 0x937171e2,0x73d8d8ab,0x53313162,0x3f15152a, 0x0c040408,0x52c7c795,0x65232346,0x5ec3c39d, 0x28181830,0xa1969637,0x0f05050a,0xb59a9a2f, 0x0907070e,0x36121224,0x9b80801b,0x3de2e2df, 0x26ebebcd,0x6927274e,0xcdb2b27f,0x9f7575ea, 0x1b090912,0x9e83831d,0x742c2c58,0x2e1a1a34, 0x2d1b1b36,0xb26e6edc,0xee5a5ab4,0xfba0a05b, 0xf65252a4,0x4d3b3b76,0x61d6d6b7,0xceb3b37d, 0x7b292952,0x3ee3e3dd,0x712f2f5e,0x97848413, 0xf55353a6,0x68d1d1b9,0x00000000,0x2cededc1, 0x60202040,0x1ffcfce3,0xc8b1b179,0xed5b5bb6, 0xbe6a6ad4,0x46cbcb8d,0xd9bebe67,0x4b393972, 0xde4a4a94,0xd44c4c98,0xe85858b0,0x4acfcf85, 0x6bd0d0bb,0x2aefefc5,0xe5aaaa4f,0x16fbfbed, 0xc5434386,0xd74d4d9a,0x55333366,0x94858511, 0xcf45458a,0x10f9f9e9,0x06020204,0x817f7ffe, 0xf05050a0,0x443c3c78,0xba9f9f25,0xe3a8a84b, 0xf35151a2,0xfea3a35d,0xc0404080,0x8a8f8f05, 0xad92923f,0xbc9d9d21,0x48383870,0x04f5f5f1, 0xdfbcbc63,0xc1b6b677,0x75dadaaf,0x63212142, 0x30101020,0x1affffe5,0x0ef3f3fd,0x6dd2d2bf, 0x4ccdcd81,0x140c0c18,0x35131326,0x2fececc3, 0xe15f5fbe,0xa2979735,0xcc444488,0x3917172e, 0x57c4c493,0xf2a7a755,0x827e7efc,0x473d3d7a, 0xac6464c8,0xe75d5dba,0x2b191932,0x957373e6, 0xa06060c0,0x98818119,0xd14f4f9e,0x7fdcdca3, 0x66222244,0x7e2a2a54,0xab90903b,0x8388880b, 0xca46468c,0x29eeeec7,0xd3b8b86b,0x3c141428, 0x79dedea7,0xe25e5ebc,0x1d0b0b16,0x76dbdbad, 0x3be0e0db,0x56323264,0x4e3a3a74,0x1e0a0a14, 0xdb494992,0x0a06060c,0x6c242448,0xe45c5cb8, 0x5dc2c29f,0x6ed3d3bd,0xefacac43,0xa66262c4, 0xa8919139,0xa4959531,0x37e4e4d3,0x8b7979f2, 0x32e7e7d5,0x43c8c88b,0x5937376e,0xb76d6dda, 0x8c8d8d01,0x64d5d5b1,0xd24e4e9c,0xe0a9a949, 0xb46c6cd8,0xfa5656ac,0x07f4f4f3,0x25eaeacf, 0xaf6565ca,0x8e7a7af4,0xe9aeae47,0x18080810, 0xd5baba6f,0x887878f0,0x6f25254a,0x722e2e5c, 0x241c1c38,0xf1a6a657,0xc7b4b473,0x51c6c697, 0x23e8e8cb,0x7cdddda1,0x9c7474e8,0x211f1f3e, 0xdd4b4b96,0xdcbdbd61,0x868b8b0d,0x858a8a0f, 0x907070e0,0x423e3e7c,0xc4b5b571,0xaa6666cc, 0xd8484890,0x05030306,0x01f6f6f7,0x120e0e1c, 0xa36161c2,0x5f35356a,0xf95757ae,0xd0b9b969, 0x91868617,0x58c1c199,0x271d1d3a,0xb99e9e27, 0x38e1e1d9,0x13f8f8eb,0xb398982b,0x33111122, 0xbb6969d2,0x70d9d9a9,0x898e8e07,0xa7949433, 0xb69b9b2d,0x221e1e3c,0x92878715,0x20e9e9c9, 0x49cece87,0xff5555aa,0x78282850,0x7adfdfa5, 0x8f8c8c03,0xf8a1a159,0x80898909,0x170d0d1a, 0xdabfbf65,0x31e6e6d7,0xc6424284,0xb86868d0, 0xc3414182,0xb0999929,0x772d2d5a,0x110f0f1e, 0xcbb0b07b,0xfc5454a8,0xd6bbbb6d,0x3a16162c, }, #if !AES_SMALL { 0x6363c6a5,0x7c7cf884,0x7777ee99,0x7b7bf68d, 0xf2f2ff0d,0x6b6bd6bd,0x6f6fdeb1,0xc5c59154, 0x30306050,0x01010203,0x6767cea9,0x2b2b567d, 0xfefee719,0xd7d7b562,0xabab4de6,0x7676ec9a, 0xcaca8f45,0x82821f9d,0xc9c98940,0x7d7dfa87, 0xfafaef15,0x5959b2eb,0x47478ec9,0xf0f0fb0b, 0xadad41ec,0xd4d4b367,0xa2a25ffd,0xafaf45ea, 0x9c9c23bf,0xa4a453f7,0x7272e496,0xc0c09b5b, 0xb7b775c2,0xfdfde11c,0x93933dae,0x26264c6a, 0x36366c5a,0x3f3f7e41,0xf7f7f502,0xcccc834f, 0x3434685c,0xa5a551f4,0xe5e5d134,0xf1f1f908, 0x7171e293,0xd8d8ab73,0x31316253,0x15152a3f, 0x0404080c,0xc7c79552,0x23234665,0xc3c39d5e, 0x18183028,0x969637a1,0x05050a0f,0x9a9a2fb5, 0x07070e09,0x12122436,0x80801b9b,0xe2e2df3d, 0xebebcd26,0x27274e69,0xb2b27fcd,0x7575ea9f, 0x0909121b,0x83831d9e,0x2c2c5874,0x1a1a342e, 0x1b1b362d,0x6e6edcb2,0x5a5ab4ee,0xa0a05bfb, 0x5252a4f6,0x3b3b764d,0xd6d6b761,0xb3b37dce, 0x2929527b,0xe3e3dd3e,0x2f2f5e71,0x84841397, 0x5353a6f5,0xd1d1b968,0x00000000,0xededc12c, 0x20204060,0xfcfce31f,0xb1b179c8,0x5b5bb6ed, 0x6a6ad4be,0xcbcb8d46,0xbebe67d9,0x3939724b, 0x4a4a94de,0x4c4c98d4,0x5858b0e8,0xcfcf854a, 0xd0d0bb6b,0xefefc52a,0xaaaa4fe5,0xfbfbed16, 0x434386c5,0x4d4d9ad7,0x33336655,0x85851194, 0x45458acf,0xf9f9e910,0x02020406,0x7f7ffe81, 0x5050a0f0,0x3c3c7844,0x9f9f25ba,0xa8a84be3, 0x5151a2f3,0xa3a35dfe,0x404080c0,0x8f8f058a, 0x92923fad,0x9d9d21bc,0x38387048,0xf5f5f104, 0xbcbc63df,0xb6b677c1,0xdadaaf75,0x21214263, 0x10102030,0xffffe51a,0xf3f3fd0e,0xd2d2bf6d, 0xcdcd814c,0x0c0c1814,0x13132635,0xececc32f, 0x5f5fbee1,0x979735a2,0x444488cc,0x17172e39, 0xc4c49357,0xa7a755f2,0x7e7efc82,0x3d3d7a47, 0x6464c8ac,0x5d5dbae7,0x1919322b,0x7373e695, 0x6060c0a0,0x81811998,0x4f4f9ed1,0xdcdca37f, 0x22224466,0x2a2a547e,0x90903bab,0x88880b83, 0x46468cca,0xeeeec729,0xb8b86bd3,0x1414283c, 0xdedea779,0x5e5ebce2,0x0b0b161d,0xdbdbad76, 0xe0e0db3b,0x32326456,0x3a3a744e,0x0a0a141e, 0x494992db,0x06060c0a,0x2424486c,0x5c5cb8e4, 0xc2c29f5d,0xd3d3bd6e,0xacac43ef,0x6262c4a6, 0x919139a8,0x959531a4,0xe4e4d337,0x7979f28b, 0xe7e7d532,0xc8c88b43,0x37376e59,0x6d6ddab7, 0x8d8d018c,0xd5d5b164,0x4e4e9cd2,0xa9a949e0, 0x6c6cd8b4,0x5656acfa,0xf4f4f307,0xeaeacf25, 0x6565caaf,0x7a7af48e,0xaeae47e9,0x08081018, 0xbaba6fd5,0x7878f088,0x25254a6f,0x2e2e5c72, 0x1c1c3824,0xa6a657f1,0xb4b473c7,0xc6c69751, 0xe8e8cb23,0xdddda17c,0x7474e89c,0x1f1f3e21, 0x4b4b96dd,0xbdbd61dc,0x8b8b0d86,0x8a8a0f85, 0x7070e090,0x3e3e7c42,0xb5b571c4,0x6666ccaa, 0x484890d8,0x03030605,0xf6f6f701,0x0e0e1c12, 0x6161c2a3,0x35356a5f,0x5757aef9,0xb9b969d0, 0x86861791,0xc1c19958,0x1d1d3a27,0x9e9e27b9, 0xe1e1d938,0xf8f8eb13,0x98982bb3,0x11112233, 0x6969d2bb,0xd9d9a970,0x8e8e0789,0x949433a7, 0x9b9b2db6,0x1e1e3c22,0x87871592,0xe9e9c920, 0xcece8749,0x5555aaff,0x28285078,0xdfdfa57a, 0x8c8c038f,0xa1a159f8,0x89890980,0x0d0d1a17, 0xbfbf65da,0xe6e6d731,0x424284c6,0x6868d0b8, 0x414182c3,0x999929b0,0x2d2d5a77,0x0f0f1e11, 0xb0b07bcb,0x5454a8fc,0xbbbb6dd6,0x16162c3a, },{ 0x63c6a563,0x7cf8847c,0x77ee9977,0x7bf68d7b, 0xf2ff0df2,0x6bd6bd6b,0x6fdeb16f,0xc59154c5, 0x30605030,0x01020301,0x67cea967,0x2b567d2b, 0xfee719fe,0xd7b562d7,0xab4de6ab,0x76ec9a76, 0xca8f45ca,0x821f9d82,0xc98940c9,0x7dfa877d, 0xfaef15fa,0x59b2eb59,0x478ec947,0xf0fb0bf0, 0xad41ecad,0xd4b367d4,0xa25ffda2,0xaf45eaaf, 0x9c23bf9c,0xa453f7a4,0x72e49672,0xc09b5bc0, 0xb775c2b7,0xfde11cfd,0x933dae93,0x264c6a26, 0x366c5a36,0x3f7e413f,0xf7f502f7,0xcc834fcc, 0x34685c34,0xa551f4a5,0xe5d134e5,0xf1f908f1, 0x71e29371,0xd8ab73d8,0x31625331,0x152a3f15, 0x04080c04,0xc79552c7,0x23466523,0xc39d5ec3, 0x18302818,0x9637a196,0x050a0f05,0x9a2fb59a, 0x070e0907,0x12243612,0x801b9b80,0xe2df3de2, 0xebcd26eb,0x274e6927,0xb27fcdb2,0x75ea9f75, 0x09121b09,0x831d9e83,0x2c58742c,0x1a342e1a, 0x1b362d1b,0x6edcb26e,0x5ab4ee5a,0xa05bfba0, 0x52a4f652,0x3b764d3b,0xd6b761d6,0xb37dceb3, 0x29527b29,0xe3dd3ee3,0x2f5e712f,0x84139784, 0x53a6f553,0xd1b968d1,0x00000000,0xedc12ced, 0x20406020,0xfce31ffc,0xb179c8b1,0x5bb6ed5b, 0x6ad4be6a,0xcb8d46cb,0xbe67d9be,0x39724b39, 0x4a94de4a,0x4c98d44c,0x58b0e858,0xcf854acf, 0xd0bb6bd0,0xefc52aef,0xaa4fe5aa,0xfbed16fb, 0x4386c543,0x4d9ad74d,0x33665533,0x85119485, 0x458acf45,0xf9e910f9,0x02040602,0x7ffe817f, 0x50a0f050,0x3c78443c,0x9f25ba9f,0xa84be3a8, 0x51a2f351,0xa35dfea3,0x4080c040,0x8f058a8f, 0x923fad92,0x9d21bc9d,0x38704838,0xf5f104f5, 0xbc63dfbc,0xb677c1b6,0xdaaf75da,0x21426321, 0x10203010,0xffe51aff,0xf3fd0ef3,0xd2bf6dd2, 0xcd814ccd,0x0c18140c,0x13263513,0xecc32fec, 0x5fbee15f,0x9735a297,0x4488cc44,0x172e3917, 0xc49357c4,0xa755f2a7,0x7efc827e,0x3d7a473d, 0x64c8ac64,0x5dbae75d,0x19322b19,0x73e69573, 0x60c0a060,0x81199881,0x4f9ed14f,0xdca37fdc, 0x22446622,0x2a547e2a,0x903bab90,0x880b8388, 0x468cca46,0xeec729ee,0xb86bd3b8,0x14283c14, 0xdea779de,0x5ebce25e,0x0b161d0b,0xdbad76db, 0xe0db3be0,0x32645632,0x3a744e3a,0x0a141e0a, 0x4992db49,0x060c0a06,0x24486c24,0x5cb8e45c, 0xc29f5dc2,0xd3bd6ed3,0xac43efac,0x62c4a662, 0x9139a891,0x9531a495,0xe4d337e4,0x79f28b79, 0xe7d532e7,0xc88b43c8,0x376e5937,0x6ddab76d, 0x8d018c8d,0xd5b164d5,0x4e9cd24e,0xa949e0a9, 0x6cd8b46c,0x56acfa56,0xf4f307f4,0xeacf25ea, 0x65caaf65,0x7af48e7a,0xae47e9ae,0x08101808, 0xba6fd5ba,0x78f08878,0x254a6f25,0x2e5c722e, 0x1c38241c,0xa657f1a6,0xb473c7b4,0xc69751c6, 0xe8cb23e8,0xdda17cdd,0x74e89c74,0x1f3e211f, 0x4b96dd4b,0xbd61dcbd,0x8b0d868b,0x8a0f858a, 0x70e09070,0x3e7c423e,0xb571c4b5,0x66ccaa66, 0x4890d848,0x03060503,0xf6f701f6,0x0e1c120e, 0x61c2a361,0x356a5f35,0x57aef957,0xb969d0b9, 0x86179186,0xc19958c1,0x1d3a271d,0x9e27b99e, 0xe1d938e1,0xf8eb13f8,0x982bb398,0x11223311, 0x69d2bb69,0xd9a970d9,0x8e07898e,0x9433a794, 0x9b2db69b,0x1e3c221e,0x87159287,0xe9c920e9, 0xce8749ce,0x55aaff55,0x28507828,0xdfa57adf, 0x8c038f8c,0xa159f8a1,0x89098089,0x0d1a170d, 0xbf65dabf,0xe6d731e6,0x4284c642,0x68d0b868, 0x4182c341,0x9929b099,0x2d5a772d,0x0f1e110f, 0xb07bcbb0,0x54a8fc54,0xbb6dd6bb,0x162c3a16, },{ 0xc6a56363,0xf8847c7c,0xee997777,0xf68d7b7b, 0xff0df2f2,0xd6bd6b6b,0xdeb16f6f,0x9154c5c5, 0x60503030,0x02030101,0xcea96767,0x567d2b2b, 0xe719fefe,0xb562d7d7,0x4de6abab,0xec9a7676, 0x8f45caca,0x1f9d8282,0x8940c9c9,0xfa877d7d, 0xef15fafa,0xb2eb5959,0x8ec94747,0xfb0bf0f0, 0x41ecadad,0xb367d4d4,0x5ffda2a2,0x45eaafaf, 0x23bf9c9c,0x53f7a4a4,0xe4967272,0x9b5bc0c0, 0x75c2b7b7,0xe11cfdfd,0x3dae9393,0x4c6a2626, 0x6c5a3636,0x7e413f3f,0xf502f7f7,0x834fcccc, 0x685c3434,0x51f4a5a5,0xd134e5e5,0xf908f1f1, 0xe2937171,0xab73d8d8,0x62533131,0x2a3f1515, 0x080c0404,0x9552c7c7,0x46652323,0x9d5ec3c3, 0x30281818,0x37a19696,0x0a0f0505,0x2fb59a9a, 0x0e090707,0x24361212,0x1b9b8080,0xdf3de2e2, 0xcd26ebeb,0x4e692727,0x7fcdb2b2,0xea9f7575, 0x121b0909,0x1d9e8383,0x58742c2c,0x342e1a1a, 0x362d1b1b,0xdcb26e6e,0xb4ee5a5a,0x5bfba0a0, 0xa4f65252,0x764d3b3b,0xb761d6d6,0x7dceb3b3, 0x527b2929,0xdd3ee3e3,0x5e712f2f,0x13978484, 0xa6f55353,0xb968d1d1,0x00000000,0xc12ceded, 0x40602020,0xe31ffcfc,0x79c8b1b1,0xb6ed5b5b, 0xd4be6a6a,0x8d46cbcb,0x67d9bebe,0x724b3939, 0x94de4a4a,0x98d44c4c,0xb0e85858,0x854acfcf, 0xbb6bd0d0,0xc52aefef,0x4fe5aaaa,0xed16fbfb, 0x86c54343,0x9ad74d4d,0x66553333,0x11948585, 0x8acf4545,0xe910f9f9,0x04060202,0xfe817f7f, 0xa0f05050,0x78443c3c,0x25ba9f9f,0x4be3a8a8, 0xa2f35151,0x5dfea3a3,0x80c04040,0x058a8f8f, 0x3fad9292,0x21bc9d9d,0x70483838,0xf104f5f5, 0x63dfbcbc,0x77c1b6b6,0xaf75dada,0x42632121, 0x20301010,0xe51affff,0xfd0ef3f3,0xbf6dd2d2, 0x814ccdcd,0x18140c0c,0x26351313,0xc32fecec, 0xbee15f5f,0x35a29797,0x88cc4444,0x2e391717, 0x9357c4c4,0x55f2a7a7,0xfc827e7e,0x7a473d3d, 0xc8ac6464,0xbae75d5d,0x322b1919,0xe6957373, 0xc0a06060,0x19988181,0x9ed14f4f,0xa37fdcdc, 0x44662222,0x547e2a2a,0x3bab9090,0x0b838888, 0x8cca4646,0xc729eeee,0x6bd3b8b8,0x283c1414, 0xa779dede,0xbce25e5e,0x161d0b0b,0xad76dbdb, 0xdb3be0e0,0x64563232,0x744e3a3a,0x141e0a0a, 0x92db4949,0x0c0a0606,0x486c2424,0xb8e45c5c, 0x9f5dc2c2,0xbd6ed3d3,0x43efacac,0xc4a66262, 0x39a89191,0x31a49595,0xd337e4e4,0xf28b7979, 0xd532e7e7,0x8b43c8c8,0x6e593737,0xdab76d6d, 0x018c8d8d,0xb164d5d5,0x9cd24e4e,0x49e0a9a9, 0xd8b46c6c,0xacfa5656,0xf307f4f4,0xcf25eaea, 0xcaaf6565,0xf48e7a7a,0x47e9aeae,0x10180808, 0x6fd5baba,0xf0887878,0x4a6f2525,0x5c722e2e, 0x38241c1c,0x57f1a6a6,0x73c7b4b4,0x9751c6c6, 0xcb23e8e8,0xa17cdddd,0xe89c7474,0x3e211f1f, 0x96dd4b4b,0x61dcbdbd,0x0d868b8b,0x0f858a8a, 0xe0907070,0x7c423e3e,0x71c4b5b5,0xccaa6666, 0x90d84848,0x06050303,0xf701f6f6,0x1c120e0e, 0xc2a36161,0x6a5f3535,0xaef95757,0x69d0b9b9, 0x17918686,0x9958c1c1,0x3a271d1d,0x27b99e9e, 0xd938e1e1,0xeb13f8f8,0x2bb39898,0x22331111, 0xd2bb6969,0xa970d9d9,0x07898e8e,0x33a79494, 0x2db69b9b,0x3c221e1e,0x15928787,0xc920e9e9, 0x8749cece,0xaaff5555,0x50782828,0xa57adfdf, 0x038f8c8c,0x59f8a1a1,0x09808989,0x1a170d0d, 0x65dabfbf,0xd731e6e6,0x84c64242,0xd0b86868, 0x82c34141,0x29b09999,0x5a772d2d,0x1e110f0f, 0x7bcbb0b0,0xa8fc5454,0x6dd6bbbb,0x2c3a1616, }, #endif /* !AES_SMALL */ } }; nettle-3.10/salsa20-internal.h0000644000175000017500000000356514633602172015221 0ustar nissenisse/* salsa20-internal.h The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SALSA20_INTERNAL_H_INCLUDED #define NETTLE_SALSA20_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "salsa20.h" void _nettle_salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_salsa20_crypt(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src); /* Functions available only in some configurations */ void _nettle_salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_salsa20_crypt_1core(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_salsa20_crypt_2core(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src); #endif /* NETTLE_SALSA20_INTERNAL_H_INCLUDED */ nettle-3.10/chacha-set-nonce.c0000644000175000017500000000427214633602171015230 0ustar nissenisse/* chacha-set-nonce.c Setting the nonce the ChaCha stream cipher. Based on the Salsa20 implementation in Nettle. Copyright (C) 2013 Joachim Strömbergon Copyright (C) 2012 Simon Josefsson Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: ChaCha specification (doc id: 4027b5256e17b9796842e6d0f68b0b5e) and reference implementation dated 2008.01.20 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "chacha.h" #include "macros.h" void chacha_set_nonce(struct chacha_ctx *ctx, const uint8_t *nonce) { ctx->state[12] = 0; ctx->state[13] = 0; ctx->state[14] = LE_READ_UINT32(nonce + 0); ctx->state[15] = LE_READ_UINT32(nonce + 4); } void chacha_set_nonce96(struct chacha_ctx *ctx, const uint8_t *nonce) { ctx->state[12] = 0; ctx->state[13] = LE_READ_UINT32(nonce + 0); ctx->state[14] = LE_READ_UINT32(nonce + 4); ctx->state[15] = LE_READ_UINT32(nonce + 8); } void chacha_set_counter(struct chacha_ctx *ctx, const uint8_t *counter) { ctx->state[12] = LE_READ_UINT32(counter + 0); ctx->state[13] = LE_READ_UINT32(counter + 4); } void chacha_set_counter32(struct chacha_ctx *ctx, const uint8_t *counter) { ctx->state[12] = LE_READ_UINT32(counter + 0); } nettle-3.10/ecc-add-th.c0000644000175000017500000000643014633602171014017 0ustar nissenisse/* ecc-add-th.c Copyright (C) 2014, 2017 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on a twisted Edwards curve, with result and first point in homogeneous coordinates. */ void ecc_add_th (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#addition-madd-2008-bbjlp Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)*(x2+y2) mul C, D, T - C - D E = b*C*D 2 mul C, E, T (Replace C <-- D+C) B = z1^2 sqr B, C, E, T F = B - E B, C, E, F, T G = B + E C, F, G, T x3 = z1 * F * T 2 mul C, F, G, T y3 = z1*G*(D+C) 2 mul F, G z3 = F*G mul 10M + 1S We have different sign for E, hence swapping F and G, because our ecc->b corresponds to -b above. */ #define T scratch #define E (scratch + 1*ecc->p.size) #define F E #define C (scratch + 2*ecc->p.size) #define D (scratch + 3*ecc->p.size) #define B D /* Use T as scratch, clobber E */ ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ ecc_mod_add (&ecc->p, x3, x1, y1); ecc_mod_add (&ecc->p, y3, x2, y2); ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ ecc_mod_sub (&ecc->p, T, T, C); ecc_mod_sub (&ecc->p, T, T, D); /* Can now use x3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, T, T, z1, x3); ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); ecc_mod_add (&ecc->p, C, D, C); /* C, T, E */ ecc_mod_mul (&ecc->p, C, C, z1, x3); ecc_mod_sqr (&ecc->p, B, z1, x3); /* C, T, E, B */ ecc_mod_add (&ecc->p, x3, B, E); ecc_mod_sub (&ecc->p, F, B, E); /* C, T, F */ /* Can now use y3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, y3, C, F, y3); /* T G */ /* Can use C--D as scratch */ ecc_mod_mul (&ecc->p, z3, x3, F, C); /* T */ ecc_mod_mul (&ecc->p, x3, x3, T, C); } nettle-3.10/aes128-meta.c0000644000175000017500000000265514633602171014062 0ustar nissenisse/* aes128-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "aes.h" const struct nettle_cipher nettle_aes128 = { "aes128", sizeof(struct aes128_ctx), AES_BLOCK_SIZE, AES128_KEY_SIZE, (nettle_set_key_func *) aes128_set_encrypt_key, (nettle_set_key_func *) aes128_set_decrypt_key, (nettle_cipher_func *) aes128_encrypt, (nettle_cipher_func *) aes128_decrypt }; nettle-3.10/sparc64/0000755000175000017500000000000014633602172013242 5ustar nissenissenettle-3.10/sparc64/aes-decrypt-internal.asm0000644000175000017500000000670114633602172020002 0ustar nissenisseC sparc64/aes-decrypt-internal.asm ifelse(` Copyright (C) 2002, 2005, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`sparc64/aes.m4') C Arguments define(`ROUNDS',`%i0') define(`KEYS', `%i1') define(`T', `%i2') define(`LENGTH',`%i3') define(`DST', `%i4') define(`SRC', `%i5') C AES state, two copies for unrolling define(`W0', `%l0') define(`W1', `%l1') define(`W2', `%l2') define(`W3', `%l3') define(`X0', `%l4') define(`X1', `%l5') define(`X2', `%l6') define(`X3', `%l7') C %o0-%03 are used for loop invariants T0-T3 define(`KEY', `%o4') define(`COUNT', `%o5') C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 C The sparc64 stack frame looks like C C %fp - 8: OS-dependent link field C %fp - 16: OS-dependent link field C %fp - 192: OS register save area (22*8 == 176 bytes) define(`FRAME_SIZE', 192) .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(_nettle_aes_decrypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend C Loop invariants add T, AES_TABLE0, T0 add T, AES_TABLE1, T1 add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 C Must be even, and includes the final round srl ROUNDS, 1, ROUNDS C Last two rounds handled specially sub ROUNDS, 1, ROUNDS .Lblock_loop: C Read src, and add initial subkey mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) mov ROUNDS, COUNT add SRC, 16, SRC sub KEY, 32, KEY .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X AES_ROUND(4, W0, W3, W2, W1, KEY, X0) AES_ROUND(5, W1, W0, W3, W2, KEY, X1) AES_ROUND(6, W2, W1, W0, W3, KEY, X2) AES_ROUND(7, W3, W2, W1, W0, KEY, X3) C Transform X -> W AES_ROUND(0, X0, X3, X2, X1, KEY, W0) AES_ROUND(1, X1, X0, X3, X2, KEY, W1) AES_ROUND(2, X2, X1, X0, X3, KEY, W2) AES_ROUND(3, X3, X2, X1, X0, KEY, W3) subcc COUNT, 1, COUNT bne .Lround_loop sub KEY, 32, KEY C Penultimate round AES_ROUND(4, W0, W3, W2, W1, KEY, X0) AES_ROUND(5, W1, W0, W3, W2, KEY, X1) AES_ROUND(6, W2, W1, W0, W3, KEY, X2) AES_ROUND(7, W3, W2, W1, W0, KEY, X3) C Final round AES_FINAL_ROUND(0, T, X0, X3, X2, X1, KEY, DST) AES_FINAL_ROUND(1, T, X1, X0, X3, X2, KEY, DST) AES_FINAL_ROUND(2, T, X2, X1, X0, X3, KEY, DST) AES_FINAL_ROUND(3, T, X3, X2, X1, X0, KEY, DST) subcc LENGTH, 16, LENGTH bne .Lblock_loop add DST, 16, DST .Lend: ret restore EPILOGUE(_nettle_aes_decrypt) nettle-3.10/sparc64/aes.m40000644000175000017500000000412614633602172014257 0ustar nissenisseC Used as temporaries by the AES macros define(`TMP1', `%g1') define(`TMP2', `%g2') define(`TMP3', `%g3') C Loop invariants used by AES_ROUND define(`T0', `%o0') define(`T1', `%o1') define(`T2', `%o2') define(`T3', `%o3') C AES_LOAD(i, src, key, res) define(`AES_LOAD', ` ldub [$2 + 4*$1], $4 ldub [$2 + 4*$1 + 1], TMP1 ldub [$2 + 4*$1 + 2], TMP2 sll TMP1, 8, TMP1 or $4, TMP1, $4 ldub [$2 + 4*$1+3], TMP1 sll TMP2, 16, TMP2 or $4, TMP2, $4 sll TMP1, 24, TMP1 C Get subkey ld [$3 + 4*$1], TMP2 or $4, TMP1, $4 xor $4, TMP2, $4')dnl C AES_ROUND(i, a, b, c, d, key, res) C Computes one word of the AES round C FIXME: Could use registers pointing directly to the four tables C FIXME: Needs better instruction scheduling, and perhaps more temporaries C Alternatively, we can use a single table and some rotations define(`AES_ROUND', ` and $2, 0xff, TMP1 C 0 srl $3, 6, TMP2 C 1 sll TMP1, 2, TMP1 C 0 and TMP2, 0x3fc, TMP2 C 1 ld [T0 + TMP1], $7 C 0 E0 srl $4, 14, TMP1 C 2 ld [T1 + TMP2], TMP2 C 1 and TMP1, 0x3fc, TMP1 C 2 xor $7, TMP2, $7 C 1 E1 srl $5, 22, TMP2 C 3 ld [T2 + TMP1], TMP1 C 2 and TMP2, 0x3fc, TMP2 C 3 xor $7, TMP1, $7 C 2 E2 ld [$6 + 4*$1], TMP1 C 4 ld [T3 + TMP2], TMP2 C 3 xor $7, TMP1, $7 C 4 E4 xor $7, TMP2, $7 C 3 E3 ')dnl C AES_FINAL_ROUND(i, T, a, b, c, d, key, dst) C Compute one word in the final round function. Output is converted to C octets and stored at dst. Relies on AES_SBOX being zero. define(`AES_FINAL_ROUND', ` C Load subkey ld [$7 + 4*$1], TMP3 and $3, 0xff, TMP1 C 0 srl $4, 8, TMP2 C 1 ldub [T + TMP1], TMP1 C 0 and TMP2, 0xff, TMP2 C 1 xor TMP3, TMP1, TMP1 C 0 ldub [T + TMP2], TMP2 C 1 stb TMP1, [$8 + 4*$1] C 0 E0 srl $5, 16, TMP1 C 2 srl TMP3, 8, TMP3 C 1 and TMP1, 0xff, TMP1 C 2 xor TMP3, TMP2, TMP2 C 1 ldub [T + TMP1], TMP1 C 2 stb TMP2, [$8 + 4*$1 + 1] C 1 E1 srl $6, 24, TMP2 C 3 srl TMP3, 8, TMP3 C 2 ldub [T + TMP2], TMP2 C 3 xor TMP3, TMP1, TMP1 C 2 srl TMP3, 8, TMP3 C 3 stb TMP1, [$8 + 4*$1 + 2] C 2 E2 xor TMP3, TMP2, TMP2 C 3 stb TMP2, [$8 + 4*$1 + 3] C 3 E3 ') nettle-3.10/sparc64/machine.m40000644000175000017500000000015314633602172015107 0ustar nissenissedefine(`BIAS', 2047) C Magic stack bias for the Sparc64 ABI .register %g2,#scratch .register %g3,#scratch nettle-3.10/sparc64/aes-encrypt-internal.asm0000644000175000017500000000734614633602172020022 0ustar nissenisseC sparc64/aes-encrypt-internal.asm ifelse(` Copyright (C) 2002, 2005, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`sparc64/aes.m4') C Arguments define(`ROUNDS',`%i0') define(`KEYS', `%i1') define(`T', `%i2') define(`LENGTH',`%i3') define(`DST', `%i4') define(`SRC', `%i5') C AES state, two copies for unrolling define(`W0', `%l0') define(`W1', `%l1') define(`W2', `%l2') define(`W3', `%l3') define(`X0', `%l4') define(`X1', `%l5') define(`X2', `%l6') define(`X3', `%l7') C %o0-%03 are used for loop invariants T0-T3 define(`KEY', `%o4') define(`COUNT', `%o5') C %g1, %g2, %g3 are TMP1, TMP2 and TMP3 C The sparc64 stack frame looks like C C %fp - 8: OS-dependent link field C %fp - 16: OS-dependent link field C %fp - 192: OS register save area (22*8 == 176 bytes) define(`FRAME_SIZE', 192) .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .section ".text" .align 16 .proc 020 PROLOGUE(_nettle_aes_encrypt) save %sp, -FRAME_SIZE, %sp cmp LENGTH, 0 be .Lend C Loop invariants add T, AES_TABLE0, T0 add T, AES_TABLE1, T1 add T, AES_TABLE2, T2 add T, AES_TABLE3, T3 C Must be even, and includes the final round srl ROUNDS, 1, ROUNDS C Last two rounds handled specially sub ROUNDS, 1, ROUNDS .Lblock_loop: C Read src, and add initial subkey mov KEYS, KEY AES_LOAD(0, SRC, KEY, W0) AES_LOAD(1, SRC, KEY, W1) AES_LOAD(2, SRC, KEY, W2) AES_LOAD(3, SRC, KEY, W3) mov ROUNDS, COUNT add SRC, 16, SRC add KEY, 16, KEY .Lround_loop: C The AES_ROUND macro uses T0,... T3 C Transform W -> X AES_ROUND(0, W0, W1, W2, W3, KEY, X0) AES_ROUND(1, W1, W2, W3, W0, KEY, X1) AES_ROUND(2, W2, W3, W0, W1, KEY, X2) AES_ROUND(3, W3, W0, W1, W2, KEY, X3) C Transform X -> W AES_ROUND(4, X0, X1, X2, X3, KEY, W0) AES_ROUND(5, X1, X2, X3, X0, KEY, W1) AES_ROUND(6, X2, X3, X0, X1, KEY, W2) AES_ROUND(7, X3, X0, X1, X2, KEY, W3) subcc COUNT, 1, COUNT bne .Lround_loop add KEY, 32, KEY C Penultimate round AES_ROUND(0, W0, W1, W2, W3, KEY, X0) AES_ROUND(1, W1, W2, W3, W0, KEY, X1) AES_ROUND(2, W2, W3, W0, W1, KEY, X2) AES_ROUND(3, W3, W0, W1, W2, KEY, X3) add KEY, 16, KEY C Final round AES_FINAL_ROUND(0, T, X0, X1, X2, X3, KEY, DST) AES_FINAL_ROUND(1, T, X1, X2, X3, X0, KEY, DST) AES_FINAL_ROUND(2, T, X2, X3, X0, X1, KEY, DST) AES_FINAL_ROUND(3, T, X3, X0, X1, X2, KEY, DST) subcc LENGTH, 16, LENGTH bne .Lblock_loop add DST, 16, DST .Lend: ret restore EPILOGUE(_nettle_aes_encrypt) C Stats for AES 128 on sellafield.lysator.liu.se (UE450, 296 MHz) C 1. nettle-1.13 C-code (nettle-1.13 assembler was broken for sparc64) C 2. New C-code C 3. New assembler code (basically the same as for sparc32) C MB/s cycles/block C 1 0.8 5781 C 2 1.8 2460 C 3 8.2 548 nettle-3.10/aes-decrypt-internal.c0000644000175000017500000000557614633602171016172 0ustar nissenisse/* aes-decrypt-internal.c Decryption function for the aes/rijndael block cipher. Copyright 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes_decrypt void _nettle_aes_decrypt_c(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); #define _nettle_aes_decrypt _nettle_aes_decrypt_c #endif void _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, AES_BLOCK_SIZE) { uint32_t w0, w1, w2, w3; /* working ciphertext */ uint32_t t0, t1, t2, t3; const uint32_t *p; unsigned i; /* Get clear text, using little-endian byte order. * Also XOR with the first subkey. */ w0 = LE_READ_UINT32(src) ^ keys[0]; w1 = LE_READ_UINT32(src + 4) ^ keys[1]; w2 = LE_READ_UINT32(src + 8) ^ keys[2]; w3 = LE_READ_UINT32(src + 12) ^ keys[3]; for (i = 1, p = keys - 4; i < rounds; i++, p -= 4) { t0 = AES_ROUND(T, w0, w3, w2, w1, p[0]); t1 = AES_ROUND(T, w1, w0, w3, w2, p[1]); t2 = AES_ROUND(T, w2, w1, w0, w3, p[2]); t3 = AES_ROUND(T, w3, w2, w1, w0, p[3]); /* We could unroll the loop twice, to avoid these assignments. If all eight variables fit in registers, that should give a slight speedup. */ w0 = t0; w1 = t1; w2 = t2; w3 = t3; } /* Final round */ t0 = AES_FINAL_ROUND(T, w0, w3, w2, w1, p[0]); t1 = AES_FINAL_ROUND(T, w1, w0, w3, w2, p[1]); t2 = AES_FINAL_ROUND(T, w2, w1, w0, w3, p[2]); t3 = AES_FINAL_ROUND(T, w3, w2, w1, w0, p[3]); LE_WRITE_UINT32(dst, t0); LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 12, t3); } } nettle-3.10/aes192-set-encrypt-key.c0000644000175000017500000000274614633602171016201 0ustar nissenisse/* aes192-set-encrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes192_set_encrypt_key void _nettle_aes192_set_encrypt_key_c(struct aes192_ctx *ctx, const uint8_t *key); # define nettle_aes192_set_encrypt_key _nettle_aes192_set_encrypt_key_c #endif void nettle_aes192_set_encrypt_key(struct aes192_ctx *ctx, const uint8_t *key) { _nettle_aes_set_key (_AES192_ROUNDS, AES192_KEY_SIZE / 4, ctx->keys, key); } nettle-3.10/siv-cmac-aes256.c0000644000175000017500000000424614633602171014636 0ustar nissenisse/* siv-cmac-aes256.c AES-SIV, RFC5297 Copyright (C) 2017 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "aes.h" #include "siv-cmac.h" #include "cmac.h" #include "ctr.h" #include "memxor.h" #include "memops.h" void siv_cmac_aes256_set_key(struct siv_cmac_aes256_ctx *ctx, const uint8_t *key) { siv_cmac_set_key(&ctx->cmac_key, &ctx->cmac_cipher, &ctx->ctr_cipher, &nettle_aes256, key); } void siv_cmac_aes256_encrypt_message(const struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { siv_cmac_encrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, &nettle_aes256, &ctx->ctr_cipher, nlength, nonce, alength, adata, clength, dst, src); } int siv_cmac_aes256_decrypt_message(const struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { return siv_cmac_decrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, &nettle_aes256, &ctx->ctr_cipher, nlength, nonce, alength, adata, mlength, dst, src); } nettle-3.10/gcm-sm4-meta.c0000644000175000017500000000341314633602171014317 0ustar nissenisse/* gcm-sm4-meta.c Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_sm4_set_nonce_wrapper; static void gcm_sm4_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_sm4_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_sm4 = { "gcm_sm4", sizeof(struct gcm_sm4_ctx), GCM_BLOCK_SIZE, SM4_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_sm4_set_key, (nettle_set_key_func *) gcm_sm4_set_key, gcm_sm4_set_nonce_wrapper, (nettle_hash_update_func *) gcm_sm4_update, (nettle_crypt_func *) gcm_sm4_encrypt, (nettle_crypt_func *) gcm_sm4_decrypt, (nettle_hash_digest_func *) gcm_sm4_digest, }; nettle-3.10/cmac-aes128.c0000644000175000017500000000310514633602171014026 0ustar nissenisse/* cmac-aes128.c CMAC using AES128 as the underlying cipher. Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "cmac.h" void cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key) { CMAC128_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); } void cmac_aes128_update (struct cmac_aes128_ctx *ctx, size_t length, const uint8_t *data) { CMAC128_UPDATE (ctx, aes128_encrypt, length, data); } void cmac_aes128_digest(struct cmac_aes128_ctx *ctx, size_t length, uint8_t *digest) { CMAC128_DIGEST(ctx, aes128_encrypt, length, digest); } nettle-3.10/ecc-secp384r1.c0000644000175000017500000002320614633602171014312 0ustar nissenisse/* ecc-secp384r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-secp384r1.h" #if HAVE_NATIVE_ecc_secp384r1_modp #define ecc_secp384r1_modp _nettle_ecc_secp384r1_modp void ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #elif GMP_NUMB_BITS == 32 /* Use that 2^{384} = 2^{128} + 2^{96} - 2^{32} + 1, and eliminate 256 bits at a time. We can get carry == 2 in the first iteration, and I think *only* in the first iteration. */ /* p is 12 limbs, and B^12 - p = B^4 + B^3 - B + 1. We can eliminate almost 8 at a time. Do only 7, to avoid additional carry propagation, followed by 5. */ static void ecc_secp384r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t cy, bw; /* Reduce from 24 to 17 limbs. */ cy = mpn_add_n (xp + 4, xp + 4, xp + 16, 8); cy = sec_add_1 (xp + 12, xp + 12, 3, cy); bw = mpn_sub_n (xp + 5, xp + 5, xp + 16, 8); bw = sec_sub_1 (xp + 13, xp + 13, 3, bw); cy += mpn_add_n (xp + 7, xp + 7, xp + 16, 8); cy = sec_add_1 (xp + 15, xp + 15, 1, cy); cy += mpn_add_n (xp + 8, xp + 8, xp + 16, 8); assert (bw <= cy); cy -= bw; assert (cy <= 2); xp[16] = cy; /* Reduce from 17 to 12 limbs */ cy = mpn_add_n (xp, xp, xp + 12, 5); cy = sec_add_1 (xp + 5, xp + 5, 3, cy); bw = mpn_sub_n (xp + 1, xp + 1, xp + 12, 5); bw = sec_sub_1 (xp + 6, xp + 6, 6, bw); cy += mpn_add_n (xp + 3, xp + 3, xp + 12, 5); cy = sec_add_1 (xp + 8, xp + 8, 1, cy); cy += mpn_add_n (xp + 4, xp + 4, xp + 12, 5); cy = sec_add_1 (xp + 9, xp + 9, 3, cy); assert (cy >= bw); cy -= bw; assert (cy <= 1); cy = mpn_cnd_add_n (cy, rp, xp, p->B, ECC_LIMB_SIZE); assert (cy == 0); } #elif GMP_NUMB_BITS == 64 /* p is 6 limbs, and B^6 - p = B^2 + 2^32 (B - 1) + 1. Eliminate 3 (almost 4) limbs at a time. */ static void ecc_secp384r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t tp[6]; mp_limb_t cy; /* Reduce from 12 to 9 limbs */ tp[0] = 0; /* FIXME: Could use mpn_sub_nc */ mpn_copyi (tp + 1, xp + 8, 3); tp[4] = xp[11] - mpn_sub_n (tp, tp, xp + 8, 4); tp[5] = mpn_lshift (tp, tp, 5, 32); cy = mpn_add_n (xp + 2, xp + 2, xp + 8, 4); cy = sec_add_1 (xp + 6, xp + 6, 2, cy); cy += mpn_add_n (xp + 2, xp + 2, tp, 6); cy += mpn_add_n (xp + 4, xp + 4, xp + 8, 4); assert_maybe (cy <= 2); xp[8] = cy; /* Reduce from 9 to 6 limbs */ tp[0] = 0; mpn_copyi (tp + 1, xp + 6, 2); tp[3] = xp[8] - mpn_sub_n (tp, tp, xp + 6, 3); tp[4] = mpn_lshift (tp, tp, 4, 32); cy = mpn_add_n (xp, xp, xp + 6, 3); cy = sec_add_1 (xp + 3, xp + 3, 2, cy); cy += mpn_add_n (xp, xp, tp, 5); cy += mpn_add_n (xp + 2, xp + 2, xp + 6, 3); cy = sec_add_1 (xp + 5, xp + 5, 1, cy); assert_maybe (cy <= 1); cy = mpn_cnd_add_n (cy, xp, xp, p->B, ECC_LIMB_SIZE); assert_maybe (cy == 0); mpn_copyi (rp, xp, ECC_LIMB_SIZE); } #else #define ecc_secp384r1_modp ecc_mod #endif /* Computes a^{2^{288} -2^{32} - 1} mod m. Also produces the intermediate value a^{2^{30} - 1}. Needs 5*ECC_LIMB_SIZE scratch. */ static void ecc_mod_pow_288m32m1 (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *a30m1, const mp_limb_t *ap, mp_limb_t *scratch) { /* Addition chain for 2^{288} - 2^{32} - 1: 2^2 - 1 = 1 + 2 2^4 - 1 = (2^2 + 1) * (2^2 - 1) 2^5 - 1 = 1 + 2(2^4 - 1) 2^{10} - 1 = (2^5 + 1) (2^5 - 1) 2^{15} - 1 = 2^5 (2^{10} - 1) + (2^5-1) 2^{30} - 1 = (2^{15} + 1) (2^{15} - 1) 2^{32} - 4 = 2^2 (2^{30} - 1) 2^{32} - 1 = (2^{32} - 4) + 3 2^{60} - 1 = 2^{28}(2^{32} - 4) + (2^{30} - 1) 2^{120} - 1 = (2^{60} + 1) (2^{60} - 1) 2^{240} - 1 = (2^{120} + 1)(2^{120} - 1) 2^{255} - 1 = 2^{15} (2^{240} - 1) + 2^{15} - 1 2^{288} - 2^{32} - 1 = 2^{33} (2^{255} - 1) + 2^{32} - 1 Total 287 squarings, and 12 multiplies. The specific sqr/mul schedule is from Routine 3.2.12 of "Mathematical routines for the NIST prime elliptic curves", April 5, 2010, author unknown. */ #define t0 scratch #define a3 (scratch + ECC_LIMB_SIZE) #define a5m1 a30m1 #define a15m1 (scratch + 2*ECC_LIMB_SIZE) #define a32m1 a3 #define tp (scratch + 3*ECC_LIMB_SIZE) ecc_mod_sqr (m, t0, ap, tp); /* a^2 */ ecc_mod_mul (m, a3, t0, ap, tp); /* a^3 */ ecc_mod_pow_2kp1 (m, rp, a3, 2, tp); /* a^(2^4 - 1) */ ecc_mod_sqr (m, t0, rp, tp); /* a^(2^5 - 2) */ ecc_mod_mul (m, a5m1, t0, ap, tp); /* a^(2^5 - 1) */ ecc_mod_pow_2kp1 (m, t0, a5m1, 5, tp); /* a^(2^10 - 1) */ ecc_mod_pow_2k_mul (m, a15m1, t0, 5, a5m1, tp); /* a^(2^15 - 1) a5m1*/ ecc_mod_pow_2kp1 (m, a30m1, a15m1, 15, tp); /* a^(2^30 - 1) */ ecc_mod_pow_2k (m, t0, a30m1, 2, tp); /* a^(2^32 - 4) */ ecc_mod_mul (m, a32m1, t0, a3, tp); /* a^(2^32 - 1) a3 */ ecc_mod_pow_2k_mul (m, rp, t0, 28, a30m1, tp); /* a^(2^60 - 1) a32m4 */ ecc_mod_pow_2kp1 (m, t0, rp, 60, tp); /* a^(2^120 - 1) */ ecc_mod_pow_2kp1 (m, rp, t0, 120, tp); /* a^(2^240 - 1) */ ecc_mod_pow_2k_mul (m, t0, rp, 15, a15m1, tp); /* a^(2^255 - 1) a15m1 */ ecc_mod_pow_2k_mul (m, rp, t0, 33, a32m1, tp); /* a^(2^288 - 2^32 - 1) a32m1 */ #undef t0 #undef a3 #undef a5m1 #undef a15m1 #undef a32m1 #undef tp } #define ECC_SECP384R1_INV_ITCH (6*ECC_LIMB_SIZE) static void ecc_secp384r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { /* Addition chain for p - 2 = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 3 Start with a^{2^{288} - 2^{32} - 1} and then use 2^{382} - 2^{126} - 2^{94} + 2^{30} - 1 = 2^{94} (2^{288} - 2^{32} - 1) + 2^{30} - 1 2^{384} - 2^{128} - 2^{96} + 2^{32} - 3 = 2^2 (2^{382} - 2^{126} - 2^{94} + 2^{30} - 1) + 1 This addition chain needs 96 additional squarings and 2 multiplies, for a total of 383 squarings and 14 multiplies. */ #define a30m1 scratch #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_pow_288m32m1 (p, rp, a30m1, ap, tp); ecc_mod_pow_2k_mul (p, rp, rp, 94, a30m1, tp); /* a^{2^{382} - 2^{126} - 2^{94} + 2^{30} - 1 */ ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp); #undef a30m1 #undef tp } /* To guarantee that inputs to ecc_mod_zero_p are in the required range. */ #if ECC_LIMB_SIZE * GMP_NUMB_BITS != 384 #error Unsupported limb size #endif #define ECC_SECP384R1_SQRT_ITCH (6*ECC_LIMB_SIZE) static int ecc_secp384r1_sqrt (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *cp, mp_limb_t *scratch) { /* This computes the square root modulo p384 using the identity: sqrt(c) = c^(2^382 − 2^126 - 2^94 + 2^30) (mod P-384) which can be seen as a special case of Tonelli-Shanks with e=1. Starting with a^{2^{288} - 2^{32} - 1} and then use 2^352 - 2^96 - 2^64 + 1 = 2^64 (2^{288} - 2^{32} - 1) + 1 2^382 − 2^126 - 2^94 + 2^30 = 2^30 (2^352 - 2^96 - 2^64 + 1) An additional 94 squarings and 2 multiplies, for a total of for a total of 381 squarings and 14 multiplies. */ #define t0 scratch #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_pow_288m32m1 (m, rp, t0, cp, tp); ecc_mod_pow_2k_mul (m, t0, rp, 64, cp, tp); /* c^(2^352 - 2^96 - 2^64 + 1) */ ecc_mod_pow_2k (m, rp, t0, 30, tp); /* c^(2^382 - 2^126 - 2^94 + 2^30) */ ecc_mod_sqr (m, t0, rp, tp); ecc_mod_sub (m, t0, t0, cp); return ecc_mod_zero_p (m, t0); #undef t0 #undef tp } const struct ecc_curve _nettle_secp_384r1 = { { 384, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_SECP384R1_INV_ITCH, ECC_SECP384R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp384r1_modp, ecc_secp384r1_modp, ecc_secp384r1_inv, ecc_secp384r1_sqrt, NULL, }, { 384, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP384R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_384r1(void) { return &_nettle_secp_384r1; } nettle-3.10/umac-l2.c0000644000175000017500000000661514633602171013373 0ustar nissenisse/* umac-l2.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "bswap-internal.h" /* Same mask applied to low and high halves */ #define KEY_MASK 0x01ffffffUL void _nettle_umac_l2_init (unsigned size, uint32_t *k) { unsigned i; for (i = 0; i < size; i++) { uint32_t w = k[i]; w = bswap32_if_le (w); k[i] = w & KEY_MASK; } } void _nettle_umac_l2(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count, const uint64_t *m) { uint64_t *prev = state + 2*n; unsigned i; if (count == 0) memcpy (prev, m, n * sizeof(*m)); else if (count == 1) for (i = 0; i < n; i++, key += 6) { uint64_t y = _nettle_umac_poly64 (key[0], key[1], 1, prev[i]); state[2*i+1] = _nettle_umac_poly64 (key[0], key[1], y, m[i]); } else if (count < UMAC_POLY64_BLOCKS) for (i = 0; i < n; i++, key += 6) state[2*i+1] = _nettle_umac_poly64 (key[0], key[1], state[2*i+1], m[i]); else if (count % 2 == 0) { if (count == UMAC_POLY64_BLOCKS) for (i = 0, key += 2; i < n; i++, key += 6) { uint64_t y = state[2*i+1]; if (y >= UMAC_P64) y -= UMAC_P64; state[2*i] = 0; state[2*i+1] = 1; _nettle_umac_poly128 (key, state + 2*i, 0, y); } memcpy (prev, m, n * sizeof(*m)); } else for (i = 0, key += 2; i < n; i++, key += 6) _nettle_umac_poly128 (key, state + 2*i, prev[i], m[i]); } void _nettle_umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count) { uint64_t *prev = state + 2*n; unsigned i; assert (count > 0); if (count == 1) for (i = 0; i < n; i++) { *state++ = 0; *state++ = *prev++; } else if (count <= UMAC_POLY64_BLOCKS) for (i = 0; i < n; i++) { uint64_t y; *state++ = 0; y = *state; if (y >= UMAC_P64) y -= UMAC_P64; *state++ = y; } else { uint64_t pad = (uint64_t) 1 << 63; if (count % 2 == 1) for (i = 0, key += 2; i < n; i++, key += 6) _nettle_umac_poly128 (key, state + 2*i, prev[i], pad); else for (i = 0, key += 2; i < n; i++, key += 6) _nettle_umac_poly128 (key, state + 2*i, pad, 0); for (i = 0; i < n; i++, state += 2) { uint64_t yh, yl; yh = state[0]; yl = state[1]; if (yh == UMAC_P128_HI && yl >= UMAC_P128_LO) { state[0] = 0; state[1] = yl - UMAC_P128_LO; } } } } nettle-3.10/cast128-meta.c0000644000175000017500000000262314633602171014237 0ustar nissenisse/* cast128-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "cast128.h" const struct nettle_cipher nettle_cast128 = { "cast128", sizeof(struct cast128_ctx), CAST128_BLOCK_SIZE, CAST128_KEY_SIZE, (nettle_set_key_func *) cast128_set_key, (nettle_set_key_func *) cast128_set_key, (nettle_cipher_func *) cast128_encrypt, (nettle_cipher_func *) cast128_decrypt }; nettle-3.10/hmac-sha512.c0000644000175000017500000000306014633602171014033 0ustar nissenisse/* hmac-sha512.c HMAC-SHA512 message authentication code. Copyright (C) 2003, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha512, key_length, key); } void hmac_sha512_update(struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data) { sha512_update(&ctx->state, length, data); } void hmac_sha512_digest(struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha512, length, digest); } nettle-3.10/fat-s390x.c0000644000175000017500000004424414633602172013572 0ustar nissenisse/* fat-s390x.c Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #if defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # define USE_GETAUXVAL 1 # include # endif #endif #include "nettle-types.h" #include "memxor.h" #include "aes-internal.h" #include "chacha-internal.h" #include "ghash-internal.h" #include "fat-setup.h" /* Max number of doublewords returned by STFLE */ #define FACILITY_DOUBLEWORDS_MAX 3 #define FACILITY_INDEX(bit) ((bit) / 64) /* STFLE and cipher query store doublewords as bit-reversed. reverse facility bit or function code in doubleword */ #define FACILITY_BIT(bit) (1ULL << (63 - (bit) % 64)) /* Define from arch/s390/include/asm/elf.h in Linux kernel */ #ifndef HWCAP_S390_STFLE #define HWCAP_S390_STFLE 4 #endif /* Facility bits */ #define FAC_VF 129 /* vector facility */ #define FAC_MSA 17 /* message-security assist */ #define FAC_MSA_X4 77 /* message-security-assist extension 4 */ /* Function codes */ #define AES_128_CODE 18 #define AES_192_CODE 19 #define AES_256_CODE 20 #define SHA_1_CODE 1 #define SHA_256_CODE 2 #define SHA_512_CODE 3 #define GHASH_CODE 65 struct s390x_features { int have_vector_facility; int have_km_aes128; int have_km_aes192; int have_km_aes256; int have_kimd_sha_1; int have_kimd_sha_256; int have_kimd_sha_512; int have_kimd_ghash; }; void _nettle_stfle(uint64_t *facility, uint64_t facility_size); void _nettle_km_status(uint64_t *status); void _nettle_kimd_status(uint64_t *status); #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_s390x_features (struct s390x_features *features) { features->have_vector_facility = 0; features->have_km_aes128 = 0; features->have_km_aes192 = 0; features->have_km_aes256 = 0; features->have_kimd_sha_1 = 0; features->have_kimd_sha_256 = 0; features->have_kimd_sha_512 = 0; features->have_kimd_ghash = 0; const char *s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (MATCH (s, length, "vf", 2)) features->have_vector_facility = 1; else if (MATCH (s, length, "msa", 3)) features->have_kimd_sha_1 = 1; else if (MATCH (s, length, "msa_x1", 6)) { features->have_km_aes128 = 1; features->have_kimd_sha_256 = 1; } else if (MATCH (s, length, "msa_x2", 6)) { features->have_km_aes192 = 1; features->have_km_aes256 = 1; features->have_kimd_sha_512 = 1; } else if (MATCH (s, length, "msa_x4", 6)) features->have_kimd_ghash = 1; if (!sep) break; s = sep + 1; } else { #if USE_GETAUXVAL unsigned long hwcap = getauxval(AT_HWCAP); if (hwcap & HWCAP_S390_STFLE) { uint64_t facilities[FACILITY_DOUBLEWORDS_MAX] = {0}; _nettle_stfle(facilities, FACILITY_DOUBLEWORDS_MAX); if (facilities[FACILITY_INDEX(FAC_VF)] & FACILITY_BIT(FAC_VF)) features->have_vector_facility = 1; if (facilities[FACILITY_INDEX(FAC_MSA)] & FACILITY_BIT(FAC_MSA)) { uint64_t query_status[2] = {0}; _nettle_km_status(query_status); if (query_status[FACILITY_INDEX(AES_128_CODE)] & FACILITY_BIT(AES_128_CODE)) features->have_km_aes128 = 1; if (query_status[FACILITY_INDEX(AES_192_CODE)] & FACILITY_BIT(AES_192_CODE)) features->have_km_aes192 = 1; if (query_status[FACILITY_INDEX(AES_256_CODE)] & FACILITY_BIT(AES_256_CODE)) features->have_km_aes256 = 1; memset(query_status, 0, sizeof(query_status)); _nettle_kimd_status(query_status); if (query_status[FACILITY_INDEX(SHA_1_CODE)] & FACILITY_BIT(SHA_1_CODE)) features->have_kimd_sha_1 = 1; if (query_status[FACILITY_INDEX(SHA_256_CODE)] & FACILITY_BIT(SHA_256_CODE)) features->have_kimd_sha_256 = 1; if (query_status[FACILITY_INDEX(SHA_512_CODE)] & FACILITY_BIT(SHA_512_CODE)) features->have_kimd_sha_512 = 1; } if (facilities[FACILITY_INDEX(FAC_MSA_X4)] & FACILITY_BIT(FAC_MSA_X4)) { uint64_t query_status[2] = {0}; _nettle_kimd_status(query_status); if (query_status[FACILITY_INDEX(GHASH_CODE)] & FACILITY_BIT(GHASH_CODE)) features->have_kimd_ghash = 1; } } #endif } } /* MEMXOR3 */ DECLARE_FAT_FUNC(nettle_memxor3, memxor3_func) DECLARE_FAT_FUNC_VAR(memxor3, memxor3_func, c) DECLARE_FAT_FUNC_VAR(memxor3, memxor3_func, s390x) /* AES128 */ DECLARE_FAT_FUNC(nettle_aes128_set_encrypt_key, aes128_set_key_func) DECLARE_FAT_FUNC_VAR(aes128_set_encrypt_key, aes128_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes128_set_encrypt_key, aes128_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes128_set_decrypt_key, aes128_set_key_func) DECLARE_FAT_FUNC_VAR(aes128_set_decrypt_key, aes128_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes128_set_decrypt_key, aes128_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes128_invert_key, aes128_invert_key_func) DECLARE_FAT_FUNC_VAR(aes128_invert_key, aes128_invert_key_func, c) DECLARE_FAT_FUNC_VAR(aes128_invert_key, aes128_invert_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes128_encrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, s390x) DECLARE_FAT_FUNC(nettle_aes128_decrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, s390x) /* AES192 */ DECLARE_FAT_FUNC(nettle_aes192_set_encrypt_key, aes192_set_key_func) DECLARE_FAT_FUNC_VAR(aes192_set_encrypt_key, aes192_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes192_set_encrypt_key, aes192_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes192_set_decrypt_key, aes192_set_key_func) DECLARE_FAT_FUNC_VAR(aes192_set_decrypt_key, aes192_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes192_set_decrypt_key, aes192_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes192_invert_key, aes192_invert_key_func) DECLARE_FAT_FUNC_VAR(aes192_invert_key, aes192_invert_key_func, c) DECLARE_FAT_FUNC_VAR(aes192_invert_key, aes192_invert_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes192_encrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, s390x) DECLARE_FAT_FUNC(nettle_aes192_decrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, s390x) /* AES256 */ DECLARE_FAT_FUNC(nettle_aes256_set_encrypt_key, aes256_set_key_func) DECLARE_FAT_FUNC_VAR(aes256_set_encrypt_key, aes256_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes256_set_encrypt_key, aes256_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes256_set_decrypt_key, aes256_set_key_func) DECLARE_FAT_FUNC_VAR(aes256_set_decrypt_key, aes256_set_key_func, c) DECLARE_FAT_FUNC_VAR(aes256_set_decrypt_key, aes256_set_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes256_invert_key, aes256_invert_key_func) DECLARE_FAT_FUNC_VAR(aes256_invert_key, aes256_invert_key_func, c) DECLARE_FAT_FUNC_VAR(aes256_invert_key, aes256_invert_key_func, s390x) DECLARE_FAT_FUNC(nettle_aes256_encrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, s390x) DECLARE_FAT_FUNC(nettle_aes256_decrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, s390x) /* GHASH */ DECLARE_FAT_FUNC(_nettle_ghash_set_key, ghash_set_key_func) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, c) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, s390x) DECLARE_FAT_FUNC(_nettle_ghash_update, ghash_update_func) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, c) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, s390x) DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, s390x) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, c) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, s390x) DECLARE_FAT_FUNC(_nettle_sha512_compress, sha512_compress_func) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, c) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, s390x) DECLARE_FAT_FUNC(nettle_sha3_permute, sha3_permute_func) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, c) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, s390x) DECLARE_FAT_FUNC(_nettle_chacha_core, chacha_core_func) DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, c); DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, s390x); DECLARE_FAT_FUNC(nettle_chacha_crypt, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 4core) DECLARE_FAT_FUNC(nettle_chacha_crypt32, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 4core) static void CONSTRUCTOR fat_init (void) { struct s390x_features features; int verbose; get_s390x_features (&features); verbose = getenv (ENV_VERBOSE) != NULL; /* MEMXOR3 */ if (features.have_vector_facility) { if (verbose) fprintf (stderr, "libnettle: enabling vector facility code.\n"); nettle_memxor3_vec = _nettle_memxor3_s390x; nettle_sha3_permute_vec = _nettle_sha3_permute_s390x; _nettle_chacha_core_vec = _nettle_chacha_core_s390x; nettle_chacha_crypt_vec = _nettle_chacha_crypt_4core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_4core; } else { nettle_memxor3_vec = _nettle_memxor3_c; nettle_sha3_permute_vec = _nettle_sha3_permute_c; _nettle_chacha_core_vec = _nettle_chacha_core_c; nettle_chacha_crypt_vec = _nettle_chacha_crypt_1core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_1core; } /* AES128 */ if (features.have_km_aes128) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated AES128 EBC mode.\n"); nettle_aes128_set_encrypt_key_vec = _nettle_aes128_set_encrypt_key_s390x; nettle_aes128_set_decrypt_key_vec = _nettle_aes128_set_decrypt_key_s390x; nettle_aes128_invert_key_vec = _nettle_aes128_invert_key_s390x; nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_s390x; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_s390x; } else { nettle_aes128_set_encrypt_key_vec = _nettle_aes128_set_encrypt_key_c; nettle_aes128_set_decrypt_key_vec = _nettle_aes128_set_decrypt_key_c; nettle_aes128_invert_key_vec = _nettle_aes128_invert_key_c; nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_c; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_c; } /* AES192 */ if (features.have_km_aes192) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated AES192 EBC mode.\n"); nettle_aes192_set_encrypt_key_vec = _nettle_aes192_set_encrypt_key_s390x; nettle_aes192_set_decrypt_key_vec = _nettle_aes192_set_decrypt_key_s390x; nettle_aes192_invert_key_vec = _nettle_aes192_invert_key_s390x; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_s390x; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_s390x; } else { nettle_aes192_set_encrypt_key_vec = _nettle_aes192_set_encrypt_key_c; nettle_aes192_set_decrypt_key_vec = _nettle_aes192_set_decrypt_key_c; nettle_aes192_invert_key_vec = _nettle_aes192_invert_key_c; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_c; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_c; } /* AES256 */ if (features.have_km_aes256) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated AES256 EBC mode.\n"); nettle_aes256_set_encrypt_key_vec = _nettle_aes256_set_encrypt_key_s390x; nettle_aes256_set_decrypt_key_vec = _nettle_aes256_set_decrypt_key_s390x; nettle_aes256_invert_key_vec = _nettle_aes256_invert_key_s390x; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_s390x; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_s390x; } else { nettle_aes256_set_encrypt_key_vec = _nettle_aes256_set_encrypt_key_c; nettle_aes256_set_decrypt_key_vec = _nettle_aes256_set_decrypt_key_c; nettle_aes256_invert_key_vec = _nettle_aes256_invert_key_c; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_c; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_c; } /* GHASH */ if (features.have_kimd_ghash) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated GHASH.\n"); _nettle_ghash_set_key_vec = _nettle_ghash_set_key_s390x; _nettle_ghash_update_vec = _nettle_ghash_update_s390x; } else { _nettle_ghash_set_key_vec = _nettle_ghash_set_key_c; _nettle_ghash_update_vec = _nettle_ghash_update_c; } /* SHA1 */ if (features.have_kimd_sha_1) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated SHA1 compress code.\n"); nettle_sha1_compress_vec = _nettle_sha1_compress_s390x; } else { nettle_sha1_compress_vec = _nettle_sha1_compress_c; } /* SHA256 */ if (features.have_kimd_sha_256) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated SHA256 compress code.\n"); _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_s390x; } else { _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_c; } /* SHA512 */ if (features.have_kimd_sha_512) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated SHA512 compress code.\n"); _nettle_sha512_compress_vec = _nettle_sha512_compress_s390x; } else { _nettle_sha512_compress_vec = _nettle_sha512_compress_c; } } /* MEMXOR3 */ DEFINE_FAT_FUNC(nettle_memxor3, void *, (void *dst_in, const void *a_in, const void *b_in, size_t n), (dst_in, a_in, b_in, n)) /* AES128 */ DEFINE_FAT_FUNC(nettle_aes128_set_encrypt_key, void, (struct aes128_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes128_set_decrypt_key, void, (struct aes128_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes128_invert_key, void, (struct aes128_ctx *dst, const struct aes128_ctx *src), (dst, src)) DEFINE_FAT_FUNC(nettle_aes128_encrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes128_decrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) /* AES192 */ DEFINE_FAT_FUNC(nettle_aes192_set_encrypt_key, void, (struct aes192_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes192_set_decrypt_key, void, (struct aes192_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes192_invert_key, void, (struct aes192_ctx *dst, const struct aes192_ctx *src), (dst, src)) DEFINE_FAT_FUNC(nettle_aes192_encrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_decrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) /* AES256 */ DEFINE_FAT_FUNC(nettle_aes256_set_encrypt_key, void, (struct aes256_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes256_set_decrypt_key, void, (struct aes256_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(nettle_aes256_invert_key, void, (struct aes256_ctx *dst, const struct aes256_ctx *src), (dst, src)) DEFINE_FAT_FUNC(nettle_aes256_encrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_decrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) /* GHASH */ DEFINE_FAT_FUNC(_nettle_ghash_set_key, void, (struct gcm_key *ctx, const union nettle_block16 *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_ghash_update, const uint8_t *, (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data), (ctx, state, blocks, data)) /* SHA1 */ DEFINE_FAT_FUNC(nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) /* SHA256 */ DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) /* SHA512 */ DEFINE_FAT_FUNC(_nettle_sha512_compress, void, (uint64_t *state, const uint8_t *input, const uint64_t *k), (state, input, k)) /* SHA3 */ DEFINE_FAT_FUNC(nettle_sha3_permute, void, (struct sha3_state *state), (state)) DEFINE_FAT_FUNC(_nettle_chacha_core, void, (uint32_t *dst, const uint32_t *src, unsigned rounds), (dst, src, rounds)) DEFINE_FAT_FUNC(nettle_chacha_crypt, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_chacha_crypt32, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) nettle-3.10/sexp.c0000644000175000017500000002047014633602171013105 0ustar nissenisse/* sexp.c Parsing s-expressions. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sexp.h" #include "macros.h" #include "nettle-internal.h" /* Initializes the iterator, but one has to call next to get to the * first element. */ static void sexp_iterator_init(struct sexp_iterator *iterator, unsigned length, const uint8_t *input) { iterator->length = length; iterator->buffer = input; iterator->pos = 0; iterator->level = 0; iterator->type = SEXP_END; /* Value doesn't matter */ iterator->display_length = 0; iterator->display = NULL; iterator->atom_length = 0; iterator->atom = NULL; } #define EMPTY(i) ((i)->pos == (i)->length) #define NEXT(i) ((i)->buffer[(i)->pos++]) static int sexp_iterator_simple(struct sexp_iterator *iterator, size_t *size, const uint8_t **string) { unsigned length = 0; uint8_t c; if (EMPTY(iterator)) return 0; c = NEXT(iterator); if (EMPTY(iterator)) return 0; if (c >= '1' && c <= '9') do { length = length * 10 + (c - '0'); if (length > (iterator->length - iterator->pos)) return 0; if (EMPTY(iterator)) return 0; c = NEXT(iterator); } while (c >= '0' && c <= '9'); else if (c == '0') /* There can be only one */ c = NEXT(iterator); else return 0; if (c != ':') return 0; *size = length; *string = iterator->buffer + iterator->pos; iterator->pos += length; return 1; } /* All these functions return 1 on success, 0 on failure */ /* Look at the current position in the data. Sets iterator->type, and * ignores the old value. */ static int sexp_iterator_parse(struct sexp_iterator *iterator) { iterator->start = iterator->pos; if (EMPTY(iterator)) { if (iterator->level) return 0; iterator->type = SEXP_END; return 1; } switch (iterator->buffer[iterator->pos]) { case '(': /* A list */ iterator->type = SEXP_LIST; return 1; case ')': if (!iterator->level) return 0; iterator->pos++; iterator->type = SEXP_END; return 1; case '[': /* Atom with display type */ iterator->pos++; if (!sexp_iterator_simple(iterator, &iterator->display_length, &iterator->display)) return 0; if (EMPTY(iterator) || NEXT(iterator) != ']') return 0; break; default: /* Must be either a decimal digit or a syntax error. * Errors are detected by sexp_iterator_simple. */ iterator->display_length = 0; iterator->display = NULL; break; } iterator->type = SEXP_ATOM; return sexp_iterator_simple(iterator, &iterator->atom_length, &iterator->atom); } int sexp_iterator_first(struct sexp_iterator *iterator, size_t length, const uint8_t *input) { sexp_iterator_init(iterator, length, input); return sexp_iterator_parse(iterator); } int sexp_iterator_next(struct sexp_iterator *iterator) { switch (iterator->type) { case SEXP_END: return 1; case SEXP_LIST: /* Skip this list */ return sexp_iterator_enter_list(iterator) && sexp_iterator_exit_list(iterator); case SEXP_ATOM: /* iterator->pos should already point at the start of the next * element. */ return sexp_iterator_parse(iterator); } /* If we get here, we have a bug. */ abort(); } /* Current element must be a list. */ int sexp_iterator_enter_list(struct sexp_iterator *iterator) { if (iterator->type != SEXP_LIST) return 0; if (EMPTY(iterator) || NEXT(iterator) != '(') /* Internal error */ abort(); iterator->level++; return sexp_iterator_parse(iterator); } /* Skips the rest of the current list */ int sexp_iterator_exit_list(struct sexp_iterator *iterator) { if (!iterator->level) return 0; while(iterator->type != SEXP_END) if (!sexp_iterator_next(iterator)) return 0; iterator->level--; return sexp_iterator_parse(iterator); } #if 0 /* What's a reasonable interface for this? */ int sexp_iterator_exit_lists(struct sexp_iterator *iterator, unsigned level) { assert(iterator->level >= level); while (iterator->level > level) if (!sexp_iterator_exit_list(iterator)) return 0; return 1; } #endif const uint8_t * sexp_iterator_subexpr(struct sexp_iterator *iterator, size_t *length) { size_t start = iterator->start; if (!sexp_iterator_next(iterator)) return 0; *length = iterator->start - start; return iterator->buffer + start; } int sexp_iterator_get_uint32(struct sexp_iterator *iterator, uint32_t *x) { if (iterator->type == SEXP_ATOM && !iterator->display && iterator->atom_length && iterator->atom[0] < 0x80) { size_t length = iterator->atom_length; const uint8_t *p = iterator->atom; /* Skip leading zeros. */ while(length && !*p) { length--; p++; } switch(length) { case 0: *x = 0; break; case 1: *x = p[0]; break; case 2: *x = READ_UINT16(p); break; case 3: *x = READ_UINT24(p); break; case 4: *x = READ_UINT32(p); break; default: return 0; } return sexp_iterator_next(iterator); } return 0; } int sexp_iterator_check_type(struct sexp_iterator *iterator, const char *type) { return (sexp_iterator_enter_list(iterator) && iterator->type == SEXP_ATOM && !iterator->display && strlen(type) == iterator->atom_length && !memcmp(type, iterator->atom, iterator->atom_length) && sexp_iterator_next(iterator)); } const char * sexp_iterator_check_types(struct sexp_iterator *iterator, unsigned ntypes, const char * const *types) { if (sexp_iterator_enter_list(iterator) && iterator->type == SEXP_ATOM && !iterator->display) { unsigned i; for (i = 0; iatom_length && !memcmp(types[i], iterator->atom, iterator->atom_length)) return sexp_iterator_next(iterator) ? types[i] : NULL; } return NULL; } int sexp_iterator_assoc(struct sexp_iterator *iterator, unsigned nkeys, const char * const *keys, struct sexp_iterator *values) { TMP_DECL(found, int, NETTLE_MAX_SEXP_ASSOC); unsigned nfound; unsigned i; TMP_ALLOC(found, nkeys); for (i = 0; itype) { case SEXP_LIST: if (!sexp_iterator_enter_list(iterator)) return 0; if (iterator->type == SEXP_ATOM && !iterator->display) { /* Compare to the given keys */ for (i = 0; iatom_length && !memcmp(keys[i], iterator->atom, iterator->atom_length)) { if (found[i]) /* We don't allow duplicates */ return 0; /* Advance to point to value */ if (!sexp_iterator_next(iterator)) return 0; found[i] = 1; nfound++; /* Record this position. */ values[i] = *iterator; break; } } } if (!sexp_iterator_exit_list(iterator)) return 0; break; case SEXP_ATOM: /* Just ignore */ if (!sexp_iterator_next(iterator)) return 0; break; case SEXP_END: return sexp_iterator_exit_list(iterator) && (nfound == nkeys); default: abort(); } } } nettle-3.10/rsa-sha1-sign.c0000644000175000017500000000340214633602171014477 0ustar nissenisse/* rsa-sha1-sign.c Signatures using RSA and SHA1. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha1_sign(const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t s) { if (pkcs1_rsa_sha1_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_sha1_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_sha1_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.10/rsa-sec-decrypt.c0000644000175000017500000000450114633602171015130 0ustar nissenisse/* rsa-sec-decrypt.c RSA decryption, using randomized RSA blinding to be more resistant to side-channel attacks like timing attacks or cache based memory access measurements. Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "pkcs1-internal.h" #include "rsa-internal.h" #include "gmp-glue.h" int rsa_sec_decrypt(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, uint8_t *message, const mpz_t gibberish) { TMP_GMP_DECL (m, mp_limb_t); TMP_GMP_DECL (em, uint8_t); int res; /* First check that input is in range. */ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) return 0; TMP_GMP_ALLOC (m, mpz_size(pub->n)); TMP_GMP_ALLOC (em, key->size); /* We need a copy because m can be shorter than key_size, * but _rsa_sec_compute_root_tr expect all inputs to be * normalized to a key_size long buffer length */ mpz_limbs_copy(m, gibberish, mpz_size(pub->n)); res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); mpn_get_base256 (em, key->size, m, mpz_size(pub->n)); res &= _pkcs1_sec_decrypt (length, message, key->size, em); TMP_GMP_FREE (em); TMP_GMP_FREE (m); return res; } nettle-3.10/salsa20-crypt.c0000644000175000017500000000263114633602171014531 0ustar nissenisse/* salsa20-crypt.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "salsa20-internal.h" void salsa20_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *c, const uint8_t *m) { if (!length) return; _nettle_salsa20_crypt (ctx, 20, length, c, m); } nettle-3.10/block-internal.h0000644000175000017500000001350014633602172015034 0ustar nissenisse/* block-internal.h Internal implementations of nettle_blockZ-related functions. Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018 Niels Möller Copyright (C) 2018 Red Hat, Inc. Copyright (C) 2019 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BLOCK_INTERNAL_H_INCLUDED #define NETTLE_BLOCK_INTERNAL_H_INCLUDED #include #include "nettle-types.h" #include "bswap-internal.h" #include "memxor.h" static inline void block16_zero (union nettle_block16 *r) { static const union nettle_block16 zero_block; *r = zero_block; } static inline void block16_set (union nettle_block16 *r, const union nettle_block16 *x) { r->u64[0] = x->u64[0]; r->u64[1] = x->u64[1]; } static inline void block16_xor (union nettle_block16 *r, const union nettle_block16 *x) { r->u64[0] ^= x->u64[0]; r->u64[1] ^= x->u64[1]; } static inline void block16_xor3 (union nettle_block16 *r, const union nettle_block16 *x, const union nettle_block16 *y) { r->u64[0] = x->u64[0] ^ y->u64[0]; r->u64[1] = x->u64[1] ^ y->u64[1]; } static inline void block16_xor_bytes (union nettle_block16 *r, const union nettle_block16 *x, const uint8_t *bytes) { memxor3 (r->b, x->b, bytes, 16); } static inline void block8_xor (union nettle_block8 *r, const union nettle_block8 *x) { r->u64 ^= x->u64; } static inline void block8_xor3 (union nettle_block8 *r, const union nettle_block8 *x, const union nettle_block8 *y) { r->u64 = x->u64 ^ y->u64; } static inline void block8_xor_bytes (union nettle_block8 *r, const union nettle_block8 *x, const uint8_t *bytes) { memxor3 (r->b, x->b, bytes, 8); } /* Do a foreign-endianness shift of data */ #define LSHIFT_ALIEN_UINT64(x) \ ((((x) & UINT64_C(0x7f7f7f7f7f7f7f7f)) << 1) | \ (((x) & UINT64_C(0x8080808080808080)) >> 15)) #define RSHIFT_ALIEN_UINT64(x) \ ((((x) & UINT64_C(0xfefefefefefefefe)) >> 1) | \ (((x) & UINT64_C(0x0001010101010101)) << 15)) /* Two typical defining polynoms */ #define BLOCK16_POLY (UINT64_C(0x87)) #define BLOCK8_POLY (UINT64_C(0x1b)) #define GHASH_POLY (UINT64_C(0xE1)) /* Galois multiplications by 2: * functions differ in shifting right or left, big- or little- endianness * and by defining polynom. * r == x is allowed. */ #if WORDS_BIGENDIAN static inline void block16_mulx_be (union nettle_block16 *dst, const union nettle_block16 *src) { uint64_t carry = src->u64[0] >> 63; dst->u64[0] = (src->u64[0] << 1) | (src->u64[1] >> 63); dst->u64[1] = (src->u64[1] << 1) ^ (BLOCK16_POLY & -carry); } static inline void block16_mulx_le (union nettle_block16 *dst, const union nettle_block16 *src) { uint64_t carry = (src->u64[1] & 0x80) >> 7; dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) | ((src->u64[0] & 0x80) << 49); dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) ^ ((BLOCK16_POLY << 56) & -carry); } static inline void block8_mulx_be (union nettle_block8 *dst, const union nettle_block8 *src) { uint64_t carry = src->u64 >> 63; dst->u64 = (src->u64 << 1) ^ (BLOCK8_POLY & -carry); } static inline void block16_mulx_ghash (union nettle_block16 *r, const union nettle_block16 *x) { uint64_t mask; /* Shift uses big-endian representation. */ mask = - (x->u64[1] & 1); r->u64[1] = (x->u64[1] >> 1) | ((x->u64[0] & 1) << 63); r->u64[0] = (x->u64[0] >> 1) ^ (mask & (GHASH_POLY << 56)); } #else /* !WORDS_BIGENDIAN */ static inline void block16_mulx_be (union nettle_block16 *dst, const union nettle_block16 *src) { uint64_t carry = (src->u64[0] & 0x80) >> 7; dst->u64[0] = LSHIFT_ALIEN_UINT64(src->u64[0]) | ((src->u64[1] & 0x80) << 49); dst->u64[1] = LSHIFT_ALIEN_UINT64(src->u64[1]) ^ ((BLOCK16_POLY << 56) & -carry); } static inline void block16_mulx_le (union nettle_block16 *dst, const union nettle_block16 *src) { uint64_t carry = src->u64[1] >> 63; dst->u64[1] = (src->u64[1] << 1) | (src->u64[0] >> 63); dst->u64[0] = (src->u64[0] << 1) ^ (BLOCK16_POLY & -carry); } static inline void block8_mulx_be (union nettle_block8 *dst, const union nettle_block8 *src) { uint64_t carry = (src->u64 & 0x80) >> 7; dst->u64 = LSHIFT_ALIEN_UINT64(src->u64) ^ ((BLOCK8_POLY << 56) & -carry); } static inline void block16_mulx_ghash (union nettle_block16 *r, const union nettle_block16 *x) { uint64_t mask; /* Shift uses big-endian representation. */ mask = - ((x->u64[1] >> 56) & 1); r->u64[1] = RSHIFT_ALIEN_UINT64(x->u64[1]) | ((x->u64[0] >> 49) & 0x80); r->u64[0] = RSHIFT_ALIEN_UINT64(x->u64[0]) ^ (mask & GHASH_POLY); } #endif /* ! WORDS_BIGENDIAN */ /* Reverse bytes in X and store the result in R. This supports in-place operation (R and X can overlap). */ static inline void block16_bswap (union nettle_block16 *r, const union nettle_block16 *x) { uint64_t t = nettle_bswap64 (x->u64[0]); r->u64[0] = nettle_bswap64 (x->u64[1]); r->u64[1] = t; } #endif /* NETTLE_BLOCK_INTERNAL_H_INCLUDED */ nettle-3.10/xts.h0000644000175000017500000000761714633602172012762 0ustar nissenisse/* xts.h XEX-based tweaked-codebook mode with ciphertext stealing (XTS) Copyright (C) 2005 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_XTS_H_INCLUDED #define NETTLE_XTS_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define xts_encrypt_message nettle_xts_encrypt_message #define xts_decrypt_message nettle_xts_decrypt_message #define xts_aes128_set_encrypt_key nettle_xts_aes128_set_encrypt_key #define xts_aes128_set_decrypt_key nettle_xts_aes128_set_decrypt_key #define xts_aes128_encrypt_message nettle_xts_aes128_encrypt_message #define xts_aes128_decrypt_message nettle_xts_aes128_decrypt_message #define xts_aes256_set_encrypt_key nettle_xts_aes256_set_encrypt_key #define xts_aes256_set_decrypt_key nettle_xts_aes256_set_decrypt_key #define xts_aes256_encrypt_message nettle_xts_aes256_encrypt_message #define xts_aes256_decrypt_message nettle_xts_aes256_decrypt_message #define XTS_BLOCK_SIZE 16 void xts_encrypt_message(const void *enc_ctx, const void *twk_ctx, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); void xts_decrypt_message(const void *dec_ctx, const void *twk_ctx, nettle_cipher_func *decf, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); /* XTS Mode with AES-128 */ struct xts_aes128_key { struct aes128_ctx cipher; struct aes128_ctx tweak_cipher; }; void xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key); void xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key); void xts_aes128_encrypt_message(const struct xts_aes128_key *xtskey, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); void xts_aes128_decrypt_message(const struct xts_aes128_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); /* XTS Mode with AES-256 */ struct xts_aes256_key { struct aes256_ctx cipher; struct aes256_ctx tweak_cipher; }; void xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key); void xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key); void xts_aes256_encrypt_message(const struct xts_aes256_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); void xts_aes256_decrypt_message(const struct xts_aes256_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_XTS_H_INCLUDED */ nettle-3.10/rsa-sec-compute-root.c0000644000175000017500000001335014633602171016115 0ustar nissenisse/* rsa-sec-compute-root.c Side-channel silent RSA root computation. Copyright (C) 2018 Niels Möller Copyright (C) 2018 Red Hat, Inc This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "gmp-glue.h" #if !NETTLE_USE_MINI_GMP #define MAX(a, b) ((a) > (b) ? (a) : (b)) /* Like mpn_sec_mul_itch, monotonously increasing in operand sizes. */ static mp_size_t sec_mul_itch (mp_size_t an, mp_size_t bn) { if (an >= bn) return mpn_sec_mul_itch (an, bn); else return mpn_sec_mul_itch (bn, an); } /* Writes an + bn limbs to the rp area */ static void sec_mul (mp_limb_t *rp, const mp_limb_t *ap, mp_size_t an, const mp_limb_t *bp, mp_size_t bn, mp_limb_t *scratch) { if (an >= bn) mpn_sec_mul (rp, ap, an, bp, bn, scratch); else mpn_sec_mul (rp, bp, bn, ap, an, scratch); } static mp_size_t sec_mod_mul_itch (mp_size_t an, mp_size_t bn, mp_size_t mn) { mp_size_t mul_itch = sec_mul_itch (an, bn); mp_size_t mod_itch = mpn_sec_div_r_itch (an + bn, mn); return MAX(mul_itch, mod_itch); } /* Sets r <-- a b % m. Needs space for an + bn limbs at rp. It is required than an + bn >= mn. */ static void sec_mod_mul (mp_limb_t *rp, const mp_limb_t *ap, mp_size_t an, const mp_limb_t *bp, mp_size_t bn, const mp_limb_t *mp, mp_size_t mn, mp_limb_t *scratch) { assert (an + bn >= mn); sec_mul (rp, ap, an, bp, bn, scratch); mpn_sec_div_r (rp, an + bn, mp, mn, scratch); } static mp_size_t sec_powm_itch (mp_size_t bn, mp_size_t en, mp_size_t mn) { mp_size_t mod_itch = bn + mpn_sec_div_r_itch (bn, mn); mp_size_t pow_itch = mn + mpn_sec_powm_itch (mn, en * GMP_NUMB_BITS, mn); return MAX (mod_itch, pow_itch); } /* Sets r <-- b ^ e % m. Performs an initial reduction b mod m, and requires bn >= mn. */ static void sec_powm (mp_limb_t *rp, const mp_limb_t *bp, mp_size_t bn, const mp_limb_t *ep, mp_size_t en, const mp_limb_t *mp, mp_size_t mn, mp_limb_t *scratch) { assert (bn >= mn); assert (en <= mn); mpn_copyi (scratch, bp, bn); mpn_sec_div_r (scratch, bn, mp, mn, scratch + bn); mpn_sec_powm (rp, scratch, mn, ep, en * GMP_NUMB_BITS, mp, mn, scratch + mn); } mp_size_t _rsa_sec_compute_root_itch (const struct rsa_private_key *key) { mp_size_t nn = NETTLE_OCTET_SIZE_TO_LIMB_SIZE (key->size); mp_size_t pn = mpz_size (key->p); mp_size_t qn = mpz_size (key->q); mp_size_t an = mpz_size (key->a); mp_size_t bn = mpz_size (key->b); mp_size_t cn = mpz_size (key->c); mp_size_t powm_p_itch = sec_powm_itch (nn, an, pn); mp_size_t powm_q_itch = sec_powm_itch (nn, bn, qn); mp_size_t mod_mul_itch = cn + MAX(pn, qn) + sec_mod_mul_itch (MAX(pn, qn), cn, pn); mp_size_t mul_itch = sec_mul_itch (qn, pn); mp_size_t add_1_itch = mpn_sec_add_1_itch (nn - qn); /* pn + qn for the product q * r_mod_p' */ mp_size_t itch = pn + qn + MAX (mul_itch, add_1_itch); itch = MAX (itch, powm_p_itch); itch = MAX (itch, powm_q_itch); itch = MAX (itch, mod_mul_itch); /* pn + qn for the r_mod_p and r_mod_q temporaries. */ return pn + qn + itch; } void _rsa_sec_compute_root (const struct rsa_private_key *key, mp_limb_t *rp, const mp_limb_t *mp, mp_limb_t *scratch) { mp_size_t nn = NETTLE_OCTET_SIZE_TO_LIMB_SIZE (key->size); /* The common case is pn = qn. This function would be simpler if we * could require that pn >= qn. */ const mp_limb_t *pp = mpz_limbs_read (key->p); const mp_limb_t *qp = mpz_limbs_read (key->q); mp_size_t pn = mpz_size (key->p); mp_size_t qn = mpz_size (key->q); mp_size_t an = mpz_size (key->a); mp_size_t bn = mpz_size (key->b); mp_size_t cn = mpz_size (key->c); mp_limb_t *r_mod_p = scratch; mp_limb_t *r_mod_q = scratch + pn; mp_limb_t *scratch_out = r_mod_q + qn; mp_limb_t cy; assert (pn <= nn); assert (qn <= nn); assert (an <= pn); assert (bn <= qn); assert (cn <= pn); /* Compute r_mod_p = m^d % p = (m%p)^a % p */ sec_powm (r_mod_p, mp, nn, mpz_limbs_read (key->a), an, pp, pn, scratch_out); /* Compute r_mod_q = m^d % q = (m%q)^b % q */ sec_powm (r_mod_q, mp, nn, mpz_limbs_read (key->b), bn, qp, qn, scratch_out); /* Set r_mod_p' = r_mod_p * c % p - r_mod_q * c % p . */ sec_mod_mul (scratch_out, r_mod_p, pn, mpz_limbs_read (key->c), cn, pp, pn, scratch_out + cn + pn); mpn_copyi (r_mod_p, scratch_out, pn); sec_mod_mul (scratch_out, r_mod_q, qn, mpz_limbs_read (key->c), cn, pp, pn, scratch_out + cn + qn); cy = mpn_sub_n (r_mod_p, r_mod_p, scratch_out, pn); mpn_cnd_add_n (cy, r_mod_p, r_mod_p, pp, pn); /* Finally, compute x = r_mod_q + q r_mod_p' */ sec_mul (scratch_out, qp, qn, r_mod_p, pn, scratch_out + pn + qn); cy = mpn_add_n (rp, scratch_out, r_mod_q, qn); mpn_sec_add_1 (rp + qn, scratch_out + qn, nn - qn, cy, scratch_out + pn + qn); } #endif nettle-3.10/dsa-sign.c0000644000175000017500000000520614633602171013633 0ustar nissenisse/* dsa-sign.c The DSA publickey algorithm. Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "dsa.h" #include "dsa-internal.h" #include "bignum.h" #include "gmp-glue.h" int dsa_sign(const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature) { mpz_t k; mpz_t h; mpz_t tmp; unsigned bit_size; unsigned limb_size; int res; /* Check that p is odd, so that invalid keys don't result in a crash inside mpz_powm_sec. */ if (mpz_even_p (params->p)) return 0; /* Select k, 0q); mpz_sub_ui(tmp, tmp, 1); mpz_init(k); nettle_mpz_random(k, random_ctx, random, tmp); mpz_add_ui(k, k, 1); /* Compute r = (g^k (mod p)) (mod q) */ mpz_powm_sec(tmp, params->g, k, params->p); mpz_fdiv_r(signature->r, tmp, params->q); /* Compute hash */ bit_size = mpz_sizeinbase(params->q, 2); limb_size = NETTLE_BIT_SIZE_TO_LIMB_SIZE(bit_size); mpz_init(h); _nettle_dsa_hash (mpz_limbs_write (h, limb_size), bit_size, digest_size, digest); mpz_limbs_finish (h, limb_size); /* Compute k^-1 (mod q) */ if (mpz_invert(k, k, params->q)) { /* Compute signature s = k^-1 (h + xr) (mod q) */ mpz_mul(tmp, signature->r, x); mpz_fdiv_r(tmp, tmp, params->q); mpz_add(tmp, tmp, h); mpz_mul(tmp, tmp, k); mpz_fdiv_r(signature->s, tmp, params->q); res = 1; } else /* What do we do now? The key is invalid. */ res = 0; mpz_clear(k); mpz_clear(h); mpz_clear(tmp); return res; } nettle-3.10/memxor.c0000644000175000017500000000776414633602171013450 0ustar nissenisse/* memxor.c Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Implementation inspired by memcmp in glibc, contributed to the FSF by Torbjorn Granlund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memxor.h" #include "memxor-internal.h" #define WORD_T_THRESH 16 /* XOR word-aligned areas. n is the number of words, not bytes. */ static void memxor_common_alignment (word_t *dst, const word_t *src, size_t n) { /* FIXME: Require n > 0? */ /* FIXME: Unroll four times, like memcmp? Probably not worth the effort. */ if (n & 1) { n--; dst[n] ^= src[n]; } while (n >= 2) { n -= 2; dst[n+1] ^= src[n+1]; dst[n] ^= src[n]; } } /* XOR *un-aligned* src-area onto aligned dst area. n is number of words, not bytes. Assumes we can read complete words at the start and end of the src operand. */ static void memxor_different_alignment (word_t *dst, const unsigned char *src, size_t n) { int shl, shr; const word_t *src_word; unsigned offset = ALIGN_OFFSET (src); word_t s0, s1; assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); src_word = (const word_t *) ((uintptr_t) src & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (s0, (unsigned char *) &src_word[n], offset); #ifdef WORDS_BIGENDIAN s0 <<= shr; /* FIXME: Eliminate this shift? */ #endif /* Do n-1 regular iterations */ if (n & 1) s1 = s0; else { n--; s1 = src_word[n]; dst[n] ^= MERGE (s1, shl, s0, shr); } assert (n & 1); while (n > 2) { n -= 2; s0 = src_word[n+1]; dst[n+1] ^= MERGE(s0, shl, s1, shr); s1 = src_word[n]; /* FIXME: Overread on last iteration */ dst[n] ^= MERGE(s1, shl, s0, shr); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (s0, src, sizeof(word_t) - offset); #ifndef WORDS_BIGENDIAN s0 <<= shl; /* FIXME: eliminate shift? */ #endif /* !WORDS_BIGENDIAN */ dst[0] ^= MERGE(s0, shl, s1, shr); } /* Performance, Intel SU1400 (x86_64): 0.25 cycles/byte aligned, 0.45 cycles/byte unaligned. */ /* XOR LEN bytes starting at SRCADDR onto DESTADDR. Result undefined if the source overlaps with the destination. Return DESTADDR. */ void * memxor(void *dst_in, const void *src_in, size_t n) { unsigned char *dst = dst_in; const unsigned char *src = src_in; if (n >= WORD_T_THRESH) { unsigned i; unsigned offset; size_t nwords; /* There are at least some bytes to compare. No need to test for N == 0 in this alignment loop. */ for (i = ALIGN_OFFSET(dst + n); i > 0; i--) { n--; dst[n] ^= src[n]; } offset = ALIGN_OFFSET(src + n); nwords = n / sizeof (word_t); n %= sizeof (word_t); if (offset) memxor_different_alignment ((word_t *) (dst+n), src+n, nwords); else memxor_common_alignment ((word_t *) (dst+n), (const word_t *) (src+n), nwords); } while (n > 0) { n--; dst[n] ^= src[n]; } return dst; } nettle-3.10/sm4-meta.c0000644000175000017500000000261514633602171013556 0ustar nissenisse/* sm4-meta.c Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sm4.h" const struct nettle_cipher nettle_sm4 = { "sm4", sizeof(struct sm4_ctx), SM4_BLOCK_SIZE, SM4_KEY_SIZE, (nettle_set_key_func *) sm4_set_encrypt_key, (nettle_set_key_func *) sm4_set_decrypt_key, (nettle_cipher_func *) sm4_crypt, (nettle_cipher_func *) sm4_crypt }; nettle-3.10/ecc-gostdsa-verify.c0000644000175000017500000000653414633602172015632 0ustar nissenisse/* ecc-gostdsa-verify.c Copyright (C) 2015 Dmitry Eremin-Solenikov Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gostdsa.h" #include "dsa-internal.h" #include "ecc-internal.h" /* Low-level GOST DSA verify */ static int ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp) { return !mpn_zero_p (xp, ecc->p.size) && mpn_cmp (xp, ecc->q.m, ecc->p.size) < 0; } mp_size_t ecc_gostdsa_verify_itch (const struct ecc_curve *ecc) { /* Largest storage need is for the ecc_mul_a call. */ return 5*ecc->p.size + ECC_MUL_A_ITCH (ecc->p.size); } /* FIXME: Use faster primitives, not requiring side-channel silence. */ int ecc_gostdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch) { /* Procedure, according to GOST R 34.10. q denotes the group order. 1. Check 0 < r, s < q. 2. v <-- h^{-1} (mod q) 3. z1 <-- s * v (mod q) 4. z2 <-- -r * v (mod q) 5. R = u1 G + u2 Y 6. Signature is valid if R_x = r (mod q). */ #define hp (scratch) #define vp (scratch + ecc->p.size) #define z1 (scratch + 3*ecc->p.size) #define z2 (scratch + 4*ecc->p.size) #define P1 (scratch + 4*ecc->p.size) #define P2 (scratch) if (! (ecdsa_in_range (ecc, rp) && ecdsa_in_range (ecc, sp))) return 0; _nettle_gostdsa_hash (hp, ecc->q.bit_size, length, digest); if (mpn_zero_p (hp, ecc->p.size)) mpn_add_1 (hp, hp, ecc->p.size, 1); /* Compute v */ ecc->q.invert (&ecc->q, vp, hp, vp + ecc->p.size); /* z1 = s / h, P1 = z1 * G */ ecc_mod_mul_canonical (&ecc->q, z1, sp, vp, z1); /* z2 = - r / h, P2 = z2 * Y */ mpn_sub_n (hp, ecc->q.m, rp, ecc->p.size); ecc_mod_mul_canonical (&ecc->q, z2, hp, vp, z2); /* Total storage: 5*ecc->p.size + ECC_MUL_A_ITCH */ ecc_mul_a (ecc, P2, z2, pp, z2 + ecc->p.size); /* Total storage: 7*ecc->p.size + ECC_MUL_G_ITCH */ ecc_mul_g (ecc, P1, z1, P1 + 3*ecc->p.size); /* Total storage: 6*ecc->p.size + ECC_ADD_JJJ_ITCH */ if (!ecc_nonsec_add_jjj (ecc, P1, P1, P2, P1 + 3*ecc->p.size)) return 0; /* x coordinate only, modulo q */ ecc_j_to_a (ecc, 2, P2, P1, P1 + 3*ecc->p.size); return (mpn_cmp (rp, P2, ecc->p.size) == 0); #undef P2 #undef P1 #undef z2 #undef z1 #undef hp #undef vp } nettle-3.10/m4-utils.m40000644000175000017500000004120114633602172013676 0ustar nissenissedivert(-1) dnl dnl m4 macros for gmp assembly code, shared by all CPUs. From gmp/mpn/asm-defs.m4 dnl Copyright 1999-2006, 2011 Free Software Foundation, Inc. dnl This file is part of the GNU MP Library. dnl dnl The GNU MP Library is free software; you can redistribute it and/or modify dnl it under the terms of either: dnl dnl * the GNU Lesser General Public License as published by the Free dnl Software Foundation; either version 3 of the License, or (at your dnl option) any later version. dnl dnl or dnl dnl * the GNU General Public License as published by the Free Software dnl Foundation; either version 2 of the License, or (at your option) any dnl later version. dnl dnl or both in parallel, as here. dnl dnl The GNU MP Library is distributed in the hope that it will be useful, but dnl WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY dnl or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License dnl for more details. dnl dnl You should have received copies of the GNU General Public License and the dnl GNU Lesser General Public License along with the GNU MP Library. If not, dnl see https://www.gnu.org/licenses/. dnl These macros are designed for use with any m4 and have been used on dnl GNU, FreeBSD, NetBSD, OpenBSD and SysV. dnl dnl GNU m4 and OpenBSD 2.7 m4 will give filenames and line numbers in error dnl messages. dnl dnl dnl Macros: dnl dnl Most new m4 specific macros have an "m4_" prefix to emphasise they're dnl m4 expansions. But new defining things like deflit() and defreg() are dnl named like the builtin define(), and forloop() is named following the dnl GNU m4 example on which it's based. dnl dnl GNU m4 with the -P option uses "m4_" as a prefix for builtins, but that dnl option isn't going to be used, so there's no conflict or confusion. dnl dnl dnl Comments in output: dnl dnl The m4 comment delimiters are left at # and \n, the normal assembler dnl commenting for most CPUs. m4 passes comment text through without dnl expanding macros in it, which is generally a good thing since it stops dnl unexpected expansions and possible resultant errors. dnl dnl But note that when a quoted string is being read, a # isn't special, so dnl apostrophes in comments in quoted strings must be avoided or they'll be dnl interpreted as a closing quote mark. But when the quoted text is dnl re-read # will still act like a normal comment, suppressing macro dnl expansion. dnl dnl For example, dnl dnl # apostrophes in comments that're outside quotes are ok dnl # and using macro names like PROLOGUE is ok too dnl ... dnl ifdef(`PIC',` dnl # but apostrophes aren't ok inside quotes dnl # ^--wrong dnl ... dnl # though macro names like PROLOGUE are still ok dnl ... dnl ') dnl dnl If macro expansion in a comment is wanted, use `#' in the .asm (ie. a dnl quoted hash symbol), which will turn into # in the .s but get dnl expansions done on that line. This can make the .s more readable to dnl humans, but it won't make a blind bit of difference to the assembler. dnl dnl All the above applies, mutatis mutandis, when changecom() is used to dnl select @ ! ; or whatever other commenting. dnl dnl dnl Variations in m4 affecting gmp: dnl dnl $# - When a macro is called as "foo" with no brackets, BSD m4 sets $# dnl to 1, whereas GNU or SysV m4 set it to 0. In all cases though dnl "foo()" sets $# to 1. This is worked around in various places. dnl dnl len() - When "len()" is given an empty argument, BSD m4 evaluates to dnl nothing, whereas GNU, SysV, and the new OpenBSD, evaluate to 0. dnl See m4_length() below which works around this. dnl dnl translit() - GNU m4 accepts character ranges like A-Z, and the new dnl OpenBSD m4 does under option -g, but basic BSD and SysV don't. dnl dnl popdef() - in BSD and SysV m4 popdef() takes multiple arguments and dnl pops each, but GNU m4 only takes one argument. dnl dnl push back - BSD m4 has some limits on the amount of text that can be dnl pushed back. The limit is reasonably big and so long as macros dnl don't gratuitously duplicate big arguments it isn't a problem. dnl Normally an error message is given, but sometimes it just hangs. dnl dnl eval() &,|,^ - GNU and SysV m4 have bitwise operators &,|,^ available, dnl but BSD m4 doesn't (contrary to what the man page suggests) and dnl instead ^ is exponentiation. dnl dnl eval() ?: - The C ternary operator "?:" is available in BSD m4, but not dnl in SysV or GNU m4 (as of GNU m4 1.4 and betas of 1.5). dnl dnl eval() -2^31 - BSD m4 has a bug where an eval() resulting in -2^31 dnl (ie. -2147483648) gives "-(". Using -2147483648 within an dnl expression is ok, it just can't be a final result. "-(" will of dnl course upset parsing, with all sorts of strange effects. dnl dnl eval() <<,>> - SysV m4 doesn't support shift operators in eval() (on dnl Solaris 7 /usr/xpg4/m4 has them but /usr/ccs/m4 doesn't). See dnl m4_lshift() and m4_rshift() below for workarounds. dnl dnl ifdef() - OSF 4.0 m4 considers a macro defined to a zero value `0' or dnl `00' etc as not defined. See m4_ifdef below for a workaround. dnl dnl m4wrap() sequence - in BSD m4, m4wrap() replaces any previous m4wrap() dnl string, in SysV m4 it appends to it, and in GNU m4 it prepends. dnl See m4wrap_prepend() below which brings uniformity to this. dnl dnl m4wrap() 0xFF - old versions of BSD m4 store EOF in a C "char" under an dnl m4wrap() and on systems where char is unsigned by default a dnl spurious 0xFF is output. This has been observed on recent Cray dnl Unicos Alpha, Apple MacOS X, and HPUX 11 systems. An autoconf dnl test is used to check for this, see the m4wrap handling below. It dnl might work to end the m4wrap string with a dnl to consume the dnl 0xFF, but that probably induces the offending m4's to read from an dnl already closed "FILE *", which could be bad on a glibc style dnl stdio. dnl dnl __file__,__line__ - GNU m4 and OpenBSD 2.7 m4 provide these, and dnl they're used here to make error messages more informative. GNU m4 dnl gives an unhelpful "NONE 0" in an m4wrap(), but that's worked dnl around. dnl dnl __file__ quoting - OpenBSD m4, unlike GNU m4, doesn't quote the dnl filename in __file__, so care should be taken that no macro has dnl the same name as a file, or an unwanted expansion will occur when dnl printing an error or warning. dnl dnl changecom() - BSD m4 changecom doesn't quite work like the man page dnl suggests, in particular "changecom" or "changecom()" doesn't dnl disable the comment feature, and multi-character comment sequences dnl don't seem to work. If the default `#' and newline aren't dnl suitable it's necessary to change it to something else, dnl eg. changecom(;). dnl dnl OpenBSD 2.6 m4 - in this m4, eval() rejects decimal constants containing dnl an 8 or 9, making it pretty much unusable. The bug is confined to dnl version 2.6 (it's not in 2.5, and was fixed in 2.7). dnl dnl SunOS /usr/bin/m4 - this m4 lacks a number of desired features, dnl including $# and $@, defn(), m4exit(), m4wrap(), pushdef(), dnl popdef(). /usr/5bin/m4 is a SysV style m4 which should always be dnl available, and "configure" will reject /usr/bin/m4 in favour of dnl /usr/5bin/m4 (if necessary). dnl dnl The sparc code actually has modest m4 requirements currently and dnl could manage with /usr/bin/m4, but there's no reason to put our dnl macros through contortions when /usr/5bin/m4 is available or GNU dnl m4 can be installed. dnl -------------------------------------------------------------------------- dnl Basic error handling things. dnl Usage: m4_dollarhash_1_if_noparen_p dnl dnl Expand to 1 if a call "foo" gives $# set to 1 (as opposed to 0 like GNU dnl and SysV m4 give). define(m4_dollarhash_1_if_noparen_test,`$#') define(m4_dollarhash_1_if_noparen_p, eval(m4_dollarhash_1_if_noparen_test==1)) undefine(`m4_dollarhash_1_if_noparen_test') define(m4_error, `errprint($@ )m4exit(1)') dnl Usage: m4_assert_numargs(num) dnl dnl Put this unquoted on a line on its own at the start of a macro dnl definition to add some code to check that num many arguments get passed dnl to the macro. For example, dnl dnl define(foo, dnl m4_assert_numargs(2) dnl `something `$1' and `$2' blah blah') dnl dnl Then a call like foo(one,two,three) will provoke an error like dnl dnl file:10: foo expected 2 arguments, got 3 arguments dnl dnl Here are some calls and how many arguments they're interpreted as passing. dnl dnl foo(abc,def) 2 dnl foo(xyz) 1 dnl foo() 0 dnl foo -1 dnl dnl The -1 for no parentheses at all means a macro that's meant to be used dnl that way can be checked with m4_assert_numargs(-1). For example, dnl dnl define(SPECIAL_SUFFIX, dnl m4_assert_numargs(-1) dnl `ifdef(`FOO',`_foo',`_bar')') dnl dnl But as an alternative see also deflit() below where parenthesized dnl expressions following a macro are passed through to the output. dnl dnl Note that in BSD m4 there's no way to differentiate calls "foo" and dnl "foo()", so in BSD m4 the distinction between the two isn't enforced. dnl (In GNU and SysV m4 it can be checked, and is.) dnl m4_assert_numargs is able to check its own arguments by calling dnl assert_numargs_internal directly. dnl dnl m4_doublequote($`'0) expands to ``$0'', whereas ``$`'0'' would expand dnl to `$`'0' and do the wrong thing, and likewise for $1. The same is dnl done in other assert macros. dnl dnl $`#' leaves $# in the new macro being defined, and stops # being dnl interpreted as a comment character. dnl dnl `dnl ' means an explicit dnl isn't necessary when m4_assert_numargs is dnl used. The space means that if there is a dnl it'll still work. dnl Usage: m4_doublequote(x) expands to ``x'' define(m4_doublequote, `m4_assert_numargs_internal(`$0',1,$#,len(`$1'))``$1''') define(m4_assert_numargs, `m4_assert_numargs_internal(`$0',1,$#,len(`$1'))dnl `m4_assert_numargs_internal'(m4_doublequote($`'0),$1,$`#',`len'(m4_doublequote($`'1)))`dnl '') dnl Called: m4_assert_numargs_internal(`macroname',wantargs,$#,len(`$1')) define(m4_assert_numargs_internal, `m4_assert_numargs_internal_check(`$1',`$2',m4_numargs_count(`$3',`$4'))') dnl Called: m4_assert_numargs_internal_check(`macroname',wantargs,gotargs) dnl dnl If m4_dollarhash_1_if_noparen_p (BSD m4) then gotargs can be 0 when it dnl should be -1. If wantargs is -1 but gotargs is 0 and the two can't be dnl distinguished then it's allowed to pass. dnl define(m4_assert_numargs_internal_check, `ifelse(eval($2 == $3 || ($2==-1 && $3==0 && m4_dollarhash_1_if_noparen_p)),0, `m4_error(`$1 expected 'm4_Narguments(`$2')`, got 'm4_Narguments(`$3') )')') dnl Called: m4_numargs_count($#,len(`$1')) dnl If $#==0 then -1 args, if $#==1 but len(`$1')==0 then 0 args, otherwise dnl $# args. define(m4_numargs_count, `ifelse($1,0, -1, `ifelse(eval($1==1 && $2-0==0),1, 0, $1)')') dnl Usage: m4_Narguments(N) dnl "$1 argument" or "$1 arguments" with the plural according to $1. define(m4_Narguments, `$1 argument`'ifelse(`$1',1,,s)') dnl -------------------------------------------------------------------------- dnl Additional error checking things. dnl Usage: m4_assert_onearg() dnl dnl Put this, unquoted, at the start of a macro definition to add some code dnl to check that one argument is passed to the macro, but with that dnl argument allowed to be empty. For example, dnl dnl define(foo, dnl m4_assert_onearg() dnl `blah blah $1 blah blah') dnl dnl Calls "foo(xyz)" or "foo()" are accepted. A call "foo(xyz,abc)" fails. dnl A call "foo" fails too, but BSD m4 can't detect this case (GNU and SysV dnl m4 can). define(m4_assert_onearg, m4_assert_numargs(0) `m4_assert_onearg_internal'(m4_doublequote($`'0),$`#')`dnl ') dnl Called: m4_assert_onearg(`macroname',$#) define(m4_assert_onearg_internal, `ifelse($2,1,, `m4_error(`$1 expected 1 argument, got 'm4_Narguments(`$2') )')') dnl -------------------------------------------------------------------------- dnl Various generic m4 things. dnl Usage: m4_unquote(macro) dnl dnl Allow the argument text to be re-evaluated. This is useful for "token dnl pasting" like m4_unquote(foo`'bar). define(m4_unquote, m4_assert_onearg() `$1') dnl Usage: m4_length(string) dnl dnl Determine the length of a string. This is the same as len(), but dnl always expands to a number, working around the BSD len() which dnl evaluates to nothing given an empty argument. define(m4_length, m4_assert_onearg() `eval(len(`$1')-0)') dnl Usage: m4_incr_or_decr(n,last) dnl dnl Do an incr(n) or decr(n), whichever is in the direction of "last". dnl Both n and last must be numbers of course. define(m4_incr_or_decr, m4_assert_numargs(2) `ifelse(eval($1<$2),1,incr($1),decr($1))') dnl Usage: forloop(i, first, last, statement) dnl dnl Based on GNU m4 examples/forloop.m4, but extended. dnl dnl statement is expanded repeatedly, with i successively defined as dnl dnl first, first+1, ..., last-1, last dnl dnl Or if first > last, then it's dnl dnl first, first-1, ..., last+1, last dnl dnl If first == last, then one expansion is done. dnl dnl A pushdef/popdef of i is done to preserve any previous definition (or dnl lack of definition). first and last are eval()ed and so can be dnl expressions. dnl dnl forloop_first is defined to 1 on the first iteration, 0 on the rest. dnl forloop_last is defined to 1 on the last iteration, 0 on the others. dnl Nested forloops are allowed, in which case forloop_first and dnl forloop_last apply to the innermost loop that's open. dnl dnl A simple example, dnl dnl forloop(i, 1, 2*2+1, `dnl dnl iteration number i ... ifelse(forloop_first,1,FIRST) dnl ') dnl "i" and "statement" are carefully quoted, but "first" and "last" are dnl just plain numbers once eval()ed. define(`forloop', m4_assert_numargs(4) `pushdef(`$1',eval(`$2'))dnl pushdef(`forloop_first',1)dnl pushdef(`forloop_last',0)dnl forloop_internal(`$1',eval(`$3'),`$4')`'dnl popdef(`forloop_first')dnl popdef(`forloop_last')dnl popdef(`$1')') dnl Called: forloop_internal(`var',last,statement) define(`forloop_internal', m4_assert_numargs(3) `ifelse($1,$2, `define(`forloop_last',1)$3', `$3`'dnl define(`forloop_first',0)dnl define(`$1',m4_incr_or_decr($1,$2))dnl forloop_internal(`$1',$2,`$3')')') dnl Usage: deflit(name,value) dnl dnl Like define(), but "name" expands like a literal, rather than taking dnl arguments. For example "name(%eax)" expands to "value(%eax)". dnl dnl Limitations: dnl dnl $ characters in the value part must have quotes to stop them looking dnl like macro parameters. For example, deflit(reg,`123+$`'4+567'). See dnl defreg() below for handling simple register definitions like $7 etc. dnl dnl "name()" is turned into "name", unfortunately. In GNU and SysV m4 an dnl error is generated when this happens, but in BSD m4 it will happen dnl silently. The problem is that in BSD m4 $# is 1 in both "name" or dnl "name()", so there's no way to differentiate them. Because we want dnl plain "name" to turn into plain "value", we end up with "name()" dnl turning into plain "value" too. dnl dnl "name(foo)" will lose any whitespace after commas in "foo", for example dnl "disp(%eax, %ecx)" would become "128(%eax,%ecx)". dnl dnl These parentheses oddities shouldn't matter in assembler text, but if dnl they do the suggested workaround is to write "name ()" or "name (foo)" dnl to stop the parentheses looking like a macro argument list. If a space dnl isn't acceptable in the output, then write "name`'()" or "name`'(foo)". dnl The `' is stripped when read, but again stops the parentheses looking dnl like parameters. dnl Quoting for deflit_emptyargcheck is similar to m4_assert_numargs. The dnl stuff in the ifelse gives a $#, $1 and $@ evaluated in the new macro dnl created, not in deflit. define(deflit, m4_assert_numargs(2) `define(`$1', `deflit_emptyargcheck'(``$1'',$`#',m4_doublequote($`'1))`dnl $2`'dnl ifelse(eval($'`#>1 || m4_length('m4_doublequote($`'1)`)!=0),1,($'`@))')') dnl Called: deflit_emptyargcheck(macroname,$#,`$1') define(deflit_emptyargcheck, `ifelse(eval($2==1 && !m4_dollarhash_1_if_noparen_p && m4_length(`$3')==0),1, `m4_error(`dont use a deflit as $1() because it loses the brackets (see deflit in asm-defs.m4 for more information) ')')') divert`'dnl nettle-3.10/xts.c0000644000175000017500000001267214633602171012751 0ustar nissenisse/* xts.c XEX-based tweaked-codebook mode with ciphertext stealing (XTS) Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "xts.h" #include "macros.h" #include "memxor.h" #include "nettle-internal.h" #include "block-internal.h" static void check_length(size_t length, uint8_t *dst) { assert(length >= XTS_BLOCK_SIZE); /* asserts may be compiled out, try to save the user by zeroing the dst in * case the buffer contains sensitive data (like the clear text for inplace * encryption) */ if (length < XTS_BLOCK_SIZE) memset(dst, '\0', length); } /* works also for inplace encryption/decryption */ void xts_encrypt_message(const void *enc_ctx, const void *twk_ctx, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { union nettle_block16 T; union nettle_block16 P; check_length(length, dst); encf(twk_ctx, XTS_BLOCK_SIZE, T.b, tweak); /* the zeroth power of alpha is the initial ciphertext value itself, so we * skip shifting and do it at the end of each block operation instead */ for (;length >= 2 * XTS_BLOCK_SIZE || length == XTS_BLOCK_SIZE; length -= XTS_BLOCK_SIZE, src += XTS_BLOCK_SIZE, dst += XTS_BLOCK_SIZE) { memxor3(P.b, src, T.b, XTS_BLOCK_SIZE); /* P -> PP */ encf(enc_ctx, XTS_BLOCK_SIZE, dst, P.b); /* CC */ memxor(dst, T.b, XTS_BLOCK_SIZE); /* CC -> C */ /* shift T for next block if any */ if (length > XTS_BLOCK_SIZE) block16_mulx_le(&T, &T); } /* if the last block is partial, handle via stealing */ if (length) { /* S Holds the real C(n-1) (Whole last block to steal from) */ union nettle_block16 S; memxor3(P.b, src, T.b, XTS_BLOCK_SIZE); /* P -> PP */ encf(enc_ctx, XTS_BLOCK_SIZE, S.b, P.b); /* CC */ memxor(S.b, T.b, XTS_BLOCK_SIZE); /* CC -> S */ /* shift T for next block */ block16_mulx_le(&T, &T); length -= XTS_BLOCK_SIZE; src += XTS_BLOCK_SIZE; memxor3(P.b, src, T.b, length); /* P |.. */ /* steal ciphertext to complete block */ memxor3(P.b + length, S.b + length, T.b + length, XTS_BLOCK_SIZE - length); /* ..| S_2 -> PP */ encf(enc_ctx, XTS_BLOCK_SIZE, dst, P.b); /* CC */ memxor(dst, T.b, XTS_BLOCK_SIZE); /* CC -> C(n-1) */ /* Do this after we read src so inplace operations do not break */ dst += XTS_BLOCK_SIZE; memcpy(dst, S.b, length); /* S_1 -> C(n) */ } } void xts_decrypt_message(const void *dec_ctx, const void *twk_ctx, nettle_cipher_func *decf, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { union nettle_block16 T; union nettle_block16 C; check_length(length, dst); encf(twk_ctx, XTS_BLOCK_SIZE, T.b, tweak); for (;length >= 2 * XTS_BLOCK_SIZE || length == XTS_BLOCK_SIZE; length -= XTS_BLOCK_SIZE, src += XTS_BLOCK_SIZE, dst += XTS_BLOCK_SIZE) { memxor3(C.b, src, T.b, XTS_BLOCK_SIZE); /* c -> CC */ decf(dec_ctx, XTS_BLOCK_SIZE, dst, C.b); /* PP */ memxor(dst, T.b, XTS_BLOCK_SIZE); /* PP -> P */ /* shift T for next block if any */ if (length > XTS_BLOCK_SIZE) block16_mulx_le(&T, &T); } /* if the last block is partial, handle via stealing */ if (length) { union nettle_block16 T1; /* S Holds the real P(n) (with part of stolen ciphertext) */ union nettle_block16 S; /* we need the last T(n) and save the T(n-1) for later */ block16_mulx_le(&T1, &T); memxor3(C.b, src, T1.b, XTS_BLOCK_SIZE); /* C -> CC */ decf(dec_ctx, XTS_BLOCK_SIZE, S.b, C.b); /* PP */ memxor(S.b, T1.b, XTS_BLOCK_SIZE); /* PP -> S */ /* process next block (Pn-1) */ length -= XTS_BLOCK_SIZE; src += XTS_BLOCK_SIZE; /* Prepare C, P holds the real P(n) */ memxor3(C.b, src, T.b, length); /* C_1 |.. */ memxor3(C.b + length, S.b + length, T.b + length, XTS_BLOCK_SIZE - length); /* ..| S_2 -> CC */ decf(dec_ctx, XTS_BLOCK_SIZE, dst, C.b); /* PP */ memxor(dst, T.b, XTS_BLOCK_SIZE); /* PP -> P(n-1) */ /* Do this after we read src so inplace operations do not break */ dst += XTS_BLOCK_SIZE; memcpy(dst, S.b, length); /* S_1 -> P(n) */ } } nettle-3.10/rsa-keygen.c0000644000175000017500000001132214633602171014167 0ustar nissenisse/* rsa-keygen.c Generation of RSA keypairs Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #ifndef DEBUG # define DEBUG 0 #endif #if DEBUG # include #endif int rsa_generate_keypair(struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned n_size, unsigned e_size) { mpz_t p1; mpz_t q1; mpz_t phi; mpz_t tmp; if (e_size) { /* We should choose e randomly. Is the size reasonable? */ if ((e_size < 16) || (e_size >= n_size) ) return 0; } else { /* We have a fixed e. Check that it makes sense */ /* It must be odd */ if (!mpz_tstbit(pub->e, 0)) return 0; /* And 3 or larger */ if (mpz_cmp_ui(pub->e, 3) < 0) return 0; /* And size less than n */ if (mpz_sizeinbase(pub->e, 2) >= n_size) return 0; } if (n_size < RSA_MINIMUM_N_BITS) return 0; mpz_init(p1); mpz_init(q1); mpz_init(phi); mpz_init(tmp); /* Generate primes */ for (;;) { /* Generate p, such that gcd(p-1, e) = 1 */ for (;;) { nettle_random_prime(key->p, (n_size+1)/2, 1, random_ctx, random, progress_ctx, progress); mpz_sub_ui(p1, key->p, 1); /* If e was given, we must choose p such that p-1 has no factors in * common with e. */ if (e_size) break; mpz_gcd(tmp, pub->e, p1); if (mpz_cmp_ui(tmp, 1) == 0) break; else if (progress) progress(progress_ctx, 'c'); } if (progress) progress(progress_ctx, '\n'); /* Generate q, such that gcd(q-1, e) = 1 */ for (;;) { nettle_random_prime(key->q, n_size/2, 1, random_ctx, random, progress_ctx, progress); mpz_sub_ui(q1, key->q, 1); /* If e was given, we must choose q such that q-1 has no factors in * common with e. */ if (e_size) break; mpz_gcd(tmp, pub->e, q1); if (mpz_cmp_ui(tmp, 1) == 0) break; else if (progress) progress(progress_ctx, 'c'); } /* Now we have the primes. Is the product of the right size? */ mpz_mul(pub->n, key->p, key->q); assert (mpz_sizeinbase(pub->n, 2) == n_size); if (progress) progress(progress_ctx, '\n'); /* c = q^{-1} (mod p) */ if (mpz_invert(key->c, key->q, key->p)) /* This should succeed everytime. But if it doesn't, * we try again. */ break; else if (progress) progress(progress_ctx, '?'); } mpz_mul(phi, p1, q1); /* If we didn't have a given e, generate one now. */ if (e_size) { int retried = 0; for (;;) { nettle_mpz_random_size(pub->e, random_ctx, random, e_size); /* Make sure it's odd and that the most significant bit is * set */ mpz_setbit(pub->e, 0); mpz_setbit(pub->e, e_size - 1); /* Needs gmp-3, or inverse might be negative. */ if (mpz_invert(key->d, pub->e, phi)) break; if (progress) progress(progress_ctx, 'e'); retried = 1; } if (retried && progress) progress(progress_ctx, '\n'); } else { /* Must always succeed, as we already that e * doesn't have any common factor with p-1 or q-1. */ int res = mpz_invert(key->d, pub->e, phi); assert(res); } /* Done! Almost, we must compute the auxillary private values. */ /* a = d % (p-1) */ mpz_fdiv_r(key->a, key->d, p1); /* b = d % (q-1) */ mpz_fdiv_r(key->b, key->d, q1); /* c was computed earlier */ pub->size = key->size = (n_size + 7) / 8; assert(pub->size >= RSA_MINIMUM_N_OCTETS); mpz_clear(p1); mpz_clear(q1); mpz_clear(phi); mpz_clear(tmp); return 1; } nettle-3.10/x86_64/0000755000175000017500000000000014633602172012716 5ustar nissenissenettle-3.10/x86_64/aes-decrypt-internal.asm0000644000175000017500000000653314633602172017461 0ustar nissenisseC x86_64/aes-decrypt-internal.asm ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86_64/aes.m4') C Register usage: C AES state, use two of them define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') define(`TA',`%r10d') define(`TB',`%r11d') define(`TC',`%r12d') C Input argument define(`ROUNDS', `%rdi') define(`KEYS', `%rsi') define(`PARAM_TABLE', `%rdx') define(`PARAM_LENGTH',`%rcx') define(`DST', `%r8') define(`SRC', `%r9') define(`TABLE', `%r13') define(`LENGTH',`%r14') define(`KEY', `%r15') C Must correspond to an old-style register, for movzb from %ah--%dh to C work. define(`TMP',`%rbp') .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_decrypt) W64_ENTRY(6, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend C save all registers that need to be saved push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 subl $1, XREG(ROUNDS) push ROUNDS C Rounds stored at (%rsp) mov PARAM_TABLE, TABLE mov PARAM_LENGTH, LENGTH shr $4, LENGTH .Lblock_loop: mov KEYS, KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer movl (%rsp), XREG(ROUNDS) sub $16, KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SD,SC,SB, TA, TMP) AES_ROUND(TABLE, SB,SA,SD,SC, TB, TMP) AES_ROUND(TABLE, SC,SB,SA,SD, TC, TMP) AES_ROUND(TABLE, SD,SC,SB,SA, SD, TMP) movl TA, SA movl TB, SB movl TC, SC xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD sub $16, KEY C point to next key decl XREG(ROUNDS) jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SD,SC,SB, TABLE, TA, TMP) AES_FINAL_ROUND(SB,SA,SD,SC, TABLE, TB, TMP) AES_FINAL_ROUND(SC,SB,SA,SD, TABLE, TC, TMP) AES_FINAL_ROUND(SD,SC,SB,SA, TABLE, SD, TMP) C Inverse S-box substitution mov $3, XREG(ROUNDS) .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) decl XREG(ROUNDS) jnz .Lsubst C Add last subkey, and store decrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST dec LENGTH jnz .Lblock_loop lea 8(%rsp), %rsp C Drop ROUNDS pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: W64_EXIT(6, 0) ret EPILOGUE(_nettle_aes_decrypt) nettle-3.10/x86_64/aes.m40000644000175000017500000000552414633602172013736 0ustar nissenissednl LREG(reg) gives the 8-bit register corresponding to the given 32-bit register. define(`LREG',`ifelse( $1, %eax, %al, $1, %ebx, %bl, $1, %ecx, %cl, $1, %edx, %dl, $1, %esi, %sil, $1, %edi, %dil, $1, %ebp, %bpl, $1, %esp, %spl, $1, %r8d, %r8b, $1, %r9d, %r9b, $1, %r10d, %r10b, $1, %r11d, %r11b, $1, %r12d, %r12b, $1, %r13d, %r13b, $1, %r14d, %r14b, $1, %r15d, %r15b)')dnl define(`HREG',`ifelse( $1, %eax, %ah, $1, %ebx, %bh, $1, %ecx, %ch, $1, %edx, %dh, error)') define(`XREG',`ifelse( $1, %rax, %eax, $1, %rbx, %ebx, $1, %rcx, %ecx, $1, %rdx, %edx, $1, %rsi, %esi, $1, %rdi, %edi, $1, %rbp, %ebp, $1, %rsp, %esp, $1, %r8, %r8d, $1, %r9, %r9d, $1, %r10,%r10d, $1, %r11,%r11d, $1, %r12,%r12d, $1, %r13,%r13d, $1, %r14,%r14d, $1, %r15,%r15d)')dnl dnl AES_LOAD(a, b, c, d, src, key) dnl Loads the next block of data from src, and add the subkey pointed dnl to by key. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(`AES_LOAD', ` movl ($5),$1 movl 4($5),$2 movl 8($5),$3 movl 12($5),$4 xorl ($6),$1 xorl 4($6),$2 xorl 8($6),$3 xorl 12($6),$4')dnl dnl AES_STORE(a, b, c, d, key, dst) dnl Adds the subkey to a, b, c, d, dnl and stores the result in the area pointed to by dst. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(`AES_STORE', ` xorl ($5),$1 xorl 4($5),$2 xorl 8($5),$3 xorl 12($5),$4 movl $1,($6) movl $2,4($6) movl $3,8($6) movl $4,12($6)')dnl dnl AES_ROUND(table,a,b,c,d,out,ptr) dnl Computes one word of the AES round. Leaves result in $6. define(`AES_ROUND', ` movzb LREG($2), $7 movl AES_TABLE0 ($1, $7, 4),$6 movzb HREG($3), XREG($7) xorl AES_TABLE1 ($1, $7, 4),$6 movl $4,XREG($7) shr `$'16,$7 and `$'0xff,$7 xorl AES_TABLE2 ($1, $7, 4),$6 movl $5,XREG($7) shr `$'24,$7 xorl AES_TABLE3 ($1, $7, 4),$6')dnl dnl AES_FINAL_ROUND(a, b, c, d, table, out, tmp) dnl Computes one word of the final round. Leaves result in $6. Also dnl performs the first substitution step, on the least significant dnl byte, and rotates 8 bits. define(`AES_FINAL_ROUND', ` movzb LREG($1),$7 movzbl ($5, $7), $6 movl $2,XREG($7) andl `$'0x0000ff00,XREG($7) orl XREG($7), $6 movl $3,XREG($7) andl `$'0x00ff0000,XREG($7) orl XREG($7), $6 movl $4,XREG($7) andl `$'0xff000000,XREG($7) orl XREG($7), $6 roll `$'8, $6')dnl dnl AES_SUBST_BYTE(A, B, C, D, table, tmp) dnl Substitutes the least significant byte of dnl each of eax, ebx, ecx and edx, and also rotates dnl the words one byte to the left. dnl Uses that AES_SBOX == 0 define(`AES_SUBST_BYTE', ` movzb LREG($1),$6 movb ($5, $6),LREG($1) roll `$'8,$1 movzb LREG($2),$6 movb ($5, $6),LREG($2) roll `$'8,$2 movzb LREG($3),$6 movb ($5, $6),LREG($3) roll `$'8,$3 movzb LREG($4),$6 movb ($5, $6),LREG($4) roll `$'8,$4')dnl nettle-3.10/x86_64/ecc-secp224r1-modp.asm0000644000175000017500000000532614633602172016540 0ustar nissenisseC x86_64/ecc-secp224r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp224r1-modp.asm" GMP_NUMB_BITS(64) define(`RP', `%rsi') define(`XP', `%rdx') define(`T0', `%rdi') C Overlaps unused modulo input define(`T1', `%rcx') define(`H0', `%rax') define(`H1', `%r8') define(`H2', `%r9') define(`F0', `%rsi') C Overlaps RP define(`F1', `%r10') define(`F2', `%r11') C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) PROLOGUE(_nettle_ecc_secp224r1_modp) W64_ENTRY(3, 0) push RP mov 48(XP), H0 mov 56(XP), H1 C Set (F2,F1,F0) <-- (H1,H0) << 32 mov H0, F0 mov H0, F1 shl $32, F0 shr $32, F1 mov H1, F2 mov H1, T0 shl $32, T0 shr $32, F2 or T0, F1 xor H2, H2 mov 16(XP), T0 mov 24(XP), T1 sub F0, T0 sbb F1, T1 sbb F2, H0 sbb $0, H1 C No further borrow adc 32(XP), H0 adc 40(XP), H1 adc $0, H2 C Set (F2,F1,F0) <-- (H2,H1,H0) << 32 C To free registers, add in T1, T0 as soon as H0, H1 have been copied mov H0, F0 mov H0, F1 add T0, H0 mov H1, F2 mov H1, T0 adc T1, H1 mov H2, T1 adc $0, H2 C Shift 32 bits shl $32, F0 shr $32, F1 shl $32, T0 shr $32, F2 shl $32, T1 or T0, F1 or T1, F2 mov (XP), T0 mov 8(XP), T1 sub F0, T0 sbb F1, T1 sbb F2, H0 sbb $0, H1 sbb $0, H2 C We now have H2, H1, H0, T1, T0, with 33 bits left to reduce C Set F0 <-- (H2, H1) >> 32 C Set (F2,F1) <-- (H2, H1 & 0xffffffff00000000) C H1 <-- H1 & 0xffffffff mov H1, F0 mov H1, F1 mov H2, F2 movl XREG(H1), XREG(H1) C Clears high 32 bits sub H1, F1 C Clears low 32 bits shr $32, F0 shl $32, H2 or H2, F0 sub F0, T0 sbb $0, F1 sbb $0, F2 add F1, T1 adc F2, H0 adc $0, H1 pop RP mov T0, (RP) mov T1, 8(RP) mov H0, 16(RP) mov H1, 24(RP) W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp224r1_modp) nettle-3.10/x86_64/salsa20-2core.asm0000644000175000017500000001435214633602172015702 0ustar nissenisseC x86_64/salsa20-2core.asm ifelse(` Copyright (C) 2012, 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`DST', `%rdi') define(`SRC', `%rsi') define(`COUNT', `%rdx') C State, even elements in X, odd elements in Y define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`Y0', `%xmm4') define(`Y1', `%xmm5') define(`Y2', `%xmm6') define(`Y3', `%xmm7') define(`T0', `%xmm8') define(`T1', `%xmm9') define(`T2', `%xmm10') define(`T3', `%xmm11') define(`M0011', `%xmm12') include_src(`x86_64/salsa20.m4') .text ALIGN(16) C _salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_salsa20_2core) W64_ENTRY(3, 13) movups (SRC), T0 C [0, 1, 2, 3] movups 16(SRC), T1 C [4, 5, 6, 7] movups 32(SRC), T2 C [8, 9, 10, 11] movups 48(SRC), T3 C [12, 13, 14, 15] pshufd $0xa0, T0, X0 C X0: [0,0,2,2] pshufd $0xf5, T0, Y3 C Y3: [1,1,3,3] pshufd $0xa0, T1, X1 C X1: [4,4,6,6] pshufd $0xf5, T1, Y0 C Y0: [5,5,7,7] pshufd $0xa0, T2, X2 C X2: [8,8,10,10] pshufd $0xf5, T2, Y1 C Y1: [9,9,11,11] pshufd $0xa0, T3, X3 C [12,12,14,14] pshufd $0xf5, T3, Y2 C [13,13,15,15] C Complicated counter increment. Could be done with C mov $1, %eax; movd %eax, TMP; paddq T2, TMP C earlier, but then it gets more complicated to construct X2 and Y1. mov $1, %eax movd %eax, T0 C [1,0,0,0] pshufd $0x51, T0, T0 C [0,1,0,0] pxor T1, T1 paddd T0, X2 pcmpeqd X2, T1 pand T0, T1 paddd T1, Y1 C Load mask registers mov $-1, %eax movd %eax, M0011 pshufd $0x09, M0011, M0011 C 01 01 00 00 C Swap, to get C X0: 0 10 Y0: 5 15 C X1: 4 14 Y1: 9 3 C X2: 8 2 Y2: 13 7 C X3: 12 6 Y3: 1 11 SWAP(X0, X2, M0011) SWAP(X1, X3, M0011) SWAP(Y0, Y2, M0011) SWAP(Y1, Y3, M0011) shrl $1, XREG(COUNT) ALIGN(16) .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 C X1: A4 B4 A14 B14 Y1: A9 B9 A3 B3 C X2: A8 B8 A2 B2 Y2: A13 B13 A7 B7 C X3: A12 B12 A6 B6 Y3: A1 B1 A11 B11 movaps X0, T0 paddd X3, T0 movaps T0, T1 movaps Y0, T2 pslld $7, T0 paddd Y3, T2 psrld $25, T1 movaps T2, T3 pxor T0, X1 pslld $7, T2 pxor T1, X1 psrld $25, T3 movaps X0, T0 pxor T2, Y1 paddd X1, T0 pxor T3, Y1 movaps T0, T1 movaps Y0, T2 pslld $9, T0 paddd Y1, T2 psrld $23, T1 movaps T2, T3 pxor T0, X2 pslld $9, T2 pxor T1, X2 psrld $23, T3 movaps X1, T0 pxor T2, Y2 paddd X2, T0 pxor T3, Y2 movaps T0, T1 movaps Y1, T2 pslld $13, T0 paddd Y2, T2 psrld $19, T1 movaps T2, T3 pxor T0, X3 pslld $13, T2 pxor T1, X3 psrld $19, T3 movaps X2, T0 pxor T2, Y3 paddd X3, T0 pxor T3, Y3 movaps T0, T1 movaps Y2, T2 pslld $18, T0 paddd Y3, T2 psrld $14, T1 movaps T2, T3 pxor T0, X0 pslld $18, T2 pxor T1, X0 psrld $14, T3 pxor T2, Y0 pxor T3, Y0 C Register layout: C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 C Y1: A3 B3 A9 B9 X1: A4 B4 A14 B14 (Y1 swapped) C X2: A2 B2 A8 B8 Y2: A7 B7 A13 B13 (X2, Y2 swapped) C Y3: A1 B1 A11 B11 X3: A6 B6 A12 B12 (X3 swapped) pshufd $0x4e, Y1, Y1 C 10 11 00 01 pshufd $0x4e, X2, X2 pshufd $0x4e, Y2, Y2 pshufd $0x4e, X3, X3 movaps X0, T0 paddd Y1, T0 movaps T0, T1 movaps Y0, T2 pslld $7, T0 paddd X1, T2 psrld $25, T1 movaps T2, T3 pxor T0, Y3 pslld $7, T2 pxor T1, Y3 psrld $25, T3 movaps Y3, T0 pxor T2, X3 paddd X0, T0 pxor T3, X3 movaps T0, T1 movaps X3, T2 pslld $9, T0 paddd Y0, T2 psrld $23, T1 movaps T2, T3 pxor T0, X2 pslld $9, T2 pxor T1, X2 psrld $23, T3 movaps X2, T0 pxor T2, Y2 paddd Y3, T0 pxor T3, Y2 movaps T0, T1 movaps Y2, T2 pslld $13, T0 paddd X3, T2 psrld $19, T1 movaps T2, T3 pxor T0, Y1 pslld $13, T2 pxor T1, Y1 psrld $19, T3 movaps Y1, T0 pxor T2, X1 paddd X2, T0 pxor T3, X1 movaps T0, T1 movaps X1, T2 pslld $18, T0 paddd Y2, T2 psrld $14, T1 movaps T2, T3 pxor T0, X0 pslld $18, T2 pxor T1, X0 psrld $14, T3 pxor T2, Y0 pxor T3, Y0 pshufd $0x4e, Y1, Y1 C 10 11 00 01 pshufd $0x4e, X2, X2 pshufd $0x4e, Y2, Y2 pshufd $0x4e, X3, X3 decl XREG(COUNT) jnz .Loop SWAP(X0, X2, M0011) SWAP(X1, X3, M0011) SWAP(Y0, Y2, M0011) SWAP(Y1, Y3, M0011) movaps X0, T0 punpckldq Y3, X0 C [A0, A1, B0, B1] punpckhdq Y3, T0 C [A2, A3, B2, B3] movaps X0, Y3 punpcklqdq T0, X0 C [A0, A1, A2, A3] punpckhqdq T0, Y3 C [B0, B1, B2, B3] movups (SRC), T0 paddd T0, X0 paddd T0, Y3 movaps X1, T1 punpckldq Y0, X1 C [A4, A5, B4, B5] punpckhdq Y0, T1 C [A6, A7, B6, B7] movaps X1, Y0 punpcklqdq T1, X1 C [A4, A5, A6, A7] punpckhqdq T1, Y0 C [B4, B5, B6, B7] movups 16(SRC), T1 paddd T1, X1 paddd T1, Y0 movaps X2, T2 punpckldq Y1, X2 C [A8, A9, B8, B9] punpckhdq Y1, T2 C [A10, A11, B10, B11] movaps X2, Y1 punpcklqdq T2, X2 C [A8, A9, A10, A11] punpckhqdq T2, Y1 C [B8, B9, B10, B11] movups 32(SRC), T2 paddd T2, X2 mov $1, %eax movd %eax, M0011 paddq M0011, T2 paddd T2, Y1 movaps X3, T3 punpckldq Y2, X3 C [A12, A13, B12, B13] punpckhdq Y2, T3 C [A14, A15, B14, B15] movaps X3, Y2 punpcklqdq T3, X3 C [A12, A13, A14, A15] punpckhqdq T3, Y2 C [B12, B13, B14, B15] movups 48(SRC), T3 paddd T3, X3 paddd T3, Y2 movups X0,(DST) movups X1,16(DST) movups X2,32(DST) movups X3,48(DST) movups Y3,64(DST) movups Y0,80(DST) movups Y1,96(DST) movups Y2,112(DST) W64_EXIT(3, 13) ret EPILOGUE(_nettle_salsa20_2core) nettle-3.10/x86_64/machine.m40000644000175000017500000000675114633602172014575 0ustar nissenisseC OFFSET(i) C Expands to 4*i, or to the empty string if i is zero define(`OFFSET', `ifelse($1,0,,eval(4*$1))') C OFFSET64(i) C Expands to 8*i, or to the empty string if i is zero define(`OFFSET64', `ifelse($1,0,,eval(8*$1))') dnl LREG(reg) gives the 8-bit register corresponding to the given 64-bit register. define(`LREG',`ifelse( $1, %rax, %al, $1, %rbx, %bl, $1, %rcx, %cl, $1, %rdx, %dl, $1, %rsi, %sil, $1, %rdi, %dil, $1, %rbp, %bpl, $1, %r8, %r8b, $1, %r9, %r9b, $1, %r10, %r10b, $1, %r11, %r11b, $1, %r12, %r12b, $1, %r13, %r13b, $1, %r14, %r14b, $1, %r15, %r15b)')dnl define(`HREG',`ifelse( $1, %rax, %ah, $1, %rbx, %bh, $1, %rcx, %ch, $1, %rdx, %dh)')dnl define(`WREG',`ifelse( $1, %rax, %ax, $1, %rbx, %bx, $1, %rcx, %cx, $1, %rdx, %dx, $1, %rsi, %si, $1, %rdi, %di, $1, %rbp, %bp, $1, %r8, %r8w, $1, %r9, %r9w, $1, %r10, %r10w, $1, %r11, %r11w, $1, %r12, %r12w, $1, %r13, %r13w, $1, %r14, %r14w, $1, %r15, %r15w)')dnl define(`XREG',`ifelse( $1, %rax, %eax, $1, %rbx, %ebx, $1, %rcx, %ecx, $1, %rdx, %edx, $1, %rsi, %esi, $1, %rdi, %edi, $1, %rbp, %ebp, $1, %r8, %r8d, $1, %r9, %r9d, $1, %r10, %r10d, $1, %r11, %r11d, $1, %r12, %r12d, $1, %r13, %r13d, $1, %r14, %r14d, $1, %r15, %r15d)')dnl dnl W64_ENTRY(nargs, xmm_used) define(`W64_ENTRY', ` ifelse(W64_ABI,yes,` dnl unconditionally push %rdi, making %rsp 16-byte aligned push %rdi dnl Save %xmm6, ..., if needed ifelse(eval($2 > 6), 1, ` sub `$'eval(16*($2 - 6)), %rsp movdqa %xmm6, 0(%rsp) ') ifelse(eval($2 > 7), 1, ` movdqa %xmm7, 16(%rsp) ') ifelse(eval($2 > 8), 1, ` movdqa %xmm8, 32(%rsp) ') ifelse(eval($2 > 9), 1, ` movdqa %xmm9, 48(%rsp) ') ifelse(eval($2 > 10), 1, ` movdqa %xmm10, 64(%rsp) ') ifelse(eval($2 > 11), 1, ` movdqa %xmm11, 80(%rsp) ') ifelse(eval($2 > 12), 1, ` movdqa %xmm12, 96(%rsp) ') ifelse(eval($2 > 13), 1, ` movdqa %xmm13, 112(%rsp) ') ifelse(eval($2 > 14), 1, ` movdqa %xmm14, 128(%rsp) ') ifelse(eval($2 > 15), 1, ` movdqa %xmm15, 144(%rsp) ') dnl Move around arguments ifelse(eval($1 >= 1), 1, ` mov %rcx, %rdi ') ifelse(eval($1 >= 2), 1, ` dnl NOTE: Breaks 16-byte %rsp alignment push %rsi mov %rdx, %rsi ') ifelse(eval($1 >= 3), 1, ` mov %r8, %rdx ') ifelse(eval($1 >= 4), 1, ` mov %r9, %rcx ') ifelse(eval($1 >= 5), 1, ` mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+56),56)(%rsp), %r8 ') ifelse(eval($1 >= 6), 1, ` mov ifelse(eval($2 > 6), 1, eval(16*($2-6)+64),64)(%rsp), %r9 ') ') ') dnl W64_EXIT(nargs, xmm_used) define(`W64_EXIT', ` ifelse(W64_ABI,yes,` ifelse(eval($1 >= 2), 1, ` pop %rsi ') ifelse(eval($2 > 15), 1, ` movdqa 144(%rsp), %xmm15 ') ifelse(eval($2 > 14), 1, ` movdqa 128(%rsp), %xmm14 ') ifelse(eval($2 > 13), 1, ` movdqa 112(%rsp), %xmm13 ') ifelse(eval($2 > 12), 1, ` movdqa 96(%rsp), %xmm12 ') ifelse(eval($2 > 11), 1, ` movdqa 80(%rsp), %xmm11 ') ifelse(eval($2 > 10), 1, ` movdqa 64(%rsp), %xmm10 ') ifelse(eval($2 > 9), 1, ` movdqa 48(%rsp), %xmm9 ') ifelse(eval($2 > 8), 1, ` movdqa 32(%rsp), %xmm8 ') ifelse(eval($2 > 7), 1, ` movdqa 16(%rsp), %xmm7 ') ifelse(eval($2 > 6), 1, ` movdqa (%rsp), %xmm6 add `$'eval(16*($2 - 6)), %rsp ') pop %rdi ') ') nettle-3.10/x86_64/ecc-curve25519-modp.asm0000644000175000017500000000413614633602172016643 0ustar nissenisseC x86_64/ecc-curve25519-modp.asm ifelse(` Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-curve25519-modp.asm" define(`RP', `%rsi') define(`XP', `%rdx') C Overlaps with mul register define(`U0', `%rdi') C Overlaps unused modulo input define(`U1', `%rcx') define(`U2', `%r8') define(`U3', `%r9') define(`T0', `%r10') define(`T1', `%r11') define(`M', `%rbx') PROLOGUE(_nettle_ecc_curve25519_modp) W64_ENTRY(3, 0) push %rbx push RP mov XP, RP C First fold the limbs affecting bit 255 mov 56(RP), %rax mov $38, M mul M mov 24(RP), U3 xor T0, T0 add %rax, U3 adc %rdx, T0 mov 40(RP), %rax C Do this early as possible mul M add U3, U3 adc T0, T0 shr U3 C Undo shift, clear high bit C Fold the high limb again, together with RP[5] imul $19, T0 mov (RP), U0 mov 8(RP), U1 mov 16(RP), U2 add T0, U0 adc %rax, U1 mov 32(RP), %rax adc %rdx, U2 adc $0, U3 C Fold final two limbs, RP[4] and RP[6] mul M mov %rax, T0 mov 48(RP), %rax mov %rdx, T1 mul M pop RP add T0, U0 mov U0, (RP) adc T1, U1 mov U1, 8(RP) adc %rax, U2 mov U2, 16(RP) adc %rdx, U3 mov U3, 24(RP) pop %rbx W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_curve25519_modp) nettle-3.10/x86_64/camellia-crypt-internal.asm0000644000175000017500000000777714633602172020162 0ustar nissenisseC x86_64/camellia-crypt-internal.asm ifelse(` Copyright (C) 2010, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Performance, cycles per block C C Intel SU4100 C C asm C Camellia-128 415 347 C Camellia-256 543 461 C Register usage: define(`NKEYS', `%rdi') define(`KEYS', `%rsi') define(`TABLE', `%rdx') define(`LENGTH', `%rcx') define(`DST', `%r8') define(`SRC', `%r9') C Camellia state define(`I0', `%rax') define(`I1', `%rbx') C callee-save define(`KEY', `%r13') C callee-save define(`TMP', `%rbp') C callee-save define(`CNT', `%r10') define(`IL', `%r11') define(`IR', `%r12') C callee-save define(`SP1110', `(TABLE,$1,4)') define(`SP0222', `1024(TABLE,$1,4)') define(`SP3033', `2048(TABLE,$1,4)') define(`SP4404', `3072(TABLE,$1,4)') C ROUND(x, y, key-offset) define(`ROUND', ` C Byte 0,1 movzbl LREG($1), XREG(TMP) movl SP1110(TMP), XREG(IR) movzbl HREG($1), XREG(TMP) xorl SP4404(TMP), XREG(IR) ror `$'32, $1 C Byte 4,5 movzbl LREG($1), XREG(TMP) movl SP4404(TMP), XREG(IL) movzbl HREG($1), XREG(TMP) xorl SP3033(TMP), XREG(IL) rol `$'16, $1 C Byte 2,3 movzbl LREG($1), XREG(TMP) xorl SP3033(TMP), XREG(IR) movzbl HREG($1), XREG(TMP) xorl SP0222(TMP), XREG(IR) ror `$'32, $1 C Byte 6,7 movzbl LREG($1), XREG(TMP) xorl SP0222(TMP), XREG(IL) movzbl HREG($1), XREG(TMP) xorl SP1110(TMP), XREG(IL) ror `$'16, $1 C 76543210 xorl XREG(IL), XREG(IR) rorl `$'8, XREG(IL) xorl XREG(IR), XREG(IL) shl `$'32, IR or IL, IR xor $3(KEY), $2 xor IR, $2 ') C FL(x, key-offset) define(`FL', ` mov $1, TMP shr `$'32, TMP andl $2 + 4(KEY), XREG(TMP) roll `$'1, XREG(TMP) C xorl XREG(TMP), XREG($1) xor TMP, $1 movl $2(KEY), XREG(TMP) orl XREG($1), XREG(TMP) shl `$'32, TMP xor TMP, $1 ') C FLINV(x0, key-offset) define(`FLINV', ` movl $2(KEY), XREG(TMP) orl XREG($1), XREG(TMP) shl `$'32, TMP xor TMP, $1 mov $1, TMP shr `$'32, TMP andl $2 + 4(KEY), XREG(TMP) roll `$'1, XREG(TMP) C xorl XREG(TMP), XREG($1) xor TMP, $1 ') .file "camellia-crypt-internal.asm" C _camellia_crypt(unsigned nkeys, const uint64_t *keys, C const struct camellia_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_camellia_crypt) W64_ENTRY(6, 0) test LENGTH, LENGTH jz .Lend push %rbx push %rbp push %r12 push %r13 sub $8, NKEYS .Lblock_loop: C Load data, note that we'll happily do unaligned loads mov (SRC), I0 bswap I0 mov 8(SRC), I1 bswap I1 add $16, SRC mov XREG(NKEYS), XREG(CNT) mov KEYS, KEY C Whitening using first subkey xor (KEY), I0 add $8, KEY ROUND(I0, I1, 0) ROUND(I1, I0, 8) ROUND(I0, I1, 16) ROUND(I1, I0, 24) ROUND(I0, I1, 32) ROUND(I1, I0, 40) .Lround_loop: add $64, KEY FL(I0, -16) FLINV(I1, -8) ROUND(I0, I1, 0) ROUND(I1, I0, 8) ROUND(I0, I1, 16) ROUND(I1, I0, 24) ROUND(I0, I1, 32) ROUND(I1, I0, 40) sub $8, CNT ja .Lround_loop bswap I0 mov I0, 8(DST) xor 48(KEY), I1 bswap I1 mov I1, (DST) add $16, DST sub $16, LENGTH ja .Lblock_loop pop %r13 pop %r12 pop %rbp pop %rbx .Lend: W64_EXIT(6, 0) ret EPILOGUE(_nettle_camellia_crypt) nettle-3.10/x86_64/ghash-update.asm0000644000175000017500000000476214633602172016003 0ustar nissenisseC x86_64/ghash-update.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`KEY', `%rdi') define(`XP', `%rsi') define(`BLOCKS', `%rdx') define(`SRC', `%rcx') define(`CNT', `%rax') define(`KEY32', `%r8') define(`X', `%xmm0') define(`R', `%xmm1') define(`M0', `%xmm2') define(`M1', `%xmm3') define(`M2', `%xmm4') define(`M3', `%xmm5') define(`T0', `%xmm6') define(`T1', `%xmm7') .file "ghash-update.asm" C const uint8_t *_ghash_update (const struct gcm_key *key, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) .text ALIGN(16) PROLOGUE(_nettle_ghash_update) W64_ENTRY(4, 8) sub $1, BLOCKS movups (XP), X jc .Ldone C Table offset corresponding to 32 bits. lea 1024(KEY), KEY32 ALIGN(16) .Lblock_loop: C Unaligned input movups (SRC), M0 pxor M0, X pxor R, R mov $992, CNT ALIGN(16) .Loop_bit: movdqa X, M3 psrad $31, M3 pshufd $0x00, M3, M0 pshufd $0x55, M3, M1 pshufd $0xaa, M3, M2 pshufd $0xff, M3, M3 pslld $1, X C Tabulated values are only 8-byte aligned, and therefore C can't be used as memory operands to pand. It would be nice C if we could force 16-byte alignment on nettle_block16, using C C11 alignas. movups (KEY, CNT), T0 movups (KEY32, CNT), T1 pand T0, M0 pand T1, M1 movups 16(KEY, CNT), T0 movups 16(KEY32, CNT), T1 pand T0, M2 pand T1, M3 pxor M0, M1 pxor M2, M3 pxor M1, R pxor M3, R sub $32, CNT jnc .Loop_bit movaps R, X add $16, SRC sub $1, BLOCKS jnc .Lblock_loop .Ldone: movups X, (XP) mov SRC, %rax W64_EXIT(4, 8) ret EPILOGUE(_nettle_ghash_update) nettle-3.10/x86_64/README0000644000175000017500000000271314633602172013601 0ustar nissenisseABI, according to http://www.x86-64.org/documentation/abi-0.99.pdf: Up to 6 integer and pointer arguments are passed in registers. Nine registers, %rax, %rcx, %rdx, %rsi, %rdi and %r8-%r11 can be used freely. Integers and pointers are returned in %rax. At entry, it is required that %rsp == 8 (mod 16). Registers May be Argument clobbered number %rax Y %rbx %rcx Y 4 %rdx Y 3 %rbp %rsi Y 2 %rdi Y 1 %rsp (SP) %r8 Y 5 %r9 Y 6 %r10 Y %r11 Y %r12 %r13 %r14 %r15 W64 ABI, according to http://msdn.microsoft.com/en-us/library/9z1stfyw.aspx: Registers May be Argument clobbered number %rax Y %rbx %rcx Y 1 %rdx Y 2 %rbp %rsi %rdi %rsp (SP) %r8 Y 3 %r9 Y 4 %r10 Y %r11 Y %r12 %r13 %r14 %r15 Additional arguments are passed on the stack. "backing store" on the stack for the four register arguments is also required. %xmm6 to %xmm15 are callee-saved. The "long" type is just 32 bits. If we have six arguments, and push the additional callee-save registers %rdi and %rsi on the stack, we get a stack frame like 64(%rsp): Sixth argument 56(%rsp): Fifth argument 48(%rsp): Space for fourth argument 40(%rsp): Space for third argument 32(%rsp): Space for second argument 24(%rsp): Space for first argument 16(%rsp): Return address 8(%rsp) : Saved %rdi (%rsp): Saved %rsi If, in addition, we use more than 6 %xmm registers, we push them *after* %rdi (but before %rsi), so that they are stored at 16-byte aligned addresses. nettle-3.10/x86_64/ecc-curve448-modp.asm0000644000175000017500000000522314633602172016473 0ustar nissenisseC x86_64/ecc-curve448-modp.asm ifelse(` Copyright (C) 2019 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-curve448-modp.asm" define(`RP', `%rsi') define(`XP', `%rdx') define(`X0', `%rax') define(`X1', `%rbx') define(`X2', `%rcx') define(`X3', `%rbp') define(`X4', `%rdi') define(`X5', `%r8') define(`X6', `%r9') define(`X7', `%r10') define(`T0', `%r11') define(`T1', `%r12') define(`T2', `%r13') PROLOGUE(_nettle_ecc_curve448_modp) W64_ENTRY(3, 0) push %rbx push %rbp push %r12 push %r13 C First load the values to be shifted by 32. mov 88(XP), X1 mov X1, X0 mov 96(XP), X2 mov X1, T0 mov 104(XP), X3 mov X2, T1 mov 56(XP), X4 mov X3, T2 mov 64(XP), X5 mov 72(XP), X6 mov 80(XP), X7 C Multiply by 2^32 shl $32, X0 shrd $32, X2, X1 shrd $32, X3, X2 shrd $32, X4, X3 shrd $32, X5, X4 shrd $32, X6, X5 shrd $32, X7, X6 shr $32, X7 C Multiply by 2 add T0, T0 adc T1, T1 adc T2, T2 adc $0, X7 C Main additions add 56(XP), X0 adc 64(XP), X1 adc 72(XP), X2 adc 80(XP), X3 adc T0, X4 adc T1, X5 adc T2, X6 adc $0, X7 add (XP), X0 adc 8(XP), X1 adc 16(XP), X2 adc 24(XP), X3 adc 32(XP), X4 adc 40(XP), X5 adc 48(XP), X6 adc $0, X7 C X7 wraparound mov X7, T0 mov X7, T1 shl $32, T0 shr $32, T1 xor T2, T2 add X7, X0 adc $0, X1 adc $0, X2 adc T0, X3 adc T1, X4 adc $0, X5 adc $0, X6 adc $0, T2 C Final carry wraparound. Carry T2 > 0 only if C X6 is zero, so carry is absorbed. mov T2, T0 shl $32, T0 add T2, X0 mov X0, (RP) adc $0, X1 mov X1, 8(RP) adc $0, X2 mov X2, 16(RP) adc T0, X3 mov X3, 24(RP) adc $0, X4 mov X4, 32(RP) adc $0, X5 mov X5, 40(RP) adc $0, X6 mov X6, 48(RP) pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_curve448_modp) nettle-3.10/x86_64/sha1-compress.asm0000644000175000017500000001732114633602172016111 0ustar nissenisseC x86_64/sha1-compress.asm ifelse(` Copyright (C) 2004, 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage. KVALUE and INPUT share a register. define(`SA',`%eax')dnl define(`SB',`%r8d')dnl define(`SC',`%ecx')dnl define(`SD',`%edx')dnl define(`SE',`%r9d')dnl define(`DATA',`%rsp')dnl define(`T1',`%r10d')dnl define(`T2',`%r11d')dnl define(`KVALUE', `%esi')dnl C Arguments define(`STATE',`%rdi')dnl define(`INPUT',`%rsi')dnl C Constants define(`K1VALUE', ``$'0x5A827999')dnl C Rounds 0-19 define(`K2VALUE', ``$'0x6ED9EBA1')dnl C Rounds 20-39 define(`K3VALUE', ``$'0x8F1BBCDC')dnl C Rounds 40-59 define(`K4VALUE', ``$'0xCA62C1D6')dnl C Rounds 60-79 C Reads the input into register, byteswaps it, and stores it in the DATA array. C SWAP(index, register) define(`SWAP', ` movl OFFSET($1)(INPUT), $2 bswap $2 movl $2, OFFSET($1) (DATA) ')dnl C The f functions, C C f1(x,y,z) = z ^ (x & (y ^ z)) C f2(x,y,z) = x ^ y ^ z C f3(x,y,z) = (x & y) | (z & (x | y)) C = (x & (y ^ z)) + (y & z) C f4 = f2 C This form for f3 was suggested by George Spelvin. The terms can be C added into the result one at a time, saving one temporary. C expand(i) is the expansion function C C W[i] = (W[i - 16] ^ W[i - 14] ^ W[i - 8] ^ W[i - 3]) <<< 1 C C where W[i] is stored in DATA[i mod 16]. C The form of one sha1 round is C C a' = e + a <<< 5 + f( b, c, d ) + k + w; C b' = a; C c' = b <<< 30; C d' = c; C e' = d; C C where <<< denotes rotation. We permute our variables, so that we C instead get C C e += a <<< 5 + f( b, c, d ) + k + w; C b <<<= 30 dnl ROUND_F1(a, b, c, d, e, i) define(`ROUND_F1', ` movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 roll `$'1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 xorl $3, T2 andl $2, T2 xorl $4, T2 roll `$'30, $2 addl T1, $5 addl KVALUE, $5 movl $1, T1 roll `$'5, T1 addl T1, $5 addl T2, $5 ') dnl ROUND_F1_NOEXP(a, b, c, d, e, i) define(`ROUND_F1_NOEXP', ` movl $4, T2 xorl $3, T2 movl $1, T1 andl $2, T2 addl OFFSET($6) (DATA), $5 xorl $4, T2 addl T2, $5 roll `$'30, $2 roll `$'5, T1 addl T1, $5 addl KVALUE, $5 ') dnl ROUND_F2(a, b, c, d, e, i) define(`ROUND_F2', ` movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 roll `$'1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 xorl $3, T2 xorl $2, T2 roll `$'30, $2 addl T1, $5 addl KVALUE, $5 movl $1, T1 roll `$'5, T1 addl T1, $5 addl T2, $5 ') dnl ROUND_F3(a, b, c, d, e, i) define(`ROUND_F3', ` movl OFFSET(eval($6 % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xorl OFFSET(eval(($6 + 13) % 16)) (DATA), T1 roll `$'1, T1 movl T1, OFFSET(eval($6 % 16)) (DATA) movl $4, T2 andl $3, T2 addl T1, $5 addl KVALUE, $5 movl $4, T1 xorl $3, T1 andl $2, T1 addl T2, $5 roll `$'30, $2 movl $1, T2 roll `$'5, T2 addl T1, $5 addl T2, $5 ') .file "sha1-compress.asm" C nettle_sha1_compress(uint32_t *state, uint8_t *input) .text ALIGN(16) PROLOGUE(nettle_sha1_compress) C save all registers that need to be saved W64_ENTRY(2, 0) sub $64, %rsp C %rsp = W C Load and byteswap data SWAP( 0, SA) SWAP( 1, SB) SWAP( 2, SC) SWAP( 3, SD) SWAP( 4, SA) SWAP( 5, SB) SWAP( 6, SC) SWAP( 7, SD) SWAP( 8, SA) SWAP( 9, SB) SWAP(10, SC) SWAP(11, SD) SWAP(12, SA) SWAP(13, SB) SWAP(14, SC) SWAP(15, SD) C Load the state vector movl (STATE), SA movl 4(STATE), SB movl 8(STATE), SC movl 12(STATE), SD movl 16(STATE), SE movl K1VALUE, KVALUE ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 0) ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 1) ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 2) ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 3) ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 4) ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 5) ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 6) ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 7) ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 8) ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 9) ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 10) ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 11) ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 12) ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 13) ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 14) ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 15) ROUND_F1(SE, SA, SB, SC, SD, 16) ROUND_F1(SD, SE, SA, SB, SC, 17) ROUND_F1(SC, SD, SE, SA, SB, 18) ROUND_F1(SB, SC, SD, SE, SA, 19) movl K2VALUE, KVALUE ROUND_F2(SA, SB, SC, SD, SE, 20) ROUND_F2(SE, SA, SB, SC, SD, 21) ROUND_F2(SD, SE, SA, SB, SC, 22) ROUND_F2(SC, SD, SE, SA, SB, 23) ROUND_F2(SB, SC, SD, SE, SA, 24) ROUND_F2(SA, SB, SC, SD, SE, 25) ROUND_F2(SE, SA, SB, SC, SD, 26) ROUND_F2(SD, SE, SA, SB, SC, 27) ROUND_F2(SC, SD, SE, SA, SB, 28) ROUND_F2(SB, SC, SD, SE, SA, 29) ROUND_F2(SA, SB, SC, SD, SE, 30) ROUND_F2(SE, SA, SB, SC, SD, 31) ROUND_F2(SD, SE, SA, SB, SC, 32) ROUND_F2(SC, SD, SE, SA, SB, 33) ROUND_F2(SB, SC, SD, SE, SA, 34) ROUND_F2(SA, SB, SC, SD, SE, 35) ROUND_F2(SE, SA, SB, SC, SD, 36) ROUND_F2(SD, SE, SA, SB, SC, 37) ROUND_F2(SC, SD, SE, SA, SB, 38) ROUND_F2(SB, SC, SD, SE, SA, 39) movl K3VALUE, KVALUE ROUND_F3(SA, SB, SC, SD, SE, 40) ROUND_F3(SE, SA, SB, SC, SD, 41) ROUND_F3(SD, SE, SA, SB, SC, 42) ROUND_F3(SC, SD, SE, SA, SB, 43) ROUND_F3(SB, SC, SD, SE, SA, 44) ROUND_F3(SA, SB, SC, SD, SE, 45) ROUND_F3(SE, SA, SB, SC, SD, 46) ROUND_F3(SD, SE, SA, SB, SC, 47) ROUND_F3(SC, SD, SE, SA, SB, 48) ROUND_F3(SB, SC, SD, SE, SA, 49) ROUND_F3(SA, SB, SC, SD, SE, 50) ROUND_F3(SE, SA, SB, SC, SD, 51) ROUND_F3(SD, SE, SA, SB, SC, 52) ROUND_F3(SC, SD, SE, SA, SB, 53) ROUND_F3(SB, SC, SD, SE, SA, 54) ROUND_F3(SA, SB, SC, SD, SE, 55) ROUND_F3(SE, SA, SB, SC, SD, 56) ROUND_F3(SD, SE, SA, SB, SC, 57) ROUND_F3(SC, SD, SE, SA, SB, 58) ROUND_F3(SB, SC, SD, SE, SA, 59) movl K4VALUE, KVALUE ROUND_F2(SA, SB, SC, SD, SE, 60) ROUND_F2(SE, SA, SB, SC, SD, 61) ROUND_F2(SD, SE, SA, SB, SC, 62) ROUND_F2(SC, SD, SE, SA, SB, 63) ROUND_F2(SB, SC, SD, SE, SA, 64) ROUND_F2(SA, SB, SC, SD, SE, 65) ROUND_F2(SE, SA, SB, SC, SD, 66) ROUND_F2(SD, SE, SA, SB, SC, 67) ROUND_F2(SC, SD, SE, SA, SB, 68) ROUND_F2(SB, SC, SD, SE, SA, 69) ROUND_F2(SA, SB, SC, SD, SE, 70) ROUND_F2(SE, SA, SB, SC, SD, 71) ROUND_F2(SD, SE, SA, SB, SC, 72) ROUND_F2(SC, SD, SE, SA, SB, 73) ROUND_F2(SB, SC, SD, SE, SA, 74) ROUND_F2(SA, SB, SC, SD, SE, 75) ROUND_F2(SE, SA, SB, SC, SD, 76) ROUND_F2(SD, SE, SA, SB, SC, 77) ROUND_F2(SC, SD, SE, SA, SB, 78) ROUND_F2(SB, SC, SD, SE, SA, 79) C Update the state vector addl SA, (STATE) addl SB, 4(STATE) addl SC, 8(STATE) addl SD, 12(STATE) addl SE, 16(STATE) add $64, %rsp W64_EXIT(2, 0) ret EPILOGUE(nettle_sha1_compress) nettle-3.10/x86_64/aesni/0000755000175000017500000000000014633602172014015 5ustar nissenissenettle-3.10/x86_64/aesni/cbc-aes128-encrypt.asm0000644000175000017500000000474714633602172017745 0ustar nissenisseC x86_64/aesni/cbc-aes128-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`IV', `%rsi') define(`LENGTH',`%rdx') define(`DST', `%rcx') define(`SRC', `%r8') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`X', `%xmm11') define(`BLOCK', `%xmm12') .file "cbc-aes128-encrypt.asm" C nettle_cbc_aes128_encrypt(struct cbc_aes128_ctx *ctx, C uint8_t *iv, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_cbc_aes128_encrypt) W64_ENTRY(5, 13) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 112(CTX), KEY7 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups (IV), X .Lblock_loop: movups (SRC), BLOCK C Cleartext block pxor KEY0, X pxor BLOCK, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY7, X aesenc KEY8, X aesenc KEY9, X aesenclast KEY10, X movups X, (DST) add $16, SRC add $16, DST dec LENGTH jnz .Lblock_loop movups X, (IV) .Lend: W64_EXIT(5, 13) ret EPILOGUE(nettle_cbc_aes128_encrypt) nettle-3.10/x86_64/aesni/aes192-decrypt.asm0000644000175000017500000000602714633602172017200 0ustar nissenisseC x86_64/aesni/aes192-decrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`KEY11', `%xmm11') define(`KEY12', `%xmm12') define(`X', `%xmm13') define(`Y', `%xmm14') .file "aes192-decrypt.asm" C nettle_aes192_decrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes192_decrypt) W64_ENTRY(4, 15) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups 192(CTX), KEY0 movups 176(CTX), KEY1 movups 160(CTX), KEY2 movups 144(CTX), KEY3 movups 128(CTX), KEY4 movups 112(CTX), KEY5 movups 96(CTX), KEY6 movups 80(CTX), KEY7 movups 64(CTX), KEY8 movups 48(CTX), KEY9 movups 32(CTX), KEY10 movups 16(CTX), KEY11 movups (CTX), KEY12 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0, X aesdec KEY1, X aesdec KEY2, X aesdec KEY3, X aesdec KEY4, X aesdec KEY5, X aesdec KEY6, X aesdec KEY7, X aesdec KEY8, X aesdec KEY9, X aesdec KEY10, X aesdec KEY11, X aesdeclast KEY12, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0, X pxor KEY0, Y aesdec KEY1, X aesdec KEY1, Y aesdec KEY2, X aesdec KEY2, Y aesdec KEY3, X aesdec KEY3, Y aesdec KEY4, X aesdec KEY4, Y aesdec KEY5, X aesdec KEY5, Y aesdec KEY6, X aesdec KEY6, Y aesdec KEY7, X aesdec KEY7, Y aesdec KEY8, X aesdec KEY8, Y aesdec KEY9, X aesdec KEY9, Y aesdec KEY10, X aesdec KEY10, Y aesdec KEY11, X aesdec KEY11, Y aesdeclast KEY12, X aesdeclast KEY12, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 15) ret EPILOGUE(nettle_aes192_decrypt) nettle-3.10/x86_64/aesni/cbc-aes192-encrypt.asm0000644000175000017500000000515514633602172017740 0ustar nissenisseC x86_64/aesni/cbc-aes192-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`IV', `%rsi') define(`LENGTH',`%rdx') define(`DST', `%rcx') define(`SRC', `%r8') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`KEY11', `%xmm11') define(`KEY12', `%xmm12') define(`X', `%xmm13') define(`BLOCK', `%xmm14') .file "cbc-aes192-encrypt.asm" C nettle_cbc_aes192_encrypt(struct cbc_aes192_ctx *ctx, C uint8_t *iv, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_cbc_aes192_encrypt) W64_ENTRY(5, 15) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 112(CTX), KEY7 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups 176(CTX), KEY11 movups 192(CTX), KEY12 movups (IV), X .Lblock_loop: movups (SRC), BLOCK C Cleartext block pxor KEY0, X pxor BLOCK, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY7, X aesenc KEY8, X aesenc KEY9, X aesenc KEY10, X aesenc KEY11, X aesenclast KEY12, X movups X, (DST) add $16, SRC add $16, DST dec LENGTH jnz .Lblock_loop movups X, (IV) .Lend: W64_EXIT(5, 15) ret EPILOGUE(nettle_cbc_aes192_encrypt) nettle-3.10/x86_64/aesni/aes192-encrypt.asm0000644000175000017500000000602714633602172017212 0ustar nissenisseC x86_64/aesni/aes192-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`KEY11', `%xmm11') define(`KEY12', `%xmm12') define(`X', `%xmm13') define(`Y', `%xmm14') .file "aes192-encrypt.asm" C nettle_aes192_encrypt(const struct aes192_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes192_encrypt) W64_ENTRY(4, 15) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 112(CTX), KEY7 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups 176(CTX), KEY11 movups 192(CTX), KEY12 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY7, X aesenc KEY8, X aesenc KEY9, X aesenc KEY10, X aesenc KEY11, X aesenclast KEY12, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0, X pxor KEY0, Y aesenc KEY1, X aesenc KEY1, Y aesenc KEY2, X aesenc KEY2, Y aesenc KEY3, X aesenc KEY3, Y aesenc KEY4, X aesenc KEY4, Y aesenc KEY5, X aesenc KEY5, Y aesenc KEY6, X aesenc KEY6, Y aesenc KEY7, X aesenc KEY7, Y aesenc KEY8, X aesenc KEY8, Y aesenc KEY9, X aesenc KEY9, Y aesenc KEY10, X aesenc KEY10, Y aesenc KEY11, X aesenc KEY11, Y aesenclast KEY12, X aesenclast KEY12, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 15) ret EPILOGUE(nettle_aes192_encrypt) nettle-3.10/x86_64/aesni/aes256-encrypt.asm0000644000175000017500000000643714633602172017220 0ustar nissenisseC x86_64/aesni/aes256-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0_7', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY8', `%xmm7') define(`KEY9', `%xmm8') define(`KEY10', `%xmm9') define(`KEY11', `%xmm10') define(`KEY12', `%xmm11') define(`KEY13', `%xmm12') define(`KEY14', `%xmm13') define(`X', `%xmm14') define(`Y', `%xmm15') .file "aes256-encrypt.asm" C nettle_aes256_encrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes256_encrypt) W64_ENTRY(4, 16) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0_7 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups 176(CTX), KEY11 movups 192(CTX), KEY12 movups 208(CTX), KEY13 movups 224(CTX), KEY14 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0_7, X movups 112(CTX), KEY0_7 aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY0_7, X movups (CTX), KEY0_7 aesenc KEY8, X aesenc KEY9, X aesenc KEY10, X aesenc KEY11, X aesenc KEY12, X aesenc KEY13, X aesenclast KEY14, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0_7, X pxor KEY0_7, Y movups 112(CTX), KEY0_7 aesenc KEY1, X aesenc KEY1, Y aesenc KEY2, X aesenc KEY2, Y aesenc KEY3, X aesenc KEY3, Y aesenc KEY4, X aesenc KEY4, Y aesenc KEY5, X aesenc KEY5, Y aesenc KEY6, X aesenc KEY6, Y aesenc KEY0_7, X aesenc KEY0_7, Y movups (CTX), KEY0_7 aesenc KEY8, X aesenc KEY8, Y aesenc KEY9, X aesenc KEY9, Y aesenc KEY10, X aesenc KEY10, Y aesenc KEY11, X aesenc KEY11, Y aesenc KEY12, X aesenc KEY12, Y aesenc KEY13, X aesenc KEY13, Y aesenclast KEY14, X aesenclast KEY14, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 16) ret EPILOGUE(nettle_aes256_encrypt) nettle-3.10/x86_64/aesni/aes128-encrypt.asm0000644000175000017500000000551514633602172017212 0ustar nissenisseC x86_64/aesni/aes128-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`X', `%xmm11') define(`Y', `%xmm12') .file "aes128-encrypt.asm" C nettle_aes128_encrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes128_encrypt) W64_ENTRY(4, 13) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 112(CTX), KEY7 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY7, X aesenc KEY8, X aesenc KEY9, X aesenclast KEY10, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0, X pxor KEY0, Y aesenc KEY1, X aesenc KEY1, Y aesenc KEY2, X aesenc KEY2, Y aesenc KEY3, X aesenc KEY3, Y aesenc KEY4, X aesenc KEY4, Y aesenc KEY5, X aesenc KEY5, Y aesenc KEY6, X aesenc KEY6, Y aesenc KEY7, X aesenc KEY7, Y aesenc KEY8, X aesenc KEY8, Y aesenc KEY9, X aesenc KEY9, Y aesenclast KEY10, X aesenclast KEY10, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 13) ret EPILOGUE(nettle_aes128_encrypt) nettle-3.10/x86_64/aesni/aes128-decrypt.asm0000644000175000017500000000551514633602172017200 0ustar nissenisseC x86_64/aesni/aes128-decrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY7', `%xmm7') define(`KEY8', `%xmm8') define(`KEY9', `%xmm9') define(`KEY10', `%xmm10') define(`X', `%xmm11') define(`Y', `%xmm12') .file "aes128-decrypt.asm" C nettle_aes128_decrypt(const struct aes128_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes128_decrypt) W64_ENTRY(4, 13) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups 160(CTX), KEY0 movups 144(CTX), KEY1 movups 128(CTX), KEY2 movups 112(CTX), KEY3 movups 96(CTX), KEY4 movups 80(CTX), KEY5 movups 64(CTX), KEY6 movups 48(CTX), KEY7 movups 32(CTX), KEY8 movups 16(CTX), KEY9 movups (CTX), KEY10 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0, X aesdec KEY1, X aesdec KEY2, X aesdec KEY3, X aesdec KEY4, X aesdec KEY5, X aesdec KEY6, X aesdec KEY7, X aesdec KEY8, X aesdec KEY9, X aesdeclast KEY10, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0, X pxor KEY0, Y aesdec KEY1, X aesdec KEY1, Y aesdec KEY2, X aesdec KEY2, Y aesdec KEY3, X aesdec KEY3, Y aesdec KEY4, X aesdec KEY4, Y aesdec KEY5, X aesdec KEY5, Y aesdec KEY6, X aesdec KEY6, Y aesdec KEY7, X aesdec KEY7, Y aesdec KEY8, X aesdec KEY8, Y aesdec KEY9, X aesdec KEY9, Y aesdeclast KEY10, X aesdeclast KEY10, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 13) ret EPILOGUE(nettle_aes128_decrypt) nettle-3.10/x86_64/aesni/cbc-aes256-encrypt.asm0000644000175000017500000000537314633602172017743 0ustar nissenisseC x86_64/aesni/cbc-aes256-encrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`IV', `%rsi') define(`LENGTH',`%rdx') define(`DST', `%rcx') define(`SRC', `%r8') define(`KEY0_7', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY8', `%xmm7') define(`KEY9', `%xmm8') define(`KEY10', `%xmm9') define(`KEY11', `%xmm10') define(`KEY12', `%xmm11') define(`KEY13', `%xmm12') define(`KEY14', `%xmm13') define(`X', `%xmm14') define(`BLOCK', `%xmm15') .file "cbc-aes256-encrypt.asm" C nettle_cbc_aes256_encrypt(struct cbc_aes256_ctx *ctx, C uint8_t *iv, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_cbc_aes256_encrypt) W64_ENTRY(5, 16) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups (CTX), KEY0_7 movups 16(CTX), KEY1 movups 32(CTX), KEY2 movups 48(CTX), KEY3 movups 64(CTX), KEY4 movups 80(CTX), KEY5 movups 96(CTX), KEY6 movups 128(CTX), KEY8 movups 144(CTX), KEY9 movups 160(CTX), KEY10 movups 176(CTX), KEY11 movups 192(CTX), KEY12 movups 208(CTX), KEY13 movups 224(CTX), KEY14 movups (IV), X .Lblock_loop: movups (SRC), BLOCK C Cleartext block pxor KEY0_7, X movups 112(CTX), KEY0_7 pxor BLOCK, X aesenc KEY1, X aesenc KEY2, X aesenc KEY3, X aesenc KEY4, X aesenc KEY5, X aesenc KEY6, X aesenc KEY0_7, X movups (CTX), KEY0_7 aesenc KEY8, X aesenc KEY9, X aesenc KEY10, X aesenc KEY11, X aesenc KEY12, X aesenc KEY13, X aesenclast KEY14, X movups X, (DST) add $16, SRC add $16, DST dec LENGTH jnz .Lblock_loop movups X, (IV) .Lend: W64_EXIT(5, 16) ret EPILOGUE(nettle_cbc_aes256_encrypt) nettle-3.10/x86_64/aesni/aes256-decrypt.asm0000644000175000017500000000644614633602172017206 0ustar nissenisseC x86_64/aesni/aes256-decrypt.asm ifelse(` Copyright (C) 2015, 2018, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument define(`CTX', `%rdi') define(`LENGTH',`%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`KEY0_7', `%xmm0') define(`KEY1', `%xmm1') define(`KEY2', `%xmm2') define(`KEY3', `%xmm3') define(`KEY4', `%xmm4') define(`KEY5', `%xmm5') define(`KEY6', `%xmm6') define(`KEY8', `%xmm7') define(`KEY9', `%xmm8') define(`KEY10', `%xmm9') define(`KEY11', `%xmm10') define(`KEY12', `%xmm11') define(`KEY13', `%xmm12') define(`KEY14', `%xmm13') define(`X', `%xmm14') define(`Y', `%xmm15') .file "aes256-decrypt.asm" C nettle_aes256_decrypt(const struct aes256_ctx *ctx, C size_t length, uint8_t *dst, C const uint8_t *src); .text ALIGN(16) PROLOGUE(nettle_aes256_decrypt) W64_ENTRY(4, 16) shr $4, LENGTH test LENGTH, LENGTH jz .Lend movups 224(CTX), KEY0_7 movups 208(CTX), KEY1 movups 192(CTX), KEY2 movups 176(CTX), KEY3 movups 160(CTX), KEY4 movups 144(CTX), KEY5 movups 128(CTX), KEY6 movups 96(CTX), KEY8 movups 80(CTX), KEY9 movups 64(CTX), KEY10 movups 48(CTX), KEY11 movups 32(CTX), KEY12 movups 16(CTX), KEY13 movups (CTX), KEY14 shr LENGTH jnc .Lblock_loop movups (SRC), X pxor KEY0_7, X movups 112(CTX), KEY0_7 aesdec KEY1, X aesdec KEY2, X aesdec KEY3, X aesdec KEY4, X aesdec KEY5, X aesdec KEY6, X aesdec KEY0_7, X movups 224(CTX), KEY0_7 aesdec KEY8, X aesdec KEY9, X aesdec KEY10, X aesdec KEY11, X aesdec KEY12, X aesdec KEY13, X aesdeclast KEY14, X movups X, (DST) add $16, SRC add $16, DST test LENGTH, LENGTH jz .Lend .Lblock_loop: movups (SRC), X movups 16(SRC), Y pxor KEY0_7, X pxor KEY0_7, Y movups 112(CTX), KEY0_7 aesdec KEY1, X aesdec KEY1, Y aesdec KEY2, X aesdec KEY2, Y aesdec KEY3, X aesdec KEY3, Y aesdec KEY4, X aesdec KEY4, Y aesdec KEY5, X aesdec KEY5, Y aesdec KEY6, X aesdec KEY6, Y aesdec KEY0_7, X aesdec KEY0_7, Y movups 224(CTX), KEY0_7 aesdec KEY8, X aesdec KEY8, Y aesdec KEY9, X aesdec KEY9, Y aesdec KEY10, X aesdec KEY10, Y aesdec KEY11, X aesdec KEY11, Y aesdec KEY12, X aesdec KEY12, Y aesdec KEY13, X aesdec KEY13, Y aesdeclast KEY14, X aesdeclast KEY14, Y movups X, (DST) movups Y, 16(DST) add $32, SRC add $32, DST dec LENGTH jnz .Lblock_loop .Lend: W64_EXIT(4, 16) ret EPILOGUE(nettle_aes256_decrypt) nettle-3.10/x86_64/serpent.m40000644000175000017500000000462014633602172014642 0ustar nissenisseC x86_64/serpent.m4 ifelse(` Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C WROL(count, w) define(`WROL', ` movdqa $2, T0 pslld `$'$1, $2 psrld `$'eval(32 - $1), T0 por T0, $2 ') C Note: Diagrams use little-endian representation, with least C significant word to the left. C Transpose values from: C +----+----+----+----+ C x0: | a0 | a1 | a2 | a3 | C x1: | b0 | b1 | b2 | b3 | C x2: | c0 | c1 | c2 | c3 | C x3: | d0 | d1 | d2 | d3 | C +----+----+----+----+ C To: C +----+----+----+----+ C x0: | a0 | b0 | c0 | d0 | C x1: | a1 | b1 | c1 | d1 | C x2: | a2 | b2 | c2 | d2 | C x3: | a3 | b3 | c3 | d3 | C +----+----+----+----+ define(`WTRANSPOSE', ` movdqa $1, T0 punpcklqdq $3, T0 C |a0 a1 c0 c1| punpckhqdq $3, $1 C |a2 a3 c2 c3| pshufd `$'0xd8, T0, T0 C |a0 c0 a1 c1| pshufd `$'0xd8, $1, T1 C |a2 c2 a3 c3| movdqa $2, T2 punpcklqdq $4, T2 C |b0 b1 d0 11| punpckhqdq $4, $2 C |b2 b3 d2 d3| pshufd `$'0xd8, T2, T2 C |b0 d0 b1 d1| pshufd `$'0xd8, $2, T3 C |b2 d2 b3 d3| movdqa T0, $1 punpckldq T2, $1 C |a0 b0 c0 d0| movdqa T0, $2 punpckhdq T2, $2 C |a1 b1 c1 d1| movdqa T1, $3 punpckldq T3, $3 C |a2 b2 c2 d2| movdqa T1, $4 punpckhdq T3, $4 C |a3 b3 c3 d3| ') C FIXME: Arrange 16-byte alignment, so we can use movaps? define(`WKEYXOR', ` movups $1(CTX, CNT), T0 pshufd `$'0x55, T0, T1 pshufd `$'0xaa, T0, T2 pxor T1, $3 pxor T2, $4 pshufd `$'0xff, T0, T1 pshufd `$'0x00, T0, T0 pxor T1, $5 pxor T0, $2 ') nettle-3.10/x86_64/ecc-secp192r1-modp.asm0000644000175000017500000000367014633602172016544 0ustar nissenisseC x86_64/ecc-secp192r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp192r1-modp.asm" define(`RP', `%rsi') define(`XP', `%rdx') define(`T0', `%rdi') C Overlaps unused modulo input define(`T1', `%rcx') define(`T2', `%rax') define(`T3', `%r8') define(`H', `%r9') define(`C1', `%r10') define(`C2', `%r11') C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) .text ALIGN(16) PROLOGUE(_nettle_ecc_secp192r1_modp) W64_ENTRY(3, 0) mov 16(XP), T2 mov 24(XP), T3 mov 40(XP), H xor C1, C1 xor C2, C2 add H, T2 adc H, T3 C Carry to be added in at T1 and T2 setc LREG(C2) mov 8(XP), T1 mov 32(XP), H adc H, T1 adc H, T2 C Carry to be added in at T0 and T1 setc LREG(C1) mov (XP), T0 adc T3, T0 adc T3, T1 adc $0, C2 C Add in C1 and C2 add C1, T1 adc C2, T2 setc LREG(C1) C Fold final carry. adc $0, T0 adc C1, T1 adc $0, T2 mov T0, (RP) mov T1, 8(RP) mov T2, 16(RP) W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp192r1_modp) nettle-3.10/x86_64/memxor3.asm0000644000175000017500000001157214633602172015020 0ustar nissenisseC x86_64/memxor3.asm ifelse(` Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`DST', `%rax') C Originally in %rdi define(`AP', `%rsi') define(`BP', `%rdx') define(`N', `%r10') define(`TMP', `%r8') define(`TMP2', `%r9') define(`CNT', `%rdi') define(`S0', `%r11') define(`S1', `%rdi') C Overlaps with CNT define(`USE_SSE2', `no') .file "memxor3.asm" .text C memxor3(void *dst, const void *a, const void *b, size_t n) C %rdi %rsi %rdx %rcx ALIGN(16) PROLOGUE(nettle_memxor3) W64_ENTRY(4, 0) C %cl needed for shift count, so move away N mov %rcx, N .Lmemxor3_entry: test N, N C Get number of unaligned bytes at the end C %rdi is used as CNT, %rax as DST and as return value mov %rdi, %rax jz .Ldone add N, CNT and $7, CNT jz .Laligned cmp $8, N jc .Lfinal_next C FIXME: Instead of this loop, could try cmov with memory C destination, as a sequence of one 8-bit, one 16-bit and one C 32-bit operations. (Except that cmov can't do 8-bit ops, so C that step has to use a conditional). .Lalign_loop: sub $1, N movb (AP, N), LREG(TMP) xorb (BP, N), LREG(TMP) movb LREG(TMP), (DST, N) sub $1, CNT jnz .Lalign_loop .Laligned: ifelse(USE_SSE2, yes, ` cmp $16, N jnc .Lsse2_case ') C Check for the case that AP and BP have the same alignment, C but different from DST. mov AP, TMP sub BP, TMP test $7, TMP jnz .Lno_shift_case mov AP, %rcx sub DST, %rcx and $7, %rcx jz .Lno_shift_case sub %rcx, AP sub %rcx, BP shl $3, %rcx C Unrolling, with aligned values alternating in S0 and S1 test $8, N jnz .Lshift_odd mov (AP, N), S1 xor (BP, N), S1 jmp .Lshift_next .Lshift_odd: mov -8(AP, N), S1 mov (AP, N), S0 xor -8(BP, N), S1 xor (BP, N), S0 mov S1, TMP shr %cl, TMP neg %cl shl %cl, S0 neg %cl or S0, TMP mov TMP, -8(DST, N) sub $8, N jz .Ldone jmp .Lshift_next ALIGN(16) .Lshift_loop: mov 8(AP, N), S0 xor 8(BP, N), S0 mov S0, TMP shr %cl, TMP neg %cl shl %cl, S1 neg %cl or S1, TMP mov TMP, 8(DST, N) mov (AP, N), S1 xor (BP, N), S1 mov S1, TMP shr %cl, TMP neg %cl shl %cl, S0 neg %cl or S0, TMP mov TMP, (DST, N) .Lshift_next: sub $16, N C FIXME: Handle the case N == 16 specially, C like in the non-shifted case? C ja .Lshift_loop C jz .Ldone jnc .Lshift_loop add $15, N jnc .Ldone shr $3, %rcx add %rcx, AP add %rcx, BP jmp .Lfinal_loop .Lno_shift_case: C Next destination word is -8(DST, N) C Setup for unrolling test $8, N jz .Lword_next sub $8, N jz .Lone_word mov (AP, N), TMP xor (BP, N), TMP mov TMP, (DST, N) jmp .Lword_next ALIGN(16) .Lword_loop: mov 8(AP, N), TMP mov (AP, N), TMP2 xor 8(BP, N), TMP xor (BP, N), TMP2 mov TMP, 8(DST, N) mov TMP2, (DST, N) .Lword_next: sub $16, N ja .Lword_loop C Not zero and no carry jnz .Lfinal C Final operation is word aligned mov 8(AP, N), TMP xor 8(BP, N), TMP mov TMP, 8(DST, N) .Lone_word: mov (AP, N), TMP xor (BP, N), TMP mov TMP, (DST, N) C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret .Lfinal: add $15, N .Lfinal_loop: movb (AP, N), LREG(TMP) xorb (BP, N), LREG(TMP) movb LREG(TMP), (DST, N) .Lfinal_next: sub $1, N jnc .Lfinal_loop .Ldone: C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret ifelse(USE_SSE2, yes, ` .Lsse2_case: lea (DST, N), TMP test $8, TMP jz .Lsse2_next sub $8, N mov (AP, N), TMP xor (BP, N), TMP mov TMP, (DST, N) jmp .Lsse2_next ALIGN(16) .Lsse2_loop: movdqu (AP, N), %xmm0 movdqu (BP, N), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST, N) .Lsse2_next: sub $16, N ja .Lsse2_loop C FIXME: See if we can do a full word first, before the C byte-wise final loop. jnz .Lfinal C Final operation is aligned movdqu (AP), %xmm0 movdqu (BP), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST) C ENTRY might have been 3 args, too, but it doesn't matter for the exit W64_EXIT(4, 0) ret ') EPILOGUE(nettle_memxor3) nettle-3.10/x86_64/umac-nh-n.asm0000644000175000017500000001253714633602172015213 0ustar nissenisseC x86_64/umac-nh-n.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`OUT', `%rdi') define(`ITERS', `%rsi') define(`KEY', `%rdx') define(`LENGTH', `%rcx') define(`MSG', `%r8') define(`XM0', `%xmm0') define(`XM1', `%xmm1') define(`XM2', `%xmm2') define(`XM3', `%xmm3') define(`XK0', `%xmm4') define(`XK1', `%xmm5') define(`XK2', `%xmm6') define(`XK3', `%xmm7') define(`XT0', `%xmm8') define(`XT1', `%xmm9') define(`XT2', `%xmm10') define(`XT3', `%xmm11') define(`XY0', `%xmm12') define(`XY1', `%xmm13') C Copy [0,1,2,3] to [1,1,3,3] define(`HI2LO', `pshufd `$'0xf5,') C FIXME: Would be nice if we could force the key array to be 16-byte C aligned. .file "umac-nh-n.asm" C umac_nh_n(uint64_t *out, unsigned n, const uint32_t *key, C unsigned length, const uint8_t *msg) .text ALIGN(16) PROLOGUE(_nettle_umac_nh_n) W64_ENTRY(5, 14) pxor XY0, XY0 cmp $3, ITERS jc .Lnh2 je .Lnh3 .Lnh4: movups (KEY), XK0 movups 16(KEY), XT2 movups 32(KEY), XK2 lea 48(KEY), KEY C Leave XK2 untouched, and put permuted keys in XK0, XK1, XT2, XT3 movaps XK0, XT0 movaps XK0, XK1 punpcklqdq XT2, XK0 C [0,1,4,5] punpckhqdq XT2, XK1 C [2,3,6,7] movaps XT2, XT3 punpcklqdq XK2, XT2 C [4,5, 8, 9] punpckhqdq XK2, XT3 C [6,7,10,11] movaps XY0, XY1 .Loop4: movups (MSG), XT0 movups 16(MSG), XT1 pshufd $0xee, XT1, XM3 C [6,7,6,7] pshufd $0x44, XT1, XM2 C [4,5,4,5] pshufd $0xee, XT0, XM1 C [2,3,2,3] pshufd $0x44, XT0, XM0 C [0,1,0,1] paddd XM0, XK0 paddd XM1, XK1 paddd XM2, XT2 paddd XM3, XT3 HI2LO XK0, XT0 HI2LO XT2, XT1 pmuludq XK0, XT2 pmuludq XT0, XT1 paddq XT2, XY0 paddq XT1, XY0 HI2LO XK1, XT0 HI2LO XT3, XT1 pmuludq XK1, XT3 pmuludq XT0, XT1 paddq XT3, XY0 paddq XT1, XY0 movaps XK2, XK0 movaps XK2, XK1 movups (KEY), XT2 movups 16(KEY), XK2 punpcklqdq XT2, XK0 C [ 8, 9,12,13] punpckhqdq XT2, XK1 C [10,11,14,15] movaps XT2, XT3 punpcklqdq XK2, XT2 C [12,13,16,17] punpckhqdq XK2, XT3 C [14,15,18,19] paddd XK0, XM0 paddd XK1, XM1 paddd XT2, XM2 paddd XT3, XM3 HI2LO XM0, XT0 HI2LO XM2, XT1 pmuludq XM0, XM2 pmuludq XT0, XT1 paddq XM2, XY1 paddq XT1, XY1 HI2LO XM1, XT0 HI2LO XM3, XT1 pmuludq XM1, XM3 pmuludq XT0, XT1 paddq XM3, XY1 paddq XT1, XY1 subl $32, XREG(LENGTH) lea 32(MSG), MSG lea 32(KEY), KEY ja .Loop4 movups XY0, (OUT) movups XY1, 16(OUT) W64_EXIT(5, 14) ret .Lnh3: movups (KEY), XK0 movups 16(KEY), XK1 movaps XY0, XY1 .Loop3: lea 32(KEY), KEY movups (MSG), XT0 movups 16(MSG), XT1 movups (KEY), XK2 movups 16(KEY), XK3 pshufd $0xee, XT1, XM3 C [6,7,6,7] pshufd $0x44, XT1, XM2 C [4,5,4,5] pshufd $0xee, XT0, XM1 C [2,3,2,3] pshufd $0x44, XT0, XM0 C [0,1,0,1] C Iteration 2 paddd XK2, XT0 paddd XK3, XT1 HI2LO XT0, XT2 HI2LO XT1, XT3 pmuludq XT0, XT1 pmuludq XT2, XT3 paddq XT1, XY1 paddq XT3, XY1 C Iteration 0,1 movaps XK0, XT0 punpcklqdq XK1, XK0 C [0,1,4,5] punpckhqdq XK1, XT0 C [2,3,6,7] paddd XK0, XM0 paddd XT0, XM1 movaps XK2, XK0 movaps XK1, XT0 punpcklqdq XK2, XK1 C [4,5,8,9] punpckhqdq XK2, XT0 C [6,7,10,11] paddd XK1, XM2 paddd XT0, XM3 HI2LO XM0, XT0 HI2LO XM2, XT1 pmuludq XM0, XM2 pmuludq XT0, XT1 paddq XM2, XY0 paddq XT1, XY0 HI2LO XM1, XT0 HI2LO XM3, XT1 pmuludq XM1, XM3 pmuludq XT0, XT1 paddq XM3, XY0 paddq XT1, XY0 subl $32, XREG(LENGTH) lea 32(MSG), MSG movaps XK2, XK0 movaps XK3, XK1 ja .Loop3 pshufd $0xe, XY1, XT0 paddq XT0, XY1 movups XY0, (OUT) movlpd XY1, 16(OUT) W64_EXIT(5, 14) ret .Lnh2: C Explode message as [0,1,0,1] [2,3,2,3] [4,5,4,5] [6,7, 6, 7] C Interleave keys as [0,1,4,5] [2,3,6,7] [4,5,8,9] [7,8,10,11] movups (KEY), XK0 lea 16(KEY), KEY .Loop2: movups (MSG), XM0 movups 16(MSG), XM1 pshufd $0xee, XM1, XM3 C [6,7,6,7] pshufd $0x44, XM1, XM2 C [4,5,4,5] pshufd $0xee, XM0, XM1 C [2,3,2,3] pshufd $0x44, XM0, XM0 C [0,1,0,1] movups (KEY), XK1 movups 16(KEY), XK2 movaps XK0, XT0 punpcklqdq XK1, XK0 C [0,1,4,5] punpckhqdq XK1, XT0 C [2,3,6,7] paddd XK0, XM0 paddd XT0, XM1 movaps XK2, XK0 movaps XK1, XT0 punpcklqdq XK2, XK1 C [4,5,8,9] punpckhqdq XK2, XT0 C [6,7,10,11] paddd XK1, XM2 paddd XT0, XM3 HI2LO XM0, XT0 HI2LO XM2, XT1 pmuludq XM0, XM2 pmuludq XT0, XT1 paddq XM2, XY0 paddq XT1, XY0 HI2LO XM1, XT0 HI2LO XM3, XT1 pmuludq XM1, XM3 pmuludq XT0, XT1 paddq XM3, XY0 paddq XT1, XY0 subl $32, XREG(LENGTH) lea 32(MSG), MSG lea 32(KEY), KEY ja .Loop2 movups XY0, (OUT) .Lend: W64_EXIT(5, 14) ret EPILOGUE(_nettle_umac_nh_n) nettle-3.10/x86_64/sha3-permute.asm0000644000175000017500000002465014633602172015744 0ustar nissenisseC x86_64/sha3-permute.asm ifelse(` Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`CTX', `%rdi') C 25 64-bit values, 200 bytes. define(`COUNT', `%r8') C Avoid clobbering %rsi, for W64. define(`A00', `%rax') define(`A0102', `%xmm0') define(`A0304', `%xmm1') define(`A05', `%rcx') define(`A0607', `%xmm2') define(`A0809', `%xmm3') define(`A10', `%rdx') define(`A1112', `%xmm4') define(`A1314', `%xmm5') define(`A15', `%rbp') define(`A1617', `%xmm6') define(`A1819', `%xmm7') define(`A20', `%r9') define(`A2122', `%xmm8') define(`A2324', `%xmm9') define(`C0', `%r10') define(`C12', `%xmm10') define(`C34', `%xmm11') define(`D0', `%r11') define(`D12', `%xmm12') define(`D34', `%xmm13') C Wide temporaries define(`W0', `%xmm14') define(`W1', `%xmm15') define(`W2', `%xmm12') C Overlap D12 define(`W3', `%xmm13') C Overlap D34 define(`T0', `%r12') define(`T1', `%r13') define(`T2', `%r11') C Overlap D0 define(`T3', `%r10') C Overlap C0 define(`RC', `%r14') define(`OFFSET', `ifelse($1,0,,eval(8*$1))') define(`STATE', `OFFSET($1)(CTX)') define(`SWAP64', `pshufd `$'0x4e,') define(`DIRECT_MOVQ', `no') C MOVQ(src, dst), for moves between a general register and an xmm C register. ifelse(DIRECT_MOVQ, yes, ` C movq calls that are equal to the corresponding movd, C where the Apple assembler requires them to be written as movd. define(`MOVQ', `movd $1, $2') ', ` C Moving via (cached) memory is generally faster. define(`MOVQ', ` movq $1, (CTX) movq (CTX), $2 ')') C ROTL64(rot, register, temp) C Caller needs to or together the result. define(`ROTL64', ` movdqa $2, $3 psllq `$'$1, $2 psrlq `$'eval(64-$1), $3 ') .file "sha3-permute.asm" C sha3_permute(struct sha3_state *ctx) .text ALIGN(16) PROLOGUE(nettle_sha3_permute) W64_ENTRY(1, 16) push %rbp push %r12 push %r13 push %r14 movl $24, XREG(COUNT) lea .rc-8(%rip), RC movq STATE(0), A00 movups STATE(1), A0102 movups STATE(3), A0304 movq A00, C0 movq STATE(5), A05 movdqa A0102, C12 movups STATE(6), A0607 movdqa A0304, C34 movups STATE(8), A0809 xorq A05, C0 movq STATE(10), A10 pxor A0607, C12 movups STATE(11), A1112 pxor A0809, C34 movups STATE(13), A1314 xorq A10, C0 movq STATE(15), A15 pxor A1112, C12 movups STATE(16), A1617 pxor A1314, C34 movups STATE(18), A1819 xorq A15, C0 movq STATE(20), A20 pxor A1617, C12 movups STATE(21), A2122 pxor A1819, C34 movups STATE(23), A2324 xorq A20, C0 pxor A2122, C12 pxor A2324, C34 ALIGN(16) .Loop: C The theta step. Combine parity bits, then xor to state. C D0 = C4 ^ (C1 <<< 1) C D1 = C0 ^ (C2 <<< 1) C D2 = C1 ^ (C3 <<< 1) C D3 = C2 ^ (C4 <<< 1) C D4 = C3 ^ (C0 <<< 1) C Shift the words around, putting (C0, C1) in D12, (C2, C3) in C D34, and (C4, C0) in C34. C Notes on "unpack" instructions: C punpckhqdq 01, 23 gives 31 C punpcklqdq 01, 23 gives 20 SWAP64 C34, C34 C Holds C4, C3 movdqa C12, D34 MOVQ(C0, D12) punpcklqdq C12, D12 C Holds C0, C1 punpckhqdq C34, D34 C Holds C2, C3 punpcklqdq D12, C34 C Holds C4, C0 MOVQ(C34, D0) MOVQ(C12, T0) rolq $1, T0 xorq T0, D0 C Can use C12 as temporary movdqa D34, W0 movdqa D34, W1 psllq $1, W0 psrlq $63, W1 pxor W0, D12 pxor W1, D12 C Done D12 movdqa C34, C12 psrlq $63, C34 psllq $1, C12 pxor C34, D34 pxor C12, D34 C Done D34 xorq D0, A00 xorq D0, A05 xorq D0, A10 xorq D0, A15 xorq D0, A20 pxor D12, A0102 pxor D12, A0607 pxor D12, A1112 pxor D12, A1617 pxor D12, A2122 pxor D34, A0304 pxor D34, A0809 pxor D34, A1314 pxor D34, A1819 pxor D34, A2324 C theta step done, no C, D or W temporaries alive. C rho and pi steps. When doing the permutations, also C transpose the matrix. C The combined permutation + transpose gives the following C cycles (rotation counts in parenthesis) C 0 <- 0(0) C 1 <- 3(28) <- 4(27) <- 2(62) <- 1(1) C 5 <- 6(44) <- 9(20) <- 8(55) <- 5(36) C 7 <- 7(6) C 10 <- 12(43) <- 13(25) <- 11(10) <- 10(3) C 14 <- 14(39) C 15 <- 18(21) <- 17(15) <- 19(8) <- 15(41) C 16 <- 16(45) C 20 <- 24(14) <- 21(2) <- 22(61) <- 20(18) C 23 <- 23(56) C Do the 1,2,3,4 row. First rotate, then permute. movdqa A0102, W0 movdqa A0102, W1 movdqa A0102, W2 psllq $1, A0102 psrlq $63, W0 psllq $62, W1 por A0102, W0 C rotl 1 (A01) psrlq $2, W2 por W1, W2 C rotl 62 (A02) movdqa A0304, A0102 movdqa A0304, W1 psllq $28, A0102 psrlq $36, W1 por W1, A0102 C rotl 28 (A03) movdqa A0304, W1 psllq $27, A0304 psrlq $37, W1 por W1, A0304 C rotl 27 (A04) punpcklqdq W0, A0102 punpckhqdq W2, A0304 C 5 <- 6(44) <- 9(20) <- 8(55) <- 5(36) C 7 <- 7(6) C __ _______ C _ L' ` L_ __` C |5| |6|7| |8|9| C `-_________-^`-^ rolq $36, A05 MOVQ(A05, W0) MOVQ(A0607, A05) rolq $44, A05 C Done A05 ROTL64(6, A0607, W1) por A0607, W1 movdqa A0809, A0607 ROTL64(20, A0607, W2) por W2, A0607 punpckhqdq W1, A0607 C Done A0607 ROTL64(55, A0809, W1) por A0809, W1 movdqa W0, A0809 punpcklqdq W1, A0809 C Done 0809 C 10 <- 12(43) <- 13(25) <- 11(10) <- 10(3) C 14 <- 14(39) C _____ ___ C __L' __`_L_ `_____ C |10| |11|12| |13|14| C `-___-^`-______-^ C rolq $42, A10 C 42 + 25 = 3 (mod 64) SWAP64 A1112, W0 MOVQ(A10, A1112) MOVQ(W0, A10) rolq $43, A10 C Done A10 punpcklqdq A1314, A1112 ROTL64(25, A1112, W1) por W1, A1112 C Done A1112 ROTL64(39, A1314, W2) por A1314, W2 ROTL64(10, W0, A1314) por W0, A1314 punpckhqdq W2, A1314 C Done A1314 C 15 <- 18(21) <- 17(15) <- 19(8) <- 15(41) C 16 <- 16(45) C _____________ C / _______ C _L' ____L' | `_ C |15| |16|17| |18|19| C \ `_____-^ ^ C \_________________/ SWAP64 A1819, W0 rolq $41, A15 MOVQ(A15, W1) MOVQ(A1819, A15) rolq $21, A15 C Done A15 SWAP64 A1617, A1819 ROTL64(45, A1617, W2) por W2, A1617 ROTL64(8, W0, W3) por W3, W0 punpcklqdq W0, A1617 C Done A1617 ROTL64(15, A1819, W2) por W2, A1819 punpcklqdq W1, A1819 C Done A1819 C 20 <- 24(14) <- 21(2) <- 22(61) <- 20(18) C 23 <- 23(56) C _______________ C / \ C _L' _L'\_ ___`_ C |20| |21|22| |23|24| C \ `__ ^________-^ C \_______/ rolq $18, A20 MOVQ(A20, W0) SWAP64 A2324, W1 movd W1, A20 rolq $14, A20 C Done A20 ROTL64(56, A2324, W1) por W1, A2324 movdqa A2122, W2 ROTL64(2, W2, W1) por W1, W2 punpcklqdq W2, A2324 C Done A2324 ROTL64(61, A2122, W1) por W1, A2122 psrldq $8, A2122 punpcklqdq W0, A2122 C Done A2122 C chi step. With the transposed matrix, applied independently C to each column. movq A05, T0 notq T0 andq A10, T0 movq A10, T1 notq T1 andq A15, T1 movq A15, T2 notq T2 andq A20, T2 xorq T2, A10 movq A20, T3 notq T3 andq A00, T3 xorq T3, A15 movq A00, T2 notq T2 andq A05, T2 xorq T2, A20 xorq T0, A00 xorq T1, A05 movdqa A0607, W0 pandn A1112, W0 movdqa A1112, W1 pandn A1617, W1 movdqa A1617, W2 pandn A2122, W2 pxor W2, A1112 movdqa A2122, W3 pandn A0102, W3 pxor W3, A1617 movdqa A0102, W2 pandn A0607, W2 pxor W2, A2122 pxor W0, A0102 pxor W1, A0607 movdqa A0809, W0 pandn A1314, W0 movdqa A1314, W1 pandn A1819, W1 movdqa A1819, W2 pandn A2324, W2 pxor W2, A1314 movdqa A2324, W3 pandn A0304, W3 pxor W3, A1819 movdqa A0304, W2 pandn A0809, W2 pxor W2, A2324 pxor W0, A0304 pxor W1, A0809 xorq (RC, COUNT, 8), A00 C Transpose. C Swap (A05, A10) <-> A0102, and (A15, A20) <-> A0304, C and also copy to C12 and C34 while at it. MOVQ(A05, C12) MOVQ(A15, C34) MOVQ(A10, W0) MOVQ(A20, W1) movq A00, C0 punpcklqdq W0, C12 punpcklqdq W1, C34 MOVQ(A0102, A05) MOVQ(A0304, A15) psrldq $8, A0102 psrldq $8, A0304 xorq A05, C0 xorq A15, C0 MOVQ(A0102, A10) MOVQ(A0304, A20) movdqa C12, A0102 movdqa C34, A0304 C Transpose (A0607, A1112) movdqa A0607, W0 punpcklqdq A1112, A0607 xorq A10, C0 xorq A20, C0 punpckhqdq W0, A1112 SWAP64 A1112, A1112 C Transpose (A1819, A2324) movdqa A1819, W0 punpcklqdq A2324, A1819 pxor A0607, C12 pxor A1112, C12 punpckhqdq W0, A2324 SWAP64 A2324, A2324 C Transpose (A0809, A1314) and (A1617, A2122), and swap movdqa A0809, W0 movdqa A1314, W1 movdqa A1617, A0809 movdqa A2122, A1314 pxor A1819, C34 pxor A2324, C34 punpcklqdq A2122, A0809 punpckhqdq A1617, A1314 SWAP64 A1314, A1314 movdqa W0, A1617 movdqa W1, A2122 pxor A0809, C34 pxor A1314, C34 punpcklqdq W1, A1617 punpckhqdq W0, A2122 SWAP64 A2122, A2122 decl XREG(COUNT) pxor A1617, C12 pxor A2122, C12 jnz .Loop movq A00, STATE(0) movups A0102, STATE(1) movups A0304, STATE(3) movq A05, STATE(5) movups A0607, STATE(6) movups A0809, STATE(8) movq A10, STATE(10) movups A1112, STATE(11) movups A1314, STATE(13) movq A15, STATE(15) movups A1617, STATE(16) movups A1819, STATE(18) movq A20, STATE(20) movups A2122, STATE(21) movups A2324, STATE(23) pop %r14 pop %r13 pop %r12 pop %rbp W64_EXIT(1, 16) ret EPILOGUE(nettle_sha3_permute) ALIGN(16) .rc: C In reverse order .quad 0x8000000080008008 .quad 0x0000000080000001 .quad 0x8000000000008080 .quad 0x8000000080008081 .quad 0x800000008000000A .quad 0x000000000000800A .quad 0x8000000000000080 .quad 0x8000000000008002 .quad 0x8000000000008003 .quad 0x8000000000008089 .quad 0x800000000000008B .quad 0x000000008000808B .quad 0x000000008000000A .quad 0x0000000080008009 .quad 0x0000000000000088 .quad 0x000000000000008A .quad 0x8000000000008009 .quad 0x8000000080008081 .quad 0x0000000080000001 .quad 0x000000000000808B .quad 0x8000000080008000 .quad 0x800000000000808A .quad 0x0000000000008082 .quad 0x0000000000000001 nettle-3.10/x86_64/pclmul/0000755000175000017500000000000014633602172014212 5ustar nissenissenettle-3.10/x86_64/pclmul/ghash-set-key.asm0000644000175000017500000000542414633602172017372 0ustar nissenisseC x86_64/ghash-set-key.asm ifelse(` Copyright (C) 2022 Niels Möller Copyright (C) 2023 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Common registers define(`CTX', `%rdi') define(`KEY', `%rsi') define(`P', `%xmm0') define(`BSWAP', `%xmm1') define(`H', `%xmm2') define(`D', `%xmm3') define(`T', `%xmm4') define(`R', `%xmm5') define(`M', `%xmm6') define(`F', `%xmm7') define(`MASK', `%xmm7') C void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) PROLOGUE(_nettle_ghash_set_key) W64_ENTRY(2, 8) movdqa .Lpolynomial(%rip), P movdqa .Lbswap(%rip), BSWAP movups (KEY), H pshufb BSWAP, H C Multiply by x mod P, which is a left shift. movdqa H, T psllq $1, T psrlq $63, H C 127 --> 64, 63 --> 0 pshufd $0xaa, H, MASK C 64 --> (96, 64, 32, 0) pslldq $8, H C 0 --> 64 por T, H pxor T, T psubd MASK, T C All-ones if bit 127 was set pand P, T pxor T, H movups H, (CTX) C Set D = x^{-64} H = {H0, H1} + P1 H0 movdqa H, T pshufd $0x4e, H, D C Swap H0, H1 pclmullqhqdq P, T pxor T, D movups D, 16(CTX) movdqa H, M movdqa H, F movdqa H, T pclmulhqlqdq H, T C H0 * M1 pclmulhqhqdq H, M C H1 * M1 pclmullqlqdq D, F C D0 * M0 pclmullqhqdq D, H C D1 * M0 pxor T, F pxor M, H pshufd $0x4e, F, T C Swap halves of F pxor T, H pclmullqhqdq P, F pxor F, H movups H, 32(CTX) C Set D2 = x^{-64} H^2 = {H0, H1} + P1 H0 pshufd $0x4e, H, D C Swap H0, H1 pclmullqhqdq P, H pxor H, D movups D, 48(CTX) W64_EXIT(2, 8) ret EPILOGUE(_nettle_ghash_set_key) RODATA C The GCM polynomial is x^{128} + x^7 + x^2 + x + 1, C but in bit-reversed representation, that is C P = x^{128}+ x^{127} + x^{126} + x^{121} + 1 C We will mainly use the middle part, C P1 = (P + a + x^{128}) / x^64 = x^{563} + x^{62} + x^{57} ALIGN(16) .Lpolynomial: .byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xC2 .Lbswap: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 nettle-3.10/x86_64/pclmul/ghash-update.asm0000644000175000017500000001100414633602172017262 0ustar nissenisseC x86_64/ghash-update.asm ifelse(` Copyright (C) 2022 Niels Möller Copyright (C) 2023 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Common registers define(`CTX', `%rdi') define(`X', `%rsi') define(`BLOCKS', `%rdx') define(`DATA', `%rcx') define(`P', `%xmm0') define(`BSWAP', `%xmm1') define(`H', `%xmm2') define(`D', `%xmm3') define(`H2', `%xmm4') define(`D2', `%xmm5') define(`T', `%xmm6') define(`R', `%xmm7') define(`M', `%xmm8') define(`F', `%xmm9') define(`T2', `%xmm10') define(`R2', `%xmm11') define(`M2', `%xmm12') define(`F2', `%xmm13') C Use pclmulqdq, doing one 64x64 --> 127 bit carry-less multiplication, C with source operands being selected from the halves of two 128-bit registers. C Variants: C pclmullqlqdq low half of both src and destination C pclmulhqlqdq low half of src register, high half of dst register C pclmullqhqdq high half of src register, low half of dst register C pclmulhqhqdq high half of both src and destination C To do a single block, M0, M1, we need to compute C C R = M0 D1 + M1 H1 C F = M0 D0 + M1 H0 C C Corresponding to x^{-127} M H = R + x^{-64} F C C Split F as F = F1 + x^64 F0, then the final reduction is C C R + x^{-64} F = R + P1 F0 + x^{64} F0 + F1 C C In all, 5 pclmulqdq. If we we have enough registers to interleave two blocks, C final reduction is needed only once, so 9 pclmulqdq for two blocks, etc. C C We need one register each for D and H, one for P1, one each for accumulating F C and R. That uses 5 out of the 16 available xmm registers. If we interleave C blocks, we need additionan D ang H registers (for powers of the key) and the C additional message word, but we could perhaps interlave as many as 4, with two C registers left for temporaries. C const uint8_t *_ghash_update (const struct gcm_key *ctx, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) PROLOGUE(_nettle_ghash_update) W64_ENTRY(4, 14) movdqa .Lpolynomial(%rip), P movdqa .Lbswap(%rip), BSWAP movups (CTX), H movups 16(CTX), D movups 32(CTX), H2 movups 48(CTX), D2 movups (X), R pshufb BSWAP, R mov BLOCKS, %rax shr $1, %rax jz .L1_block .Loop: movups (DATA), M pshufb BSWAP, M pxor M, R movdqa R, M movdqa R, F movdqa R, T pclmullqlqdq D2, F C {D^2}0 * M1_0 pclmullqhqdq D2, R C {D^2}1 * M1_0 pclmulhqlqdq H2, T C {H^2}0 * M1_1 pclmulhqhqdq H2, M C {H^2}1 * M1_1 movups 16(DATA), M2 pshufb BSWAP, M2 movdqa M2, R2 movdqa M2, F2 movdqa M2, T2 pclmullqlqdq D, F2 C D0 * M2_0 pclmullqhqdq D, R2 C D1 * M2_0 pclmulhqlqdq H, T2 C H0 * M2_1 pclmulhqhqdq H, M2 C H1 * M2_1 pxor T, F pxor M, R pxor T2, F2 pxor M2, R2 pxor F2, F pxor R2, R pshufd $0x4e, F, T C Swap halves of F pxor T, R pclmullqhqdq P, F pxor F, R add $32, DATA dec %rax jnz .Loop .L1_block: test $1, BLOCKS jz .Ldone movups (DATA), M pshufb BSWAP, M pxor M, R movdqa R, M movdqa R, F movdqa R, T pclmullqlqdq D, F C D0 * M0 pclmullqhqdq D, R C D1 * M0 pclmulhqlqdq H, T C H0 * M1 pclmulhqhqdq H, M C H1 * M1 pxor T, F pxor M, R pshufd $0x4e, F, T C Swap halves of F pxor T, R pclmullqhqdq P, F pxor F, R add $16, DATA .Ldone: pshufb BSWAP, R movups R, (X) mov DATA, %rax W64_EXIT(4, 14) ret EPILOGUE(_nettle_ghash_update) RODATA C The GCM polynomial is x^{128} + x^7 + x^2 + x + 1, C but in bit-reversed representation, that is C P = x^{128}+ x^{127} + x^{126} + x^{121} + 1 C We will mainly use the middle part, C P1 = (P + a + x^{128}) / x^64 = x^{563} + x^{62} + x^{57} ALIGN(16) .Lpolynomial: .byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xC2 .Lbswap: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 nettle-3.10/x86_64/poly1305-blocks.asm0000644000175000017500000000515214633602172016172 0ustar nissenisseC x86_64/poly1305-blocks.asm ifelse(` Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "poly1305-blocks.asm" define(`CTX', `%rdi') C First argument to all functions define(`BLOCKS', `%rsi') define(`MP_PARAM', `%rdx') C Moved to MP, to not collide with mul instruction. define(`MP', `%r8') C May clobber, both with unix and windows conventions. define(`T0', `%rbx') define(`T1', `%rcx') define(`H0', `%rbp') define(`H1', `%r9') define(`H2', `%r10') define(`F0', `%r11') define(`F1', `%r12') C const uint8_t * C _nettle_poly1305_blocks (struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m) PROLOGUE(_nettle_poly1305_blocks) W64_ENTRY(3, 0) mov MP_PARAM, MP test BLOCKS, BLOCKS jz .Lend push %rbx push %rbp push %r12 mov P1305_H0 (CTX), H0 mov P1305_H1 (CTX), H1 mov P1305_H2 (CTX), H2 ALIGN(16) .Loop: mov (MP), T0 mov 8(MP), T1 add $16, MP add H0, T0 adc H1, T1 adc $1, H2 mov P1305_R1 (CTX), %rax mul T0 C R1*T0 mov %rax, F0 mov %rdx, F1 mov T0, %rax C Last use of T0 input mov P1305_R0 (CTX), T0 mul T0 C R0*T0 mov %rax, H0 mov %rdx, H1 mov T1, %rax mul T0 C R0*T1 add %rax, F0 adc %rdx, F1 mov P1305_S1 (CTX), T0 mov T1, %rax C Last use of T1 input mul T0 C S1*T1 add %rax, H0 adc %rdx, H1 mov H2, %rax mul T0 C S1*H2 add %rax, F0 adc %rdx, F1 mov H2, T0 and $3, H2 shr $2, T0 mov P1305_S0 (CTX), %rax mul T0 C S0*(H2 >> 2) add %rax, H0 adc %rdx, H1 imul P1305_R0 (CTX), H2 C R0*(H2 & 3) add F0, H1 adc F1, H2 dec BLOCKS jnz .Loop mov H0, P1305_H0 (CTX) mov H1, P1305_H1 (CTX) mov H2, P1305_H2 (CTX) pop %r12 pop %rbp pop %rbx .Lend: mov MP, %rax W64_EXIT(3, 0) ret EPILOGUE(_nettle_poly1305_blocks) nettle-3.10/x86_64/salsa20-core-internal.asm0000644000175000017500000000507414633602172017433 0ustar nissenisseC x86_64/salsa20-core-internal.asm ifelse(` Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`DST', `%rdi') define(`SRC', `%rsi') define(`COUNT', `%rdx') define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`T0', `%xmm4') define(`T1', `%xmm5') define(`M0101', `%xmm6') define(`M0110', `%xmm7') define(`M0011', `%xmm8') include_src(`x86_64/salsa20.m4') C _salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text ALIGN(16) PROLOGUE(_nettle_salsa20_core) W64_ENTRY(3, 9) C Load mask registers mov $-1, %eax movd %eax, M0101 pshufd $0x09, M0101, M0011 C 01 01 00 00 pshufd $0x41, M0101, M0110 C 01 00 00 01 pshufd $0x22, M0101, M0101 C 01 00 01 00 movups (SRC), X0 movups 16(SRC), X1 movups 32(SRC), X2 movups 48(SRC), X3 C The original rows are now diagonals. SWAP(X0, X1, M0101) SWAP(X2, X3, M0101) SWAP(X1, X3, M0110) SWAP(X0, X2, M0011) shrl $1, XREG(COUNT) ALIGN(16) .Loop: QROUND(X0, X1, X2, X3) pshufd $0x93, X1, X1 C 11 00 01 10 (least sign. left) pshufd $0x4e, X2, X2 C 10 11 00 01 pshufd $0x39, X3, X3 C 01 10 11 00 QROUND(X0, X3, X2, X1) C Inverse rotation of the rows pshufd $0x39, X1, X1 C 01 10 11 00 pshufd $0x4e, X2, X2 C 10 11 00 01 pshufd $0x93, X3, X3 C 11 00 01 10 decl XREG(COUNT) jnz .Loop SWAP(X0, X2, M0011) SWAP(X1, X3, M0110) SWAP(X0, X1, M0101) SWAP(X2, X3, M0101) movups (SRC), T0 movups 16(SRC), T1 paddd T0, X0 paddd T1, X1 movups X0,(DST) movups X1,16(DST) movups 32(SRC), T0 movups 48(SRC), T1 paddd T0, X2 paddd T1, X3 movups X2,32(DST) movups X3,48(DST) W64_EXIT(3, 9) ret EPILOGUE(_nettle_salsa20_core) nettle-3.10/x86_64/fat/0000755000175000017500000000000014633602172013470 5ustar nissenissenettle-3.10/x86_64/fat/cbc-aes192-encrypt-2.asm0000644000175000017500000000226014633602172017544 0ustar nissenisseC x86_64/fat/cbc_aes192-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_cbc_aes192_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/cbc-aes192-encrypt.asm') nettle-3.10/x86_64/fat/cbc-aes128-encrypt-2.asm0000644000175000017500000000226014633602172017543 0ustar nissenisseC x86_64/fat/cbc-aes128-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_cbc_aes128_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/cbc-aes128-encrypt.asm') nettle-3.10/x86_64/fat/sha256-compress-n-2.asm0000644000175000017500000000216114633602172017425 0ustar nissenisseC x86_64/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_sha_ni') include_src(`x86_64/sha_ni/sha256-compress-n.asm') nettle-3.10/x86_64/fat/cbc-aes256-encrypt-2.asm0000644000175000017500000000226014633602172017545 0ustar nissenisseC x86_64/fat/cbc_aes256-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_cbc_aes256_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/cbc-aes256-encrypt.asm') nettle-3.10/x86_64/fat/ghash-update.asm0000644000175000017500000000223414633602172016545 0ustar nissenisseC x86_64/fat/ghash-update.asm ifelse(` Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_table') include_src(`x86_64/ghash-update.asm') nettle-3.10/x86_64/fat/cpuid.asm0000644000175000017500000000265514633602172015306 0ustar nissenisseC x86_64/fat/cpuid.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Input argument C cpuid input: %edi C output pointer: %rsi .file "cpuid.asm" C void _nettle_cpuid(uint32_t in, uint32_t *out) .text ALIGN(16) PROLOGUE(_nettle_cpuid) W64_ENTRY(2, 0) push %rbx movl %edi, %eax xorl %ecx, %ecx C Information we need use ecx = 0 cpuid mov %eax, (%rsi) mov %ebx, 4(%rsi) mov %ecx, 8(%rsi) mov %edx, 12(%rsi) pop %rbx W64_EXIT(2, 0) ret EPILOGUE(_nettle_cpuid) nettle-3.10/x86_64/fat/ghash-set-key-2.asm0000644000175000017500000000225114633602172017002 0ustar nissenisseC x86_64/fat/ghash-set-key-2.asm ifelse(` Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_set_key) define(`fat_transform', `$1_pclmul') include_src(`x86_64/pclmul/ghash-set-key.asm') nettle-3.10/x86_64/fat/sha1-compress.asm0000644000175000017500000000214114633602172016655 0ustar nissenisseC x86_64/fat/sha1-compress.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `_$1_x86_64') include_src(`x86_64/sha1-compress.asm') nettle-3.10/x86_64/fat/aes192-decrypt-2.asm0000644000175000017500000000224414633602172017007 0ustar nissenisseC x86_64/fat/aes192-decrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_decrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes192-decrypt.asm') nettle-3.10/x86_64/fat/aes256-decrypt-2.asm0000644000175000017500000000224414633602172017010 0ustar nissenisseC x86_64/fat/aes256-decrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_decrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes256-decrypt.asm') nettle-3.10/x86_64/fat/aes192-encrypt-2.asm0000644000175000017500000000224414633602172017021 0ustar nissenisseC x86_64/fat/aes192-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes192_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes192-encrypt.asm') nettle-3.10/x86_64/fat/ghash-update-2.asm0000644000175000017500000000224614633602172016707 0ustar nissenisseC x86_64/fat/ghash-update-2.asm ifelse(` Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_pclmul') include_src(`x86_64/pclmul/ghash-update.asm') nettle-3.10/x86_64/fat/aes128-encrypt-2.asm0000644000175000017500000000224414633602172017020 0ustar nissenisseC x86_64/fat/aes128-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes128-encrypt.asm') nettle-3.10/x86_64/fat/aes128-decrypt-2.asm0000644000175000017500000000224414633602172017006 0ustar nissenisseC x86_64/fat/aes128-decrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes128_decrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes128-decrypt.asm') nettle-3.10/x86_64/fat/memxor-2.asm0000644000175000017500000000215614633602172015644 0ustar nissenisseC x86_64/fat/memxor-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `_$1_sse2') define(`USE_SSE2', `yes') include_src(`x86_64/memxor.asm') nettle-3.10/x86_64/fat/aes256-encrypt-2.asm0000644000175000017500000000224414633602172017022 0ustar nissenisseC x86_64/fat/aes256-encrypt.asm ifelse(` Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_aes256_encrypt) picked up by configure define(`fat_transform', `_$1_aesni') include_src(`x86_64/aesni/aes256-encrypt.asm') nettle-3.10/x86_64/fat/sha1-compress-2.asm0000644000175000017500000000215214633602172017016 0ustar nissenisseC x86_64/fat/sha1-compress-2.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `_$1_sha_ni') include_src(`x86_64/sha_ni/sha1-compress.asm') nettle-3.10/x86_64/fat/memxor.asm0000644000175000017500000000212414633602172015500 0ustar nissenisseC x86_64/fat/memxor.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `_$1_x86_64') include_src(`x86_64/memxor.asm') nettle-3.10/x86_64/fat/sha256-compress-n.asm0000644000175000017500000000215014633602172017264 0ustar nissenisseC x86_64/fat/sha256-compress-n.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_x86_64') include_src(`x86_64/sha256-compress-n.asm') nettle-3.10/x86_64/aes-encrypt-internal.asm0000644000175000017500000000651614633602172017474 0ustar nissenisseC x86_64/aes-encrypt-internal.asm ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86_64/aes.m4') C Register usage: C AES state, use two of them define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') define(`TA',`%r10d') define(`TB',`%r11d') define(`TC',`%r12d') C Input argument define(`ROUNDS', `%rdi') define(`KEYS', `%rsi') define(`PARAM_TABLE', `%rdx') define(`PARAM_LENGTH',`%rcx') define(`DST', `%r8') define(`SRC', `%r9') define(`TABLE', `%r13') define(`LENGTH',`%r14') define(`KEY', `%r15') C Must correspond to an old-style register, for movzb from %ah--%dh to C work. define(`TMP',`%rbp') .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) W64_ENTRY(6, 0) test PARAM_LENGTH, PARAM_LENGTH jz .Lend C save all registers that need to be saved push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 subl $1, XREG(ROUNDS) push ROUNDS C Rounds at (%rsp) mov PARAM_TABLE, TABLE mov PARAM_LENGTH, LENGTH shr $4, LENGTH .Lblock_loop: mov KEYS, KEY AES_LOAD(SA, SB, SC, SD, SRC, KEY) add $16, SRC C Increment src pointer movl (%rsp), XREG(ROUNDS) add $16, KEY C point to next key ALIGN(16) .Lround_loop: AES_ROUND(TABLE, SA,SB,SC,SD, TA, TMP) AES_ROUND(TABLE, SB,SC,SD,SA, TB, TMP) AES_ROUND(TABLE, SC,SD,SA,SB, TC, TMP) AES_ROUND(TABLE, SD,SA,SB,SC, SD, TMP) movl TA, SA movl TB, SB movl TC, SC xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD add $16, KEY C point to next key decl XREG(ROUNDS) jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SB,SC,SD, TABLE, TA, TMP) AES_FINAL_ROUND(SB,SC,SD,SA, TABLE, TB, TMP) AES_FINAL_ROUND(SC,SD,SA,SB, TABLE, TC, TMP) AES_FINAL_ROUND(SD,SA,SB,SC, TABLE, SD, TMP) C S-box substitution mov $3, XREG(ROUNDS) .Lsubst: AES_SUBST_BYTE(TA,TB,TC,SD, TABLE, TMP) decl XREG(ROUNDS) jnz .Lsubst C Add last subkey, and store encrypted data AES_STORE(TA,TB,TC,SD, KEY, DST) add $16, DST dec LENGTH jnz .Lblock_loop lea 8(%rsp), %rsp C Drop ROUNDS pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx .Lend: W64_EXIT(6, 0) ret EPILOGUE(_nettle_aes_encrypt) nettle-3.10/x86_64/sha512-compress.asm0000644000175000017500000001107014633602172016253 0ustar nissenisseC x86_64/sha512-compress.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha512-compress.asm" define(`STATE', `%rdi') define(`INPUT', `%rsi') define(`K', `%rdx') define(`SA', `%rax') define(`SB', `%rbx') define(`SC', `%rcx') define(`SD', `%r8') define(`SE', `%r9') define(`SF', `%r10') define(`SG', `%r11') define(`SH', `%r12') define(`T0', `%r13') define(`T1', `%rdi') C Overlap STATE define(`COUNT', `%r14') define(`W', `%r15') define(`EXPN', ` mov OFFSET64($1)(%rsp), W mov OFFSET64(eval(($1 + 14) % 16))(%rsp), T0 mov T0, T1 shr `$'6, T0 rol `$'3, T1 xor T1, T0 rol `$'42, T1 xor T1, T0 add T0, W mov OFFSET64(eval(($1 + 1) % 16))(%rsp), T0 mov T0, T1 shr `$'7, T0 rol `$'56, T1 xor T1, T0 rol `$'7, T1 xor T1, T0 add T0, W add OFFSET64(eval(($1 + 9) % 16))(%rsp), W mov W, OFFSET64($1)(%rsp) ') C ROUND(A,B,C,D,E,F,G,H,K) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<50 ^ E<<<46 ^ E<<<23 C S0(A) = A<<<36 ^ A<<<30 ^ A<<<25 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) define(`ROUND', ` mov $5, T0 mov $5, T1 rol `$'23, T0 rol `$'46, T1 xor T0, T1 rol `$'27, T0 xor T0, T1 add W, $8 add T1, $8 mov $7, T0 xor $6, T0 and $5, T0 xor $7, T0 add OFFSET64($9)(K,COUNT,8), $8 add T0, $8 add $8, $4 mov $1, T0 mov $1, T1 rol `$'25, T0 rol `$'30, T1 xor T0, T1 rol `$'11, T0 xor T0, T1 add T1, $8 mov $1, T0 mov $1, T1 and $2, T0 xor $2, T1 add T0, $8 and $3, T1 add T1, $8 ') define(`NOEXPN', ` mov OFFSET64($1)(INPUT, COUNT, 8), W bswap W mov W, OFFSET64($1)(%rsp, COUNT, 8) ') C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) .text ALIGN(16) PROLOGUE(_nettle_sha512_compress) W64_ENTRY(3, 0) sub $184, %rsp mov %rbx, 128(%rsp) mov STATE, 136(%rsp) C Save state, to free a register mov %rbp, 144(%rsp) mov %r12, 152(%rsp) mov %r13, 160(%rsp) mov %r14, 168(%rsp) mov %r15, 176(%rsp) mov (STATE), SA mov 8(STATE), SB mov 16(STATE), SC mov 24(STATE), SD mov 32(STATE), SE mov 40(STATE), SF mov 48(STATE), SG mov 56(STATE), SH xor COUNT, COUNT ALIGN(16) .Loop1: NOEXPN(0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) NOEXPN(1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) NOEXPN(2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) NOEXPN(3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) NOEXPN(4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) NOEXPN(5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) NOEXPN(6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) NOEXPN(7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) add $8, COUNT cmp $16, COUNT jne .Loop1 .Loop2: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,8) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,9) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,10) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,11) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,12) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,13) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,14) EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,15) add $16, COUNT cmp $80, COUNT jne .Loop2 mov 136(%rsp), STATE add SA, (STATE) add SB, 8(STATE) add SC, 16(STATE) add SD, 24(STATE) add SE, 32(STATE) add SF, 40(STATE) add SG, 48(STATE) add SH, 56(STATE) mov 128(%rsp), %rbx mov 144(%rsp), %rbp mov 152(%rsp), %r12 mov 160(%rsp), %r13 mov 168(%rsp),%r14 mov 176(%rsp),%r15 add $184, %rsp W64_EXIT(3, 0) ret EPILOGUE(_nettle_sha512_compress) nettle-3.10/x86_64/chacha-core-internal.asm0000644000175000017500000000504014633602172017366 0ustar nissenisseC x86_64/chacha-core-internal.asm ifelse(` Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`DST', `%rdi') define(`SRC', `%rsi') define(`COUNT', `%rdx') define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`T0', `%xmm4') define(`T1', `%xmm5') define(`USE_PSHUFW', `yes') C ROTL_BY_16(REG, TMP) ifelse(USE_PSHUFW, `yes', ` define(`ROTL_BY_16', ` pshufhw `$'0xb1, $1, $1 pshuflw `$'0xb1, $1, $1 ')', ` define(`ROTL_BY_16', ` pslld `$'16, $1 psrld `$'16, $2 por $2, $1 ') ') C QROUND(x0, x1, x2, x3) define(`QROUND', ` paddd $2, $1 pxor $1, $4 movaps $4, T0 ROTL_BY_16($4, T0) paddd $4, $3 pxor $3, $2 movaps $2, T0 pslld `$'12, $2 psrld `$'20, T0 por T0, $2 paddd $2, $1 pxor $1, $4 movaps $4, T0 pslld `$'8, $4 psrld `$'24, T0 por T0, $4 paddd $4, $3 pxor $3, $2 movaps $2, T0 pslld `$'7, $2 psrld `$'25, T0 por T0, $2 ') C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) .text ALIGN(16) PROLOGUE(_nettle_chacha_core) W64_ENTRY(3, 6) movups (SRC), X0 movups 16(SRC), X1 movups 32(SRC), X2 movups 48(SRC), X3 shrl $1, XREG(COUNT) ALIGN(16) .Loop: QROUND(X0, X1, X2, X3) pshufd $0x39, X1, X1 pshufd $0x4e, X2, X2 pshufd $0x93, X3, X3 QROUND(X0, X1, X2, X3) pshufd $0x93, X1, X1 pshufd $0x4e, X2, X2 pshufd $0x39, X3, X3 decl XREG(COUNT) jnz .Loop movups (SRC), T0 movups 16(SRC), T1 paddd T0, X0 paddd T1, X1 movups X0,(DST) movups X1,16(DST) movups 32(SRC), T0 movups 48(SRC), T1 paddd T0, X2 paddd T1, X3 movups X2,32(DST) movups X3,48(DST) W64_EXIT(3, 6) ret EPILOGUE(_nettle_chacha_core) nettle-3.10/x86_64/sha_ni/0000755000175000017500000000000014633602172014157 5ustar nissenissenettle-3.10/x86_64/sha_ni/sha1-compress.asm0000644000175000017500000000723214633602172017352 0ustar nissenisseC x86_64/sha_ni/sha1-compress.asm ifelse(` Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage. C Arguments define(`STATE',`%rdi')dnl define(`INPUT',`%rsi')dnl define(`MSG0',`%xmm0') define(`MSG1',`%xmm1') define(`MSG2',`%xmm2') define(`MSG3',`%xmm3') define(`ABCD',`%xmm4') define(`E0',`%xmm5') define(`E1',`%xmm6') define(`ABCD_ORIG', `%xmm7') define(`E_ORIG', `%xmm8') define(`SWAP_MASK',`%xmm9') C QROUND(M0, M1, M2, M3, E0, E1, TYPE) define(`QROUND', ` sha1nexte $1, $5 movdqa ABCD, $6 sha1msg2 $1, $2 sha1rnds4 `$'$7, $5, ABCD sha1msg1 $1, $4 pxor $1, $3 ') .file "sha1-compress.asm" C nettle_sha1_compress(uint32_t *state, uint8_t *input) .text ALIGN(16) .Lswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 PROLOGUE(nettle_sha1_compress) C save all registers that need to be saved W64_ENTRY(2, 10) movups (STATE), ABCD movd 16(STATE), E0 movups (INPUT), MSG0 movdqa .Lswap_mask(%rip), SWAP_MASK pshufd $0x1b, ABCD, ABCD pshufd $0x1b, E0, E0 movdqa ABCD, ABCD_ORIG movdqa E0, E_ORIG pshufb SWAP_MASK, MSG0 paddd MSG0, E0 movdqa ABCD, E1 sha1rnds4 $0, E0, ABCD C Rounds 0-3 movups 16(INPUT), MSG1 pshufb SWAP_MASK, MSG1 sha1nexte MSG1, E1 movdqa ABCD, E0 sha1rnds4 $0, E1, ABCD C Rounds 4-7 sha1msg1 MSG1, MSG0 movups 32(INPUT), MSG2 pshufb SWAP_MASK, MSG2 sha1nexte MSG2, E0 movdqa ABCD, E1 sha1rnds4 $0, E0, ABCD C Rounds 8-11 sha1msg1 MSG2, MSG1 pxor MSG2, MSG0 movups 48(INPUT), MSG3 pshufb SWAP_MASK, MSG3 QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 0) C Rounds 12-15 QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 0) C Rounds 16-19 QROUND(MSG1, MSG2, MSG3, MSG0, E1, E0, 1) C Rounds 20-23 QROUND(MSG2, MSG3, MSG0, MSG1, E0, E1, 1) C Rounds 24-27 QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 1) C Rounds 28-31 QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 1) C Rounds 32-35 QROUND(MSG1, MSG2, MSG3, MSG0, E1, E0, 1) C Rounds 36-39 QROUND(MSG2, MSG3, MSG0, MSG1, E0, E1, 2) C Rounds 40-43 QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 2) C Rounds 44-47 QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 2) C Rounds 48-51 QROUND(MSG1, MSG2, MSG3, MSG0, E1, E0, 2) C Rounds 52-55 QROUND(MSG2, MSG3, MSG0, MSG1, E0, E1, 2) C Rounds 56-59 QROUND(MSG3, MSG0, MSG1, MSG2, E1, E0, 3) C Rounds 60-63 QROUND(MSG0, MSG1, MSG2, MSG3, E0, E1, 3) C Rounds 64-67 sha1nexte MSG1, E1 movdqa ABCD, E0 sha1msg2 MSG1, MSG2 sha1rnds4 $3, E1, ABCD C Rounds 68-71 pxor MSG1, MSG3 sha1nexte MSG2, E0 movdqa ABCD, E1 sha1msg2 MSG2, MSG3 sha1rnds4 $3, E0, ABCD C Rounds 72-75 sha1nexte MSG3, E1 movdqa ABCD, E0 sha1rnds4 $3, E1, ABCD C Rounds 76-79 sha1nexte E_ORIG, E0 paddd ABCD_ORIG, ABCD pshufd $0x1b, ABCD, ABCD movups ABCD, (STATE) pshufd $0x1b, E0, E0 movd E0, 16(STATE) W64_EXIT(2, 10) ret EPILOGUE(nettle_sha1_compress) nettle-3.10/x86_64/sha_ni/sha256-compress-n.asm0000644000175000017500000001046214633602172017760 0ustar nissenisseC x86_64/sha_ni/sha256-compress-n.asm ifelse(` Copyright (C) 2018, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha256-compress-n.asm" define(`STATE', `%rdi') define(`K', `%rsi') define(`BLOCKS', `%rdx') define(`INPUT', `%rcx') define(`MSGK',`%xmm0') C Implicit operand of sha256rnds2 define(`MSG0',`%xmm1') define(`MSG1',`%xmm2') define(`MSG2',`%xmm3') define(`MSG3',`%xmm4') define(`ABEF',`%xmm5') define(`CDGH',`%xmm6') define(`ABEF_ORIG',`%xmm7') define(`CDGH_ORIG', `%xmm8') define(`SWAP_MASK',`%xmm9') define(`TMP', `%xmm10') C QROUND(M0, M1, M2, M3, R) define(`QROUND', ` movdqa eval($5*4)(K), MSGK paddd $1, MSGK sha256rnds2 ABEF, CDGH pshufd `$'0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF movdqa $1, TMP palignr `$'4, $4, TMP paddd TMP, $2 sha256msg2 $1, $2 sha256msg1 $1, $4 ') C FIXME: Do something more clever, taking the pshufd into account. C TRANSPOSE(ABCD, EFGH, scratch) --> untouched, ABEF, CDGH define(`TRANSPOSE', ` movdqa $2, $3 punpckhqdq $1, $2 punpcklqdq $1, $3 ') C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) .text ALIGN(16) .Lswap_mask: .byte 3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12 PROLOGUE(_nettle_sha256_compress_n) W64_ENTRY(4, 11) test BLOCKS, BLOCKS jz .Lend movups (STATE), TMP movups 16(STATE), ABEF pshufd $0x1b, TMP, TMP pshufd $0x1b, ABEF, ABEF TRANSPOSE(TMP, ABEF, CDGH) movdqa .Lswap_mask(%rip), SWAP_MASK .Loop: movups (INPUT), MSG0 pshufb SWAP_MASK, MSG0 movdqa ABEF, ABEF_ORIG movdqa CDGH, CDGH_ORIG movdqa (K), MSGK paddd MSG0, MSGK sha256rnds2 ABEF, CDGH C Round 0-1 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 2-3 movups 16(INPUT), MSG1 pshufb SWAP_MASK, MSG1 movdqa 16(K), MSGK paddd MSG1, MSGK sha256rnds2 ABEF, CDGH C Round 4-5 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 6-7 sha256msg1 MSG1, MSG0 movups 32(INPUT), MSG2 pshufb SWAP_MASK, MSG2 movdqa 32(K), MSGK paddd MSG2, MSGK sha256rnds2 ABEF, CDGH C Round 8-9 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 10-11 sha256msg1 MSG2, MSG1 movups 48(INPUT), MSG3 pshufb SWAP_MASK, MSG3 QROUND(MSG3, MSG0, MSG1, MSG2, 12) C Round 12-15 QROUND(MSG0, MSG1, MSG2, MSG3, 16) QROUND(MSG1, MSG2, MSG3, MSG0, 20) QROUND(MSG2, MSG3, MSG0, MSG1, 24) QROUND(MSG3, MSG0, MSG1, MSG2, 28) QROUND(MSG0, MSG1, MSG2, MSG3, 32) QROUND(MSG1, MSG2, MSG3, MSG0, 36) QROUND(MSG2, MSG3, MSG0, MSG1, 40) QROUND(MSG3, MSG0, MSG1, MSG2, 44) QROUND(MSG0, MSG1, MSG2, MSG3, 48) movdqa 208(K), MSGK paddd MSG1, MSGK sha256rnds2 ABEF, CDGH C Round 52-53 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 54-55 movdqa MSG1, TMP palignr $4, MSG0, TMP paddd TMP, MSG2 sha256msg2 MSG1, MSG2 movdqa 224(K), MSGK paddd MSG2, MSGK sha256rnds2 ABEF, CDGH C Round 56-57 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 58-59 movdqa MSG2, TMP palignr $4, MSG1, TMP paddd TMP, MSG3 sha256msg2 MSG2, MSG3 movdqa 240(K), MSGK paddd MSG3, MSGK sha256rnds2 ABEF, CDGH C Round 60-61 pshufd $0xe, MSGK, MSGK sha256rnds2 CDGH, ABEF C Round 62-63 paddd ABEF_ORIG, ABEF paddd CDGH_ORIG, CDGH add $64, INPUT dec BLOCKS jnz .Loop TRANSPOSE(ABEF, CDGH, TMP) pshufd $0x1b, CDGH, CDGH pshufd $0x1b, TMP, TMP movups CDGH, 0(STATE) movups TMP, 16(STATE) .Lend: mov INPUT, %rax W64_EXIT(4, 11) ret EPILOGUE(_nettle_sha256_compress_n) nettle-3.10/x86_64/salsa20.m40000644000175000017500000000143014633602172014423 0ustar nissenisseC Needs T0 and T1 C QROUND(x0, x1, x2, x3) define(`QROUND', ` movaps $4, T0 C 0 paddd $1, T0 C 1 movaps T0, T1 C 2 pslld `$'7, T0 C 2 psrld `$'25, T1 C 3 pxor T0, $2 C 3 pxor T1, $2 C 4 movaps $1, T0 C 0 paddd $2, T0 C 5 movaps T0, T1 C 6 pslld `$'9, T0 C 6 psrld `$'23, T1 C 7 pxor T0, $3 C 7 pxor T1, $3 C 8 movaps $2, T0 C 0 paddd $3, T0 C 9 movaps T0, T1 C 10 pslld `$'13, T0 C 10 psrld `$'19, T1 C 11 pxor T0, $4 C 11 pxor T1, $4 C 12 movaps $3, T0 C 0 paddd $4, T0 C 13 movaps T0, T1 C 14 pslld `$'18, T0 C 14 psrld `$'14, T1 C 15 pxor T0, $1 C 15 pxor T1, $1 C 16 ') C SWAP(x0, x1, mask) C Swaps bits in x0 and x1, with bits selected by the mask define(`SWAP', ` movaps $1, T0 pxor $2, $1 pand $3, $1 pxor $1, $2 pxor T0, $1 ') nettle-3.10/x86_64/poly1305-internal.asm0000644000175000017500000001023114633602172016523 0ustar nissenisseC x86_64/poly1305-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "poly1305-internal.asm" C Registers mainly used by poly1305_block define(`CTX', `%rdi') C First argument to all functions define(`KEY', `%rsi') define(`MASK',` %r8') C _poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) .text ALIGN(16) PROLOGUE(_nettle_poly1305_set_key) W64_ENTRY(2,0) mov $0x0ffffffc0fffffff, MASK mov (KEY), %rax and MASK, %rax and $-4, MASK mov %rax, P1305_R0 (CTX) imul $5, %rax mov %rax, P1305_S0 (CTX) C 5*R0 mov 8(KEY), %rax and MASK, %rax mov %rax, P1305_R1 (CTX) shr $2, %rax imul $5, %rax mov %rax, P1305_S1 (CTX) C 5*(R1>>2) xor XREG(%rax), XREG(%rax) mov %rax, P1305_H0 (CTX) mov %rax, P1305_H1 (CTX) mov %rax, P1305_H2 (CTX) W64_EXIT(2,0) ret undefine(`KEY') undefine(`MASK') EPILOGUE(_nettle_poly1305_set_key) define(`T0', `%rcx') define(`T1', `%rsi') C Overlaps message input pointer. define(`T2', `%r8') define(`H0', `%r9') define(`H1', `%r10') define(`F0', `%r11') define(`F1', `%r12') C First accumulate the independent products C C {H1,H0} = R0 T0 + S1 T1 + S0 (T2 >> 2) C {F1,F0} = R1 T0 + R0 T1 + S1 T2 C T = R0 * (T2 & 3) C C Then add together as C C +--+--+--+ C |T |H1|H0| C +--+--+--+ C + |F1|F0| C --+--+--+--+ C |H2|H1|H0| C +--+--+--+ C _poly1305_block (struct poly1305_ctx *ctx, const uint8_t m[16], unsigned hi) PROLOGUE(_nettle_poly1305_block) W64_ENTRY(3, 0) push %r12 mov (%rsi), T0 mov 8(%rsi), T1 mov XREG(%rdx), XREG(T2) C Also zero extends add P1305_H0 (CTX), T0 adc P1305_H1 (CTX), T1 adc P1305_H2 (CTX), T2 mov P1305_R1 (CTX), %rax mul T0 C R1*T0 mov %rax, F0 mov %rdx, F1 mov T0, %rax C Last use of T0 input mov P1305_R0 (CTX), T0 mul T0 C R0*T0 mov %rax, H0 mov %rdx, H1 mov T1, %rax mul T0 C R0*T1 add %rax, F0 adc %rdx, F1 mov P1305_S1 (CTX), T0 mov T1, %rax C Last use of T1 input mul T0 C S1*T1 add %rax, H0 adc %rdx, H1 mov T2, %rax mul T0 C S1*T2 add %rax, F0 adc %rdx, F1 mov $3, XREG(T1) and T2, T1 shr $2, T2 mov P1305_S0 (CTX), %rax mul T2 C S0*(T2 >> 2) add %rax, H0 adc %rdx, H1 imul P1305_R0 (CTX), T1 C R0*(T2 & 3) add F0, H1 adc T1, F1 mov H0, P1305_H0 (CTX) mov H1, P1305_H1 (CTX) mov F1, P1305_H2 (CTX) pop %r12 W64_EXIT(3, 0) ret EPILOGUE(_nettle_poly1305_block) undefine(`T0') undefine(`T1') undefine(`T2') undefine(`H0') undefine(`H1') undefine(`F0') undefine(`F1') C _poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) define(`S', `%rsi') define(`T0', `%rcx') define(`T1', `%r8') define(`H0', `%r9') define(`H1', `%r10') define(`F0', `%r11') define(`F1', `%rrd') C Overlaps CTX PROLOGUE(_nettle_poly1305_digest) W64_ENTRY(2, 0) mov P1305_H0 (CTX), H0 mov P1305_H1 (CTX), H1 mov P1305_H2 (CTX), F0 xor XREG(%rax), XREG(%rax) mov %rax, P1305_H0 (CTX) mov %rax, P1305_H1 (CTX) mov %rax, P1305_H2 (CTX) mov $3, XREG(%rax) and XREG(F0), XREG(%rax) shr $2, F0 imul $5, F0 add F0, H0 adc $0, H1 adc $0, XREG(%rax) C Add 5, use result if >= 2^130 mov $5, T0 xor T1, T1 add H0, T0 adc H1, T1 adc $-4, XREG(%rax) C Carry if %rax + c >= 4 cmovc T0, H0 cmovc T1, H1 add H0, (S) adc H1, 8(S) W64_EXIT(2, 0) ret EPILOGUE(_nettle_poly1305_digest) nettle-3.10/x86_64/serpent-decrypt.asm0000644000175000017500000002452114633602172016554 0ustar nissenisseC x86_64/serpent-decrypt.asm ifelse(` Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86_64/serpent.m4') C Register usage: C Single block serpent state, two copies define(`x0', `%eax') define(`x1', `%ebx') define(`x2', `%ebp') define(`x3', `%r8d') define(`y0', `%r9d') define(`y1', `%r10d') define(`y2', `%r11d') define(`y3', `%r12d') C Quadruple block serpent state, two copies define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`Y0', `%xmm4') define(`Y1', `%xmm5') define(`Y2', `%xmm6') define(`Y3', `%xmm7') define(`MINUS1', `%xmm8') define(`T0', `%xmm9') define(`T1', `%xmm10') define(`T2', `%xmm11') define(`T3', `%xmm12') C Arguments define(`CTX', `%rdi') define(`N', `%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`CNT', `%r13') define(`TMP32', `%r14d') C SBOX macros. Inputs $1 - $4 (destroyed), outputs $5 - $8 define(`SBOX0I', ` mov $1, $5 xor $3, $5 mov $1, $7 or $2, $7 mov $3, $6 xor $4, $6 xor $6, $7 and $3, $6 or $2, $3 xor $4, $2 or $1, $6 and $3, $2 xor $2, $6 or $7, $1 xor $6, $1 mov $7, $2 and $1, $2 not $7 or $7, $4 xor $3, $4 mov $1, $8 xor $4, $8 or $4, $2 xor $2, $5 ') define(`SBOX1I', ` mov $2, $6 or $4, $6 xor $3, $6 mov $1, $8 xor $2, $8 mov $1, $5 or $6, $5 and $8, $5 xor $5, $2 xor $6, $8 and $4, $2 mov $1, $7 and $3, $7 or $7, $6 or $4, $7 xor $5, $7 not $7 xor $2, $6 xor $6, $5 xor $3, $5 or $7, $1 xor $1, $5 ') define(`SBOX2I', ` mov $1, $5 xor $4, $5 mov $3, $7 xor $4, $7 mov $2, $6 or $7, $6 xor $6, $5 mov $4, $6 or $5, $6 and $2, $6 not $4 mov $1, $8 or $3, $8 and $8, $7 xor $7, $6 and $2, $8 and $3, $1 or $4, $1 xor $1, $8 and $8, $3 xor $1, $3 mov $5, $7 xor $6, $7 xor $3, $7 ') define(`SBOX3I', ` mov $3, $8 or $4, $8 mov $2, $5 and $8, $5 mov $1, $7 or $4, $7 mov $3, $6 xor $7, $6 xor $6, $5 xor $1, $4 xor $4, $8 xor $2, $7 and $6, $7 xor $4, $7 xor $1, $6 or $5, $4 and $4, $6 xor $2, $6 and $7, $1 or $2, $1 xor $1, $8 ') define(`SBOX4I', ` mov $3, $6 xor $4, $6 mov $3, $7 or $4, $7 xor $2, $7 or $4, $2 mov $1, $5 xor $7, $5 xor $7, $4 and $1, $7 xor $7, $6 xor $1, $7 or $3, $7 and $2, $1 mov $1, $8 xor $4, $8 not $1 or $6, $1 xor $1, $5 xor $2, $1 xor $1, $7 ') define(`SBOX5I', ` mov $1, $6 and $4, $6 mov $3, $8 xor $6, $8 mov $2, $5 and $8, $5 mov $1, $7 xor $4, $7 xor $2, $4 xor $7, $5 and $1, $3 and $5, $1 or $2, $3 xor $5, $6 xor $3, $6 mov $5, $7 or $6, $7 xor $8, $7 xor $4, $7 not $2 or $1, $2 xor $2, $8 ') define(`SBOX6I', ` mov $1, $7 xor $3, $7 not $3 mov $2, $5 xor $4, $5 mov $1, $6 or $3, $6 xor $5, $6 mov $2, $8 and $7, $8 or $4, $8 or $3, $4 or $2, $3 and $1, $3 mov $3, $5 xor $8, $5 not $5 and $7, $8 xor $3, $8 xor $6, $1 xor $1, $8 and $5, $2 xor $2, $7 xor $4, $7 ') define(`SBOX7I', ` mov $1, $8 and $2, $8 mov $2, $7 xor $4, $7 or $8, $7 mov $1, $6 or $4, $6 and $3, $6 xor $6, $7 or $3, $8 mov $1, $5 or $2, $5 and $4, $5 xor $5, $8 xor $2, $5 mov $4, $6 xor $8, $6 not $6 or $5, $6 xor $3, $5 xor $1, $6 or $6, $4 xor $4, $5 ') define(`LTI', ` rol `$'10, $3 rol `$'27, $1 mov $2, TMP32 shl `$'7, TMP32 xor $4, $3 xor TMP32, $3 xor $2, $1 xor $4, $1 rol `$'25, $4 rol `$'31, $2 mov $1, TMP32 shl `$'3, TMP32 xor $3, $4 xor TMP32, $4 xor $1, $2 xor $3, $2 rol `$'29, $3 rol `$'19, $1 ') define(`PNOT', ` pxor MINUS1, $1 ') define(`WSBOX0I', ` movdqa $1, $5 pxor $3, $5 movdqa $1, $7 por $2, $7 movdqa $3, $6 pxor $4, $6 pxor $6, $7 pand $3, $6 por $2, $3 pxor $4, $2 por $1, $6 pand $3, $2 pxor $2, $6 por $7, $1 pxor $6, $1 movdqa $7, $2 pand $1, $2 PNOT($7) por $7, $4 pxor $3, $4 movdqa $1, $8 pxor $4, $8 por $4, $2 pxor $2, $5 ') define(`WSBOX1I', ` movdqa $2, $6 por $4, $6 pxor $3, $6 movdqa $1, $8 pxor $2, $8 movdqa $1, $5 por $6, $5 pand $8, $5 pxor $5, $2 pxor $6, $8 pand $4, $2 movdqa $1, $7 pand $3, $7 por $7, $6 por $4, $7 pxor $5, $7 PNOT($7) pxor $2, $6 pxor $6, $5 pxor $3, $5 por $7, $1 pxor $1, $5 ') define(`WSBOX2I', ` movdqa $1, $5 pxor $4, $5 movdqa $3, $7 pxor $4, $7 movdqa $2, $6 por $7, $6 pxor $6, $5 movdqa $4, $6 por $5, $6 pand $2, $6 PNOT($4) movdqa $1, $8 por $3, $8 pand $8, $7 pxor $7, $6 pand $2, $8 pand $3, $1 por $4, $1 pxor $1, $8 pand $8, $3 pxor $1, $3 movdqa $5, $7 pxor $6, $7 pxor $3, $7 ') define(`WSBOX3I', ` movdqa $3, $8 por $4, $8 movdqa $2, $5 pand $8, $5 movdqa $1, $7 por $4, $7 movdqa $3, $6 pxor $7, $6 pxor $6, $5 pxor $1, $4 pxor $4, $8 pxor $2, $7 pand $6, $7 pxor $4, $7 pxor $1, $6 por $5, $4 pand $4, $6 pxor $2, $6 pand $7, $1 por $2, $1 pxor $1, $8 ') define(`WSBOX4I', ` movdqa $3, $6 pxor $4, $6 movdqa $3, $7 por $4, $7 pxor $2, $7 por $4, $2 movdqa $1, $5 pxor $7, $5 pxor $7, $4 pand $1, $7 pxor $7, $6 pxor $1, $7 por $3, $7 pand $2, $1 movdqa $1, $8 pxor $4, $8 PNOT($1) por $6, $1 pxor $1, $5 pxor $2, $1 pxor $1, $7 ') define(`WSBOX5I', ` movdqa $1, $6 pand $4, $6 movdqa $3, $8 pxor $6, $8 movdqa $2, $5 pand $8, $5 movdqa $1, $7 pxor $4, $7 pxor $2, $4 pxor $7, $5 pand $1, $3 pand $5, $1 por $2, $3 pxor $5, $6 pxor $3, $6 movdqa $5, $7 por $6, $7 pxor $8, $7 pxor $4, $7 PNOT($2) por $1, $2 pxor $2, $8 ') define(`WSBOX6I', ` movdqa $1, $7 pxor $3, $7 PNOT($3) movdqa $2, $5 pxor $4, $5 movdqa $1, $6 por $3, $6 pxor $5, $6 movdqa $2, $8 pand $7, $8 por $4, $8 por $3, $4 por $2, $3 pand $1, $3 movdqa $3, $5 pxor $8, $5 PNOT($5) pand $7, $8 pxor $3, $8 pxor $6, $1 pxor $1, $8 pand $5, $2 pxor $2, $7 pxor $4, $7 ') define(`WSBOX7I', ` movdqa $1, $8 pand $2, $8 movdqa $2, $7 pxor $4, $7 por $8, $7 movdqa $1, $6 por $4, $6 pand $3, $6 pxor $6, $7 por $3, $8 movdqa $1, $5 por $2, $5 pand $4, $5 pxor $5, $8 pxor $2, $5 movdqa $4, $6 pxor $8, $6 PNOT($6) por $5, $6 pxor $3, $5 pxor $1, $6 por $6, $4 pxor $4, $5 ') define(`WLTI', ` WROL(10, $3) WROL(27, $1) movdqa $2, T0 pslld `$'7, T0 pxor $4, $3 pxor T0, $3 pxor $2, $1 pxor $4, $1 WROL(25, $4) WROL(31, $2) movdqa $1, T0 pslld `$'3, T0 pxor $3, $4 pxor T0, $4 pxor $1, $2 pxor $3, $2 WROL(29, $3) WROL(19, $1) ') .file "serpent-decrypt.asm" C serpent_decrypt(struct serpent_context *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_serpent_decrypt) C save all registers that need to be saved W64_ENTRY(4, 13) push %rbx push %rbp push %r12 push %r13 push %r14 lea (SRC, N), SRC lea (DST, N), DST neg N jz .Lend cmp $-64, N ja .Lblock_loop pcmpeqd MINUS1, MINUS1 .Lwblock_loop: movups (SRC, N), X0 movups 16(SRC, N), X1 movups 32(SRC, N), X2 movups 48(SRC, N), X3 WTRANSPOSE(X0,X1,X2,X3) mov $384, CNT C FIXME: CNT known, no index register needed WKEYXOR(128, X0,X1,X2,X3) jmp .Lwround_start ALIGN(16) .Lwround_loop: WLTI(X0,X1,X2,X3) .Lwround_start: WSBOX7I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(112, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX6I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(96, X0,X1,X2,X3) WLTI(X0,X1,X2,X3) WSBOX5I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(80, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX4I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(64, X0,X1,X2,X3) WLTI(X0,X1,X2,X3) WSBOX3I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(48, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX2I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(32, X0,X1,X2,X3) WLTI(X0,X1,X2,X3) WSBOX1I(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WKEYXOR(16, Y0,Y1,Y2,Y3) WLTI(Y0,Y1,Y2,Y3) WSBOX0I(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WKEYXOR(, X0,X1,X2,X3) sub $128, CNT jnc .Lwround_loop WTRANSPOSE(X0,X1,X2,X3) movups X0, (DST, N) movups X1, 16(DST, N) movups X2, 32(DST, N) movups X3, 48(DST, N) C FIXME: Adjust N, so we can use just jnc without an extra cmp. add $64, N jz .Lend cmp $-64, N jbe .Lwblock_loop .Lblock_loop: movl (SRC, N), x0 movl 4(SRC, N), x1 movl 8(SRC, N), x2 movl 12(SRC, N), x3 xor 512(CTX), x0 xor 516(CTX), x1 xor 520(CTX), x2 xor 524(CTX), x3 mov $384, CNT jmp .Lround_start ALIGN(16) .Lround_loop: LTI(x0,x1,x2,x3) .Lround_start: SBOX7I(x0,x1,x2,x3, y0,y1,y2,y3) xor 112(CTX, CNT), y0 xor 116(CTX, CNT), y1 xor 120(CTX, CNT), y2 xor 124(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX6I(y0,y1,y2,y3, x0,x1,x2,x3) xor 96(CTX, CNT), x0 xor 100(CTX, CNT), x1 xor 104(CTX, CNT), x2 xor 108(CTX, CNT), x3 LTI(x0,x1,x2,x3) SBOX5I(x0,x1,x2,x3, y0,y1,y2,y3) xor 80(CTX, CNT), y0 xor 84(CTX, CNT), y1 xor 88(CTX, CNT), y2 xor 92(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX4I(y0,y1,y2,y3, x0,x1,x2,x3) xor 64(CTX, CNT), x0 xor 68(CTX, CNT), x1 xor 72(CTX, CNT), x2 xor 76(CTX, CNT), x3 LTI(x0,x1,x2,x3) SBOX3I(x0,x1,x2,x3, y0,y1,y2,y3) xor 48(CTX, CNT), y0 xor 52(CTX, CNT), y1 xor 56(CTX, CNT), y2 xor 60(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX2I(y0,y1,y2,y3, x0,x1,x2,x3) xor 32(CTX, CNT), x0 xor 36(CTX, CNT), x1 xor 40(CTX, CNT), x2 xor 44(CTX, CNT), x3 LTI(x0,x1,x2,x3) SBOX1I(x0,x1,x2,x3, y0,y1,y2,y3) xor 16(CTX, CNT), y0 xor 20(CTX, CNT), y1 xor 24(CTX, CNT), y2 xor 28(CTX, CNT), y3 LTI(y0,y1,y2,y3) SBOX0I(y0,y1,y2,y3, x0,x1,x2,x3) xor (CTX, CNT), x0 xor 4(CTX, CNT), x1 xor 8(CTX, CNT), x2 xor 12(CTX, CNT), x3 sub $128, CNT jnc .Lround_loop movl x0, (DST, N) movl x1, 4(DST, N) movl x2, 8(DST, N) movl x3, 12(DST, N) add $16, N jnc .Lblock_loop .Lend: pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(4, 13) ret EPILOGUE(nettle_serpent_decrypt) nettle-3.10/x86_64/umac-nh.asm0000644000175000017500000000371214633602172014753 0ustar nissenisseC x86_64/umac-nh.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`KEY', `%rdi') define(`LENGTH', `%rsi') define(`MSG', `%rdx') define(`XA', `%xmm0') define(`XB', `%xmm1') define(`XK0', `%xmm2') define(`XK1', `%xmm3') define(`XY', `%xmm4') define(`XT0', `%xmm5') define(`XT1', `%xmm6') C FIXME: Would be nice if we could force the key array to be 16-byte C aligned. .file "umac-nh.asm" C umac_nh(const uint32_t *key, unsigned length, const uint8_t *msg) .text ALIGN(16) PROLOGUE(_nettle_umac_nh) W64_ENTRY(3, 7) pxor XY, XY .Loop: movups (KEY), XK0 movups 16(KEY), XK1 movups (MSG), XA movups 16(MSG), XB paddd XK0, XA paddd XK1, XB pshufd $0x31, XA, XT0 pshufd $0x31, XB, XT1 pmuludq XT0, XT1 paddq XT1, XY pmuludq XA, XB paddq XB, XY C Length is only 32 bits subl $32, XREG(LENGTH) lea 32(KEY), KEY lea 32(MSG), MSG ja .Loop pshufd $0xe, XY, XT0 paddq XT0, XY C Really a movq, but write as movd to please Apple's assembler movd XY, %rax W64_EXIT(3, 7) ret EPILOGUE(_nettle_umac_nh) nettle-3.10/x86_64/memxor.asm0000644000175000017500000000637614633602172014743 0ustar nissenisseC x86_64/memxor.asm ifelse(` Copyright (C) 2010, 2014, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`DST', `%rax') C Originally in %rdi define(`SRC', `%rsi') define(`N', `%rdx') define(`TMP', `%r8') define(`TMP2', `%r9') define(`CNT', `%rdi') define(`S0', `%r11') define(`S1', `%rdi') C Overlaps with CNT define(`USE_SSE2', `no') .file "memxor.asm" .text C memxor(void *dst, const void *src, size_t n) C %rdi %rsi %rdx ALIGN(16) PROLOGUE(nettle_memxor) W64_ENTRY(3, 0) test N, N C Get number of unaligned bytes at the end C %rdi is used as CNT, %rax as DST and as return value mov %rdi, %rax jz .Ldone add N, CNT and $7, CNT jz .Laligned cmp $8, N jc .Lfinal_next C FIXME: Instead of this loop, could try cmov with memory C destination, as a sequence of one 8-bit, one 16-bit and one C 32-bit operations. (Except that cmov can't do 8-bit ops, so C that step has to use a conditional). .Lalign_loop: sub $1, N movb (SRC, N), LREG(TMP) xorb LREG(TMP), (DST, N) sub $1, CNT jnz .Lalign_loop .Laligned: ifdef(`USE_SSE2', ` cmp $16, N jnc .Lsse2_case ') C Next destination word is -8(DST, N) C Setup for unrolling test $8, N jz .Lword_next sub $8, N jz .Lone_word mov (SRC, N), TMP xor TMP, (DST, N) jmp .Lword_next ALIGN(16) .Lword_loop: mov 8(SRC, N), TMP mov (SRC, N), TMP2 xor TMP, 8(DST, N) xor TMP2, (DST, N) .Lword_next: sub $16, N ja .Lword_loop C Not zero and no carry jnz .Lfinal C Final operation is word aligned mov 8(SRC, N), TMP xor TMP, 8(DST, N) .Lone_word: mov (SRC, N), TMP xor TMP, (DST, N) W64_EXIT(3, 0) ret .Lfinal: add $15, N .Lfinal_loop: movb (SRC, N), LREG(TMP) xorb LREG(TMP), (DST, N) .Lfinal_next: sub $1, N jnc .Lfinal_loop .Ldone: W64_EXIT(3, 0) ret ifdef(`USE_SSE2', ` .Lsse2_case: lea (DST, N), TMP test $8, TMP jz .Lsse2_next sub $8, N mov (SRC, N), TMP xor TMP, (DST, N) jmp .Lsse2_next ALIGN(16) .Lsse2_loop: movdqu (SRC, N), %xmm0 movdqa (DST, N), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST, N) .Lsse2_next: sub $16, N ja .Lsse2_loop C FIXME: See if we can do a full word first, before the C byte-wise final loop. jnz .Lfinal C Final operation is aligned movdqu (SRC), %xmm0 movdqa (DST), %xmm1 pxor %xmm0, %xmm1 movdqa %xmm1, (DST) W64_EXIT(3, 0) ret ') EPILOGUE(nettle_memxor) nettle-3.10/x86_64/sha256-compress-n.asm0000644000175000017500000001205314633602172016515 0ustar nissenisseC x86_64/sha256-compress-n.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha256-compress-n.asm" define(`STATE', `%rdi') define(`K', `%rsi') define(`BLOCKS', `%rdx') define(`INPUT', `%rcx') define(`STATE_SAVED', `64(%rsp)') define(`SA', `%eax') define(`SB', `%ebx') define(`SC', `%ebp') define(`SD', `%r8d') define(`SE', `%r9d') define(`SF', `%r10d') define(`SG', `%r11d') define(`SH', `%r12d') define(`T0', `%r13d') define(`T1', `%r14d') define(`COUNT', `%rdi') C Overlap STATE define(`W', `%r15d') define(`EXPN', ` movl OFFSET($1)(%rsp), W movl OFFSET(eval(($1 + 14) % 16))(%rsp), T0 movl T0, T1 shrl `$'10, T0 roll `$'13, T1 xorl T1, T0 roll `$'2, T1 xorl T1, T0 addl T0, W movl OFFSET(eval(($1 + 1) % 16))(%rsp), T0 movl T0, T1 shrl `$'3, T0 roll `$'14, T1 xorl T1, T0 roll `$'11, T1 xorl T1, T0 addl T0, W addl OFFSET(eval(($1 + 9) % 16))(%rsp), W movl W, OFFSET($1)(%rsp) ') C ROUND(A,B,C,D,E,F,G,H,K) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<26 ^ E<<<21 ^ E<<<7 C S0(A) = A<<<30 ^ A<<<19 ^ A<<<10 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) define(`ROUND', ` movl $5, T0 movl $5, T1 roll `$'7, T0 roll `$'21, T1 xorl T0, T1 roll `$'19, T0 xorl T0, T1 addl W, $8 addl T1, $8 movl $7, T0 xorl $6, T0 andl $5, T0 xorl $7, T0 addl OFFSET($9)(K,COUNT,4), $8 addl T0, $8 addl $8, $4 movl $1, T0 movl $1, T1 roll `$'10, T0 roll `$'19, T1 xorl T0, T1 roll `$'20, T0 xorl T0, T1 addl T1, $8 movl $1, T0 movl $1, T1 andl $2, T0 xorl $2, T1 addl T0, $8 andl $3, T1 addl T1, $8 ') define(`NOEXPN', ` movl OFFSET($1)(INPUT, COUNT, 4), W bswapl W movl W, OFFSET($1)(%rsp, COUNT, 4) ') C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) .text ALIGN(16) PROLOGUE(_nettle_sha256_compress_n) W64_ENTRY(4, 0) test BLOCKS, BLOCKS jz .Lend sub $120, %rsp mov STATE, STATE_SAVED C Save state, to free a register mov %rbx, 72(%rsp) mov %rbp, 80(%rsp) mov %r12, 88(%rsp) mov %r13, 96(%rsp) mov %r14, 104(%rsp) mov %r15, 112(%rsp) movl (STATE), SA movl 4(STATE), SB movl 8(STATE), SC movl 12(STATE), SD movl 16(STATE), SE movl 20(STATE), SF movl 24(STATE), SG movl 28(STATE), SH .Loop_block: xorl XREG(COUNT), XREG(COUNT) ALIGN(16) .Loop1: NOEXPN(0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) NOEXPN(1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) NOEXPN(2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) NOEXPN(3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) NOEXPN(4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) NOEXPN(5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) NOEXPN(6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) NOEXPN(7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) addl $8, XREG(COUNT) cmpl $16, XREG(COUNT) jne .Loop1 .Loop2: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,0) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,1) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,2) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,3) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,4) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,5) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,6) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,7) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH,8) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG,9) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF,10) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE,11) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD,12) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC,13) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB,14) EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA,15) addl $16, XREG(COUNT) cmpl $64, XREG(COUNT) jne .Loop2 mov STATE_SAVED, STATE addl (STATE), SA addl 4(STATE), SB addl 8(STATE), SC addl 12(STATE), SD addl 16(STATE), SE addl 20(STATE), SF addl 24(STATE), SG addl 28(STATE), SH movl SA, (STATE) movl SB, 4(STATE) movl SC, 8(STATE) movl SD, 12(STATE) movl SE, 16(STATE) movl SF, 20(STATE) movl SG, 24(STATE) movl SH, 28(STATE) add $64, INPUT dec BLOCKS jnz .Loop_block mov 72(%rsp), %rbx mov 80(%rsp), %rbp mov 88(%rsp), %r12 mov 96(%rsp), %r13 mov 104(%rsp),%r14 mov 112(%rsp),%r15 add $120, %rsp .Lend: mov INPUT, %rax W64_EXIT(4, 0) ret EPILOGUE(_nettle_sha256_compress_n) nettle-3.10/x86_64/ecc-secp384r1-modp.asm0000644000175000017500000001021314633602172016536 0ustar nissenisseC x86_64/ecc-secp384r1-modp.asm ifelse(` Copyright (C) 2013, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp384r1-modp.asm" C Input arguments: C %rdi (unused) define(`RP', `%rsi') define(`XP', `%rdx') define(`D5', `%rax') define(`T0', `%rbx') define(`T1', `%rcx') define(`T2', `%rdi') define(`T3', `%rbp') define(`T4', `%rsi') define(`T5', `%r8') define(`H0', `%r9') define(`H1', `%r10') define(`H2', `%r11') define(`H3', `%r12') define(`H4', `%r13') define(`H5', `%r14') define(`C2', `%r15') define(`C0', H5) C Overlap define(`TMP', XP) C Overlap C void ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) PROLOGUE(_nettle_ecc_secp384r1_modp) W64_ENTRY(3, 0) push %rbx push %rbp push %r12 push %r13 push %r14 push %r15 push RP C Output pointer C First get top 2 limbs, which need folding twice. C B^10 = B^6 + B^4 + 2^32 (B-1)B^4. C We handle the terms as follow: C C B^6: Folded immediatly. C C B^4: Delayed, added in in the next folding. C C 2^32(B-1) B^4: Low half limb delayed until the next C folding. Top 1.5 limbs subtracted and shifter now, resulting C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added C in. mov 80(XP), H4 mov 88(XP), H5 C Shift right 32 bits, into H1, H0 mov H4, H0 mov H5, H1 mov H5, D5 shr $32, H1 shl $32, D5 shr $32, H0 or D5, H0 C H1 H0 C - H1 H0 C -------- C H1 H0 D5 mov H0, D5 neg D5 sbb H1, H0 sbb $0, H1 xor C2, C2 add H4, H0 adc H5, H1 adc $0, C2 C Add in to high part add 48(XP), H0 adc 56(XP), H1 adc $0, C2 C Do C2 later C +1 term mov (XP), T0 add H0, T0 mov 8(XP), T1 adc H1, T1 mov 16(XP), T2 mov 64(XP), H2 adc H2, T2 mov 24(XP), T3 mov 72(XP), H3 adc H3, T3 mov 32(XP), T4 adc H4, T4 mov 40(XP), T5 adc H5, T5 sbb C0, C0 neg C0 C FIXME: Switch sign of C0? C +B^2 term add H0, T2 adc H1, T3 adc H2, T4 adc H3, T5 adc $0, C0 C Shift left, including low half of H4 mov H3, TMP shl $32, H4 shr $32, TMP or TMP, H4 mov H2, TMP shl $32, H3 shr $32, TMP or TMP, H3 mov H1, TMP shl $32, H2 shr $32, TMP or TMP, H2 mov H0, TMP shl $32, H1 shr $32, TMP or TMP, H1 shl $32, H0 C H4 H3 H2 H1 H0 0 C - H4 H3 H2 H1 H0 C --------------- C H4 H3 H2 H1 H0 TMP mov H0, TMP neg TMP sbb H1, H0 sbb H2, H1 sbb H3, H2 sbb H4, H3 sbb $0, H4 add TMP, T0 adc H0, T1 adc H1, T2 adc H2, T3 adc H3, T4 adc H4, T5 adc $0, C0 C Remains to add in C2 and C0 C Set H1, H0 = (2^96 - 2^32 + 1) C0 mov C0, H0 mov C0, H1 shl $32, H1 sub H1, H0 sbb $0, H1 C Set H3, H2 = (2^96 - 2^32 + 1) C2 mov C2, H2 mov C2, H3 shl $32, H3 sub H3, H2 sbb $0, H3 add C0, H2 C No carry. Could use lea trick xor C0, C0 add H0, T0 adc H1, T1 adc H2, T2 adc H3, T3 adc C2, T4 adc D5, T5 C Value delayed from initial folding adc $0, C0 C Use sbb and switch sign? C Final unlikely carry mov C0, H0 mov C0, H1 shl $32, H1 sub H1, H0 sbb $0, H1 pop XP C Original RP argument add H0, T0 mov T0, (XP) adc H1, T1 mov T1, 8(XP) adc C0, T2 mov T2, 16(XP) adc $0, T3 mov T3, 24(XP) adc $0, T4 mov T4, 32(XP) adc $0, T5 mov T5, 40(XP) pop %r15 pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp384r1_modp) nettle-3.10/x86_64/ecc-secp521r1-modp.asm0000644000175000017500000000540114633602172016532 0ustar nissenisseC x86_64/ecc-secp521r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp521r1-modp.asm" GMP_NUMB_BITS(64) define(`RP', `%rsi') define(`XP', `%rdx') define(`U0', `%rax') define(`U1', `%rbx') define(`U2', `%rcx') define(`U3', `%rbp') define(`U4', `%rdi') define(`U5', `%r8') define(`U6', `%r9') define(`U7', `%r10') define(`U8', `%r11') define(`U9', `%r12') define(`T0', `%r13') define(`T1', `%r14') PROLOGUE(_nettle_ecc_secp521r1_modp) W64_ENTRY(3, 0) push %rbx push %rbp push %r12 push %r13 push %r14 C Read top 17 limbs, shift left 55 bits mov 72(XP), U1 mov U1, U0 shl $55, U0 shr $9, U1 mov 80(XP), U2 mov U2, T0 shr $9, U2 shl $55, T0 or T0, U1 mov 88(XP), U3 mov U3, T0 shr $9, U3 shl $55, T0 or T0, U2 mov 96(XP), U4 mov U4, T0 shr $9, U4 shl $55, T0 or T0, U3 mov 104(XP), U5 mov U5, T0 shr $9, U5 shl $55, T0 or T0, U4 mov 112(XP), U6 mov U6, T0 shr $9, U6 shl $55, T0 or T0, U5 mov 120(XP), U7 mov U7, T0 shr $9, U7 shl $55, T0 or T0, U6 mov 128(XP), U8 mov U8, T0 shr $9, U8 shl $55, T0 or T0, U7 mov 136(XP), U9 mov U9, T0 shr $9, U9 shl $55, T0 or T0, U8 add (XP), U0 adc 8(XP), U1 adc 16(XP), U2 adc 24(XP), U3 adc 32(XP), U4 adc 40(XP), U5 adc 48(XP), U6 adc 56(XP), U7 adc 64(XP), U8 adc $0, U9 C Top limbs are . Keep low 9 bits of 8, and fold the C top bits (at most 65 bits). mov U8, T0 shr $9, T0 and $0x1ff, U8 mov U9, T1 shl $55, U9 shr $9, T1 or U9, T0 add T0, U0 mov U0, (RP) adc T1, U1 mov U1, 8(RP) adc $0, U2 mov U2, 16(RP) adc $0, U3 mov U3, 24(RP) adc $0, U4 mov U4, 32(RP) adc $0, U5 mov U5, 40(RP) adc $0, U6 mov U6, 48(RP) adc $0, U7 mov U7, 56(RP) adc $0, U8 mov U8, 64(RP) pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp521r1_modp) nettle-3.10/x86_64/ecc-secp256r1-redc.asm0000644000175000017500000000514414633602172016521 0ustar nissenisseC x86_64/ecc-secp256r1-redc.asm ifelse(` Copyright (C) 2013, 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp256r1-redc.asm" define(`RP', `%rsi') define(`XP', `%rdx') define(`U0', `%rdi') C Overlaps unused modulo input define(`U1', `%rcx') define(`U2', `%rax') define(`U3', `%r8') define(`F0', `%r9') define(`F1', `%r10') define(`F2', `%r11') define(`F3', `%rdx') C Overlap XP, used only in final carry folding C FOLD(x), sets (x,F2,F1,F0 ) <-- (x << 192) - (x << 160) + (x << 128) + (x << 32) define(`FOLD', ` mov $1, F0 mov $1, F1 mov $1, F2 shl `$'32, F0 shr `$'32, F1 sub F0, F2 sbb F1, $1 ') C FOLDC(x), sets (x,F2,F1,F0) <-- ((x+c) << 192) - (x << 160) + (x << 128) + (x << 32) define(`FOLDC', ` mov $1, F0 mov $1, F1 mov $1, F2 adc `$'0, $1 C May overflow, but final result will not. shl `$'32, F0 shr `$'32, F1 sub F0, F2 sbb F1, $1 ') PROLOGUE(_nettle_ecc_secp256r1_redc) W64_ENTRY(3, 0) mov (XP), U0 FOLD(U0) mov 8(XP), U1 mov 16(XP), U2 mov 24(XP), U3 add F0, U1 adc F1, U2 adc F2, U3 adc 32(XP), U0 FOLDC(U1) add F0, U2 adc F1, U3 adc F2, U0 adc 40(XP), U1 FOLDC(U2) add F0, U3 adc F1, U0 adc F2, U1 adc 48(XP), U2 FOLDC(U3) add F0, U0 adc F1, U1 adc F2, U2 adc 56(XP), U3 C Sum, including carry, is < 2^{256} + p. C If carry, we need to add in 2^{256} mod p = 2^{256} - p C = <0xfffffffe, 0xff..ff, 0xffffffff00000000, 1> C and this addition can not overflow. sbb F2, F2 mov F2, F0 mov F2, F1 mov XREG(F2), XREG(F3) neg F0 shl $32, F1 and $-2, XREG(F3) add F0, U0 mov U0, (RP) adc F1, U1 mov U1, 8(RP) adc F2, U2 mov U2, 16(RP) adc F3, U3 mov U3, 24(RP) W64_EXIT(3, 0) ret EPILOGUE(_nettle_ecc_secp256r1_redc) nettle-3.10/x86_64/serpent-encrypt.asm0000644000175000017500000003002714633602172016564 0ustar nissenisseC x86_64/serpent-encrypt.asm ifelse(` Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86_64/serpent.m4') C Register usage: C Single block serpent state, two copies define(`x0', `%eax') define(`x1', `%ebx') define(`x2', `%ebp') define(`x3', `%r8d') define(`y0', `%r9d') define(`y1', `%r10d') define(`y2', `%r11d') define(`y3', `%r12d') C Quadruple block serpent state, two copies define(`X0', `%xmm0') define(`X1', `%xmm1') define(`X2', `%xmm2') define(`X3', `%xmm3') define(`Y0', `%xmm4') define(`Y1', `%xmm5') define(`Y2', `%xmm6') define(`Y3', `%xmm7') define(`MINUS1', `%xmm8') define(`T0', `%xmm9') define(`T1', `%xmm10') define(`T2', `%xmm11') define(`T3', `%xmm12') C Arguments define(`CTX', `%rdi') define(`N', `%rsi') define(`DST', `%rdx') define(`SRC', `%rcx') define(`CNT', `%r13') define(`TMP32', `%r14d') C SBOX macros. Inputs $1 - $4 (destroyed), outputs $5 - $8 define(`SBOX0', ` mov $2, $8 C y3 = x1 ^ x2 xor $3, $8 mov $1, $5 C y0 = x0 | x3 or $4, $5 mov $1, $6 C y1 = x0 ^ x1 xor $2, $6 xor $5, $8 C y3 ^= y0 mov $3, $7 C y2 = x2 | y3 or $8, $7 xor $4, $1 C x0 ^= x3 and $4, $7 C y2 &= x3 xor $3, $4 C x3 ^= x2 or $2, $3 C x2 |= x1 mov $6, $5 C y0 = y1 & x2 and $3, $5 xor $5, $7 C y2 ^= y0 and $7, $5 C y0 &= y2 xor $3, $5 C y0 ^= x2 and $1, $2 C x1 &= x0 xor $1, $5 C y0 ^= x0 not $5 C y0 = ~y0 mov $5, $6 C y1 = y0 ^ x1 xor $2, $6 xor $4, $6 C y1 ^= x3 ') define(`SBOX1', ` mov $1, $6 C y1 = x0 | x3 or $4, $6 mov $3, $7 C y2 = x2 ^ x3 xor $4, $7 mov $2, $5 C y0 = ~x1 not $5 mov $1, $8 C y3 = x0 ^ x2 xor $3, $8 or $1, $5 C y0 |= x0 and $4, $8 C y3 &= x3 mov $6, $1 C x0 = y1 & y2 and $7, $1 or $2, $8 C y3 |= x1 xor $5, $7 C y2 ^= y0 xor $1, $8 C y3 ^= x0 mov $6, $1 C x0 = y1 ^ y3 xor $8, $1 xor $7, $1 C x0 ^= y2 mov $2, $6 C y1 = x1 & x3 and $4, $6 xor $1, $6 C y1 ^= x0 mov $6, $4 C x3 = y1 | y3 or $8, $4 not $8 C y3 = ~y3 and $4, $5 C y0 &= x3 xor $3, $5 C y0 ^= x2 ') define(`SBOX2', ` mov $1, $7 C y2 = x1 | x2 or $3, $7 mov $1, $6 xor $2, $6 mov $4, $8 xor $7, $8 mov $6, $5 xor $8, $5 or $1, $4 xor $5, $3 mov $2, $1 xor $3, $1 or $2, $3 and $7, $1 xor $3, $8 or $8, $6 xor $1, $6 mov $8, $7 xor $6, $7 xor $2, $7 not $8 xor $4, $7 ') define(`SBOX3', ` mov $1, $6 xor $3, $6 mov $1, $5 or $4, $5 mov $1, $8 and $4, $8 and $5, $6 or $2, $8 mov $1, $7 and $2, $7 or $3, $7 mov $4, $3 xor $6, $3 xor $8, $6 or $3, $1 xor $2, $3 and $4, $8 xor $8, $5 mov $7, $8 xor $3, $8 xor $5, $7 or $8, $4 and $4, $2 mov $1, $5 xor $2, $5 ') define(`SBOX4', ` mov $1, $8 or $2, $8 mov $2, $7 or $3, $7 xor $1, $7 and $4, $8 mov $2, $5 xor $4, $5 or $7, $4 and $4, $1 and $3, $2 xor $8, $3 xor $7, $8 or $2, $7 mov $8, $6 and $5, $6 xor $6, $7 xor $5, $6 or $2, $6 xor $1, $6 and $4, $5 xor $3, $5 not $5 ') define(`SBOX5', ` mov $2, $5 or $4, $5 xor $3, $5 mov $2, $3 xor $4, $3 mov $1, $7 xor $3, $7 and $3, $1 xor $1, $5 mov $2, $8 or $7, $8 or $5, $2 not $5 or $5, $1 xor $3, $8 xor $1, $8 mov $4, $6 or $5, $6 xor $6, $4 xor $7, $6 or $4, $7 xor $2, $7 ') define(`SBOX6', ` mov $1, $5 xor $4, $5 mov $1, $6 and $4, $6 mov $1, $7 or $3, $7 or $2, $4 xor $3, $4 xor $2, $1 mov $2, $8 or $3, $8 xor $2, $3 and $5, $8 xor $3, $6 not $6 and $6, $5 and $6, $2 xor $8, $2 xor $4, $8 xor $2, $7 not $7 xor $7, $5 xor $1, $5 ') define(`SBOX7', ` mov $1, $5 and $3, $5 mov $2, $8 or $5, $8 C t04 xor $3, $8 mov $4, $6 not $6 C t02 and $1, $6 xor $6, $8 mov $3, $6 or $8, $6 xor $1, $6 mov $1, $7 and $2, $7 xor $7, $3 or $4, $7 xor $7, $6 mov $2, $7 or $5, $7 C t04 and $8, $7 xor $6, $2 or $2, $7 xor $1, $7 xor $6, $5 not $4 C t02 or $4, $5 xor $3, $5 ') define(`LT', ` rol `$'13, $1 rol `$'3, $3 xor $1, $2 xor $3, $2 mov $1, TMP32 shl `$'3, TMP32 xor $3, $4 xor TMP32, $4 rol $2 rol `$'7, $4 xor $2, $1 xor $4, $1 mov $2, TMP32 shl `$'7, TMP32 xor $4, $3 xor TMP32, $3 rol `$'5, $1 rol `$'22, $3 ') C Parallel operation on four blocks at a time. C pnot instruction is missing. For lack of a spare register, XOR with C constant in memory. define(`PNOT', ` pxor MINUS1, $1 ') define(`WSBOX0', ` movdqa $2, $8 C y3 = x1 ^ x2 pxor $3, $8 movdqa $1, $5 C y0 = x0 | x3 por $4, $5 movdqa $1, $6 C y1 = x0 ^ x1 pxor $2, $6 pxor $5, $8 C y3 ^= y0 movdqa $3, $7 C y2 = x2 | y3 por $8, $7 pxor $4, $1 C x0 ^= x3 pand $4, $7 C y2 &= x3 pxor $3, $4 C x3 ^= x2 por $2, $3 C x2 |= x1 movdqa $6, $5 C y0 = y1 & x2 pand $3, $5 pxor $5, $7 C y2 ^= y0 pand $7, $5 C y0 &= y2 pxor $3, $5 C y0 ^= x2 pand $1, $2 C x1 &= x0 pxor $1, $5 C y0 ^= x0 PNOT($5) C y0 = ~y0 movdqa $5, $6 C y1 = y0 ^ x1 pxor $2, $6 pxor $4, $6 C y1 ^= x3 ') define(`WSBOX1', ` movdqa $1, $6 C y1 = x0 | x3 por $4, $6 movdqa $3, $7 C y2 = x2 ^ x3 pxor $4, $7 movdqa $2, $5 C y0 = ~x1 PNOT($5) movdqa $1, $8 C y3 = x0 ^ x2 pxor $3, $8 por $1, $5 C y0 |= x0 pand $4, $8 C y3 &= x3 movdqa $6, $1 C x0 = y1 & y2 pand $7, $1 por $2, $8 C y3 |= x1 pxor $5, $7 C y2 ^= y0 pxor $1, $8 C y3 ^= x0 movdqa $6, $1 C x0 = y1 ^ y3 pxor $8, $1 pxor $7, $1 C x0 ^= y2 movdqa $2, $6 C y1 = x1 & x3 pand $4, $6 pxor $1, $6 C y1 ^= x0 movdqa $6, $4 C x3 = y1 | y3 por $8, $4 PNOT($8) C y3 = ~y3 pand $4, $5 C y0 &= x3 pxor $3, $5 C y0 ^= x2 ') define(`WSBOX2', ` movdqa $1, $7 C y2 = x1 | x2 por $3, $7 movdqa $1, $6 pxor $2, $6 movdqa $4, $8 pxor $7, $8 movdqa $6, $5 pxor $8, $5 por $1, $4 pxor $5, $3 movdqa $2, $1 pxor $3, $1 por $2, $3 pand $7, $1 pxor $3, $8 por $8, $6 pxor $1, $6 movdqa $8, $7 pxor $6, $7 pxor $2, $7 PNOT($8) pxor $4, $7 ') define(`WSBOX3', ` movdqa $1, $6 pxor $3, $6 movdqa $1, $5 por $4, $5 movdqa $1, $8 pand $4, $8 pand $5, $6 por $2, $8 movdqa $1, $7 pand $2, $7 por $3, $7 movdqa $4, $3 pxor $6, $3 pxor $8, $6 por $3, $1 pxor $2, $3 pand $4, $8 pxor $8, $5 movdqa $7, $8 pxor $3, $8 pxor $5, $7 por $8, $4 pand $4, $2 movdqa $1, $5 pxor $2, $5 ') define(`WSBOX4', ` movdqa $1, $8 por $2, $8 movdqa $2, $7 por $3, $7 pxor $1, $7 pand $4, $8 movdqa $2, $5 pxor $4, $5 por $7, $4 pand $4, $1 pand $3, $2 pxor $8, $3 pxor $7, $8 por $2, $7 movdqa $8, $6 pand $5, $6 pxor $6, $7 pxor $5, $6 por $2, $6 pxor $1, $6 pand $4, $5 pxor $3, $5 PNOT($5) ') define(`WSBOX5', ` movdqa $2, $5 por $4, $5 pxor $3, $5 movdqa $2, $3 pxor $4, $3 movdqa $1, $7 pxor $3, $7 pand $3, $1 pxor $1, $5 movdqa $2, $8 por $7, $8 por $5, $2 PNOT($5) por $5, $1 pxor $3, $8 pxor $1, $8 movdqa $4, $6 por $5, $6 pxor $6, $4 pxor $7, $6 por $4, $7 pxor $2, $7 ') define(`WSBOX6', ` movdqa $1, $5 pxor $4, $5 movdqa $1, $6 pand $4, $6 movdqa $1, $7 por $3, $7 por $2, $4 pxor $3, $4 pxor $2, $1 movdqa $2, $8 por $3, $8 pxor $2, $3 pand $5, $8 pxor $3, $6 PNOT($6) pand $6, $5 pand $6, $2 pxor $8, $2 pxor $4, $8 pxor $2, $7 PNOT($7) pxor $7, $5 pxor $1, $5 ') define(`WSBOX7', ` movdqa $1, $5 pand $3, $5 movdqa $2, $8 por $5, $8 C t04 pxor $3, $8 movdqa $4, $6 pandn $1, $6 C t02 implicit pxor $6, $8 movdqa $3, $6 por $8, $6 pxor $1, $6 movdqa $1, $7 pand $2, $7 pxor $7, $3 por $4, $7 pxor $7, $6 movdqa $2, $7 por $5, $7 C t04 pand $8, $7 pxor $6, $2 por $2, $7 pxor $1, $7 pxor $6, $5 PNOT($4) C t02 por $4, $5 pxor $3, $5 ') C WLT(x0, x1, x2, x3) define(`WLT', ` WROL(13, $1) WROL(3, $3) pxor $1, $2 pxor $3, $2 movdqa $1, T0 pslld `$'3, T0 pxor $3, $4 pxor T0, $4 WROL(1, $2) WROL(7, $4) pxor $2, $1 pxor $4, $1 movdqa $2, T0 pslld `$'7, T0 pxor $4, $3 pxor T0, $3 WROL(5, $1) WROL(22, $3) ') .file "serpent-encrypt.asm" C serpent_encrypt(struct serpent_context *ctx, C size_t length, uint8_t *dst, C const uint8_t *src) .text ALIGN(16) PROLOGUE(nettle_serpent_encrypt) C save all registers that need to be saved W64_ENTRY(4, 13) push %rbx push %rbp push %r12 push %r13 push %r14 lea (SRC, N), SRC lea (DST, N), DST neg N jz .Lend C Point at the final subkey. lea 512(CTX), CTX cmp $-64, N ja .Lblock_loop pcmpeqd MINUS1, MINUS1 .Lwblock_loop: movups (SRC, N), X0 movups 16(SRC, N), X1 movups 32(SRC, N), X2 movups 48(SRC, N), X3 WTRANSPOSE(X0, X1, X2, X3) mov $-512, CNT jmp .Lwround_start ALIGN(16) .Lwround_loop: WLT(X0,X1,X2,X3) .Lwround_start: WKEYXOR(, X0,X1,X2,X3) WSBOX0(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(16, Y0,Y1,Y2,Y3) WSBOX1(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WLT(X0,X1,X2,X3) WKEYXOR(32, X0,X1,X2,X3) WSBOX2(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(48, Y0,Y1,Y2,Y3) WSBOX3(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WLT(X0,X1,X2,X3) WKEYXOR(64, X0,X1,X2,X3) WSBOX4(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(80, Y0,Y1,Y2,Y3) WSBOX5(Y0,Y1,Y2,Y3, X0,X1,X2,X3) WLT(X0,X1,X2,X3) WKEYXOR(96, X0,X1,X2,X3) WSBOX6(X0,X1,X2,X3, Y0,Y1,Y2,Y3) WLT(Y0,Y1,Y2,Y3) WKEYXOR(112, Y0,Y1,Y2,Y3) WSBOX7(Y0,Y1,Y2,Y3, X0,X1,X2,X3) add $128, CNT jnz .Lwround_loop C FIXME: CNT known to be zero, no index register needed WKEYXOR(, X0,X1,X2,X3) WTRANSPOSE(X0,X1,X2,X3) movups X0, (DST, N) movups X1, 16(DST, N) movups X2, 32(DST, N) movups X3, 48(DST, N) C FIXME: Adjust N, so we can use just jnc without an extra cmp. add $64, N jz .Lend cmp $-64, N jbe .Lwblock_loop C The single-block loop here is slightly slower than the double-block C loop in serpent-encrypt.c. C FIXME: Should use non-sse2 code only if we have a single block left. C With two or three blocks, it should be better to do them in C parallell. .Lblock_loop: movl (SRC, N), x0 movl 4(SRC, N), x1 movl 8(SRC, N), x2 movl 12(SRC, N), x3 mov $-512, CNT jmp .Lround_start ALIGN(16) .Lround_loop: LT(x0,x1,x2,x3) .Lround_start: xor (CTX, CNT), x0 xor 4(CTX, CNT), x1 xor 8(CTX, CNT), x2 xor 12(CTX, CNT), x3 SBOX0(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 16(CTX, CNT), y0 xor 20(CTX, CNT), y1 xor 24(CTX, CNT), y2 xor 28(CTX, CNT), y3 SBOX1(y0,y1,y2,y3, x0,x1,x2,x3) LT(x0,x1,x2,x3) xor 32(CTX, CNT), x0 xor 36(CTX, CNT), x1 xor 40(CTX, CNT), x2 xor 44(CTX, CNT), x3 SBOX2(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 48(CTX, CNT), y0 xor 52(CTX, CNT), y1 xor 56(CTX, CNT), y2 xor 60(CTX, CNT), y3 SBOX3(y0,y1,y2,y3, x0,x1,x2,x3) LT(x0,x1,x2,x3) xor 64(CTX, CNT), x0 xor 68(CTX, CNT), x1 xor 72(CTX, CNT), x2 xor 76(CTX, CNT), x3 SBOX4(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 80(CTX, CNT), y0 xor 84(CTX, CNT), y1 xor 88(CTX, CNT), y2 xor 92(CTX, CNT), y3 SBOX5(y0,y1,y2,y3, x0,x1,x2,x3) LT(x0,x1,x2,x3) xor 96(CTX, CNT), x0 xor 100(CTX, CNT), x1 xor 104(CTX, CNT), x2 xor 108(CTX, CNT), x3 SBOX6(x0,x1,x2,x3, y0,y1,y2,y3) LT(y0,y1,y2,y3) xor 112(CTX, CNT), y0 xor 116(CTX, CNT), y1 xor 120(CTX, CNT), y2 xor 124(CTX, CNT), y3 SBOX7(y0,y1,y2,y3, x0,x1,x2,x3) add $128, CNT jnz .Lround_loop C Apply final subkey. xor (CTX, CNT), x0 xor 4(CTX, CNT), x1 xor 8(CTX, CNT), x2 xor 12(CTX, CNT), x3 movl x0, (DST, N) movl x1, 4(DST, N) movl x2, 8(DST, N) movl x3, 12(DST, N) add $16, N jnc .Lblock_loop .Lend: pop %r14 pop %r13 pop %r12 pop %rbp pop %rbx W64_EXIT(4, 13) ret EPILOGUE(nettle_serpent_encrypt) nettle-3.10/camellia-absorb.c0000644000175000017500000001002214633602171015133 0ustar nissenisse/* camellia-absorb.c Final key setup processing for the camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif /* For CHAR_BIT, needed by HAVE_NATIVE_64_BIT */ #include #include "camellia-internal.h" #include "macros.h" void _nettle_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey) { uint64_t kw2, kw4; uint32_t dw, tl, tr; unsigned i; /* At this point, the subkey array contains the subkeys as described in the spec, 26 for short keys and 34 for large keys. */ /* absorb kw2 to other subkeys */ kw2 = subkey[1]; subkey[3] ^= kw2; subkey[5] ^= kw2; subkey[7] ^= kw2; for (i = 8; i < nkeys; i += 8) { /* FIXME: gcc for x86_32 is smart enough to fetch the 32 low bits and xor the result into the 32 high bits, but it still generates worse code than for explicit 32-bit operations. */ kw2 ^= (kw2 & ~subkey[i+1]) << 32; dw = (kw2 & subkey[i+1]) >> 32; kw2 ^= ROTL32(1, dw); subkey[i+3] ^= kw2; subkey[i+5] ^= kw2; subkey[i+7] ^= kw2; } subkey[i] ^= kw2; /* absorb kw4 to other subkeys */ kw4 = subkey[nkeys + 1]; for (i = nkeys - 8; i > 0; i -= 8) { subkey[i+6] ^= kw4; subkey[i+4] ^= kw4; subkey[i+2] ^= kw4; kw4 ^= (kw4 & ~subkey[i]) << 32; dw = (kw4 & subkey[i]) >> 32; kw4 ^= ROTL32(1, dw); } subkey[6] ^= kw4; subkey[4] ^= kw4; subkey[2] ^= kw4; subkey[0] ^= kw4; /* key XOR is end of F-function */ dst[0] = subkey[0] ^ subkey[2]; dst[1] = subkey[3]; dst[2] = subkey[2] ^ subkey[4]; dst[3] = subkey[3] ^ subkey[5]; dst[4] = subkey[4] ^ subkey[6]; dst[5] = subkey[5] ^ subkey[7]; for (i = 8; i < nkeys; i += 8) { tl = (subkey[i+2] >> 32) ^ (subkey[i+2] & ~subkey[i]); dw = tl & (subkey[i] >> 32); tr = subkey[i+2] ^ ROTL32(1, dw); dst[i-2] = subkey[i-2] ^ ( ((uint64_t) tl << 32) | tr); dst[i-1] = subkey[i]; dst[i] = subkey[i+1]; tl = (subkey[i-1] >> 32) ^ (subkey[i-1] & ~subkey[i+1]); dw = tl & (subkey[i+1] >> 32); tr = subkey[i-1] ^ ROTL32(1, dw); dst[i+1] = subkey[i+3] ^ ( ((uint64_t) tl << 32) | tr); dst[i+2] = subkey[i+2] ^ subkey[i+4]; dst[i+3] = subkey[i+3] ^ subkey[i+5]; dst[i+4] = subkey[i+4] ^ subkey[i+6]; dst[i+5] = subkey[i+5] ^ subkey[i+7]; } dst[i-2] = subkey[i-2]; dst[i-1] = subkey[i] ^ subkey[i-1]; #if !HAVE_NATIVE_64_BIT for (i = 0; i < nkeys; i += 8) { /* apply the inverse of the last half of F-function */ CAMELLIA_F_HALF_INV(dst[i+1]); CAMELLIA_F_HALF_INV(dst[i+2]); CAMELLIA_F_HALF_INV(dst[i+3]); CAMELLIA_F_HALF_INV(dst[i+4]); CAMELLIA_F_HALF_INV(dst[i+5]); CAMELLIA_F_HALF_INV(dst[i+6]); } #endif } nettle-3.10/nettle.html0000644000175000017500000254277614633602172014170 0ustar nissenisse Nettle: a low-level cryptographic library

Nettle: a low-level cryptographic library

Next:   [Contents][Index]

Nettle

This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application.

This manual is for the Nettle library (version 3.9), a low-level cryptographic library.

Originally written 2001 by Niels Möller, updated 2023.

This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required.

Table of Contents

Next: , Previous: , Up: Nettle   [Contents][Index]

1 Introduction

Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement.

And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around.

Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a simple but general interface to it. In particular, Nettle doesn’t do algorithm selection. It doesn’t do memory allocation. It doesn’t do any I/O.

The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library.

This manual explains how to use the Nettle library. It also tries to provide some background on the cryptography, and advice on how to best put it to use.

Next: , Previous: , Up: Nettle   [Contents][Index]

3 Conventions

For each supported algorithm, there is an include file that defines a context struct, a few constants, and declares functions for operating on the context. The context struct encapsulates all information needed by the algorithm, and it can be copied or moved in memory with no unexpected effects.

For consistency, functions for different algorithms are very similar, but there are some differences, for instance reflecting if the key setup or encryption function differ for encryption and decryption, and whether or not key setup can fail. There are also differences between algorithms that don’t show in function prototypes, but which the application must nevertheless be aware of. There is no big difference between the functions for stream ciphers and for block ciphers, although they should be used quite differently by the application.

If your application uses more than one algorithm of the same type, you should probably create an interface that is tailor-made for your needs, and then write a few lines of glue code on top of Nettle.

By convention, for an algorithm named foo, the struct tag for the context struct is foo_ctx, constants and functions uses prefixes like FOO_BLOCK_SIZE (a constant) and foo_set_key (a function).

In all functions, strings are represented with an explicit length, of type size_t, and a pointer of type uint8_t * or const uint8_t *. For functions that transform one string to another, the argument order is length, destination pointer and source pointer. Source and destination areas are usually of the same length. When they differ, e.g., for ccm_encrypt_message, the length argument specifies the size of the destination area. Source and destination pointers may be equal, so that you can process strings in place, but source and destination areas must not overlap in any other way.

Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure.

Next: , Previous: , Up: Nettle   [Contents][Index]

4 Example

A simple example program that reads a file from standard input and writes its SHA1 check-sum on standard output should give the flavor of Nettle. 

#include <stdio.h>
#include <stdlib.h>

#include <nettle/sha1.h>

#define BUF_SIZE 1000

static void
display_hex(unsigned length, uint8_t *data)
{
  unsigned i;

  for (i = 0; i<length; i++)
    printf("%02x ", data[i]);

  printf("\n");
}

int
main(int argc, char **argv)
{
  struct sha1_ctx ctx;
  uint8_t buffer[BUF_SIZE];
  uint8_t digest[SHA1_DIGEST_SIZE];
  
  sha1_init(&ctx);
  for (;;)
  {
    int done = fread(buffer, 1, sizeof(buffer), stdin);
    sha1_update(&ctx, done, buffer);
    if (done < sizeof(buffer))
      break;
  }
  if (ferror(stdin))
    return EXIT_FAILURE;

  sha1_digest(&ctx, SHA1_DIGEST_SIZE, digest);

  display_hex(SHA1_DIGEST_SIZE, digest);
  return EXIT_SUCCESS;  
}

On a typical Unix system, this program can be compiled and linked with the command line 

gcc sha-example.c -o sha-example -lnettle

Next: , Previous: , Up: Nettle   [Contents][Index]

5 Linking

Nettle actually consists of two libraries, libnettle and libhogweed. The libhogweed library contains those functions of Nettle that uses bignum operations, and depends on the GMP library. With this division, linking works the same for both static and dynamic libraries.

If an application uses only the symmetric crypto algorithms of Nettle (i.e., block ciphers, hash functions, and the like), it’s sufficient to link with -lnettle. If an application also uses public-key algorithms, the recommended linker flags are -lhogweed -lnettle -lgmp. If the involved libraries are installed as dynamic libraries, it may be sufficient to link with just -lhogweed, and the loader will resolve the dependencies automatically.

Next: , Previous: , Up: Nettle   [Contents][Index]

6 Compatibility

When you write a program using the Nettle library, it’s desirable to have it work together not only with exactly the same version of Nettle you had at hand, but with other current and future versions. If a different version of Nettle is used at compile time, i.e., you recompile it using the header and library files belonging to a different version, we talk about API compatibility (for Application Programming Interface). If a different version of Nettle isn’t used until link time, we talk about ABI compatibility (Application Binary Interface) or binary compatibility. ABI compatibility matters mainly when using dynamic linking with a shared library. E.g., a user has an executable linking at run-time with libnettle.so, and then updates to a later version of the shared library, without updating or recompiling the executable.

Nettle aims to provide backwards compatibility, i.e., a program written for a particular version of the Nettle library should usually work fine with later version of the library. Note that the opposite is not supported: The program should not be expected to work with older versions of the Nettle library; and ABI breakage can be unobvious. E.g, the later version may define a new library symbol, and let header files redefine an old API name as an alias for the new symbol. If the later version ensures that the old symbol is still defined in the library, this change is backwards compatible: A program compiled using headers from the older version can be successfully linked with either version of the library. But if you compile the same program using headers from the later version of the library, and attempt to link with the older version, you’ll get an undefined reference to the new symbol.

API compatibility is rarely broken; exceptions are noted in the NEWS file. For example, the key size argument to the function cast128_set_key was dropped in the Nettle-3.0 release, and all programs using that function had to be updated to work with the new version.

ABI compatibility is broken occasionally. This is also noted in the NEWS file, and the name of the shared library is updated to prevent accidental run-time linking with the wrong version. All programs have to be recompiled before they can link with the new version. Since names are different, multiple versions can be installed on the same system, with a mix of programs linking to one version or the other.

Under some circumstances, it is possible to have a single program linking dynamically with two binary incompatible versions of the Nettle library, thanks to the use of symbol versioning. Consider a program calling functions in both Nettle and GnuTLS. For the direct dependency on Nettle, the program is linked with a particular version of the Nettle shared library. GnuTLS uses Nettle internally, but does not expose any Nettle data structures or the like in its own ABI. In this situation, the GnuTLS shared library may link with a different version of the Nettle library. Then both versions of the Nettle library will be loaded into the program’s address space, and each reference to a symbol will be resolved to the correct version.

Finally, some of Nettle’s symbols are internal. They carry a leading underscore, and are not declared in installed header files. They can be used for local or experimental purposes, but programs referring directly to those symbols get neither API nor ABI compatibility, not even between minor versions.

Next: , Previous: , Up: Nettle   [Contents][Index]

7 Reference

This chapter describes all the Nettle functions, grouped by family.

Next: , Up: Reference   [Contents][Index]

7.1 Hash functions

A cryptographic hash function is a function that takes variable size strings, and maps them to strings of fixed, short, length. There are naturally lots of collisions, as there are more possible 1MB files than 20 byte strings. But the function is constructed such that is hard to find the collisions. More precisely, a cryptographic hash function H should have the following properties:

One-way

Given a hash value H(x) it is hard to find a string x that hashes to that value.

Collision-resistant

It is hard to find two different strings, x and y, such that H(x) = H(y).

Hash functions are useful as building blocks for digital signatures, message authentication codes, pseudo random generators, association of unique ids to documents, and many other things.

The most commonly used hash functions are MD5 and SHA1. Unfortunately, both these fail the collision-resistance requirement; cryptologists have found ways to construct colliding inputs. The recommended hash functions for new applications are SHA2 (with main variants SHA256 and SHA512). At the time of this writing (Autumn 2015), SHA3 has recently been standardized, and the new SHA3 and other top SHA3 candidates may also be reasonable alternatives.

Next: , Previous: , Up: Hash functions   [Contents][Index]

7.1.2 Miscellaneous hash functions

7.1.2.1 STREEBOG512

STREEBOG512 is a member of the Streebog (GOST R 34.11-2012) family. It outputs hash values of 512 bits, or 64 octets. Nettle defines STREEBOG512 in <nettle/streebog.h>.

Context struct: struct streebog512_ctx
Constant: STREEBOG512_DIGEST_SIZE

The size of a STREEBOG512 digest, i.e. 64.

Constant: STREEBOG512_BLOCK_SIZE

The internal block size of STREEBOG512. Useful for some special constructions, in particular HMAC-STREEBOG512.

Function: void streebog512_init (struct streebog512_ctx *ctx)

Initialize the STREEBOG512 state.

Function: void streebog512_update (struct streebog512_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void streebog512_digest (struct streebog512_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than STREEBOG512_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as streebog512_init.

7.1.2.2 STREEBOG256

STREEBOG256 is a variant of STREEBOG512, with a different initial state, and with the output truncated to 256 bits, or 32 octets. Nettle defines STREEBOG256 in <nettle/streebog.h>.

Context struct: struct streebog256_ctx
Constant: STREEBOG256_DIGEST_SIZE

The size of a STREEBOG256 digest, i.e. 32.

Constant: STREEBOG256_BLOCK_SIZE

The internal block size of STREEBOG256. Useful for some special constructions, in particular HMAC-STREEBOG256.

Function: void streebog256_init (struct streebog256_ctx *ctx)

Initialize the STREEBOG256 state.

Function: void streebog256_update (struct streebog256_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void streebog256_digest (struct streebog256_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than STREEBOG256_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as streebog256_init.

7.1.2.3 SM3

SM3 is a cryptographic hash function standard adopted by the government of the People’s Republic of China, which was issued by the Cryptography Standardization Technical Committee of China on December 17, 2010. The corresponding standard is GM/T 0004-2012 "SM3 Cryptographic Hash Algorithm".

SM3 algorithm is a hash algorithm in ShangMi cryptosystems. SM3 is mainly used for digital signature and verification, message authentication code generation and verification, random number generation, and the RFC 8998 specification defines the usage of ShangMi algorithm suite in TLS 1.3, etc. According to the State Cryptography Administration of China, its security and efficiency are equivalent to SHA-256.

Nettle defines SM3 in <nettle/sm3.h>.

Context struct: struct sm3_ctx
Constant: SM3_DIGEST_SIZE

The size of a SM3 digest, i.e. 32.

Constant: SM3_BLOCK_SIZE

The internal block size of SM3. Useful for some special constructions, in particular HMAC-SM3.

Function: void sm3_init (struct sm3_ctx *ctx)

Initialize the SM3 state.

Function: void sm3_update (struct sm3_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sm3_digest (struct sm3_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SM3_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as sm3_init.

Next: , Previous: , Up: Hash functions   [Contents][Index]

7.1.3 Legacy hash functions

The hash functions in this section all have some known weaknesses, and should be avoided for new applications. These hash functions are mainly useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even HMAC-MD5. In some important cases, use of a “legacy” hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model.

7.1.3.1 MD5

MD5 is a message digest function constructed by Ronald Rivest, and described in RFC 1321. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD5 in <nettle/md5.h>.

Context struct: struct md5_ctx
Constant: MD5_DIGEST_SIZE

The size of an MD5 digest, i.e. 16.

Constant: MD5_BLOCK_SIZE

The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5.

Function: void md5_init (struct md5_ctx *ctx)

Initialize the MD5 state.

Function: void md5_update (struct md5_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void md5_digest (struct md5_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than MD5_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as md5_init.

Function: void md5_compress (const uint32_t *state, uint8_t *input)

Perform a raw MD5 compress on MD5_BLOCK_SIZE bytes from input using state as IV (an array of 4 uint32_t). The output is stored in state. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard MD5).

The normal way to use MD5 is to call the functions in order: First md5_init, then md5_update zero or more times, and finally md5_digest. After md5_digest, the context is reset to its initial state, so you can start over calling md5_update to hash new data.

To start over, you can call md5_init at any time.

7.1.3.2 MD2

MD2 is another hash function of Ronald Rivest’s, described in RFC 1319. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD2 in <nettle/md2.h>.

Context struct: struct md2_ctx
Constant: MD2_DIGEST_SIZE

The size of an MD2 digest, i.e. 16.

Constant: MD2_BLOCK_SIZE

The internal block size of MD2.

Function: void md2_init (struct md2_ctx *ctx)

Initialize the MD2 state.

Function: void md2_update (struct md2_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void md2_digest (struct md2_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than MD2_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as md2_init.

7.1.3.3 MD4

MD4 is a predecessor of MD5, described in RFC 1320. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD4 in <nettle/md4.h>. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols.

Context struct: struct md4_ctx
Constant: MD4_DIGEST_SIZE

The size of an MD4 digest, i.e. 16.

Constant: MD4_BLOCK_SIZE

The internal block size of MD4.

Function: void md4_init (struct md4_ctx *ctx)

Initialize the MD4 state.

Function: void md4_update (struct md4_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void md4_digest (struct md4_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than MD4_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as md4_init.

7.1.3.4 RIPEMD160

RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined RIPEMD160 in nettle/ripemd160.h.

Context struct: struct ripemd160_ctx
Constant: RIPEMD160_DIGEST_SIZE

The size of a RIPEMD160 digest, i.e. 20.

Constant: RIPEMD160_BLOCK_SIZE

The internal block size of RIPEMD160.

Function: void ripemd160_init (struct ripemd160_ctx *ctx)

Initialize the RIPEMD160 state.

Function: void ripemd160_update (struct ripemd160_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void ripemd160_digest (struct ripemd160_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than RIPEMD160_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as ripemd160_init.

7.1.3.5 SHA1

SHA1 is a hash function specified by NIST (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets. Nettle defines SHA1 in <nettle/sha1.h> (and in <nettle/sha.h>, for backwards compatibility).

Context struct: struct sha1_ctx
Constant: SHA1_DIGEST_SIZE

The size of a SHA1 digest, i.e. 20.

Constant: SHA1_BLOCK_SIZE

The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1.

Function: void sha1_init (struct sha1_ctx *ctx)

Initialize the SHA1 state.

Function: void sha1_update (struct sha1_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void sha1_digest (struct sha1_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than SHA1_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as sha1_init.

Function: void sha1_compress (const uint32_t *state, uint8_t *input)

Perform a raw SHA1 compress on SHA1_BLOCK_SIZE bytes from input using state as IV (an array of 5 uint32_t). The output is stored in state. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA1).

7.1.3.6 GOSTHASH94 and GOSTHASH94CP

The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see RFC 4357). It outputs message digests of 256 bits, or 32 octets. The standard itself does not fix the S-box used by the hash algorith, so there are two popular variants (the testing S-box from the standard itself and the S-box defined by CryptoPro company, see RFC 4357). Nettle provides support for the former S-box in the form of GOSTHASH94 hash algorithm and for the latter in the form of GOSTHASH94CP hash algorithm. Nettle defines GOSTHASH94 and GOSTHASH94CP in <nettle/gosthash94.h>.

Context struct: struct gosthash94_ctx
Constant: GOSTHASH94_DIGEST_SIZE

The size of a GOSTHASH94 digest, i.e. 32.

Constant: GOSTHASH94_BLOCK_SIZE

The internal block size of GOSTHASH94, i.e., 32.

Function: void gosthash94_init (struct gosthash94_ctx *ctx)

Initialize the GOSTHASH94 state.

Function: void gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void gosthash94_digest (struct gosthash94_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than GOSTHASH94_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as gosthash94_init.

Context struct: struct gosthash94cp_ctx
Constant: GOSTHASH94CP_DIGEST_SIZE

The size of a GOSTHASH94CP digest, i.e. 32.

Constant: GOSTHASH94CP_BLOCK_SIZE

The internal block size of GOSTHASH94CP, i.e., 32.

Function: void gosthash94cp_init (struct gosthash94cp_ctx *ctx)

Initialize the GOSTHASH94CP state.

Function: void gosthash94cp_update (struct gosthash94cp_ctx *ctx, size_t length, const uint8_t *data)

Hash some more data.

Function: void gosthash94cp_digest (struct gosthash94cp_ctx *ctx, size_t length, uint8_t *digest)

Performs final processing and extracts the message digest, writing it to digest. length may be smaller than GOSTHASH94CP_DIGEST_SIZE, in which case only the first length octets of the digest are written.

This function also resets the context in the same way as gosthash94cp_init.

Previous: , Up: Hash functions   [Contents][Index]

7.1.4 The struct nettle_hash abstraction

Nettle includes a struct including information about the supported hash functions. It is defined in <nettle/nettle-meta.h>, and is used by Nettle’s implementation of HMAC (see Keyed Hash Functions).

Meta struct: struct nettle_hash name context_size digest_size block_size init update digest

The last three attributes are function pointers, of types nettle_hash_init_func *, nettle_hash_update_func *, and nettle_hash_digest_func *. The first argument to these functions is void * pointer to a context struct, which is of size context_size.

Constant Struct: struct nettle_hash nettle_md2
Constant Struct: struct nettle_hash nettle_md4
Constant Struct: struct nettle_hash nettle_md5
Constant Struct: struct nettle_hash nettle_ripemd160
Constant Struct: struct nettle_hash nettle_sha1
Constant Struct: struct nettle_hash nettle_sha224
Constant Struct: struct nettle_hash nettle_sha256
Constant Struct: struct nettle_hash nettle_sha384
Constant Struct: struct nettle_hash nettle_sha512
Constant Struct: struct nettle_hash nettle_sha3_256
Constant Struct: struct nettle_hash nettle_gosthash94
Constant Struct: struct nettle_hash nettle_gosthash94cp
Constant Struct: struct nettle_hash nettle_sm3

These are all the hash functions that Nettle implements.

Nettle also exports a list of all these hashes.

Function: const struct nettle_hash ** nettle_get_hashes (void)

Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms.

Macro: nettle_hashes

A macro expanding to a call to nettle_get_hashes, so that one could write, e.g., nettle_hashes[0]->name for the name of the first hash function on the list. In earlier versions, this was not a macro but the actual array of pointers. However, referring directly to the array makes the array size leak into the ABI in some cases.

Next: , Previous: , Up: Reference   [Contents][Index]

7.2 Cipher functions

A cipher is a function that takes a message or plaintext and a secret key and transforms it to a ciphertext. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key.

There are two main classes of ciphers: Block ciphers and stream ciphers.

A block cipher can process data only in fixed size chunks, called blocks. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That mode of operation is called ECB, Electronic Code Book mode. However, using ECB is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the cipher is some “feedback mode”, CBC (Cipher Block Chaining) and CTR (Counter mode) being two of of the most popular. See See Cipher modes, for information on how to apply CBC and CTR with Nettle.

A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of n octets, you key the generator, generate n octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered.

Caution: The first rule for this kind of cipher is the same as for a One Time Pad: never ever use the same key twice.

A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was your friend that wrote the message you’re reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of the blocks. Even if the attacker can’t decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in CBC mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message.

It is recommended to always use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like HMAC-SHA1 (see Keyed Hash Functions), or digital signatures like RSA.

Some ciphers have so called “weak keys”, keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that have weak keys. There are several good ciphers that don’t have any weak keys.

To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known as key setup. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption.

Next: , Up: Cipher functions   [Contents][Index]

7.2.1 AES

AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen.

Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in <nettle/aes.h>, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, struct aes_ctx, for all key sizes. This interface kept for backwards compatibility).

Context struct: struct aes128_ctx
Context struct: struct aes192_ctx
Context struct: struct aes256_ctx
Context struct: struct aes_ctx

Alternative struct, for the old AES interface.

Constant: AES_BLOCK_SIZE

The AES block-size, 16.

Constant: AES128_KEY_SIZE
Constant: AES192_KEY_SIZE
Constant: AES256_KEY_SIZE
Constant: AES_MIN_KEY_SIZE
Constant: AES_MAX_KEY_SIZE
Constant: AES_KEY_SIZE

Default AES key size, 32.

Function: void aes128_set_encrypt_key (struct aes128_ctx *ctx, const uint8_t *key)
Function: void aes128_set_decrypt_key (struct aes128_ctx *ctx, const uint8_t *key)
Function: void aes192_set_encrypt_key (struct aes192_ctx *ctx, const uint8_t *key)
Function: void aes192_set_decrypt_key (struct aes192_ctx *ctx, const uint8_t *key)
Function: void aes256_set_encrypt_key (struct aes256_ctx *ctx, const uint8_t *key)
Function: void aes256_set_decrypt_key (struct aes256_ctx *ctx, const uint8_t *key)
Function: void aes_set_encrypt_key (struct aes_ctx *ctx, size_t length, const uint8_t *key)
Function: void aes_set_decrypt_key (struct aes_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher, for encryption or decryption, respectively.

Function: void aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src)
Function: void aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src)
Function: void aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src)
Function: void aes_invert_key (struct aes_ctx *dst, const struct aes_ctx *src)

Given a context src initialized for encryption, initializes the context struct dst for decryption, using the same key. If the same context struct is passed for both src and dst, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the same key, because calling, e.g., aes128_set_encrypt_key and aes128_invert_key, is more efficient than calling aes128_set_encrypt_key and aes128_set_decrypt_key.

Function: void aes128_encrypt (struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes192_encrypt (struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes256_encrypt (struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes_encrypt (struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void aes128_decrypt (struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes192_decrypt (struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes256_decrypt (struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void aes_decrypt (struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to the encryption functions above.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.2 Arcfour

ARCFOUR is a historic stream cipher, also known under the trade marked name RC4, and was a widely used fast stream cipher.

We do not recommend the use of ARCFOUR; the Nettle implementation is provided primarily for interoperability with existing applications and standards.

One problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like “secret:1”, “secret:2”, .... If you have keys that don’t look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR.

Another problem is that the output is distinguishable from random data, and that the initial bytes of the generated key stream leak information about the key; for this reason, it was sometimes recommended to discard the first 512, 768 or 1024 bytes of the key stream. 

/* A more robust key setup function for ARCFOUR */
void
arcfour_set_key_hashed(struct arcfour_ctx *ctx,
                       size_t length, const uint8_t *key)
{
  struct sha256_ctx hash;
  uint8_t digest[SHA256_DIGEST_SIZE];
  uint8_t buffer[0x200];

  sha256_init(&hash);
  sha256_update(&hash, length, key);
  sha256_digest(&hash, SHA256_DIGEST_SIZE, digest);

  arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest);
  arcfour_crypt(ctx, sizeof(buffer), buffer, buffer);
}

Nettle defines ARCFOUR in <nettle/arcfour.h>.

Context struct: struct arcfour_ctx
Constant: ARCFOUR_MIN_KEY_SIZE

Minimum key size, 1.

Constant: ARCFOUR_MAX_KEY_SIZE

Maximum key size, 256.

Constant: ARCFOUR_KEY_SIZE

Default ARCFOUR key size, 16.

Function: void arcfour_set_key (struct arcfour_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void arcfour_crypt (struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called arcfour_crypt only once with all the data.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.3 Arctwo

ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to sci.crypt by Peter Gutmann.

ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second parameter to key setup, the number of effective key bits, ekb. This parameter can be used to artificially reduce the key size. In practice, ekb is usually set equal to the input key size. Nettle defines ARCTWO in <nettle/arctwo.h>.

We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards.

Context struct: struct arctwo_ctx
Constant: ARCTWO_BLOCK_SIZE

The ARCTWO block-size, 8.

Constant: ARCTWO_MIN_KEY_SIZE
Constant: ARCTWO_MAX_KEY_SIZE
Constant: ARCTWO_KEY_SIZE

Default ARCTWO key size, 8.

Function: void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t *key, unsigned ekb)
Function: void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key)
Function: void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for ekb is 1024, and for convenience, ekb = 0 has the same effect as ekb = 1024.

arctwo_set_key(ctx, length, key) is equivalent to arctwo_set_key_ekb(ctx, length, key, 8*length), and arctwo_set_key_gutmann(ctx, length, key) is equivalent to arctwo_set_key_ekb(ctx, length, key, 1024)

Function: void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to arctwo_encrypt

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.4 Blowfish

BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys. Nettle defines BLOWFISH in <nettle/blowfish.h>.

Context struct: struct blowfish_ctx
Constant: BLOWFISH_BLOCK_SIZE

The BLOWFISH block-size, 8.

Constant: BLOWFISH_MIN_KEY_SIZE

Minimum BLOWFISH key size, 8.

Constant: BLOWFISH_MAX_KEY_SIZE

Maximum BLOWFISH key size, 56.

Constant: BLOWFISH_KEY_SIZE

Default BLOWFISH key size, 16.

Function: int blowfish_set_key (struct blowfish_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value.

blowfish_encrypt or blowfish_decrypt with a weak key will crash with an assert violation.

Function: void blowfish_encrypt (struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void blowfish_decrypt (struct blowfish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to blowfish_encrypt

Function: int blowfish_bcrypt_hash (char *dst, size_t lenkey, const char *key, size_t lenscheme, const char *scheme, int log2rounds, const uint8_t *salt)

Compute the bcrypt password hash. The function will return 0 if the hash cannot be computed due to invalid input. The function will return 1 and store the computed hash in the array pointed to by dst. The hash is computed based on the chosen scheme, number of rounds log2rounds and specified salt.

dst must point to a character array of at least BLOWFISH_BCRYPT_HASH_SIZE bytes.

key contains the plaintext password string of size lenkey.

scheme is of size lenscheme and contains either just the chosen scheme (valid schemes are: 2a, 2b, 2x or 2y), or (the prefix of) an existing hashed password (typically $2b$10$...).

log2rounds contains the log2 of the number of encryption rounds that must be used to compute the hash. If it is -1 the value will be extracted from scheme.

salt should point to an array of BLOWFISH_BCRYPT_BINSALT_SIZE random bytes to be used to perturb the hash computation. If it is NULL the salt will be extracted from scheme.

Sample code to generate a bcrypt hash: 

char password[] = "ExamplePassword";
char scheme[] = "2b";
uint8_t salt[BLOWFISH_BCRYPT_BINSALT_SIZE];
…
/* Make sure that salt is filled with random bytes */
…
char hash[BLOWFISH_BCRYPT_HASH_SIZE];
int result = blowfish_bcrypt(hash,
                             sizeof(password) - 1, password,
                             sizeof(scheme) - 1, scheme, 10, salt);
if (result)
  printf("%s\n", hash);
Function: int blowfish_bcrypt_verify (size_t lenkey, const char *key, size_t lenhashed, const char *hashed)

Verifies the bcrypt password hash against the supplied plaintext password. The function will return 0 if the password does not match. The function will return 1 if the password matches.

key contains the plaintext password string of size lenkey.

hashed contains the hashed string of size lenhashed to compare with.

Sample code to verify a bcrypt hash: 

char password[] = "ExamplePassword";
char hash[] =
  "$2y$"  /* Hash algorithm version */
  "10"   /* 2^10 hash rounds (strength) */
  "$"   /* separator */
  "1b2lPgo4XumibnJGN3r3sO" /* base64 encoded 16-byte salt */
  "u7wE7xNfYDKlAxZffJDCJdVfFTAyevu"; /* Hashedpart */
if (blowfish_bcrypt_verify(sizeof(password) - 1, password,
                           sizeof(hash) - 1, hash))
  printf("Password is correct.");
else
  printf("Password is incorrect.");

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.5 Camellia

Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in RFC3713. It is recommended by some Japanese and European authorities as an alternative to AES, and it is one of the selected algorithms in the New European Schemes for Signatures, Integrity and Encryption (NESSIE) project. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at https://www.ntt.co.jp/news/news01e/0104/010417.html, but this statement has some limitations which seem problematic for free software.

Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and 256 bits. The variants with 192 and 256 bit keys are identical, except for the key setup. Nettle defines Camellia in <nettle/camellia.h>, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, struct camellia_ctx, for all key sizes. This interface kept for backwards compatibility).

Context struct: struct camellia128_ctx
Context struct: struct camellia192_ctx
Context struct: struct camellia256_ctx

Contexts structs. Actually, camellia192_ctx is an alias for camellia256_ctx.

Context struct: struct camellia_ctx

Alternative struct, for the old Camellia interface.

Constant: CAMELLIA_BLOCK_SIZE

The CAMELLIA block-size, 16.

Constant: CAMELLIA128_KEY_SIZE
Constant: CAMELLIA192_KEY_SIZE
Constant: CAMELLIA256_KEY_SIZE
Constant: CAMELLIA_MIN_KEY_SIZE
Constant: CAMELLIA_MAX_KEY_SIZE
Constant: CAMELLIA_KEY_SIZE

Default CAMELLIA key size, 32.

Function: void camellia128_set_encrypt_key (struct camellia128_ctx *ctx, const uint8_t *key)
Function: void camellia128_set_decrypt_key (struct camellia128_ctx *ctx, const uint8_t *key)
Function: void camellia192_set_encrypt_key (struct camellia192_ctx *ctx, const uint8_t *key)
Function: void camellia192_set_decrypt_key (struct camellia192_ctx *ctx, const uint8_t *key)
Function: void camellia256_set_encrypt_key (struct camellia256_ctx *ctx, const uint8_t *key)
Function: void camellia256_set_decrypt_key (struct camellia256_ctx *ctx, const uint8_t *key)
Function: void camellia_set_encrypt_key (struct camellia_ctx *ctx, size_t length, const uint8_t *key)
Function: void camellia_set_decrypt_key (struct camellia_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher, for encryption or decryption, respectively.

Function: void camellia128_invert_key (struct camellia128_ctx *dst, const struct camellia128_ctx *src)
Function: void camellia192_invert_key (struct camellia192_ctx *dst, const struct camellia192_ctx *src)
Function: void camellia256_invert_key (struct camellia256_ctx *dst, const struct camellia256_ctx *src)
Function: void camellia_invert_key (struct camellia_ctx *dst, const struct camellia_ctx *src)

Given a context src initialized for encryption, initializes the context struct dst for decryption, using the same key. If the same context struct is passed for both src and dst, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the same key.

Function: void camellia128_crypt (struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void camellia192_crypt (struct camellia192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void camellia256_crypt (struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void camellia_crypt (struct camellia_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

The same function is used for both encryption and decryption. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.6 CAST128

CAST-128 is a block cipher, specified in RFC 2144. It uses a 64 bit (8 octets) block size, and a key size of 128 bits. It is possible, but discouraged, to use the same algorithm with shorter keys. Nettle refers to the variant with variable key size as CAST-5. Keys for CAST-5 are zero padded to 128 bits, and with very short keys, less than 80 bits, encryption also uses fewer rounds than CAST128. Nettle defines cast128 in <nettle/cast128.h>.

Context struct: struct cast128_ctx
Constant: CAST128_BLOCK_SIZE

The CAST128 block-size, 8.

Constant: CAST128_KEY_SIZE

The CAST128 key size, 16.

Constant: CAST5_MIN_KEY_SIZE

Minimum CAST5 key size, 5.

Constant: CAST5_MAX_KEY_SIZE

Maximum CAST5 key size, 16. With 16 octets key (128 bits), CAST-5 is the same as CAST-128.

Function: void cast128_set_key (struct cast128_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void cast128_encrypt (struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void cast128_decrypt (struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to cast128_encrypt

Function: void cast5_set_key (struct cast128_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. This variant of the key setup takes the key size as argument. The same function is used for both encryption and decryption.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.7 ChaCha

ChaCha is a variant of the stream cipher Salsa20 (see Salsa20), below, also designed by D. J. Bernstein. Nettle defines ChaCha in <nettle/chacha.h>.

Context struct: struct chacha_ctx
Constant: CHACHA_KEY_SIZE

ChaCha key size, 32.

Constant: CHACHA_BLOCK_SIZE

ChaCha block size, 64.

Constant: CHACHA_NONCE_SIZE

Size of the nonce, 8.

Constant: CHACHA_COUNTER_SIZE

Size of the counter, 8.

Function: void chacha_set_key (struct chacha_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, you must also call chacha_set_nonce, see below.

Function: void chacha_set_nonce (struct chacha_ctx *ctx, const uint8_t *nonce)

Sets the nonce. It is always of size CHACHA_NONCE_SIZE, 8 octets. This function also initializes the block counter, setting it to zero.

Function: void chacha_set_counter (struct chacha_ctx *ctx, const uint8_t *counter)

Sets the block counter. It is always of size CHACHA_COUNTER_SIZE, 8 octets. This is rarely needed since chacha_set_nonce initializes the block counter to zero. When it is still necessary, this function must be called after chacha_set_nonce.

Function: void chacha_crypt (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to chacha_crypt, all but the last call must use a length that is a multiple of CHACHA_BLOCK_SIZE.

7.2.7.1 32-bit counter variant

While the original paper uses 64-bit counter value, the variant defined in RFC 8439 uses 32-bit counter value. This variant is particularly useful for see ChaCha-Poly1305 AEAD construction, which supports 12-octet nonces.

Constant: CHACHA_NONCE96_SIZE

Size of the nonce, 12.

Constant: CHACHA_COUNTER32_SIZE

Size of the counter, 4.

Function: void chacha_set_nonce96 (struct chacha_ctx *ctx, const uint8_t *nonce)

Sets the nonce. This is similar to the above chacha_set_nonce, but the input is always of size CHACHA_NONCE96_SIZE, 12 octets.

Function: void chacha_set_counter32 (struct chacha_ctx *ctx, const uint8_t *counter)

Sets the block counter. This is similar to the above chacha_set_counter, but the input is always of size CHACHA_COUNTER32_SIZE, 4 octets.

Function: void chacha_crypt32 (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using ChaCha. This is similar to the above chacha_crypt, but it assumes the internal counter value is 32-bit long and the nonce is 96-bit long.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.8 DES

DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key.

The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn’t be using plain DES at all today, if one uses DES at all one should be using “triple DES”, see DES3 below.

DES also has some weak keys. Nettle defines DES in <nettle/des.h>.

Context struct: struct des_ctx
Constant: DES_BLOCK_SIZE

The DES block-size, 8.

Constant: DES_KEY_SIZE

DES key size, 8.

Function: int des_set_key (struct des_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value.

Function: void des_encrypt (struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void des_decrypt (struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to des_encrypt

Function: int des_check_parity (size_t length, const uint8_t *key)

Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity.

Function: void des_fix_parity (size_t length, uint8_t *dst, const uint8_t *src)

Adjusts the parity bits to match DES’s requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. dst and src may be equal.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.9 DES3

The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits.

The standard way to increase DES’s key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then decrypt it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as “ede” triple-DES, for “encrypt-decrypt-encrypt”.

The “ede” construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3.

DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a “two-key” variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force.

Naturally, it’s simple to implement triple-DES on top of Nettle’s DES functions. Nettle includes an implementation of three-key “ede” triple-DES, it is defined in the same place as plain DES, <nettle/des.h>.

Context struct: struct des3_ctx
Constant: DES3_BLOCK_SIZE

The DES3 block-size is the same as DES_BLOCK_SIZE, 8.

Constant: DES3_KEY_SIZE

DES key size, 24.

Function: int des3_set_key (struct des3_ctx *ctx, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if one or more key is weak. Applications that don’t care about weak keys can ignore the return value.

For random-looking strings, you can use des_fix_parity to adjust the parity bits before calling des3_set_key.

Function: void des3_encrypt (struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void des3_decrypt (struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to des_encrypt

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.10 Salsa20

Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, see Counter mode). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions.

Salsa20 uses the same idea, but with a new specialized hash function to mix key, block counter, and a couple of constants. It’s also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets).

Caution: The hash function used in Salsa20 is not directly applicable for use as a general hash function. It’s not collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size.

When using Salsa20 to process a message, one specifies both a key and a nonce, the latter playing a similar rôle to the initialization vector (IV) used with CBC or CTR mode. One can use the same key for several messages, provided one uses a unique random iv for each message. The iv is 64 bits (8 octets). The block counter is initialized to zero for each message, and is also 64 bits (8 octets). Nettle defines Salsa20 in <nettle/salsa20.h>.

Context struct: struct salsa20_ctx
Constant: SALSA20_128_KEY_SIZE
Constant: SALSA20_256_KEY_SIZE

The two supported key sizes, 16 and 32 octets.

Constant: SALSA20_KEY_SIZE

Recommended key size, 32.

Constant: SALSA20_BLOCK_SIZE

Salsa20 block size, 64.

Constant: SALSA20_NONCE_SIZE

Size of the nonce, 8.

Function: void salsa20_128_set_key (struct salsa20_ctx *ctx, const uint8_t *key)
Function: void salsa20_256_set_key (struct salsa20_ctx *ctx, const uint8_t *key)
Function: void salsa20_set_key (struct salsa20_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption. salsa20_128_set_key and salsa20_128_set_key use a fix key size each, 16 and 32 octets, respectively. The function salsa20_set_key is provided for backwards compatibility, and the length argument must be either 16 or 32. Before using the cipher, you must also call salsa20_set_nonce, see below.

Function: void salsa20_set_nonce (struct salsa20_ctx *ctx, const uint8_t *nonce)

Sets the nonce. It is always of size SALSA20_NONCE_SIZE, 8 octets. This function also initializes the block counter, setting it to zero.

Function: void salsa20_crypt (struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to salsa20_crypt, all but the last call must use a length that is a multiple of SALSA20_BLOCK_SIZE.

The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by eSTREAM, see https://www.ecrypt.eu.org/stream/finallist.html. Nettle calls this variant salsa20r12. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption.

Function: void salsa20r12_crypt (struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.11 Serpent

SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES’. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones. Nettle defines SERPENT in <nettle/serpent.h>.

Context struct: struct serpent_ctx
Constant: SERPENT_BLOCK_SIZE

The SERPENT block-size, 16.

Constant: SERPENT_MIN_KEY_SIZE

Minimum SERPENT key size, 16.

Constant: SERPENT_MAX_KEY_SIZE

Maximum SERPENT key size, 32.

Constant: SERPENT_KEY_SIZE

Default SERPENT key size, 32.

Function: void serpent_set_key (struct serpent_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void serpent_encrypt (struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void serpent_decrypt (struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to serpent_encrypt

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.12 SM4

SM4 is a block cipher standard adopted by the government of the People’s Republic of China, and it was issued by the State Cryptography Administration on March 21, 2012. The standard is GM/T 0002-2012 "SM4 block cipher algorithm". Nettle defines it in <nettle/sm4.h>.

Context struct: struct sm4_ctx
Constant: SM4_BLOCK_SIZE

The SM4 block-size, 16.

Constant: SM4_KEY_SIZE

Default SM4 key size, 16.

Function: void sm4_set_encrypt_key (struct sm4_ctx *ctx, const uint8_t *key)

Initialize the cipher. The function is used for encryption.

Function: void sm4_set_decrypt_key (struct sm4_ctx *ctx, const uint8_t *key)

Initialize the cipher. The function is used for decryption.

Function: void sm4_crypt (const struct sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Cryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way. The same function is used for both encryption and decryption.

Next: , Previous: , Up: Cipher functions   [Contents][Index]

7.2.13 Twofish

Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in <nettle/twofish.h>.

Context struct: struct twofish_ctx
Constant: TWOFISH_BLOCK_SIZE

The TWOFISH block-size, 16.

Constant: TWOFISH_MIN_KEY_SIZE

Minimum TWOFISH key size, 16.

Constant: TWOFISH_MAX_KEY_SIZE

Maximum TWOFISH key size, 32.

Constant: TWOFISH_KEY_SIZE

Default TWOFISH key size, 32.

Function: void twofish_set_key (struct twofish_ctx *ctx, size_t length, const uint8_t *key)

Initialize the cipher. The same function is used for both encryption and decryption.

Function: void twofish_encrypt (struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encryption function. length must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. src and dst may be equal, but they must not overlap in any other way.

Function: void twofish_decrypt (struct twofish_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Analogous to twofish_encrypt

Previous: , Up: Cipher functions   [Contents][Index]

7.2.14 The struct nettle_cipher abstraction

Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a simple way to handle various algorithms. Nettle defines these structs in <nettle/nettle-meta.h>.

Meta struct: struct nettle_cipher name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt

The last four attributes are function pointers, of types nettle_set_key_func * and nettle_cipher_func *. The first argument to these functions is a const void * pointer to a context struct, which is of size context_size.

Constant Struct: struct nettle_cipher nettle_aes128
Constant Struct: struct nettle_cipher nettle_aes192
Constant Struct: struct nettle_cipher nettle_aes256
Constant Struct: struct nettle_cipher nettle_arctwo40
Constant Struct: struct nettle_cipher nettle_arctwo64
Constant Struct: struct nettle_cipher nettle_arctwo128
Constant Struct: struct nettle_cipher nettle_arctwo_gutmann128
Constant Struct: struct nettle_cipher nettle_arcfour128
Constant Struct: struct nettle_cipher nettle_camellia128
Constant Struct: struct nettle_cipher nettle_camellia192
Constant Struct: struct nettle_cipher nettle_camellia256
Constant Struct: struct nettle_cipher nettle_cast128
Constant Struct: struct nettle_cipher nettle_serpent128
Constant Struct: struct nettle_cipher nettle_serpent192
Constant Struct: struct nettle_cipher nettle_serpent256
Constant Struct: struct nettle_cipher nettle_twofish128
Constant Struct: struct nettle_cipher nettle_twofish192
Constant Struct: struct nettle_cipher nettle_twofish256

Nettle includes such structs for all the regular ciphers, i.e. ones without weak keys or other oddities.

Nettle also exports a list of all these ciphers without weak keys or other oddities.

Function: const struct nettle_cipher ** nettle_get_ciphers (void)

Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms.

Macro: nettle_ciphers

A macro expanding to a call to nettle_get_ciphers. In earlier versions, this was not a macro but the actual array of pointers.

Next: , Previous: , Up: Reference   [Contents][Index]

7.3 Cipher modes

Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher’s block size. As explained in See Cipher functions, splitting the message into blocks and processing them independently with the block cipher (Electronic Code Book mode, ECB), leaks information.

Besides ECB, Nettle provides several other modes of operation: Cipher Block Chaining (CBC), Counter mode (CTR), Cipher Feedback (CFB and CFB8), XEX-based tweaked-codebook mode with ciphertext stealing (XTS) and a couple of AEAD modes (see Authenticated encryption with associated data). CBC is widely used, but there are a few subtle issues of information leakage, see, e.g., SSH CBC vulnerability. Today, CTR is usually preferred over CBC.

Modes like CBC, CTR, CFB and CFB8 provide no message authentication, and should always be used together with a MAC (see Keyed Hash Functions) or signature to authenticate the message.

Next: , Up: Cipher modes   [Contents][Index]

7.3.1 Cipher Block Chaining

When using CBC mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in CBC mode, the previous ciphertext block is XORed with the plaintext before it is fed to the block cipher. When encrypting the first block, a random block called an IV, or Initialization Vector, is used as the “previous ciphertext block”. The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data.

In symbols, if E_k is the encryption function of a block cipher, and IV is the initialization vector, then n plaintext blocks M_1,… M_n are transformed into n ciphertext blocks C_1,… C_n as follows: 

C_1 = E_k(IV  XOR M_1)
C_2 = E_k(C_1 XOR M_2)

…

C_n = E_k(C_(n-1) XOR M_n)

Nettle provides two main functions for applying a block cipher in Cipher Block Chaining (CBC) mode, one for encryption and one for decryption. These functions uses const void * to pass cipher contexts around. The CBC interface is defined in <nettle/cbc.h>.

Function: void cbc_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cbc_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption or decryption function f in CBC mode. The final ciphertext block processed is copied into iv before returning, so that a large message can be processed by a sequence of calls to cbc_encrypt. The function f is of type

void f (const void *ctx, size_t length, uint8_t dst, const uint8_t *src),

and the cbc_encrypt and cbc_decrypt functions pass their argument ctx on to f.

7.3.1.1 Utility macros

There are also some macros to help use these functions correctly.

Macro: CBC_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t iv[block_size];
}

It can be used to define a CBC context struct, either directly, 

struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) ctx;

or to give it a struct tag, 

struct aes_cbc_ctx CBC_CTX (struct aes_ctx, AES_BLOCK_SIZE);
Macro: CBC_SET_IV (ctx, iv)

First argument is a pointer to a context struct as defined by CBC_CTX, and the second is a pointer to an Initialization Vector (IV) that is copied into that context.

Macro: CBC_ENCRYPT (ctx, f, length, dst, src)
Macro: CBC_DECRYPT (ctx, f, length, dst, src)

A simpler way to invoke cbc_encrypt and cbc_decrypt. The first argument is a pointer to a context struct as defined by CBC_CTX, and the second argument is an encryption or decryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

These macros use some tricks to make the compiler display a warning if the types of f and ctx don’t match, e.g. if you try to use an struct aes_ctx context with the des_encrypt function.

7.3.1.2 Cipher-specific functions

Encryption in CBC mode (but not decryption!) is inherently serial. It can pass only one block at a time to the block cipher’s encrypt function. Optimizations to process several blocks in parallel can’t be applied, and on platforms where the underlying cipher is fast, per-function-call overhead, e.g., loading subkeys from memory into registers, can be significant. Depending on platform and cipher used, cbc_encrypt can be considerably slower than both cbc_decrypt and CTR mode. The second reason for poor performance can be addressed by having a combined CBC and encrypt function, for ciphers where the overhead is significant.

Nettle currently includes such special functions only for AES.

Function: void cbc_aes128_encrypt (const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cbc_aes192_encrypt (const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cbc_aes256_encrypt (const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Calling cbc_aes128_encrypt(ctx, iv, length, dst, src) does the same thing as calling cbc_encrypt(ctx, aes128_encrypt, AES_BLOCK_SIZE, iv, length, dst, src), but is more efficient on certain platforms.

Next: , Previous: , Up: Cipher modes   [Contents][Index]

7.3.2 Counter mode

Counter mode (CTR) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher.

The message is divided into n blocks M_1,… M_n, where M_n is of size m which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size.

If E_k is the encryption function of a block cipher, IC is the initial counter, then the n plaintext blocks are transformed into n ciphertext blocks C_1,… C_n as follows: 

C_1 = E_k(IC) XOR M_1
C_2 = E_k(IC + 1) XOR M_2

…

C_(n-1) = E_k(IC + n - 2) XOR M_(n-1)
C_n = E_k(IC + n - 1) [1..m] XOR M_n

The IC is the initial value for the counter, it plays a similar rôle as the IV for CBC. When adding, IC + x, IC is interpreted as an integer, in network byte order. For the last block, E_k(IC + n - 1) [1..m] means that the cipher output is truncated to m bytes.

Function: void ctr_crypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption function f in CTR mode. Note that for CTR mode, encryption and decryption is the same operation, and hence f should always be the encryption function for the underlying block cipher.

When a message is encrypted using a sequence of calls to ctr_crypt, all but the last call must use a length that is a multiple of the block size.

Like for CBC, there are also a couple of helper macros.

Macro: CTR_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t ctr[block_size];
}
Macro: CTR_SET_COUNTER (ctx, iv)

First argument is a pointer to a context struct as defined by CTR_CTX, and the second is a pointer to an initial counter that is copied into that context.

Macro: CTR_CRYPT (ctx, f, length, dst, src)

A simpler way to invoke ctr_crypt. The first argument is a pointer to a context struct as defined by CTR_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Next: , Previous: , Up: Cipher modes   [Contents][Index]

7.3.3 Cipher Feedback mode

Cipher Feedback mode (CFB) and Cipher Feedback 8-bit mode (CFB8) being close relatives to both CBC mode and CTR mode borrow some characteristics from stream ciphers.

For CFB the message is divided into n blocks M_1,… M_n, where M_n is of size m which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size.

If E_k is the encryption function of a block cipher, IV is the initialization vector, then the n plaintext blocks are transformed into n ciphertext blocks C_1,… C_n as follows: 

C_1 = E_k(IV) XOR M_1
C_2 = E_k(C_1) XOR M_2

…

C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1)
C_n = E_k(C_(n - 1)) [1..m] XOR M_n

Cipher Feedback 8-bit mode (CFB8) transforms block cipher into a stream cipher. The message is encrypted byte after byte, not requiring any padding.

If E_k is the encryption function of a block cipher, b is E_k block size, IV is the initialization vector, then the n plaintext bytes are transformed into n ciphertext bytes C_1,… C_n as follows: 

I_1 = IV
C_1 = E_k(I_1) [1..8] XOR M_1
I_2 = I_1 [9..b] << 8 | C_1
C_2 = E_k(I_2) [1..8] XOR M_2

…

I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2)
C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1)
I_n = I_(n-1) [9..b] << 8 | C_(n-1)
C_n = E_k(I_n) [1..8] XOR M_n

Nettle’s includes functions for applying a block cipher in Cipher Feedback (CFB) and Cipher Feedback 8-bit (CFB8) modes. These functions uses void * to pass cipher contexts around.

Function: void cfb_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cfb_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption or decryption function f in CFB mode. The final ciphertext block processed is copied into iv before returning, so that a large message can be processed by a sequence of calls to cfb_encrypt. Note that for CFB mode internally uses encryption only function and hence f should always be the encryption function for the underlying block cipher.

When a message is encrypted using a sequence of calls to cfb_encrypt, all but the last call must use a length that is a multiple of the block size.

Function: void cfb8_encrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)
Function: void cfb8_decrypt (const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption or decryption function f in CFB8 mode. The final IV block processed is copied into iv before returning, so that a large message can be processed by a sequence of calls to cfb8_encrypt. Note that for CFB8 mode internally uses encryption only function and hence f should always be the encryption function for the underlying block cipher.

Like for CBC, there are also a couple of helper macros.

Macro: CFB_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t iv[block_size];
}
Macro: CFB_SET_IV(ctx, iv)

First argument is a pointer to a context struct as defined by CFB_CTX, and the second is a pointer to an initialization vector that is copied into that context.

Macro: CFB_ENCRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb_encrypt. The first argument is a pointer to a context struct as defined by CFB_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Macro: CFB_DECRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb_decrypt. The first argument is a pointer to a context struct as defined by CFB_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Macro: CFB8_CTX (context_type, block_size)

Expands to 

{
   context_type ctx;
   uint8_t iv[block_size];
}
Macro: CFB8_SET_IV (ctx, iv)

First argument is a pointer to a context struct as defined by CFB8_CTX, and the second is a pointer to an initialization vector that is copied into that context.

Macro: CFB8_ENCRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb8_encrypt. The first argument is a pointer to a context struct as defined by CFB8_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Macro: CFB8_DECRYPT (ctx, f, length, dst, src)

A simpler way to invoke cfb8_decrypt. The first argument is a pointer to a context struct as defined by CFB8_CTX, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.

Previous: , Up: Cipher modes   [Contents][Index]

7.3.4 XEX-based tweaked-codebook mode with ciphertext stealing

XEX-based tweaked-codebook mode with ciphertext stealing (XTS) is a block mode like (CBC) but tweaked to be able to encrypt partial blocks via a technique called ciphertext stealing, where the last complete block of ciphertext is split and part returned as the last block and part used as plaintext for the second to last block. This mode is principally used to encrypt data at rest where it is not possible to store additional metadata or blocks larger than the plain text. The most common usage is for disk encryption. Due to the fact that ciphertext expansion is not possible, data is not authenticated. This mode should not be used where authentication is critical.

The message is divided into n blocks M_1,… M_n, where M_n is of size m which may be smaller than the block size. XTS always uses a fixed blocksize of 128 bit (16 bytes) length.

Unlike other modes, the key is double the size of that for the used cipher mode (for example 256bit for AES-128 and 512bit for AES-256).

XTS encryption mode operates given:

  • A multiplication by a primitive element alpha. MUL a^j here represents the multiplication, where j is the power of alpha, and the input value is converted into a 16 bytes array a_0[k], k = 0,1,..,15. The multiplication is calculated as a_(j+1)[0] = (2(a_j[0] mod 128)) XOR (135 * floor(a_j[15]/128) a_(j+1)[k] = (2(a_j[k] mod 128)) XOR (floor(a_j[k-1]/128), k = 1,2,..15 Note that this operation is practically a 1 bit left shift operation with carry propagating from one byte to the next, and if the last bit shift results in a carry the decimal value 135 is XORed into the first byte.
  • The encryption key is provided as the Key = K1 | K2, where | denotes string concatenation. E_k1 is the encryption function of the block cipher using K1 as the key, and E_k2 is the same encryption function using K2
  • A 128 bit tweak value is provided as input and is denoted as IV

The n plaintext blocks are transformed into n ciphertext blocks C_1,… C_n as follows.

For a plaintext length that is a perfect multiple of the XTS block size: 

T_1 = E_k2(IV)
C_1 = E_k1(P_1 XOR T_1) XOR T_1

…

T_n = T_(n-1) MUL a
C_n = E_k1(P_n XOR T_n) XOR T_n

For any other plaintext lengths: 

T_1 = E_k2(IV)
C_1 = E_k1(P_1 XOR T_1) XOR T_1

…

T_(n-2) = T_(n-3) MUL a
C_(n-2) = E_k1(P_(n-2) XOR T_(n-2)) XOR T_(n-2)

T_(n-1) = T_(n-2) MUL a
CC_(n-1) = E_k1(P_(n-1) XOR T_(n-1)) XOR T_(n-1)

T_n = T_(n-1) MUL a
PP = [1..m]Pn | [m+1..128]CC_(n-1)
C_(n-1) = E_k1(PP XOR T_n) XOR T_n

C_n = [1..m]CC_(n-1)

7.3.4.1 General (XTS) interface.

The two general functions to encrypt and decrypt using the XTS block cipher mode are the following:

Function: void xts_encrypt_message (const void *enc_ctx, const void *twk_ctx, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
Function: void xts_decrypt_message (const void *dec_ctx, const void *twk_ctx, nettle_cipher_func *decf, nettle_cipher_func *encf, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)

Applies the encryption function encf or the decryption function decf in XTS mode. At least one block (16 bytes) worth of data must be available therefore specifying a length less than 16 bytes is illegal.

The functions encf decf are of type

void f (const void *ctx, size_t length, uint8_t *dst, const uint8_t *src),

and the xts_encrypt_message and xts_decrypt_message functions pass their arguments enc_ctx, twk_ctx and dec_ctx to the functions encf, decf as ctx.

7.3.4.2 XTS-AES interface

The AES XTS functions provide an API for using the XTS mode with the AES block ciphers. The parameters all have the same meaning as the general interface, except that the enc_ctx, dec_ctx, twk_ctx, encf and decf are replaced with an AES context structure called ctx, and a appropriate set-key function must be called before using any of the encryption or decryption functions in this interface.

Context struct: struct xts_aes128_key

Holds state corresponding to the AES-128 block cipher.

Context struct: struct xts_aes256_key

Holds state corresponding to the AES-256 block cipher.

Function: void xts_aes128_set_encrypt_key (struct xts_aes128_key *ctx, const uint8_t *key)
Function: void xts_aes256_set_encrypt_key (struct xts_aes256_key *ctx, const uint8_t *key)
Function: void xts_aes128_set_decrypt_key (struct xts_aes128_key *ctx, const uint8_t *key)
Function: void xts_aes256_set_decrypt_key (struct xts_aes256_key *ctx, const uint8_t *key)

Initializes the encryption or decryption key for the AES block cipher. The length of the key must be double the size of the key for the corresponding cipher (256 bits for AES-128 and 512 bits for AES-256). One of these functions must be called before any of the other functions.

Function: void xts_aes128_encrypt_message (struct xts_aes128_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
Function: void xts_aes256_encrypt_message (struct xts_aes256_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
Function: void xts_aes128_decrypt_message (struct xts_aes128_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)
Function: void xts_aes256_decrypt_message (struct xts_aes256_key *ctx, uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src)

These are identical to xts_encrypt_message and xts_decrypt_message, except that enc_ctx, dec_ctx, twk_ctx, encf and decf are replaced by the ctx context structure.

Next: , Previous: , Up: Reference   [Contents][Index]

7.4 Authenticated encryption with associated data

Since there are some subtle design choices to be made when combining a block cipher mode with out authentication with a MAC. In recent years, several constructions that combine encryption and authentication have been defined. These constructions typically also have an additional input, the “associated data”, which is authenticated but not included with the message. A simple example is an implicit message number which is available at both sender and receiver, and which needs authentication in order to detect deletions or replay of messages. This family of building blocks are therefore called AEAD, Authenticated encryption with associated data.

The aim is to provide building blocks that it is easier for designers of protocols and applications to use correctly. There is also some potential for improved performance, if encryption and authentication can be done in a single step, although that potential is not realized for the constructions currently supported by Nettle.

For encryption, the inputs are:

  • The key, which can be used for many messages.
  • A nonce, which must be unique for each message using the same key.
  • Additional associated data to be authenticated, but not included in the message.
  • The cleartext message to be encrypted.

The outputs are:

  • The ciphertext, of the same size as the cleartext.
  • A digest or “authentication tag”.

Decryption works the same, but with cleartext and ciphertext interchanged. All currently supported AEAD algorithms always use the encryption function of the underlying block cipher, for both encryption and decryption.

Usually, the authentication tag should be appended at the end of the ciphertext, producing an encrypted message which is slightly longer than the cleartext. However, Nettle’s low level AEAD functions produce the authentication tag as a separate output for both encryption and decryption.

Both associated data and the message data (cleartext or ciphertext) can be processed incrementally. In general, all associated data must be processed before the message data, and all calls but the last one must use a length that is a multiple of the block size, although some AEAD may implement more liberal conventions. The CCM mode is a bit special in that it requires the message lengths up front, other AEAD constructions don’t have this restriction.

The supported AEAD constructions are Galois/Counter mode (GCM), EAX, ChaCha-Poly1305, and Counter with CBC-MAC (CCM). There are some weaknesses in GCM authentication, see https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf. CCM and EAX use the same building blocks, but the EAX design is cleaner and avoids a couple of inconveniences of CCM. Therefore, EAX seems like a good conservative choice. The more recent ChaCha-Poly1305 may also be an attractive but more adventurous alternative, in particular if performance is important.

Next: , Up: Authenticated encryption with associated data   [Contents][Index]

7.4.1 EAX

The EAX mode is an AEAD mode which combines CTR mode encryption, See Counter mode, with a message authentication based on CBC, See Cipher Block Chaining. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). EAX was defined as a reaction to the CCM mode, See Counter with CBC-MAC mode, which uses the same primitives but has some undesirable and inelegant properties.

EAX supports arbitrary nonce size; it’s even possible to use an empty nonce in case only a single message is encrypted for each key.

Nettle’s support for EAX consists of a low-level general interface, some convenience macros, and specific functions for EAX using AES-128 as the underlying cipher. These interfaces are defined in <nettle/eax.h>

7.4.1.1 General EAX interface

Context struct: struct eax_key

EAX state which depends only on the key, but not on the nonce or the message.

Context struct: struct eax_ctx

Holds state corresponding to a particular message.

Constant: EAX_BLOCK_SIZE

EAX’s block size, 16.

Constant: EAX_DIGEST_SIZE

Size of the EAX digest, also 16.

Function: void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f)

Initializes key. cipher gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and f is the encryption function.

Function: void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce)

Initializes ctx for processing a new message, using the given nonce.

Function: void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size. Unlike many other AEAD constructions, for EAX it’s not necessary to complete the processing of all associated data before encrypting or decrypting the message data.

Function: void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
Function: void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. cipher is the context struct for the underlying cipher and f is the encryption function. All but the last call for each message must use a length that is a multiple of the block size.

Function: void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If length is smaller than EAX_DIGEST_SIZE, only the first length octets of the digest are written.

7.4.1.2 EAX helper macros

The following macros are defined.

Macro: EAX_CTX (context_type)

This defines an all-in-one context struct, including the context of the underlying cipher and all EAX state. It expands to 

{
   struct eax_key key;
   struct eax_ctx eax;
   context_type cipher;
}

For all these macros, ctx, is a context struct as defined by EAX_CTX, and encrypt is the encryption function of the underlying cipher.

Macro: EAX_SET_KEY (ctx, set_key, encrypt, key)

set_key is the function for setting the encryption key for the underlying cipher, and key is the key.

Macro: EAX_SET_NONCE (ctx, encrypt, length, nonce)

Sets the nonce to be used for the message.

Macro: EAX_UPDATE (ctx, encrypt, length, data)

Process associated data for authentication.

Macro: EAX_ENCRYPT (ctx, encrypt, length, dst, src)
Macro: EAX_DECRYPT (ctx, encrypt, length, dst, src)

Process message data for encryption or decryption.

Macro: EAX_DIGEST (ctx, encrypt, length, digest)

Extract the authentication tag for the message.

7.4.1.3 EAX-AES128 interface

The following functions implement EAX using AES-128 as the underlying cipher.

Context struct: struct eax_aes128_ctx

The context struct, defined using EAX_CTX.

Function: void eax_aes128_set_key (struct eax_aes128_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void eax_aes128_set_nonce (struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given nonce.

Function: void eax_aes128_update (struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size.

Function: void eax_aes128_encrypt (struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void eax_aes128_decrypt (struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void eax_aes128_digest (struct eax_aes128_ctx *ctx, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If length is smaller than EAX_DIGEST_SIZE, only the first length octets of the digest are written.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

7.4.2 Galois counter mode

Galois counter mode is an AEAD constructions combining counter mode with message authentication based on universal hashing. The main objective of the design is to provide high performance for hardware implementations, where other popular MAC algorithms (see Keyed Hash Functions) become a bottleneck for high-speed hardware implementations. It was proposed by David A. McGrew and John Viega in 2005, and recommended by NIST in 2007, NIST Special Publication 800-38D. It is constructed on top of a block cipher which must have a block size of 128 bits.

The authentication in GCM has some known weaknesses, see https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf. In particular, don’t use GCM with short authentication tags.

Nettle’s support for GCM consists of a low-level general interface, some convenience macros, and specific functions for GCM using AES or Camellia as the underlying cipher. These interfaces are defined in <nettle/gcm.h>

7.4.2.1 General GCM interface

Context struct: struct gcm_key

Message independent hash sub-key, and related tables.

Context struct: struct gcm_ctx

Holds state corresponding to a particular message.

Constant: GCM_BLOCK_SIZE

GCM’s block size, 16.

Constant: GCM_DIGEST_SIZE

Size of the GCM digest, also 16.

Constant: GCM_IV_SIZE

Recommended size of the IV, 12. Arbitrary sizes are allowed.

Function: void gcm_set_key (struct gcm_key *key, const void *cipher, nettle_cipher_func *f)

Initializes key. cipher gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and f is the encryption function.

Function: void gcm_set_iv (struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv)

Initializes ctx using the given IV. The key argument is actually needed only if length differs from GCM_IV_SIZE.

Function: void gcm_update (struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_encrypt or gcm_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_decrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. cipher is the context struct for the underlying cipher and f is the encryption function. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_digest (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that length is GCM_DIGEST_SIZE, but if you provide a smaller value, only the first length octets of the digest are written.

To encrypt a message using GCM, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: gcm_set_key, gcm_set_iv, gcm_update, gcm_encrypt, gcm_digest. The decryption procedure is analogous, just calling gcm_decrypt instead of gcm_encrypt (note that GCM decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call gcm_set_iv with a new iv.

7.4.2.2 GCM helper macros

The following macros are defined.

Macro: GCM_CTX (context_type)

This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to 

{
   struct gcm_key key; 
   struct gcm_ctx gcm;
   context_type cipher;
}

Example use: 

struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx);

The following macros operate on context structs of this form.

Macro: GCM_SET_KEY (ctx, set_key, encrypt, key)

First argument, ctx, is a context struct as defined by GCM_CTX. set_key and encrypt are functions for setting the encryption key and for encrypting data using the underlying cipher.

Macro: GCM_SET_IV (ctx, length, data)

First argument is a context struct as defined by GCM_CTX. length and data give the initialization vector (IV).

Macro: GCM_UPDATE (ctx, length, data)

Simpler way to call gcm_update. First argument is a context struct as defined by GCM_CTX

Macro: GCM_ENCRYPT (ctx, encrypt, length, dst, src)
Macro: GCM_DECRYPT (ctx, encrypt, length, dst, src)
Macro: GCM_DIGEST (ctx, encrypt, length, digest)

Simpler way to call gcm_encrypt, gcm_decrypt or gcm_digest. First argument is a context struct as defined by GCM_CTX. Second argument, encrypt, is the encryption function of the underlying cipher.

7.4.2.3 GCM-AES interface

The following functions implement the common case of GCM using AES as the underlying cipher. The variants with a specific AES flavor are recommended, while the fucntinos using struct gcm_aes_ctx are kept for compatibility with older versiosn of Nettle.

Context struct: struct gcm_aes128_ctx
Context struct: struct gcm_aes192_ctx
Context struct: struct gcm_aes256_ctx

Context structs, defined using GCM_CTX.

Context struct: struct gcm_aes_ctx

Alternative context struct, using the old AES interface.

Function: void gcm_aes128_set_key (struct gcm_aes128_ctx *ctx, const uint8_t *key)
Function: void gcm_aes192_set_key (struct gcm_aes192_ctx *ctx, const uint8_t *key)
Function: void gcm_aes256_set_key (struct gcm_aes256_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void gcm_aes_set_key (struct gcm_aes_ctx *ctx, size_t length, const uint8_t *key)

Corresponding function, using the old AES interface. All valid AES key sizes can be used.

Function: void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_aes_set_iv (struct gcm_aes_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given IV.

Function: void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_aes_update (struct gcm_aes_ctx *ctx, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_aes_encrypt or gcm_aes_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_aes128_encrypt (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes192_encrypt (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes256_encrypt (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes_encrypt (struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes128_decrypt (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes192_decrypt (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes256_decrypt (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_aes_decrypt (struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_aes128_digest (struct gcm_aes128_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_aes192_digest (struct gcm_aes192_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_aes256_digest (struct gcm_aes256_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_aes_digest (struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that length is GCM_DIGEST_SIZE, but if you provide a smaller value, only the first length octets of the digest are written.

7.4.2.4 GCM-Camellia interface

The following functions implement the case of GCM using Camellia as the underlying cipher.

Context struct: struct gcm_camellia128_ctx
Context struct: struct gcm_camellia256_ctx

Context structs, defined using GCM_CTX.

Function: void gcm_camellia128_set_key (struct gcm_camellia128_ctx *ctx, const uint8_t *key)
Function: void gcm_camellia256_set_key (struct gcm_camellia256_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv)
Function: void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given IV.

Function: void gcm_camellia128_update (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data)
Function: void gcm_camellia256_update (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_camellia_encrypt or gcm_camellia_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_camellia128_digest (struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_camellia192_digest (struct gcm_camellia192_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_camellia256_digest (struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *digest)
Function: void gcm_camellia_digest (struct gcm_camellia_ctx *ctx, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that length is GCM_DIGEST_SIZE, but if you provide a smaller value, only the first length octets of the digest are written.

7.4.2.5 GCM-SM4 interface

The following functions implement the case of GCM using SM4 as the underlying cipher.

Context struct: struct gcm_sm4_ctx

Context structs, defined using GCM_CTX.

Function: void gcm_sm4_set_key (struct gcm_sm4_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key.

Function: void gcm_sm4_set_iv (struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *iv)

Initializes the per-message state, using the given IV.

Function: void gcm_sm4_update (struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *data)

Provides associated data to be authenticated. If used, must be called before gcm_sm4_encrypt or gcm_sm4_decrypt. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_sm4_encrypt (struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void gcm_sm4_decrypt (struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void gcm_sm4_digest (struct gcm_sm4_ctx *ctx, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that length is GCM_DIGEST_SIZE, but if you provide a smaller value, only the first length octets of the digest are written.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

7.4.3 Counter with CBC-MAC mode

CCM mode is a combination of counter mode with message authentication based on cipher block chaining, the same building blocks as EAX, see EAX. It is constructed on top of a block cipher which must have a block size of 128 bits. CCM mode is recommended by NIST in NIST Special Publication 800-38C. Nettle’s support for CCM consists of a low-level general interface, a message encryption and authentication interface, and specific functions for CCM using AES as the underlying block cipher. These interfaces are defined in <nettle/ccm.h>.

In CCM, the length of the message must be known before processing. The maximum message size depends on the size of the nonce, since the message size is encoded in a field which must fit in a single block, together with the nonce and a flag byte. E.g., with a nonce size of 12 octets, there are three octets left for encoding the message length, the maximum message length is 2^24 - 1 octets.

CCM mode encryption operates as follows:

  • The nonce and message length are concatenated to create B_0 = flags | nonce | mlength
  • The authenticated data and plaintext is formatted into the string B = L(adata) | adata | padding | plaintext | padding with padding being the shortest string of zero bytes such that the length of the string is a multiple of the block size, and L(adata) is an encoding of the length of adata.
  • The string B is separated into blocks B_1 ... B_n
  • The authentication tag T is calculated as T=0, for i=0 to n, do T = E_k(B_i XOR T)
  • An initial counter is then initialized from the nonce to create IC = flags | nonce | padding, where padding is the shortest string of zero bytes such that IC is exactly one block in length.
  • The authentication tag is encrypted using using CTR mode: MAC = E_k(IC) XOR T
  • The plaintext is then encrypted using CTR mode with an initial counter of IC+1.

CCM mode decryption operates similarly, except that the ciphertext and MAC are first decrypted using CTR mode to retrieve the plaintext and authentication tag. The authentication tag can then be recalculated from the authenticated data and plaintext, and compared to the value in the message to check for authenticity.

7.4.3.1 General CCM interface

For all of the functions in the CCM interface, cipher is the context struct for the underlying cipher and f is the encryption function. The cipher’s encryption key must be set before calling any of the CCM functions. The cipher’s decryption function and key are never used.

Context struct: struct ccm_ctx

Holds state corresponding to a particular message.

Constant: CCM_BLOCK_SIZE

CCM’s block size, 16.

Constant: CCM_DIGEST_SIZE

Size of the CCM digest, 16.

Constant: CCM_MIN_NONCE_SIZE
Constant: CCM_MAX_NONCE_SIZE

The the minimum and maximum sizes for an CCM nonce, 7 and 14, respectively.

Macro: CCM_MAX_MSG_SIZE (nonce_size)

The largest allowed plaintext length, when using CCM with a nonce of the given size.

Function: void ccm_set_nonce (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)

Initializes ctx using the given nonce and the sizes of the authenticated data, message, and MAC to be processed.

Function: void ccm_update (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data)

Provides associated data to be authenticated. Must be called after ccm_set_nonce, and before ccm_encrypt, ccm_decrypt, or ccm_digest.

Function: void ccm_encrypt (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_decrypt (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the message data. Must be called after ccm_set_nonce and before ccm_digest. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ccm_digest (struct ccm_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. length is usually equal to the taglen parameter supplied to ccm_set_nonce, but if you provide a smaller value, only the first length octets of the digest are written.

To encrypt a message using the general CCM interface, set the message nonce and length using ccm_set_nonce and then call ccm_update to generate the digest of any authenticated data. After all of the authenticated data has been digested use ccm_encrypt to encrypt the plaintext. Finally, use ccm_digest to return the encrypted MAC.

To decrypt a message, use ccm_set_nonce and ccm_update the same as you would for encryption, and then call ccm_decrypt to decrypt the ciphertext. After decrypting the ciphertext ccm_digest will return the encrypted MAC which should be identical to the MAC in the received message.

7.4.3.2 CCM message interface

The CCM message fuctions provides a simple interface that will perform authentication and message encryption in a single function call. The length of the cleartext is given by mlength and the length of the ciphertext is given by clength, always exactly tlength bytes longer than the corresponding plaintext. The length argument passed to a function is always the size for the result, clength for the encryption functions, and mlength for the decryption functions.

Function: void ccm_encrypt_message (void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the encrypted MAC to ciphertext and outputs it to dst.

Function: int ccm_decrypt_message (void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst, recalculates the MAC from adata and the plaintext, and compares it to the final tlength bytes of src. If the values of the received and calculated MACs are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

7.4.3.3 CCM-AES interface

The AES CCM functions provide an API for using CCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the cipher, f, and ctx parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface.

Context struct: struct ccm_aes128_ctx

Holds state corresponding to a particular message encrypted using the AES-128 block cipher.

Context struct: struct ccm_aes192_ctx

Holds state corresponding to a particular message encrypted using the AES-192 block cipher.

Context struct: struct ccm_aes256_ctx

Holds state corresponding to a particular message encrypted using the AES-256 block cipher.

Function: void ccm_aes128_set_key (struct ccm_aes128_ctx *ctx, const uint8_t *key)
Function: void ccm_aes192_set_key (struct ccm_aes192_ctx *ctx, const uint8_t *key)
Function: void ccm_aes256_set_key (struct ccm_aes256_ctx *ctx, const uint8_t *key)

Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES CCM interface.

Function: void ccm_aes128_set_nonce (struct ccm_aes128_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
Function: void ccm_aes192_set_nonce (struct ccm_aes192_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)
Function: void ccm_aes256_set_nonce (struct ccm_aes256_ctx *ctx, size_t noncelen, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen)

These are identical to ccm_set_nonce, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_update (struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data)
Function: void ccm_aes192_update (struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data)
Function: void ccm_aes256_update (struct ccm_aes256_ctx *ctx, size_t length, const uint8_t *data)

These are identical to ccm_set_update, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_encrypt (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes192_encrypt (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes256_encrypt (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes128_decrypt (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes192_decrypt (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes256_decrypt (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

These are identical to ccm_set_encrypt and ccm_set_decrypt, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_digest (struct ccm_aes128_ctx *ctx, size_t length, uint8_t *digest)
Function: void ccm_aes192_digest (struct ccm_aes192_ctx *ctx, size_t length, uint8_t *digest)
Function: void ccm_aes256_digest (struct ccm_aes256_ctx *ctx, size_t length, uint8_t *digest)

These are identical to ccm_set_digest, except that cipher, f, and ctx are replaced with a context structure.

Function: void ccm_aes128_encrypt_message (struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes192_encrypt_message (struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void ccm_aes256_encrypt_message (struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)
Function: int ccm_aes128_decrypt_message (struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int ccm_aes192_decrypt_message (struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int ccm_aes192_decrypt_message (struct ccm_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

These are identical to ccm_encrypt_message and ccm_decrypt_message except that cipher and f are replaced with a context structure.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

7.4.4 ChaCha-Poly1305

ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (see Poly1305). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha.

Nettle’s implementation of ChaCha-Poly1305 follows RFC 8439, where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte block counter. This allows up to 256 gigabytes of data to be encrypted using the same key and nonce.

For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream (counter all zero) is set aside for the authentication subkeys. Of this 64-octet block, the first 16 octets specify the poly1305 evaluation point, and the next 16 bytes specify the value to add in for the final digest. The final 32 bytes of this block are unused. Note that unlike poly1305-aes, the evaluation point depends on the nonce. This is preferable, because it leaks less information in case the attacker for some reason is lucky enough to forge a valid authentication tag, and observe (from the receiver’s behaviour) that the forgery succeeded.

The ChaCha key stream, starting with counter value 1, is then used to encrypt the message. For authentication, poly1305 is applied to the concatenation of the associated data, the cryptotext, and the lengths of the associated data and the message, each a 64-bit number (eight octets, little-endian). Nettle defines ChaCha-Poly1305 in <nettle/chacha-poly1305.h>.

Constant: CHACHA_POLY1305_BLOCK_SIZE

Same as the ChaCha block size, 64.

Constant: CHACHA_POLY1305_KEY_SIZE

ChaCha-Poly1305 key size, 32.

Constant: CHACHA_POLY1305_NONCE_SIZE

ChaCha-Poly1305 nonce size, 12.

Constant: CHACHA_POLY1305_DIGEST_SIZE

Digest size, 16.

Context struct: struct chacha_poly1305_ctx
Function: void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key)

Initializes ctx using the given key. Before using the context, you must also call chacha_poly1305_set_nonce, see below.

Function: void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce)

Initializes the per-message state, using the given nonce.

Function: void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data)

Process associated data for authentication.

Function: void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)
Function: void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts or decrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If length is smaller than CHACHA_POLY1305_DIGEST_SIZE, only the first length octets of the digest are written.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

7.4.5 OCB (Offset Code Book) Mode

The OCB mode is an AEAD construction, featuring particularly fast and simple authentication; it needs one block cipher operation per data block, and almost free authentication. It is constructed on top of a block cipher which must have a block size of 128 bits.

There have been several versions of the OCB scheme, the implementation in Nettle follows RFC 7253, which is almost the same as the scheme OCB3.

7.4.5.1 General interface

Context struct: struct ocb_key

OCB state which depends only on the key, but not on the nonce or the message.

Context struct: struct ocb_ctx

Holds state corresponding to a particular message.

Constant: OCB_BLOCK_SIZE

The block size for OCB’s block size, 16.

Constant: OCB_MAX_NONCE_SIZE

The maximum nonce size for OCB, 15.

Constant: OCB_DIGEST_SIZE

Size of the OCB authentication tag.

Function: void ocb_set_key (struct ocb_key *key, const void *cipher, nettle_cipher_func *f)

Initializes the key struct. The cipher context must be initialized for encryption, and f should be the corresponding encryption function.

Function: void ocb_set_nonce (struct ocb_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t tag_length, size_t nonce_length, const uint8_t *nonce)

Initializes ctx for processing a new message, using the given nonce. The cipher must be initialized for encryption, and f should be the corresponding encryption function. The tag_length (non-zero, and at most 16) is included when initializing the state, and should be the same value later passed to ocb_digest. Nonce is optional, and length at most 15 bytes.

Function: void ocb_update (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_encrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts the data of a message. cipher is the context struct for the underlying cipher and f is the encryption function. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_decrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t length, uint8_t *dst, const uint8_t *src)

Decrypts the data of a message. encrypt_ctx and encrypt define the encryption operation of the underlying cipher, while decrypt_ctx and decrypt represent the decryption operation (for some ciphers, one of context pointer and function pointer may be the same). All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_digest (const struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. The length value should be the same as the tag length passed to the preceding ocb_set_nonce call (using a different length is possible, but incompatible with RFC 7253).

Function: void ocb_encrypt_message (const struct ocb_key *ocb_key, const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the tag to the ciphertext and writes it to dst. The clength variable must be equal to the length of src plus tlength.

Function: int ocb_decrypt_message (const struct ocb_key *ocb_key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst. Like ocb_decrypt, it needs both the encrypt and the decrypt function of the underlying cipher. It also recalculates the authentication tag from adata and the plaintext, and compares it to the final tlength bytes of src. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

7.4.5.2 OCB-AES interface

Context struct: struct ocb_aes128_encrypt_key

Key-dependent state for encryption using OCB-AES128. For decryption, a separate struct aes128_ctx, initialized for decryption, is needed as well.

Function: void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *ocb, const uint8_t *key)

Initializes ocb and the underlying AES cipher with the given key.

Function: void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *ocb, struct aes128_ctx *decrypt, const uint8_t *key)

Initializes ocb and the underlying AES cipher with the given key. In addition, initialize decrypt for decryption using the same key; this is needed for ocb_aes128_decrypt and ocb_aes128_decrypt_message.

Function: void ocb_aes128_set_nonce (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t tag_length, size_t nonce_length, const uint8_t *nonce)

Initializes ctx for processing a new message, using the given nonce and key. The tag_length (non-zero, and at most 16) is included when initializing the state, and should be the same value later passed to ocb_digest. Nonce is optional, and length at most 15 bytes.

Function: void ocb_aes128_update (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, const uint8_t *data)

Process associated data for authentication. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_aes128_encrypt (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, uint8_t *dst, const uint8_t *src)

Encrypts the data of a message. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_aes128_decrypt (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t length, uint8_t *dst, const uint8_t *src)

Decrypts the data of a message. decrypt is an AES context initialized for decryption using the same key. All but the last call for each message must use a length that is a multiple of the block size.

Function: void ocb_aes128_digest (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, uint8_t *digest)

Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. The length value should be the same as the tag length passed to the preceding ocb_aes128_set_nonce call (using a different length is possible, but incompatible with RFC 7253).

Function: void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the tag to the ciphertext and writes it to dst. The clength variable must be equal to the length of src plus tlength.

Function: int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst. Like ocb_aes128_decrypt, it needs an AES context initialized for decryption using the same key. It also recalculates the authentication tag from adata and the plaintext, and compares it to the final tlength bytes of src. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

7.4.6 Synthetic Initialization Vector AEAD

SIV-CMAC mode is a combination of counter mode with message authentication based on CMAC. Unlike other counter AEAD modes, it provides protection against accidental nonce misuse, making it a good choice for stateless-servers that cannot ensure nonce uniqueness. It is constructed on top of a block cipher which must have a block size of 128 bits. Nettle’s support for SIV-CMAC consists of a message encryption and authentication interface, for SIV-CMAC using AES as the underlying block cipher. When a nonce is re-used with this mode, message authenticity is retained however an attacker can determine whether the same plaintext was protected with the two messages sharing the nonce. These interfaces are defined in <nettle/siv-cmac.h>.

Unlike other AEAD mode in SIV-CMAC the initialization vector serves as the tag. That means that in the generated ciphertext the tag precedes the ciphertext.

Note also, that the SIV-CMAC algorithm, as specified in RFC 5297, introduces the notion of authenticated data which consist of multiple components. For example with SIV-CMAC the authentication tag of data X followed by Y, is different than the concatenated data X || Y. The interfaces described below follow the AEAD paradigm and do not allow access to this feature and also require the use of a non-empty nonce. In the terminology of the RFC, the input to the S2V function is always a vector of three elements, where S1 is the authenticated data, S2 is the nonce, and S3 is the plaintext.

7.4.6.1 General interface

Constant: SIV_BLOCK_SIZE

SIV-CMAC’s block size, 16.

Constant: SIV_DIGEST_SIZE

Size of the SIV-CMAC digest or initialization vector, 16.

Constant: SIV_MIN_NONCE_SIZE

The the minimum size for an SIV-CMAC nonce, 1.

7.4.6.2 SIV-CMAC-AES interface

The AES SIV-CMAC functions provide an API for using SIV-CMAC mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the cipher, f, and ctx parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface.

Context struct: struct siv_cmac_aes128_ctx

Holds state corresponding to a particular message encrypted using the AES-128 block cipher.

Context struct: struct siv_cmac_aes256_ctx

Holds state corresponding to a particular message encrypted using the AES-256 block cipher.

Function: void siv_cmac_aes128_set_key (struct siv_cmac_aes128_ctx *ctx, const uint8_t *key)
Function: void siv_cmac_aes256_set_key (struct siv_cmac_aes256_ctx *ctx, const uint8_t *key)

Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES SIV-CMAC interface.

Function: void siv_cmac_aes128_encrypt_message (struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void siv_cmac_aes256_encrypt_message (struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, prepends the initialization vector to the ciphertext and outputs it to dst. The clength variable must be equal to the length of src plus SIV_DIGEST_SIZE.

Function: int siv_cmac_aes128_decrypt_message (struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int siv_cmac_aes256_decrypt_message (struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst, recalculates the initialization vector from adata and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

Next: , Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

7.4.7 SIV-GCM

SIV-GCM, described in RFC 8452, is an AEAD construction similar to AES-GCM, but provides protection against accidental nonce misuse like SIV-CMAC mode.

It is constructed on top of a block cipher which must have a block size of 128 bits and a nonce size of 12 bytes. Nettle’s support for SIV-GCM consists of a message encryption and authentication interface, for SIV-GCM using AES as the underlying block cipher. These interfaces are defined in <nettle/siv-gcm.h>.

Unlike other AEAD mode in SIV-GCM the tag is calculated over the encoded additional authentication data and plaintext instead of the ciphertext.

7.4.7.1 General interface

Constant: SIV_GCM_BLOCK_SIZE

SIV-GCM’s block size, 16.

Constant: SIV_GCM_DIGEST_SIZE

Size of the SIV-GCM digest for tags, 16.

Constant: SIV_GCM_NONCE_SIZE

Size of the SIV-GCM nonce, 12.

Function: void siv_gcm_encrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the authentication tag to the ciphertext and outputs it to dst. The clength variable must be equal to the length of src plus SIV_GCM_DIGEST_SIZE.

Function: int siv_gcm_decrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst, recalculates the initialization vector from adata and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

In the above interface, nc must point to a cipher that works with 16-byte block size and the key sizes that are multiple of 8-bytes. The ctx context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. While the ctr_ctx context structure must have the same size as ctx, it does not need to be initialized before calling those functions as it is used as working storage. These structures can point to the same area; in that case the contents of *ctx is destroyed by the call.

For convenience, Nettle provides wrapper functions that works with AES described in the following section.

7.4.7.2 SIV-GCM-AES interface

The SIV-GCM functions provide an API for using SIV-GCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the cipher, f, and ctx parameters are replaced with an AES context structure. The AES context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface.

Function: void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)
Function: void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src)

Computes the message digest from the adata and src parameters, encrypts the plaintext from src, appends the authentication tag to the ciphertext and outputs it to dst. The clength variable must be equal to the length of src plus SIV_GCM_DIGEST_SIZE.

Function: int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)
Function: int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src)

Decrypts the ciphertext from src, outputs the plaintext to dst, recalculates the initialization vector from adata and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.

Previous: , Up: Authenticated encryption with associated data   [Contents][Index]

7.4.8 The struct nettle_aead abstraction

Nettle includes a struct including information about the supported hash functions. It is defined in <nettle/nettle-meta.h>.

Meta struct: struct nettle_aead name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest

The last seven attributes are function pointers.

Constant Struct: struct nettle_aead nettle_gcm_aes128
Constant Struct: struct nettle_aead nettle_gcm_aes192
Constant Struct: struct nettle_aead nettle_gcm_aes256
Constant Struct: struct nettle_aead nettle_gcm_camellia128
Constant Struct: struct nettle_aead nettle_gcm_camellia256
Constant Struct: struct nettle_aead nettle_eax_aes128
Constant Struct: struct nettle_aead nettle_chacha_poly1305

These are most of the AEAD constructions that Nettle implements. Note that CCM is missing; it requirement that the message size is specified in advance makes it incompatible with the nettle_aead abstraction.

Nettle also exports a list of all these constructions.

Function: const struct nettle_aead ** nettle_get_aeads (void)

Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms.

Macro: nettle_aeads

A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers.

Next: , Previous: , Up: Reference   [Contents][Index]

7.5 Keyed Hash Functions

A keyed hash function, or Message Authentication Code (MAC) is a function that takes a key and a message, and produces fixed size MAC. It should be hard to compute a message and a matching MAC without knowledge of the key. It should also be hard to compute the key given only messages and corresponding MACs.

Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the MAC and attaches it to the message. The receiver, Bob, also computes the MAC of the message, using the same key, and compares that to Alice’s value. If they match, Bob can be assured that the message has not been modified on its way from Alice.

However, unlike digital signatures, this assurance is not transferable. Bob can’t show the message and the MAC to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the same key is used on both sides, and anyone knowing the key can create a correct MAC for any message. If Bob believes that only he and Alice knows the key, and he knows that he didn’t attach a MAC to a particular message, he knows it must be Alice who did it. However, the third party can’t distinguish between a MAC created by Alice and one created by Bob.

Keyed hash functions are typically a lot faster than digital signatures as well.

Next: , Up: Keyed Hash Functions   [Contents][Index]

7.5.1 HMAC

One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is HMAC, described in RFC 2104.

For an underlying hash function H, with digest size l and internal block size b, HMAC-H is constructed as follows: From a given key k, two distinct subkeys k_i and k_o are constructed, both of length b. The HMAC-H of a message m is then computed as H(k_o | H(k_i | m)), where | denotes string concatenation.

HMAC keys can be of any length, but it is recommended to use keys of length l, the digest size of the underlying hash function H. Keys that are longer than b are shortened to length l by hashing with H, so arbitrarily long keys aren’t very useful.

Nettle’s HMAC functions are defined in <nettle/hmac.h>. There are abstract functions that use a pointer to a struct nettle_hash to represent the underlying hash function and void * pointers that point to three different context structs for that hash function. There are also concrete functions for HMAC-MD5, HMAC-RIPEMD160 HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, and HMAC-SM3. First, the abstract functions:

Function: void hmac_set_key (void *outer, void *inner, void *state, const struct nettle_hash *H, size_t length, const uint8_t *key)

Initializes the three context structs from the key. The outer and inner contexts corresponds to the subkeys k_o and k_i. state is used for hashing the message, and is initialized as a copy of the inner context.

Function: void hmac_update (void *state, const struct nettle_hash *H, size_t length, const uint8_t *data)

This function is called zero or more times to process the message. Actually, hmac_update(state, H, length, data) is equivalent to H->update(state, length, data), so if you wish you can use the ordinary update function of the underlying hash function instead.

Function: void hmac_digest (const void *outer, const void *inner, void *state, const struct nettle_hash *H, size_t length, uint8_t *digest)

Extracts the MAC of the message, writing it to digest. outer and inner are not modified. length is usually equal to H->digest_size, but if you provide a smaller value, only the first length octets of the MAC are written.

This function also resets the state context so that you can start over processing a new message (with the same key).

Like for CBC, there are some macros to help use these functions correctly.

Macro: HMAC_CTX (type)

Expands to 

{
   type outer;
   type inner;
   type state;
}

It can be used to define a HMAC context struct, either directly, 

struct HMAC_CTX(struct md5_ctx) ctx;

or to give it a struct tag, 

struct hmac_md5_ctx HMAC_CTX (struct md5_ctx);
Macro: HMAC_SET_KEY (ctx, H, length, key)

ctx is a pointer to a context struct as defined by HMAC_CTX, H is a pointer to a const struct nettle_hash describing the underlying hash function (so it must match the type of the components of ctx). The last two arguments specify the secret key.

Macro: HMAC_DIGEST (ctx, H, length, digest)

ctx is a pointer to a context struct as defined by HMAC_CTX, H is a pointer to a const struct nettle_hash describing the underlying hash function. The last two arguments specify where the digest is written.

Note that there is no HMAC_UPDATE macro; simply call hmac_update function directly, or the update function of the underlying hash function.

Now we come to the specialized HMAC functions, which are easier to use than the general HMAC functions.

7.5.1.1 HMAC-MD5

Context struct: struct hmac_md5_ctx
Function: void hmac_md5_set_key (struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_md5_update (struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_md5_digest (struct hmac_md5_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than MD5_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

7.5.1.2 HMAC-RIPEMD160

Context struct: struct hmac_ripemd160_ctx
Function: void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_ripemd160_update (struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than RIPEMD160_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

7.5.1.3 HMAC-SHA1

Context struct: struct hmac_sha1_ctx
Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sha1_update (struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sha1_digest (struct hmac_sha1_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than SHA1_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

7.5.1.4 HMAC-SHA256

Context struct: struct hmac_sha256_ctx
Function: void hmac_sha256_set_key (struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sha256_update (struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sha256_digest (struct hmac_sha256_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than SHA256_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

7.5.1.5 HMAC-SHA512

Context struct: struct hmac_sha512_ctx
Function: void hmac_sha512_set_key (struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sha512_update (struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sha512_digest (struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than SHA512_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

7.5.1.6 HMAC-SM3

Context struct: struct hmac_sm3_ctx
Function: void hmac_sm3_set_key (struct hmac_sm3_ctx *ctx, size_t key_length, const uint8_t *key)

Initializes the context with the key.

Function: void hmac_sm3_update (struct hmac_sm3_ctx *ctx, size_t length, const uint8_t *data)

Process some more data.

Function: void hmac_sm3_digest (struct hmac_sm3_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC, writing it to digest. length may be smaller than SM3_DIGEST_SIZE, in which case only the first length octets of the MAC are written.

This function also resets the context for processing new messages, with the same key.

Next: , Previous: , Up: Keyed Hash Functions   [Contents][Index]

7.5.2 UMAC

UMAC is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, See Galois counter mode, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 times faster than SHA256 and SHA512. UMAC is specified in RFC 4418.

The secret key is always 128 bits (16 octets). The key is used as an encryption key for the AES block cipher. This cipher is used in counter mode to generate various internal subkeys needed in UMAC. Messages are of arbitrary size, and for each message, UMAC also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret.

The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle’s implementation of UMAC increments the nonce automatically for each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into account. E.g., if the initial nonce is “abc” (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to “abd”, and this incremented value is zero-padded to 16 octets.

UMAC is defined in four variants, for different output sizes: 32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 octets), corresponding to different trade-offs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other hash and MAC functions, Nettle’s _digest functions for UMAC accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the umac variant corresponding to the desired size.

The internal block size of UMAC is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the context struct quite a bit larger than other hash functions and MAC algorithms in Nettle.

Nettle defines UMAC in <nettle/umac.h>.

Context struct: struct umac32_ctx
Context struct: struct umac64_ctx
Context struct: struct umac96_ctx
Context struct: struct umac128_ctx

Each UMAC variant uses its own context struct.

Constant: UMAC_KEY_SIZE

The UMAC key size, 16.

Constant: UMAC_MIN_NONCE_SIZE
Constant: UMAC_MAX_NONCE_SIZE

The the minimum and maximum sizes for an UMAC nonce, 1 and 16, respectively.

Constant: UMAC32_DIGEST_SIZE

The size of an UMAC32 digest, 4.

Constant: UMAC64_DIGEST_SIZE

The size of an UMAC64 digest, 8.

Constant: UMAC96_DIGEST_SIZE

The size of an UMAC96 digest, 12.

Constant: UMAC128_DIGEST_SIZE

The size of an UMAC128 digest, 16.

Constant: UMAC_BLOCK_SIZE

The internal block size of UMAC.

Function: void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key)
Function: void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key)
Function: void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key)
Function: void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key)

These functions initialize the UMAC context struct. They also initialize the nonce to zero (with length 16, for auto-increment).

Function: void umac32_set_nonce (struct umac32_ctx *ctx, size_t length, const uint8_t *nonce)
Function: void umac64_set_nonce (struct umac64_ctx *ctx, size_t length, const uint8_t *nonce)
Function: void umac96_set_nonce (struct umac96_ctx *ctx, size_t length, const uint8_t *nonce)
Function: void umac128_set_nonce (struct umac128_ctx *ctx, size_t length, const uint8_t *nonce)

Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for UMAC (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called before the first _update call for the message.

Function: void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data)
Function: void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data)
Function: void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data)
Function: void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data)

These functions are called zero or more times to process the message.

Function: void umac32_digest (struct umac32_ctx *ctx, size_t length, uint8_t *digest)
Function: void umac64_digest (struct umac64_ctx *ctx, size_t length, uint8_t *digest)
Function: void umac96_digest (struct umac96_ctx *ctx, size_t length, uint8_t *digest)
Function: void umac128_digest (struct umac128_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC of the message, writing it to digest. length is usually equal to the specified output size, but if you provide a smaller value, only the first length octets of the MAC are written. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the _set_nonce function explicitly for each message.

Next: , Previous: , Up: Keyed Hash Functions   [Contents][Index]

7.5.3 CMAC

CMAC is a message authentication code based on CBC encryption mode. It is suitable for systems where block ciphers are preferrable and perform better than hash functions. CMAC-128 is specified in RFC4493. The block size is always 128 bits (16 octets). CMAC-64 is specified by NIST Special Publication 800-38B. The block size is always 64 bits (8 octets).

Nettle provides helper functions for CMAC-128 with the AES block cipher and for CMAC-64 with the Tripple-DES block cipher.

Nettle defines CMAC in <nettle/cmac.h>.

Context struct: struct cmac_aes128_ctx
Context struct: struct cmac_aes256_ctx
Constant: CMAC128_DIGEST_SIZE

The size of an CMAC-128 digest, 16.

Function: void cmac_aes128_set_key (struct cmac_aes128_ctx *ctx, const uint8_t *key)

This function initializes the CMAC context struct for AES-128.

Function: void cmac_aes128_update (struct cmac_aes128_ctx *ctx, size_t length, const uint8_t *data)

This function is called zero or more times to process the message.

Function: void cmac_aes128_digest (struct cmac_aes128_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC of the message, writing it to digest. length is usually equal to the specified output size, but if you provide a smaller value, only the first length octets of the MAC are written. This function resets the context for processing of a new message with the same key.

Function: void cmac_aes256_set_key (struct cmac_aes256_ctx *ctx, const uint8_t *key)

This function initializes the CMAC context struct for AES-256.

Function: void cmac_aes256_update (struct cmac_aes256_ctx *ctx, size_t length, const uint8_t *data)

This function is called zero or more times to process the message.

Function: void cmac_aes256_digest (struct cmac_aes256_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC of the message, writing it to digest. length is usually equal to the specified output size, but if you provide a smaller value, only the first length octets of the MAC are written. This function resets the context for processing of a new message with the same key.

Context struct: struct cmac_des3_ctx
Constant: CMAC64_DIGEST_SIZE

The size of an CMAC-64 digest, 8.

Function: void cmac_des3_set_key (struct cmac_des3_ctx *ctx, const uint8_t *key)

This function initializes the CMAC context struct for Tripple-DES.

Function: void cmac_des3_update (struct cmac_des3_ctx *ctx,size_t length, const uint8_t *data)

This function is called zero or more times to process the message.

Function: void cmac_des3_digest (struct cmac_des3_ctx *ctx, size_t length, uint8_t *digest)

Extracts the MAC of the message, writing it to digest. length is usually equal to the specified output size, but if you provide a smaller value, only the first length octets of the MAC are written. This function resets the context for processing of a new message with the same key.

Previous: , Up: Keyed Hash Functions   [Contents][Index]

7.5.4 Poly1305

Poly1305-AES is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number 2^130 - 5.

The key, 256 bits, consists of two parts, where the first half is an AES-128 key, and the second half specifies the point where the polynomial is evaluated. Of the latter half, 22 bits are set to zero, to enable high-performance implementation, leaving 106 bits for specifying an evaluation point r. For each message, one must also provide a 128-bit nonce. The nonce is encrypted using the AES key, and that’s the only thing AES is used for.

The message is split into 128-bit chunks (with final chunk possibly being shorter), each read as a little-endian integer. Each chunk has a one-bit appended at the high end. The resulting integers are treated as polynomial coefficients modulo 2^130 - 5, and the polynomial is evaluated at the point r. Finally, this value is reduced modulo 2^128, and added (also modulo 2^128) to the encrypted nonce, to produce an 128-bit authenticator for the message. See https://cr.yp.to/mac/poly1305-20050329.pdf for further details.

Clearly, variants using a different cipher than AES could be defined. Another variant is the ChaCha-Poly1305 AEAD construction (see ChaCha-Poly1305). Nettle defines Poly1305-AES in nettle/poly1305.h.

Constant: POLY1305_AES_KEY_SIZE

Key size, 32 octets.

Constant: POLY1305_AES_DIGEST_SIZE

Size of the digest or “authenticator”, 16 octets.

Constant: POLY1305_AES_NONCE_SIZE

Nonce size, 16 octets.

Context struct: struct poly1305_aes_ctx

The poly1305-aes context struct.

Function: void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t *key)

Initialize the context struct. Also sets the nonce to zero.

Function: void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t *nonce)

Sets the nonce. Calling this function is optional, since the nonce is incremented automatically for each message.

Function: void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data)

Process more data.

Function: void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, size_t length, uint8_t *digest)

Extracts the digest. If length is smaller than POLY1305_AES_DIGEST_SIZE, only the first length octets are written. Also increments the nonce, and prepares the context for processing a new message.

Next: , Previous: , Up: Reference   [Contents][Index]

7.6 Key derivation Functions

A key derivation function (KDF) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the password-based key derivation functions (PBKDFs), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation.

7.6.1 HKDF: HMAC-based Extract-and-Expand

HKDF is a key derivation function used as a building block of higher-level protocols like TLS 1.3. It is a derivation function based on HMAC described in RFC 5869, and is split into two logical modules, called ’extract’ and ’expand’. The extract module takes an initial secret and a random salt to "extract" a fixed-length pseudorandom key (PRK). The second stage takes as input the previous PRK and some informational data (e.g., text) and expands them into multiple keys.

Nettle’s HKDF functions are defined in <nettle/hkdf.h>. There are two abstract functions for the extract and expand operations that operate on any HMAC implemented via the nettle_hash_update_func, and nettle_hash_digest_func interfaces.

Function: void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst)

Extract a Pseudorandom Key (PRK) from a secret and a salt according to HKDF. The HMAC must have been initialized, with its key being the salt for the Extract operation. This function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the secret secret of length secret_length. The output length is fixed to digest_size octets, thus the output buffer dst must have room for at least digest_size octets.

Function: void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst)

Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF. The HMAC must have been initialized, with its key being the PRK from the Extract operation. This function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the info info of length info_length, and the desired derived output length length. The output buffer is dst which must have room for at least length octets.

7.6.2 PBKDF2

The most well known PBKDF is the PKCS #5 PBKDF2 described in RFC 2898 which uses a pseudo-random function such as HMAC-SHA1.

Nettle’s PBKDF2 functions are defined in <nettle/pbkdf2.h>. There is an abstract function that operate on any PRF implemented via the nettle_hash_update_func, nettle_hash_digest_func interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384 and PBKDF2-HMAC-SHA512. First, the abstract function:

Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the update and digest functions passing the mac_ctx context parameter as an argument in order to compute digest of size digest_size. Inputs are the salt salt of length salt_length, the iteration counter iterations (> 0), and the desired derived output length length. The output buffer is dst which must have room for at least length octets.

Like for CBC and HMAC, there is a macro to help use the function correctly.

Macro: PBKDF2 (ctx, update, digest, digest_size, iterations, salt_length, salt, length, dst)

ctx is a pointer to a context struct passed to the update and digest functions (of the types nettle_hash_update_func and nettle_hash_digest_func respectively) to implement the underlying PRF with digest size of digest_size. Inputs are the salt salt of length salt_length, the iteration counter iterations (> 0), and the desired derived output length length. The output buffer is dst which must have room for at least length octets.

7.6.3 Concrete PBKDF2 functions

Now we come to the specialized PBKDF2 functions, which are easier to use than the general PBKDF2 function.

7.6.3.1 PBKDF2-HMAC-SHA1

Function: void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA1. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

7.6.3.2 PBKDF2-HMAC-SHA256

Function: void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA256. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

7.6.3.3 PBKDF2-HMAC-SHA384

Function: void pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA384. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

7.6.3.4 PBKDF2-HMAC-SHA512

Function: void pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst)

PBKDF2 with HMAC-SHA512. Derive length bytes of key into buffer dst using the password key of length key_length and salt salt of length salt_length, with iteration counter iterations (> 0). The output buffer is dst which must have room for at least length octets.

7.6.4 BALLOON

Balloon is a memory-hard password-hashing algorithm. An in-depth description of the algorithm and its properties can be found in an online research paper: Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. Retrieved Sep 1, 2022, from https://eprint.iacr.org/2016/027.pdf

Nettle’s definition of the BALLOON algorithm can be found in <nettle/balloon.h>. There is a general BALLOON function where the user can specify desired hash algorithm that will be used by the function. There are also concrete, more user-friendly functions that use common hash algorithms like SHA1, SHA256, SHA384 and SHA512. There is also a utility function which helps to determine the size of the working buffer that must be provided as one of the inputs.

Each BALLOON function takes as an input a password and a salt of arbitrary lengths, a time and a space parameters, and a scratch buffer. The space parameter s_cost determines how many blocks of working space the algorithm will require during its computation. It is common to set s_cost to a high value in order to increase the cost of hardware accelerators built by the adversary. The time parameter t_cost determines the number of rounds of computation that the algorithm will perform. This can be used to further increase the cost of computation without raising the memory requirement. Scratch buffer scratch is a user allocated working space required by the algorithm. To determine the required size of the scratch buffer use the utility function balloon_itch. Output of BALLOON algorithm will be written into the output buffer dst that has to be at least digest_size bytes long. Note that it is safe to use the same buffer for both scratch and dst. Next follows the description of the general BALLOON function.

Function: void balloon (void *hash_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

Compute hash of given password passwd of length passwd_length salted with salt of length salt_length and write digest_size bytes into the output buffer dst. Parameter hash_ctx is a context for the underlying hash function, which much be initialized by the caller. update and digest are the update and digest functions of the chosen hash algorithm. digest_size is the digest size of the chosen hash algorithm and determines the size of the output.

Function: size_t balloon_itch (size_t digest_size, size_t s_cost)

Compute the size of the scratch buffer scratch. digest_size is the digest size of the chosen hash algorithm. s_cost is the space parameter used by the balloon function.

7.6.5 Concrete BALLOON functions

Here follows a list of the specialized BALLOON functions, which are more user-friendly variants of the general function.

7.6.5.1 BALLOON-SHA1

Function: void balloon_sha1 (size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

BALLOON algorithm using SHA1 as the underlying hash function.

7.6.5.2 BALLOON-SHA256

Function: void balloon_sha256 (size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

BALLOON algorithm using SHA256 as the underlying hash function.

7.6.5.3 BALLOON-SHA384

Function: void balloon_sha384 (size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

BALLOON algorithm using SHA384 as the underlying hash function.

7.6.5.4 BALLOON-SHA512

Function: void balloon_sha512 (size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst)

BALLOON algorithm using SHA512 as the underlying hash function.

Next: , Previous: , Up: Reference   [Contents][Index]

7.7 Public-key algorithms

Nettle uses GMP, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle, you must install GMP, at least version 3.0, before compiling Nettle, and you need to link your programs with -lhogweed -lnettle -lgmp.

The concept of Public-key encryption and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, “symmetric”, cryptography, sender and receiver share the same keys, and these keys must be distributed in a secure way. And if there are many users or entities that need to communicate, each pair needs a shared secret key known by nobody else.

Public-key cryptography uses trapdoor one-way functions. A one-way function is a function F such that it is easy to compute the value F(x) for any x, but given a value y, it is hard to compute a corresponding x such that y = F(x). Two examples are cryptographic hash functions, and exponentiation in certain groups.

A trapdoor one-way function is a function F that is one-way, unless one knows some secret information about F. If one knows the secret, it is easy to compute both F and it’s inverse. If this sounds strange, look at the RSA example below.

Two important uses for one-way functions with trapdoors are public-key encryption, and digital signatures. The public-key encryption functions in Nettle are not yet documented; the rest of this chapter is about digital signatures.

To use a digital signature algorithm, one must first create a key-pair: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad guy is able to replace it (in transit, or in some user’s list of known public keys), bad things may happen.

There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, the digital signature depends on the message, so one can’t cut it out of context and glue it to a different message.

The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the “someone” also knows the private key corresponding to the public key.

The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation.

Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as “grant access to whoever knows the private key corresponding to this particular public key, and to no others”.

Next: , Up: Public-key algorithms   [Contents][Index]

7.7.1 RSA

The RSA algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the USA in 1983. The patent expired on September 20, 2000, and since that day, RSA can be used freely, even in the USA.

It’s remarkably simple to describe the trapdoor function behind RSA. The “one-way”-function used is 

F(x) = x^e mod n

I.e. raise x to the e’th power, while discarding all multiples of n. The pair of numbers n and e is the public key. e can be quite small, even e = 3 has been used, although slightly larger numbers are recommended. n should be about 2000 bits or larger.

If n is large enough, and properly chosen, the inverse of F, the computation of e’th roots modulo n, is very difficult. But, where’s the trapdoor?

Let’s first look at how RSA key-pairs are generated. First n is chosen as the product of two large prime numbers p and q of roughly the same size (so if n is 2000 bits, p and q are about 1000 bits each). One also computes the number phi = (p-1)(q-1), in mathematical speak, phi is the order of the multiplicative group of integers modulo n.

Next, e is chosen. It must have no factors in common with phi (in particular, it must be odd), but can otherwise be chosen more or less randomly. e = 65537 is a popular choice, because it makes raising to the e’th power particularly efficient, and being prime, it usually has no factors common with phi.

Finally, a number d, d < n is computed such that e d mod phi = 1. It can be shown that such a number exists (this is why e and phi must have no common factors), and that for all x, 

(x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x

Using Euclid’s algorithm, d can be computed quite easily from phi and e. But it is still hard to get d without knowing phi, which depends on the factorization of n.

So d is the trapdoor, if we know d and y = F(x), we can recover x as y^d mod n. d is also the private half of the RSA key-pair.

The most common signature operation for RSA is defined in PKCS#1, a specification by RSA Laboratories. The message to be signed is first hashed using a cryptographic hash function, e.g. MD5 or SHA1. Next, some padding, the ASN.1 “Algorithm Identifier” for the hash function, and the message digest itself, are concatenated and converted to a number x. The signature is computed from x and the private key as s = x^d mod n1. The signature, s is a number of about the same size of n, and it usually encoded as a sequence of octets, most significant octet first.

The verification operation is straight-forward, x is computed from the message in the same way as above. Then s^e mod n is computed, the operation returns true if and only if the result equals x.

The RSA algorithm can also be used for encryption. RSA encryption uses the public key (n,e) to compute the ciphertext m^e mod n. The PKCS#1 padding scheme will use at least 8 random and non-zero octets, using m of the form [00 02 padding 00 plaintext]. It is required that m < n, and therefor the plaintext must be smaller than the octet size of the modulo n, with some margin.

To decrypt the message, one needs the private key to compute m = c^e mod n followed by checking and removing the padding.

7.7.1.1 Nettle’s RSA support

Nettle represents RSA keys using two structures that contain large numbers (of type mpz_t).

Context struct: rsa_public_key size n e

size is the size, in octets, of the modulo, and is used internally. n and e is the public key.

Context struct: rsa_private_key size d p q a b c

size is the size, in octets, of the modulo, and is used internally. d is the secret exponent, but it is not actually used when signing. Instead, the factors p and q, and the parameters a, b and c are used. They are computed from p, q and e such that a e mod (p - 1) = 1, b e mod (q - 1) = 1, c q mod p = 1.

Before use, these structs must be initialized by calling one of

Function: void rsa_public_key_init (struct rsa_public_key *pub)
Function: void rsa_private_key_init (struct rsa_private_key *key)

Calls mpz_init on all numbers in the key struct.

and when finished with them, the space for the numbers must be deallocated by calling one of

Function: void rsa_public_key_clear (struct rsa_public_key *pub)
Function: void rsa_private_key_clear (struct rsa_private_key *key)

Calls mpz_clear on all numbers in the key struct.

In general, Nettle’s RSA functions deviates from Nettle’s “no memory allocation”-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see See GMP Allocation in GMP Manual.

When you have assigned values to the attributes of a key, you must call

Function: int rsa_public_key_prepare (struct rsa_public_key *pub)
Function: int rsa_private_key_prepare (struct rsa_private_key *key)

Computes the octet size of the key (stored in the size attribute, and may also do other basic sanity checks. Returns one if successful, or zero if the key can’t be used, for instance if the modulo is smaller than the minimum size needed for RSA operations specified by PKCS#1.

For each operation using the private key, there are two variants, e.g., rsa_sha256_sign and rsa_sha256_sign_tr. The former function is older, and it should be avoided, because it provides no defenses against side-channel attacks. The latter function use randomized RSA blinding, which defends against timing attacks using chosen-ciphertext, and it also checks the correctness of the private key computation using the public key, which defends against software or hardware errors which could leak the private key.

Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function’s context struct to the RSA signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument.

There is currently no support for using SHA224 or SHA384 with RSA signatures, since there’s no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively.

Creating an RSA signature is done with one of the following functions:

Function: int rsa_md5_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct md5_ctx *hash, mpz_t signature)
Function: int rsa_sha1_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, mpz_t signature)
Function: int rsa_sha256_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t signature)
Function: int rsa_sha512_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha512_ctx *hash, mpz_t signature)

The signature is stored in signature (which must have been mpz_init’ed earlier). The hash context is reset so that it can be used for new messages. The random_ctx and random pointers are used to generate the RSA blinding. Returns one on success, or zero on failure. Signing fails if an error in the computation was detected, or if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key.

Function: int rsa_md5_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha1_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha256_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha512_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t signature)

Creates a signature from the given hash digest. digest should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZErespectively. The signature is stored in signature (which must have been mpz_init:ed earlier). Returns one on success, or zero on failure.

Function: int rsa_pkcs1_sign_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *digest_info, mpz_t signature)

Similar to the above _sign_digest_tr functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm.

Function: int rsa_md5_sign (const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t signature)
Function: int rsa_sha1_sign (const struct rsa_private_key *key, struct sha1_ctx *hash, mpz_t signature)
Function: int rsa_sha256_sign (const struct rsa_private_key *key, struct sha256_ctx *hash, mpz_t signature)
Function: int rsa_sha512_sign (const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t signature)

The signature is stored in signature (which must have been mpz_init’ed earlier). The hash context is reset so that it can be used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key.

Function: int rsa_md5_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha1_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha256_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)
Function: int rsa_sha512_sign_digest (const struct rsa_private_key *key, const uint8_t *digest, mpz_t signature)

Creates a signature from the given hash digest; otherwise analoguous to the above signing functions. digest should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZE, respectively. The signature is stored in signature (which must have been mpz_init:ed earlier). Returns one on success, or zero on failure.

Function: int rsa_pkcs1_sign (const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s)

Similar to the above _sign_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm.

Verifying an RSA signature is done with one of the following functions:

Function: int rsa_md5_verify (const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t signature)
Function: int rsa_sha1_verify (const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t signature)
Function: int rsa_sha256_verify (const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t signature)
Function: int rsa_sha512_verify (const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t signature)

Returns 1 if the signature is valid, or 0 if it isn’t. In either case, the hash context is reset so that it can be used for new messages.

Function: int rsa_md5_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
Function: int rsa_sha1_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
Function: int rsa_sha256_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)
Function: int rsa_sha512_verify_digest (const struct rsa_public_key *key, const uint8_t *digest, const mpz_t signature)

Returns 1 if the signature is valid, or 0 if it isn’t. digest should point to a digest of size MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, SHA256_DIGEST_SIZE, or SHA512_DIGEST_SIZE respectively.

Function: int rsa_pkcs1_verify (const struct rsa_public_key *key, size_t length, const uint8_t *digest_info, const mpz_t signature)

Similar to the above _verify_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, and ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm.

While the above functions for the RSA signature operations use the PKCS#1 padding scheme, Nettle also provides the variants based on the PSS padding scheme, specified in RFC 8017. These variants take advantage of a randomly choosen salt value, which could enhance the security by causing output to be different for equivalent inputs. However, assuming the same security level as inverting the RSA algorithm, a longer salt value does not always mean a better security https://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf. The typical choices of the length are between 0 and the digest size of the underlying hash function.

Creating an RSA signature with the PSS padding scheme is done with one of the following functions:

Function: int rsa_pss_sha256_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t signature)
Function: int rsa_pss_sha384_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t signature)
Function: int rsa_pss_sha512_sign_digest_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t signature)

Creates a signature using the PSS padding scheme. salt should point to a salt string of size salt_length. digest should point to a digest of size SHA256_DIGEST_SIZE, SHA384_DIGEST_SIZE, or SHA512_DIGEST_SIZErespectively. The signature is stored in signature (which must have been mpz_init:ed earlier). Returns one on success, or zero on failure.

Verifying an RSA signature with the PSS padding scheme is done with one of the following functions:

Function: int rsa_pss_sha256_verify_digest (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature)
Function: int rsa_pss_sha384_verify_digest (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature)
Function: int rsa_pss_sha512_verify_digest (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature)

Returns 1 if the signature is valid, or 0 if it isn’t. digest should point to a digest of size SHA256_DIGEST_SIZE, SHA384_DIGEST_SIZE, or SHA512_DIGEST_SIZE respectively.

The following function is used to encrypt a clear text message using RSA.

Function: int rsa_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *cleartext, mpz_t ciphertext)

Returns 1 on success, 0 on failure. If the message is too long then this will lead to a failure.

The following function is used to decrypt a cipher text message using RSA.

Function: int rsa_decrypt (const struct rsa_private_key *key, size_t *length, uint8_t *cleartext, const mpz_t ciphertext)

Returns 1 on success, 0 on failure. Causes of failure include decryption failing or the resulting message being to large. The message buffer pointed to by cleartext must be of size *length. After decryption, *length will be updated with the size of the message.

There is also a timing resistant version of decryption that utilizes randomized RSA blinding.

Function: int rsa_decrypt_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t ciphertext)

Returns 1 on success, 0 on failure.

While the above functions for the RSA encryption operations use the PKCS#1 padding scheme, Nettle also provides the variants based on the OAEP padding scheme, specified in RFC 8017. These variants take advantage of a randomly choosen seed value, which could enhance the security by causing output to be different for equivalent inputs.

Encrypting a clear text message using RSA with the OAEP padding scheme is done with one of the following functions:

Function: int rsa_oaep_sha256_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext)
Function: int rsa_oaep_sha384_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext)
Function: int rsa_oaep_sha512_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext)

Returns 1 on success, 0 on failure. The label is optional and if omitted, label_length and label is set to 0 and NULL respectively. The maximum size of message can be calculated with k - 2 * hLen - 2, where k is the key size in octets obtained with key->size, and hLen is the output size of the underlying hash function (e.g., SHA256_DIGEST_SIZE for rsa_oaep_sha256_encrypt).

Decrypting a cipher text message using RSA with the OAEP padding scheme is done with one of the following functions:

Function: int rsa_oaep_sha256_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext)
Function: int rsa_oaep_sha384_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext)
Function: int rsa_oaep_sha512_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext)

Returns 1 on success, 0 on failure. These function utilize randomized RSA blinding similarly to rsa_decrypt_tr. The message buffer pointed to by cleartext must be of size *length. After decryption, *length will be updated with the size of the message.

If you need to use the RSA trapdoor, the private key, in a way that isn’t supported by the above functions Nettle also includes a function that computes x^d mod n and nothing more, using the CRT optimization.

Function: int rsa_compute_root_tr (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m)

Computes x = m^d. Returns one on success, or zero if a failure in the computation was detected.

Function: void rsa_compute_root (struct rsa_private_key *key, mpz_t x, const mpz_t m)

Computes x = m^d.

At last, how do you create new keys?

Function: int rsa_generate_keypair (struct rsa_public_key *pub, struct rsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned n_size, unsigned e_size)

There are lots of parameters. pub and key is where the resulting key pair is stored. The structs should be initialized, but you don’t need to call rsa_public_key_prepare or rsa_private_key_prepare after key generation.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks.

size_n is the desired size of the modulo, in bits. If size_e is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if e_size is zero, it is assumed that the caller has already chosen a value for e, and stored it in pub. Returns one on success, and zero on failure. The function can fail for example if if n_size is too small, or if e_size is zero and pub->e is an even number.

Next: , Previous: , Up: Public-key algorithms   [Contents][Index]

7.7.2 DSA

The DSA digital signature algorithm is more complex than RSA. It was specified during the early 1990s, and in 1994 NIST published FIPS 186 which is the authoritative specification. Sometimes DSA is referred to using the acronym DSS, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than sha1.

For DSA, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime p, a small prime q which is a factor of p-1, a number g which generates a subgroup of order q modulo p, and an element y in that subgroup.

In the original DSA, the size of q is fixed to 160 bits, to match with the SHA1 hash algorithm. The size of p is in principle unlimited, but the standard specifies only nine specific sizes: 512 + l*64, where l is between 0 and 8. Thus, the maximum size of p is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure.

The subgroup requirement means that if you compute 

g^t mod p

for all possible integers t, you will get precisely q distinct values.

The private key is a secret exponent x, such that 

g^x = y mod p

In mathematical speak, x is the discrete logarithm of y mod p, with respect to the generator g. The size of x will also be about the same size as q. The security of the DSA algorithm relies on the difficulty of the discrete logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack DSA, are of two types. The first type works directly in the (multiplicative) group of integers mod p. The best known algorithm of this type is the Number Field Sieve, and it’s complexity is similar to the complexity of factoring numbers of the same size as p. The other type works in the smaller q-sized subgroup generated by g, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity sqrt(q).

The important point is that security depends on the size of both p and q, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original DSA may be uncomfortably small. Using a p of 1024 bits implies that cracking using the number field sieve is expected to take about the same time as factoring a 1024-bit RSA modulo, and using a q of size 160 bits implies that cracking using Pollard-rho will take roughly 2^80 group operations. With the size of q fixed, tied to the SHA1 digest size, it may be tempting to increase the size of p to, say, 4096 bits. This will provide excellent resistance against attacks like the number field sieve which works in the large group. But it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack.

The signature generation algorithm is randomized; in order to create a DSA signature, you need a good source for random numbers (see Randomness). Let us describe the common case of a 160-bit q.

To create a signature, one starts with the hash digest of the message, h, which is a 160 bit number, and a random number k, 0<k<q, also 160 bits. Next, one computes 

r = (g^k mod p) mod q
s = k^-1 (h + x r) mod q

The signature is the pair (r, s), two 160 bit numbers. Note the two different mod operations when computing r, and the use of the secret exponent x.

To verify a signature, one first checks that 0 < r,s < q, and then one computes backwards, 

w = s^-1 mod q
v = (g^(w h) y^(w r) mod p) mod q

The signature is valid if v = r. This works out because w = s^-1 mod q = k (h + x r)^-1 mod q, so that 

g^(w h) y^(w r) = g^(w h) (g^x)^(w r) = g^(w (h + x r)) = g^k

When reducing mod q this yields r. Note that when verifying a signature, we don’t know either k or x: those numbers are secret.

If you can choose between RSA and DSA, which one is best? Both are believed to be secure. DSA gained popularity in the late 1990s, as a patent free alternative to RSA. Now that the RSA patents have expired, there’s no compelling reason to want to use DSA. Today, the original DSA key size does not provide a large security margin, and it should probably be phased out together with RSA keys of 1024 bits. Using the revised DSA algorithm with a larger hash function, in particular, SHA256, a 256-bit q, and p of size 2048 bits or more, should provide for a more comfortable security margin, but these variants are not yet in wide use.

DSA signatures are smaller than RSA signatures, which is important for some specialized applications.

From a practical point of view, DSA’s need for a good randomness source is a serious disadvantage. If you ever use the same k (and r) for two different message, you leak your private key.

7.7.2.1 Nettle’s DSA support

Like for RSA, Nettle represents DSA keys using two structures, containing values of type mpz_t. For information on how to customize allocation, see See GMP Allocation in GMP Manual. Nettle’s DSA interface is defined in <nettle/dsa.h>.

A DSA group is represented using the following struct.

Context struct: dsa_params p q g

Parameters of the DSA group.

Function: void dsa_params_init (struct dsa_params *params)

Calls mpz_init on all numbers in the struct.

Function: void dsa_params_clear (struct dsa_params *paramsparams)

Calls mpz_clear on all numbers in the struct.

Function: int dsa_generate_params (struct dsa_params *params, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits)

Generates parameters of a new group. The params struct should be initialized before you call this function.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks.

p_bits and q_bits are the desired sizes of p and q. To generate keys that conform to the original DSA standard, you must use q_bits = 160 and select p_bits of the form p_bits = 512 + l*64, for 0 <= l <= 8, where the smaller sizes are no longer recommended, so you should most likely stick to p_bits = 1024. Non-standard sizes are possible, in particular p_bits larger than 1024, although DSA implementations can not in general be expected to support such keys. Also note that using very large p_bits, with q_bits fixed at 160, doesn’t make much sense, because the security is also limited by the size of the smaller prime. To generate DSA keys for use with SHA256, use q_bits = 256 and, e.g., p_bits = 2048.

Returns one on success, and zero on failure. The function will fail if q_bits is too small, or too close to p_bits.

Signatures are represented using the structure below.

Context struct: dsa_signature r s

The r and s fields are both of type mpz_t.

Function: void dsa_signature_init (struct dsa_signature *signature)
Function: void dsa_signature_clear (struct dsa_signature *signature)

You must call dsa_signature_init before creating or using a signature, and call dsa_signature_clear when you are finished with it.

Keys are represented as bignums, of type mpz_t. A public key represents a group element, and is of the same size as p, while a private key is an exponent, of the same size as q.

Function: int dsa_sign (const struct dsa_params *params, const mpz_t x, void *random_ctx, nettle_random_func *random, size_t digest_size, const uint8_t *digest, struct dsa_signature *signature)

Creates a signature from the given hash digest, using the private key x. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness. Returns one on success, or zero on failure. Signing can fail only if the key is invalid, so that inversion modulo q fails.

Function: int dsa_verify (const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature)

Verifies a signature, using the public key y. Returns 1 if the signature is valid, otherwise 0.

To generate a keypair, first generate a DSA group using dsa_generate_params. A keypair in this group is then created using

Function: void dsa_generate_keypair (const struct dsa_params *params, mpz_t pub, mpz_t key, void *random_ctx, nettle_random_func *random)

Generates a new keypair, using the group params. The public key is stored in pub, and the private key in key. Both variables must be initialized using mpz_init before this call.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

7.7.2.2 Old, deprecated, DSA interface

Versions before nettle-3.0 used a different interface for DSA signatures, where the group parameters and the public key was packed together as struct dsa_public_key. Most of this interface is kept for backwards compatibility, and declared in nettle/dsa-compat.h. Below is the old documentation. The old and new interface use distinct names and don’t confict, with one exception: The key generation function. The nettle/dsa-compat.h redefines dsa_generate_keypair as an alias for dsa_compat_generate_keypair, compatible with the old interface and documented below.

The old DSA functions are very similar to the corresponding RSA functions, but there are a few differences pointed out below. For a start, there are no functions corresponding to rsa_public_key_prepare and rsa_private_key_prepare.

Context struct: dsa_public_key p q g y

The public parameters described above.

Context struct: dsa_private_key x

The private key x.

Before use, these structs must be initialized by calling one of

Function: void dsa_public_key_init (struct dsa_public_key *pub)
Function: void dsa_private_key_init (struct dsa_private_key *key)

Calls mpz_init on all numbers in the key struct.

When finished with them, the space for the numbers must be deallocated by calling one of

Function: void dsa_public_key_clear (struct dsa_public_key *pub)
Function: void dsa_private_key_clear (struct dsa_private_key *key)

Calls mpz_clear on all numbers in the key struct.

Signatures are represented using struct dsa_signature, described earlier.

For signing, you need to provide both the public and the private key (unlike RSA, where the private key struct includes all information needed for signing), and a source for random numbers. Signatures can use the SHA1 or the SHA256 hash function, although the implementation of DSA with SHA256 should be considered somewhat experimental due to lack of official test vectors and interoperability testing.

Function: int dsa_sha1_sign (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha1_ctx *hash, struct dsa_signature *signature)
Function: int dsa_sha1_sign_digest (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature)
Function: int dsa_sha256_sign (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, struct sha256_ctx *hash, struct dsa_signature *signature)
Function: int dsa_sha256_sign_digest (const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func random, const uint8_t *digest, struct dsa_signature *signature)

Creates a signature from the given hash context or digest. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness. Returns one on success, or zero on failure. Signing fails if the key size and the hash size don’t match.

Verifying signatures is a little easier, since no randomness generator is needed. The functions are

Function: int dsa_sha1_verify (const struct dsa_public_key *key, struct sha1_ctx *hash, const struct dsa_signature *signature)
Function: int dsa_sha1_verify_digest (const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature)
Function: int dsa_sha256_verify (const struct dsa_public_key *key, struct sha256_ctx *hash, const struct dsa_signature *signature)
Function: int dsa_sha256_verify_digest (const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature)

Verifies a signature. Returns 1 if the signature is valid, otherwise 0.

Key generation uses mostly the same parameters as the corresponding RSA function.

Function: int dsa_compat_generate_keypair (struct dsa_public_key *pub, struct dsa_private_key *key, void *random_ctx, nettle_random_func random, void *progress_ctx, nettle_progress_func progress, unsigned p_bits, unsigned q_bits)

pub and key is where the resulting key pair is stored. The structs should be initialized before you call this function.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

progress and progress_ctx can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. progress can be NULL, in that case there are no callbacks.

p_bits and q_bits are the desired sizes of p and q. See dsa_generate_keypair for details.

Previous: , Up: Public-key algorithms   [Contents][Index]

7.7.3 Elliptic curves

For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve groups. If P and Q are two points, and k is an integer, the point sum, P + Q, and the multiple k P can be computed efficiently, but given only two points P and Q, finding an integer k such that Q = k P is the elliptic curve discrete logarithm problem.

Nettle supports standard curves which are all of the form y^2 = x^3 - 3 x + b (mod p), i.e., the points have coordinates (x,y), both considered as integers modulo a specified prime p. Curves are represented as a struct ecc_curve. It also supports curve25519, which uses a different form of curve. Supported curves are declared in <nettle/ecc-curve.h>, e.g., call nettle_get_secp_256r1 for a standardized curve using the 256-bit prime p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1. The contents of these structs is not visible to nettle users. The “bitsize of the curve” is used as a shorthand for the bitsize of the curve’s prime p, e.g., 256 bits for the SECP 256R1 curve.

Next: , Up: Elliptic curves   [Contents][Index]

7.7.3.1 Side-channel silence

Nettle’s implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are:

  • Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key.
  • Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to get information about your secrets. This type of attack can even cross virtual machine boundaries.

Nettle’s ECC implementation is designed to be side-channel silent, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks.

Next: , Previous: , Up: Elliptic curves   [Contents][Index]

7.7.3.2 ECDSA

ECDSA is a variant of the DSA digital signature scheme (see DSA), which works over an elliptic curve group rather than over a (subgroup of) integers modulo p. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key).

Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating.

Nettle defines ECDSA in <nettle/ecdsa.h>. We first need to define the data types used to represent public and private keys.

struct: struct ecc_point

Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key.

Function: void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc)

Initializes p to represent points on the given curve ecc. Allocates storage for the coordinates, using the same allocation functions as GMP.

Function: void ecc_point_clear (struct ecc_point *p)

Deallocate storage allocated by previous ecc_point_init.

Function: int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y)

Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the infinity point (or zero point, with additive notation) is not allowed.

Function: void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y)

Extracts the coordinate of the point p. The output parameters x or y may be NULL if the caller doesn’t want that coordinate.

struct: struct ecc_scalar

Represents an integer in the range 0 < x < group order, where the “group order” refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key.

Function: void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc)

Initializes s to represent a scalar suitable for the given curve ecc. Allocates storage using the same allocation functions as GMP.

Function: void ecc_scalar_clear (struct ecc_scalar *s)

Deallocate the storage allocated by previous ecc_scalar_init.

Function: int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z)

Check that z is in the correct range. If so, copies the value to s and returns 1, otherwise returns 0.

Function: void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z)

Extracts the scalar, in GMP mpz_t representation.

To create and verify ECDSA signatures, the following functions are used.

Function: void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature)

Uses the private key key to create a signature of digest. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. The signature is stored in signature, in the same way as for plain DSA.

Function: int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature)

Uses the public key pub to verify that signature is a valid signature for the message digest digest (of length octets). Returns 1 if the signature is valid, otherwise 0.

Finally, generating a new ECDSA key pair:

Function: void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random)

pub and key is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function.

random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. For advice, see See Randomness.

Next: , Previous: , Up: Elliptic curves   [Contents][Index]

7.7.3.3 GOSTDSA

GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA (see DSA) and ECDSA (see ECDSA) digital signature schemes, which works over an elliptic curve group. Original documents are written in Russian. English translations are provided in RFC 5832 and RFC 7091. While technically nothing stops one from using GOSTDSA over any curve, it is defined only over several 256 and 512-bit curves. Like DSA and ECDSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key).

GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function (GOSTHASH94 and GOSTHASH94CP, RFC 5831). GOST R 34.10-2012 is defined to use GOST R 34.11-2012 hash function (Streebog, RFC 6986) of corresponding size (256 or 512) depending on curve size.

Nettle defines GOSTDSA in <nettle/gostdsa.h>. GOSTDSA reuses ECDSA data types (struct ecc_point, struct ecc_scalar) to represent public and private keys. Also to generate a new GOSTDSA key pair one has to use ecdsa_generate_keypair() function.

To create and verify GOSTDSA signatures, the following functions are used.

Function: void gostdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature)

Uses the private key key to create a signature of digest. random_ctx and random is a randomness generator. random(random_ctx, length, dst) should generate length random octets and store them at dst. The signature is stored in signature, in the same was as for plain DSA.

Function: int gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature)

Uses the public key pub to verify that signature is a valid signature for the message digest digest (of length octets). Returns 1 if the signature is valid, otherwise 0.

For historical reason several curve IDs (OIDs) may correspond to a single curve/generator combination. Following list defines correspondence between nettle’s view on curves and actual identifiers defined in RFC 4357 and RFC 7836.

Function: const struct ecc_curve nettle_get_gost_gc256b (void)

Returns curve corresponding to following identifiers:

  • id-GostR3410-2001-CryptoPro-A-ParamSet (RFC 4357)
  • id-GostR3410-2001-CryptoPro-XchA-ParamSet (RFC 4357)
  • id-tc26-gost-3410-12-256-paramSetB
Function: const struct ecc_curve nettle_get_gost_gc512a (void)

Returns curve corresponding to following identifiers:

  • id-tc26-gost-3410-12-512-paramSetA (RFC 7836)

For GOST key pairs key derivation/key agreement function (VKO) is defined in RFC 4357 and RFC 7836. Basically shared key is equal to hash(cofactor * ukm * priv * pub). Nettle library provides a function that does multiplication. Caller should do hashing on his own (it will be either GOST R 34.11-94 (see GOSTHASH94CP) or GOST R 34.11-2012, Streebog, which nor part of the library yet).

Function: void gostdsa_vko (const struct ecc_scalar *priv, const struct ecc_point *pub, size_t ukm_length, const uint8_t *ukm, uint8_t *out)

Uses private key priv, public ket pub and shared key material ukm to generate shared secret, written to buffer out. The buffer should be of the size equal to 2 private key lengths: 64 bytes for 256 bit curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually transferred in cleartext. It does not have to be secret.

Previous: , Up: Elliptic curves   [Contents][Index]

7.7.3.4 Curve25519 and Curve448

Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^255 - 19. Montgomery curves have the advantage of simple and efficient point addition based on the x-coordinate only. This particular curve was proposed by D. J. Bernstein in 2006, for fast Diffie-Hellman key exchange, and is also described in RFC 7748. The group generator is defined by x = 9 (there are actually two points with x = 9, differing by the sign of the y-coordinate, but that doesn’t matter for the curve25519 operations which work with the x-coordinate only).

The curve25519 functions are defined as operations on octet strings, representing 255-bit scalars or x-coordinates, in little-endian byte order. The most significant input bit, i.e, the most significant bit of the last octet, is always ignored.

For scalars, in addition, the least significant three bits are ignored, and treated as zero, and the second most significant bit is ignored too, and treated as one. Then the scalar input string always represents 8 times a number in the range 2^251 <= s < 2^252.

Of all the possible input strings, only about half correspond to x-coordinates of points on curve25519, i.e., a value x for which the the curve equation can be solved for y. The other half correspond to points on a related “twist curve”. The function curve25519_mul uses a Montgomery ladder for the scalar multiplication, as suggested in the curve25519 literature, and required by RFC 7748. The output is therefore well defined for all possible inputs, no matter if the input string represents a valid point on the curve or not.

Note that the curve25519 implementation in earlier versions of Nettle deviates slightly from RFC 7748, in that bit 255 of the x coordinate of the point input to curve25519_mul was not ignored. The nette/curve25519.h defines a preprocessor symbol NETTLE_CURVE25519_RFC7748 to indicate conformance with the standard.

Nettle defines Curve 25519 in <nettle/curve25519.h>.

Constant: NETTLE_CURVE25519_RFC7748

Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in earlier versions.

Constant: CURVE25519_SIZE

The size of the strings representing curve25519 points and scalars, 32.

Function: void curve25519_mul_g (uint8_t *q, const uint8_t *n)

Computes Q = N G, where G is the group generator and N is an integer. The input argument n and the output argument q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size CURVE25519_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult_base in the NaCl library.

Function: void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)

Computes Q = N P, where P is an input point and N is an integer. The input arguments n and p and the output argument q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size CURVE25519_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult in the NaCl library.

Similarly, Nettle also implements Curve448, an elliptic curve of Montgomery type, y^2 = x^3 + 156326 x^2 + x (mod p), with p = 2^448 - 2^224 - 1. This particular curve was proposed by Mike Hamburg in 2015, for fast Diffie-Hellman key exchange, and is also described in RFC 7748.

Nettle defines Curve 448 in <nettle/curve448.h>.

Constant: CURVE448_SIZE

The octet length of the strings representing curve448 points and scalars, 56.

Function: void curve448_mul_g (uint8_t *q, const uint8_t *n)

Computes Q = N G, where G is the group generator and N is an integer. The input argument n and the output argument q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size CURVE448_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult_base in the NaCl library.

Function: void curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p)

Computes Q = N P, where P is an input point and N is an integer. The input arguments n and p and the output argument q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size CURVE448_SIZE.

This function is intended to be compatible with the function crypto_scalar_mult in the NaCl library.

7.7.3.5 EdDSA

EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. It is defined using a “Twisted Edwards curve”, of the form -x^2 + y^2 = 1 + d x^2 y^2. The specific signature scheme Ed25519 uses a curve which is equivalent to curve25519: The two groups used differ only by a simple change of coordinates, so that the discrete logarithm problem is of equal difficulty in both groups.

Unlike other signature schemes in Nettle, the input to the EdDSA sign and verify functions is the possibly large message itself, not a hash digest. EdDSA is a variant of Schnorr signatures, where the message is hashed together with other data during the signature process, providing resilience to hash-collisions: A successful attack finding collisions in the hash function does not automatically translate into an attack to forge signatures. EdDSA also avoids the use of a randomness source by generating the needed signature nonce from a hash of the private key and the message, which means that the message is actually hashed twice when creating a signature. If signing huge messages, it is possible to hash the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost.

Constant: ED25519_KEY_SIZE

The size of a private or public Ed25519 key, 32 octets.

Constant: ED25519_SIGNATURE_SIZE

The size of an Ed25519 signature, 64 octets.

Function: void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv)

Computes the public key corresponding to the given private key. Both input and output are of size ED25519_KEY_SIZE.

Function: void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)

Signs a message using the provided key pair.

Function: int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)

Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.

Nettle also provides Ed448, an EdDSA signature scheme based on an Edwards curve equivalent to curve448.

Constant: ED448_KEY_SIZE

The size of a private or public Ed448 key, 57 octets.

Constant: ED448_SIGNATURE_SIZE

The size of an Ed448 signature, 114 octets.

Function: void ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv)

Computes the public key corresponding to the given private key. Both input and output are of size ED448_KEY_SIZE.

Function: void ed448_shake256_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature)

Signs a message using the provided key pair.

Function: int ed448_shake256_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature)

Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.

Next: , Previous: , Up: Reference   [Contents][Index]

7.8 Randomness

A crucial ingredient in many cryptographic contexts is randomness: Let p be a random prime, choose a random initialization vector iv, a random key k and a random exponent e, etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain.

In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name.

However, such a generator is inadequate for cryptography, for at least two reasons:

  • It’s too easy for an attacker to guess the initial seed. Even if it will take some 2^32 tries before he guesses right, that’s far too easy. For example, if the process id is 16 bits, the resolution of “current time” is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried.
  • The generator output reveals too much. By observing only a small segment of the generator’s output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker.

A randomness generator that is used for cryptographic purposes must have better properties. Let’s first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So what’s unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called “entropy”, or “conditional entropy” (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask n yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other information he knows about the seeding process, still can’t guess the seed correctly, then the conditional entropy is more than n bits.

Let’s look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or “unguessability” to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session.

Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are:

High resolution timing of i/o activities

Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not all systems include suitable hardware. If available, it’s one of the better randomness source one can find in a digital, mostly predictable, computer.

User activity

Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, TELNET session, or even SSH session may be visible to an attacker, in full or partially.

Audio input

Any room, or even a microphone input that’s left unconnected, is a source of some random background noise, which can be fed into the seeding process.

Specialized hardware

Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type.

Secret information

Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same seed more than once.

For all practical sources, it’s difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. Two important points are to make sure that the attacker can’t observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months?

So let’s assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine).

How do we generate output from this seed, and how much can we get? Some generators (notably the Linux /dev/random generator) tries to estimate available entropy and restrict the amount of output. The goal is that if you read 128 bits from /dev/random, you should get 128 “truly random” bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most cases, it doesn’t matter much. For most application, there’s no limit on the amount of useful “random” data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties.

At the heart of all generators lies its internal state. Future output is determined by the internal state alone. Let’s call it the generator’s key. The key is initialized from the unguessable seed. Important properties of a generator are:

Key-hiding

An attacker observing the output should not be able to recover the generator’s key.

Independence of outputs

Observing some of the output should not help the attacker to guess previous or future output.

Forward secrecy

Even if an attacker compromises the generator’s key, he should not be able to guess the generator output before the key compromise.

Recovery from key compromise

If an attacker compromises the generator’s key, he can compute all future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time t_1, there is another later time t_2, such that if the attacker observes all output generated between t_1 and t_2, he still can’t guess what output is generated after t_2.

Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones.

ChaCha (see ChaCha), like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality. There’s no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. Historically ARCFOUR (see Arcfour) has been used as a randomness generator, however it is known to be distinguishable from random data and the output leaks information about the key.

The “lagged Fibonacci” generator in <nettle/knuth-lfib.h> is a fast generator with good statistical properties, but is not for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed.

The recommended generator to use is Yarrow, described below.

7.8.1 Yarrow

Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at https://www.schneier.com/academic/yarrow/, and it uses SHA1 and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses SHA256 and AES to get an internal state of 256 bits.

Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later.

Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness “pools”, referred to as the “slow pool” and the “fast pool”. Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy to the fast pool, a “fast reseed” happens and the fast pool is mixed into the internal state. When at least two of the sources have contributed at least 160 bits each to the slow pool, a “slow reseed” takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise.

The output is generated by using AES to encrypt a counter, using the generator’s current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy.

Yarrow can also use a seed file to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens.

Nettle defines Yarrow-256 in <nettle/yarrow.h>.

Context struct: struct yarrow256_ctx
Context struct: struct yarrow_source

Information about a single source.

Constant: YARROW256_SEED_FILE_SIZE

Recommended size of the Yarrow-256 seed file.

Function: void yarrow256_init (struct yarrow256_ctx *ctx, unsigned nsources, struct yarrow_source *sources)

Initializes the yarrow context, and its nsources sources. It’s possible to call it with nsources=0 and sources=NULL, if you don’t need the update features.

Function: void yarrow256_seed (struct yarrow256_ctx *ctx, size_t length, uint8_t *seed_file)

Seeds Yarrow-256 from a previous seed file. length should be at least YARROW256_SEED_FILE_SIZE, but it can be larger.

The generator will trust you that the seed_file data really is unguessable. After calling this function, you must overwrite the old seed file with newly generated data from yarrow256_random. If it’s possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism.

Function: int yarrow256_update (struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, size_t length, const uint8_t *data)

Updates the generator with data from source SOURCE (an index that must be smaller than the number of sources). entropy is your estimated lower bound for the entropy in the data, measured in bits. Calling update with zero entropy is always safe, no matter if the data is random or not.

Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with yarrow256_random and overwrite the seed file. Otherwise, the function returns 0.

Function: void yarrow256_random (struct yarrow256_ctx *ctx, size_t length, uint8_t *dst)

Generates length octets of output. The generator must be seeded before you call this function.

If you don’t need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time.

Function: int yarrow256_is_seeded (struct yarrow256_ctx *ctx)

Returns 1 if the generator is seeded and ready to generate output, otherwise 0.

Function: unsigned yarrow256_needed_sources (struct yarrow256_ctx *ctx)

Returns the number of sources that must reach the threshold before a slow reseed will happen. Useful primarily when the generator is unseeded.

Function: void yarrow256_fast_reseed (struct yarrow256_ctx *ctx)
Function: void yarrow256_slow_reseed (struct yarrow256_ctx *ctx)

Causes a fast or slow reseed to take place immediately, regardless of the current entropy estimates of the two pools. Use with care.

Nettle includes an entropy estimator for one kind of input source: User keyboard input.

Context struct: struct yarrow_key_event_ctx

Information about recent key events.

Function: void yarrow_key_event_init (struct yarrow_key_event_ctx *ctx)

Initializes the context.

Function: unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time)

key is the id of the key (ASCII value, hardware key code, X keysym, …, it doesn’t matter), and time is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, time should be provided in units of microseconds. But if you use gettimeofday on a typical Unix system where the clock ticks 10 or so microseconds at a time, time should be given in units of 10 microseconds.

Returns an entropy estimate, in bits, suitable for calling yarrow256_update. Usually, 0, 1 or 2 bits.

7.8.2 DRBG-CTR

The Deterministic Random Bit Generator (DRBG) family is a complex family of deterministic randomness generators published by NIST in SP 800-90A.

We support what we believe is the reasonable parts of the CTR_DRBG algorithm for AES256. Re-seeding, personalization strings, derivation functions and support for non-AES256 is not implemented. Personalization strings can be implemented by the caller, if desired, with xor. If you need re-seeding or entropy derivation, we suggest that you use Yarrow instead.

The security bounds of DRBG-CTR are not intuitive, see “Security Bounds for the NIST Codebook-based Deterministic Random Bit Generator” by Matthew J. Campagna, from https://eprint.iacr.org/2006/379.pdf.

Our suggested use-case for DRBG-CTR is to deterministically generate known values from a seed when comparing against expected values for some other algorithm.

Nettle defines DRBG-CTR in <nettle/drbg-ctr.h>.

Context struct: struct drbg_ctr_aes256_ctx
Constant: DRBG_CTR_AES256_SEED_SIZE

The size of the seeding material.

Function: void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *ctx, uint8_t *seed_material)

Initialize the DRBG-CTR-AES256 context using DRBG_CTR_AES256_SEED_SIZE bytes of seed_material.

Function: void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *ctx, size_t n, uint8_t *dst)

Generates n octets of output into dst. The generator must be initialized before you call this function.

Next: , Previous: , Up: Reference   [Contents][Index]

7.9 ASCII encoding

Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was plain text in an email, or store it along with descriptive text in a file. You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text.

A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte).

The base64 encoding will always use alphanumeric (upper and lower case) characters and the ’+’, ’/’ and ’=’ symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters are added at the end. There’s also a “URL safe” variant, which is useful for encoding binary data into URLs and filenames. See RFC 4648.

The base16 encoding, also known as “hexadecimal”, uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated for each input byte.

Nettle supports both base64 and base16 encoding and decoding.

Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn’t need any). To encode or decode the data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function.

The following functions can be used to perform base64 encoding and decoding. They are defined in <nettle/base64.h>.

Context struct: struct base64_encode_ctx
Function: void base64_encode_init (struct base64_encode_ctx *ctx)
Function: void base64url_encode_init (struct base64_encode_ctx *ctx)

Initializes a base64 context. This is necessary before starting an encoding session. base64_encode_init selects the standard base64 alphabet, while base64url_encode_init selects the URL safe alphabet.

Function: size_t base64_encode_single (struct base64_encode_ctx *ctx, uint8_t *dst, uint8_t src)

Encodes a single byte. Returns amount of output (always 1 or 2).

Macro: BASE64_ENCODE_LENGTH (length)

The maximum number of output bytes when passing length input bytes to base64_encode_update.

Function: size_t base64_encode_update (struct base64_encode_ctx *ctx, uint8_t *dst, size_t length, const uint8_t *src)

After ctx is initialized, this function may be called to encode length bytes from src. The result will be placed in dst, and the return value will be the number of bytes generated. Note that dst must be at least of size BASE64_ENCODE_LENGTH(length).

Constant: BASE64_ENCODE_FINAL_LENGTH

The maximum amount of output from base64_encode_final.

Function: size_t base64_encode_final (struct base64_encode_ctx *ctx, uint8_t *dst)

After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes generated.

Context struct: struct base64_decode_ctx
Function: void base64_decode_init (struct base64_decode_ctx *ctx)
Function: void base64url_decode_init (struct base64_decode_ctx *ctx)

Initializes a base64 decoding context. This is necessary before starting a decoding session. base64_decode_init selects the standard base64 alphabet, while base64url_decode_init selects the URL safe alphabet.

Function: int base64_decode_single (struct base64_decode_ctx *ctx, uint8_t *dst, uint8_t src)

Decodes a single byte (src) and stores the result in dst. Returns amount of output (0 or 1), or -1 on errors.

Macro: BASE64_DECODE_LENGTH (length)

The maximum number of output bytes when passing length input bytes to base64_decode_update.

Function: void base64_decode_update (struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const uint8_t *src)

After ctx is initialized, this function may be called to decode src_length bytes from src. dst should point to an area of size at least BASE64_DECODE_LENGTH(src_length). The amount of data generated is returned in *dst_length. Returns 1 on success and 0 on error.

Function: int base64_decode_final (struct base64_decode_ctx *ctx)

Check that final padding is correct. Returns 1 on success, and 0 on error.

Similarly to the base64 functions, the following functions perform base16 encoding, and are defined in <nettle/base16.h>. Note that there is no encoding context necessary for doing base16 encoding.

Function: void base16_encode_single (uint8_t *dst, uint8_t src)

Encodes a single byte. Always stores two digits in dst[0] and dst[1].

Macro: BASE16_ENCODE_LENGTH (length)

The number of output bytes when passing length input bytes to base16_encode_update.

Function: void base16_encode_update (uint8_t *dst, size_t length, const uint8_t *src)

Always stores BASE16_ENCODE_LENGTH(length) digits in dst.

Context struct: struct base16_decode_ctx
Function: void base16_decode_init (struct base16_decode_ctx *ctx)

Initializes a base16 decoding context. This is necessary before starting a decoding session.

Function: int base16_decode_single (struct base16_decode_ctx *ctx, uint8_t *dst, uint8_t src)

Decodes a single byte from src into dst. Returns amount of output (0 or 1), or -1 on errors.

Macro: BASE16_DECODE_LENGTH (length)

The maximum number of output bytes when passing length input bytes to base16_decode_update.

Function: int base16_decode_update (struct base16_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const uint8_t *src)

After ctx is initialized, this function may be called to decode src_length bytes from src. dst should point to an area of size at least BASE16_DECODE_LENGTH(src_length). The amount of data generated is returned in *dst_length. Returns 1 on success and 0 on error.

Function: int base16_decode_final (struct base16_decode_ctx *ctx)

Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on error.

Next: , Previous: , Up: Reference   [Contents][Index]

7.10 Miscellaneous functions

Function: void * memxor (void *dst, const void *src, size_t n)

XORs the source area on top of the destination area. The interface doesn’t follow the Nettle conventions, because it is intended to be similar to the ANSI-C memcpy function.

Function: void * memxor3 (void *dst, const void *a, const void *b, size_t n)

Like memxor, but takes two source areas and separate destination area.

Function: int memeql_sec (const void *a, const void *b, size_t n)

Side-channel silent comparison of the n bytes at a and b. I.e., instructions executed and memory accesses are identical no matter where the areas differ, see Side-channel silence. Return non-zero if the areas are equal, and zero if they differ.

These functions are declared in <nettle/memops.h>. For compatibility with earlier versions of Nettle, memxor and memxor3 are also declared in <nettle/memxor.h>.

Previous: , Up: Reference   [Contents][Index]

7.11 Compatibility functions

For convenience, Nettle includes alternative interfaces to some algorithms, for compatibility with some other popular crypto toolkits. These are not fully documented here; refer to the source or to the documentation for the original implementation.

MD5 is defined in [RFC 1321], which includes a reference implementation. Nettle defines a compatible interface to MD5 in <nettle/md5-compat.h>. This file defines the typedef MD5_CTX, and declares the functions MD5Init, MD5Update and MD5Final.

Next: , Previous: , Up: Nettle   [Contents][Index]

8 Traditional Nettle Soup

For the serious nettle hacker, here is a recipe for nettle soup. 4 servings.

  • 1 liter fresh nettles (urtica dioica)
  • 2 tablespoons butter
  • 3 tablespoons flour
  • 1 liter stock (meat or vegetable)
  • 1/2 teaspoon salt
  • a tad white pepper
  • some cream or milk

Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used.

Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper.

Serve with boiled egg-halves.

Next: , Previous: , Up: Nettle   [Contents][Index]

9 Installation

Nettle uses autoconf. To build it, unpack the source and run 

./configure
make
make check
make install

to install it under the default prefix, /usr/local. Using GNU make is strongly recommended. By default, both static and shared libraries are built and installed.

To get a list of configure options, use ./configure --help. Some of the more interesting are:

--enable-fat

Include multiple versions of certain functions in the library, and select the ones to use at run-time, depending on available processor features. Supported for ARM and x86_64.

--enable-mini-gmp

Use the smaller and slower “mini-gmp” implementation of the bignum functions needed for public-key cryptography, instead of the real GNU GMP library. This option is intended primarily for smaller embedded systems. Note that builds using mini-gmp are not binary compatible with regular builds of Nettle, and more likely to leak side-channel information.

--disable-shared

Omit building the shared libraries.

--disable-dependency-tracking

Disable the automatic dependency tracking. You will likely need this option to be able to build with BSD make.

Previous: , Up: Nettle   [Contents][Index]

Function and Concept Index

Jump to:   3  
A   B   C   D   E   G   H   K   M   N   O   P   R   S   T   U   X   Y  
Index Entry  Section
3
3DES: DES3
A
ABI compatibility: Compatibility
AEAD: Authenticated encryption
AES: AES
aes128_decrypt: AES
aes128_encrypt: AES
aes128_invert_key: AES
aes128_set_decrypt_key: AES
aes128_set_encrypt_key: AES
aes192_decrypt: AES
aes192_encrypt: AES
aes192_invert_key: AES
aes192_set_decrypt_key: AES
aes192_set_encrypt_key: AES
aes256_decrypt: AES
aes256_encrypt: AES
aes256_invert_key: AES
aes256_set_decrypt_key: AES
aes256_set_encrypt_key: AES
aes_decrypt: AES
aes_encrypt: AES
aes_invert_key: AES
aes_set_decrypt_key: AES
aes_set_encrypt_key: AES
API compatibility: Compatibility
Arcfour: Arcfour
arcfour_crypt: Arcfour
arcfour_set_key: Arcfour
Arctwo: Arctwo
arctwo_decrypt: Arctwo
arctwo_encrypt: Arctwo
arctwo_set_key: Arctwo
arctwo_set_key_ekb: Arctwo
arctwo_set_key_gutmann: Arctwo
Authenticated encryption: Authenticated encryption
B
balloon: Key derivation functions
Balloon password-hashing algorithm: Key derivation functions
balloon_itch: Key derivation functions
balloon_sha1: Key derivation functions
balloon_sha256: Key derivation functions
balloon_sha384: Key derivation functions
balloon_sha512: Key derivation functions
base16_decode_final: ASCII encoding
base16_decode_init: ASCII encoding
BASE16_DECODE_LENGTH: ASCII encoding
base16_decode_single: ASCII encoding
base16_decode_update: ASCII encoding
BASE16_ENCODE_LENGTH: ASCII encoding
base16_encode_single: ASCII encoding
base16_encode_update: ASCII encoding
base64url_decode_init: ASCII encoding
base64url_encode_init: ASCII encoding
base64_decode_final: ASCII encoding
base64_decode_init: ASCII encoding
BASE64_DECODE_LENGTH: ASCII encoding
base64_decode_single: ASCII encoding
base64_decode_update: ASCII encoding
base64_encode_final: ASCII encoding
base64_encode_init: ASCII encoding
BASE64_ENCODE_LENGTH: ASCII encoding
base64_encode_single: ASCII encoding
base64_encode_update: ASCII encoding
Binary compatibility: Compatibility
Block Cipher: Cipher functions
Blowfish: Blowfish
blowfish_bcrypt_hash: Blowfish
blowfish_bcrypt_verify: Blowfish
blowfish_decrypt: Blowfish
blowfish_encrypt: Blowfish
blowfish_set_key: Blowfish
C
Camellia: Camellia
camellia128_crypt: Camellia
camellia128_invert_key: Camellia
camellia128_set_decrypt_key: Camellia
camellia128_set_encrypt_key: Camellia
camellia192_crypt: Camellia
camellia192_invert_key: Camellia
camellia192_set_decrypt_key: Camellia
camellia192_set_encrypt_key: Camellia
camellia256_crypt: Camellia
camellia256_invert_key: Camellia
camellia256_set_decrypt_key: Camellia
camellia256_set_encrypt_key: Camellia
camellia_crypt: Camellia
camellia_invert_key: Camellia
camellia_set_decrypt_key: Camellia
camellia_set_encrypt_key: Camellia
CAST: CAST128
cast128_decrypt: CAST128
cast128_encrypt: CAST128
cast128_set_key: CAST128
cast5_set_key: CAST128
CBC Mode: CBC
cbc_aes128_encrypt: CBC
cbc_aes192_encrypt: CBC
cbc_aes256_encrypt: CBC
CBC_CTX: CBC
cbc_decrypt: CBC
CBC_DECRYPT: CBC
cbc_encrypt: CBC
CBC_ENCRYPT: CBC
CBC_SET_IV: CBC
CCM Mode: CCM
ccm_aes128_decrypt: CCM
ccm_aes128_decrypt_message: CCM
ccm_aes128_digest: CCM
ccm_aes128_encrypt: CCM
ccm_aes128_encrypt_message: CCM
ccm_aes128_set_key: CCM
ccm_aes128_set_nonce: CCM
ccm_aes128_update: CCM
ccm_aes192_decrypt: CCM
ccm_aes192_decrypt_message: CCM
ccm_aes192_decrypt_message: CCM
ccm_aes192_digest: CCM
ccm_aes192_encrypt: CCM
ccm_aes192_encrypt_message: CCM
ccm_aes192_set_key: CCM
ccm_aes192_set_nonce: CCM
ccm_aes192_update: CCM
ccm_aes256_decrypt: CCM
ccm_aes256_digest: CCM
ccm_aes256_encrypt: CCM
ccm_aes256_encrypt_message: CCM
ccm_aes256_set_key: CCM
ccm_aes256_set_nonce: CCM
ccm_aes256_update: CCM
ccm_decrypt: CCM
ccm_decrypt_message: CCM
ccm_digest: CCM
ccm_encrypt: CCM
ccm_encrypt_message: CCM
CCM_MAX_MSG_SIZE: CCM
ccm_set_nonce: CCM
ccm_update: CCM
CFB Modes: CFB and CFB8
CFB8 Mode: CFB and CFB8
CFB8_CTX: CFB and CFB8
cfb8_decrypt: CFB and CFB8
CFB8_DECRYPT: CFB and CFB8
cfb8_encrypt: CFB and CFB8
CFB8_ENCRYPT: CFB and CFB8
CFB8_SET_IV: CFB and CFB8
CFB_CTX: CFB and CFB8
cfb_decrypt: CFB and CFB8
CFB_DECRYPT: CFB and CFB8
cfb_encrypt: CFB and CFB8
CFB_ENCRYPT: CFB and CFB8
CFB_SET_IV(ctx,: CFB and CFB8
ChaCha: ChaCha
chacha_crypt: ChaCha
chacha_crypt32: ChaCha
chacha_poly1305_decrypt: ChaCha-Poly1305
chacha_poly1305_digest: ChaCha-Poly1305
chacha_poly1305_encrypt: ChaCha-Poly1305
chacha_poly1305_set_key: ChaCha-Poly1305
chacha_poly1305_set_nonce: ChaCha-Poly1305
chacha_poly1305_update: ChaCha-Poly1305
chacha_set_counter: ChaCha
chacha_set_counter32: ChaCha
chacha_set_key: ChaCha
chacha_set_nonce: ChaCha
chacha_set_nonce96: ChaCha
Cipher: Cipher functions
Cipher Block Chaining: CBC
Cipher Feedback 8-bit Mode: CFB and CFB8
Cipher Feedback Mode: CFB and CFB8
CMAC: CMAC
CMAC-128: CMAC
CMAC-64: CMAC
cmac_aes128_digest: CMAC
cmac_aes128_set_key: CMAC
cmac_aes128_update: CMAC
cmac_aes256_digest: CMAC
cmac_aes256_set_key: CMAC
cmac_aes256_update: CMAC
cmac_des3_digest: CMAC
cmac_des3_set_key: CMAC
cmac_des3_update: CMAC
Collision-resistant: Hash functions
Conditional entropy: Randomness
Counter Mode: CTR
Counter with CBC-MAC Mode: CCM
CTR Mode: CTR
ctr_crypt: CTR
CTR_CRYPT: CTR
CTR_CTX: CTR
CTR_SET_COUNTER: CTR
Curve 25519: Curve 25519 and Curve 448
Curve 448: Curve 25519 and Curve 448
curve25519_mul: Curve 25519 and Curve 448
curve25519_mul_g: Curve 25519 and Curve 448
curve448_mul: Curve 25519 and Curve 448
curve448_mul_g: Curve 25519 and Curve 448
D
DES: DES
DES3: DES3
des3_decrypt: DES3
des3_encrypt: DES3
des3_set_key: DES3
des_check_parity: DES
des_decrypt: DES
des_encrypt: DES
des_fix_parity: DES
des_set_key: DES
drbg_ctr_aes256_init: Randomness
drbg_ctr_aes256_random: Randomness
dsa_compat_generate_keypair: DSA
dsa_generate_keypair: DSA
dsa_generate_params: DSA
dsa_params: DSA
dsa_params_clear: DSA
dsa_params_init: DSA
dsa_private_key: DSA
dsa_private_key_clear: DSA
dsa_private_key_init: DSA
dsa_public_key: DSA
dsa_public_key_clear: DSA
dsa_public_key_init: DSA
dsa_sha1_sign: DSA
dsa_sha1_sign_digest: DSA
dsa_sha1_verify: DSA
dsa_sha1_verify_digest: DSA
dsa_sha256_sign: DSA
dsa_sha256_sign_digest: DSA
dsa_sha256_verify: DSA
dsa_sha256_verify_digest: DSA
dsa_sign: DSA
dsa_signature: DSA
dsa_signature_clear: DSA
dsa_signature_init: DSA
dsa_verify: DSA
E
eax_aes128_decrypt: EAX
eax_aes128_digest: EAX
eax_aes128_encrypt: EAX
eax_aes128_set_key: EAX
eax_aes128_set_nonce: EAX
eax_aes128_update: EAX
EAX_CTX: EAX
eax_decrypt: EAX
EAX_DECRYPT: EAX
eax_digest: EAX
EAX_DIGEST: EAX
eax_encrypt: EAX
EAX_ENCRYPT: EAX
eax_set_key: EAX
EAX_SET_KEY: EAX
eax_set_nonce: EAX
EAX_SET_NONCE: EAX
eax_update: EAX
EAX_UPDATE: EAX
ecc_point_clear: ECDSA
ecc_point_get: ECDSA
ecc_point_init: ECDSA
ecc_point_set: ECDSA
ecc_scalar_clear: ECDSA
ecc_scalar_get: ECDSA
ecc_scalar_init: ECDSA
ecc_scalar_set: ECDSA
ecdsa_generate_keypair: ECDSA
ecdsa_sign: ECDSA
ecdsa_verify: ECDSA
ed25519_sha512_public_key: Curve 25519 and Curve 448
ed25519_sha512_sign: Curve 25519 and Curve 448
ed25519_sha512_verify: Curve 25519 and Curve 448
ed448_shake256_public_key: Curve 25519 and Curve 448
ed448_shake256_sign: Curve 25519 and Curve 448
ed448_shake256_verify: Curve 25519 and Curve 448
eddsa: Curve 25519 and Curve 448
Entropy: Randomness
G
Galois Counter Mode: GCM
GCM: GCM
gcm_aes128_decrypt: GCM
gcm_aes128_digest: GCM
gcm_aes128_encrypt: GCM
gcm_aes128_set_iv: GCM
gcm_aes128_set_key: GCM
gcm_aes128_update: GCM
gcm_aes192_decrypt: GCM
gcm_aes192_digest: GCM
gcm_aes192_encrypt: GCM
gcm_aes192_set_iv: GCM
gcm_aes192_set_key: GCM
gcm_aes192_update: GCM
gcm_aes256_decrypt: GCM
gcm_aes256_digest: GCM
gcm_aes256_encrypt: GCM
gcm_aes256_set_iv: GCM
gcm_aes256_set_key: GCM
gcm_aes256_update: GCM
gcm_aes_decrypt: GCM
gcm_aes_digest: GCM
gcm_aes_encrypt: GCM
gcm_aes_set_iv: GCM
gcm_aes_set_key: GCM
gcm_aes_update: GCM
gcm_camellia128_decrypt: GCM
gcm_camellia128_digest: GCM
gcm_camellia128_encrypt: GCM
gcm_camellia128_set_iv: GCM
gcm_camellia128_set_key: GCM
gcm_camellia128_update: GCM
gcm_camellia192_digest: GCM
gcm_camellia256_decrypt: GCM
gcm_camellia256_digest: GCM
gcm_camellia256_encrypt: GCM
gcm_camellia256_set_iv: GCM
gcm_camellia256_set_key: GCM
gcm_camellia256_update: GCM
gcm_camellia_digest: GCM
GCM_CTX: GCM
gcm_decrypt: GCM
GCM_DECRYPT: GCM
gcm_digest: GCM
GCM_DIGEST: GCM
gcm_encrypt: GCM
GCM_ENCRYPT: GCM
gcm_set_iv: GCM
GCM_SET_IV: GCM
gcm_set_key: GCM
GCM_SET_KEY: GCM
gcm_sm4_decrypt: GCM
gcm_sm4_digest: GCM
gcm_sm4_encrypt: GCM
gcm_sm4_set_iv: GCM
gcm_sm4_set_key: GCM
gcm_sm4_update: GCM
gcm_update: GCM
GCM_UPDATE: GCM
GOST DSA: GOSTDSA
GOST hash: Legacy hash functions
gostdsa_sign: GOSTDSA
gostdsa_verify: GOSTDSA
gostdsa_vko: GOSTDSA
gosthash94cp_digest: Legacy hash functions
gosthash94cp_init: Legacy hash functions
gosthash94cp_update: Legacy hash functions
gosthash94_digest: Legacy hash functions
gosthash94_init: Legacy hash functions
gosthash94_update: Legacy hash functions
H
Hash function: Hash functions
HKDF: Key derivation functions
hkdf_expand: Key derivation functions
hkdf_extract: Key derivation functions
HMAC: HMAC
HMAC_CTX: HMAC
hmac_digest: HMAC
HMAC_DIGEST: HMAC
hmac_md5_digest: HMAC
hmac_md5_set_key: HMAC
hmac_md5_update: HMAC
hmac_ripemd160_digest: HMAC
hmac_ripemd160_set_key: HMAC
hmac_ripemd160_update: HMAC
hmac_set_key: HMAC
HMAC_SET_KEY: HMAC
hmac_sha1_digest: HMAC
hmac_sha1_set_key: HMAC
hmac_sha1_update: HMAC
hmac_sha256_digest: HMAC
hmac_sha256_set_key: HMAC
hmac_sha256_update: HMAC
hmac_sha512_digest: HMAC
hmac_sha512_set_key: HMAC
hmac_sha512_update: HMAC
hmac_sm3_digest: HMAC
hmac_sm3_set_key: HMAC
hmac_sm3_update: HMAC
hmac_update: HMAC
K
KDF: Key derivation functions
Key Derivation Function: Key derivation functions
Keyed Hash Function: Keyed hash functions
M
MAC: Keyed hash functions
md2_digest: Legacy hash functions
md2_init: Legacy hash functions
md2_update: Legacy hash functions
md4_digest: Legacy hash functions
md4_init: Legacy hash functions
md4_update: Legacy hash functions
md5_compress: Legacy hash functions
md5_digest: Legacy hash functions
md5_init: Legacy hash functions
md5_update: Legacy hash functions
memeql_sec: Miscellaneous functions
memxor: Miscellaneous functions
memxor3: Miscellaneous functions
Message Authentication Code: Keyed hash functions
N
nettle_aead: nettle_aead abstraction
nettle_aeads: nettle_aead abstraction
nettle_cipher: nettle_cipher abstraction
nettle_ciphers: nettle_cipher abstraction
nettle_get_aeads: nettle_aead abstraction
nettle_get_ciphers: nettle_cipher abstraction
nettle_get_gost_gc256b: GOSTDSA
nettle_get_gost_gc512a: GOSTDSA
nettle_get_hashes: nettle_hash abstraction
nettle_hash: nettle_hash abstraction
nettle_hashes: nettle_hash abstraction
O
OCB: OCB
OCB mode: OCB
ocb_aes128_decrypt: OCB
ocb_aes128_decrypt_message: OCB
ocb_aes128_digest: OCB
ocb_aes128_encrypt: OCB
ocb_aes128_encrypt_message: OCB
ocb_aes128_set_decrypt_key: OCB
ocb_aes128_set_encrypt_key: OCB
ocb_aes128_set_nonce: OCB
ocb_aes128_update: OCB
ocb_decrypt: OCB
ocb_decrypt_message: OCB
ocb_digest: OCB
ocb_encrypt: OCB
ocb_encrypt_message: OCB
ocb_set_key: OCB
ocb_set_nonce: OCB
ocb_update: OCB
Offset Code Book: OCB
One-way: Hash functions
One-way function: Public-key algorithms
P
Password Based Key Derivation Function: Key derivation functions
PBKDF: Key derivation functions
pbkdf2: Key derivation functions
PBKDF2: Key derivation functions
pbkdf2_hmac_sha1: Key derivation functions
pbkdf2_hmac_sha256: Key derivation functions
pbkdf2_hmac_sha384: Key derivation functions
pbkdf2_hmac_sha512: Key derivation functions
PKCS #5: Key derivation functions
poly1305_aes_digest: Poly1305
poly1305_aes_set_key: Poly1305
poly1305_aes_set_nonce: Poly1305
poly1305_aes_update: Poly1305
Public Key Cryptography: Public-key algorithms
R
Randomness: Randomness
RC2: Arctwo
RC4: Arcfour
ripemd160_digest: Legacy hash functions
ripemd160_init: Legacy hash functions
ripemd160_update: Legacy hash functions
rsa_compute_root: RSA
rsa_compute_root_tr: RSA
rsa_decrypt: RSA
rsa_decrypt_tr: RSA
rsa_encrypt: RSA
rsa_generate_keypair: RSA
rsa_md5_sign: RSA
rsa_md5_sign_digest: RSA
rsa_md5_sign_digest_tr: RSA
rsa_md5_sign_tr: RSA
rsa_md5_verify: RSA
rsa_md5_verify_digest: RSA
rsa_oaep_sha256_decrypt: RSA
rsa_oaep_sha256_encrypt: RSA
rsa_oaep_sha384_decrypt: RSA
rsa_oaep_sha384_encrypt: RSA
rsa_oaep_sha512_decrypt: RSA
rsa_oaep_sha512_encrypt: RSA
rsa_pkcs1_sign: RSA
rsa_pkcs1_sign_tr: RSA
rsa_pkcs1_verify: RSA
rsa_private_key: RSA
rsa_private_key_clear: RSA
rsa_private_key_init: RSA
rsa_private_key_prepare: RSA
rsa_pss_sha256_sign_digest_tr: RSA
rsa_pss_sha256_verify_digest: RSA
rsa_pss_sha384_sign_digest_tr: RSA
rsa_pss_sha384_verify_digest: RSA
rsa_pss_sha512_sign_digest_tr: RSA
rsa_pss_sha512_verify_digest: RSA
rsa_public_key: RSA
rsa_public_key_clear: RSA
rsa_public_key_init: RSA
rsa_public_key_prepare: RSA
rsa_sha1_sign: RSA
rsa_sha1_sign_digest: RSA
rsa_sha1_sign_digest_tr: RSA
rsa_sha1_sign_tr: RSA
rsa_sha1_verify: RSA
rsa_sha1_verify_digest: RSA
rsa_sha256_sign: RSA
rsa_sha256_sign_digest: RSA
rsa_sha256_sign_digest_tr: RSA
rsa_sha256_sign_tr: RSA
rsa_sha256_verify: RSA
rsa_sha256_verify_digest: RSA
rsa_sha512_sign: RSA
rsa_sha512_sign_digest: RSA
rsa_sha512_sign_digest_tr: RSA
rsa_sha512_sign_tr: RSA
rsa_sha512_verify: RSA
rsa_sha512_verify_digest: RSA
S
Salsa20: Salsa20
salsa20r12_crypt: Salsa20
salsa20_128_set_key: Salsa20
salsa20_256_set_key: Salsa20
salsa20_crypt: Salsa20
salsa20_set_key: Salsa20
salsa20_set_nonce: Salsa20
Serpent: Serpent
serpent_decrypt: Serpent
serpent_encrypt: Serpent
serpent_set_key: Serpent
sha1_compress: Legacy hash functions
sha1_digest: Legacy hash functions
sha1_init: Legacy hash functions
sha1_update: Legacy hash functions
sha224_digest: Recommended hash functions
sha224_init: Recommended hash functions
sha224_update: Recommended hash functions
sha256_compress: Recommended hash functions
sha256_digest: Recommended hash functions
sha256_init: Recommended hash functions
sha256_update: Recommended hash functions
SHA3: Recommended hash functions
sha384_digest: Recommended hash functions
sha384_init: Recommended hash functions
sha384_update: Recommended hash functions
sha3_128_init: Recommended hash functions
sha3_128_shake: Recommended hash functions
sha3_128_shake_output: Recommended hash functions
sha3_128_update: Recommended hash functions
sha3_224_digest: Recommended hash functions
sha3_224_init: Recommended hash functions
sha3_224_update: Recommended hash functions
sha3_256_digest: Recommended hash functions
sha3_256_init: Recommended hash functions
sha3_256_shake: Recommended hash functions
sha3_256_shake_output: Recommended hash functions
sha3_256_update: Recommended hash functions
sha3_384_digest: Recommended hash functions
sha3_384_init: Recommended hash functions
sha3_384_update: Recommended hash functions
sha3_512_digest: Recommended hash functions
sha3_512_init: Recommended hash functions
sha3_512_update: Recommended hash functions
sha512_224_digest: Recommended hash functions
sha512_224_init: Recommended hash functions
sha512_224_update: Recommended hash functions
sha512_256_digest: Recommended hash functions
sha512_256_init: Recommended hash functions
sha512_256_update: Recommended hash functions
sha512_compress: Recommended hash functions
sha512_digest: Recommended hash functions
sha512_init: Recommended hash functions
sha512_update: Recommended hash functions
SHAKE: Recommended hash functions
Side-channel attack: Side-channel silence
SIV mode: SIV-CMAC
SIV-CMAC mode: SIV-CMAC
siv_cmac_aes128_decrypt_message: SIV-CMAC
siv_cmac_aes128_encrypt_message: SIV-CMAC
siv_cmac_aes128_set_key: SIV-CMAC
siv_cmac_aes256_decrypt_message: SIV-CMAC
siv_cmac_aes256_encrypt_message: SIV-CMAC
siv_cmac_aes256_set_key: SIV-CMAC
siv_gcm_aes128_decrypt_message: SIV-GCM
siv_gcm_aes128_encrypt_message: SIV-GCM
siv_gcm_aes256_decrypt_message: SIV-GCM
siv_gcm_aes256_encrypt_message: SIV-GCM
siv_gcm_decrypt_message: SIV-GCM
siv_gcm_encrypt_message: SIV-GCM
sm3_digest: Miscellaneous hash functions
sm3_init: Miscellaneous hash functions
sm3_update: Miscellaneous hash functions
SM4: SM4
sm4_crypt: SM4
sm4_set_decrypt_key: SM4
sm4_set_encrypt_key: SM4
Stream Cipher: Cipher functions
streebog256_digest: Miscellaneous hash functions
streebog256_init: Miscellaneous hash functions
streebog256_update: Miscellaneous hash functions
streebog512_digest: Miscellaneous hash functions
streebog512_init: Miscellaneous hash functions
streebog512_update: Miscellaneous hash functions
struct aes128_ctx: AES
struct aes192_ctx: AES
struct aes256_ctx: AES
struct aes_ctx: AES
struct arcfour_ctx: Arcfour
struct arctwo_ctx: Arctwo
struct base16_decode_ctx: ASCII encoding
struct base64_decode_ctx: ASCII encoding
struct base64_encode_ctx: ASCII encoding
struct blowfish_ctx: Blowfish
struct camellia128_ctx: Camellia
struct camellia192_ctx: Camellia
struct camellia256_ctx: Camellia
struct camellia_ctx: Camellia
struct cast128_ctx: CAST128
struct ccm_aes128_ctx: CCM
struct ccm_aes192_ctx: CCM
struct ccm_aes256_ctx: CCM
struct ccm_ctx: CCM
struct chacha_ctx: ChaCha
struct chacha_poly1305_ctx: ChaCha-Poly1305
struct cmac_aes128_ctx: CMAC
struct cmac_aes256_ctx: CMAC
struct cmac_des3_ctx: CMAC
struct des3_ctx: DES3
struct des_ctx: DES
struct drbg_ctr_aes256_ctx: Randomness
struct eax_aes128_ctx: EAX
struct eax_ctx: EAX
struct eax_key: EAX
struct ecc_point: ECDSA
struct ecc_scalar: ECDSA
struct gcm_aes128_ctx: GCM
struct gcm_aes192_ctx: GCM
struct gcm_aes256_ctx: GCM
struct gcm_aes_ctx: GCM
struct gcm_camellia128_ctx: GCM
struct gcm_camellia256_ctx: GCM
struct gcm_ctx: GCM
struct gcm_key: GCM
struct gcm_sm4_ctx: GCM
struct gosthash94cp_ctx: Legacy hash functions
struct gosthash94_ctx: Legacy hash functions
struct hmac_md5_ctx: HMAC
struct hmac_ripemd160_ctx: HMAC
struct hmac_sha1_ctx: HMAC
struct hmac_sha256_ctx: HMAC
struct hmac_sha512_ctx: HMAC
struct hmac_sm3_ctx: HMAC
struct md2_ctx: Legacy hash functions
struct md4_ctx: Legacy hash functions
struct md5_ctx: Legacy hash functions
struct nettle_aead: nettle_aead abstraction
struct nettle_cipher: nettle_cipher abstraction
struct nettle_hash: nettle_hash abstraction
struct ocb_aes128_encrypt_key: OCB
struct ocb_ctx: OCB
struct ocb_key: OCB
struct poly1305_aes_ctx: Poly1305
struct ripemd160_ctx: Legacy hash functions
struct salsa20_ctx: Salsa20
struct serpent_ctx: Serpent
struct sha1_ctx: Legacy hash functions
struct sha224_ctx: Recommended hash functions
struct sha256_ctx: Recommended hash functions
struct sha384_ctx: Recommended hash functions
struct sha3_128_ctx: Recommended hash functions
struct sha3_224_ctx: Recommended hash functions
struct sha3_256_ctx: Recommended hash functions
struct sha3_384_ctx: Recommended hash functions
struct sha3_512_ctx: Recommended hash functions
struct sha512_224_ctx: Recommended hash functions
struct sha512_256_ctx: Recommended hash functions
struct sha512_ctx: Recommended hash functions
struct siv_cmac_aes128_ctx: SIV-CMAC
struct siv_cmac_aes256_ctx: SIV-CMAC
struct sm3_ctx: Miscellaneous hash functions
struct sm4_ctx: SM4
struct streebog256_ctx: Miscellaneous hash functions
struct streebog512_ctx: Miscellaneous hash functions
struct twofish_ctx: Twofish
struct umac128_ctx: UMAC
struct umac32_ctx: UMAC
struct umac64_ctx: UMAC
struct umac96_ctx: UMAC
struct xts_aes128_key: XTS
struct xts_aes256_key: XTS
struct yarrow256_ctx: Randomness
struct yarrow_key_event_ctx: Randomness
struct yarrow_source: Randomness
T
Triple-DES: DES3
Twofish: Twofish
twofish_decrypt: Twofish
twofish_encrypt: Twofish
twofish_set_key: Twofish
U
UMAC: UMAC
umac128_digest: UMAC
umac128_set_key: UMAC
umac128_set_nonce: UMAC
umac128_update: UMAC
umac32_digest: UMAC
umac32_set_key: UMAC
umac32_set_nonce: UMAC
umac32_update: UMAC
umac64_digest: UMAC
umac64_set_key: UMAC
umac64_set_nonce: UMAC
umac64_update: UMAC
umac96_digest: UMAC
umac96_set_key: UMAC
umac96_set_nonce: UMAC
umac96_update: UMAC
X
XEX-based tweaked-codebook mode with ciphertext stealing: XTS
XTS Mode: XTS
xts_aes128_decrypt_message: XTS
xts_aes128_encrypt_message: XTS
xts_aes128_set_decrypt_key: XTS
xts_aes128_set_encrypt_key: XTS
xts_aes256_decrypt_message: XTS
xts_aes256_encrypt_message: XTS
xts_aes256_set_decrypt_key: XTS
xts_aes256_set_encrypt_key: XTS
xts_decrypt_message: XTS
xts_encrypt_message: XTS
Y
yarrow256_fast_reseed: Randomness
yarrow256_init: Randomness
yarrow256_is_seeded: Randomness
yarrow256_needed_sources: Randomness
yarrow256_random: Randomness
yarrow256_seed: Randomness
yarrow256_slow_reseed: Randomness
yarrow256_update: Randomness
yarrow_key_event_estimate: Randomness
yarrow_key_event_init: Randomness
Jump to:   3  
A   B   C   D   E   G   H   K   M   N   O   P   R   S   T   U   X   Y  

  [Contents][Index]

Footnotes

(1)

Actually, the computation is not done like this, it is done more efficiently using p, q and the Chinese remainder theorem (CRT). But the result is the same.

nettle-3.10/ctr.c0000644000175000017500000001022514633602171012713 0ustar nissenisse/* ctr.c Cipher counter mode. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "ctr.h" #include "ctr-internal.h" #include "macros.h" #include "memxor.h" #include "nettle-internal.h" #define MIN(a,b) (((a) < (b)) ? (a) : (b)) static size_t ctr_fill (size_t block_size, uint8_t *ctr, size_t length, uint8_t *buffer) { size_t i; for (i = 0; i + block_size <= length; i += block_size) { memcpy (buffer + i, ctr, block_size); INCREMENT(block_size, ctr); } return i; } #if WORDS_BIGENDIAN # define USE_CTR_CRYPT16 1 static nettle_fill16_func ctr_fill16; static void ctr_fill16(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint64_t hi, lo; size_t i; hi = READ_UINT64(ctr); lo = READ_UINT64(ctr + 8); for (i = 0; i < blocks; i++) { buffer[i].u64[0] = hi; buffer[i].u64[1] = lo; hi += !(++lo); } WRITE_UINT64(ctr, hi); WRITE_UINT64(ctr + 8, lo); } #else /* !WORDS_BIGENDIAN */ # if HAVE_BUILTIN_BSWAP64 # define USE_CTR_CRYPT16 1 static nettle_fill16_func ctr_fill16; static void ctr_fill16(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint64_t hi, lo; size_t i; /* Read hi in native endianness */ hi = LE_READ_UINT64(ctr); lo = READ_UINT64(ctr + 8); for (i = 0; i < blocks; i++) { buffer[i].u64[0] = hi; buffer[i].u64[1] = __builtin_bswap64(lo); if (!++lo) hi = __builtin_bswap64(__builtin_bswap64(hi) + 1); } LE_WRITE_UINT64(ctr, hi); WRITE_UINT64(ctr + 8, lo); } # else /* ! HAVE_BUILTIN_BSWAP64 */ # define USE_CTR_CRYPT16 0 # endif #endif /* !WORDS_BIGENDIAN */ void ctr_crypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src) { #if USE_CTR_CRYPT16 if (block_size == 16) { _nettle_ctr_crypt16(ctx, f, ctr_fill16, ctr, length, dst, src); return; } #endif if(src != dst) { size_t filled = ctr_fill (block_size, ctr, length, dst); f(ctx, filled, dst, dst); memxor(dst, src, filled); if (filled < length) { TMP_DECL(block, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(block, block_size); f(ctx, block_size, block, ctr); INCREMENT(block_size, ctr); memxor3(dst + filled, src + filled, block, length - filled); } } else { /* For in-place CTR, construct a buffer of consecutive counter values, of size at most CTR_BUFFER_LIMIT. */ TMP_DECL(buffer, uint8_t, CTR_BUFFER_LIMIT); size_t buffer_size; if (length < block_size) buffer_size = block_size; else if (length <= CTR_BUFFER_LIMIT) buffer_size = length; else buffer_size = CTR_BUFFER_LIMIT; TMP_ALLOC(buffer, buffer_size); while (length >= block_size) { size_t filled = ctr_fill (block_size, ctr, MIN(buffer_size, length), buffer); assert (filled > 0); f(ctx, filled, buffer, buffer); memxor(dst, buffer, filled); length -= filled; dst += filled; } /* Final, possibly partial, block. */ if (length > 0) { f(ctx, block_size, buffer, ctr); INCREMENT(block_size, ctr); memxor(dst, buffer, length); } } } nettle-3.10/serpent-internal.h0000644000175000017500000000554714633602172015436 0ustar nissenisse/* serpent-internal-h The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #ifndef NETTLE_SERPENT_INTERNAL_H_INCLUDED #define NETTLE_SERPENT_INTERNAL_H_INCLUDED #define KEYXOR(x0,x1,x2,x3, subkey) \ do { \ (x0) ^= (subkey)[0]; \ (x1) ^= (subkey)[1]; \ (x2) ^= (subkey)[2]; \ (x3) ^= (subkey)[3]; \ } while (0) #if HAVE_NATIVE_64_BIT /* Operate independently on both halves of a 64-bit word. */ #define DROTL32(n,x) \ (((x) << (n) & ~((((uint64_t) 1 << (n))-1) << 32)) \ |(((x) >> (32-(n))) & ~((((uint64_t) 1 << (32-(n)))-1) << (n)))) #define KEYXOR64(x0,x1,x2,x3, subkey) \ do { \ uint64_t _sk; \ _sk = (subkey)[0]; _sk |= _sk << 32; (x0) ^= _sk; \ _sk = (subkey)[1]; _sk |= _sk << 32; (x1) ^= _sk; \ _sk = (subkey)[2]; _sk |= _sk << 32; (x2) ^= _sk; \ _sk = (subkey)[3]; _sk |= _sk << 32; (x3) ^= _sk; \ } while (0) #define DRSHIFT32(n,x) \ ( ((x) << (n)) & ~((((uint64_t) 1 << (n)) - 1) << 32)) #endif /* HAVE_NATIVE_64_BIT */ #endif /* NETTLE_SERPENT_INTERNAL_H_INCLUDED */ nettle-3.10/gcm-aes256.c0000644000175000017500000000455314633602171013703 0ustar nissenisse/* gcm-aes256.c Galois counter mode using AES256 as the underlying cipher. Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" #include "gcm-internal.h" void gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, aes256_set_encrypt_key, aes256_encrypt, key); } void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_encrypt ((struct gcm_key *)ctx, _AES256_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_ENCRYPT(ctx, aes256_encrypt, length, dst, src); } void gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_decrypt ((struct gcm_key *)ctx, _AES256_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_DECRYPT(ctx, aes256_encrypt, length, dst, src); } void gcm_aes256_digest(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, aes256_encrypt, length, digest); } nettle-3.10/sha1-compress.c0000644000175000017500000002453014633602171014614 0ustar nissenisse/* sha1-compress.c The compression function of the sha1 hash function. Copyright (C) 2001, 2004 Peter Gutmann, Andrew Kuchling, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Here's the first paragraph of Peter Gutmann's posting, * <30ajo5$oe8@ccu2.auckland.ac.nz>: * * The following is my SHA (FIPS 180) code updated to allow use of the "fixed" * SHA, thanks to Jim Gillogly and an anonymous contributor for the information on * what's changed in the new version. The fix is a simple change which involves * adding a single rotate in the initial expansion function. It is unknown * whether this is an optimal solution to the problem which was discovered in the * SHA or whether it's simply a bandaid which fixes the problem with a minimum of * effort (for example the reengineering of a great many Capstone chips). */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef SHA1_DEBUG # define SHA1_DEBUG 0 #endif #if SHA1_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8x %8x %8x %8x %8x\n", i, A, B, C, D ,E) #else # define DEBUG(i) #endif #include #include #include #include "sha1.h" #include "macros.h" /* A block, treated as a sequence of 32-bit words. */ #define SHA1_DATA_LENGTH 16 /* The SHA f()-functions. The f1 and f3 functions can be optimized to save one boolean operation each - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering this */ /* FIXME: Can save a temporary in f3 by using ( (x & y) + (z & (x ^ y)) ), and then, in the round, compute one of the terms and add it into the destination word before computing the second term. Credits to George Spelvin for pointing this out. Unfortunately, gcc doesn't seem to be smart enough to take advantage of this. */ /* #define f1(x,y,z) ( ( x & y ) | ( ~x & z ) ) Rounds 0-19 */ #define f1(x,y,z) ( z ^ ( x & ( y ^ z ) ) ) /* Rounds 0-19 */ #define f2(x,y,z) ( x ^ y ^ z ) /* Rounds 20-39 */ /* #define f3(x,y,z) ( ( x & y ) | ( x & z ) | ( y & z ) ) Rounds 40-59 */ #define f3(x,y,z) ( ( x & y ) | ( z & ( x | y ) ) ) /* Rounds 40-59 */ #define f4 f2 /* The SHA Mysterious Constants */ #define K1 0x5A827999L /* Rounds 0-19 */ #define K2 0x6ED9EBA1L /* Rounds 20-39 */ #define K3 0x8F1BBCDCL /* Rounds 40-59 */ #define K4 0xCA62C1D6L /* Rounds 60-79 */ /* The initial expanding function. The hash function is defined over an 80-word expanded input array W, where the first 16 are copies of the input data, and the remaining 64 are defined by W[ i ] = W[ i - 16 ] ^ W[ i - 14 ] ^ W[ i - 8 ] ^ W[ i - 3 ] This implementation generates these values on the fly in a circular buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this optimization. The updated SHA changes the expanding function by adding a rotate of 1 bit. Thanks to Jim Gillogly, jim@rand.org, and an anonymous contributor for this information */ #define expand(W,i) ( W[ i & 15 ] = \ ROTL32( 1, ( W[ i & 15 ] ^ W[ (i - 14) & 15 ] ^ \ W[ (i - 8) & 15 ] ^ W[ (i - 3) & 15 ] ) ) ) /* The prototype SHA sub-round. The fundamental sub-round is: a' = e + ROTL32( 5, a ) + f( b, c, d ) + k + data; b' = a; c' = ROTL32( 30, b ); d' = c; e' = d; but this is implemented by unrolling the loop 5 times and renaming the variables ( e, a, b, c, d ) = ( a', b', c', d', e' ) each iteration. This code is then replicated 20 times for each of the 4 functions, using the next 20 values from the W[] array each time */ #define subRound(a, b, c, d, e, f, k, data) \ ( e += ROTL32( 5, a ) + f( b, c, d ) + k + data, b = ROTL32( 30, b ) ) /* For fat builds */ #if HAVE_NATIVE_sha1_compress void _nettle_sha1_compress_c(uint32_t *state, const uint8_t *input); #define nettle_sha1_compress _nettle_sha1_compress_c #endif /* Perform the SHA transformation. Note that this code, like MD5, seems to break some optimizing compilers due to the complexity of the expressions and the size of the basic block. It may be necessary to split it into sections, e.g. based on the four subrounds. */ void nettle_sha1_compress(uint32_t *state, const uint8_t *input) { uint32_t data[SHA1_DATA_LENGTH]; uint32_t A, B, C, D, E; /* Local vars */ int i; for (i = 0; i < SHA1_DATA_LENGTH; i++, input+= 4) { data[i] = READ_UINT32(input); } /* Set up first buffer and local data buffer */ A = state[0]; B = state[1]; C = state[2]; D = state[3]; E = state[4]; DEBUG(-1); /* Heavy mangling, in 4 sub-rounds of 20 interations each. */ subRound( A, B, C, D, E, f1, K1, data[ 0] ); DEBUG(0); subRound( E, A, B, C, D, f1, K1, data[ 1] ); DEBUG(1); subRound( D, E, A, B, C, f1, K1, data[ 2] ); subRound( C, D, E, A, B, f1, K1, data[ 3] ); subRound( B, C, D, E, A, f1, K1, data[ 4] ); subRound( A, B, C, D, E, f1, K1, data[ 5] ); subRound( E, A, B, C, D, f1, K1, data[ 6] ); subRound( D, E, A, B, C, f1, K1, data[ 7] ); subRound( C, D, E, A, B, f1, K1, data[ 8] ); subRound( B, C, D, E, A, f1, K1, data[ 9] ); subRound( A, B, C, D, E, f1, K1, data[10] ); subRound( E, A, B, C, D, f1, K1, data[11] ); subRound( D, E, A, B, C, f1, K1, data[12] ); subRound( C, D, E, A, B, f1, K1, data[13] ); subRound( B, C, D, E, A, f1, K1, data[14] ); subRound( A, B, C, D, E, f1, K1, data[15] ); DEBUG(15); subRound( E, A, B, C, D, f1, K1, expand( data, 16 ) ); DEBUG(16); subRound( D, E, A, B, C, f1, K1, expand( data, 17 ) ); DEBUG(17); subRound( C, D, E, A, B, f1, K1, expand( data, 18 ) ); DEBUG(18); subRound( B, C, D, E, A, f1, K1, expand( data, 19 ) ); DEBUG(19); subRound( A, B, C, D, E, f2, K2, expand( data, 20 ) ); DEBUG(20); subRound( E, A, B, C, D, f2, K2, expand( data, 21 ) ); DEBUG(21); subRound( D, E, A, B, C, f2, K2, expand( data, 22 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 23 ) ); subRound( B, C, D, E, A, f2, K2, expand( data, 24 ) ); subRound( A, B, C, D, E, f2, K2, expand( data, 25 ) ); subRound( E, A, B, C, D, f2, K2, expand( data, 26 ) ); subRound( D, E, A, B, C, f2, K2, expand( data, 27 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 28 ) ); subRound( B, C, D, E, A, f2, K2, expand( data, 29 ) ); subRound( A, B, C, D, E, f2, K2, expand( data, 30 ) ); subRound( E, A, B, C, D, f2, K2, expand( data, 31 ) ); subRound( D, E, A, B, C, f2, K2, expand( data, 32 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 33 ) ); subRound( B, C, D, E, A, f2, K2, expand( data, 34 ) ); subRound( A, B, C, D, E, f2, K2, expand( data, 35 ) ); subRound( E, A, B, C, D, f2, K2, expand( data, 36 ) ); subRound( D, E, A, B, C, f2, K2, expand( data, 37 ) ); subRound( C, D, E, A, B, f2, K2, expand( data, 38 ) ); DEBUG(38); subRound( B, C, D, E, A, f2, K2, expand( data, 39 ) ); DEBUG(39); subRound( A, B, C, D, E, f3, K3, expand( data, 40 ) ); DEBUG(40); subRound( E, A, B, C, D, f3, K3, expand( data, 41 ) ); DEBUG(41); subRound( D, E, A, B, C, f3, K3, expand( data, 42 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 43 ) ); subRound( B, C, D, E, A, f3, K3, expand( data, 44 ) ); subRound( A, B, C, D, E, f3, K3, expand( data, 45 ) ); subRound( E, A, B, C, D, f3, K3, expand( data, 46 ) ); subRound( D, E, A, B, C, f3, K3, expand( data, 47 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 48 ) ); subRound( B, C, D, E, A, f3, K3, expand( data, 49 ) ); subRound( A, B, C, D, E, f3, K3, expand( data, 50 ) ); subRound( E, A, B, C, D, f3, K3, expand( data, 51 ) ); subRound( D, E, A, B, C, f3, K3, expand( data, 52 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 53 ) ); subRound( B, C, D, E, A, f3, K3, expand( data, 54 ) ); subRound( A, B, C, D, E, f3, K3, expand( data, 55 ) ); subRound( E, A, B, C, D, f3, K3, expand( data, 56 ) ); subRound( D, E, A, B, C, f3, K3, expand( data, 57 ) ); subRound( C, D, E, A, B, f3, K3, expand( data, 58 ) ); DEBUG(58); subRound( B, C, D, E, A, f3, K3, expand( data, 59 ) ); DEBUG(59); subRound( A, B, C, D, E, f4, K4, expand( data, 60 ) ); DEBUG(60); subRound( E, A, B, C, D, f4, K4, expand( data, 61 ) ); DEBUG(61); subRound( D, E, A, B, C, f4, K4, expand( data, 62 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 63 ) ); subRound( B, C, D, E, A, f4, K4, expand( data, 64 ) ); subRound( A, B, C, D, E, f4, K4, expand( data, 65 ) ); subRound( E, A, B, C, D, f4, K4, expand( data, 66 ) ); subRound( D, E, A, B, C, f4, K4, expand( data, 67 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 68 ) ); subRound( B, C, D, E, A, f4, K4, expand( data, 69 ) ); subRound( A, B, C, D, E, f4, K4, expand( data, 70 ) ); subRound( E, A, B, C, D, f4, K4, expand( data, 71 ) ); subRound( D, E, A, B, C, f4, K4, expand( data, 72 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 73 ) ); subRound( B, C, D, E, A, f4, K4, expand( data, 74 ) ); subRound( A, B, C, D, E, f4, K4, expand( data, 75 ) ); subRound( E, A, B, C, D, f4, K4, expand( data, 76 ) ); subRound( D, E, A, B, C, f4, K4, expand( data, 77 ) ); subRound( C, D, E, A, B, f4, K4, expand( data, 78 ) ); DEBUG(78); subRound( B, C, D, E, A, f4, K4, expand( data, 79 ) ); DEBUG(79); /* Build message digest */ state[0] += A; state[1] += B; state[2] += C; state[3] += D; state[4] += E; #if SHA1_DEBUG fprintf(stderr, "99: %8x %8x %8x %8x %8x\n", state[0], state[1], state[2], state[3], state[4]); #endif } nettle-3.10/memxor3.c0000644000175000017500000001621514633602171013522 0ustar nissenisse/* memxor3.c Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Implementation inspired by memcmp in glibc, contributed to the FSF by Torbjorn Granlund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memxor.h" #include "memxor-internal.h" #define WORD_T_THRESH 16 /* For fat builds */ #if HAVE_NATIVE_memxor3 void * _nettle_memxor3_c(void *dst_in, const void *a_in, const void *b_in, size_t n); # define nettle_memxor3 _nettle_memxor3_c #endif /* XOR word-aligned areas. n is the number of words, not bytes. */ static void memxor3_common_alignment (word_t *dst, const word_t *a, const word_t *b, size_t n) { /* FIXME: Require n > 0? */ if (n & 1) { n--; dst[n] = a[n] ^ b[n]; } while (n > 0) { n -= 2; dst[n+1] = a[n+1] ^ b[n+1]; dst[n] = a[n] ^ b[n]; } } static void memxor3_different_alignment_b (word_t *dst, const word_t *a, const unsigned char *b, unsigned offset, size_t n) { int shl, shr; const word_t *b_word; word_t s0, s1; assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (s0, (unsigned char *) &b_word[n], offset); #ifdef WORDS_BIGENDIAN s0 <<= shr; #endif if (n & 1) s1 = s0; else { n--; s1 = b_word[n]; dst[n] = a[n] ^ MERGE (s1, shl, s0, shr); } while (n > 2) { n -= 2; s0 = b_word[n+1]; dst[n+1] = a[n+1] ^ MERGE(s0, shl, s1, shr); s1 = b_word[n]; dst[n] = a[n] ^ MERGE(s1, shl, s0, shr); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (s0, b, sizeof(word_t) - offset); #ifndef WORDS_BIGENDIAN s0 <<= shl; #endif /* !WORDS_BIGENDIAN */ dst[0] = a[0] ^ MERGE(s0, shl, s1, shr); } static void memxor3_different_alignment_ab (word_t *dst, const unsigned char *a, const unsigned char *b, unsigned offset, size_t n) { int shl, shr; const word_t *a_word; const word_t *b_word; word_t s0, s1, t; assert (n > 0); shl = CHAR_BIT * offset; shr = CHAR_BIT * (sizeof(word_t) - offset); a_word = (const word_t *) ((uintptr_t) a & -sizeof(word_t)); b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (s0, (unsigned char *) &a_word[n], offset); READ_PARTIAL (t, (unsigned char *) &b_word[n], offset); s0 ^= t; #ifdef WORDS_BIGENDIAN s0 <<= shr; #endif if (n & 1) s1 = s0; else { n--; s1 = a_word[n] ^ b_word[n]; dst[n] = MERGE (s1, shl, s0, shr); } while (n > 2) { n -= 2; s0 = a_word[n+1] ^ b_word[n+1]; dst[n+1] = MERGE(s0, shl, s1, shr); s1 = a_word[n] ^ b_word[n]; dst[n] = MERGE(s1, shl, s0, shr); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (s0, a, sizeof(word_t) - offset); READ_PARTIAL (t, b, sizeof(word_t) - offset); s0 ^= t; #ifndef WORDS_BIGENDIAN s0 <<= shl; #endif /* !WORDS_BIGENDIAN */ dst[0] = MERGE(s0, shl, s1, shr); } static void memxor3_different_alignment_all (word_t *dst, const unsigned char *a, const unsigned char *b, unsigned a_offset, unsigned b_offset, size_t n) { int al, ar, bl, br; const word_t *a_word; const word_t *b_word; word_t a0, a1, b0, b1; al = CHAR_BIT * a_offset; ar = CHAR_BIT * (sizeof(word_t) - a_offset); bl = CHAR_BIT * b_offset; br = CHAR_BIT * (sizeof(word_t) - b_offset); a_word = (const word_t *) ((uintptr_t) a & -sizeof(word_t)); b_word = (const word_t *) ((uintptr_t) b & -sizeof(word_t)); /* Read top offset bytes, in native byte order. */ READ_PARTIAL (a0, (unsigned char *) &a_word[n], a_offset); READ_PARTIAL (b0, (unsigned char *) &b_word[n], b_offset); #ifdef WORDS_BIGENDIAN a0 <<= ar; b0 <<= br; #endif if (n & 1) { a1 = a0; b1 = b0; } else { n--; a1 = a_word[n]; b1 = b_word[n]; dst[n] = MERGE (a1, al, a0, ar) ^ MERGE (b1, bl, b0, br); } while (n > 2) { n -= 2; a0 = a_word[n+1]; b0 = b_word[n+1]; dst[n+1] = MERGE(a0, al, a1, ar) ^ MERGE(b0, bl, b1, br); a1 = a_word[n]; b1 = b_word[n]; dst[n] = MERGE(a1, al, a0, ar) ^ MERGE(b1, bl, b0, br); } assert (n == 1); /* Read low wordsize - offset bytes */ READ_PARTIAL (a0, a, sizeof(word_t) - a_offset); READ_PARTIAL (b0, b, sizeof(word_t) - b_offset); #ifndef WORDS_BIGENDIAN a0 <<= al; b0 <<= bl; #endif /* !WORDS_BIGENDIAN */ dst[0] = MERGE(a0, al, a1, ar) ^ MERGE(b0, bl, b1, br); } /* Current implementation processes data in descending order, to support overlapping operation with one of the sources overlapping the start of the destination area. This feature is used only internally by cbc decrypt, and it is not advertised or documented to nettle users. */ void * nettle_memxor3(void *dst_in, const void *a_in, const void *b_in, size_t n) { unsigned char *dst = dst_in; const unsigned char *a = a_in; const unsigned char *b = b_in; if (n >= WORD_T_THRESH) { unsigned i; unsigned a_offset; unsigned b_offset; size_t nwords; for (i = ALIGN_OFFSET(dst + n); i > 0; i--) { n--; dst[n] = a[n] ^ b[n]; } a_offset = ALIGN_OFFSET(a + n); b_offset = ALIGN_OFFSET(b + n); nwords = n / sizeof (word_t); n %= sizeof (word_t); if (a_offset == b_offset) { if (!a_offset) memxor3_common_alignment((word_t *) (dst + n), (const word_t *) (a + n), (const word_t *) (b + n), nwords); else memxor3_different_alignment_ab((word_t *) (dst + n), a + n, b + n, a_offset, nwords); } else if (!a_offset) memxor3_different_alignment_b((word_t *) (dst + n), (const word_t *) (a + n), b + n, b_offset, nwords); else if (!b_offset) memxor3_different_alignment_b((word_t *) (dst + n), (const word_t *) (b + n), a + n, a_offset, nwords); else memxor3_different_alignment_all((word_t *) (dst + n), a + n, b + n, a_offset, b_offset, nwords); } while (n-- > 0) dst[n] = a[n] ^ b[n]; return dst; } nettle-3.10/asn1.h0000644000175000017500000001017114633602172012773 0ustar nissenisse/* asn1.h Limited support for ASN.1 DER decoding. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_ASN1_H_INCLUDED #define NETTLE_ASN1_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define asn1_der_iterator_first nettle_asn1_der_iterator_first #define asn1_der_iterator_next nettle_asn1_der_iterator_next #define asn1_der_decode_constructed nettle_asn1_der_decode_constructed #define asn1_der_decode_constructed_last nettle_asn1_der_decode_constructed_last #define asn1_der_decode_bitstring nettle_asn1_der_decode_bitstring #define asn1_der_decode_bitstring_last nettle_asn1_der_decode_bitstring_last #define asn1_der_get_uint32 nettle_asn1_der_get_uint32 #define asn1_der_get_bignum nettle_asn1_der_get_bignum /* enum asn1_type keeps the class number and the constructive in bits 13-14, and the constructive flag in bit 12. The remaining 14 bits are the tag (although currently, only tags in the range 0-30 are supported). */ enum { ASN1_TYPE_CONSTRUCTED = 1 << 12, ASN1_CLASS_UNIVERSAL = 0, ASN1_CLASS_APPLICATION = 1 << 13, ASN1_CLASS_CONTEXT_SPECIFIC = 2 << 13, ASN1_CLASS_PRIVATE = 3 << 13, ASN1_CLASS_MASK = 3 << 13, ASN1_CLASS_SHIFT = 13, }; enum asn1_type { ASN1_BOOLEAN = 1, ASN1_INTEGER = 2, ASN1_BITSTRING = 3, ASN1_OCTETSTRING = 4, ASN1_NULL = 5, ASN1_IDENTIFIER = 6, ASN1_REAL = 9, ASN1_ENUMERATED = 10, ASN1_UTF8STRING = 12, ASN1_SEQUENCE = 16 | ASN1_TYPE_CONSTRUCTED, ASN1_SET = 17 | ASN1_TYPE_CONSTRUCTED, ASN1_PRINTABLESTRING = 19, ASN1_TELETEXSTRING = 20, ASN1_IA5STRING = 22, ASN1_UTC = 23, ASN1_UNIVERSALSTRING = 28, ASN1_BMPSTRING = 30, }; enum asn1_iterator_result { ASN1_ITERATOR_ERROR, ASN1_ITERATOR_PRIMITIVE, ASN1_ITERATOR_CONSTRUCTED, ASN1_ITERATOR_END, }; /* Parsing DER objects. */ struct asn1_der_iterator { size_t buffer_length; const uint8_t *buffer; /* Next object to parse. */ size_t pos; enum asn1_type type; /* Pointer to the current object */ size_t length; const uint8_t *data; }; /* Initializes the iterator. */ enum asn1_iterator_result asn1_der_iterator_first(struct asn1_der_iterator *iterator, size_t length, const uint8_t *input); enum asn1_iterator_result asn1_der_iterator_next(struct asn1_der_iterator *iterator); /* Starts parsing of a constructed object. */ enum asn1_iterator_result asn1_der_decode_constructed(struct asn1_der_iterator *i, struct asn1_der_iterator *contents); /* For the common case that we have a sequence at the end of the object. Checks that the current object is the final one, and then reinitializes the iterator to parse its ontents. */ enum asn1_iterator_result asn1_der_decode_constructed_last(struct asn1_der_iterator *i); enum asn1_iterator_result asn1_der_decode_bitstring(struct asn1_der_iterator *i, struct asn1_der_iterator *contents); enum asn1_iterator_result asn1_der_decode_bitstring_last(struct asn1_der_iterator *i); /* All these functions return 1 on success, 0 on failure */ int asn1_der_get_uint32(struct asn1_der_iterator *i, uint32_t *x); #ifdef __cplusplus } #endif #endif /* NETTLE_ASN1_H_INCLUDED */ nettle-3.10/ed448-shake256-verify.c0000644000175000017500000000355214633602172015611 0ustar nissenisse/* ed448-shake256-verify.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "ecc-internal.h" #include "eddsa-internal.h" #include "sha3.h" int ed448_shake256_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve448; mp_size_t itch = 3*ecc->p.size + _eddsa_verify_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); struct sha3_256_ctx ctx; int res; #define A scratch #define scratch_out (scratch + 3*ecc->p.size) sha3_256_init (&ctx); res = (_eddsa_decompress (ecc, A, pub, scratch_out) && _eddsa_verify (ecc, &_nettle_ed448_shake256, pub, A, &ctx, length, msg, signature, scratch_out)); gmp_free_limbs (scratch, itch); return res; #undef A #undef scratch_out } nettle-3.10/oaep.c0000644000175000017500000001570114633602171013053 0ustar nissenisse/* oaep.c PKCS#1 RSA-OAEP (RFC-8017). Copyright (C) 2021-2024 Nicolas Mora Copyright (C) 2024 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "oaep.h" #include "gmp-glue.h" #include "memops.h" #include "memxor.h" #include "nettle-internal.h" #include "pss-mgf1.h" #include #include /* Inputs are always cast to uint32_t values. But all values used in this * function should never exceed the maximum value of a uint32_t anyway. * these macros returns 1 on success, 0 on failure */ #define NOT_EQUAL(a, b) \ ((0U - ((uint32_t)(a) ^ (uint32_t)(b))) >> 31) #define EQUAL(a, b) (IS_ZERO_SMALL ((a) ^ (b))) #define GREATER_OR_EQUAL(a, b) \ (1U - (((uint32_t)(a) - (uint32_t)(b)) >> 31)) /* This is a copy of _pkcs1_sec_decrypt_variable with a slight * modification for the padding format. */ static int _oaep_sec_decrypt_variable(size_t *length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message, volatile size_t offset) { volatile int not_found = 1; volatile int ok = 1; size_t buflen, msglen; size_t shift, i; /* length is discovered in a side-channel silent way. * not_found goes to 0 when the terminator is found. */ for (i = offset; i < padded_message_length; i++) { not_found &= NOT_EQUAL(padded_message[i], 1); offset += not_found; } /* check if we ran out of buffer */ ok &= NOT_EQUAL(not_found, 1); /* skip terminator */ offset++; /* offset can be up to padded_message_length, due to the loop above, * therefore msglen can't underflow */ msglen = padded_message_length - offset; /* we always fill the whole buffer but only up to * padded_message_length length */ buflen = *length; if (buflen > padded_message_length) { /* input independent branch */ buflen = padded_message_length; } /* if the message length is larger than the buffer we must fail */ ok &= GREATER_OR_EQUAL(buflen, msglen); /* fill destination buffer fully regardless of outcome. Copies the message * in a memory access independent way. The destination message buffer will * be clobbered past the message length. */ shift = padded_message_length - buflen; cnd_memcpy(ok, message, padded_message + shift, buflen); offset -= shift; /* In this loop, the bits of the 'offset' variable are used as shifting * conditions, starting from the least significant bit. The end result is * that the buffer is shifted left exactly 'offset' bytes. */ for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1) { /* 'ok' is both a least significant bit mask and a condition */ cnd_memcpy(offset & ok, message, message + shift, buflen - shift); } /* update length only if we succeeded, otherwise leave unchanged */ *length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1)); return ok; } int _oaep_decode_mgf1 (const uint8_t *em, size_t key_size, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message) { const uint8_t *db; size_t db_length; const uint8_t *seed; TMP_GMP_DECL(db_mask, uint8_t); uint8_t seed_mask[NETTLE_MAX_HASH_DIGEST_SIZE]; uint8_t lhash[NETTLE_MAX_HASH_DIGEST_SIZE]; int ok = 1; assert (key_size >= 2 * hash->digest_size - 2); /* EM = 0x00 || maskedSeed || maskedDB */ ok &= EQUAL(*em, 0); seed = em + 1; db = seed + hash->digest_size; db_length = key_size - hash->digest_size - 1; TMP_GMP_ALLOC(db_mask, db_length); /* seedMask = MGF(maskedDB, hLen) */ hash->init (hash_ctx); hash->update (hash_ctx, db_length, db); pss_mgf1 (hash_ctx, hash, hash->digest_size, seed_mask); /* seed = maskedSeed \xor seedMask */ memxor (seed_mask, seed, hash->digest_size); /* dbMask = MGF(seed, seed - hLen - 1) */ hash->init (hash_ctx); hash->update (hash_ctx, hash->digest_size, seed_mask); pss_mgf1 (hash_ctx, hash, db_length, db_mask); /* DB = maskedDB \xor dbMask */ memxor (db_mask, db, db_length); hash->init (hash_ctx); hash->update (hash_ctx, label_length, label); hash->digest (hash_ctx, hash->digest_size, lhash); ok &= memeql_sec (db_mask, lhash, hash->digest_size); ok &= _oaep_sec_decrypt_variable (length, message, db_length, db_mask, hash->digest_size); TMP_GMP_FREE (db_mask); return ok; } int _oaep_encode_mgf1 (mpz_t m, size_t key_size, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t message_length, const uint8_t *message) { TMP_GMP_DECL(em, uint8_t); TMP_GMP_DECL(db_mask, uint8_t); uint8_t *db; size_t db_length; uint8_t *seed; uint8_t seed_mask[NETTLE_MAX_HASH_DIGEST_SIZE]; if (message_length > key_size || message_length + 2 + 2 * hash->digest_size > key_size) return 0; TMP_GMP_ALLOC(em, key_size); TMP_GMP_ALLOC(db_mask, key_size); /* EM = 0x00 || maskedSeed || maskedDB */ *em = 0; seed = em + 1; db = seed + hash->digest_size; db_length = key_size - hash->digest_size - 1; /* DB = Hash(L) || PS || 0x01 || M */ memset (db, 0, db_length); hash->init (hash_ctx); hash->update (hash_ctx, label_length, label); hash->digest (hash_ctx, hash->digest_size, db); memcpy (&db[db_length - message_length], message, message_length); db[db_length - message_length - 1] = 0x01; /* Generate seed */ random (random_ctx, hash->digest_size, seed); /* dbMask = MGF(seed, k - hLen - 1) */ hash->init (hash_ctx); hash->update (hash_ctx, hash->digest_size, seed); pss_mgf1 (hash_ctx, hash, db_length, db_mask); /* maskedDB = DB \xor dbMask */ memxor (db, db_mask, db_length); /* seedMask = MGF(maskedDB, hLen) */ hash->init (hash_ctx); hash->update (hash_ctx, db_length, db); pss_mgf1 (hash_ctx, hash, hash->digest_size, seed_mask); /* maskedSeed = seed \xor seedMask */ memxor (seed, seed_mask, hash->digest_size); nettle_mpz_set_str_256_u (m, key_size, em); TMP_GMP_FREE (em); TMP_GMP_FREE (db_mask); return 1; } nettle-3.10/sexp2dsa.c0000644000175000017500000000715714633602171013666 0ustar nissenisse/* sexp2dsa.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "dsa.h" #include "bignum.h" #include "sexp.h" #define GET(x, l, v) \ do { \ if (!nettle_mpz_set_sexp((x), (l), (v)) \ || mpz_sgn(x) <= 0) \ return 0; \ } while(0) /* Iterator should point past the algorithm tag, e.g. * * (public-key (dsa (p |xxxx|) ...) * ^ here */ int dsa_keypair_from_sexp_alist(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, unsigned q_bits, struct sexp_iterator *i) { static const char * const names[5] = { "p", "q", "g", "y", "x" }; struct sexp_iterator values[5]; unsigned nvalues = priv ? 5 : 4; unsigned p_bits; if (!sexp_iterator_assoc(i, nvalues, names, values)) return 0; GET(params->p, p_max_bits, &values[0]); p_bits = mpz_sizeinbase (params->p, 2); GET(params->q, q_bits ? q_bits : p_bits, &values[1]); if (q_bits > 0 && mpz_sizeinbase(params->q, 2) != q_bits) return 0; if (mpz_cmp (params->q, params->p) >= 0) return 0; GET(params->g, p_bits, &values[2]); if (mpz_cmp (params->g, params->p) >= 0) return 0; GET(pub, p_bits, &values[3]); if (mpz_cmp (pub, params->p) >= 0) return 0; if (priv) { GET(priv, mpz_sizeinbase (params->q, 2), &values[4]); if (mpz_cmp (priv, params->q) >= 0) return 0; } return 1; } int dsa_sha1_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr) { struct sexp_iterator i; return sexp_iterator_first(&i, length, expr) && sexp_iterator_check_type(&i, priv ? "private-key" : "public-key") && sexp_iterator_check_type(&i, "dsa") && dsa_keypair_from_sexp_alist(params, pub, priv, p_max_bits, DSA_SHA1_Q_BITS, &i); } int dsa_sha256_keypair_from_sexp(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *expr) { struct sexp_iterator i; return sexp_iterator_first(&i, length, expr) && sexp_iterator_check_type(&i, priv ? "private-key" : "public-key") && sexp_iterator_check_type(&i, "dsa-sha256") && dsa_keypair_from_sexp_alist(params, pub, priv, p_max_bits, DSA_SHA256_Q_BITS, &i); } int dsa_signature_from_sexp(struct dsa_signature *rs, struct sexp_iterator *i, unsigned q_bits) { static const char * const names[2] = { "r", "s" }; struct sexp_iterator values[2]; if (!sexp_iterator_assoc(i, 2, names, values)) return 0; GET(rs->r, q_bits, &values[0]); GET(rs->s, q_bits, &values[1]); return 1; } nettle-3.10/ecc-eh-to-a.c0000644000175000017500000000325614633602171014113 0ustar nissenisse/* ecc-eh-to-a.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" /* Convert from homogeneous coordinates on the Edwards curve to affine coordinates. */ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch #define tp (scratch + ecc->p.size) #define xp p #define yp (p + ecc->p.size) #define zp (p + 2*ecc->p.size) assert(op == 0); /* Needs size + scratch for the invert call. */ ecc->p.invert (&ecc->p, izp, zp, tp); ecc_mod_mul_canonical (&ecc->p, r, xp, izp, tp); ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, yp, izp, tp); } nettle-3.10/eax.c0000644000175000017500000001054314633602171012703 0ustar nissenisse/* eax.c EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "eax.h" #include "block-internal.h" #include "ctr.h" #include "memxor.h" static void omac_init (union nettle_block16 *state, unsigned t) { memset (state->b, 0, EAX_BLOCK_SIZE - 1); state->b[EAX_BLOCK_SIZE - 1] = t; } static void omac_update (union nettle_block16 *state, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data) { for (; length >= EAX_BLOCK_SIZE; length -= EAX_BLOCK_SIZE, data += EAX_BLOCK_SIZE) { f (cipher, EAX_BLOCK_SIZE, state->b, state->b); memxor (state->b, data, EAX_BLOCK_SIZE); } if (length > 0) { /* Allowed only for the last call */ f (cipher, EAX_BLOCK_SIZE, state->b, state->b); memxor (state->b, data, length); state->b[length] ^= 0x80; /* XOR with (P ^ B), since the digest processing * unconditionally XORs with B */ block16_xor (state, &key->pad_partial); } } static void omac_final (union nettle_block16 *state, const struct eax_key *key, const void *cipher, nettle_cipher_func *f) { block16_xor (state, &key->pad_block); f (cipher, EAX_BLOCK_SIZE, state->b, state->b); } void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f) { static const union nettle_block16 zero_block; f (cipher, EAX_BLOCK_SIZE, key->pad_block.b, zero_block.b); block16_mulx_be (&key->pad_block, &key->pad_block); block16_mulx_be (&key->pad_partial, &key->pad_block); block16_xor (&key->pad_partial, &key->pad_block); } void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce) { omac_init (&eax->omac_nonce, 0); omac_update (&eax->omac_nonce, key, cipher, f, nonce_length, nonce); omac_final (&eax->omac_nonce, key, cipher, f); memcpy (eax->ctr.b, eax->omac_nonce.b, EAX_BLOCK_SIZE); omac_init (&eax->omac_data, 1); omac_init (&eax->omac_message, 2); } void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data) { omac_update (&eax->omac_data, key, cipher, f, data_length, data); } void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src); omac_update (&eax->omac_message, key, cipher, f, length, dst); } void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { omac_update (&eax->omac_message, key, cipher, f, length, src); ctr_crypt (cipher, f, EAX_BLOCK_SIZE, eax->ctr.b, length, dst, src); } void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest) { assert (length > 0); assert (length <= EAX_BLOCK_SIZE); omac_final (&eax->omac_data, key, cipher, f); omac_final (&eax->omac_message, key, cipher, f); block16_xor (&eax->omac_nonce, &eax->omac_data); memxor3 (digest, eax->omac_nonce.b, eax->omac_message.b, length); } nettle-3.10/siv-cmac.c0000644000175000017500000001133114633602171013624 0ustar nissenisse/* siv-cmac.c SIV-CMAC, RFC5297 Copyright (C) 2017 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "aes.h" #include "siv-cmac.h" #include "cmac.h" #include "ctr.h" #include "memxor.h" #include "memops.h" #include "nettle-internal.h" #include "block-internal.h" /* This is an implementation of S2V for the AEAD case where * vectors if zero, are considered as S empty components */ static void _siv_s2v (const struct nettle_cipher *nc, const struct cmac128_key *cmac_key, const void *cmac_cipher, size_t alength, const uint8_t * adata, size_t nlength, const uint8_t * nonce, size_t plength, const uint8_t * pdata, uint8_t * v) { union nettle_block16 D, S, T; static const union nettle_block16 const_zero = {.b = 0 }; struct cmac128_ctx cmac_ctx; assert (nlength >= SIV_MIN_NONCE_SIZE); cmac128_init(&cmac_ctx); cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, 16, const_zero.b); cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, D.b); block16_mulx_be (&D, &D); cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, alength, adata); cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, S.b); block16_xor (&D, &S); block16_mulx_be (&D, &D); cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, nlength, nonce); cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, S.b); block16_xor (&D, &S); /* Sn */ if (plength >= 16) { cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, plength - 16, pdata); pdata += plength - 16; block16_xor_bytes (&T, &D, pdata); } else { union nettle_block16 pad; block16_mulx_be (&T, &D); memcpy (pad.b, pdata, plength); pad.b[plength] = 0x80; if (plength + 1 < 16) memset (&pad.b[plength + 1], 0, 16 - plength - 1); block16_xor (&T, &pad); } cmac128_update (&cmac_ctx, cmac_cipher, nc->encrypt, 16, T.b); cmac128_digest (&cmac_ctx, cmac_key, cmac_cipher, nc->encrypt, 16, v); } void siv_cmac_set_key (struct cmac128_key *cmac_key, void *cmac_cipher, void *siv_cipher, const struct nettle_cipher *nc, const uint8_t * key) { nc->set_encrypt_key (cmac_cipher, key); cmac128_set_key (cmac_key, cmac_cipher, nc->encrypt); nc->set_encrypt_key (siv_cipher, key + nc->key_size); } void siv_cmac_encrypt_message (const struct cmac128_key *cmac_key, const void *cmac_cipher, const struct nettle_cipher *nc, const void *ctr_cipher, size_t nlength, const uint8_t * nonce, size_t alength, const uint8_t * adata, size_t clength, uint8_t * dst, const uint8_t * src) { union nettle_block16 siv; size_t slength; assert (clength >= SIV_DIGEST_SIZE); slength = clength - SIV_DIGEST_SIZE; /* create CTR nonce */ _siv_s2v (nc, cmac_key, cmac_cipher, alength, adata, nlength, nonce, slength, src, siv.b); memcpy (dst, siv.b, SIV_DIGEST_SIZE); siv.b[8] &= ~0x80; siv.b[12] &= ~0x80; ctr_crypt (ctr_cipher, nc->encrypt, AES_BLOCK_SIZE, siv.b, slength, dst + SIV_DIGEST_SIZE, src); } int siv_cmac_decrypt_message (const struct cmac128_key *cmac_key, const void *cmac_cipher, const struct nettle_cipher *nc, const void *ctr_cipher, size_t nlength, const uint8_t * nonce, size_t alength, const uint8_t * adata, size_t mlength, uint8_t * dst, const uint8_t * src) { union nettle_block16 siv; union nettle_block16 ctr; memcpy (ctr.b, src, SIV_DIGEST_SIZE); ctr.b[8] &= ~0x80; ctr.b[12] &= ~0x80; ctr_crypt (ctr_cipher, nc->encrypt, AES_BLOCK_SIZE, ctr.b, mlength, dst, src + SIV_DIGEST_SIZE); /* create CTR nonce */ _siv_s2v (nc, cmac_key, cmac_cipher, alength, adata, nlength, nonce, mlength, dst, siv.b); return memeql_sec (siv.b, src, SIV_DIGEST_SIZE); } nettle-3.10/rsa-sign.c0000644000175000017500000001067214633602171013654 0ustar nissenisse/* rsa-sign.c Creating RSA signatures. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "gmp-glue.h" void rsa_private_key_init(struct rsa_private_key *key) { mpz_init(key->d); mpz_init(key->p); mpz_init(key->q); mpz_init(key->a); mpz_init(key->b); mpz_init(key->c); /* Not really necessary, but it seems cleaner to initialize all the * storage. */ key->size = 0; } void rsa_private_key_clear(struct rsa_private_key *key) { mpz_clear(key->d); mpz_clear(key->p); mpz_clear(key->q); mpz_clear(key->a); mpz_clear(key->b); mpz_clear(key->c); } int rsa_private_key_prepare(struct rsa_private_key *key) { mpz_t n; /* A key is invalid if the sizes of q and c are smaller than * the size of n, we rely on that property in calculations so * fail early if that happens. */ if (mpz_size (key->q) + mpz_size (key->c) < mpz_size(key->p)) return 0; /* The size of the product is the sum of the sizes of the factors, * or sometimes one less. It's possible but tricky to compute the * size without computing the full product. */ mpz_init(n); mpz_mul(n, key->p, key->q); key->size = _rsa_check_size(n); mpz_clear(n); return (key->size > 0); } #if NETTLE_USE_MINI_GMP /* Computing an rsa root. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m) { mpz_t xp; /* modulo p */ mpz_t xq; /* modulo q */ mpz_init(xp); mpz_init(xq); /* Compute xq = m^d % q = (m%q)^b % q */ mpz_fdiv_r(xq, m, key->q); mpz_powm_sec(xq, xq, key->b, key->q); /* Compute xp = m^d % p = (m%p)^a % p */ mpz_fdiv_r(xp, m, key->p); mpz_powm_sec(xp, xp, key->a, key->p); /* Set xp' = (xp - xq) c % p. */ mpz_sub(xp, xp, xq); mpz_mul(xp, xp, key->c); mpz_fdiv_r(xp, xp, key->p); /* Finally, compute x = xq + q xp' * * To prove that this works, note that * * xp = x + i p, * xq = x + j q, * c q = 1 + k p * * for some integers i, j and k. Now, for some integer l, * * xp' = (xp - xq) c + l p * = (x + i p - (x + j q)) c + l p * = (i p - j q) c + l p * = (i c + l) p - j (c q) * = (i c + l) p - j (1 + kp) * = (i c + l - j k) p - j * * which shows that xp' = -j (mod p). We get * * xq + q xp' = x + j q + (i c + l - j k) p q - j q * = x + (i c + l - j k) p q * * so that * * xq + q xp' = x (mod pq) * * We also get 0 <= xq + q xp' < p q, because * * 0 <= xq < q and 0 <= xp' < p. */ mpz_mul(x, key->q, xp); mpz_add(x, x, xq); mpz_clear(xp); mpz_clear(xq); } #else /* !NETTLE_USE_MINI_GMP */ /* Computing an rsa root. */ void rsa_compute_root(const struct rsa_private_key *key, mpz_t x, const mpz_t m) { TMP_GMP_DECL (scratch, mp_limb_t); TMP_GMP_DECL (ml, mp_limb_t); mp_limb_t *xl; size_t key_size; key_size = NETTLE_OCTET_SIZE_TO_LIMB_SIZE(key->size); assert(mpz_size (m) <= key_size); /* we need a copy because m can be shorter than key_size, * but _rsa_sec_compute_root expect all inputs to be * normalized to a key_size long buffer length */ TMP_GMP_ALLOC (ml, key_size); mpz_limbs_copy(ml, m, key_size); TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); xl = mpz_limbs_write (x, key_size); _rsa_sec_compute_root (key, xl, ml, scratch); mpz_limbs_finish (x, key_size); TMP_GMP_FREE (ml); TMP_GMP_FREE (scratch); } #endif /* !NETTLE_USE_MINI_GMP */ nettle-3.10/ecdsa.h0000644000175000017500000000551514633602172013216 0ustar nissenisse/* ecdsa.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECDSA_H_INCLUDED #define NETTLE_ECDSA_H_INCLUDED #include "ecc.h" #include "dsa.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ecdsa_sign nettle_ecdsa_sign #define ecdsa_verify nettle_ecdsa_verify #define ecdsa_generate_keypair nettle_ecdsa_generate_keypair #define ecc_ecdsa_sign nettle_ecc_ecdsa_sign #define ecc_ecdsa_sign_itch nettle_ecc_ecdsa_sign_itch #define ecc_ecdsa_verify nettle_ecc_ecdsa_verify #define ecc_ecdsa_verify_itch nettle_ecc_ecdsa_verify_itch /* High level ECDSA functions. * * A public key is represented as a struct ecc_point, and a private * key as a struct ecc_scalar. */ void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature); int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random); /* Low-level ECDSA functions. */ mp_size_t ecc_ecdsa_sign_itch (const struct ecc_curve *ecc); void ecc_ecdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch); mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc); int ecc_ecdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch); #ifdef __cplusplus } #endif #endif /* NETTLE_ECDSA_H_INCLUDED */ nettle-3.10/curve448-mul.c0000644000175000017500000000323614633602172014307 0ustar nissenisse/* curve448-mul.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "curve448.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult. */ void curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) { const struct ecc_modulo *m = &_nettle_curve448.p; mp_size_t itch; mp_limb_t *x; itch = m->size + ECC_MUL_M_ITCH(m->size); x = gmp_alloc_limbs (itch); mpn_set_base256_le (x, m->size, p, CURVE448_SIZE); ecc_mul_m (m, 39081, 2, 446, x, n, x, x + m->size); mpn_get_base256_le (q, CURVE448_SIZE, x, m->size); gmp_free_limbs (x, itch); } nettle-3.10/ed25519-sha512-verify.c0000644000175000017500000000351514633602172015431 0ustar nissenisse/* ed25519-sha512-verify.c Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "sha2.h" int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve25519; mp_size_t itch = 3*ecc->p.size + _eddsa_verify_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); struct sha512_ctx ctx; int res; #define A scratch #define scratch_out (scratch + 3*ecc->p.size) sha512_init (&ctx); res = (_eddsa_decompress (ecc, A, pub, scratch_out) && _eddsa_verify (ecc, &_nettle_ed25519_sha512, pub, A, &ctx, length, msg, signature, scratch_out)); gmp_free_limbs (scratch, itch); return res; #undef A #undef scratch_out } nettle-3.10/hmac-sm3.c0000644000175000017500000000304214633602171013532 0ustar nissenisse/* hmac-sm3.c HMAC-SM3 message authentication code. Copyright (C) 2021 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sm3_set_key(struct hmac_sm3_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sm3, key_length, key); } void hmac_sm3_update(struct hmac_sm3_ctx *ctx, size_t length, const uint8_t *data) { sm3_update(&ctx->state, length, data); } void hmac_sm3_digest(struct hmac_sm3_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sm3, length, digest); } nettle-3.10/eddsa-compress.c0000644000175000017500000000344314633602172015041 0ustar nissenisse/* eddsa-compress.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "gmp-glue.h" mp_size_t _eddsa_compress_itch (const struct ecc_curve *ecc) { return 2*ecc->p.size + ecc->h_to_a_itch; } void _eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, mp_limb_t *scratch) { #define xp scratch #define yp (scratch + ecc->p.size) #define scratch_out (scratch + 2*ecc->p.size) size_t nbytes = 1 + ecc->p.bit_size / 8; ecc->h_to_a (ecc, 0, xp, p, scratch_out); /* Encoding is the y coordinate and an appended "sign" bit, which is the low bit of x. The sign bit is stored as the most significant bit of the last byte. */ mpn_get_base256_le (r, nbytes, yp, ecc->p.size); r[nbytes - 1] += (xp[0] & 1) << 7; } nettle-3.10/aes192-set-decrypt-key.c0000644000175000017500000000351514633602171016162 0ustar nissenisse/* aes192-set-decrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes192_invert_key void _nettle_aes192_invert_key_c(struct aes192_ctx *dst, const struct aes192_ctx *src); # define nettle_aes192_invert_key _nettle_aes192_invert_key_c #endif #if HAVE_NATIVE_aes192_set_decrypt_key void _nettle_aes192_set_decrypt_key_c(struct aes192_ctx *ctx, const uint8_t *key); # define nettle_aes192_set_decrypt_key _nettle_aes192_set_decrypt_key_c #endif void nettle_aes192_invert_key (struct aes192_ctx *dst, const struct aes192_ctx *src) { _nettle_aes_invert (_AES192_ROUNDS, dst->keys, src->keys); } void nettle_aes192_set_decrypt_key(struct aes192_ctx *ctx, const uint8_t *key) { aes192_set_encrypt_key (ctx, key); aes192_invert_key (ctx, ctx); } nettle-3.10/yarrow_key_event.c0000644000175000017500000000413414633602171015521 0ustar nissenisse/* yarrow_key_event.c Example entropy estimator for key-like input events. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "yarrow.h" void yarrow_key_event_init(struct yarrow_key_event_ctx *ctx) { unsigned i; ctx->index = 0; ctx->previous = 0; for (i = 0; i < YARROW_KEY_EVENT_BUFFER; i++) ctx->chars[i] = 0; } unsigned yarrow_key_event_estimate(struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time) { unsigned entropy = 0; unsigned i; /* Look at timing first. */ if (ctx->previous && (time > ctx->previous) ) { if ( (time - ctx->previous) >= 256) entropy++; } ctx->previous = time; if (!key) return entropy; for (i = 0; i < YARROW_KEY_EVENT_BUFFER; i++) if (key == ctx->chars[i]) /* This is a recent character. Ignore it. */ return entropy; /* Count one bit of entropy, unless this was one of the initial 16 * characters. */ if (ctx->chars[ctx->index]) entropy++; /* Remember the character. */ ctx->chars[ctx->index] = key; ctx->index = (ctx->index + 1) % YARROW_KEY_EVENT_BUFFER; return entropy; } nettle-3.10/pss-mgf1.c0000644000175000017500000000356614633602171013572 0ustar nissenisse/* pss-mgf1.c PKCS#1 mask generation function 1, used in RSA-PSS (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pss-mgf1.h" #include #include #include "nettle-internal.h" #include "macros.h" void pss_mgf1(const void *seed, const struct nettle_hash *hash, size_t length, uint8_t *mask) { TMP_DECL(h, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL_ALIGN(state, NETTLE_MAX_HASH_CONTEXT_SIZE); size_t i; uint8_t c[4]; TMP_ALLOC(h, hash->digest_size); TMP_ALLOC_ALIGN(state, hash->context_size); for (i = 0;; i++, mask += hash->digest_size, length -= hash->digest_size) { WRITE_UINT32(c, i); memcpy(state, seed, hash->context_size); hash->update(state, 4, c); if (length <= hash->digest_size) { hash->digest(state, length, mask); return; } hash->digest(state, hash->digest_size, mask); } } nettle-3.10/desinfo.h0000644000175000017500000000666414633602172013574 0ustar nissenisse/* desinfo.h * * Tables describing DES rather than just this implementation. * These are used in desdata but NOT in runtime code. * */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. */ /* the initial permutation, E selection, and final permutation are hardwired */ /* Key Load: how to load the shift register from the user key */ unsigned char KL[] = { 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4, }; /* Key Shift: how many times to shift the key shift register */ unsigned char KS[] = { 1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1, }; /* Key Choose: which key bits from shift reg are used in the key schedule */ unsigned char KC[] = { 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32, }; /* S Boxes */ unsigned char SB[8][64] = { { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13, },{ 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9, },{ 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12, },{ 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14, },{ 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3, },{ 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13, },{ 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12, },{ 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 } }; /* Sbox Permutation */ char SP[] = { 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25, }; nettle-3.10/rotors.h0000644000175000017500000000620214633602172013461 0ustar nissenisse/* automagically made - do not fuss with this */ 34, 13, 5, 46, 47, 18, 32, 41, 11, 53, 33, 20, 14, 36, 30, 24, 49, 2, 15, 37, 42, 50, 0, 21, 38, 48, 6, 26, 39, 4, 52, 25, 12, 27, 31, 40, 1, 17, 28, 29, 23, 51, 35, 7, 3, 22, 9, 43, 41, 20, 12, 53, 54, 25, 39, 48, 18, 31, 40, 27, 21, 43, 37, 0, 1, 9, 22, 44, 49, 2, 7, 28, 45, 55, 13, 33, 46, 11, 6, 32, 19, 34, 38, 47, 8, 24, 35, 36, 30, 3, 42, 14, 10, 29, 16, 50, 55, 34, 26, 38, 11, 39, 53, 5, 32, 45, 54, 41, 35, 2, 51, 14, 15, 23, 36, 3, 8, 16, 21, 42, 6, 12, 27, 47, 31, 25, 20, 46, 33, 48, 52, 4, 22, 7, 49, 50, 44, 17, 1, 28, 24, 43, 30, 9, 12, 48, 40, 52, 25, 53, 38, 19, 46, 6, 11, 55, 49, 16, 10, 28, 29, 37, 50, 17, 22, 30, 35, 1, 20, 26, 41, 4, 45, 39, 34, 31, 47, 5, 13, 18, 36, 21, 8, 9, 3, 0, 15, 42, 7, 2, 44, 23, 26, 5, 54, 13, 39, 38, 52, 33, 31, 20, 25, 12, 8, 30, 24, 42, 43, 51, 9, 0, 36, 44, 49, 15, 34, 40, 55, 18, 6, 53, 48, 45, 4, 19, 27, 32, 50, 35, 22, 23, 17, 14, 29, 1, 21, 16, 3, 37, 40, 19, 11, 27, 53, 52, 13, 47, 45, 34, 39, 26, 22, 44, 7, 1, 2, 10, 23, 14, 50, 3, 8, 29, 48, 54, 12, 32, 20, 38, 5, 6, 18, 33, 41, 46, 9, 49, 36, 37, 0, 28, 43, 15, 35, 30, 17, 51, 54, 33, 25, 41, 38, 13, 27, 4, 6, 48, 53, 40, 36, 3, 21, 15, 16, 24, 37, 28, 9, 17, 22, 43, 5, 11, 26, 46, 34, 52, 19, 20, 32, 47, 55, 31, 23, 8, 50, 51, 14, 42, 2, 29, 49, 44, 0, 10, 11, 47, 39, 55, 52, 27, 41, 18, 20, 5, 38, 54, 50, 17, 35, 29, 30, 7, 51, 42, 23, 0, 36, 2, 19, 25, 40, 31, 48, 13, 33, 34, 46, 4, 12, 45, 37, 22, 9, 10, 28, 1, 16, 43, 8, 3, 14, 24, 18, 54, 46, 5, 6, 34, 48, 25, 27, 12, 45, 4, 2, 24, 42, 36, 37, 14, 3, 49, 30, 7, 43, 9, 26, 32, 47, 38, 55, 20, 40, 41, 53, 11, 19, 52, 44, 29, 16, 17, 35, 8, 23, 50, 15, 10, 21, 0, 32, 11, 31, 19, 20, 48, 5, 39, 41, 26, 6, 18, 16, 7, 1, 50, 51, 28, 17, 8, 44, 21, 2, 23, 40, 46, 4, 52, 12, 34, 54, 55, 38, 25, 33, 13, 3, 43, 30, 0, 49, 22, 37, 9, 29, 24, 35, 14, 46, 25, 45, 33, 34, 5, 19, 53, 55, 40, 20, 32, 30, 21, 15, 9, 10, 42, 0, 22, 3, 35, 16, 37, 54, 31, 18, 13, 26, 48, 11, 12, 52, 39, 47, 27, 17, 2, 44, 14, 8, 36, 51, 23, 43, 7, 49, 28, 31, 39, 6, 47, 48, 19, 33, 38, 12, 54, 34, 46, 44, 35, 29, 23, 24, 1, 14, 36, 17, 49, 30, 51, 11, 45, 32, 27, 40, 5, 25, 26, 13, 53, 4, 41, 0, 16, 3, 28, 22, 50, 10, 37, 2, 21, 8, 42, 45, 53, 20, 4, 5, 33, 47, 52, 26, 11, 48, 31, 3, 49, 43, 37, 7, 15, 28, 50, 0, 8, 44, 10, 25, 6, 46, 41, 54, 19, 39, 40, 27, 38, 18, 55, 14, 30, 17, 42, 36, 9, 24, 51, 16, 35, 22, 1, 6, 38, 34, 18, 19, 47, 4, 13, 40, 25, 5, 45, 17, 8, 2, 51, 21, 29, 42, 9, 14, 22, 3, 24, 39, 20, 31, 55, 11, 33, 53, 54, 41, 52, 32, 12, 28, 44, 0, 1, 50, 23, 7, 10, 30, 49, 36, 15, 20, 52, 48, 32, 33, 4, 18, 27, 54, 39, 19, 6, 0, 22, 16, 10, 35, 43, 1, 23, 28, 36, 17, 7, 53, 34, 45, 12, 25, 47, 38, 11, 55, 13, 46, 26, 42, 3, 14, 15, 9, 37, 21, 24, 44, 8, 50, 29, 27, 6, 55, 39, 40, 11, 25, 34, 4, 46, 26, 13, 7, 29, 23, 17, 42, 50, 8, 30, 35, 43, 24, 14, 31, 41, 52, 19, 32, 54, 45, 18, 5, 20, 53, 33, 49, 10, 21, 22, 16, 44, 28, 0, 51, 15, 2, 36, nettle-3.10/pss-mgf1.h0000644000175000017500000000271114633602172013567 0ustar nissenisse/* pss-mgf1.h PKCS#1 mask generation function 1, used in RSA-PSS (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PSS_MGF1_H_INCLUDED #define NETTLE_PSS_MGF1_H_INCLUDED #include "nettle-meta.h" #include "sha1.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define pss_mgf1 nettle_pss_mgf1 void pss_mgf1(const void *seed, const struct nettle_hash *hash, size_t length, uint8_t *mask); #ifdef __cplusplus } #endif #endif /* NETTLE_PSS_MGF1_H_INCLUDED */ nettle-3.10/sha3-256.c0000644000175000017500000000340214633602171013272 0ustar nissenisse/* sha3-256.c The sha3 hash function, 256 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "sha3-internal.h" #include "nettle-write.h" void sha3_256_init (struct sha3_256_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_256_ctx, block)); } void sha3_256_update (struct sha3_256_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _nettle_sha3_update (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index, length, data); } void sha3_256_digest(struct sha3_256_ctx *ctx, size_t length, uint8_t *digest) { _sha3_pad_hash (&ctx->state, SHA3_256_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_256_init (ctx); } nettle-3.10/ecdsa-verify.c0000644000175000017500000000427114633602172014511 0ustar nissenisse/* ecc-ecdsa-verify.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "gmp-glue.h" int ecdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature) { mp_limb_t size = ecc_size (pub->ecc); mp_size_t itch = 2*size + ecc_ecdsa_verify_itch (pub->ecc); /* For ECC_MUL_A_WBITS == 0, at most 1512 bytes. With ECC_MUL_A_WBITS == 4, currently needs 67 * ecc->size, at most 4824 bytes. Don't use stack allocation for this. */ mp_limb_t *scratch; int res; #define rp scratch #define sp (scratch + size) #define scratch_out (scratch + 2*size) if (mpz_sgn (signature->r) <= 0 || mpz_size (signature->r) > size || mpz_sgn (signature->s) <= 0 || mpz_size (signature->s) > size) return 0; scratch = gmp_alloc_limbs (itch); mpz_limbs_copy (rp, signature->r, size); mpz_limbs_copy (sp, signature->s, size); res = ecc_ecdsa_verify (pub->ecc, pub->p, length, digest, rp, sp, scratch_out); gmp_free_limbs (scratch, itch); return res; #undef rp #undef sp #undef scratch_out } nettle-3.10/salsa20-crypt-internal.c0000644000175000017500000000555414633602171016352 0ustar nissenisse/* salsa20-crypt-internal.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "salsa20.h" #include "salsa20-internal.h" #include "macros.h" #include "memxor.h" #if HAVE_NATIVE_salsa20_2core #define _nettle_salsa20_crypt_2core _nettle_salsa20_crypt #elif !HAVE_NATIVE_fat_salsa20_2core #define _nettle_salsa20_crypt_1core _nettle_salsa20_crypt #endif #if HAVE_NATIVE_salsa20_2core || HAVE_NATIVE_fat_salsa20_2core void _nettle_salsa20_crypt_2core(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src) { uint32_t x[2*_SALSA20_INPUT_LENGTH]; while (length > SALSA20_BLOCK_SIZE) { _nettle_salsa20_2core (x, ctx->input, rounds); ctx->input[8] += 2; ctx->input[9] += (ctx->input[8] < 2); if (length <= 2 * SALSA20_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, 2*SALSA20_BLOCK_SIZE); length -= 2*SALSA20_BLOCK_SIZE; dst += 2*SALSA20_BLOCK_SIZE; src += 2*SALSA20_BLOCK_SIZE; } _nettle_salsa20_core (x, ctx->input, rounds); ctx->input[9] += (++ctx->input[8] == 0); memxor3 (dst, src, x, length); } #endif #if !HAVE_NATIVE_salsa20_2core void _nettle_salsa20_crypt_1core(struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src) { for (;;) { uint32_t x[_SALSA20_INPUT_LENGTH]; _nettle_salsa20_core (x, ctx->input, rounds); ctx->input[9] += (++ctx->input[8] == 0); /* stopping at 2^70 length per nonce is user's responsibility */ if (length <= SALSA20_BLOCK_SIZE) { memxor3 (dst, src, x, length); return; } memxor3 (dst, src, x, SALSA20_BLOCK_SIZE); length -= SALSA20_BLOCK_SIZE; dst += SALSA20_BLOCK_SIZE; src += SALSA20_BLOCK_SIZE; } } #endif nettle-3.10/siv-cmac-aes128.c0000644000175000017500000000424614633602171014634 0ustar nissenisse/* siv-cmac-aes128.c AES-SIV, RFC5297 Copyright (C) 2017 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "aes.h" #include "siv-cmac.h" #include "cmac.h" #include "ctr.h" #include "memxor.h" #include "memops.h" void siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key) { siv_cmac_set_key(&ctx->cmac_key, &ctx->cmac_cipher, &ctx->ctr_cipher, &nettle_aes128, key); } void siv_cmac_aes128_encrypt_message(const struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { siv_cmac_encrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, &nettle_aes128, &ctx->ctr_cipher, nlength, nonce, alength, adata, clength, dst, src); } int siv_cmac_aes128_decrypt_message(const struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { return siv_cmac_decrypt_message(&ctx->cmac_key, &ctx->cmac_cipher, &nettle_aes128, &ctx->ctr_cipher, nlength, nonce, alength, adata, mlength, dst, src); } nettle-3.10/buffer.h0000644000175000017500000000531014633602172013401 0ustar nissenisse/* buffer.h A bare-bones string stream. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BUFFER_H_INCLUDED #define NETTLE_BUFFER_H_INCLUDED #include "realloc.h" #ifdef __cplusplus extern "C" { #endif struct nettle_buffer { uint8_t *contents; /* Allocated size */ size_t alloc; void *realloc_ctx; nettle_realloc_func *realloc; /* Current size */ size_t size; }; /* Initializes a buffer that uses plain realloc */ void nettle_buffer_init(struct nettle_buffer *buffer); void nettle_buffer_init_realloc(struct nettle_buffer *buffer, void *realloc_ctx, nettle_realloc_func *realloc); /* Initializes a buffer of fix size */ void nettle_buffer_init_size(struct nettle_buffer *buffer, size_t length, uint8_t *space); void nettle_buffer_clear(struct nettle_buffer *buffer); /* Resets the buffer, without freeing the buffer space. */ void nettle_buffer_reset(struct nettle_buffer *buffer); int nettle_buffer_grow(struct nettle_buffer *buffer, size_t length); #define NETTLE_BUFFER_PUTC(buffer, c) \ ( (((buffer)->size < (buffer)->alloc) || nettle_buffer_grow((buffer), 1)) \ && ((buffer)->contents[(buffer)->size++] = (c), 1) ) int nettle_buffer_write(struct nettle_buffer *buffer, size_t length, const uint8_t *data); /* Like nettle_buffer_write, but instead of copying data to the * buffer, it returns a pointer to the area where the caller can copy * the data. The pointer is valid only until the next call that can * reallocate the buffer. */ uint8_t * nettle_buffer_space(struct nettle_buffer *buffer, size_t length); /* Copy the contents of SRC to the end of DST. */ int nettle_buffer_copy(struct nettle_buffer *dst, const struct nettle_buffer *src); #ifdef __cplusplus } #endif #endif /* NETTLE_BUFFER_H_INCLUDED */ nettle-3.10/salsa20.h0000644000175000017500000000545714633602172013411 0ustar nissenisse/* salsa20.h The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SALSA20_H_INCLUDED #define NETTLE_SALSA20_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define salsa20_set_key nettle_salsa20_set_key #define salsa20_128_set_key nettle_salsa20_128_set_key #define salsa20_256_set_key nettle_salsa20_256_set_key #define salsa20_set_nonce nettle_salsa20_set_nonce #define salsa20_crypt nettle_salsa20_crypt #define salsa20r12_crypt nettle_salsa20r12_crypt /* Alias for backwards compatibility */ #define salsa20_set_iv nettle_salsa20_set_nonce /* In octets.*/ #define SALSA20_128_KEY_SIZE 16 #define SALSA20_256_KEY_SIZE 32 #define SALSA20_BLOCK_SIZE 64 #define SALSA20_NONCE_SIZE 8 #define SALSA20_IV_SIZE SALSA20_NONCE_SIZE /* Aliases */ #define SALSA20_MIN_KEY_SIZE 16 #define SALSA20_MAX_KEY_SIZE 32 #define SALSA20_KEY_SIZE 32 #define _SALSA20_INPUT_LENGTH 16 struct salsa20_ctx { /* Indices 1-4 and 11-14 holds the key (two identical copies for the shorter key size), indices 0, 5, 10, 15 are constant, indices 6, 7 are the IV, and indices 8, 9 are the block counter: C K K K K C I I B B C K K K K C */ uint32_t input[_SALSA20_INPUT_LENGTH]; }; void salsa20_128_set_key(struct salsa20_ctx *ctx, const uint8_t *key); void salsa20_256_set_key(struct salsa20_ctx *ctx, const uint8_t *key); void salsa20_set_key(struct salsa20_ctx *ctx, size_t length, const uint8_t *key); void salsa20_set_nonce(struct salsa20_ctx *ctx, const uint8_t *nonce); void salsa20_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void salsa20r12_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SALSA20_H_INCLUDED */ nettle-3.10/pgp-encode.c0000644000175000017500000002312614633602171014150 0ustar nissenisse/* pgp-encode.c PGP related functions. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "pgp.h" #include "base64.h" #include "buffer.h" #include "macros.h" #include "rsa.h" int pgp_put_uint32(struct nettle_buffer *buffer, uint32_t i) { uint8_t *p = nettle_buffer_space(buffer, 4); if (!p) return 0; WRITE_UINT32(p, i); return 1; } int pgp_put_uint16(struct nettle_buffer *buffer, unsigned i) { uint8_t *p = nettle_buffer_space(buffer, 2); if (!p) return 0; WRITE_UINT16(p, i); return 1; } int pgp_put_mpi(struct nettle_buffer *buffer, const mpz_t x) { unsigned bits = mpz_sizeinbase(x, 2); unsigned octets = (bits + 7) / 8; uint8_t *p; /* FIXME: What's the correct representation of zero? */ if (!pgp_put_uint16(buffer, bits)) return 0; p = nettle_buffer_space(buffer, octets); if (!p) return 0; nettle_mpz_get_str_256(octets, p, x); return 1; } int pgp_put_string(struct nettle_buffer *buffer, unsigned length, const uint8_t *s) { return nettle_buffer_write(buffer, length, s); } #if 0 static unsigned length_field(unsigned length) { if (length < PGP_LENGTH_TWO_OCTET) return 1; else if (length < PGP_LENGTH_FOUR_OCTETS) return 2; else return 4; } #endif /* bodyLen = ((1st_octet - 192) << 8) + (2nd_octet) + 192 * ==> bodyLen - 192 + 192 << 8 = (1st_octet << 8) + (2nd_octet) */ #define LENGTH_TWO_OFFSET (192 * 255) int pgp_put_length(struct nettle_buffer *buffer, unsigned length) { if (length < PGP_LENGTH_TWO_OCTETS) return NETTLE_BUFFER_PUTC(buffer, length); else if (length < PGP_LENGTH_FOUR_OCTETS) return pgp_put_uint16(buffer, length + LENGTH_TWO_OFFSET); else return NETTLE_BUFFER_PUTC(buffer, 0xff) && pgp_put_uint32(buffer, length); } /* Uses the "new" packet format */ int pgp_put_header(struct nettle_buffer *buffer, unsigned tag, unsigned length) { assert(tag < 0x40); return (NETTLE_BUFFER_PUTC(buffer, 0xC0 | tag) && pgp_put_length(buffer, length)); } /* FIXME: Should we abort or return error if the length and the field * size don't match? */ void pgp_put_header_length(struct nettle_buffer *buffer, /* start of the header */ unsigned start, unsigned field_size) { unsigned length; switch (field_size) { case 1: length = buffer->size - (start + 2); assert(length < PGP_LENGTH_TWO_OCTETS); buffer->contents[start + 1] = length; break; case 2: length = buffer->size - (start + 3); assert(length < PGP_LENGTH_FOUR_OCTETS && length >= PGP_LENGTH_TWO_OCTETS); WRITE_UINT16(buffer->contents + start + 1, length + LENGTH_TWO_OFFSET); break; case 4: length = buffer->size - (start + 5); WRITE_UINT32(buffer->contents + start + 2, length); break; default: abort(); } } int pgp_put_userid(struct nettle_buffer *buffer, unsigned length, const uint8_t *name) { return (pgp_put_header(buffer, PGP_TAG_USERID, length) && pgp_put_string(buffer, length, name)); } unsigned pgp_sub_packet_start(struct nettle_buffer *buffer) { return nettle_buffer_space(buffer, 2) ? buffer->size : 0; } int pgp_put_sub_packet(struct nettle_buffer *buffer, unsigned type, unsigned length, const uint8_t *data) { return (pgp_put_length(buffer, length + 1) && NETTLE_BUFFER_PUTC(buffer, type) && pgp_put_string(buffer, length, data)); } void pgp_sub_packet_end(struct nettle_buffer *buffer, unsigned start) { unsigned length; assert(start >= 2); assert(start <= buffer->size); length = buffer->size - start; WRITE_UINT32(buffer->contents + start - 2, length); } int pgp_put_public_rsa_key(struct nettle_buffer *buffer, const struct rsa_public_key *pub, time_t timestamp) { /* Public key packet, version 4 */ unsigned start; unsigned length; /* Size of packet is 16 + the size of e and n */ length = (4 * 4 + nettle_mpz_sizeinbase_256_u(pub->n) + nettle_mpz_sizeinbase_256_u(pub->e)); if (!pgp_put_header(buffer, PGP_TAG_PUBLIC_KEY, length)) return 0; start = buffer->size; if (! (pgp_put_header(buffer, PGP_TAG_PUBLIC_KEY, /* Assume that we need two octets */ PGP_LENGTH_TWO_OCTETS) && pgp_put_uint32(buffer, 4) /* Version */ && pgp_put_uint32(buffer, timestamp)/* Time stamp */ && pgp_put_uint32(buffer, PGP_RSA) /* Algorithm */ && pgp_put_mpi(buffer, pub->n) && pgp_put_mpi(buffer, pub->e)) ) return 0; assert(buffer->size == start + length); return 1; } int pgp_put_rsa_sha1_signature(struct nettle_buffer *buffer, const struct rsa_private_key *key, const uint8_t *keyid, unsigned type, struct sha1_ctx *hash) { unsigned signature_start = buffer->size; unsigned hash_end; unsigned sub_packet_start; uint8_t trailer[6]; mpz_t s; /* Signature packet. The packet could reasonably be both smaller and * larger than 192, so for simplicity we use the 4 octet header * form. */ if (! (pgp_put_header(buffer, PGP_TAG_SIGNATURE, PGP_LENGTH_FOUR_OCTETS) && NETTLE_BUFFER_PUTC(buffer, 4) /* Version */ && NETTLE_BUFFER_PUTC(buffer, type) /* Could also be PGP_RSA_SIGN */ && NETTLE_BUFFER_PUTC(buffer, PGP_RSA) && NETTLE_BUFFER_PUTC(buffer, PGP_SHA1) && pgp_put_uint16(buffer, 0))) /* Hashed subpacket length */ return 0; hash_end = buffer->size; sha1_update(hash, hash_end - signature_start, buffer->contents + signature_start); trailer[0] = 4; trailer[1] = 0xff; WRITE_UINT32(trailer + 2, buffer->size - signature_start); sha1_update(hash, sizeof(trailer), trailer); { struct sha1_ctx hcopy = *hash; uint8_t *p = nettle_buffer_space(buffer, 2); if (!p) return 0; sha1_digest(&hcopy, 2, p); } /* One "sub-packet" field with the issuer keyid */ sub_packet_start = pgp_sub_packet_start(buffer); if (!sub_packet_start) return 0; if (pgp_put_sub_packet(buffer, PGP_SUBPACKET_ISSUER_KEY_ID, 8, keyid)) { pgp_sub_packet_end(buffer, sub_packet_start); return 0; } mpz_init(s); if (!(rsa_sha1_sign(key, hash, s) && pgp_put_mpi(buffer, s))) { mpz_clear(s); return 0; } mpz_clear(s); pgp_put_header_length(buffer, signature_start, 4); return 1; } #define CRC24_INIT 0x0b704ceL #define CRC24_POLY 0x1864cfbL uint32_t pgp_crc24(unsigned length, const uint8_t *data) { uint32_t crc = CRC24_INIT; unsigned i; for (i = 0; i= BINARY_PER_LINE; length -= BINARY_PER_LINE, data += BINARY_PER_LINE) { unsigned done; char *p = (char *) nettle_buffer_space(buffer, TEXT_PER_LINE); if (!p) return 0; done = base64_encode_update(&ctx, p, BINARY_PER_LINE, data); assert(done <= TEXT_PER_LINE); /* FIXME: Create some official way to do this */ buffer->size -= (TEXT_PER_LINE - done); if (!NETTLE_BUFFER_PUTC(buffer, '\n')) return 0; } if (length) { unsigned text_size = BASE64_ENCODE_LENGTH(length) + BASE64_ENCODE_FINAL_LENGTH; unsigned done; char *p = (char *) nettle_buffer_space(buffer, text_size); if (!p) return 0; done = base64_encode_update(&ctx, p, length, data); done += base64_encode_final(&ctx, p + done); /* FIXME: Create some official way to do this */ buffer->size -= (text_size - done); if (!NETTLE_BUFFER_PUTC(buffer, '\n')) return 0; } /* Checksum */ if (!NETTLE_BUFFER_PUTC(buffer, '=')) return 0; { char *p = (char *) nettle_buffer_space(buffer, 4); if (!p) return 0; base64_encode_group(p, crc); } return (write_string(buffer, "\nBEGIN PGP ") && write_string(buffer, tag) && NETTLE_BUFFER_PUTC(buffer, '\n')); } nettle-3.10/rsa-md5-sign.c0000644000175000017500000000337114633602171014335 0ustar nissenisse/* rsa-md5-sign.c Signatures using RSA and MD5. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_md5_sign(const struct rsa_private_key *key, struct md5_ctx *hash, mpz_t s) { if (pkcs1_rsa_md5_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_md5_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_md5_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.10/ripemd160-meta.c0000644000175000017500000000225714633602171014564 0ustar nissenisse/* ripemd160-meta.c Copyright (C) 2011 Andres Mejia This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "ripemd160.h" const struct nettle_hash nettle_ripemd160 = _NETTLE_HASH(ripemd160, RIPEMD160); nettle-3.10/ecc-point.c0000644000175000017500000000651014633602171014006 0ustar nissenisse/* ecc-point.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc) { p->ecc = ecc; p->p = gmp_alloc_limbs (2*ecc->p.size); } void ecc_point_clear (struct ecc_point *p) { gmp_free_limbs (p->p, 2*p->ecc->p.size); } int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y) { mp_size_t size; mpz_t m, lhs, rhs; mpz_t t; int res; size = p->ecc->p.size; mpz_roinit_n (m, p->ecc->p.m, size); if (mpz_sgn (x) < 0 || mpz_cmp (x, m) >= 0 || mpz_sgn (y) < 0 || mpz_cmp (y, m) >= 0) return 0; mpz_init (lhs); mpz_init (rhs); mpz_mul (lhs, y, y); if (p->ecc->p.bit_size == 255) { /* ed25519 special case. FIXME: Do in some cleaner way? */ mpz_t x2; mpz_init (x2); mpz_mul (x2, x, x); mpz_mul (rhs, x2, lhs); /* Check that -x^2 + y^2 = 1 - (121665/121666) x^2 y^2 or 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */ mpz_sub (lhs, x2, lhs); mpz_add_ui (lhs, lhs, 1); mpz_mul_ui (lhs, lhs, 121666); mpz_mul_ui (rhs, rhs, 121665); mpz_clear (x2); } else if (p->ecc->p.bit_size == 448) { /* curve448 special case. FIXME: Do in some cleaner way? */ mpz_t x2, d; mpz_init (x2); mpz_init_set_ui (d, 39081); mpz_mul (x2, x, x); /* x^2 */ mpz_mul (d, d, x2); /* 39081 x^2 */ mpz_set_ui (rhs, 1); mpz_submul (rhs, d, lhs); /* 1 - 39081 x^2 y^2 */ /* Check that x^2 + y^2 = 1 - 39081 x^2 y^2 */ mpz_add (lhs, x2, lhs); /* x^2 + y^2 */ mpz_clear (d); mpz_clear (x2); } else { /* Check that y^2 = x^3 - 3*x + b (mod p) */ mpz_mul (rhs, x, x); mpz_sub_ui (rhs, rhs, 3); mpz_mul (rhs, rhs, x); mpz_add (rhs, rhs, mpz_roinit_n (t, p->ecc->b, size)); } res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, p->ecc->p.m, size)); mpz_clear (lhs); mpz_clear (rhs); if (!res) return 0; mpz_limbs_copy (p->p, x, size); mpz_limbs_copy (p->p + size, y, size); return 1; } void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y) { mp_size_t size = p->ecc->p.size; if (x) mpz_set_n (x, p->p, size); if (y) mpz_set_n (y, p->p + size, size); } nettle-3.10/siv-cmac.h0000644000175000017500000001040414633602172013632 0ustar nissenisse/* siv-cmac.h AES-SIV, RFC5297 Copyright (C) 2017 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SIV_H_INCLUDED #define NETTLE_SIV_H_INCLUDED #include "nettle-types.h" #include "nettle-meta.h" #include "cmac.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define siv_cmac_set_key nettle_siv_cmac_set_key #define siv_cmac_encrypt_message nettle_siv_cmac_encrypt_message #define siv_cmac_decrypt_message nettle_siv_cmac_decrypt_message #define siv_cmac_aes128_set_key nettle_siv_cmac_aes128_set_key #define siv_cmac_aes128_encrypt_message nettle_siv_cmac_aes128_encrypt_message #define siv_cmac_aes128_decrypt_message nettle_siv_cmac_aes128_decrypt_message #define siv_cmac_aes256_set_key nettle_siv_cmac_aes256_set_key #define siv_cmac_aes256_encrypt_message nettle_siv_cmac_aes256_encrypt_message #define siv_cmac_aes256_decrypt_message nettle_siv_cmac_aes256_decrypt_message /* For SIV, the block size of the underlying cipher shall be 128 bits. */ #define SIV_BLOCK_SIZE 16 #define SIV_DIGEST_SIZE 16 #define SIV_MIN_NONCE_SIZE 1 void siv_cmac_set_key(struct cmac128_key *cmac_key, void *cmac_cipher, void *ctr_cipher, const struct nettle_cipher *nc, const uint8_t *key); void siv_cmac_encrypt_message(const struct cmac128_key *cmac_key, const void *cmac_cipher_ctx, const struct nettle_cipher *nc, const void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_cmac_decrypt_message(const struct cmac128_key *cmac_key, const void *cmac_cipher, const struct nettle_cipher *nc, const void *ctr_cipher, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); /* * SIV mode requires the aad and plaintext when building the IV, which * prevents streaming processing and it incompatible with the AEAD API. */ #define SIV_CMAC_CTX(type) { struct cmac128_key cmac_key; type cmac_cipher; type ctr_cipher; } /* SIV_CMAC_AES128 */ #define SIV_CMAC_AES128_KEY_SIZE 32 struct siv_cmac_aes128_ctx SIV_CMAC_CTX(struct aes128_ctx); void siv_cmac_aes128_set_key(struct siv_cmac_aes128_ctx *ctx, const uint8_t *key); void siv_cmac_aes128_encrypt_message(const struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_cmac_aes128_decrypt_message(const struct siv_cmac_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); /* SIV_CMAC_AES256 */ #define SIV_CMAC_AES256_KEY_SIZE 64 struct siv_cmac_aes256_ctx SIV_CMAC_CTX(struct aes256_ctx); void siv_cmac_aes256_set_key(struct siv_cmac_aes256_ctx *ctx, const uint8_t *key); void siv_cmac_aes256_encrypt_message(const struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_cmac_aes256_decrypt_message(const struct siv_cmac_aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SIV_H_INCLUDED */ nettle-3.10/version.h.in0000644000175000017500000000326314633602172014227 0ustar nissenisse/* version.h Information about library version. Copyright (C) 2015 Red Hat, Inc. Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_VERSION_H_INCLUDED #define NETTLE_VERSION_H_INCLUDED #ifdef __cplusplus extern "C" { #endif /* Individual version numbers in decimal */ #define NETTLE_VERSION_MAJOR @MAJOR_VERSION@ #define NETTLE_VERSION_MINOR @MINOR_VERSION@ #define NETTLE_USE_MINI_GMP @NETTLE_USE_MINI_GMP@ /* We need a preprocessor constant for GMP_NUMB_BITS, simply using sizeof(mp_limb_t) * CHAR_BIT is not good enough. */ #if NETTLE_USE_MINI_GMP # define GMP_NUMB_BITS @GMP_NUMB_BITS@ #endif int nettle_version_major (void); int nettle_version_minor (void); #ifdef __cplusplus } #endif #endif /* NETTLE_VERSION_H_INCLUDED */ nettle-3.10/ccm-aes128.c0000644000175000017500000000624214633602171013672 0ustar nissenisse/* ccm-aes128.c Counter with CBC-MAC mode using AES128 as the underlying cipher. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "ccm.h" void ccm_aes128_set_key(struct ccm_aes128_ctx *ctx, const uint8_t *key) { aes128_set_encrypt_key(&ctx->cipher, key); } void ccm_aes128_set_nonce(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, nonce, authlen, msglen, taglen); } void ccm_aes128_update(struct ccm_aes128_ctx *ctx, size_t length, const uint8_t *data) { ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, data); } void ccm_aes128_encrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, dst, src); } void ccm_aes128_decrypt(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, dst, src); } void ccm_aes128_digest(struct ccm_aes128_ctx *ctx, size_t length, uint8_t *digest) { ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes128_encrypt, length, digest); } void ccm_aes128_encrypt_message(struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ccm_encrypt_message(&ctx->cipher, (nettle_cipher_func *) aes128_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ccm_aes128_decrypt_message(struct ccm_aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ccm_decrypt_message(&ctx->cipher, (nettle_cipher_func *) aes128_encrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-3.10/cmac.h0000644000175000017500000001511214633602172013034 0ustar nissenisse/* cmac.h CMAC mode, as specified in RFC4493 Copyright (C) 2017 Red Hat, Inc. Contributed by Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CMAC_H_INCLUDED #define NETTLE_CMAC_H_INCLUDED #include "aes.h" #include "des.h" #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif #define CMAC128_DIGEST_SIZE 16 #define CMAC64_DIGEST_SIZE 8 #define cmac128_set_key nettle_cmac128_set_key #define cmac128_init nettle_cmac128_init #define cmac128_update nettle_cmac128_update #define cmac128_digest nettle_cmac128_digest #define cmac_aes128_set_key nettle_cmac_aes128_set_key #define cmac_aes128_update nettle_cmac_aes128_update #define cmac_aes128_digest nettle_cmac_aes128_digest #define cmac_aes256_set_key nettle_cmac_aes256_set_key #define cmac_aes256_update nettle_cmac_aes256_update #define cmac_aes256_digest nettle_cmac_aes256_digest #define cmac64_set_key nettle_cmac64_set_key #define cmac64_init nettle_cmac64_init #define cmac64_update nettle_cmac64_update #define cmac64_digest nettle_cmac64_digest #define cmac_des3_set_key nettle_cmac_des3_set_key #define cmac_des3_update nettle_cmac_des3_update #define cmac_des3_digest nettle_cmac_des3_digest struct cmac128_key { union nettle_block16 K1; union nettle_block16 K2; }; struct cmac128_ctx { /* MAC state */ union nettle_block16 X; /* Block buffer */ union nettle_block16 block; size_t index; }; struct cmac64_key { union nettle_block8 K1; union nettle_block8 K2; }; struct cmac64_ctx { /* MAC state */ union nettle_block8 X; /* Block buffer */ union nettle_block8 block; size_t index; }; void cmac128_set_key(struct cmac128_key *key, const void *cipher, nettle_cipher_func *encrypt); void cmac128_init(struct cmac128_ctx *ctx); void cmac128_update(struct cmac128_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg); void cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key, const void *cipher, nettle_cipher_func *encrypt, unsigned length, uint8_t *digest); #define CMAC128_CTX(type) \ { struct cmac128_key key; struct cmac128_ctx ctx; type cipher; } /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CMAC128_SET_KEY(self, set_key, encrypt, cmac_key) \ do { \ (set_key)(&(self)->cipher, (cmac_key)); \ if (0) (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ cmac128_set_key(&(self)->key, &(self)->cipher, \ (nettle_cipher_func *) (encrypt)); \ cmac128_init(&(self)->ctx); \ } while (0) #define CMAC128_UPDATE(self, encrypt, length, src) \ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : cmac128_update(&(self)->ctx, &(self)->cipher, \ (nettle_cipher_func *)encrypt, \ (length), (src))) #define CMAC128_DIGEST(self, encrypt, length, digest) \ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : cmac128_digest(&(self)->ctx, &(self)->key, \ &(self)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (digest))) void cmac64_set_key(struct cmac64_key *key, const void *cipher, nettle_cipher_func *encrypt); void cmac64_init(struct cmac64_ctx *ctx); void cmac64_update(struct cmac64_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg); void cmac64_digest(struct cmac64_ctx *ctx, const struct cmac64_key *key, const void *cipher, nettle_cipher_func *encrypt, unsigned length, uint8_t *digest); #define CMAC64_CTX(type) \ { struct cmac64_key key; struct cmac64_ctx ctx; type cipher; } /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CMAC64_SET_KEY(self, set_key, encrypt, cmac_key) \ do { \ (set_key)(&(self)->cipher, (cmac_key)); \ if (0) (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ cmac64_set_key(&(self)->key, &(self)->cipher, \ (nettle_cipher_func *) (encrypt)); \ cmac64_init(&(self)->ctx); \ } while (0) #define CMAC64_UPDATE(self, encrypt, length, src) \ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : cmac64_update(&(self)->ctx, &(self)->cipher, \ (nettle_cipher_func *)encrypt, \ (length), (src))) #define CMAC64_DIGEST(self, encrypt, length, digest) \ (0 ? (encrypt)(&(self)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : cmac64_digest(&(self)->ctx, &(self)->key, \ &(self)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (digest))) struct cmac_aes128_ctx CMAC128_CTX(struct aes128_ctx); void cmac_aes128_set_key(struct cmac_aes128_ctx *ctx, const uint8_t *key); void cmac_aes128_update(struct cmac_aes128_ctx *ctx, size_t length, const uint8_t *data); void cmac_aes128_digest(struct cmac_aes128_ctx *ctx, size_t length, uint8_t *digest); struct cmac_aes256_ctx CMAC128_CTX(struct aes256_ctx); void cmac_aes256_set_key(struct cmac_aes256_ctx *ctx, const uint8_t *key); void cmac_aes256_update(struct cmac_aes256_ctx *ctx, size_t length, const uint8_t *data); void cmac_aes256_digest(struct cmac_aes256_ctx *ctx, size_t length, uint8_t *digest); struct cmac_des3_ctx CMAC64_CTX(struct des3_ctx); void cmac_des3_set_key(struct cmac_des3_ctx *ctx, const uint8_t *key); void cmac_des3_update(struct cmac_des3_ctx *ctx, size_t length, const uint8_t *data); void cmac_des3_digest(struct cmac_des3_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* CMAC_H_INCLUDED */ nettle-3.10/hmac-streebog.c0000644000175000017500000000365214633602171014651 0ustar nissenisse/* hmac-streebog.c HMAC-Streebog message authentication code. Copyright (C) 2016 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_streebog512_set_key(struct hmac_streebog512_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_streebog512, key_length, key); } void hmac_streebog512_update(struct hmac_streebog512_ctx *ctx, size_t length, const uint8_t *data) { streebog512_update(&ctx->state, length, data); } void hmac_streebog512_digest(struct hmac_streebog512_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_streebog512, length, digest); } void hmac_streebog256_set_key(struct hmac_streebog256_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_streebog256, key_length, key); } void hmac_streebog256_digest(struct hmac_streebog256_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_streebog256, length, digest); } nettle-3.10/camellia-invert-key.c0000644000175000017500000000276414633602171015776 0ustar nissenisse/* camellia-invert-key.c Inverting a key means reversing order of subkeys. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" #define SWAP(a, b) \ do { uint64_t t_swap = (a); (a) = (b); (b) = t_swap; } while(0) void _nettle_camellia_invert_key(unsigned nkeys, uint64_t *dst, const uint64_t *src) { unsigned i; if (dst == src) for (i = 0; i < nkeys - 1 - i; i++) SWAP (dst[i], dst[nkeys - 1- i]); else for (i = 0; i < nkeys; i++) dst[i] = src[nkeys - 1 - i]; } nettle-3.10/pbkdf2-hmac-sha384.c0000644000175000017500000000301414633602171015207 0ustar nissenisse/* pbkdf2-hmac-sha384.c Copyright (C) 2012 Simon Josefsson Copyright (C) 2021 Nicolas Mora This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha384_ctx sha384ctx; hmac_sha384_set_key (&sha384ctx, key_length, key); PBKDF2 (&sha384ctx, hmac_sha384_update, hmac_sha384_digest, SHA384_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-3.10/gmp-glue.h0000644000175000017500000000745614633602172013662 0ustar nissenisse/* gmp-glue.h Copyright (C) 2013 Niels Möller Copyright (C) 2013 Red Hat This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GMP_GLUE_H_INCLUDED #define NETTLE_GMP_GLUE_H_INCLUDED #include "bignum.h" #define mpz_limbs_copy _nettle_mpz_limbs_copy #define mpz_set_n _nettle_mpz_set_n #define sec_zero_p _nettle_sec_zero_p #define mpn_set_base256 _nettle_mpn_set_base256 #define mpn_set_base256_le _nettle_mpn_set_base256_le #define mpn_get_base256 _nettle_mpn_get_base256 #define mpn_get_base256_le _nettle_mpn_get_base256_le #define gmp_alloc_limbs _nettle_gmp_alloc_limbs #define gmp_free_limbs _nettle_gmp_free_limbs #define gmp_free _nettle_gmp_free #define gmp_alloc _nettle_gmp_alloc #define TMP_GMP_DECL(name, type) type *name; \ size_t tmp_##name##_size #define TMP_GMP_ALLOC(name, size) do { \ tmp_##name##_size = (size); \ (name) = gmp_alloc(sizeof (*name) * (size)); \ } while (0) #define TMP_GMP_FREE(name) (gmp_free(name, tmp_##name##_size)) #if NETTLE_USE_MINI_GMP #define GMP_LIMB_BITS GMP_NUMB_BITS mp_limb_t mpn_cnd_add_n (mp_limb_t cnd, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n); mp_limb_t mpn_cnd_sub_n (mp_limb_t cnd, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_size_t n); void mpn_cnd_swap (mp_limb_t cnd, volatile mp_limb_t *ap, volatile mp_limb_t *bp, mp_size_t n); void mpn_sec_tabselect (volatile mp_limb_t *rp, volatile const mp_limb_t *table, mp_size_t rn, unsigned tn, unsigned k); #endif static inline int is_zero_limb (mp_limb_t x) { x |= (x << 1); return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1); } /* Side-channel silent variant of mpn_zero_p. */ int sec_zero_p (const mp_limb_t *ap, mp_size_t n); #define NETTLE_BIT_SIZE_TO_LIMB_SIZE(n) \ (((n) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) #define NETTLE_OCTET_SIZE_TO_LIMB_SIZE(n) \ (NETTLE_BIT_SIZE_TO_LIMB_SIZE((n) * 8)) /* Convenience functions */ /* Copy limbs, with zero-padding. */ /* FIXME: Reorder arguments, on the theory that the first argument of an _mpz_* function should be an mpz_t? Or rename to _mpz_get_limbs, with argument order consistent with mpz_get_*. */ void mpz_limbs_copy (mp_limb_t *xp, mpz_srcptr x, mp_size_t n); void mpz_set_n (mpz_t r, const mp_limb_t *xp, mp_size_t xn); /* Like mpn_set_str, but always writes rn limbs. If input is larger, higher bits are ignored. */ void mpn_set_base256 (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn); void mpn_set_base256_le (mp_limb_t *rp, mp_size_t rn, const uint8_t *xp, size_t xn); void mpn_get_base256 (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn); void mpn_get_base256_le (uint8_t *rp, size_t rn, const mp_limb_t *xp, mp_size_t xn); mp_limb_t * gmp_alloc_limbs (mp_size_t n); void gmp_free_limbs (mp_limb_t *p, mp_size_t n); void *gmp_alloc(size_t n); void gmp_free(void *p, size_t n); #endif /* NETTLE_GMP_GLUE_H_INCLUDED */ nettle-3.10/sha256-compress-n.c0000644000175000017500000001477114633602171015231 0ustar nissenisse/* sha256-compress-n.c The compression function of the sha256 hash function. Copyright (C) 2001, 2010, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef SHA256_DEBUG # define SHA256_DEBUG 0 #endif #if SHA256_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8x %8x %8x %8x %8x %8x %8x %8x\n", \ i, A, B, C, D ,E, F, G, H) #else # define DEBUG(i) #endif #include #include #include #include "sha2.h" #include "sha2-internal.h" #include "macros.h" /* A block, treated as a sequence of 32-bit words. */ #define SHA256_DATA_LENGTH 16 /* The SHA256 functions. The Choice function is the same as the SHA1 function f1, and the majority function is the same as the SHA1 f3 function. They can be optimized to save one boolean operation each - thanks to Rich Schroeppel, rcs@cs.arizona.edu for discovering this */ /* #define Choice(x,y,z) ( ( (x) & (y) ) | ( ~(x) & (z) ) ) */ #define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) ) /* #define Majority(x,y,z) ( ((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)) ) */ #define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) #define S0(x) (ROTL32(30,(x)) ^ ROTL32(19,(x)) ^ ROTL32(10,(x))) #define S1(x) (ROTL32(26,(x)) ^ ROTL32(21,(x)) ^ ROTL32(7,(x))) #define s0(x) (ROTL32(25,(x)) ^ ROTL32(14,(x)) ^ ((x) >> 3)) #define s1(x) (ROTL32(15,(x)) ^ ROTL32(13,(x)) ^ ((x) >> 10)) /* The initial expanding function. The hash function is defined over an 64-word expanded input array W, where the first 16 are copies of the input data, and the remaining 64 are defined by W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16] This implementation generates these values on the fly in a circular buffer - thanks to Colin Plumb, colin@nyx10.cs.du.edu for this optimization. */ #define EXPAND(W,i) \ ( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) ) /* The prototype SHA sub-round. The fundamental sub-round is: T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t] T2 = S0(a) + Majority(a,b,c) a' = T1+T2 b' = a c' = b d' = c e' = d + T1 f' = e g' = f h' = g but this is implemented by unrolling the loop 8 times and renaming the variables ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each iteration. */ /* It's crucial that DATA is only used once, as that argument will * have side effects. */ #define ROUND(a,b,c,d,e,f,g,h,k,data) do { \ h += S1(e) + Choice(e,f,g) + k + data; \ d += h; \ h += S0(a) + Majority(a,b,c); \ } while (0) /* For fat builds */ #if HAVE_NATIVE_sha256_compress_n const uint8_t * _nettle_sha256_compress_n_c(uint32_t *state, const uint32_t *table, size_t blocks, const uint8_t *input); #define _nettle_sha256_compress_n _nettle_sha256_compress_n_c #endif const uint8_t * _nettle_sha256_compress_n(uint32_t *state, const uint32_t *table, size_t blocks, const uint8_t *input) { uint32_t A, B, C, D, E, F, G, H; /* Local vars */ A = state[0]; B = state[1]; C = state[2]; D = state[3]; E = state[4]; F = state[5]; G = state[6]; H = state[7]; for (; blocks > 0; blocks--) { uint32_t data[SHA256_DATA_LENGTH]; unsigned i; const uint32_t *k; uint32_t *d; for (i = 0; i < SHA256_DATA_LENGTH; i++, input+= 4) { data[i] = READ_UINT32(input); } /* Heavy mangling */ /* First 16 subrounds that act on the original data */ DEBUG(-1); for (i = 0, d = data, k = table; i<16; i+=8, k += 8, d+= 8) { ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[2], d[2]); ROUND(F, G, H, A, B, C, D, E, k[3], d[3]); ROUND(E, F, G, H, A, B, C, D, k[4], d[4]); ROUND(D, E, F, G, H, A, B, C, k[5], d[5]); ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); DEBUG(i+6); ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); DEBUG(i+7); } for (; i<64; i += 16, k+= 16) { ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); DEBUG(i+2); ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); DEBUG(i+3); ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); DEBUG(i+4); ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); DEBUG(i+5); ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); DEBUG(i+6); ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); DEBUG(i+7); ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); DEBUG(i+8); ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); DEBUG(i+9); ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); DEBUG(i+10); ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); DEBUG(i+11); ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); DEBUG(i+12); ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); DEBUG(i+13); ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); DEBUG(i+14); ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); DEBUG(i+15); } /* Update state */ state[0] = A = state[0] + A; state[1] = B = state[1] + B; state[2] = C = state[2] + C; state[3] = D = state[3] + D; state[4] = E = state[4] + E; state[5] = F = state[5] + F; state[6] = G = state[6] + G; state[7] = H = state[7] + H; #if SHA256_DEBUG fprintf(stderr, "99: %8x %8x %8x %8x %8x %8x %8x %8x\n", state[0], state[1], state[2], state[3], state[4], state[5], state[6], state[7]); #endif } return input; } nettle-3.10/sha3-512-meta.c0000644000175000017500000000230214633602171014207 0ustar nissenisse/* sha3-512-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" #include "sha3-internal.h" const struct nettle_hash nettle_sha3_512 = _NETTLE_HASH(sha3_512, SHA3_512); nettle-3.10/base64url-meta.c0000644000175000017500000000347314633602171014665 0ustar nissenisse/* base64url-meta.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "base64.h" /* Same as the macros with the same name */ static nettle_armor_length_func base64url_encode_length; static size_t base64url_encode_length(size_t length) { return BASE64_ENCODE_LENGTH(length); } static nettle_armor_length_func base64url_decode_length; static size_t base64url_decode_length(size_t length) { return BASE64_DECODE_LENGTH(length); } #define base64url_encode_ctx base64_encode_ctx #define base64url_encode_update base64_encode_update #define base64url_encode_final base64_encode_final #define base64url_decode_ctx base64_decode_ctx #define base64url_decode_update base64_decode_update #define base64url_decode_final base64_decode_final const struct nettle_armor nettle_base64url = _NETTLE_ARMOR(base64url, BASE64); nettle-3.10/sexp-transport.c0000644000175000017500000000604114633602171015135 0ustar nissenisse/* sexp-transport.c Parsing s-expressions in transport format. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sexp.h" #include "base64.h" /* NOTE: Decodes the input string in place */ int sexp_transport_iterator_first(struct sexp_iterator *iterator, size_t length, uint8_t *input) { /* We first base64 decode any transport encoded sexp at the start of * the input. */ size_t in = 0; size_t out = 0; while (in < length) switch(input[in]) { case ' ': /* SPC, TAB, LF, CR */ case '\t': case '\n': case '\r': in++; break; case ';': /* Comments */ while (++in < length && input[in] != '\n') ; break; case '{': { /* Found transport encoding */ struct base64_decode_ctx ctx; size_t coded_length; size_t end; for (end = ++in; end < length && input[end] != '}'; end++) ; if (end == length) return 0; base64_decode_init(&ctx); if (base64_decode_update(&ctx, &coded_length, input + out, end - in, (const char*) (input + in)) && base64_decode_final(&ctx)) { out += coded_length; in = end + 1; } else return 0; break; } default: /* Expression isn't in transport encoding. Rest of the input * should be in canonical encoding. */ goto transport_done; } transport_done: /* Here, we have two, possibly empty, input parts in canonical * encoding: * * 0...out-1, in...length -1 * * If the input was already in canonical encoding, out = 0 and in = * amount of leading space. * * If all input was in transport encoding, in == length. */ if (!out) { input += in; length -= in; } else if (in == length) length = out; else if (out == in) /* Unusual case, nothing happens */ ; else { /* Both parts non-empty */ assert(out < in); memmove(input + out, input + in, length - in); length -= (in - out); } return sexp_iterator_first(iterator, length, input); } nettle-3.10/des.c0000644000175000017500000001653514633602171012710 0ustar nissenisse/* des.c The des block cipher. Copyright (C) 2001, 2010 Niels Möller Copyright (C) 1992 Dana L. How This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `descore.README' for the complete copyright notice. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "des.h" #include "desCode.h" /* various tables */ static const uint32_t des_keymap[] = { #include "keymap.h" }; static const uint8_t rotors[] = { #include "rotors.h" }; static ENCRYPT(DesSmallFipsEncrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS) static DECRYPT(DesSmallFipsDecrypt,TEMPSMALL, LOADFIPS,KEYMAPSMALL,SAVEFIPS) /* If parity bits are used, keys should have odd parity. We use a small table, to not waste any memory on this fairly obscure DES feature. */ static const unsigned parity_16[16] = { 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0 }; #define PARITY(x) (parity_16[(x)&0xf] ^ parity_16[((x)>>4) & 0xf]) int des_check_parity(size_t length, const uint8_t *key) { size_t i; for (i = 0; i> 1; int8_t k1 = key[1] >> 1; unsigned hash = asso_values[k1 + 1] + asso_values[k0]; const int8_t *candidate; if (hash > 25) return 0; candidate = weak_key_hash[hash]; if (k0 != candidate[0] || k1 != candidate[1]) return 0; if ( (key[2] >> 1) != k0 || (key[3] >> 1) != k1) return 0; k0 = key[4] >> 1; k1 = key[5] >> 1; if (k0 != candidate[2] || k1 != candidate[3]) return 0; if ( (key[6] >> 1) != k0 || (key[7] >> 1) != k1) return 0; return 1; } int des_set_key(struct des_ctx *ctx, const uint8_t *key) { register uint32_t n, w; register char * b0, * b1; char bits0[56], bits1[56]; uint32_t *method; const uint8_t *k; /* explode the bits */ n = 56; b0 = bits0; b1 = bits1; k = key; do { w = (256 | *k++) << 2; do { --n; b1[n] = 8 & w; w >>= 1; b0[n] = 4 & w; } while ( w >= 16 ); } while ( n ); /* put the bits in the correct places */ n = 16; k = rotors; method = ctx->key; do { w = (b1[k[ 0 ]] | b0[k[ 1 ]]) << 4; w |= (b1[k[ 2 ]] | b0[k[ 3 ]]) << 2; w |= b1[k[ 4 ]] | b0[k[ 5 ]]; w <<= 8; w |= (b1[k[ 6 ]] | b0[k[ 7 ]]) << 4; w |= (b1[k[ 8 ]] | b0[k[ 9 ]]) << 2; w |= b1[k[10 ]] | b0[k[11 ]]; w <<= 8; w |= (b1[k[12 ]] | b0[k[13 ]]) << 4; w |= (b1[k[14 ]] | b0[k[15 ]]) << 2; w |= b1[k[16 ]] | b0[k[17 ]]; w <<= 8; w |= (b1[k[18 ]] | b0[k[19 ]]) << 4; w |= (b1[k[20 ]] | b0[k[21 ]]) << 2; w |= b1[k[22 ]] | b0[k[23 ]]; method[0] = w; w = (b1[k[ 0+24]] | b0[k[ 1+24]]) << 4; w |= (b1[k[ 2+24]] | b0[k[ 3+24]]) << 2; w |= b1[k[ 4+24]] | b0[k[ 5+24]]; w <<= 8; w |= (b1[k[ 6+24]] | b0[k[ 7+24]]) << 4; w |= (b1[k[ 8+24]] | b0[k[ 9+24]]) << 2; w |= b1[k[10+24]] | b0[k[11+24]]; w <<= 8; w |= (b1[k[12+24]] | b0[k[13+24]]) << 4; w |= (b1[k[14+24]] | b0[k[15+24]]) << 2; w |= b1[k[16+24]] | b0[k[17+24]]; w <<= 8; w |= (b1[k[18+24]] | b0[k[19+24]]) << 4; w |= (b1[k[20+24]] | b0[k[21+24]]) << 2; w |= b1[k[22+24]] | b0[k[23+24]]; ROR(w, 4, 28); /* could be eliminated */ method[1] = w; k += 48; method += 2; } while ( --n ); return !des_weak_p (key); } void des_encrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % DES_BLOCK_SIZE)); while (length) { DesSmallFipsEncrypt(dst, ctx->key, src); length -= DES_BLOCK_SIZE; src += DES_BLOCK_SIZE; dst += DES_BLOCK_SIZE; } } void des_decrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % DES_BLOCK_SIZE)); while (length) { DesSmallFipsDecrypt(dst, ctx->key, src); length -= DES_BLOCK_SIZE; src += DES_BLOCK_SIZE; dst += DES_BLOCK_SIZE; } } nettle-3.10/descore.README0000644000175000017500000003516614633602172014276 0ustar nissenissedes - fast & portable DES encryption & decryption. Copyright (C) 1992 Dana L. How This program is free software; you can redistribute it and/or modify it under the terms of the GNU Library General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public License for more details. You should have received a copy of the GNU Library General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA Author's address: how@isl.stanford.edu ==>> To compile after untarring/unsharring, just `make' <<== This package was designed with the following goals: 1. Highest possible encryption/decryption PERFORMANCE. 2. PORTABILITY to any byte-addressable machine with a 32bit unsigned C type 3. Plug-compatible replacement for KERBEROS's low-level routines. performance comparison to other available des code which i could compile on a SPARCStation 1 (cc -O4): this code (byte-order independent): 30us per encryption (options: 64k tables, no IP/FP) 33us per encryption (options: 64k tables, FIPS standard bit ordering) 45us per encryption (options: 2k tables, no IP/FP) 49us per encryption (options: 2k tables, FIPS standard bit ordering) 275us to set a new key (uses 1k of key tables) this has the quickest encryption/decryption routines i've seen. since i was interested in fast des filters rather than crypt(3) and password cracking, i haven't really bothered yet to speed up the key setting routine. also, i have no interest in re-implementing all the other junk in the mit kerberos des library, so i've just provided my routines with little stub interfaces so they can be used as drop-in replacements with mit's code or any of the mit- compatible packages below. (note that the first two timings above are highly variable because of cache effects). kerberos des replacement from australia: 68us per encryption (uses 2k of tables) 96us to set a new key (uses 2.25k of key tables) this is a very nice package which implements the most important of the optimizations which i did in my encryption routines. it's a bit weak on common low-level optimizations which is why it's 39%-106% slower. because he was interested in fast crypt(3) and password-cracking applications, he also used the same ideas to speed up the key-setting routines with impressive results. (at some point i may do the same in my package). he also implements the rest of the mit des library. (code from eay@psych.psy.uq.oz.au via comp.sources.misc) fast crypt(3) package from denmark: the des routine here is buried inside a loop to do the crypt function and i didn't feel like ripping it out and measuring performance. his code takes 26 sparc instructions to compute one des iteration; above, Quick (64k) takes 21 and Small (2k) takes 37. he claims to use 280k of tables but the iteration calculation seems to use only 128k. his tables and code are machine independent. (code from glad@daimi.aau.dk via alt.sources or comp.sources.misc) swedish reimplementation of Kerberos des library 108us per encryption (uses 34k worth of tables) 134us to set a new key (uses 32k of key tables to get this speed!) the tables used seem to be machine-independent; he seems to have included a lot of special case code so that, e.g., `long' loads can be used instead of 4 `char' loads when the machine's architecture allows it. (code obtained from chalmers.se:pub/des) crack 3.3c package from england: as in crypt above, the des routine is buried in a loop. it's also very modified for crypt. his iteration code uses 16k of tables and appears to be slow. (code obtained from aem@aber.ac.uk via alt.sources or comp.sources.misc) ``highly optimized'' and tweaked Kerberos/Athena code (byte-order dependent): 165us per encryption (uses 6k worth of tables) 478us to set a new key (uses <1k of key tables) so despite the comments in this code, it was possible to get faster code AND smaller tables, as well as making the tables machine-independent. (code obtained from prep.ai.mit.edu) UC Berkeley code (depends on machine-endedness): 226us per encryption 10848us to set a new key table sizes are unclear, but they don't look very small (code obtained from wuarchive.wustl.edu) motivation and history a while ago i wanted some des routines and the routines documented on sun's man pages either didn't exist or dumped core. i had heard of kerberos, and knew that it used des, so i figured i'd use its routines. but once i got it and looked at the code, it really set off a lot of pet peeves - it was too convoluted, the code had been written without taking advantage of the regular structure of operations such as IP, E, and FP (i.e. the author didn't sit down and think before coding), it was excessively slow, the author had attempted to clarify the code by adding MORE statements to make the data movement more `consistent' instead of simplifying his implementation and cutting down on all data movement (in particular, his use of L1, R1, L2, R2), and it was full of idiotic `tweaks' for particular machines which failed to deliver significant speedups but which did obfuscate everything. so i took the test data from his verification program and rewrote everything else. a while later i ran across the great crypt(3) package mentioned above. the fact that this guy was computing 2 sboxes per table lookup rather than one (and using a MUCH larger table in the process) emboldened me to do the same - it was a trivial change from which i had been scared away by the larger table size. in his case he didn't realize you don't need to keep the working data in TWO forms, one for easy use of half the sboxes in indexing, the other for easy use of the other half; instead you can keep it in the form for the first half and use a simple rotate to get the other half. this means i have (almost) half the data manipulation and half the table size. in fairness though he might be encoding something particular to crypt(3) in his tables - i didn't check. i'm glad that i implemented it the way i did, because this C version is portable (the ifdef's are performance enhancements) and it is faster than versions hand-written in assembly for the sparc! porting notes one thing i did not want to do was write an enormous mess which depended on endedness and other machine quirks, and which necessarily produced different code and different lookup tables for different machines. see the kerberos code for an example of what i didn't want to do; all their endedness-specific `optimizations' obfuscate the code and in the end were slower than a simpler machine independent approach. however, there are always some portability considerations of some kind, and i have included some options for varying numbers of register variables. perhaps some will still regard the result as a mess! 1) i assume everything is byte addressable, although i don't actually depend on the byte order, and that bytes are 8 bits. i assume word pointers can be freely cast to and from char pointers. note that 99% of C programs make these assumptions. i always use unsigned char's if the high bit could be set. 2) the typedef `word' means a 32 bit unsigned integral type. if `unsigned long' is not 32 bits, change the typedef in desCore.h. i assume sizeof(word) == 4 EVERYWHERE. the (worst-case) cost of my NOT doing endedness-specific optimizations in the data loading and storing code surrounding the key iterations is less than 12%. also, there is the added benefit that the input and output work areas do not need to be word-aligned. OPTIONAL performance optimizations 1) you should define one of `i386,' `vax,' `mc68000,' or `sparc,' whichever one is closest to the capabilities of your machine. see the start of desCode.h to see exactly what this selection implies. note that if you select the wrong one, the des code will still work; these are just performance tweaks. 2) for those with functional `asm' keywords: you should change the ROR and ROL macros to use machine rotate instructions if you have them. this will save 2 instructions and a temporary per use, or about 32 to 40 instructions per en/decryption. these optimizations are all rather persnickety, yet with them you should be able to get performance equal to assembly-coding, except that: 1) with the lack of a bit rotate operator in C, rotates have to be synthesized from shifts. so access to `asm' will speed things up if your machine has rotates, as explained above in (3). 2) if your machine has less than 12 32-bit registers i doubt your compiler will generate good code. `i386' tries to configure the code for a 386 by only declaring 3 registers (it appears that gcc can use ebx, esi and edi to hold register variables). however, if you like assembly coding, the 386 does have 7 32-bit registers, and if you use ALL of them, use `scaled by 8' address modes with displacement and other tricks, you can get reasonable routines for DesQuickCore... with about 250 instructions apiece. For DesSmall... it will help to rearrange des_keymap, i.e., now the sbox # is the high part of the index and the 6 bits of data is the low part; it helps to exchange these. since i have no way to conveniently test it i have not provided my shoehorned 386 version. coding notes the en/decryption routines each use 6 necessary register variables, with 4 being actively used at once during the inner iterations. if you don't have 4 register variables get a new machine. up to 8 more registers are used to hold constants in some configurations. i assume that the use of a constant is more expensive than using a register: a) additionally, i have tried to put the larger constants in registers. registering priority was by the following: anything more than 12 bits (bad for RISC and CISC) greater than 127 in value (can't use movq or byte immediate on CISC) 9-127 (may not be able to use CISC shift immediate or add/sub quick), 1-8 were never registered, being the cheapest constants. b) the compiler may be too stupid to realize table and table+256 should be assigned to different constant registers and instead repetitively do the arithmetic, so i assign these to explicit `m' register variables when possible and helpful. i assume that indexing is cheaper or equivalent to auto increment/decrement, where the index is 7 bits unsigned or smaller. this assumption is reversed for 68k and vax. i assume that addresses can be cheaply formed from two registers, or from a register and a small constant. i never use the `two registers and offset' form you see in some CISC machines. all index scaling is done explicitly - no hidden shifts by log2(sizeof). the code is written so that even a dumb compiler should never need more than one hidden temporary, increasing the chance that everything will fit in the registers. KEEP THIS MORE SUBTLE POINT IN MIND IF YOU REWRITE ANYTHING. special efficient data format bits are manipulated in this arrangement most of the time (S7 S5 S3 S1): 003130292827xxxx242322212019xxxx161514131211xxxx080706050403xxxx (the x bits are still there, i'm just emphasizing where the S boxes are). bits are rotated left 4 when computing S6 S4 S2 S0: 282726252423xxxx201918171615xxxx121110090807xxxx040302010031xxxx the rightmost two bits are usually cleared so the lower byte can be used as an index into an sbox mapping table. the next two x'd bits are set to various values to access different parts of the tables. how to use the routines datatypes: pointer to 8 byte area of type DesData used to hold keys and input/output blocks to des. pointer to 128 byte area of type DesKeys used to hold full 768-bit key. must be long-aligned. DesQuickInit() call this before using any other routine with `Quick' in its name. it generates the special 64k table these routines need. DesQuickDone() frees this table DesMethod(m, k) m points to a 128byte block, k points to an 8 byte des key which must have odd parity (or -1 is returned) and which must not be a (semi-)weak key (or -2 is returned). normally DesMethod() returns 0. m is filled in from k so that when one of the routines below is called with m, the routine will act like standard des en/decryption with the key k. if you use DesMethod, you supply a standard 56bit key; however, if you fill in m yourself, you will get a 768bit key - but then it won't be standard. it's 768bits not 1024 because the least significant two bits of each byte are not used. and yes, each byte controls a specific sbox during a specific iteration. NOTE: actually, every other word has been rotated right 4 bits to reduce the number of temporaries needed when the key is used. you really shouldn't use the 768bit format directly; i should provide a routine that converts 128 6-bit bytes (specified in S-box mapping order or something) into the right format for you. this would entail some byte concatenation and rotation. Des{Small|Quick}{Fips|Core}{Encrypt|Decrypt}(d, m, s) performs des on the 8 bytes at s into the 8 bytes at d. (d,s: char *). uses m as a 768bit key as explained above. the Encrypt|Decrypt choice is obvious. Fips|Core determines whether a completely standard FIPS initial and final permutation is done; if not, then the data is loaded and stored in a nonstandard bit order (FIPS w/o IP/FP). Fips slows down Quick by 10%, Small by 9%. Small|Quick determines whether you use the normal routine or the crazy quick one which gobbles up 64k more of memory. Small is 50% slower then Quick, but Quick needs 32 times as much memory. Quick is included for programs that do nothing but DES, e.g., encryption filters, etc. Getting it to compile on your machine there are no machine-dependencies in the code (see porting), except perhaps the `now()' macro in desTest.c. ALL generated tables are machine independent. you should edit the Makefile with the appropriate optimization flags for your compiler (MAX optimization). Speeding up kerberos (and/or its des library) note that i have included a kerberos-compatible interface in desUtil.c through the functions des_key_sched() and des_ecb_encrypt(). to use these with kerberos or kerberos-compatible code put desCore.a ahead of the kerberos-compatible library on your linker's command line. you should not need to #include desCore.h; just include the header file provided with the kerberos library. Other uses the macros in desCode.h would be very useful for putting inline des functions in more complicated encryption routines. nettle-3.10/aes-set-decrypt-key.c0000644000175000017500000000400314633602171015717 0ustar nissenisse/* aes-set-decrypt-key.c Inverse key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include /* This file implements and uses deprecated functions */ #define _NETTLE_ATTRIBUTE_DEPRECATED #include "aes.h" void aes_invert_key(struct aes_ctx *dst, const struct aes_ctx *src) { switch (src->key_size) { default: abort(); case AES128_KEY_SIZE: aes128_invert_key(&dst->u.ctx128, &src->u.ctx128); break; case AES192_KEY_SIZE: aes192_invert_key(&dst->u.ctx192, &src->u.ctx192); break; case AES256_KEY_SIZE: aes256_invert_key(&dst->u.ctx256, &src->u.ctx256); break; } dst->key_size = src->key_size; } void aes_set_decrypt_key(struct aes_ctx *ctx, size_t keysize, const uint8_t *key) { /* We first create subkeys for encryption, * then modify the subkeys for decryption. */ aes_set_encrypt_key(ctx, keysize, key); aes_invert_key(ctx, ctx); } nettle-3.10/pss.h0000644000175000017500000000316014633602172012736 0ustar nissenisse/* pss.h PKCS#1 RSA-PSS (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PSS_H_INCLUDED #define NETTLE_PSS_H_INCLUDED #include "nettle-meta.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define pss_encode_mgf1 nettle_pss_encode_mgf1 #define pss_verify_mgf1 nettle_pss_verify_mgf1 int pss_encode_mgf1(mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *salt, const uint8_t *digest); int pss_verify_mgf1(const mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_PSS_H_INCLUDED */ nettle-3.10/ecc-mul-a.c0000644000175000017500000001151714633602171013673 0ustar nissenisse/* ecc-mul-a.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" /* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_jja. Current total is 12 ecc->p.size, at most 864 bytes. Window algorithm needs (3<p.size for the table, 3*ecc->p.size for a temporary point, and scratch for ecc_add_jjj. */ #if ECC_MUL_A_WBITS == 0 void ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch #define pj (scratch + 3*ecc->p.size) #define scratch_out (scratch + 6*ecc->p.size) int is_zero; unsigned i; ecc_a_to_j (ecc, pj, p); mpn_zero (r, 3*ecc->p.size); for (i = ecc->p.size, is_zero = 1; i-- > 0; ) { mp_limb_t w = np[i] << (GMP_LIMB_BITS - GMP_NUMB_BITS); unsigned j; for (j = 0; j < GMP_NUMB_BITS; j++, w <<= 1) { int bit; ecc_dup_jj (ecc, r, r, scratch_out); ecc_add_jja (ecc, tp, r, pj, scratch_out); bit = w >> (GMP_LIMB_BITS - 1); /* If is_zero is set, r is the zero point, and ecc_add_jja produced garbage. */ cnd_copy (is_zero, tp, pj, 3*ecc->p.size); is_zero &= 1 - bit; /* If we had a one-bit, use the sum. */ cnd_copy (bit, r, tp, 3*ecc->p.size); } } } #else /* ECC_MUL_A_WBITS > 1 */ #define TABLE_SIZE (1U << ECC_MUL_A_WBITS) #define TABLE_MASK (TABLE_SIZE - 1) #define TABLE(j) (table + (j) * 3*ecc->p.size) static void table_init (const struct ecc_curve *ecc, mp_limb_t *table, unsigned bits, const mp_limb_t *p, mp_limb_t *scratch) { unsigned size = 1 << bits; unsigned j; mpn_zero (TABLE(0), 3*ecc->p.size); ecc_a_to_j (ecc, TABLE(1), p); for (j = 2; j < size; j += 2) { ecc_dup_jj (ecc, TABLE(j), TABLE(j/2), scratch); ecc_add_jja (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); } } void ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch #define table (scratch + 3*ecc->p.size) mp_limb_t *scratch_out = table + (3*ecc->p.size << ECC_MUL_A_WBITS); int is_zero = 0; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned blocks = (ecc->p.bit_size + ECC_MUL_A_WBITS - 1) / ECC_MUL_A_WBITS; unsigned bit_index = (blocks-1) * ECC_MUL_A_WBITS; mp_size_t limb_index = bit_index / GMP_NUMB_BITS; unsigned shift = bit_index % GMP_NUMB_BITS; mp_limb_t w, bits; table_init (ecc, table, ECC_MUL_A_WBITS, p, scratch_out); w = np[limb_index]; bits = w >> shift; if (limb_index < ecc->p.size - 1) bits |= np[limb_index + 1] << (GMP_NUMB_BITS - shift); assert (bits < TABLE_SIZE); mpn_sec_tabselect (r, table, 3*ecc->p.size, TABLE_SIZE, bits); is_zero = IS_ZERO_SMALL (bits); for (;;) { int bits_is_zero; unsigned j; if (shift >= ECC_MUL_A_WBITS) { shift -= ECC_MUL_A_WBITS; bits = w >> shift; } else { if (limb_index == 0) { assert (shift == 0); break; } bits = w << (ECC_MUL_A_WBITS - shift); w = np[--limb_index]; shift = shift + GMP_NUMB_BITS - ECC_MUL_A_WBITS; bits |= w >> shift; } for (j = 0; j < ECC_MUL_A_WBITS; j++) ecc_dup_jj (ecc, r, r, scratch_out); bits &= TABLE_MASK; mpn_sec_tabselect (tp, table, 3*ecc->p.size, TABLE_SIZE, bits); cnd_copy (is_zero, r, tp, 3*ecc->p.size); ecc_add_jjj (ecc, tp, tp, r, scratch_out); bits_is_zero = IS_ZERO_SMALL (bits); /* Use the sum when valid. ecc_add_jja produced garbage if is_zero or bits_is_zero. */ cnd_copy (1 - (bits_is_zero | is_zero), r, tp, 3*ecc->p.size); is_zero &= bits_is_zero; } #undef table #undef tp } #endif /* ECC_MUL_A_WBITS > 1 */ nettle-3.10/camellia256-set-decrypt-key.c0000644000175000017500000000323714633602171017163 0ustar nissenisse/* camellia256-set-decrypt-key.c Inverse key setup for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" void camellia256_invert_key(struct camellia256_ctx *dst, const struct camellia256_ctx *src) { _nettle_camellia_invert_key (_CAMELLIA256_NKEYS, dst->keys, src->keys); } void camellia256_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { camellia256_set_encrypt_key(ctx, key); camellia256_invert_key(ctx, ctx); } void camellia192_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { camellia192_set_encrypt_key(ctx, key); camellia256_invert_key(ctx, ctx); } nettle-3.10/sha3-224.c0000644000175000017500000000337714633602171013300 0ustar nissenisse/* sha3-224.c The sha3 hash function, 224 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "sha3-internal.h" #include "nettle-write.h" void sha3_224_init (struct sha3_224_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_224_ctx, block)); } void sha3_224_update (struct sha3_224_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _nettle_sha3_update (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index, length, data); } void sha3_224_digest(struct sha3_224_ctx *ctx, size_t length, uint8_t *digest) { _sha3_pad_hash (&ctx->state, SHA3_224_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_224_init (ctx); } nettle-3.10/sha512-meta.c0000644000175000017500000000224514633602171014055 0ustar nissenisse/* sha512-meta.c Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha512 = _NETTLE_HASH(sha512, SHA512); nettle-3.10/rsa-sha256-verify.c0000644000175000017500000000337414633602171015227 0ustar nissenisse/* rsa-sha256-verify.c Verifying signatures created with RSA and SHA256. Copyright (C) 2001, 2003, 2006 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha256_verify(const struct rsa_public_key *key, struct sha256_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha256_encode(m, key->size, hash) &&_rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_sha256_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-3.10/cmac.c0000644000175000017500000000702014633602171013025 0ustar nissenisse/* AES-CMAC-128 (rfc 4493) Copyright (C) Stefan Metzmacher 2012 Copyright (C) Jeremy Allison 2012 Copyright (C) Michael Adam 2012 Copyright (C) 2017, Red Hat Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cmac.h" #include "memxor.h" #include "nettle-internal.h" #include "block-internal.h" #include "macros.h" void cmac128_set_key(struct cmac128_key *key, const void *cipher, nettle_cipher_func *encrypt) { static const union nettle_block16 zero_block; union nettle_block16 L; /* step 1 - generate subkeys k1 and k2 */ encrypt(cipher, 16, L.b, zero_block.b); block16_mulx_be(&key->K1, &L); block16_mulx_be(&key->K2, &key->K1); } void cmac128_init(struct cmac128_ctx *ctx) { memset(&ctx->X, 0, sizeof(ctx->X)); ctx->index = 0; } #define MIN(x,y) ((x)<(y)?(x):(y)) void cmac128_update(struct cmac128_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg) { union nettle_block16 Y; /* * check if we expand the block */ if (ctx->index < 16) { size_t len = MIN(16 - ctx->index, msg_len); memcpy(&ctx->block.b[ctx->index], msg, len); msg += len; msg_len -= len; ctx->index += len; } if (msg_len == 0) { /* if it is still the last block, we are done */ return; } /* * now checksum everything but the last block */ block16_xor3(&Y, &ctx->X, &ctx->block); encrypt(cipher, 16, ctx->X.b, Y.b); while (msg_len > 16) { block16_xor_bytes (&Y, &ctx->X, msg); encrypt(cipher, 16, ctx->X.b, Y.b); msg += 16; msg_len -= 16; } /* * copy the last block, it will be processed in * cmac128_digest(). */ memcpy(ctx->block.b, msg, msg_len); ctx->index = msg_len; } void cmac128_digest(struct cmac128_ctx *ctx, const struct cmac128_key *key, const void *cipher, nettle_cipher_func *encrypt, unsigned length, uint8_t *dst) { union nettle_block16 Y; /* re-use ctx->block for memxor output */ if (ctx->index < 16) { ctx->block.b[ctx->index] = 0x80; memset(ctx->block.b + ctx->index + 1, 0, 16 - 1 - ctx->index); block16_xor (&ctx->block, &key->K2); } else { block16_xor (&ctx->block, &key->K1); } block16_xor3 (&Y, &ctx->block, &ctx->X); assert(length <= 16); if (length == 16) { encrypt(cipher, 16, dst, Y.b); } else { encrypt(cipher, 16, ctx->block.b, Y.b); memcpy(dst, ctx->block.b, length); } /* reset state for re-use */ cmac128_init(ctx); } nettle-3.10/nettle-meta.h0000644000175000017500000002216314633602172014354 0ustar nissenisse/* nettle-meta.h Information about algorithms. Copyright (C) 2002, 2014, 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_META_H_INCLUDED #define NETTLE_META_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif struct nettle_cipher { const char *name; unsigned context_size; /* Zero for stream ciphers */ unsigned block_size; /* Suggested key size; other sizes are sometimes possible. */ unsigned key_size; nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; nettle_cipher_func *encrypt; nettle_cipher_func *decrypt; }; /* null-terminated list of ciphers implemented by this version of nettle */ const struct nettle_cipher * const * _NETTLE_ATTRIBUTE_PURE nettle_get_ciphers (void); #define nettle_ciphers (nettle_get_ciphers()) extern const struct nettle_cipher nettle_aes128; extern const struct nettle_cipher nettle_aes192; extern const struct nettle_cipher nettle_aes256; extern const struct nettle_cipher nettle_camellia128; extern const struct nettle_cipher nettle_camellia192; extern const struct nettle_cipher nettle_camellia256; extern const struct nettle_cipher nettle_cast128; extern const struct nettle_cipher nettle_serpent128; extern const struct nettle_cipher nettle_serpent192; extern const struct nettle_cipher nettle_serpent256; extern const struct nettle_cipher nettle_twofish128; extern const struct nettle_cipher nettle_twofish192; extern const struct nettle_cipher nettle_twofish256; extern const struct nettle_cipher nettle_arctwo40; extern const struct nettle_cipher nettle_arctwo64; extern const struct nettle_cipher nettle_arctwo128; extern const struct nettle_cipher nettle_arctwo_gutmann128; extern const struct nettle_cipher nettle_sm4; struct nettle_hash { const char *name; /* Size of the context struct */ unsigned context_size; /* Size of digests */ unsigned digest_size; /* Internal block size */ unsigned block_size; nettle_hash_init_func *init; nettle_hash_update_func *update; nettle_hash_digest_func *digest; }; #define _NETTLE_HASH(name, NAME) { \ #name, \ sizeof(struct name##_ctx), \ NAME##_DIGEST_SIZE, \ NAME##_BLOCK_SIZE, \ (nettle_hash_init_func *) name##_init, \ (nettle_hash_update_func *) name##_update, \ (nettle_hash_digest_func *) name##_digest \ } /* null-terminated list of digests implemented by this version of nettle */ const struct nettle_hash * const * _NETTLE_ATTRIBUTE_PURE nettle_get_hashes (void); #define nettle_hashes (nettle_get_hashes()) const struct nettle_hash * nettle_lookup_hash (const char *name); extern const struct nettle_hash nettle_md2; extern const struct nettle_hash nettle_md4; extern const struct nettle_hash nettle_md5; extern const struct nettle_hash nettle_gosthash94; extern const struct nettle_hash nettle_gosthash94cp; extern const struct nettle_hash nettle_ripemd160; extern const struct nettle_hash nettle_sha1; extern const struct nettle_hash nettle_sha224; extern const struct nettle_hash nettle_sha256; extern const struct nettle_hash nettle_sha384; extern const struct nettle_hash nettle_sha512; extern const struct nettle_hash nettle_sha512_224; extern const struct nettle_hash nettle_sha512_256; extern const struct nettle_hash nettle_sha3_224; extern const struct nettle_hash nettle_sha3_256; extern const struct nettle_hash nettle_sha3_384; extern const struct nettle_hash nettle_sha3_512; extern const struct nettle_hash nettle_streebog256; extern const struct nettle_hash nettle_streebog512; extern const struct nettle_hash nettle_sm3; struct nettle_mac { const char *name; /* Size of the context struct */ unsigned context_size; /* Size of digests */ unsigned digest_size; /* Key size */ unsigned key_size; nettle_set_key_func *set_key; nettle_hash_update_func *update; nettle_hash_digest_func *digest; }; struct nettle_aead { const char *name; unsigned context_size; /* Block size for encrypt and decrypt. */ unsigned block_size; unsigned key_size; unsigned nonce_size; unsigned digest_size; nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; nettle_set_key_func *set_nonce; nettle_hash_update_func *update; nettle_crypt_func *encrypt; nettle_crypt_func *decrypt; /* FIXME: Drop length argument? */ nettle_hash_digest_func *digest; }; /* null-terminated list of aead constructions implemented by this version of nettle */ const struct nettle_aead * const * _NETTLE_ATTRIBUTE_PURE nettle_get_aeads (void); #define nettle_aeads (nettle_get_aeads()) extern const struct nettle_aead nettle_gcm_aes128; extern const struct nettle_aead nettle_gcm_aes192; extern const struct nettle_aead nettle_gcm_aes256; extern const struct nettle_aead nettle_gcm_camellia128; extern const struct nettle_aead nettle_gcm_camellia256; extern const struct nettle_aead nettle_gcm_sm4; extern const struct nettle_aead nettle_eax_aes128; extern const struct nettle_aead nettle_chacha_poly1305; struct nettle_armor { const char *name; unsigned encode_context_size; unsigned decode_context_size; unsigned encode_final_length; nettle_armor_init_func *encode_init; nettle_armor_length_func *encode_length; nettle_armor_encode_update_func *encode_update; nettle_armor_encode_final_func *encode_final; nettle_armor_init_func *decode_init; nettle_armor_length_func *decode_length; nettle_armor_decode_update_func *decode_update; nettle_armor_decode_final_func *decode_final; }; #define _NETTLE_ARMOR(name, NAME) { \ #name, \ sizeof(struct name##_encode_ctx), \ sizeof(struct name##_decode_ctx), \ NAME##_ENCODE_FINAL_LENGTH, \ (nettle_armor_init_func *) name##_encode_init, \ (nettle_armor_length_func *) name##_encode_length, \ (nettle_armor_encode_update_func *) name##_encode_update, \ (nettle_armor_encode_final_func *) name##_encode_final, \ (nettle_armor_init_func *) name##_decode_init, \ (nettle_armor_length_func *) name##_decode_length, \ (nettle_armor_decode_update_func *) name##_decode_update, \ (nettle_armor_decode_final_func *) name##_decode_final, \ } #define _NETTLE_ARMOR_0(name, NAME) { \ #name, \ 0, \ sizeof(struct name##_decode_ctx), \ NAME##_ENCODE_FINAL_LENGTH, \ (nettle_armor_init_func *) name##_encode_init, \ (nettle_armor_length_func *) name##_encode_length, \ (nettle_armor_encode_update_func *) name##_encode_update, \ (nettle_armor_encode_final_func *) name##_encode_final, \ (nettle_armor_init_func *) name##_decode_init, \ (nettle_armor_length_func *) name##_decode_length, \ (nettle_armor_decode_update_func *) name##_decode_update, \ (nettle_armor_decode_final_func *) name##_decode_final, \ } /* null-terminated list of armor schemes implemented by this version of nettle */ const struct nettle_armor * const * _NETTLE_ATTRIBUTE_PURE nettle_get_armors (void); #define nettle_armors (nettle_get_armors()) extern const struct nettle_armor nettle_base64; extern const struct nettle_armor nettle_base64url; extern const struct nettle_armor nettle_base16; #define _NETTLE_HMAC(name, HASH) { \ #name, \ sizeof(struct name##_ctx), \ HASH##_DIGEST_SIZE, \ HASH##_DIGEST_SIZE, \ name##_set_key_wrapper, \ (nettle_hash_update_func *) name##_update, \ (nettle_hash_digest_func *) name##_digest, \ } /* null-terminated list of macs implemented by this version of nettle */ const struct nettle_mac * const * _NETTLE_ATTRIBUTE_PURE nettle_get_macs (void); #define nettle_macs (nettle_get_macs()) extern const struct nettle_mac nettle_cmac_aes128; extern const struct nettle_mac nettle_cmac_aes256; extern const struct nettle_mac nettle_cmac_des3; /* HMAC variants with key size = digest size */ extern const struct nettle_mac nettle_hmac_md5; extern const struct nettle_mac nettle_hmac_ripemd160; extern const struct nettle_mac nettle_hmac_sha1; extern const struct nettle_mac nettle_hmac_sha224; extern const struct nettle_mac nettle_hmac_sha256; extern const struct nettle_mac nettle_hmac_sha384; extern const struct nettle_mac nettle_hmac_sha512; extern const struct nettle_mac nettle_hmac_streebog256; extern const struct nettle_mac nettle_hmac_streebog512; extern const struct nettle_mac nettle_hmac_sm3; #ifdef __cplusplus } #endif #endif /* NETTLE_META_H_INCLUDED */ nettle-3.10/dsa-verify.c0000644000175000017500000000526314633602171014202 0ustar nissenisse/* dsa-verify.c The DSA publickey algorithm. Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "dsa.h" #include "dsa-internal.h" #include "gmp-glue.h" int dsa_verify(const struct dsa_params *params, const mpz_t y, size_t digest_size, const uint8_t *digest, const struct dsa_signature *signature) { mpz_t w; mpz_t tmp; mpz_t v; unsigned bit_size; unsigned limb_size; int res; /* Check that r and s are in the proper range */ if (mpz_sgn(signature->r) <= 0 || mpz_cmp(signature->r, params->q) >= 0) return 0; if (mpz_sgn(signature->s) <= 0 || mpz_cmp(signature->s, params->q) >= 0) return 0; mpz_init(w); /* Compute w = s^-1 (mod q) */ /* NOTE: In gmp-2, mpz_invert sometimes generates negative inverses, * so we need gmp-3 or better. */ if (!mpz_invert(w, signature->s, params->q)) { mpz_clear(w); return 0; } mpz_init(tmp); mpz_init(v); /* The message digest */ bit_size = mpz_sizeinbase(params->q, 2); limb_size = NETTLE_BIT_SIZE_TO_LIMB_SIZE(bit_size); _nettle_dsa_hash (mpz_limbs_write (tmp, limb_size), bit_size, digest_size, digest); mpz_limbs_finish (tmp, limb_size); /* v = g^{w * h (mod q)} (mod p) */ mpz_mul(tmp, tmp, w); mpz_fdiv_r(tmp, tmp, params->q); mpz_powm(v, params->g, tmp, params->p); /* y^{w * r (mod q) } (mod p) */ mpz_mul(tmp, signature->r, w); mpz_fdiv_r(tmp, tmp, params->q); mpz_powm(tmp, y, tmp, params->p); /* v = (g^{w * h} * y^{w * r} (mod p) ) (mod q) */ mpz_mul(v, v, tmp); mpz_fdiv_r(v, v, params->p); mpz_fdiv_r(v, v, params->q); res = !mpz_cmp(v, signature->r); mpz_clear(w); mpz_clear(tmp); mpz_clear(v); return res; } nettle-3.10/curve25519-mul.c0000644000175000017500000000352214633602172014453 0ustar nissenisse/* curve25519-mul.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve25519.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult. */ void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p) { const struct ecc_modulo *m = &_nettle_curve25519.p; mp_size_t itch; mp_limb_t *x; itch = m->size + ECC_MUL_M_ITCH(m->size); x = gmp_alloc_limbs (itch); /* Note that 255 % GMP_NUMB_BITS == 0 isn't supported, so x always holds at least 256 bits. */ mpn_set_base256_le (x, m->size, p, CURVE25519_SIZE); /* Clear bit 255, as required by RFC 7748. */ x[255/GMP_NUMB_BITS] &= ~((mp_limb_t) 1 << (255 % GMP_NUMB_BITS)); ecc_mul_m (m, 121665, 3, 253, x, n, x, x + m->size); mpn_get_base256_le (q, CURVE25519_SIZE, x, m->size); gmp_free_limbs (x, itch); } nettle-3.10/ocb.c0000644000175000017500000002731314633602171012674 0ustar nissenisse/* ocb.c OCB AEAD mode, RFC 7253 Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ocb.h" #include "block-internal.h" #include "bswap-internal.h" #include "memops.h" #define OCB_MAX_BLOCKS 16 /* Returns 64 bits from the concatenation (u0, u1), starting from bit offset. */ static inline uint64_t extract(uint64_t u0, uint64_t u1, unsigned offset) { if (offset == 0) return u0; u0 = bswap64_if_le(u0); u1 = bswap64_if_le(u1); return bswap64_if_le((u0 << offset) | (u1 >> (64 - offset))); } void ocb_set_key (struct ocb_key *key, const void *cipher, nettle_cipher_func *f) { static const union nettle_block16 zero_block; f (cipher, OCB_BLOCK_SIZE, key->L[0].b, zero_block.b); block16_mulx_be (&key->L[1], &key->L[0]); block16_mulx_be (&key->L[2], &key->L[1]); } /* Add x^k L[2], where k is the number of trailing zero bits in i. */ static void update_offset(const struct ocb_key *key, union nettle_block16 *offset, size_t i) { if (i & 1) block16_xor (offset, &key->L[2]); else { assert (i > 0); union nettle_block16 diff; block16_mulx_be (&diff, &key->L[2]); for (i >>= 1; !(i&1); i >>= 1) block16_mulx_be (&diff, &diff); block16_xor (offset, &diff); } } static void pad_block (union nettle_block16 *block, size_t length, const uint8_t *data) { memcpy (block->b, data, length); block->b[length] = 0x80; memset (block->b + length + 1, 0, OCB_BLOCK_SIZE - 1 - length); } void ocb_set_nonce (struct ocb_ctx *ctx, const void *cipher, nettle_cipher_func *f, size_t tag_length, size_t nonce_length, const uint8_t *nonce) { union nettle_block16 top; uint64_t stretch; unsigned bottom; assert (nonce_length < 16); assert (tag_length > 0); assert (tag_length <= 16); /* Bit size, or zero for tag_length == 16 */ top.b[0] = (tag_length & 15) << 4; memset (top.b + 1, 0, 15 - nonce_length); top.b[15 - nonce_length] |= 1; memcpy (top.b + 16 - nonce_length, nonce, nonce_length); bottom = top.b[15] & 0x3f; top.b[15] &= 0xc0; f (cipher, OCB_BLOCK_SIZE, top.b, top.b); stretch = top.u64[0]; #if WORDS_BIGENDIAN stretch ^= (top.u64[0] << 8) | (top.u64[1] >> 56); #else stretch ^= (top.u64[0] >> 8) | (top.u64[1] << 56); #endif ctx->initial.u64[0] = extract(top.u64[0], top.u64[1], bottom); ctx->initial.u64[1] = extract(top.u64[1], stretch, bottom); ctx->sum.u64[0] = ctx->sum.u64[1] = 0; ctx->checksum.u64[0] = ctx->checksum.u64[1] = 0; ctx->data_count = ctx->message_count = 0; } static void ocb_fill_n (const struct ocb_key *key, union nettle_block16 *offset, size_t count, size_t n, union nettle_block16 *o) { assert (n > 0); union nettle_block16 *prev; if (count & 1) prev = offset; else { /* Do a single block to align block count. */ count++; /* Always odd. */ block16_xor (offset, &key->L[2]); block16_set (&o[0], offset); prev = o; n--; o++; } for (; n >= 2; n -= 2, o += 2) { size_t i; count += 2; /* Always odd. */ /* Based on trailing zeros of ctx->message_count - 1, the initial shift below discards a one bit. */ block16_mulx_be (&o[0], &key->L[2]); for (i = count >> 1; !(i&1); i >>= 1) block16_mulx_be (&o[0], &o[0]); block16_xor (&o[0], prev); block16_xor3 (&o[1], &o[0], &key->L[2]); prev = &o[1]; } block16_set(offset, prev); if (n > 0) { update_offset (key, offset, ++count); block16_set (o, offset); } } void ocb_update (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, const uint8_t *data) { union nettle_block16 block[OCB_MAX_BLOCKS]; size_t n = length / OCB_BLOCK_SIZE; assert (ctx->message_count == 0); if (ctx->data_count == 0) ctx->offset.u64[0] = ctx->offset.u64[1] = 0; while (n > 0) { size_t size, i; size_t blocks = (n <= OCB_MAX_BLOCKS) ? n : OCB_MAX_BLOCKS - 1 + (ctx->data_count & 1); ocb_fill_n (key, &ctx->offset, ctx->data_count, blocks, block); ctx->data_count += blocks; size = blocks * OCB_BLOCK_SIZE; memxor (block[0].b, data, size); f (cipher, size, block[0].b, block[0].b); for (i = 0; i < blocks; i++) block16_xor(&ctx->sum, &block[i]); n -= blocks; data += size; } length &= 15; if (length > 0) { union nettle_block16 block; pad_block (&block, length, data); block16_xor (&ctx->offset, &key->L[0]); block16_xor (&block, &ctx->offset); f (cipher, OCB_BLOCK_SIZE, block.b, block.b); block16_xor (&ctx->sum, &block); } } static void ocb_crypt_n (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t n, uint8_t *dst, const uint8_t *src) { union nettle_block16 o[OCB_MAX_BLOCKS], block[OCB_MAX_BLOCKS]; size_t size; while (n > 0) { size_t blocks = (n <= OCB_MAX_BLOCKS) ? n : OCB_MAX_BLOCKS - 1 + (ctx->message_count & 1); ocb_fill_n (key, &ctx->offset, ctx->message_count, blocks, o); ctx->message_count += blocks; size = blocks * OCB_BLOCK_SIZE; memxor3 (block[0].b, o[0].b, src, size); f (cipher, size, block[0].b, block[0].b); memxor3 (dst, block[0].b, o[0].b, size); n -= blocks; src += size; dst += size; } } /* Rotate bytes c positions to the right, in memory order. */ #if WORDS_BIGENDIAN # define MEM_ROTATE_RIGHT(c, s0, s1) do { \ uint64_t __rotate_t = ((s0) >> (8*(c))) | ((s1) << (64-8*(c))); \ (s1) = ((s1) >> (8*(c))) | ((s0) << (64-8*(c))); \ (s0) = __rotate_t; \ } while (0) #else # define MEM_ROTATE_RIGHT(c, s0, s1) do { \ uint64_t __rotate_t = ((s0) << (8*(c))) | ((s1) >> (64-8*(c))); \ (s1) = ((s1) << (8*(c))) | ((s0) >> (64-8*(c))); \ (s0) = __rotate_t; \ } while (0) #endif /* Mask for the first c bytes in memory */ #if WORDS_BIGENDIAN # define MEM_MASK(c) (-((uint64_t) 1 << (64 - 8*(c)))) #else # define MEM_MASK(c) (((uint64_t) 1 << (8*(c))) - 1) #endif /* Checksum of n complete blocks. */ static void ocb_checksum_n (union nettle_block16 *checksum, size_t n, const uint8_t *src) { unsigned initial; uint64_t edge_word = 0; uint64_t s0, s1; if (n == 1) { memxor (checksum->b, src, OCB_BLOCK_SIZE); return; } /* Initial unaligned bytes. */ initial = -(uintptr_t) src & 7; if (initial > 0) { /* Input not 64-bit aligned. Read initial bytes. */ unsigned i; /* Edge word is read in big-endian order */ for (i = initial; i > 0; i--) edge_word = (edge_word << 8) + *src++; n--; } /* Now src is 64-bit aligned, so do 64-bit reads. */ for (s0 = s1 = 0 ; n > 0; n--, src += OCB_BLOCK_SIZE) { s0 ^= ((const uint64_t *) src)[0]; s1 ^= ((const uint64_t *) src)[1]; } if (initial > 0) { unsigned i; uint64_t mask; s0 ^= ((const uint64_t *) src)[0]; for (i = 8 - initial, src += 8; i > 0; i--) edge_word = (edge_word << 8) + *src++; /* Rotate [s0, s1] right initial bytes. */ MEM_ROTATE_RIGHT(initial, s0, s1); /* Add in the edge bytes. */ mask = MEM_MASK(initial); edge_word = bswap64_if_le (edge_word); s0 ^= (edge_word & mask); s1 ^= (edge_word & ~mask); } checksum->u64[0] ^= s0; checksum->u64[1] ^= s1; } void ocb_encrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { size_t n = length / OCB_BLOCK_SIZE; if (ctx->message_count == 0) ctx->offset = ctx->initial; if (n > 0) { ocb_checksum_n (&ctx->checksum, n, src); ocb_crypt_n (ctx, key, cipher, f, n, dst, src); length &= 15; } if (length > 0) { union nettle_block16 block; src += n*OCB_BLOCK_SIZE; dst += n*OCB_BLOCK_SIZE; pad_block (&block, length, src); block16_xor (&ctx->checksum, &block); block16_xor (&ctx->offset, &key->L[0]); f (cipher, OCB_BLOCK_SIZE, block.b, ctx->offset.b); memxor3 (dst, block.b, src, length); ctx->message_count++; } } void ocb_decrypt (struct ocb_ctx *ctx, const struct ocb_key *key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t length, uint8_t *dst, const uint8_t *src) { size_t n = length / OCB_BLOCK_SIZE; if (ctx->message_count == 0) ctx->offset = ctx->initial; if (n > 0) { ocb_crypt_n (ctx, key, decrypt_ctx, decrypt, n, dst, src); ocb_checksum_n (&ctx->checksum, n, dst); length &= 15; } if (length > 0) { union nettle_block16 block; src += n*OCB_BLOCK_SIZE; dst += n*OCB_BLOCK_SIZE; block16_xor (&ctx->offset, &key->L[0]); encrypt (encrypt_ctx, OCB_BLOCK_SIZE, block.b, ctx->offset.b); memxor3 (dst, block.b, src, length); pad_block (&block, length, dst); block16_xor (&ctx->checksum, &block); ctx->message_count++; } } void ocb_digest (const struct ocb_ctx *ctx, const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest) { union nettle_block16 block; assert (length <= OCB_DIGEST_SIZE); block16_xor3 (&block, &key->L[1], (ctx->message_count > 0) ? &ctx->offset : &ctx->initial); block16_xor (&block, &ctx->checksum); f (cipher, OCB_BLOCK_SIZE, block.b, block.b); memxor3 (digest, block.b, ctx->sum.b, length); } void ocb_encrypt_message (const struct ocb_key *key, const void *cipher, nettle_cipher_func *f, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { struct ocb_ctx ctx; assert (clength >= tlength); ocb_set_nonce (&ctx, cipher, f, tlength, nlength, nonce); ocb_update (&ctx, key, cipher, f, alength, adata); ocb_encrypt (&ctx, key, cipher, f, clength - tlength, dst, src); ocb_digest (&ctx, key, cipher, f, tlength, dst + clength - tlength); } int ocb_decrypt_message (const struct ocb_key *key, const void *encrypt_ctx, nettle_cipher_func *encrypt, const void *decrypt_ctx, nettle_cipher_func *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { struct ocb_ctx ctx; union nettle_block16 digest; ocb_set_nonce (&ctx, encrypt_ctx, encrypt, tlength, nlength, nonce); ocb_update (&ctx, key, encrypt_ctx, encrypt, alength, adata); ocb_decrypt (&ctx, key, encrypt_ctx, encrypt, decrypt_ctx, decrypt, mlength, dst, src); ocb_digest (&ctx, key, encrypt_ctx, encrypt, tlength, digest.b); return memeql_sec(digest.b, src + mlength, tlength); } nettle-3.10/balloon.h0000644000175000017500000000577714633602172013577 0ustar nissenisse/* balloon.h Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* For a description of the algorithm, see: * Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: * A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. * Retrieved Sep 1, 2022, from https://eprint.iacr.org/2016/027.pdf */ #ifndef NETTLE_BALLOON_H_INCLUDED #define NETTLE_BALLOON_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define balloon nettle_balloon #define balloon_itch nettle_balloon_itch #define balloon_sha1 nettle_balloon_sha1 #define balloon_sha256 nettle_balloon_sha256 #define balloon_sha384 nettle_balloon_sha384 #define balloon_sha512 nettle_balloon_sha512 void balloon(void *hash_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); size_t balloon_itch(size_t digest_size, size_t s_cost); void balloon_sha1(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); void balloon_sha256(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); void balloon_sha384(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); void balloon_sha512(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_BALLOON_H_INCLUDED */ nettle-3.10/rsa2openpgp.c0000644000175000017500000000546214633602171014372 0ustar nissenisse/* rsa2openpgp.c Converting rsa keys to OpenPGP format. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "rsa.h" #include "buffer.h" #include "pgp.h" /* According to RFC 2440, a public key consists of the following packets: * * Public key packet * * Zero or more revocation signatures * * One or more User ID packets * * After each User ID packet, zero or more signature packets * * Zero or more Subkey packets * * After each Subkey packet, one signature packet, optionally a * revocation. * * Currently, we generate a public key packet, a single user id, and a * signature. */ int rsa_keypair_to_openpgp(struct nettle_buffer *buffer, const struct rsa_public_key *pub, const struct rsa_private_key *priv, /* A single user id. NUL-terminated utf8. */ const char *userid) { time_t now = time(NULL); unsigned key_start; unsigned userid_start; struct sha1_ctx key_hash; struct sha1_ctx signature_hash; uint8_t fingerprint[SHA1_DIGEST_SIZE]; key_start = buffer->size; if (!pgp_put_public_rsa_key(buffer, pub, now)) return 0; /* userid packet */ userid_start = buffer->size; if (!pgp_put_userid(buffer, strlen(userid), (const uint8_t *) userid)) return 0; /* FIXME: We hash the key first, and then the user id. Is this right? */ sha1_init(&key_hash); sha1_update(&key_hash, userid_start - key_start, buffer->contents + key_start); signature_hash = key_hash; sha1_digest(&key_hash, sizeof(fingerprint), fingerprint); sha1_update(&signature_hash, buffer->size - userid_start, buffer->contents + userid_start); return pgp_put_rsa_sha1_signature(buffer, priv, fingerprint + SHA1_DIGEST_SIZE - 8, PGP_SIGN_CERTIFICATION, &signature_hash); } nettle-3.10/powerpc64/0000755000175000017500000000000014633602172013611 5ustar nissenissenettle-3.10/powerpc64/ecc-secp224r1-modp.asm0000644000175000017500000000471514633602172017434 0ustar nissenisseC powerpc64/ecc-secp224r1-modp.asm ifelse(` Copyright (C) 2021 Amitay Isaacs, IBM Corporation Based on x86_64/ecc-secp224r1-modp.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp224r1-modp.asm" define(`SP', `r1') define(`RP', `r4') define(`XP', `r5') define(`T0', `r6') define(`T1', `r7') define(`H0', `r8') define(`H1', `r9') define(`H2', `r10') define(`F0', `r11') define(`F1', `r12') define(`F2', `r14') define(`T2', `r3') C void ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp224r1_modp) std r14, -8(SP) ld H0, 48(XP) ld H1, 56(XP) C set (F2, F1, F0) <-- (H1, H0) << 32 sldi F0, H0, 32 srdi F1, H0, 32 sldi T0, H1, 32 srdi F2, H1, 32 or F1, T0, F1 li H2, 0 ld T0, 16(XP) ld T1, 24(XP) subfc T0, F0, T0 subfe T1, F1, T1 subfe H0, F2, H0 addme H1, H1 ld T2, 32(XP) addc H0, T2, H0 ld T2, 40(XP) adde H1, T2, H1 addze H2, H2 C Set (F2, F1, F0) <-- (H2, H1, H0) << 32 sldi F0, H0, 32 srdi F1, H0, 32 addc H0, T0, H0 sldi T0, H1, 32 srdi F2, H1, 32 adde H1, T1, H1 sldi T1, H2, 32 addze H2, H2 or F1, T0, F1 or F2, T1, F2 ld T0, 0(XP) ld T1, 8(XP) subfc T0, F0, T0 subfe T1, F1, T1 subfe H0, F2, H0 addme H1, H1 addme H2, H2 srdi F0, H1, 32 sldi F1, H2, 32 or F0, F1, F0 clrrdi F1, H1, 32 mr F2, H2 clrldi H1, H1, 32 subfc T0, F0, T0 addme F1, F1 addme F2, F2 addc T1, F1, T1 adde H0, F2, H0 addze H1, H1 std T0, 0(RP) std T1, 8(RP) std H0, 16(RP) std H1, 24(RP) ld r14, -8(SP) blr EPILOGUE(_nettle_ecc_secp224r1_modp) nettle-3.10/powerpc64/machine.m40000644000175000017500000000467414633602172015472 0ustar nissenissedefine(`PROLOGUE', `.globl C_NAME($1) DECLARE_FUNC(C_NAME($1)) ifelse(ELFV2_ABI,yes, `ifdef(`FUNC_ALIGN',`.align FUNC_ALIGN') C_NAME($1): addis 2,12,(.TOC.-C_NAME($1))@ha addi 2,2,(.TOC.-C_NAME($1))@l .localentry C_NAME($1), .-C_NAME($1)', `.section ".opd","aw" .align 3 C_NAME($1): .quad .C_NAME($1),.TOC.@tocbase,0 .previous ifdef(`FUNC_ALIGN',`.align FUNC_ALIGN') .C_NAME($1):') undefine(`FUNC_ALIGN')') define(`EPILOGUE', `ifelse(ELFV2_ABI,yes, `.size C_NAME($1), . - C_NAME($1)', `.size .C_NAME($1), . - .C_NAME($1) .size C_NAME($1), . - .C_NAME($1)')') C Get vector-scalar register from vector register C VSR(VR) define(`VSR',`ifelse(substr($1,0,1),`v', ``vs'eval(32+substr($1,1,len($1)))', `eval(32+$1)')') C Load the quadword in DATA_SRC storage into C VEC_DST. GPR is general-purpose register C used to obtain the effective address of C DATA_SRC storage. C DATA_LOAD_VEC(VEC_DST, DATA_SRC, GPR) define(`DATA_LOAD_VEC', `addis $3,r2,$2@got@ha ld $3,$2@got@l($3) lvx $1,0,$3') dnl Usage: r0 ... r31, cr0 ... cr7 dnl dnl Registers names, either left as "r0" etc or mapped to plain 0 etc, dnl according to the result of the ASM_PPC_WANT_R_REGISTERS configure dnl test. ifelse(ASM_PPC_WANT_R_REGISTERS,no,` forloop(i,0,31,`deflit(`r'i,i)') forloop(i,0,31,`deflit(`v'i,i)') forloop(i,0,63,`deflit(`vs'i,i)') forloop(i,0,31,`deflit(`f'i,i)') forloop(i,0,7, `deflit(`cr'i,i)') ') C Increase index of general-purpose register by specific value C INC_GPR(GPR, INC) define(`INC_GPR',`ifelse(substr($1,0,1),`r', ``r'eval($2+substr($1,1,len($1)))', `eval($2+$1)')') C Increase index of vector register by specific value C INC_VR(VR, INC) define(`INC_VR',`ifelse(substr($1,0,1),`v', ``v'eval($2+substr($1,1,len($1)))', `eval($2+$1)')') C Apply op x, x, y, for each x. C OPN_XXY(OP, Y, X1, X2, ...) define(`OPN_XXY', `$1 $3, $3, $2 ifelse(eval($# > 3), 1, `OPN_XXY($1, $2, shift(shift(shift($@))))dnl ')') C Apply op x, x, x, y, for each x. C OPN_XXXY(OP, Y, X1, X2, ...) define(`OPN_XXXY', `$1 $3, $3, $3, $2 ifelse(eval($# > 3), 1, `OPN_XXXY($1, $2, shift(shift(shift($@))))dnl ')') C Polynomial reduction R += x^{-64} F mod P C where x^{-64} = x^{64} + P1 (mod P) C GHASH_REDUCE(R, F, P1, T1, T2) define(`GHASH_REDUCE', ` vpmsumd $4, $2, $3 xxswapd VSR($5),VSR($2) vxor $1, $1, $5 vxor $1, $1, $4 ') C GF multification of L/M and data C GF_MUL( C GF_MUL(F, R, HL, HM, S) define(`GF_MUL', `vpmsumd $1,$3,$5 vpmsumd $2,$4,$5') nettle-3.10/powerpc64/ecc-curve25519-modp.asm0000644000175000017500000000437714633602172017545 0ustar nissenisseC powerpc64/ecc-curve25519-modp.asm ifelse(` Copyright (C) 2021 Martin Schwenke & Alastair D´Silva, IBM Corporation Based on x86_64/ecc-curve25519-modp.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-curve25519-modp.asm" define(`RP', `r4') define(`XP', `r5') define(`U0', `r6') define(`U1', `r7') define(`U2', `r8') define(`U3', `r9') define(`T0', `r10') define(`T1', `r11') define(`M', `r12') define(`UN', r3) C Overlaps unused modulo input C void ecc_curve25519_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_curve25519_modp) C First fold the limbs affecting bit 255 ld UN, 56(XP) li M, 38 mulhdu T1, M, UN mulld UN, M, UN ld U3, 24(XP) li T0, 0 addc U3, UN, U3 adde T0, T1, T0 ld UN, 40(XP) mulhdu U2, M, UN mulld UN, M, UN addc U3, U3, U3 adde T0, T0, T0 srdi U3, U3, 1 C Undo shift, clear high bit C Fold the high limb again, together with RP[5] li T1, 19 mulld T0, T1, T0 ld U0, 0(XP) ld U1, 8(XP) ld T1, 16(XP) addc U0, T0, U0 adde U1, UN, U1 ld T0, 32(XP) adde U2, U2, T1 addze U3, U3 mulhdu T1, M, T0 mulld T0, M, T0 addc U0, T0, U0 adde U1, T1, U1 std U0, 0(RP) std U1, 8(RP) ld T0, 48(XP) mulhdu T1, M, T0 mulld UN, M, T0 adde U2, UN, U2 adde U3, T1, U3 std U2, 16(RP) std U3, 24(RP) blr EPILOGUE(_nettle_ecc_curve25519_modp) nettle-3.10/powerpc64/README0000644000175000017500000000777214633602172014506 0ustar nissenisseGeneral-Purpose Register Conventions Register Status Use GPR0 volatile In function prologs. GPR1 dedicated Stack pointer. GPR2 dedicated Table of Contents (TOC) pointer. GPR3 volatile First word of a function's argument list; first word of a scalar function return. GPR4 volatile Second word of a function's argument list; second word of a scalar function return. GPR5 volatile Third word of a function's argument list. GPR6 volatile Fourth word of a function's argument list. GPR7 volatile Fifth word of a function's argument list. GPR8 volatile Sixth word of a function's argument list. GPR9 volatile Seventh word of a function's argument list. GPR10 volatile Eighth word of a function's argument list. GPR11 volatile In calls by pointer and as an environment pointer for languages that require it (for example, PASCAL). GPR12 volatile For special exception handling required by certain languages and in glink code. GPR13 reserved Reserved under 64-bit environment; not restored across system calls. GPR14:GPR31 nonvolatile These registers must be preserved across a function call. These registers are named rX in the assembly files. Vector Register Conventions Register Status VR0:V19 Volatile VR20:VR31 Nonvolatile (extended ABI mode) their values are preserved across function calls These registers are named vX in the assembly files. Float/VSR Register Conventions FPR0:FPR13 Volatile FPR14:FPR31 Nonvolatile These registers are named fX in the assembly files, but aren't currently used by Nettle. For ISA 2.06 and later, floating point registers are mapped to the upper halves of the VSR registers. Then the corresponding VSR registers (named vsX in the assembly files) are volatile and non-volatile. (Formally, the lower halves of VSR14:VSR31 are volatile, but that is not so useful). Addressing memory There are many ways to reference data, to maintain support of position-independent code the current implementations use GOT-indirect addressing (Accessing data through the global offset table): 1. Define data in .data section 2. Load the address of data into register from the global offset table Use 32-bit offset (medium or large code model) to get maximum addressing reach of 4 GB e.g. addis r7, r2, my_var@got@ha ld r7, my_var@got@l(r7) 3. Use the address to load the value of data into register e.g. ld r3, 0(r7) Refer to [2] for more information about referencing data VSX instructions "lxvd2x/stxvd2x" are used to load and store data to memory instead of VR instructions "lvx/stvx" as it produces a fewer instructions "lvx/stvx" can be used to load/store data into storage operands but additional instructions are needed to access unaligned storage operands, refer to "6.4.1 Accessing Unaligned Storage Operands" in [3] to see an example of accessing unaligned storage operands. "lxvd2x/stxvd2x" can be used to load/store data into unaligned storage operands but permuting is needed for loading and storing data in little-endian mode VSX registers are defined with "X" suffix Function Prologue Big-endian systems usually support only ELFv1 ABI which requires the following steps in the function prologue: 1. Write the "official procedure descriptor" in ".opd","aw" section 2. Write procedure description for .my_func in my_func label 3. Switch back to ".text" section for program code 4. Label the beginning of the code .my_func Refer to [1] for more information Little-endian systems are compatible with ELFv2 ABI, an example of function prologue for ELFv2 ABI can be seen in [2] Stack There's a 288 byte "protected zone" below the stack pointer, that can be used for storage (obviously "volatile": not preserved if calling other functions). Both ELFv1 [4] and ELFv2 [3] ABIs are the same in this respect. [1] http://www.ibm.com/developerworks/linux/library/l-powasm1.html [2] https://openpowerfoundation.org/?resource_lib=64-bit-elf-v2-abi-specification-power-architecture [3] https://openpowerfoundation.org/specifications/64bitelfabi/ [4] https://refspecs.linuxfoundation.org/ELF/ppc64/PPC-elf64abi.html#STACK nettle-3.10/powerpc64/ecc-curve448-modp.asm0000644000175000017500000000650214633602172017367 0ustar nissenisseC powerpc/ecc-curve448-modp.asm ifelse(` Copyright (C) 2021 Martin Schwenke & Amitay Isaacs, IBM Corporation Based on x86_64/ecc-curve448-modp.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-curve448-modp.asm" define(`SP', `r1') define(`RP', `r4') define(`XP', `r5') define(`X0', `r3') define(`X1', `r9') define(`X2', `r10') define(`X3', `r11') define(`X4', `r12') define(`X5', `r14') define(`X6', `r15') define(`X7', `r16') define(`T0', `r6') define(`T1', `r7') define(`T2', `r8') define(`TT', `r17') define(`LO', `TT') C Overlap C void ecc_curve448_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_curve448_modp) std r14, -32(SP) std r15, -24(SP) std r16, -16(SP) std r17, -8(SP) C First load the values to be shifted by 32. ld T0, 88(XP) C use for X0, X1 ld T1, 96(XP) C use for X2 ld T2, 104(XP) C use for X3 ld X4, 56(XP) ld X5, 64(XP) ld X6, 72(XP) ld X7, 80(XP) C Multiply by 2^32 sldi X0, T0, 32 srdi LO, T0, 32 sldi X1, T1, 32 or X1, X1, LO srdi LO, T1, 32 sldi X2, T2, 32 or X2, X2, LO srdi LO, T2, 32 sldi X3, X4, 32 or X3, X3, LO srdi LO, X4, 32 sldi X4, X5, 32 or X4, X4, LO srdi LO, X5, 32 sldi X5, X6, 32 or X5, X5, LO srdi LO, X6, 32 sldi X6, X7, 32 or X6, X6, LO srdi X7, X7, 32 C Multiply by 2 addc T0, T0, T0 adde T1, T1, T1 adde T2, T2, T2 addze X7, X7 C Main additions ld TT, 56(XP) addc X0, TT, X0 ld TT, 64(XP) adde X1, TT, X1 ld TT, 72(XP) adde X2, TT, X2 ld TT, 80(XP) adde X3, TT, X3 adde X4, T0, X4 adde X5, T1, X5 adde X6, T2, X6 addze X7, X7 ld T0, 0(XP) addc X0, T0, X0 ld T1, 8(XP) adde X1, T1, X1 ld T2, 16(XP) adde X2, T2, X2 ld TT, 24(XP) adde X3, TT, X3 ld T0, 32(XP) adde X4, T0, X4 ld T1, 40(XP) adde X5, T1, X5 ld T2, 48(XP) adde X6, T2, X6 addze X7, X7 C X7 wraparound sldi T0, X7, 32 srdi T1, X7, 32 li T2, 0 addc X0, X7, X0 addze X1, X1 addze X2, X2 adde X3, T0, X3 adde X4, T1, X4 addze X5, X5 addze X6, X6 addze T2, T2 C Final carry wraparound. Carry T2 > 0 only if C X6 is zero, so carry is absorbed. sldi T0, T2, 32 addc X0, T2, X0 addze X1, X1 addze X2, X2 adde X3, T0, X3 addze X4, X4 addze X5, X5 addze X6, X6 std X0, 0(RP) std X1, 8(RP) std X2, 16(RP) std X3, 24(RP) std X4, 32(RP) std X5, 40(RP) std X6, 48(RP) ld r14, -32(SP) ld r15, -24(SP) ld r16, -16(SP) ld r17, -8(SP) blr EPILOGUE(_nettle_ecc_curve448_modp) nettle-3.10/powerpc64/ecc-secp192r1-modp.asm0000644000175000017500000000353314633602172017435 0ustar nissenisseC powerpc64/ecc-secp192r1-modp.asm ifelse(` Copyright (C) 2021 Amitay Isaacs, IBM Corporation This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp192r1-modp.asm" define(`RP', `r4') define(`XP', `r5') define(`T0', `r6') define(`T1', `r7') define(`T2', `r8') define(`T3', `r9') define(`C1', `r10') define(`C2', `r11') C void ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp192r1_modp) ld T0, 0(XP) ld T1, 8(XP) ld T2, 16(XP) li C1, 0 li C2, 0 ld T3, 24(XP) addc T0, T3, T0 adde T1, T3, T1 addze T2, T2 addze C1, C1 ld T3, 32(XP) addc T1, T3, T1 adde T2, T3, T2 addze C1, C1 ld T3, 40(XP) addc T0, T3, T0 adde T1, T3, T1 adde T2, T3, T2 addze C1, C1 addc T0, C1, T0 adde T1, C1, T1 addze T2, T2 addze C2, C2 addc T0, C2, T0 adde T1, C2, T1 addze T2, T2 std T0, 0(RP) std T1, 8(RP) std T2, 16(RP) blr EPILOGUE(_nettle_ecc_secp192r1_modp) nettle-3.10/powerpc64/p7/0000755000175000017500000000000014633602172014137 5ustar nissenissenettle-3.10/powerpc64/p7/chacha-2core.asm0000644000175000017500000001420214633602172017057 0ustar nissenisseC powerpc64/p7/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `r3') define(`SRC', `r4') define(`ROUNDS', `r5') C State, even elements in X, odd elements in Y define(`X0', `v0') define(`X1', `v1') define(`X2', `v2') define(`X3', `v3') define(`Y0', `v4') define(`Y1', `v5') define(`Y2', `v6') define(`Y3', `v7') define(`ROT16', `v8') define(`ROT12', `v9') define(`ROT8', `v10') define(`ROT7', `v11') C Original input state define(`S0', `v12') define(`S1', `v13') define(`S2', `v14') define(`S3', `v15') define(`S3p1', `v16') define(`T0', `v17') define(`EW_MASK', `v18') define(`OW_MASK', `v19') .text C _chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_2core) li r8, 0x30 C offset for x3 vspltisw X1, 1 C {1,1,...,1} vspltisw X0, 0 C {0,0,...,0} vsldoi X1, X1, X0, 12 C {1,0,...,0} lxvw4x VSR(X3), r8, SRC vaddcuw Y3, X3, X1 C Counter carry out vsldoi Y3, Y3, Y3, 12 vor Y3, Y3, X1 .Lshared_entry: DATA_LOAD_VEC(EW_MASK,.even_word_mask,r6) DATA_LOAD_VEC(OW_MASK,.odd_word_mask,r6) vadduwm Y3, Y3, X3 li r6, 0x10 C set up some... li r7, 0x20 C ...useful... lxvw4x VSR(X0), 0, SRC lxvw4x VSR(X1), r6, SRC lxvw4x VSR(X2), r7, SRC vor S0, X0, X0 vor S1, X1, X1 vor S2, X2, X2 vor S3, X3, X3 vor S3p1, Y3, Y3 vperm Y0, X0, X0, OW_MASK C 1 1 3 3 vperm X0, X0, X0, EW_MASK C 0 0 2 2 vperm Y1, X1, X1, OW_MASK C 5 5 7 7 vperm X1, X1, X1, EW_MASK C 4 4 6 6 vperm Y2, X2, X2, OW_MASK C 9 9 11 11 vperm X2, X2, X2, EW_MASK C 8 8 10 10 vperm Y3, X3, S3p1, OW_MASK C 13 13 15 15 vperm X3, X3, S3p1, EW_MASK C 12 12 14 14 vspltisw ROT16, -16 C -16 instead of 16 actually works! vspltisw ROT12, 12 vspltisw ROT8, 8 vspltisw ROT7, 7 srdi ROUNDS, ROUNDS, 1 mtctr ROUNDS .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C X1: A4 B4 A6 B6 Y1: A5 B5 A7 B7 C X2: A8 B8 A10 B10 Y2: A9 B9 A11 B11 C X3: A12 B12 A14 B14 Y3: A13 B13 A15 B15 vadduwm X0, X0, X1 vadduwm Y0, Y0, Y1 vxor X3, X3, X0 vxor Y3, Y3, Y0 vrlw X3, X3, ROT16 vrlw Y3, Y3, ROT16 vadduwm X2, X2, X3 vadduwm Y2, Y2, Y3 vxor X1, X1, X2 vxor Y1, Y1, Y2 vrlw X1, X1, ROT12 vrlw Y1, Y1, ROT12 vadduwm X0, X0, X1 vadduwm Y0, Y0, Y1 vxor X3, X3, X0 vxor Y3, Y3, Y0 vrlw X3, X3, ROT8 vrlw Y3, Y3, ROT8 vadduwm X2, X2, X3 vadduwm Y2, Y2, Y3 vxor X1, X1, X2 vxor Y1, Y1, Y2 vrlw X1, X1, ROT7 vrlw Y1, Y1, ROT7 vsldoi X1, X1, X1, 8 vsldoi X2, X2, X2, 8 vsldoi Y2, Y2, Y2, 8 vsldoi Y3, Y3, Y3, 8 C Register layout: C X0: A0 B0 A2 B2 Y0: A1 B1 A3 B3 C Y1: A5 B5 A7 B7 X1: A6 B6 A4 B4 (X1 swapped) C X2: A10 B10 A8 B8 Y2: A11 A11 A9 B9 (X2, Y2 swapped) C Y3 A15 B15 A13 B13 X3 A12 B12 A14 B14 (Y3 swapped) vadduwm X0, X0, Y1 vadduwm Y0, Y0, X1 vxor Y3, Y3, X0 vxor X3, X3, Y0 vrlw Y3, Y3, ROT16 vrlw X3, X3, ROT16 vadduwm X2, X2, Y3 vadduwm Y2, Y2, X3 vxor Y1, Y1, X2 vxor X1, X1, Y2 vrlw Y1, Y1, ROT12 vrlw X1, X1, ROT12 vadduwm X0, X0, Y1 vadduwm Y0, Y0, X1 vxor Y3, Y3, X0 vxor X3, X3, Y0 vrlw Y3, Y3, ROT8 vrlw X3, X3, ROT8 vadduwm X2, X2, Y3 vadduwm Y2, Y2, X3 vxor Y1, Y1, X2 vxor X1, X1, Y2 vrlw Y1, Y1, ROT7 vrlw X1, X1, ROT7 vsldoi X1, X1, X1, 8 vsldoi X2, X2, X2, 8 vsldoi Y2, Y2, Y2, 8 vsldoi Y3, Y3, Y3, 8 bdnz .Loop vperm T0, X0, Y0, EW_MASK vperm Y0, X0, Y0, OW_MASK vperm X0, X1, Y1, EW_MASK vperm Y1, X1, Y1, OW_MASK vperm X1, X2, Y2, EW_MASK vperm Y2, X2, Y2, OW_MASK vperm X2, X3, Y3, EW_MASK vperm Y3, X3, Y3, OW_MASK vadduwm T0, T0, S0 vadduwm Y0, Y0, S0 vadduwm X0, X0, S1 vadduwm Y1, Y1, S1 vadduwm X1, X1, S2 vadduwm Y2, Y2, S2 vadduwm X2, X2, S3 vadduwm Y3, Y3, S3p1 IF_BE(` C Output always stored in little-endian byte order. C Can reuse S0 and S1 to construct permutation mask. li r9, 0 lvsl S0, r9, r9 C 00 01 02 03 ... 0c 0d 0e 0f vspltisb S1, 0x03 C 03 03 03 03 ... 03 03 03 03 vxor S1, S1, S0 C 03 02 01 00 ... 0f 0e 0d 0c vperm T0, T0, T0, S1 vperm X0, X0, X0, S1 vperm X1, X1, X1, S1 vperm X2, X2, X2, S1 vperm Y0, Y0, Y0, S1 vperm Y1, Y1, Y1, S1 vperm Y2, Y2, Y2, S1 vperm Y3, Y3, Y3, S1 ') stxvw4x VSR(T0), 0, DST stxvw4x VSR(X0), r6, DST stxvw4x VSR(X1), r7, DST stxvw4x VSR(X2), r8, DST addi DST, DST, 64 stxvw4x VSR(Y0), 0, DST stxvw4x VSR(Y1), r6, DST stxvw4x VSR(Y2), r7, DST stxvw4x VSR(Y3), r8, DST blr EPILOGUE(_nettle_chacha_2core) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_2core32) li r8, 0x30 C offset for x3 vspltisw Y3, 1 C {1,1,...,1} vspltisw X0, 0 C {0,0,...,0} vsldoi Y3, Y3, X0, 12 C {1,0,...,0} lxvw4x VSR(X3), r8, SRC b .Lshared_entry EPILOGUE(_nettle_chacha_2core32) .rodata .align 4 .even_word_mask: IF_LE(`.byte 27,26,25,24,11,10,9,8,19,18,17,16,3,2,1,0') IF_BE(`.byte 0,1,2,3,16,17,18,19,8,9,10,11,24,25,26,27') .odd_word_mask: IF_LE(`.byte 31,30,29,28,15,14,13,12,23,22,21,20,7,6,5,4') IF_BE(`.byte 4,5,6,7,20,21,22,23,12,13,14,15,28,29,30,31') divert(-1) define core2state p/x $vs32.v4_int32 p/x $vs33.v4_int32 p/x $vs34.v4_int32 p/x $vs35.v4_int32 p/x $vs36.v4_int32 p/x $vs37.v4_int32 p/x $vs38.v4_int32 p/x $vs39.v4_int32 end nettle-3.10/powerpc64/p7/chacha-core-internal.asm0000644000175000017500000000653714633602172020623 0ustar nissenisseC powerpc64/p7/chacha-core-internal.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Argments define(`DST', `r3') define(`SRC', `r4') define(`ROUNDS', `r5') C Working state define(`X0', `v0') define(`X1', `v1') define(`X2', `v2') define(`X3', `v3') define(`ROT16', `v4') define(`ROT12', `v5') define(`ROT8', `v6') define(`ROT7', `v7') C Original input state define(`S0', `v8') define(`S1', `v9') define(`S2', `v10') define(`S3', `v11') C Big-endian working state define(`LE_MASK', `v12') define(`LE_TEMP', `v13') C QROUND(X0, X1, X2, X3) define(`QROUND', ` C x0 += x1, x3 ^= x0, x3 lrot 16 C x2 += x3, x1 ^= x2, x1 lrot 12 C x0 += x1, x3 ^= x0, x3 lrot 8 C x2 += x3, x1 ^= x2, x1 lrot 7 vadduwm $1, $1, $2 vxor $4, $4, $1 vrlw $4, $4, ROT16 vadduwm $3, $3, $4 vxor $2, $2, $3 vrlw $2, $2, ROT12 vadduwm $1, $1, $2 vxor $4, $4, $1 vrlw $4, $4, ROT8 vadduwm $3, $3, $4 vxor $2, $2, $3 vrlw $2, $2, ROT7 ') C LE_SWAP32(X0, X1, X2, X3) define(`LE_SWAP32', `IF_BE(` vperm X0, X0, X0, LE_MASK vperm X1, X1, X1, LE_MASK vperm X2, X2, X2, LE_MASK vperm X3, X3, X3, LE_MASK ')') .text C _chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_core) li r6, 0x10 C set up some... li r7, 0x20 C ...useful... li r8, 0x30 C ...offsets vspltisw ROT16, -16 C -16 instead of 16 actually works! vspltisw ROT12, 12 vspltisw ROT8, 8 vspltisw ROT7, 7 IF_BE(` li r9, 0 lvsl LE_MASK, r9, r9 C 00 01 02 03 ... 0c 0d 0e 0f vspltisb LE_TEMP, 0x03 C 03 03 03 03 ... 03 03 03 03 vxor LE_MASK, LE_MASK, LE_TEMP C 03 02 01 00 ... 0f 0e 0d 0c ') lxvw4x VSR(X0), 0, SRC lxvw4x VSR(X1), r6, SRC lxvw4x VSR(X2), r7, SRC lxvw4x VSR(X3), r8, SRC vor S0, X0, X0 vor S1, X1, X1 vor S2, X2, X2 vor S3, X3, X3 srdi ROUNDS, ROUNDS, 1 mtctr ROUNDS .Loop: QROUND(X0, X1, X2, X3) C Rotate rows, to get C 0 1 2 3 C 5 6 7 4 <<< 1 C 10 11 8 9 <<< 2 C 15 12 13 14 <<< 3 vsldoi X1, X1, X1, 4 vsldoi X2, X2, X2, 8 vsldoi X3, X3, X3, 12 QROUND(X0, X1, X2, X3) C Inverse rotation vsldoi X1, X1, X1, 12 vsldoi X2, X2, X2, 8 vsldoi X3, X3, X3, 4 bdnz .Loop vadduwm X0, X0, S0 vadduwm X1, X1, S1 vadduwm X2, X2, S2 vadduwm X3, X3, S3 LE_SWAP32(X0, X1, X2, X3) stxvw4x VSR(X0), 0, DST stxvw4x VSR(X1), r6, DST stxvw4x VSR(X2), r7, DST stxvw4x VSR(X3), r8, DST blr EPILOGUE(_nettle_chacha_core) nettle-3.10/powerpc64/p7/chacha-4core.asm0000644000175000017500000001572314633602172017072 0ustar nissenisseC powerpc64/chacha-4core.asm ifelse(` Copyright (C) 2020 Niels Möller and Torbjörn Granlund This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') C Argments define(`DST', `r3') define(`SRC', `r4') define(`ROUNDS', `r5') C Working state in v0,...,v15 define(`ROT16', v16) define(`ROT12', v17) define(`ROT8', v18) define(`ROT7', v19) C During the loop, used to save the original values for last 4 words C of each block. Also used as temporaries for transpose. define(`T0', `v20') define(`T1', `v21') define(`T2', `v22') define(`T3', `v23') C A workaround for expanding multiple digits of argument references to QR macro which is incompatible with POSIX C See https://www.gnu.org/software/m4/manual/html_node/Arguments.html define(`P1', `ifelse($1, 0, v0, $1, 1, v4, $1, 2, v8, $1, 3, v12, $1, 4, v1, $1, 5, v5, $1, 6, v9, $1, 7, v13, $1, 8, v2, $1, 9, v6, $1, 10, v10, $1, 11, v14, $1, 12, v3, $1, 13, v7, $1, 14, v11, $1, 15, v15)') define(`P2', `ifelse($1, 0, v0, $1, 1, v5, $1, 2, v10, $1, 3, v15, $1, 4, v1, $1, 5, v6, $1, 6, v11, $1, 7, v12, $1, 8, v2, $1, 9, v7, $1, 10, v8, $1, 11, v13, $1, 12, v3, $1, 13, v4, $1, 14, v9, $1, 15, v14)') C Main loop for round define(`QR',` vadduwm $1(0), $1(0), $1(1) vadduwm $1(4), $1(4), $1(5) vadduwm $1(8), $1(8), $1(9) vadduwm $1(12), $1(12), $1(13) vxor $1(3), $1(3), $1(0) vxor $1(7), $1(7), $1(4) vxor $1(11), $1(11), $1(8) vxor $1(15), $1(15), $1(12) vrlw $1(3), $1(3), ROT16 vrlw $1(7), $1(7), ROT16 vrlw $1(11), $1(11), ROT16 vrlw $1(15), $1(15), ROT16 vadduwm $1(2), $1(2), $1(3) vadduwm $1(6), $1(6), $1(7) vadduwm $1(10), $1(10), $1(11) vadduwm $1(14), $1(14), $1(15) vxor $1(1), $1(1), $1(2) vxor $1(5), $1(5), $1(6) vxor $1(9), $1(9), $1(10) vxor $1(13), $1(13), $1(14) vrlw $1(1), $1(1), ROT12 vrlw $1(5), $1(5), ROT12 vrlw $1(9), $1(9), ROT12 vrlw $1(13), $1(13), ROT12 vadduwm $1(0), $1(0), $1(1) vadduwm $1(4), $1(4), $1(5) vadduwm $1(8), $1(8), $1(9) vadduwm $1(12), $1(12), $1(13) vxor $1(3), $1(3), $1(0) vxor $1(7), $1(7), $1(4) vxor $1(11), $1(11), $1(8) vxor $1(15), $1(15), $1(12) vrlw $1(3), $1(3), ROT8 vrlw $1(7), $1(7), ROT8 vrlw $1(11), $1(11), ROT8 vrlw $1(15), $1(15), ROT8 vadduwm $1(2), $1(2), $1(3) vadduwm $1(6), $1(6), $1(7) vadduwm $1(10), $1(10), $1(11) vadduwm $1(14), $1(14), $1(15) vxor $1(1), $1(1), $1(2) vxor $1(5), $1(5), $1(6) vxor $1(9), $1(9), $1(10) vxor $1(13), $1(13), $1(14) vrlw $1(1), $1(1), ROT7 vrlw $1(5), $1(5), ROT7 vrlw $1(9), $1(9), ROT7 vrlw $1(13), $1(13), ROT7 ') define(`TRANSPOSE',` vmrghw T0, $1, $3 C A0 A2 B0 B2 vmrghw T1, $2, $4 C A1 A3 B1 B3 vmrglw T2, $1, $3 C C0 C2 D0 D2 vmrglw T3, $2, $4 C C1 C3 D1 D3 vmrghw $1, T0, T1 C A0 A1 A2 A3 vmrglw $2, T0, T1 C B0 B1 B2 B3 vmrghw $3, T2, T3 C C0 C2 C1 C3 vmrglw $4, T2, T3 C D0 D1 D2 D3 ') C _chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_4core) vspltisw T2, 1 C Apply counter carries .Lshared_entry: li r6, 0x10 C set up some... li r7, 0x20 C ...useful... li r8, 0x30 C ...offsets C Save callee-save registers. Use the "protected zone", max C 228 bytes, below the stack pointer, accessed via r10. addi r10, SP, -0x40 stvx v20, 0, r10 stvx v21, r6, r10 stvx v22, r7, r10 stvx v23, r8, r10 vspltisw ROT16, -16 C -16 instead of 16 actually works! vspltisw ROT12, 12 vspltisw ROT8, 8 vspltisw ROT7, 7 C Load state and splat lxvw4x VSR(v0), 0, SRC C "expa ..." lxvw4x VSR(v4), r6, SRC C key lxvw4x VSR(v8), r7, SRC C key lxvw4x VSR(v12), r8, SRC C cnt and nonce vspltw v1, v0, 1 vspltw v2, v0, 2 vspltw v3, v0, 3 vspltw v0, v0, 0 vspltw v5, v4, 1 vspltw v6, v4, 2 vspltw v7, v4, 3 vspltw v4, v4, 0 vspltw v9, v8, 1 vspltw v10, v8, 2 vspltw v11, v8, 3 vspltw v8, v8, 0 vspltw v13, v12, 1 vspltw v14, v12, 2 vspltw v15, v12, 3 vspltw v12, v12, 0 addis r9, r2, .Lcnts@got@ha ld r9, .Lcnts@got@l(r9) lxvw4x VSR(T0), 0, r9 C increments vaddcuw T1, v12, T0 C compute carry-out vadduwm v12, v12, T0 C low adds vand T1, T1, T2 C discard carries for 32-bit counter variant vadduwm v13, v13, T1 C apply carries C Save all 4x4 of the last words. vor T0, v12, v12 vor T1, v13, v13 vor T2, v14, v14 vor T3, v15, v15 srdi ROUNDS, ROUNDS, 1 mtctr ROUNDS .Loop: QR(`P1') QR(`P2') bdnz .Loop C Add in saved original words, including counters, before C transpose. vadduwm v12, v12, T0 vadduwm v13, v13, T1 vadduwm v14, v14, T2 vadduwm v15, v15, T3 TRANSPOSE(v0, v1,v2, v3) TRANSPOSE(v4, v5, v6, v7) TRANSPOSE(v8, v9, v10, v11) TRANSPOSE(v12, v13, v14, v15) lxvw4x VSR(T0), 0, SRC lxvw4x VSR(T1), r6, SRC lxvw4x VSR(T2), r7, SRC vadduwm v0, v0, T0 vadduwm v1, v1, T0 vadduwm v2, v2, T0 vadduwm v3, v3, T0 vadduwm v4, v4, T1 vadduwm v5, v5, T1 vadduwm v6, v6, T1 vadduwm v7, v7, T1 vadduwm v8, v8, T2 vadduwm v9, v9, T2 vadduwm v10, v10, T2 vadduwm v11, v11, T2 IF_BE(` C Output always stored in little-endian byte order. C Can reuse T0 and T1 to construct permutation mask. li r9, 0 lvsl T0, r9, r9 C 00 01 02 03 ... 0c 0d 0e 0f vspltisb T1, 0x03 C 03 03 03 03 ... 03 03 03 03 vxor T1, T1, T0 C 03 02 01 00 ... 0f 0e 0d 0c forloop(i, 0, 15, ` vperm m4_unquote(v`'i), m4_unquote(v`'i), m4_unquote(v`'i), T1 ') ') stxvw4x VSR(v0), 0, DST stxvw4x VSR(v4), r6, DST stxvw4x VSR(v8), r7, DST stxvw4x VSR(v12), r8, DST addi DST, DST, 64 stxvw4x VSR(v1), 0, DST stxvw4x VSR(v5), r6, DST stxvw4x VSR(v9), r7, DST stxvw4x VSR(v13), r8, DST addi DST, DST, 64 stxvw4x VSR(v2), 0, DST stxvw4x VSR(v6), r6, DST stxvw4x VSR(v10), r7, DST stxvw4x VSR(v14), r8, DST addi DST, DST, 64 stxvw4x VSR(v3), 0, DST stxvw4x VSR(v7), r6, DST stxvw4x VSR(v11), r7, DST stxvw4x VSR(v15), r8, DST C Restore callee-save registers lvx v20, 0, r10 lvx v21, r6, r10 lvx v22, r7, r10 lvx v23, r8, r10 blr EPILOGUE(_nettle_chacha_4core) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_chacha_4core32) vspltisw T2, 0 C Ignore counter carries b .Lshared_entry EPILOGUE(_nettle_chacha_4core32) .section .rodata ALIGN(16) .Lcnts: .long 0,1,2,3 C increments nettle-3.10/powerpc64/fat/0000755000175000017500000000000014633602172014363 5ustar nissenissenettle-3.10/powerpc64/fat/aes-encrypt-internal-2.asm0000644000175000017500000000226314633602172021273 0ustar nissenisseC powerpc64/fat/aes-encrypt-internal-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_aes_encrypt) picked up by configure define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/aes-encrypt-internal.asm') nettle-3.10/powerpc64/fat/sha256-compress-n-2.asm0000644000175000017500000000230214633602172020315 0ustar nissenisseC powerpc64/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2024 Eric Richter, IBM Corporation This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha256_compress_n) picked up by configure define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/sha256-compress-n.asm') nettle-3.10/powerpc64/fat/aes-decrypt-internal-2.asm0000644000175000017500000000226314633602172021261 0ustar nissenisseC powerpc64/fat/aes-decrypt-internal-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_aes_decrypt) picked up by configure define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/aes-decrypt-internal.asm') nettle-3.10/powerpc64/fat/chacha-2core.asm0000644000175000017500000000220214633602172017300 0ustar nissenisseC powerpc64/fat/chacha-2core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_2core) picked up by configure include_src(`powerpc64/p7/chacha-2core.asm') nettle-3.10/powerpc64/fat/chacha-core-internal-2.asm0000644000175000017500000000226514633602172021200 0ustar nissenisseC powerpc64/fat/chacha-core-internal-2.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_chacha_core) picked up by configure define(`fat_transform', `$1_altivec') include_src(`powerpc64/p7/chacha-core-internal.asm') nettle-3.10/powerpc64/fat/ghash-set-key-2.asm0000644000175000017500000000225214633602172017676 0ustar nissenisseC powerpc64/fat/ghash-set-key-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_set_key) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/ghash-set-key.asm') nettle-3.10/powerpc64/fat/poly1305-internal-2.asm0000644000175000017500000000240014633602172020326 0ustar nissenisseC powerpc64/fat/poly1305-internal-2.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_poly1305_set_key) dnl PROLOGUE(_nettle_poly1305_block) dnl PROLOGUE(_nettle_poly1305_digest) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p9/poly1305-internal.asm') nettle-3.10/powerpc64/fat/ghash-update-2.asm0000644000175000017500000000224714633602172017603 0ustar nissenisseC powerpc64/fat/ghash-update-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_ghash_update) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/ghash-update.asm') nettle-3.10/powerpc64/fat/poly1305-blocks.asm0000644000175000017500000000233014633602172017632 0ustar nissenisseC powerpc64/fat/poly1305-blocks.asm ifelse(` Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_poly1305_blocks) dnl PROLOGUE(_nettle_fat_poly1305_blocks) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p9/poly1305-blocks.asm') nettle-3.10/powerpc64/fat/gcm-aes-encrypt-2.asm0000644000175000017500000000221314633602172020220 0ustar nissenisseC powerpc64/fat/gcm-aes-encrypt-2.asm ifelse(` This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_gcm_aes_encrypt) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/gcm-aes-encrypt.asm') nettle-3.10/powerpc64/fat/gcm-aes-decrypt-2.asm0000644000175000017500000000221314633602172020206 0ustar nissenisseC powerpc64/fat/gcm-aes-decrypt-2.asm ifelse(` This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl picked up by configure dnl PROLOGUE(_nettle_gcm_aes_decrypt) define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/gcm-aes-decrypt.asm') nettle-3.10/powerpc64/fat/aes-invert-internal-2.asm0000644000175000017500000000226014633602172021113 0ustar nissenisseC powerpc64/fat/aes-invert-internal-2.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_aes_invert) picked up by configure define(`fat_transform', `$1_ppc64') include_src(`powerpc64/p8/aes-invert-internal.asm') nettle-3.10/powerpc64/fat/chacha-4core.asm0000644000175000017500000000220214633602172017302 0ustar nissenisseC powerpc64/fat/chacha-4core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_4core) picked up by configure include_src(`powerpc64/p7/chacha-4core.asm') nettle-3.10/powerpc64/p9/0000755000175000017500000000000014633602172014141 5ustar nissenissenettle-3.10/powerpc64/p9/poly1305.m40000644000175000017500000000503214633602172015677 0ustar nissenisseC Threshold of processing multiple blocks in parallel C of a multiple of 4 define(`POLY1305_BLOCK_THRESHOLD', `12') C DEFINES_BLOCK_R64(GPR0, VR0) define(`DEFINES_BLOCK_R64', ` define(`H0', `$1') define(`H1', `INC_GPR($1,1)') define(`H2', `INC_GPR($1,2)') define(`T0', `INC_GPR($1,3)') define(`T1', `INC_GPR($1,4)') define(`T2', `H2') define(`T2A', `INC_GPR($1,3)') define(`T2S', `INC_GPR($1,4)') define(`RZ', `H0') define(`IDX', `INC_GPR($1,4)') define(`F0', `$2') define(`F1', `INC_VR($2,1)') define(`ZERO', `INC_VR($2,2)') define(`F0S', `INC_VR($2,3)') define(`F11', `INC_VR($2,4)') define(`T', `INC_VR($2,5)') define(`R', `INC_VR($2,6)') define(`S', `INC_VR($2,7)') define(`T00', `INC_VR($2,8)') define(`T10', `INC_VR($2,9)') define(`T11', `INC_VR($2,10)') define(`MU0', `INC_VR($2,11)') define(`MU1', `INC_VR($2,12)') ') C CTX is the address of context where key and pre-computed values are stored C DATA is the address of input block C PADBYTE is padding byte for input block C GPR0 is the starting register of sequential general-purpose registers C used in the macro of following layout C GPR0, GPR1, GPR2 are inputs representing the previous state radix 2^64 C GPR3, GPR4 are temporary registers C VR0 is the starting register of sequential vector resigers used in C the macro of following layout C VR0, VR1 are outputs representing the result state radix 2^64 sorted as follows C (low 64-bit of VR0) + (low 64-bit of VR1) + (high 64-bit of VR1) C VR2..VR12 are temporary registers C BLOCK_R64(CTX, DATA, PADBYTE, GPR0, VR0) define(`BLOCK_R64', ` DEFINES_BLOCK_R64($4,$5) C Load 128-bit input block IF_LE(` ld T0, 0($2) ld T1, 8($2) ') IF_BE(` li IDX, 8 ldbrx T1, IDX, $2 ldbrx T0, 0, $2 ') C Combine state with input block, latter is padded to 17-bytes C by low-order byte of PADBYTE register addc T0, T0, H0 adde T1, T1, H1 adde T2, $3, H2 mtvsrdd VSR(T), T0, T1 C Load key and pre-computed values li IDX, 16 lxvd2x VSR(R), 0, $1 lxvd2x VSR(S), IDX, $1 andi. T2A, T2, 3 srdi T2S, T2, 2 li RZ, 0 vxor ZERO, ZERO, ZERO xxpermdi VSR(MU0), VSR(R), VSR(S), 0b01 xxswapd VSR(MU1), VSR(R) mtvsrdd VSR(T11), 0, T2A mtvsrdd VSR(T00), T2S, RZ mtvsrdd VSR(T10), 0, T2 C Multiply key by combined state and block vmsumudm F0, T, MU0, ZERO vmsumudm F1, T, MU1, ZERO vmsumudm F11, T11, MU1, ZERO vmsumudm F0, T00, S, F0 vmsumudm F1, T10, MU0, F1 C Product addition xxmrgld VSR(F11), VSR(F11), VSR(ZERO) vadduqm F1, F1, F11 xxmrghd VSR(F0S), VSR(ZERO), VSR(F0) vadduqm F1, F1, F0S ') nettle-3.10/powerpc64/p9/poly1305-blocks.asm0000644000175000017500000002241514633602172017416 0ustar nissenisseC powerpc64/p9/poly1305-blocks.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`powerpc64/p9/poly1305.m4') C Register usage: define(`SP', `r1') define(`TOCP', `r2') C Argments define(`CTX', `r3') define(`BLOCKS', `r4') define(`DATA', `r5') define(`PADBYTE', `r6') C Padding byte register define(`DEFINES_BLOCK_R44', ` define(`R0', `v0') define(`R1', `v1') define(`R2', `v2') define(`S1', `v3') define(`S2', `v4') define(`H0', `v5') define(`H1', `v6') define(`H2', `v7') define(`R3', `v8') define(`R4', `v9') define(`R5', `v10') define(`S4', `v11') define(`S5', `v12') define(`T0', `v13') define(`T1', `v14') define(`T2', `v15') define(`T3', `v16') define(`T4', `v17') define(`T5', `v18') define(`TMP', `v19') define(`TMP2', `v20') define(`ZERO', `v21') define(`MASK44', `v22') define(`MASK42L', `v23') define(`MASK44L', `v24') define(`T4PAD', `v25') define(`D40', `v26') define(`D20', `v27') define(`D24', `v28') define(`D44', `v29') define(`D2', `v30') define(`D4', `v31') ') C Compute S_1 = 20 * R_1 and S_2 = 20 * R_2 C COMPUTE_S(S1, S2, R1, R2) define(`COMPUTE_S', ` vsld $1, $3, D2 vsld $2, $4, D2 vaddudm $1, $1, $3 vaddudm $2, $2, $4 vsld $1, $1, D2 vsld $2, $2, D2 ') C Convert two-part radix 2^64 to three-part radix 2^44 of four blocks C R64_TO_R44_4B(VR0, VR1, VR2, VR3, VR4, VR5) define(`R64_TO_R44_4B', ` vsrd $3, $2, D24 vsrd $6, $5, D24 vsrd TMP, $1, D44 vsrd TMP2, $4, D44 vsld $2, $2, D20 vsld $5, $5, D20 vor $2, $2, TMP vor $5, $5, TMP2 vand $1, $1, MASK44 vand $4, $4, MASK44 vand $2, $2, MASK44 vand $5, $5, MASK44 ') C T_0 = R_0 H_0 + S_2 H_1 + S_1 H_2 C T_1 = R_1 H_0 + R_0 H_1 + S_2 H_2 C T_2 = R_2 H_0 + R_1 H_1 + R_0 H_2 C MUL(T0, T1, T2, H0, H1, H2) define(`MUL', ` vmsumudm $1, $4, R0, ZERO vmsumudm $2, $4, R1, ZERO vmsumudm $3, $4, R2, ZERO vmsumudm $1, $5, S2, $1 vmsumudm $2, $5, R0, $2 vmsumudm $3, $5, R1, $3 vmsumudm $1, $6, S1, $1 vmsumudm $2, $6, S2, $2 vmsumudm $3, $6, R0, $3 ') C Apply aforenamed equations on four-blocks C Each two successive blocks are interleaved horizontally C MUL_4B(T0, T1, T2, H0, H1, H2, H3, H4, H5) define(`MUL_4B', ` vmsumudm $1, $7, R0, ZERO vmsumudm $2, $7, R1, ZERO vmsumudm $3, $7, R2, ZERO vmsumudm $1, $8, S2, $1 vmsumudm $2, $8, R0, $2 vmsumudm $3, $8, R1, $3 vmsumudm $1, $9, S1, $1 vmsumudm $2, $9, S2, $2 vmsumudm $3, $9, R0, $3 vmsumudm $1, $4, R3, $1 vmsumudm $2, $4, R4, $2 vmsumudm $3, $4, R5, $3 vmsumudm $1, $5, S5, $1 vmsumudm $2, $5, R3, $2 vmsumudm $3, $5, R4, $3 vmsumudm $1, $6, S4, $1 vmsumudm $2, $6, S5, $2 vmsumudm $3, $6, R3, $3 ') C Reduction phase of two interleaved chains C RED(H0, H1, H2, T0, T1, T2) define(`RED', ` vand $1, $4, MASK44L vsro $4, $4, D40 vsrd $4, $4, D4 vadduqm $5, $5, $4 vand $2, $5, MASK44L vsro $5, $5, D40 vsrd $5, $5, D4 vadduqm $6, $6, $5 vand $3, $6, MASK42L vsro $6, $6, D40 vsrd $6, $6, D2 vadduqm $1, $1, $6 vsld $6, $6, D2 vadduqm $1, $1, $6 vsrd TMP, $1, D44 vand $1, $1, MASK44L vadduqm $2, $2, TMP ') .text C void _nettle_poly1305_blocks(struct poly1305_ctx *ctx, C size_t length, const uint8_t *data) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_poly1305_blocks) C Save non-volatile vector registers std r31,-8(SP) stxv VSR(v31),-32(SP) stxv VSR(v30),-48(SP) stxv VSR(v29),-64(SP) stxv VSR(v28),-80(SP) stxv VSR(v27),-96(SP) stxv VSR(v26),-112(SP) stxv VSR(v25),-128(SP) stxv VSR(v24),-144(SP) stxv VSR(v23),-160(SP) stxv VSR(v22),-176(SP) stxv VSR(v21),-192(SP) stxv VSR(v20),-208(SP) C Initialize padding byte register li PADBYTE, 1 C Process data blocks of number of multiple 4 DEFINES_BLOCK_R44() cmpldi BLOCKS, POLY1305_BLOCK_THRESHOLD blt Ldata_r64 srdi r9, BLOCKS, 2 andi. BLOCKS, BLOCKS, 3 mtctr r9 C Initialize constants vxor ZERO, ZERO, ZERO vspltisb D2, 2 vspltisb D4, 4 addis r9, TOCP, .mask44@got@ha ld r9, .mask44@got@l(r9) lxvd2x VSR(MASK44), 0, r9 addi r9, r9, 16 lxvd2x VSR(MASK42L), 0, r9 addi r9, r9, 16 lxvd2x VSR(D40), 0, r9 addi r9, r9, 16 lxvd2x VSR(D20), 0, r9 addi r9, r9, 16 lxvd2x VSR(D24), 0, r9 addi r9, r9, 16 lxvd2x VSR(D44), 0, r9 xxmrghd VSR(MASK44L), VSR(ZERO), VSR(MASK44) sldi r10, PADBYTE, 40 mtvsrdd VSR(T4PAD), r10, r10 C Load key of radix 2^44 lxsd R0, 0(CTX) lxsd R1, 8(CTX) vsrd R2, R1, D24 vsrd TMP, R0, D44 vsld R1, R1, D20 vor R1, R1, TMP vand R0, R0, MASK44 vand R1, R1, MASK44 xxmrghd VSR(R0), VSR(R0), VSR(ZERO) xxmrghd VSR(R1), VSR(R1), VSR(ZERO) xxmrghd VSR(R2), VSR(R2), VSR(ZERO) COMPUTE_S(S1, S2, R1, R2) C Calculate R^2 = R R MUL(T0, T1, T2, R0, R1, R2) RED(H0, H1, H2, T0, T1, T2) xxpermdi VSR(R0), VSR(R0), VSR(H0), 0b01 xxpermdi VSR(R1), VSR(R1), VSR(H1), 0b01 xxpermdi VSR(R2), VSR(R2), VSR(H2), 0b01 COMPUTE_S(S1, S2, R1, R2) C Calculate R^3 = R^2 R xxmrghd VSR(R3), VSR(ZERO), VSR(R0) xxmrghd VSR(R4), VSR(ZERO), VSR(R1) xxmrghd VSR(R5), VSR(ZERO), VSR(R2) MUL(T0, T1, T2, R3, R4, R5) RED(H0, H1, H2, T0, T1, T2) C Calculate R^4 = R^2 R^2 xxmrgld VSR(R3), VSR(ZERO), VSR(R0) xxmrgld VSR(R4), VSR(ZERO), VSR(R1) xxmrgld VSR(R5), VSR(ZERO), VSR(R2) MUL(T0, T1, T2, R3, R4, R5) RED(R3, R4, R5, T0, T1, T2) xxmrgld VSR(R3), VSR(H0), VSR(R3) xxmrgld VSR(R4), VSR(H1), VSR(R4) xxmrgld VSR(R5), VSR(H2), VSR(R5) COMPUTE_S(S4, S5, R4, R5) C Load state ld r7, 32(CTX) ld r8, 40(CTX) ld r31, 48(CTX) C Fold high part of H2 srdi r9, r31, 2 sldi r10, r9, 2 add r10, r10, r9 andi. r31, r31, 3 li r9, 0 addc r7, r7, r10 adde r8, r8, r9 adde r31, r31, r9 mtvsrdd VSR(H0), 0, r7 mtvsrdd VSR(H1), 0, r8 mtvsrdd VSR(H2), 0, r31 C Convert state of radix 2^64 to 2^44 vsrd TMP, H1, D24 vsld H2, H2, D40 vor H2, H2, TMP vsrd TMP2, H0, D44 vsld H1, H1, D20 vor H1, H1, TMP2 vand H0, H0, MASK44 vand H1, H1, MASK44 li r8, 0x10 li r9, 0x20 li r10, 0x30 L4B_loop: C Load four blocks lxvd2x VSR(T3), 0, DATA lxvd2x VSR(T4), r8, DATA lxvd2x VSR(T5), r9, DATA lxvd2x VSR(TMP), r10, DATA IF_BE(` xxbrd VSR(T3), VSR(T3) xxbrd VSR(T4), VSR(T4) xxbrd VSR(T5), VSR(T5) xxbrd VSR(TMP), VSR(TMP) ') C Permute blocks in little-endian and line each two successive C blocks horizontally xxmrghd VSR(T0), VSR(T4), VSR(T3) xxmrgld VSR(T1), VSR(T4), VSR(T3) xxmrghd VSR(T3), VSR(TMP), VSR(T5) xxmrgld VSR(T4), VSR(TMP), VSR(T5) R64_TO_R44_4B(T0, T1, T2, T3, T4, T5) vor T2, T2, T4PAD vor T5, T5, T4PAD C Combine first block with previous state vaddudm H0, H0, T0 vaddudm H1, H1, T1 vaddudm H2, H2, T2 MUL_4B(T0, T1, T2, H0, H1, H2, T3, T4, T5) RED(H0, H1, H2, T0, T1, T2) addi DATA, DATA, 64 bdnz L4B_loop C Moving carry vsrd TMP, H1, D44 vaddudm H2, H2, TMP vsrd TMP2, H2, D40 vsrd TMP2, TMP2, D2 vsld TMP, TMP2, D2 vand H1, H1, MASK44 vaddudm TMP2, TMP2, TMP vaddudm H0, H0, TMP2 vsrd TMP, H0, D44 vaddudm H1, H1, TMP vand H2, H2, MASK42L vand H0, H0, MASK44 C Convert state of radix 2^44 to 2^64 vsld TMP, H1, D44 vor H0, H0, TMP vsrd H1, H1, D20 vsld TMP2, H2, D24 vor H1, H1, TMP2 vsrd H2, H2, D40 xxswapd VSR(H0), VSR(H0) xxswapd VSR(H1), VSR(H1) xxswapd VSR(H2), VSR(H2) C Store state stxsd H0, 32(CTX) stxsd H1, 40(CTX) stxsd H2, 48(CTX) Ldata_r64: cmpldi BLOCKS, 0 beq Ldone mtctr BLOCKS mr r4, PADBYTE ld r6, P1305_H0 (CTX) ld r7, P1305_H1 (CTX) ld r8, P1305_H2 (CTX) L1B_loop: BLOCK_R64(CTX,DATA,r4,r6,v0) mfvsrld r6, VSR(v0) mfvsrld r7, VSR(v1) mfvsrd r8, VSR(v1) addi DATA, DATA, 16 bdnz L1B_loop std r6, P1305_H0 (CTX) std r7, P1305_H1 (CTX) std r8, P1305_H2 (CTX) Ldone: C Restore non-volatile vector registers ld r31, -8(SP) lxv VSR(v31),-32(SP) lxv VSR(v30),-48(SP) lxv VSR(v29),-64(SP) lxv VSR(v28),-80(SP) lxv VSR(v27),-96(SP) lxv VSR(v26),-112(SP) lxv VSR(v25),-128(SP) lxv VSR(v24),-144(SP) lxv VSR(v23),-160(SP) lxv VSR(v22),-176(SP) lxv VSR(v21),-192(SP) lxv VSR(v20),-208(SP) mr r3, DATA blr EPILOGUE(_nettle_poly1305_blocks) .rodata .align 4 .mask44: .quad 0x00000FFFFFFFFFFF,0x00000FFFFFFFFFFF .mask42l: .quad 0x0000000000000000,0x000003FFFFFFFFFF .d40: .quad 0x0000000000000028,0x0000000000000028 .d20: .quad 0x0000000000000014,0x0000000000000014 .d24: .quad 0x0000000000000018,0x0000000000000018 .d44: .quad 0x000000000000002C,0x000000000000002C nettle-3.10/powerpc64/p9/poly1305-internal.asm0000644000175000017500000000700014633602172017746 0ustar nissenisseC powerpc64/p9/poly1305-internal.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller Copyright (C) 2022 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`powerpc64/p9/poly1305.m4') C Register usage: define(`SP', `r1') define(`TOCP', `r2') C Argments define(`CTX', `r3') define(`DATA', `r4') define(`PADBYTE', `r5') C Padding byte register .text C _poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_poly1305_set_key) li r9, 0 addis r5, TOCP, .key_mask@got@ha ld r5, .key_mask@got@l(r5) ld r8, 0(r5) ori r7, r8, 3 C Load R_0 and R_1 IF_LE(` ld r5, 0(r4) ld r6, 8(r4) ') IF_BE(` ldbrx r5, 0, r4 addi r4, r4, 8 ldbrx r6, 0, r4 ') and r5, r5, r7 C R_0 &= 0x0FFFFFFC0FFFFFFF and r6, r6, r8 C R_1 &= 0x0FFFFFFC0FFFFFFC srdi r10, r6, 2 sldi r7, r5, 2 sldi r8, r10, 2 add r7, r7, r5 add r8, r8, r10 C Store key std r5, P1305_R0 (r3) std r6, P1305_R1 (r3) std r7, P1305_S0 (r3) std r8, P1305_S1 (r3) C Reset state std r9, P1305_H0 (r3) std r9, P1305_H1 (r3) std r9, P1305_H2 (r3) blr EPILOGUE(_nettle_poly1305_set_key) C void _nettle_poly1305_block(struct poly1305_ctx *ctx, const uint8_t *m, unsigned m128) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_poly1305_block) ld r6, P1305_H0 (CTX) ld r7, P1305_H1 (CTX) ld r8, P1305_H2 (CTX) BLOCK_R64(CTX,DATA,PADBYTE,r6,v0) li r10, P1305_H1 xxswapd VSR(v0), VSR(v0) xxswapd VSR(v1), VSR(v1) stxsd v0, P1305_H0 (CTX) stxvd2x VSR(v1), r10, CTX blr EPILOGUE(_nettle_poly1305_block) C _poly1305_digest (struct poly1305_ctx *ctx, uint8_t *s) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_poly1305_digest) C Load current state ld r5, P1305_H0 (r3) ld r6, P1305_H1 (r3) ld r7, P1305_H2 (r3) C Fold high part of H2 li r10, 0 srdi r9, r7, 2 sldi r8, r9, 2 add r8, r8, r9 andi. r7, r7, 3 addc r5, r5, r8 adde r6, r6, r10 adde r7, r7, r10 C Add 5 to state, save result if it carries li r8, 5 li r9, 0 li r10, -4 addc r8, r8, r5 adde r9, r9, r6 adde. r10, r10, r7 iseleq r5, r8, r5 iseleq r6, r9, r6 C Load digest IF_LE(` ld r7, 0(r4) ld r8, 8(r4) ') IF_BE(` li r10, 8 ldbrx r7, 0, r4 ldbrx r8, r10, r4 ') C Add hash to digest addc r5, r5, r7 adde r6, r6, r8 C Store digest IF_LE(` std r5, 0(r4) std r6, 8(r4) ') IF_BE(` stdbrx r5, 0, r4 stdbrx r6, r10, r4 ') C Reset hash li r9, 0 std r9, P1305_H0 (r3) std r9, P1305_H1 (r3) std r9, P1305_H2 (r3) blr EPILOGUE(_nettle_poly1305_digest) .rodata .align 3 .key_mask: .quad 0x0FFFFFFC0FFFFFFC nettle-3.10/powerpc64/p8/0000755000175000017500000000000014633602172014140 5ustar nissenissenettle-3.10/powerpc64/p8/aes-decrypt-internal.asm0000644000175000017500000001230014633602172020670 0ustar nissenisseC powerpc64/p8/aes-decrypt-internal.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`ROUNDS', `r3') define(`KEYS', `r4') define(`LENGTH', `r6') define(`DST', `r7') define(`SRC', `r8') C r9 used as loop index register, r10-r12, r14-r17 as constants. define(`SWAP_MASK', `v0') define(`K', `v1') define(`S0', `v2') define(`S1', `v3') define(`S2', `v4') define(`S3', `v5') define(`S4', `v6') define(`S5', `v7') define(`S6', `v8') define(`S7', `v9') .file "aes-decrypt-internal.asm" .text C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_aes_decrypt) DATA_LOAD_VEC(SWAP_MASK,.swap_mask,r5) subi ROUNDS,ROUNDS,1 srdi LENGTH,LENGTH,4 C Used as offsets for load/store, throughout this function li r10,0x10 li r11,0x20 li r12,0x30 srdi r5,LENGTH,3 #8x loop count cmpldi r5,0 beq L4x std r14,-32(SP) std r15,-24(SP) std r16,-16(SP) std r17,-8(SP) li r14,0x40 li r15,0x50 li r16,0x60 li r17,0x70 .align 5 Lx8_loop: lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC lxvd2x VSR(S2),r11,SRC lxvd2x VSR(S3),r12,SRC lxvd2x VSR(S4),r14,SRC lxvd2x VSR(S5),r15,SRC lxvd2x VSR(S6),r16,SRC lxvd2x VSR(S7),r17,SRC IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) mtctr ROUNDS li r9,-0x10 .align 5 L8x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vncipher, K, S0, S1, S2, S3, S4, S5, S6, S7) subi r9,r9,0x10 bdnz L8x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vncipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST stxvd2x VSR(S2),r11,DST stxvd2x VSR(S3),r12,DST stxvd2x VSR(S4),r14,DST stxvd2x VSR(S5),r15,DST stxvd2x VSR(S6),r16,DST stxvd2x VSR(S7),r17,DST addi SRC,SRC,0x80 addi DST,DST,0x80 subic. r5,r5,1 bne Lx8_loop ld r14,-32(SP) ld r15,-24(SP) ld r16,-16(SP) ld r17,-8(SP) clrldi LENGTH,LENGTH,61 L4x: srdi r5,LENGTH,2 cmpldi r5,0 beq L2x lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC lxvd2x VSR(S2),r11,SRC lxvd2x VSR(S3),r12,SRC IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3)') OPN_XXY(vxor, K, S0, S1, S2, S3) mtctr ROUNDS li r9,-0x10 .align 5 L4x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vncipher, K, S0, S1, S2, S3) subi r9,r9,0x10 bdnz L4x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vncipherlast, K, S0, S1, S2, S3) IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST stxvd2x VSR(S2),r11,DST stxvd2x VSR(S3),r12,DST addi SRC,SRC,0x40 addi DST,DST,0x40 clrldi LENGTH,LENGTH,62 L2x: srdi r5,LENGTH,1 cmpldi r5,0 beq L1x lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC IF_LE(`vperm S0,S0,S0,SWAP_MASK vperm S1,S1,S1,SWAP_MASK') vxor S0,S0,K vxor S1,S1,K mtctr ROUNDS li r9,-0x10 .align 5 L2x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vncipher S0,S0,K vncipher S1,S1,K subi r9,r9,0x10 bdnz L2x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vncipherlast S0,S0,K vncipherlast S1,S1,K IF_LE(`vperm S0,S0,S0,SWAP_MASK vperm S1,S1,S1,SWAP_MASK') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST addi SRC,SRC,0x20 addi DST,DST,0x20 clrldi LENGTH,LENGTH,63 L1x: cmpldi LENGTH,0 beq Ldone lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC IF_LE(`vperm S0,S0,S0,SWAP_MASK') vxor S0,S0,K mtctr ROUNDS li r9,-0x10 .align 5 L1x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vncipher S0,S0,K subi r9,r9,0x10 bdnz L1x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vncipherlast S0,S0,K IF_LE(`vperm S0,S0,S0,SWAP_MASK') stxvd2x VSR(S0),0,DST Ldone: blr EPILOGUE(_nettle_aes_decrypt) .data .align 4 .swap_mask: IF_LE(`.byte 8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7') IF_BE(`.byte 3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12') nettle-3.10/powerpc64/p8/ghash-set-key.asm0000644000175000017500000001711414633602172017317 0ustar nissenisseC powerpc64/p8/ghash-set-key.asm ifelse(` Copyright (C) 2020, 2022 Niels Möller and Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`CTX', `r3') define(`KEY', `r4') define(`ZERO', `v0') define(`B1', `v1') define(`EMSB', `v16') define(`POLY', `v17') define(`POLY_L', `v1') define(`H', `v2') define(`H2', `v3') define(`H3', `v4') define(`H4', `v5') define(`H1M', `v6') define(`H1L', `v7') define(`H2M', `v8') define(`H2L', `v9') define(`Hl', `v10') define(`Hm', `v11') define(`Hp', `v12') define(`Hl2', `v13') define(`Hm2', `v14') define(`Hp2', `v15') define(`R', `v13') define(`F', `v14') define(`T', `v15') define(`R2', `v16') define(`F2', `v17') define(`T2', `v18') define(`LE_TEMP', `v18') define(`LE_MASK', `v19') .file "ghash-set-key.asm" .text C void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) C This function populates the gcm table as the following layout C ******************************************************************************* C | H1M = (H1 div x⁶⁴)||((H1 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H1L = (H1 mod x⁶⁴)||(((H1 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H1 div x⁶⁴) | C | | C | H2M = (H2 div x⁶⁴)||((H2 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H2L = (H2 mod x⁶⁴)||(((H2 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H2 div x⁶⁴) | C | | C | H3M = (H3 div x⁶⁴)||((H3 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H3L = (H3 mod x⁶⁴)||(((H3 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H3 div x⁶⁴) | C | | C | H4M = (H3 div x⁶⁴)||((H4 mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷)) div x⁶⁴ | C | H4L = (H3 mod x⁶⁴)||(((H4 mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷)) mod x⁶⁴) + (H4 div x⁶⁴) | C ******************************************************************************* define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ghash_set_key) DATA_LOAD_VEC(POLY,.polynomial,r7) C 0xC2000000000000000000000000000001 IF_LE(` li r8,0 lvsl LE_MASK,0,r8 C 0x000102030405060708090A0B0C0D0E0F vspltisb LE_TEMP,0x07 C 0x07070707070707070707070707070707 vxor LE_MASK,LE_MASK,LE_TEMP C 0x07060504030201000F0E0D0C0B0A0908 ') C 'H' is assigned by gcm_set_key() to the middle element of the table lxvd2x VSR(H),0,KEY C load 'H' C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm H,H,H,LE_MASK ') C --- calculate H = H << 1 mod P(X), P(X) = (x¹²⁸+x¹²⁷+x¹²⁶+x¹²¹+1) --- vupkhsb EMSB,H C extend most significant bit to first byte vspltisb B1,1 C 0x01010101010101010101010101010101 vspltb EMSB,EMSB,0 C first byte quadword-extend vsl H,H,B1 C H = H << 1 vand EMSB,EMSB,POLY C EMSB &= 0xC2000000000000000000000000000001 vxor ZERO,ZERO,ZERO C 0x00000000000000000000000000000000 vxor H,H,EMSB C H ^= EMSB C --- calculate H^2 = H*H --- xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY) C 0x0000000000000000C200000000000000 C --- Hp = (H mod x⁶⁴) / x⁶⁴ mod P(X) --- C --- Hp = (H mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷) mod P(X), deg(Hp) ≤ 127 --- C --- Hp = (H mod x⁶⁴) × (x⁶⁴+x⁶³+x⁶²+x⁵⁷) --- vpmsumd Hp,H,POLY_L C Hp = (H mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷) xxswapd VSR(Hm),VSR(H) xxmrgld VSR(Hl),VSR(H),VSR(ZERO) C Hl = (H mod x⁶⁴) × x⁶⁴ vxor Hm,Hm,Hp C Hm = Hm + Hp vxor Hl,Hl,Hp C Hl = Hl + Hp xxmrgld VSR(H1L),VSR(H),VSR(Hm) C H1L = (H mod x⁶⁴)||(Hl mod x⁶⁴) xxmrghd VSR(H1M),VSR(H),VSR(Hl) C H1M = (H div x⁶⁴)||(Hl div x⁶⁴) vpmsumd F,H1L,H C F = (H1Lh × Hh) + (H1Ll × Hl) vpmsumd R,H1M,H C R = (H1Mh × Hh) + (H1Ml × Hl) C --- rduction --- vpmsumd T,F,POLY_L C T = (F mod x⁶⁴) × (x⁶³+x⁶²+x⁵⁷) xxswapd VSR(H2),VSR(F) vxor R,R,T C R = R + T vxor H2,R,H2 xxmrgld VSR(Hl),VSR(H2),VSR(ZERO) xxswapd VSR(Hm),VSR(H2) vpmsumd Hp,H2,POLY_L vxor Hl,Hl,Hp vxor Hm,Hm,Hp xxmrghd VSR(H2M),VSR(H2),VSR(Hl) xxmrgld VSR(H2L),VSR(H2),VSR(Hm) C store H1M, H1L, H2M, H2L li r8,1*16 li r9,2*16 li r10,3*16 stxvd2x VSR(H1M),0,CTX stxvd2x VSR(H1L),r8,CTX stxvd2x VSR(H2M),r9,CTX stxvd2x VSR(H2L),r10,CTX C --- calculate H^3 = H^1*H^2, H^4 = H^2*H^2 --- vpmsumd F,H1L,H2 vpmsumd F2,H2L,H2 vpmsumd R,H1M,H2 vpmsumd R2,H2M,H2 vpmsumd T,F,POLY_L vpmsumd T2,F2,POLY_L xxswapd VSR(H3),VSR(F) xxswapd VSR(H4),VSR(F2) vxor R,R,T vxor R2,R2,T2 vxor H3,R,H3 vxor H4,R2,H4 xxmrgld VSR(Hl),VSR(H3),VSR(ZERO) xxmrgld VSR(Hl2),VSR(H4),VSR(ZERO) xxswapd VSR(Hm),VSR(H3) xxswapd VSR(Hm2),VSR(H4) vpmsumd Hp,H3,POLY_L vpmsumd Hp2,H4,POLY_L vxor Hl,Hl,Hp vxor Hl2,Hl2,Hp2 vxor Hm,Hm,Hp vxor Hm2,Hm2,Hp2 xxmrghd VSR(H1M),VSR(H3),VSR(Hl) xxmrghd VSR(H2M),VSR(H4),VSR(Hl2) xxmrgld VSR(H1L),VSR(H3),VSR(Hm) xxmrgld VSR(H2L),VSR(H4),VSR(Hm2) C store H3M, H3L, H4M, H4L li r7,4*16 li r8,5*16 li r9,6*16 li r10,7*16 stxvd2x VSR(H1M),r7,CTX stxvd2x VSR(H1L),r8,CTX stxvd2x VSR(H2M),r9,CTX stxvd2x VSR(H2L),r10,CTX blr EPILOGUE(_nettle_ghash_set_key) .data C 0xC2000000000000000000000000000001 .polynomial: .align 4 IF_BE(` .byte 0xC2 .rept 14 .byte 0x00 .endr .byte 0x01 ',` .byte 0x01 .rept 14 .byte 0x00 .endr .byte 0xC2 ') nettle-3.10/powerpc64/p8/ghash-update.asm0000644000175000017500000001524614633602172017224 0ustar nissenisseC powerpc64/p8/ghash-update.asm ifelse(` Copyright (C) 2020, 2020 Niels Möller and Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`CTX', `r3') .file "ghash-update.asm" .text define(`CTX', `r3') define(`X', `r4') define(`BLOCKS', `r5') define(`DATA', `r6') define(`ZERO', `v16') define(`LE_TEMP', `v17') define(`POLY_L', `v0') define(`LE_MASK', `v1') define(`C0', `v2') define(`C1', `v3') define(`C2', `v4') define(`C3', `v5') define(`H1M', `v6') define(`H1L', `v7') define(`H2M', `v8') define(`H2L', `v9') define(`H3M', `v10') define(`H3L', `v11') define(`H4M', `v12') define(`H4L', `v13') define(`R', `v14') define(`F', `v15') define(`R2', `v16') define(`F2', `v17') define(`R3', `v18') define(`F3', `v19') define(`R4', `v20') define(`F4', `v21') C const uint8_t *_ghash_update (const struct gcm_key *ctx, C union nettle_block16 *x, C size_t blocks, const uint8_t *data) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ghash_update) vxor ZERO,ZERO,ZERO DATA_LOAD_VEC(POLY_L,.polynomial,r7) IF_LE(` li r8,0 lvsl LE_MASK,0,r8 vspltisb LE_TEMP,0x07 vxor LE_MASK,LE_MASK,LE_TEMP ') xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY_L) lxvd2x VSR(R),0,X C load 'X' pointer C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm R,R,R,LE_MASK ') C Used as offsets for load/store, throughout this function li r8,1*16 li r9,2*16 li r10,3*16 C --- process 4 blocks '128-bit each' per one loop --- srdi. r7,BLOCKS,2 C 4-blocks loop count 'BLOCKS / 4' beq L2x mtctr r7 C assign counter register to loop count C store non-volatile vector registers addi r7,SP,-32 stvx v20,0,r7 stvx v21,r8,r7 C load table elements lxvd2x VSR(H1M),0,CTX lxvd2x VSR(H1L),r8,CTX lxvd2x VSR(H2M),r9,CTX lxvd2x VSR(H2L),r10,CTX addi r7,CTX,64 lxvd2x VSR(H3M),0,r7 lxvd2x VSR(H3L),r8,r7 lxvd2x VSR(H4M),r9,r7 lxvd2x VSR(H4L),r10,r7 .align 5 L4x_loop: C input loading lxvd2x VSR(C0),0,DATA C load C0 lxvd2x VSR(C1),r8,DATA C load C1 lxvd2x VSR(C2),r9,DATA C load C2 lxvd2x VSR(C3),r10,DATA C load C3 IF_LE(` vperm C0,C0,C0,LE_MASK vperm C1,C1,C1,LE_MASK vperm C2,C2,C2,LE_MASK vperm C3,C3,C3,LE_MASK ') C previous digest combining vxor C0,C0,R C polynomial multiplication vpmsumd F2,H3L,C1 vpmsumd R2,H3M,C1 vpmsumd F3,H2L,C2 vpmsumd R3,H2M,C2 vpmsumd F4,H1L,C3 vpmsumd R4,H1M,C3 vpmsumd F,H4L,C0 vpmsumd R,H4M,C0 C deferred recombination of partial products vxor F3,F3,F4 vxor R3,R3,R4 vxor F,F,F2 vxor R,R,R2 vxor F,F,F3 vxor R,R,R3 GHASH_REDUCE(R, F, POLY_L, R2, F2) C R2, F2 used as temporaries addi DATA,DATA,0x40 bdnz L4x_loop C restore non-volatile vector registers addi r7,SP,-32 lvx v20,0,r7 addi r7,r7,16 lvx v21,0,r7 clrldi BLOCKS,BLOCKS,62 C 'set the high-order 62 bits to zeros' L2x: C --- process 2 blocks --- srdi. r7,BLOCKS,1 C 'BLOCKS / 2' beq L1x C load table elements lxvd2x VSR(H1M),0,CTX lxvd2x VSR(H1L),r8,CTX lxvd2x VSR(H2M),r9,CTX lxvd2x VSR(H2L),r10,CTX C input loading lxvd2x VSR(C0),0,DATA C load C0 lxvd2x VSR(C1),r8,DATA C load C1 IF_LE(` vperm C0,C0,C0,LE_MASK vperm C1,C1,C1,LE_MASK ') C previous digest combining vxor C0,C0,R C polynomial multiplication vpmsumd F2,H1L,C1 vpmsumd R2,H1M,C1 vpmsumd F,H2L,C0 vpmsumd R,H2M,C0 C deferred recombination of partial products vxor F,F,F2 vxor R,R,R2 GHASH_REDUCE(R, F, POLY_L, R2, F2) C R2, F2 used as temporaries addi DATA,DATA,0x20 clrldi BLOCKS,BLOCKS,63 C 'set the high-order 63 bits to zeros' L1x: C --- process 1 block --- srdi. r7,BLOCKS,0 C 'LENGTH / 1' beq Ldone C load table elements lxvd2x VSR(H1M),0,CTX lxvd2x VSR(H1L),r8,CTX C input loading lxvd2x VSR(C0),0,DATA C load C0 IF_LE(` vperm C0,C0,C0,LE_MASK ') C previous digest combining vxor C0,C0,R C polynomial multiplication vpmsumd F,H1L,C0 vpmsumd R,H1M,C0 GHASH_REDUCE(R, F, POLY_L, R2, F2) C R2, F2 used as temporaries addi DATA,DATA,0x10 clrldi BLOCKS,BLOCKS,60 C 'set the high-order 60 bits to zeros' Ldone: C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm R,R,R,LE_MASK ') stxvd2x VSR(R),0,X C store digest 'R' mr r3, DATA blr EPILOGUE(_nettle_ghash_update) .data C 0xC2000000000000000000000000000001 .polynomial: .align 4 IF_BE(` .byte 0xC2 .rept 14 .byte 0x00 .endr .byte 0x01 ',` .byte 0x01 .rept 14 .byte 0x00 .endr .byte 0xC2 ') nettle-3.10/powerpc64/p8/gcm-aes-decrypt.asm0000644000175000017500000002350114633602172017627 0ustar nissenisseC powerpc64/p8/gcm-aes-decrypt.asm ifelse(` Copyright (C) 2023- IBM Inc. Copyright (C) 2024 Niels Möller. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`HT', `r3') define(`SRND', `r4') define(`SLEN', `r5') define(`SDST', `r6') define(`SSRC', `r7') define(`RK', `r8') C r9-r11 used as constant indices. define(`LOOP', `r12') C C vectors used in aes encrypt output C define(`K', `v1') define(`S0', `v2') define(`S1', `v3') define(`S2', `v4') define(`S3', `v5') define(`S4', `v6') define(`S5', `v7') define(`S6', `v8') define(`S7', `v9') C C ghash assigned registers and vectors C define(`ZERO', `v21') C Overlap R2 (only used in setup phase) define(`POLY', `v22') C Overlap F2 (only used in setup phase) define(`POLY_L', `v0') define(`D', `v10') define(`H1M', `v11') define(`H1L', `v12') define(`H2M', `v13') define(`H2L', `v14') define(`H3M', `v15') define(`H3L', `v16') define(`H4M', `v17') define(`H4L', `v18') define(`R', `v19') define(`F', `v20') define(`R2', `v21') define(`F2', `v22') define(`LE_TEMP', `v1') C Overlap K (only used in setup phase) define(`LE_MASK', `v23') define(`CNT1', `v24') define(`LASTCNT', `v25') .file "gcm-aes-decrypt.asm" .text C size_t C _gcm_aes_decrypt(struct gcm_key *key, size_t rounds, C size_t len, uint8_t *dst, const uint8_t *src) C define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_gcm_aes_decrypt) srdi. LOOP, SLEN, 7 C loop n 8 blocks sldi SLEN, LOOP, 7 beq end C 288 byte "protected zone" is sufficient for storage. stxv VSR(v20), -16(SP) stxv VSR(v21), -32(SP) stxv VSR(v22), -48(SP) stxv VSR(v23), -64(SP) stxv VSR(v24), -80(SP) stxv VSR(v25), -96(SP) vxor ZERO,ZERO,ZERO vspltisb CNT1, 1 vsldoi CNT1, ZERO, CNT1, 1 C counter 1 DATA_LOAD_VEC(POLY,.polynomial,r9) li r9,0 lvsl LE_MASK,0,r9 IF_LE(`vspltisb LE_TEMP,0x07') IF_BE(`vspltisb LE_TEMP,0x03') vxor LE_MASK,LE_MASK,LE_TEMP xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY) C load table elements li r9,1*16 li r10,2*16 li r11,3*16 lxvd2x VSR(H1M),0,HT lxvd2x VSR(H1L),r9,HT lxvd2x VSR(H2M),r10,HT lxvd2x VSR(H2L),r11,HT addi HT, HT, 64 lxvd2x VSR(H3M),0,HT lxvd2x VSR(H3L),r9,HT lxvd2x VSR(H4M),r10,HT lxvd2x VSR(H4L),r11,HT addi HT, HT, 4048 C Advance to point to the 'CTR' field in the context lxvd2x VSR(D),r9,HT C load 'X' pointer C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm D,D,D,LE_MASK ') lxvb16x VSR(S0), 0, HT C Load 'CTR' addi LOOP, LOOP, -1 lxvd2x VSR(K),r11,HT C First subkey vperm K,K,K,LE_MASK .align 5 C increase ctr value as input to aes_encrypt vadduwm S1, S0, CNT1 vadduwm S2, S1, CNT1 vadduwm S3, S2, CNT1 vadduwm S4, S3, CNT1 vadduwm S5, S4, CNT1 vadduwm S6, S5, CNT1 vadduwm S7, S6, CNT1 vmr LASTCNT, S7 C save last cnt OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) addi SRND, SRND, -1 mtctr SRND addi RK, HT, 64 C Point at second subkey .align 5 L8x_round_loop1: lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi RK,RK,0x10 bdnz L8x_round_loop1 lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) cmpdi LOOP, 0 beq do_ghash .align 5 Loop8x_de: xxlor vs1, VSR(S0), VSR(S0) xxlor vs2, VSR(S1), VSR(S1) xxlor vs3, VSR(S2), VSR(S2) xxlor vs4, VSR(S3), VSR(S3) xxlor vs5, VSR(S4), VSR(S4) xxlor vs6, VSR(S5), VSR(S5) xxlor vs7, VSR(S6), VSR(S6) xxlor vs8, VSR(S7), VSR(S7) lxvd2x VSR(S0),0,SSRC lxvd2x VSR(S1),r9,SSRC lxvd2x VSR(S2),r10,SSRC lxvd2x VSR(S3),r11,SSRC addi SSRC, SSRC, 0x40 lxvd2x VSR(S4),0,SSRC lxvd2x VSR(S5),r9,SSRC lxvd2x VSR(S6),r10,SSRC lxvd2x VSR(S7),r11,SSRC addi SSRC, SSRC, 0x40 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') C do two 4x ghash C previous digest combining vxor D,S0,D GF_MUL(F2, R2, H3L, H3M, S1) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S2) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S3) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries xxlxor VSR(S0), VSR(S0), vs1 xxlxor VSR(S1), VSR(S1), vs2 xxlxor VSR(S2), VSR(S2), vs3 xxlxor VSR(S3), VSR(S3), vs4 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,SDST stxvd2x VSR(S1),r9,SDST stxvd2x VSR(S2),r10,SDST stxvd2x VSR(S3),r11,SDST addi SDST, SDST, 0x40 C previous digest combining vxor D,S4,D GF_MUL(F2, R2, H3L, H3M, S5) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S6) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S7) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries xxlxor VSR(S4), VSR(S4), vs5 xxlxor VSR(S5), VSR(S5), vs6 xxlxor VSR(S6), VSR(S6), vs7 xxlxor VSR(S7), VSR(S7), vs8 IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') stxvd2x VSR(S4),0,SDST stxvd2x VSR(S5),r9,SDST stxvd2x VSR(S6),r10,SDST stxvd2x VSR(S7),r11,SDST addi SDST, SDST, 0x40 lxvd2x VSR(K),r11,HT C First subkey vperm K,K,K,LE_MASK vadduwm S0, LASTCNT, CNT1 vadduwm S1, S0, CNT1 vadduwm S2, S1, CNT1 vadduwm S3, S2, CNT1 vadduwm S4, S3, CNT1 vadduwm S5, S4, CNT1 vadduwm S6, S5, CNT1 vadduwm S7, S6, CNT1 vmr LASTCNT, S7 C save last cnt to v29 OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) mtctr SRND addi RK, HT, 64 C Point at second subkey .align 5 L8x_round_loop2: lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi RK,RK,0x10 bdnz L8x_round_loop2 lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) addi LOOP, LOOP, -1 cmpdi LOOP, 0 bne Loop8x_de do_ghash: xxlor vs1, VSR(S0), VSR(S0) xxlor vs2, VSR(S1), VSR(S1) xxlor vs3, VSR(S2), VSR(S2) xxlor vs4, VSR(S3), VSR(S3) xxlor vs5, VSR(S4), VSR(S4) xxlor vs6, VSR(S5), VSR(S5) xxlor vs7, VSR(S6), VSR(S6) xxlor vs8, VSR(S7), VSR(S7) lxvd2x VSR(S0),0,SSRC lxvd2x VSR(S1),r9,SSRC lxvd2x VSR(S2),r10,SSRC lxvd2x VSR(S3),r11,SSRC addi SSRC, SSRC, 0x40 lxvd2x VSR(S4),0,SSRC lxvd2x VSR(S5),r9,SSRC lxvd2x VSR(S6),r10,SSRC lxvd2x VSR(S7),r11,SSRC addi SSRC, SSRC, 0x40 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') C previous digest combining vxor D,S0,D GF_MUL(F2, R2, H3L, H3M, S1) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S2) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S3) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries xxlxor VSR(S0), VSR(S0), vs1 xxlxor VSR(S1), VSR(S1), vs2 xxlxor VSR(S2), VSR(S2), vs3 xxlxor VSR(S3), VSR(S3), vs4 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,SDST stxvd2x VSR(S1),r9,SDST stxvd2x VSR(S2),r10,SDST stxvd2x VSR(S3),r11,SDST addi SDST, SDST, 0x40 C previous digest combining vxor D,S4,D GF_MUL(F2, R2, H3L, H3M, S5) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S6) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S7) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries xxlxor VSR(S4), VSR(S4), vs5 xxlxor VSR(S5), VSR(S5), vs6 xxlxor VSR(S6), VSR(S6), vs7 xxlxor VSR(S7), VSR(S7), vs8 IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') stxvd2x VSR(S4),0,SDST stxvd2x VSR(S5),r9,SDST stxvd2x VSR(S6),r10,SDST stxvd2x VSR(S7),r11,SDST gcm_aes_out: vadduwm LASTCNT, LASTCNT, CNT1 C increase ctr C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm D,D,D,LE_MASK ') stxvd2x VSR(D),r9,HT C store digest 'D' IF_LE(` vperm LASTCNT,LASTCNT,LASTCNT,LE_MASK ') stxvd2x VSR(LASTCNT), 0, HT C store ctr lxv VSR(v20), -16(SP) lxv VSR(v21), -32(SP) lxv VSR(v22), -48(SP) lxv VSR(v23), -64(SP) lxv VSR(v24), -80(SP) lxv VSR(v25), -96(SP) end: mr r3, SLEN blr EPILOGUE(_nettle_gcm_aes_decrypt) .data C 0xC2000000000000000000000000000001 .polynomial: .align 4 IF_BE(` .byte 0xC2 .rept 14 .byte 0x00 .endr .byte 0x01 ',` .byte 0x01 .rept 14 .byte 0x00 .endr .byte 0xC2 ') nettle-3.10/powerpc64/p8/aes-encrypt-internal.asm0000644000175000017500000001226214633602172020711 0ustar nissenisseC powerpc64/p8/aes-encrypt-internal.asm ifelse(` Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`ROUNDS', `r3') define(`KEYS', `r4') define(`LENGTH', `r6') define(`DST', `r7') define(`SRC', `r8') C r9 used as loop index register, r10-r12, r14-r17 as constants. define(`SWAP_MASK', `v0') define(`K', `v1') define(`S0', `v2') define(`S1', `v3') define(`S2', `v4') define(`S3', `v5') define(`S4', `v6') define(`S5', `v7') define(`S6', `v8') define(`S7', `v9') .file "aes-encrypt-internal.asm" .text C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_aes_encrypt) DATA_LOAD_VEC(SWAP_MASK,.swap_mask,r5) subi ROUNDS,ROUNDS,1 srdi LENGTH,LENGTH,4 C Used as offsets for load/store, throughout this function li r10,0x10 li r11,0x20 li r12,0x30 srdi r5,LENGTH,3 #8x loop count cmpldi r5,0 beq L4x std r14,-32(SP) std r15,-24(SP) std r16,-16(SP) std r17,-8(SP) li r14,0x40 li r15,0x50 li r16,0x60 li r17,0x70 .align 5 Lx8_loop: lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC lxvd2x VSR(S2),r11,SRC lxvd2x VSR(S3),r12,SRC lxvd2x VSR(S4),r14,SRC lxvd2x VSR(S5),r15,SRC lxvd2x VSR(S6),r16,SRC lxvd2x VSR(S7),r17,SRC IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) mtctr ROUNDS li r9,0x10 .align 5 L8x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi r9,r9,0x10 bdnz L8x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3,S4,S5,S6,S7)') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST stxvd2x VSR(S2),r11,DST stxvd2x VSR(S3),r12,DST stxvd2x VSR(S4),r14,DST stxvd2x VSR(S5),r15,DST stxvd2x VSR(S6),r16,DST stxvd2x VSR(S7),r17,DST addi SRC,SRC,0x80 addi DST,DST,0x80 subic. r5,r5,1 bne Lx8_loop ld r14,-32(SP) ld r15,-24(SP) ld r16,-16(SP) ld r17,-8(SP) clrldi LENGTH,LENGTH,61 L4x: srdi r5,LENGTH,2 cmpldi r5,0 beq L2x lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC lxvd2x VSR(S2),r11,SRC lxvd2x VSR(S3),r12,SRC IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3)') OPN_XXY(vxor, K, S0, S1, S2, S3) mtctr ROUNDS li r9,0x10 .align 5 L4x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3) addi r9,r9,0x10 bdnz L4x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3) IF_LE(`OPN_XXXY(vperm, SWAP_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST stxvd2x VSR(S2),r11,DST stxvd2x VSR(S3),r12,DST addi SRC,SRC,0x40 addi DST,DST,0x40 clrldi LENGTH,LENGTH,62 L2x: srdi r5,LENGTH,1 cmpldi r5,0 beq L1x lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC lxvd2x VSR(S1),r10,SRC IF_LE(`vperm S0,S0,S0,SWAP_MASK vperm S1,S1,S1,SWAP_MASK') vxor S0,S0,K vxor S1,S1,K mtctr ROUNDS li r9,0x10 .align 5 L2x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vcipher S0,S0,K vcipher S1,S1,K addi r9,r9,0x10 bdnz L2x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vcipherlast S0,S0,K vcipherlast S1,S1,K IF_LE(`vperm S0,S0,S0,SWAP_MASK vperm S1,S1,S1,SWAP_MASK') stxvd2x VSR(S0),0,DST stxvd2x VSR(S1),r10,DST addi SRC,SRC,0x20 addi DST,DST,0x20 clrldi LENGTH,LENGTH,63 L1x: cmpldi LENGTH,0 beq Ldone lxvd2x VSR(K),0,KEYS vperm K,K,K,SWAP_MASK lxvd2x VSR(S0),0,SRC IF_LE(`vperm S0,S0,S0,SWAP_MASK') vxor S0,S0,K mtctr ROUNDS li r9,0x10 .align 5 L1x_round_loop: lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vcipher S0,S0,K addi r9,r9,0x10 bdnz L1x_round_loop lxvd2x VSR(K),r9,KEYS vperm K,K,K,SWAP_MASK vcipherlast S0,S0,K IF_LE(`vperm S0,S0,S0,SWAP_MASK') stxvd2x VSR(S0),0,DST Ldone: blr EPILOGUE(_nettle_aes_encrypt) .data .align 4 .swap_mask: IF_LE(`.byte 8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7') IF_BE(`.byte 3,2,1,0,7,6,5,4,11,10,9,8,15,14,13,12') nettle-3.10/powerpc64/p8/aes-invert-internal.asm0000644000175000017500000000315214633602172020532 0ustar nissenisseC powerpc64/p8/aes-invert-internal.asm ifelse(` Copyright (C) 2024 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`ROUNDS', `r3') define(`DST', `r4') define(`SRC', `r5') define(`KEY', `v1') .file "aes-invert-internal.asm" .text C _aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src) define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_aes_invert) C Since decrypt wants the same subkeys, just copy, or do C nothing if SRC == DST. cmpld SRC, DST beq .Ldone sldi ROUNDS, ROUNDS, 4 .Loop: lxvd2x VSR(KEY),ROUNDS,SRC stxvd2x VSR(KEY),ROUNDS,DST subic. ROUNDS, ROUNDS, 0x10 bge .Loop .Ldone: blr EPILOGUE(_nettle_aes_invert) nettle-3.10/powerpc64/p8/sha256-compress-n.asm0000644000175000017500000002132714633602172017743 0ustar nissenisseC x86_64/sha256-compress-n.asm ifelse(` Copyright (C) 2024 Eric Richter, IBM Corporation This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha256-compress-n.asm" C Parameters in define(`SP', `r1') define(`STATE', `r3') define(`K', `r4') define(`NUMBLOCKS', `r5') define(`INPUT', `r6') define(`T0', `r7') define(`T1', `r8') define(`TK', `r9') define(`COUNT', `r10') define(`TC0', `0') C Index instructions allow literal 0 instead of a GPR define(`TC4', `r11') define(`TC8', `r12') define(`TC12', `r14') define(`TC16', `r15') C State registers define(`VSA', `v0') define(`VSB', `v1') define(`VSC', `v2') define(`VSD', `v3') define(`VSE', `v4') define(`VSF', `v5') define(`VSG', `v6') define(`VSH', `v7') C Previous state value registers stored in VSX define(`VSXA', `vs0') define(`VSXB', `vs1') define(`VSXC', `vs2') define(`VSXD', `vs3') define(`VSXE', `vs4') define(`VSXF', `vs5') define(`VSXG', `vs6') define(`VSXH', `vs7') C Current K values define(`VK', `v8') C Temp registers for math define(`VT0', `v9') define(`VT1', `v10') define(`VT2', `v11') define(`VT3', `v12') define(`VT4', `v13') C Convenience named registers for sigma(a) and sigma(e) define(`SIGA', `v14') define(`SIGE', `v15') C Registers v16-v31 are used for input words W[0] through W[15] C Convert an index for W[i] to the corresponding vector register v[16 + i] define(`IV', `m4_unquote(v`'eval((($1) % 16) + 16))') C ROUND(A B C D E F G H R) define(`ROUND', ` vadduwm VT1, VK, IV($9) C VT1: k+W vadduwm VT4, $8, VT1 C VT4: H+k+W lxvw4x VSR(VK), TK, K C Load Key addi TK, TK, 4 C Increment Pointer to next key vadduwm VT2, $4, $8 C VT2: H+D vadduwm VT2, VT2, VT1 C VT2: H+D+k+W vshasigmaw SIGE, $5, 1, 0b1111 C Sigma(E) Se vshasigmaw SIGA, $1, 1, 0 C Sigma(A) Sa vxor VT3, $2, $3 C VT3: b^c vsel VT0, $7, $6, $5 C VT0: Ch. vsel VT3, $3, $1, VT3 C VT3: Maj(a,b,c) vadduwm VT4, VT4, VT0 C VT4: Hkw + Ch. vadduwm VT3, VT3, VT4 C VT3: HkW + Ch. + Maj. vadduwm VT0, VT0, VT2 C VT0: Ch. + DHKW vadduwm $8, SIGE, SIGA C Anext: Se + Sa vadduwm $4, VT0, SIGE C Dnext: Ch. + DHKW + Se vadduwm $8, $8, VT3 C Anext: Se+Sa+HkW+Ch.+Maj. ') C Extend W[i] define(`EXTEND', ` vshasigmaw SIGE, IV($1 + 14), 0, 0b1111 vshasigmaw SIGA, IV($1 + 1), 0, 0b0000 vadduwm IV($1), IV($1), SIGE vadduwm IV($1), IV($1), SIGA vadduwm IV($1), IV($1), IV($1 + 9) ') define(`EXTENDROUND', ` ROUND($1, $2, $3, $4, $5, $6, $7, $8, $9) C Schedule (data) for 16th round in future EXTEND($9) ') define(`NOEXTENDROUND', `ROUND($1, $2, $3, $4, $5, $6, $7, $8, $9)') define(`NOEXTENDROUNDS', ` NOEXTENDROUND(VSA, VSB, VSC, VSD, VSE, VSF, VSG, VSH, 0) NOEXTENDROUND(VSH, VSA, VSB, VSC, VSD, VSE, VSF, VSG, 1) NOEXTENDROUND(VSG, VSH, VSA, VSB, VSC, VSD, VSE, VSF, 2) NOEXTENDROUND(VSF, VSG, VSH, VSA, VSB, VSC, VSD, VSE, 3) NOEXTENDROUND(VSE, VSF, VSG, VSH, VSA, VSB, VSC, VSD, 4) NOEXTENDROUND(VSD, VSE, VSF, VSG, VSH, VSA, VSB, VSC, 5) NOEXTENDROUND(VSC, VSD, VSE, VSF, VSG, VSH, VSA, VSB, 6) NOEXTENDROUND(VSB, VSC, VSD, VSE, VSF, VSG, VSH, VSA, 7) NOEXTENDROUND(VSA, VSB, VSC, VSD, VSE, VSF, VSG, VSH, 8) NOEXTENDROUND(VSH, VSA, VSB, VSC, VSD, VSE, VSF, VSG, 9) NOEXTENDROUND(VSG, VSH, VSA, VSB, VSC, VSD, VSE, VSF, 10) NOEXTENDROUND(VSF, VSG, VSH, VSA, VSB, VSC, VSD, VSE, 11) NOEXTENDROUND(VSE, VSF, VSG, VSH, VSA, VSB, VSC, VSD, 12) NOEXTENDROUND(VSD, VSE, VSF, VSG, VSH, VSA, VSB, VSC, 13) NOEXTENDROUND(VSC, VSD, VSE, VSF, VSG, VSH, VSA, VSB, 14) NOEXTENDROUND(VSB, VSC, VSD, VSE, VSF, VSG, VSH, VSA, 15) ') define(`EXTENDROUNDS', ` EXTENDROUND(VSA, VSB, VSC, VSD, VSE, VSF, VSG, VSH, 0) EXTENDROUND(VSH, VSA, VSB, VSC, VSD, VSE, VSF, VSG, 1) EXTENDROUND(VSG, VSH, VSA, VSB, VSC, VSD, VSE, VSF, 2) EXTENDROUND(VSF, VSG, VSH, VSA, VSB, VSC, VSD, VSE, 3) EXTENDROUND(VSE, VSF, VSG, VSH, VSA, VSB, VSC, VSD, 4) EXTENDROUND(VSD, VSE, VSF, VSG, VSH, VSA, VSB, VSC, 5) EXTENDROUND(VSC, VSD, VSE, VSF, VSG, VSH, VSA, VSB, 6) EXTENDROUND(VSB, VSC, VSD, VSE, VSF, VSG, VSH, VSA, 7) EXTENDROUND(VSA, VSB, VSC, VSD, VSE, VSF, VSG, VSH, 8) EXTENDROUND(VSH, VSA, VSB, VSC, VSD, VSE, VSF, VSG, 9) EXTENDROUND(VSG, VSH, VSA, VSB, VSC, VSD, VSE, VSF, 10) EXTENDROUND(VSF, VSG, VSH, VSA, VSB, VSC, VSD, VSE, 11) EXTENDROUND(VSE, VSF, VSG, VSH, VSA, VSB, VSC, VSD, 12) EXTENDROUND(VSD, VSE, VSF, VSG, VSH, VSA, VSB, VSC, 13) EXTENDROUND(VSC, VSD, VSE, VSF, VSG, VSH, VSA, VSB, 14) EXTENDROUND(VSB, VSC, VSD, VSE, VSF, VSG, VSH, VSA, 15) ') define(`LOAD', ` IF_BE(`lxvw4x VSR(IV($1)), m4_unquote(TC`'eval(($1 % 4) * 4)), INPUT') IF_LE(` lxvd2x VSR(IV($1)), m4_unquote(TC`'eval(($1 % 4) * 4)), INPUT vperm IV($1), IV($1), IV($1), VT0 ') ') define(`DOLOADS', ` IF_LE(`DATA_LOAD_VEC(VT0, .load_swap, T1)') LOAD(0) LOAD(1) LOAD(2) LOAD(3) addi INPUT, INPUT, 16 LOAD(4) LOAD(5) LOAD(6) LOAD(7) addi INPUT, INPUT, 16 LOAD(8) LOAD(9) LOAD(10) LOAD(11) addi INPUT, INPUT, 16 LOAD(12) LOAD(13) LOAD(14) LOAD(15) addi INPUT, INPUT, 16 ') .text PROLOGUE(_nettle_sha256_compress_n) cmpwi 0, NUMBLOCKS, 0 ble 0, .done mtctr NUMBLOCKS C Store non-volatile registers li T0, -8 li T1, -24 stvx v20, T0, SP stvx v21, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v22, T0, SP stvx v23, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v24, T0, SP stvx v25, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v26, T0, SP stvx v27, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v28, T0, SP stvx v29, T1, SP subi T0, T0, 32 subi T1, T1, 32 stvx v30, T0, SP stvx v31, T1, SP subi T0, T0, 32 subi T1, T1, 32 stdx r14, T0, SP stdx r15, T1, SP li TC4, 4 li TC8, 8 li TC12, 12 li TC16, 16 C Load state values lxvw4x VSR(VSA), 0, STATE C VSA contains A,B,C,D lxvw4x VSR(VSE), TC16, STATE C VSE contains E,F,G,H C "permute" state from VSA containing A,B,C,D into VSA,VSB,VSC,VSD vsldoi VSB, VSA, VSA, 4 vsldoi VSF, VSE, VSE, 4 vsldoi VSC, VSA, VSA, 8 vsldoi VSG, VSE, VSE, 8 vsldoi VSD, VSA, VSA, 12 vsldoi VSH, VSE, VSE, 12 .loop: xxlor VSXA, VSR(VSA), VSR(VSA) xxlor VSXB, VSR(VSB), VSR(VSB) xxlor VSXC, VSR(VSC), VSR(VSC) xxlor VSXD, VSR(VSD), VSR(VSD) xxlor VSXE, VSR(VSE), VSR(VSE) xxlor VSXF, VSR(VSF), VSR(VSF) xxlor VSXG, VSR(VSG), VSR(VSG) xxlor VSXH, VSR(VSH), VSR(VSH) li TK, 0 lxvw4x VSR(VK), TK, K addi TK, TK, 4 DOLOADS EXTENDROUNDS EXTENDROUNDS EXTENDROUNDS NOEXTENDROUNDS C Reload initial state from VSX registers xxlor VSR(VT0), VSXA, VSXA xxlor VSR(VT1), VSXB, VSXB xxlor VSR(VT2), VSXC, VSXC xxlor VSR(VT3), VSXD, VSXD xxlor VSR(VT4), VSXE, VSXE xxlor VSR(SIGA), VSXF, VSXF xxlor VSR(SIGE), VSXG, VSXG xxlor VSR(VK), VSXH, VSXH vadduwm VSA, VSA, VT0 vadduwm VSB, VSB, VT1 vadduwm VSC, VSC, VT2 vadduwm VSD, VSD, VT3 vadduwm VSE, VSE, VT4 vadduwm VSF, VSF, SIGA vadduwm VSG, VSG, SIGE vadduwm VSH, VSH, VK bdnz .loop C Repack VSA,VSB,VSC,VSD into VSA,VSE for storing vmrghw VSA, VSA, VSB vmrghw VSC, VSC, VSD vmrghw VSE, VSE, VSF vmrghw VSG, VSG, VSH xxmrghd VSR(VSA), VSR(VSA), VSR(VSC) xxmrghd VSR(VSE), VSR(VSE), VSR(VSG) stxvw4x VSR(VSA), 0, STATE stxvw4x VSR(VSE), TC16, STATE C Restore nonvolatile registers li T0, -8 li T1, -24 lvx v20, T0, SP lvx v21, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v22, T0, SP lvx v23, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v24, T0, SP lvx v25, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v26, T0, SP lvx v27, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v28, T0, SP lvx v29, T1, SP subi T0, T0, 32 subi T1, T1, 32 lvx v30, T0, SP lvx v31, T1, SP subi T0, T0, 32 subi T1, T1, 32 ldx r14, T0, SP ldx r15, T1, SP .done: mr r3, INPUT blr EPILOGUE(_nettle_sha256_compress_n) IF_LE(` .data .align 4 .load_swap: .byte 8,9,10,11, 12,13,14,15, 0,1,2,3, 4,5,6,7 ') nettle-3.10/powerpc64/p8/gcm-aes-encrypt.asm0000644000175000017500000002360714633602172017650 0ustar nissenisseC powerpc64/p8/gcm-aes-encrypt.asm ifelse(` Copyright (C) 2023- IBM Inc. Copyright (C) 2024 Niels Möller. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`SP', `r1') define(`TOCP', `r2') define(`HT', `r3') define(`SRND', `r4') define(`SLEN', `r5') define(`SDST', `r6') define(`SSRC', `r7') define(`RK', `r8') C r9-r11 used as constant indices. define(`LOOP', `r12') C C vectors used in aes encrypt output C define(`K', `v1') define(`S0', `v2') define(`S1', `v3') define(`S2', `v4') define(`S3', `v5') define(`S4', `v6') define(`S5', `v7') define(`S6', `v8') define(`S7', `v9') C C ghash assigned registers and vectors C define(`ZERO', `v21') C Overlap R2 (only used in setup phase) define(`POLY', `v22') C Overlap F2 (only used in setup phase) define(`POLY_L', `v0') define(`D', `v10') define(`H1M', `v11') define(`H1L', `v12') define(`H2M', `v13') define(`H2L', `v14') define(`H3M', `v15') define(`H3L', `v16') define(`H4M', `v17') define(`H4L', `v18') define(`R', `v19') define(`F', `v20') define(`R2', `v21') define(`F2', `v22') define(`LE_TEMP', `v1') C Overlap K (only used in setup phase) define(`LE_MASK', `v23') define(`CNT1', `v24') define(`LASTCNT', `v25') .file "gcm-aes-encrypt.asm" .text C size_t C _gcm_aes_encrypt(struct gcm_key *key, size_t rounds, C size_t len, uint8_t *dst, const uint8_t *src) C define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_gcm_aes_encrypt) srdi. LOOP, SLEN, 7 C loop n 8 blocks sldi SLEN, LOOP, 7 beq end C 288 byte "protected zone" is sufficient for storage. stxv VSR(v20), -16(SP) stxv VSR(v21), -32(SP) stxv VSR(v22), -48(SP) stxv VSR(v23), -64(SP) stxv VSR(v24), -80(SP) stxv VSR(v25), -96(SP) vxor ZERO,ZERO,ZERO vspltisb CNT1, 1 vsldoi CNT1, ZERO, CNT1, 1 C counter 1 DATA_LOAD_VEC(POLY,.polynomial,r9) li r9,0 lvsl LE_MASK,0,r9 IF_LE(`vspltisb LE_TEMP,0x07') IF_BE(`vspltisb LE_TEMP,0x03') vxor LE_MASK,LE_MASK,LE_TEMP xxmrghd VSR(POLY_L),VSR(ZERO),VSR(POLY) C load table elements li r9,1*16 li r10,2*16 li r11,3*16 lxvd2x VSR(H1M),0,HT lxvd2x VSR(H1L),r9,HT lxvd2x VSR(H2M),r10,HT lxvd2x VSR(H2L),r11,HT addi HT, HT, 64 lxvd2x VSR(H3M),0,HT lxvd2x VSR(H3L),r9,HT lxvd2x VSR(H4M),r10,HT lxvd2x VSR(H4L),r11,HT addi HT, HT, 4048 C Advance to point to the 'CTR' field in the context lxvd2x VSR(D),r9,HT C load 'X' pointer C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm D,D,D,LE_MASK ') lxvb16x VSR(S0), 0, HT C Load 'CTR' addi LOOP, LOOP, -1 lxvd2x VSR(K),r11,HT C First subkey vperm K,K,K,LE_MASK .align 5 C increase ctr value as input to aes_encrypt vadduwm S1, S0, CNT1 vadduwm S2, S1, CNT1 vadduwm S3, S2, CNT1 vadduwm S4, S3, CNT1 vadduwm S5, S4, CNT1 vadduwm S6, S5, CNT1 vadduwm S7, S6, CNT1 vmr LASTCNT, S7 C save last cnt OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) addi SRND, SRND, -1 mtctr SRND addi RK, HT, 64 C Point at second subkey .align 5 L8x_round_loop1: lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi RK,RK,0x10 bdnz L8x_round_loop1 lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) cmpdi LOOP, 0 beq do_ghash .align 5 Loop8x_en: xxlor vs1, VSR(S0), VSR(S0) xxlor vs2, VSR(S1), VSR(S1) xxlor vs3, VSR(S2), VSR(S2) xxlor vs4, VSR(S3), VSR(S3) xxlor vs5, VSR(S4), VSR(S4) xxlor vs6, VSR(S5), VSR(S5) xxlor vs7, VSR(S6), VSR(S6) xxlor vs8, VSR(S7), VSR(S7) lxvd2x VSR(S0),0,SSRC lxvd2x VSR(S1),r9,SSRC lxvd2x VSR(S2),r10,SSRC lxvd2x VSR(S3),r11,SSRC addi SSRC, SSRC, 0x40 lxvd2x VSR(S4),0,SSRC lxvd2x VSR(S5),r9,SSRC lxvd2x VSR(S6),r10,SSRC lxvd2x VSR(S7),r11,SSRC addi SSRC, SSRC, 0x40 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') xxlxor VSR(S0), VSR(S0), vs1 xxlxor VSR(S1), VSR(S1), vs2 xxlxor VSR(S2), VSR(S2), vs3 xxlxor VSR(S3), VSR(S3), vs4 IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') C do two 4x ghash C previous digest combining vxor D,S0,D GF_MUL(F2, R2, H3L, H3M, S1) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S2) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S3) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,SDST stxvd2x VSR(S1),r9,SDST stxvd2x VSR(S2),r10,SDST stxvd2x VSR(S3),r11,SDST addi SDST, SDST, 0x40 xxlxor VSR(S4), VSR(S4), vs5 xxlxor VSR(S5), VSR(S5), vs6 xxlxor VSR(S6), VSR(S6), vs7 xxlxor VSR(S7), VSR(S7), vs8 C previous digest combining vxor D,S4,D GF_MUL(F2, R2, H3L, H3M, S5) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S6) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S7) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') stxvd2x VSR(S4),0,SDST stxvd2x VSR(S5),r9,SDST stxvd2x VSR(S6),r10,SDST stxvd2x VSR(S7),r11,SDST addi SDST, SDST, 0x40 lxvd2x VSR(K),r11,HT C First subkey vperm K,K,K,LE_MASK vadduwm S0, LASTCNT, CNT1 vadduwm S1, S0, CNT1 vadduwm S2, S1, CNT1 vadduwm S3, S2, CNT1 vadduwm S4, S3, CNT1 vadduwm S5, S4, CNT1 vadduwm S6, S5, CNT1 vadduwm S7, S6, CNT1 vmr LASTCNT, S7 C save last cnt to v29 OPN_XXY(vxor, K, S0, S1, S2, S3, S4, S5, S6, S7) mtctr SRND addi RK, HT, 64 C Point at second subkey .align 5 L8x_round_loop2: lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipher, K, S0, S1, S2, S3, S4, S5, S6, S7) addi RK,RK,0x10 bdnz L8x_round_loop2 lxvd2x VSR(K),0,RK vperm K,K,K,LE_MASK OPN_XXY(vcipherlast, K, S0, S1, S2, S3, S4, S5, S6, S7) addi LOOP, LOOP, -1 cmpdi LOOP, 0 bne Loop8x_en do_ghash: xxlor vs1, VSR(S0), VSR(S0) xxlor vs2, VSR(S1), VSR(S1) xxlor vs3, VSR(S2), VSR(S2) xxlor vs4, VSR(S3), VSR(S3) xxlor vs5, VSR(S4), VSR(S4) xxlor vs6, VSR(S5), VSR(S5) xxlor vs7, VSR(S6), VSR(S6) xxlor vs8, VSR(S7), VSR(S7) lxvd2x VSR(S0),0,SSRC lxvd2x VSR(S1),r9,SSRC lxvd2x VSR(S2),r10,SSRC lxvd2x VSR(S3),r11,SSRC addi SSRC, SSRC, 0x40 lxvd2x VSR(S4),0,SSRC lxvd2x VSR(S5),r9,SSRC lxvd2x VSR(S6),r10,SSRC lxvd2x VSR(S7),r11,SSRC addi SSRC, SSRC, 0x40 IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') xxlxor VSR(S0), VSR(S0), vs1 xxlxor VSR(S1), VSR(S1), vs2 xxlxor VSR(S2), VSR(S2), vs3 xxlxor VSR(S3), VSR(S3), vs4 IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') C previous digest combining vxor D,S0,D GF_MUL(F2, R2, H3L, H3M, S1) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S2) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S3) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries IF_LE(`OPN_XXXY(vperm, LE_MASK, S0,S1,S2,S3)') stxvd2x VSR(S0),0,SDST stxvd2x VSR(S1),r9,SDST stxvd2x VSR(S2),r10,SDST stxvd2x VSR(S3),r11,SDST addi SDST, SDST, 0x40 xxlxor VSR(S4), VSR(S4), vs5 xxlxor VSR(S5), VSR(S5), vs6 xxlxor VSR(S6), VSR(S6), vs7 xxlxor VSR(S7), VSR(S7), vs8 C previous digest combining vxor D,S4,D GF_MUL(F2, R2, H3L, H3M, S5) GF_MUL(F, R, H4L, H4M, D) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H2L, H2M, S6) vxor F,F,F2 vxor R,R,R2 GF_MUL(F2, R2, H1L, H1M, S7) vxor F,F,F2 vxor D,R,R2 GHASH_REDUCE(D, F, POLY_L, R2, F2) C R2, F2 used as temporaries IF_LE(`OPN_XXXY(vperm, LE_MASK, S4,S5,S6,S7)') stxvd2x VSR(S4),0,SDST stxvd2x VSR(S5),r9,SDST stxvd2x VSR(S6),r10,SDST stxvd2x VSR(S7),r11,SDST gcm_aes_out: vadduwm LASTCNT, LASTCNT, CNT1 C increase ctr C byte-reverse of each doubleword permuting on little-endian mode IF_LE(` vperm D,D,D,LE_MASK ') stxvd2x VSR(D),r9,HT C store digest 'D' IF_LE(` vperm LASTCNT,LASTCNT,LASTCNT,LE_MASK ') stxvd2x VSR(LASTCNT), 0, HT C store ctr lxv VSR(v20), -16(SP) lxv VSR(v21), -32(SP) lxv VSR(v22), -48(SP) lxv VSR(v23), -64(SP) lxv VSR(v24), -80(SP) lxv VSR(v25), -96(SP) end: mr r3, SLEN blr EPILOGUE(_nettle_gcm_aes_encrypt) .data C 0xC2000000000000000000000000000001 .polynomial: .align 4 IF_BE(` .byte 0xC2 .rept 14 .byte 0x00 .endr .byte 0x01 ',` .byte 0x01 .rept 14 .byte 0x00 .endr .byte 0xC2 ') nettle-3.10/powerpc64/ecc-secp384r1-modp.asm0000644000175000017500000001045714633602172017443 0ustar nissenisseC powerpc64/ecc-secp384r1-modp.asm ifelse(` Copyright (C) 2021 Martin Schwenke, Amitay Isaacs & Alastair D´Silva, IBM Corporation Based on x86_64/ecc-secp256r1-redc.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp384r1-modp.asm" C Register usage: define(`SP', `r1') define(`RP', `r4') define(`XP', `r5') define(`D5', `r6') define(`T0', `r7') define(`T1', `r8') define(`T2', `r9') define(`T3', `r10') define(`T4', `r11') define(`T5', `r12') define(`H0', `r14') define(`H1', `r15') define(`H2', `r16') define(`H3', `r17') define(`H4', `r18') define(`H5', `r19') define(`C2', `r3') define(`C0', H5) C Overlap define(`TMP', XP) C Overlap C void ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp384r1_modp) std r14, -48(SP) std r15, -40(SP) std r16, -32(SP) std r17, -24(SP) std r18, -16(SP) std r19, -8(SP) C First get top 2 limbs, which need folding twice. C B^10 = B^6 + B^4 + 2^32 (B-1)B^4. C We handle the terms as follow: C C B^6: Folded immediatly. C C B^4: Delayed, added in in the next folding. C C 2^32(B-1) B^4: Low half limb delayed until the next C folding. Top 1.5 limbs subtracted and shifter now, resulting C in 2.5 limbs. The low limb saved in D5, high 1.5 limbs added C in. ld H4, 80(XP) ld H5, 88(XP) C Shift right 32 bits, into H1, H0 srdi H1, H5, 32 sldi D5, H5, 32 srdi H0, H4, 32 or H0, H0, D5 C H1 H0 C - H1 H0 C -------- C H1 H0 D5 subfic D5, H0, 0 subfe H0, H1, H0 addme H1, H1 li C2, 0 addc H0, H4, H0 adde H1, H5, H1 addze C2, C2 C Add in to high part ld T1, 48(XP) ld T2, 56(XP) addc H0, T1, H0 adde H1, T2, H1 addze C2, C2 C Do C2 later C +1 term ld T0, 0(XP) ld T1, 8(XP) ld T2, 16(XP) ld T3, 24(XP) ld T4, 32(XP) ld T5, 40(XP) ld H2, 64(XP) ld H3, 72(XP) addc T0, H0, T0 adde T1, H1, T1 adde T2, H2, T2 adde T3, H3, T3 adde T4, H4, T4 adde T5, H5, T5 li C0, 0 addze C0, C0 C +B^2 term addc T2, H0, T2 adde T3, H1, T3 adde T4, H2, T4 adde T5, H3, T5 addze C0, C0 C Shift left, including low half of H4 sldi H4, H4, 32 srdi TMP, H3, 32 or H4, TMP, H4 sldi H3, H3, 32 srdi TMP, H2, 32 or H3, TMP, H3 sldi H2, H2, 32 srdi TMP, H1, 32 or H2, TMP, H2 sldi H1, H1, 32 srdi TMP, H0, 32 or H1, TMP, H1 sldi H0, H0, 32 C H4 H3 H2 H1 H0 0 C - H4 H3 H2 H1 H0 C --------------- C H4 H3 H2 H1 H0 TMP subfic TMP, H0, 0 subfe H0, H1, H0 subfe H1, H2, H1 subfe H2, H3, H2 subfe H3, H4, H3 addme H4, H4 addc T0, TMP, T0 adde T1, H0, T1 adde T2, H1, T2 adde T3, H2, T3 adde T4, H3, T4 adde T5, H4, T5 addze C0, C0 C Remains to add in C2 and C0 C Set H1, H0 = (2^96 - 2^32 + 1) C0 sldi H1, C0, 32 subfc H0, H1, C0 addme H1, H1 C Set H3, H2 = (2^96 - 2^32 + 1) C2 sldi H3, C2, 32 subfc H2, H3, C2 addme H3, H3 addc H2, C0, H2 li C0, 0 addc T0, H0, T0 adde T1, H1, T1 adde T2, H2, T2 adde T3, H3, T3 adde T4, C2, T4 adde T5, D5, T5 C Value delayed from initial folding addze C0, C0 C Final unlikely carry sldi H1, C0, 32 subfc H0, H1, C0 addme H1, H1 addc T0, H0, T0 adde T1, H1, T1 adde T2, C0, T2 addze T3, T3 addze T4, T4 addze T5, T5 std T0, 0(RP) std T1, 8(RP) std T2, 16(RP) std T3, 24(RP) std T4, 32(RP) std T5, 40(RP) ld r14, -48(SP) ld r15, -40(SP) ld r16, -32(SP) ld r17, -24(SP) ld r18, -16(SP) ld r19, -8(SP) blr EPILOGUE(_nettle_ecc_secp384r1_modp) nettle-3.10/powerpc64/ecc-secp521r1-modp.asm0000644000175000017500000000613114633602172017426 0ustar nissenisseC powerpc64/ecc-secp521r1-modp.asm ifelse(` Copyright (C) 2021 Martin Schwenke & Alastair D´Silva, IBM Corporation Based on x86_64/ecc-secp521r1-modp.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp521r1-modp.asm" define(`SP', `r1') define(`RP', `r4') define(`XP', `r5') define(`U0', `r6') define(`U1', `r7') define(`U2', `r8') define(`U3', `r9') define(`U4', `r10') define(`U5', `r11') define(`U6', `r12') define(`U7', `r14') define(`U8', `r15') define(`U9', `r16') define(`T0', `r3') define(`T1', `r17') C void ecc_secp521r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp521r1_modp) std r14, -32(SP) std r15, -24(SP) std r16, -16(SP) std r17, -8(SP) C Read top 17 limbs, shift left 55 bits ld U1, 72(XP) sldi U0, U1, 55 srdi U1, U1, 9 ld T0, 80(XP) srdi U2, T0, 9 sldi T0, T0, 55 or U1, T0, U1 ld T0, 88(XP) srdi U3, T0, 9 sldi T0, T0, 55 or U2, T0, U2 ld T0, 96(XP) srdi U4, T0, 9 sldi T0, T0, 55 or U3, T0, U3 ld T0, 104(XP) srdi U5, T0, 9 sldi T0, T0, 55 or U4, T0, U4 ld T0, 112(XP) srdi U6, T0, 9 sldi T0, T0, 55 or U5, T0, U5 ld T0, 120(XP) srdi U7, T0, 9 sldi T0, T0, 55 or U6, T0, U6 ld T0, 128(XP) srdi U8, T0, 9 sldi T0, T0, 55 or U7, T0, U7 ld T0, 136(XP) srdi U9, T0, 9 sldi T0, T0, 55 or U8, T0, U8 ld T0, 0(XP) ld T1, 8(XP) addc U0, T0, U0 adde U1, T1, U1 ld T0, 16(XP) ld T1, 24(XP) adde U2, T0, U2 adde U3, T1, U3 ld T0, 32(XP) ld T1, 40(XP) adde U4, T0, U4 adde U5, T1, U5 ld T0, 48(XP) ld T1, 56(XP) adde U6, T0, U6 adde U7, T1, U7 ld T0, 64(XP) adde U8, T0, U8 addze U9, U9 C Top limbs are . Keep low 9 bits of 8, and fold the C top bits (at most 65 bits). srdi T0, U8, 9 andi. U8, U8, 0x1ff srdi T1, U9, 9 sldi U9, U9, 55 or T0, U9, T0 addc U0, T0, U0 adde U1, T1, U1 addze U2, U2 addze U3, U3 addze U4, U4 addze U5, U5 addze U6, U6 addze U7, U7 addze U8, U8 std U0, 0(RP) std U1, 8(RP) std U2, 16(RP) std U3, 24(RP) std U4, 32(RP) std U5, 40(RP) std U6, 48(RP) std U7, 56(RP) std U8, 64(RP) ld r14, -32(SP) ld r15, -24(SP) ld r16, -16(SP) ld r17, -8(SP) blr EPILOGUE(_nettle_ecc_secp521r1_modp) nettle-3.10/powerpc64/ecc-secp256r1-redc.asm0000644000175000017500000000517714633602172017422 0ustar nissenisseC powerpc64/ecc-secp256r1-redc.asm ifelse(` Copyright (C) 2021 Amitay Isaacs & Martin Schwenke, IBM Corporation Based on x86_64/ecc-secp256r1-redc.asm This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: define(`RP', `r4') define(`XP', `r5') define(`F0', `r3') define(`F1', `r6') define(`F2', `r7') define(`T', `r8') define(`U0', `r9') define(`U1', `r10') define(`U2', `r11') define(`U3', `r12') .file "ecc-secp256r1-redc.asm" C FOLD(x), sets (x,F2,F1,F0) <-- [(x << 192) - (x << 160) + (x << 128) + (x <<32)] define(`FOLD', ` sldi F0, $1, 32 srdi F1, $1, 32 subfc F2, F0, $1 subfe $1, F1, $1 ') C FOLDC(x), sets (x,F2,F1,F0) <-- [((x+c) << 192) - (x << 160) + (x << 128) + (x <<32)] define(`FOLDC', ` sldi F0, $1, 32 srdi F1, $1, 32 addze T, $1 subfc F2, F0, $1 subfe $1, F1, T ') C void ecc_secp256r1_redc (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) .text define(`FUNC_ALIGN', `5') PROLOGUE(_nettle_ecc_secp256r1_redc) ld U0, 0(XP) ld U1, 8(XP) ld U2, 16(XP) ld U3, 24(XP) FOLD(U0) ld T, 32(XP) addc U1, F0, U1 adde U2, F1, U2 adde U3, F2, U3 adde U0, U0, T FOLDC(U1) ld T, 40(XP) addc U2, F0, U2 adde U3, F1, U3 adde U0, F2, U0 adde U1, U1, T FOLDC(U2) ld T, 48(XP) addc U3, F0, U3 adde U0, F1, U0 adde U1, F2, U1 adde U2, U2, T FOLDC(U3) ld T, 56(XP) addc U0, F0, U0 adde U1, F1, U1 adde U2, F2, U2 adde U3, U3, T C If carry, we need to add in C 2^256 - p = <0xfffffffe, 0xff..ff, 0xffffffff00000000, 1> li F0, 0 addze F0, F0 neg F2, F0 sldi F1, F2, 32 srdi T, F2, 32 li XP, -2 and T, T, XP addc U0, F0, U0 adde U1, F1, U1 adde U2, F2, U2 adde U3, T, U3 std U0, 0(RP) std U1, 8(RP) std U2, 16(RP) std U3, 24(RP) blr EPILOGUE(_nettle_ecc_secp256r1_redc) nettle-3.10/COPYINGv30000644000175000017500000010451614633602172013273 0ustar nissenisse GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Use with the GNU Affero General Public License. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see . Also add information on how to contact you by electronic and paper mail. If the program does terminal interaction, make it output a short notice like this when it starts in an interactive mode: Copyright (C) This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, your program's commands might be different; for a GUI interface, you would use an "about box". You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU GPL, see . The GNU General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. But first, please read . nettle-3.10/pbkdf2-hmac-sha512.c0000644000175000017500000000301414633602171015200 0ustar nissenisse/* pbkdf2-hmac-sha512.c Copyright (C) 2012 Simon Josefsson Copyright (C) 2021 Nicolas Mora This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha512_ctx sha512ctx; hmac_sha512_set_key (&sha512ctx, key_length, key); PBKDF2 (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-3.10/pkcs1-internal.h0000644000175000017500000000344114633602172014766 0ustar nissenisse/* pkcs1-internal.h Copyright (C) 2018 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PKCS1_INTERNAL_H_INCLUDED #define NETTLE_PKCS1_INTERNAL_H_INCLUDED #include "nettle-types.h" #define _pkcs1_sec_decrypt _nettle_pkcs1_sec_decrypt #define _pkcs1_sec_decrypt_variable _nettle_pkcs1_sec_decrypt_variable /* additional resistance to memory access side-channel attacks. * Note: message buffer is returned unchanged on error */ int _pkcs1_sec_decrypt (size_t length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message); int _pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message); #endif /* NETTLE_PKCS1_INTERNAL_H_INCLUDED */ nettle-3.10/gostdsa.h0000644000175000017500000000574214633602172013605 0ustar nissenisse/* gostdsa.h Copyright (C) 2015 Dmity Eremin-Solenikov Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GOSTDSA_H_INCLUDED #define NETTLE_GOSTDSA_H_INCLUDED #include "ecc.h" #include "dsa.h" #include "ecdsa.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define gostdsa_sign nettle_gostdsa_sign #define gostdsa_verify nettle_gostdsa_verify #define gostdsa_vko nettle_gostdsa_vko #define ecc_gostdsa_sign nettle_ecc_gostdsa_sign #define ecc_gostdsa_sign_itch nettle_ecc_gostdsa_sign_itch #define ecc_gostdsa_verify nettle_ecc_gostdsa_verify #define ecc_gostdsa_verify_itch nettle_ecc_gostdsa_verify_itch /* Just use ECDSA function for key generation */ #define gostdsa_generate_keypair ecdsa_generate_keypair /* High level GOST DSA functions. * * A public key is represented as a struct ecc_point, and a private * key as a struct ecc_scalar. */ void gostdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature); int gostdsa_verify (const struct ecc_point *pub, size_t length, const uint8_t *digest, const struct dsa_signature *signature); void gostdsa_vko (const struct ecc_scalar *key, const struct ecc_point *pub, size_t ukm_length, const uint8_t *ukm, uint8_t *out); /* Low-level GOSTDSA functions. */ mp_size_t ecc_gostdsa_sign_itch (const struct ecc_curve *ecc); void ecc_gostdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch); mp_size_t ecc_gostdsa_verify_itch (const struct ecc_curve *ecc); int ecc_gostdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch); #ifdef __cplusplus } #endif #endif /* NETTLE_GOSTDSA_H_INCLUDED */ nettle-3.10/poly1305-update.c0000644000175000017500000000422114633602171014676 0ustar nissenisse/* poly1305-update.c Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "poly1305.h" #include "poly1305-internal.h" #include "md-internal.h" #if HAVE_NATIVE_fat_poly1305_blocks const uint8_t * _nettle_poly1305_blocks_c(struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m); const uint8_t * _nettle_poly1305_blocks_c(struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m) { for (; blocks; blocks--, m += POLY1305_BLOCK_SIZE) _nettle_poly1305_block(ctx, m, 1); return m; } #endif unsigned _nettle_poly1305_update (struct poly1305_ctx *ctx, uint8_t *block, unsigned index, size_t length, const uint8_t *m) { if (!length) return index; if (index > 0) { /* Try to fill partial block */ MD_FILL_OR_RETURN_INDEX (POLY1305_BLOCK_SIZE, block, index, length, m); _nettle_poly1305_block(ctx, block, 1); } #if HAVE_NATIVE_poly1305_blocks m = _nettle_poly1305_blocks (ctx, length >> 4, m); length &= 15; #else for (; length >= POLY1305_BLOCK_SIZE; length -= POLY1305_BLOCK_SIZE, m += POLY1305_BLOCK_SIZE) _nettle_poly1305_block (ctx, m, 1); #endif memcpy (block, m, length); return length; } nettle-3.10/stamp-h.in0000644000175000017500000000001214633602172013652 0ustar nissenissetimestamp nettle-3.10/.bootstrap0000755000175000017500000000004314633602172013776 0ustar nissenisse#! /bin/sh autoconf && autoheader nettle-3.10/drbg-ctr.h0000644000175000017500000000342414633602172013640 0ustar nissenisse/* drbg-ctr.h This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DRBG_CTR_H_INCLUDED #define NETTLE_DRBG_CTR_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define drbg_ctr_aes256_init nettle_drbg_ctr_aes256_init #define drbg_ctr_aes256_random nettle_drbg_ctr_aes256_random #define DRBG_CTR_AES256_SEED_SIZE (AES_BLOCK_SIZE + AES256_KEY_SIZE) struct drbg_ctr_aes256_ctx { struct aes256_ctx key; union nettle_block16 V; }; /* Initialize using DRBG_CTR_AES256_SEED_SIZE bytes of SEED_MATERIAL. */ void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *ctx, uint8_t *seed_material); /* Output N bytes of random data into DST. */ void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *ctx, size_t n, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_DRBG_CTR_H_INCLUDED */ nettle-3.10/sha-example.c0000644000175000017500000000127714633602172014337 0ustar nissenisse#include #include #include #define BUF_SIZE 1000 static void display_hex(unsigned length, uint8_t *data) { unsigned i; for (i = 0; isize, random_ctx, random, hash_ctx, hash, label_length, label, length, message)) { mpz_powm (gibberish, gibberish, key->e, key->n); nettle_mpz_get_str_256 (key->size, ciphertext, gibberish); mpz_clear (gibberish); return 1; } mpz_clear (gibberish); return 0; } int rsa_oaep_sha256_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext) { struct sha256_ctx ctx; sha256_init (&ctx); return _rsa_oaep_encrypt (key, random_ctx, random, &ctx, &nettle_sha256, label_length, label, length, message, ciphertext); } int rsa_oaep_sha384_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext) { struct sha384_ctx ctx; sha384_init (&ctx); return _rsa_oaep_encrypt (key, random_ctx, random, &ctx, &nettle_sha384, label_length, label, length, message, ciphertext); } int rsa_oaep_sha512_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext) { struct sha512_ctx ctx; sha512_init (&ctx); return _rsa_oaep_encrypt (key, random_ctx, random, &ctx, &nettle_sha512, label_length, label, length, message, ciphertext); } nettle-3.10/cmac-aes256-meta.c0000644000175000017500000000262714633602171014764 0ustar nissenisse/* cmac-aes256-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "cmac.h" const struct nettle_mac nettle_cmac_aes256 = { "cmac_aes256", sizeof(struct cmac_aes256_ctx), CMAC128_DIGEST_SIZE, AES256_KEY_SIZE, (nettle_set_key_func*) cmac_aes256_set_key, (nettle_hash_update_func*) cmac_aes256_update, (nettle_hash_digest_func*) cmac_aes256_digest }; nettle-3.10/install-sh0000755000175000017500000003577614633602172014006 0ustar nissenisse#!/bin/sh # install - install a program, script, or datafile scriptversion=2020-11-14.01; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the # following copyright and license. # # Copyright (C) 1994 X Consortium # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to # deal in the Software without restriction, including without limitation the # rights to use, copy, modify, merge, publish, distribute, sublicense, and/or # sell copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN # AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- # TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. # # Except as contained in this notice, the name of the X Consortium shall not # be used in advertising or otherwise to promote the sale, use or other deal- # ings in this Software without prior written authorization from the X Consor- # tium. # # # FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent # 'make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. tab=' ' nl=' ' IFS=" $tab$nl" # Set DOITPROG to "echo" to test this script. doit=${DOITPROG-} doit_exec=${doit:-exec} # Put in absolute file names if you don't have them in your path; # or use environment vars. chgrpprog=${CHGRPPROG-chgrp} chmodprog=${CHMODPROG-chmod} chownprog=${CHOWNPROG-chown} cmpprog=${CMPPROG-cmp} cpprog=${CPPROG-cp} mkdirprog=${MKDIRPROG-mkdir} mvprog=${MVPROG-mv} rmprog=${RMPROG-rm} stripprog=${STRIPPROG-strip} posix_mkdir= # Desired mode of installed file. mode=0755 # Create dirs (including intermediate dirs) using mode 755. # This is like GNU 'install' as of coreutils 8.32 (2020). mkdir_umask=22 backupsuffix= chgrpcmd= chmodcmd=$chmodprog chowncmd= mvcmd=$mvprog rmcmd="$rmprog -f" stripcmd= src= dst= dir_arg= dst_arg= copy_on_change=false is_target_a_directory=possibly usage="\ Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE or: $0 [OPTION]... SRCFILES... DIRECTORY or: $0 [OPTION]... -t DIRECTORY SRCFILES... or: $0 [OPTION]... -d DIRECTORIES... In the 1st form, copy SRCFILE to DSTFILE. In the 2nd and 3rd, copy all SRCFILES to DIRECTORY. In the 4th, create DIRECTORIES. Options: --help display this help and exit. --version display version info and exit. -c (ignored) -C install only if different (preserve data modification time) -d create directories instead of installing files. -g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. -p pass -p to $cpprog. -s $stripprog installed files. -S SUFFIX attempt to back up existing files, with suffix SUFFIX. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG By default, rm is invoked with -f; when overridden with RMPROG, it's up to you to specify -f if you want it. If -S is not specified, no backups are attempted. Email bug reports to bug-automake@gnu.org. Automake home page: https://www.gnu.org/software/automake/ " while test $# -ne 0; do case $1 in -c) ;; -C) copy_on_change=true;; -d) dir_arg=true;; -g) chgrpcmd="$chgrpprog $2" shift;; --help) echo "$usage"; exit $?;; -m) mode=$2 case $mode in *' '* | *"$tab"* | *"$nl"* | *'*'* | *'?'* | *'['*) echo "$0: invalid mode: $mode" >&2 exit 1;; esac shift;; -o) chowncmd="$chownprog $2" shift;; -p) cpprog="$cpprog -p";; -s) stripcmd=$stripprog;; -S) backupsuffix="$2" shift;; -t) is_target_a_directory=always dst_arg=$2 # Protect names problematic for 'test' and other utilities. case $dst_arg in -* | [=\(\)!]) dst_arg=./$dst_arg;; esac shift;; -T) is_target_a_directory=never;; --version) echo "$0 $scriptversion"; exit $?;; --) shift break;; -*) echo "$0: invalid option: $1" >&2 exit 1;; *) break;; esac shift done # We allow the use of options -d and -T together, by making -d # take the precedence; this is for compatibility with GNU install. if test -n "$dir_arg"; then if test -n "$dst_arg"; then echo "$0: target directory not allowed when installing a directory." >&2 exit 1 fi fi if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then # When -d is used, all remaining arguments are directories to create. # When -t is used, the destination is already specified. # Otherwise, the last argument is the destination. Remove it from $@. for arg do if test -n "$dst_arg"; then # $@ is not empty: it contains at least $arg. set fnord "$@" "$dst_arg" shift # fnord fi shift # arg dst_arg=$arg # Protect names problematic for 'test' and other utilities. case $dst_arg in -* | [=\(\)!]) dst_arg=./$dst_arg;; esac done fi if test $# -eq 0; then if test -z "$dir_arg"; then echo "$0: no input file specified." >&2 exit 1 fi # It's OK to call 'install-sh -d' without argument. # This can happen when creating conditional directories. exit 0 fi if test -z "$dir_arg"; then if test $# -gt 1 || test "$is_target_a_directory" = always; then if test ! -d "$dst_arg"; then echo "$0: $dst_arg: Is not a directory." >&2 exit 1 fi fi fi if test -z "$dir_arg"; then do_exit='(exit $ret); exit $ret' trap "ret=129; $do_exit" 1 trap "ret=130; $do_exit" 2 trap "ret=141; $do_exit" 13 trap "ret=143; $do_exit" 15 # Set umask so as not to create temps with too-generous modes. # However, 'strip' requires both read and write access to temps. case $mode in # Optimize common cases. *644) cp_umask=133;; *755) cp_umask=22;; *[0-7]) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw='% 200' fi cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; *) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw=,u+rw fi cp_umask=$mode$u_plus_rw;; esac fi for src do # Protect names problematic for 'test' and other utilities. case $src in -* | [=\(\)!]) src=./$src;; esac if test -n "$dir_arg"; then dst=$src dstdir=$dst test -d "$dstdir" dstdir_status=$? # Don't chown directories that already exist. if test $dstdir_status = 0; then chowncmd="" fi else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if test ! -f "$src" && test ! -d "$src"; then echo "$0: $src does not exist." >&2 exit 1 fi if test -z "$dst_arg"; then echo "$0: no destination specified." >&2 exit 1 fi dst=$dst_arg # If destination is a directory, append the input filename. if test -d "$dst"; then if test "$is_target_a_directory" = never; then echo "$0: $dst_arg: Is a directory" >&2 exit 1 fi dstdir=$dst dstbase=`basename "$src"` case $dst in */) dst=$dst$dstbase;; *) dst=$dst/$dstbase;; esac dstdir_status=0 else dstdir=`dirname "$dst"` test -d "$dstdir" dstdir_status=$? fi fi case $dstdir in */) dstdirslash=$dstdir;; *) dstdirslash=$dstdir/;; esac obsolete_mkdir_used=false if test $dstdir_status != 0; then case $posix_mkdir in '') # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then mkdir_mode=-m$mode else mkdir_mode= fi posix_mkdir=false # The $RANDOM variable is not portable (e.g., dash). Use it # here however when possible just to lower collision chance. tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ trap ' ret=$? rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" 2>/dev/null exit $ret ' 0 # Because "mkdir -p" follows existing symlinks and we likely work # directly in world-writeable /tmp, make sure that the '$tmpdir' # directory is successfully created first before we actually test # 'mkdir -p'. if (umask $mkdir_umask && $mkdirprog $mkdir_mode "$tmpdir" && exec $mkdirprog $mkdir_mode -p -- "$tmpdir/a/b") >/dev/null 2>&1 then if test -z "$dir_arg" || { # Check for POSIX incompatibilities with -m. # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or # other-writable bit of parent directory when it shouldn't. # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. test_tmpdir="$tmpdir/a" ls_ld_tmpdir=`ls -ld "$test_tmpdir"` case $ls_ld_tmpdir in d????-?r-*) different_mode=700;; d????-?--*) different_mode=755;; *) false;; esac && $mkdirprog -m$different_mode -p -- "$test_tmpdir" && { ls_ld_tmpdir_1=`ls -ld "$test_tmpdir"` test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" } } then posix_mkdir=: fi rmdir "$tmpdir/a/b" "$tmpdir/a" "$tmpdir" else # Remove any dirs left behind by ancient mkdir implementations. rmdir ./$mkdir_mode ./-p ./-- "$tmpdir" 2>/dev/null fi trap '' 0;; esac if $posix_mkdir && ( umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" ) then : else # mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. case $dstdir in /*) prefix='/';; [-=\(\)!]*) prefix='./';; *) prefix='';; esac oIFS=$IFS IFS=/ set -f set fnord $dstdir shift set +f IFS=$oIFS prefixes= for d do test X"$d" = X && continue prefix=$prefix$d if test -d "$prefix"; then prefixes= else if $posix_mkdir; then (umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 else case $prefix in *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; *) qprefix=$prefix;; esac prefixes="$prefixes '$qprefix'" fi fi prefix=$prefix/ done if test -n "$prefixes"; then # Don't fail if two instances are running concurrently. (umask $mkdir_umask && eval "\$doit_exec \$mkdirprog $prefixes") || test -d "$dstdir" || exit 1 obsolete_mkdir_used=true fi fi fi if test -n "$dir_arg"; then { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 else # Make a couple of temp file names in the proper directory. dsttmp=${dstdirslash}_inst.$$_ rmtmp=${dstdirslash}_rm.$$_ # Trap to clean up those temp files at exit. trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. (umask $cp_umask && { test -z "$stripcmd" || { # Create $dsttmp read-write so that cp doesn't create it read-only, # which would cause strip to fail. if test -z "$doit"; then : >"$dsttmp" # No need to fork-exec 'touch'. else $doit touch "$dsttmp" fi } } && $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $cpprog $src $dsttmp" command. # { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } && { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && # If -C, don't bother to copy if it wouldn't change the file. if $copy_on_change && old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && set -f && set X $old && old=:$2:$4:$5:$6 && set X $new && new=:$2:$4:$5:$6 && set +f && test "$old" = "$new" && $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 then rm -f "$dsttmp" else # If $backupsuffix is set, and the file being installed # already exists, attempt a backup. Don't worry if it fails, # e.g., if mv doesn't support -f. if test -n "$backupsuffix" && test -f "$dst"; then $doit $mvcmd -f "$dst" "$dst$backupsuffix" 2>/dev/null fi # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || # The rename failed, perhaps because mv can't rename something else # to itself, or perhaps because mv is so ancient that it does not # support -f. { # Now remove or move aside any old file at destination location. # We try this two ways since rm can't unlink itself on some # systems and the destination file might be busy for other # reasons. In this case, the final cleanup might fail but the new # file should still install successfully. { test ! -f "$dst" || $doit $rmcmd "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && { $doit $rmcmd "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1 } } && # Now rename the file to the real destination. $doit $mvcmd "$dsttmp" "$dst" } fi || exit 1 trap '' 0 fi done # Local variables: # eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: nettle-3.10/ghash-update.c0000644000175000017500000000473214633602171014503 0ustar nissenisse/* ghash-update.c Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf See also the gcm paper at http://www.cryptobarn.com/papers/gcm-spec.pdf. Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018, 2022 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ghash-internal.h" #include "block-internal.h" #if GCM_TABLE_BITS < 7 # error Unsupported table size. #endif /* For fat builds */ #if HAVE_NATIVE_ghash_update const uint8_t * _nettle_ghash_update_c (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data); #define _nettle_ghash_update _nettle_ghash_update_c #endif static void gcm_gf_mul (union nettle_block16 *x, const union nettle_block16 *table) { uint64_t x0 = x->u64[0]; uint64_t x1 = x->u64[1]; uint64_t r0 = 0; uint64_t r1 = 0; unsigned i; for (i = 0; i < 64; i++, x0 >>= 1, x1 >>= 1) { uint64_t m0 = -(x0 & 1); uint64_t m1 = -(x1 & 1); r0 ^= m0 & table[2*i].u64[0]; r1 ^= m0 & table[2*i].u64[1]; r0 ^= m1 & table[2*i+1].u64[0]; r1 ^= m1 & table[2*i+1].u64[1]; } x->u64[0] = r0; x->u64[1] = r1; } const uint8_t * _ghash_update (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data) { for (; blocks-- > 0; data += GCM_BLOCK_SIZE) { memxor (state->b, data, GCM_BLOCK_SIZE); gcm_gf_mul (state, ctx->h); } return data; } nettle-3.10/version.c0000644000175000017500000000230414633602171013607 0ustar nissenisse/* version.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "version.h" int nettle_version_major (void) { return NETTLE_VERSION_MAJOR; } int nettle_version_minor (void) { return NETTLE_VERSION_MINOR; } nettle-3.10/salsa20r12-crypt.c0000644000175000017500000000266214633602171015062 0ustar nissenisse/* salsa20r12-crypt.c The Salsa20 stream cipher, reduced round variant. Copyright (C) 2013 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "salsa20-internal.h" void salsa20r12_crypt(struct salsa20_ctx *ctx, size_t length, uint8_t *c, const uint8_t *m) { if (!length) return; _nettle_salsa20_crypt (ctx, 12, length, c, m); } nettle-3.10/hmac-ripemd160.c0000644000175000017500000000312414633602171014540 0ustar nissenisse/* hmac-ripemd160.c HMAC-RIPEMD160 message authentication code. Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_ripemd160_set_key(struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_ripemd160, key_length, key); } void hmac_ripemd160_update(struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data) { ripemd160_update(&ctx->state, length, data); } void hmac_ripemd160_digest(struct hmac_ripemd160_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_ripemd160, length, digest); } nettle-3.10/xts-aes256.c0000644000175000017500000000457114633602171013753 0ustar nissenisse/* xts-aes256.c XTS Mode using AES256 as the underlying cipher. Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "xts.h" void xts_aes256_set_encrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key) { aes256_set_encrypt_key(&xts_key->cipher, key); aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]); } void xts_aes256_set_decrypt_key(struct xts_aes256_key *xts_key, const uint8_t *key) { aes256_set_decrypt_key(&xts_key->cipher, key); aes256_set_encrypt_key(&xts_key->tweak_cipher, &key[AES256_KEY_SIZE]); } void xts_aes256_encrypt_message(const struct xts_aes256_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { xts_encrypt_message(&xts_key->cipher, &xts_key->tweak_cipher, (nettle_cipher_func *) aes256_encrypt, tweak, length, dst, src); } void xts_aes256_decrypt_message(const struct xts_aes256_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { xts_decrypt_message(&xts_key->cipher, &xts_key->tweak_cipher, (nettle_cipher_func *) aes256_decrypt, (nettle_cipher_func *) aes256_encrypt, tweak, length, dst, src); } nettle-3.10/memops.h0000644000175000017500000000277014633602172013437 0ustar nissenisse/* memops.h Copyright (C) 2016 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MEMOPS_H_INCLUDED #define NETTLE_MEMOPS_H_INCLUDED #include "memxor.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cnd_memcpy nettle_cnd_memcpy #define memeql_sec nettle_memeql_sec int memeql_sec (const void *a, const void *b, size_t n); /* Side-channel silent conditional memcpy. cnd must be 0 (nop) or 1 (copy). */ void cnd_memcpy(int cnd, volatile void *dst, const volatile void *src, size_t n); #ifdef __cplusplus } #endif #endif /* NETTLE_MEMOPS_H_INCLUDED */ nettle-3.10/ecc-add-eh.c0000644000175000017500000000616214633602171014002 0ustar nissenisse/* ecc-add-eh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on an Edwards curve, with result and first point in homogeneous coordinates. */ void ecc_add_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl): Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)(x2+y2) - C - D C, D, T E = b*C*D 2 mul C, E, T (Replace C <-- D - C) B = z1^2 sqr B, C, E, T F = B - E B, C, E, F, T G = B + E C, F, G, T x3 = z1*F*T 3 mul C, F, G, T y3 = z1*G*(D-C) 2 mul F, G z3 = F*G mul */ #define T scratch #define E (scratch + 1*ecc->p.size) #define G E #define C (scratch + 2*ecc->p.size) #define D (scratch + 3*ecc->p.size) #define B D /* Use T as scratch, clobber E */ ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ ecc_mod_add (&ecc->p, x3, x1, y1); ecc_mod_add (&ecc->p, y3, x2, y2); ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ ecc_mod_sub (&ecc->p, T, T, C); ecc_mod_sub (&ecc->p, T, T, D); /* Can now use x3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, T, T, z1, x3); ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); ecc_mod_sub (&ecc->p, C, D, C); /* C, T, E */ ecc_mod_mul (&ecc->p, C, C, z1, x3); ecc_mod_sqr (&ecc->p, B, z1, x3); /* C, T, E, B */ ecc_mod_sub (&ecc->p, x3, B, E); ecc_mod_add (&ecc->p, G, B, E); /* C, T, G */ /* Can now use y3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, y3, C, G, y3); /* T G */ /* Can use C--D as scratch */ ecc_mod_mul (&ecc->p, z3, x3, G, C); /* T */ ecc_mod_mul (&ecc->p, x3, x3, T, C); } nettle-3.10/Makefile.in0000644000175000017500000006235214633602172014035 0ustar nissenisse# Nettle Makefile @SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = $(INSTALL_PROGRAM) -s MKDIR_P = @MKDIR_P@ OPT_NETTLE_OBJS = @OPT_NETTLE_OBJS@ OPT_HOGWEED_OBJS = @OPT_HOGWEED_OBJS@ OPT_NETTLE_SOURCES = @OPT_NETTLE_SOURCES@ FAT_TEST_LIST = @FAT_TEST_LIST@ SUBDIRS = tools testsuite examples include config.make PRE_CPPFLAGS = -I. EXTRA_CFLAGS = $(CCPIC) LIBTARGETS = @IF_STATIC@ libnettle.a @IF_HOGWEED@ libhogweed.a SHLIBTARGETS = @IF_SHARED@ $(LIBNETTLE_FORLINK) @IF_HOGWEED@ $(LIBHOGWEED_FORLINK) getopt_SOURCES = getopt.c getopt1.c getopt_TARGETS = $(getopt_SOURCES:.c=.$(OBJEXT)) internal_SOURCES = non-nettle.c internal_TARGETS = $(internal_SOURCES:.c=.$(OBJEXT)) TARGETS = $(getopt_TARGETS) $(internal_TARGETS) \ $(LIBTARGETS) $(SHLIBTARGETS) DOCTARGETS = @IF_DOCUMENTATION@ nettle.info nettle.html nettle.pdf PKGCONFIG_FILES = nettle.pc @IF_HOGWEED@ hogweed.pc pkgconfigdir = $(libdir)/pkgconfig all check install uninstall: $(MAKE) $@-here set -e; for d in $(SUBDIRS); do \ echo "Making $@ in $$d" ; (cd $$d && $(MAKE) $@); done clean distclean mostlyclean maintainer-clean tags: set -e; for d in $(SUBDIRS); do \ echo "Making $@ in $$d" ; (cd $$d && $(MAKE) $@); done $(MAKE) $@-here check-here: true # Tries different settings of NETTLE_FAT_OVERRIDE. Note that this # requires that corresponding processor features are available on the # test machine. check-fat: [ -z "$(FAT_TEST_LIST)" ] || \ set -e; cd testsuite && for f in $(FAT_TEST_LIST) ; do \ echo NETTLE_FAT_OVERRIDE=$$f ; \ NETTLE_FAT_OVERRIDE=$$f $(MAKE) check TS_ALL='$$(TS_FAT)' ; \ done all-here: $(TARGETS) $(DOCTARGETS) nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c aes-decrypt-table.c \ aes128-decrypt.c aes192-decrypt.c aes256-decrypt.c \ aes-encrypt-internal.c aes-encrypt.c aes-encrypt-table.c \ aes128-encrypt.c aes192-encrypt.c aes256-encrypt.c \ aes-invert-internal.c aes-set-key-internal.c \ aes-set-encrypt-key.c aes-set-decrypt-key.c \ aes128-set-encrypt-key.c aes128-set-decrypt-key.c \ aes128-meta.c \ aes192-set-encrypt-key.c aes192-set-decrypt-key.c \ aes192-meta.c \ aes256-set-encrypt-key.c aes256-set-decrypt-key.c \ aes256-meta.c \ nist-keywrap.c \ arcfour.c \ arctwo.c arctwo-meta.c blowfish.c blowfish-bcrypt.c \ balloon.c balloon-sha1.c balloon-sha256.c \ balloon-sha384.c balloon-sha512.c \ base16-encode.c base16-decode.c base16-meta.c \ base64-encode.c base64-decode.c base64-meta.c \ base64url-encode.c base64url-decode.c base64url-meta.c \ buffer.c buffer-init.c \ camellia-crypt-internal.c camellia-table.c \ camellia-absorb.c camellia-invert-key.c \ camellia128-set-encrypt-key.c camellia128-crypt.c \ camellia128-set-decrypt-key.c \ camellia128-meta.c \ camellia192-meta.c \ camellia256-set-encrypt-key.c camellia256-crypt.c \ camellia256-set-decrypt-key.c \ camellia256-meta.c \ cast128.c cast128-meta.c \ cbc.c cbc-aes128-encrypt.c cbc-aes192-encrypt.c cbc-aes256-encrypt.c \ ccm.c ccm-aes128.c ccm-aes192.c ccm-aes256.c cfb.c \ siv-cmac.c siv-cmac-aes128.c siv-cmac-aes256.c \ siv-gcm.c siv-gcm-aes128.c siv-gcm-aes256.c \ cnd-memcpy.c \ chacha-crypt.c chacha-core-internal.c \ chacha-poly1305.c chacha-poly1305-meta.c \ chacha-set-key.c chacha-set-nonce.c \ ctr.c ctr16.c des.c des3.c \ eax.c eax-aes128.c eax-aes128-meta.c \ ghash-set-key.c ghash-update.c \ siv-ghash-set-key.c siv-ghash-update.c \ gcm.c gcm-aes.c \ gcm-aes128.c gcm-aes128-meta.c \ gcm-aes192.c gcm-aes192-meta.c \ gcm-aes256.c gcm-aes256-meta.c \ gcm-camellia128.c gcm-camellia128-meta.c \ gcm-camellia256.c gcm-camellia256-meta.c \ gcm-sm4.c gcm-sm4-meta.c \ cmac.c cmac64.c cmac-aes128.c cmac-aes256.c cmac-des3.c \ cmac-aes128-meta.c cmac-aes256-meta.c cmac-des3-meta.c \ gost28147.c gosthash94.c gosthash94-meta.c \ hmac.c hmac-gosthash94.c hmac-md5.c hmac-ripemd160.c \ hmac-sha1.c hmac-sha224.c hmac-sha256.c hmac-sha384.c \ hmac-sha512.c hmac-streebog.c hmac-sm3.c \ hmac-md5-meta.c hmac-ripemd160-meta.c hmac-sha1-meta.c \ hmac-sha224-meta.c hmac-sha256-meta.c hmac-sha384-meta.c \ hmac-sha512-meta.c hmac-streebog-meta.c hmac-sm3-meta.c \ knuth-lfib.c hkdf.c \ md2.c md2-meta.c md4.c md4-meta.c \ md5.c md5-compat.c md5-meta.c \ memeql-sec.c memxor.c memxor3.c \ nettle-lookup-hash.c \ nettle-meta-aeads.c nettle-meta-armors.c \ nettle-meta-ciphers.c nettle-meta-hashes.c nettle-meta-macs.c \ ocb.c ocb-aes128.c \ pbkdf2.c pbkdf2-hmac-gosthash94.c pbkdf2-hmac-sha1.c \ pbkdf2-hmac-sha256.c pbkdf2-hmac-sha384.c pbkdf2-hmac-sha512.c \ poly1305-aes.c poly1305-internal.c poly1305-update.c \ realloc.c \ ripemd160.c ripemd160-compress.c ripemd160-meta.c \ salsa20-core-internal.c salsa20-crypt-internal.c \ salsa20-crypt.c salsa20r12-crypt.c salsa20-set-key.c \ salsa20-set-nonce.c \ salsa20-128-set-key.c salsa20-256-set-key.c \ sha1.c sha1-compress.c sha1-meta.c \ sha256.c sha256-compress-n.c sha224-meta.c sha256-meta.c \ sha512.c sha512-compress.c sha384-meta.c sha512-meta.c \ sha512-224-meta.c sha512-256-meta.c \ sha3.c sha3-permute.c \ sha3-224.c sha3-224-meta.c sha3-256.c sha3-256-meta.c \ sha3-384.c sha3-384-meta.c sha3-512.c sha3-512-meta.c \ sha3-shake.c shake128.c shake256.c \ sm3.c sm3-meta.c \ serpent-set-key.c serpent-encrypt.c serpent-decrypt.c \ serpent-meta.c \ streebog.c streebog-meta.c \ twofish.c twofish-meta.c \ sm4.c sm4-meta.c \ umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c \ umac-poly64.c umac-poly128.c umac-set-key.c \ umac32.c umac64.c umac96.c umac128.c \ version.c \ write-be32.c write-le32.c write-le64.c \ yarrow256.c yarrow_key_event.c \ xts.c xts-aes128.c xts-aes256.c \ drbg-ctr-aes256.c hogweed_SOURCES = sexp.c sexp-format.c \ sexp-transport.c sexp-transport-format.c \ bignum.c bignum-random.c bignum-random-prime.c \ sexp2bignum.c \ pkcs1.c pkcs1-encrypt.c pkcs1-decrypt.c \ oaep.c \ pkcs1-sec-decrypt.c \ pkcs1-rsa-digest.c pkcs1-rsa-md5.c pkcs1-rsa-sha1.c \ pkcs1-rsa-sha256.c pkcs1-rsa-sha512.c \ pss.c pss-mgf1.c \ rsa.c rsa-sign.c rsa-sign-tr.c rsa-verify.c \ rsa-sec-compute-root.c \ rsa-pkcs1-sign.c rsa-pkcs1-sign-tr.c rsa-pkcs1-verify.c \ rsa-md5-sign.c rsa-md5-sign-tr.c rsa-md5-verify.c \ rsa-sha1-sign.c rsa-sha1-sign-tr.c rsa-sha1-verify.c \ rsa-sha256-sign.c rsa-sha256-sign-tr.c rsa-sha256-verify.c \ rsa-sha512-sign.c rsa-sha512-sign-tr.c rsa-sha512-verify.c \ rsa-pss-sha256-sign-tr.c rsa-pss-sha256-verify.c \ rsa-pss-sha512-sign-tr.c rsa-pss-sha512-verify.c \ rsa-encrypt.c rsa-decrypt.c \ rsa-oaep-encrypt.c rsa-oaep-decrypt.c \ rsa-sec-decrypt.c rsa-decrypt-tr.c \ rsa-keygen.c rsa-blind.c \ rsa2sexp.c sexp2rsa.c \ dsa.c dsa-compat.c dsa-compat-keygen.c dsa-gen-params.c \ dsa-sign.c dsa-verify.c dsa-keygen.c dsa-hash.c \ dsa-sha1-sign.c dsa-sha1-verify.c \ dsa-sha256-sign.c dsa-sha256-verify.c \ dsa2sexp.c sexp2dsa.c \ pgp-encode.c rsa2openpgp.c \ der-iterator.c der2rsa.c der2dsa.c \ sec-add-1.c sec-sub-1.c \ gmp-glue.c cnd-copy.c \ ecc-mod.c ecc-mod-inv.c \ ecc-mod-arith.c ecc-pp1-redc.c ecc-pm1-redc.c \ ecc-curve25519.c ecc-curve448.c \ ecc-gost-gc256b.c ecc-gost-gc512a.c \ ecc-secp192r1.c ecc-secp224r1.c ecc-secp256r1.c \ ecc-secp384r1.c ecc-secp521r1.c \ ecc-size.c ecc-j-to-a.c ecc-a-to-j.c \ ecc-dup-jj.c ecc-add-jja.c ecc-add-jjj.c ecc-nonsec-add-jjj.c \ ecc-eh-to-a.c \ ecc-dup-eh.c ecc-add-eh.c ecc-add-ehh.c \ ecc-dup-th.c ecc-add-th.c ecc-add-thh.c \ ecc-mul-g-eh.c ecc-mul-a-eh.c ecc-mul-m.c \ ecc-mul-g.c ecc-mul-a.c ecc-random.c \ ecc-point.c ecc-scalar.c ecc-point-mul.c ecc-point-mul-g.c \ ecc-ecdsa-sign.c ecdsa-sign.c \ ecc-ecdsa-verify.c ecdsa-verify.c ecdsa-keygen.c \ ecc-gostdsa-sign.c gostdsa-sign.c \ ecc-gostdsa-verify.c gostdsa-verify.c gostdsa-vko.c \ curve25519-mul-g.c curve25519-mul.c curve25519-eh-to-x.c \ curve448-mul-g.c curve448-mul.c curve448-eh-to-x.c \ eddsa-compress.c eddsa-decompress.c eddsa-expand.c \ eddsa-hash.c eddsa-pubkey.c eddsa-sign.c eddsa-verify.c \ ed25519-sha512.c ed25519-sha512-pubkey.c \ ed25519-sha512-sign.c ed25519-sha512-verify.c \ ed448-shake256.c ed448-shake256-pubkey.c \ ed448-shake256-sign.c ed448-shake256-verify.c OPT_SOURCES = fat-arm.c fat-arm64.c fat-ppc.c fat-s390x.c fat-x86_64.c mini-gmp.c HEADERS = aes.h arcfour.h arctwo.h asn1.h blowfish.h balloon.h \ base16.h base64.h bignum.h buffer.h camellia.h cast128.h \ cbc.h ccm.h cfb.h chacha.h chacha-poly1305.h ctr.h \ curve25519.h curve448.h des.h dsa.h dsa-compat.h eax.h \ ecc-curve.h ecc.h ecdsa.h eddsa.h \ gcm.h gostdsa.h gosthash94.h hmac.h \ knuth-lfib.h hkdf.h \ macros.h \ cmac.h siv-cmac.h siv-gcm.h \ md2.h md4.h \ md5.h md5-compat.h \ memops.h memxor.h \ nettle-meta.h nettle-types.h \ ocb.h pbkdf2.h \ pgp.h pkcs1.h pss.h pss-mgf1.h realloc.h ripemd160.h rsa.h \ salsa20.h sexp.h serpent.h \ sha.h sha1.h sha2.h sha3.h sm3.h sm4.h streebog.h twofish.h \ umac.h yarrow.h xts.h poly1305.h nist-keywrap.h \ drbg-ctr.h INSTALL_HEADERS = $(HEADERS) version.h @IF_MINI_GMP@ mini-gmp.h SOURCES = $(nettle_SOURCES) $(hogweed_SOURCES) \ $(getopt_SOURCES) $(internal_SOURCES) \ $(OPT_SOURCES) \ aesdata.c desdata.c twofishdata.c shadata.c eccdata.c # NOTE: This list must include all source files, with no duplicates, # independently of which source files are included in the build. DISTFILES = $(SOURCES) $(HEADERS) getopt.h getopt_int.h \ .bootstrap run-tests \ aclocal.m4 configure.ac \ configure stamp-h.in version.h.in \ libnettle.map.in libhogweed.map.in \ config.guess config.sub install-sh \ config.h.in config.m4.in config.make.in Makefile.in \ README CONTRIBUTING.md AUTHORS COPYING.LESSERv3 COPYINGv2 COPYINGv3 \ INSTALL NEWS ChangeLog \ nettle.pc.in hogweed.pc.in \ desdata.stamp $(des_headers) descore.README \ aes-internal.h block-internal.h blowfish-internal.h bswap-internal.h \ camellia-internal.h gcm-internal.h \ ghash-internal.h gost28147-internal.h poly1305-internal.h \ serpent-internal.h cast128_sboxes.h desinfo.h desCode.h \ ripemd160-internal.h md-internal.h sha2-internal.h \ memxor-internal.h nettle-internal.h non-nettle.h nettle-write.h \ ctr-internal.h chacha-internal.h sha3-internal.h \ salsa20-internal.h umac-internal.h hogweed-internal.h \ rsa-internal.h pkcs1-internal.h dsa-internal.h eddsa-internal.h \ gmp-glue.h ecc-internal.h fat-setup.h oaep.h \ mini-gmp.h asm.m4 m4-utils.m4 \ nettle.texinfo nettle.info nettle.html nettle.pdf sha-example.c # Rules building static libraries nettle_OBJS = $(nettle_SOURCES:.c=.$(OBJEXT)) \ $(OPT_NETTLE_SOURCES:.c=.$(OBJEXT)) $(OPT_NETTLE_OBJS) hogweed_OBJS = $(hogweed_SOURCES:.c=.$(OBJEXT)) \ $(OPT_HOGWEED_OBJS) @IF_MINI_GMP@ mini-gmp.$(OBJEXT) libnettle.a: $(nettle_OBJS) -rm -f $@ $(AR) $(ARFLAGS) $@ $(nettle_OBJS) $(RANLIB) $@ echo nettle > libnettle.stamp libhogweed.a: $(hogweed_OBJS) -rm -f $@ $(AR) $(ARFLAGS) $@ $(hogweed_OBJS) $(RANLIB) $@ echo hogweed > libhogweed.stamp %.$(OBJEXT): %.asm $(srcdir)/m4-utils.m4 $(srcdir)/asm.m4 config.m4 machine.m4 $(M4) $(srcdir)/m4-utils.m4 $(srcdir)/asm.m4 config.m4 machine.m4 $< >$*.s $(COMPILE) $(ASM_FLAGS) -c $*.s %.$(OBJEXT): %.c $(COMPILE) -c $< \ && $(DEP_PROCESS) # Rules building shared libraries. $(LIBNETTLE_FORLINK): $(nettle_OBJS) $(LIBNETTLE_LINK) $(nettle_OBJS) @EXTRA_LINKER_FLAGS@ -o $@ $(LIBNETTLE_LIBS) -mkdir .lib 2>/dev/null (cd .lib \ && rm -f $(LIBNETTLE_FORLINK) \ && $(LN_S) ../$(LIBNETTLE_FORLINK) $(LIBNETTLE_FORLINK) \ && [ -z "$(LIBNETTLE_SONAME)" ] \ || { rm -f $(LIBNETTLE_SONAME) \ && $(LN_S) $(LIBNETTLE_FORLINK) $(LIBNETTLE_SONAME) ; } ) echo nettle > libnettle.stamp $(LIBHOGWEED_FORLINK): $(hogweed_OBJS) $(LIBNETTLE_FORLINK) $(LIBHOGWEED_LINK) $(hogweed_OBJS) @EXTRA_HOGWEED_LINKER_FLAGS@ -o $@ $(LIBHOGWEED_LIBS) -mkdir .lib 2>/dev/null (cd .lib \ && rm -f $(LIBHOGWEED_FORLINK) \ && $(LN_S) ../$(LIBHOGWEED_FORLINK) $(LIBHOGWEED_FORLINK) \ && [ -z "$(LIBHOGWEED_SONAME)" ] \ || { rm -f $(LIBHOGWEED_SONAME) \ && $(LN_S) $(LIBHOGWEED_FORLINK) $(LIBHOGWEED_SONAME) ; } ) echo hogweed > libhogweed.stamp # For building the various *data.c programs. -lm needed for shadata. %$(EXEEXT_FOR_BUILD): %.c $(CC_FOR_BUILD) $< -lm -o $@ # Explicit dependency. eccdata$(EXEEXT_FOR_BUILD): mini-gmp.c mini-gmp.h # desCore rules # It seems using $(srcdir)/ doesn't work with GNU make 3.79.1 # des_headers = $(srcdir)/rotors.h $(srcdir)/keymap.h des_headers = rotors.h keymap.h # Generate DES headers. $(des_headers): desdata.stamp f="$(srcdir)/`basename $@`"; \ ./desdata$(EXEEXT_FOR_BUILD) $(@F) > $${f}T; \ test -s $${f}T && mv -f $${f}T $$f desdata.stamp: desdata.c $(MAKE) desdata$(EXEEXT_FOR_BUILD) echo stamp > desdata.stamp des.$(OBJEXT): des.c des.h $(des_headers) # Generate ECC files, with roughly 16 KB of tables per curve. # Some reasonable choices for 192: # k = 8, c = 6, S = 256, T = 40 ( 32 A + 8 D) 12 KB # k = 14, c = 7, S = 256, T = 42 ( 28 A + 14 D) 12 KB # k = 11, c = 6, S = 192, T = 44 ( 33 A + 11 D) 9 KB # k = 16, c = 6, S = 128, T = 48 ( 32 A + 16 D) 6 KB ecc-secp192r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp192r1 8 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 224: # k = 16, c = 7, S = 256, T = 48 ( 32 A + 16 D) ~16 KB # k = 10, c = 6, S = 256, T = 50 ( 40 A + 10 D) ~16 KB # k = 13, c = 6, S = 192, T = 52 ( 39 A + 13 D) ~12 KB # k = 9, c = 5, S = 160, T = 54 ( 45 A + 9 D) ~10 KB ecc-secp224r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp224r1 16 7 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB ecc-secp256r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp256r1 11 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 384: # k = 16, c = 6, S = 256, T = 80 ( 64 A + 16 D) 24 KB # k = 28, c = 7, S = 256, T = 84 ( 56 A + 28 D) 24 KB # k = 11, c = 5, S = 224, T = 88 ( 77 A + 11 D) 21 KB # k = 22, c = 6, S = 192, T = 88 ( 66 A + 22 D) 18 KB # k = 13, c = 5, S = 192, T = 91 ( 78 A + 13 D) 18 KB # k = 16, c = 5, S = 160, T = 96 ( 80 A + 16 D) 15 KB # k = 32, c = 6, S = 128, T = 96 ( 64 A + 32 D) 12 KB ecc-secp384r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp384r1 32 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 521: # k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) ~27 KB # k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) ~23 KB # k = 44, c = 6, S = 128, T = 132 ( 88 A + 44 D) ~18 KB # k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) ~14 KB ecc-secp521r1.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) secp521r1 44 6 $(NUMB_BITS) > $@T && mv $@T $@ # Parameter choices mostly the same as for ecc-secp256r1.h. ecc-curve25519.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) curve25519 11 6 $(NUMB_BITS) > $@T && mv $@T $@ ecc-curve448.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) curve448 38 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 256: # k = 9, c = 6, S = 320, T = 54 ( 45 A + 9 D) 20 KB # k = 11, c = 6, S = 256, T = 55 ( 44 A + 11 D) 16 KB # k = 19, c = 7, S = 256, T = 57 ( 38 A + 19 D) 16 KB # k = 15, c = 6, S = 192, T = 60 ( 45 A + 15 D) 12 KB ecc-gost-gc256b.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc256b 11 6 $(NUMB_BITS) > $@T && mv $@T $@ # Some reasonable choices for 512: # k = 22, c = 6, S = 256, T = 110 ( 88 A + 22 D) 32 KB # k = 29, c = 6, S = 192, T = 116 ( 87 A + 29 D) 24 KB # k = 21, c = 5, S = 160, T = 126 (105 A + 21 D) 20 KB # k = 43, c = 6, S = 128, T = 129 ( 86 A + 43 D) 16 KB # k = 35, c = 5, S = 96, T = 140 (105 A + 35 D) 12 KB ecc-gost-gc512a.h: eccdata.stamp ./eccdata$(EXEEXT_FOR_BUILD) gost_gc512a 43 6 $(NUMB_BITS) > $@T && mv $@T $@ eccdata.stamp: eccdata.c $(MAKE) eccdata$(EXEEXT_FOR_BUILD) echo stamp > eccdata.stamp ecc-curve25519.$(OBJEXT): ecc-curve25519.h ecc-curve448.$(OBJEXT): ecc-curve448.h ecc-gost-gc256b.$(OBJEXT): ecc-gost-gc256b.h ecc-gost-gc512a.$(OBJEXT): ecc-gost-gc512a.h ecc-secp192r1.$(OBJEXT): ecc-secp192r1.h ecc-secp224r1.$(OBJEXT): ecc-secp224r1.h ecc-secp256r1.$(OBJEXT): ecc-secp256r1.h ecc-secp384r1.$(OBJEXT): ecc-secp384r1.h ecc-secp521r1.$(OBJEXT): ecc-secp521r1.h # Texinfo rules %.info: %.texinfo cd $(srcdir) && $(MAKEINFO) --output $@ `basename "$<"` %.html: %.texinfo cd $(srcdir) && $(MAKEINFO) --html --no-split \ --output $@T `basename "$<"` \ && test -s $@T && mv -f $@T $@ %.pdf: %.texinfo cd $(srcdir) && texi2pdf `basename "$<"` # Configure-related rules, mostly copied from the autoconf manual. No # $(srcdir) prefixes on the targets, though. configure: configure.ac aclocal.m4 cd $(srcdir) && $(AUTOCONF) # autoheader might not change config.h.in, so touch a stamp file. config.h.in: stamp-h.in stamp-h.in: configure.ac aclocal.m4 cd $(srcdir) && $(AUTOHEADER) echo timestamp > $(srcdir)/stamp-h.in config.status: configure ./config.status --recheck config.h: stamp-h stamp-h: config.h.in config.status ./config.status config.h echo timestamp > stamp-h Makefile: Makefile.in config.status ./config.status $@ config.make: config.make.in config.status ./config.status $@ config.m4: config.m4.in config.status ./config.status $@ nettle.pc: nettle.pc.in config.status ./config.status $@ hogweed.pc: hogweed.pc.in config.status ./config.status $@ version.h: version.h.in config.status ./config.status $@ # Installation install-doc: @IF_DOCUMENTATION@ install-info install-here: install-doc install-headers install-static install-pkgconfig \ @IF_SHARED@ install-shared-nettle @IF_HOGWEED@ install-shared-hogweed install-static: $(LIBTARGETS) $(MKDIR_P) $(DESTDIR)$(libdir) for f in $(LIBTARGETS); do \ $(INSTALL_DATA) $$f $(DESTDIR)$(libdir) ; \ done install-dll-nettle: $(MKDIR_P) $(DESTDIR)$(bindir) $(INSTALL_DATA) $(LIBNETTLE_FORLINK) $(DESTDIR)$(bindir)/$(LIBNETTLE_FORLINK) install-shared-nettle: $(LIBNETTLE_FORLINK) @IF_DLL@ install-dll-nettle $(MKDIR_P) $(DESTDIR)$(libdir) $(INSTALL_DATA) $(LIBNETTLE_FILE_SRC) $(DESTDIR)$(libdir)/$(LIBNETTLE_FILE) [ -z "$(LIBNETTLE_SONAME)" ] \ || (cd $(DESTDIR)$(libdir) \ && rm -f $(LIBNETTLE_SONAME) $(LIBNETTLE_FORLINK) \ && $(LN_S) $(LIBNETTLE_FILE) $(LIBNETTLE_SONAME) \ && $(LN_S) $(LIBNETTLE_FILE) $(LIBNETTLE_FORLINK)) install-dll-hogweed: $(MKDIR_P) $(DESTDIR)$(bindir) $(INSTALL_DATA) $(LIBHOGWEED_FORLINK) $(DESTDIR)$(bindir)/$(LIBHOGWEED_FORLINK) install-shared-hogweed: $(LIBHOGWEED_FORLINK) @IF_DLL@ install-dll-hogweed $(MKDIR_P) $(DESTDIR)$(libdir) $(INSTALL_DATA) $(LIBHOGWEED_FILE_SRC) $(DESTDIR)$(libdir)/$(LIBHOGWEED_FILE) [ -z "$(LIBHOGWEED_SONAME)" ] \ || (cd $(DESTDIR)$(libdir) \ && rm -f $(LIBHOGWEED_SONAME) $(LIBHOGWEED_FORLINK) \ && $(LN_S) $(LIBHOGWEED_FILE) $(LIBHOGWEED_SONAME) \ && $(LN_S) $(LIBHOGWEED_FILE) $(LIBHOGWEED_FORLINK)) # I'd like to use makes VPATH search to locate the files to be # installed. But it seems most make programs don't set $<, $^, $? and # friends for ordinary explicit rules. install-info: nettle.info $(MKDIR_P) $(DESTDIR)$(infodir) f=nettle.info ; \ [ -f $$f ] || f="$(srcdir)/$$f" ; \ $(INSTALL_DATA) "$$f" $(DESTDIR)$(infodir) ; \ if (install-info --version && \ install-info --version 2>&1 | sed 1q | grep -i -v debian) >/dev/null 2>&1; then \ install-info --info-dir="$(DESTDIR)$(infodir)" "$$f" ; \ else : ; fi # NOTE: I'd like to use $^, but that's a GNU extension. $? should be # more portable, and equivalent for phony targets. install-headers: $(INSTALL_HEADERS) $(MKDIR_P) $(DESTDIR)$(includedir)/nettle for f in $(INSTALL_HEADERS) ; do \ if [ -f "$$f" ] ; then \ $(INSTALL_DATA) "$$f" $(DESTDIR)$(includedir)/nettle ; \ else \ $(INSTALL_DATA) "$(srcdir)/$$f" $(DESTDIR)$(includedir)/nettle ; \ fi ; done install-pkgconfig: $(PKGCONFIG_FILES) $(MKDIR_P) $(DESTDIR)$(pkgconfigdir) for f in $(PKGCONFIG_FILES) ; do \ $(INSTALL_DATA) "$$f" $(DESTDIR)$(pkgconfigdir) ; \ done # Uninstall uninstall-here: uninstall-info uninstall-headers uninstall-static \ uninstall-pkgconfig @IF_SHARED@ uninstall-shared uninstall-static: for f in $(LIBTARGETS) ; do \ rm -f $(DESTDIR)$(libdir)/$$f ; \ done uninstall-headers: for f in $(INSTALL_HEADERS) ; do \ rm -f $(DESTDIR)$(includedir)/nettle/$$f ; \ done uninstall-info: if (install-info --version && \ install-info --version 2>&1 | sed 1q | grep -i -v debian) >/dev/null 2>&1; then \ install-info --info-dir="$(DESTDIR)$(infodir)" --remove "$(DESTDIR)$(infodir)"/nettle.info ; \ else : ; fi -rm -f $(DESTDIR)$(infodir)/nettle.info # FIXME: Leaves the links around uninstall-shared: uninstall-shared-nettle @IF_HOGWEED@ uninstall-shared-hogweed uninstall-dll-nettle: rm -f $(DESTDIR)$(bindir)/$(LIBNETTLE_FORLINK) uninstall-shared-nettle: @IF_DLL@ uninstall-dll-nettle rm -f $(DESTDIR)$(libdir)/$(LIBNETTLE_FILE) [ -z "$(LIBNETTLE_SONAME)" ] \ || rm -f $(LIBNETTLE_SONAME) $(LIBNETTLE_FORLINK) uninstall-dll-hogweed: rm -f $(DESTDIR)$(bindir)/$(LIBHOGWEED_FORLINK) uninstall-shared-hogweed: @IF_DLL@ uninstall-dll-hogweed rm -f $(DESTDIR)$(libdir)/$(LIBHOGWEED_FILE) [ -z "$(LIBHOGWEED_SONAME)" ] \ || rm -f $(LIBHOGWEED_SONAME) $(LIBHOGWEED_FORLINK) uninstall-pkgconfig: for f in $(PKGCONFIG_FILES) ; do \ rm -f $(DESTDIR)$(pkgconfigdir)/$$f ; \ done # Distribution distdir = $(PACKAGE_NAME)-$(PACKAGE_VERSION) top_distdir = $(distdir) # NOTE: We should handle both absolute and relative $destdir. distdir: $(DISTFILES) rm -rf "$(distdir)" mkdir "$(distdir)" set -e; for f in $(DISTFILES) ; do \ if [ -f "$$f" ] ; then cp "$$f" "$(distdir)" ; \ else cp "$(srcdir)/$$f" "$(distdir)" ; \ fi ; \ done set -e; for d in sparc64 x86 \ x86_64 x86_64/aesni x86_64/sha_ni x86_64/pclmul x86_64/fat \ arm arm/neon arm/v6 arm/fat \ arm64 arm64/crypto arm64/fat \ powerpc64 powerpc64/p7 powerpc64/p8 powerpc64/p9 powerpc64/fat \ s390x s390x/vf s390x/msa s390x/msa_x1 s390x/msa_x2 s390x/msa_x4 s390x/fat ; do \ mkdir "$(distdir)/$$d" ; \ find "$(srcdir)/$$d" -maxdepth 1 '(' -name '*.asm' -o -name '*.m4' -o -name README ')' \ -exec cp '{}' "$(distdir)/$$d" ';' ; \ done set -e; for d in $(SUBDIRS); do \ sd="$(distdir)/$$d" ; \ mkdir "$$sd" && $(MAKE) -C $$d distdir="`cd $$sd && pwd`" $@ ; \ done dist: distdir tar cf - $(distdir) | gzip -c >$(distdir).tar.gz rm -rf $(distdir) rm_distcheck = test ! -d distcheck-tmp \ || { find distcheck-tmp -type d ! -perm -200 -exec chmod u+w {} ';' \ && rm -fr distcheck-tmp; }; distcheck: dist $(rm_distcheck) mkdir distcheck-tmp gzip -d < $(distdir).tar.gz \ | { cd distcheck-tmp && tar xf - && chmod -R a-w $(distdir) ; } mkdir distcheck-tmp/build mkdir distcheck-tmp/install cd distcheck-tmp/build && ../$(distdir)/configure --prefix="`cd ../install && pwd`" cd distcheck-tmp/build && $(MAKE) cd distcheck-tmp/build && $(MAKE) check cd distcheck-tmp/build && $(MAKE) install cd distcheck-tmp/build && $(MAKE) uninstall cd distcheck-tmp && find install -type f -print > leftover-install-files @test `cat distcheck-tmp/leftover-install-files | wc -l` -le 1 \ || { echo "ERROR: files left after uninstall:" ; \ cat distcheck-tmp/leftover-install-files ; \ exit 1; } chmod -R a-w distcheck-tmp/install mkdir distcheck-tmp/destdir destdir="`cd distcheck-tmp/destdir && pwd`" \ && cd distcheck-tmp/build \ && $(MAKE) install DESTDIR="$$destdir" \ && $(MAKE) uninstall DESTDIR="$$destdir" cd distcheck-tmp && find destdir -type f -print > leftover-destdir-files @test `cat distcheck-tmp/leftover-destdir-files | wc -l` -le 1 \ || { echo "ERROR: destdir files left after uninstall:" ; \ cat distcheck-tmp/leftover-destdir-files ; \ exit 1; } cd distcheck-tmp/build && $(MAKE) dist cd distcheck-tmp/build && rm *.gz cd distcheck-tmp/build && $(MAKE) distclean cd distcheck-tmp && find build -type f -print > leftover-build-files @test `cat distcheck-tmp/leftover-build-files | wc -l` -eq 0 \ || { echo "ERROR: files left in build directory after distclean:" ; \ cat distcheck-tmp/leftover-build-files ; \ exit 1; } $(rm_distcheck) clean-here: -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d *.s *.so *.dll *.a \ ecc-curve25519.h ecc-curve448.h \ ecc-gost-gc256b.h ecc-gost-gc512a.h \ ecc-secp192r1.h ecc-secp224r1.h ecc-secp256r1.h \ ecc-secp384r1.h ecc-secp521r1.h \ aesdata$(EXEEXT_FOR_BUILD) \ desdata$(EXEEXT_FOR_BUILD) \ twofishdata$(EXEEXT_FOR_BUILD) \ shadata$(EXEEXT_FOR_BUILD) \ eccdata$(EXEEXT_FOR_BUILD) eccdata.stamp -rm -rf .lib libnettle.stamp libhogweed.stamp distclean-here: clean-here -rm -f config.h stamp-h config.log config.status machine.m4 \ config.make config.m4 Makefile version.h \ nettle.pc hogweed.pc libnettle.map libhogweed.map \ *.asm *.d maintainer-clean-here: -rm -f $(DOCTARGETS) *.dvi *.ps tags-here: etags -o $(srcdir)/TAGS $(srcdir)/*.c $(srcdir)/*.h DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) -include $(DEP_FILES) nettle-3.10/cmac-des3.c0000644000175000017500000000306514633602171013666 0ustar nissenisse/* cmac-des3.c CMAC using TripleDES as the underlying cipher. Copyright (C) 2019 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "cmac.h" void cmac_des3_set_key (struct cmac_des3_ctx *ctx, const uint8_t *key) { CMAC64_SET_KEY (ctx, des3_set_key, des3_encrypt, key); } void cmac_des3_update (struct cmac_des3_ctx *ctx, size_t length, const uint8_t *data) { CMAC64_UPDATE (ctx, des3_encrypt, length, data); } void cmac_des3_digest (struct cmac_des3_ctx *ctx, size_t length, uint8_t *digest) { CMAC64_DIGEST (ctx, des3_encrypt, length, digest); } nettle-3.10/base16-decode.c0000644000175000017500000000607414633602171014434 0ustar nissenisse/* base16-encode.c Hex decoding. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "base16.h" void base16_decode_init(struct base16_decode_ctx *ctx) { ctx->word = ctx->bits = 0; } enum { HEX_INVALID = -1, HEX_SPACE=-2 }; static const signed char hex_decode_table[0x80] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 10, 11, 12, 13, 14, 15, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; /* Decodes a single byte. Returns amount of output (0 or 1), or -1 on * errors. */ int base16_decode_single(struct base16_decode_ctx *ctx, uint8_t *dst, char src) { /* Avoid signed char for indexing. */ unsigned char usrc = src; int digit; if (usrc >= 0x80) return -1; digit = hex_decode_table[usrc]; switch (digit) { case -1: return -1; case -2: return 0; default: assert(digit >= 0); assert(digit < 0x10); if (ctx->bits) { *dst = (ctx->word << 4) | digit; ctx->bits = 0; return 1; } else { ctx->word = digit; ctx->bits = 4; return 0; } } } int base16_decode_update(struct base16_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src) { size_t done; size_t i; for (i = done = 0; ibits == 0; } nettle-3.10/sm3.h0000644000175000017500000000366214633602172012642 0ustar nissenisse/* sm3.h The SM3 hash function. Copyright (C) 2017 Jia Zhang Copyright (C) 2021 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SM3_H_INCLUDED #define NETTLE_SM3_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sm3_init nettle_sm3_init #define sm3_update nettle_sm3_update #define sm3_digest nettle_sm3_digest #define SM3_DIGEST_SIZE 32 #define SM3_BLOCK_SIZE 64 /* Digest is kept internally as 8 32-bit words. */ #define _SM3_DIGEST_LENGTH 8 struct sm3_ctx { uint32_t state[_SM3_DIGEST_LENGTH]; uint64_t count; /* Block count */ unsigned index; /* Into buffer */ uint8_t block[SM3_BLOCK_SIZE]; /* Block buffer */ }; void sm3_init(struct sm3_ctx *ctx); void sm3_update(struct sm3_ctx *ctx, size_t length, const uint8_t *data); void sm3_digest(struct sm3_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_SM3_H_INCLUDED */ nettle-3.10/rsa-pss-sha256-verify.c0000644000175000017500000000311014633602171016016 0ustar nissenisse/* rsa-pss-sha256-verify.c Verifying signatures created with RSA and SHA-256, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha256_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature) { int res; mpz_t m; mpz_init (m); res = (_rsa_verify_recover(key, m, signature) && pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha256, salt_length, digest)); mpz_clear (m); return res; } nettle-3.10/ecc-secp521r1.c0000644000175000017500000001371714633602171014311 0ustar nissenisse/* ecc-secp521r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-secp521r1.h" #define B_SHIFT (521 % GMP_NUMB_BITS) #if HAVE_NATIVE_ecc_secp521r1_modp #define ecc_secp521r1_modp _nettle_ecc_secp521r1_modp void ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #else #define BMODP_SHIFT (GMP_NUMB_BITS - B_SHIFT) #define BMODP ((mp_limb_t) 1 << BMODP_SHIFT) /* Result may be *slightly* larger than 2^521 */ static void ecc_secp521r1_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) { /* FIXME: Should use mpn_addlsh_n_ip1 */ mp_limb_t hi; /* Reduce from 2*ECC_LIMB_SIZE to ECC_LIMB_SIZE + 1 */ xp[ECC_LIMB_SIZE] = mpn_addmul_1 (xp, xp + ECC_LIMB_SIZE, ECC_LIMB_SIZE, BMODP); hi = mpn_addmul_1 (xp, xp + ECC_LIMB_SIZE, 1, BMODP); hi = sec_add_1 (xp + 1, xp + 1, ECC_LIMB_SIZE - 1, hi); /* Combine hi with top bits, and add in. */ hi = (hi << BMODP_SHIFT) | (xp[ECC_LIMB_SIZE-1] >> B_SHIFT); rp[ECC_LIMB_SIZE-1] = (xp[ECC_LIMB_SIZE-1] & (((mp_limb_t) 1 << B_SHIFT)-1)) + sec_add_1 (rp, xp, ECC_LIMB_SIZE - 1, hi); } #endif #define ECC_SECP521R1_INV_ITCH (3*ECC_LIMB_SIZE) static void ecc_secp521r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define t0 scratch #define tp (scratch + ECC_LIMB_SIZE) /* Addition chain for p - 2: 2^{521} - 3 = 1 + 2^2(2^519 - 1) = 1 + 2^2(1 + 2 (2^518 - 1) = 1 + 2^2(1 + 2 (2^259 + 1) (1 + 2(2^258 - 1))) = 1 + 2^2(1 + 2 (2^259 + 1) (1 + 2(2^129 + 1) (2^129 - 1))) = 1 + 2^2(1 + 2 (2^259 + 1) (1 + 2(2^129 + 1) (1 + 2 (2^128 - 1)))) where 2^{128} - 1 = (2^64 + 1) (2^32+1) (2^16 + 1) (2^8 + 1) (2^4 + 1) (2^2 + 1) (2 + 1) This addition chain needs 520 squarings and 13 multiplies. */ ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^3 = a^{2^2 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 2, tp); /* a^15 = a^{2^4 - 1} */ ecc_mod_pow_2kp1 (p, rp, t0, 4, tp); /* a^{2^8 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 8, tp); /* a^{2^16 - 1} */ ecc_mod_pow_2kp1 (p, rp, t0, 16, tp); /* a^{2^32 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 32, tp); /* a^{2^64 - 1} */ ecc_mod_pow_2kp1 (p, rp, t0, 64, tp); /* a^{2^128 - 1} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^129 - 2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^129 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 129, tp);/* a^{2^258 - 1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^259 - 2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^259 - 1} */ ecc_mod_pow_2kp1 (p, t0, rp, 259, tp);/* a^{2^518 - 1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^519 - 2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^519 - 1} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^520 - 2} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^521 - 4} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^521 - 3} */ } #define ECC_SECP521R1_SQRT_ITCH (2*ECC_LIMB_SIZE) static int ecc_secp521r1_sqrt (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *cp, mp_limb_t *scratch) { mp_limb_t hi; /* This computes the square root modulo p256 using the identity: sqrt(c) = c^(2^519) (mod P-521) which can be seen as a special case of Tonelli-Shanks with e=1. */ ecc_mod_pow_2k (m, rp, cp, 519, scratch); /* Check result. */ ecc_mod_sqr (m, scratch, rp, scratch); ecc_mod_sub (m, scratch, scratch, cp); /* Reduce top bits, since ecc_mod_zero_p requires input < 2p */ hi = scratch[ECC_LIMB_SIZE-1] >> B_SHIFT; scratch[ECC_LIMB_SIZE-1] = (scratch[ECC_LIMB_SIZE-1] & (((mp_limb_t) 1 << B_SHIFT)-1)) + sec_add_1 (scratch, scratch, ECC_LIMB_SIZE - 1, hi); return ecc_mod_zero_p (m, scratch); } const struct ecc_curve _nettle_secp_521r1 = { { 521, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_SECP521R1_INV_ITCH, ECC_SECP521R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp521r1_modp, ecc_secp521r1_modp, ecc_secp521r1_inv, ecc_secp521r1_sqrt, NULL, }, { 521, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP521R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_521r1(void) { return &_nettle_secp_521r1; } nettle-3.10/sha256-meta.c0000644000175000017500000000223714633602171014063 0ustar nissenisse/* sha256-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha256 = _NETTLE_HASH(sha256, SHA256); nettle-3.10/ecc-point-mul.c0000644000175000017500000000330414633602171014577 0ustar nissenisse/* ecc-point-mul.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" void ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n, const struct ecc_point *p) { const struct ecc_curve *ecc = r->ecc; mp_limb_t size = ecc->p.size; mp_size_t itch = 3*size + ecc->mul_itch; mp_limb_t *scratch = gmp_alloc_limbs (itch); assert (n->ecc == ecc); assert (p->ecc == ecc); assert (ecc->h_to_a_itch <= ecc->mul_itch); ecc->mul (ecc, scratch, n->p, p->p, scratch + 3*size); ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); gmp_free_limbs (scratch, itch); } nettle-3.10/cmac-des3-meta.c0000644000175000017500000000260314633602171014607 0ustar nissenisse/* cmac-des3-meta.c Copyright (C) 2020 Dmitry Baryshkov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "cmac.h" const struct nettle_mac nettle_cmac_des3 = { "cmac_des3", sizeof(struct cmac_des3_ctx), CMAC64_DIGEST_SIZE, DES3_KEY_SIZE, (nettle_set_key_func*) cmac_des3_set_key, (nettle_hash_update_func*) cmac_des3_update, (nettle_hash_digest_func*) cmac_des3_digest }; nettle-3.10/aes192-decrypt.c0000644000175000017500000000325714633602171014606 0ustar nissenisse/* aes192-decrypt.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes192_decrypt void _nettle_aes192_decrypt_c(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes192_decrypt _nettle_aes192_decrypt_c #endif void nettle_aes192_decrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_decrypt(_AES192_ROUNDS, ctx->keys + 4 * _AES192_ROUNDS, &_nettle_aes_decrypt_table, length, dst, src); } nettle-3.10/eddsa-verify.c0000644000175000017500000000660214633602172014512 0ustar nissenisse/* eddsa-verify.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-meta.h" /* Checks if x1/z1 == x2/z2 (mod p). Assumes z1 and z2 are non-zero. */ static int equal_h (const struct ecc_modulo *p, const mp_limb_t *x1, const mp_limb_t *z1, const mp_limb_t *x2, const mp_limb_t *z2, mp_limb_t *scratch) { #define t0 scratch #define t1 (scratch + p->size) ecc_mod_mul_canonical (p, t0, x1, z2, t0); ecc_mod_mul_canonical (p, t1, x2, z1, t1); return mpn_cmp (t0, t1, p->size) == 0; #undef t0 #undef t1 } mp_size_t _eddsa_verify_itch (const struct ecc_curve *ecc) { assert (_eddsa_decompress_itch (ecc) <= ecc->mul_itch); return 8*ecc->p.size + ecc->mul_itch; } int _eddsa_verify (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, const uint8_t *pub, const mp_limb_t *A, void *ctx, size_t length, const uint8_t *msg, const uint8_t *signature, mp_limb_t *scratch) { size_t nbytes; #define R scratch #define sp (scratch + 2*ecc->p.size) #define hp (scratch + 3*ecc->p.size) #define P (scratch + 5*ecc->p.size) #define scratch_out (scratch + 8*ecc->p.size) #define S R #define hash ((uint8_t *) P) nbytes = 1 + ecc->p.bit_size / 8; /* Could maybe save some storage by delaying the R and S operations, but it makes sense to check them for validity up front. */ if (!_eddsa_decompress (ecc, R, signature, R+2*ecc->p.size)) return 0; mpn_set_base256_le (sp, ecc->q.size, signature + nbytes, nbytes); /* Check that s < q */ if (mpn_cmp (sp, ecc->q.m, ecc->q.size) >= 0) return 0; eddsa->dom (ctx); eddsa->update (ctx, nbytes, signature); eddsa->update (ctx, nbytes, pub); eddsa->update (ctx, length, msg); eddsa->digest (ctx, 2*nbytes, hash); _eddsa_hash (&ecc->q, hp, 2*nbytes, hash); /* Compute h A + R - s G, which should be the neutral point */ ecc->mul (ecc, P, hp, A, scratch_out); ecc->add_hh (ecc, P, P, R, scratch_out); /* Move out of the way. */ mpn_copyi (hp, sp, ecc->q.size); ecc->mul_g (ecc, S, hp, scratch_out); return equal_h (&ecc->p, P, P + 2*ecc->p.size, S, S + 2*ecc->p.size, scratch_out) && equal_h (&ecc->p, P + ecc->p.size, P + 2*ecc->p.size, S + ecc->p.size, S + 2*ecc->p.size, scratch_out); #undef R #undef sp #undef hp #undef P #undef S } nettle-3.10/salsa20-set-nonce.c0000644000175000017500000000266214633602171015267 0ustar nissenisse/* salsa20-set-nonce.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "macros.h" void salsa20_set_nonce(struct salsa20_ctx *ctx, const uint8_t *nonce) { ctx->input[6] = LE_READ_UINT32(nonce + 0); ctx->input[7] = LE_READ_UINT32(nonce + 4); ctx->input[8] = 0; ctx->input[9] = 0; } nettle-3.10/gosthash94-meta.c0000644000175000017500000000245014633602171015045 0ustar nissenisse/* gosthash94-meta.c Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "gosthash94.h" const struct nettle_hash nettle_gosthash94 = _NETTLE_HASH(gosthash94, GOSTHASH94); const struct nettle_hash nettle_gosthash94cp = _NETTLE_HASH(gosthash94cp, GOSTHASH94CP); nettle-3.10/ecc-secp256r1.c0000644000175000017500000002557514633602171014323 0ustar nissenisse/* ecc-secp256r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #if HAVE_NATIVE_ecc_secp256r1_redc # define USE_REDC 1 #else # define USE_REDC (ECC_REDC_SIZE != 0) #endif #include "ecc-secp256r1.h" #if HAVE_NATIVE_ecc_secp256r1_redc # define ecc_secp256r1_redc _nettle_ecc_secp256r1_redc void ecc_secp256r1_redc (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp); #else /* !HAVE_NATIVE_ecc_secp256r1_redc */ # if ECC_REDC_SIZE > 0 # define ecc_secp256r1_redc ecc_pp1_redc # elif ECC_REDC_SIZE == 0 # define ecc_secp256r1_redc NULL # else # error Configuration error # endif #endif /* !HAVE_NATIVE_ecc_secp256r1_redc */ #if ECC_BMODP_SIZE < ECC_LIMB_SIZE #define ecc_secp256r1_modp ecc_mod #define ecc_secp256r1_modq ecc_mod #elif GMP_NUMB_BITS == 64 static void ecc_secp256r1_modp (const struct ecc_modulo *p, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t d1, u1, cy; mp_size_t n; /* Reduce to < B^4 p up front, to avoid first quotient overflowing a limb. */ cy = mpn_sub_n (xp + 4, xp + 4, p->m, p->size); mpn_cnd_add_n (cy, xp + 4, xp + 4, p->m, p->size); d1 = UINT64_C(0xffffffff00000001); for (n = 2*p->size, u1 = xp[--n] ;; n--) { mp_limb_t u0, q1, q0, qmax, r, t, mask; u0 = xp[n-1]; /* Since d0 == 0, 2/1 division gives a good enough quotient approximation. = v * u1 + , with v = 2^32 - 1: +---+---+ | u1| u0| +---+---+ |-u1| +-+-+-+ | u1| +-+-+-+-+ | q1| q0| +---+---+ */ q1 = u1 - (u1 > u0); q0 = u0 - u1; t = u1 << 32; q0 += t; q1 += (u1 >> 32) + (q0 < t) + 1; /* Force q = B-1 when u1 == d1 */ qmax = - (mp_limb_t) (u1 >= d1); /* Candidate remainder r = u0 - q d1 (mod B), and 2/1 division adjustments. */ r = u0 + (q1 << 32) - q1; mask = - (mp_limb_t) (r > q0); q1 += mask; r += (mask & d1); mask = - (mp_limb_t) (r >= d1); q1 -= mask; r -= (mask & d1); /* In the case that u1 == d1, we get q1 == 0, r == 0 here (and correct 2/1 quotient would be B). Replace with q1 = B-1, r = d1. */ q1 |= qmax; r += d1 & qmax; cy = mpn_submul_1 (xp + n - 4, p->m, 3, q1); mask = - (mp_limb_t) (r < cy); if (n == p->size) { rp[3] = r - cy + (mask & d1) + mpn_cnd_add_n (mask, rp, xp, p->m, 3); return; } u1 = r - cy + (mask & d1) + mpn_cnd_add_n (mask, xp + n - 4, xp + n- 4, p->m, 3); } } static void ecc_secp256r1_modq (const struct ecc_modulo *q, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t d1, cy; mp_size_t n; /* Reduce to < B^4 p up front, to avoid first quotient overflowing a limb. */ cy = mpn_sub_n (xp + 4, xp + 4, q->m, q->size); mpn_cnd_add_n (cy, xp + 4, xp + 4, q->m, q->size); d1 = UINT64_C(0xffffffff00000000); n = 2*q->size; for (;;) { mp_limb_t u1, u0, q1, q0, r, t, qmax, mask; u1 = xp[--n]; u0 = xp[n-1]; /* divappr2, specialized for d1 = 2^64 - 2^32, d0 = 2^64-1. = v * u1 + , with v = 2^32 - 1: +---+---+ | u1| u0| +---+---+ |-u1| +-+-+-+ | u1| +-+-+-+-+ | q1| q0| +---+---+ */ q1 = u1 - (u1 > u0); q0 = u0 - u1; t = u1 << 32; q0 += t; q1 += (q0 < t); t = u1 >> 32; /* The divappr2 algorithm handles only q < B - 1. If we check for u1 >= d1 = 2^{64}-2^{32}, we cover all cases where q = 2^64-1, and some when q = 2^64-2. The latter case is corrected by the final adjustment. */ qmax = - (mp_limb_t) (t == 0xffffffff); q1 += t + 1; /* Candidate remainder r = u0 - q (d1 + 1) (mod B), and divappr2 adjustments. For general divappr2, the expression is r = u_0 - q1 d1 - floor(q1 d0 / B) - 1 but in our case floor(q1 d0 / B) simplifies to q1 - 1. */ r = u0 + (q1 << 32) - q1; mask = - (mp_limb_t) (r >= q0); q1 += mask; r += (mask & (d1 + 1)); q1 += (r >= d1 - 1); /* Replace by qmax, when that is needed */ q1 |= qmax; /* Subtract, may underflow. */ cy = mpn_submul_1 (xp + n - 4, q->m, 4, q1); if (n == q->size) { mpn_cnd_add_n (cy > u1, rp, xp, q->m, 4); return; } mpn_cnd_add_n (cy > u1, xp + n - 4, xp + n- 4, q->m, 4); } } #else #error Unsupported parameters #endif #define ECC_SECP256R1_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_secp256r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define a5m1 scratch #define t0 (scratch + ECC_LIMB_SIZE) #define a15m1 t0 #define a32m1 a5m1 #define tp (scratch + 2*ECC_LIMB_SIZE) /* Addition chain for p - 2 = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 3 2^5 - 1 = 1 + 2 (2^4 - 1) = 1 + 2 (2^2+1)(2 + 1) 4 S + 3 M 2^{15} - 1 = (2^5 - 1) (1 + 2^5 (1 + 2^5) 10 S + 2 M 2^{16} - 1 = 1 + 2 (2^{15} - 1) S + M 2^{32} - 1 = (2^{16} + 1) (2^{16} - 1) 16 S + M 2^{64} - 2^{32} + 1 = 2^{32} (2^{32} - 1) + 1 32 S + M 2^{192} - 2^{160} + 2^{128} + 2^{32} - 1 = 2^{128} (2^{64} - 2^{32} + 1) + 2^{32} - 1 128 S + M 2^{224} - 2^{192} + 2^{160} + 2^{64} - 1 = 2^{32} (...) + 2^{32} - 1 32 S + M 2^{239} - 2^{207} + 2^{175} + 2^{79} - 1 = 2^{15} (...) + 2^{15} - 1 15 S + M 2^{254} - 2^{222} + 2^{190} + 2^{94} - 1 = 2^{15} (...) + 2^{15} - 1 15 S + M p - 2 = 2^2 (...) + 1 2 S M --------------- 255 S + 13 M */ ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^3 */ ecc_mod_pow_2kp1 (p, t0, rp, 2, tp); /* a^{2^4 - 1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^5 - 2} */ ecc_mod_mul (p, a5m1, rp, ap, tp); /* a^{2^5 - 1}, a5m1 */ ecc_mod_pow_2kp1 (p, rp, a5m1, 5, tp); /* a^{2^{10} - 1, a5m1*/ ecc_mod_pow_2k_mul (p, a15m1, rp, 5, a5m1, tp); /* a^{2^{15} - 1}, a5m1 a15m1 */ ecc_mod_sqr (p, rp, a15m1, tp); /* a^{2^{16} - 2}, a15m1 */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^{16} - 1}, a15m1 */ ecc_mod_pow_2kp1 (p, a32m1, rp, 16, tp); /* a^{2^{32} - 1}, a15m1, a32m1 */ ecc_mod_pow_2k_mul (p, rp, a32m1, 32, ap, tp);/* a^{2^{64} - 2^{32} + 1 */ ecc_mod_pow_2k_mul (p, rp, rp, 128, a32m1, tp); /* a^{2^{192} - 2^{160} + 2^{128} + 2^{32} - 1} */ ecc_mod_pow_2k_mul (p, rp, rp, 32, a32m1, tp);/* a^{2^{224} - 2^{192} + 2^{160} + 2^{64} - 1} */ ecc_mod_pow_2k_mul (p, rp, rp, 15, a15m1, tp);/* a^{2^{239} - 2^{207} + 2^{175} + 2^{79} - 1} */ ecc_mod_pow_2k_mul (p, rp, rp, 15, a15m1, tp);/* a^{2^{254} - 2^{222} + 2^{190} + 2^{94} - 1} */ ecc_mod_pow_2k_mul (p, rp, rp, 2, ap, tp); /* a^{2^{256} - 2^{224} + 2^{192} + 2^{96} - 3} */ #undef a5m1 #undef t0 #undef a15m1 #undef a32m1 #undef tp } /* To guarantee that inputs to ecc_mod_zero_p are in the required range. */ #if ECC_LIMB_SIZE * GMP_NUMB_BITS != 256 #error Unsupported limb size #endif #define ECC_SECP256R1_SQRT_ITCH (3*ECC_LIMB_SIZE) static int ecc_secp256r1_sqrt (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *cp, mp_limb_t *scratch) { /* This computes the square root modulo p256 using the identity: sqrt(c) = c^(2^254 − 2^222 + 2^190 + 2^94) (mod P-256) which can be seen as a special case of Tonelli-Shanks with e=1. It would be nice to share part of the addition chain between inverse and sqrt. We need p-2 = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 3 (inverse) and (p+1)/4 = 2^{254} − 2^{222} + 2^{190} + 2^{94} (sqrt) which we can both get conveniently from (p-3)/4 = 2^{254} − 2^{222} + 2^{190} + 2^{94} - 1 But addition chain for 2^{94} - 1 appears to cost a few more mul operations than the current, separate, chains. */ #define t0 scratch #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_sqr (m, rp, cp, tp); /* c^2 */ ecc_mod_mul (m, t0, rp, cp, tp); /* c^3 */ ecc_mod_pow_2kp1 (m, rp, t0, 2, tp); /* c^(2^4 - 1) */ ecc_mod_pow_2kp1 (m, t0, rp, 4, tp); /* c^(2^8 - 1) */ ecc_mod_pow_2kp1 (m, rp, t0, 8, tp); /* c^(2^16 - 1) */ ecc_mod_pow_2kp1 (m, t0, rp, 16, tp); /* c^(2^32 - 1) */ ecc_mod_pow_2k_mul (m, rp, t0, 32, cp, tp); /* c^(2^64 - 2^32 + 1) */ ecc_mod_pow_2k_mul (m, t0, rp, 96, cp, tp); /* c^(2^160 - 2^128 + 2^96 + 1) */ ecc_mod_pow_2k (m, rp, t0, 94, tp); /* c^(2^254 - 2^222 + 2^190 + 2^94) */ ecc_mod_sqr (m, t0, rp, tp); ecc_mod_sub (m, t0, t0, cp); return ecc_mod_zero_p (m, t0); #undef t0 #undef tp } const struct ecc_curve _nettle_secp_256r1 = { { 256, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_SECP256R1_INV_ITCH, ECC_SECP256R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp256r1_modp, USE_REDC ? ecc_secp256r1_redc : ecc_secp256r1_modp, ecc_secp256r1_inv, ecc_secp256r1_sqrt, NULL, }, { 256, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_secp256r1_modq, ecc_secp256r1_modq, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP256R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_256r1(void) { return &_nettle_secp_256r1; } nettle-3.10/ecc-ecdsa-verify.c0000644000175000017500000000717514633602172015247 0ustar nissenisse/* ecc-ecdsa-verify.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "dsa-internal.h" /* Low-level ECDSA verify */ static int ecdsa_in_range (const struct ecc_curve *ecc, const mp_limb_t *xp) { return !mpn_zero_p (xp, ecc->p.size) && mpn_cmp (xp, ecc->q.m, ecc->p.size) < 0; } mp_size_t ecc_ecdsa_verify_itch (const struct ecc_curve *ecc) { /* Largest storage need is for the ecc_mul_a call. */ return 5*ecc->p.size + ECC_MUL_A_ITCH (ecc->p.size); } /* FIXME: Use faster primitives, not requiring side-channel silence. */ int ecc_ecdsa_verify (const struct ecc_curve *ecc, const mp_limb_t *pp, /* Public key */ size_t length, const uint8_t *digest, const mp_limb_t *rp, const mp_limb_t *sp, mp_limb_t *scratch) { /* Procedure, according to RFC 6090, "KT-I". q denotes the group order. 1. Check 0 < r, s < q. 2. s' <-- s^{-1} (mod q) 3. u1 <-- h * s' (mod q) 4. u2 <-- r * s' (mod q) 5. R = u1 G + u2 Y 6. Signature is valid if R_x = r (mod q). */ #define P2 scratch #define u1 (scratch + 3*ecc->p.size) #define u2 (scratch + 4*ecc->p.size) #define P1 (scratch + 4*ecc->p.size) #define sinv (scratch) #define hp (scratch + ecc->p.size) if (! (ecdsa_in_range (ecc, rp) && ecdsa_in_range (ecc, sp))) return 0; /* FIXME: Micro optimizations: Either simultaneous multiplication. Or convert to projective coordinates (can be done without division, I think), and write an ecc_add_ppp. */ /* Compute sinv */ ecc->q.invert (&ecc->q, sinv, sp, sinv + ecc->p.size); /* u1 = h / s, P1 = u1 * G */ _nettle_dsa_hash (hp, ecc->q.bit_size, length, digest); ecc_mod_mul_canonical (&ecc->q, u1, hp, sinv, u1); /* u2 = r / s, P2 = u2 * Y */ ecc_mod_mul_canonical (&ecc->q, u2, rp, sinv, u2); /* Total storage: 5*ecc->p.size + ECC_MUL_A_ITCH */ ecc_mul_a (ecc, P2, u2, pp, u2 + ecc->p.size); /* u = 0 can happen only if h = 0 or h = q, which is extremely unlikely. */ if (!mpn_zero_p (u1, ecc->p.size)) { /* Total storage: 7*ecc->p.size + ECC_MUL_G_ITCH */ ecc_mul_g (ecc, P1, u1, P1 + 3*ecc->p.size); /* Total storage: 6*ecc->p.size + ECC_ADD_JJJ_ITCH */ if (!ecc_nonsec_add_jjj (ecc, P2, P2, P1, P1 + 3*ecc->p.size)) /* Infinity point, not a valid signature. */ return 0; } /* x coordinate only, modulo q */ ecc_j_to_a (ecc, 2, P1, P2, P1 + 3*ecc->p.size); return (mpn_cmp (rp, P1, ecc->p.size) == 0); #undef P2 #undef P1 #undef sinv #undef u2 #undef hp #undef u1 } nettle-3.10/macros.h0000644000175000017500000001626414633602172013426 0ustar nissenisse/* macros.h Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MACROS_H_INCLUDED #define NETTLE_MACROS_H_INCLUDED /* Reads a 64-bit integer, in network, big-endian, byte order */ #define READ_UINT64(p) \ ( (((uint64_t) (p)[0]) << 56) \ | (((uint64_t) (p)[1]) << 48) \ | (((uint64_t) (p)[2]) << 40) \ | (((uint64_t) (p)[3]) << 32) \ | (((uint64_t) (p)[4]) << 24) \ | (((uint64_t) (p)[5]) << 16) \ | (((uint64_t) (p)[6]) << 8) \ | ((uint64_t) (p)[7])) #define WRITE_UINT64(p, i) \ do { \ (p)[0] = ((i) >> 56) & 0xff; \ (p)[1] = ((i) >> 48) & 0xff; \ (p)[2] = ((i) >> 40) & 0xff; \ (p)[3] = ((i) >> 32) & 0xff; \ (p)[4] = ((i) >> 24) & 0xff; \ (p)[5] = ((i) >> 16) & 0xff; \ (p)[6] = ((i) >> 8) & 0xff; \ (p)[7] = (i) & 0xff; \ } while(0) /* Reads a 32-bit integer, in network, big-endian, byte order */ #define READ_UINT32(p) \ ( (((uint32_t) (p)[0]) << 24) \ | (((uint32_t) (p)[1]) << 16) \ | (((uint32_t) (p)[2]) << 8) \ | ((uint32_t) (p)[3])) #define WRITE_UINT32(p, i) \ do { \ (p)[0] = ((i) >> 24) & 0xff; \ (p)[1] = ((i) >> 16) & 0xff; \ (p)[2] = ((i) >> 8) & 0xff; \ (p)[3] = (i) & 0xff; \ } while(0) /* Analogous macros, for 24 and 16 bit numbers */ #define READ_UINT24(p) \ ( (((uint32_t) (p)[0]) << 16) \ | (((uint32_t) (p)[1]) << 8) \ | ((uint32_t) (p)[2])) #define WRITE_UINT24(p, i) \ do { \ (p)[0] = ((i) >> 16) & 0xff; \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[2] = (i) & 0xff; \ } while(0) #define READ_UINT16(p) \ ( (((uint32_t) (p)[0]) << 8) \ | ((uint32_t) (p)[1])) #define WRITE_UINT16(p, i) \ do { \ (p)[0] = ((i) >> 8) & 0xff; \ (p)[1] = (i) & 0xff; \ } while(0) /* And the other, little-endian, byteorder */ #define LE_READ_UINT64(p) \ ( (((uint64_t) (p)[7]) << 56) \ | (((uint64_t) (p)[6]) << 48) \ | (((uint64_t) (p)[5]) << 40) \ | (((uint64_t) (p)[4]) << 32) \ | (((uint64_t) (p)[3]) << 24) \ | (((uint64_t) (p)[2]) << 16) \ | (((uint64_t) (p)[1]) << 8) \ | ((uint64_t) (p)[0])) #define LE_WRITE_UINT64(p, i) \ do { \ (p)[7] = ((i) >> 56) & 0xff; \ (p)[6] = ((i) >> 48) & 0xff; \ (p)[5] = ((i) >> 40) & 0xff; \ (p)[4] = ((i) >> 32) & 0xff; \ (p)[3] = ((i) >> 24) & 0xff; \ (p)[2] = ((i) >> 16) & 0xff; \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while (0) #define LE_READ_UINT32(p) \ ( (((uint32_t) (p)[3]) << 24) \ | (((uint32_t) (p)[2]) << 16) \ | (((uint32_t) (p)[1]) << 8) \ | ((uint32_t) (p)[0])) #define LE_WRITE_UINT32(p, i) \ do { \ (p)[3] = ((i) >> 24) & 0xff; \ (p)[2] = ((i) >> 16) & 0xff; \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while(0) /* Analogous macros, for 16 bit numbers */ #define LE_READ_UINT16(p) \ ( (((uint32_t) (p)[1]) << 8) \ | ((uint32_t) (p)[0])) #define LE_WRITE_UINT16(p, i) \ do { \ (p)[1] = ((i) >> 8) & 0xff; \ (p)[0] = (i) & 0xff; \ } while(0) /* Macro to make it easier to loop over several blocks. */ #define FOR_BLOCKS(length, dst, src, blocksize) \ assert( !((length) % (blocksize))); \ for (; (length); ((length) -= (blocksize), \ (dst) += (blocksize), \ (src) += (blocksize)) ) /* The masking of the right shift is needed to allow n == 0 (using just 32 - n and 64 - n results in undefined behaviour). Most uses of these macros use a constant and non-zero rotation count. */ #define ROTL32(n,x) (((x)<<(n)) | ((x)>>((-(n)&31)))) #define ROTL64(n,x) (((x)<<(n)) | ((x)>>((-(n))&63))) /* Requires that size > 0 */ #define INCREMENT(size, ctr) \ do { \ unsigned increment_i = (size) - 1; \ if (++(ctr)[increment_i] == 0) \ while (increment_i > 0 \ && ++(ctr)[--increment_i] == 0 ) \ ; \ } while (0) /* Helper macro for Merkle-Damgård hash functions. Assumes the context structs includes the following fields: uint8_t block[...]; // Buffer holding one block unsigned int index; // Index into block */ /* Currently used by sha512 (and sha384) only. */ #define MD_INCR(ctx) ((ctx)->count_high += !++(ctx)->count_low) /* Takes the compression function f as argument. NOTE: also clobbers length and data. */ #define MD_UPDATE(ctx, length, data, f, incr) \ do { \ if (!length) goto __md_done; \ if ((ctx)->index) \ { \ /* Try to fill partial block */ \ unsigned __md_left = sizeof((ctx)->block) - (ctx)->index; \ if ((length) < __md_left) \ { \ memcpy((ctx)->block + (ctx)->index, (data), (length)); \ (ctx)->index += (length); \ goto __md_done; /* Finished */ \ } \ else \ { \ memcpy((ctx)->block + (ctx)->index, (data), __md_left); \ \ f((ctx), (ctx)->block); \ (incr); \ \ (data) += __md_left; \ (length) -= __md_left; \ } \ } \ while ((length) >= sizeof((ctx)->block)) \ { \ f((ctx), (data)); \ (incr); \ \ (data) += sizeof((ctx)->block); \ (length) -= sizeof((ctx)->block); \ } \ memcpy ((ctx)->block, (data), (length)); \ (ctx)->index = (length); \ __md_done: \ ; \ } while (0) /* Pads the block to a block boundary with the bit pattern 1 0*, leaving size octets for the length field at the end. If needed, compresses the block and starts a new one. */ #define MD_PAD(ctx, size, f) \ do { \ unsigned __md_i; \ __md_i = (ctx)->index; \ \ /* Set the first char of padding to 0x80. This is safe since there \ is always at least one byte free */ \ \ assert(__md_i < sizeof((ctx)->block)); \ (ctx)->block[__md_i++] = 0x80; \ \ if (__md_i > (sizeof((ctx)->block) - (size))) \ { /* No room for length in this block. Process it and \ pad with another one */ \ memset((ctx)->block + __md_i, 0, sizeof((ctx)->block) - __md_i); \ \ f((ctx), (ctx)->block); \ __md_i = 0; \ } \ memset((ctx)->block + __md_i, 0, \ sizeof((ctx)->block) - (size) - __md_i); \ \ } while (0) #endif /* NETTLE_MACROS_H_INCLUDED */ nettle-3.10/rsa-internal.h0000644000175000017500000000701614633602172014534 0ustar nissenisse/* rsa-internal.h The RSA publickey algorithm. Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RSA_INTERNAL_H_INCLUDED #define NETTLE_RSA_INTERNAL_H_INCLUDED #include "rsa.h" #include "nettle-meta.h" #define _rsa_verify _nettle_rsa_verify #define _rsa_verify_recover _nettle_rsa_verify_recover #define _rsa_check_size _nettle_rsa_check_size #define _rsa_blind _nettle_rsa_blind #define _rsa_unblind _nettle_rsa_unblind #define _rsa_sec_compute_root_itch _nettle_rsa_sec_compute_root_itch #define _rsa_sec_compute_root _nettle_rsa_sec_compute_root #define _rsa_sec_compute_root_tr _nettle_rsa_sec_compute_root_tr #define _rsa_oaep_encrypt _nettle_rsa_oaep_encrypt #define _rsa_oaep_decrypt _nettle_rsa_oaep_decrypt /* Internal functions. */ int _rsa_verify(const struct rsa_public_key *key, const mpz_t m, const mpz_t s); int _rsa_verify_recover(const struct rsa_public_key *key, mpz_t m, const mpz_t s); size_t _rsa_check_size(mpz_t n); /* _rsa_blind and _rsa_unblind are deprecated, unused in the library, and will likely be removed with the next ABI break. */ void _rsa_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mpz_t c, mpz_t ri) _NETTLE_ATTRIBUTE_DEPRECATED; void _rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri) _NETTLE_ATTRIBUTE_DEPRECATED; /* side-channel silent root computation */ mp_size_t _rsa_sec_compute_root_itch(const struct rsa_private_key *key); void _rsa_sec_compute_root(const struct rsa_private_key *key, mp_limb_t *rp, const mp_limb_t *mp, mp_limb_t *scratch); /* Safe side-channel silent variant, using RSA blinding, and checking the * result after CRT. In-place calls, with x == m, is allowed. */ int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mp_limb_t *x, const mp_limb_t *m); int _rsa_oaep_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext); int _rsa_oaep_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */ nettle-3.10/rsa-blind.c0000644000175000017500000000364514633602171014006 0ustar nissenisse/* rsa-blind.c RSA blinding. Used for resistance to timing-attacks. Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" /* Blinds the c, by computing c *= r^e (mod n), for a random r. Also returns the inverse (ri), for use by rsa_unblind. */ void _rsa_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mpz_t c, mpz_t ri) { mpz_t r; mpz_init(r); /* c = c*(r^e) * ri = r^(-1) */ do { nettle_mpz_random(r, random_ctx, random, pub->n); /* invert r */ } while (!mpz_invert (ri, r, pub->n)); /* c = c*(r^e) mod n */ mpz_powm_sec(r, r, pub->e, pub->n); mpz_mul(c, c, r); mpz_fdiv_r(c, c, pub->n); mpz_clear(r); } /* c *= ri mod n */ void _rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri) { mpz_mul(c, c, ri); mpz_fdiv_r(c, c, pub->n); } nettle-3.10/pkcs1-encrypt.c0000644000175000017500000000431614633602171014632 0ustar nissenisse/* pkcs1-encrypt.c The RSA publickey algorithm. PKCS#1 encryption. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "pkcs1.h" #include "bignum.h" #include "gmp-glue.h" int pkcs1_encrypt (size_t key_size, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *message, mpz_t m) { TMP_GMP_DECL(em, uint8_t); size_t padding; size_t i; /* The message is encoded as a string of the same length as the * modulo n, of the form * * 00 02 pad 00 message * * where padding should be at least 8 pseudorandomly generated * *non-zero* octets. */ if (length + 11 > key_size) /* Message too long for this key. */ return 0; /* At least 8 octets of random padding */ padding = key_size - length - 3; assert(padding >= 8); TMP_GMP_ALLOC(em, key_size - 1); em[0] = 2; random(random_ctx, padding, em + 1); /* Replace 0-octets with 1 */ for (i = 0; i * 100% Public Domain - no warranty * Released 1997.10.11 */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cast128.h" #include "cast128_sboxes.h" #include "macros.h" #define CAST_SMALL_KEY 10 #define S1 cast_sbox1 #define S2 cast_sbox2 #define S3 cast_sbox3 #define S4 cast_sbox4 #define S5 cast_sbox5 #define S6 cast_sbox6 #define S7 cast_sbox7 #define S8 cast_sbox8 /* Macros to access 8-bit bytes out of a 32-bit word */ #define B0(x) ( (uint8_t) (x>>24) ) #define B1(x) ( (uint8_t) ((x>>16)&0xff) ) #define B2(x) ( (uint8_t) ((x>>8)&0xff) ) #define B3(x) ( (uint8_t) ((x)&0xff) ) /* NOTE: Depends on ROTL32 supporting a zero shift count. */ /* CAST-128 uses three different round functions */ #define F1(l, r, i) do { \ t = ctx->Km[i] + r; \ t = ROTL32(ctx->Kr[i], t); \ l ^= ((S1[B0(t)] ^ S2[B1(t)]) - S3[B2(t)]) + S4[B3(t)]; \ } while (0) #define F2(l, r, i) do { \ t = ctx->Km[i] ^ r; \ t = ROTL32( ctx->Kr[i], t); \ l ^= ((S1[B0(t)] - S2[B1(t)]) + S3[B2(t)]) ^ S4[B3(t)]; \ } while (0) #define F3(l, r, i) do { \ t = ctx->Km[i] - r; \ t = ROTL32(ctx->Kr[i], t); \ l ^= ((S1[B0(t)] + S2[B1(t)]) ^ S3[B2(t)]) - S4[B3(t)]; \ } while (0) /***** Encryption Function *****/ void cast128_encrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAST128_BLOCK_SIZE) { uint32_t t, l, r; /* Get inblock into l,r */ l = READ_UINT32(src); r = READ_UINT32(src+4); /* Do the work */ F1(l, r, 0); F2(r, l, 1); F3(l, r, 2); F1(r, l, 3); F2(l, r, 4); F3(r, l, 5); F1(l, r, 6); F2(r, l, 7); F3(l, r, 8); F1(r, l, 9); F2(l, r, 10); F3(r, l, 11); /* Only do full 16 rounds if key length > 80 bits */ if (ctx->rounds & 16) { F1(l, r, 12); F2(r, l, 13); F3(l, r, 14); F1(r, l, 15); } /* Put l,r into outblock */ WRITE_UINT32(dst, r); WRITE_UINT32(dst + 4, l); } } /***** Decryption Function *****/ void cast128_decrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAST128_BLOCK_SIZE) { uint32_t t, l, r; /* Get inblock into l,r */ r = READ_UINT32(src); l = READ_UINT32(src+4); /* Do the work */ /* Only do full 16 rounds if key length > 80 bits */ if (ctx->rounds & 16) { F1(r, l, 15); F3(l, r, 14); F2(r, l, 13); F1(l, r, 12); } F3(r, l, 11); F2(l, r, 10); F1(r, l, 9); F3(l, r, 8); F2(r, l, 7); F1(l, r, 6); F3(r, l, 5); F2(l, r, 4); F1(r, l, 3); F3(l, r, 2); F2(r, l, 1); F1(l, r, 0); /* Put l,r into outblock */ WRITE_UINT32(dst, l); WRITE_UINT32(dst + 4, r); } } /***** Key Schedule *****/ #define SET_KM(i, k) ctx->Km[i] = (k) #define SET_KR(i, k) ctx->Kr[i] = (k) & 31 #define EXPAND(set, full) do { \ z0 = x0 ^ S5[B1(x3)] ^ S6[B3(x3)] ^ S7[B0(x3)] ^ S8[B2(x3)] ^ S7[B0(x2)]; \ z1 = x2 ^ S5[B0(z0)] ^ S6[B2(z0)] ^ S7[B1(z0)] ^ S8[B3(z0)] ^ S8[B2(x2)]; \ z2 = x3 ^ S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S5[B1(x2)]; \ z3 = x1 ^ S5[B2(z2)] ^ S6[B1(z2)] ^ S7[B3(z2)] ^ S8[B0(z2)] ^ S6[B3(x2)]; \ \ set(0, S5[B0(z2)] ^ S6[B1(z2)] ^ S7[B3(z1)] ^ S8[B2(z1)] ^ S5[B2(z0)]); \ set(1, S5[B2(z2)] ^ S6[B3(z2)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S6[B2(z1)]); \ set(2, S5[B0(z3)] ^ S6[B1(z3)] ^ S7[B3(z0)] ^ S8[B2(z0)] ^ S7[B1(z2)]); \ set(3, S5[B2(z3)] ^ S6[B3(z3)] ^ S7[B1(z0)] ^ S8[B0(z0)] ^ S8[B0(z3)]); \ \ x0 = z2 ^ S5[B1(z1)] ^ S6[B3(z1)] ^ S7[B0(z1)] ^ S8[B2(z1)] ^ S7[B0(z0)]; \ x1 = z0 ^ S5[B0(x0)] ^ S6[B2(x0)] ^ S7[B1(x0)] ^ S8[B3(x0)] ^ S8[B2(z0)]; \ x2 = z1 ^ S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S5[B1(z0)]; \ x3 = z3 ^ S5[B2(x2)] ^ S6[B1(x2)] ^ S7[B3(x2)] ^ S8[B0(x2)] ^ S6[B3(z0)]; \ \ set(4, S5[B3(x0)] ^ S6[B2(x0)] ^ S7[B0(x3)] ^ S8[B1(x3)] ^ S5[B0(x2)]); \ set(5, S5[B1(x0)] ^ S6[B0(x0)] ^ S7[B2(x3)] ^ S8[B3(x3)] ^ S6[B1(x3)]); \ set(6, S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B0(x2)] ^ S8[B1(x2)] ^ S7[B3(x0)]); \ set(7, S5[B1(x1)] ^ S6[B0(x1)] ^ S7[B2(x2)] ^ S8[B3(x2)] ^ S8[B3(x1)]); \ \ z0 = x0 ^ S5[B1(x3)] ^ S6[B3(x3)] ^ S7[B0(x3)] ^ S8[B2(x3)] ^ S7[B0(x2)]; \ z1 = x2 ^ S5[B0(z0)] ^ S6[B2(z0)] ^ S7[B1(z0)] ^ S8[B3(z0)] ^ S8[B2(x2)]; \ z2 = x3 ^ S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B1(z1)] ^ S8[B0(z1)] ^ S5[B1(x2)]; \ z3 = x1 ^ S5[B2(z2)] ^ S6[B1(z2)] ^ S7[B3(z2)] ^ S8[B0(z2)] ^ S6[B3(x2)]; \ \ set(8, S5[B3(z0)] ^ S6[B2(z0)] ^ S7[B0(z3)] ^ S8[B1(z3)] ^ S5[B1(z2)]); \ set(9, S5[B1(z0)] ^ S6[B0(z0)] ^ S7[B2(z3)] ^ S8[B3(z3)] ^ S6[B0(z3)]); \ set(10, S5[B3(z1)] ^ S6[B2(z1)] ^ S7[B0(z2)] ^ S8[B1(z2)] ^ S7[B2(z0)]); \ set(11, S5[B1(z1)] ^ S6[B0(z1)] ^ S7[B2(z2)] ^ S8[B3(z2)] ^ S8[B2(z1)]); \ \ x0 = z2 ^ S5[B1(z1)] ^ S6[B3(z1)] ^ S7[B0(z1)] ^ S8[B2(z1)] ^ S7[B0(z0)]; \ x1 = z0 ^ S5[B0(x0)] ^ S6[B2(x0)] ^ S7[B1(x0)] ^ S8[B3(x0)] ^ S8[B2(z0)]; \ x2 = z1 ^ S5[B3(x1)] ^ S6[B2(x1)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S5[B1(z0)]; \ x3 = z3 ^ S5[B2(x2)] ^ S6[B1(x2)] ^ S7[B3(x2)] ^ S8[B0(x2)] ^ S6[B3(z0)]; \ if (full) \ { \ set(12, S5[B0(x2)] ^ S6[B1(x2)] ^ S7[B3(x1)] ^ S8[B2(x1)] ^ S5[B3(x0)]); \ set(13, S5[B2(x2)] ^ S6[B3(x2)] ^ S7[B1(x1)] ^ S8[B0(x1)] ^ S6[B3(x1)]); \ set(14, S5[B0(x3)] ^ S6[B1(x3)] ^ S7[B3(x0)] ^ S8[B2(x0)] ^ S7[B0(x2)]); \ set(15, S5[B2(x3)] ^ S6[B3(x3)] ^ S7[B1(x0)] ^ S8[B0(x0)] ^ S8[B1(x3)]); \ } \ } while (0) void cast5_set_key(struct cast128_ctx *ctx, size_t length, const uint8_t *key) { uint32_t x0, x1, x2, x3, z0, z1, z2, z3; uint32_t w; int full; assert (length >= CAST5_MIN_KEY_SIZE); assert (length <= CAST5_MAX_KEY_SIZE); full = (length > CAST_SMALL_KEY); x0 = READ_UINT32 (key); /* Read final word, possibly zero-padded. */ switch (length & 3) { case 0: w = READ_UINT32 (key + length - 4); break; case 3: w = READ_UINT24 (key + length - 3) << 8; break; case 2: w = READ_UINT16 (key + length - 2) << 16; break; case 1: w = (uint32_t) key[length - 1] << 24; break; } if (length <= 8) { x1 = w; x2 = x3 = 0; } else { x1 = READ_UINT32 (key + 4); if (length <= 12) { x2 = w; x3 = 0; } else { x2 = READ_UINT32 (key + 8); x3 = w; } } EXPAND(SET_KM, full); EXPAND(SET_KR, full); ctx->rounds = full ? 16 : 12; } void cast128_set_key(struct cast128_ctx *ctx, const uint8_t *key) { cast5_set_key (ctx, CAST128_KEY_SIZE, key); } nettle-3.10/realloc.c0000644000175000017500000000320514633602171013544 0ustar nissenisse/* realloc.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "realloc.h" /* NOTE: Calling libc realloc with size == 0 is not required to totally free the object, it is allowed to return a valid pointer. */ void * nettle_realloc(void *ctx UNUSED, void *p, size_t length) { if (length > 0) return realloc(p, length); free(p); return NULL; } void * nettle_xrealloc(void *ctx UNUSED, void *p, size_t length) { if (length > 0) { void *n = realloc(p, length); if (!n) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return n; } free(p); return NULL; } nettle-3.10/gcm-internal.h0000644000175000017500000000365214633602172014517 0ustar nissenisse/* gcm-internal.h Copyright (C) 2024 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GCM_INTERNAL_H_INCLUDED #define NETTLE_GCM_INTERNAL_H_INCLUDED #include "gcm.h" #if HAVE_NATIVE_gcm_aes_encrypt /* Name mangling */ #define _gcm_aes_encrypt _nettle_gcm_aes_encrypt #define _gcm_aes_decrypt _nettle_gcm_aes_decrypt /* To reduce the number of arguments (e.g., maximum of 6 register arguments on x86_64), pass a pointer to gcm_key, which really is a pointer to the first member of the appropriate gcm_aes*_ctx struct. */ size_t _gcm_aes_encrypt (struct gcm_key *key, unsigned rounds, size_t size, uint8_t *dst, const uint8_t *src); size_t _gcm_aes_decrypt (struct gcm_key *CTX, unsigned rounds, size_t size, uint8_t *dst, const uint8_t *src); #else /* !HAVE_NATIVE_gcm_aes_encrypt */ #define _gcm_aes_encrypt(key, rounds, size, dst, src) 0 #define _gcm_aes_decrypt(key, rounds, size, dst, src) 0 #endif /* !HAVE_NATIVE_gcm_aes_encrypt */ #endif /* NETTLE_GCM_INTERNAL_H_INCLUDED */ nettle-3.10/gcm-camellia256-meta.c0000644000175000017500000000354114633602171015622 0ustar nissenisse/* gcm-camellia256-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_camellia256_set_nonce_wrapper; static void gcm_camellia256_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_camellia256_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_camellia256 = { "gcm_camellia256", sizeof(struct gcm_camellia256_ctx), GCM_BLOCK_SIZE, CAMELLIA256_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_camellia256_set_key, (nettle_set_key_func *) gcm_camellia256_set_key, gcm_camellia256_set_nonce_wrapper, (nettle_hash_update_func *) gcm_camellia256_update, (nettle_crypt_func *) gcm_camellia256_encrypt, (nettle_crypt_func *) gcm_camellia256_decrypt, (nettle_hash_digest_func *) gcm_camellia256_digest, }; nettle-3.10/sha512-224-meta.c0000644000175000017500000000261314633602171014361 0ustar nissenisse/* sha512-224-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha512_224 = { "sha512_224", sizeof(struct sha512_ctx), SHA512_224_DIGEST_SIZE, SHA512_224_BLOCK_SIZE, (nettle_hash_init_func *) sha512_224_init, (nettle_hash_update_func *) sha512_224_update, (nettle_hash_digest_func *) sha512_224_digest }; nettle-3.10/dsa-compat-keygen.c0000644000175000017500000000425614633602171015442 0ustar nissenisse/* dsa-compat-keygen.c Generation of DSA keypairs Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "dsa-compat.h" #include "bignum.h" /* Undo name mangling */ #undef dsa_generate_keypair #define dsa_generate_keypair nettle_dsa_generate_keypair /* Valid sizes, according to FIPS 186-3 are (1024, 160), (2048, 224), (2048, 256), (3072, 256). */ int dsa_compat_generate_keypair(struct dsa_public_key *pub, struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits) { struct dsa_params *params; switch (q_bits) { case 160: if (p_bits < DSA_SHA1_MIN_P_BITS) return 0; break; case 224: case 256: if (p_bits < DSA_SHA256_MIN_P_BITS) return 0; break; default: return 0; } /* NOTE: Depends on identical layout! */ params = (struct dsa_params *) pub; if (!dsa_generate_params (params, random_ctx, random, progress_ctx, progress, p_bits, q_bits)) return 0; dsa_generate_keypair (params, pub->y, key->x, random_ctx, random); return 1; } nettle-3.10/hmac.h0000644000175000017500000002053314633602172013044 0ustar nissenisse/* hmac.h HMAC message authentication code (RFC-2104). Copyright (C) 2001, 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_HMAC_H_INCLUDED #define NETTLE_HMAC_H_INCLUDED #include "nettle-meta.h" #include "gosthash94.h" #include "md5.h" #include "ripemd160.h" #include "sha1.h" #include "sha2.h" #include "streebog.h" #include "sm3.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define hmac_set_key nettle_hmac_set_key #define hmac_update nettle_hmac_update #define hmac_digest nettle_hmac_digest #define hmac_md5_set_key nettle_hmac_md5_set_key #define hmac_md5_update nettle_hmac_md5_update #define hmac_md5_digest nettle_hmac_md5_digest #define hmac_ripemd160_set_key nettle_hmac_ripemd160_set_key #define hmac_ripemd160_update nettle_hmac_ripemd160_update #define hmac_ripemd160_digest nettle_hmac_ripemd160_digest #define hmac_sha1_set_key nettle_hmac_sha1_set_key #define hmac_sha1_update nettle_hmac_sha1_update #define hmac_sha1_digest nettle_hmac_sha1_digest #define hmac_sha224_set_key nettle_hmac_sha224_set_key #define hmac_sha224_digest nettle_hmac_sha224_digest #define hmac_sha256_set_key nettle_hmac_sha256_set_key #define hmac_sha256_update nettle_hmac_sha256_update #define hmac_sha256_digest nettle_hmac_sha256_digest #define hmac_sha384_set_key nettle_hmac_sha384_set_key #define hmac_sha384_digest nettle_hmac_sha384_digest #define hmac_sha512_set_key nettle_hmac_sha512_set_key #define hmac_sha512_update nettle_hmac_sha512_update #define hmac_sha512_digest nettle_hmac_sha512_digest #define hmac_gosthash94_set_key nettle_hmac_gosthash94_set_key #define hmac_gosthash94_update nettle_hmac_gosthash94_update #define hmac_gosthash94_digest nettle_hmac_gosthash94_digest #define hmac_gosthash94cp_set_key nettle_hmac_gosthash94cp_set_key #define hmac_gosthash94cp_update nettle_hmac_gosthash94cp_update #define hmac_gosthash94cp_digest nettle_hmac_gosthash94cp_digest #define hmac_streebog256_set_key nettle_hmac_streebog256_set_key #define hmac_streebog256_digest nettle_hmac_streebog256_digest #define hmac_streebog512_set_key nettle_hmac_streebog512_set_key #define hmac_streebog512_update nettle_hmac_streebog512_update #define hmac_streebog512_digest nettle_hmac_streebog512_digest #define hmac_sm3_set_key nettle_hmac_sm3_set_key #define hmac_sm3_update nettle_hmac_sm3_update #define hmac_sm3_digest nettle_hmac_sm3_digest void hmac_set_key(void *outer, void *inner, void *state, const struct nettle_hash *hash, size_t length, const uint8_t *key); /* This function is not strictly needed, it's s just the same as the * hash update function. */ void hmac_update(void *state, const struct nettle_hash *hash, size_t length, const uint8_t *data); void hmac_digest(const void *outer, const void *inner, void *state, const struct nettle_hash *hash, size_t length, uint8_t *digest); #define HMAC_CTX(type) \ { type outer; type inner; type state; } #define HMAC_SET_KEY(ctx, hash, length, key) \ hmac_set_key( &(ctx)->outer, &(ctx)->inner, &(ctx)->state, \ (hash), (length), (key) ) #define HMAC_DIGEST(ctx, hash, length, digest) \ hmac_digest( &(ctx)->outer, &(ctx)->inner, &(ctx)->state, \ (hash), (length), (digest) ) /* HMAC using specific hash functions */ /* hmac-md5 */ struct hmac_md5_ctx HMAC_CTX(struct md5_ctx); void hmac_md5_set_key(struct hmac_md5_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_md5_update(struct hmac_md5_ctx *ctx, size_t length, const uint8_t *data); void hmac_md5_digest(struct hmac_md5_ctx *ctx, size_t length, uint8_t *digest); /* hmac-ripemd160 */ struct hmac_ripemd160_ctx HMAC_CTX(struct ripemd160_ctx); void hmac_ripemd160_set_key(struct hmac_ripemd160_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_ripemd160_update(struct hmac_ripemd160_ctx *ctx, size_t length, const uint8_t *data); void hmac_ripemd160_digest(struct hmac_ripemd160_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha1 */ struct hmac_sha1_ctx HMAC_CTX(struct sha1_ctx); void hmac_sha1_set_key(struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sha1_update(struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data); void hmac_sha1_digest(struct hmac_sha1_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha256 */ struct hmac_sha256_ctx HMAC_CTX(struct sha256_ctx); void hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sha256_update(struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data); void hmac_sha256_digest(struct hmac_sha256_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha224 */ #define hmac_sha224_ctx hmac_sha256_ctx void hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, size_t key_length, const uint8_t *key); #define hmac_sha224_update nettle_hmac_sha256_update void hmac_sha224_digest(struct hmac_sha224_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha512 */ struct hmac_sha512_ctx HMAC_CTX(struct sha512_ctx); void hmac_sha512_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sha512_update(struct hmac_sha512_ctx *ctx, size_t length, const uint8_t *data); void hmac_sha512_digest(struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sha384 */ #define hmac_sha384_ctx hmac_sha512_ctx void hmac_sha384_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key); #define hmac_sha384_update nettle_hmac_sha512_update void hmac_sha384_digest(struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest); /* hmac-gosthash94 */ struct hmac_gosthash94_ctx HMAC_CTX(struct gosthash94_ctx); void hmac_gosthash94_set_key(struct hmac_gosthash94_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_gosthash94_update(struct hmac_gosthash94_ctx *ctx, size_t length, const uint8_t *data); void hmac_gosthash94_digest(struct hmac_gosthash94_ctx *ctx, size_t length, uint8_t *digest); struct hmac_gosthash94cp_ctx HMAC_CTX(struct gosthash94cp_ctx); void hmac_gosthash94cp_set_key(struct hmac_gosthash94cp_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_gosthash94cp_update(struct hmac_gosthash94cp_ctx *ctx, size_t length, const uint8_t *data); void hmac_gosthash94cp_digest(struct hmac_gosthash94cp_ctx *ctx, size_t length, uint8_t *digest); /* hmac-streebog */ struct hmac_streebog512_ctx HMAC_CTX(struct streebog512_ctx); void hmac_streebog512_set_key(struct hmac_streebog512_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_streebog512_update(struct hmac_streebog512_ctx *ctx, size_t length, const uint8_t *data); void hmac_streebog512_digest(struct hmac_streebog512_ctx *ctx, size_t length, uint8_t *digest); #define hmac_streebog256_ctx hmac_streebog512_ctx void hmac_streebog256_set_key(struct hmac_streebog256_ctx *ctx, size_t key_length, const uint8_t *key); #define hmac_streebog256_update hmac_streebog512_update void hmac_streebog256_digest(struct hmac_streebog256_ctx *ctx, size_t length, uint8_t *digest); /* hmac-sm3 */ struct hmac_sm3_ctx HMAC_CTX(struct sm3_ctx); void hmac_sm3_set_key(struct hmac_sm3_ctx *ctx, size_t key_length, const uint8_t *key); void hmac_sm3_update(struct hmac_sm3_ctx *ctx, size_t length, const uint8_t *data); void hmac_sm3_digest(struct hmac_sm3_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_HMAC_H_INCLUDED */ nettle-3.10/eddsa.h0000644000175000017500000000466614633602172013225 0ustar nissenisse/* eddsa.h Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EDDSA_H #define NETTLE_EDDSA_H #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ed25519_sha512_set_private_key nettle_ed25519_sha512_set_private_key #define ed25519_sha512_public_key nettle_ed25519_sha512_public_key #define ed25519_sha512_sign nettle_ed25519_sha512_sign #define ed25519_sha512_verify nettle_ed25519_sha512_verify #define ed448_shake256_public_key nettle_ed448_shake256_public_key #define ed448_shake256_sign nettle_ed448_shake256_sign #define ed448_shake256_verify nettle_ed448_shake256_verify #define ED25519_KEY_SIZE 32 #define ED25519_SIGNATURE_SIZE 64 void ed25519_sha512_public_key (uint8_t *pub, const uint8_t *priv); void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); int ed25519_sha512_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); #define ED448_KEY_SIZE 57 #define ED448_SIGNATURE_SIZE 114 void ed448_shake256_public_key (uint8_t *pub, const uint8_t *priv); void ed448_shake256_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature); int ed448_shake256_verify (const uint8_t *pub, size_t length, const uint8_t *msg, const uint8_t *signature); #ifdef __cplusplus } #endif #endif /* NETTLE_EDDSA_H */ nettle-3.10/md5-compat.h0000644000175000017500000000306114633602172014077 0ustar nissenisse/* md5-compat.h The md5 hash function, RFC 1321-style interface. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD5_COMPAT_H_INCLUDED #define NETTLE_MD5_COMPAT_H_INCLUDED #include "md5.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define MD5Init nettle_MD5Init #define MD5Update nettle_MD5Update #define MD5Final nettle_MD5Final typedef struct md5_ctx MD5_CTX; void MD5Init(MD5_CTX *ctx); void MD5Update(MD5_CTX *ctx, const unsigned char *data, unsigned int length); void MD5Final(unsigned char *out, MD5_CTX *ctx); #ifdef __cplusplus } #endif #endif /* NETTLE_MD5_COMPAT_H_INCLUDED */ nettle-3.10/chacha-poly1305.c0000644000175000017500000001037214633602171014627 0ustar nissenisse/* chacha-poly1305.c AEAD mechanism based on chacha and poly1305. Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This implements chacha-poly1305 according to draft-irtf-cfrg-chacha20-poly1305-08. The inputs to poly1305 are: associated data zero padding ciphertext zero padding length of associated data (64-bit, little endian) length of ciphertext (64-bit, little endian) where the padding fields are 0-15 zero bytes, filling up to a 16-byte boundary. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "chacha-internal.h" #include "chacha-poly1305.h" #include "poly1305-internal.h" #include "macros.h" #define CHACHA_ROUNDS 20 /* FIXME: Also set nonce to zero, and implement nonce auto-increment? */ void chacha_poly1305_set_key (struct chacha_poly1305_ctx *ctx, const uint8_t *key) { chacha_set_key (&ctx->chacha, key); } void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *ctx, const uint8_t *nonce) { union { uint32_t x[_CHACHA_STATE_LENGTH]; uint8_t subkey[32]; } u; chacha_set_nonce96 (&ctx->chacha, nonce); /* Generate authentication key */ _nettle_chacha_core (u.x, ctx->chacha.state, CHACHA_ROUNDS); _nettle_poly1305_set_key (&ctx->poly1305, u.subkey); /* For final poly1305 processing */ memcpy (ctx->s.b, u.subkey + 16, 16); /* Increment block count */ ctx->chacha.state[12] = 1; ctx->auth_size = ctx->data_size = ctx->index = 0; } /* FIXME: Duplicated in poly1305-aes128.c */ #define COMPRESS(ctx, data) _nettle_poly1305_block(&(ctx)->poly1305, (data), 1) static void poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _nettle_poly1305_update (&(ctx)->poly1305, ctx->block, ctx->index, length, data); } static void poly1305_pad (struct chacha_poly1305_ctx *ctx) { if (ctx->index) { memset (ctx->block + ctx->index, 0, POLY1305_BLOCK_SIZE - ctx->index); _nettle_poly1305_block(&ctx->poly1305, ctx->block, 1); ctx->index = 0; } } void chacha_poly1305_update (struct chacha_poly1305_ctx *ctx, size_t length, const uint8_t *data) { assert (ctx->data_size == 0); poly1305_update (ctx, length, data); ctx->auth_size += length; } void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0); poly1305_pad (ctx); chacha_crypt32 (&ctx->chacha, length, dst, src); poly1305_update (ctx, length, dst); ctx->data_size += length; } void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { if (!length) return; assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0); poly1305_pad (ctx); poly1305_update (ctx, length, src); chacha_crypt32 (&ctx->chacha, length, dst, src); ctx->data_size += length; } void chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx, size_t length, uint8_t *digest) { uint8_t buf[16]; poly1305_pad (ctx); LE_WRITE_UINT64 (buf, ctx->auth_size); LE_WRITE_UINT64 (buf + 8, ctx->data_size); _nettle_poly1305_block (&ctx->poly1305, buf, 1); _nettle_poly1305_digest (&ctx->poly1305, &ctx->s); memcpy (digest, &ctx->s.b, length); } nettle-3.10/README0000644000175000017500000000460514633602172012645 0ustar nissenisseWhat is GNU Nettle? A quote from the introduction in the Nettle Manual: Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a simple but general interface to it. In particular, Nettle doesn't do algorithm selection. It doesn't do memory allocation. It doesn't do any I/O. The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library. GNU Nettle is free software; you can redistribute it and/or modify it under the terms contained in the files COPYING* (see the manual for information on how these licenses apply). If you have downloaded a Nettle release, build it with the usual ./configure && make && make check && make install (see the INSTALL file for further instructions). Using GNU make is strongly recommended. Nettle's support for public key algorithms, such as RSA and ECDSA, depends on the GNU GMP library. You can also get Nettle from git, see http://www.lysator.liu.se/~nisse/nettle/ for current instructions. In particular, you need to run the ./.bootstrap script after checkout and before running ./configure. Read the manual. Mail me if you have any questions or suggestions. You may want to subscribe to the nettle-bugs mailing list. See . See CONTRIBUTING.md for information on contibuting patches. Happy hacking, /Niels Möller nettle-3.10/sha256.c0000644000175000017500000001157314633602171013142 0ustar nissenisse/* sha256.c The sha256 hash function. See http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Modelled after the sha1.c code by Peter Gutmann. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "sha2.h" #include "sha2-internal.h" #include "macros.h" #include "md-internal.h" #include "nettle-write.h" /* Generated by the shadata program. */ static const uint32_t K[64] = { 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, }; void sha256_compress(uint32_t *state, const uint8_t *input) { _nettle_sha256_compress_n(state, K, 1, input); } #define COMPRESS(ctx, data) (sha256_compress((ctx)->state, (data))) /* Initialize the SHA values */ void sha256_init(struct sha256_ctx *ctx) { /* Initial values, also generated by the shadata program. */ static const uint32_t H0[_SHA256_DIGEST_LENGTH] = { 0x6a09e667UL, 0xbb67ae85UL, 0x3c6ef372UL, 0xa54ff53aUL, 0x510e527fUL, 0x9b05688cUL, 0x1f83d9abUL, 0x5be0cd19UL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } void sha256_update(struct sha256_ctx *ctx, size_t length, const uint8_t *data) { size_t blocks; if (!length) return; if (ctx->index > 0) { /* Try to fill partial block */ MD_FILL_OR_RETURN (ctx, length, data); sha256_compress (ctx->state, ctx->block); ctx->count++; } blocks = length >> 6; data = _nettle_sha256_compress_n (ctx->state, K, blocks, data); ctx->count += blocks; length &= 63; memcpy (ctx->block, data, length); ctx->index = length; } static void sha256_write_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= SHA256_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ WRITE_UINT64(ctx->block + (SHA256_BLOCK_SIZE - 8), bit_count); sha256_compress(ctx->state, ctx->block); _nettle_write_be32(length, digest, ctx->state); } void sha256_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest) { sha256_write_digest(ctx, length, digest); sha256_init(ctx); } /* sha224 variant. */ void sha224_init(struct sha256_ctx *ctx) { /* Initial values. Low 32 bits of the initial values for sha384. */ static const uint32_t H0[_SHA256_DIGEST_LENGTH] = { 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } void sha224_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest) { sha256_write_digest(ctx, length, digest); sha224_init(ctx); } nettle-3.10/der2rsa.c0000644000175000017500000000740414633602171013472 0ustar nissenisse/* der2rsa.c Decoding of keys in PKCS#1 format. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "bignum.h" #include "asn1.h" #define GET(i, x, l) \ (asn1_der_iterator_next((i)) == ASN1_ITERATOR_PRIMITIVE \ && (i)->type == ASN1_INTEGER \ && asn1_der_get_bignum((i), (x), (l)) \ && mpz_sgn((x)) > 0) int rsa_public_key_from_der_iterator(struct rsa_public_key *pub, unsigned limit, struct asn1_der_iterator *i) { /* RSAPublicKey ::= SEQUENCE { modulus INTEGER, -- n publicExponent INTEGER -- e } */ return (i->type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && asn1_der_get_bignum(i, pub->n, limit) && mpz_sgn(pub->n) > 0 && GET(i, pub->e, limit) && asn1_der_iterator_next(i) == ASN1_ITERATOR_END && rsa_public_key_prepare(pub)); } int rsa_private_key_from_der_iterator(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct asn1_der_iterator *i) { /* RSAPrivateKey ::= SEQUENCE { version Version, modulus INTEGER, -- n publicExponent INTEGER, -- e privateExponent INTEGER, -- d prime1 INTEGER, -- p prime2 INTEGER, -- q exponent1 INTEGER, -- d mod (p-1) exponent2 INTEGER, -- d mod (q-1) coefficient INTEGER, -- (inverse of q) mod p otherPrimeInfos OtherPrimeInfos OPTIONAL } */ uint32_t version; if (i->type != ASN1_SEQUENCE) return 0; if (asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && i->type == ASN1_INTEGER && asn1_der_get_uint32(i, &version) && version <= 1 && GET(i, pub->n, limit) && GET(i, pub->e, limit) && rsa_public_key_prepare(pub) && GET(i, priv->d, limit) && GET(i, priv->p, limit) && GET(i, priv->q, limit) && GET(i, priv->a, limit) && GET(i, priv->b, limit) && GET(i, priv->c, limit) && rsa_private_key_prepare(priv)) { if (version == 1) { /* otherPrimeInfos must be present. We ignore the contents */ if (!(asn1_der_iterator_next(i) == ASN1_ITERATOR_CONSTRUCTED && i->type == ASN1_SEQUENCE)) return 0; } return (asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } return 0; } int rsa_keypair_from_der(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *data) { struct asn1_der_iterator i; enum asn1_iterator_result res; res = asn1_der_iterator_first(&i, length, data); if (res != ASN1_ITERATOR_CONSTRUCTED) return 0; if (priv) return rsa_private_key_from_der_iterator(pub, priv, limit, &i); else return rsa_public_key_from_der_iterator(pub, limit, &i); } nettle-3.10/ecc-add-jja.c0000644000175000017500000000676114633602171014157 0ustar nissenisse/* ecc-add-jj.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* NOTE: Behaviour for corner cases: + p = 0 ==> r = 0 (invalid except if also q = 0) + q = 0 ==> r = invalid + p = -q ==> r = 0, correct! + p = q ==> r = 0, invalid */ void ecc_add_jja (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b): Computation Operation Live variables ZZ = Z_1^2 sqr ZZ H = X_2*ZZ - X_1 mul (djb: U_2) ZZ, H HH = H^2 sqr ZZ, H, HH ZZZ = ZZ*Z_1 mul ZZ, H, HH, ZZZ Z_3 = (Z_1+H)^2-ZZ-HH sqr H, HH, ZZZ W = 2 (Y_2*ZZZ - Y_1) mul (djb: S_2) H, HH, W I = 4*HH H, W, I J = H*I mul W, I, J V = X_1*I mul W, J, V X_3 = W^2-J-2*V sqr W, J, V Y_3 = W*(V-X_3)-2*Y_1*J mul, mul */ #define zz scratch #define h (scratch + ecc->p.size) #define w (scratch + 2*ecc->p.size) #define hh zz #define i zz #define v zz #define j h #define tp (scratch + 3*ecc->p.size) /* zz */ ecc_mod_sqr (&ecc->p, zz, z1, tp); /* zz */ /* h*/ ecc_mod_mul (&ecc->p, h, x2, zz, tp); /* zz, h */ ecc_mod_sub (&ecc->p, h, h, x1); /* Do z^3 early, store at w. */ ecc_mod_mul (&ecc->p, w, zz, z1, tp); /* zz, h, w */ /* z_3 */ ecc_mod_add (&ecc->p, z3, z1, h); ecc_mod_sqr (&ecc->p, z3, z3, tp); ecc_mod_sub (&ecc->p, z3, z3, zz); /* h, w */ /* hh */ ecc_mod_sqr (&ecc->p, hh, h, tp); /* h, w, hh */ ecc_mod_sub (&ecc->p, z3, z3, hh); /* w */ ecc_mod_mul (&ecc->p, w, y2, w, tp); ecc_mod_sub (&ecc->p, w, w, y1); ecc_mod_add (&ecc->p, w, w, w); /* i replaces hh */ ecc_mod_mul_1 (&ecc->p, i, hh, 4); /* h, w, i */ /* j replaces h */ ecc_mod_mul (&ecc->p, j, i, h, tp); /* w, i, j */ /* v replaces i */ ecc_mod_mul (&ecc->p, v, x1, i, tp); /* x_3 */ ecc_mod_sqr (&ecc->p, x3, w, tp); ecc_mod_sub (&ecc->p, x3, x3, j); ecc_mod_submul_1 (&ecc->p, x3, v, 2); /* y_3 */ ecc_mod_mul (&ecc->p, j, y1, j, tp); ecc_mod_sub (&ecc->p, y3, v, x3); ecc_mod_mul (&ecc->p, y3, y3, w, tp); ecc_mod_submul_1 (&ecc->p, y3, j, 2); } nettle-3.10/camellia192-meta.c0000644000175000017500000000274614633602171015063 0ustar nissenisse/* camellia192-meta.c Copyright (C) 2010, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "camellia.h" const struct nettle_cipher nettle_camellia192 = { "camellia192", sizeof(struct camellia256_ctx), CAMELLIA_BLOCK_SIZE, CAMELLIA192_KEY_SIZE, (nettle_set_key_func *) camellia192_set_encrypt_key, (nettle_set_key_func *) camellia192_set_decrypt_key, (nettle_cipher_func *) camellia256_crypt, (nettle_cipher_func *) camellia256_crypt }; nettle-3.10/arcfour.c0000644000175000017500000000426514633602171013573 0ustar nissenisse/* arcfour.c The arcfour/rc4 stream cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "arcfour.h" #define SWAP(a,b) do { int _t = a; a = b; b = _t; } while(0) void arcfour_set_key(struct arcfour_ctx *ctx, size_t length, const uint8_t *key) { unsigned i, j, k; assert(length >= ARCFOUR_MIN_KEY_SIZE); assert(length <= ARCFOUR_MAX_KEY_SIZE); /* Initialize context */ for (i = 0; i<256; i++) ctx->S[i] = i; for (i = j = k = 0; i<256; i++) { j += ctx->S[i] + key[k]; j &= 0xff; SWAP(ctx->S[i], ctx->S[j]); /* Repeat key as needed */ k = (k + 1) % length; } ctx->i = ctx->j = 0; } void arcfour128_set_key(struct arcfour_ctx *ctx, const uint8_t *key) { arcfour_set_key (ctx, ARCFOUR128_KEY_SIZE, key); } void arcfour_crypt(struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { register uint8_t i, j; register int si, sj; i = ctx->i; j = ctx->j; while(length--) { i++; i &= 0xff; si = ctx->S[i]; j += si; j &= 0xff; sj = ctx->S[i] = ctx->S[j]; ctx->S[j] = si; *dst++ = *src++ ^ ctx->S[ (si + sj) & 0xff ]; } ctx->i = i; ctx->j = j; } nettle-3.10/dsa-hash.c0000644000175000017500000000465414633602171013624 0ustar nissenisse/* dsa-hash.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "dsa-internal.h" #include "gmp-glue.h" /* Convert hash value to an integer. The general description of DSA in FIPS186-3 allows both larger and smaller q; in the the former case the hash is zero-padded at the left, in the latter case, the hash is truncated at the right. NOTE: We don't considered the hash value to be secret, so it's ok if the running time of this conversion depends on h. Output size is ceil(bit_size / GMP_NUMB_BITS). */ void _nettle_dsa_hash (mp_limb_t *hp, unsigned bit_size, size_t length, const uint8_t *digest) { unsigned octet_size = (bit_size + 7) / 8; unsigned limb_size = NETTLE_BIT_SIZE_TO_LIMB_SIZE (bit_size); if (length > octet_size) length = octet_size; mpn_set_base256(hp, limb_size, digest, length); if (8 * length > bit_size) /* We got a few extra bits, at the low end. Discard them. */ mpn_rshift (hp, hp, limb_size, 8*length - bit_size); } /* Uses little-endian order, and no trimming of left-over bits in the last byte (bits will instead be reduced mod q later). */ void _nettle_gostdsa_hash (mp_limb_t *hp, unsigned bit_size, size_t length, const uint8_t *digest) { unsigned octet_size = (bit_size + 7) / 8; unsigned limb_size = NETTLE_BIT_SIZE_TO_LIMB_SIZE (bit_size); if (length > octet_size) length = octet_size; mpn_set_base256_le(hp, limb_size, digest, length); } nettle-3.10/ecc-ecdsa-sign.c0000644000175000017500000000532014633602172014671 0ustar nissenisse/* ecc-ecdsa-sign.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "dsa-internal.h" /* Low-level ECDSA signing */ mp_size_t ecc_ecdsa_sign_itch (const struct ecc_curve *ecc) { /* Needs 3*ecc->p.size + scratch for ecc_mul_g. */ assert (ecc->p.size + ecc->p.invert_itch <= 3*ecc->p.size + ECC_MUL_G_ITCH (ecc->p.size)); return ECC_ECDSA_SIGN_ITCH (ecc->p.size); } /* NOTE: Caller should check if r or s is zero. */ void ecc_ecdsa_sign (const struct ecc_curve *ecc, const mp_limb_t *zp, /* Random nonce, must be invertible mod ecc group order. */ const mp_limb_t *kp, size_t length, const uint8_t *digest, mp_limb_t *rp, mp_limb_t *sp, mp_limb_t *scratch) { #define P scratch #define kinv scratch #define hp (scratch + ecc->p.size) /* NOTE: ecc->p.size + 1 limbs! */ #define tp (scratch + 2*ecc->p.size) /* Procedure, according to RFC 6090, "KT-I". q denotes the group order. 1. k <-- uniformly random, 0 < k < q 2. R <-- (r_x, r_y) = k g 3. s1 <-- r_x mod q 4. s2 <-- (h + z*s1)/k mod q. */ ecc_mul_g (ecc, P, kp, P + 3*ecc->p.size); /* x coordinate only, modulo q */ ecc_j_to_a (ecc, 2, rp, P, P + 3*ecc->p.size); /* Invert k, uses up to 7 * ecc->p.size including scratch (for secp384). */ ecc->q.invert (&ecc->q, kinv, kp, tp); /* Process hash digest */ _nettle_dsa_hash (hp, ecc->q.bit_size, length, digest); ecc_mod_mul (&ecc->q, tp, zp, rp, tp); ecc_mod_add (&ecc->q, hp, hp, tp); ecc_mod_mul_canonical (&ecc->q, sp, hp, kinv, tp); #undef P #undef hp #undef kinv #undef tp } nettle-3.10/ed448-shake256-sign.c0000644000175000017500000000366314633602172015250 0ustar nissenisse/* ed448-shake256-sign.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "ecc-internal.h" #include "eddsa-internal.h" #include "sha3.h" void ed448_shake256_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve448; const struct ecc_eddsa *eddsa = &_nettle_ed448_shake256; mp_size_t itch = ecc->q.size + _eddsa_sign_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k2 scratch #define scratch_out (scratch + ecc->q.size) struct sha3_256_ctx ctx; uint8_t digest[ED448_SIGNATURE_SIZE]; sha3_256_init (&ctx); _eddsa_expand_key (ecc, eddsa, &ctx, priv, digest, k2); _eddsa_sign (ecc, eddsa, &ctx, pub, digest + ED448_KEY_SIZE, k2, length, msg, signature, scratch_out); gmp_free_limbs (scratch, itch); #undef k1 #undef k2 #undef scratch_out } nettle-3.10/ecc-j-to-a.c0000644000175000017500000000447114633602171013750 0ustar nissenisse/* ecc-j-to-a.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_j_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define izp scratch #define iz2p (scratch + ecc->p.size) #define iz3p (scratch + 2*ecc->p.size) #define tp scratch ecc->p.invert (&ecc->p, izp, p+2*ecc->p.size, izp + ecc->p.size); ecc_mod_sqr (&ecc->p, iz2p, izp, iz2p); if (ecc->use_redc) { /* Divide this common factor by B, instead of applying redc to both x and y outputs. */ mpn_zero (iz2p + ecc->p.size, ecc->p.size); ecc->p.reduce (&ecc->p, iz2p, iz2p); } /* r_x <-- x / z^2 */ ecc_mod_mul_canonical (&ecc->p, r, iz2p, p, iz3p); if (op) { /* Skip y coordinate */ if (op > 1) { mp_limb_t cy; /* Also reduce the x coordinate mod ecc->q. It should already be < 2*ecc->q, so one subtraction should suffice. */ cy = mpn_sub_n (scratch, r, ecc->q.m, ecc->p.size); cnd_copy (1 - cy, r, scratch, ecc->p.size); } return; } ecc_mod_mul (&ecc->p, iz3p, iz2p, izp, iz3p); ecc_mod_mul_canonical (&ecc->p, r + ecc->p.size, iz3p, p + ecc->p.size, tp); #undef izp #undef iz2p #undef iz3p #undef tp } nettle-3.10/ecc-add-ehh.c0000644000175000017500000000630214633602171014146 0ustar nissenisse/* ecc-add-ehh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Add two points on an Edwards curve, in homogeneous coordinates */ void ecc_add_ehh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define z2 (q + 2*ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#addition-add-2007-bl): Computation Operation Live variables C = x1*x2 mul C D = y1*y2 mul C, D T = (x1+y1)(x2+y2) - C - D, mul C, D, T E = b*C*D 2 mul C, E, T (Replace C <-- D - C) A = z1*z2 mul A, C, E, T B = A^2 sqr A, B, C, E, T F = B - E A, B, C, E, F, T G = B + E A, C, F, G, T x3 = A*F*T 2 mul A, C, G y3 = A*G*(D-C) 2 mul F, G z3 = F*G mul */ #define T scratch #define E (scratch + 1*ecc->p.size) #define G E #define C (scratch + 2*ecc->p.size) #define D (scratch + 3*ecc->p.size) #define B D /* Use T as scratch, clobber E */ ecc_mod_mul (&ecc->p, C, x1, x2, T); /* C */ ecc_mod_mul (&ecc->p, D, y1, y2, T); /* C, D */ ecc_mod_add (&ecc->p, x3, x1, y1); ecc_mod_add (&ecc->p, y3, x2, y2); ecc_mod_mul (&ecc->p, T, x3, y3, T); /* C, D, T */ ecc_mod_sub (&ecc->p, T, T, C); ecc_mod_sub (&ecc->p, T, T, D); /* Can now use x3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, E, C, D, x3); /* C, D, T, E */ ecc_mod_mul (&ecc->p, E, E, ecc->b, x3); ecc_mod_sub (&ecc->p, C, D, C); /* C, T, E */ ecc_mod_mul (&ecc->p, B, z1, z2, x3); /* C, T, E, B */ ecc_mod_mul (&ecc->p, C, C, B, x3); ecc_mod_mul (&ecc->p, T, T, B, x3); ecc_mod_sqr (&ecc->p, B, B, x3); ecc_mod_sub (&ecc->p, x3, B, E); ecc_mod_add (&ecc->p, G, B, E); /* C, T, G */ /* Can now use y3 as scratch, without breaking in-place operation. */ ecc_mod_mul (&ecc->p, y3, C, G, y3); /* T G */ /* Can use C--D as scratch */ ecc_mod_mul (&ecc->p, z3, x3, G, C); /* T */ ecc_mod_mul (&ecc->p, x3, x3, T, C); } nettle-3.10/sm4.h0000644000175000017500000000331014633602172012631 0ustar nissenisse/* sm4.h Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SM4_H_INCLUDED #define NETTLE_SM4_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sm4_set_encrypt_key nettle_sm4_set_encrypt_key #define sm4_set_decrypt_key nettle_sm4_set_decrypt_key #define sm4_crypt nettle_sm4_crypt #define SM4_BLOCK_SIZE 16 #define SM4_KEY_SIZE 16 struct sm4_ctx { uint32_t rkey[32]; }; void sm4_set_encrypt_key(struct sm4_ctx *ctx, const uint8_t *key); void sm4_set_decrypt_key(struct sm4_ctx *ctx, const uint8_t *key); void sm4_crypt(const struct sm4_ctx *context, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SM4_H_INCLUDED */ nettle-3.10/camellia256-set-encrypt-key.c0000644000175000017500000001013014633602171017163 0ustar nissenisse/* camellia256-set-encrypt-key.c Key setup for the camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "camellia-internal.h" #include "macros.h" static void _camellia256_set_encrypt_key (struct camellia256_ctx *ctx, uint64_t k0, uint64_t k1, uint64_t k2, uint64_t k3) { uint64_t subkey[_CAMELLIA256_NKEYS + 2]; uint64_t w; /* generate KL dependent subkeys */ subkey[0] = k0; subkey[1] = k1; ROTL128(45, k0, k1); subkey[12] = k0; subkey[13] = k1; ROTL128(15, k0, k1); subkey[16] = k0; subkey[17] = k1; ROTL128(17, k0, k1); subkey[22] = k0; subkey[23] = k1; ROTL128(34, k0, k1); subkey[30] = k0; subkey[31] = k1; /* generate KR dependent subkeys */ ROTL128(15, k2, k3); subkey[4] = k2; subkey[5] = k3; ROTL128(15, k2, k3); subkey[8] = k2; subkey[9] = k3; ROTL128(30, k2, k3); subkey[18] = k2; subkey[19] = k3; ROTL128(34, k2, k3); subkey[26] = k2; subkey[27] = k3; ROTL128(34, k2, k3); /* generate KA */ /* The construction of KA is done as D1 = (KL ^ KR) >> 64 D2 = (KL ^ KR) & MASK64 W = F(D1, SIGMA1) D2 = D2 ^ W D1 = F(D2, SIGMA2) ^ (KR >> 64) D2 = F(D1, SIGMA3) ^ W ^ (KR & MASK64) D1 = D1 ^ F(W, SIGMA2) D2 = D2 ^ F(D1, SIGMA3) D1 = D1 ^ F(D2, SIGMA4) */ k0 = subkey[0] ^ k2; k1 = subkey[1] ^ k3; CAMELLIA_F(k0, SIGMA1, w); k1 ^= w; CAMELLIA_F(k1, SIGMA2, k0); k0 ^= k2; CAMELLIA_F(k0, SIGMA3, k1); k1 ^= w ^ k3; CAMELLIA_F(k1, SIGMA4, w); k0 ^= w; /* generate KB */ k2 ^= k0; k3 ^= k1; CAMELLIA_F(k2, SIGMA5, w); k3 ^= w; CAMELLIA_F(k3, SIGMA6, w); k2 ^= w; /* generate KA dependent subkeys */ ROTL128(15, k0, k1); subkey[6] = k0; subkey[7] = k1; ROTL128(30, k0, k1); subkey[14] = k0; subkey[15] = k1; ROTL128(32, k0, k1); subkey[24] = k0; subkey[25] = k1; ROTL128(17, k0, k1); subkey[28] = k0; subkey[29] = k1; /* generate KB dependent subkeys */ subkey[2] = k2; subkey[3] = k3; ROTL128(30, k2, k3); subkey[10] = k2; subkey[11] = k3; ROTL128(30, k2, k3); subkey[20] = k2; subkey[21] = k3; ROTL128(51, k2, k3); subkey[32] = k2; subkey[33] = k3; /* Common final processing */ _nettle_camellia_absorb (_CAMELLIA256_NKEYS, ctx->keys, subkey); } void camellia256_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { uint64_t k0, k1, k2, k3; k0 = READ_UINT64(key); k1 = READ_UINT64(key + 8); k2 = READ_UINT64(key + 16); k3 = READ_UINT64(key + 24); _camellia256_set_encrypt_key (ctx, k0, k1, k2, k3); } void camellia192_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key) { uint64_t k0, k1, k2; k0 = READ_UINT64(key); k1 = READ_UINT64(key + 8); k2 = READ_UINT64(key + 16); _camellia256_set_encrypt_key (ctx, k0, k1, k2, ~k2); } nettle-3.10/gcm-camellia128-meta.c0000644000175000017500000000354114633602171015620 0ustar nissenisse/* gcm-camellia128-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_camellia128_set_nonce_wrapper; static void gcm_camellia128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_camellia128_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_camellia128 = { "gcm_camellia128", sizeof(struct gcm_camellia128_ctx), GCM_BLOCK_SIZE, CAMELLIA128_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_camellia128_set_key, (nettle_set_key_func *) gcm_camellia128_set_key, gcm_camellia128_set_nonce_wrapper, (nettle_hash_update_func *) gcm_camellia128_update, (nettle_crypt_func *) gcm_camellia128_encrypt, (nettle_crypt_func *) gcm_camellia128_decrypt, (nettle_hash_digest_func *) gcm_camellia128_digest, }; nettle-3.10/getopt1.c0000644000175000017500000001111614633602172013507 0ustar nissenisse/* getopt_long and getopt_long_only entry points for GNU getopt. Copyright (C) 1987-2014 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifdef HAVE_CONFIG_H #include #endif #ifdef _LIBC # include #else # include "getopt.h" #endif #include "getopt_int.h" #include /* Comment out all this code if we are using the GNU C Library, and are not actually compiling the library itself. This code is part of the GNU C Library, but also included in many other GNU distributions. Compiling and linking in this code is a waste when using the GNU C library (especially if it is a shared library). Rather than having every GNU program understand `configure --with-gnu-libc' and omit the object files, it is simpler to just do this in the source for each such file. */ #define GETOPT_INTERFACE_VERSION 2 #if !defined _LIBC && defined __GLIBC__ && __GLIBC__ >= 2 #include #if _GNU_GETOPT_INTERFACE_VERSION == GETOPT_INTERFACE_VERSION #define ELIDE_CODE #endif #endif #ifndef ELIDE_CODE /* This needs to come after some library #include to get __GNU_LIBRARY__ defined. */ #ifdef __GNU_LIBRARY__ #include #endif #ifndef NULL #define NULL 0 #endif int getopt_long (int argc, char *const *argv, const char *options, const struct option *long_options, int *opt_index) { return _getopt_internal (argc, argv, options, long_options, opt_index, 0, 0); } int _getopt_long_r (int argc, char *const *argv, const char *options, const struct option *long_options, int *opt_index, struct _getopt_data *d) { return _getopt_internal_r (argc, argv, options, long_options, opt_index, 0, d, 0); } /* Like getopt_long, but '-' as well as '--' can indicate a long option. If an option that starts with '-' (not '--') doesn't match a long option, but does match a short option, it is parsed as a short option instead. */ int getopt_long_only (int argc, char *const *argv, const char *options, const struct option *long_options, int *opt_index) { return _getopt_internal (argc, argv, options, long_options, opt_index, 1, 0); } int _getopt_long_only_r (int argc, char *const *argv, const char *options, const struct option *long_options, int *opt_index, struct _getopt_data *d) { return _getopt_internal_r (argc, argv, options, long_options, opt_index, 1, d, 0); } #endif /* Not ELIDE_CODE. */ #ifdef TEST #include int main (int argc, char **argv) { int c; int digit_optind = 0; while (1) { int this_option_optind = optind ? optind : 1; int option_index = 0; static struct option long_options[] = { {"add", 1, 0, 0}, {"append", 0, 0, 0}, {"delete", 1, 0, 0}, {"verbose", 0, 0, 0}, {"create", 0, 0, 0}, {"file", 1, 0, 0}, {0, 0, 0, 0} }; c = getopt_long (argc, argv, "abc:d:0123456789", long_options, &option_index); if (c == -1) break; switch (c) { case 0: printf ("option %s", long_options[option_index].name); if (optarg) printf (" with arg %s", optarg); printf ("\n"); break; case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': if (digit_optind != 0 && digit_optind != this_option_optind) printf ("digits occur in two different argv-elements.\n"); digit_optind = this_option_optind; printf ("option %c\n", c); break; case 'a': printf ("option a\n"); break; case 'b': printf ("option b\n"); break; case 'c': printf ("option c with value `%s'\n", optarg); break; case 'd': printf ("option d with value `%s'\n", optarg); break; case '?': break; default: printf ("?? getopt returned character code 0%o ??\n", c); } } if (optind < argc) { printf ("non-option ARGV-elements: "); while (optind < argc) printf ("%s ", argv[optind++]); printf ("\n"); } exit (0); } #endif /* TEST */ nettle-3.10/umac-nh.c0000644000175000017500000000407114633602171013455 0ustar nissenisse/* umac-nh.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "umac-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_umac_nh uint64_t _nettle_umac_nh_c (const uint32_t *key, unsigned length, const uint8_t *msg); #define _nettle_umac_nh _nettle_umac_nh_c #endif uint64_t _nettle_umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg) { uint64_t y; assert (length > 0); assert (length <= 1024); assert (length % 32 == 0); for (y = 0; length > 0; length -= 32, msg += 32, key += 8) { uint32_t a, b; a = LE_READ_UINT32 (msg) + key[0]; b = LE_READ_UINT32 (msg + 16) + key[4]; y += (uint64_t) a * b; a = LE_READ_UINT32 (msg + 4) + key[1]; b = LE_READ_UINT32 (msg + 20) + key[5]; y += (uint64_t) a * b; a = LE_READ_UINT32 (msg + 8) + key[2]; b = LE_READ_UINT32 (msg + 24) + key[6]; y += (uint64_t) a * b; a = LE_READ_UINT32 (msg + 12) + key[3]; b = LE_READ_UINT32 (msg + 28) + key[7]; y += (uint64_t) a * b; } return y; } nettle-3.10/pbkdf2-hmac-sha256.c0000644000175000017500000000304114633602171015205 0ustar nissenisse/* pbkdf2-hmac-sha256.c PKCS #5 PBKDF2 used with HMAC-SHA256, see RFC 2898. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha256_ctx sha256ctx; hmac_sha256_set_key (&sha256ctx, key_length, key); PBKDF2 (&sha256ctx, hmac_sha256_update, hmac_sha256_digest, SHA256_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-3.10/pkcs1-rsa-sha256.c0000644000175000017500000000561714633602171014746 0ustar nissenisse/* pkcs1-rsa-sha256.c PKCS stuff for rsa-sha256. Copyright (C) 2001, 2003, 2006 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "hogweed-internal.h" #include "gmp-glue.h" /* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA * Cryptography Specifications Version 2.1. * * id-sha256 OBJECT IDENTIFIER ::= * {joint-iso-itu-t(2) country(16) us(840) organization(1) * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 1} */ static const uint8_t sha256_prefix[] = { /* 19 octets prefix, 32 octets hash, total 51 */ 0x30, 49, /* SEQUENCE */ 0x30, 13, /* SEQUENCE */ 0x06, 9, /* OBJECT IDENTIFIER */ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0, /* NULL */ 0x04, 32 /* OCTET STRING */ /* Here comes the raw hash value */ }; int pkcs1_rsa_sha256_encode(mpz_t m, size_t key_size, struct sha256_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha256_prefix), sha256_prefix, SHA256_DIGEST_SIZE); if (p) { sha256_digest(hash, SHA256_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha256_prefix), sha256_prefix, SHA256_DIGEST_SIZE); if (p) { memcpy(p, digest, SHA256_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-3.10/salsa20-256-set-key.c0000644000175000017500000000354014633602171015263 0ustar nissenisse/* salsa20-256-set-key.c The Salsa20 stream cipher. Key setup for 128-bit keys. Copyright (C) 2012 Simon Josefsson Copyright (C) 2012-2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "macros.h" void salsa20_256_set_key(struct salsa20_ctx *ctx, const uint8_t *key) { ctx->input[1] = LE_READ_UINT32(key + 0); ctx->input[2] = LE_READ_UINT32(key + 4); ctx->input[3] = LE_READ_UINT32(key + 8); ctx->input[4] = LE_READ_UINT32(key + 12); ctx->input[11] = LE_READ_UINT32(key + 16); ctx->input[12] = LE_READ_UINT32(key + 20); ctx->input[13] = LE_READ_UINT32(key + 24); ctx->input[14] = LE_READ_UINT32(key + 28); /* "expand 32-byte k" */ ctx->input[0] = 0x61707865; ctx->input[5] = 0x3320646e; ctx->input[10] = 0x79622d32; ctx->input[15] = 0x6b206574; } nettle-3.10/rsa-decrypt-tr.c0000644000175000017500000000412314633602171015003 0ustar nissenisse/* rsa-decrypt-tr.c RSA decryption, using randomized RSA blinding to be more resistant to timing attacks. Copyright (C) 2001, 2012 Niels Möller, Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa-internal.h" #include "pkcs1-internal.h" #include "gmp-glue.h" int rsa_decrypt_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t *length, uint8_t *message, const mpz_t gibberish) { TMP_GMP_DECL (m, mp_limb_t); TMP_GMP_DECL (em, uint8_t); mp_size_t key_limb_size; int res; /* First check that input is in range. */ if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, pub->n) >= 0) return 0; key_limb_size = mpz_size(pub->n); TMP_GMP_ALLOC (m, key_limb_size); TMP_GMP_ALLOC (em, key->size); mpz_limbs_copy(m, gibberish, key_limb_size); res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); mpn_get_base256 (em, key->size, m, key_limb_size); res &= _pkcs1_sec_decrypt_variable (length, message, key->size, em); TMP_GMP_FREE (em); TMP_GMP_FREE (m); return res; } nettle-3.10/bignum.c0000644000175000017500000000755414633602171013417 0ustar nissenisse/* bignum.c Bignum operations that are missing from gmp. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "bignum.h" /* Two's complement negation means that -x = ~x + 1, ~x = -(x+1), * and we use that x = ~~x = ~(-x-1). * * Examples: * * x ~x = -x+1 ~~x = x * -1 0 ff * -2 1 fe * -7f 7e 81 * -80 7f 80 * -81 80 ff7f */ /* Including extra sign bit, if needed. Also one byte for zero. */ size_t nettle_mpz_sizeinbase_256_s(const mpz_t x) { if (mpz_sgn(x) >= 0) return 1 + mpz_sizeinbase(x, 2) / 8; else { /* We'll output ~~x, so we need as many bits as for ~x */ size_t size; mpz_t c; mpz_init(c); mpz_com(c, x); /* Same as c = - x - 1 = |x| + 1 */ size = 1 + mpz_sizeinbase(c,2) / 8; mpz_clear(c); return size; } } size_t nettle_mpz_sizeinbase_256_u(const mpz_t x) { return (mpz_sizeinbase(x,2) + 7) / 8; } static void nettle_mpz_to_octets(size_t length, uint8_t *s, const mpz_t x, uint8_t sign) { uint8_t *dst = s + length - 1; size_t size = mpz_size(x); size_t i; for (i = 0; i>= 8; length--; } } if (length) memset(s, sign, length); } void nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x) { if (!length) { /* x must be zero */ assert(!mpz_sgn(x)); return; } if (mpz_sgn(x) >= 0) { assert(nettle_mpz_sizeinbase_256_u(x) <= length); nettle_mpz_to_octets(length, s, x, 0); } else { mpz_t c; mpz_init(c); mpz_com(c, x); assert(nettle_mpz_sizeinbase_256_u(c) <= length); nettle_mpz_to_octets(length, s, c, 0xff); mpz_clear(c); } } /* Converting from strings */ /* mpz_import was introduced in GMP-4.1 */ #define nettle_mpz_from_octets(x, length, s) \ mpz_import((x), (length), 1, 1, 0, 0, (s)) void nettle_mpz_set_str_256_u(mpz_t x, size_t length, const uint8_t *s) { nettle_mpz_from_octets(x, length, s); } void nettle_mpz_init_set_str_256_u(mpz_t x, size_t length, const uint8_t *s) { mpz_init(x); nettle_mpz_from_octets(x, length, s); } void nettle_mpz_set_str_256_s(mpz_t x, size_t length, const uint8_t *s) { if (!length) { mpz_set_ui(x, 0); return; } nettle_mpz_from_octets(x, length, s); if (s[0] & 0x80) { mpz_t t; mpz_init_set_ui(t, 1); mpz_mul_2exp(t, t, length*8); mpz_sub(x, x, t); mpz_clear(t); } } void nettle_mpz_init_set_str_256_s(mpz_t x, size_t length, const uint8_t *s) { mpz_init(x); nettle_mpz_set_str_256_s(x, length, s); } nettle-3.10/balloon-sha512.c0000644000175000017500000000322214633602171014551 0ustar nissenisse/* balloon-sha512.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "balloon.h" #include "sha2.h" void balloon_sha512(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { struct sha512_ctx ctx; sha512_init(&ctx); balloon(&ctx, (nettle_hash_update_func*)sha512_update, (nettle_hash_digest_func*)sha512_digest, SHA512_DIGEST_SIZE, s_cost, t_cost, passwd_length, passwd, salt_length, salt, scratch, dst); } nettle-3.10/bswap-internal.h0000644000175000017500000000450714633602172015065 0ustar nissenisse/* bswap-internal.h Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BSWAP_INTERNAL_H_INCLUDED #define NETTLE_BSWAP_INTERNAL_H_INCLUDED #include "nettle-types.h" /* Note that these definitions depend config.h, which should be included first. */ #if HAVE_BUILTIN_BSWAP64 #define nettle_bswap64 __builtin_bswap64 /* Assume bswap32 is also available. */ #define nettle_bswap32 __builtin_bswap32 #else static inline uint64_t nettle_bswap64 (uint64_t x) { x = (x >> 32) | (x << 32); x = ((x >> 16) & UINT64_C (0xffff0000ffff)) | ((x & UINT64_C (0xffff0000ffff)) << 16); x = ((x >> 8) & UINT64_C (0xff00ff00ff00ff)) | ((x & UINT64_C (0xff00ff00ff00ff)) << 8); return x; } static inline uint32_t nettle_bswap32 (uint32_t x) { x = (x << 16) | (x >> 16); x = ((x & 0x00FF00FF) << 8) | ((x >> 8) & 0x00FF00FF); return x; } #endif static inline void nettle_bswap32_n (unsigned n, uint32_t *x) { unsigned i; for (i = 0; i < n; i++) x[i] = nettle_bswap32 (x[i]); } #if WORDS_BIGENDIAN #define bswap64_if_be nettle_bswap64 #define bswap32_if_be nettle_bswap32 #define bswap64_if_le(x) (x) #define bswap32_if_le(x) (x) #define bswap32_n_if_le(n, x) #else #define bswap64_if_be(x) (x) #define bswap32_if_be(x) (x) #define bswap64_if_le nettle_bswap64 #define bswap32_if_le nettle_bswap32 #define bswap32_n_if_le nettle_bswap32_n #endif #endif /* NETTLE_BSWAP_INTERNAL_H_INCLUDED */ nettle-3.10/ecc-mod-arith.c0000644000175000017500000001317414633602171014545 0ustar nissenisse/* ecc-mod-arith.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Routines for modp arithmetic. All values are ecc->size limbs, but not necessarily < p. */ int ecc_mod_zero_p (const struct ecc_modulo *m, const mp_limb_t *xp_in) { volatile mp_limb_t is_non_zero, is_not_p; const volatile mp_limb_t *xp; mp_size_t i; for (xp = xp_in, i = 0, is_non_zero = is_not_p = 0; i < m->size; i++) { is_non_zero |= xp[i]; is_not_p |= (xp[i] ^ m->m[i]); } return is_zero_limb (is_non_zero) | is_zero_limb (is_not_p); } int ecc_mod_equal_p (const struct ecc_modulo *m, const mp_limb_t *a, const mp_limb_t *ref, mp_limb_t *scratch) { mp_limb_t cy; cy = mpn_sub_n (scratch, a, ref, m->size); /* If cy > 0, i.e., a < ref, then they can't be equal mod m. */ return (1 - cy) & ecc_mod_zero_p (m, scratch); } void ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp) { mp_limb_t cy; cy = mpn_add_n (rp, ap, bp, m->size); cy = mpn_cnd_add_n (cy, rp, rp, m->B, m->size); cy = mpn_cnd_add_n (cy, rp, rp, m->B, m->size); assert_maybe (cy == 0); } void ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp) { mp_limb_t cy; cy = mpn_sub_n (rp, ap, bp, m->size); /* The adjustments for this function work differently depending on the value of the most significant bit of m. If m has a most significant bit of zero, then the first adjustment step conditionally adds 2m. If in addition, inputs are in the 0 <= a,b < 2m range, then the first adjustment guarantees that result is in that same range. The second adjustment step is needed only if b > 2m, it then ensures output is correct modulo m, but nothing more. If m has a most significant bit of one, Bm2m and B are the same, and this function works analogously to ecc_mod_add. */ cy = mpn_cnd_sub_n (cy, rp, rp, m->Bm2m, m->size); cy = mpn_cnd_sub_n (cy, rp, rp, m->B, m->size); assert_maybe (cy == 0); } void ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; assert (b <= 0xffffffff); hi = mpn_mul_1 (rp, ap, m->size, b); hi = mpn_addmul_1 (rp, m->B, m->size, hi); assert_maybe (hi <= 1); hi = mpn_cnd_add_n (hi, rp, rp, m->B, m->size); /* Sufficient if b < B^size / p */ assert_maybe (hi == 0); } void ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; assert (b <= 0xffffffff); hi = mpn_addmul_1 (rp, ap, m->size, b); hi = mpn_addmul_1 (rp, m->B, m->size, hi); assert_maybe (hi <= 1); hi = mpn_cnd_add_n (hi, rp, rp, m->B, m->size); /* Sufficient roughly if b < B^size / p */ assert_maybe (hi == 0); } void ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b) { mp_limb_t hi; assert (b <= 0xffffffff); hi = mpn_submul_1 (rp, ap, m->size, b); hi = mpn_submul_1 (rp, m->B, m->size, hi); assert_maybe (hi <= 1); hi = mpn_cnd_sub_n (hi, rp, rp, m->B, m->size); /* Sufficient roughly if b < B^size / p */ assert_maybe (hi == 0); } void ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) { mpn_mul_n (tp, ap, bp, m->size); m->reduce (m, rp, tp); } void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp) { mpn_sqr (tp, ap, m->size); m->reduce (m, rp, tp); } void ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp) { mp_limb_t cy; mpn_mul_n (tp, ap, bp, m->size); m->reduce (m, tp + m->size, tp); cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); cnd_copy (cy, rp, tp + m->size, m->size); } void ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp) { mp_limb_t cy; mpn_sqr (tp, ap, m->size); m->reduce (m, tp + m->size, tp); cy = mpn_sub_n (rp, tp + m->size, m->m, m->size); cnd_copy (cy, rp, tp + m->size, m->size); } void ecc_mod_pow_2k (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, mp_limb_t *tp) { ecc_mod_sqr (m, rp, xp, tp); while (--k > 0) ecc_mod_sqr (m, rp, rp, tp); } void ecc_mod_pow_2k_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, const mp_limb_t *yp, mp_limb_t *tp) { ecc_mod_pow_2k (m, rp, xp, k, tp); ecc_mod_mul (m, rp, rp, yp, tp); } nettle-3.10/sexp2bignum.c0000644000175000017500000000316614633602171014374 0ustar nissenisse/* sexp2bignum.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sexp.h" #include "bignum.h" int nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i) { if (i->type == SEXP_ATOM && i->atom_length && !i->display) { /* Allow some extra here, for leading sign octets. */ if (limit && (8 * i->atom_length > (16 + limit))) return 0; nettle_mpz_set_str_256_s(x, i->atom_length, i->atom); /* FIXME: How to interpret a limit for negative numbers? */ if (limit && mpz_sizeinbase(x, 2) > limit) return 0; return sexp_iterator_next(i); } else return 0; } nettle-3.10/rsa-oaep-decrypt.c0000644000175000017500000000714514633602171015311 0ustar nissenisse/* rsa-oaep-decrypt.c The RSA publickey algorithm. OAEP decryption. Copyright (C) 2021-2024 Nicolas Mora Copyright (C) 2024 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "rsa.h" #include "gmp-glue.h" #include "nettle-internal.h" #include "oaep.h" #include "rsa-internal.h" int _rsa_oaep_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, void *hash_ctx, const struct nettle_hash *hash, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { TMP_GMP_DECL (m, mp_limb_t); TMP_GMP_DECL (em, uint8_t); int res; TMP_GMP_ALLOC (m, mpz_size (pub->n)); TMP_GMP_ALLOC (em, key->size); mpn_set_base256 (m, mpz_size (pub->n), ciphertext, pub->size); /* Check that input is in range. */ if (mpn_cmp (m, mpz_limbs_read (pub->n), mpz_size (pub->n)) >= 0) { TMP_GMP_FREE (em); TMP_GMP_FREE (m); return 0; } res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, m, m); mpn_get_base256 (em, key->size, m, mpz_size (pub->n)); res &= _oaep_decode_mgf1 (em, key->size, hash_ctx, hash, label_length, label, length, message); TMP_GMP_FREE (em); TMP_GMP_FREE (m); return res; } int rsa_oaep_sha256_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { struct sha256_ctx ctx; sha256_init (&ctx); return _rsa_oaep_decrypt (pub, key, random_ctx, random, &ctx, &nettle_sha256, label_length, label, length, message, ciphertext); } int rsa_oaep_sha384_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { struct sha384_ctx ctx; sha384_init (&ctx); return _rsa_oaep_decrypt (pub, key, random_ctx, random, &ctx, &nettle_sha384, label_length, label, length, message, ciphertext); } int rsa_oaep_sha512_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { struct sha512_ctx ctx; sha512_init (&ctx); return _rsa_oaep_decrypt (pub, key, random_ctx, random, &ctx, &nettle_sha512, label_length, label, length, message, ciphertext); } nettle-3.10/ecdsa-sign.c0000644000175000017500000000427314633602172014147 0ustar nissenisse/* ecdsa-sign.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature) { /* At most 936 bytes. */ TMP_DECL(k, mp_limb_t, ECC_MAX_SIZE + ECC_ECDSA_SIGN_ITCH (ECC_MAX_SIZE)); mp_limb_t size = key->ecc->p.size; mp_limb_t *rp = mpz_limbs_write (signature->r, size); mp_limb_t *sp = mpz_limbs_write (signature->s, size); TMP_ALLOC (k, size + ECC_ECDSA_SIGN_ITCH (size)); /* Timing reveals the number of rounds through this loop, but the timing is still independent of the secret k finally used. */ do { ecc_mod_random (&key->ecc->q, k, random_ctx, random, k + size); ecc_ecdsa_sign (key->ecc, key->p, k, digest_length, digest, rp, sp, k + size); mpz_limbs_finish (signature->r, size); mpz_limbs_finish (signature->s, size); } while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0); } nettle-3.10/fat-arm64.c0000644000175000017500000002451714633602172013636 0ustar nissenisse/* fat-arm64.c Copyright (C) 2021 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #if defined(__linux__) && defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # define USE_GETAUXVAL 1 # endif #elif __ANDROID_API__ >= 18 # define USE_GETAUXVAL 1 #endif #if USE_GETAUXVAL # include # include #elif defined(__OpenBSD__) # include # include # include #elif defined(__APPLE__) # include #endif #include "nettle-types.h" #include "aes.h" #include "ghash-internal.h" #include "fat-setup.h" /* Defines from arch/arm64/include/uapi/asm/hwcap.h in Linux kernel */ #ifndef HWCAP_ASIMD #define HWCAP_ASIMD (1 << 1) #endif #ifndef HWCAP_AES #define HWCAP_AES (1 << 3) #endif #ifndef HWCAP_PMULL #define HWCAP_PMULL (1 << 4) #endif #ifndef HWCAP_SHA1 #define HWCAP_SHA1 (1 << 5) #endif #ifndef HWCAP_SHA2 #define HWCAP_SHA2 (1 << 6) #endif struct arm64_features { int have_aes; int have_pmull; int have_sha1; int have_sha2; }; #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) #if defined(__APPLE__) static int check_sysctlbyname(const char* name) { int val; size_t s = sizeof(val); return sysctlbyname(name, &val, &s, NULL, 0) ? 0 : val; } #endif static void get_arm64_features (struct arm64_features *features) { const char *s; features->have_aes = 0; features->have_pmull = 0; features->have_sha1 = 0; features->have_sha2 = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (MATCH (s, length, "aes", 3)) features->have_aes = 1; else if (MATCH (s, length, "pmull", 5)) features->have_pmull = 1; else if (MATCH (s, length, "sha1", 4)) features->have_sha1 = 1; else if (MATCH (s, length, "sha2", 4)) features->have_sha2 = 1; if (!sep) break; s = sep + 1; } else { #if USE_GETAUXVAL unsigned long hwcap = getauxval(AT_HWCAP); features->have_aes = ((hwcap & (HWCAP_ASIMD | HWCAP_AES)) == (HWCAP_ASIMD | HWCAP_AES)); features->have_pmull = ((hwcap & (HWCAP_ASIMD | HWCAP_PMULL)) == (HWCAP_ASIMD | HWCAP_PMULL)); features->have_sha1 = ((hwcap & (HWCAP_ASIMD | HWCAP_SHA1)) == (HWCAP_ASIMD | HWCAP_SHA1)); features->have_sha2 = ((hwcap & (HWCAP_ASIMD | HWCAP_SHA2)) == (HWCAP_ASIMD | HWCAP_SHA2)); #elif defined(__OpenBSD__) const int isar0_mib[] = { CTL_MACHDEP, CPU_ID_AA64ISAR0 }; uint64_t isar0; size_t len = sizeof(isar0); if (sysctl(isar0_mib, 2, &isar0, &len, NULL, 0) < 0) return; features->have_aes = (ID_AA64ISAR0_AES(isar0) >= ID_AA64ISAR0_AES_BASE); features->have_pmull = (ID_AA64ISAR0_AES(isar0) >= ID_AA64ISAR0_AES_PMULL); features->have_sha1 = (ID_AA64ISAR0_SHA1(isar0) >= ID_AA64ISAR0_SHA1_BASE); features->have_sha2 = (ID_AA64ISAR0_SHA2(isar0) >= ID_AA64ISAR0_SHA2_BASE); #elif defined(__APPLE__) /* See https://developer.apple.com/documentation/kernel/1387446-sysctlbyname/determining_instruction_set_characteristics */ features->have_aes = check_sysctlbyname("hw.optional.arm.FEAT_AES"); features->have_pmull = check_sysctlbyname("hw.optional.arm.FEAT_PMULL"); features->have_sha1 = check_sysctlbyname("hw.optional.arm.FEAT_SHA1"); features->have_sha2 = check_sysctlbyname("hw.optional.arm.FEAT_SHA256"); #endif } } DECLARE_FAT_FUNC(nettle_aes128_encrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes128_decrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes192_encrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes192_decrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes256_encrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, arm64) DECLARE_FAT_FUNC(nettle_aes256_decrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, arm64) DECLARE_FAT_FUNC(_nettle_ghash_set_key, ghash_set_key_func) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, c) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, arm64) DECLARE_FAT_FUNC(_nettle_ghash_update, ghash_update_func) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, c) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, arm64) DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, arm64) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, c) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, arm64) static void CONSTRUCTOR fat_init (void) { struct arm64_features features; int verbose; get_arm64_features (&features); verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: cpu features:%s%s%s%s\n", features.have_aes ? " aes instructions" : "", features.have_pmull ? " polynomial multiply long instructions (PMULL/PMULL2)" : "", features.have_sha1 ? " sha1 instructions" : "", features.have_sha2 ? " sha2 instructions" : ""); if (features.have_aes) { if (verbose) fprintf (stderr, "libnettle: enabling hardware accelerated AES encrypt/decrypt code.\n"); nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_arm64; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_arm64; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_arm64; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_arm64; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_arm64; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_arm64; } else { nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_c; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_c; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_c; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_c; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_c; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_c; } if (features.have_pmull) { if (verbose) fprintf (stderr, "libnettle: enabling hardware-accelerated polynomial multiply code.\n"); /* Make sure _nettle_ghash_set_key_vec function is compatible with _nettle_ghash_update_vec function e.g. _nettle_ghash_key_c() fills gcm_key table with values that are incompatible with _nettle_ghash_update_arm64() */ _nettle_ghash_set_key_vec = _nettle_ghash_set_key_arm64; _nettle_ghash_update_vec = _nettle_ghash_update_arm64; } else { _nettle_ghash_set_key_vec = _nettle_ghash_set_key_c; _nettle_ghash_update_vec = _nettle_ghash_update_c; } if (features.have_sha1) { if (verbose) fprintf (stderr, "libnettle: enabling hardware-accelerated sha1 compress code.\n"); nettle_sha1_compress_vec = _nettle_sha1_compress_arm64; } else { nettle_sha1_compress_vec = _nettle_sha1_compress_c; } if (features.have_sha2) { if (verbose) fprintf (stderr, "libnettle: enabling hardware-accelerated sha256 compress code.\n"); _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_arm64; } else { _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_c; } } DEFINE_FAT_FUNC(nettle_aes128_encrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes128_decrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_encrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_decrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_encrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_decrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(_nettle_ghash_set_key, void, (struct gcm_key *ctx, const union nettle_block16 *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_ghash_update, const uint8_t *, (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data), (ctx, state, blocks, data)) DEFINE_FAT_FUNC(nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) nettle-3.10/nettle-lookup-hash.c0000644000175000017500000000255414633602171015654 0ustar nissenisse/* nettle-lookup-hash.c Copyright (C) 2016 Niels Möller. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "nettle-meta.h" #include "nettle-internal.h" const struct nettle_hash * nettle_lookup_hash (const char *name) { unsigned i; for (i = 0; _nettle_hashes[i]; i++) if (!strcmp (name, _nettle_hashes[i]->name)) return _nettle_hashes[i]; return NULL; } nettle-3.10/sha512.c0000644000175000017500000002016114633602171013126 0ustar nissenisse/* sha512.c The sha512 hash function. See http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf Copyright (C) 2001, 2010 Niels Möller Copyright (C) 2014 Joachim Strömbergson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Modelled after the sha1.c code by Peter Gutmann. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "sha2.h" #include "sha2-internal.h" #include "macros.h" /* Generated by the gp script { print("obase=16"); for (i = 1,80, root = prime(i)^(1/3); fraction = root - floor(root); print(floor(2^64 * fraction)); ); quit(); } piped through |grep -v '^[' | bc \ |awk '{printf("0x%sULL,%s", $1, NR%3 == 0 ? "\n" : "");}' to convert it to hex. */ static const uint64_t K[80] = { 0x428A2F98D728AE22ULL,0x7137449123EF65CDULL, 0xB5C0FBCFEC4D3B2FULL,0xE9B5DBA58189DBBCULL, 0x3956C25BF348B538ULL,0x59F111F1B605D019ULL, 0x923F82A4AF194F9BULL,0xAB1C5ED5DA6D8118ULL, 0xD807AA98A3030242ULL,0x12835B0145706FBEULL, 0x243185BE4EE4B28CULL,0x550C7DC3D5FFB4E2ULL, 0x72BE5D74F27B896FULL,0x80DEB1FE3B1696B1ULL, 0x9BDC06A725C71235ULL,0xC19BF174CF692694ULL, 0xE49B69C19EF14AD2ULL,0xEFBE4786384F25E3ULL, 0x0FC19DC68B8CD5B5ULL,0x240CA1CC77AC9C65ULL, 0x2DE92C6F592B0275ULL,0x4A7484AA6EA6E483ULL, 0x5CB0A9DCBD41FBD4ULL,0x76F988DA831153B5ULL, 0x983E5152EE66DFABULL,0xA831C66D2DB43210ULL, 0xB00327C898FB213FULL,0xBF597FC7BEEF0EE4ULL, 0xC6E00BF33DA88FC2ULL,0xD5A79147930AA725ULL, 0x06CA6351E003826FULL,0x142929670A0E6E70ULL, 0x27B70A8546D22FFCULL,0x2E1B21385C26C926ULL, 0x4D2C6DFC5AC42AEDULL,0x53380D139D95B3DFULL, 0x650A73548BAF63DEULL,0x766A0ABB3C77B2A8ULL, 0x81C2C92E47EDAEE6ULL,0x92722C851482353BULL, 0xA2BFE8A14CF10364ULL,0xA81A664BBC423001ULL, 0xC24B8B70D0F89791ULL,0xC76C51A30654BE30ULL, 0xD192E819D6EF5218ULL,0xD69906245565A910ULL, 0xF40E35855771202AULL,0x106AA07032BBD1B8ULL, 0x19A4C116B8D2D0C8ULL,0x1E376C085141AB53ULL, 0x2748774CDF8EEB99ULL,0x34B0BCB5E19B48A8ULL, 0x391C0CB3C5C95A63ULL,0x4ED8AA4AE3418ACBULL, 0x5B9CCA4F7763E373ULL,0x682E6FF3D6B2B8A3ULL, 0x748F82EE5DEFB2FCULL,0x78A5636F43172F60ULL, 0x84C87814A1F0AB72ULL,0x8CC702081A6439ECULL, 0x90BEFFFA23631E28ULL,0xA4506CEBDE82BDE9ULL, 0xBEF9A3F7B2C67915ULL,0xC67178F2E372532BULL, 0xCA273ECEEA26619CULL,0xD186B8C721C0C207ULL, 0xEADA7DD6CDE0EB1EULL,0xF57D4F7FEE6ED178ULL, 0x06F067AA72176FBAULL,0x0A637DC5A2C898A6ULL, 0x113F9804BEF90DAEULL,0x1B710B35131C471BULL, 0x28DB77F523047D84ULL,0x32CAAB7B40C72493ULL, 0x3C9EBE0A15C9BEBCULL,0x431D67C49C100D4CULL, 0x4CC5D4BECB3E42B6ULL,0x597F299CFC657E2AULL, 0x5FCB6FAB3AD6FAECULL,0x6C44198C4A475817ULL, }; #define COMPRESS(ctx, data) (sha512_compress((ctx)->state, (data))) void sha512_init(struct sha512_ctx *ctx) { /* Initial values, generated by the gp script { for (i = 1,8, root = prime(i)^(1/2); fraction = root - floor(root); print(floor(2^64 * fraction)); ); } . */ static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0x6A09E667F3BCC908ULL,0xBB67AE8584CAA73BULL, 0x3C6EF372FE94F82BULL,0xA54FF53A5F1D36F1ULL, 0x510E527FADE682D1ULL,0x9B05688C2B3E6C1FULL, 0x1F83D9ABFB41BD6BULL,0x5BE0CD19137E2179ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha512_update(struct sha512_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, MD_INCR(ctx)); } static void sha512_write_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest) { uint64_t high, low; unsigned i; unsigned words; unsigned leftover; assert(length <= SHA512_DIGEST_SIZE); MD_PAD(ctx, 16, COMPRESS); /* There are 1024 = 2^10 bits in one block */ high = (ctx->count_high << 10) | (ctx->count_low >> 54); low = (ctx->count_low << 10) | (ctx->index << 3); /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 16), high); WRITE_UINT64(ctx->block + (SHA512_BLOCK_SIZE - 8), low); sha512_compress(ctx->state, ctx->block); words = length / 8; leftover = length % 8; for (i = 0; i < words; i++, digest += 8) WRITE_UINT64(digest, ctx->state[i]); if (leftover) { /* Truncate to the right size */ uint64_t word = ctx->state[i] >> (8*(8 - leftover)); do { digest[--leftover] = word & 0xff; word >>= 8; } while (leftover); } } void sha512_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= SHA512_DIGEST_SIZE); sha512_write_digest(ctx, length, digest); sha512_init(ctx); } /* sha384 variant. */ void sha384_init(struct sha512_ctx *ctx) { /* Initial values, generated by the gp script { for (i = 9,16, root = prime(i)^(1/2); fraction = root - floor(root); print(floor(2^64 * fraction)); ); } . */ static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0xCBBB9D5DC1059ED8ULL, 0x629A292A367CD507ULL, 0x9159015A3070DD17ULL, 0x152FECD8F70E5939ULL, 0x67332667FFC00B31ULL, 0x8EB44A8768581511ULL, 0xDB0C2E0D64F98FA7ULL, 0x47B5481DBEFA4FA4ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha384_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= SHA384_DIGEST_SIZE); sha512_write_digest(ctx, length, digest); sha384_init(ctx); } /* sha-512/224 variant. */ void sha512_224_init(struct sha512_224_ctx *ctx) { static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0x8c3d37c819544da2ULL, 0x73e1996689dcd4d6ULL, 0x1dfab7ae32ff9c82ULL, 0x679dd514582f9fcfULL, 0x0f6d2b697bd44da8ULL, 0x77e36f7304c48942ULL, 0x3f9d85a86a1d36c8ULL, 0x1112e6ad91d692a1ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha512_224_digest(struct sha512_224_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= SHA224_DIGEST_SIZE); sha512_write_digest(ctx, length, digest); sha512_224_init(ctx); } /* sha-512/256 variant. */ void sha512_256_init(struct sha512_256_ctx *ctx) { static const uint64_t H0[_SHA512_DIGEST_LENGTH] = { 0x22312194fc2bf72cULL, 0x9f555fa3c84c64c2ULL, 0x2393b86b6f53b151ULL, 0x963877195940eabdULL, 0x96283ee2a88effe3ULL, 0xbe5e1e2553863992ULL, 0x2b0199fc2c85b8aaULL, 0x0eb72ddc81c52ca2ULL, }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count_low = ctx->count_high = 0; /* Initialize buffer */ ctx->index = 0; } void sha512_256_digest(struct sha512_256_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= SHA256_DIGEST_SIZE); sha512_write_digest(ctx, length, digest); sha512_256_init(ctx); } void sha512_compress(uint64_t *state, const uint8_t *input) { _nettle_sha512_compress(state, input, K); } nettle-3.10/rsa-pss-sha512-sign-tr.c0000644000175000017500000000433414633602171016101 0ustar nissenisse/* rsa-pss-sha512-sign-tr.c Signatures using RSA and SHA-384/SHA-512, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha384_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha384, salt_length, salt, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_pss_sha512_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha512, salt_length, salt, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.10/cbc-aes256-encrypt.c0000644000175000017500000000307014633602171015337 0ustar nissenisse/* cbc-aes256-encrypt.c Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "cbc.h" /* For fat builds */ #if HAVE_NATIVE_cbc_aes256_encrypt void _nettle_cbc_aes256_encrypt_c(const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_cbc_aes256_encrypt _nettle_cbc_aes256_encrypt_c #endif void cbc_aes256_encrypt(const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { cbc_encrypt(ctx, (nettle_cipher_func *) aes256_encrypt, AES_BLOCK_SIZE, iv, length, dst, src); } nettle-3.10/tools/0000755000175000017500000000000014633602172013120 5ustar nissenissenettle-3.10/tools/nettle-pbkdf2.c0000644000175000017500000001163014633602172015726 0ustar nissenisse/* nettle-pbkdf2.c Command-line tool for pbkdf2 hashing. Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "pbkdf2.h" #include "base16.h" #include "getopt.h" #include "misc.h" #define DEFAULT_ITERATIONS 10000 #define DEFAULT_LENGTH 16 static void usage (FILE *f) { fprintf(f, "Usage: nettle-pbkdf2 [OPTIONS] SALT\n" "Options:\n" " --help Show this help.\n" " -V, --version Show version information.\n" " -i, --iterations=COUNT Desired iteration count (default %d).\n" " -l, --length=LENGTH Desired output length (octets, default %d)\n" " --raw Raw binary output.\n" " --hex-salt Use hex encoding for the salt.\n", DEFAULT_ITERATIONS, DEFAULT_LENGTH); } #define MAX_PASSWORD 1024 int main (int argc, char **argv) { unsigned iterations = DEFAULT_ITERATIONS; unsigned output_length = DEFAULT_LENGTH; char password[MAX_PASSWORD]; size_t password_length; uint8_t *output; size_t salt_length; char *salt; int raw = 0; int hex_salt = 0; int c; enum { OPT_HELP = 0x300, OPT_RAW, OPT_HEX_SALT }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "length", required_argument, NULL, 'l' }, { "iterations", required_argument, NULL, 'i' }, { "raw", no_argument, NULL, OPT_RAW }, { "hex-salt", no_argument, NULL, OPT_HEX_SALT }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "Vl:i:", options, NULL)) != -1) switch (c) { default: abort(); case '?': usage (stderr); return EXIT_FAILURE; case OPT_HELP: usage (stdout); return EXIT_SUCCESS; case 'V': printf("nettle-pbkdf2 (" PACKAGE_STRING ")\n"); return EXIT_SUCCESS; case 'l': { int arg; arg = atoi (optarg); if (arg <= 0) die ("Invalid length argument: `%s'\n", optarg); output_length = arg; } break; case 'i': { int arg; arg = atoi (optarg); if (arg <= 0) die ("Invalid iteration count: `%s'\n", optarg); iterations = arg; } break; case OPT_RAW: raw = 1; break; case OPT_HEX_SALT: hex_salt = 1; break; } argv += optind; argc -= optind; if (argc != 1) { usage (stderr); return EXIT_FAILURE; } salt = strdup (argv[0]); if (!salt) die ("strdup failed: Virtual memory exhausted.\n"); salt_length = strlen(argv[0]); if (hex_salt) { struct base16_decode_ctx base16; base16_decode_init (&base16); if (!base16_decode_update (&base16, &salt_length, (uint8_t *) salt, salt_length, salt) || !base16_decode_final (&base16)) die ("Invalid salt (expecting hex encoding).\n"); } password_length = fread (password, 1, sizeof(password), stdin); if (password_length == sizeof(password)) die ("Password input too long. Current limit is %d characters.\n", (int) sizeof(password) - 1); if (ferror (stdin)) die ("Reading password input failed: %s.\n", strerror (errno)); output = xalloc (output_length); pbkdf2_hmac_sha256 (password_length, (const uint8_t *) password, iterations, salt_length, (const uint8_t*) salt, output_length, output); free (salt); if (raw) fwrite (output, output_length, 1, stdout); else { unsigned i; char hex[BASE16_ENCODE_LENGTH(8) + 1]; for (i = 0; i + 8 < output_length; i += 8) { base16_encode_update(hex, 8, output + i); hex[BASE16_ENCODE_LENGTH(8)] = 0; printf("%s%c", hex, i % 64 == 56 ? '\n' : ' '); } base16_encode_update(hex, output_length - i, output + i); hex[BASE16_ENCODE_LENGTH(output_length - i)] = 0; printf("%s\n", hex); } free (output); if (fflush(stdout) != 0 ) die("Write failed: %s\n", strerror(errno)); return EXIT_SUCCESS; } nettle-3.10/tools/input.c0000644000175000017500000002200214633602172014417 0ustar nissenisse/* input.c Copyright (C) 2002, 2003, 2008 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "input.h" void sexp_input_init(struct sexp_input *input, FILE *f) { input->f = f; input->coding = NULL; } static void sexp_get_raw_char(struct sexp_input *input) { int c = getc(input->f); if (c < 0) { if (ferror(input->f)) die("Read error: %s\n", strerror(errno)); input->ctype = SEXP_EOF_CHAR; } else { input->ctype = SEXP_NORMAL_CHAR; input->c = c; } } void sexp_get_char(struct sexp_input *input) { if (input->coding) for (;;) { size_t done; sexp_get_raw_char(input); if (input->ctype == SEXP_EOF_CHAR) die("Unexpected end of file in coded data.\n"); if (input->c == input->terminator) { input->ctype = SEXP_END_CHAR; return; } done = 1; /* Decodes in place. Should always work, when we decode one * character at a time. */ if (!input->coding->decode_update(&input->state, &done, &input->c, 1, (const char*) &input->c)) die("Invalid coded data.\n"); if (done) return; } else sexp_get_raw_char(input); } static uint8_t sexp_next_char(struct sexp_input *input) { sexp_get_char(input); if (input->ctype != SEXP_NORMAL_CHAR) die("Unexpected end of file.\n"); return input->c; } static void sexp_push_char(struct sexp_input *input, struct nettle_buffer *string) { assert(input->ctype == SEXP_NORMAL_CHAR); if (!NETTLE_BUFFER_PUTC(string, input->c)) die("Virtual memory exhasuted.\n"); } static void sexp_input_start_coding(struct sexp_input *input, const struct nettle_armor *coding, uint8_t terminator) { assert(!input->coding); input->coding = coding; input->coding->decode_init(&input->state); input->terminator = terminator; } static void sexp_input_end_coding(struct sexp_input *input) { assert(input->coding); if (!input->coding->decode_final(&input->state)) die("Invalid coded data.\n"); input->coding = NULL; } /* Return 0 at end-of-string */ static int sexp_get_quoted_char(struct sexp_input *input) { sexp_next_char(input); switch (input->c) { default: return 1; case '\"': return 0; case '\\': sexp_next_char(input); switch (input->c) { case 'b': input->c = '\b'; return 1; case 't': input->c = '\t'; return 1; case 'n': input->c = '\n'; return 1; case 'f': input->c = '\f'; return 1; case 'r': input->c = '\r'; return 1; case '\\': input->c = '\\'; return 1; case 'o': case 'x': /* FIXME: Not implemnted */ abort(); case '\n': if (sexp_next_char(input) == '\r') sexp_next_char(input); break; case '\r': if (sexp_next_char(input) == '\n') sexp_next_char(input); break; } return 1; } } static void sexp_get_token_string(struct sexp_input *input, struct nettle_buffer *string) { assert(!input->coding); assert(input->ctype == SEXP_NORMAL_CHAR); if (!TOKEN_CHAR(input->c)) die("Invalid token.\n"); do { sexp_push_char(input, string); sexp_get_char(input); } while (input->ctype == SEXP_NORMAL_CHAR && TOKEN_CHAR(input->c)); assert (string->size); } static void sexp_get_string(struct sexp_input *input, struct nettle_buffer *string) { nettle_buffer_reset(string); input->token = SEXP_STRING; switch (input->c) { case '\"': while (sexp_get_quoted_char(input)) sexp_push_char(input, string); sexp_get_char(input); break; case '#': sexp_input_start_coding(input, &nettle_base16, '#'); goto decode; case '|': sexp_input_start_coding(input, &nettle_base64, '|'); decode: for (;;) { sexp_get_char(input); switch (input->ctype) { case SEXP_NORMAL_CHAR: sexp_push_char(input, string); break; case SEXP_EOF_CHAR: die("Unexpected end of file in coded string.\n"); case SEXP_END_CHAR: sexp_input_end_coding(input); sexp_get_char(input); return; } } break; default: sexp_get_token_string(input, string); break; } } static void sexp_get_string_length(struct sexp_input *input, enum sexp_mode mode, struct nettle_buffer *string) { unsigned length; nettle_buffer_reset(string); input->token = SEXP_STRING; length = input->c - '0'; if (!length) /* There must be no more digits */ sexp_next_char(input); else { assert(length < 10); /* Get rest of digits */ for (;;) { sexp_next_char(input); if (input->c < '0' || input->c > '9') break; /* FIXME: Check for overflow? */ length = length * 10 + input->c - '0'; } } if (input->c == ':') /* Verbatim */ for (; length; length--) { sexp_next_char(input); sexp_push_char(input, string); } else if (mode != SEXP_ADVANCED) die("Encountered advanced string in canonical mode.\n"); else switch(input->c) { case '"': for (; length; length--) if (sexp_get_quoted_char(input)) sexp_push_char(input, string); else die("Unexpected end of string.\n"); if (sexp_get_quoted_char(input)) die("Quoted string longer than expected.\n"); break; case '#': sexp_input_start_coding(input, &nettle_base16, '#'); goto decode; case '|': sexp_input_start_coding(input, &nettle_base64, '|'); decode: for (; length; length--) { sexp_next_char(input); sexp_push_char(input, string); } sexp_get_char(input); if (input->ctype != SEXP_END_CHAR) die("Coded string too long.\n"); sexp_input_end_coding(input); break; default: die("Invalid string.\n"); } /* Skip the ending character. */ sexp_get_char(input); } static void sexp_get_comment(struct sexp_input *input, struct nettle_buffer *string) { nettle_buffer_reset(string); assert(input->ctype == SEXP_NORMAL_CHAR); assert(input->c == ';'); do { sexp_push_char(input, string); sexp_get_raw_char(input); } while (input->ctype == SEXP_NORMAL_CHAR && input->c != '\n'); input->token = SEXP_COMMENT; } /* When called, input->c should be the first character of the current * token. * * When returning, input->c should be the first character of the next * token. */ void sexp_get_token(struct sexp_input *input, enum sexp_mode mode, struct nettle_buffer *string) { for(;;) switch(input->ctype) { case SEXP_EOF_CHAR: input->token = SEXP_EOF; return; case SEXP_END_CHAR: input->token = SEXP_CODING_END; sexp_input_end_coding(input); sexp_get_char(input); return; case SEXP_NORMAL_CHAR: switch(input->c) { case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': sexp_get_string_length(input, mode, string); return; case '(': input->token = SEXP_LIST_START; sexp_get_char(input); return; case ')': input->token = SEXP_LIST_END; sexp_get_char(input); return; case '[': input->token = SEXP_DISPLAY_START; sexp_get_char(input); return; case ']': input->token = SEXP_DISPLAY_END; sexp_get_char(input); return; case '{': if (mode == SEXP_CANONICAL) die("Unexpected transport data in canonical mode.\n"); sexp_input_start_coding(input, &nettle_base64, '}'); sexp_get_char(input); input->token = SEXP_TRANSPORT_START; return; case ' ': /* SPC, TAB, LF, CR */ case '\t': case '\n': case '\r': if (mode == SEXP_CANONICAL) die("Whitespace encountered in canonical mode.\n"); sexp_get_char(input); break; case ';': /* Comments */ if (mode == SEXP_CANONICAL) die("Comment encountered in canonical mode.\n"); sexp_get_comment(input, string); return; default: /* Ought to be a string */ if (mode != SEXP_ADVANCED) die("Encountered advanced string in canonical mode.\n"); sexp_get_string(input, string); return; } } } nettle-3.10/tools/misc.h0000644000175000017500000000366214633602172014233 0ustar nissenisse/* misc.h Copyright (C) 2002, 2003, 2008, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_MISC_H_INCLUDED #define NETTLE_TOOLS_MISC_H_INCLUDED #if HAVE_CONFIG_H # include "config.h" #endif void die(const char *format, ...) PRINTF_STYLE (1, 2) NORETURN; void werror(const char *format, ...) PRINTF_STYLE (1, 2); void * xalloc(size_t size); enum sexp_mode { SEXP_CANONICAL = 0, SEXP_ADVANCED = 1, SEXP_TRANSPORT = 2, }; enum sexp_token { SEXP_STRING, SEXP_DISPLAY, /* Constructed by sexp_parse */ SEXP_COMMENT, SEXP_LIST_START, SEXP_LIST_END, SEXP_EOF, /* The below types are internal to the input parsing, only * returned by sexp_get_token. sexp_parse should never return a * token of these types. */ SEXP_DISPLAY_START, SEXP_DISPLAY_END, SEXP_TRANSPORT_START, SEXP_CODING_END, }; extern const char sexp_token_chars[0x80]; #define TOKEN_CHAR(c) ((c) < 0x80 && sexp_token_chars[(c)]) #endif /* NETTLE_TOOLS_MISC_H_INCLUDED */ nettle-3.10/tools/input.h0000644000175000017500000000376614633602172014444 0ustar nissenisse/* input.h Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_INPUT_H_INCLUDED #define NETTLE_TOOLS_INPUT_H_INCLUDED #include "misc.h" #include "base16.h" #include "base64.h" #include "buffer.h" #include "nettle-meta.h" #include /* Special marks in the input stream */ enum sexp_char_type { SEXP_NORMAL_CHAR = 0, SEXP_EOF_CHAR, SEXP_END_CHAR, }; struct sexp_input { FILE *f; /* Character stream, consisting of ordinary characters, * SEXP_EOF_CHAR, and SEXP_END_CHAR. */ enum sexp_char_type ctype; uint8_t c; const struct nettle_armor *coding; union { struct base64_decode_ctx base64; struct base16_decode_ctx hex; } state; /* Terminator for current coding */ uint8_t terminator; /* Type of current token */ enum sexp_token token; }; void sexp_input_init(struct sexp_input *input, FILE *f); void sexp_get_char(struct sexp_input *input); void sexp_get_token(struct sexp_input *input, enum sexp_mode mode, struct nettle_buffer *string); #endif /* NETTLE_TOOLS_INPUT_H_INCLUDED */ nettle-3.10/tools/misc.c0000644000175000017500000000420214633602172014215 0ustar nissenisse/* misc.c Copyright (C) 2002, 2003, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "misc.h" void die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); exit(EXIT_FAILURE); } void werror(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); } void * xalloc(size_t size) { void *p = malloc(size); if (!p) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return p; } const char sexp_token_chars[0x80] = { /* 0, ... 0x1f */ 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, /* SPC ! " # $ % & ' ( ) * + , - . / */ 0,0,0,0,0,0,0,0, 0,0,1,1,0,1,1,1, /* 0 1 2 3 4 5 6 7 8 9 : ; < = > ? */ 1,1,1,1,1,1,1,1, 1,1,1,0,0,1,0,0, /* @ A ... O */ 0,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1, /* P ... Z [ \ ] ^ _ */ 1,1,1,1,1,1,1,1, 1,1,1,0,0,0,0,1, /* ` a, ... o */ 0,1,1,1,1,1,1,1, 1,1,1,1,1,1,1,1, /* p ... z { | } ~ DEL */ 1,1,1,1,1,1,1,1, 1,1,1,0,0,0,0,0, }; nettle-3.10/tools/output.h0000644000175000017500000000461114633602172014633 0ustar nissenisse/* output.h Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_OUTPUT_H_INCLUDED #define NETTLE_TOOLS_OUTPUT_H_INCLUDED #include "misc.h" #include "base64.h" #include "buffer.h" #include "nettle-meta.h" #include struct sexp_output { FILE *f; unsigned line_width; const struct nettle_armor *coding; unsigned coding_indent; int prefer_hex; const struct nettle_hash *hash; void *ctx; /* NOTE: There's no context for hex encoding, the state argument to encode_update is ignored */ struct base64_decode_ctx base64; unsigned pos; int soft_newline; }; void sexp_output_init(struct sexp_output *output, FILE *f, unsigned width, int prefer_hex); void sexp_output_hash_init(struct sexp_output *output, const struct nettle_hash *hash, void *ctx); void sexp_put_newline(struct sexp_output *output, unsigned indent); void sexp_put_soft_newline(struct sexp_output *output, unsigned indent); void sexp_put_char(struct sexp_output *output, uint8_t c); void sexp_put_data(struct sexp_output *output, unsigned length, const uint8_t *data); void sexp_put_code_start(struct sexp_output *output, const struct nettle_armor *coding); void sexp_put_code_end(struct sexp_output *output); void sexp_put_string(struct sexp_output *output, enum sexp_mode mode, struct nettle_buffer *string); void sexp_put_digest(struct sexp_output *output); #endif /* NETTLE_TOOLS_OUTPUT_H_INCLUDED */ nettle-3.10/tools/Makefile.in0000644000175000017500000000613014633602172015165 0ustar nissenisse@SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = $(INSTALL_PROGRAM) -s MKDIR_P = @MKDIR_P@ include ../config.make PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. HOGWEED_TARGETS = pkcs1-conv$(EXEEXT) TARGETS = sexp-conv$(EXEEXT) nettle-hash$(EXEEXT) nettle-pbkdf2$(EXEEXT) \ nettle-lfib-stream$(EXEEXT) \ @IF_HOGWEED@ $(HOGWEED_TARGETS) TS_ALL = sexp-conv-test pkcs1-conv-test nettle-pbkdf2-test all: $(TARGETS) getopt_OBJS = ../getopt.$(OBJEXT) ../getopt1.$(OBJEXT) sexp_conv_SOURCES = sexp-conv.c input.c output.c parse.c misc.c pkcs1_conv_SOURCES = pkcs1-conv.c misc.c nettle_hash_SOURCES = nettle-hash.c misc.c nettle_pbkdf2_SOURCES = nettle-pbkdf2.c misc.c SOURCES = $(sexp_conv_SOURCES) nettle-hash.c nettle-lfib-stream.c pkcs1-conv.c nettle-pbkdf2.c DISTFILES = $(SOURCES) $(TS_ALL) Makefile.in input.h misc.h output.h parse.h sexp_conv_OBJS = $(sexp_conv_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) sexp-conv$(EXEEXT): $(sexp_conv_OBJS) ../libnettle.stamp $(LINK) $(sexp_conv_OBJS) -lnettle $(LIBS) -o $@ nettle-lfib-stream$(EXEEXT): nettle-lfib-stream.$(OBJEXT) ../libnettle.stamp $(LINK) nettle-lfib-stream.$(OBJEXT) -lnettle $(LIBS) -o $@ pkcs1_conv_OBJS = $(pkcs1_conv_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) pkcs1-conv$(EXEEXT): $(pkcs1_conv_OBJS) ../libnettle.stamp ../libhogweed.stamp $(LINK) $(pkcs1_conv_OBJS) -lhogweed -lnettle $(LIBS) -o $@ # FIXME: Avoid linking with gmp nettle_hash_OBJS = $(nettle_hash_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) nettle-hash$(EXEEXT): $(nettle_hash_OBJS) ../libnettle.stamp $(LINK) $(nettle_hash_OBJS) -lnettle -o $@ nettle_pbkdf2_OBJS = $(nettle_pbkdf2_SOURCES:.c=.$(OBJEXT)) $(getopt_OBJS) nettle-pbkdf2$(EXEEXT): $(nettle_pbkdf2_OBJS) ../libnettle.stamp $(LINK) $(nettle_pbkdf2_OBJS) -lnettle -o $@ %.$(OBJEXT): %.c $(COMPILE) -c $< && $(DEP_PROCESS) # NOTE: If we required GNU make, we could use a single rule with $(@F) # or $(notdir $@) ../getopt.$(OBJEXT): ( cd .. && $(MAKE) getopt.$(OBJEXT)) ../getopt1.$(OBJEXT): ( cd .. && $(MAKE) getopt1.$(OBJEXT)) Makefile: $(srcdir)/Makefile.in ../config.status cd .. && $(SHELL) ./config.status tools/$@ check: $(TS_ALL) TEST_SHLIB_DIR="$(TEST_SHLIB_DIR)" \ srcdir="$(srcdir)" \ EMULATOR="$(EMULATOR)" EXEEXT="$(EXEEXT)" \ $(top_srcdir)/run-tests $(TS_ALL) install: $(TARGETS) $(MKDIR_P) $(DESTDIR)$(bindir) for f in $(TARGETS) ; do \ $(INSTALL_PROGRAM) $$f $(DESTDIR)$(bindir) ; \ done uninstall: for f in $(TARGETS) ; do \ rm -f $(DESTDIR)$(bindir)/$$f ; \ done # NOTE: I'd like to use $^, but that's a GNU extension. $? should be # more portable, equivalent for phony targets. distdir: $(DISTFILES) cp $? $(distdir) clean: -rm -f $(TARGETS) *.$(OBJEXT) *.$(OBJEXT).d test.in test1.out test2.out \ testkey.priv testkey.pub testtmp testsignature testsignature2 distclean: clean -rm -f Makefile *.d tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h -include $(SOURCES:.c=.$(OBJEXT).d) nettle-3.10/tools/sexp-conv-test0000755000175000017500000000474614633602172015760 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi print_raw () { printf "%s" "$1" > "$2" } print_nl () { printf "%s\n" "$1" > "$2" } test_advanced () { print_raw "$1" test.in if $EMULATOR ./sexp-conv$EXEEXT -s advanced test1.out ; then true else exit 1 fi print_nl "$2" test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_advanced_hex () { print_raw "$1" test.in if $EMULATOR ./sexp-conv$EXEEXT -s hex test1.out ; then true else exit 1 fi print_nl "$2" test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_transport () { print_raw "$1" test.in if $EMULATOR ./sexp-conv$EXEEXT -s transport test1.out ; then true else exit 1 fi print_nl "$2" test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_canonical () { print_raw "$1" test.in if $EMULATOR ./sexp-conv$EXEEXT -s canonical test1.out ; then true else exit 1 fi print_raw "$2" test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_advanced '0:' '""' test_advanced '3:foo' 'foo' test_advanced '12:fooooooooooo' 'fooooooooooo' test_advanced '10:fooooooooo' 'fooooooooo' test_advanced '4:3des' '"3des"' test_advanced '"foo"' 'foo' test_advanced '4:foo ' '"foo\n"' # Having the string end with a \ breaks with sysv echo. \x seems harmless. test_advanced '3:"\x' '"\"\\x"' test_advanced '()' '()' test_advanced '(foo bar baz)' '(foo bar baz)' test_advanced '; comment ()' '; comment ()' test_advanced '(foo ; gazonk bar)' '(foo ; gazonk bar)' test_advanced '(foo[bar]foo)' '(foo [bar]foo)' test_advanced '(#aabb#)' '(|qrs=|)' test_advanced '(|qrs=|)' '(|qrs=|)' test_advanced_hex '(|qrs=|)' '(#aabb#)' test_advanced_hex '(#aabb#)' '(#aabb#)' test_advanced_hex '{MToR}' '#11#' test_advanced_hex '|EQ==|' '#11#' test_transport '0:' '{MDo=}' test_transport '()' '{KCk=}' test_transport '1:A' '{MTpB}' test_transport 'foo' '{Mzpmb28=}' test_transport '(foo bar baz)' '{KDM6Zm9vMzpiYXIzOmJheik=}' test_canonical '""' '0:' test_canonical '{MDo=}' '0:' test_canonical '{KCk=}' '()' test_canonical '{MTpB}' '1:A' test_canonical 'foo' '3:foo' test_canonical 'fooooooooooo' '12:fooooooooooo' test_canonical 'fooooooooo' '10:fooooooooo' test_canonical '(foo bar baz)' '(3:foo3:bar3:baz)' test_canonical '{KDM6Zm9vMzpiYXIzOmJheik=}' '(3:foo3:bar3:baz)' exit 0 nettle-3.10/tools/output.c0000644000175000017500000001517614633602172014636 0ustar nissenisse/* output.c Copyright (C) 2002, 2003, 2009 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include #include "output.h" /* For TMP_ALLOC */ #include "nettle-internal.h" void sexp_output_init(struct sexp_output *output, FILE *f, unsigned width, int prefer_hex) { output->f = f; output->line_width = width; output->coding = NULL; output->prefer_hex = prefer_hex; output->hash = NULL; output->ctx = NULL; output->pos = 0; output->soft_newline = 0; } void sexp_output_hash_init(struct sexp_output *output, const struct nettle_hash *hash, void *ctx) { output->hash = hash; output->ctx = ctx; hash->init(ctx); } static void sexp_put_raw_char(struct sexp_output *output, uint8_t c) { if (putc(c, output->f) < 0) die("Write failed: %s\n", strerror(errno)); output->pos++; output->soft_newline = 0; } void sexp_put_newline(struct sexp_output *output, unsigned indent) { if (output->soft_newline) output->soft_newline = 0; else { unsigned i; sexp_put_raw_char(output, '\n'); output->pos = 0; for(i = 0; i < indent; i++) sexp_put_raw_char(output, ' '); output->pos = indent; } } /* Put a newline, but only if it is followed by another newline, collaps to one newline only. */ void sexp_put_soft_newline(struct sexp_output *output, unsigned indent) { sexp_put_newline(output, indent); output->soft_newline = 1; } void sexp_put_char(struct sexp_output *output, uint8_t c) { if (output->coding) { /* Two is enough for both base16 and base64. */ char encoded[2]; unsigned done; unsigned i; done = output->coding->encode_update(&output->base64, encoded, 1, &c); assert(done <= sizeof(encoded)); for (i = 0; iline_width && output->pos >= output->line_width && output->pos >= (output->coding_indent + 10)) sexp_put_newline(output, output->coding_indent); sexp_put_raw_char(output, encoded[i]); } } else if (output->hash) output->hash->update(output->ctx, 1, &c); else sexp_put_raw_char(output, c); } void sexp_put_data(struct sexp_output *output, unsigned length, const uint8_t *data) { unsigned i; for (i = 0; i length) break; digit = next; } for (; digit; length %= digit, digit /= 10) sexp_put_char(output, '0' + length / digit); } void sexp_put_code_start(struct sexp_output *output, const struct nettle_armor *coding) { assert(!output->coding); output->coding_indent = output->pos; output->coding = coding; output->coding->encode_init(&output->base64); } void sexp_put_code_end(struct sexp_output *output) { /* Enough for both hex and base64 */ char encoded[BASE64_ENCODE_FINAL_LENGTH]; unsigned done; assert(output->coding); done = output->coding->encode_final(&output->base64, encoded); assert(done <= sizeof(encoded)); output->coding = NULL; sexp_put_data(output, done, (const uint8_t*) encoded); } void sexp_put_string(struct sexp_output *output, enum sexp_mode mode, struct nettle_buffer *string) { if (!string->size) sexp_put_data(output, 2, (const uint8_t *) ((mode == SEXP_ADVANCED) ? "\"\"": "0:")); else if (mode == SEXP_ADVANCED) { unsigned i; int token = (string->contents[0] < '0' || string->contents[0] > '9'); int quote_friendly = 1; #define CONTROL_SIZE 0x20 static const char escape_names[CONTROL_SIZE] = { 0,0,0,0,0,0,0,0, 'b','t','n',0,'f','r',0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 }; for (i = 0; isize; i++) { uint8_t c = string->contents[i]; if (token & !TOKEN_CHAR(c)) token = 0; if (quote_friendly) { if (c >= 0x7f) quote_friendly = 0; else if (c < CONTROL_SIZE && !escape_names[c]) quote_friendly = 0; } } if (token) sexp_put_data(output, string->size, string->contents); else if (quote_friendly) { sexp_put_char(output, '"'); for (i = 0; isize; i++) { int escape = 0; uint8_t c = string->contents[i]; assert(c < 0x7f); if (c == '\\' || c == '"') escape = 1; else if (c < CONTROL_SIZE) { escape = 1; c = escape_names[c]; assert(c); } if (escape) sexp_put_char(output, '\\'); sexp_put_char(output, c); } sexp_put_char(output, '"'); } else { uint8_t delimiter; const struct nettle_armor *coding; if (output->prefer_hex) { delimiter = '#'; coding = &nettle_base16; } else { delimiter = '|'; coding = &nettle_base64; } sexp_put_char(output, delimiter); sexp_put_code_start(output, coding); sexp_put_data(output, string->size, string->contents); sexp_put_code_end(output); sexp_put_char(output, delimiter); } #undef CONTROL_SIZE } else { sexp_put_length(output, string->size); sexp_put_char(output, ':'); sexp_put_data(output, string->size, string->contents); } } void sexp_put_digest(struct sexp_output *output) { TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_ALLOC(digest, output->hash->digest_size); assert(output->hash); output->hash->digest(output->ctx, output->hash->digest_size, digest); sexp_put_code_start(output, &nettle_base16); sexp_put_data(output, output->hash->digest_size, digest); sexp_put_code_end(output); } nettle-3.10/tools/nettle-pbkdf2-test0000755000175000017500000000134214633602172016464 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi test_pbkdf2 () { password="$1" salt="$2" iters="$3" expected="$4" # Relies on division rounding down; breaks if # $expected contains more than one space. length=`expr "$expected" : '.*' / 2` # Delete carriage return characters, needed when testing with # wine. printf "%s" "$password" | $EMULATOR ./nettle-pbkdf2$EXEEXT \ -i "$iters" -l "$length" "$salt" | tr -d '\r' > test1.out echo "$expected" | tr -d '\r' > test2.out if cmp test1.out test2.out ; then true else exit 1; fi } test_pbkdf2 passwd salt 1 "55ac046e56e3089f ec1691c22544b605" test_pbkdf2 Password NaCl 80000 "4ddcd8f60b98be21 830cee5ef22701f9" exit 0 nettle-3.10/tools/nettle-lfib-stream.c0000644000175000017500000000373214633602172016767 0ustar nissenisse/* lfib-stream.c Generates a pseudorandom stream, using the Knuth lfib (non-cryptographic) pseudorandom generator. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "knuth-lfib.h" #include #include #include #include #define BUFSIZE 500 static void usage(void) { fprintf(stderr, "Usage: lfib-stream [SEED]\n"); } int main(int argc, char **argv) { struct knuth_lfib_ctx ctx; uint32_t seed; if (argc == 1) seed = time(NULL); else if (argc == 2) { seed = atoi(argv[1]); if (!seed) { usage(); return EXIT_FAILURE; } } else { usage(); return EXIT_FAILURE; } knuth_lfib_init(&ctx, seed); for (;;) { uint8_t buffer[BUFSIZE]; knuth_lfib_random(&ctx, sizeof(buffer), buffer); if (fwrite(buffer, 1, sizeof(buffer), stdout) < sizeof(buffer) || fflush(stdout) < 0) return EXIT_FAILURE; } /* Not reached. This program is usually terminated by SIGPIPE */ } nettle-3.10/tools/parse.h0000644000175000017500000000363714633602172014414 0ustar nissenisse/* parse.h Copyright (C) 2002, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TOOLS_PARSE_H_INCLUDED #define NETTLE_TOOLS_PARSE_H_INCLUDED #include "misc.h" #include "buffer.h" struct sexp_compound_token { enum sexp_token type; struct nettle_buffer display; struct nettle_buffer string; }; void sexp_compound_token_init(struct sexp_compound_token *token); void sexp_compound_token_clear(struct sexp_compound_token *token); struct sexp_parser { struct sexp_input *input; enum sexp_mode mode; /* Nesting level of lists. Transport encoding counts as one * level of nesting. */ unsigned level; /* The nesting level where the transport encoding occured. * Zero if we're not currently using tranport encoding. */ unsigned transport; }; void sexp_parse_init(struct sexp_parser *parser, struct sexp_input *input, enum sexp_mode mode); void sexp_parse(struct sexp_parser *parser, struct sexp_compound_token *token); #endif /* NETTLE_TOOLS_PARSE_H_INCLUDED */ nettle-3.10/tools/nettle-hash.c0000644000175000017500000001306114633602172015501 0ustar nissenisse/* nettle-hash.c General hashing tool. Copyright (C) 2011, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-meta.h" #include "base16.h" #include "getopt.h" #include "misc.h" #define BUFSIZE 16384 static void list_algorithms (void) { unsigned i; const struct nettle_hash *alg; printf ("%10s digestsize (internal block size, context size), in units of octets\n", "name"); for (i = 0; (alg = nettle_hashes[i]); i++) printf ("%10s %d (%d, %d)\n", alg->name, alg->digest_size, alg->block_size, alg->context_size); }; /* Also in examples/io.c */ static int hash_file(const struct nettle_hash *hash, void *ctx, FILE *f) { for (;;) { uint8_t buffer[BUFSIZE]; size_t res = fread(buffer, 1, sizeof(buffer), f); if (ferror(f)) return 0; hash->update(ctx, res, buffer); if (feof(f)) return 1; } } static int digest_file(const struct nettle_hash *alg, unsigned digest_length, int raw, FILE *f) { void *ctx; uint8_t *digest; ctx = xalloc(alg->context_size); alg->init(ctx); if (!hash_file (alg, ctx, f)) { free (ctx); return 0; } digest = xalloc(digest_length); alg->digest(ctx, digest_length, digest); free(ctx); if (raw) fwrite (digest, digest_length, 1, stdout); else { unsigned i; char hex[BASE16_ENCODE_LENGTH(8) + 1]; for (i = 0; i + 8 < digest_length; i += 8) { base16_encode_update(hex, 8, digest + i); hex[BASE16_ENCODE_LENGTH(8)] = 0; printf("%s ", hex); } base16_encode_update(hex, digest_length - i, digest + i); hex[BASE16_ENCODE_LENGTH(digest_length - i)] = 0; printf("%s %s\n", hex, alg->name); } free(digest); return 1; } static void usage (FILE *f) { fprintf(f, "Usage: nettle-hash -a ALGORITHM [OPTIONS] [FILE ...]\n" "Options:\n" " --help Show this help.\n" " -V, --version Show version information.\n" " --list List supported hash algorithms.\n" " -a, --algorithm=ALG Hash algorithm to use.\n" " -l, --length=LENGTH Desired digest length (octets)\n" " --raw Raw binary output.\n"); } /* FIXME: Be more compatible with md5sum and sha1sum. Options -c (check), -b (binary), -t (text), and output format with hex hash sum, optional star (meaning binary mode), and file name. */ int main (int argc, char **argv) { const char *alg_name = NULL; const struct nettle_hash *alg; unsigned length = 0; int raw = 0; int c; enum { OPT_HELP = 0x300, OPT_RAW, OPT_LIST }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "algorithm", required_argument, NULL, 'a' }, { "length", required_argument, NULL, 'l' }, { "list", no_argument, NULL, OPT_LIST }, { "raw", no_argument, NULL, OPT_RAW }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "Va:l:", options, NULL)) != -1) switch (c) { default: abort(); case '?': usage (stderr); return EXIT_FAILURE; case OPT_HELP: usage (stdout); return EXIT_SUCCESS; case 'V': printf("nettle-hash (" PACKAGE_STRING ")\n"); return EXIT_SUCCESS; case 'a': alg_name = optarg; break; case 'l': { int arg; arg = atoi (optarg); if (arg <= 0) die ("Invalid length argument: `%s'\n", optarg); length = arg; } break; case OPT_RAW: raw = 1; break; case OPT_LIST: list_algorithms(); return EXIT_SUCCESS; } if (!alg_name) die("Algorithm argument (-a option) is mandatory.\n" "See nettle-hash --help for further information.\n"); alg = nettle_lookup_hash (alg_name); if (!alg) die("Hash algorithm `%s' not supported or .\n" "Use nettle-hash --list to list available algorithms.\n", alg_name); if (length == 0) length = alg->digest_size; else if (length > alg->digest_size) die ("Length argument %d too large for selected algorithm.\n", length); argv += optind; argc -= optind; if (argc == 0) digest_file (alg, length, raw, stdin); else { int i; for (i = 0; i < argc; i++) { FILE *f = fopen (argv[i], "rb"); if (!f) die ("Cannot open `%s': %s\n", argv[i], strerror(errno)); printf("%s: ", argv[i]); if (!digest_file (alg, length, raw, f)) die("Reading `%s' failed: %s\n", argv[i], strerror(errno)); fclose(f); } } if (fflush(stdout) != 0 ) die("Write failed: %s\n", strerror(errno)); return EXIT_SUCCESS; } nettle-3.10/tools/pkcs1-conv.c0000644000175000017500000003646114633602172015262 0ustar nissenisse/* pkcs1-conv.c Converting pkcs#1 and related keys to sexp format. Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "asn1.h" #include "base64.h" #include "buffer.h" #include "rsa.h" #include "dsa.h" #include "getopt.h" #include "misc.h" enum object_type { /* Use a range of values which also work as option id:s */ RSA_PRIVATE_KEY = 0x200, RSA_PUBLIC_KEY, DSA_PRIVATE_KEY, /* DSA public keys only supported as part of a SubjectPublicKeyInfo, i.e., the GENERAL_PUBLIC_KEY case. */ GENERAL_PUBLIC_KEY, }; static int write_file(struct nettle_buffer *buffer, FILE *f) { size_t res = fwrite(buffer->contents, 1, buffer->size, f); if (res < buffer->size) { werror("Write failed: %s.\n", strerror(errno)); return 0; } else return 1; } /* Return 1 on success, 0 on error, -1 on eof */ static int read_line(struct nettle_buffer *buffer, FILE *f) { int c; while ((c = getc(f)) != EOF) { if (!NETTLE_BUFFER_PUTC(buffer, c)) return 0; if (c == '\n') return 1; } if (ferror(f)) { werror("Read failed: %s\n", strerror(errno)); return 0; } else return -1; } static int read_file(struct nettle_buffer *buffer, FILE *f) { int c; while ((c = getc(f)) != EOF) if (!NETTLE_BUFFER_PUTC(buffer, c)) return 0; if (ferror(f)) { werror("Read failed: %s\n", strerror(errno)); return 0; } else return 1; } static const uint8_t pem_start_pattern[11] = "-----BEGIN "; static const uint8_t pem_end_pattern[9] = "-----END "; static const uint8_t pem_trailer_pattern[5] = "-----"; static const char pem_ws[33] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 0, 0, /* \t, \n, \v, \f, \r */ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 /* SPC */ }; #define PEM_IS_SPACE(c) ((c) < sizeof(pem_ws) && pem_ws[(c)]) /* Returns 1 on match, otherwise 0. */ static int match_pem_start(size_t length, const uint8_t *line, size_t *marker_start, size_t *marker_length) { while (length > 0 && PEM_IS_SPACE(line[length - 1])) length--; if (length > (sizeof(pem_start_pattern) + sizeof(pem_trailer_pattern)) && memcmp(line, pem_start_pattern, sizeof(pem_start_pattern)) == 0 && memcmp(line + length - sizeof(pem_trailer_pattern), pem_trailer_pattern, sizeof(pem_trailer_pattern)) == 0) { *marker_start = 11; *marker_length = length - (sizeof(pem_start_pattern) + sizeof(pem_trailer_pattern)); return 1; } else return 0; } /* Returns 1 on match, -1 if the line is of the right form except for the marker, otherwise 0. */ static int match_pem_end(size_t length, const uint8_t *line, size_t marker_length, const uint8_t *marker) { while (length > 0 && PEM_IS_SPACE(line[length - 1])) length--; if (length > (sizeof(pem_end_pattern) + sizeof(pem_trailer_pattern)) && memcmp(line, pem_end_pattern, sizeof(pem_end_pattern)) == 0 && memcmp(line + length - sizeof(pem_trailer_pattern), pem_trailer_pattern, sizeof(pem_trailer_pattern)) == 0) { /* Right form. Check marker */ if (length == marker_length + (sizeof(pem_end_pattern) + sizeof(pem_trailer_pattern)) && memcmp(line + sizeof(pem_end_pattern), marker, marker_length) == 0) return 1; else return -1; } else return 0; } struct pem_info { /* The FOO part in "-----BEGIN FOO-----" */ size_t marker_start; size_t marker_length; size_t data_start; size_t data_length; }; static int read_pem(struct nettle_buffer *buffer, FILE *f, struct pem_info *info) { /* Find start line */ for (;;) { int res; nettle_buffer_reset(buffer); res = read_line(buffer, f); if (res != 1) return res; if (match_pem_start(buffer->size, buffer->contents, &info->marker_start, &info->marker_length)) break; } /* NUL-terminate the marker. Don't care to check for embedded NULs. */ buffer->contents[info->marker_start + info->marker_length] = 0; info->data_start = buffer->size; for (;;) { size_t line_start = buffer->size; if (read_line(buffer, f) != 1) return 0; switch (match_pem_end(buffer->size - line_start, buffer->contents + line_start, info->marker_length, buffer->contents + info->marker_start)) { case 0: break; case -1: werror("PEM END line doesn't match BEGIN.\n"); return 0; case 1: /* Return base 64 data; let caller do the decoding */ info->data_length = line_start - info->data_start; return 1; } } } static inline int base64_decode_in_place (struct base64_decode_ctx *ctx, size_t *dst_length, size_t length, uint8_t *data) { return base64_decode_update (ctx, dst_length, data, length, (const char *) data); } static int decode_base64(struct nettle_buffer *buffer, size_t start, size_t *length) { struct base64_decode_ctx ctx; base64_decode_init(&ctx); /* Decode in place */ if (base64_decode_in_place(&ctx, length, *length, buffer->contents + start) && base64_decode_final(&ctx)) return 1; else { werror("Invalid base64 date.\n"); return 0; } } static int convert_rsa_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { struct rsa_public_key pub; int res; rsa_public_key_init(&pub); if (rsa_keypair_from_der(&pub, NULL, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); res = rsa_keypair_to_sexp(buffer, NULL, &pub, NULL); } else { werror("Invalid PKCS#1 public key.\n"); res = 0; } rsa_public_key_clear(&pub); return res; } static int convert_rsa_private_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { struct rsa_public_key pub; struct rsa_private_key priv; int res; rsa_public_key_init(&pub); rsa_private_key_init(&priv); if (rsa_keypair_from_der(&pub, &priv, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); res = rsa_keypair_to_sexp(buffer, NULL, &pub, &priv); } else { werror("Invalid PKCS#1 private key.\n"); res = 0; } rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); return res; } static int convert_dsa_private_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { struct dsa_params params; mpz_t pub; mpz_t priv; int res; dsa_params_init (¶ms); mpz_init (pub); mpz_init (priv); if (dsa_openssl_private_key_from_der(¶ms, pub, priv, 0, length, data)) { /* Reuses the buffer */ nettle_buffer_reset(buffer); res = dsa_keypair_to_sexp(buffer, NULL, ¶ms, pub, priv); } else { werror("Invalid OpenSSL private key.\n"); res = 0; } dsa_params_clear (¶ms); mpz_clear (pub); mpz_clear (priv); return res; } /* Returns 1 on success, 0 on error, and -1 for unsupported algorithms. */ static int convert_public_key(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { /* SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING } AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters OPTIONAL } */ struct asn1_der_iterator i; struct asn1_der_iterator j; int res = 0; if (asn1_der_iterator_first(&i, length, data) == ASN1_ITERATOR_CONSTRUCTED && i.type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(&i) == ASN1_ITERATOR_CONSTRUCTED && i.type == ASN1_SEQUENCE /* Use the j iterator to parse the algorithm identifier */ && asn1_der_decode_constructed(&i, &j) == ASN1_ITERATOR_PRIMITIVE && j.type == ASN1_IDENTIFIER && asn1_der_iterator_next(&i) == ASN1_ITERATOR_PRIMITIVE && i.type == ASN1_BITSTRING /* Use i to parse the object wrapped in the bit string.*/ && asn1_der_decode_bitstring_last(&i)) { /* pkcs-1 { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) modules(0) pkcs-1(1) } -- -- When rsaEncryption is used in an AlgorithmIdentifier the -- parameters MUST be present and MUST be NULL. -- rsaEncryption OBJECT IDENTIFIER ::= { pkcs-1 1 } */ static const uint8_t id_rsaEncryption[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x01 }; /* -- -- When dsa is used in an AlgorithmIdentifier the -- parameters MUST be present and MUST NOT be NULL. -- dsa OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) x9-57(10040) x9algorithm(4) 1 } */ static const uint8_t id_dsa[7] = { 0x2A, 0x86, 0x48, 0xCE, 0x38, 0x04, 0x01 }; switch (j.length) { unknown: default: werror("SubjectPublicKeyInfo: Unsupported algorithm.\n"); res = -1; break; case 7: if (memcmp(j.data, id_dsa, 7) == 0) { if (asn1_der_iterator_next(&j) == ASN1_ITERATOR_CONSTRUCTED && asn1_der_decode_constructed_last(&j) == ASN1_ITERATOR_PRIMITIVE) { struct dsa_params params; mpz_t pub; dsa_params_init (¶ms); mpz_init (pub); if (dsa_params_from_der_iterator(¶ms, 0, 0, &i) && dsa_public_key_from_der_iterator(¶ms, pub, &j)) { nettle_buffer_reset(buffer); res = dsa_keypair_to_sexp(buffer, NULL, ¶ms, pub, NULL) > 0; } dsa_params_clear(¶ms); mpz_clear(pub); } if (!res) werror("SubjectPublicKeyInfo: Invalid DSA key.\n"); break; } else goto unknown; case 9: if (memcmp(j.data, id_rsaEncryption, 9) == 0) { if (asn1_der_iterator_next(&j) == ASN1_ITERATOR_PRIMITIVE && j.type == ASN1_NULL && j.length == 0 && asn1_der_iterator_next(&j) == ASN1_ITERATOR_END) { struct rsa_public_key pub; rsa_public_key_init(&pub); if (rsa_public_key_from_der_iterator(&pub, 0, &i)) { nettle_buffer_reset(buffer); res = rsa_keypair_to_sexp(buffer, NULL, &pub, NULL) > 0; } rsa_public_key_clear(&pub); } if (!res) werror("SubjectPublicKeyInfo: Invalid RSA key.\n"); break; } else goto unknown; } } else werror("SubjectPublicKeyInfo: Invalid object.\n"); return res; } /* NOTE: Destroys contents of buffer */ /* Returns 1 on success, 0 on error, and -1 for unsupported algorithms. */ static int convert_type(struct nettle_buffer *buffer, enum object_type type, size_t length, const uint8_t *data) { int res; switch(type) { default: abort(); case GENERAL_PUBLIC_KEY: res = convert_public_key(buffer, length, data); break; case RSA_PUBLIC_KEY: res = convert_rsa_public_key(buffer, length, data); break; case RSA_PRIVATE_KEY: res = convert_rsa_private_key(buffer, length, data); break; case DSA_PRIVATE_KEY: res = convert_dsa_private_key(buffer, length, data); break; } if (res > 0) res = write_file(buffer, stdout); return res; } static int convert_file(struct nettle_buffer *buffer, FILE *f, enum object_type type, int base64) { if (type) { read_file(buffer, f); if (base64 && !decode_base64(buffer, 0, &buffer->size)) return 0; if (convert_type(buffer, type, buffer->size, buffer->contents) != 1) return 0; return 1; } else { /* PEM processing */ for (;;) { struct pem_info info; const uint8_t *marker; nettle_buffer_reset(buffer); switch (read_pem(buffer, f, &info)) { default: return 0; case 1: break; case -1: /* EOF */ return 1; } if (!decode_base64(buffer, info.data_start, &info.data_length)) return 0; marker = buffer->contents + info.marker_start; type = 0; switch (info.marker_length) { case 10: if (memcmp(marker, "PUBLIC KEY", 10) == 0) type = GENERAL_PUBLIC_KEY; break; case 14: if (memcmp(marker, "RSA PUBLIC KEY", 14) == 0) type = RSA_PUBLIC_KEY; break; case 15: if (memcmp(marker, "RSA PRIVATE KEY", 15) == 0) type = RSA_PRIVATE_KEY; else if (memcmp(marker, "DSA PRIVATE KEY", 15) == 0) type = DSA_PRIVATE_KEY; break; } if (!type) werror("Ignoring unsupported object type `%s'.\n", marker); else if (convert_type(buffer, type, info.data_length, buffer->contents + info.data_start) != 1) return 0; } } } int main(int argc, char **argv) { struct nettle_buffer buffer; enum object_type type = 0; int base64 = 0; int c; enum { OPT_HELP = 0x300, OPT_PRIVATE_RSA = RSA_PRIVATE_KEY, OPT_PUBLIC_RSA = RSA_PUBLIC_KEY, OPT_PRIVATE_DSA = DSA_PRIVATE_KEY, OPT_PUBLIC_KEY = GENERAL_PUBLIC_KEY, }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "private-rsa-key", no_argument, NULL, OPT_PRIVATE_RSA }, { "public-rsa-key", no_argument, NULL, OPT_PUBLIC_RSA }, { "private-dsa-key", no_argument, NULL, OPT_PRIVATE_DSA }, { "public-key-info", no_argument, NULL, OPT_PUBLIC_KEY }, { "base-64", no_argument, NULL, 'b' }, { NULL, 0, NULL, 0 } }; while ( (c = getopt_long(argc, argv, "Vb", options, NULL)) != -1) { switch (c) { default: abort(); case 'b': base64 = 1; break; case OPT_PRIVATE_RSA: case OPT_PUBLIC_RSA: case OPT_PRIVATE_DSA: case OPT_PUBLIC_KEY: /* Same values as the type codes. */ type = c; break; case OPT_HELP: printf("FIXME: Usage information.\n"); return EXIT_SUCCESS; case '?': return EXIT_FAILURE; case 'V': printf("pkcs1-conv (" PACKAGE_STRING ")\n"); return EXIT_SUCCESS; } } nettle_buffer_init_realloc(&buffer, NULL, nettle_xrealloc); if (optind == argc) { if (!convert_file(&buffer, stdin, type, base64)) return EXIT_FAILURE; } else { int i; const char *mode = (type || base64) ? "r" : "rb"; for (i = optind; i < argc; i++) { FILE *f = fopen(argv[i], mode); if (!f) die("Failed to open `%s': %s.\n", argv[i], strerror(errno)); if (!convert_file(&buffer, f, type, base64)) return EXIT_FAILURE; fclose(f); } } nettle_buffer_clear (&buffer); return EXIT_SUCCESS; } nettle-3.10/tools/pkcs1-conv-test0000755000175000017500000000403714633602172016013 0ustar nissenisse#! /bin/sh if [ -z "$srcdir" ] ; then srcdir=`pwd` fi [ -x ./pkcs1-conv$EXEEXT ] || exit 77 # Private RSA key, generated by openssl $EMULATOR ./pkcs1-conv$EXEEXT >testkey.priv <testkey.pub <testtmp < testsignature # Signature on the data "gazonk\n", using sha1 and the above key cat > testsignature2 < #include #include #include #include #if HAVE_FCNTL_LOCKING # if HAVE_SYS_TYPES_H # include # endif # if HAVE_UNISTD_H # include # endif # include #endif #include "buffer.h" #include "nettle-meta.h" #include "getopt.h" #include "input.h" #include "output.h" #include "parse.h" #define BUG_ADDRESS "nettle-bugs@lists.lysator.liu.se" /* Conversion functions. */ /* Should be called with input->token being the first token of the * expression, to be converted, and return with input->token being the * last token of the expression. */ static void sexp_convert_item(struct sexp_parser *parser, struct sexp_compound_token *token, struct sexp_output *output, enum sexp_mode mode_out, unsigned indent) { if (mode_out == SEXP_TRANSPORT) { sexp_put_char(output, '{'); sexp_put_code_start(output, &nettle_base64); sexp_convert_item(parser, token, output, SEXP_CANONICAL, 0); sexp_put_code_end(output); sexp_put_char(output, '}'); } else switch(token->type) { case SEXP_LIST_END: die("Unmatched end of list.\n"); case SEXP_EOF: die("Unexpected end of file.\n"); case SEXP_CODING_END: die("Unexpected end of coding.\n"); case SEXP_LIST_START: { unsigned item; sexp_put_char(output, '('); for (item = 0; sexp_parse(parser, token), token->type != SEXP_LIST_END; item++) { if (mode_out == SEXP_ADVANCED) { /* FIXME: Adapt pretty printing to handle a big first * element. */ switch (item) { case 0: if (token->type == SEXP_COMMENT) { indent = output->pos; /* Disable the indentation setup for next item */ item++; } break; case 1: sexp_put_char(output, ' '); indent = output->pos; break; default: sexp_put_newline(output, indent); break; } } sexp_convert_item(parser, token, output, mode_out, indent); } sexp_put_char(output, ')'); break; } case SEXP_STRING: sexp_put_string(output, mode_out, &token->string); break; case SEXP_DISPLAY: sexp_put_char(output, '['); sexp_put_string(output, mode_out, &token->display); sexp_put_char(output, ']'); sexp_put_string(output, mode_out, &token->string); break; case SEXP_COMMENT: if (mode_out == SEXP_ADVANCED) { sexp_put_data(output, token->string.size, token->string.contents); sexp_put_soft_newline(output, indent); } break; default: /* Internal error */ abort(); } } /* Argument parsing and main program */ /* The old lsh sexp-conv program took the following options: * * Usage: sexp-conv [OPTION...] * Conversion: sexp-conv [options] OUTPUT * or: sexp-conv [OPTION...] * Fingerprinting: sexp-conv --raw-hash [ --hash=ALGORITHM ] * mode = SEXP_ADVANCED; o->prefer_hex = 0; o->once = 0; o->lock = 0; o->hash = NULL; o->width = 72; for (;;) { static const struct nettle_hash *hashes[] = { &nettle_md5, &nettle_sha1, &nettle_sha256, NULL }; static const struct option options[] = { /* Name, args, flag, val */ { "help", no_argument, NULL, OPT_HELP }, { "version", no_argument, NULL, 'V' }, { "once", no_argument, NULL, OPT_ONCE }, { "syntax", required_argument, NULL, 's' }, { "hash", optional_argument, NULL, OPT_HASH }, { "raw-hash", optional_argument, NULL, OPT_HASH }, { "width", required_argument, NULL, 'w' }, #if HAVE_FCNTL_LOCKING { "lock", no_argument, NULL, OPT_LOCK }, #endif #if 0 /* Not yet implemented */ { "replace", required_argument, NULL, OPT_REPLACE }, { "select", required_argument, NULL, OPT_SELECT }, { "spki-hash", optional_argument, NULL, OPT_SPKI_HASH }, #endif { NULL, 0, NULL, 0 } }; int c; int option_index = 0; unsigned i; c = getopt_long(argc, argv, "Vs:w:", options, &option_index); switch (c) { default: abort(); case -1: if (optind != argc) die("sexp-conv: Command line takes no arguments, only options.\n"); return; case '?': exit(EXIT_FAILURE); case 'w': { char *end; int width; assert(optarg != NULL); width = strtol(optarg, &end , 0); if (!*optarg || *end || width < 0) die("sexp-conv: Invalid width `%s'.\n", optarg); o->width = width; break; } case 's': if (o->hash) werror("sexp-conv: Combining --hash and -s usually makes no sense.\n"); if (match_argument(optarg, "advanced")) o->mode = SEXP_ADVANCED; else if (match_argument(optarg, "transport")) o->mode = SEXP_TRANSPORT; else if (match_argument(optarg, "canonical")) o->mode = SEXP_CANONICAL; else if (match_argument(optarg, "hex")) { o->mode = SEXP_ADVANCED; o->prefer_hex = 1; } else die("Available syntax variants: advanced, transport, canonical\n"); break; case OPT_ONCE: o->once = 1; break; case OPT_HASH: o->mode = SEXP_CANONICAL; if (!optarg) o->hash = &nettle_sha1; else for (i = 0;; i++) { if (!hashes[i]) die("sexp_conv: Unknown hash algorithm `%s'\n", optarg); if (match_argument(optarg, hashes[i]->name)) { o->hash = hashes[i]; break; } } break; #if HAVE_FCNTL_LOCKING case OPT_LOCK: o->lock = 1; break; #endif case OPT_HELP: printf("Usage: sexp-conv [OPTION...]\n" " Conversion: sexp-conv [OPTION...] name); } printf(" (default is sha1).\n" " -s, --syntax=SYNTAX The syntax used for the output. Available\n" " variants: advanced, hex, transport, canonical\n" " --once Process only the first s-expression.\n" " -w, --width=WIDTH Linewidth for base64 encoded data.\n" " Zero means no limit.\n" #if HAVE_FCNTL_LOCKING " --lock Lock output file.\n" #endif " --raw-hash Alias for --hash, for compatibility\n" " with lsh-1.x.\n\n" "Report bugs to " BUG_ADDRESS ".\n"); exit(EXIT_SUCCESS); case 'V': printf("sexp-conv (" PACKAGE_STRING ")\n"); exit (EXIT_SUCCESS); } } } int main(int argc, char **argv) { struct conv_options options; struct sexp_input input; struct sexp_parser parser; struct sexp_compound_token token; struct sexp_output output; parse_options(&options, argc, argv); sexp_input_init(&input, stdin); sexp_parse_init(&parser, &input, SEXP_ADVANCED); sexp_compound_token_init(&token); sexp_output_init(&output, stdout, options.width, options.prefer_hex); #if HAVE_FCNTL_LOCKING if (options.lock) { struct flock fl; memset(&fl, 0, sizeof(fl)); fl.l_type = F_WRLCK; fl.l_whence = SEEK_SET; fl.l_start = 0; fl.l_len = 0; /* Means entire file. */ if (fcntl(STDOUT_FILENO, F_SETLKW, &fl) == -1) die("Locking output file failed: %s\n", strerror(errno)); } #endif /* HAVE_FCNTL_LOCKING */ if (options.hash) { /* Leaks the context, but that doesn't matter */ void *ctx = xalloc(options.hash->context_size); sexp_output_hash_init(&output, options.hash, ctx); } sexp_get_char(&input); sexp_parse(&parser, &token); if (token.type == SEXP_EOF) { if (options.once) die("sexp-conv: No input expression.\n"); return EXIT_SUCCESS; } do { sexp_convert_item(&parser, &token, &output, options.mode, 0); if (options.hash) { sexp_put_digest(&output); sexp_put_newline(&output, 0); } else if (options.mode != SEXP_CANONICAL) sexp_put_newline(&output, 0); sexp_parse(&parser, &token); } while (!options.once && token.type != SEXP_EOF); sexp_compound_token_clear(&token); if (fflush(output.f) < 0) die("Final fflush failed: %s.\n", strerror(errno)); return EXIT_SUCCESS; } nettle-3.10/tools/parse.c0000644000175000017500000001040214633602172014373 0ustar nissenisse/* parse.c Copyright (C) 2002, 2003, 2008 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "parse.h" #include "input.h" void sexp_compound_token_init(struct sexp_compound_token *token) { token->type = 0; nettle_buffer_init(&token->display); nettle_buffer_init(&token->string); } void sexp_compound_token_clear(struct sexp_compound_token *token) { nettle_buffer_clear(&token->display); nettle_buffer_clear(&token->string); } void sexp_parse_init(struct sexp_parser *parser, struct sexp_input *input, enum sexp_mode mode) { parser->input = input; parser->mode = mode; /* Start counting with 1 for the top level, to make comparisons * between transport and level simpler. * * FIXME: Is that trick ugly? */ parser->level = 1; parser->transport = 0; } /* Get next token, and check that it is of the expected kind. */ static void sexp_check_token(struct sexp_parser *parser, enum sexp_token token, struct nettle_buffer *string) { sexp_get_token(parser->input, parser->transport ? SEXP_CANONICAL : parser->mode, string); if (parser->input->token != token) die("Syntax error.\n"); } /* Performs further processing of the input, in particular display * types and transport decoding. * * This is complicated a little by the requirement that a * transport-encoded block, {xxxxx}, must include exactly one * expression. We check at the end of strings and list whether or not * we should expect a SEXP_CODING_END as the next token. */ void sexp_parse(struct sexp_parser *parser, struct sexp_compound_token *token) { for (;;) { sexp_get_token(parser->input, parser->transport ? SEXP_CANONICAL : parser->mode, &token->string); switch(parser->input->token) { case SEXP_LIST_END: if (parser->level == parser->transport) die("Unmatched end of list in transport encoded data.\n"); parser->level--; if (!parser->level) die("Unmatched end of list.\n"); token->type = SEXP_LIST_END; check_transport_end: if (parser->level == parser->transport) { sexp_check_token(parser, SEXP_CODING_END, &token->string); assert(parser->transport); assert(parser->level == parser->transport); parser->level--; parser->transport = 0; } return; case SEXP_EOF: if (parser->level > 1) die("Unexpected end of file.\n"); token->type = SEXP_EOF; return; case SEXP_LIST_START: parser->level++; token->type = SEXP_LIST_START; return; case SEXP_DISPLAY_START: sexp_check_token(parser, SEXP_STRING, &token->display); sexp_check_token(parser, SEXP_DISPLAY_END, &token->display); sexp_check_token(parser, SEXP_STRING, &token->string); token->type = SEXP_DISPLAY; goto check_transport_end; case SEXP_STRING: token->type = SEXP_STRING; goto check_transport_end; case SEXP_COMMENT: token->type = SEXP_COMMENT; return; case SEXP_TRANSPORT_START: if (parser->mode == SEXP_CANONICAL) die("Base64 not allowed in canonical mode.\n"); parser->level++; parser->transport = parser->level; continue; case SEXP_CODING_END: die("Unexpected end of transport encoding.\n"); case SEXP_DISPLAY_END: die("Unexpected end of display tag.\n"); case SEXP_DISPLAY: /* Internal error. */ abort(); } } } nettle-3.10/md5-meta.c0000644000175000017500000000222214633602171013532 0ustar nissenisse/* md5-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "md5.h" const struct nettle_hash nettle_md5 = _NETTLE_HASH(md5, MD5); nettle-3.10/x86/0000755000175000017500000000000014633602172012405 5ustar nissenissenettle-3.10/x86/aes-decrypt-internal.asm0000644000175000017500000000772714633602172017156 0ustar nissenisseC x86/aes-decrypt-internal.asm ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86/aes.m4') C Register usage: C AES state define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') C Primary use of these registers. They're also used temporarily for other things. define(`T',`%ebp') define(`TMP',`%edi') define(`KEY',`%esi') define(`PARAM_ROUNDS', `40(%esp)') define(`PARAM_KEYS', `44(%esp)') define(`PARAM_TABLE', `48(%esp)') define(`PARAM_LENGTH', `52(%esp)') define(`PARAM_DST', `56(%esp)') define(`PARAM_SRC', `60(%esp)') define(`FRAME_KEY', `16(%esp)') define(`FRAME_COUNT', `12(%esp)') define(`TA', `8(%esp)') define(`TB', `4(%esp)') define(`TC', `(%esp)') C The aes state is kept in %eax, %ebx, %ecx and %edx C C %esi is used as temporary, to point to the input, and to the C subkeys, etc. C C %ebp is used as the round counter, and as a temporary in the final round. C C %edi is a temporary, often used as an accumulator. .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_decrypt) C save all registers that need to be saved pushl %ebx C 20(%esp) pushl %ebp C 16(%esp) pushl %esi C 12(%esp) pushl %edi C 8(%esp) subl $20, %esp C loop counter and save area for the key pointer movl PARAM_LENGTH, %ebp testl %ebp,%ebp jz .Lend shrl $4, PARAM_LENGTH decl PARAM_ROUNDS .Lblock_loop: movl PARAM_KEYS, KEY C address of subkeys movl PARAM_SRC, TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) addl $16, PARAM_SRC C Increment src pointer movl PARAM_TABLE, T movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT subl $16,KEY C point to next key movl KEY,FRAME_KEY ALIGN(16) .Lround_loop: AES_ROUND(T, SA,SD,SC,SB, TMP, KEY) movl TMP, TA AES_ROUND(T, SB,SA,SD,SC, TMP, KEY) movl TMP, TB AES_ROUND(T, SC,SB,SA,SD, TMP, KEY) movl TMP, TC AES_ROUND(T, SD,SC,SB,SA, SD, KEY) movl TA, SA movl TB, SB movl TC, SC movl FRAME_KEY, KEY xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD subl $16,FRAME_KEY C point to next key decl FRAME_COUNT jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SD,SC,SB,T, TMP, KEY) movl TMP, TA AES_FINAL_ROUND(SB,SA,SD,SC,T, TMP, KEY) movl TMP, TB AES_FINAL_ROUND(SC,SB,SA,SD,T, TMP, KEY) movl TMP, TC AES_FINAL_ROUND(SD,SC,SB,SA,T, SD, KEY) movl TA, SA movl TB, SB movl TC, SC C Inverse S-box substitution mov $3,TMP .Lsubst: AES_SUBST_BYTE(SA,SB,SC,SD, T, KEY) decl TMP jnz .Lsubst C Add last subkey, and store decrypted data movl PARAM_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) addl $16, PARAM_DST C Increment destination pointer decl PARAM_LENGTH jnz .Lblock_loop .Lend: addl $20, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_aes_decrypt) nettle-3.10/x86/aes.m40000644000175000017500000000366614633602172013432 0ustar nissenissednl AES_LOAD(a, b, c, d, src, key) dnl Loads the next block of data from src, and add the subkey pointed dnl to by key. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(`AES_LOAD', ` movl ($5),$1 movl 4($5),$2 movl 8($5),$3 movl 12($5),$4 xorl ($6),$1 xorl 4($6),$2 xorl 8($6),$3 xorl 12($6),$4')dnl dnl AES_STORE(a, b, c, d, key, dst) dnl Adds the subkey to a, b, c, d, dnl and stores the result in the area pointed to by dst. dnl Note that x86 allows unaligned accesses. dnl Would it be preferable to interleave the loads and stores? define(`AES_STORE', ` xorl ($5),$1 xorl 4($5),$2 xorl 8($5),$3 xorl 12($5),$4 movl $1,($6) movl $2,4($6) movl $3,8($6) movl $4,12($6)')dnl dnl AES_ROUND(table,a,b,c,d,out,ptr) dnl Computes one word of the AES round. Leaves result in $6. define(`AES_ROUND', ` movzbl LREG($2), $7 movl AES_TABLE0 ($1, $7, 4),$6 movzbl HREG($3), $7 xorl AES_TABLE1 ($1, $7, 4),$6 movl $4,$7 shrl `$'16,$7 andl `$'0xff,$7 xorl AES_TABLE2 ($1, $7, 4),$6 movl $5,$7 shrl `$'24,$7 xorl AES_TABLE3 ($1, $7, 4),$6')dnl dnl AES_FINAL_ROUND(a, b, c, d, table, out, tmp) dnl Computes one word of the final round. dnl Note that we have to quote $ in constants. define(`AES_FINAL_ROUND', ` movzbl LREG($1),$6 movzbl ($5, $6), $6 movl $2,$7 andl `$'0x0000ff00,$7 orl $7, $6 movl $3,$7 andl `$'0x00ff0000,$7 orl $7, $6 movl $4,$7 andl `$'0xff000000,$7 orl $7, $6 roll `$'8, $6')dnl dnl AES_SUBST_BYTE(A, B, C, D, table, ptr) dnl Substitutes the least significant byte of dnl each of eax, ebx, ecx and edx, and also rotates dnl the words one byte to the left. dnl Uses that AES_SBOX == 0 define(`AES_SUBST_BYTE', ` movzbl LREG($1),$6 movb ($5, $6),LREG($1) roll `$'8,$1 movzbl LREG($2),$6 movb ($5, $6),LREG($2) roll `$'8,$2 movzbl LREG($3),$6 movb ($5, $6),LREG($3) roll `$'8,$3 movzbl LREG($4),$6 movb ($5, $6),LREG($4) roll `$'8,$4')dnl nettle-3.10/x86/machine.m40000644000175000017500000000057414633602172014261 0ustar nissenisseC OFFSET(i) C Expands to 4*i, or to the empty string if i is zero define(`OFFSET', `ifelse($1,0,,eval(4*$1))') dnl LREG(reg) gives the 8-bit register corresponding to the given 32-bit register. define(`LREG',`ifelse( $1, %eax, %al, $1, %ebx, %bl, $1, %ecx, %cl, $1, %edx, %dl)')dnl define(`HREG',`ifelse( $1, %eax, %ah, $1, %ebx, %bh, $1, %ecx, %ch, $1, %edx, %dh)')dnl nettle-3.10/x86/camellia-crypt-internal.asm0000644000175000017500000001111214633602172017623 0ustar nissenisseC x86/camellia-crypt-internal.asm ifelse(` Copyright (C) 2010, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage: C Camellia state, 128-bit value in little endian order. C L0, H0 corresponds to D1 in the spec and i0 in the C implementation. C while L1, H1 corresponds to D2/i1. define(`L0',`%eax') define(`H0',`%ebx') define(`L1',`%ecx') define(`H1',`%edx') define(`TMP',`%ebp') define(`KEY',`%esi') define(`T',`%edi') C Locals on the stack define(`FRAME_L0', `(%esp)') define(`FRAME_H0', `4(%esp)') define(`FRAME_L1', `8(%esp)') define(`FRAME_H1', `12(%esp)') define(`FRAME_CNT', `16(%esp)') C Arguments on stack. define(`FRAME_NKEYS', `40(%esp)') define(`FRAME_KEYS', `44(%esp)') define(`FRAME_TABLE', `48(%esp)') define(`FRAME_LENGTH', `52(%esp)') define(`FRAME_DST', `56(%esp)') define(`FRAME_SRC', `60(%esp)') define(`SP1110', `(T,$1,4)') define(`SP0222', `1024(T,$1,4)') define(`SP3033', `2048(T,$1,4)') define(`SP4404', `3072(T,$1,4)') C ROUND(xl, xh, yl, yh, key-offset) C xl and xh are rotated 16 bits at the end C yl and yh are read from stack, and left in registers define(`ROUND', ` movzbl LREG($1), TMP movl SP1110(TMP), $4 movzbl HREG($1), TMP xorl SP4404(TMP), $4 roll `$'16, $1 movzbl LREG($2), TMP movl SP4404(TMP), $3 movzbl HREG($2), TMP xorl SP3033(TMP), $3 roll `$'16, $2 movzbl LREG($1), TMP xorl SP3033(TMP), $4 movzbl HREG($1), TMP xorl SP0222(TMP), $4 movzbl LREG($2), TMP xorl SP0222(TMP), $3 movzbl HREG($2), TMP xorl SP1110(TMP), $3 xorl $5(KEY), $4 xorl $5 + 4(KEY), $3 xorl $3, $4 rorl `$'8, $3 xorl $4, $3 xorl FRAME_$3, $3 xorl FRAME_$4, $4 ') C Six rounds, with inputs and outputs in registers. define(`ROUND6', ` movl L0, FRAME_L0 movl H0, FRAME_H0 movl L1, FRAME_L1 movl H1, FRAME_H1 ROUND(L0,H0,`L1',`H1',0) movl L1, FRAME_L1 movl H1, FRAME_H1 ROUND(L1,H1,`L0',`H0',8) movl L0, FRAME_L0 movl H0, FRAME_H0 ROUND(L0,H0,`L1',`H1',16) movl L1, FRAME_L1 movl H1, FRAME_H1 ROUND(L1,H1,`L0',`H0',24) movl L0, FRAME_L0 movl H0, FRAME_H0 ROUND(L0,H0,`L1',`H1',32) ROUND(L1,H1,`L0',`H0',40) roll `$'16, L1 roll `$'16, H1 ') C FL(x0, x1, key-offset) define(`FL', ` movl $3 + 4(KEY), TMP andl $2, TMP roll `$'1, TMP xorl TMP, $1 movl $3(KEY), TMP orl $1, TMP xorl TMP, $2 ') C FLINV(x0, x1, key-offset) define(`FLINV', ` movl $3(KEY), TMP orl $1, TMP xorl TMP, $2 movl $3 + 4(KEY), TMP andl $2, TMP roll `$'1, TMP xorl TMP, $1 ') .file "camellia-crypt-internal.asm" C _camellia_crypt(unsigned nkeys, const uint64_t *keys, C const struct camellia_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_camellia_crypt) C save all registers that need to be saved pushl %ebx C 32(%esp) pushl %ebp C 28(%esp) pushl %esi C 24(%esp) pushl %edi C 20(%esp) subl $20, %esp movl FRAME_LENGTH, %ebp testl %ebp,%ebp jz .Lend .Lblock_loop: C Load data, note that we'll happily do unaligned loads movl FRAME_SRC, TMP movl (TMP), H0 bswap H0 movl 4(TMP), L0 bswap L0 movl 8(TMP), H1 bswap H1 movl 12(TMP), L1 bswap L1 addl $16, FRAME_SRC movl FRAME_KEYS, KEY movl FRAME_NKEYS, TMP subl $8, TMP movl TMP, FRAME_CNT xorl (KEY), L0 xorl 4(KEY), H0 addl $8, KEY movl FRAME_TABLE, T ROUND6 .Lround_loop: addl $64, KEY FL(L0, H0, -16) FLINV(L1, H1, -8) ROUND6 subl $8, FRAME_CNT ja .Lround_loop movl FRAME_DST, TMP bswap H0 movl H0,8(TMP) bswap L0 movl L0,12(TMP) xorl 52(KEY), H1 bswap H1 movl H1, 0(TMP) xorl 48(KEY), L1 bswap L1 movl L1, 4(TMP) addl $16, FRAME_DST subl $16, FRAME_LENGTH ja .Lblock_loop .Lend: addl $20, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_camellia_crypt) nettle-3.10/x86/sha1-compress.asm0000644000175000017500000007216114633602172015603 0ustar nissenisseC x86/sha1-compress.asm ifelse(` Copyright (C) 2004, 2009 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Register usage define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') define(`SE',`%ebp') define(`DATA',`%esp') define(`T1',`%edi') define(`T2',`%esi') C Constants define(`K1VALUE', `0x5A827999') C Rounds 0-19 define(`K2VALUE', `0x6ED9EBA1') C Rounds 20-39 define(`K3VALUE', `0x8F1BBCDC') C Rounds 40-59 define(`K4VALUE', `0xCA62C1D6') C Rounds 60-79 C Reads the input via T2 into register, byteswaps it, and stores it in the DATA array. C SWAP(index, register) define(`SWAP', ` movl OFFSET($1)(T2), $2 bswap $2 movl $2, OFFSET($1) (DATA) ')dnl C The f functions, C C f1(x,y,z) = z ^ (x & (y ^ z)) C f2(x,y,z) = x ^ y ^ z C f3(x,y,z) = (x & (y ^ z)) + (y & z) C f4 = f2 C This form for f3 was suggested by George Spelvin. The terms can be C added into the result one at a time, saving one temporary. C The form of one sha1 round is C C a' = e + a <<< 5 + f( b, c, d ) + k + w; C b' = a; C c' = b <<< 30; C d' = c; C e' = d; C C where <<< denotes rotation. We permute our variables, so that we C instead get C C e += a <<< 5 + f( b, c, d ) + k + w; C b <<<= 30 dnl ROUND_F1(a, b, c, d, e, i) define(`ROUND_F1', ` mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 rol `$'1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 xor $3, T2 and $2, T2 xor $4, T2 rol `$'30, $2 lea K1VALUE (T1, $5), $5 mov $1, T1 rol `$'5, T1 add T1, $5 add T2, $5 ') dnl ROUND_F1_NOEXP(a, b, c, d, e, i) define(`ROUND_F1_NOEXP', ` mov $4, T2 xor $3, T2 mov $1, T1 and $2, T2 add OFFSET($6) (DATA), $5 xor $4, T2 add T2, $5 rol `$'30, $2 rol `$'5, T1 lea K1VALUE (T1, $5), $5 ') dnl ROUND_F2(a, b, c, d, e, i, k) define(`ROUND_F2', ` mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 rol `$'1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 xor $3, T2 xor $2, T2 rol `$'30, $2 lea $7 (T1, $5), $5 mov $1, T1 rol `$'5, T1 add T1, $5 add T2, $5 ') dnl ROUND_F3(a, b, c, d, e, i) define(`ROUND_F3', ` mov OFFSET(eval($6 % 16)) (DATA), T1 xor OFFSET(eval(($6 + 2) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 8) % 16)) (DATA), T1 xor OFFSET(eval(($6 + 13) % 16)) (DATA), T1 rol `$'1, T1 mov T1, OFFSET(eval($6 % 16)) (DATA) mov $4, T2 and $3, T2 lea K3VALUE (T1, $5), $5 mov $4, T1 xor $3, T1 and $2, T1 add T2, $5 rol `$'30, $2 mov $1, T2 rol `$'5, T2 add T1, $5 add T2, $5 ') .file "sha1-compress.asm" C nettle_sha1_compress(uint32_t *state, uint8_t *data) .text PROLOGUE(nettle_sha1_compress) C save all registers that need to be saved C 88(%esp) data C 84(%esp) state C 80(%esp) Return address pushl %ebx C 76(%esp) pushl %ebp C 72(%esp) pushl %esi C 68(%esp) pushl %edi C 64(%esp) subl $64, %esp C %esp = W C Loop-mixed to 520 cycles (for the complete function call) on C AMD K7. ALIGN(32) mov 88(%esp), T2 mov OFFSET(2)(T2), %ecx mov OFFSET(0)(T2), %eax bswap %ecx bswap %eax mov %ecx, OFFSET(2) (DATA) mov %eax, OFFSET(0) (DATA) mov OFFSET(3)(T2), %edx mov OFFSET(6)(T2), %ecx mov OFFSET(4)(T2), %eax mov OFFSET(1)(T2), %ebx bswap %ebx bswap %eax bswap %ecx mov %ecx, OFFSET(6) (DATA) mov %eax, OFFSET(4) (DATA) bswap %edx mov %edx, OFFSET(3) (DATA) mov %ebx, OFFSET(1) (DATA) mov OFFSET(10)(T2), %ecx mov OFFSET(8)(T2), %eax mov OFFSET(7)(T2), %edx bswap %eax bswap %edx mov %edx, OFFSET(7) (DATA) mov OFFSET(5)(T2), %ebx mov %eax, OFFSET(8) (DATA) mov OFFSET(11)(T2), %edx bswap %ecx bswap %edx mov OFFSET(12)(T2), %eax bswap %ebx mov %ecx, OFFSET(10) (DATA) mov %ebx, OFFSET(5) (DATA) mov %edx, OFFSET(11) (DATA) mov OFFSET(15)(T2), %edx mov 84(%esp),T1 mov OFFSET(9)(T2), %ebx bswap %edx bswap %ebx bswap %eax mov OFFSET(14)(T2), %ecx mov %edx, OFFSET(15) (DATA) bswap %ecx mov %ecx, OFFSET(14) (DATA) mov %ebx, OFFSET(9) (DATA) mov OFFSET(13)(T2), %ebx mov 12(T1), SD bswap %ebx mov %ebx, OFFSET(13) (DATA) mov 8(T1), SC mov 16(T1), SE mov 4(T1), SB mov SD, T2 add OFFSET(0) (DATA), SE xor SC, T2 mov %eax, OFFSET(12) (DATA) mov (T1), SA and SB, T2 xor SD, T2 rol $30, SB add T2, SE mov SA, T1 mov SC, T2 add OFFSET(1) (DATA), SD rol $5, T1 xor SB, T2 and SA, T2 xor SC, T2 lea K1VALUE (T1, SE), SE add T2, SD mov SB, T2 rol $30, SA xor SA, T2 and SE, T2 mov SE, T1 add OFFSET(2) (DATA), SC rol $30, SE xor SB, T2 rol $5, T1 lea K1VALUE (T1, SD), SD mov SD, T1 rol $5, T1 add T2, SC mov SA, T2 xor SE, T2 lea K1VALUE (T1, SC), SC and SD, T2 xor SA, T2 add OFFSET(3) (DATA), SB mov SC, T1 add T2, SB mov SE, T2 rol $30, SD xor SD, T2 and SC, T2 rol $5, T1 xor SE, T2 add OFFSET(4) (DATA), SA lea K1VALUE (T1, SB), SB add T2, SA rol $30, SC mov SD, T2 xor SC, T2 and SB, T2 mov SB, T1 rol $5, T1 add OFFSET(5) (DATA), SE rol $30, SB xor SD, T2 add T2, SE mov SC, T2 xor SB, T2 lea K1VALUE (T1, SA), SA mov SA, T1 add OFFSET(6) (DATA), SD and SA, T2 rol $5, T1 xor SC, T2 lea K1VALUE (T1, SE), SE rol $30, SA add T2, SD mov SB, T2 mov SE, T1 xor SA, T2 and SE, T2 rol $5, T1 lea K1VALUE (T1, SD), SD xor SB, T2 add OFFSET(7) (DATA), SC rol $30, SE add OFFSET(8) (DATA), SB mov SD, T1 add T2, SC mov SA, T2 xor SE, T2 rol $5, T1 and SD, T2 lea K1VALUE (T1, SC), SC xor SA, T2 add T2, SB mov SE, T2 mov SC, T1 rol $30, SD xor SD, T2 rol $5, T1 lea K1VALUE (T1, SB), SB and SC, T2 xor SE, T2 add OFFSET(10) (DATA), SE add OFFSET(9) (DATA), SA mov SB, T1 add T2, SA rol $5, T1 lea K1VALUE (T1, SA), SA mov SD, T2 rol $30, SC xor SC, T2 and SB, T2 xor SD, T2 rol $30, SB add T2, SE mov SC, T2 mov SA, T1 xor SB, T2 add OFFSET(11) (DATA), SD and SA, T2 rol $30, SA rol $5, T1 xor SC, T2 lea K1VALUE (T1, SE), SE add T2, SD mov SB, T2 xor SA, T2 mov SE, T1 rol $5, T1 and SE, T2 lea K1VALUE (T1, SD), SD xor SB, T2 add OFFSET(12) (DATA), SC add T2, SC rol $30, SE mov SA, T2 xor SE, T2 mov SD, T1 rol $5, T1 and SD, T2 add OFFSET(13) (DATA), SB lea K1VALUE (T1, SC), SC xor SA, T2 add T2, SB mov SE, T2 rol $30, SD xor SD, T2 and SC, T2 mov SC, T1 rol $5, T1 rol $30, SC add OFFSET(14) (DATA), SA xor SE, T2 add T2, SA mov SD, T2 xor SC, T2 lea K1VALUE (T1, SB), SB and SB, T2 mov SB, T1 rol $5, T1 lea K1VALUE (T1, SA), SA mov SA, T1 xor SD, T2 add OFFSET(15) (DATA), SE add T2, SE rol $5, T1 lea K1VALUE (T1, SE), SE mov OFFSET(0) (DATA), T1 xor OFFSET(2) (DATA), T1 mov SC, T2 xor OFFSET(8) (DATA), T1 xor OFFSET(13) (DATA), T1 rol $30, SB xor SB, T2 and SA, T2 xor SC, T2 rol $1, T1 lea K1VALUE (T1, T2), T2 mov T1, OFFSET(0) (DATA) mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(1) (DATA), T1 xor OFFSET(3) (DATA), T1 rol $30, SA add T2, SD mov SB, T2 xor SA, T2 and SE, T2 xor OFFSET(9) (DATA), T1 xor OFFSET(14) (DATA), T1 xor SB, T2 rol $1, T1 mov T1, OFFSET(1) (DATA) lea K1VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(2) (DATA), T1 xor OFFSET(4) (DATA), T1 rol $30, SE add T2, SC mov SA, T2 xor SE, T2 xor OFFSET(10) (DATA), T1 xor OFFSET(15) (DATA), T1 and SD, T2 rol $1, T1 xor SA, T2 mov T1, OFFSET(2) (DATA) lea K1VALUE (T1, T2), T2 mov SC, T1 rol $30, SD rol $5, T1 add T1, SB add T2, SB mov SE, T2 mov OFFSET(3) (DATA), T1 xor SD, T2 xor OFFSET(5) (DATA), T1 and SC, T2 xor SE, T2 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $1, T1 mov T1, OFFSET(3) (DATA) lea K1VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(4) (DATA), T1 xor OFFSET(6) (DATA), T1 rol $30, SC xor OFFSET(12) (DATA), T1 add T2, SA xor OFFSET(1) (DATA), T1 mov SD, T2 xor SC, T2 rol $1, T1 xor SB, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(4) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(5) (DATA), T1 add T2, SE mov SC, T2 xor OFFSET(7) (DATA), T1 rol $30, SB xor OFFSET(13) (DATA), T1 xor SB, T2 xor OFFSET(2) (DATA), T1 xor SA, T2 rol $1, T1 mov T1, OFFSET(5) (DATA) lea K2VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 add T2, SD rol $30, SA xor OFFSET(14) (DATA), T1 mov SB, T2 xor OFFSET(3) (DATA), T1 xor SA, T2 rol $1, T1 xor SE, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(6) (DATA) mov SD, T1 rol $5, T1 add T1, SC add T2, SC mov SA, T2 rol $30, SE mov OFFSET(7) (DATA), T1 xor OFFSET(9) (DATA), T1 xor SE, T2 xor OFFSET(15) (DATA), T1 xor OFFSET(4) (DATA), T1 xor SD, T2 rol $1, T1 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(7) (DATA) mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 add T2, SB rol $30, SD mov SE, T2 xor OFFSET(0) (DATA), T1 xor OFFSET(5) (DATA), T1 xor SD, T2 xor SC, T2 rol $1, T1 mov T1, OFFSET(8) (DATA) lea K2VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(9) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SA xor OFFSET(6) (DATA), T1 mov SD, T2 rol $1, T1 rol $30, SC xor SC, T2 mov T1, OFFSET(9) (DATA) xor SB, T2 lea K2VALUE (T1, T2), T2 mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(10) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 add T2, SE mov SC, T2 rol $30, SB xor OFFSET(7) (DATA), T1 xor SB, T2 rol $1, T1 xor SA, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(10) (DATA) mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(11) (DATA), T1 xor OFFSET(13) (DATA), T1 rol $30, SA xor OFFSET(3) (DATA), T1 add T2, SD xor OFFSET(8) (DATA), T1 mov SB, T2 xor SA, T2 rol $1, T1 mov T1, OFFSET(11) (DATA) xor SE, T2 lea K2VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(12) (DATA), T1 xor OFFSET(14) (DATA), T1 rol $30, SE add T2, SC xor OFFSET(4) (DATA), T1 mov SA, T2 xor OFFSET(9) (DATA), T1 xor SE, T2 rol $1, T1 xor SD, T2 mov T1, OFFSET(12) (DATA) lea K2VALUE (T1, T2), T2 mov SC, T1 rol $5, T1 add T1, SB rol $30, SD mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 add T2, SB mov SE, T2 xor OFFSET(5) (DATA), T1 xor SD, T2 xor OFFSET(10) (DATA), T1 xor SC, T2 rol $1, T1 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(13) (DATA) mov SB, T1 rol $5, T1 add T1, SA add T2, SA mov SD, T2 mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $30, SC xor OFFSET(6) (DATA), T1 xor OFFSET(11) (DATA), T1 xor SC, T2 xor SB, T2 rol $1, T1 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(14) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(15) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SE mov SC, T2 rol $30, SB xor SB, T2 xor OFFSET(7) (DATA), T1 xor OFFSET(12) (DATA), T1 xor SA, T2 rol $1, T1 mov T1, OFFSET(15) (DATA) lea K2VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(0) (DATA), T1 xor OFFSET(2) (DATA), T1 xor OFFSET(8) (DATA), T1 add T2, SD mov SB, T2 rol $30, SA xor SA, T2 xor OFFSET(13) (DATA), T1 rol $1, T1 xor SE, T2 mov T1, OFFSET(0) (DATA) lea K2VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(1) (DATA), T1 xor OFFSET(3) (DATA), T1 add T2, SC mov SA, T2 rol $30, SE xor SE, T2 xor OFFSET(9) (DATA), T1 xor OFFSET(14) (DATA), T1 rol $1, T1 xor SD, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(1) (DATA) mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(2) (DATA), T1 rol $30, SD xor OFFSET(4) (DATA), T1 add T2, SB mov SE, T2 xor OFFSET(10) (DATA), T1 xor OFFSET(15) (DATA), T1 xor SD, T2 xor SC, T2 rol $1, T1 mov T1, OFFSET(2) (DATA) lea K2VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(3) (DATA), T1 xor OFFSET(5) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 add T2, SA rol $30, SC mov SD, T2 xor SC, T2 rol $1, T1 xor SB, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(3) (DATA) mov SA, T1 rol $5, T1 rol $30, SB add T1, SE mov OFFSET(4) (DATA), T1 add T2, SE xor OFFSET(6) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(1) (DATA), T1 mov SC, T2 xor SB, T2 rol $1, T1 xor SA, T2 lea K2VALUE (T1, T2), T2 mov T1, OFFSET(4) (DATA) mov SE, T1 rol $5, T1 add T1, SD add T2, SD mov OFFSET(5) (DATA), T1 mov SB, T2 rol $30, SA xor SA, T2 xor SE, T2 xor OFFSET(7) (DATA), T1 xor OFFSET(13) (DATA), T1 xor OFFSET(2) (DATA), T1 rol $1, T1 mov T1, OFFSET(5) (DATA) lea K2VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 add T2, SC xor OFFSET(14) (DATA), T1 xor OFFSET(3) (DATA), T1 rol $1, T1 mov T1, OFFSET(6) (DATA) mov SA, T2 rol $30, SE xor SE, T2 xor SD, T2 lea K2VALUE (T1, T2), T2 mov SC, T1 rol $5, T1 add T1, SB add T2, SB mov OFFSET(7) (DATA), T1 mov SE, T2 rol $30, SD xor OFFSET(9) (DATA), T1 xor SD, T2 xor SC, T2 xor OFFSET(15) (DATA), T1 xor OFFSET(4) (DATA), T1 rol $1, T1 mov T1, OFFSET(7) (DATA) lea K2VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 rol $30, SC xor OFFSET(0) (DATA), T1 add T2, SA mov SD, T2 xor OFFSET(5) (DATA), T1 rol $1, T1 and SC, T2 mov T1, OFFSET(8) (DATA) lea K3VALUE (T1, T2), T1 add T1, SE mov SA, T1 mov SD, T2 xor SC, T2 and SB, T2 rol $30, SB rol $5, T1 add T1, SE mov OFFSET(9) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SE mov SC, T2 xor OFFSET(6) (DATA), T1 rol $1, T1 and SB, T2 mov T1, OFFSET(9) (DATA) lea K3VALUE (T1, T2), T1 add T1, SD mov SC, T2 xor SB, T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(10) (DATA), T1 and SA, T2 add T2, SD xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 rol $30, SA mov SB, T2 and SA, T2 xor OFFSET(7) (DATA), T1 rol $1, T1 mov T1, OFFSET(10) (DATA) lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 rol $5, T1 mov SB, T2 add T1, SC mov OFFSET(11) (DATA), T1 xor SA, T2 xor OFFSET(13) (DATA), T1 xor OFFSET(3) (DATA), T1 and SE, T2 xor OFFSET(8) (DATA), T1 add T2, SC rol $1, T1 mov SA, T2 mov T1, OFFSET(11) (DATA) rol $30, SE and SE, T2 lea K3VALUE (T1, T2), T1 add T1, SB mov SA, T2 mov SC, T1 xor SE, T2 rol $5, T1 add T1, SB mov OFFSET(12) (DATA), T1 xor OFFSET(14) (DATA), T1 xor OFFSET(4) (DATA), T1 xor OFFSET(9) (DATA), T1 and SD, T2 rol $30, SD add T2, SB rol $1, T1 mov T1, OFFSET(12) (DATA) mov SE, T2 and SD, T2 lea K3VALUE (T1, T2), T1 add T1, SA mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 mov SE, T2 xor OFFSET(5) (DATA), T1 xor SD, T2 and SC, T2 xor OFFSET(10) (DATA), T1 add T2, SA rol $1, T1 rol $30, SC mov T1, OFFSET(13) (DATA) mov SD, T2 and SC, T2 lea K3VALUE (T1, T2), T1 mov SD, T2 add T1, SE mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 xor SC, T2 and SB, T2 xor OFFSET(6) (DATA), T1 rol $30, SB xor OFFSET(11) (DATA), T1 rol $1, T1 add T2, SE mov SC, T2 mov T1, OFFSET(14) (DATA) and SB, T2 lea K3VALUE (T1, T2), T1 mov SC, T2 add T1, SD mov SE, T1 xor SB, T2 rol $5, T1 add T1, SD mov OFFSET(15) (DATA), T1 xor OFFSET(1) (DATA), T1 and SA, T2 xor OFFSET(7) (DATA), T1 xor OFFSET(12) (DATA), T1 add T2, SD rol $30, SA mov SB, T2 rol $1, T1 mov T1, OFFSET(15) (DATA) and SA, T2 lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 mov SB, T2 rol $5, T1 add T1, SC mov OFFSET(0) (DATA), T1 xor SA, T2 xor OFFSET(2) (DATA), T1 xor OFFSET(8) (DATA), T1 xor OFFSET(13) (DATA), T1 and SE, T2 add T2, SC rol $30, SE rol $1, T1 mov T1, OFFSET(0) (DATA) mov SA, T2 and SE, T2 lea K3VALUE (T1, T2), T1 add T1, SB mov SC, T1 mov SA, T2 xor SE, T2 rol $5, T1 add T1, SB mov OFFSET(1) (DATA), T1 xor OFFSET(3) (DATA), T1 xor OFFSET(9) (DATA), T1 and SD, T2 xor OFFSET(14) (DATA), T1 add T2, SB rol $30, SD mov SE, T2 rol $1, T1 and SD, T2 mov T1, OFFSET(1) (DATA) lea K3VALUE (T1, T2), T1 add T1, SA mov SB, T1 rol $5, T1 add T1, SA mov SE, T2 mov OFFSET(2) (DATA), T1 xor SD, T2 xor OFFSET(4) (DATA), T1 xor OFFSET(10) (DATA), T1 and SC, T2 add T2, SA xor OFFSET(15) (DATA), T1 rol $30, SC mov SD, T2 rol $1, T1 mov T1, OFFSET(2) (DATA) and SC, T2 lea K3VALUE (T1, T2), T1 add T1, SE mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(3) (DATA), T1 xor OFFSET(5) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 mov SD, T2 rol $1, T1 xor SC, T2 and SB, T2 mov T1, OFFSET(3) (DATA) rol $30, SB add T2, SE mov SC, T2 and SB, T2 lea K3VALUE (T1, T2), T1 add T1, SD mov SE, T1 mov SC, T2 rol $5, T1 add T1, SD mov OFFSET(4) (DATA), T1 xor OFFSET(6) (DATA), T1 xor SB, T2 and SA, T2 add T2, SD mov SB, T2 xor OFFSET(12) (DATA), T1 rol $30, SA and SA, T2 xor OFFSET(1) (DATA), T1 rol $1, T1 mov T1, OFFSET(4) (DATA) lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(5) (DATA), T1 xor OFFSET(7) (DATA), T1 mov SB, T2 xor OFFSET(13) (DATA), T1 xor SA, T2 xor OFFSET(2) (DATA), T1 and SE, T2 rol $30, SE add T2, SC rol $1, T1 mov SA, T2 mov T1, OFFSET(5) (DATA) and SE, T2 lea K3VALUE (T1, T2), T1 add T1, SB mov SA, T2 mov SC, T1 rol $5, T1 add T1, SB xor SE, T2 and SD, T2 mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 xor OFFSET(14) (DATA), T1 xor OFFSET(3) (DATA), T1 rol $1, T1 add T2, SB rol $30, SD mov SE, T2 and SD, T2 mov T1, OFFSET(6) (DATA) lea K3VALUE (T1, T2), T1 add T1, SA mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(7) (DATA), T1 xor OFFSET(9) (DATA), T1 mov SE, T2 xor SD, T2 xor OFFSET(15) (DATA), T1 and SC, T2 rol $30, SC add T2, SA mov SD, T2 xor OFFSET(4) (DATA), T1 rol $1, T1 and SC, T2 mov T1, OFFSET(7) (DATA) lea K3VALUE (T1, T2), T1 add T1, SE mov SA, T1 rol $5, T1 mov SD, T2 add T1, SE mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 xor SC, T2 xor OFFSET(0) (DATA), T1 and SB, T2 add T2, SE xor OFFSET(5) (DATA), T1 rol $30, SB mov SC, T2 and SB, T2 rol $1, T1 mov T1, OFFSET(8) (DATA) lea K3VALUE (T1, T2), T1 add T1, SD mov SE, T1 rol $5, T1 mov SC, T2 xor SB, T2 add T1, SD and SA, T2 mov OFFSET(9) (DATA), T1 rol $30, SA xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 add T2, SD mov SB, T2 and SA, T2 xor OFFSET(6) (DATA), T1 rol $1, T1 mov T1, OFFSET(9) (DATA) lea K3VALUE (T1, T2), T1 add T1, SC mov SD, T1 rol $5, T1 mov SB, T2 xor SA, T2 and SE, T2 add T1, SC mov OFFSET(10) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 add T2, SC mov SA, T2 rol $30, SE xor OFFSET(7) (DATA), T1 rol $1, T1 and SE, T2 mov T1, OFFSET(10) (DATA) lea K3VALUE (T1, T2), T1 mov SA, T2 xor SE, T2 add T1, SB mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(11) (DATA), T1 xor OFFSET(13) (DATA), T1 xor OFFSET(3) (DATA), T1 xor OFFSET(8) (DATA), T1 and SD, T2 add T2, SB mov SE, T2 rol $1, T1 mov T1, OFFSET(11) (DATA) rol $30, SD and SD, T2 lea K3VALUE (T1, T2), T1 mov SE, T2 add T1, SA xor SD, T2 mov SB, T1 and SC, T2 rol $30, SC rol $5, T1 add T1, SA mov OFFSET(12) (DATA), T1 xor OFFSET(14) (DATA), T1 add T2, SA mov SD, T2 xor OFFSET(4) (DATA), T1 xor OFFSET(9) (DATA), T1 rol $1, T1 mov T1, OFFSET(12) (DATA) xor SC, T2 xor SB, T2 lea K4VALUE (T1, T2), T2 mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 add T2, SE rol $30, SB mov SC, T2 xor OFFSET(5) (DATA), T1 xor SB, T2 xor OFFSET(10) (DATA), T1 rol $1, T1 mov T1, OFFSET(13) (DATA) xor SA, T2 lea K4VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $30, SA add T2, SD mov SB, T2 xor SA, T2 xor SE, T2 xor OFFSET(6) (DATA), T1 xor OFFSET(11) (DATA), T1 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(14) (DATA) mov SD, T1 rol $5, T1 add T1, SC add T2, SC mov OFFSET(15) (DATA), T1 mov SA, T2 rol $30, SE xor OFFSET(1) (DATA), T1 xor OFFSET(7) (DATA), T1 xor SE, T2 xor SD, T2 xor OFFSET(12) (DATA), T1 rol $1, T1 mov T1, OFFSET(15) (DATA) lea K4VALUE (T1, T2), T2 mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(0) (DATA), T1 add T2, SB xor OFFSET(2) (DATA), T1 mov SE, T2 rol $30, SD xor OFFSET(8) (DATA), T1 xor SD, T2 xor OFFSET(13) (DATA), T1 xor SC, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(0) (DATA) mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(1) (DATA), T1 rol $30, SC xor OFFSET(3) (DATA), T1 xor OFFSET(9) (DATA), T1 xor OFFSET(14) (DATA), T1 add T2, SA mov SD, T2 xor SC, T2 rol $1, T1 xor SB, T2 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(1) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(2) (DATA), T1 rol $30, SB xor OFFSET(4) (DATA), T1 add T2, SE mov SC, T2 xor SB, T2 xor OFFSET(10) (DATA), T1 xor OFFSET(15) (DATA), T1 xor SA, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(2) (DATA) mov SE, T1 rol $5, T1 add T1, SD mov OFFSET(3) (DATA), T1 xor OFFSET(5) (DATA), T1 xor OFFSET(11) (DATA), T1 xor OFFSET(0) (DATA), T1 rol $30, SA add T2, SD mov SB, T2 rol $1, T1 mov T1, OFFSET(3) (DATA) xor SA, T2 xor SE, T2 lea K4VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(4) (DATA), T1 add T2, SC rol $30, SE xor OFFSET(6) (DATA), T1 mov SA, T2 xor OFFSET(12) (DATA), T1 xor SE, T2 xor OFFSET(1) (DATA), T1 rol $1, T1 xor SD, T2 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(4) (DATA) mov SC, T1 rol $5, T1 add T1, SB rol $30, SD mov OFFSET(5) (DATA), T1 add T2, SB xor OFFSET(7) (DATA), T1 xor OFFSET(13) (DATA), T1 mov SE, T2 xor SD, T2 xor OFFSET(2) (DATA), T1 xor SC, T2 rol $1, T1 mov T1, OFFSET(5) (DATA) lea K4VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(6) (DATA), T1 xor OFFSET(8) (DATA), T1 xor OFFSET(14) (DATA), T1 add T2, SA xor OFFSET(3) (DATA), T1 mov SD, T2 rol $30, SC rol $1, T1 xor SC, T2 mov T1, OFFSET(6) (DATA) xor SB, T2 lea K4VALUE (T1, T2), T2 mov SA, T1 rol $5, T1 add T1, SE add T2, SE mov OFFSET(7) (DATA), T1 xor OFFSET(9) (DATA), T1 xor OFFSET(15) (DATA), T1 rol $30, SB xor OFFSET(4) (DATA), T1 mov SC, T2 rol $1, T1 mov T1, OFFSET(7) (DATA) xor SB, T2 xor SA, T2 lea K4VALUE (T1, T2), T2 mov SE, T1 rol $5, T1 add T1, SD rol $30, SA mov OFFSET(8) (DATA), T1 xor OFFSET(10) (DATA), T1 add T2, SD xor OFFSET(0) (DATA), T1 xor OFFSET(5) (DATA), T1 rol $1, T1 mov SB, T2 mov T1, OFFSET(8) (DATA) xor SA, T2 xor SE, T2 lea K4VALUE (T1, T2), T2 mov SD, T1 rol $5, T1 add T1, SC add T2, SC mov SA, T2 mov OFFSET(9) (DATA), T1 rol $30, SE xor OFFSET(11) (DATA), T1 xor OFFSET(1) (DATA), T1 xor OFFSET(6) (DATA), T1 xor SE, T2 xor SD, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(9) (DATA) mov SC, T1 rol $5, T1 add T1, SB rol $30, SD mov OFFSET(10) (DATA), T1 xor OFFSET(12) (DATA), T1 xor OFFSET(2) (DATA), T1 add T2, SB mov SE, T2 xor SD, T2 xor SC, T2 xor OFFSET(7) (DATA), T1 rol $1, T1 mov T1, OFFSET(10) (DATA) lea K4VALUE (T1, T2), T2 mov SB, T1 rol $5, T1 add T1, SA mov OFFSET(11) (DATA), T1 xor OFFSET(13) (DATA), T1 xor OFFSET(3) (DATA), T1 add T2, SA mov SD, T2 rol $30, SC xor SC, T2 xor OFFSET(8) (DATA), T1 rol $1, T1 xor SB, T2 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(11) (DATA) mov SA, T1 rol $5, T1 add T1, SE mov OFFSET(12) (DATA), T1 add T2, SE xor OFFSET(14) (DATA), T1 rol $30, SB mov SC, T2 xor OFFSET(4) (DATA), T1 xor SB, T2 xor SA, T2 xor OFFSET(9) (DATA), T1 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(12) (DATA) mov SE, T1 rol $5, T1 add T1, SD add T2, SD rol $30, SA mov OFFSET(13) (DATA), T1 xor OFFSET(15) (DATA), T1 mov SB, T2 xor OFFSET(5) (DATA), T1 xor SA, T2 xor OFFSET(10) (DATA), T1 xor SE, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(13) (DATA) mov SD, T1 rol $5, T1 add T1, SC mov OFFSET(14) (DATA), T1 xor OFFSET(0) (DATA), T1 xor OFFSET(6) (DATA), T1 add T2, SC rol $30, SE mov SA, T2 xor SE, T2 xor OFFSET(11) (DATA), T1 xor SD, T2 rol $1, T1 lea K4VALUE (T1, T2), T2 mov T1, OFFSET(14) (DATA) mov SC, T1 rol $5, T1 add T1, SB mov OFFSET(15) (DATA), T1 xor OFFSET(1) (DATA), T1 xor OFFSET(7) (DATA), T1 rol $30, SD add T2, SB xor OFFSET(12) (DATA), T1 mov SE, T2 xor SD, T2 rol $1, T1 xor SC, T2 lea K4VALUE (T1, T2), T2 rol $30, SC mov T1, OFFSET(15) (DATA) mov SB, T1 rol $5, T1 add T1, SA add T2, SA C C Load and byteswap data C movl 88(%esp), T2 C C SWAP( 0, %eax) SWAP( 1, %ebx) SWAP( 2, %ecx) SWAP( 3, %edx) C SWAP( 4, %eax) SWAP( 5, %ebx) SWAP( 6, %ecx) SWAP( 7, %edx) C SWAP( 8, %eax) SWAP( 9, %ebx) SWAP(10, %ecx) SWAP(11, %edx) C SWAP(12, %eax) SWAP(13, %ebx) SWAP(14, %ecx) SWAP(15, %edx) C C C load the state vector C movl 84(%esp),T1 C movl (T1), SA C movl 4(T1), SB C movl 8(T1), SC C movl 12(T1), SD C movl 16(T1), SE C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 0) C ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 1) C ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 2) C ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 3) C ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 4) C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 5) C ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 6) C ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 7) C ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 8) C ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 9) C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 10) C ROUND_F1_NOEXP(SE, SA, SB, SC, SD, 11) C ROUND_F1_NOEXP(SD, SE, SA, SB, SC, 12) C ROUND_F1_NOEXP(SC, SD, SE, SA, SB, 13) C ROUND_F1_NOEXP(SB, SC, SD, SE, SA, 14) C C ROUND_F1_NOEXP(SA, SB, SC, SD, SE, 15) C ROUND_F1(SE, SA, SB, SC, SD, 16) C ROUND_F1(SD, SE, SA, SB, SC, 17) C ROUND_F1(SC, SD, SE, SA, SB, 18) C ROUND_F1(SB, SC, SD, SE, SA, 19) C C ROUND_F2(SA, SB, SC, SD, SE, 20, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 21, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 22, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 23, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 24, K2VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 25, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 26, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 27, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 28, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 29, K2VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 30, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 31, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 32, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 33, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 34, K2VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 35, K2VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 36, K2VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 37, K2VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 38, K2VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 39, K2VALUE) C C ROUND_F3(SA, SB, SC, SD, SE, 40) C ROUND_F3(SE, SA, SB, SC, SD, 41) C ROUND_F3(SD, SE, SA, SB, SC, 42) C ROUND_F3(SC, SD, SE, SA, SB, 43) C ROUND_F3(SB, SC, SD, SE, SA, 44) C C ROUND_F3(SA, SB, SC, SD, SE, 45) C ROUND_F3(SE, SA, SB, SC, SD, 46) C ROUND_F3(SD, SE, SA, SB, SC, 47) C ROUND_F3(SC, SD, SE, SA, SB, 48) C ROUND_F3(SB, SC, SD, SE, SA, 49) C C ROUND_F3(SA, SB, SC, SD, SE, 50) C ROUND_F3(SE, SA, SB, SC, SD, 51) C ROUND_F3(SD, SE, SA, SB, SC, 52) C ROUND_F3(SC, SD, SE, SA, SB, 53) C ROUND_F3(SB, SC, SD, SE, SA, 54) C C ROUND_F3(SA, SB, SC, SD, SE, 55) C ROUND_F3(SE, SA, SB, SC, SD, 56) C ROUND_F3(SD, SE, SA, SB, SC, 57) C ROUND_F3(SC, SD, SE, SA, SB, 58) C ROUND_F3(SB, SC, SD, SE, SA, 59) C C ROUND_F2(SA, SB, SC, SD, SE, 60, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 61, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 62, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 63, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 64, K4VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 65, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 66, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 67, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 68, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 69, K4VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 70, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 71, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 72, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 73, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 74, K4VALUE) C C ROUND_F2(SA, SB, SC, SD, SE, 75, K4VALUE) C ROUND_F2(SE, SA, SB, SC, SD, 76, K4VALUE) C ROUND_F2(SD, SE, SA, SB, SC, 77, K4VALUE) C ROUND_F2(SC, SD, SE, SA, SB, 78, K4VALUE) C ROUND_F2(SB, SC, SD, SE, SA, 79, K4VALUE) C Update the state vector movl 84(%esp),T1 addl SA, (T1) addl SB, 4(T1) addl SC, 8(T1) addl SD, 12(T1) addl SE, 16(T1) addl $64, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(nettle_sha1_compress) C TODO: C * Extend loopmixer so that it can exploit associativity, and for C example reorder C C add %eax, %ebx C add %ecx, %ebx C * Use mmx instructions for the data expansion, doing two words at a C time. nettle-3.10/x86/aes-encrypt-internal.asm0000644000175000017500000000772714633602172017170 0ustar nissenisseC x86/aes-encrypt-internal.asm ifelse(` Copyright (C) 2001, 2002, 2005, Rafael R. Sevilla, Niels Möller Copyright (C) 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`x86/aes.m4') C Register usage: C AES state define(`SA',`%eax') define(`SB',`%ebx') define(`SC',`%ecx') define(`SD',`%edx') C Primary use of these registers. They're also used temporarily for other things. define(`T',`%ebp') define(`TMP',`%edi') define(`KEY',`%esi') define(`PARAM_ROUNDS', `40(%esp)') define(`PARAM_KEYS', `44(%esp)') define(`PARAM_TABLE', `48(%esp)') define(`PARAM_LENGTH', `52(%esp)') define(`PARAM_DST', `56(%esp)') define(`PARAM_SRC', `60(%esp)') define(`FRAME_KEY', `16(%esp)') define(`FRAME_COUNT', `12(%esp)') define(`TA', `8(%esp)') define(`TB', `4(%esp)') define(`TC', `(%esp)') C The aes state is kept in %eax, %ebx, %ecx and %edx C C %esi is used as temporary, to point to the input, and to the C subkeys, etc. C C %ebp is used as the round counter, and as a temporary in the final round. C C %edi is a temporary, often used as an accumulator. .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(16) PROLOGUE(_nettle_aes_encrypt) C save all registers that need to be saved pushl %ebx C 20(%esp) pushl %ebp C 16(%esp) pushl %esi C 12(%esp) pushl %edi C 8(%esp) subl $20, %esp C loop counter and save area for the key pointer movl PARAM_LENGTH, %ebp testl %ebp,%ebp jz .Lend shrl $4, PARAM_LENGTH subl $1, PARAM_ROUNDS .Lblock_loop: movl PARAM_KEYS, KEY C address of subkeys movl PARAM_SRC, TMP C address of plaintext AES_LOAD(SA, SB, SC, SD, TMP, KEY) addl $16, PARAM_SRC C Increment src pointer movl PARAM_TABLE, T movl PARAM_ROUNDS, TMP C Loop counter on stack movl TMP, FRAME_COUNT addl $16,KEY C point to next key movl KEY,FRAME_KEY ALIGN(16) .Lround_loop: AES_ROUND(T, SA,SB,SC,SD, TMP, KEY) movl TMP, TA AES_ROUND(T, SB,SC,SD,SA, TMP, KEY) movl TMP, TB AES_ROUND(T, SC,SD,SA,SB, TMP, KEY) movl TMP, TC AES_ROUND(T, SD,SA,SB,SC, SD, KEY) movl TA, SA movl TB, SB movl TC, SC movl FRAME_KEY, KEY xorl (KEY),SA C add current session key to plaintext xorl 4(KEY),SB xorl 8(KEY),SC xorl 12(KEY),SD addl $16,FRAME_KEY C point to next key decl FRAME_COUNT jnz .Lround_loop C last round AES_FINAL_ROUND(SA,SB,SC,SD, T, TMP, KEY) movl TMP, TA AES_FINAL_ROUND(SB,SC,SD,SA, T, TMP, KEY) movl TMP, TB AES_FINAL_ROUND(SC,SD,SA,SB, T, TMP, KEY) movl TMP, TC AES_FINAL_ROUND(SD,SA,SB,SC, T, SD, KEY) movl TA, SA movl TB, SB movl TC, SC C S-box substitution mov $3,TMP .Lsubst: AES_SUBST_BYTE(SA,SB,SC,SD, T, KEY) decl TMP jnz .Lsubst C Add last subkey, and store encrypted data movl PARAM_DST,TMP movl FRAME_KEY, KEY AES_STORE(SA,SB,SC,SD, KEY, TMP) addl $16, PARAM_DST C Increment destination pointer decl PARAM_LENGTH jnz .Lblock_loop .Lend: addl $20, %esp popl %edi popl %esi popl %ebp popl %ebx ret EPILOGUE(_nettle_aes_encrypt) nettle-3.10/hmac.c0000644000175000017500000000560514633602171013041 0ustar nissenisse/* hmac.c HMAC message authentication code (RFC-2104). Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "hmac.h" #include "memxor.h" #include "nettle-internal.h" #define IPAD 0x36 #define OPAD 0x5c void hmac_set_key(void *outer, void *inner, void *state, const struct nettle_hash *hash, size_t key_length, const uint8_t *key) { TMP_DECL(pad, uint8_t, NETTLE_MAX_HASH_BLOCK_SIZE); TMP_ALLOC(pad, hash->block_size); hash->init(outer); hash->init(inner); if (key_length > hash->block_size) { /* Reduce key to the algorithm's hash size. Use the area pointed * to by state for the temporary state. */ TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_ALLOC(digest, hash->digest_size); hash->init(state); hash->update(state, key_length, key); hash->digest(state, hash->digest_size, digest); key = digest; key_length = hash->digest_size; } assert(key_length <= hash->block_size); memset(pad, OPAD, hash->block_size); memxor(pad, key, key_length); hash->update(outer, hash->block_size, pad); memset(pad, IPAD, hash->block_size); memxor(pad, key, key_length); hash->update(inner, hash->block_size, pad); memcpy(state, inner, hash->context_size); } void hmac_update(void *state, const struct nettle_hash *hash, size_t length, const uint8_t *data) { hash->update(state, length, data); } void hmac_digest(const void *outer, const void *inner, void *state, const struct nettle_hash *hash, size_t length, uint8_t *dst) { TMP_DECL(digest, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_ALLOC(digest, hash->digest_size); hash->digest(state, hash->digest_size, digest); memcpy(state, outer, hash->context_size); hash->update(state, hash->digest_size, digest); hash->digest(state, length, dst); memcpy(state, inner, hash->context_size); } nettle-3.10/umac-l3.c0000644000175000017500000000346414633602171013373 0ustar nissenisse/* umac-l3.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "umac.h" #include "umac-internal.h" #include "bswap-internal.h" /* 2^36 - 5 */ #define P 0x0000000FFFFFFFFBULL void _nettle_umac_l3_init (unsigned size, uint64_t *k) { unsigned i; for (i = 0; i < size; i++) { uint64_t w = k[i]; w = bswap64_if_le (w); k[i] = w % P; } } static uint64_t umac_l3_word (const uint64_t *k, uint64_t w) { unsigned i; uint64_t y; /* Since it's easiest to process the input word from the low end, * loop over keys in reverse order. */ for (i = y = 0; i < 4; i++, w >>= 16) y += (w & 0xffff) * k[3-i]; return y; } uint32_t _nettle_umac_l3 (const uint64_t *key, const uint64_t *m) { uint32_t y = (umac_l3_word (key, m[0]) + umac_l3_word (key + 4, m[1])) % P; return bswap32_if_le (y); } nettle-3.10/keymap.h0000644000175000017500000001427214633602172013425 0ustar nissenisse/* automagically made - do not fuss with this */ 0x02080008, 0x02082000, 0x00002008, 0x00000000, 0x02002000, 0x00080008, 0x02080000, 0x02082008, 0x00000008, 0x02000000, 0x00082000, 0x00002008, 0x00082008, 0x02002008, 0x02000008, 0x02080000, 0x00002000, 0x00082008, 0x00080008, 0x02002000, 0x02082008, 0x02000008, 0x00000000, 0x00082000, 0x02000000, 0x00080000, 0x02002008, 0x02080008, 0x00080000, 0x00002000, 0x02082000, 0x00000008, 0x00080000, 0x00002000, 0x02000008, 0x02082008, 0x00002008, 0x02000000, 0x00000000, 0x00082000, 0x02080008, 0x02002008, 0x02002000, 0x00080008, 0x02082000, 0x00000008, 0x00080008, 0x02002000, 0x02082008, 0x00080000, 0x02080000, 0x02000008, 0x00082000, 0x00002008, 0x02002008, 0x02080000, 0x00000008, 0x02082000, 0x00082008, 0x00000000, 0x02000000, 0x02080008, 0x00002000, 0x00082008, 0x08000004, 0x00020004, 0x00000000, 0x08020200, 0x00020004, 0x00000200, 0x08000204, 0x00020000, 0x00000204, 0x08020204, 0x00020200, 0x08000000, 0x08000200, 0x08000004, 0x08020000, 0x00020204, 0x00020000, 0x08000204, 0x08020004, 0x00000000, 0x00000200, 0x00000004, 0x08020200, 0x08020004, 0x08020204, 0x08020000, 0x08000000, 0x00000204, 0x00000004, 0x00020200, 0x00020204, 0x08000200, 0x00000204, 0x08000000, 0x08000200, 0x00020204, 0x08020200, 0x00020004, 0x00000000, 0x08000200, 0x08000000, 0x00000200, 0x08020004, 0x00020000, 0x00020004, 0x08020204, 0x00020200, 0x00000004, 0x08020204, 0x00020200, 0x00020000, 0x08000204, 0x08000004, 0x08020000, 0x00020204, 0x00000000, 0x00000200, 0x08000004, 0x08000204, 0x08020200, 0x08020000, 0x00000204, 0x00000004, 0x08020004, 0x80040100, 0x01000100, 0x80000000, 0x81040100, 0x00000000, 0x01040000, 0x81000100, 0x80040000, 0x01040100, 0x81000000, 0x01000000, 0x80000100, 0x81000000, 0x80040100, 0x00040000, 0x01000000, 0x81040000, 0x00040100, 0x00000100, 0x80000000, 0x00040100, 0x81000100, 0x01040000, 0x00000100, 0x80000100, 0x00000000, 0x80040000, 0x01040100, 0x01000100, 0x81040000, 0x81040100, 0x00040000, 0x81040000, 0x80000100, 0x00040000, 0x81000000, 0x00040100, 0x01000100, 0x80000000, 0x01040000, 0x81000100, 0x00000000, 0x00000100, 0x80040000, 0x00000000, 0x81040000, 0x01040100, 0x00000100, 0x01000000, 0x81040100, 0x80040100, 0x00040000, 0x81040100, 0x80000000, 0x01000100, 0x80040100, 0x80040000, 0x00040100, 0x01040000, 0x81000100, 0x80000100, 0x01000000, 0x81000000, 0x01040100, 0x04010801, 0x00000000, 0x00010800, 0x04010000, 0x04000001, 0x00000801, 0x04000800, 0x00010800, 0x00000800, 0x04010001, 0x00000001, 0x04000800, 0x00010001, 0x04010800, 0x04010000, 0x00000001, 0x00010000, 0x04000801, 0x04010001, 0x00000800, 0x00010801, 0x04000000, 0x00000000, 0x00010001, 0x04000801, 0x00010801, 0x04010800, 0x04000001, 0x04000000, 0x00010000, 0x00000801, 0x04010801, 0x00010001, 0x04010800, 0x04000800, 0x00010801, 0x04010801, 0x00010001, 0x04000001, 0x00000000, 0x04000000, 0x00000801, 0x00010000, 0x04010001, 0x00000800, 0x04000000, 0x00010801, 0x04000801, 0x04010800, 0x00000800, 0x00000000, 0x04000001, 0x00000001, 0x04010801, 0x00010800, 0x04010000, 0x04010001, 0x00010000, 0x00000801, 0x04000800, 0x04000801, 0x00000001, 0x04010000, 0x00010800, 0x00000400, 0x00000020, 0x00100020, 0x40100000, 0x40100420, 0x40000400, 0x00000420, 0x00000000, 0x00100000, 0x40100020, 0x40000020, 0x00100400, 0x40000000, 0x00100420, 0x00100400, 0x40000020, 0x40100020, 0x00000400, 0x40000400, 0x40100420, 0x00000000, 0x00100020, 0x40100000, 0x00000420, 0x40100400, 0x40000420, 0x00100420, 0x40000000, 0x40000420, 0x40100400, 0x00000020, 0x00100000, 0x40000420, 0x00100400, 0x40100400, 0x40000020, 0x00000400, 0x00000020, 0x00100000, 0x40100400, 0x40100020, 0x40000420, 0x00000420, 0x00000000, 0x00000020, 0x40100000, 0x40000000, 0x00100020, 0x00000000, 0x40100020, 0x00100020, 0x00000420, 0x40000020, 0x00000400, 0x40100420, 0x00100000, 0x00100420, 0x40000000, 0x40000400, 0x40100420, 0x40100000, 0x00100420, 0x00100400, 0x40000400, 0x00800000, 0x00001000, 0x00000040, 0x00801042, 0x00801002, 0x00800040, 0x00001042, 0x00801000, 0x00001000, 0x00000002, 0x00800002, 0x00001040, 0x00800042, 0x00801002, 0x00801040, 0x00000000, 0x00001040, 0x00800000, 0x00001002, 0x00000042, 0x00800040, 0x00001042, 0x00000000, 0x00800002, 0x00000002, 0x00800042, 0x00801042, 0x00001002, 0x00801000, 0x00000040, 0x00000042, 0x00801040, 0x00801040, 0x00800042, 0x00001002, 0x00801000, 0x00001000, 0x00000002, 0x00800002, 0x00800040, 0x00800000, 0x00001040, 0x00801042, 0x00000000, 0x00001042, 0x00800000, 0x00000040, 0x00001002, 0x00800042, 0x00000040, 0x00000000, 0x00801042, 0x00801002, 0x00801040, 0x00000042, 0x00001000, 0x00001040, 0x00801002, 0x00800040, 0x00000042, 0x00000002, 0x00001042, 0x00801000, 0x00800002, 0x10400000, 0x00404010, 0x00000010, 0x10400010, 0x10004000, 0x00400000, 0x10400010, 0x00004010, 0x00400010, 0x00004000, 0x00404000, 0x10000000, 0x10404010, 0x10000010, 0x10000000, 0x10404000, 0x00000000, 0x10004000, 0x00404010, 0x00000010, 0x10000010, 0x10404010, 0x00004000, 0x10400000, 0x10404000, 0x00400010, 0x10004010, 0x00404000, 0x00004010, 0x00000000, 0x00400000, 0x10004010, 0x00404010, 0x00000010, 0x10000000, 0x00004000, 0x10000010, 0x10004000, 0x00404000, 0x10400010, 0x00000000, 0x00404010, 0x00004010, 0x10404000, 0x10004000, 0x00400000, 0x10404010, 0x10000000, 0x10004010, 0x10400000, 0x00400000, 0x10404010, 0x00004000, 0x00400010, 0x10400010, 0x00004010, 0x00400010, 0x00000000, 0x10404000, 0x10000010, 0x10400000, 0x10004010, 0x00000010, 0x00404000, 0x00208080, 0x00008000, 0x20200000, 0x20208080, 0x00200000, 0x20008080, 0x20008000, 0x20200000, 0x20008080, 0x00208080, 0x00208000, 0x20000080, 0x20200080, 0x00200000, 0x00000000, 0x20008000, 0x00008000, 0x20000000, 0x00200080, 0x00008080, 0x20208080, 0x00208000, 0x20000080, 0x00200080, 0x20000000, 0x00000080, 0x00008080, 0x20208000, 0x00000080, 0x20200080, 0x20208000, 0x00000000, 0x00000000, 0x20208080, 0x00200080, 0x20008000, 0x00208080, 0x00008000, 0x20000080, 0x00200080, 0x20208000, 0x00000080, 0x00008080, 0x20200000, 0x20008080, 0x20000000, 0x20200000, 0x00208000, 0x20208080, 0x00008080, 0x00208000, 0x20200080, 0x00200000, 0x20000080, 0x20008000, 0x00000000, 0x00008000, 0x00200000, 0x20200080, 0x00208080, 0x20000000, 0x20208000, 0x00000080, 0x20008080, nettle-3.10/sha384-meta.c0000644000175000017500000000224514633602171014064 0ustar nissenisse/* sha384-meta.c Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha384 = _NETTLE_HASH(sha384, SHA384); nettle-3.10/hmac-sha384-meta.c0000644000175000017500000000245514633602171014775 0ustar nissenisse/* hmac-sha384-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha384_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha384_set_key (ctx, SHA384_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha384 = _NETTLE_HMAC(hmac_sha384, SHA384); nettle-3.10/ecc-curve448.c0000644000175000017500000001640714633602171014247 0ustar nissenisse/* ecc-curve448.c Arithmetic and tables for curve448, Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-curve448.h" #if HAVE_NATIVE_ecc_curve448_modp #define ecc_curve448_modp _nettle_ecc_curve448_modp void ecc_curve448_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #elif GMP_NUMB_BITS == 64 static void ecc_curve448_modp(const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { /* Let B = 2^64, b = 2^32 = sqrt(B). p = B^7 - b B^3 - 1 ==> B^7 = b B^3 + 1 We use this to reduce {r_{13}, ..., r_0} = {r_6,...,r_0} + {r_{10},...,r_7} + 2 {r_{13},r_{12}, r_{11}} B^4 + b {r_{10},...,r_7,r_{13},r_{12},r_{11} (mod p) or +----+----+----+----+----+----+----+ |r_6 |r_5 |r_4 |r_3 |r_2 |r_1 |r_0 | +----+----+----+----+----+----+----+ |r_10|r_9 |r_8 |r_7 | +----+----+----+----+----+----+----+ 2 * |r_13|r_12|r_11| +----+----+----+----+----+----+----+ + b * |r_10|r_9 |r_8 |r_7 |r_13|r_12|r_11| -------+----+----+----+----+----+----+----+ c_7 |r_6 |r_5 |r_4 |r_3 |r_2 |r_1 |r_0 | +----+----+----+----+----+----+----+ */ mp_limb_t c3, c4, c7; mp_limb_t *tp = xp + 7; c4 = mpn_add_n (xp, xp, xp + 7, 4); c7 = mpn_addmul_1 (xp + 4, xp + 11, 3, 2); c3 = mpn_addmul_1 (xp, xp + 11, 3, (mp_limb_t) 1 << 32); c7 += mpn_addmul_1 (xp + 3, xp + 7, 4, (mp_limb_t) 1 << 32); tp[0] = c7; tp[1] = tp[2] = 0; tp[3] = c3 + (c7 << 32); tp[4] = c4 + (c7 >> 32) + (tp[3] < c3); tp[5] = tp[6] = 0; c7 = mpn_add_n (rp, xp, tp, 7); c7 = mpn_cnd_add_n (c7, rp, rp, m->B, 7); assert_maybe (c7 == 0); } #else #define ecc_curve448_modp ecc_mod #endif /* Computes a^{(p-3)/4} = a^{2^446-2^222-1} mod m. Needs 4 * n scratch space. */ static void ecc_mod_pow_446m224m1 (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { /* Note overlap: operations writing to t0 clobber t1. */ #define t0 scratch #define t1 (scratch + ECC_LIMB_SIZE) #define tp (scratch + 2*ECC_LIMB_SIZE) /* Set t0 = a^7 */ ecc_mod_sqr (p, t0, ap, tp); /* a^2 */ ecc_mod_mul (p, t0, ap, t0, tp); /* a^3 */ ecc_mod_sqr (p, t0, t0, tp); /* a^6 */ ecc_mod_mul (p, t0, ap, t0, tp); /* a^{2^3-1} */ /* Set t0 = a^{2^18-1} */ ecc_mod_pow_2kp1 (p, rp, t0, 3, tp); /* a^{2^6-1} */ ecc_mod_pow_2k (p, rp, rp, 3, tp); /* a^{2^9-2^3} */ ecc_mod_mul (p, rp, rp, t0, tp); /* a^{2^9-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 9, tp); /* a^{2^18-1} */ /* Set t0 = a^{2^37-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^19-2} */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^19-1} */ ecc_mod_pow_2k (p, t1, rp, 18, tp); /* a^{2^37-2^18} */ ecc_mod_mul (p, t0, t0, t1, tp); /* a^{2^37-1} */ /* Set t0 = a^{2^222-1} */ ecc_mod_pow_2kp1 (p, rp, t0, 37, tp); /* a^{2^74-1} */ ecc_mod_pow_2k (p, t1, rp, 37, tp); /* a^{2^111-2^37} */ ecc_mod_mul (p, t1, t1, t0, tp); /* a^{2^111-1} */ ecc_mod_pow_2kp1 (p, t0, t1, 111, tp);/* a^{2^222-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^223-2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^223-1} */ ecc_mod_pow_2k (p, t1, rp, 223, tp); /* a^{2^446-2^223} */ ecc_mod_mul (p, rp, t1, t0, tp); /* a^{2^446-2^222-1} */ #undef t0 #undef t1 #undef tp } #define ECC_CURVE448_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_curve448_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp) { ecc_mod_pow_446m224m1 (p, rp, ap, tp);/* a^{2^446-2^222-1} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^447-2^223-2} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^448-2^224-4} */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^448-2^224-3} */ } /* To guarantee that inputs to ecc_mod_zero_p are in the required range. */ #if ECC_LIMB_SIZE * GMP_NUMB_BITS != 448 #error Unsupported limb size #endif /* Compute x such that x^2 = u/v (mod p). Returns one on success, zero on failure. To avoid a separate inversion, we use a trick of djb's, to compute the candidate root as x = (u/v)^{(p+1)/4} = u^3 v (u^5 v^3)^{(p-3)/4}. */ /* Needs 2*n space + scratch for ecc_mod_pow_446m224m1. */ #define ECC_CURVE448_SQRT_RATIO_ITCH (6*ECC_LIMB_SIZE) static int ecc_curve448_sqrt_ratio(const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *up, const mp_limb_t *vp, mp_limb_t *scratch) { #define uv scratch #define u3v (scratch + ECC_LIMB_SIZE) #define u5v3 uv #define t0 scratch #define scratch_out (scratch + 2*ECC_LIMB_SIZE) /* Live values */ ecc_mod_mul (p, uv, up, vp, scratch_out); /* uv */ ecc_mod_sqr (p, u3v, up, scratch_out); /* uv, u3v */ ecc_mod_mul (p, u3v, u3v, uv, scratch_out); /* uv, u3v */ ecc_mod_sqr (p, u5v3, uv, scratch_out); /* u5v3, u3v */ ecc_mod_mul (p, u5v3, u5v3, u3v, scratch_out);/* u5v3, u3v */ ecc_mod_pow_446m224m1 (p, rp, u5v3, scratch_out); /* u3v */ ecc_mod_mul (p, rp, rp, u3v, scratch_out); /* If square root exists, have v x^2 = u */ ecc_mod_sqr (p, t0, rp, scratch_out); /* x^2 */ ecc_mod_mul (p, t0, t0, vp, scratch_out); /* v x^2 */ ecc_mod_sub (p, t0, t0, up); return ecc_mod_zero_p (p, t0); #undef uv #undef u3v #undef u5v3 #undef t0 #undef scratch_out } const struct ecc_curve _nettle_curve448 = { { 448, ECC_LIMB_SIZE, ECC_BMODP_SIZE, 0, ECC_CURVE448_INV_ITCH, 0, ECC_CURVE448_SQRT_RATIO_ITCH, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, NULL, ecc_pp1h, ecc_curve448_modp, ecc_curve448_modp, ecc_curve448_inv, NULL, ecc_curve448_sqrt_ratio, }, { 446, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, 0, /* No redc */ ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_EH_ITCH (ECC_LIMB_SIZE), ECC_ADD_EHH_ITCH (ECC_LIMB_SIZE), ECC_DUP_EH_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_EH_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_EH_ITCH (ECC_LIMB_SIZE), ECC_EH_TO_A_ITCH (ECC_LIMB_SIZE, ECC_CURVE448_INV_ITCH), ecc_add_eh, ecc_add_ehh, ecc_dup_eh, ecc_mul_a_eh, ecc_mul_g_eh, ecc_eh_to_a, ecc_b, ecc_unit, ecc_table }; nettle-3.10/nettle-write.h0000644000175000017500000000327414633602172014562 0ustar nissenisse/* nettle-write.h Internal functions to write out word-sized data to byte arrays. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_WRITE_H_INCLUDED #define NETTLE_WRITE_H_INCLUDED /* For size_t */ #include #include /* Write the word array at SRC to the byte array at DST, using little endian (le) or big endian (be) byte order, and truncating the result to LENGTH bytes. */ /* FIXME: Use a macro shortcut to memcpy for native endianness. */ void _nettle_write_be32(size_t length, uint8_t *dst, const uint32_t *src); void _nettle_write_le32(size_t length, uint8_t *dst, const uint32_t *src); void _nettle_write_le64(size_t length, uint8_t *dst, const uint64_t *src); #endif /* NETTLE_WRITE_H_INCLUDED */ nettle-3.10/pbkdf2.h0000644000175000017500000000610514633602172013303 0ustar nissenisse/* pbkdf2.h PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PBKDF2_H_INCLUDED #define NETTLE_PBKDF2_H_INCLUDED #include "nettle-meta.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define pbkdf2 nettle_pbkdf2 #define pbkdf2_hmac_sha1 nettle_pbkdf2_hmac_sha1 #define pbkdf2_hmac_sha256 nettle_pbkdf2_hmac_sha256 #define pbkdf2_hmac_sha384 nettle_pbkdf2_hmac_sha384 #define pbkdf2_hmac_sha512 nettle_pbkdf2_hmac_sha512 #define pbkdf2_hmac_gosthash94cp nettle_pbkdf2_hmac_gosthash94cp void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); #define PBKDF2(ctx, update, digest, digest_size, \ iterations, salt_length, salt, length, dst) \ (0 ? ((update)((ctx), 0, (uint8_t *) 0), \ (digest)((ctx), 0, (uint8_t *) 0)) \ : pbkdf2 ((ctx), \ (nettle_hash_update_func *)(update), \ (nettle_hash_digest_func *)(digest), \ (digest_size), (iterations), \ (salt_length), (salt), (length), (dst))) /* PBKDF2 with specific PRFs. */ void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); void pbkdf2_hmac_sha256 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); void pbkdf2_hmac_sha384 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); void pbkdf2_hmac_sha512 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); void pbkdf2_hmac_gosthash94cp (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_PBKDF2_H_INCLUDED */ nettle-3.10/siv-gcm.h0000644000175000017500000000654614633602172013511 0ustar nissenisse/* siv-gcm.h AES-GCM-SIV, RFC8452 Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SIV_GCM_H_INCLUDED #define NETTLE_SIV_GCM_H_INCLUDED #include "nettle-types.h" #include "nettle-meta.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define siv_gcm_encrypt_message nettle_siv_gcm_encrypt_message #define siv_gcm_decrypt_message nettle_siv_gcm_decrypt_message #define siv_gcm_aes128_encrypt_message nettle_siv_gcm_aes128_encrypt_message #define siv_gcm_aes128_decrypt_message nettle_siv_gcm_aes128_decrypt_message #define siv_gcm_aes256_encrypt_message nettle_siv_gcm_aes256_encrypt_message #define siv_gcm_aes256_decrypt_message nettle_siv_gcm_aes256_decrypt_message /* For AES-GCM-SIV, the block size of the underlying cipher shall be 128 bits. */ #define SIV_GCM_BLOCK_SIZE 16 #define SIV_GCM_DIGEST_SIZE 16 #define SIV_GCM_NONCE_SIZE 12 /* Generic interface. NC must be a block cipher with 128-bit block size, and keysize that is a multiple of 64 bits, such as AES-128 or AES-256. */ void siv_gcm_encrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_gcm_decrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); /* AEAD_AES_128_GCM_SIV */ void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); /* AEAD_AES_256_GCM_SIV */ void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SIV_H_INCLUDED */ nettle-3.10/ecc-size.c0000644000175000017500000000274214633602171013632 0ustar nissenisse/* ecc-size.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" unsigned ecc_bit_size (const struct ecc_curve *ecc) { return ecc->p.bit_size; } mp_size_t ecc_size (const struct ecc_curve *ecc) { return ecc->p.size; } mp_size_t ecc_size_a (const struct ecc_curve *ecc) { return 2*ecc->p.size; } mp_size_t ecc_size_j (const struct ecc_curve *ecc) { return 3*ecc->p.size; } nettle-3.10/testsuite/0000755000175000017500000000000014633602172014011 5ustar nissenissenettle-3.10/testsuite/sha1-huge-test.c0000644000175000017500000000054714633602172016722 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Hashes 10 000 000 x 30 000 bytes > 64 * 2^32. This overflows the low word of the block counter. This test vector is not cross checked with any other sha1 implementation. */ test_hash_large(&nettle_sha1, 10000000, 30000, 'a', SHEX("0ba79364dc64648f 2074fb4bc5c28bcf" "b7a787b0")); } nettle-3.10/testsuite/gosthash94-test.c0000644000175000017500000000233514633602172017132 0ustar nissenisse#include "testutils.h" #include "gosthash94.h" /* Using test vectors from Wikipedia article on GOST */ void test_main(void) { test_hash(&nettle_gosthash94, SDATA("The quick brown fox jumps over the lazy dog"), SHEX("77b7fa410c9ac58a25f49bca7d0468c9296529315eaca76bd1a10f376d1f4294")); test_hash(&nettle_gosthash94, SDATA("message digest"), SHEX("ad4434ecb18f2c99b60cbe59ec3d2469582b65273f48de72db2fde16a4889a4d")); test_hash(&nettle_gosthash94, SDATA("a"), SHEX("d42c539e367c66e9c88a801f6649349c21871b4344c6a573f849fdce62f314dd")); test_hash(&nettle_gosthash94, SDATA(""), SHEX("ce85b99cc46752fffee35cab9a7b0278abb4c2d2055cff685af4912c49490f8d")); test_hash(&nettle_gosthash94cp, SDATA("The quick brown fox jumps over the lazy dog"), SHEX("9004294a361a508c586fe53d1f1b02746765e71b765472786e4770d565830a76")); test_hash(&nettle_gosthash94cp, SDATA("message digest"), SHEX("bc6041dd2aa401ebfa6e9886734174febdb4729aa972d60f549ac39b29721ba0")); test_hash(&nettle_gosthash94cp, SDATA("a"), SHEX("e74c52dd282183bf37af0079c9f78055715a103f17e3133ceff1aacf2f403011")); test_hash(&nettle_gosthash94cp, SDATA(""), SHEX("981e5f3ca30c841487830f84fb433e13ac1101569b9c13584ac483234cd656c0")); } nettle-3.10/testsuite/sc-ed25519-test0000755000175000017500000000013314633602172016312 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./ed25519-test nettle-3.10/testsuite/curve25519-dh-test.c0000644000175000017500000001140614633602172017257 0ustar nissenisse/* curve25519-dh-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "curve25519.h" static void test_g (const uint8_t *s, const uint8_t *r) { uint8_t p[CURVE25519_SIZE]; mark_bytes_undefined (CURVE25519_SIZE, s); curve25519_mul_g (p, s); mark_bytes_defined (CURVE25519_SIZE, p); if (!MEMEQ (CURVE25519_SIZE, p, r)) { printf ("curve25519_mul_g failure:\ns = "); print_hex (CURVE25519_SIZE, s); printf ("\np = "); print_hex (CURVE25519_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE25519_SIZE, r); printf (" (expected)\n"); abort (); } } static void test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r) { uint8_t p[CURVE25519_SIZE]; mark_bytes_undefined (CURVE25519_SIZE, b); mark_bytes_undefined (CURVE25519_SIZE, s); curve25519_mul (p, s, b); mark_bytes_defined (CURVE25519_SIZE, p); if (!MEMEQ (CURVE25519_SIZE, p, r)) { printf ("curve25519_mul failure:\ns = "); print_hex (CURVE25519_SIZE, s); printf ("\nb = "); print_hex (CURVE25519_SIZE, b); printf ("\np = "); print_hex (CURVE25519_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE25519_SIZE, r); printf (" (expected)\n"); abort (); } } void test_main (void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif /* From RFC 7748. */ test_g (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a")); test_g (H("5dab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e0eb"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f")); test_a (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); test_a (H("5dab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e0eb"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); /* Check that the least significant three bits (first octet) of the scalar are ignored by mul_g. */ test_g (H("70076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a")); /* Check that the most significant two bits (last octet) of the scalar are ignored by mul_g. */ test_g (H("5dab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e02b"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f")); /* Check that the least significant three bits (first octet) of the scalar are ignored by mul_a. */ test_a (H("5aab087e624a8a4b79e17f8b83800ee6" "6f3bb1292618b6fd1c2f8b27ff88e0eb"), H("8520f0098930a754748b7ddcb43ef75a" "0dbf3a0d26381af4eba4a98eaa9b4e6a"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); /* Check that the most significant two bits (last octet) of the scalar are ignored by mul_g. */ test_a (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92cea"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882b4f"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); /* Check that the most significant bit (last octet) of the x coordinate is ignored. */ test_a (H("77076d0a7318a57d3c16c17251b26645" "df4c2f87ebc0992ab177fba51db92c2a"), H("de9edb7d7b7dc1b4d35b61c2ece43537" "3f8343c85b78674dadfc7e146f882bcf"), H("4a5d9d5ba4ce2de1728e3bf480350f25" "e07e21c947d19e3376f09b3c1e161742")); } nettle-3.10/testsuite/sc-rsa-oaep-encrypt-test0000755000175000017500000000014414633602172020507 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./rsa-oaep-encrypt-test nettle-3.10/testsuite/ecc-dup-test.c0000644000175000017500000000154614633602172016460 0ustar nissenisse#include "testutils.h" void test_main (void) { unsigned i; for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *scratch = xalloc_limbs (ecc->dup_itch); test_ecc_get_g (i, g); if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) { mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc)); /* Zero point has x = 0, y = 1, z = 1 */ mpn_zero (z, 3*ecc->p.size); z[ecc->p.size] = z[2*ecc->p.size] = 1; ecc->dup (ecc, p, z, scratch); test_ecc_mul_h (i, 0, p); free (z); } ecc->dup (ecc, p, g, scratch); test_ecc_mul_h (i, 2, p); ecc->dup (ecc, p, p, scratch); test_ecc_mul_h (i, 4, p); free (p); free (g); free (scratch); } } nettle-3.10/testsuite/ecc-mul-g-test.c0000644000175000017500000000247514633602172016713 0ustar nissenisse#include "testutils.h" void test_main (void) { gmp_randstate_t rands; mpz_t r; unsigned i; gmp_randinit_default (rands); test_randomize(rands); mpz_init (r); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size = ecc_size (ecc); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); mp_limb_t *scratch = xalloc_limbs (ecc->mul_g_itch); mpn_zero (n, size); n[0] = 1; ecc->mul_g (ecc, p, n, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); test_ecc_ga (i, p); for (n[0] = 2; n[0] <= 4; n[0]++) { ecc->mul_g (ecc, p, n, scratch); test_ecc_mul_h (i, n[0], p); } /* (order - 1) * g = - g */ mpn_sub_1 (n, ecc->q.m, size, 1); ecc->mul_g (ecc, p, n, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ mpn_sub_n (p, ecc->p.m, p, size); else mpn_sub_n (p + size, ecc->p.m, p + size, size); test_ecc_ga (i, p); free (n); free (p); free (q); free (scratch); } mpz_clear (r); gmp_randclear (rands); } nettle-3.10/testsuite/rsa2sexp-test.c0000644000175000017500000000573714633602172016715 0ustar nissenisse#include "testutils.h" #include "buffer.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key priv; struct nettle_buffer buffer; rsa_public_key_init(&pub); rsa_private_key_init(&priv); mpz_set_str(pub.n, "085c3408989acae4faec3cbbad91c90d34c1d259cd74121a" "36f38b0b51424a9b2be514a04377113a6cdafe79dd7d5f2e" "cc8b5e9661189b86a7b22239907c25", 16); mpz_set_str(pub.e, "36ad4b1d", 16); ASSERT(rsa_public_key_prepare(&pub)); mpz_set_str(priv.d, "06ee6d4ff3c239e408150daf8117abfa36a40ad4455d9059" "a86d52f33a2de07418a0a699594588c64810248c9412d554" "f74af947c73c32007e87c92f0937ed", 16); mpz_set_str(priv.p, "03259879b24315e9cf14254824c7935d807cdb6990f414a0" "f65e6065130a611f", 16); mpz_set_str(priv.q, "02a81ba73bad45fc73b36deffce52d1b73e0747f4d8a8264" "8cecd310448ea63b", 16); mpz_set_str(priv.a, "026cbdad5dd0046e093f060ecd5b4ac918e098b0278bb752" "b7cadd6a8944f0b9", 16); mpz_set_str(priv.b, "0148751e622d6d58e3bb094afd6edacf7370351d068e2ce9" "f565c5528c4a7473", 16); mpz_set_str(priv.c, "f8a458ea73a018dc6fa56863e3bc6de405f364f77dee6f09" "62679ea1a8282e", 16); ASSERT(rsa_private_key_prepare(&priv)); nettle_buffer_init(&buffer); ASSERT(rsa_keypair_to_sexp(&buffer, "rsa", &pub, &priv)); if (verbose) { printf("private:"); print_hex(buffer.size, buffer.contents); } ASSERT(MEMEQ(buffer.size, buffer.contents, H("2831313a707269766174652d6b657928" "333a72736128313a6e36333a085c3408" "989acae4faec3cbbad91c90d34c1d259" "cd74121a36f38b0b51424a9b2be514a0" "4377113a6cdafe79dd7d5f2ecc8b5e96" "61189b86a7b22239907c252928313a65" "343a36ad4b1d2928313a6436333a06ee" "6d4ff3c239e408150daf8117abfa36a4" "0ad4455d9059a86d52f33a2de07418a0" "a699594588c64810248c9412d554f74a" "f947c73c32007e87c92f0937ed292831" "3a7033323a03259879b24315e9cf1425" "4824c7935d807cdb6990f414a0f65e60" "65130a611f2928313a7133323a02a81b" "a73bad45fc73b36deffce52d1b73e074" "7f4d8a82648cecd310448ea63b292831" "3a6133323a026cbdad5dd0046e093f06" "0ecd5b4ac918e098b0278bb752b7cadd" "6a8944f0b92928313a6233323a014875" "1e622d6d58e3bb094afd6edacf737035" "1d068e2ce9f565c5528c4a7473292831" "3a6333323a00f8a458ea73a018dc6fa5" "6863e3bc6de405f364f77dee6f096267" "9ea1a8282e292929"))); nettle_buffer_clear(&buffer); ASSERT(rsa_keypair_to_sexp(&buffer, NULL, &pub, NULL)); if (verbose) { printf("public:"); print_hex(buffer.size, buffer.contents); } ASSERT(MEMEQ(buffer.size, buffer.contents, H("2831303a7075626c69632d6b65792839" "3a7273612d706b63733128313a6e3633" "3a085c3408989acae4faec3cbbad91c9" "0d34c1d259cd74121a36f38b0b51424a" "9b2be514a04377113a6cdafe79dd7d5f" "2ecc8b5e9661189b86a7b22239907c25" "2928313a65343a36ad4b1d292929"))); nettle_buffer_clear(&buffer); rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); } nettle-3.10/testsuite/ecdsa-keygen-test.c0000644000175000017500000000435014633602172017473 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" void test_main (void) { unsigned i; struct knuth_lfib_ctx rctx; struct dsa_signature signature; struct tstring *digest; knuth_lfib_init (&rctx, 4711); dsa_signature_init (&signature); digest = SHEX (/* sha256("abc") */ "BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; struct ecc_point pub; struct ecc_scalar key; if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* Exclude curve25519 and curve448, not supported with ECDSA. */ continue; if (verbose) fprintf (stderr, "Curve %d\n", ecc->p.bit_size); ecc_point_init (&pub, ecc); ecc_scalar_init (&key, ecc); ecdsa_generate_keypair (&pub, &key, &rctx, (nettle_random_func *) knuth_lfib_random); if (verbose) { fprintf (stderr, "Public key:\nx = "); write_mpn (stderr, 16, pub.p, ecc->p.size); fprintf (stderr, "\ny = "); write_mpn (stderr, 16, pub.p + ecc->p.size, ecc->p.size); fprintf (stderr, "\nPrivate key: "); write_mpn (stderr, 16, key.p, ecc->p.size); fprintf (stderr, "\n"); } if (!test_ecc_point_valid_p (&pub)) die ("ecdsa_generate_keypair produced an invalid point.\n"); ecdsa_sign (&key, &rctx, (nettle_random_func *) knuth_lfib_random, digest->length, digest->data, &signature); if (!ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify failed.\n"); digest->data[3] ^= 17; if (ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify returned success with invalid digest.\n"); digest->data[3] ^= 17; mpz_combit (signature.r, 117); if (ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify returned success with invalid signature.r.\n"); mpz_combit (signature.r, 117); mpz_combit (signature.s, 93); if (ecdsa_verify (&pub, digest->length, digest->data, &signature)) die ("ecdsa_verify returned success with invalid signature.s.\n"); ecc_point_clear (&pub); ecc_scalar_clear (&key); } dsa_signature_clear (&signature); } nettle-3.10/testsuite/des-test.c0000644000175000017500000000635714633602172015720 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "des.h" static void test_des(const struct tstring *key, int expected_parity, const struct tstring *cleartext, const struct tstring *ciphertext) { struct des_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == DES_KEY_SIZE); data = xalloc(length); ASSERT (des_check_parity(8, key->data) == expected_parity); ASSERT (des_set_key(&ctx, key->data)); des_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } des_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } static void test_weak(const struct tstring *key) { struct des_ctx ctx; ASSERT (key->length == DES_KEY_SIZE); ASSERT (des_set_key(&ctx, key->data) == 0); } void test_main(void) { /* From Applied Cryptography */ test_des(SHEX("01234567 89ABCDEF"), 1, SHEX("01234567 89ABCDE7"), SHEX("C9574425 6A5ED31D")); test_des(SHEX("01 01 01 01 01 01 01 80"), 1, SHEX("00 00 00 00 00 00 00 00"), SHEX("9C C6 2D F4 3B 6E ED 74")); test_des(SHEX("80 01 01 01 01 01 01 01"), 1, SHEX("00 00 00 00 00 00 00 40"), SHEX("A3 80 E0 2A 6B E5 46 96")); test_des(SHEX("08 19 2A 3B 4C 5D 6E 7F"), 1, SHEX("00 00 00 00 00 00 00 00"), SHEX("25 DD AC 3E 96 17 64 67")); test_des(SHEX("01 23 45 67 89 AB CD EF"), 1, SDATA("Now is t"), SHEX("3F A4 0E 8A 98 4D 48 15")); /* Same key, but with one bad parity bit, */ test_des(SHEX("01 23 45 66 89 AB CD EF"), 0, SDATA("Now is t"), SHEX("3F A4 0E 8A 98 4D 48 15")); /* Parity check */ { const struct tstring *s = SHEX("01 01 01 01 01 01 01 00"); ASSERT (des_check_parity(s->length, s->data) == 0); } /* The four weak keys */ test_weak(SHEX("01 01 01 01 01 01 01 01")); test_weak(SHEX("FE FE FE FE FE FE FE FE")); test_weak(SHEX("1F 1F 1F 1F 0E 0E 0E 0E")); test_weak(SHEX("E0 E0 E0 E0 F1 F1 F1 F1")); /* Same weak key, but different parity. */ test_weak(SHEX("E0 E0 E0 E0 F0 F1 F1 F1")); /* The six pairs of semiweak keys */ test_weak(SHEX("01 FE 01 FE 01 FE 01 FE")); test_weak(SHEX("FE 01 FE 01 FE 01 FE 01")); test_weak(SHEX("1F E0 1F E0 0E F1 0E F1")); test_weak(SHEX("E0 1F E0 1F F1 0E F1 0E")); test_weak(SHEX("01 E0 01 E0 01 F1 01 F1")); test_weak(SHEX("E0 01 E0 01 F1 01 F1 01")); test_weak(SHEX("1F FE 1F FE 0E FE 0E FE")); test_weak(SHEX("FE 1F FE 1F FE 0E FE 0E")); test_weak(SHEX("01 1F 01 1F 01 0E 01 0E")); test_weak(SHEX("1F 01 1F 01 0E 01 0E 01")); test_weak(SHEX("E0 FE E0 FE F1 FE F1 FE")); test_weak(SHEX("FE E0 FE E0 FE F1 FE F1")); } nettle-3.10/testsuite/ecc-mod-test.c0000644000175000017500000001361514633602172016447 0ustar nissenisse#include "testutils.h" static void ref_mod (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) { mpz_t r, a, m; mpz_init (r); mpz_mod (r, mpz_roinit_n (a, ap, 2*mn), mpz_roinit_n (m, mp, mn)); mpz_limbs_copy (rp, r, mn); mpz_clear (r); } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define MAX_SIZE (2*MAX_ECC_SIZE) #define COUNT 10000 /* Destructively normalize tp, then compare */ static int mod_equal(const struct ecc_modulo *m, const mp_limb_t *ref, mp_limb_t *tp) { if (mpn_cmp (tp, m->m, m->size) >= 0) mpn_sub_n (tp, tp, m->m, m->size); return mpn_cmp (ref, tp, m->size) == 0; } static void test_one(const char *name, const struct ecc_modulo *m, const mpz_t r) { mp_limb_t a[MAX_SIZE]; mp_limb_t t[MAX_SIZE]; mp_limb_t ref[MAX_SIZE]; mpz_limbs_copy (a, r, 2*m->size); ref_mod (ref, a, m->m, m->size); mpn_copyi (t, a, 2*m->size); m->mod (m, t, t); if (!mod_equal (m, ref, t)) { fprintf (stderr, "m->mod %s failed: bit_size = %u, rp == xp\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } mpn_copyi (t, a, 2*m->size); m->mod (m, t + m->size, t); if (!mod_equal (m, ref, t + m->size)) { fprintf (stderr, "m->mod %s failed: bit_size = %u, rp == xp + size\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t + m->size, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } if (m->B_size < m->size) { mpn_copyi (t, a, 2*m->size); ecc_mod (m, t, t); if (!mod_equal (m, ref, t)) { fprintf (stderr, "ecc_mod %s failed: bit_size = %u, rp == xp\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } mpn_copyi (t, a, 2*m->size); ecc_mod (m, t + m->size, t); if (!mod_equal (m, ref, t + m->size)) { fprintf (stderr, "ecc_mod %s failed: bit_size = %u, rp == xp + size\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t + m->size, m->size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, m->size); fprintf (stderr, "\n"); abort (); } } } static void test_modulo (gmp_randstate_t rands, const char *name, const struct ecc_modulo *m, unsigned count) { mpz_t r; unsigned j; mpz_init (r); for (j = 0; j < count; j++) { if (j & 2) { if (j & 1) mpz_rrandomb (r, rands, 2*m->size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, 2*m->size * GMP_NUMB_BITS); } else { /* Test inputs close to a multiple of m. */ mpz_t q; unsigned q_size; int diff; mpz_urandomb(r, rands, 30); q_size = 11 + mpz_get_ui(r) % (m->size * GMP_NUMB_BITS - 10); mpz_urandomb(r, rands, 30); diff = mpz_get_si(r) % 20 - 10; if (j & 1) mpz_rrandomb (r, rands, q_size); else mpz_urandomb (r, rands, q_size); mpz_mul (r, r, mpz_roinit_n(q, m->m, m->size)); if (diff >= 0) mpz_add_ui (r, r, diff); else mpz_sub_ui (r, r, -diff); if (mpz_sgn(r) < 0) continue; } test_one (name, m, r); } mpz_clear (r); } static void test_fixed (void) { mpz_t r; mpz_init (r); /* Triggered a bug reported by Hanno Böck. */ mpz_set_str (r, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFF001C2C00", 16); mpz_mul_2exp (r, r, 256); test_one ("p", &_nettle_secp_256r1.p, r); test_one ("q", &_nettle_secp_256r1.q, r); mpz_set_str (r, "ffffffff00000001fffffffeffffffffffffffffffffffffffffffc0000000000007ffffffffffffffffffffffffffff00000000000000000fffffffffffffff", 16); test_one ("p", &_nettle_secp_256r1.p, r); test_one ("q", &_nettle_secp_256r1.q, r); /* Triggered a bug reported by Hanno Böck. */ mpz_set_str (r, "4c9000000000000000000000000000000000000000000000004a604db486e000000000000000000000000000000000000000121025be29575adb2c8ffffffffffffffffffffffffffffffffffffffffffffffffffffffff", 16); test_one ("p", &_nettle_secp_384r1.p, r); test_one ("q", &_nettle_secp_384r1.q, r); /* Triggered a carry bug in development version. */ mpz_set_str (r, "e64a84643150260640e4677c19ffc4faef06042132b86af6e9ee33fe1850222e57a514d5f1d6d444008bb896a96a43d5629945e57548f5e12f66be132b24110cbb2df6d7d3dd3aaadc98b0bbf29573843ad72e57f59fc5d4f56cc599da18bb99", 16); test_one ("p", &_nettle_secp_384r1.p, r); test_one ("q", &_nettle_secp_384r1.q, r); mpz_clear (r); } static void test_patterns (const char *name, const struct ecc_modulo *m) { mpz_t r; unsigned j; mpz_init (r); for (j = m->bit_size; j < 2*m->bit_size; j++) { /* Single one bit */ mpz_set_ui (r, 1); mpz_mul_2exp (r, r, j); test_one (name, m, r); /* All ones. */ mpz_mul_2exp (r, r, 1); mpz_sub_ui (r, r, 1); test_one (name, m, r); } mpz_clear (r); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_fixed (); for (i = 0; ecc_curves[i]; i++) { test_patterns ("p", &ecc_curves[i]->p); test_patterns ("q", &ecc_curves[i]->p); } test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { test_modulo (rands, "p", &ecc_curves[i]->p, COUNT); test_modulo (rands, "q", &ecc_curves[i]->q, COUNT); } gmp_randclear (rands); } nettle-3.10/testsuite/dsa-keygen-test.c0000644000175000017500000000313314633602172017161 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" static void progress(void *ctx UNUSED, int c) { fputc(c, stderr); } void test_main(void) { struct dsa_public_key pub; struct dsa_private_key key; struct dsa_params *params; struct knuth_lfib_ctx lfib; dsa_private_key_init(&key); dsa_public_key_init(&pub); knuth_lfib_init(&lfib, 13); params = (struct dsa_params *) &pub; ASSERT (dsa_compat_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 160)); test_dsa_key(params, pub.y, key.x, 160); test_dsa160(&pub, &key, NULL); ASSERT (dsa_compat_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2048, 256)); test_dsa_key(params, pub.y, key.x, 256); test_dsa256(&pub, &key, NULL); ASSERT (dsa_compat_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2048, 224)); test_dsa_key(params, pub.y, key.x, 224); test_dsa256(&pub, &key, NULL); /* Test with large q */ if (!dsa_generate_params (params, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 768)) FAIL(); dsa_generate_keypair (params, pub.y, key.x, &lfib, (nettle_random_func *) knuth_lfib_random); test_dsa_key(params, pub.y, key.x, 768); test_dsa256(&pub, &key, NULL); dsa_public_key_clear(&pub); dsa_private_key_clear(&key); } nettle-3.10/testsuite/sc-ecdsa-sign-test0000755000175000017500000000013614633602172017334 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./ecdsa-sign-test nettle-3.10/testsuite/sc-memeql-test0000755000175000017500000000013214633602172016573 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./memeql-test nettle-3.10/testsuite/pss-test.c0000644000175000017500000000504314633602172015741 0ustar nissenisse#include "testutils.h" #include "pss.h" void test_main(void) { struct tstring *salt; struct tstring *digest; mpz_t m; mpz_t expected; /* From ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip */ mpz_init(m); mpz_init(expected); salt = SHEX("e3b5d5d002c1bce50c2b65ef88a188d83bce7e61"); digest = SHEX("37b66ae0445843353d47ecb0b4fd14c110e62d6a"); ASSERT(pss_encode_mgf1(m, 1024, &nettle_sha1, salt->length, salt->data, digest->data)); mpz_set_str(expected, "66e4672e836ad121ba244bed6576b867d9a447c28a6e66a5b87dee" "7fbc7e65af5057f86fae8984d9ba7f969ad6fe02a4d75f7445fefd" "d85b6d3a477c28d24ba1e3756f792dd1dce8ca94440ecb5279ecd3" "183a311fc896da1cb39311af37ea4a75e24bdbfd5c1da0de7cecdf" "1a896f9d8bc816d97cd7a2c43bad546fbe8cfebc", 16); ASSERT(mpz_cmp(m, expected) == 0); mpz_add_ui(m, m, 2); ASSERT(!pss_verify_mgf1(m, 1024, &nettle_sha1, salt->length, digest->data)); mpz_sub_ui(m, m, 2); ASSERT(pss_verify_mgf1(m, 1024, &nettle_sha1, salt->length, digest->data)); mpz_clear(m); mpz_clear(expected); /* Test with our own data. */ mpz_init(m); mpz_init(expected); salt = SHEX("11223344556677889900"); /* From sha256-test.c */ digest = SHEX("ba7816bf8f01cfea 414140de5dae2223" "b00361a396177a9c b410ff61f20015ad"); mpz_set_str(expected, "76b9a52705c8382c5367732f993184eff340b6305c9f73e7e308c8" "004fcc15cbbaab01e976bae4b774628595379a2d448a36b3ea6fa8" "353b97eeea7bdac93b4b7807ac98cd4b3bebfb31f3718e1dd3625f" "227fbb8696606498e7070e21c3cbbd7386ea20eb81ac7927e0c6d1" "d7788826a63af767f301bcc05dd65b00da862cbc", 16); /* Try bad salt */ salt->data[6] = 0x00; ASSERT(pss_encode_mgf1(m, 1024, &nettle_sha256, salt->length, salt->data, digest->data)); ASSERT(mpz_cmp(m, expected) != 0); /* Try the good salt */ salt->data[6] = 0x77; ASSERT(pss_encode_mgf1(m, 1024, &nettle_sha256, salt->length, salt->data, digest->data)); ASSERT(mpz_cmp(m, expected) == 0); /* Try bad message */ mpz_add_ui(m, m, 2); ASSERT(!pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); /* Try the good message */ mpz_sub_ui(m, m, 2); ASSERT(pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); /* Try bad digest */ digest->data[17] = 0x00; ASSERT(!pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); /* Try the good digest */ digest->data[17] = 0x03; ASSERT(pss_verify_mgf1(m, 1024, &nettle_sha256, salt->length, digest->data)); mpz_clear(m); mpz_clear(expected); } nettle-3.10/testsuite/sc-pkcs1-sec-decrypt-test0000755000175000017500000000014514633602172020560 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./pkcs1-sec-decrypt-test nettle-3.10/testsuite/ecdh-test.c0000644000175000017500000002610414633602172016040 0ustar nissenisse/* ecdh-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" static int set_point (struct ecc_point *p, const char *x, const char *y) { mpz_t X, Y; int ret; mpz_init_set_str (X, x, 0); mpz_init_set_str (Y, y, 0); ret = ecc_point_set (p, X, Y); mpz_clear (X); mpz_clear (Y); return ret; } static void set_scalar (struct ecc_scalar *s, const char *x) { mpz_t X; mpz_init_set_str (X, x, 0); if (!ecc_scalar_set (s, X)) abort (); mpz_clear (X); } static void check_point (const char *name, const char *label, const struct ecc_point *P, const struct ecc_point *R) { mpz_t px, py, rx, ry; mpz_init (px); mpz_init (py); mpz_init (rx); mpz_init (ry); ecc_point_get (P, px, py); ecc_point_get (R, rx, ry); /* FIXME: Should have a public point compare function */ if (mpz_cmp (px, rx) != 0 || mpz_cmp (py, ry) != 0) { fprintf (stderr, "Failed %s %s\np_x = ", name, label); mpz_out_str (stderr, 10, px); fprintf (stderr, "\nr_x = "); mpz_out_str (stderr, 10, rx); fprintf (stderr, " (expected)\np_y = "); mpz_out_str (stderr, 10, py); fprintf (stderr, "\nr_y = "); mpz_out_str (stderr, 10, ry); fprintf (stderr, " (expected)\n"); abort (); } mpz_clear (px); mpz_clear (py); mpz_clear (rx); mpz_clear (ry); } static void test_dh (const char *name, const struct ecc_curve *ecc, const char *a_priv, const char *ax, const char *ay, const char *b_priv, const char *bx, const char *by, const char *sx, const char *sy) { struct ecc_point A, B, S, T; struct ecc_scalar A_priv, B_priv; ecc_scalar_init (&A_priv, ecc); set_scalar (&A_priv, a_priv); ecc_point_init (&A, ecc); ASSERT (set_point (&A, ax, ay)); ecc_scalar_init (&B_priv, ecc); set_scalar (&B_priv, b_priv); ecc_point_init (&B, ecc); ASSERT (set_point (&B, bx, by)); ecc_point_init (&S, ecc); ASSERT (set_point (&S, sx, sy)); ecc_point_init (&T, ecc); ecc_point_mul_g (&T, &A_priv); check_point (name, "a g", &T, &A); ecc_point_mul (&T, &B_priv, &T); check_point (name, "b (a g)", &T, &S); ecc_point_mul_g (&T, &B_priv); check_point (name, "b g", &T, &B); ecc_point_mul (&T, &A_priv, &T); check_point (name, "a (b g)", &T, &S); ecc_scalar_clear (&A_priv); ecc_scalar_clear (&B_priv); ecc_point_clear (&A); ecc_point_clear (&B); ecc_point_clear (&S); ecc_point_clear (&T); } static void test_public_key (const char *label, const struct ecc_curve *ecc, const char *x, const char *y, int expect_success) { struct ecc_point P; int ret; ecc_point_init (&P, ecc); ret = set_point (&P, x, y); if (!ret && expect_success) die ("Test point '%s' not on curve!\n", label); if (ret && !expect_success) die ("Expected failure to set point '%s'!", label); ecc_point_clear (&P); } void test_main(void) { test_public_key ("(0,0) with secp-192r1", &_nettle_secp_192r1, "0", "0", 0); test_public_key ( "(P,0) with secp-192r1", &_nettle_secp_192r1, "6277101735386680763835789423207666416083908700390324961279", "0", 0); test_public_key ( "(0,P) with secp-192r1", &_nettle_secp_192r1, "0", "6277101735386680763835789423207666416083908700390324961279", 0); test_public_key ( "(P,P) with secp-192r1", &_nettle_secp_192r1, "6277101735386680763835789423207666416083908700390324961279", "6277101735386680763835789423207666416083908700390324961279", 0); test_public_key ("(1,2) with secp-192r1", &_nettle_secp_192r1, "1", "2", 0); test_public_key ("(X,Y) with secp-192r1", &_nettle_secp_192r1, "1050363442265225480786760666329560655512990381040021438562", "5298249600854377235107392014200406283816103564916230704184", 1); test_dh ("secp-192r1", &_nettle_secp_192r1, "3406157206141798348095184987208239421004566462391397236532", "1050363442265225480786760666329560655512990381040021438562", "5298249600854377235107392014200406283816103564916230704184", "738368960171459956677260317271477822683777845013274506165", "2585840779771604687467445319428618542927556223024046979917", "293088185788565313717816218507714888251468410990708684573", "149293809021051532782730990145509724807636529827149481690", "2891131861147398318714693938158856874319184314120776776192"); test_dh ("secp-224r1", &_nettle_secp_224r1, "1321072106881784386340709783538698930880431939595776773514895067682", "6768311794185371282972144247871764855860666277647541840973645586477", "2880077809069104378181313860274147139049600284805670362929579614547", "13934723037778859565852601874354272638301919827851286722006496784914", "373124771833407982305885866158843810218322878380632071540538232035", "24223309755162432227459925493224336241652868856405241018762887667883", "8330362698029245839097779050425944245826040430538860338085968752913", "24167244512472228715617822000878192535267113543393576038737592837010"); test_dh ("secp-256r1", &_nettle_secp_256r1, "94731533361265297353914491124013058635674217345912524033267198103710636378786", "22441589863306126152768848344973918725077248391248404659242620344938484650846", "8673475622926171928656873398933611700804732317466515884933832073457396747355", "97657865959185011849283028361556797595752581630732610898393589042714626616209", "18453500628354973083413728373777272885280811435138222441593126858566687017580", "14365748655141740924607822284126054269177292284541187981786689038777833170313", "102958799567030688009123101477538973715497039396202015119148334812951370853564", "29188877854984806245046208182450375893010623119030341548941791125497546766367"); test_dh ("secp-384r1", &_nettle_secp_384r1, "39086550219018474560700767788227987514008150214902287969462741484831311917159729009715909108606822193356890811565070", "15536343869384820642787280162462493474000839389760580357050317691132784247078954166759523572989472049798969369413707", "23268351460749985365652822073294615614961429585671989812206213135127969284347174876010177880230302801199500921999966", "36869963309577906178833120963925446333578086292605692048464445726274368063284094788012795873582576522541658781990645", "6571571183519639697971973492227725184968062063941037806786906539419849188357322949908539215960508669158121817812397", "36555212611228586427448926841660565534959679681904941933188284044726925984417589749068550977832780023128545833460008", "27780263733159299625371532605243698753833039933618994121416145881861678645978369807598146716869504289033472077532789", "12327518461490664021199432424728005314646140038116972426756705356672414772151215711157356913456651047992140493843405"); test_dh ("secp-521r1", &_nettle_secp_521r1, "1177787298234877762125077260641419691552146813662613924864132680693789861345339466386194840381422980702458955378518702648732728796955434922249345867267377826", "3168153642368000846168628288850857848098131369578410603904155841373678828215434925507474033105518841999665785152501356092020415699294327720257651796364374116", "278603899104240796379373331240296114411332466119196525390128418935585486485808560319073463912513286987331907013829243645911963547435764718505394265715321106", "4632844957395758597246278843156350179301194123641664447791935593091018103746003967476919616681982477804041933745387575872964923485212972039478646226080044590", "3278857364905061449863537070675297207767865967146919975942590789168732752489407699106980407552332044280575891715425195464227794423128203118286002006478070253", "4488572162727491199625798812850846214916160870437505769058530973184916706326908828109446998319674522651965593412129100088877891410841200092694907512496020182", "2126311732129869456512627735193938710331935978955001830871465201548004444073866677974896970734635601049909886616595755762740651165670628002084824920216966370", "4803556648772727869384704240411011976585308117802975396033423138930126997561438092192867119930177133880625991019440171972612468402200399449807843995563872782"); /* NOTE: This isn't the standard way to do curve25519 diffie-hellman, but it tests that the ecc_point interface works also with curve25519. */ test_dh ("curve25519", &_nettle_curve25519, "238301186166219052901200372289459967515481170332211409964804596991365959539", "14283836751943535877833976277675258994717521964638468784408792140505262281235", "43912344711849354965202408139054167824861850336739416536288592824181793690574", "3795950278952272509684177709511717492358770264218705926196469999516028451559", "9468726108732441384988851273894214794301501512287024874346147472389705411936", "38072138078045635808869930165213470653418146012939584392304609812494425185763", "10481077163111981870382976851703705086808805457403127024129174358161599078055", "29260211489972704256554624312266763530759418996739976957020673870747051409679"); /* NOTE: This isn't the standard way to do curve448 diffie-hellman, but it tests that the ecc_point interface works also with curve448. */ test_dh ("curve448", &_nettle_curve448, "129458936807933142766404648460937163205634163580407624950524900086792185737444124895392953822100034523565454893159084960036749128566328", "23903108874160330022289088207864530114505726115081678533913226179385920277612083777349117962138808929878378666596532036566924169949084", "693683143993815499711046966874265987454661213870193324674425656110752379002105414428569086535475560314058341102862207145978150379762153", "66424594649188102315894632429895338306697492782714758296415311427244880255966850729749965592839835963032731282879151354354178946253531", "411851112596680430188999894591634506976361833537024658040418853047370769553774913299417695327870642536912872558385293694714169201128264", "337433451779159274143076131600929733721586133908369086734805607026091240174740218929467625260731556550599267570314197354864315711490353", "224725768629972498035446273711269105191383993674106563435257119903436206484342709996926420948730961128941009070083709026343858723205213", "514544926219850986487923720424370435708360925070646212523588162169142573918197583804309386017625350764529605929374479238949748203847320"); } nettle-3.10/testsuite/bcrypt-test.c0000644000175000017500000000745314633602172016446 0ustar nissenisse#include "testutils.h" #include "blowfish.h" static void test_bcrypt(int succeed, const struct tstring *key, const struct tstring *hash) { if (succeed != blowfish_bcrypt_verify(key->length, key->data, hash->length, hash->data)) { fprintf(stderr, "blowfish_bcrypt_verify failed:\nKey:"); tstring_print_hex(key); fprintf(stderr, "\nHash: "); tstring_print_hex(hash); fprintf(stderr, "\n"); FAIL(); } } void test_main(void) { /* Tests for BSD-style bcrypt. From John the Ripper 1.7.9 via Phpass */ test_bcrypt(1, SDATA("U*U"), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.E5YPO9kmyuRGyh0XouQYb4YMJKvyOeW")); test_bcrypt(1, SDATA("U*U*"), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.VGOzA784oUp/Z0DY336zx7pLYAy0lwK")); test_bcrypt(1, SDATA("U*U*U"), SDATA("$2a$05$XXXXXXXXXXXXXXXXXXXXXOAcXxm9kjPGEMsLznoKqmqw7tc8WCx4a")); test_bcrypt(1, SDATA(""), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy")); test_bcrypt(1, SDATA("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789chars after 72 are ignored"), SDATA("$2a$05$abcdefghijklmnopqrstuu5s2v8.iXieOjg/.AySBTTZIIVFJeBui")); test_bcrypt(1, SDATA("\xa3"), SDATA("$2x$05$/OK.fbVrR/bpIqNJ5ianF.CE5elHaaO4EbggVDjb8P19RukzXSM3e")); test_bcrypt(1, SDATA("\xa3"), SDATA("$2y$05$/OK.fbVrR/bpIqNJ5ianF.Sa7shbm4.OzKpvFnX1pQLmQW96oUlCq")); test_bcrypt(1, SDATA("\xd1\x91"), SDATA("$2x$05$6bNw2HLQYeqHYyBfLMsv/OiwqTymGIGzFsA4hOTWebfehXHNprcAS")); test_bcrypt(1, SDATA("\xd0\xc1\xd2\xcf\xcc\xd8"), SDATA("$2x$05$6bNw2HLQYeqHYyBfLMsv/O9LIGgn8OMzuDoHfof8AQimSGfcSWxnS")); test_bcrypt(1, SDATA("\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa""chars after 72 are ignored as usual"), SDATA("$2a$05$/OK.fbVrR/bpIqNJ5ianF.swQOIzjOiJ9GHEPuhEkvqrUyvWhEMx6")); test_bcrypt(1, SDATA("\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55\xaa\x55"), SDATA("$2a$05$/OK.fbVrR/bpIqNJ5ianF.R9xrDjiycxMbQE2bp.vgqlYpW5wx2yy")); test_bcrypt(1, SDATA(""), SDATA("$2a$05$CCCCCCCCCCCCCCCCCCCCC.7uG0VCzI2bS7j6ymqJi9CdcdxiRTWNy")); test_bcrypt(1, SDATA("\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff\x55\xaa\xff"), SDATA("$2a$05$/OK.fbVrR/bpIqNJ5ianF.9tQZzcJfm3uj2NvJ/n5xkhpqLrMpWCe")); /* From Openwall's crypt v1.2 via Phpass */ test_bcrypt(0, SDATA(""), SDATA("$2a$03$CCCCCCCCCCCCCCCCCCCCC.")); test_bcrypt(0, SDATA(""), SDATA("$2a$32$CCCCCCCCCCCCCCCCCCCCC.")); test_bcrypt(0, SDATA(""), SDATA("$2z$05$CCCCCCCCCCCCCCCCCCCCC.")); test_bcrypt(0, SDATA(""), SDATA("$2`$05$CCCCCCCCCCCCCCCCCCCCC.")); test_bcrypt(0, SDATA(""), SDATA("$2{$05$CCCCCCCCCCCCCCCCCCCCC.")); /* Stephen's personal tests */ test_bcrypt(1, SDATA("yawinpassword"), SDATA("$2a$04$MzVXtd4o0y4DOlyHMMLMDeE4/eezrsT5Xad.2lmGr/NkCpwBgvn3e")); test_bcrypt(0, SDATA("xawinpassword"), SDATA("$2a$04$MzVXtd4o0y4DOlyHMMLMDeE4/eezrsT5Xad.2lmGr/NkCpwBgvn3e")); test_bcrypt(1, SDATA("Bootq9sH5"), SDATA("$2y$10$1b2lPgo4XumibnJGN3r3sOsXFfVVYlebFjlw47qpaslC4KIwu9dAK")); test_bcrypt(0, SDATA("Bootq9sH6"), SDATA("$2y$10$1b2lPgo4XumibnJGN3r3sOsXFfVVYlebFjlw47qpaslC4KIwu9dAK")); test_bcrypt(0, SDATA("1234"), SDATA("$2y$")); } nettle-3.10/testsuite/eddsa-verify-test.c0000644000175000017500000001524514633602172017523 0ustar nissenisse/* eddsa-verify-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "eddsa.h" #include "eddsa-internal.h" #include "sha3.h" static void test_eddsa (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *pub, const struct tstring *msg, const uint8_t *signature) { mp_limb_t *A = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *scratch = xalloc_limbs (_eddsa_verify_itch (ecc)); size_t nbytes = 1 + ecc->p.bit_size / 8; uint8_t *cmsg = xalloc (msg->length); uint8_t *csignature = xalloc (2*nbytes); if (!_eddsa_decompress (ecc, A, pub, scratch)) die ("Invalid eddsa public key.\n"); memcpy (csignature, signature, 2*nbytes); if (!_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "eddsa_verify failed with valid signature.\n"); fail: fprintf (stderr, "bit_size = %u\npub = ", ecc->p.bit_size); print_hex (nbytes, pub); fprintf (stderr, "\nmsg = "); tstring_print_hex (msg); fprintf (stderr, "\nsign = "); print_hex (2*nbytes, csignature); fprintf (stderr, "\n"); abort(); } memcpy (csignature, signature, 2*nbytes); csignature[nbytes/3] ^= 0x40; if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature r.\n"); goto fail; } memcpy (csignature, signature, 2*nbytes); csignature[5*nbytes/3] ^= 0x8; if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, msg->data, csignature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature s.\n"); goto fail; } if (msg->length == 0) { if (_eddsa_verify (ecc, eddsa, pub, A, ctx, LDATA("foo"), signature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with different message.\n"); goto fail; } } else { if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length - 1, msg->data, signature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with truncated message.\n"); goto fail; } memcpy (cmsg, msg->data, msg->length); cmsg[2*msg->length / 3] ^= 0x20; if (_eddsa_verify (ecc, eddsa, pub, A, ctx, msg->length, cmsg, signature, scratch)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with modified message.\n"); goto fail; } } free (A); free (scratch); free (cmsg); free (csignature); } static void test_ed25519 (const uint8_t *pub, const struct tstring *msg, const uint8_t *signature) { struct sha512_ctx ctx; sha512_init (&ctx); test_eddsa (&_nettle_curve25519, &_nettle_ed25519_sha512, &ctx, pub, msg, signature); } static void test_ed448 (const uint8_t *pub, const struct tstring *msg, const uint8_t *signature) { struct sha3_256_ctx ctx; sha3_256_init (&ctx); test_eddsa (&_nettle_curve448, &_nettle_ed448_shake256, &ctx, pub, msg, signature); } void test_main (void) { test_ed25519 (H("d75a980182b10ab7 d54bfed3c964073a" "0ee172f3daa62325 af021a68f707511a"), SHEX(""), H("e5564300c360ac72 9086e2cc806e828a" "84877f1eb8e5d974 d873e06522490155" "5fb8821590a33bac c61e39701cf9b46b" "d25bf5f0595bbe24 655141438e7a100b")); test_ed25519 (H("3d4017c3e843895a 92b70aa74d1b7ebc" "9c982ccf2ec4968c c0cd55f12af4660c"), SHEX("72"), H("92a009a9f0d4cab8 720e820b5f642540" "a2b27b5416503f8f b3762223ebdb69da" "085ac1e43e15996e 458f3613d0f11d8c" "387b2eaeb4302aee b00d291612bb0c00")); test_ed25519 (H("1ed506485b09a645 0be7c9337d9fe87e" "f99c96f8bd11cd63 1ca160d0fd73067e"), SHEX("fbed2a7df418ec0e 8036312ec239fcee" "6ef97dc8c2df1f2e 14adee287808b788" "a6072143b851d975 c8e8a0299df846b1" "9113e38cee83da71 ea8e9bd6f57bdcd3" "557523f4feb616ca a595aea01eb0b3d4" "90b99b525ea4fbb9 258bc7fbb0deea8f" "568cb2"), H("cbef65b6f3fd5809 69fc3340cfae4f7c" "99df1340cce54626 183144ef46887163" "4b0a5c0033534108 e1c67c0dc99d3014" "f01084e98c95e101 4b309b1dbb2e6704")); /* Based on a few of the test vectors from RFC 8032 */ test_ed448 (H("5fd7449b59b461fd 2ce787ec616ad46a" "1da1342485a70e1f 8a0ea75d80e96778" "edf124769b46c706 1bd6783df1e50f6c" "d1fa1abeafe82561 80"), SHEX(""), H("533a37f6bbe45725 1f023c0d88f976ae" "2dfb504a843e34d2 074fd823d41a591f" "2b233f034f628281 f2fd7a22ddd47d78" "28c59bd0a21bfd39 80ff0d2028d4b18a" "9df63e006c5d1c2d 345b925d8dc00b41" "04852db99ac5c7cd da8530a113a0f4db" "b61149f05a736326 8c71d95808ff2e65" "2600")); test_ed448 (H("43ba28f430cdff45 6ae531545f7ecd0a" "c834a55d9358c037 2bfa0c6c6798c086" "6aea01eb00742802 b8438ea4cb82169c" "235160627b4c3a94 80"), SHEX("03"), H("26b8f91727bd6289 7af15e41eb43c377" "efb9c610d48f2335 cb0bd0087810f435" "2541b143c4b981b7 e18f62de8ccdf633" "fc1bf037ab7cd779 805e0dbcc0aae1cb" "cee1afb2e027df36 bc04dcecbf154336" "c19f0af7e0a64729 05e799f1953d2a0f" "f3348ab21aa4adaf d1d234441cf807c0" "3a00")); test_ed448 (H("df9705f58edbab80 2c7f8363cfe5560a" "b1c6132c20a9f1dd 163483a26f8ac53a" "39d6808bf4a1dfbd 261b099bb03b3fb5" "0906cb28bd8a081f 00"), SHEX("bd0f6a3747cd561b dddf4640a332461a" "4a30a12a434cd0bf 40d766d9c6d458e5" "512204a30c17d1f5 0b5079631f64eb31" "12182da300583546 1113718d1a5ef944"), H("554bc2480860b49e ab8532d2a533b7d5" "78ef473eeb58c98b b2d0e1ce488a98b1" "8dfde9b9b90775e6 7f47d4a1c3482058" "efc9f40d2ca033a0 801b63d45b3b722e" "f552bad3b4ccb667 da350192b61c508c" "f7b6b5adadc2c8d9 a446ef003fb05cba" "5f30e88e36ec2703 b349ca229c267083" "3900")); } nettle-3.10/testsuite/shake128-test.c0000644000175000017500000126146314633602172016475 0ustar nissenisse/* shake128-test.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "sha3.h" const struct nettle_hash nettle_shake128 = { "shake128", sizeof(struct sha3_128_ctx), 0, SHA3_128_BLOCK_SIZE, (nettle_hash_init_func *) sha3_128_init, (nettle_hash_update_func *) sha3_128_update, (nettle_hash_digest_func *) sha3_128_shake, }; void test_main(void) { /* Extracted from ShortMsgKAT_SHAKE128.txt. */ test_hash (&nettle_shake128, /* 0 octets */ SHEX(""), SHEX("7F9C2BA4E88F827D616045507605853ED73B8093F6EFBC88EB1A6EACFA66EF263CB1EEA988004B93103CFB0AEEFD2A686E01FA4A58E8A3639CA8A1E3F9AE57E235B8CC873C23DC62B8D260169AFA2F75AB916A58D974918835D25E6A435085B2BADFD6DFAAC359A5EFBB7BCC4B59D538DF9A04302E10C8BC1CBF1A0B3A5120EA17CDA7CFAD765F5623474D368CCCA8AF0007CD9F5E4C849F167A580B14AABDEFAEE7EEF47CB0FCA9767BE1FDA69419DFB927E9DF07348B196691ABAEB580B32DEF58538B8D23F87732EA63B02B4FA0F4873360E2841928CD60DD4CEE8CC0D4C922A96188D032675C8AC850933C7AFF1533B94C834ADBB69C6115BAD4692D8619F90B0CDF8A7B9C264029AC185B70B83F2801F2F4B3F70C593EA3AEEB613A7F1B1DE33FD75081F592305F2E4526EDC09631B10958F464D889F31BA010250FDA7F1368EC2967FC84EF2AE9AFF268E0B1700AFFC6820B523A3D917135F2DFF2EE06BFE72B3124721D4A26C04E53A75E30E73A7A9C4A95D91C55D495E9F51DD0B5E9D83C6D5E8CE803AA62B8D654DB53D09B8DCFF273CDFEB573FAD8BCD45578BEC2E770D01EFDE86E721A3F7C6CCE275DABE6E2143F1AF18DA7EFDDC4C7B70B5E345DB93CC936BEA323491CCB38A388F546A9FF00DD4E1300B9B2153D2041D205B443E41B45A653F2A5C4492C1ADD544512DDA2529833462B71A41A45BE97290B6F")); test_hash (&nettle_shake128, /* 1 octets */ SHEX("CC"), SHEX("4DD4B0004A7D9E613A0F488B4846F804015F0F8CCDBA5F7C16810BBC5A1C6FB254EFC81969C5EB49E682BABAE02238A31FD2708E418D7B754E21E4B75B65E7D39B5B42D739066E7C63595DAF26C3A6A2F7001EE636C7CB2A6C69B1EC7314A21FF24833EAB61258327517B684928C7444380A6EACD60A6E9400DA37A61050E4CD1FBDD05DDE0901EA2F3F67567F7C9BF7AA53590F29C94CB4226E77C68E1600E4765BEA40B3644B4D1E93EDA6FB0380377C12D5BB9DF4728099E88B55D820C7F827034D809E756831A334C078FC28ACB76B5ADB3BFF6DD659CAA49CC34F726880F293BD3FC132027AE7602242064EFEC4D9D656E069D4DFAE0B40C1D6B6CDB21D89D00E168B0B74D72EBB3B672B57AF3E99C85DA2F41CE70672CD0E0521678FC56EAB6314A0B3AF8B724376C01433D84943A73AF703D293634BC24322992756EE261FFF0D71BFFB8AEBF1026A6A345F2EAED505BC7E02498A3225FC91499DD5F5E30E386557C5FE0A88BC2337C80D7EA42B60622960230577CE800CB63594F619B7DE31E026429B7648C5835AFC00559FA4C7695D6DD9F7B2537A265E9AF7A2C986F8B60E7DC6EB3C4D805A6EEFB6FBB5BFDE21ED7E41CFDBEB02B0BAB76F9998BA1E52815A246B084EFAE7960AFFC2BA5C647E7CC05EF8120568432DFDE1D7246473304808985600A1AFC20B99185AF25E89DC2EC6F4880DC79BAD50DFFCC9EA")); test_hash (&nettle_shake128, /* 2 octets */ SHEX("41FB"), SHEX("09C9652BB968996A35E4814E27587131F53FD01AB9FE83758ACEB8134FCECA24C84F592CEE43A4476E8853FCAB7DAFEF7B60ECFEBFD70DFCF587B3AF358A286FE3713BF4735A84975BB65E3586C81EA716BFB999626DC973A495A6E0024061387D628E9E59DFD2B39C68C8CEAD665AB43F6D2625A10630761DFB60276EA97B280442462246C6D74A1960A8419A76A37B68449A9E427D6A7EC1FBDF4760847AD6F6F5A08CEFB767CAEB6C2382F4F3D0E49DE4428CD4240635C9136911A82FF0B9C74569A1B7C8AF72AB1EA5F2F6F6A45E3BB08229ADDFA916B18A74F7939C5130152AC8343A10694154FDC6E1570EC7ECABBB01EDDC92EF0BB1B3DB914C74CCE399ACC9B766FD7494B2EF27AC57B80D52535942D55E2DBFAA61CDF3F48759AA612DED11421855AD15FFAB91462A56F873BBAF4FE88457A47B6C0594818D0A9189895239C1429ED8754EEE5498F4D0FB6C9D0DF0EB5316289E72C6AAEB8C61317B409156D4221CE6CFC7C5F39272D87C2D884F88F1B8B3C05CA9E235ED92C7DD7806CDADA7166CC1B9107DA5E6536D4FF111BF9199D6B72AC17D874323D68D76AEC4650F1A4B067C50215362201A7F71116BF6633AF08D712804B83F08A5DC7CCD4315963106D50453D44EFF59C9C652F4A924BE93C0B958EA286B0A4B597899A28C9BD5419C042668AA7B0CFCAC4CDF9260F2824ABF3EE79FEF53EBE3C36DF831")); test_hash (&nettle_shake128, /* 3 octets */ SHEX("1F877C"), SHEX("E2D3144669AB578347FCCA0B572783A269A8CF9ADDA4D87782053D80D5F0FDD27835CF883036E536CE76FEF689A5E7BD646A7FB7D74F090193B2390E614759B7EB7DE915A38328745890B1EF1E7AED78168E996D7AC774D47F8F118B3E00A7BD151131BA3705AE81B57FB7CBFFE114E2F4C3CA152B8874FB906E862840624E02BBF9502E46D8888433A38E82E04CAACB60019222D433E8F2E758BD41AAB395BF83611FD0C3F7FD5173306182449B9A22C4013F2263B41EAC4D0EDA16854961FBAA6AD04A89E72A602AC59659EC2A60C1D020BACC74A711D4254A2ECC5F8F0627B4F72AE130C50590F8B91C52957B795D12DA09BDD40D41E3CD48E30E37FE5FD0B86EB38AB4661085EF515E70231A5F11F9DBF7433763B17D84F36BF42FB6D57789C6DA2BE8D205EAD87BDCC3FA6AC85FCC3E70571EBB2EE4BBBFC04E71B3A88E000464608475C94C7D7EC1BBFCEC980B166096E9BDDE9192C53E350D3B92F3AB0FCEF4E49E05BBBC18B11ECA942C8A0776ED4F293B7FC9B8E7C0303A29A41DE64BFEBD2967875290D471640A914B0775CDFF140B2B66CB099A05F5357C9D5E7F9F1D78B828CCD23FC7CD58329613DE4BE9869B4F2DB18F5792795C34C43D23E2CC5525B4A363A9619AD57E42C36EC459FFAE56B61717EF36AFC9FBE5A72A7D23D435B2EF38A2B0E22AB5DFC8BB8747B6EBF17A63F6368795C6A16DEE05362422")); test_hash (&nettle_shake128, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("B5EB987E7CBFC7C9D140AFD20B500E30F2F71188BCE885951F22FBC35DE40E7411311BC8479F895A069600483751295F5C3855474D65436B347608583125A6BD41CA30DC99CB342B72A96F8A2213E98A16BBB9E38A141B4FBA68C1A723D1D578A91B4A1BAFD03B25BD3CFB6D4E1E044637889C6D7AF0209DBB5E10837D5C5991D2766012E7E86A82838B455B96D882B7E25C9072A66DA22B0ACB992FD3CCF5FBC28625B896BDF8D4B7358901D12698FD823FE09AFB4F238631EE1277752F2900E38C7FC163381A01601DBDE8CD30A9A8EE8353DEF6C610B50962D0EC1F4F3EEC2AFD7FCD5296E299C23005960C1AABF3408EDE96DE18E10FDE99774B5BD33092639D8BE9D872130C96311EB6DCA82CC28A62C01E3F9C454251D87FA890284C06187F904CF23CCC62690628C590BC8B84EEE68371D3412DCB5648A634F2359951CD011028E61C28A33EC4E31550C1C0E4123D1091E22D56BD587E73B7DD43C1B431D9547398C5E7EB6C682EA2FD758C86C1222C0D6AB236B8106DAC19338E86CB8F6EC0FB607D70C938CAC172C80079B018BB62939546505B8B6E146A3AD7A35F20D7F9A353F1E6535C23AE93CE8F78C045402E707A664F5918E6836D343240E6112EFA29DFC4D18778C91E2B8530E4FF6E4947623D31DAFAC9B0D194E36C44E10B1A846935684F89ADB44782E8FFF2E3E62B65D18140F10D36CD817F835EB0C0")); test_hash (&nettle_shake128, /* 5 octets */ SHEX("21F134AC57"), SHEX("7BFBB40DA3704A558291B39E1E56ED9F6F56AE783270AB02A202060C9173FBB0B45575B32348A6ED2C927A39A30DA0A2BBC1807497AD50F27A107754AF62762C0B9E8E62438101DECA378899C521CB76C75D299EDE19BA70E2AB91DA9E39EBDC917355B6FE28EE254C0CD48F3A28FB51766FD58154C98A5C650A4E4841D14E2C8F5BAEBF5AAF2A2120279D2D33214A51CA30C4E05209BBD60106CC343EC867EFFC826CB32A2E736C4AA561FFAECB46FFB74D1B3FD36242244312067C7CEA2EBBCF988E17742C3C80E8DEE6D509997866A308C101214F860512D38E3B6C307C1CE779FD42FDCB9D909A2D6F9DD5A3687708905390479950D55E8890D10D7057863CF006034A6D01D77FB33C0E28B093FE3337BE8416202DC866796739271C9E326199092FA27556C9F40D7E9BAC869B6D7E8018409EA92AF2464C58245E89556DA3E80B6B4200B9E53FC80C93149E3DC4921A5FBE7DF67F1D0B753CBA41B75EE5CBA78A89A2A85A46BBFAA625A40EE62616E68B07C06339717C81B4343760E97E2676C347D9625ECE383FBB8448E7837DC704E2956B18CC506E3BA1416C936BFD66E9AED3A2C7B0A8DEDADB04AB711D147F1C1C83322EC1E6F1468AD770663C7938D4032758462513652498CF124B6357B4F7C7E4DB0D0C0C1B7247875CB6685E0567A8AB8CFBE9383DAEAA27D224CA9C69C07AFA929FFC09A03E165D72153AD2")); test_hash (&nettle_shake128, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("8D876C67A5CC15A544EB81E93B6FC15713FD1C55D778204EB6AF7086AF3FE97D12B4DD22C7AAD54EB9C9E391B90A7C55ABACC3C81DD1788895F17033D561060E2B9CFFD47974F196C6907907DFDC65CDF33BAAFA7049635A70353D92A56A59ECF0CD291AB9B509D296356E8B0C91983D158DB1568681DE035E56B86EAE32AD3E0193CB816BD2D111C266632DDF907BB276E14880571506E2C328A3EEAA9744210EBFEAD123E241A8C49C92ADA79B718D970F0E8525A60FFE9074E73491E6F0EED1E047EB95CB52C47F6A1BAB77017D020F016B64798E5D7FC360D5FA213D44E5B75C918C9ECBB134CE1DBE13C419DA62326A550AD4A22E171CE75A369BB820CD75FDE01993CA131F302BE7941F7950A9969D78148FE7C45BBD22FE83AD0354194859F2F0DDA1C92F2C8EDFD3F7A9D8F618D0D02222442DF41D858CBB7A46E5B12A0923DCB53587957EE07ED3E1C4A46EB1141CEE394972726DD003239ECFE8FDDC4E58C50359AF3F89FE58F5CD5AEBC0DC6B9D600F3ED08506256F18695DDC1E3B459AD75090F0764FA89E5CCEC98EE0B387B5FB778620BDA72CB3E2AE50DE8B0D6B43F26E13A16FDF08BEA752B457BF486CE427FD17BD4C5890A89AF2C85B292C51CEC75490C1C6DE9D60DC49D3A77EEB7E19002150794234194115BC685E9981F88B0E1D9C6585F2C5F9DC805FF6C7636C1E06D9F5C018F74A2CE92EFF6B26")); test_hash (&nettle_shake128, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("E2A9537BAC3C4DFC9008C1A7ABA653883D7A1DF35685DBF49ABE5A7E93BF044BC3312A5E4D9743D72BD28ACC16F64AC5090A71761D936FB9DA7C782AF9BC1F636D0E17CB41C7E0E9DFBDB2017ECABA6DBECDCE2AECCE3ED4F59324E74D58D434096356E567B35AC85F7CA9AB80B1C987CE70F998ABE6536FE485A866A22CDCC37DB08CC742B4612121CF34C2D404B37E8EA8D90CA9CFD0C8C6ECB6B44BF73F4D048A0FD85591D8726BE6246DF406472CA05D18DFFEBEAB7ED991BE6CD2940EC9B26F9C9219DFFFCD721F5DD93CF5342A89A6C69168871B14934D4F1794E14B92EA991A78292423F5CD0A5D3454E55DEE27077D6AF78D87BB3FB9E139331ABF326FDE2FE1D3B1533AA038BF59BDC2D6333F968611A4F9BA66EFE92AE8C099ECFC1A36BE726816FAFCC0B016C58B1E42D2CC7065E71ABBD7CEC1ED547AEBF46F5DD72BD472CD764CCB3C4AFACA540BDC27F52F63151E9FD90AD5BBA7F84C9EC7E996692B842FB1A54D2860A301A9DF6F357C2E05C14154F5FB77A86E4DA9E9A039CDDEB10D6E5DE2E0A585B2701D48E8298BF71F5F72351F8EB3FBA5426286A82ABB75EA46BFC0F65A2E49567CFC970C36D63B2CC73AD7F9791179B1A0C4D84651DCE57B966410CA23CFCB9BF5BD70D56F5BF1A7C939DE74924EDBFCC614113C83803B123F3EEFCE2C809A7A9FB01C709BC09B5F7632D6B59E31A6469D90185477")); test_hash (&nettle_shake128, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("977735A853D872FF7C17C4A825AFD9DF886AC43387DF245C37A608AC7F4E0ED015811167222000AEE1968960174EE5A39369A23C5DFFB4991AD247B8801DE71BEA97069EA77202999F8E8CF3829816EE598B00C4049265DFBB2B138B13EC3194B988242BC099248BAF9997AED80E95B5F859D42B12DBD578FDEAE47CCC2F8D3E90BF6E8D98AFBE2F4813F68B6FBC4C18C9B8A557A0D87D744A4238D89260941030945538B2DF07E05FD45B50BD790A0510ED4430ADB3B7768DF8C4914E0914FB00DA09331F11371052D301031853C7F3C32528C0622A77C48463CD1CD96ECF7490F70F16E941CBFADE71DD8477ECFF1177B7193E456ECC42BEFBE070667D6F39ABEE5CBA354B33A83602C1C17280D2DBD0CE597ECF1FEC3B27810DF38C2805D8B85D60994EDD2C83F5898CC6623241F16C4C92444FB6A0714D8BF189AA5AEC9D5BF1448805764EA0CCC8B6E399961DFA7CB9D8DE8D800080EEB5D010BCACAC6728E8DE482C37270459DCBC80F496267377D97817149372A053B2D53209C2DD61216CC3AAD29C7238D6B142D71A92CEEE4710476C2A48FADB683B9423727CE772FCE2BDBCF781C119FB43526B8EAAF1D10F21E586952227E29BAE61FA2C7EDC6260F76AB543244E538180CD90C207330EF29CEA987F7ACDFA028A78D3E93F11EA159B21BF3F50FAEB7961874E816162D42735C9D3567AFA45D1D8B66CEFB58678")); test_hash (&nettle_shake128, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("1D96E0454BE037D890FBEB776CE5C922BDFB827AF1D1ABEE1BC8B3AE95453532D40C0B3F9C93E400FF70F6FBD4DD0470DF1F06E04AB4A596B6F92BBCAAD3650D60B940096260226913435C9BBF5F29DE8BCC9721748E3F1DEB7FAE88741084507E1BA72A267C2C2276D8BD8ED284578B46AE81230F383214137CD7C190524818576F77B0A53C3421E0476D91E11BAE79ACC4995A24FD1398F6F67E22033BC381ABE6DE4E0563238FDC39A1B305FA9403EE35800432999EB3421C8CC17F77F2A544957AFC2CE9496D2B739511B3CC52DB118EE874E43E95FA69D7EF024931377AF86A9448F3899DD0A87EDCFECFC1BCF7C17D470C71CC488744F2B627626112AEE465ADDE9C6719AC0F6E928C77B0BA0AE8A5CE20005C46768021438B611826675E0B94FDC7484A3854936216E2239650C794EF001EF8F9F4CB440664472445875D06C519E14C957D6FCFB73FB72B46CFAC4548BA94B95979FE5FEAC07035E0FDD21AF7E3B69228AFB2D97F2A333A5D40A84399C6D4F5A7EBEF9ACD08D66C2781EB9085A42E38C434230816B90DD838A2F10E727EE5F58D7469B47FD5324EF53A88208C44943009AE7A2803D55760A6AD4BC6E961C8BCC7F7F5BD07DA63709D85832E26772E01886B2D5B73CA488B8402C6A15D2AEC605D154F9A41EFA93601D26374D3FE8A5337E98BB7A1B5F0071D3C8BCB69CBD0B3683E7A494808C9BC4490")); test_hash (&nettle_shake128, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("0C5DB5EB4C5C83FDCEFE9EF623596F96D2078C6DCC5D9B5E4F1EB5ABBEA23ED4478895D9D9C8FDE4733933986C6CB4D03AAC65DC7BD628169785CFC5D9D4D33ECC7C6AC98312F020B117C831B2ACE85E1ADBE0A5349BBE9FECBC6E998C6DA1E2F333C105362506766D105F707D905CB616D8BD4B23ED5072E3F4D42412E3ED6C894CD37D8F9A46BE6EF9A53D60254F4E9627625A3671B234664740C24BDA608A44EDDA0CC652B843DF722AD38B9FD7F122C89D8DF0A68E03FBC0320BBA016A0F3C36FBA6278F9C2AF9BCFC9F312CE55F011255332505FCBAF0ADC512864D633CC0FB4D81BAE980E9522AEBB2A07199B238592E4379537E045CCDE8B0FC44B2781421DC657938851324F5FB6E1B7D9548A50CB6C02A71B16DACE90B84EF033594B2F0A688F6F9719A1008C1451353F8895AE1B7B16B27AC94B67F390D9586B7EE31AF7B6E7D110813A6A4E01D4C94F17A1EDB0633A1C4F69DE184BF4315DC98BD453FC22EA11F8EA5F5548C5DC09D3F186B40C4783AAA4BDE1A8F2AEED007A0BE440BE16649111921F779C7E284B8326785D87C3DF06A05B3373E88526D9E8AFDAFD8E673D1876711FF2F68ABADB7CAD4545F0DFF64BBA98C86D7422C4DFCFA8F2BF7D72FF0617BD076B4DE0B457F5FA2B881FCA5722864EBCA11602923BD0D6B21A9D7101ED1F34AD480F8F73E2ADF821B2B259D6DC535AA94D3CAD7158DF14E")); test_hash (&nettle_shake128, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("055C0A829125F20A0DBAA6106DE95579BE4188363C7D7E3F3EFC40AFF360298897968B250B8410829CDDCE5EDC80B764A5AFF16FFF1C3D29614C6BC4C80D095F0C73443E8FE596C86C83AC1D9BA69847F6E64CA643EF3D7010C5F9944A660B14559FF27D4A5AA9862CFFB67B47810D04C736BF842450A7E5239C5D2C61087888EB892B9BA495EF7031FFE2A56BC4E8FE4CA92D908666091D40F8DBADB0186DB30AF31A4BCD3FAF962B56271A4C5C4A02C75F11D13F3DEDB0F57EE554B9AA47B19109D3CC2AC58D9C55653B42BF5CC3C8143481146BB54B6284077E94A6B2DAADCCDB3E85FDEBD9003C12FC62DFD07DCD9CE747893DC611EB71580F2AFFC624958E1C78C1554706A1582359F6962ED70FCF82FCCDDF9FBFAF0023FA1FE771D358A5D69E6F8917EC3425543557ABA96D40303C5034FC7A873CA12D485998A856DB5724009B884590C284B685DE5677C76944D07DB1FF855743587374D9F0AB70136AFEE1D1EDF962D1AE9D9DB036F28499ADE8386E78D2D54F8F54A85EF0D771750A5D51511439ECFAB2A486FA1CF77E8973E977BEC186ED45F6C49845E9E19502CCB3CFBC4F2576D9D30A003F8C00DC209EE68F147CF17BEB5E5E410388A0CEC4643A3BA24B6532CD73DB049B74E4EC5DB415586095378297A60C2EFB70674C473488385B47EA9E9D39952AE9A515E139B20D76A30E65F09B7D701B3172899643")); test_hash (&nettle_shake128, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("9F8F1774FBEA8EC70D0661F8DCCA2953EBD20FD73BFD74E6BF037B4FBFEF17177F1A02E919FC2B40BEDCF640BE5F191D6572BC57C0F5EA29CDD413E8A97BC24BD490B221FA452594F78136C68B21984DAEA6B61899C386963EA6F078A9A903F05506D0C5592E341A798DC46C0198C039FA2913B7F7560CA6A703A6A86B18CD67ADB53A13295ADE0BA89522CF98263094B362C0635890CF4FD14D0CE5DEAE75049C5AF37EDBA5C0803B26EBE951996018D66390FBD37FF9F24FC5A7435513D3173E26E1850EF3AE729EFF8C38AA18A41B97E11A7AC452445D7EC617B8E0894153B067EB380D83209D05BC1B18B41272ECBEF29472EC90686256F0CBBF9F5089A78D853B50772E494BF27FC0DBD3492FB16B8AAD6D7AE027D41AEB633CFA3CA931CDACD968C1F24684267ABF45534F89A362C1195F8CB31F1026D3D554AF70DECA0C5FD3973F55F20218056FE70B74A3311AC394EFE4FC0130B5BB092B33BA3B91E2288815BAC931C5625297C2F3180DAE4B824409B435842AA12F7F01A185F699FDB2C6A9D42CB475B0493EB6759FD5809781560626FEF4A4522EE06A2D3FEE7CA2203EB84B717A1A825A2965D2C1C1CC0402658EC5D2448961F521AC318FA4A672F0F8051AE59C05394F84D25A1F9E27B21550A71EC285C8B2F86BBD8FC0DA09614BBB635F905AAE3D401E7969DDC9FE0837959A6749AA76FCD3A70920766662")); test_hash (&nettle_shake128, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("E73D11EF660C0F9B35CE16C12C58051953C229AC29229FD38E00ABEA6FC7917427D30952DC52FF435A928F34BF14EA4EDF960C78A5008F4678727BDB4C591D47C0D3A1ABC314CC475E47CF68B243A0F193B5A0FE06613C2715829E672EAE605905E6F52624F971731AED8D1CC022CF166C7391E249626FFC578F2CC48F89784D7F38DD14012151834DDFDAA245922A27FDDA1465A8056C511A72A784095496FA0258007394C193ED705588607DF19A6452F4E5C890FE648339A597418BA2E7E706C36D3DC493A3A6842F39409CE186222AFB81EB044081C6145CCF8B0E852DC602A2B7031355911A7C1B16ED74E8BD6C4EC8AC56511768C008BA25343FE5CC7AC262C4662AC803EC1082A52A0530F0C8431F68EF9F7C4C7DFC9C05228E3638B7A26DCD9FD28331F7B04BEF3956D6C49FC946DC97E935A76B3B2B4DECDA6113A9DCAB916538520B28DEFB05DB55F2D168FD6FAF678C6ED335A33C5DA6B575FCCFB64FF2EFBC5BCF2500F006E2F3DFB4C60A2BABEC8240143C779A3D9753F107BCF9981206922757E04FC93083ED10A77D5C603EFFF8592AC3902E2D07B72A5C75C71B631DFDBF3997744FD63250D2EBBEC2DD3BB10E05FBB3A993831D62A6C03F403E30EA3B80F2C8A3B80473C2D2F2C51B8B5563E46A0A57A02C4E73DA0491312865E15C4251D3DB6516A51DCFEFB1167CEF7021E570FDCBF862BB5B81B461E2")); test_hash (&nettle_shake128, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("B28D5EF1E7CB85B4406FD3349EC1D5F3727A9FC9C7132EF6593779B0D3677512D5F10A6022DF96AEFFB4252159CCE5562008E3E6BF02DC91A1DA479B5B091C88B65C80F4E8D83279DFECCAE72DA723842EDCB2BA02C4E3E9325804A04366E7FADCEE8BB2D678E31928D59F2F0A546C742D8120694F5F02810D5BCDC320855164F60226865BDCEC1437F262D6D222D1CBA8577910847B75D5C4549BDDDCA32C3768F1B789CEF62F56993CB72338274E5740062BE3EC7AFFF53215E894600B35DDEEB1AA1E9962B22329FC41A5696580DCCE450DE6C11F92332A3FD959CA5B367B9EC156FAD0318191314E98C1E2F82FCEBAFCB6523693A0C633B82251AA5AB4801B1AFB004FB28DE7B790E65F50E0CC85181FD914C76D915C1E220A53070D73BDC1C1BF2D0D9A3EA45697C3538AFAB5F577E09483195EC8B7737236491143D7AB0F81228031CDCA4EBB2442AD5AF92CAAEC92CC1F72E32E573D57BB48EB58453B0E0D680B7A3D46B4A5716B7756F8F73BC876DE181C443C082022C7A3322059F83AA16FCDFF5E078AF2F85562F0D60632F4A76B29F27BD91301B276CC414AF7C7B0A20FE0D0540DBC2B7A4F6918B37BAC345411247F2F7ED5AEDD12E72ADE756DA4962C2E19B998AE1A29E0DAF6379A45ADFEF26AECC80D9ED1714582F7D40DE0C3BFADF4A35DA62ED4357B88C45227810D63F33BE90529F426B6AF513C1B43BA")); test_hash (&nettle_shake128, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("D7DA38E9032FFCADF7CB93C9969171A0493525F8EEE3073DCC9AFC83C704843A8173EF5374C4D564BDF246D41AF6EDD0872E5EE43F5D2C5C85134166F9B2AB9203CFCA96A405F934F3B834299C954A3D30A2CC6737935DB8C094636D659D8A3192AC8925809567719FAF13AD40CCBE7FB1099BF4FCF415817B32CE923B1AD764B88E6FA24A9F0876C84D8B6FBB0346A87248A99E15C528D8EFB167F6F1F00099D67F5B879FE8B7943726F648158C0356985CC48D92424A44B906B14EB8217B5C75D88E50311007C1CE7BADBD9A48ECCD4F8936B81D0C2A76918A06E3D2B2936C5A157D9375058162259D7D0AD25DBA2490AE1BABF69176B394FE2F00DC000EDA5A0DA049153C077D51A89100DD5B8EF4EC3868F5C9D8E4C1875F292C4FD22C51ECFFE30AA40EB4FF50FA00A61F6116A337BED4D13B52E12F06BB4F8A88060B77B9F1300B5D895F7314AE728421CA951FE8DA4BE55723AE5533E59E06E0BC8D828603CEDDDFDFB9D82506141E1D90FFCD65403A94586C9259A6CB18550BD22B241112DD9D866F12ADF2B009740AD71630C35B16E062460C708831DF28918A5DAE14BAB1CA781EFFAFBD267081A7FCDB418417717756F34BD98A799B02FF2E275193B0C1B721C2696AD732AC77AF212DA45B22F27D54D1559A1CD7B39A49A6286D305DD4A257452E930D5F2C3CF16C6674ADF81BE1D8231DB6C1B8A9CCAFA6E98B")); test_hash (&nettle_shake128, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("3A0FACA70C9D2B81D1064D429EA3B05AD27366F64985379DDD75BC73D6A8381045C2AE2E9C723462EE09EFBB1C2A8ED7A0729D0D9B20F03BBCF55A86859ECBE80C8CAB60BAB4C5D063DEA224E825E38642124EA705327E075B61D08E0B49DC184C5194292BB4A797CD24D924CC64816BF911FBF4985130A59D68FF0673CC8C4A390AD593BEBF16419FF464ECB3FC78C160B6DB9F755A5FAA7A9365B58CE7F90465AF960C48B771699E0EB227F5370387E6248E17EE192007128EE7AD3D94BB9A2193BBD4618AFB3A399CB2016ECD5F9E41AF10701FF1915A6E091F44F193B0F729CC4AF5FECF683B1C7DD2644D7458C45FFD635EEB85C79E241C1F4869CDA9E77E80F7B878C24E9AF77D22D8C7C0C406C8AAF50F57BAB68FC6C3A20274B6BC353E6D60DA40E8369139B4508DAE96DBA12DCA9D80A19041A3798B252FD24BF2BE64035CDA6D95D6E570EA868EB8808193B3792897A2147396A47D27C81D40FF4BF9212AB239D7A789D8CDD545A98B447F6ABBFF4BF6FE631CF2483881E933C1E62A21BEC503A6EA60F3B179F9CA6852DAABA4CED7ADE5E35E960463FA4C3A32F4C580F03CD2E45F10E32507FB2880827F56BFC5030A4CA94635EDB134580715A23C87D755FD91B1566D1A471F310EDB2C12AA11F2D280683F43155D67E2EC04EC2CB2CEE53A4D00F77AA73DCD6CAD61D1AB7C30A627CC75F83D48BDF9A76AB456")); test_hash (&nettle_shake128, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("3D62E50DE92BF40637D481CEDBD22F2DBABAEEC0E94D1F99F3EF2E68B1F55D97ADA13D2372104D63946E3EB7C50D7E58F5AA0D5730E4366BBCB6CD332AEF45DA6C4E5EFFFDA948E4E7E6FB9C49B46AC954CBD53A925C8EBF73BC4FD53ECF34F0D67026136E8CFF3C8B8661C9D5D19420509B47A19D4C848C83B791D1F843F8DF7F69F736A414BB9075B4BB6070FA094A0095F101FE569E45E4E7FDD2B3622B5B912C21BE28208CE90C7C342E6DE485D7344DCF3E89D9C71F320001C52054EAD0EC37B4CB356CCF80088DFD2EB63823210CA3767ABB13623C9BAEA9BE5ECB8DBB8D3DC97C88F6BA9C4A9C443A00E9A476FDAD93ADA9F64D12803DC7FE1C7126D23430CF680F94F0B218A06D5FB4F7698DCB5C896070A03D5DAEAD54E3624EA55E966EA64D0714AAF9E17FEF5DA0998F6A301B20E988579FD98831649B5F71B67CE86F65003EF5F160B18CA218D446C6A18F341282CC89E585894A2CDB24E107BCEBE66D3265895A622E51B617A57020B29E236DF78271B1B87C5FFEEEFBDF3F36EB3152687209929C800B9CB4A29CFE7AFF4302C990E60CF61ACDBABC3CD7F98BFAA55BD61C7D97B3B0A935E254D1D46801FB6A02567DE9F75343B612F95DC555340BEE70E61BA8B3E1D7478D77D52C5F395301178D42FC3DDDD1322CD31ECB8E236F1748260F45AF38A57AA8DD1796BDBC99AC14D1801BE95A08C1C6C61B70AE")); test_hash (&nettle_shake128, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("D062C8F1218F1DC5F3CA5C2FF3F33847F3F74C6A40A3C2C6C15E316B6C9FB36A7C1DA9C25833D25C8DC7FCF4F852E3955B4C9246F4CCC3FB9BEC64990E5D84730D56E5E4839EA23B258BE3660014C49645A268EB03BFD932D879B2260BF4C6CC4EE97C8BDC9C02E609372D1FC24029193475992A27C52C20F1F821F285BFD1F4C6ED944EE89A96860364E44971E0B6AAECD446D868C9F7175C7C23E980ADAFA860E690EBA14B71F7EEF16DA6017BA3FAFCE89628F64662AF12BEA0DC93222FEFA733434A4778F0F2F5C0DA2439C5C577345B59771A4991A56EBCAC98961E7EF8AE3F1F8062C1268DE1E6CA5291D4D7F1C1C4652A49AEA180A5685F9E6C8BA01F8E3BE7C1E5D40A9A0CB8661FC77F624F373C90DA1876218A78BE6507C2E999A25FE87E5F334ED83689936AD06A7F031590AD13105DCDFDE7554D42F85BBA80A03D3C1459A25F07E93B77293B48E8D831EC371E268E361454CA01539357D4C10255E3DB0576CA7F9E6F4AE766822274A6669AB218474F9D0CB5B96FD0A55D4F454C6EE31E3A040568CF77F97D5B8C4FA783AA5625BD8EA951DEB4BEF186F37663AE83B2CD27276A390D730EFBDBB798049B151E4962B5B17C4739F9127B87CD5ACB00C4CF04295ACBBF53324C3C539BDED5E64FB4A3BC08076F52EB0A4BAB60138E50DCFBE48765047FF4468404820088485974F4C4FD8546538698EA3904795D")); test_hash (&nettle_shake128, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("ABC182A9D28B3E043F887C072ACEA1E0E6C26A90BF6FE9E1BF925D20100C3F8E46DD5634CE077F6768450626105210BBD36789FEB64E9E0A0EB5007EAE54D2431156A6BAA49D85B31A716B69336DBCAD7BD43F0C9AFD4D62BBE69D5EA276F01B1B39C637BA13F9D5CFD637FEFA3D80706896F47A58D602166645AA5CAFBF5C280EAF765A47F4981A9673EDB27089F31314A6367BFB333E4A937CCC3E704218696F998A3269518965BEA095A934C171F78979D6CED938F8FB3D6CC8F61EDEABFDEA038DBF7159917E3F941C2D17E351390AB77678477B11D2DFE2351180E305025403FB826255DEF38AAF0ED06BC2AF707337DCDC1E5A08FE03E9CD043D5A152EF37FD4893266ABC1875DD28E2C7160700899D5F39DF5DEAC2E91131360922F2ABB6BFC49A8FC0B638CD13B6037F99BD0D72A56346804E146E8B2889AD843813DACB56FD8D9909A989C82064E4838D4F01C19A8E8D1B189EB060F642CA5CEF14A2F361C1F34D968FDCF37D7837E3AA9B866935095966109C763C8DD1CC70DF91FBE7B5AC7FC6433F5DB4B780BC9BE4EF862B596E08AD32C201A07F04E267EE2705245C48918B71C84D78BA48AF70A4776523D37A8B90D53AD45465DABA2B48CE0C09978FAB5F4A0CFA6174D55612B7102CEDB7A591EB6A778BD41CF3C289D06E86B4D329F71DC6C3BE75D7E661E7E9B5F4CD92225FB5991F73237E2520B9AA604")); test_hash (&nettle_shake128, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("BFCBFB531C1689126C2323F9294C1BEA280013A2315A596ADA34F022BB6D3D8A699BA8E2C54AE3BB7B32C422C727B41678F781D652DCBF1A40B8627B56E004AA5F1753B1152920121B1A2D8CD5E9CA02929BE7F2EB433BAAE2FA41830F146C72A12AAA97E8F8B863749B3026E99E0BB7E0A937F003604B470C913546E73413A86EE2E9892FCA2A7839B20309AFC1FC9A0EF14478CE0CCB5CCBE37469B7DAC3A7B74B253CCF2ED085F9A0BEF3759A4002E2E67F81D953E9BD53A4D39A267CC0D262E5D80F50F8B87D816C91A2C64D798784A5677744EE02B5DA2CF07D79282BF8C791433E0B3E296C38AD9E0162BAEDC89F1B368537103EF797AE54E68AABD23DE81B760689839341155930796AD7A49702113F737D0812E20B850C38C3767421177B39FB60F3FCD0B81A50A8624E57B676203BE7C8BDC66BE9ABB5A1AB175705DBF65BDF5D119F331205AA74E6E04C766E408D0B2651511CDC513C75C6E326220DD3DA4A12C82317455D450F44F5F1E55BB7A91BAC1C34C1E405BAF53FC8BCBFF7EA119CA53F6DDFCB5E4F2892B837846CEAFD8ABF5BBACF09A3127685B8B40A2452E52EA6C006F22EC7FD9DF925B939570096E5E0AE74D67E46E5402DC94D4A47E460D718C98A4426F3E68DEAE1A4E509707A20B136FCCF3C26C8956C14312BD855F0B3FC6A97CF1C7E9ADE4A4907A7CCFE6EB5830D17451378ACFEE3884E8A")); test_hash (&nettle_shake128, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("E3A05F6157BA90878E8C394E09753A69D271C77B233799E0D68A32209F0CDFCD5E3F41DC9109F836A4C45043E7EABF41946FD05922723B0E6526E5B99B10E89B3C4CA6CE5A2C6C431FB14E6CBC7986C4CA691037B1F306F8ECAA146D3E0B5736A53A2BE74E1704E65864C3ACF042459BBFBB440EC73EC884D89AEE7525CECBA651429F2CD092E4B3BF24AA144873EB870749564A52AE62FC86674B0D9FCEE67DE8910DFD812CA75A47F8FD0B2393E616FE8250899C36C27DBC30716C9F5FA181AC6A6065B73E3DDB94447E22EB858E8D1E12C24B80D99D4E6291A0D588508319C5B54E616270FCC504D5925B0ECB12F211C3B63286383498FA1A7B4B1BD399934DC6DF4B7A6BE0F42934052AAE7624EA4B6837E07EBA9EF2D066A911CF71776A2EEA41E04122E5AFA6F91865DAC64686212A93CCE21305D925606FAAFABF7C6D27A8A91C5BD24730E2EF0F11A9467F7661736123E7B8EC29B4ACABF9AED239EBF3C79F4C37F54DB912916EBA3A91AD6362DC616D7339AB457629BDD0FB97B8AB605B9FEFB65E2E70FEE3F2A29A3D6D487682BEE87D5C615870CB615ADF197AEC1E5EE35C242149DB2D5DCDD598DB5981A5EC57D31C9644CFBDDC03FD2F5F8881D2244A094FF4140D252E2505089337B925D84E3EF632C96888E0FE5C23B1D67A64FF3269A430DB1927CECE798ED159DAAA3B69819FED596EABA5B6BF4FE3E688")); test_hash (&nettle_shake128, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("2D81F6711464AD6B3DE6F985E02D52C30DDB350BCAD92FC15DF3A67290E4D74E2EAC52EBF9479DC223770D6481B1A640784B6E4A31EA840692E625BB2D400A5C0C7966E5C4AE2A4CD0A3204D7DB266745D64122F83141FDDC676B57713E45CA04139D49BF42EDCDF443B5600668C1534953AA95FCF4BF9A8EE8B52680C9463E5CB5AAF09F18EEB2885A061DAEE4C3EE5DD6E824BDEF31A93E092236F91B8E2ADE094E718F8E203E43EF00A843A2548457D0EF2315FF91E5221011B874CD798254FB4A2E4C65405644E0DEAC6529EF59EE52F2496D9B19485E8128A76548C212D667637213B637919186AFAF827A1A0CB5F584F475723D7D2EEF4162E05F9ACD221C3416E7E88D22D4C471A05EB0DC70822E912942261E9369C0D35A672ACC5A48C86D6835ED99BC201A02CE40E86E0C096B2C34E5BCA207E5C5C90CF86BB3CCD7FB89613E53EC90245F9D8315D1102462CE10AAEE4608101AEDB37857DB22ACCD5B024ED323151D75223E6CB0EF402F12EE2905869396EF6AD09F6FCFC57310BBE46CA7817021DF43FBDCCD9D62158AFA8F20300F8FA17B202733438C1F6B0F1D1FB1FC8AD8414E864DEBBEBB5F96367135224581B9B8E54E64937F708A2CF07573A42C45444C37DDB1287D4D27CD3A9DBE476EAB7C39A37722BC4A1345A34C168DC93D48BF719E79F25FF112FD687B86C20C98533CA4B0FBC1F3D4A6CA469E4")); test_hash (&nettle_shake128, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("CFDDA60353118CB298A271246886E4C7F976465C1B65FB51E87F7E5A9BE050B38BA3EB23F52116F0A13AD802E12AF81A0626A51C17E9EDEF5CFD1937BD774B4E63B19BF1BC61A4ED23A2ACF45869E4EFE9CFCC8C89AF6861E4122515E2B5EA8DBF024F36EFEDB7E6D6DDA829A5E45E21466F4BFC55596748A9FE0A61B3B9B9AB2906008DC3B8BFB71761EEACCE68FED2F0F0B380661831E4754175AE79E9C093DB7F2219C39CC36EC72EA39C65128D835127C3808DE4F3113E9CE42BF1F86250919C8907E21B0905D960480D9786ED5BE6FEA4CA1017708E1A153846AE80F8C81DF6118DE9C25DE8B72473E5A2F40980417259CA2D3FAC3AFCC42E1D5DDEF03673CC2D9A7E6170357085A135B31B6E8334D331E222055FE01AC3DDA56472572CFCD908797BBD7B8DA672E2F9A10497E423AC9E84C17C81F81A944952C7511FC34C5626471B85D80CBC618A68DCC343575219999F28D01F732E76DCD6B056F60D0A9CEB822C1BB772F55BC85FD122A0972B0C0FE8B88D731887656036A4A4278D0F46B27B93530D3DDA7A689DBBB73D9DE39A6F96082C8D9B9AEC1FCEF64C7434C38B132A66B3E2DD51367EB83FEC5E6AF8B18A151058D092ED381AB4A86CB542F54EBF5B0824DF726B91DE3BD088CF8D1E55EB1F2C834AB5AB9E25BDD0A4445C692D568B6458BC29CEDB6CB5C5E7C29F16E1B95F22C2752FE1175FFD41F112EE")); test_hash (&nettle_shake128, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("8FDB0BFC41E23944858401D837455D17966DB41F4B9D2BAB52E208B2E32B22E1FBF3CD83F13B6B99F14BCDE767B286F7D16331FD56DB42A4ACD9C370BAFA8C99F91A5CEB24D52B52CC657686163057471F2D8C982AF779B05BA1E49114BD55BD59E1DFDC69F49EA96F771FB4F6B67D1606E6D652368A31CC3F7418427A8DF6FFF8E0B5E43EFB6D9795D766017284879AA199B6726C84623ED69288633A34D3742D20F1249E1C70370BB19320627598D208A7531EA233E772CF7F3994C06FFDA7E63B85BEF873CB89A83499174B461B36A375FAE6D5779E23EED9D6624DE2EF309721C428D8A64A2FA7ABDE1BB56F66F04225E30501AAD9B9D9078CCEFC8F721252A232B82D984DC5D1A03E9F94630B4023CCC4BA6A47FFBBCABEDD754BB403C25EBD27D445743E17DEF49EB16A75B25921E49373A4A669A3B3C6BF5ACF72FAAD2D9E0AEC3723FC07E541B72EA98DC3E7903CC89DF00F6B20F147302D6AF18FC94FBA446D37F5EA3A49A9B2942DC4926E06F6D385409753E3ED1C9E1672B783E491635B2701FCEB0F133C1CDF9364B7BD55CF1CA89DE5ACD13FD7B94B3EE849E789454EC39474636522FE41EA3504CE134610D675D5CF299F3E94686F1AD9BE58AF227928B9033823CA7195E6856F72008B31F4AD7095F98B4A5256D2A676817E02E7839B2B875B59AD020B97BCAEFD515B061F49526821043B3B1A1F29B61F5B")); test_hash (&nettle_shake128, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("64C80B3CDEBA491185A9ED7E0B5EFC031E36D4F22F9B99A30237C5459C7DA37B16296A7D2E221B314B47F524A01D94845F7B1F38D7D52DA83860E576E8910365A217EBBA342C7E26A350FFCDA54FAD792756EB1D87096F0625D6B237E77060E350B9CB9179DB967BFD8C63E15AAA24336B8314B692F027C99EDBB757E572B0DA00B45D90200BD778B396D18375D77E0CF32E7EAC5003794A010B3A1DCC5968F59A0CEDD4B2EBF4F0F151E5D8F88C297506295080C91CA11DA2CF32447245E0667D1D4FB619C514014ADFB7733D972198BA4846D57EE8D9FF73D543CB32CB6822996D04B08AF13DF3A696DF38C29B677BA6FA481A5A22D2611B8D721EF11C4361A3205F75C90B7B439B47893CD5C38462646355800EE91DD9366D8CA3C2EF754B8DDB4FA83397FAAEE9BB24EE4FDA89532CD7E1F05CC4D52754ECB59DC6BCA363D9E804B32C47664BE92A23023BDEBABC70DC45F15A708D5A0CA7E6F461C825D58784748284722DF182296103D27A2868C06DEFCE8F0669A173A9EA7C9D7BA1AD721A48A7076CA7E005D0BE0C6F5DF889747A581B54674DDD18A3002662A8D1F1373CCF9C0760B008A805E737660CE28BE2DB4FDFCA40BFDE0357615B8B09B264B9A9C3EDFB70F967BB520B09A76654ECA9FDF6AF19B298DC3348E7A5771F3C3E2ABEE576819A1C59881E6B8FB1DB1B114D746E90CE6F9F6C09ACB5C46B03653E")); test_hash (&nettle_shake128, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("50102CB39FFBD98F3499FF53914870CBE4440CA8B6D61B79B7E6481B943D8E532947D06A5E04A6EC8E595958245088FA807600B1300ED4DE47A2E800D812BADA538E351DAC64DD3043E7F655B411241C9031ED2765264E372C6F59435988963EF83098452029761D43E4D329CBBD04825719ADAB1920DBED999C1C82BC9A362AB6C0DE15A65EA6E7EAF9B75FA15543910E7CFC214F25CAFBC771D9E641FA65A6F52FA97CE428910972EFCE8C23FFB56AA5ECCA3EFE08E12125E3C88C652C89765AB1B72C9D16AE3CF4C8A413ACA5675C18439F3909BC8DA92ED71C7219A89DCDBB3E07A3A8D4145B2D65E9525D3E583C70589D79519793F463DE6799D682E24E83E91A96E866BBF0BD72C041DFD44FF345FA83C24C13AE0689DE442DD01C85179E69FD9E07FE2E2AF1F5D1B5365FE16C3D9DA5F1D83A6BD71923252371D230D20DE8A76A810EF29469A370CC552BC0FE8329CDF85905134BA4F7C4F77FC83BEF84F7560ADCBBF8D384267AE24EFCBD78B8DEDC130BA739C5CE96D8CD05299C50037B94F9B48012BF346E079C4599C2DFBBB1F3980A1800BD593ACDF5C7E355D3CC44CA412A3565FBD8B2A9E8A9E44667979C9B261AAD8EC2B201259A2D7E4D5DA6D5DE05AE61760EE8DEA70CE5F380BF3F1620B3C67D8EC5DCD47EB14C078EFF113A952B7C77B8E832DFCBB5E7492F090D8D4A9893D222AB77BEE17501B8CBBE")); test_hash (&nettle_shake128, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("EA2A6C14ACAA13B8CE15F4363206525A44AE834D82B000EFE0438A4321EC1EB6DE31390BB495EA7F067D4A3FD9BE173981076BBE4928F2E9173F4A3158DC4DE9F940BD4C8E76C2F886C5D4C07A28E6CA1B35A4C31C153323508DB12D63908ED758195CBA55B1B8C9687D219E4B053849D5134D3BDD8D8B0ADB2C02793677853D6FB496813D72DD415F9EE59B6C30AEBE1BE2CC5FC3D9B4D4456AC65BE1970E5853F87C57BEC289E995FAA9FFF16AAB0ECA5EEE8319897D24E6D68F29B9A8937A0D98717AD61370E25C0F0B68974D41ABF5DBC3C05A26C4B5BD4C60F5D2F2F0126675B785CC2A0D0BD1B2EFC2BFD14790AEB55DB281535950891BB90A6A02279852BC07D6F03F7C42B4E2B4DA0008E6CCC0A8FDDE198159F6A2BCD516EA80D48F8EE63580ABF97980530AB589FC2158705EB0B5015D6B92D41D4D985661BED07CD1E43595C1A9C902F08976F22E01825CD2C9970A2D09FA0AC68C3428FE2B4957E528DEAB2D1324DB176761ED9A3CEFD129EDAA882C848E994B45D7DF77A489569B1720C183902A5A7E8116223DC3CD0FE84826A28D2266834D0B09AFF134611203D8704FEB7F1BE1736EC9868F4F638598BD530F6D0DAA795EA85C2954DC188A27A14AACBE2EA7CDDF85B3DC9F2DF61175530127AF3594EA39186F9A18348F9D60DD2B32DB207E5398F59DBA345511D9798613D66318C7F3504A431A0CB8E9D9")); test_hash (&nettle_shake128, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("3325661A828829064E99ADEF00E99E8B9B08A53A4C6B008FAE8DB1A833CF26D83F3F8C613DEFA9885593996ADAE75995DD196893DE7A89718296F12611B3315E22218B8E26E8124BA7604B4CFE5F427DAFA90E78D0B5E14351D52F9B8EEE659B54E07F1A8AA08281B2D8672CD405359A681C74E84B1F6F6553ED9B5184D10EB608B37807E5A824C3F0E1126824ACF192C9767919F1070E77E2F81A1B5E5DDAFDCE09DE562CAA1470BC1023E0EDB8901EB9CCFB813366EF60DECF20D0BEB552E7883EA4063383B123D94C35F5D00D57827D60DFB3550485B75D2235400A696684289962C2F71227C847548961B4F3631C656ACCA90F9AB21547A99197C32FBDD410FB7DEF62D1B293BB0FA36921BEE609A6D7C2C9D6ABB287EB2920003C1E965BDDE75A90A41518855039E3EDFEF1A3DDDAA192FC6198ABA7C0631949F140291FCDFB8D387AD4C19F71B6EC4A6C3F5B22A0F8BBC0F852E03953057CEAC0183569815625F566F050AC6B14BD87D3056A8FA5D99E621632AAABE723189B0E87DCD3CC3D29A4E3ACF2EA915A8A7E0ED73AF0BB905A4E8B0599D20D699D2C971BBE338C964BB735F72540D8DFDC069F950AA13C814F46866A32C3EFD0EC5D28482298BEE0CFED7B8725E64C75ED0A35D8DB157278D169849B56AFF015603E1006C168276D96AAA91EBCFC6C6890D5382CDF1C6C5A1BB6A3C090F37ACA605E9E7459EE")); test_hash (&nettle_shake128, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("1ACB385112F369E6D00420FAF1291B1BAEB428C09017B647D7343DD2FF50870CBD47601EFE679AC0724DC63CBF543C87DF5060CB0F11C786E97844A02BDAB528D3FA5890DBCADD9EDDF2DE00A639B0FFB8FB2CDE673F66C54BD554E737B5F370F53823B135B3257AF3394408A853666BB00139F147C6EC198A5829E8A5F85279B306A428DC2579E66E1E18EB3C4971644DBEDF4F99BDDC9E4096D0BC915AD1F72D522395C6306D047C399BB1C4877BD8278FD29926C3B74AAC5414E9E0936E01DAEE1061C5CD243C380AD802459972D3C2DF479719A554CD9318A8FAA3016AA6EE057A4E57CCCB698A4B0EC411F31D11F0642053880662EB3E098F88F74C65225669A4CC8F3A04E23F6E5E40F9A3C7FC2B4993782D58B27F80040DD94475A85A14BC792C6B86525D359CAB32744E2BDB4890A392EE847C065364BFA18C85D7E328E5ACD9F04E6A6542C8B734A3E3795898D7E48FFA8686CC12497883092395239A55E56AC18C4D63A9281FB8AECA2C099BDCCC65CD239CBE597CF5D577585FDDE3F4B573A666C2D1E3C611DF94C9C519DCE3110C33EA697FC1955127C91BDD420DE5EB667933A49E15959EB3049C7D265CB638BDFE3D6425E20DCE650892E0FC346922A4277C1CB1ADE59886F8006F0D0074937E852A0542B5A111CC4ACD65F3B2580670DFD41C0C9EE3CA5FCCDD7743D131EEFBA0543646B31A9EAAC4CD30DE")); test_hash (&nettle_shake128, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("3C7002A2ECED36B19A3D71464F86A526D0F2A92CA76FE392810616E75A25C223F06BB1EC3BB5BA0D00A51958789DE67724E1D57C4806F6752E610327B4C84E9C5E815F8765E6B452376CB1EA5E3151C21E789FCBA16ED05306C53F2F089B21F2B5590CD4B48647CAAD444450A1A60E1CD0BD87465C2A3C2D25B15146767B6DCEA1A8AEB8B717410EEBAB139B041FBBA1F654A7136B7071573316B3A7E5BCF8929CC1465FFDE55DF7449C7068EB1D74C0B12418B50046FA2197A47F4CD15E7D3702E260C188CFDFBD55CF4332BE6CBB157FA8E62D003D902433719B516C59D31F8F935CED0F010EE66E8E48448FB9BF3A855BED9CC604DF713A689009223F858DE44137CFDAF2B194131B84559A98AFD4F86AB13D7A1DF01E414A10768F6D48E426EA64A0602BDACA1CA56C903940A35F28842922C114F25F7000D720EDD40AAE30F300ABCE4FA5A3B6088B27377D7767762B220DA383308D00A43E3B9EAA1899C3D4E261EB132C41029AC024D781001B56A1127226C3517A015782097D754233D83D3237A04754F3F22547C4321FC175F9E83E679B0EC7564D942D77F64EA480780242CCA0BA64A8C41C7E94E575CD9E60C229E4765C8BC993048A81EB4D9A7F1F1FE449ABCC1CC5B5CF500D922A3DD26D6ABC62085249AF7A60271177B19F2D150495FF3B4E8AA0414C58FC1A1979EB9938FCFC6AB3AF97B9A7C8C94D12C821")); test_hash (&nettle_shake128, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("E22AC7FE9DB19147B2DBD586D6C5837A5DD3DF2346EA61DAC753B0371274DC110612AE3DB350EAFEEB89BB1179EB9D84A0590B243D0DD9BAA00796030D2782F0163E85328A0AA06974A7321E66649281DB8C506400310AB3E21243F4C2CC5CD8B36AC7C35C235305E6B1585B33784897D82A2D31F664D963ADA323A9C922A61D9AA5BEF0B90C6B7183F1FD0ED4128B2FE0E12EB6B461176C52AEBFD608C00C7D79799071AB30DA33CA9AA26932AEEE0D585905BBC853E80AA746706FAF7BE50C90C1FBC18E290505277E9BB9BFA9C767E952A68C4F93A044F62E066E61A0AD301BBFB921C818690BF6D116C6CBE7DF174A7E57E22294303820494757B3254AC40404A7F4A6D1F9624E5CF3A770392B2DF9FD1FFEF01AC9AFDC74442C0EB6F11E1EABC59270B4DA6F2D6356E79607D6462C08A6F29154BCADF4FFD6E20ECB700E188E523B3930E35C8990AFAD2141FF71912ADB07DC00D5BB78D7FC5590467815BA9F46CE4F5CAD34910A574687D8F7FAC2F60B34D4C3BA6D25D3E5118B851BCB73C1B1004A623F8DDC8A0D07AD21B45F543CA8E705B3864D1C4FE024A19ED5FB0542DBA0C39FE0A82D83266D9C124E61DDB107D8E0AB57C970CFE5879DAAA7170022408F7A9A228196C5C7AC614CB98CC276D1F5ECD79347A41D97360A19E65681A5B75E78C7F79ADDCD401DA6DE7DED3B1DFF1F746806AE03F496CA701C8448")); test_hash (&nettle_shake128, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("FCDEAD82F39CDFCEF99C1BABB674A9A8E24AC594646C31D020A4CD2BC2554AFD78C4E413F7804FA1708B9F4000FD860E3070F2E1BA9EEE3805352AAD655B4B0A728F2D5FCC43243825BC0DCE33CA716626DC76E920D72575E26DDD7110D0F991A91200B513AEE23AC9BC7043A152ACE0CD0B49181D2BB6BD36E93C0B627ACA9C6AB6C85ED70CE762429C8F262708103284C0A792138F10E8568EFB2399B38A31055C1188BA59344E6A2B73D5C04AA524056649844D1DADCD07D35DF5D851EBAFFCA5703B80153EA627B1BADFB2885F70F786D34F5650FE73E3690A8A96610059253DD3ABB5FA7C54CF6E77695D24A6594077EE4D3673F9FC56C62FC7F710CF872014C0A7DE8B1CA6AE8CEFAADEAF5F4D055FF765AD418713F2DD08EAFB5E16EED9FE344EE8D4388FDC22351F63834017B539E3FF143F394B5B74D06F65E96A7A3D028FD14F6C7001EB7AD2DCFCF4B2447AA173A2AE8EDB581B5BBD89E8A468FE0A38507530B9795DA3BCEC6DDEBCE9EB3132EF18C9C2A8B936A431C8B121FA996FF9BA5CE522986B678A5EC99A103A91CF33196E08C82DC65E68AED238A9316A73E71CF5A67CE440B93BDB845B3A60539ECCDCE41BC723EC9A14EE4E082F60C0BE3D5E50DFC8BE1E86A97ECEE9D88E2BB2A3AFF47FBD6D6675D81EFE0708926B81AB314A524FC745090162D2AC723C4326E0F9E16FBDBA2B1E9914BBEEDFF96B")); test_hash (&nettle_shake128, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("F9A4D63D82C6EFA5B1FF90B26510ECF06C53BB1C3B7427B64C41DE1FA03BC0728085C972E94A7FBFE5F3150A7B9FD8477C6CC1C250DC6FE017B0D0668ADCA12E3C1C9BDC78247529DD1F69198BB0A371072F0225420AFDDFD64AC1F7A8F06FEFDE803579491D8BF61D6CA84E985B1EBC7F0B48822B8BDA9CF9AAF75B7C33C5D360547A34C68114E8A894D658E4F27E3C137E1B2A203293C015975AEB49AB315D142024767836EFE41DDCF42458C5B5238ADE07302A0EDC28A5E4F686D1F98372A179DCDD2EFF78914AEFA492C05AFF03A5CA3E188F611AC24922CC28AC8010572F406C0ED1BBA849664952AE23842454F60D7F4091D0A4BC2CA6C7B3E1C7DC72659DF6A709587BDB30FFC3BFE6391FFE3D94084D93F2186024B9AA7EB52D5CBE760E5E3A49496A2239C9C71FD2C18C199441F7509108B8E32BCE086A110507038069F99477DD9F75EFDAD8ED861C38C61E2888F7BA3E1AC237A2703BCD64F19BEFE921259F88D225B9B5461F070297A28908A35D78BD66165C8CA532EC58C64DA1988E39D1237588661933320C80B30C183126A10222D6C2DEBA60A55EB6574AF1050AB4A6253817EF90A1DA8B42633B97F792950364D1E7C490A5A2BBB8C3412289329D2B0A644F8A447C5CE8A420C402429B94F4FE11BCC71FA2314D4692DB47EC2EB58C32513B07B7CF7DB276D1AB7190232E7025F805CA2FF9F27AFEC20E")); test_hash (&nettle_shake128, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("CB65EDDD9ED9FBB19E03DDBEE2D0EB5F0C2610F0AE9F89C50A463A303C3CEBD64345F39F1CE7E04BD5AFF16B15D5DED79E717CE07ECAEE9B7BF1841B17A1266B5F92F2A92D6BF964E53C3727C50FD9418C1CDBD06F0F0510FEF3ABED7B4CC31534E885EDD00FB1316617D6433B249956E1565BE72E5483EDC6E5E90B470CB2E089150D3B3B70FFF3227131E0DFA12A2248C064DFC83702FC462FB2165CAFDBEF309EDF1BB785ADDBE17C6E6DE702BA4BE1229A7AB7BE122306E306E92D0DE7020FC1CB568F5EAB5F0A2140B010587DEBDD8404DDA2C4D6E728A4F1A55182E018789CFE03600301641D5DE2DC58FECADA9A9E1425DABF1F00EA013C05EF3D64113FF351F10916438C6B92B6B6BC5FD3D6CAB43669A1C60ECD39829C327899885EDBA19B8A9B4992805916C460E5B5F72F53242D206D2B3DA3A976784FC40B6A4F0FCDE7422453565398A040F9E5545C482EFBF9D3110100DFB04DBFB24A94FCF3FA05406EE9B7E677BA0D3A52032AEBC2CBA54DDDD8CC0900C90F48CB9AE107DE01C3218F0EF5BD9DB9D7DF8E926E60A384DCA5299610413316BCCAF2821B926174EFBB791D465F887CE3020B908B07E545A386283E17F980639E81E71B0203A3D22EF233B4B2E593FADB04503F0CFC5EAD74075767228458B1EF4C5DA77D126D6DB7EAAD6A2BF5FE9C18E562AFE5671DCCB60F8DDEF168375BE45EF2A391556F")); test_hash (&nettle_shake128, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("7A3E2CF760D677AB42125BC78324A8E42866E2C148087F92FF27E149DCB2ECC3F3209D3000583D96C60ACCBB637714C4175B0DB1F982A99A7D121774AFA37ADAC741AD9CF72BFE7175F591E18256A95A0CBEEA06B5CACE02C7903B1448DED23F3A7AD61F9C5CE0F61235520706667E94062CBA04F735CFF813A5B7501975BB7DE70747E619EFAD4D548CBA8FA818A0F4B59F8974429075DC492E014436CCEE77FF6947FE3702659A14BAF89FDEE45DEDCFE4CFB1D45D59EE5D79DDE87C187AD1E04F06217C41C35F1185E63B625E30E67C5377A11909612DAC6539F72A6BF46EFA1674D41F00FC2DF3A603A480517894B88556971B793FE3D14E7699762641913ACE9460A4791487937FC6C94B6A0A091C465A3EF24EC55ACC8BE486255848DC7BACE4A3F860C7DF0307B70FB33D8164FE3FEA9ACD2BF3484BACEEFBB4D24D77BDE756CF7614BC2F4D037E16943E08437695DAE204CA08972BE843F59D608325C7D6D64B136148887B49FC71ADE52B11E80576FACBA740D88993DC77DF9B7ADEC54A6DAF3149B21B9D0D910F2EEF2C39AB3304F2E5656DF646E551BAD1E4B2BAA3C7BA7857CA2387F516A0DE8600F14B653055DB1221A57CEAE2E4AE4D3102B60BEE67A5456E0E2C0E5A0A2EC249A3AD11B533005946BC6038A98D129FC696F48F05F0914913D45BD7626046ADDB5AE3BB4C4E1BEF5332767B49D8B576953832")); test_hash (&nettle_shake128, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("0622ECABCDD9A8C2BC20FE0B9B39CE1A6A835B5181327794DB2E1B40070FD9D89A498D242AAAA8FB5063D5E2AF45A1CD04CB28B96EDF844AA37C7CF6EFE39363AAE56E1E6C1E537CF8E58C20D5AF57AA0687978E8EA46936DEFD6A6F3486ABB9E1F04B6128710F75314DF64706190F4AACCA8FA9F4E1008385E641F40FABD228B9DD421E30184995720D49112FC429165AAB6DADB0CFB6F986E11866D138DDA8A5B4656B062D73CFCBC8B8873509FEA2820E150672AE7C01EACF5D9575EC6B1DCFF1F55E6C2DCA4ECE5FB4A6F1EC7BD089C24149F1136AF9018920977519F390FB7929FE84228D5ECBF8FCD5291791CF7FB6CA7208350CFD5D7A761CB8B6524DE5A85467DEE4202232218CE6B39E5505EF02452B4FC0A87C32C9B9C9B8BF5FBD5755313F551891C5D11E26FD57B65A42DEF3BEB07C88D117CD168335A7749B97B1FDB04C7ED3D2AA1A2DB4E70226F3D8B87ACC19A1F34F60BFC1CD0EA1864C5A991CA21C72C163D0B6BA5833D8EFC7AAADE5BC6D335E62852ADDAB38831AA04DC4247DC7E1CA5E0B2DA9ECC5358A889EAD2F2CDFB538D900FACE60AA53228145644FC4AA2BE363655ED6CCC47D23CCAA0EEA0048887E2C670AB4AC85BC71D1CAF7A1C02EB3C784FB189AE756EE9133115232A92105B033148C1C9806821BEB545035A1359CB4290B736D3D14C5F990AD2E4FB02A1780E34DB86FEE3BD2A3A9FD")); test_hash (&nettle_shake128, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("0D126808ED2AC9458F8002CF172966C8DAF02045518EDBCF87FD315F31EA781C73579DD9BE6A3000F7D6E5C400970D4B6731F90D75CA01E55EDE430D8A459A98C71D9CE16BCFC334BFA1CE8E18A70A50E3B795B810FE3273B9EB7DE8D9B7175F97C32FB057678D819B1134AC30797F6FF7B622CE48616436FF7C38453029DD7B35E648C14AC725EB49067DE2F0DFCED2CB89AC6988CA178E72D0D19ECC481748BE17E8BAAABDBADBB84D0B2F2A49C4E60C00018ECB61D2CD25D8841157D9B6ED74C70C7791F6F88CE61B5FE0F28DDD2B4EAE5E2A71DFF495907FD883CCD522EA1DD55291A5B274B4333EB62650D55B0CE61EC1761CB2D5EA39C712365309537918EBAC6EB8A0BE3D19CDD0F32FCA2C32FDA5DEB68EA99FF5F7B66EC4FDBC2F8A829A4B3512A52044A7F7C567532376D971AE504601841C8091695533266D14A14AC46A7370372195CBB4BC212EF72A18F7962EEE6738EF1A669B663B336CB324ED808C3AFFE2F39514BECD5D654715C85F3E5CDBD9029C1F589CD0D563AA98C6FA99769815922CA7A30F13F55843DD952F5724CCDBB58A269DA7D066A548540C23F4A740D82F90246D193C22A0CD0601C2030E08E5F0A9AB7B468DE0530F50B156C38DBF08217B63B726B85227A5FAD8BF9165E76B02CB00CF7DDFB03D9D38C882E81E657FE5596B66E777E672FF416A3155D4E2EBEEAC5B49A8AE3851AB13BA")); test_hash (&nettle_shake128, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("863DD45342E1AF41F682C138EE8DAF96308B1973B3740CEBE9C2999D4190B05C7630EDC87F9942F31A089712BF2B705F1F3D835E25E51E8BC6D5FFD017A5FC2F30ECFA82C6B9033AA336ACAEC58FA5E0D4F4B40BE4F60B0AB303AD007336B5D08989E635E92C7C0F22CBEB049BB4761E786FDE0E7AA378F6C492B3357916DE530E7FDFAB45D2116B3137B0BA6BBC5A04313757B26CB3467031D82A98025E628F0A3BCDB234D4E7FAAEBD7F7F4E94A2C4DDBD947A3AD2E66F7D45E66C89AA037B956AF67D7A2DD696D231D31159B5E217EF4A911A24B4C012AD67152C9A1FBF85BFFDEF6523629BAF766E22F009B6371A4C9473A42AC84E2BE89D2698E668373A01A2E8EDF60F9C7D83BA415EBF8588C0812A4409A5EE205D794EC5E3B5A3688D8520C98D516C877F5448B6CDFC1A1DF445008CEE775160096237EFC27FD32E1629835B6663601647AADE495A117C025E03C80D8DC2F31BBB7CDD4D2C50C7987E8003AC04226E5E051E8D2930F93C143F2804DDDB343591CE11FE55BED40A5DEB0728EB575694D4F62B7E7901E3A005A306961051A0219FA49E263E85E87B2880CE9C9CAD37F5DCF001DF265FB448093CF08EE592C66D2BDD37907D6492B05EF24E96B08DA4E55A289E6A2CCF65624257A754C133B54DB543FFCE3D11093576357C75D09E0E5D18D95D2FD5206A1F5750030FA789B83A81B6E81D98B1D360C179")); test_hash (&nettle_shake128, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("015BB0DE6A28737D365353E9F0052EDB5272A67F83863341A7B798CA9197A051039987E22E6FF95F31EF2BE455956F7C5704FA4108F600DB247802712ED268F35B27AB89AD0116245783DC7BE9B511EE4A0388A7EF9A234E1161F69910D3C0C76738DB4BE4480EA0E8BBABB081428410C34CB54968F7DBB8CDE3336317B6D813A9A859E4AE69BFCD855D261EC89A54C510C4DD2F68CD5D607B299204654F01DE5A8158F2E2BBFCB20857F029A579CB769B3F232A17F546A653D04FEFFBEDF3C6875DB3B1905E73A4C7BB383A6B825C240F047A2B6F6B944B3C51362DD2DCA46D23CB502A7267ACDE99A8E76E63086461EEC706612452E240F97873CA213F9FE6A72E66D91BD3F60D04F7DA7CB059258875F0D458120F0800BDFCEBDFFE2ABE784189406C9BB63F3E807BE88C72CEEA54A55244B481875DC2C736D899D9A928CF02C2B5176D8AC5B64BBA7D949C974E613F41B5CE1B687B91DBEECEB66AEBA8CE8799B3484D9255D54559ADB01D960710D198FA8C5A18EFF47E3399A8E2C386D846BDA56E5D9E7C9478DD563C50D840DC664D105EA92B62C6656E2CCD31955EE7C438256B2275036DEB2380C08D26D26C1E638F7EAE12F5E8539F74516F1340DA7B16A4EBF8ADC93F690FF39B39C612D42F8D4CBD764B2F7CECD12250527810C490B0FF8A3991E3924EAEC03F67BA99759232D00CD58130BB3BE9235E14772462")); test_hash (&nettle_shake128, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("9CE519A1F37B2C70C6F641C076F787E8AB26186EFABEB6CE18EB8E75B0A8EEDE06FD78D326EBB3B049AE484D6AF7B1DAEAD737653717796A34DE1DBCF900FC59B299756398EDCE063C5654205C5FD268AA71A639C35E35D4DEEBFB8DCA17686B58A639F0DA50E1A7938B47A466D03DE7041B5192FDAF036547B7F22D5A23F8B6AC48E7C67B7372AF0E358CF73D2FA922AB3CE823A68B95BC3A543BA236E413A3CC2B3181DF4D3649474213A0F8148836230BAB4AD722B2A3FC446C395977CB3875C06C0031E807C24BE7EA9B025248F1A99C494472CF417A803C69B3FF8880C0D364512166F7E34F9837B5C66931017A4DA3E63998D0F402D5A75212C8042712AE4AF4B4900EFE6C9E1EC5ACA07FC230E6E7834A5A865F2DA71EEC9054427945A913C5345506EE32E6AEFE4EA3E488BA07455D98C94B5078E75E2304F2E85DD9DD4BE18F023D1AC6ABE5924C8E7B8219E3248F14EB4B78B6C16FE2C3AA40B97566AD3BB89154926BAF8820D7E8E4557F8138EDAB423CC0C800DBAEC892482B6155422D2AE3C1E90DFC96AB800FD35DF97092AB0A83A40C7B925514CCA3833BC1FF6B7E25469D6744A117699C481E4EDDE082211E9D94A73A0C29FECDB271E75AD038EED0C7D5B856C1768C4B9749B25811F16B1C408C1F2E3F2BFDCFC8E5A329B675418ABC4809DCDF2A3C4F867AB9E0C0AE28924FCE90802715FD5424E783C4")); test_hash (&nettle_shake128, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("648167774B09A9FBFBFD351051D18F9112D63B066BEAF5070D3780189658FEBEA0A4581DAFC6948EC1FA96F0364EF3D1F2323EFE5294BD76C28632FDDEDA51079E9BCA5C1EFE95F76BCD4593836B9C64D82DD6ED02AD07622BF2B1F7F0B0738E0E3929F49EDAC321268C78D47D853390FDD8F1BB29C6DF469360E75E96493DD4FE5BB2D0816938D5642B87F0344FE4186DDFCCA06643A691BD9272F407D6DF7A1633550F076042277C325152C8673F3FD6C980D6BDE4EAB43018E322DD3647DA183910CF4BCD3464CDFE0D0283E79201553BF03B028FE6F4862953F865C6108BCE672C4DB5503C1D969F87BDC310F7B78D9DF08ADE46F54EF718083F90E60599E41CCE34110BEFBE315E8A0BB91D428DF35AF59CD4F0C8059B6ED68339307280B05C3AA490B7900C13C3E12F1A4A3983DB5F0A620179AF9EF900535E32146C8801C750080E363A6A67E4A9037FC4301FB28B006822598B38DC38DEE16AF9A1127518684BFD4A0920C7267AD52A447CBD6178A0329D4DA146657549CDCED7ECF9C2053541943AFCD508F677549F364D7F793A7B7BB8FF12B7594FF768FAF6DD77B3CEFE97715FE70D8CE8468AEB8266CB09F21285A001AE13D0FC8F29CF8380685034A886DDFE8D3AD57329E6FB92D2A079E5AF01F77AEFD78A29D294A6A8E37E20159408BBA4F10F6FBA5D54D4C4D93B1ACD65D84088ABA61EC29E122EFDCB6E")); test_hash (&nettle_shake128, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("BE4DDBAD9BE9ABC823F65A647910AA06265B547B0234C1AF6A12987000F710016295EA57CC5F30656C56A66F28E85C24567ADF2224011191A045C23D4491E444114392B74BFBC60858E719A67BFDEBC135725DE961EF7A81AB90CE4192107A5CA84AABBFD919BCDB8270E8079E29EDA4C22E130A1F046E5A87A4F2CDFBB4DAFAE337C1FDB5BDD9DEB321704C585D632CBB7A0438427A86CCF7575856B535B2E92A3872F2B5D3C945C16F3547B4779E5798BC82883E850585A7FAE200A47B68FFBAE54B17238D7CB3FA2C9374942523584D85F1485969BF61AF5E117275FAD27577DAAD38EA3702B5DADE3D27B4A2E2A66F88CCDA568D5D4A11E1DDA5D8BA7ED9CBDEC91487C19E1F9A57D59AFE374741D8FC9DF32B3BB60F8FABEA1EAA95289B43D1FE712A50B73BF68CAD16AA25A1DD95D80A0F174061A01D9F18509589188D186BDB991AC9A41423BAF9154210ED6CB098D6844699F07A388EEE76E8DBA801276F6D2AA7965065F3C923AB64620DA1E17A444790F9B7B326A3579B9A5EA5FEC313D294F97FC846D721945B6ADDE91B66454FF2F2A81CFA19F6B45C51D07BE8216FE7C1E052A24904B2EC2E9929314CD9DA48450BEB8FFED8C499816C078AEB2A1B52F07B5917DEC0A7BEEC2B83F778BFB15CE413C9A4307CCB7C83C879824D0CFCCC4B3AECC519326FFAB353E37C59BB99FFBEB44A95BEB1DAD25843BECC51")); test_hash (&nettle_shake128, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("2378C76E867947E94C0383861E60E659401B1177BDC1133FBDFBA3552B458DCF1BA41C825ED8F41F7F8C8986B0A47B25BFD5F0294FDC707C8389560BE932C582E2B5C63CD85754E9D96A9725C12AD234B887FD5E96CCD52507BC564F59E2E0A8FE89A444AA3542C2B302D1B9F8F3D41F1C960E1867A4FE64D5F6216E64199F3D66FE4BD22ABE7B23EF97328F5FDB5CD502A118000E0606D31560C2CBD4CB7EBF90A0AA1826CB32AC85156B678198D225F4D58D3076FFF881D9E6815DAE811E7A04191602E4287F72C95A497C2DC47C925B7B1B78BEF334B153566A8B46AC8F6CC0765300E970B12ADF8E0DFACCA6A59092891D73ED55DD624A2464509FB5610BE2AE0696097D5645CBC9E992B7F1F39005EEA0AE0A8B55ADA1F28EC2A544266462E6A3BA97A000EA722701690007EA7FD41FB3F83BF85D5E19AB140F2FFE6DD70F199B7995997EEC43B98ABCA0E7902442D0F14E7E4B288A83F8E4F5287F78F57A2DF951D62BDB9B9CFDF3D28F0374BBD3B4AB955244AE444E23988721E5B3C4F536A80FBB7114DE769D587600C92539D92C3B2621C679064693BD9893BED3C353AF5347707B6586912D6CED5903ABB41DBCD5B4BB67EF2A315F8BFD23073D76715E869F474DF6F5C98E3C1E65117B1844B03835187A6B2AE054EAE51797DE704C7D4C88A258EFB12D1FD618D9E95C4AE37EA0F54EFFE216C71A0F0514BD569B")); test_hash (&nettle_shake128, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("66C5253CB16C479B2D7B63E7DB76CA275F14319DACC1D00C08A7E170D97366638949FE0FE252448D9749EC105105E8BB483224076FA9204F9A4585F150EAADD931B5D895EDD8F2AE37E30FD991174064F7CD93B03434C22A8E5CD27CFE19B5D8F4BD405A9D182E4D7F9A2B009C68EF4798A469662E40467AD626FDD0553B0EE86320B3DB087C096B54FD9F367199AAE4490F796BFE72DF10756BB10E336DBA6305B686A291D1097FD9DCB1A629F38D2ED30B87A8F5C1EA1A2AE384BD5F316BF112F6BED8DDC50B4E17509C3D194750D02AE76FC1105753B07130861E866E89B2DF9C498C87BA2B9161753303E0DB34FA6A523A6BBCB262D3C644D1EC88F9FE1710A65290DB69FF847D850107E028EE6CF444E5AA986C98D3D5585D66B4FAFA1331FF4A6F54EACD712F39FCB234F4D4CB8C992D079471A269CD3D3F733F0806A78BFC30F8FB3AA97F2F2AD36E8AB019D7E833855299EBC91CA512FB226D797226486153133858649C31CE43308E6E0499EDE16AF5FCC5CC9593A71BEED6206063D471A79F65E640B8C20A131FB15439B9F35D6053DBA46B2F2682281E9572720BD3945CAC603E61E82BCE2144A19DC1F254179E011D096BD9FB2CAF77BDA529BF7F654118D5DB1CD2F973F55EC7B11AB616E731955752FD8347718CFDB2CF6EB6551C449CA601299166DD7E10EBA447DF8C29E96436B6834F162D7987D9F55B12")); test_hash (&nettle_shake128, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("0128B09A01815373846EB62037245B4BF522303FFF74A76B0AC17482AD79E0BB2686871B1916DF154A7506985F2A3A6D86074C988C2FA255DDC266CB8EFFDE2D0275BD3360C1E920595E185EDA95B54A0B02D6BAD88F63509C5B816CD375C0281D1FE29F11318BD35E4AFE0CDF51B9C7CCEA285787FA74A72878DD3878565606F4889D3454913B0DCB7ABC4B2F08FA3F2AAEB6856A25185A00B1BE8A8BC7A9A34670793923647AE426BB98C75E45896D4DB8A990D2712401694E202EF2E3F33DF1120EA9E821A874E67F37648A898CCD759A1DB6FA6FD5C14756538F725C468BD3C0B6973A7592C8CF0091D347174E8D954E5795D360C4DE1D0785FE45B71DA884659C98BAC3005E5BD88817450359B51510AD95F16F08ECC64CB9842F0F8EA005315F6CB17C1CF6E01BA64F6847EBD4472DB1AFFCBC0E7B7F5EE8DC5DD18B148BC542CF0987E294AFF2EDB3EE60C8AA4B8BFBD42433243D55B4B9E00CCDED77251F789AAD74681880AC765B21E01D499553ACEFA48456A7E70A9A39163C2E089F26C94733DD63EAC1D2BCA7082145402FD762665C3F72760DCFF13CA4E80F504148144054B714573381C7770C33E07D3A787ACC072F3C35B9573FCDC352CD87BE8653618D159F78BAF16ECF6F8E316A97ACDF4BCE2C65CA1BC98F257914FCE9BE62E899CA3BA40A98A57AFC3D63B0B0B92B69FD0DF0451D7F34297523A99D58")); test_hash (&nettle_shake128, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("FB206D80AA1D2AF8CE64890D3FA84600F80423AA98447792F732FCE4716E559F7FD4338BAFA60937781B68736603B7A86F1688A2EC60880F6A90781DC8BA3D9B329D662DE842961AC84D8FC876449DD8C393441767206188D561AF59BEFE6B91E365413A5F357622A670E22E730183358F9689E70F1B0D09CA9924903379394F516003E37B800602EDB84912492288A2E09B46BACFA3F4677D2B24605A584B3CE3174FCD1AE4DEBDC99C9A75EA7F4E770E2EF184F801E4D111EE5B11950B29376FF19B30A50C4DF93A82EC891A321F9A6EA1E0F96EDA2FA0C2FC176D5151A6DAE7C9536AB17BA47AE31AD69B2AF9248E5236AA58D7B864202512E5356DA226D5750CE12C062733BD73B7163812EFD452FFC4CDD8E5611996E23CC0A5824C5AE4ABB59A5DAE40563965483B66437B1E75369FF6AB31ABFB34581CCD00CA76CF72AF7ECA65824A46A48FB88C8ACA06CBC5D3785DB3AB78BB1174354C7AFFA85086444D3EC92538CAB178023E46C7E5E5EA2FEE1A970F41D374A73FA6D477D224F095A829AE8E0835D197DC66D1DEDAB9427DC085A6A95C4F065CF656AD1146ED0C45EE7BCF9F6185358702685E9539C921501E3338C2A6DF7B5F25BB248E567F2173164CDCBD8DAF0130879CA8362CC6CA28F531D81D607258B66D589EAA9CD5A22FD7490B9A01CB6C0958C2820FF832EB94F0E0CA959B93DCAE56A4FB52981F09")); test_hash (&nettle_shake128, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("EB74359AE344B26E3533947E26CEFBE809935CE7CE0D597D1C4125542FFBF1783052E0F90A402D7888CCA5F96CE9D874C600B2E026BA4E79ED427F3DA96448BEEF4701C27CA31860790156E93B12A9F42929A8F8D9771CA3BB59ACE00C4732983997DCAC1046E574EB9E5C912AD4E3813001C86C91B6385E92DFE92FF5CF90652680392A33F6A1937A77DF9B9EF2556643308029DC5B5FE23AC9B567E6C81D0E909A279E58215D22132ED83DCF743065C0CB16EB7B991F842125254BAC71D80B64F205D799F698F0FDF7EA19C9234357C5838A0BF6ADD176416DB3324CB07B543156C38C2FFB0DF104FE3884A6B8F03B0E751B3824FD097FBD3557C5B9C962E9FB29175D1F20799FF6AD9843E1A5B64B2E69FE39F77C2D1A3FD3ADB8672D1771FD6769C54775DF97B0964E14B2B326362D9792C0C4CDC37AFF30DC3D007AC62141D370F0984F4B3D16B87FEF8028792CA92CE6620952D766474566C1E96DF672F3C335BF2949228006BE2B1912C0DDFE66BA6648EB6EA8624B5DBBDEC70BD0A745434DC5404C7AC7DCC94197F8C48FA381A5E8E7FFD1C35442C04EE2378D2761B3647A7637423300CC09910B9A4EF90D4992A8FF8FAA3B6138AD01E7C3C89660E963BB2422649589DF53D5181479CD55A55B1B2807ED120FA9777ACFF785225129AB1802EC247C48DB4BBC284768BDC155D77B072D686462D831491C80752E13")); test_hash (&nettle_shake128, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("691033AB5C34D52ACBB6EAE6A669CFB53C39A8020A6EBE9600ACA2D9A2ACFC898A0DAC7796D46E6F304550A8894A9E1C516A1A127287D4EF74E9A403D326DABE1FC548D1AA1323C2AC40938708D7872960E11248235D2AA39CF3ED88A18F8A2FC2794174DBD4C1FB8C686B37641C7CDDC565683F0D173952D2C1DC26ED5F5B806C127114910892B1BA0B0EB07C20AEF016AC83A78C152B4C4EC41CCD8974D93E686F52CA8656DA6D85BEBDE10C4447005278630595379F57C529C4EE94B8E4100AB930206D9CCEE8811FAC2F1B5425B6F0740FBAF2F8470A9985B77865750326CD60F855F4427F6EBBAA27CDF0A0444FF278BC22A55BCA5F90A58B27D792EE6E8998E94819B673B725079C95F0EAE473F62C09D9BB1060EE9F6263950150461A13D758B8DA498284F8F355259B2B332AE9117D2A35E0E09BC8CA406C14E8799CCBF0592BFBFB40C1DA7B5A88609D71093B46A91FBE94C78A6C9CE9C81A2E189BD832DD746CE19CA3AC9F56572FA691CB506CAE417F405088BBC6425118BDBC0C99F97702029C177D8EC398DFC19A98AE3A3F86AE1A8122ADC5952B1891269C46821C1561B21E4B47F36904FF7C6814C0A08B6045400BE72EC1E647887E27AF46EA49C9EC4FF621E544390BF60429CDF1307C93A3A1C8FAE2EFB6062B9314A06FAAE8F84481A369B64234ECEA944EC6FB3CFA31258017DDB373C55A64C0F9E74F")); test_hash (&nettle_shake128, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("68E791106DA01933EC70EB650AC2F03EEF1685213522F2E88EA7F8DFAF92AABE75EA0D169D9BC11D13E294338A57295279B28B41D8A4B738CFFD629FD4D7D5D8AC7B4304E384DB31B0328391C19CA9D381E66D41816E647ACB66F312A418795C0D65FDAA6E25AA24811022C2BE529C83BE47274E8C01D4A2710D6AB8BDF095566F1B3DBDA7D4F1BB5BBD3EAFD4486AFE67B682066B8CECD447B9C2E9E9416F2CE5CA8CA1282B4AE9BBD7C842F776BFF7372591CB3EED785C82A27076470ECA15A33D5B38AE02FCCCE396326F1BBE28995C0F8DDE42C09182995F143A0F2D4427E8F2497F0B257CCBBA286C2FB7885B642494F933B584B0CA83B545FF1521F67EC8E5AE4D93FC82544FC20778CE197F3A2F64EF3D9CA583A0D821A5151F462CD70C83724F9976457EE49D3CAEDF9B6CF0AB72FE7DC0C9F41F9C5ECD12D5F2D8BD6EDB2CBE11F0462D36CF248A9552B0265E386DD44B9853F0AC63FECE4F860107903F8DB2E1F6F4017F05338FEE8467C0C40720663B54F556464F4E87F20192299EFC178BC73FBBF350782520900644265863223BB42A5ED2E416B9D31F3021EBDBA693CD56C4B17EAE16D1A10A381713AE39D5AD6A220CDA8A91ADFCFAC51C65D03910DF4AAB7F7BC1CA49CA6AD08EDFCC976DE0229AE9D379E067AA9B3FC3A6CD0DBD7D1FC63C4AC2116F9BD3CD70B94A53B71987C17F65D5E77AD5674CC16F")); test_hash (&nettle_shake128, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("3AD90F57FCFFBB40076CB98869510BE446F8161AE4F37F57939F8084CDCDB4E64DC7F380FEF8B68CF274780A6A5FF31B1D573942E717470742E891B084E24F9441D27F7FAE86A8278E84601B9D4830AD9FAEC738FBBF86AA299653C2ECA3B233EA2D1350DE9FEAFA76FB8986010A26EDDFCF33FE976071B3C719EA15A2298D060F5AF88E3F06FFB4C70AB13886686B8643843C65BD882C924E760B9D78D705B78B2ED14980E9E89D6E99E8945B3A92B9AC282642651D94600D8E5E583A59BAE4CF6C4A38353B90894A7AFF2881BBE06464FECD3A54B2726A55FEC0FE5BB75F403DEFAB989F75DC04123F5563999D1503413412E16D671969AD0D97A6808B1957A7481D32BCCBDEEC7809A90343EE59C84CD6AD134529CEC5E42A31843BCCA3449DD3A2E075998788811A601A3661E241A88406071B90C88799F370DC83B440C9247DFFAB2955DC5EF8BAE47C1AD9157CD0F5DB61FA245D7179A8768BB3B2DA7AE28129258FB8A22F9FD4A7906432EAE33158D4AC1550E379EFEB091C883A0102F7DAEBEC2AA4EACD277A7E45DC03CC85FE952D326C3521BFF980E16BB00426D2138A9F32593CD1355EB7CCDE7FAFA16AD8638A9C16CE34920879E753C723C494E4F8B18251D20EC437FD42FB178017E7569647720D309097C982AFF3D6C54AB23DFC665023A01B3990E6A8999E7037C0405A4CAB91876BB660FAEE8AC30FDB9B")); test_hash (&nettle_shake128, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("58B040B46002BC13D05C76E840037B3EB08DD51881CA6281595D39B8B12D1C15F9CD40D94DAD00469BF5EB73205FC649C501B57A33F4EB39A7FD76769A6EB0F84BCF985C6ACB281E4989F5EDA5E823C31E94F41E577B0069809E1C3B09F4480677D56C487CA148DD5260027BD9EF399A3F08F5F5BE869AC7A403B53532B9775DDEF6B80918BF367AF8700D6B9E75FDCC45EB405D37E9A9D7F9BFE2517FB5BA5225C72AA292AC7835A5BF4FA245E782EA67081448F31854F91F21DF99BC13C615A67ADAD644FA6336B2288F1E29C649341C6A4959E5060A99F69981A10FECC30E29CC7784153816BD228FD7859186375FD66DCC78EE4AA5E9DC0B190FB8A6CF2CE15C7F3E0B54597A559BDCE7BCFAB8FCD25EB0E0C7DF02882CA67E2F04E6266558C7F36FD0A2BED459B50FA2D883C9B86AC8E40A8E92F4099CABBEE9E7FD1282F06B3D590897BDAFD8643729B09B47544BA3F3AE28DEFC3DEE3CD6586B340835F3AD34D6E16053E2AC94B5CBD4FCBBCE2D0245421AF021E6E0C55C53584CC917D99818D4F0585AD66500AFB13C7CF90B233D01DFDDC738C325E20B63CF82A307F44C543BE58974110BDAECF43468C902429DBFB0458936F67CB59C4E4415B5D03109E88451989CCED136DBA9002752CF608423CA52483B4253D24E5B45443016DEE2D75E7EB9DE415A148C439052621AC1DF79E60CB585A4B08CA70286C77949")); test_hash (&nettle_shake128, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("D0E4650C52BD1FF64C2F5B7853E8A906D7457B67CBEA12322B5D1D5BCB8C3EBF49CC6DFE8FB41895131956661C772D2B90DF4BD6B379715278C9E72B6FD93C3968FBFD3194C2C527D15C6311F1990DC2ABEE5B6645711251B3D39202C9D3FB147B39D1D3DA108254FF8DEADDAE6599E17C301BC18DEEF2A9BA8FD035A084D5917FB9E4E56FA6EE7731332B50CA3D2BD069F793AC6867448697395CC5147481F9F6499433D6242502EA1E6226A88068032F656FC8D509D041F1D0978EBD4F2EB347E75758A29287F5BE37F9D6C14E4934E5E16806D6DE41FF8268BCAEC27E999A7BA73B2131147FE05F9EE8A491E47A3A7C8CC93E6D2DB374BD5E091810F0D7103215726A6F80D62C19D9BEB92DDAE8C459002376F58511792CFBE7A2158EBBA922656ED88163072BF6667F121747F05B84D470193ECC8BBFAB750D162CEE7139EFECF889ACCEFB6CEC328A184F5CBAECEE51119A87CD21110FC20EE85560CC979362C12F1C7665ABE62D5ADA62DA0FF3682B32C6DA7150841205BFC43735741E07363B9CB15DAEDB03352BDFF62CF00399CC429A8A25CA1CC765AED117B72917B25CD2729CF46F92D8D3F1131AF9B6BF16226140CB57BE5C96CB2E4A369D226FA82BF0DF3FE2A4EE373434C5CA68682C0C594B783A0B2FA6604EF3828510E1C360A617588AC81BA8D1C18C23A30D245DADCD1C6893D3809D6EB305E538F39DCA")); test_hash (&nettle_shake128, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("1EAE5DF54490647FF03985658785B5BC1480D5DDF3EB3A1FE649520E07C0174FDF1DDE9A8518879833D64A99F3255568223E2DD0C9A67BAABDF222C2A314936CD57578395288D40DD047D67ADF8289207C6C672023E25A5F66D2BAADBE2972EA32516AB753CA37AD5F436A94CFD62182B7D68EE0E7A016C8540840D1EADB3A158D88A9E7C90F551FE857C17265AC59BBA6947F24582319490817B99A591978CA945D4D0F23499DD3AA73216B7C28EEDB5C8F3C0851859D6BA9B04DC67FDB4BAE4D73BA540E66536BEFE2FFBB5DAAF91CEB627CF4869327C5D3C2CE79700795E7975A8C6F9C07B95265614DF45E50EA89DDF9FF5F2AB150629937B9197E543CA30086E829AFBDE5524DC1064AD96FFB4D83EA91CE7CA8843C4B1A9722872057B0AC9CE57E7C97D22CC06FF1F74658AA28BF398EDE9F186AF6E485D6408CA4A4564689183AD52EC0F38250CDD837D684A1E4FAE12306D066F2F1ACD56797F1DE2A9DE8095DD464BA58D5B2D58F9312F1779EB2B2ADF1773F82FBAC43B18EA5B0CC9FE2FFBD9D2AFDF61026363817B795A2590336EE1855384E2A26C7E15E8706AEF41C671F2D8E2A0EA2B0A558CB35A80952825C845875B2A907E84397E2A3D125F64C313C15DCF0CDC6637176A58FF6C0BE30315863C64A21A1FA147AF0ECEDC22FDBFA9CB892FB17D26C460B7ECEC9713E90A46499BC30CD2735FE98B13E5FDF")); test_hash (&nettle_shake128, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("A8A37D45AACB607C3A2DD97A43E22E226F11EAA21DAFFB8ECE97E42DF057DDC9459EAE2AD1C04ABD300833E6D63600320EE9E368CD2DEB5E38ED7726C583FC9EB411C193C42DD8A1D5577ACA20B889A5382C0F1A59256BEE99AA09A6B2CC7296A8DE514CE14173E683268746738C2F8EB29D6F51AC434BF51872BE626241E43183F6C7621479B62739B975B6F25E63D9668D3198E82E66E9E5FB871DF0AD3A06DA385C4A7FC914CB371DC1EAA929583F14DB910C8883C7B90635E5D3FB5A3652E98AB62AC884C885C4606E8F453B89BADB15F7B9DE49EFBDBD210859AFC079FD2A1FD82ED87949AF0906B5E75E561102739D4CC58AC9420694F5C043DDC463E0438E3851AB841CE31D994E1FE378EF75E7F979B7801A284AA8BE26222B2BAF06857E8ED6765C9C040798B2A6520E56877C1E4297AA43A860F734A6667C1613C0EA76EB70435BD64D34B11728113BC5CA24734A41F3203641D931CFC74E46F3D23037E3878740A6B152A77BB10791E09420B288D89E06DBD6B882913589D82DCD808918AC853ADE79B7B8104637F8C73940890AB44E31DEA7830F2BC08C26EBA38E3B1B198650A9191F366D90BFE1A4CAA7E03DB8357BD8258F13E5BE051E638689E99BFA6DBB5E2A623BA8B2107AB7A4C7551918A1C023F1FE7DD5564861FAFF0060E30C14941379117A3D1845842D935C4072B28913A3C89D1A63D4658048B8")); test_hash (&nettle_shake128, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("140DFA98962AB4D69B6063B0252DE5E4D65E4C00A9BE1F8EDE781A54011D1DB01366193A4235F6E7D684B847B2DC4A0A5239589B4C0266817DC37D850E5B23A40B50A6D9D1BAE6E64FDA20A3D27F933AE866F9C8F00D455D97BC71D5F5A7C9778CC8FE1596191C2B1882DCEBCD37A9A8C3605359E886942B04EBBCAC83FE730B84BA3B4B3022E0B1A1110EB4D23D2E2D05D77C230E36A1ACCB885C0FAAA312B7F975CF8DA5D6B118ED773C5F1C75366E16A1AC75BE309EB328DA88C9FEDD1A13C84E2F856EB0DBB249B3C166F9CFE917A93A3EF624DD4782B1F84B3E2ED70E493615D6BA9928886A59617A35AEFED5B46D773FD5B22CBA302205CCD97426B7095872BBC7D1932F6157BD3FC9D4A2182FBBCF4BEAB71A026AA212BD8CCC81EEE265E4F53390740E3E9B1E37CA3A7C3A4FA824D0AFAAAB7CC89C35756D8F80896E8686260CCD94857870490AA8AEE2FD3842C62A256107A7A06F87894EE70D218B6166EEB67B6F711D421C45FF2CCC903DD1683D12EB5EBB9464EC0B3C92CB62EA6CBF37591B61E6BE15FCEB0C1731B42D8D3587762167C3A43F62FF57D58F2A2247CDF43CB756F6A25FCE0084D74BAA73A8CE12E41953C03C2A9FF94468A69C03C2B5F6B85A2F16397326C7DD562E90F8439E720C1AC0B4273A7DDCB71581DB1D6A57BA4E028BB96462DC54CEC9EBE36C704C44E5F60D04B993454DAF405795E2")); test_hash (&nettle_shake128, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("F0FC5662D4D28B3235E49CFF708D90BCAB50764C4081E2F30F0479573ED4FCADA1A85443D1369E09CAAD970570A4CE3D8EAB46CCCE3E48DF5F26C68C7485911286DDB1B369D13079498653B21E3BA7FBA9007500BE927490336082C1D7FA5B78BB741C459177C05E6294DEE054FBE526D983B496E731B3379DE525493733305DA1E1E09612CD179EFAB1E6E67AFCCF60776E319651CE1A1FC66AC945BEC6C45A99A5BD7763ABA920314F04E67EE193484E54461C68E67A922DAF9205FAF10F4653541F2A5CAAE6D28449CC919341CE63939A0433A9DBD307020E80B65AB7B2AB39A9C29D167DCFC05624860B50B0C3FC3986B020B48F5FCF00C3A6BD8FFBEC6A34ADD7E97B106B4C1DAA9E5EF91B797C55DE36B88E9AC19B301979BEBF36FB86F4F72A6560A4125BC1F657769F89CFB1F3A29B2A0287072740E52A60C1C898EA42CD9FCFCB3987A015DEDD297F8382D639CD7118CA85255D1F98ABF1F5D94649A161082D7D5944B2B4EFE4975D5EA38138B91AB5B61A790349D5463D2DD278196364115C18B95F916EEEBD71A21DE18C9AEB22566D3AEF009A84AB5479222EF8F37DD29C7B22D0F1627C25EE467607F86DEBD8267A493CE5C361A6F6126DBC8263B6FA5D5C9B9F8AC9FDDA42FAD433BC9A76A218C1134C1CB5F03F3F7387E245089A5B18C96DF31211B5983214B64FF3E1D90BC234A2F5EF7E993C8F4E5FA9BE")); test_hash (&nettle_shake128, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("AAC37FF9FA6F64049B4D72457C87BEE3FFC23044ABE0F1D121392401B60E3FEC089D4AE3340961915BBC79DCA9337C4A02EE99AB932B346375169057E8BC731FAA49422CF5296122471580AE4263B6C01D8BF9C7F736A4CB652AA5E3521BDFCE2CE11332E53236EE4F613B2800C28E5907D2C3214F6071611496F80594193DCC09AFCE3EAB1769A5FA2DF9ABE16AB019759A07154D21C3365DC20BDD7C9ECA82045092EA5405B56861BBA693F322871BDD64E2E41985775ED7A3F1095C74EBDCA15B9EB9F2B86234967DB868A082A146A439746901EBA5DABDE0F133D99C89A4D6F769D1C6FB1758B3CB1E8986A025F5AC2A8D6F1A9AEB66DD3C41D41221706A4824CFAC6A6DB69E3D157244294B9D25B59274B1FDF992988F3F18B91FD78767ECCD352B7CCD335F96D3B3913902C885C470C2F7D2B00A92269709863E77D3FB4EA1C80CB58C9CFD996E0C6FB85F3BB5308B95E8B43555CCD4B589829DA442BBCBF0A5C7B9B24E3DE846E9E8433F1A4A326ABC7AF83A5BBCFE9B4BD848414B2560C58B3E9A3CAD48F860BA46A5111D0AB629B91369A964BF22B5C2C6DC5C3A521DE18DFCC43BB2E641AFC466B75FC3529BC4B99B843A809773DD2130452E61EC162FCCCB0A94B3AB0848EBD59C9FC25E84349CD2154E5E326CF2B97071E7C47F0F574D11729EEDADB3D0DD0FC69A7F7224891EFABE76942808D6459217F06A7D")); test_hash (&nettle_shake128, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("3930D75F8AEC436928F62AC548FD6B215C2E6FC22E918690F0CD699A0CB1AC218BE324232295546CB3C421E939222827890A8FC563F6DC455B7D0CAF24C7B1BE44256DE645EBFD281F263C9006F78A69E8939809538A74E646E75C4D23CD06EF68B617E6C5D36C85348373FCFCCF19AA3BD69E18CA670091D2B50B0C2A3AAAE21FBEFF894A189512F4EEF17258AF048D073179F450D366295F609567EEA83CB6A2E2B8170F69E739DB47874E1F249AC9595442571D100CED32C151ED4399F5AEC97875142EC1E8B748A9FA5C3EDE5548B875E60A224D9830419E233FC9A88CF0F937566EB289591916C1D159BD68B380F784BD3E6A00D4C785694F38FE3D8FBFDE5063B91FA397AFCA0731B97294269EF8157B531B08E15CC52AC8E5E768E6DD3905BB9E1B462481AFA989441CF0780CE6B1926D71940D4EC82521A4347992B37AF9970F47658B05AB54A617275F51FD723A35E72F9F965BA4330569573A58A0021E1DAB0AF22EA03E1BFE1E88EB2D2B97E5857793FE7B63371F3569C77A77E331924DCFA9FB8072F4EAF3A78FB6462A5C68F26D034BFC0B3BC8ADA4992C66B4C8B2F0489A446B26333146B4420CF2B5AEB41934B3CC05B7ACE62AF74997B797C82845F4C4D7FED571879D255EB34482B86383E924D45B4C9EF52E76FF236A0DAA1C9F6D342BFF82305FCC88F8B13FBB724A9FE732CB33A6D53D95753FB350C4")); test_hash (&nettle_shake128, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("1C8C8643B1FA6B0D217D21E542850127895DD4E455DFD136C4E221787A8F3CAF76478BDE517C7DC3EDB97C8AD824292EDF671BC4874044B96A109BB5821858E544090E892B3EEACB739AF35EB05DCE51B131394C9972247F1C0D7D335D18B9355509BBE94C4DEBB0C1B18614CF3FA8119B70FCF5B59E37673B470CAB14302D805BC32352B340FB71F7E824EFDF2732EF3D74998A5AD70898115C9CBFF3D5067EF05D859FF932304A5AC5F6AFC46C879F0BEF369ECD7B5065ACB19C655F7FC2DEA4DD7AD38A2AE841A67EC1EB4869EC285B5A517C930350D7CBB9C61CDBA188553B9D4EF140DD1A8ED312822E79EA68662BBB1AC3643AA56DE5991F5F128F036B32023CE34B7A7AF7CC43D6B67DEADA4849BFFEC361699AC7175311195822382051BBE20565552014D6A4343CD94F7F4AA705E1D5388AFE2D96BBE8010FA0E82305B94B70AD954BD5F6FBDEAF090AC510B75CC91DB450EB522183371D6B9D09D3FCA171FD10174ACF3FC47D915619DC0D06D8567C4E8875D0216DE9C7AC1E7D1758DD59573273886897382CE8E77552961D51ED0B87FFCA38BDB6734A23FE0C9A403ABB4FED73DCD504289E7E14906A10B121A57B94C2C37542EA833C55C1130AD70F753C9A368F7C7D1B51450BBBE794F2824713153F83FE6AF09545ED91F0E39FA732205025A49E1538FF7DAAED5B72EEC88862DC0213A012239DEBD24FCB07")); test_hash (&nettle_shake128, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("1DA38DF421AADB3DA692F4987E171113E15D3685DB1017EBBFD07BB68DB236903F3CD3EC679B6BC9004072E90ECBD0FE0F2FC4F5531D24FA6F25BC6EAF4B545A2149517CE19971E3AFB866DAA702DCB94982446E7AF77418164C5E92EDB14D98EA0DC32A3E0BFEA4E71E9C8F58A751578200772A1E0460083021552FEDA426AEC69346E0FD31FAE18B894B67DC38D7E54B662CE051A8453C1DB20F55095C177F5883625D40BC4B49965C48C4A1188954C50DFAE423A12315DEEE0FEB3548AA9752432CD6857AAF42BF80472178D0714D777135898F71D838058F9F31E6AC92D819C44775C2EDE28038E565DC33F1A157D8715AE67AB993179469D6C98E8574A7D8FF2A5F12353F18544E2D623AA42AF85159438F247AA947922A5AAF98BD562AE54599783853CBFA5CB67EB1FC36CFBE5AF1C18C99D867CB02966D90EA8ED648831A2228657972642A17DD34FD43C11CD7D407CAC86E20D8816E69763B60294C19497C151620A2B93B3B3E87639C233C17B9B865E920F6EAB6C72218A182DD46177A7AD18E3775FC0A5A0EC956B5E92D8B48A22A6364006BFD2843B3EA4CB63B8C0AC10970853D196918DFD513D4E1A1558EBD3D4C60BA253078417304A50851BCB6E41B5758A08BE338D62B0021851A42962313C11BAAA95E434F6329FD5D6C85D67A665A675CA527C555C77C7435786BDB8D9642050931C57CB79AEE5973AA")); test_hash (&nettle_shake128, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("660BA471FA9414C985A47B1941804295ADAE88BC1BA145DEFB407AD66F193BE41EEE4E0F71D175F6D1D65C4B227A899E0D282AC714E50E3002AAF8696B00A736A60C9CCF94D15E46DB68228BA174DAE1575138D3F9EB76CB16FB09A50A6F7024206D4A02277D2D0B53F189CD8E45E85F4C0FADFA235C963A9A63743D88FADFA6CB99BF47F32488B4E009B47F7BF59A01BD92C0B6E771E8784B67A0AEED96B29E6A1B110B868B144105B85C11CC01C589A89342DD456E154A0D2A638FEFEB03058CCB301FD551294251D32B3F03BD62AC5ECF5A249940C2401F751A9FCF036A384ED26F569D227235CB47673F7003C4EFB36676044D09CD586A54D744AB4922BB337D4436C4BC76CF4A478D1CFF7F7D97EE2DAE912C5BEC910FEF7BAFF0BC9E32DF5ACE8DAB30840A31CA192E258A4141275534361977D2FC22EB1C1BB62A21B893A65B16C45ADDD3032F2CCAE38BEB6DE32E1B5FC70214E2BE1B7BCDECAFD744F82EDCEC99F92D46AA66044EFFF26EF3BCE081A19F1B7392C68D2414D92D426D78B4BBED4AA32D05BEA547A8DCCA688CEF6B0BC754FAE7C13915B97478BFA72EBD409FBA5AE48CC89B37918F04C068AA1883F2A950675761120989A9F7821799F5EB64C07299ADE85E1DC1BB488BCA7B96BA7F04D49CAB2B41803F17BB94CBF04B641E140D8686EEDCE954ED1A712BDE789C31F02F721F467E167C3E9B035687")); test_hash (&nettle_shake128, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("9D027F5434C6F6EC15B26BF3D61F31D81D46C0FF426D4209E0FD3F9A3E01D0AF5BAFEA98F9E3FB66E8390AA2ED009C0D6DBA82B3E36CED600FE79C0F50EB1C1F7530F20D51782C13A79AB1D0BC655112D745043911B5A9524E6EC88122CDDAF702C34FA8840E8785A7046B6794E623526826B471CD9F62CF9AF02E398C077C7F8608730578AD22A44CDA39DF8F101CCF21052C52FC12967DDFC77C153D8068A2B0B783376FE56B1DACD9A0B3E87645132BEC0F3C2C9A521DEAC286750C2C42B4A29B29144FB1B0F5CC997AD57D04BEA965343843788DABA5600A7AC5403D649097EB402205CE4BB12EF836FD4B7CEFF704F8A2BACA5D6381504793F1C6B47D15DFA45F749A28C7FC16C695A0BEF69437AD3F8C8D3DA5386A6D9752529EBCD84CF92D641A4CA1755177BF7E16CA144E270E4191EA26BFB144528521D32DFA8319FE37CD026E5F707F81DEE84327CD0B74C05CF69543E94848CE616FC118F73206B132F0257925B8D93DB60FA6E034D27A65EA0B2EB18056CC4690BE78D9BDCB4DEB61FE5089C58AD8CD08DB2AC9A2C2B0811EF71309DB1831D9ED1032A1267D3152E4ADBF2042EA48069D0519FC5B03A5375EB355BCC327766B4B3559737DD4EACDBDF5B28F121E7C13EEE9A8C10E66F22CC80EC40AE72CEB0B2821BB7215CC9E645B65E766076AB78D04771DA21B501987F8BAD685C6EEE40C9F60605DA631CD")); test_hash (&nettle_shake128, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("3951B52498F3C2E30411A6D89C55340A73066B36B1AE55D9C95142FA1EE13EE8B7296074D82E44D752EE29705606D823809786DF5A2312F8922E4C50FF0D7297B864FCC3BD81311D69D2657169773C41A8F7F0E62E076F5C0055DA042DDE07D82172BFFEFBBB031FB715546CA47903895DCB4807B9C435D16F90C41AB7836A53454E089A25951545F0B39A849F329AE9568A3640F08329B0422807AB15461F6C67E1A1E5B8439F4D0613C5B4A8CE10AC1DB59DA2CFDC1F8FA78C60E88A7E6C0F2488AFEBE16BBCA680EE65BB53421E29C8238B7F0D1387C60EAC50ECB43AF4FF075520199BEE31641CA433F35D62B96FE477C304265002440018E4A4C656679189ECA635FE4090724784F56DB38563EF05A8EBDA4271ADCE14B8644BAF09B83574DDB6803997AC473BF537F0F93A2FBBD0E0C75C387F21EDB2EEBE0088CE8886E6FA9952DB209BC16E624A72DA33878538549AA8F955CABA17947FBEB6A304EB9B1B494A197814EE4281A74334F71780455A352EE1586BF298361C40140C3B6A384167632D7EFD7F3FD327E18769DD481444400B669BE07EDDFD2783962751896B703B3E196EDC111411DB17531B96D0557066DD6D2FA3EABE0E4735837D1DA7BEA7543D6B591E55B2D95D46F822CFAB994770F8F51A58BCFC10B4A7DC9C8A645937F5AFF66A59687457CA35C42DC2C9D75EE0AAFD9BEF334D12DC33BC0881A9")); test_hash (&nettle_shake128, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("B21B2ED68FA53BF4EDFB8EE5282964C8FC370A702A229D3C4BF87DFA5279B1AE2FBC85A00067F8407F586B52B5F1AAF97716025EC2E292206E18570AD50CB51E072A7A06781EB9E1B1B23C576C689DEEC4DA40513361B413F513A0EC21491F0E6EFB792688519C1E6B0760B3E1DE34890C2BBB5C3A44DAC9B0B0EF2B1B4CC4E30DA7F93F52D656712EB12DFCF30C80273FE5A8F42B909AA2C9E1E9C82199418AB858E1B8897AD632C0C030C9F56776378A86DF63A5CC284ADAFCEF50DF97847DE927F296E63933FC174EB3009C5580CFE39B77BF359A865DED988D3BB631256DE6EB736C637693DC5798429498609A6201C6E9CACD7782DEE77B3BD4728BA32A0DA88A14212BD204292B6EEFD0C7EC1814B7002D8FCB08975D4A9C62100F94404CFD32EBF49407BA4C6697CD65D7C40951CE7774234C4A793265CAE9037020E35D38C9C016B15D214550A94F6B245DC4F5B9B1C8298D683AC59ACBF177F266F1818628B4174D66129C057B1336F718F67D5CE7A3627E31D8E64CAB4BAA5E89B7B2971B4C82D23C36305B01D30F830BAEB2CACA3BAEDA18F912E4DBCB1F5CDCFA9F562E3BE2B01826EEF5CF0D80DA116765E0D467352264C8A9C1242F74D98D35F77472CA4DF8234E76F7600B6052E7516C514695BBCFC1793A9C9AF512E1D2EDD7490D8BE500710B305F9F54FFE4D87B50776A29C222B09F1913E71F63AEDB32")); test_hash (&nettle_shake128, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("0A7A5CBFC9ED4A55B8C8CFE99E9D71D4EC34AA1C4FE8A69A39DDD2C0E1923A3D4D7EEB8769709172866F0F93D96504307700D75F4922EB0CC199ACACF31E8BDBFA166342CD7294A723608528732BC85D7AC57307C37D07AC03D99009C2052DE7536B9049B0750A5186855BF41FC58560EEBB743F6572C102F21D3A92F8908434519D8F797DB47CFB93BBE9A567ABA819FA035F64E2A718497FD815968F70869066AE8DB9314F006466FBC53660BCA5CC65B6586CD75E58427DC7B3F7D1A7F0A5804775234C8D0907C5906AEB4EC4DF01E081695897B324A97485C22F694E48EEDDC010D198E5DC4C65A24F62D6FE7EE0E60B2E4F79A6BF349F9612303CB272C0F1D0A952312F151EFBDE16D17D3B2F2BB9729F444DB0B1B993A6CD2EA973D430291D276CB479D8F07B9FE022F384743EB3C1593F062994D2853AEC6267E68C724F959ED98D9DDC0919F53DBD54E28BBB28AE5F0EABBC36A81E25A02174C14387E8C1695F97DE66C74BA20CC8EC1EB5D3DAFD147A894AAAD4B20DF7A06EB9B676846133868F02EAB7102E6D7EA8BBA678B0DBBF1F6D6D6AD0FA43412A8A53C6D814BA26388BEF08F89042E573FACAC5588E4B5C4E2806542F2E68148F4B7CFF1EC3DA21F633372B567005F2CBE81DDDD450E597FAB577A1935281F758193CEF43961C380B62F0CFD084FB4FF19045CEB3422C01E5CCF9EAE9C3B300A117F1D81D")); test_hash (&nettle_shake128, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("0F001A78A98382078267D5DE881F8717B55A31C1781473BA089C72CDB201CE93B943687E3863BC24BE5D255A4C02E43EB498B9EE4D8A0CB4778A742051DE21C4FC7745525ABF188F38B7B46DB5DD7AB30906F7A31E0B030DDA800C7766EB48E0F4B12C474C3535441985F40376EDB99FC2A0BB2BAA9ADAEC49C1F5FD3A604EE8DB5D0C51AF7EDD29306686B3795653E2EBABD2E9118B789868A7F821FB5BC5E4CF732456448417F43F6027337B4E1D481D65D239DD15EB66F5C6C289EE85E065FCA3DAB1126E4522DFE9A1B428310C7DF543BED5D4439E87549AB0BE6ACA17180714D2636FBAD2F7BAFDBB1961764F48518EA1ECDBA3328DE8A6684730E747174345B77052E8CCE9765ABAD9F7B3AC4E8C2155FA5AF14FBEC002B20BD2EE417F6CA5EB8B95087C34EA52C8D1DC95453F6744272BBD1F14A1AFFEBE475EB2D20CC26C5893F71995B63E725E7B02FA02B3145944D9D8A32F898DFE1F7FD7A73ED1D67DDE341C4F95B603597F74269835762A1F348E10BF5FF15B7A325077AA6DA99A8B92885A344AF35D9FE34A5B5549D37EC1C536D7B71962E1A54E2601E0F0EF19A2F81151A477D35F36374E7F44E00B25C2F7C4FD804490BBB68BC755F19EB25F04FF370107237153E50BB1F8867917CBB70332B41441B6434458C848970BBE860A07DCCB6E6F9C076998B54AD88D500634948A73A3478AFB1CBA9FBB399D39")); test_hash (&nettle_shake128, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("D442B526EE0DE0A7977AC04F9C822EF3369CD2CEDACC05ABEBC71128F0C0A2F8D5C2566CCDFCCEE773AFDD2C0F8AAE2E59B56995F219A9B06B638DD91D0C2AC8D11ADA3CC491A5985255716C75B474FBFE4DF204B75176468511807478FF873F17225D022A78141B962E1A4EDC7F93BDE19DC7D804C11C49942A54CE606322693845C11EB0E20E60AC7A15287848C37EACEED986F98476AC62A23E366804EBD5690856D69E82CAB976A79931FD5058F0562B006E822087DD8D277338A6E555C54A536D29831D6587B4796179A6F45C89DC9E85DD3067ADF043E3CC90E96391D60145DB31BE7778DF6402D7808F46E42C8BBE987591EDF593CE50515D4DFD647AFE7A65579E894EC6951C2F03CCB4FB4F4F212F3D87E953D4BF6093E4D390260791924EBC438B56693ECB11BEB8B10B85CD56D39A95BFA7924B9F78E181337E550AFFE40CFE99C709994EB9F81BA4E14C6663733477320EE3A62955975E5F3F25EB3922DDB67F0A312D916B8FF2C14493981C7A6FAE0E14F222F194B674173C051EDB795DED1041073BFAF62B76D3623D065F797A82BA490CECEE1136C08193D46FF6BB06B414C8A861A4604A4CBC87CC652EAAE3D648E4D2CEDEA13344AC22CBD4DAC4AC9D6662D3694B38BF12169320B5249021C85A7477E2587DF9617D7D44E09BF7FDAED71E3D5818DA093E6D019243A17D9F32A5046FC6BA19EDB0AE6349")); test_hash (&nettle_shake128, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("6EC28683A74038F869A23B21669F27B746A1AC2BD41E3BBAED1CFDCF79D7D1A9499F2AD4701F64830F14C27FEC0CF645E553B3D76D8512B879D2D19E37D93B0E9357160FFC00F20CD96FC1AA520B0870F853B3241B687549DC2D1F119198CFFAE38402CE4CC77A973CF49F19A52EF7232E39B5638C680D44334762657397CEE9DC65FA37CF9FA1F902AB290F8CE4CEC82ABA455A794B576BE404ED24BD50B9A4923D04C3F19CB812E00D6D9DCA00A906EC0F3460F14D3CCE6CFEA1C78E8400C0FC1361A4A60810BF51AFA3CA21B18C7DF5FDFBBDD8FC1671D21CEB404F9DD37008419CDFEFBF1D57F7AB7665BAEFD500C38A5AB04ED47E4B3256B0B015D0511657290418D5DFECCED4AA47FA14A9A0E9766F3123C80B65FDC07CBED2C8B0753F2B20EE271D11D28FEE068BDD3C4F449973463C17F21F60A5E59BE4FB3A3490ED87AA1709A62643E65FF82F2980BF2460FABCA0719E575614A1211D256C59F86ABBCA382B36F970C489660C484CEAB850A13011FAA07C93D2FC2E8E447A997B0BFC286769017189A68D7DE05CDDF696EB93FB8792F25B2979AEDDAEA7A935589BE4825E83E9BB302C3A6E88D83BBAD06BA6BA274A672CED23276A499DAD01555D85C620B6FC64C62282C545195EEE61C8A127EA8994AD5A706A2DC17AE5C6F165B477655D067267D88374F674BE12F58A35DA878346BD48351175EA72A0CB5E40")); test_hash (&nettle_shake128, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("FF0DB45E2E8959375D3915DBB45FC32DC6CFE7D2BB227647F6877619BB6884D8BBF9668F407784739D34975576B99AB1325716C2B83212DBE9E5E33B5A6EC68FD75015124F1DA731F519F983CC783F176286228E59068AEC6241B24808406CD60F67D5A1AB7083D7854984A1F7030B7D700D5D48EEFC6BE0AEA46C8022256866CECDA897DC22D4A18B28126444D956B93190D7A060CEBC2E8BE65D90CF7837A90DFC9ACF4BE4193A892DBA8B3A068E7BD20D12C47A95E0482A2CD4252A34E1F13BCBCEB9C0A12E719A27E2759FDE1B2F6E75A0A38CB80EB44C023FB0EBC33BC8290513D95C431D72450951EC1A86A89D59D435CD3D4B4E069556A00A443F045224D46A8DBA8CD7E8BBC89A21D3CA024C4EC96BC7169E6AFFBB05DEF58A0F2535997F345C8660451E7CBCD83C622EDD0D8A8F30D8377BB31BEDEFB546C989231C53447B7817AC3F822D596B5C746D5839D6CC8F6D45C48281357E87312C33F62EC568DB4AEF7F194DE67981D67B2B6659268556EE38DF95FEC4BC340A3BB9539EB6143BFDDC12BD233BFFF5FE0743DA3DC89F57DD159A475D6D8882BADE66E4C93D6950ED026C747968F84DED68284F5F02A9F7549B88F244FDC261B34BD66CF2FF5A6925565A08BC8A5F8828775A5A35147C57CF327C49CFEA4797CC130D1E8AA278256FCBE416420FB7683E6D0A5B1466A586E98C144F4CD5FB277C1E59B190")); test_hash (&nettle_shake128, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("5C00245176070CD2F23F1C5E15B21A9161BEBA24BA71D989BED890782ED39EB857E325AFA269ADB03FF1AEF7D26EE524D6CE821D2C842C43D0FAF47B602E55B7960FB0A9638E6DA8272DAB5B8DB784DAAC730BF0394D50A59C87B422080191769C21BD08A32AF4C263B09D61A13D0EC26B6D1D63A2EFA5B4FB9CD4214EA76B2C915F20E242D104745EA9AF73251F2CCC9E78AC8FD3C5EAE80CA665A87C517EA620CE5217C215AE38CC43F2756D9331B0359FDEA9CEF8FBBFD3606AA5FBE2D5BD31411A857B3C8E79A2FF1B00E3EF56BC25D0D83958B64DCDC095241837E333E58E4DA64F3B5B57308B165924B4C5F70567779248EF4400BE3E80F699FB3B6E40C36BADC2BFB504BC777733BA9B59659F8661D57B3543BD26101FC3DFD6CCF430036776DF0F2979B03DFF7E6B2E98F161E050A38F71EE438088D953EF72D5651B5674EA6FFD3440AF8AC94D5A808EE426959131E460C858A77C4690801B5B3A28C6BF555F02B5C60DE30C4301363BD6322A289F36B30E00E152627FF7485F032B61041D4C1EB872365B8BD22F1A6308F5CC56D4707752DC3E32315C8559A3B8083D2F743779A3EAB10394F8DF71A878CCE871E0835B57DE865CF16AD2D2BD1E5E5705F68C6BAEE103C785E43F3582F591DA55077C6B9EFA8F93300822C6EAAC9B5A71FB676C0E73928ADE3102B61284C676C140F33A17FAB48002394EB36265D1")); test_hash (&nettle_shake128, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("812C14B78AEEE6820EA1CF8E0F3C61AE7CBD2AE493017ADE0756FBC57545830910DDC27F3183DF48C1E1D6D1A9F3DE220F17402830AC73F77AD2977BDEF013C739CA0E9EC11AC4FBEEF624F0FBBC534F0467F09E775BDBB8ACBCAC8B3DC6ECFA92F35EBD729A1BC90236F57AD32FFB46C055C93412D33CF612059C4D5BEDB6E45807A7CE2E5029C0594CBFAECEC3F9178EB01D60ACB5A72D5DBABD6F95691A1F949E4DA7B48AA78C1BEE810B175218C5902753B88253FEF57681E60FDA1851A18EC1F3953CDAA6B9C32D085C7EF9BEED9598354CEA388F3D8EEE372312168B590ACD0C330816949211D8CEAEA737EB87BF9E6D4929D83B87E287C887E32B66FAF1540B64C53593BCE073AAE4BBF711FDC7AF6E7CB0FE938D2F87643FC4DAB4A7D4154015E82422C14600E44E41D005DB80CBB4C297335EE0E616E32D7E9BA5BB0D88FBB05B4D5799DF5462E4544D3883CC2C4850FBE5B43613841B0D515093D246B714E96656E1F6227341E76051D5C9C52730D66D075DF0A9EDEED5D8E878A1FDE3AD2C962608CE17655AE769C484E676904A29F22A3B4524DE2894AA633DF9F65CFFA329AF056E9BE4E67E7EBB786AC3541C00A792B4217E5EA2E51FBD979CC8C6E40F59B6A665F1BE6E6F2FF4D1D48250BE44572FC5B731707B8611E8CD7679037D565BA7B066781437FADBB47F68AE752E879286A25020F8E00FD7E62AF6")); test_hash (&nettle_shake128, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("CAFA188EBD8CDF392EB8E67776D6F574F72615ABBB5DA35999507460FB1D357938F521BB18699510D353D3B42EF72E704EE769C02A1EE7E366871F28B25F798725CA3FD147F7DA2B49329FC5A00E486A19E9465B782B1176B84465A96F083957F3D55512F6CEF4AF5E891108B468326C1051EE1519C21051353F1EAA2AD39A32E5ADFD30026D4B56A2498309C27B03A195FF5A7CA27E5184E322B9B783C44C4E0842F6695BD89D5648BE09B927990DC3980E7F818392380840E1C4310EA67ABF7285CFE20C50933A92E74FEF83AFA6B6CD6A372AAFF36DC582040B34E8521285EE9A67235D016CAFC9478B80D7B9778CAF5DA4E7D1865BDFB903DEDD7FB8477F007E60AF960BC04A81E77A74AD25641FDB9D81AEC87634D692E445807C0ACE094F99DB07FFA01C2DA7517D12C830973D425839722EC0C5A2DF093F01EB9F5A6D2E075CAEA8C7AA69BC899463D0E55C81596907F1B0F81BAEAE734B24FAE3D99984D5E39EB4822C4ADEEA640228D72387656938CFE5DB953C1ED993FD9705CA9C9C70E6DF0075392F965682BC163BD85911C99511896BAFC35D9378B12E00628EEF3EA11E908F92498C90314C55698A6B9C6D8FD88AB4D7250166FE57E9C106FA674619C1D53CB3DE576806742FA538B5653BE7D0C08282A0159E7B4F3273C4CBE1735F3B07AA0004CD5C7F763983CDE554AD9926FCFF1D1AC48B9777C7266C8D")); test_hash (&nettle_shake128, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("105ADA0018016331E288A355DACA7426116C7C0AF86060A1A652AF34C6D6BA4504E5C681F493AA44BB869997CF024403FE9516112C732C26DEE54865ADF6594BF7A546B5998EA1026FEB209E30D3BAA289B81651B29916EECB48E6B4D6F8CEE317F46732B2BC865D78FF0237DCA71EEC837215D67F9B7C244232529FB1801282F77CB08DD3B4992A0B4A551175173BD50FE8798836C60BB748E6D3112D7EAB27F0AC52F48FB776F92D89C895D7B1F148F27EF57B47DFEA43AAEE0C8507654DCA384FC7C64B39227B6E750B431588D56567EAE250ED6AED8F987D5A6140F0A7C9A4D47DE2B2036038D43D9630E849431B7A3F7C853399871BA360107009905164D9707C0A81D00A276699249ACCEFCDAF118A8D28FE791FA0FC4D4A2CA862913400FD550513D0CCEC4A487521EC53B33D4FBD2D5F6713F0F1F3C1E6A2895C4E2B56D86904CADE3EF04AF4CD1F3E8AB7876DE83D133170E3918639F508858A335D4244C8DA8893D51A7D6CAD5A2411DBA3B95EE3B95F3B2EC6DB652868A8158FFAD739199C47C32D9A4917AD06CDD7149738E8568B0EB6B7A0252E151538286D122AB6A6A68A6BBABA4958C0572625E7F4837BDF970DB69A943E5C80E5F98DD0FCC590B782308650B86E0C12A0CF2FEB059A2857118507639C4B56C749F3840AD13325C5E843ED1895F6CCD47BF2FD68D708C1B2001A083777896BA92BAC91E280")); test_hash (&nettle_shake128, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("B37F11D6837064D393422AA32CA502E6FC0DE85697E9DDF15B45648D99CD2B0E35653FD071546D893ACB91EA8438E768BF446781A2BAE49C6CF7E589FE80B2C6F35628A9577CC1F902F061E425A84D224D2D8C5FD4C06F1C7CEA72BBF53F982626DD1208CE375EE4F593EEDF93F72011CAB8281049A76EC1F90528D53AA2E0589BF90440907B0F02C51A1A1D9A4C4B31FDF378A548C4D65CE4EBBE77B4F95E9AE29A3CE0172A4D80C370D6967BF27DDDB29065566B2C3205FEA1E2871F6726DFD8FB5BE9199C31E77615BF060A33F3ADF9A1C86D205C2496DFA694D343C058F7F212D9E056D6525479DF0C4C184D2D8191A9FA849FC0DBB2BC27741CD5B43C65DB771DD99872862546B5D1C313456423E649E9869A43B6ECAFB030897D049907F307C767885014F7DCB21FC4C7E52E1F6E95A017F9AAD349BFE109AD8BCCCDA1E4FA761317BD7B7036A09095164A79A7A4952FA2512A5B826009414BE0C504A27CC3AF069718DAECDBE4F43D93A1AE4E1A9B28A48F69533E6EFCEB17520D78EA41500797B18E193C98C574A5339D2879DA6340D8EBE07723549E51F71BF956BD90E74325BD912FAB8C63150BBDEDD455973C084A6E96BE7AA3B8BA503D5215B77151007A7D32ECED117503F1F509A2F6750B242AC63D2A53873D8CBD3A30F105078F0ADCA870DC906C0CF7CBE1197C13C0C65FD8471BC52ED07D8090C83CFFB4")); test_hash (&nettle_shake128, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("A0042E6235AFF4430623E540E15655139EF9FB84BF8199702EC9A68D4802E7F37328A5CD7AF4153CD203938DCD947F0C7CB7F398A4867FCB38694BC3CFF4C10971C44EC166F225CD4B0F1C264743815CF7BF37933EDC38C3A1453852E3B220C5D5263D67C82A7E62FC19D24C9B32C10A8A6B2DBFA059197C97DEC62A05456A26CB555546A4219A905BDD2A0FFEFD1D63A56258F5A9FBD535276A163745E8911D55A5E47A4C3411A128F461149B3FF20B9EB422661A67B4785F38CCC43F7B87F5844D8E4665B0F010AFC1270B14176913DD56B76BFDDECAD17374553FBC5C31A7A28E98F58036171BBFCF79CE10861CC0CF343822399546E100C532BA2E5013126976E02C7783193EC43C7E35FC2DFF6AB1483F7B5E5955C91F7F7ABCB52A132A038FCE9387C4635E1A3394BFE589D6C9561D05CB210B25D575BFC0251374E541D72DC2C43E8FC51F98DBA46BDBD7A4C6EFD775E1E5CAB94C8E03540FDF4D1EA7AEFE8298958B618A288A31BBC9FE7B2381200652D5B2EAFC6A89F806102F753824ECEF4CDCC3E7329DC8F7C93D94F98BA5CB51DB8F615D59476B32BBE20111DDEB7AC6B9AC8CF66CF7B338E225BDEDAD4A2C5F0C2941808EE7BD2D2E59DA7010CE6656F6B11FE5925508E5A266E0C6F079533C97FC0FB5559E06793AE9BFBFEC8BF4D3114783ACF6D0E709AA1144326D08D415E7AFCA80725DEC248313E982DE")); test_hash (&nettle_shake128, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("439E31ECAFD806B8E573AF44AAD0B7143D82FBC725C963633D67665A2116949EED1BD5338839CB0F41FF79E4B5A7F0B3A2FDADCADF52D7379A935AD0357E7658FF2538B99A993EA6E9AFDC9A2B1DA9B68F9C9377DDC1CAABF7334099043E0997F446DBBAEAB14A507220CE36EF110128E0ABDD3DA6F98D2413E4742E82D749433C545EABA95151695B38D1E485C49CA747A11B83CAB42896CF35B275490CBCC856B227C0BBB11EE110E37054B9D8E64E645E1BCE138EAE18118357C362AE2A729407EFEFF38AD2ACFA4D17203D17B933479946E39C4E4BBC467C7B623042C4B770C179991BF159F8A1DF1D3A13218A441C7A3F296C34B1736A62F1C09005CBF972A66BB46D7DC124BB43CEDCCD07F9C7993C9E365A13ABAF64859CD4244223D074005906558147EE618F8C68403B3733AA633DF77F4F743652EE53C26FA64D251C09C8ADC99AEE3D6CA13CAC5C6A4B95B389E2FE51E11D85E060CB76E331628D0494216FB2378917D09A7558262DE00A345D7AE026BCC7938BC3BC039E9C50A62F8FA7AAB5AE44E8B9A1FCA0B65DE335F5D72FCBEC9010BA19040C38B5B37E1F03CED896106C3254663A5AC8A547E5E94738EB86787CB237A2AE65A0D7DC3EF44711325BD1BD4DB4ABB1C17DB9FAE2C7DEFC2CE08AA1E7B68654F936355EC50ABBA8A1AC45C9D95F1C0669E8812F313D63DBC7F7DC40D2EA71DC8F9F1581F43A")); test_hash (&nettle_shake128, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("91349C4ACA2EE1A2646A6A92E4335E7C1DA9F8482C2791FB96734E3301123E4059F603BB4C42B4FF5584CCE75960B5AD5F667FAA54DA85ACA5FEBD5908FFE7A1EBD05AD9E4DFA8C8D8D92B7F94666C119DE471326E1F673EA67EDA5D66C8035E047AB08157E1228B4B09309F19A0208EFE7BE1788C2F77347C644B4394933F6AA3E10C1B9A984D12A6D0C68E280785EFA11F1731580D6C71C98D6E6FCBCDF56DD55D87865ADB395E7913DAD6E9A4EC938A1D7E2391FB11CF6007FC9C02EA70F44B67EDB1206DC86C00D1DF6906C878FFD93B034F830C05F8571A6068D87A2AC42692DEC62F4318F8FE6DF3690C480E48FE406B85C9FCDAF558AC040FF15011B6C1AC183AEDA7B00BD48E16B7977098BA9412B470B7E7F4016209A02F0F585C29C554B5CF8ABA78E7E5E71447929E598046BAE2BC32958E65A7F7AA29A29C2EC8B34E521BD3601F755BD42EDF60B0D04539D4BF63ECC09943E0C12860F0C5665797A840E85496C4E3DF04B36CE8FBA42DDA559D630BC2CEC7459020FC32F1545B520B0806BAC854E6974A28FB95B41EEAF1CF01DFB3E89B8861F205C100DFC063CD8393330F6A00FB379901D0C47EC2E4EA5D96722EF13FE456E03107AD1179625F968864FB40D7B64879535CCA63CFDD660651FAC389CE4864BC3B382073D74D5346E6499801FBBDB590C1D4D983BEA74FA6A26FAFA4E57B65BE886D55A54622")); test_hash (&nettle_shake128, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("5F8ECC71A5D264ABDDAF1B4895CB11EC9DD50F3DCCB1E1562F1840A0C196A85181BE2B69011DE4A3C75087A3A303555C074A281BEE10E66AA2F15E6A531E5133B6075F84A82BACAC7D771C3EBC74DA2A1CC1921B3C20E99E2866031BF725D08B4400F38BFEFA0F810F82FD1E4BC12DC9E20B3295745B7F132530583C44A18806F537D96B3F352E61ADF285810D32758284D29AE60FF4845893ED07EAF2720282016CF95E28C9BD49F0AD80B87A4C71179ED9D5744843E811D9C162CF57013A7FA9AA9D0A313D44C6BE7FF069506067817BFEB731EAFF820C812765614F3C1A33ABE050DCDE56FD5C6FAC1A43515E2F5CAFBB00A75DB2FA51145A994045B8F71A6998E6FE47CD467549E548EC4FB43C23E7759445BB36A444FB0C91DB3F9A81F1048E21CF32BC3E427A6109DE84FD0EA8B006CED78D08BB7C5678EE401EB2B73F0CD2638B2C7134EDF7F40166EB23D56F7E4BED122B70981F8133B594121ABEAD3E6C96E0C2D76D93B4323DC8CBD869A1811CAB6285E0CAF2C021792A759F8FB907FA45E2B276383F6A385EB299FA5C070AC7B1B713685D6454AFB9AE4850AEEBA6A042F25B1902D18CF5069EDEE770CA2B342B3D3208BDEBFD50822B1CA0C9526306C061B2B4EC6724A35D86B352504D79F44EA7B1A8926C392001EAF2018D4840500E5500472AB05593F3AEE0250C27EBDB3EEB5955DD7D73DDA812D988FF45")); test_hash (&nettle_shake128, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("FF65B09E0A806202E10997EC4F42A049E0A97654626056EBF7B92A44E06AA3D11769160A5EBF6357DD6591B373F9943110F609BA15B5893E7869B17C381B549267130047C1286ED9C56F83776A0F99124F8E8939C8EAD777DA433F8C786BEB7B16B3CA4E4F13CEF93B4236D82E870CD3C6945FD7B8F0CA527AEE5BA66B753D0E6DC84E4ACC7D51686C2D9E7E3A31BB0731FD0EF488F1CAE2A8CA588B428068E09E63696F05B71BFDBD89F4E7DCAC2BB804939868DFE7849FC68B095C8C6E7BFDDB3F35E9A8C1B353158C1F3533A0A327789CA271F6B5EE1711ADBE112166ECF76BD0BC91BF957D4B60D84440BEACCACBCE2C2775AD1A2437FFA3B7DCFE2B4A0CBDE28B09E4C306D8133ECA952810D22C132BDC680CFC7E74BF5949E7D532DA24AA71B22B4576CA48EC1FB264D157A0CEC81377ADC125F29B27CFF0640E0CDE89D3875B749E412A50A919A08586A62B8788C4ACEAACC2842C7799D125E99C6A2C1F6150CC503FD420F5900DC509B4815A54B893B8F36B1FE27052A5C66324D7EAE83957DB1FF627508B77FA072F2A01C4F406B6FEFC5F552CB38EA06FC2DBA6A9428F4980D880751E459A1D5B9B3E637917F177920314C7882AFC3298B3E21E18CC126E690A594FEFA0AB722E2B1EDD1C24C0EB118F9C16E4964D637C4BFC6865B9E290C4DB71C510A1CE623132FDC742CCB5C5BBBBAEFCFE6F95F40C861964F5")); test_hash (&nettle_shake128, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("0C3F7284A63D46A75707ECE96D5DD51409A0E601765E8760F696175433BF34A781B7DCF131E425F25C5CCE52FB457CB5745E62E7A8F9BCBCB9113FBA1299D82E403E34A6E7438660D0C7930B8A5CF3F127084885447A91D1F5D5F117E3EE8E2C529ABE188745609E9948E02D82F1F87855BBF46E8E4FD39402F749AD00FE886759956FAF77E0689485C08022343167E23180F5F1B1D33B8BEB5F73EC818B92426CE60F5016B8E644DBACDBA9900CAA61D75985B5D063A3BBDD5B95937483A970BAC40A0664E95C7C4F26A2791754D77A6FE5C8A80DC3D7321BADCEE567B7950A686B1490FB0CA411F08FDAA06753B67477F67A1CAAA38F09530FE58184CA552DECC0E54B4B0073E77FF4351FDFC5F7C6E6F153935C1E5288ECB57C3DD6022DD0854B2F986E292FCAFAD0421AAEB47A7BA53C981DEFE9CFB53C95EAA02AC7F1DD155E476B6746DD2F1692A7E2D6EDF79E795924A0B919BEB278A2E65AF71FA1CAC81C5D5EFB138B1DD374F98B98CB5A14D96D9249F0F9CD42856A275F92075330B1926DDE0BDBF123A8BECBB6B6B3797DD89BA4EAC728E6B56696A752A07EEB1A09810D450B2682F2699DC6117BFB45FE306ABB889976838DD1BF31791402CE24F2895F70434FAD1AD4DC86F0F309EE90FAFACC7E72C0B717289D695E4000FADC058A119D9C4BDE9AC0F8B45CAD48C78BD2686105D9A27680CB82800509914206")); test_hash (&nettle_shake128, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("88C391F4788DBBA363859497F71794349F3A81CC9D1746CA273208680A0CE4ACCC12021E1EFA31AE40EA75A009E95DA25F9F0CF451F658739E2453280EC6253BFC1D8DD72E91B4ABDCFCB240C6EFB4E829934BEF46069274A60B268DF86A7F265B23089DCC09D77B8BF9A02A84ECFBCA193208AED46101F48C10778619C154F880893FC0C440662AB04106B272A9FD18B8723EACDB8AD190DD58E9514BCD43A9299FB361DA76F7E079A0E83615B6CCE6E69CE3E724C36561C728010134ADE4C44B18D1FCE86289310D30195A936BB1E23C0CF98DFAD41E6007E56C905F5DB8DC13B56E16C3454146C31C9866628736B5F537268E0FFE463DBEB2F3DAF103D24F95CF5BA0A4D94C68D61B6319389761EF1A0F22B3D416E67AF916AA4772277F4E51D3A8DF919300805A0CAF8C36A43215E7307B49AA9697B6FEBEEEC4F4F5F7F664C120FF27C8DDCA2224CEA4733DB2D1A1C28F8C030A23039BD0514AD6808805FB5111F514A10EFEC4F425E1C91B0EE3DBFF70CCF6346E6F4640DB8184DA28FD8C63156B28226491C1922B862203F23C870A2D88EB5FF5A6930820A4D81A62DD8C4F381F35C18012336011DCF71D58D167F8C5BBD3E5F0F278507D085F01B0DB2EA2860490AABE253DF4694288EA862F9AB78FC60827241768DFE617E725482DF62275031474592A57FD33FFFDD837654C22C96424A09A62A5F146FCBCE1F2AD")); test_hash (&nettle_shake128, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("20F8FCA8BC4274E6CE95C558FCF5EFE7F6A43FB47BA3A4AEB4AFBCB53DBF5BF224654A242DFC1F318A4A26924E5F2759ABC96D8B9C50C7185B5A7C3ACE2BC0ADAF1E39C6EEFD79CF89D2F3A8829F180699DF802662F285960EB6676560655FACD507528D862473623AAE970E559117687F87AF4A981C7F2F1E40A1E01F2A3AC0E89D1C62ED751B9B178155F2A72F215E51E49A4E585F4422C757F891AD4004FA618DA654BA3CE4C6A7614924B9C0ABB8B2C6CDE9B8CCF22A1E30A21A33723992ADE39424252850535DA5FEF4F047CD998EC7AD87DC784DA7D755BFB9D5F6CDC9EE52BA15CFB7F1429A15F8F0C67F98D6E44CBC8BA16D0DFDA6D72FBC1A44932AEFC2D8A618814957D8B748E0CA0D3B5095BC8785B6C20053E4A204343316D74FC96E16C775AB43CC33FF2B4F4CE85086D47BCD132C0B0E196344B01CF6E8BDA3E06E2618D5604BB5040474413FB54669BB744704D89C5B06DEEA58D4E29F6DF9C926A6CEA1297967DC66583654FDD3F6449033A496199E4B6F37E0FB31BE50747376122951575095467010006D5F9EA709D0F15927A060D828AF4180393EAAFA27701B919DAF424BFDB3F59AF0B40D0A4890006C98894BDF402861C76655414AE631A50FD80F0E5C63002B604AD1AB9684C094BCDB82C0540FD6E5924AC51F3FC6DA074AC7DD7DA1A87A633C16ECDE716641975182803039231320E9FA16430B")); test_hash (&nettle_shake128, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("F0E4F184D33E8B5F8AABC173B04E61BFB420E34AD22E3E8AC318AD06D92E8B5DFDF4B0F28157FC9E7D64545F527C805D9F953626BC35923C922FC09E7D2947D342BF91E54EF34FB5987704F7D0C36C9A9347F3A99027E192907342B2531BD1DA066D34ECC1FB50C85C261DA65F4AF9C2C9E93775F39D632E3DFC1216ABBBCC8DD2680F8081A2816BBDC1646540CEFE4881FCE2ED57B4822E11461B5E6443AE2DE5CCA426258D68B01520594B9547A714B0A377AD398F42599358F7F33855E64F12F88D9E2909E6397ACF34ACF79632AFDE5711858814B84F472EBCD03EBC9671F3985C99DCAB92FED40DE97A3C425D38DBC48ED34C2023771EDFA4F988931B7BAB6FDD612D4AB6DC39D43E66D74307EA8A9359AD73E0965E885AD919F12E6C645C0DC9925CE65F5F3EB132C7090BDFF4230CB16B6C9567AA62DD92949AF10A6FE66CC50B29CF189DBB521477A99DC45C937856DE855C303A5EEC572DA0CB0F584961971A15D8B0907151A046CC1B193E55F7E8419601C1699DB52BBFF3142270F22D628F53A18E64736C1DCC09F7497CB56ABD9AF5917EC07C35BFE8D041D00B379067F2D85E05732D5270C61C592F8088DEDA0CB76BB2826492A61BE9270A8CD7F9D26F51DB2207763BF41A465ECC8B877FC53139925D45541EC090DEB2622864D9E3529F0F23B090912E04BB95F56B1BD33381611D973AE347FCC232CBFF00")); test_hash (&nettle_shake128, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("1893FF8490BAEF747390ACAC15D42CEDB909C2FF3D30B2250A3F9DE11E79943B9AAA5C5747736E29E559F93115B0C029AD6AD8779804083C3F211C8D6CEE56AE65F0B650CC45B9DF5436456879F62648EC81FBF968583582CF4063B5F007E1B04A9BCB2249833170C1968E3040C808F2D9EBA238E74931CBAFAFD94690A275D1A1C1C29F71B8DCCCACC4E9543FF05900417D7E46C64FB4454B3DDB7A0BC01B85A0AECBDF9272EEFBDA881D2ABE77ADC9F17A26C50DE64DEF1AD2A09A79EC9F9C64895540FD56E93423DD7DF3E566D168E2560D8336177937F46DF87AC29F9FBDEE919DD8D2462FC1DB70E27B992E35F1376459FC15B76FDC3C6D9C3F6D994B300423F154B6FB28F845AA3DC8537DE62D81C78326BBF8A89E39C865F395BE31B38BAD26CFD4CD866B872D427ECE798968E66658839121301BC52E07CAE272B6C373B01C4ECD42F75D3CD45B2CB1131179A9F21F8CC84C08368547DACCCD56985477B4067B865B0268C1366D35C59D7C4EBE54E0C7EB383860EECFFE308A2E71858ACE60EE4A2898FFFFC507F0011F47B16BC9D696955C8E2C7FB64F4EE9DC9F9CF9987EE2CCB0FB780BFF780C4253E398763AC6668FF7082A848BD5E1E31E6B5E1E771F7AE21918C1ADA32E788D89822ECD3029AC5604132A681AED4348B631A2C9CCF19D14CB10F570E3B7F9F301B041E6B901CC007CDB125AD9CFDF7A889AEB")); test_hash (&nettle_shake128, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("56758CE6042783CF0D18A2C44FBF953065571BCFC3D19DEEC28F0D6564B18B227B6DAEBAE658DD065F414E4FFAF756D10820FE38C61A767BF2FD0C242EA3E994CCC6516FCF68BD7514833E061A65392D175CB6EB87374DE426730E4E771C7905706BB5D7E3364F946B8A061462519D0BE6F72B0220451F2C6C6E5CE217262323E4FC81DBFF169DCA043487D88F02BB5C22434FC31043603A5140364B7C2CF179FF13241CED0911ADCE30C4D7B7EEA34E094C86B522EA88F0126943FC2E3F8C1C81753C4A10B844ADD7868457DFC91094458806B2C115A052BD616161AED4BC1690E5DAA09BADFFB3BE59318D7ABEC04E7B5B439B92E63BA3EBDE71AAE8C5BEC81C9073072EA49E85B53539C2462A446448F4D362136638EEC10F227A0A977B3460499A77A9E951124B55340E49F9D2B0A60808153D357B585F2C940398B12BB807E730DA556C3D156D84E5C0BE2C625E3FA725AC5659E07348894842711A704A15201C72F4FD2E54CAE47531C07C7D1FDBC61446E35666175B2CB7B25A5FEEDC1E5FEFD2547F408F0E91D65C7AD0E636FC7D8BAFBA355275AACD0E2BFAAE9FF7B750AE20C828D66793A7D275DE882DEB8A97002C9B7B90F5ABA4D1E7B9D5E4BAB59DCC44E487BE10854C76D2EE6EB5628F1E791B731E5B1CF339270E90B3F25AA78B28EFDB906AB2D5560D976AA8FD4A560A29DE12C47A360131BB5F1F8FD71A")); test_hash (&nettle_shake128, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("D5076FE06DC454041F41D77DF1680958CB4EB8311940D58CBA2D6CCC1B57EF7D66D0D947B068928E0284A292D6F3610BE7CCDCD2117D59EDF468F4CEF33DE2BE52ADFEA056F586047F8FBD3BDFDED58237C4CF541200488A3DE301D5F36C735C387DD852959609A9609D370F63EC8E1649119F6966887C38C99F94B2293CE52EE234AA5AF55B0EB3AFB8B5A1D283BDE8F3580F5AD1951D8BEDB834EECBAC86CA72435B52519091D94647ACBBCB1B55DFD9A531C6C966B481FEFA1396CF42FBE362ECF403FB046AFF1B080D47BC282F4D053BA30C2A00364E11EF82FEFFC4096DF1F8AB109B45331611A8AC84B8DF0B7B94952A5AC80B075BFFBF16065D8E5A47F771C0F983E045D4104B7E8E5226EBD9D7ADD387DE852DF26EE9DA3EE70C7E20B877A45797DE836548664026A380F306705232ED37F4104114D58065B1C74441EB9CBF00B8073325B40851B44033FA4E65148161B0DE0C1517B6830CF5417EA3C004B7465C48F9B2766C43CCE5738E9EEF6D9D0F296DCBDB41DB35924EC1B746225142775268908A63EBE1240CEC4F02972523C8C7DE4B44530D1821BD43694647F355FC0473D7BD4D3E6D30EA453EFDEAC396E0DC03F796F70709F118920F8A76D4D85DA2B5DC2964A8824BB96AA892E43FCAD95470CDDE85433D5CAB38424609A9682E1FEDF7776F2D77F2FFD9707FF110387DE49F9422F11933D6CCE6DDF1")); test_hash (&nettle_shake128, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("904786DCB5A8F3C4BE4DC96CF168C65EFD3DE65FBE92DFD96B1CB99F33581F561E02A9D85740FC7295726F36F966392956B2C61122481D7DA372662D0F2B42BEB4228877BB85A3AFB52C689B3DA75637B52B81B9182EA56980E2C0AFD0D27644D0CD86B770FB3F4FF2618FF000FF7846055449E1ACB3721F03A0E65FC377F189824E06B13EA6A797DC7E8A8AF064075A9424A709456CBA62C43B51F4145D6F5456159678B09FF1A97BB19F4A41A836B0E6090617A2BB9B9ABB7D4B6777489FF1CC36E6FF828BB27B26DD61245A3F583839F4EFA1C453D6D5E9B2B3947EEE25D006DE476BB37D505FC5F0AC0AB97F8B56B8587A8FF2EB61C3F83598120B469E9CBC5FC03AFE2F72EE0B117F818EB8B33CD538AFAD801CB75D4B2F51578D628A1701DF56B9B9BBF10A30DE0893B6E3CAD4E264C5829B1C5C35B3A1B859BA7E49C29C93F98E69EBEBF8909F535956DCF767C51E2AFC49103C052AAC1A39D02909383AC02AB8220E4985872916DD6DEAA9E3F57475A33B0DEC69F266F1B990DF7F9F85EAA82FA226DBDB94292B91C3F124B8BA13C3ABE0908E52B67EA7131E61AFBF20293A61CB3659415EE890C151A5628225D61DED612DAD545B62D819A4F3D1ADE9CAE43B9CFDFA4C32A8D16116A58EE3743483663E9401CF1280DA465025EFB103139E4E8850D1329F1B9BF5E1A8C05D20E963E824EAE0AF586635D19D13244D")); test_hash (&nettle_shake128, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("9FB52B8120553CA1F4B801FCB753DBB0E45AF3F160749A05FC2ADF8FF1F507DC304214D785C5E0797C2F6F767D76A3EE22CBE0D114F5F8C32BBF8DA8505090381E16064C001F1807289D0DB586C09A85EF727F393BD2EF1F95CDC1777E137B43DE60D425C5F5D685D43D5F6912458FDA3F4ACECDC2024CB7E6F4340FCF6333CB29BA1801AA80C0F8A248A21305BA62D62E689D55D905EB03368783CB32F765A55D3061774C9344E85C35F8B944420F47070B34C9E8996C281D890E591D5B5CEF03463D86E88211917E7DB7F5BD4F36565BD855EFDDB859C97C206D5F3836840FF3863B93E17AA19281202AF6EC0B1B5DCC7C00D9DC08C2DCCCAE41EE2FB8E591A4AADADF2B28FC2133067D45F98B4ECBBB234593159888F832CDF1BD4864B8B720E42219A220C7FEAF6C0D6A1C14AF2F1020218C65A475386A71788F7BFDB172B12819F2D78D6D200382992D9F39500C4F15E44E1E48FD5734D110FFD1967E098F673492630074DF33434C36EC9FE067E8E794794191F355C2D564FA4BB691702DC55F4E6C83D1C487ABB281F0246814A1EBE626F05F06D09A371AFB4E746653872F83B42509504B057DB7BF06AFDC913F679EAE1FA4D945B93C4BB07E70F48F147BD668B121B05A777A5637CFE24A2BC155C97B9330B3E3B848F689A00AB1F916F321FEC05763DDC6D6563E7AAA3CA309ACECBB0884DEC5815558D8FF72E820")); test_hash (&nettle_shake128, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("906BFC0B13DBD86ACC32B93C56C7187ACC1E5984C1A7AB8CB4EC39A00355837F70B6790360AC9C447E28E93CDFB58CFAB3DC8EE4C2378E68298ECA240869FB5652803F590245F8F40810FEBD33FF25794E39758E9984E47626EEA8AB2145CD2E260873D4524759A855B2DA0C8A80C6C365E76E8B37AB4B9A6D9882870DC22F61A341FC932152BE5C84AF645EB71E6713B1D9B582491653A8365BE531D565B27159F9C5C7FAECA04FE1E626C1C9A7E7FF3882662B084B827BA96E865B753FE73E3936E47EF9F1EA151878F671AF51722A4755041960EC2A7C2C4CD364C4914F64E90BCAFFBEF147E935A6B03166065506FA7F20A707AD4771FF026D7BB0DB7E744FECD63782DCBD9DA7573D77F82E6A5446B1595F7EF81084CAEAE91E522FA604A370612A6BF464D5872ECDDDF46285A407D7835E22438E82E62CA0F1FDF7B420E15F9DC061A3519B8F389022BD06E9B31A34F854F0F75FB9CC538ADC0AE1D981DB68C17E6F3A91D6C60EFBAA357A49FBD148AB7EE2D96EAA8909782E74A9895890D02FE8C8B09B8A9F2A8E18200825C51896C42C59AF9AD93D847F4A4FCFF008D1BB8D6BB2E7C75912A086A23646939DE69D7BC42F568FCB076EF9C37912BCBC0259FFE04CA17F799FF7ACA1D34FBEA76EBEFDCF8D22BDA634DE9B6852A5DA831EDD0B92AC09D9D8235A0AF2BD5FA6B0157722115561EFE7C14C22145137D729")); test_hash (&nettle_shake128, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("E2746CD339332913E436FDC5B21215B39D0326E95882F291849BEF33AFC6C7B9A02F438C2E6F4175DE5FF04B79256B845213B917B34A0111814AF58B06C8B5AF9D2478AD18F012373B9F030ABB79BD7BF380C2C2EF07061E75D7BA113845C80E43BB718377732064B80339E8316068BCFD37ABE6AEA6EDA3C58BBF95A77799155B30FD6776012F098EF9F29DB911E11BAA67937A52EE25C429836FA45A2ADCFBC704A404AF8421FB3B75DFEA979F65415CE0E9B6D17B2E5825929115DAFA8E9A51E16F8E2563876702E04854D48AC2159BB782AA6B1B764A8359F7EC423CB00E9915BC63B27F6E758402B56799D7C3093B1A222FFB8C0F08273A6D5115D2CC7429B9382763807FCF97BA5EE82F78F835BCFA65645AD36F56D595ED06924574B581D6C460BB0209CD69581732EF9D1DE78F0B8109A6D4C271F2AC07179A84BF36AE328B1D0862F65B4ABFFFC0E4B6A17FDE288304234CC2447ABAAA223D16DB5AAE8E026D17A9ADDBA9C51F3B63446DEFBB9CC80323E6B22DFEE9D9E438BCF5E14EDDC490D9DCEC2F5C635D32A1B6C64D1CFD07DC72E954C97DB2A6E82DB75575172F6AB0D4519158F84C836F3B7B4830CE0856C37839DD7D7FAB6A9AB00F9DBC020AE45C6450C257B7C0661CD75F515EE380C2864F0610A682D49CB4D19409A317AA0D6667E3E61FBC2D9027F4A5BF4FB1A0D142183F84FFEFEB92EAD6ECB2A9")); test_hash (&nettle_shake128, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("0B82455171770082FF4A4FAD8A5DE99DF716033D27071278E9C1256D63C34778980889FDB7661153982EEB0FF904E24D31C8D48D89F412178E527D054F822DD2DF6C4FD555E55CCF3452FEC05F9CB3BD4F0B4D2EE851EE3E22ED180F0C02E618563BA89E42C4C6A7DA1A9256029B6449A9C63625CEFCD003F936613092CF59F676AC91298C820436F58BCBB2F61F3945E67353C854CC384D607DC11B906A1C1A5143D9AAA294CBE03F946CF2703C0983727FAACAFAB85C6725E8A9CAA7AA69891799C560BF6B885255674A2940DEAE220BBDA252E636C4526449BA895DE17312EE0BD0520FA68DB28BF122219E571C081DF18C2437E4174D1D6B529E394C4090E5FA957A996564D11A3B4652522FE2999903F6095422B4AEE2D47F2CDD4301BBE42AF671F58228D76D7CBFDCE870242872EF85D0D1E18CEA60C87565E48A1463030566C9E34DF8829A58FA36770E861D6543B50AC6A439ABC062236A065BBDD866A237C09897F3CE2EA5B0B1D8B576048685A53DA7A409FC6F121DA36AC23B9419F254C76E7024FAFF9D45BEE4392CE4C968E737E8F9EECD4800F7C928E30EF664FD4D2A7150954E0599CE5C4F07B9351A408CE35166DA4240F1E751CA4A7CC4946F5451A0BD137857DC003B61424A6682D942F4DA9644672ECE7A1EEE295EEF46B5AABA3F46099E93E01BE7AD9A5E27D378701CF9514B374204D387145349F5")); test_hash (&nettle_shake128, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("4167BCE24865262ADADC78E611A960807758EC6D0D46E3CAC221B4FE9818937092BD3AC5219F0FD765B613F2EB7E36A5F48FCBE3CECC67540F9282DB1842F95CECF0648C12E52E7EA0C96FF7249A8446D0DDD7625BC55568642DA2F2CC897B14D2995DC382293CF2DBA9A63EAB9F6940AC9CA87FE5CFFA196DC930FF3353E34313894A3D2A0A86B0FCF7631735A2C663BCB71D5947C4B2E97441982B791A4F20BB86F7FB033210E4FE58DCE7256309FDBECD7D7F3FEF2D1DF7E0247FF981D417C56EB7B14B7C9453786C7B30F173C372275324E834D94DBC6D10714407EA7886D92F810F2DBAFD57484A09D70951CF85C0B7820643D0E7EF706934CEA0CCCF94B1D1F75F1E05B5D033A5CE1F804C3BC7A9CCF00C8CFEBDB62F8C654805C5ACD4FBEECB6745803721D17F2B8303A98ABB9B8618107B4493735B4001757890D772F78093AAECA244E5297CFBF0B9442370C9FE0EFEC199201E8667D61FE4B9CE20EDE827433C91F521EF2B296B15CFF658E18226F17DF114675F57E988A14B9F104F933BB685A3A9DBDA96A9B87F2EAFE028A7C656300814692C3DCF00D9F07CFF361F601BF2A1FAC9EA58D7543604382ED7CF35DE7AD7355247318796466081FBAA05FDAA65665448DE1FE67AB560250A213FE60F506E9EEE720FA762AF7D2A23492597BF37E0067997095FFD63480BFAFF67C084EDC5BE6C0BFFF969BF06E25E")); test_hash (&nettle_shake128, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("4EC44E5E1F62935ECA450494ADD6AEF7DB1C1C8353F1354C4C9366E9E56A8D5BDD02383B9A04BA4927959531B9169606CD982B6B72927D2E433D900F3B402D7F5BCA979B3742E2E2C1DF8D4E163628357AEB37C94161F8A9269832DC28A4E4983B45140A5A7C9A4313FE39BB2C117453C2E5CEC3C0D4D5C1169B042E319C77712C0171E3487C590FE9B223B7F681F6C4B46ADC912BABA3F1E190CB66DA0B38B3389ABCACA3D4EACC26046CC71C4B3EE1520EA84A1B8897A7E39B9EFD65130DE8F694A0A81F4CE994A0F4FE1CD94439D6551CA8B695A5F22EC51022ADA24C3EBF42840C42B2E345F8AC07BD5561DB40D66DA87FFF248909EAFA8D35C380133AC87303C83A8368492406B45424CD0C7143BCA5BF6DDB6B2FA45FDF45B96BD1CB33F16C1843985C5A8B1B902361D10B235F3965457CCBF2ADE247CD371B9AD808FECFD503272D4918BC3CA6EDF09BDECD56DFF372DE8E2E1D35CCF55E7E81AC5DD717C49F492BD1B242331EB66287F10E15D7BC69DEE9C3F1032C162B0845083ED653D38F270747510F82E43F0EAE6EBDFCAF296D360998A5AE8E735FCE78AEE2332F7766FA8B289B46CD1F129BEC02DD6C3D7C63D544C22687AD7E4802E0363D05B8B7965C1D9C9EE8D08B0B54A8D55D2A52E0A053D31857EF350C713CAF7D7B00FA5513CBBD6FCCCAAC97501E3964DDB3012D2E101C59CB8FD8B28AA567292E27")); test_hash (&nettle_shake128, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("4D2597545337647A12662A7A13065021A6D206EBD13459DB348C1F5361C5990DAFF469677E61DA9A4ADD24A1B4ADC67A092BDCF80D98C0A858EA96B0BE188619A82A1F5055B461660CF805AE75E4F869CB830E153E840D6F164DEABE9065695F6C8F982BBB7D2ACBFCD7DE93E8028AC978E0D78CE878D3F813ABF1E1B51806099DA8D76E16C47D0C1D6CB70E766F5F3F2336642B9BDC2958DEEA3D6EFC30FC4E54A90FDCA6BFA5E8D4410D38CECE522B3A32F11D4599D464E9CF16949385110D71D86A2943C03E67B19DA04ECDF7D30A3B9E16D256D5CB1545B1312B6E62AE028D61317E689CC3EAC351B034E83CBE91140E20E292A3AF44C27A026DCA5674B9497A10876CA0F21D79184922CE71FC11AC98072C2368F70D113A413E2B9FAF616E3729E515FE22146A35CB93D0178C1C07FF9F403BA947759CA0FBB09FD66C7EB562307F46C074501EA7418FC64911AC940C28E75E2146231E0B94893EFDB0DED97478796E87DD906FFFE9232368CD0673F9966E7B312C44F26649355448FE2FAEEA198A5F6EB45040D56068E5B98C02DD948277E1FE5061EFFCB028B61748E2D10128E0E0F7B70EC8CC6FFD071C65B5C1B9CED47C9B0DF76D3B0A5255E27391409B07B0C112CA444E2E926BFCFFB1AE7B00252F6831FFF4992D63BA2114502DF0A3489AC58F463C8F9A1B3CBD3C8836F4CAA301B7336D8DCD255C0762C15E24")); test_hash (&nettle_shake128, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("05A819096B5B6835090CAD5109CD34F40A234F1569B226C42F0207AE06E6EB37A50AD688C81A98C9E747BEB1BB2AD741454430C0E36A8B4DE03A1DE7C3D1FBD836F90DDBF10B10AD9DC427F0039DE7C0A8336B10A5F2A24EF2A0DE7D5765ABE3ECCAE743AD3339521D78006F5859339F15B5A4C82FE758294CDCAD306D30E57EBFCA0C22042FD0CA678BF2E5D59CC39CF1174B1629243115B9247B620BB14217C7EDEA7CBFACD209FE77206275CA39D15F6995E27108C9740A27E98BC205606D68F4D5592756390DCF9C3B5C58585142BB6E31928AB39843538001D792DB744145E5E148F15336C1D6F334608D514C8A0D28515C17CD88C47AAFC95A7D42785D8425AAE5D2D8D74A90914AA30BD428F0282E51445DEEF80B7C1A4429E4E810C753DE4AB21D2E6E895FA4797F3B4C267CFB123C337CBE0ED977A9C3D4147780DD20B2E0C1781E3A8EC690F3D32F38D55D8AE641F61537E0649FD681857156837DD46D1E6005F5747882F895684A6817D40EA1DF7B6B049DB621CA257A3705896DA9B5E38A6D5EFD1D2FB4906285B1AF522D34A5F141C1B72E74FBF02C9BFC38D744C4D6B77C32317774F4F3743B7E684A72AB54BEAE64994F20DC8AB350FACAB35726B55667ABCDC7CDC18576076B5FCAAB6264687D497D32EC0D0A5C42FEF8899441F36F7B72925326885E1B67D59D7BC7DE352F8844F44C3B634753812844E5")); test_hash (&nettle_shake128, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("B83D4F95FEAFC7E5AA60BB1035F69C8074B1A25FF516AD6A18DE1808AE64AE212B63FD05F983A65BAF28B228EA3AB587B163E334A70ECEA2691A77AC940259827355C5459D074532A3EFD811F419E29FD67D8CE82BB4F79451F6AB0A8EAC6BC48713A04F318AA45DA6246FB8CD9C866FAFC9A48C5E6C6D05D501D00E08F7D4320E5E294FCA2B6439DD7EA3BEF65CFCF256E9C4E6F902BD9F6AEFA2AF303E0028D0DD0B7E266F31E21A23F546FC4CEB9BEA5A4034D3DDF7BF63B546F8A1D73F9F56E1C70B6B5E1ECBC244651322025086A933D94D1F21C9BA03493E38D28CDDF351F4DEC99C734589CC45684DEE9AAC79F367B940D6E1AB57AFDAFF422F9D60E83FD6A080D60267D19DE6626FCCDE0759697DC7CCEC6384B7AC7E936A7F12E134C053B80CFDC38609149B277B9F6881495562EB466B99D4D4A1B80C3751F51B3D53261DD5BBDAF1B5401373140C35D31907EA197397DFEA7C420A80C2151E73E0EE8E27495B0C9EDA13B93E8DDF9426C26995317CD273960301973FAA9AAFEBDEC14D92466B059D3FA7CDD533075F5861C538D69DE08F490616B650AB5A0FD177B500F05E011AE3AC06C2480816770D0EEF7908761AF08302DFCAC984BE0B3E60AFFCF5281FC6E28AEE30421E1DBEF6775CA9BCB2803954C0BE501D55D5D0A1CC7882AB5F1287B5A3EF564B91735B9CA85D5E7103D0175B2CA00EAC7B627BAE5E")); test_hash (&nettle_shake128, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("5A81FB81F8CB6473C04930BDC5C0A9CA96D4A500A7BA5A9167491573AA7178101D64F46A93486406614AB9F397E78B0198FC988CCA849EF70C39B0B3A844493439CECA2B7CFF8A32D18285BBD32B1E5EE26AB0F82626F4130C1B40CD6E2C9DBD6677E6644A1ED6A016DBDA139B868FC2F7C9263BF4535E8ECC24DC626B1F3ABF4B08E229CCD076DFCCD89C8EDDC77E9FF0252BDEC35DBF712CF0A5BBBA7B4C7B702CB9353EA4BA3D0E0DF48D6C56D0B51CA269C9E428B22951555C8CE65B5704CC3F4ED38649474C4C049A63894405186E116E616D686C7C033CFDB75B8202FC6B6EEAEF697A4F5277DA6C5E7EB9814A6798262535292AB6791633CD687E68EF223464493AE8D1E27F8B2F483F5B137E48F4390CC27D96A694971B28C9CDB1A24648A0E0573141DA6A1AB54789199E8E909F6FDB0766DEA735E2D87CCBF975FE8CDD6C728DF888FED6F049008D349A476EB63A87E0CDA622F9B611278868E8396BF4E878BFB58AA847F04C2E3A90DBF386954874BB7B1E8CEC42F1AC16C1824F328AF9CB154CAFD4C9E2348A02B0F9638C8562655CD5E3FC2BDED644DB61EA0C4DD27E8B79C7BE52F55C321619B5C8BEDA60D00DD3DA3C19D4C226ADF2D5C4A66518940F2441BCAFFA704C80900512516BE2710301579F023393892FB27EE9DBC71AD34EF26651E133B3C21D8914BB6E9446F11288E1A76431C3999686881D62")); test_hash (&nettle_shake128, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("E41027E76A055F0A826481C650FC24F7816460ED519AF8802AB191E411ECA719CA1696EA14CD62306071D4E1DD65333619D0193D9830B6E8796234F892010681923BF30A1A0AB89D82E36DCEF3ACC00DD286B84240D0282F5AE182FFB84BDA59531C519374ED5A2E80DB2137BEE790CF49B9FAA524F75ABCDC5AC3C3027F6DCA443B2CB5976B9B8D66E9EAA1F9F62A23D5C9A9D5FEC16A5925ECCF1021D3253BD67F471BA1530C0601DD96A4D7ED6E37DEA3EFB24284B61002158AF78E35F8BD617C9E7D33FA4128C31980A6D8631A009FEB0039B635D1030C200AB651C3701CEBE8F2CAABA57E452C0E8FE41FACFB398A2769AABCCB21AD2AA39DDB53EC706E796E7327E30FB4A631E6F2A35A8DCA86769BF6697F8490EC5980F3143EA2FB79FAA9A5F2AC7B5030170A4548AF817CD80C26E1B013BDECE9CBFC553464F1597077E3ED435804DCFF5FE05BD39E87B9B35D9F2810C32EEF8E30459566EA3CF380A7F9E1E2BD3E4843D06B018B55006FDB22EE1CCC0AE615917E8D17FB019F7419FEDB242F0676FF4815989821135073E5CF91DF42CC6C6F532D3BD8BE9118EA6E583D360F1F8C20600A740D9310A984AF3C82A48FBA84A84AFF42F2F1EC8C4115B5704704AC2073F2014BBEF1913FEF7862F514B198983BA63F4D38E81D822CFB548AF76F561EBAB987B208B11824481309B7AEDF0EF44376847162326193DCAA")); test_hash (&nettle_shake128, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("28E204A3450796BA182A339CEF54A3B224626681C51297A71C2BC0ADD56BF57C7653BADCC1438E3CF7156EF7ED4EA9A084F3041A8157E1FD2AEAD827A5E79257C1BF7E37D4FBC089422ACFBE116A2E3889614B8B01BDDCF63B66589061A690790357BC31C68014CE422060CAB07F2A254C83E1A7A9AC1A0807462E6DE48B194AE5FA0D6BBF39AD1835C86BB25F5C273CB266DD5167350904EA22F912343E261E38B298495B38019724A1EEC356ED016BDE8A81B3764A39D153A5691C196557E6FD50DC5E42B6E6376E388D9C14970B67E9910499D94F5839ED933246DAFB712A122043D7D5047F1B53923C14979244DFED3CB742C1BD30176985AE2F76B912A6A3AB059F2BDC49DA4EB6A9D3FC9CBA1DFB1ED0A4ACF46829D51FDA861B8DCD62424A6E4272A1BCF28AB878FA9709DB43D800E9E6E33F6D644B62EA30BF758E496BD152E41715E6AADD766F1FC6BB95DBF19F497729BB30B29FDC4BC4F5502396969CF6957BE8FA7F17A4F04A6FDE71264B0F1B40EFFDFD560868056DAA10A6CCE695AA8A815E43121C971E4C4A3FC5E6EB27170D4539F3A37A4665F179CC6C804DBFB199814FB2D5121FBF93A472DE6F4D1DB176CED29F254F228538B065F8494ADCDC3D1117B33A1A51EB1AC3F6D7C8315E5A674703827C0C506977D1CD68873B4F18D9A03CA54F74D7F82900A27E8863CE13E92E0EAA86C2CD5BC99121F1D0")); test_hash (&nettle_shake128, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("FE3145A2E9E54B8888C1FB87A70402EB4600B0A2D636DFB23F869583900544F602B9DC325B6A9E8C0A9192602EB5EE581E3B0BE65E918DBBB49EF017F174C3AEB12C20D13D20C3370E1CFC19634899833A91375631713DB2954A8E33CA839EE5F12703C814A63496BB438195D89AF5CDE1F22ED8AF340B72B6FD95660BB304568AF54F162D47CC3783806274F967835038858719A4E3115E76690B4E848FD6ACEC695B3174C7BBED140DB8FCC2187FC0585F4E975FA5EF3907588E415638F1487E6244F3A773F8E2B3D9C23B4154509F87564BC76FD437C718BFDEDBDAD24E3393A851EB30A82A641D3B144E3D9D223B1E92813DE477DAA28BC9CB621F8B3D06B4A3E3F9A52EFD9095365976144325269160F7B859EC570A14DD43057BF4AB3CD2ECF13E921FB8212F4379C59B332FA1817360747F58A63E0F635FA52C59E31962951AAA64264DD3F26ECA0AF7C423C0D3DCA624A4D33C383BA0F4E04630D74A40F760349116D6CC1A8BA17F228D7BF24AF707D130D13AC825DB8E6ED4B97B4AA589230CE9A471DECBB2DBAC9F68269030ADD24C712F1C2CE7E6DBD330DEB3249F7AF42E31E717666236DE7299283063D3DD6CC88D0096359A1E83795844714BCC9D88DA6FBA06D1156114C62FFB5D9A58274AE471D544D7E9701ECDAB9B63B2EC4FEEB07126F8C1CF8BCAE823E7BB18A9566627CF95E6D8AF7BE94275932629")); test_hash (&nettle_shake128, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("4A021C69D45ECF926FE7592AC05951D86FACB97509B459D0459CDA7DCF2B084B91C8550A9F2A92C490C270CA90C41018C4F205E5A33B1584FB54BB1F163A3BE83DF0C721235E24D4410F73B2680C0835B840DB4C4244C1F85598C2B3A50A896F40C8FD249E99588A8AE1FD6D706A394541B942EC543343FB377854141A35BD35F10983543B17FC5C30B31F86C48F601506C21EA462420C5992F5B5DD12AE33CDD99BDD92667D4BC87410B1456929350D06C91A558A2A17964C3EAF7BDF67F743AF6ADAAA92766F36655A9496263B38F26A7F1DADB95B6A5B63F3FF9E0081F61D0351EE557199851596E5D221EE891CBA27349B4BA671EAE59473FF0C30F0DAA2F9706977C79746C8C1B70AA1397DF9F692DC4D1182EB479C98343DE7BC11D940DBB778AE8A75FF09D3BA328A032122318C021BF07AC179BEF0EE42FDE3D8A64FA0453057B1B2FF6804AC6719F6823270647E142BE5D338B1458F8CC7AD7637942AD4F0FCAB36EA6FF768273362B8EF001D50C4E5BDBE74F48DD91854A92FF02872C0963A2C2C52D0156E58BA1DF0B7FD9A178DE79CBCDEDC20CA2A226551C86835AE9ECAE09FFF19AEB6B114F7CC602065CBF6A6A740874FBD6662A3EE1D407337B935C4975D269DB7C54C453AC4674B9CFF128DC20C62CC86B9D14259E06315EAC81923D415E1F35BCCF48F48BF655E6B87F8A0B55A21AC760BDB828BA351DF")); test_hash (&nettle_shake128, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("2D008F8ED51C6A86910C30ECAF2B6441262D7CC66E54B39B9AABCEECAF2E96A0B5F1CBA234F45242BD8F96A57BAA98CAD302814C95E067CF8F47B2A4E6FB6BCC5C70A7A750F754824E9F970E4C54D43CF8F4E0D433B931DF2B6BEB10FE5B28F2A6B5CCE24D0C6B414DC8E3C064BD3B26BA82E4464B34C3735E935EC3B7AA36E6AF002A0AAADE986B0A15AF0E9F1AC5B8CDF3E9022CB6D2BE9CF5B30AC8E2BB5E766F528802FCAB3C3C3405F25367FEEFC12F1C7D99717F2EA62D7001B4845793B288DD9E777270608FE40586605AF8C9FF52D0FE4111E8DA8C315958694ABE386C85A86AAF2038DF6281D8CD73E201973704D314DFF7A5C3B4D6543A34C6FFC561195CB3B782C1ACC2793BA6A75974126BD3E4188FAA0E69B255336366DED52D809D6F70DAF11BA57B604DDC8359C1E5D9E8F2863EDFE71935BA18A4D373E4ACB73CCA7887B0F3A84B2BFBB5340AFB87BEAB7E3708484BB4EA2E17CFF49DAB7236BD83DD11B2761AF3E7E58452E9BAFE5C665ABC543F41D98C6478465BB67C6D9ADFFDEFECB1ADC2E22B97504590D07FC112E03D1E221CD860928D13995FF1DB025927B2B7EDB434DF01F1692AB329D07A1C6947E64258E53A8082EA6945E1FE21ACBCC1475054A0A9493ACF37E5B607C79A54C985E70A99041F3EB3D5511390A1F81FC845C9E29FC39F12D019A0DE262FA9426C123EC8C2C733ADB2217DEAAB")); test_hash (&nettle_shake128, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("7A46B367BAA023EE1922A3408B145DABC97A55EBC78CFFF95FD8D6206E5C10EFC9CBE3644A49C200097BA79F68B08193C6914E016DAB98361705D27B8B046F087DF7DD998C02BC80BB173772843645C4F93080B0EA657EB0902AFDDB28963BFC845ADAFF3A431705C74D92346BD678EE699FC12E9B06E0C0E08785A419CBC944E770CCBF89203FAF5D3B629D541BD51EAFA5857F585537CA60ECE26E09D6B9D05166360417B5259DFCBDDC5B6FA5B653423FE052E98387C97AED7DFAC41274D9BD912BDD661A02CB80CAAE1BD1704320BA54ACCA5EC6854D4F83E938F8535EF287AD26F9D47D047C74FF6E4EC338222BC7A1E346ECB50A72572D3F7A9621DD0574A9A109979992F18690750D035A65B29F0387FE78E91948B8EA8EA31A074FA405AC30D44FA3CF16BEC6D44B5C5791DC2376BD1C192175058C4CA5B1E0D989D866D9E076E8252AA53C5B89D7AAFE5B753705020DD7F79C93D31F768ADE1F54496B62F6D7B126A2558E4B2A3B7DFF1F046F9FDC7BB2902389E1C0FA49E00F4E892D75FBB5A18B22F863B7D57A8F1895B13AC99042B8BE114308B730ADCC2B8E5C2E6DB1C7DF35CC9E8160DF55BED2C9083A2BF79C8F141E44D48AB49DA6A77D7AB22F4E8A6401C9A600657C4E3D66700F452219BE1B5008344FD3B6E76D10445853C2814D7EAF753F57A70E0644C94A2E3D21478ED44D6C5D568E68231AA180BB")); test_hash (&nettle_shake128, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("224E3495D98A8729F88069BC2578F98F76EE3D73B1309F75357EF595D217E4D851BEEF015DC7BB03F9B8C80AD1B132AF1B99F42459527FB67ABE4B5EB3DBECB90E679454903BFB51E9ACE93A4784722B2D0453F3400632A86870A427DF2AAF93081AF99CFB012807766C440A010E6EA068C2BFE388F26D95BDB1947BDF1E364D252C81835AB7083AE5CDFC12EEE193016E5BC5A90C2529419DF2C0E14F8FD900D4B9519705221C70DB7178B81817B0BECACCEE975B396E63383F03FC8097CE6EE9A612D53EBC572738B17442C8C5F2D8E7C67073B6FE241E6DD00D356641552EED0D1C32A09A34223F1D3E0305A38675EE066B63155BC2B7851E0F51967DF90AAC3ED7F88B1EDBDF123D02C2F4BA23FD2F1DA2CFC2410CAD5188975BB5465F502B33A4F41D7B2DBF63B71085DDEEEEB6B9BD0C9F89F4424F55DDA4804E86E2B983130B46403FDE7B70C5006FEA04CF3350FD6124C735613DCEC7696FC3F75CEB8238D09D1B440E759AFA129788A91C43FF7423F05C6E9132F644458CE8369DD714CA9E4841DFBB29B942475058837FFBF1F59706915EBC473868A718F2887AAC888D2C7FECFC1F8E5CFDB5D3B2C71CF1CE400A0CAB18982BAA41B84415A0A49A25E18A8F4575B46A544F1079431E5F07915B92D8BA512340F2E43B689DEE6118786A2410D58CE5EF6E8446EE49CCD2A50557D32FD1E9E0954A4373545DA250CC")); test_hash (&nettle_shake128, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("CB85425A1CC6A4FA6D8593BD03206867737F8D749D2BD7135ADE0D7A1F216FB92AC5C4897CE355835490699A0F715A2357100CB8932BEFADAD55C0B5D90C909F0272F16BEEE79CA7F7F1002F711BFA3BDE142FA6D5C908E8F5923291E0D48495E50DE065CFF609A24AAF17491D228E5AB226E21E790C13F8917C1284BE0434C8B2B2A3CC672D484A25A47820390FC50F2736FAF26E65E09DB68F52A9A65280789017F1336250D41C0DF4C93AF9E94036E598E6F06494068F4A59813D1396B00E65E179572FBEC6D30DDAFB3A898CC244E1B0E82043C1470B7602D0A65E455D297770265F72D82D584657316E52CAF4C8BA8CB4E3ECD82433DBDCE526EBC60217529CF03548CB114D7208B93726B5556E4DCBF2764712144024510AF30265FD4FB13E38BA677B34D69409F91F6F44DF602C9F84362767D1E1B587054FF7CAB98A3CD4BCD2319278F0144DA884306660DADE52096A10928C5AF800819E3D890DBCDBA7CDF1BFA4D992074D60CD6BA33C98CE2D9D849D60EDA8307B0F509AE78215BA900D5A571B3EAB6DF1575D7D2B8CAC2F03C4B552E5247AAFE2349F5EEB0AAA56627EB4D5C33C92D8B1FE5D591FD25828A5114C0F8B3B6E799BB69ADCFD03566C7959D1DB21B6FEB79E02006D1920CA35CEADA75B22A0B8235E9C6182872377B56A762AC54A719D8AED8DBA18AD925FD21C77E84D92A75F3FEB8692144F7D28")); test_hash (&nettle_shake128, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("93BF13DCDDEF177EECFAC1D8731237CBF8CE4459ADFFC34289016A689E88E5B000553F08989EF2B007ACB4AC69EDEB6CE2E5A7F85C9D75F7656858A7B824472BB89C2D25701CCEF18E8707D2C3444A28AE245D337CB3DBD4E2000D7C44D474CCB34033AB203D9B1CA69816ACE4569771E1F7F66C7E482F81A332D8D16D0A4AB5142DF5742570ACD048C52E8BB777D68041A67E870946AEC83DB5464AE2863020A4126EC32E1D64B5B1A21425C66471C7FB6C5CACA4091A96ACE9BB25DFE5627562892149EF463ED60D03549CB9643E9BC7403B244A0E9A5A8A38FD785984661C926FD959117C229EBD357847F853768F632A0A2A0F1703AB5E130524A33F825731740AD0B08DF92F8FF6EE73C1E60A35DED2882675C6A7941DEFF0D934BC2BCE9005DFD49A9CEB0F08A27CC972A66232A068A93C2B4A143C57387C257218E850CDAEB93C474C8B5AEC355BBA3A4D0B09FA9F7F32534CAAA727120C2D937CEE1039DE63AA5AF5803F7A1BB2F203C87DAB85ACA2E68A88C9C7584C1444024109F9E02CB994CD7C89E87B976A6BF7D75E570D4A11D15640A4235667669BAFAD64CF940158BBA56184ABA70E6097EE4F2379727F7BFC5FF67595B3DBBB7EFBC13EA4AA9C1093EE2174B5F0304B10A089AD1980C8A64A9B4E29F68F2BCE9AB7D31AC30B9ECB5E009169413B64D661E7BC6D909396C25EE3E64DE744FF937F2498A361")); test_hash (&nettle_shake128, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("0DA9BF94215FDA7F85A36B7D31080F48FE09C92514A844E7F8E5A54E422997BE17E0EAD0C8CAF75A27B4D721F63DE3F4A9326E74081EC77A71DE52AA4E7DF346C7206C8ACECE21F739352B2EFD6446878075B585735471A189B32F41CF0C48C0E92BF492752792D05E324FDDBEAA786DECD3C0E24BE3CBFDF160F45CD87CF73E61C643E46772EF8C62DAAE119E0010FD84530025ECCE198B2B86FB6E8EE88F6C47F6B4710E5764F405E7856688EF030E5FB84B24B48292DF29260B918DD4FC54C325708B83A9E44AB92F67217B9EA0A488C9B45920B76A7644C38D36F9AE1A48F56284CC354BF35CB53F0E7A5745955E0E9A77400ECF97B0DEE9F4B32E8E7DBB100A1749762821AC0746CCAFEB49162B0115B4E3D26EB3B9FBF662CDCA1CEDAF5AD8933C7EC1CE6EBF154474FDECACE144F8B86E24B85C4FF0EC29736BB0B778AC071D2286EA20302C98B6883520D5B4BA22AFBEC4B6188FEFEEFBC487D147622B3E97DAB9319DCF6C7EFD3374FEC69D575BDAC70D400923234CC41435A803DDA6F1C1E91802F56D048B5147A1B9778FDCE25AFA4B0846D7D5FBD04614EA62263370B4CAA6E87E0B6D2BEFCA78E6A0B7E5A6B5E891F7BF4ACCB221359C98B3091C75FFD25805EC452F7251D8720AE51AC49620C6AD376F13A16A269942842FACD25C2F68A4B93A5A7CE9ED38C7285B2777AF32307D84A84CC5F937B7950689CF")); test_hash (&nettle_shake128, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("5BC15E410825D711C7219161491C5F068DC27D0B66B5A7F0AF4F86DBA7392037E886D236FFC9EA19511AA43FA27DD2C4B8026D074B3033D7184C95858DB5F237A84E93065F9AA4B40123AAF318356CABA01C20C97DF8ECF528F56B22A927C705F6DB6C2E64B60D36FADB2D867C0F5A515A2DC7DF26B151D700E43540B82A0CC2E105269EB6CABD3148871CCD3B2F36B101D051D60E28FA838C67E8F655B1532976E512DB752A2941DBF6FFBCFC0AFED99D379D4E86B8C32327F6105BB75D7669A2D69BD7A2C40DF3B13899377A29AD7D724574F545CD91A67659B3781B788B4E9EFB137BE1B3B8D93C491BC70581C241B184C915B651737A0B2A99B50E8786DF067CFE443879D4BF2EFA9970A2C214E538C2086AC7BC47DA706513BFCC4CBC6D5F387A9E3BAC080138F2D713C6C9AAD2E0CE7A938ADF4BFA3CF688CBE7E22FD5707EEF2D707E5004CF90DC880E3AF23A435A2682F9C117BEAEB8F5A57F521708EF7233BC6AD5750DF2272EC379142283BF5EF492240335740F43DD5042124C9B37E726438357472013ABE81ABE2C32E8E859E4D064C3C4220E5F0B5DC984EB1A8BBFD6DB41470174BFB8A1ED5DF559A65B1FF02CCFEF42DD546CFF79D34FEE13317BE00EABE8C6FF6D722D048EB757E7A38C65CA1A7B2418994D53CE8090122C94A934554D0BC3856E041D0A29F8539246924F7634B5265708208B4C59DCC084")); test_hash (&nettle_shake128, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("D289FC6490F9DFE3335FE9F43131ADE538280B78DC2E16822D5FCE70E0BB307FC497E1390E04108C66C682FD6EDC0B47450AC2FCA43C151982F2EDE9F82196CAB4381F873AC6E21085B2B64C21A1A5DC59C440ADF566159798D6773A09FC737B6CF1BFE0CD0C9B90346F1290DE5E6AECC1F464E1B3E522DF1A986D8AD7C2A42B1A6067A3448FCF9E4BBB2335A3E4276B330C421894BACC448DB09F72751D2EA50873A9DF900C775D5E36579DC26830C37851BF456085925185B91CCF9A35B36E5358C4CC4F1C807D285421192BE028CB7D5D3DB67AA11AB666382641ABDE3F1690490DE0D556B0A25016D5B7171AE26592B5C460E41296C01222D074B8C53A9F73AEC29C63E54EF0D68FA1E57C604A2F4302B7AF05B20D28E5722B0229EAB76FDCDB1D2F7E58EEBE4BFCC82B4E4B6D5E6FAEF0AC442B78B483622EBCD98EFA538527D4C0E72526D9CFD1F13E24613BE03A79CE2612B19D7C9B639D3C2BAD28E968E7859D224958C017637458526521C770DCAB61A84181CD0E92AA485AC2D3883070E8DB9FB5F06EB5E71D10C175E0D7EC69947D1FBFF8A857362383368F52C193EFC3DF83F5A9B6DDD53D736A3543D46388B2845632C00F0676715CE8C1AA3329515495EEAF860A9AFDC9630B06E9B5CEDCC7CB571179F35735D02D185D7B03EDA48D30FC86C239AA3580816F3AF360FE78E84364872C2CD9AC5EBA876AF94F")); test_hash (&nettle_shake128, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("B8C21DE1F120C5744352EB71EAEE81E9DE8A8CF6EE3E2394438013D9B1D7780803C28186E334A34B4CF17550AEFB58DE785E358D2AA6A61BD59BEB1B2F494CC9976D67085210D64FD1C8FFB0FE69814C2048D0937B17E79AC9CE6303562065D4C79438E87C7687B8B10AD1E8F9364EB9EF997B09B963C7A57FA9EAFED8571F5FF9B7981418AA8904FCC2267F3723FD67A427E7CD3D5EE6620BE53367ABA1BF9D2EE74C33BE1049356CD8A3B4AE481748872717394D6793A25CF02F95B6EE62EFD8E269841234F07041D5C3940C7BDFF37686B8E72C23342578FA0DB4DC21F4DC03D3539B851F5441B54BCD991322EF0FCC85C14DEF9BE72B8B4294EF34A6620854C291F91CA67152B48560683DF13F4DE00216180391AEA39BDD22D563E48CC622BDC72C990F795CC6CDC280BF917743A04854BBCAA2CF64128DE9C42E38B40107A97F71CD1B89DFEAF194674CDB35E036B45CAC35C45EB2ED6BD9F8ACB9402BE9E57ACC00E0AB6C5B32EEBB9867878C23F4275DC2A8754328DED15E206AE31B60BEEAF27F7E2A571C42994414355C28715621D39566FCAEBE6251EB5955FB8A9B1BF4D897A4931C5E7C29F27F28AB4D2B9950A81DABBA7EE63B679DF6E5C1DA4E23BB9529946E4F467A73EF02D1FF59D7141E6D59E14450B7A35BB4795EAEEE51545563BDF99BDB5DC0B17CC60FA04DFB3070930EE46577250FFA863528A498")); test_hash (&nettle_shake128, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("F1E1E702011F4A39197D769A6AF63160BED980DB70888266AFCB744A8FE41F1BD9A1B668B4A96A6C3C2FEA3EC1564592134854B26E31102D1B95F112118C959475AA6F2DFC300E389FD061FD6667DB36C32055901609EF59B3A8DE4F9BC05D52745C78E8D155738F30EB3A8E3B61B36AD34A6BF7C59B59C1F973B9F94C9ED61A746F85610B060E8BD04CC9691E7979EBDE5E9833AEEF21F9DCE96F61A21D2B8864F07FDCD6D3F2BB3DB29CECB6670E859A4962A5FE0179236BE7426E9C9B2A0B97D11B6C9E049ABAAB494513128471F88914E506C6A5006ED295F436410CD24B4CD1EC5AA0CA7A66E29DF6C362389C7A9B731E0720400C0923BD8C4A98A651B62AA8AADAA5FAD481E08A17A2B3F86AD23FF6303463DA6300B47483F7696962D33AF1DE2739C30346665F60C90FA35B74CC240D3831C01ED8CB91FA34A584DEA37846CF4A0B43B5D1C26597B2AA1C973A070F120F08C78A9FC8D524FEC1F10274F03A4A7E8E8C4C1FDB415A1AB18B4C1F07E1936F81FFE7F2A0A1A815E2F29334F1B1E8029E7E12A798187CCB20F6C1EAF91B14B61B2FE4C3852BC670295BCDAD418CA7FCF39C69FA9F9CE54AF17E695F1D614BCBD49FEE3935238CE59D9E378F3E596B34149149E14D9B81F0BB09C2DF8E6E632436EBD525BBDB657822940D25713B737A2DFDCDF0B4F6DD7920A8D1E69EAF7B764D0A469CC1CE6DEB70DDD69E")); test_hash (&nettle_shake128, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("98326BE2F713456EC96C941FA0B58E311C226474487F78734C8D0514AFDE43293116D6C33FA3EC687D1E9087572C68479AE1080FF8B2238C11AEA13D9A020A7B3FEEE56FC2FA69914489EE11B17CB9D3AF448525C3992232B58F2182AD27D93AB88B22DC94368D10B112AAAC096DCD8AB76250984EE4E4D3CCAB7FA3124F7B02D05111D97EF0CC52C5B8221383A6256C42762E546ACD6691DE9810FC2271D92834DA1992CF4031B98CD0919E01D35DDDC738D6A305C6E400049A97E14AFBF40822558832D23165CACAF16A514EFD6D207A95F97C330CA333C810C19AEFAE12F3AA267CC9FCAB0B73D2B7E5F3B007CD8055D0C4665C9C53FC818A53ECD9C0DA776EEB3904409ED63B337F755CC7783DA8CB713B51C720C2826711FF36D98723C8B00C4853EED1B3E2F8B8D74ECFAD079A49F37665DE5031F2FBF54DA6F1FB796913B9DCE2BA1206E4255F39C314A34AEEA01F1965C36CAF89A2F7FB9EAF7E9C97E2B70636ABF0ED00F59D1DDAD409AC33055E6F7517E962BC535EEDFCBAEC203F91FBD2B13C26A20F9C2236C55F4B506C7AEA579ED3A0204BC67002D158D80139379DC23DA06B0DEFEA079E8FC1D51976757E9A455719C45B8965959A2958E75B7E6DA966B86029D22FA50841494303AB6B16600324EF918AFF9DF161224F1A7F26B7DF364772724D4B1AFBA11B5C114563F9DA2604A2D1B60BCC3C116A5E9C58")); test_hash (&nettle_shake128, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("D539B406312A6A14A2CB8C2B2BCCB28B7C164DCA4BC34564E65B807F59809E0844FC897BBDA2FD7A0082BE317B8CD94C2B2DC8A625691D56AB21A2C854CC6952A4374CC34374AAAD9090326D493EAECC945848FC4653A15E2566A960CDEFF139508882B766A1ED60CD292C696CC75136A6DBC0BDA628ED1E16129A9025D715B7F83CE3A35F4EFC7178BDAD06FE6030E086D416775BE9DF9DB66A365F56129F7B25A8701502BD36CD439A4CC122DA4D78B1D832F5033123D9A9D72EDE2ED7D7815EB7A3EABBD21E2E507DE4EC4AEA0B40792337953DCD9D7BB952F710F8BBCD7E8CC1ACF3B7AB4EEA9C066D9D0D27AAD600405AB5DAAB1FE4551CDDEA659307B7ED1913BD8635AA409754A1860377E0453A63EE7C2C6CD1A33099A81240B92382572CAF3698C809237548002EAFCEA5BD042DB3A7506189E3FBB4DDA6DFB1C95BE136011FA127B0FA3A4A386DA3C327B072417BBC5346A5060D770933142B6CEEEE1021BC0DE076C2FC8ECF7A16A6CB752F39B8FA1EAD88A7D4364204BF613F5B108E2FB60854F801210180B9DC4757D145E715D4E2D79A7D4E8AA891977DFE08A92AA423A05D22B06C6A3D1EA5953214855BE7CBE9C2E62F2A7171BF014F3F077AD244FABF9C1584EE12DFCBEA4E4816C470AED4FCB900A5175C35189380829E92805E47969FF5A1C3B52FD850FB404BFE189866844E7B586DCDCBB236910011")); test_hash (&nettle_shake128, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("60565A24B70C76463CDC5397BD0C077B77CC70CF33128A0366A7C30161E21C32F2F024511A9605040D699E1410311EC3E8952938C91D73AD71803BE3F7AB60E2AAC7A91D62FC0729294BCBB031DDD5926F775FA85D25C85E1CBC349237F9D1E400E64C15A797C1651FBE5B8079D586BB751E1B765C36A40008C9C612A8A67C49A2D4C15001562D7F7197CE107AA7601E490FD3CEE738D397A5D9E1A9568385A243975B9AEF5E24C4235CB3612527B7ABB7DCFD22A124F9BF5E1E169F2F58512B8AB04F4953D40E6B1D4FFB920186E4C0751F5D8516F142C426F3893B6B4F45567461059968369B3D333B74F9A596E7585C6646AF458173500B052213EC6074890AF149A6554A92106868A64C3957F43C8730DFB3136040EC688ADFD0E79EA74E07F6A6418656343D24E446013ADD76058241F19F5CD42F256F8E98C7A5F7B9C4CE3F5D19CFAE69AF8DE868FFB5807DDE0C4A5DAC1409297C5B8AD27C1E1B8FFD570BC41F71F21AF7C9639BC6502511FF9D6CF63BFE2E8AE791B50527D79334CB87D9BCA919833D7123B8D77F96D07106BDB50A3C4B9860E5E1CDBFE4B49CD4063D0C4796BFF2FE1507F43CEE6CA6BD19038CD6B7118120C25EA0DD1BAD05018DF08DB67AF168880C284DAF7DD33A7BF18248BA7E79BF18B68C3E14664D0E1349D458CE7E128999CDA5EE706FD48FAD8D0489CA8C5718CF3D2C16563178AE3309")); test_hash (&nettle_shake128, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("7FD57AC85310E74667C025609A2CD37D12EB3FA49F9D9B9AA4568C1300C4B5FA69B6591F82D4C7C5B25EE6F4A6E2521090ACA1588D75B4F6BC1D58B106E825BA2409F84BE64AB520CF4513A7BFF52FA7A67A761B86E9D749FFC71532F202A2B619FF772EC25C00C269E7FF10EC38B93999DD8BC7B3DB40CBE870CBCEE6C0A6842A72F978BA9AF677CF4F055762ABB1C8DA60CF57E9352C48B0BDC0031FDE8A146B8D881DD4D0D05BD5D14B52C89ADB6A27CFDA2B3D7650EA650BB75D86748A722D7E3003E10E43D89AE21E9155231556B7335F576A922248EA2040DE648A0D49D8EB88DA240E586DEAAF9895CB2F35CDFE60E61D6643E5B38FBE40E82BCC8462FAC98F078DFEF5D42E1D562997EBBEAEF637FA8F65510E604E99933D92798CA05DFEE0E935910BE5086DBC8BA9493CE52CC49B85B062164F6BE8EBFB4F0C27641B65C397B92182A47D4E926C6D6947AAB598EA0D012EFC47556EC7F6407A2DFB3CBAE71237D968EFCF9192379384FD2DDA510BAD5B30F01852064938A17C38B6166170FE15F09F645CC740383715DC35C98F6E2738473D324C7C6F63E76124824554B0EA34120FACD2826C7F2A717D2817D871BABACF1F061CAC045EA61BED8D4AAAA1D41A277E50C09606B1786BE65E1ABEF10F6DC6D28EB8206D3E3B8A56FC83728291420ACBF606C34B2B3E852381EF31556FDAA341E05BEE90DC9AB7173D")); test_hash (&nettle_shake128, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("CC03A5BACC26E1580F37813E60005111261AE521159086C7A6C3087E238D2731A02BE233200FA54BDED93D6959DD03B71A1A4C7CCA20E9685406F70D722DFA1718B3A169BE6A8C5FA275EAC81667046A605AE8514BAC24F216358A27F036BB618951A1FF5AECA2F64FE1571CD01EC7139F86D370BCBA6A721520BC115330398F55691D7A212BE824F27AA10305523F7C11262D2EA2520D72AF1E34A887BBB4A8DF9966FDEA757351EB67DF1DF9F9DFD7D7892D3CFD1F0B8A3A16AD5055D5904DDD900E4A5F94941FA796E8F32A04E807EDE1958191D58551378A57087A62F48E3AE2852EC03654CB142D2B851C5995324D15927F3DAAAAB188DDB6665E08596B71D9C2B740A15F8E78F02C6A820C79C3223A98D79D225375F6375EC21A5216A9D01D0238FB456857E7D6611CADC2DF844D99C6380CF59E7BDC268CE91D733FE00EE99A50ACFBED98E6AC17DD8A377EE4AF9F318BAF14143AD4873422DC56AA6E4DFB6B0C312AB14F16105D8CBEB7F57DA85644005CA4294FC8667C1CC1FC78256562CD7AEA9779899F431FB581AD6CE91A46F003248A42BD286E9F4A0909DDE99E2FF674D4D5E71EDA126995DA15F9C00F11BA6691E3614CE6FFF05AAD6B7C63A72DA235E900698D09BA3787742EF61701EB25C3D70927272441709D2625B23FC97FBFEB1FC06D3693509424FF5DBF005023CE06D80D7956D1DC0030BAE8D0BC")); test_hash (&nettle_shake128, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("FDAED26927DC53F12F002A9C47467A4EB53D941B08106D6CD0BDFF6021B6AE116562D2255562F70BE884427A8B6D593E0CB7040ADDB87663E5F03981992435C2BAACE87C49CDABDA178D0663CF81E96C2EDFCB6D50D48ED128128F6F3B56E33BF33187BCCB5C2BCEB418DACD4C820EAF880B80E32F00B7105615CE305065716316221019A84CA2D29FA57565CEA5239484B8E9740AE07048BD0F75B50827C138979FC9671B4E684952DF9A681E0C7ED8101DF50620DEFD82132EC81F5073991E65E1DD72A52B596CDAFE6C5B6D9205533EF15D137A1FEEA7564C03E3A19E2B9F40600FF1A66A241737EF7FAA29EB83793BC40D1E48CDACF3936C499B572AEBF2DEF5086354DF7DFE682B9C281F4CF68405D0268168F5495913F930B6009357867398ACC5F951D55D854B0C42D2E2127CAC73AD0B75139111414F6D6A68E01CDB794EA6E524E45A62A82970D22168F37ED72575A513751368718AF490E28ACC47D2BB7D59F567DAAED80093929FAFC0EBA01F66D67DAC97A99886D0B11EC0C4C23A593BBF05F3F80A047A07C883063A9FB967CB9A796D18168D0A7F731132AADB3D105B1475C583BCD4B939015F460FEE9B6F23B0D3BB3E2E7B7C5615AC8EF7305567397EC4C1DE8EF5A05C2A14196AD00660DD0FD11838A707C0FAD38D343AD9D65056A4C3701490B3CA235063D7D21BF02FFB2E0DA3D9B9092E20DA716BF450")); test_hash (&nettle_shake128, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("F375FB504784706DCD5BC3A500BAE8DE6630009D865739A0B30C81C74E0379A59996410854FDFF996B46F9F30BEDD7DBA1C5801A68D1D3792119D7FEB29A648E08502CA04637AFB9427027D59E9DA235BAA4D602AB2FF257BB5FBA4AA79C9D285E99FC4314685181020C2E9C1CFB22D1E7B1ADD9C037A7F81B7E0135F9628CD67B8591271BC12D025322BC21E7BF4E91B049E291DA2828DE012384AA65E3CE26F98186828A3C144A095D82BBF5A325E41DC28A33828D9717BAED4BB8BC50116CF39C8EB6DF037E29ED6A32FC5039EC1704E199AFF83768E58F1858ED741DDDCF75E8B2621BBBE14420217CDAE7561C24213F76530204141EF5C7CE0A76C587C2223181F5F2DF58BA5D89EBD209C004F5A2155CBD896A17701B19D5CD5D555F2A964BFBEF27D22FB428DB161C0AB99D040AF196EFB7640EFC55B7CA8E1BAC86F4368F612EDB120E2A7CA084B9F5EF8DA0A11136C760DCF4426CA98F20514049BEE2F9E6F66AAFC4225CFBD4397BBBFBA872A47BE903EE0DBEBC7EF85A1395B14504C18A8B5BC5416739DAA543DFAD6B4B8A88BB87B388A6974AB90756E836DE528869EA2734E75D8AAD84EF1A60BD371190808436D5C7632A2F027C3CCFE8F3D94B0C262FB7AC99103B0688238BE68F26B8CF35876B6E214ED1973FB44B9C3F3DC7D7296BE8E150F82E80594E34A3E008EF40D9647EE26E1E4CFDD8DC673F2AC5")); test_hash (&nettle_shake128, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("98D27AC62145261BF2CDF99F8F77AC04697D2FE6F1531D3B1E113A7BEA4B9BE780394CDE5EC43EF820B0D39E20A287B29390A68091A8938EF5640437A0F09F5262BFB4C55F703D44E7E21EB69C27566B66BDC95A525B988BE281243DAC0CEF5E04195B318CDC96035205CCC556AD42B220FCB0E01516E66D8CA2D045AE0AF7FFF91119CD4C92E664FB339203E8C0B3766C78874DC85D48FE668BACE760A96F5D562FE4ACE97FB33C93F160057C0475EC440111C46777B0E2C95DF666EC753057596713FF452EE59DD7E1D4DC278238518E23C78E8882393B86427E8F6188D7A08D770B2D19E08CA672C89582431F30CF4A0CE89E87A635EC2E05765DA600115B704E35B787FA90AC545877EBC8A5616EB998380D4EA1C6B127844A422789B9B3A41DAEE940F75CF975B464736616D80D89387C171D919874F38453AF44ED16888212AC279D4890CBB5672254D76D5FB922412A2EEDA598087558B1E89528FB1EA285303ECF4843B18EDAF6130D1374273DEDE9EAAFD6E6F448547E96AA385235919600E4BFD04CC2BDD89E6860ADAC61E73E37C563709F3187439A305B9EA8DE8EB552A615712451D1DA495A8E02B9733AA1F7B78DE6C0F0CF6A379959EFBFA8A78CB6E93A758889D826D7E3DC741A10BFB55544993683B2383419D3F5BFBAB13EB1EA0575E528FCDD10FEDB0C0133C8E78FA0DDE413FD951262E0CC958D2850")); test_hash (&nettle_shake128, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("6095C8CAF02D995DAAC5F6CD94A33FE0CFC2743574B352FC35A056135D20BE12FA7826DD41BACCA18C90060C08C5BAC8B3E706622A2BC8AAD1FB6EF93259A5B8092540F68497F09E47476F9D94111B2FAFE27CB04DEEAFF43A435E2A5C0E44AAC6DC3104453896C9C702E8F59BB61A62ACF889174955BEAC0319FC897BF989C97307A997F4570F3544E5A003F22A7C5295705201F025EE7D6B5B278DEBA559FFB82F22AFF5DB6D534E6C50FC4E55FDAA0DCDF977178DB7AC2D98416A6E0F5AB5A49C29E414BC0AC0122D608A592C605E418EDCD083B26429BA0A1A53584EBFEB4FC005F144F04CEACC971C9EDD23950A1B7E6A4A9308C517FF80EBB1610F8E78D963E222BF148659BEF6B0C8BE1F466FE786128431A9950D3C70493D1CD72731D0A3C956E34F35339AEA578F614806DBAD3C02389643340DB162661003D2CF42F1C913A7FAB77EC3B9E8E3177DC0394305C21D6E9713F34516CEE321992E4BFCA4DB5DD03E240A7FDBC83826EFFF82E2B36BDA326D8FD0C858B00E02A83D0DF7216A475CDF0A37B0389095F501CF47C497E23F199D711991FE71DFB56D789F30C86D3BD17C8BDEF8A797BCFD3EBCD5E62CF99BA0403B79BBC8A0FCF4FA7C4E65B674A796AF85E7D09134FE214CE8355EE337FAF6F04660753C1A96D95964E587F72F0FA5BFF435778084EADB1807DC66772850152AEA381866202C8A38723121")); test_hash (&nettle_shake128, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("765A48E25EE43AC1630C65BF5138F5F792095E182483DE8887F0F56ABDFC0526A5B9EE792A2533409F3FCAD2B9CD43D7CFB5454194344169DEA3FC67CCB5B9969449454E18869E7CFD821ED0F3D655F5B33C528BED1778BD504B2C84BD38DBCBFBF5CAD7E46F37394622C4B065686773AC0171EF70717E8C6A887AD952343D02EE96B4129B3F189C631A719910F543540DE4AD65993B634AFCF313100771468C81B0E270769ABE2BD6603E525682AAF172CEDEADD12D9389B86DD6459DC490CB89A637F6E24C5819DFB51C817A3AC9837092D408C6816B57A4B0DCD0FD1C7AC49FC012BC9C22D16C779066A670252515938764F4E05FC57908FB67A3C6927B4639014AEA06EF91F8D43E507C48A567F36B94591EA1319D7F266722BC9AD6F5CB8196994F7DDEA570720EDD94E6C56D215D8290CF0227DE007B71E80B65301D53363D51C73303FDFE76A064BB1169862A02F541D782FC64C3DA45FDFE2FEFBEF8A9383690F1D6C695855387CC206B9E7266D6E6C9A2160074A962DE01FEBFABACC6E88CF7F724CB4B2F09862D63CFCCF1D880D956E7E5381F44568DE6BADA3923F2F09CAE80D25661B9431201C1918DF1E442F26710314D8B3F88E94502E6E9514C2EFEEC7A816E82517767BF7972D6329BB54AD1BF67842C449F54C8CFE2FFA312129995F17059F59E7AE05D21EA17F8E93C1FF4D9E2E71C9ECC9DD5512FD374")); test_hash (&nettle_shake128, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("270EE64E434D9CFA8A81B256AA86959D6D9E92B10325A1816776A309002E7C9346F21BFCBEFFB2FB31BF7214572A7F437E3450AF26743B418CDEA45AE28557078D8275E406864BCA916F178181CAA3396B8582B04148249102D761111507C48722506D0314A05767E89B3D9D5125A43A2B13EA8827CCECAECA6CBC864B8B7591B15BBE0BF1093CD15C5C14B4B3705E37CD97752CFCCA1C1A4340C02298B028A633CAB0E218525E94C3E150EEB8BA36C3AC4E8EAFA5ED05D9A79519CEE2A8B8EEA9D8EBAF54624ACB2BD593CBB353BD2F577CAB60508DAB081BD29200E9A9E9357978CC15F4B98A383C4A46594303143AD019D5BCB052504EFD2ECDABD1731DB02D6FA4AC9E1D3037B75B7A5CFF8702F8EDA7F2CE848A0B96EC2F7C62BDB1E23DEC39AF110A4E6C0597D61C8AEE900276FC7B1AB2F63BC9874A00C79705D87DE2135218EF233C8939671399A32C02DB4A6D779F7F933E7F7A467D236178E2137F1E5FF53A3E8FBBDD8D01B737EA95C762B4D4D65BDDF50C527E01DA1A322151757E0F10525196D3293E1443BC7282496F3DA971869DED47DDFB7BD99E799EE60FD3CC31BD4B3956DAF6D70F79D4A5E4348004F526D90CA47D7C3A9EB09074EEB00D799F14DE7AE5A4615D87496FAF2C60D1074C194E7CDDDC0765C7FE7C6FD419335189C2D584438D3879C50D43E6CB25D5776B4802819C5DEC7CB2197B334615")); test_hash (&nettle_shake128, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("652A6B87D0E770909BBAA2172F47CD05B7A07B57D9EC47396E9CCA40EDB76B99BAE0A8FAFA517D12ED62B5E95AD89560F3EACD241A2AF24BB1F02BDA6F0A5ACFA85F4F86CFF75BE9E7A57E0F182890C39ACB6DE889D24EA360DD5A4C59E54DCA7306AAE46768205C3440AD777A853DC8FE2D2EF2E6A5FDEF23BF514472B89405FE1B7342AA4FB448E0EED8A46B6F259073057571B03A4DF2EAF696838A51449A5F7DBE9644A9D092AC68B9A30034460C1891A389D06A2AC3165ECA91F203DED47B5192C8F6AA2E5FABDE178A012D94A8A35A1D446D08EDF55F4E4163C2BB9C46025D8253B3F062926D17F853728EFEFB10D69E6846BCE7E7A037996654E1C36C3A55404A1FA579A1D55FB95B30EB61EB14A29BFB54878C0D59A4209E1C746F7B2A2F2A28BB19A5F0342026BD807BB366363623BD68D4C9D9BB42D2AC67DF49DD3727F4D2AAB52A678F6F98816FC86BA0073F4AFA336A32CD55DAAFFF5D993926522D770AA44D62F6AFF7E758AD33DAE3C642318894C2DA99F43ADF2F97E53BA48657604259A8BAC4268933F1B97BD47FB30F95AD284F8345D6E013AEB9DC2478CE49CEB054555D25E36B13B322E51BF1C1E7C062E328AA440F87EE883C7760FE2F86B487BBA73163A13755E6CBA804F0EA6399E875BDB2966D427933D66D82C4D17FAF6CDFBCDA36F09621A3923B4EB93A27E44796CD1C1770835B83E89D28ED")); test_hash (&nettle_shake128, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("2716A3A219BD690B9B0450CC0BF4F0713C46C4C02744F8F71DE261B94159278566583D4DD04CD573E79C576C1F25834C91D3AF69F3A301AEFA516082869F3CEB0F916A903D902175EF29A0B29AEE92CAD8555A26E7CD0395BB937750246A8D5A722DCADE4F44459A15ECC29B207FD8FFB8510722D925627372D86528B9B513967B5BCBBB233B459AFB5AEACE48E5355C3E7A387F9DCC9A55773276D14C85B8EEBE3D211FA08CBDD8AAC4656F028FC16A6D6083A969BD6EB5247695D8F6DE51C036A743D2DB7480DEA41C228FFDFAF129BCF0D0D5F7644405FF8AF778AD9A63EB54F62E1517EA4CFAA92F2F25E5F001A562B6B4D28BFB398C26DF8E88C288AED5B7AFE8686AA4AAC77C032D21203FB7BA79707A7E00371F56FDFEB0E607252448CDA319C39447ECB7C69F36424D74E33D723AE53996B35E5554182015493AE03DAEC5C31B00D481CD430F4723677C7B33F6E325A855300E66DB559DDBCCD550DE02D797D6B28A1EE01FA13A62F721BCC577A6C3363A03ED976391E969379BA3BB6BBF99271F3E5DFADDDBF0BB32DB9ECD658F0DA2863FE8F48CE2A13539D8E8276C083C4CAB1AA9D92914ACB238C3EF0A5952E5686E39D2804DED740E0457F69FEE9489B7E548514FEB18FCE21F265DCD56F0081528A24FCA7595E96D31CAEF0969F56B122749C74FA108C41D34902828B22F814BF352A1B5B52E9C65F75F232E")); test_hash (&nettle_shake128, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("6995A90158EA5FD54F6D4DA0C129B92EA3E716E196DE4AC014CAF106EF4CABDFB9ED799545A0E53E32ABA2EA78A6C7CB936947F79817D200F32053E81D10131278CBCB903980E13125C99B1696F26D355882A107FA65FA43766C929485696D56D49D371643E9D360E25668B5B7BC7CDE13B678723FDC4598B60B6B19B47791BA99F4258ACD94604F26D5587EE8DFF613DD53E083CB2B0A202930D61435601A1D3CA8D97C198CC278967BA493B675D2F42CF4F41072B7A9403DF36E0E15B8811E37CE1119542C5168C95396653F72FC9E59727DE36B693CA58FE374AEE8DEFC657035FC874B7851EC0DEDE274BE064D258C0B39A238D2863BF8B7EBD0F7E2C3FB2A7EDA6800DAB2DEF61FA8F5E6891652796C2E9CF586BB0549F6F73B3374A4D7C6345FF73FBF99FB25CA47823A4B0470738AA67CD26D2EB954EF40A4121DFED58A1741EF335E8ADB32A588452774FF26B04EAE29EC1AC3BD83D2F3A27AF2A464D29589AA837890D7711CC0AF76ECD6142EEEF1C904C0CFBB287BABF951B8A10281A7CD1B49D766704350C7612A74606D2BB80DE11A37CA9AAA1CCB91F4AAC8D382A5A16E0CC7B426065F3AF566592C51B52BBBF007F4F4B7910DD0C7042406F61E5EFB6E04EAAC76E07A7E86C6E3A5706B833C52BDDF814E1261724F97DA9B7887399B7FDCFB14321D8A16683C1DC615EA8C738F0BF6076E05855F80D8DA43F0")); test_hash (&nettle_shake128, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("791C8B8021BEE5393FFAF003B9C429A5ABD2E35C5C7F556E843D735265C5B7807343EE946BFF31F45B5626555CFD792F55465AD9FF95647A41D9759DE484A0564492236FD770ED3F78C92514B90636CEEC76D3FC44A6CCA482BCF45D3B5BBCDBB1EEF6D5D6EABFD0FD10B0B4AEA88C5FA68182A8A9805B5E90B1767C9E79500237D07BE59C0F09A9AF2236AA954F9DDAADE492D691E36F3F4043F28BF0BA6349591700C4211185D99CB25553E2F6F405F9D8E00FB658BDF4A091CBC7092934A6DC6D65E42CC9042F90D169662F80D66386489D2E7F750251130E1529CD8BA70929252551B0617C960203EDE536CCA5EB0C5217E9E4756D7B57CCBE5087A4FB9710EE89FF62355203DF415975AD106D84DD5526B3EF3432770B163856B4D46F7315F1ED70055CBCC4C78C5C0CD4B19FCED545EA00F0E2E9752A227445DEC6D50B3D73ABD2D81C9AAC6B53E108DA04C42D491254AF39584068E34CE2F4026FB63C29A52B913E5D2FA42FF7ADF413227B784711A3513BEA6AAA97DC019A25A0F09EE27A46FEAC4EC13B43E341C505C308ADA1DB5D72E0609A0A68698C809067F2EF17434F3205E03BE67433C1D67072E8CAD0E2276723AE7D9F552DF19C142A68A7B875CD7A73FB586E128856A9259F7373242C498E621E7F16E7AF57F36953001925115806972ED2795B9A2F398676BF37F2EF8FD4325863D599E10FD84D8D77D1")); test_hash (&nettle_shake128, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("42AEF4301642ED54CB1FF9B446BFAB73CDFAC0320167CA3460A9AF1995B5DD50C1ADB402A55A3E5C4F7BE66BB2041F3E4C9EDDF7F08826F8B9C1163B0CE8B31769AA72AB4C598B3BB1CD5791A6BC30D11F0591D0EAAB34D80F134734D792BCC6EA61AA535F4F28331AA6E9A572D43F776341C971829C67C0E7D9321B09807965E1E9C70E611A4BBC3C42743A2D04F50804730C857F02E631C1B81DBD33D3EA2539F9AEECA9842B3C95FA1B8B1C330926FE5C6A396214537BD06B49B7951AF0F9AE04D158F364757A52AB1F21B4155895929480D87AB365A7950B321D5FD0C18FE3FF63B10D3CFD74AF45774500AD3FAD98DA5D240D613B386E677D57211B8781AEA7EF4052A25E122064BAE6DD59B00D533E6B041130B89778DB87F88DD37DEB78136B55A958744B9769612A0DC6D29B6C0EF863934302029C800B50AB385DE742D436809C7665B868C83DC450E438E94EA3124DC080355AE5931797E75DFACD09A7C97345608E021BD2034F7660ECD194F628A9868BC0DEF0231DA66AB89E2DF1EDA2C403203F971C1E61E4098FD306202B9F96C78CCC37EFAA7983C5D7712034328D1E65FBE96DB94B3BD88732E60ACE5EF946E896ABD4E1F6978700C12C4A8A372CA54B6F8EFB3402B898838A26D8900F69393E56D2ADDD2A0EA26E7F630BA6D19C46DE493C516277FC491F1FE273D013F4A32BDE43994B031EA51C2CC8F5")); test_hash (&nettle_shake128, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("5E0693E64DBE678055A31D80DA85A81A1BA5EB1CB6394B7B1AA2ADC2B8C1FEE4F41DFF3623502FCC349D4B2BEBBC1311EF291EF47F490C6FC1323075B519C87DBD77CB94C213EB548278A6C11B0C321C941FBEB9742B690A9777875D8A1FD0627B5CE3679A6DBCC8B53D775E73AC9F951749FC353EEE7220CAB40F4F7C2EEA311CD0B50974AF188EA9742509C4121FC07A70FC28F0633B56BABB451554BDF86396594B57B1F88DFA07DD4F8C47AB5FFBAD03DA1DA642EF4A6E75A952E8ACB3989136B8A792E6F33B24DA2CC4E422192EEBAF121561BD33A6D79DF6517B3F001E674F39BB98D9AA0E15226389B17655E7B2796D75EDE0430A0E7D07039B8E35642570F6457F8344A59DBDD5128F74F9AB83CD152DB17987019AA0B27B6E7951CEF67B574D05535CEB5EB023A39B5731B6AFE6CBB8BFEE0F71819D791C288BFE9EBE6706778FE62A80AEF22CB9C0920938502F30A20FB4A4822D0C0D42D50D67FA6A76EF919C985C6306FEA73A3BF41006F0FE60C0D92B80106D8C715B97E35E39FA8ECA59220B86C2C46B9C61EEBCE07DA4B64CAD247A67112F6548AA693BFC4BFC9AE78144571CBE7B81B83C8832938A71FD3AC6B8E4AECF17FD2848FD9558DC5DDB261CCAAF083AFFA341EA295C7264F35734F5179038AB70C90E03BF53E3FF438A9C0655EC38F5B9DAB7A4C3BA852A2A0593C80999818B460015C79093B1D6")); test_hash (&nettle_shake128, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("B620CEAA437E16A85BE761A8563AC80D9C49608DD0EBF9A4F049B9541623F4A3783C9E67B85820BA44A80F1AFE3FD835791D9F3C785BD8A77C9623EAF11F695675E3A2FB951D54050D0500688860BD270D3B723BE51579B81CF4ED94CEBC294A97BEEBB5A851160012514D3BAFEE6E275ADC7BCC64EB7879C32D8E0605241786DC3CC1BD44DB64BBB2E9C6E1FC581A5124A734625CD811B6BBE00B203319A736EEA07AF977190D777C12465E1614FCA56DB7154F9C456F59989062D60899D7CD7925DF1E1AC2EECD9B070F7E380B0775089F303B864D5CE049C55177E3421443B508EDEEDAC6307967A4321121EE2227C47E357FA92B741FAB390957CCD9337B42BC18E6981FD9EFC9241FDD24BAD0C6772216BCCCB92C2EACAB3A312CE020216DDC9175F3F86343E204E1A76573294DE6EC6BB75679379645FB973C37354323E15202415172D7F3D6A1060FCD35DC011B3B2FB4FAE21C69AD0119191BA4277ED6F71045FCD69F267E667DC4D219FA256BF35ABFA06A05738D212C42EAB91C2C993A5B6ADF9ADC0F276E79EC9EED6F115AF4BCAFBA9CEC43B0532038E863B2686996E997807ED67DE7F48C14B17D40CFCCEFD9A943CFD7C96FC665EABC70E606213DA37CD7EB6F942A6A5608305B8CD8B9BD4D625DE5D7DCCB554D3CE466D6EA8C1D9F111FA4E96B253EA11B4DEE3BE218C880844006D6401659C35C2A293DA2")); test_hash (&nettle_shake128, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("224D0DE7B21690B72A375907A10A4284E9E730A20CB3B4FE396CC6078D9DDA5D1A8E81934745361D8EED0B31B6276DB8F280104CC0E0FF4B36723CB302381A9BE703B0DE4C624A27996155599204DD2E219FF77008463BEB4461DE2DE3010A002FDB300C24B1A80C8DF311C80D174590043EC365FAC147A671DAAE41F38914E1E6614CB62C4DB154735363D7C7B7135096D7EDC6DBFF1DB407C0061C3135BA4577D5682E57007AD6E5B9ADC87DC27EAC3D03B3FECE4D9B4C2B2667E6D9311E342D037D58BF67CF38A4AB448AA4DB2C847E678F66AB45F0BD1B581AF6E881E63FC170F44FD0F8D87D6FB160A78097A4896BE055D0167007D9CBA610DA08C8C342E4BCDACEC6F0BBB30108F29A21947A9D842510E68FB175078B9064364046E544023CCAE9448C0727E8FD26330F26FA60EF891489B8CFAA623086372C09C0373C9FFD7E3648EA0F8DA7FA99D9F2D6617C0467F2F069F85ADEE5535100C519A528C690EE9192A888ACBC11BEFEA2B81E8FD380CB8679B6D80E37CBE3271AD1EF633204A8B97DA2E05565F8500DB9B1FD8032C69F57409251932CBDF046E0AB99896109F2EB1217351B242EAF3236139F20EEAC594750231186628453970F3C8452E454BE3D4D80E99503F350BE1EFF8778ED13F3D8828768E2F66E03C246B4FB59CC2CED5CDD266D320195A601C4E4928D84C62CDD8AE2EA357E4A8F34223FB18A")); test_hash (&nettle_shake128, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("78023C45DC98541F14C21DF4148A80ECD01F52EBEAECF7C28E9FE2B2C69B4B882805515064800089E6F18223A624155DE37EC8EC07E68E282204F3AC9BC33F8ED6DD98ED2FFD9EBBD0627B0EFC88F7BBCB7815795928766698DD530BD0AA461AD9499971FE935BFE38B6A84ED2D842572EEB97D7290ACE13C41899656BC30317A95EFAFE163494EB7E358FC31A39A20012A82F564813234D598EFDBA11EDD2B0F3A2554BF4FB216084772DF94E3D43E55F188BD8B8B5B297E406F2B8407FFDEDE7EDE9227ED6AD78E098147A658269C26CCC0F2988F06DE00651A7156407CAD75884EDDF56A755EDDD45030A4C43A82D55600D8FDAD155D13014CD27F827A30F6031E0173A2E8DA9A8FD9F7590ECA5F37747E5ABCC9C0A0EA589422BF9647F3FA9893BA3616C38C15ED6CF1F9EC2A64B616A3C5E6C5862FDEF36E2A44A911269F4ADE8F7B90272EAB51FDA36D9CD0B88DC8951088EB0D7D68BEBB332D22C4240F5DD354CC67650CFE4659D354742ADA6828A7CDFA82F77F1C846361087D14173775F44C8601A56774280D941F256A89EEB850056B38480972A6BC0D893A2105C584BCC3E963DF2DCA0B39B82823F5A4261FB9D4412ABABA7785FCA635A84BB757E1380531F5EF986F3A771E4948653178B240A32F8672B8B655F0BC832F853C206D2F6E73DBBDC2669DA67666947EE50CA82CCA023B5A3C485A9D21623D8A3D8")); test_hash (&nettle_shake128, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("31EDB63FA182A6DAADAE56C08BC794E74677457C69CB23EC82D2B8F74B8649F79754A8D9BD42BA3BDABE0C4A161F7464D2CD80972824E6A04BD9CECCA798C2E26937AFA93194246468D66BC8769A26088513962435D3DAD9B1DB5544E6A2050238A242397FF6E7419569AB3CE2EC14C54481D634F56D1F32D453AAEB23B2078502190C8D1CF54E467CFD51DCBC6E82F95197AD1F6CD301849B76CCDE540CFF8403D19ECB88DB81A45FC13629800D000FC5CFDF508014D4324FF6D2414535E5EF3418555B81AA3CCC74FFC80C6F4F170A3DDD304D1D5EFACF554164E0EA798572DBB3393F63A7B9C066AD68CF25AF0D36400E427A5DB9B3CE639BE2DB8EDAC6AB1EB2E362682D6B0ED0D2B84CB28B56F1AF4F4A9DF0FAF3447DE9A2841B49CB2AFF2423A2CF58930D0BE6331349511C26D6F07A0ABD32A54F70BFF5F43C599AAD00931EA7F28A85010ABE8C93F941B4B4931813796419FB41F3BD0A6203B14BBB288116736B3A31CB53FF26EBA377624C1A0A280B768DADAAC7AC69835D8C324234EB907B64053678F629784C6CF34E0AB5522D6E9326998AAF24D1C1C62B93652896CC6A9BD7DE4F4CE7F6D309AC957C2BB446E6BEB8B026537F7FCB7E45BA1083F1D690BCDA15B1487DEFBF59DCC1A5A6EDB3DFC783B4224702A7F6E466B4E48DA6C1ABDD918512783B6A7FB6446D32FB580FD292F2EBF8E3D0302545B8C163")); test_hash (&nettle_shake128, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("2611992C1226B5B402F19662FDF3D9C44D118B949C8AA1073B8BF8A5DAF30D9802DF7B1ECFE6A9A1E9DB9AADE3B308867397BD48B89EEAF36C3EBDC97B35EECC2C241941CE702A0AE96F02E881F82AE2842E1A7BA19D3390B2D4B5E2BF3883ECADC81AFEB6543DCE3857FAB5F926B1621D32AAA0B1BE10452A4E4D2229B0E50B478E28595E564122318ECA4DE680E354A745501A8A11AD263E22B5A69E2F70A3F53594540B2B9160C3057A32E633C616F6DBDF8D6EE19936CE8EBE8BB7BBC118D720EC88F3536FAD10FB623801C720D07365148672384BDC9039F0118C356CE20EEB8CE68E7C85A0E4BA3AC5BC7B21E6B567F13FA1D5A4DB953589913CF2424B7B3DEF3B234388B7327A4E737B590B9AB1EE126D949C630420A04C32EDCE22DA326236980734249CFAE18AC0FC2A253CE77D2813694FFC66B0E60D3AD245AB4ADD0BDB1CCA7E4228B73C18335558959A06BBDF24DA8095184B31CDE2F4DEAD983C9E29DB2D4A3C5C40C7775EA30A80CDCA44B4DB2783379074017FFB6F27E45B86F26CA42742DB1B11E11BC5B99D5642E482409AAFAB2BC833B31774A8AC578BFF32131D714B2F8DFE91F4DB4448C34E341D26FB64AE00E5E985F16A35857E44B9A846402858A192EDC0CEB7A6FBFA90F0EB6D743BDA4BB9C9E621D7433AE693CFCC991B71EEC3B03DF1FB03BDBA05A63B9BF17C3CAABD40808CBEA2DF0697C8")); test_hash (&nettle_shake128, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("6E722A099B2B47E38C69A0B967420FC5C1CA2926568BCE435E5F97D945B261C61483B45F517827DCA03FF3AE670883077D5625112ACA377E731364932767E5B3AE406ADC06283549D64FBF3EEAFBD79064420EDD544914FA479355F6BC6CD0A88269EB1B4C5E6E2F43F380BA5C1D343338FE73DA047E9AA9A06C4A14AA7096B5AE025759244A99A8FBE61B7E326841EDD3779A84591E9E44E810CC24870B42BCE705F06039FE93627B51DBB8163CF8D4AC0AD3983ECCD3A90A85C58AB222463323D5F786292DFFE07E607C100D2C830436AA1E4741ADC7A7439053045EE3538822CADFE37413EF7948B67F858951DF901A7E3D39EBAC040EAAF4C6277656EFF711034EE862DCC247672DD0BFF9B577286750083FEF332F630348119461CADC2089C332F9A0078D074CEBEE2E8B5B8A1A5B4818A53E9C99C330DA1682073A7631ACF1BF621C59AA45935FB82E634D2549FF405D36B23327C66F9B4C7E092B409228F8B0C95539C3A9D89FD7FF92D2F811055F6ED23CFD984445F7BE0B906F6A920EE0AF326F4F60D8B5987C736710796B33E58D2661AF11F8DDDDB12A12B196308F6493567904D49124DA69D291D73B104B5C99C002A6606718EAC2CA92F8A6BE6328A5DF6968DB53CA0DF2990B68F0A15A7F8B006BAFF2483A0F6D93281C62FE689F5856909CF3C56C5B16169482CD779A3137B6C702C7641B2EF2E9987F5497")); test_hash (&nettle_shake128, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("7B35855B74D677AB6DBDBBBEED8F8BED3B08DF15055606A7E7FE9F5E319BC70BD9DF00A8571ABB6E6C202461EA00A2D701DA5C3942975C48D78CE565689E36379EA603FB1C6C53B508E0952B892A5ABA6660980A38FBF7C91D43BDAD1F3EB20910BEB91502404B21D3C5283A0A88403C6AA47D9DD0A04A23DCEFCD3527E4E961782A0E585AAE6BC9B7E6ACDBBBFF9CC76F757887174CEE9CFA531C380467388FD2153BA8ACC2AF706F35667253216D3A1E623A747748FAD46AD65265E4530AB84D39D9988EB876853E976156900D9DE464CC2C57385F55242608C9E9C26B67683293B1F83181C60BD77549C576F2BEB8E54B3EC5BE2FEAC8CD340CF104B0A49D9FB484B538296B31E30E55F7A8421E5E16B91869214D2F7F4DC68736E09FF2981518FF83F24D51E5F9D9300938600EA6C007C9C98A392B2E63216DC1F07EF4D602F47C1F234B857D8650D23EDD344152EBB5DAA47BFF8E394931397AB2231DF1E22C566384112E8560E69EE422758E8A76E03D16770E5D417B6FB5C68D9CC93E16759987FE02BB8C99B8D368248A6893ADBEA888315D4AD251FC57FB1EABB2AB314B24ECD374F4566989038134788F344453714F05A81CCAEBE92C75200FD8A019E33A362722F222708C4F3894307D09A4B4D3666002A8EAF2D6CD19DB119A957D2B66B0C788241CB7702DDECB63142AA7CA5B028327CB51D72904F2D819B707")); test_hash (&nettle_shake128, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("5B31C72A95D9EA4AB6EBFB2B2501F14EC41223A010E123B68865DFB7061F8CC00F69BE86E56A376A377E9544860F44B543B48C8A56C6A25546AA7573C29DABA9B746A94EE82A33825047C019EEAD9E7A79D50362F649ACD1EF27DF8BDEAB02965AA0C0CE67312433E0511B19A5D213EF9720E688A80CBDC7BA1C50032701676BD4AAB79675F85F76B7458F3E6D723C62802B1892F0C2B45138142AD9EF329D771E6873BE098CB8C501C3732836EED9165B69AD40AE5A642D980C7BC843FA76B605FB68872DE523C591CE09F21976AB47FF64F773B5D7EB54366BC003FD6F75745C4B14EFBD1ACDFEC8439550681208543E469274A1FDDB16D4125A01E9107855149AEDDB7E21298DD8C309AB1C1BD506F2D377042F27FC275017B642456C93FC882E3CF44C1978307E7B9BBA16F612E28E99D2E18D2D85DDAA235FE65EE40D905A845768372DD621E6394AFA4C59378DB5FEEADEE6E342D004598779F08EB9A231BA0CCDA0A1C7D19AC741505F0D931C73F241D1999EEDE40AA53A8A47F629937D29D1A6D2AEF1807BE7C333DAA332B4C5551A7F37177F484740BE772EB03D04E82B2487AA65A2E4AD00F553060C6A9577D21A6C3B731D9D1659E54BF14CE4E4B7932250A8F3711FEB7D9997A5C554DBA364DD1F16AB4F34B37FCF5AFBA5B06BED58E6ACD232D69963AAED993F51A1C4A2347D8119D381686AB0942190680CCA")); test_hash (&nettle_shake128, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("D4D8F990ACBC762BF3BF4382EE78466D36AEE8E7D3597C8ACDAE9A6245020BA5D936E82C2C8D7F861186D428F3ABAC5E1F5F4FA25EA3FEB4FCB850ABB7F654167118574A730CEB1EA5D4A3EF579AC58169CD02DEFB896FB0E8C0797D9A326C1AA696EB1AE150EB2ECE9B49725FC6C285AF8DA2908EED93B6B01512B80E03BDC74E9A528843ACD2B9FDEB352230BC1BD9F0F94EB5C9356259530E8E0060E0EB0751EE2F5CFCC2890E0FB8E5512530EA0D6A7475AFD535C34BFD14EBC48A0268F3FA671E87EFFE404D63A03EE92759C6490ADDA245BC924D582209E7406905678CDDE5529F68DB56602D546D2E36F5417DB7D3ACBFDAAC622A65560611FF98A262558B304728CBD7BA748174C0EB2FAA8907E1056B4AF0F820B849BD9411129F4FCF0CCBAA3400C2B7B16A2126C53EF6CA35122F8A8B92549E6AB330C4436268080898AC9C03C27CEE9164EBB9C4B1E54D211B65284047F2C535D3F871FF50B81C437DAEBC09507A318C296F1FF48572E4BABEAF96082B177B4B80BDFC2F99FC5B5BD6983E0DEFB28C98F5EB2ED1D4B36641D3DDDED2D8268C10900284B8146359694F4D09F176EEB550B7629E6A936E0BCE2877C8525CF4983327227E13B119791D465F9FEBAAD25943ADE5631F1DAB35AEEB7312EA7B908D19F257015C1CF6BFAA29728437F7620CC9C0B00E79F684E4F4313375845B9B524B3842FA0DD1560B")); test_hash (&nettle_shake128, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("77A1157DFD30A79C34D64CC29B9712C9E1CA76CA5565D0861D337627C20A25D85AA061B876A850B43C5EA74946D03E35B6669336AA47C5859EBFF82333C03741BDB0930375C34275F2B2CAEB83CFD28965DA12F60A646EE52372773DE04613A3DDEE266E20E0AC047B09260E0B69F4F134B5AB8EEEE481F887087C0F8639CD32C19FA514A3114E938EC70E8E7E6CF40D11342775C0AEAAFD8F8B2DCC884CAA603BC8FFB7A282FA6291BB3AA37F37CF9707632879532CC93C6F5C46FA6D6235D7FAC64DD9104FAF484275CC635C3F732C30B155E22552D2BEC2967AF002683DF1286F98F25D916EA9972DC6D2C5AF1A1572BC5363023621A33C0FE41285148CA9BFEC731ACF75743C9C64B48BF98FA32B6D92BEFC777F6B29996319BDD632D56F1BCEA5C52DB9E72BC71D6CC4D1CE7876B02FD48E4EB1110D727AFBA35AFBF8C43E3445B650F06C91B90B12C3036EBBDAEB3D2193129B22E188469A3C2D469F24B530200A08E931B2E95891D966C7A50C2365A73D169D010FDCCB7F3A739D4A589A84780ECDD84BB34D54EE5CED2C729A04B27F9C82DEB329E491C7B462308C397BEEC649E4D76239A75BC8BF28B1A8CBB81F25F73E53E19B882F0855AB1E93D45F9293508C66C2211E978267686F5F54AE987D59D73DB8144834FDB2DF2D52631C7671ACA994A99B8009C98A4F847B71A29B3A0636670721AA58BAA5A11B6FE8")); test_hash (&nettle_shake128, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("4031B77C2A88AB9A31A357652B5EC18239EA42FEF5B390156D7A50A1C1D826A52297B169BC808725B00A671F83F856FC37AB8C48E5D12E277558896F19FDE5038C03A95A3762FF48DFAE4D644B904845DCBA1145084E6B7316FCB5742F31325308942FC31D7F465F6C4D686BE9788DE37FB57A6CBC67CCC39F09831ACB1B1D8010254E131FF7A05031F031E6375CFBED440BF0D66F7021A927AD249BD3C78E2596DCC4E4FFC58D0F7331BED5BCF249C8092832C17C701C65BDA1DC9C50894726B04661F5FB4FEB570D5D3773E33D2DCD957C171ED631E4AC5A8F42B3828F78BA032630596DD8B8462A2F25E502B25DA1747D80F96DAFFF366E787A340A0AF43AEB8D95D565B1BD8D7F8DB4FA4C76F5F8422E6C240339C3DFE8D4D13E1DB745D8212BCFE232AA5C519BECCF64B38085109753E2FE5014F9EAE6761D6D600EA05CF0AE6D4300C7670FA1849333BB739B43A7CE58998E4F834309E9505856ED020EB8205571D3FCBF3A9D316A4A8B6E3A397C0200977CA95E854AAE35A5581C88448966112FFC0128F6A7B5DE197019D830C619D70803B72D318D78FA067DBCAD646857FD8CA5B6FFBCD7E0E3D02B6D13EA02B9C346E0000C2488FCA6E8E868FDEE7891FA12B095860B11B7C5459465D09B6A7B388D9BF6EDB0B99486A8C949DCB2431CC8EF13870BB15956B17405DD1047B6D54CC74D0D4EDC3DF689E09D7381C2")); test_hash (&nettle_shake128, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("31B51A74B7392B14E2FD94E248E7FB7740536FB6E88CA508D019066C6CDF83BAF2162F4DD175BD7E78326F1A5D6BD3A9D9B5874C474C08612EDC3935EE24BD643A0A3ABEE5626C43E99BFC73EA434872AA22BEA87311AB71880096CE23085DCD489FBB2CEFA4CFBB06D12CEABD4B1D28611606CAE04EF71E7B37E881C2C1089E08268CE45E0D25AAF6843B45AA50F2BFCBF8FE291FB2745B770CBD758CB0A86C8FA439893D93B5667011A8EBF345FA5059F062DA72D0E5C3417BBD3C6ABFF924EB6BC74F6DD0B30BF48848117E7820AC9892EC18DFB1B567612627F9C2585342D165418D211CA7FA4A1AD6511D3B68539CF2DB2F6C3A4C1055785517E0528A6CFB006B54808D7F897B0386F7514897874C5A4A3A30D8D8A277A6A59710D0BA870DF52F2A0916AEDB0870963C205BF49C6A2251EA92E2F9B4A9B9DF98BBE752A5DC258E55A8B3854BF19873F1908E95B537DE470319CE3648BBA5A038D11C87B4FB9DFC9ECCA1BED391C0D48825B022132DB26FA3D17D60985D5D0611353F96B03C4B5831FB9BC0C411D1909393B54734B59B15EE26A1952438C886D61C5FAAD119EBE8576AA904F18FBE19C549ABD70F02B1BE98D343CE0082CB6005DB51A6A10AB5E50A89EE44F3502AB19D62C04637ACD5C49DE78F5A509674AE8EAE906693FD8110E0D750F61562D088E0B87DDAF96FC775CEB0F13800669BF2A00424E6ED")); test_hash (&nettle_shake128, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("3CC7FD2AA14A9DBA70ADA029992842231C54ECD7D14FA4687424FE1B54A58C7DF8A1E9C87569B695CDA9B2A27548398440C77A5A66BA94217DC24854462FAAC1CAA8D171E610B6D280668BFBC87C8EE2160E148A6EEA29DC04A57FFC139089AD5EA85F89EED89212EC7439530767563137A4C028A5FB28C1AC53B3696282560E15C1585E51B799273709CC5A1C1A93C774BDB19C4E336CDFDB696A39EF6A8ED8EEAE92C5660718A7E90C691C84A56BFFF85DA418C9DF7A913352FA53D8635F9FF4644B8EF03892FFFFC937BCEE4B9D66154964623DB90BAB15EB783EB14888411CFE2EA417A373BEB4BE6CA5771F6FC0EA8266D56275F139EB3A90C3915AD6355287E06FFCE64D84FD8B0E06BAD9DFAF7F7EBC17CD7ED316977AB481AC47253E2508D349993FED324FBF97067AD19C255275D7EE2E119FC0F4490C62EDDA700C27B5088D57A7223729A64AC1A418071F4365C61F898A350CB9B82F59562847016A40E72F862E10398FDCCA0B86FA1F92D17F35A07C46B3ED570738D231DF3B80B0C2261ED932822D811970509D7C664D20BFD597543B3FF61D6CE3B6CCF924ECAB5FDD9D0B0DEB0444E62D950CB6A688BF470C53930B44FF4FC9B4DC7903E97BF29C5373582DDD79C115F66D31F839D7BBD34808539025AE3DA3FFD56778160E18F8FCDBF6744431D42CAF155028E96CE1096F856E805D7435AB1DA522708411")); test_hash (&nettle_shake128, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("4144315DAE1FA8FA09E41ED69B72FB8FC64A62F8133EB9C4BD53D6CA7C3475048AFE1D0BC778672D715ED01C5532B393888BDDBDC4D43DFD82FBDE560A80329D03AB5F4D62358E65D36EAE4094880E810D022529A8945AC9BE8255CAC708FC435310A7741825257BABD70E84BE8A0099CA66754C135476340F1438237D7C227C31353D3878E67A1856868C665CF049E16FAB2FA6A2316053712C3EE808762920FC814B3F336FF8C9846CB43422458F743ACC398F922EEA476823CCE9AABA48D159C55BDCE636D231F18F49C9B70794FBF1DBC4F71D87B917EC9D1AD5545A4471592883D63F91CFAF7E64805F82411E715BB61CD96EAF2AAF6A22C14790FC76310FACF3C2FB78B34D3CFF50BB3F3A19227A18A91E7A6D3CD38D5281CDA2CEBE333C7EFF4D357C55889109D5E0B762471C565E1AAD50839D0298EAB2723EB4E9D1BE73FBFE507189E5F20C54F256084E5EBC04CC622B080EF52C38329F301F8F97FFF2A7D8249E2EFCA30BF77A8A3B9630CB5AF5E9A34318B94E17BD8248EDABDEBFDC37E3476155434D32B7A7905786487BA232786C290BDD790AC255BD100EFAE4BE59FA6B1674C651E8EB9FD2ADC4BF5BE6A763408DC558825B3A22BF141FA45E6DF862959F9F47A91BDE715AFA65099573F1062333FFED43870CECFAA423FD2211F82389BD80F0F033B4FA12964448846E55AE2BA46AC9E7422C228D75A1BD")); test_hash (&nettle_shake128, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("95597492CD331A89C013D6179031DDAA08A90FA825C5A77BB5E27E32EE7EB1F02EA0D348B5372EEF60A45A84B84D45C18695270FCFC07F3EC95E00A2FFE901E5C9EE3DAD600273AF0D73FFECFAF141C3B63F3FAEA90633917E260857CD1C4ED198FBD4753E82A42128F2525764B5A40A66E1623B81804BD3F17622598BF39FCA57D8C8D0E2E2EC45A4EF13A2B6B0ACD6E6878BA5BAEED796E3B3498385AD7E88576EA08E148698BE845B3D7483371B43FA9B35D785A0028BA84B0C8FD81122935DC09869E065D47D95287D3CB4346D8BCA8BF5D4DCA3BEDB1AAD70EA3B5ACD48C5C02FED30B4706C104DC159EA96971E8F44248501BB782DDC201569622C1F98E893F820D149164F9C465C41A998FFB561CFCD7B3E327F78961636192D6158DA80A7987533C01C2DD380912C1ACF14330B85E93CE05F2238AD0C1A05995B631ABC9CFBE70ACA565E9A1CDD424D3F8DDFEDDC0D3D3360CA917B30D7216A85A14BB13E8DA29228E57AECF1906B084C72236B91D669A312F01A4B7787C4DECEE4F63CA276F63766EDD2E46555C328D538581E86F2E3D74F5592C1016396082ED06ADF8DF9EA53B5E0C020AC75B636A828CCAFFC064657A657F24E62107D772AFB24A5EDDFDAA4EAF2B99341AFFAA1651010E15F6F4E41A67C1EA2101BF5A61C491D5A88577C1FA3BE0A0E0781C53BA9F9BB85DA59C5D0F3B2AAC31F45C9CA283928")); test_hash (&nettle_shake128, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("E7814E78CF280CD8D0B27B311476F21D6185ABF37FDFE2851143EC3425F12DCCCC0FAA95B2E6F8ECE8C4156124C9DFBFFA77624E5A4A9553F11675844C3AF0E816CEFCC3EEA430D7C730CF135FF6A34E542E50F25FCBDBF3A051F39CB028F20B8D6F85221B7DCDE00D7E45B78529638508AB2E6BB8D885752CA6C97455E61564C2FFAC68E5892BDEDFBADFCC88018A92B599807583E9B8BAD62306948FE52B397CF88D20D440898075E3674FD09469D1FDBBB2350751F21E48BE74F2B04E7A148286FD25A90995B5A95716D67AB566B78394746DA84326B83CFF482F82DF9B8CBDF3D92992D0F05275D37AF3FCD4CE211A9480DAD745B6CBC4789C9015AE23D1C3A25D067C9A9F7E611AD05B8D44940AD622C48730282789A839AF93D0735725CBEE9DC4231E8773B6DAD31178053014F11421AD0ABCBF32B1E6386691759D58EF7E2A6E2BBCC11B5E62CED89C4BE975FDA74ABE9395DFFD9E8C102A5142933252D94B0266FF776E9224985F3F2C96F7BEED03BA881B99479862F8B7DFA96AE0B2D2A97F773164E1B473A0C671ECCCEA64DC67F3A53A21E51B794AFC4531AE4F41898E250C80622E123B27FA28EB7F07D4B4FE63D75866FBDD730B54A9297697F541FB429084AD43DC69CCE73C6C17253C481A002AD7EE11FE077554A4BB45ACA4E9D8B8C8E8407866C011B749C3DBA372C2966AA0C20F43C86C01EA74BE5BFF")); test_hash (&nettle_shake128, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("50F678CE2970C84EA11DBDAF399535A692DF95267340A394616760BA82BAD865F920932DCE65D0F10B5AF1B378F76BBE05CD8C8E16E5720E527326FBF375A5F08AFF54C4554282058636C69B6010330C1DEFBA22F175BBFE434B6430C24C06F034F6BAC59D1063A4DB1FB4243162F368385C5083A93A7E693009BAB0F3D8F24AB45F3D20E9582D1E9D0AF578BFC8C9A0F09A92E4D76643EBA46E71AB177307EDBB2DC46139DED52FAD1459A41114EE88F439DDD064600402E237835797B4BE67EFCECFAC28D9F3F8B8CC773147400526202984C0CC2CC6616AD2EF5E0FC16509372F9EFE63D66CD41C61AE88928411054953BD95813E520E02ABBB52BC49CEF99CF09BC3C83DCFECF2F6F4768ECCCC8639752A28531C0A4038284C174B34978850B02E45D7810C4FEB224E3DE0C89CE69B06DFEE9CE2ABE8AFB209E29194ACB6C526EAC490D5A9518D5A7E1C1A7CF734C92579D162F2862EBE0722E2DCE53DFFE84A52A459B9C1D0A677A41B0F1A945AB597EBD8544AFDB1AF97CC1E3027EC287DF62EA1E81E91CF4325D202DDAB62E09E6094FAB327CDCFE2BA6F760C2FF7D7992A3FB675C07F77DB5BAD69056BBD3A50A0A24DF64A73ABC3CE3C1F131E7E6C76F0FB207F6D6DB54C8D128F2C8B670350602D7B0A52153452CC92EE4F185F4570405E54CB95647758A31B8434EBCEFDCBF00A43857A58F6506CF8B7AAFF3B4B")); test_hash (&nettle_shake128, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("C860CD3E9223E1CB941E130F9F71C376EE3A9B89DA339C61D90FF2B48D1F285FC48A4B6D87C199989D3CFFCE4FD84699FE385C7CA018D4F31F00E41216412932A833794AF207132EA430B07201EED784C2FBAF9506957FB9F7E18EB9FDB06F051419BCC7D67ACDB93A9F78529D9B5344AE3C4FCCFFC406350847E228BE20C93B22760BA43977451B3740BE9E3B283C86959CF062B69D5BCCA35BA5362EF0B2ECFDAE225CFEEAC473E420EA1AB7CA03D4F4A82F6C32FFF843712B78476ACC46E4B88F280E3612D5AE2FDB94FC26D5C40812B0E9577DD995FD4F5282E180C37A02D6140FC88EBF5972739D591F13AEAB894F240ED4BE309DAA4F3B0E2D536F3DEF87BA53A881794B80EFEEF855BD35026EE9D8492C90208C313288CDE719A111BBBDC3BB56AA218ED1B466E6E01728DA23950F821016F313A69665D43BF2C619884D20E83D6202ACBF85BF86D271A1633F32372B067BE55570CCC2C7600B0CEA6133FFC787B743F3D2346564A2D598049D92F9C4160873AC7E03143BC3AC5366EE6C4621C25AAC1E0AE4EFF6A35ADD223A61DD044593629C082603847BF2B7F07A4115DC1C87AF0F7854563EB18FFA8E24EE09E299738FFD4F1E79019FCE4E4582B063EC1F36442B085F82FFB99D409B4F692A8EBE9AACF2589306204FE0F168373476393783874525FB808C2B90F1FC5D7A368C90AAB7AE46E21FEAB48D667A5A")); test_hash (&nettle_shake128, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("97AFED51EA7CE6D0082A0EF242C37FD626DB617DAEC0C967076D8E63E4861DB3AE1308F19EF4B9F0B7246AA0E255E7535B5C70B341BE15EA4537CD1F0235C0F9E60C2168C2B04FDB3DD871460E0BBF1E3193D04E171E0A24BECE6517CB04A0B020AD042F28680ED42EE01D4A05C3892B0654C961743591722054CCB0756341B54643817802B3E05D70D71E339E487206EC34765F5C0D2346135070F50D28B8AFD91EA2E88FB9DBC1A932FEEB781F13FE5E047F7F43F51464B9D28CEB8B19BF34F03C1C9D1DC77A8FE475B349251E7AE0AD171C1FC81B862F7F73302F7B48337EDC72D39C59785C5572929A6E4F947632B41ECB4EE9BC5E69CBB746E2512986D3A23C7F455FBE5F1891C7101BFD3AA738C5C84BC194753D9671B8F3EEE5A35399615537121713DC85D23E0A7B47B55DE82C8109DB1E0CA96C471F366318E5FD9671D6468A36BE694635F65249D65B9AB9A6E6A5361E35350CD258B8DD145A3B68DCC900673BD1A13369163E5B5D3BC524849F73C68F01C7C8B88C9643341D225E13DACA45C62D9B5693E2E04163F96454A52B4BAF64DFE2293E438E511854A99682059BAD034712FA3E99384244F83AEF74B96848D338CCF439BB073552137E903767117959A2D841A157F468E597522515BC43B121B257B698234D19280C4F41EB865882E4ABFB4571DFCB2DEC5A30CF7D6E867F8B5E0880DADFF8DA337230EB")); test_hash (&nettle_shake128, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("1A895365874A70F2304878B1334BAA09EF898A0607F3243410EF04B14A8490C193A18FC2FC0AF0655E219956A8DD3C7055DA00345CB411AF9167CB9BDAB8939D1565647EB251B7459045184BB050F3700CEB6285114509C8167DFC122B33CD3DF761F37A3573A75F5C16AA2376B3270A26522869157A3BF26C4D30A9C1D7B4E7490FC9FC5A4EEAC331996B16574A27C32659D0AF52E0E50F0C221342BBFE2AC04455B659B814CB888DBBC90DC3A899FDC538AE8E8FEE2FB085FBDB79830392084FA1761A49619018F5EBFEC31BE185F0945F4CF9F5A21AAC1DD3F1F3C7B9FA05069264F6368EE4D3BE24ADD6CE5B70E328DFFE08043587C39213DD66A6890FFAD586F9B13CF08DE44834278E04DA2F91DE05257E0AFC44B5BA9BFF15CC6F7EE306482704DE0FB80B93ADE6537358B252D050BEF48B9A246CA75D62CEE920272B9C4B06FD39FDA8DAD4D1C3B01ACC5D507299D44DDD034D21802E1FAC9E02A7C7CDB00F64FC7794A253B1BDC042C35416EC64A3392FDB954D63BDE0C1BD7E08CFC655BCD02E27537EE61FAE64C0187CCADC045F91F3BFB1758F224AA8768981617F20C889A390B59588E366648BB3A8680B3431A4D0596FC5B5F95C4184BF361B7A2CBEEB424FD08A98B322C37F703A73FA874946CF430A4F068BB1D16898DA8F9BB04C03AB3F068A36EACE3E2227E7E92BB189B1A4A14C9430EF5833214A62EA")); test_hash (&nettle_shake128, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("97FC612935AA839179BD26673524AEABC59FA66AD4F719106826D62D56EE0201965D4659877928087D079948D4B3FFE6CB55BB212E802807A0B9DCE7C6CA2CA07C357943891A5ABE2DDA248B8F703236FCE8EDE40EC6609DAF6E012791C53E10B0000EF3B8DF19082A3EAF5C0C0B524816B66BB7B08CB6B65207D0D7C84432AF10A552DF425FCB2FA965728EF2B974FB59065EEBB105719D2534A58435651D743C91FA1953255F777CF6F92D3345AB9AF11BEF3ABC00FC46DC4EEA0557DF7B683FE58CA3887311224567880C7FB5FFDD5B24B3B8EE66E63FA09202D3133768AC2A4933C923159D651D616791A1A2BDE91EA53736EA6B4A097BEE70F0EF943DD246184EFAEA018B9DEE2C4FADB93E7A93E40273B5938647A6A10D31A0354DEC08A03937C9E5AC71F52DB0F50F6D066169C03E883476EF512ECBE2D109D5015A1BF660EA842436060ACCA32E846612E8FD799EEF914E1EE2093BB2E30257BF432D5DAA8AF87625B07C3C6327768F0867AF0B80DCE96888FE27203BA076E5B8B90ACB51D2AE442B424D6651E8BB7B36BD770C3059CAF189AA6CC8575F16B58241FB0B7454E089949FD3AA8B347E0A76D2C5BE54A60D9DA4BE789656FCD7BD5ABB9851EC7B72AD4BE53D9D2D771EA11644A9AEB6061D74293866CB112D89E93BA0CDB02390AA66F5CEC4F9651E306876FB5100F8EAE6ADCBFB87BCE433983768D2CB")); test_hash (&nettle_shake128, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("531D6B06BEFF0AF847CBF3484D1DC52B2E7799D3C5C384B25858603BE71B0C57AC073A330B816BBEE8164116424AC5AF8E5B44E875E9A6FF54C54E4030CF51215552D53FDF24FA63E95590D4B11A86E305AAB52A62F7F8B62FE3365D239B53B540ADC34303D5FFDE35B702844D05B3CC804365BC38C76F92F1EF81660FC8E8BA535EC58D2CBC4B0EFA6D840F537740675A1EC1619A8956BA91D3B91D2417C4D151AFF2CF54880B0F7B8CE36A432FC44B30312FE9817BE795F07C8E521A183930EC5422079B915FE6ACE193B7F59928A2F85605D257FFC3FAB1762CBAACE675FE130CD4FC90138AE5303332DB73C0649459C4F8E0C44291AA61EB3D5982E77E1DD1EA3646C2557E62DC13938E805DA7AE0CD2B3EFCFF6E6E61A8F2793E94665AA13456453282C7DB7ECCF7C52BD5BCD1A7A8D0FEC0A5D69DC71FB78E8FF08C7AD7420C0CA52C80E274D9BC623531E375FE41436B4062EFC72154657536391B91D43CEC7EF9B19B901183B70866EA2C4416021A339B827D23626380D72AA8A3D66BD4E119B2D254EA426F1B40CC564DB0605E015773907DD964471710E7EB3435C6CC7951BE6AD4207F40485693F57ECB41D6774A840E495CA1DCDBE1F112F61F8E135F1245FB09059DDAE40250862C79BEFC5432B50B8B8A4CE0804A3127697BDF3331D3CADEA1D459F565E0F2AC133234160F8111766D31A89C64351817AE4A3")); test_hash (&nettle_shake128, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("4F56F2BAADD2B624F6643C1DBB5ED95F05FBD0550C3E5829472734BE3B4064529CC3DCB3F886C65F074539D3F1B13215256AF4952784FADDF00E184211DB2EC238A5EBDE55DAFA606B0AF6D108791F63121865B6D064CE12E446C0B719A856B1647DC4BA13614505D9B3A91417537E0B110D086750325AC8A1964B8A36BAB91BAA1141DCE862167A1EE4DAA01DA6B3EC875AF9636268CD995DD980DFB6476C0BCBDD8430462AA56BFBEA69130DD43640E23DDC4D9B469A521A533DCA9E8A197130C3A9503393E958A77CDBF9F93FCA6921283C96EE38C7EE92C7F0781AE962C68A07014D6C623A3338A1A19216925A432A9971E7F6366ADB701EFC4D4404E02DF452F9A6B9AECE18AA61C56CAB2582409E4E741B0CE17C6FF881E3F509F536F8F681268E71AEA6376767F5D49DF3239C65775199B68C84389D1D4A426AC10D42046FD6AEE02D4E0F48BA2EFCECF83130792996801E64B81797214A2EDA5B2296550A13E38E7DAF36F9F2A7B89C1DD0A95590E2B77415C3A35B9EEB89BE993333551D52835FE36D91D2F205F626FC03CC4F9386E4D815F6B8B128A9C13AF40386538AFD481650EF886D3DDB7B0772252B73E9F44D7822CC99455FE118C6D1003FE24F304B83E6C76419527F1CEC5E5CA57F7911554D1515A026E573D9D4BF5FF7536475AD14BDB8490CE353E1EDFCB038DBC2819D4EDF325D6C3479F2C3B02E67")); test_hash (&nettle_shake128, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("F153AFF7498C363D04FF8BEB191E394852B79F54681E8D03F04B31BC037102BFCD4E7D709A387A89C7DD124FC0192B586F7AD7755C36A8D5DFCB6DD855671298006EF379D2CBBD12CC5C05186717A3985594F19FB4AC62C673CEC6D374114270EC32E8C0946C3034AEACCFC38B745D758791842995BEDB09A4778BCD504A961CFDE3208728B57D246ABBC99DC632A2396AA5B3497D4F1F94FB2C90A5A1F51DFCFFAABA610C747CE10E5EF2ACC9AB03383C8B8DC73517E4D32FA7118BFF599A83F937358F7407B4EA4771D5C504311DCCEBC1262B464415ECA2E3662CA7DFCCFE38157F15B36682221F65B6F65877726072B9A30C0028DBDFD14C7842D99657778C339A5248AEDA1DFA8B9ED56B79F107CB3E690D56A3DCD5DB03C47E46D29C433BEA894D1386133A78E8EB83C2E6BC2E7593CC3AE4D2C0BDA573BCB16E7C44732A370FDE3AF4DC452D029F44DBE0F539811DDEE2CAFA9DAF752169FEC82EEC4F35093237F0ED1CA6CE62A1221AFC870020B0CA219D03E5ACFEF2592DF5916FEA97154E62485A38EFA4DF203EE808B12692064C609F29EA0C6960569E102122AC74E99A992F37C1A090A9927DEAB998303E47487E2910760A6D604A73C78D66213A5D2C28C91528340B2D6371A391C3330FDFAA70C5D109A209152D21B63CF616C9C78621EFBCF52064DA08D90510EBFBD957E28053EFD0B78F28DAD025A72127")); test_hash (&nettle_shake128, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("D44138D25419FDCEBB743314D267D3AB2839CD302EDB06DE0EFEB5B837F19D7CCBE8A1F22922437FC4EB591BB23EE25AF00BC1BB3FC6F43D524D5B8447AFA47D966440F620D45C3CE7B482FCCD768E436AEEE5C25E9CF4C3FD814949B61B40A54CA867825BA2A55E6C3E778FF5CDED4346530BBB8D1685A3300E995291B06AE05AEBAE336C37ABDE854E57180A79BF5BE46F6C879B11FFA6573717AC168AC16CBFBBF5C46F81A4EBE14F0A0FAEE8D09D8664D26C327721D25E551676A00492442E3F73E4B748943B188ED3E10A22C54C16BDC78AB1FA8A50D6D46EB057DC0FB048EA4FBEE4E5A1A653131855A03DB2FCC39F698D14D28FD9C361818267E222ABCA88EB0326F4672DC1305AF072E0B75674596A616401DF9A53D44D53FA529A7C28CE7D5A71C97880725D51A58A065136034DC3D706F13648A68AB4665AF00D5D0FA0FF44D1D1A4EBC44B3A13D273848A3BB558BBCB599300728B7FCC6FE16C5A6948BB09FD1B8185BC6863C1D9F5FFF7F0A82EDFF0CE04ECF004587AD52AFDED64E4E094B3BC15A3F7511620958FCFAA69E869E85DAF7DDCFF6CEA52C1631ED6418C822380FEFDBEC1255911829E780F99DAA9C6F4D729A91F28EF1D3DFC505971593663710F82BB95FCFD1BFD5C3CBF916AFDBD7CB89FBFE586982D0BB7E78D031EBE310606557F83A87FB1070B6839499E4D360E2D36607450C720AB8A72F5")); test_hash (&nettle_shake128, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("D03ED7399E6FC424AF6C4F08715B409BA54237CFBCC4B27A2D97811F1CFAF8FE8A1E72B72C9C0C04587D89D9D3B46487EDA3AC473DC325E2477FFD14F37DA4AE638A2B14E103E2AC9E2F94A8BE49B28DB4144E2EF8A673412B214EE502FB517C480123289DE425543A51910BCB3B52E9B0A5F25BAA700A3DE0782D4BB409938E7BDA9B9A31D1ADE69571E4F1835E7A89C41F35606B9FD7DD513200C3CDAAA0B25B6B2BAEA99B79380D33A21678BF7FD80B2B714E894E61321E559645047F68597244AB611FBA697A079634412B64E2AC53EC230859EC86300B4544239BBF88558CDD48BF183FF1026636A1A28B512704C60E805CAB7E1F8534BCEBB1D40EABB8B98877BCA3A98375F2C305803637B75E77EFFDDA79991F059F697910453D2E986C9E6450A6115BA82506376222FE56DA466FA8740707116F50F27911BA028A633E30A4F83558EF664B63B6890B766E46875A6AB2FEAF64C3587A3F3872D179E826D2E8C6079F159C8A54F36CB770025E7628E936B2BCED01B339E13EEDF21CF01B783731875BBF199227B9A87E5DD4EFA361B86BEE1198B54626D105FF05B293308A7DA89398F50B736D04113F38E3EB803BAF06F049D207E1B6E3C919139BA6A94EF97649151327B2649F7AE1CE88D42CCEE07D826B34943CC5D240C20D084391EA0F3AC7DFA5772BFC3DD37443C14682ACB0B127C66C284F341D5BADCFC381")); test_hash (&nettle_shake128, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("5C28103BE52C28589EC6B8EA53EB4769AA91CFB8A8F5875A6201BE4F03FC9A1CAA8E582A11FFC6C9FD4CBA3F5E3F21549514CBF8470568DFA2ECE224181B865E224F8F07CAA4A0891DCA60EEED7CCFD23A62731892A1EF32D515165BCC4885997ADD88F59D0124B53E14677F8C4FFF979E9998A76E7A3041D3FB0EE9FE528D08C80481B8E3EB77189AA29E64497269F88894DBF7141F21175132ECCC4E56BFE70CD2AAC208A6A0898A474470A5961324E16821A78AFC25FDB7CF1684295C5036C95DD52478BD2FDA24A733FC7E08BFFCA82387327E69BB63F8E769B423CDAFA965734B666C489044C23617594B309AFB2F262BEBF447A87F41E3824972FFFD9F4A0D06B4BDCE742123C6FC7B85939DD8F837ABF2990C6DEF398DF2B44E40E3C25A6D9E4987B1BD636FC276CB0000095CF441BA3FA274F1F95AB321DE9A5A9BCF219449EAB4E91EDFD058674A4E8CC5F8C0831969DE0C17D0EEC98DF883619FA1DF794F2D09372A7EF20BB06427125B6C0849EB80238855CDD3CAC4C4968601D053D7E972785AFF96D5483ABA9D55E3695655FFE879D27FF6CFEF0328764D87F786F6BC74CD40B48C50BD1428BCE5AA96A477EA02B70D17333FF176F2E70B6EB7BDEBDBD0750414E5F32BC521F381F1827214F4D5746A40558064D49E5484D54442F7414BF25DD469181D524462AB73B9D31A729DBFB06DA0615FBFE49869D98D")); test_hash (&nettle_shake128, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("0AA13616E9EE0C4C35FE2B921118C67145B8458E6179431E8145DA829A2EFD5B8831B067409487FF6C865B8CD69695FBB2B1C4AE1FCB014540B842F5FB3EA40DCF7C16FF295B2271215F5367FDEA93C17B530C472B6200362ABF8D81F3840738EEA11961F7262C163F5BAE5FED2ED42A936CE1A1917DF2360DDF4DECDAE45E1522400F37D55687CD334B47FB8B55464AB7CFF75E9DC0CE51D60B43BC2D468F1DD5BF489B690C7DCFCF6E75301C24BA534047739FE592E8637107CCCE1B3D2E4BC037AAB54B3F8DFE57B9580CAB38A983EC5DE9184AF589D939FB7F6EDC886790D1CA4C780F82437EEFE261EE4737545EB7379FF09B644936F8EC9775E9F118A1958E7E4687C205424E4A31C08BA819F6827654EED2451F6A2242F81AAB3A9AEDFA71437E5AC288BBAC9505B07E302BCDB109FDC9E2B753432AC6502A3FAF9EC54BFDA1CE399561410B62C4FF8FD922A1BFBA071348ED9F1B242DF772BBA66A76C0C1CB209CCF7828051F0A85BA54D10B4DB0D71E37A77ABDD510EA1FF02EC72BA6BEB54523DE49167BF01594D0C49020CEA7809BCC89A6BECF9A6C655D9D1F06C2CB1D2D15128FBEC2FC388DC39AEDE65029954735285463E2684226A10770358156C98300FA70FBE2C200DBC0D60F3194BCE21BCA23AA6554D56503C56E8D4A4B246348A8DAE6FD1150CB6663C113B3F15FE8DF8066C9BF3979CBB3DBCA43A4")); test_hash (&nettle_shake128, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("E27B1C3BA27DC48F20B9605C4FFFE0F610FF909B482D213C34B49F0FCB04A927F0B1C4D2C6AB6C9BBC6E7DB696F7E41FA1875D08A65E21D0459170E4BC955E7E596AA01C8F52127E858687E53F17691AD1B1AEF7BBE75D09613281CF96E86EF93850AB4277A54B45DE3663A906B55BCEB2528A55CA6E17094E5D0D63F3294D8BF4DF2DA524296CFCEAEC6F1063A7BFA92B300A1C4BA7E2CEA76EC4C7FE9531E7D9205BEB4E2B5FEE32CC0881401C573A88BA9D29B5F5A5CAF044B0A7931BD605073B19D50F82D822ACDF1A6674CBBA6C88362BAF769F4220D731F3E8DBE707B12D44208E646A441FE742290E9FF783744B0F5627CEE1B91DE431DFDCD7AEDCCDBE04EEAD6DC6EF9E9C50131FE37B6707EDF8A021B3D9BCB0F62AB331F43C80B49F3DD5AD47CD3956A2B45A510FEC358BD211B2FBF06B6DCEB82A3190BD0AB28C7CAFCFBA4432102CA3067201533D64D44DCE8A632C204CCAC68B248F0FDCD54BEB300E32CA76F03413B4401BA4721863577860C892252DB31774EBED6BF8418EF0A12508BBB15B41DC0F2EE5A890915ADB2D0F6E28ED207EE8B6536015B763A60A1A96C9945AEB4616613A0EBA3B87C02FB1DA1F9AA169EF4A5CCD967E811BF83D2728B88BB5CF2A5FEC6020137C668EE4F21EAE6D2759F054AB1559F9241EE2B65CF36A907720A7DCCE655FAFB5E534EAD32A4745A947BA6C4B20240DD1FC40")); test_hash (&nettle_shake128, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("B0FC5EAC13AD8A3CC49B96E1D9FA96CE4658EFACC7394DE19AA7A28CCBDE37CF1201DEA78B4C2F127D397AB5EDB08A505F72C70B61678AE081E139F761DBD5741DF0CDD04D5A9015C0A65975E7DB09D9999FB77324366EF22BB63F2776F9A783A263CE31583D0860F3B91A6620312ACA03EAC2C38BA62C9C9FA0B060A4F8CC0FCDCAE1D414323F2D649A8E9F808FB02DBF926DA2FD36C64ECCC04909E2308D2C0367A069DD64E2DFDFED7A5A941D2B84C5B6A69956D43843C9B7F14A0636036444870B1B9329B38285A1054A1019B6E01DB1C66A39EF9B20EC4E51580EF546E885B99C0E3EA1CD724F8BCF56D1D00D1AA3B8D9B487964E773330B3F84577DA7CE9385D37A8F503456897F8BE8DFA9A60D129E538AE0CA2F6BBF851F1E56CD3F14864EE0B119A1BAC4181C667EBB6C464AB76A6B72681758C70422207E6F62EE438ED6FA467408CA04E48C53350FB11282E89D41A35EFB31C80B18BBF4E28CEE577798B9726A270245F35FAA53DA25DCB9E445A842D843DA21F197F36D6B43E83C3617B2AC92AA937697D5589564D0FB4C225857B6CEF6EAD6F193AAD457A5F5F7EFD7FD88B1AC34B00F4788C4A549474A852403EFCFB151D941C949BE41151A7130D54730F615E638DAE243EAAB7648A028CCD05A542054E66B3D5507D78117734180D7656D77677A2C61040DC7AE56819489C0D106B798B9C549046251163A4")); test_hash (&nettle_shake128, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("7B6BFD2981CC29669A120D28930CC39BA577D26BE4A822499FD5D36C7BE1528DBA41F2A60C0F1832AAE0EDCC384B5552013BE17E1C81C326CCE1FFF5E32B24985A2E2121B072902BD2FC6CE05476ACBF2D2719128AB1C35F93EF82290A56542A044B295A26C85E4BAF8B8544816F0BAC4753D405C9CE02AFEE0B312B5EC8AD12A07BD3D177F4BC7AFEF6E092D23C7D445F8B21DB59C9A6E819AF9AFDE919AB550E1A6640967D296D3DF3D987B6E62CF781A65BA41177ADB60B7CA83F57C5FFEA1D1D96BF9EB2914CCD73162A8B61B85211D010AFB8AFEDE8EA96473B080E98EB7A2F000485BFE6E1E7E6E2DDC1901E77C60DB3A65C2F5E57AE72B0CA4BAB6E2EC40F62F33E865F04598F66FE14039FE03C5DF379319413440A31782C2FE4092B0B701E4B792EE449FA452C023FA79EAC7A11A458B497213E7FACAD5D5ED475E71FABB4D9F6A2C2613A8D4DF3F574B5C2A884645B6D5FEFCB355FF18DB8ABD8A85F2BC531EFBEB96F24E204733E9EE3F0ED2ACDAF99713ADF32DCA518D5D86659F25EFB8EC5E5D82E64460094B88DB621962F76C9F12E739A5061ADB812043B9BD01FE9B4E549BEE9E304940DC7F05D45ACEDD417B9B37F214411F75B427E2E9CE14B6DCA4FAB0BC893001CB7A0529C1421E5B721A9BF9031D164C6C6192FB38C229C852474CBADD6924CC8A401662DB173D7FC9FC0028C905574802EA77820CD")); test_hash (&nettle_shake128, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("6D3173F315362F961F2728C60EFFD5EC721D68EB7D2E11C1973A84A19060EB5E64DD8FAC20C76A89D811CE260D7020EA9F7ECC78EB3DC91171CBBD0818B31C4D717274DC164EC5AF48BD1916B0440B4BEA6E4D482329C17AA557DCB4DBAD69AD74BE1560EFB043B78301B3B1D42E9C2B096CF5D8138811DEE6FF3753055C77FB2C490BF79E2F7C48D492E59B5D74798A1095D9BD03EF74CD171E615DD3845499A546BF69AD263C1B845B05B5B3CB32351CE01EB10B918D192D1605802A6607EC5DE09824790B5750685A8C679B54789BEC0D6FABF80E5438F9BED0DA8DC5773FB21C4CF231E1163B30D676A68BA04F7C6BFE5AAA2807A52A84E1D12855EBFB2BDF44C34AD846293D71E3B05D17C1D4102D5C7775F30D13F8290C89DFF886B1D126834516FD3ACC848B988ED4C4F046B39CA0BF2F17A0876B5EA782160DEBF5A2709BD38FC0F6BF3D1E286B7A34A59AFDF4B7559AEB2330D94576BC10BF5D1247EEB12B45516C2287D6738080569FE9179B83A27F007073428C7316AC974DBD98E137E771FC7F4ED1B779C3C6774A2A36A5CABAF10CCC742D9190A3278A33D6AF490278796EA76D8706B99561390E06E90396C4CAF101AF1D86748171D07B5794FA831ACC94A2452769C83203B2F845AF987C81BBD02AA91A1CA481ABB0B25991C0E61836ADE076F25DD1852A032A223B3D8D12CD544ED0A2F97D735A0E1AA9AC")); test_hash (&nettle_shake128, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("07CD8E0F1916D265A748A8EACBC81B045D004FA104FAA1E3752B9AF131367FF0CA7F63DB46480B67C405EC16EB2922E60667018B9ABD91FCE022AE9B0FAA249444B12223CB43750A42B1F9166F54836C7866BEE31ACC681B521D61EEA57C2E84A8F8CB9826E20AD2B14377B313225B50A1B49AFF085F89AAE22D3BEAED142C585316615281D88C5482E9F7E23770DA82F27D2511E30DD1958C903EF7AF6B2077252C7701D474F8DA4149AB45D80B6CE9EC1CF08877B6AB13CED7FDE405A1DED59F856068D3619AEA92789E8E31BE67DBC2F402FDDEC3E3E505FBAA396BCB6DFC5861E497EF576FE4015EF743BC4D5936F8A5247B7667A321614539BD4DFBFD79F3BC90E6CCE084E8AA6C9ADC17C2E1704E4E2EB879DB4D6A7A6621C972EE54CE582F3403C76BF3FE60ADF14D21D6438146EC92673B4D277825F1BA515C86345CC280FD66A006A387488BCD537C5B0325B21BB69E629763259884E9C3202A16ACB5234CAF9882ABC9B0935466F0C7104A04981F75488EEDCACA9EF55F03E3323FD4086E19043DB1F7ED7F9AFAFC968B7313FE6705673CC31387935F92C26AF140D2AABC7BB76F976ECB2A6F6DD1D0E65DD997F8648B7BB9F1C9ACEBFE1988E9514F8770DA4DF0B5EF397E58470C656898667A2E0218C70CEABCCE94025C3914C91BC1BC76E82B1C17A7B938E92A57E953CB80AB15726776382C74DBDB5FAEEA56")); test_hash (&nettle_shake128, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("16CAA902C04424D5FBA44B3ADDA34326EEFF62D6354E3EF5200DC07A0325B2004CFBC3C972A453FA32BBD68AF381F78FD768158194ADAF9B10A2A95D9EA9E8D0266C5D3271BB7B59226C8EAA9F15F9ED324AC91FD88B9A23F50EAF0F17D8582E8476E8806F31B58ACC36EBAB6B856CE1738704753A7ED31F822BE83E4E08F2A3F3DD52D4BDF8090DAD90A015E9184A3202974897D525F23A4EAFD1A565B76411D8B78DF548AD2BEE3830FAAA3E8ADD2DBDE479236AD2DF12841622877EB4EE895A0AF9799DD727ED96ACEAD478C8F4B9AEDDFE7FA3879529C60026BA0A7966799B372B922B4CFF3F6213C5D73C0D778CC4B9CE67013D905870B12CB3E2326223F57FDDA8DA32F3700E855FDF3DA47BCA440B219A925258D6B38625AD1408AB303855E3734067ED188FE122C5C279710E8EDF954CE4F43F692DA7EDDD3B84164C567B2852EFA262AFB09F49E50B8DB278ED215EFE1F0F43EB8BED5C3F1ECAB591E191CD36B6EA75260285F667C204E159E72072E165457A170F32A7FE29664051396BA1BC202663F1CA8F17A99598DF58A512B6685798E5E93FAF9B49C9AF0CA8FE4B6544492027CB5599448643E1EFC642C7C71821BC06D5C600A80CF43FA64342CFACE0C57071627903DEF82A0AB3A3089C06F89F99A5B3E11524ED2FAD86B73F3F48BC5B912CF31286C498305B77CC8F7D54F343993888CED370DC93E0CAC9")); test_hash (&nettle_shake128, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("1E8FD76A766A100A4434AD568DA7E753C08E76E515DC7A4D42A9CBE5369E3CFAAB7A09799B9CB66940DE779266051581E6B039E76F446327188A6B34565D738F1A926DA3BE16CF6EBD6FF7F788FDBABC0961158321E34C26207ECE1A122E73D5F9675A2FCB2E4871FC04875FBDB9B6411BEBBFDBE71DD643BA6BB2E2CCF46D1C1DF9DC6C0777E7A19823C1D55A648B847E398F52D02D5632A69323E588ACB113289260752BE85A42746E62087B5A32DF812817D0A2409C36F6C80912D4AB80D47C7DE7FFE26E10B1C850B7339274DFCA594D418C3C4948BB3528F4EA463CFB54F7944B32C050C1C3651168BDDCC873ED8057372743A6CC8365763B523FB3D9752A4FDB167A768E96C7D4F277BEA031B941BB7002DB130B76123A0EDC4544DA03D9255BDCD896789123D9999AA6BDECCA01E4FBFE33860C74ED2FDB54412DB927DF2D896D289A87591377923EDBCF2D2AE204AE6EA85B1A9AD2C2A2729DBA3D6E6FAB6269288416D569532793E49F61E7002871B8F4A68DE84DDC42D081D1C4CBE332AC58C3D81896A438D1861E594DB79390AC2BC9398DC21B27E6F7677A94F91EBED0103B2E8CA4068D6489BD0AE5D6B77053616335ECC7D7218B1B2DF70A279123268A06EA959965CA1AA26E1DC273142CFCAD570330AADAA62E04C383A938CE349C997BDC41E9BC38C29767B964FE2D8F6DF96EF1A5BD0A38F06734327315")); test_hash (&nettle_shake128, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("58407675270C110F4E998D9EB9F9BCAB175E4D17F2C3A88896F31CC97A389728B3A93729ACA3AAA426E2CAF11AC9D121B3239915C857FD377FA2871F76E533A954E6790847FF03531111A89B35192BD624A5FE0823992F9A7C25721E10897FE397C2DE7828C258EF6083544AAB1C7FA5AFCB7B27FC37E64DDFE827883FA0389B8E785676C92396C3E1C1E161E2776538CFE4B6E20653F5706F034929EA002926C0BFB6D9C31857BBBEF51CA094FAA6A7C9C6B34DD92182E21AA47923C908FA00617F9E910EEBFF2BE3696B6BBD489D72510840F075E24C81F63A52772B8B5F3296C7F7095B4ED732F5DCCEF632A37F0419378EDF651DF2870119A4F1EB0C961AE792D7DB1FEC88BA12BE14520648AC3C78D7304305B75D3B1AA631591C1B8128DBAE0EBEA7AE1DD44ED1950A87BBA1BB72FD0BCF158F7CFA4881DEF36B30A36425C429E3D4BAE81EC821B58B6EE1C5FB9C9D93993CC1C341921797797D39CC523D32987EB0D75C0E502F52EF1FFB3DC10A19766C2117122010AA729326AC5273BED622CD04B924C60CD405A14ED06ADFCAF35B1AD5EA469CDEA963D7E97B2058D2588BD866A17D701761439C491A0AF937F7B8B5E8FC781737986505CDCC593DC0627C0FFABC0A1737AFAE194E24888377AF99AD33AA8A0455CBA1411A40D1D66ABD03F2DA49C34C74C65C830BC68C36F87F9E578072AE67A60C23A6AB0F02E0")); test_hash (&nettle_shake128, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("D102BF50A47C12EA4C8D5169BFD14CC92EFBDC10B042631B1E0CFEDB32DE59947EB35402FBEAB157062BC6E89E0CBAE88BC68190B51FF1F45EE278A486E8535CD9D272A4439EC3F7E65F1C11209B77028B78EAE7A19CAC0BE054FE0811ED8A1F230954FD78130D27D909555EC58DAD0A7494BAC5323FC56E616795DE5D16C1E6427A02E7C33FA8C74459A24AC3A377A7D5D9036AFE7F23830FA3ED8F4762E86B3ABE0F3159377CEBB1E6844835374534F86C04B5215345947ED2062872F3C8FCC82826B0AB63A9A5EF699687C44602F61BF1E9AF303F977BFC3232235D95B5B6AEB5241010F01DCA2807FBD43D84675C5839A6E2D73B60C037A9E2D98F3AF199CB28E4EA6B3BEB9DE80A702C8B70C039B32B7D63C892A6DB1B6FE5A9E2638E8344E4EC2E77394FA03735C7201A656FF0A95E19A6F8D5A8C41605A2731235BA721A4A74F7BCE9CC2B1FED1B92F42C2EB665A41EF09B83E75D1B3A438DEFB704BB360404BA7D67BC00DDB8541949633A106A2BA75930F30F6079BDB01568E46435CA6BF80CEAF3F0D878A560C969263202A8EA9500B71369C958737D85BC3BFB4C3452A47CC9ABA4D69570AE9A2449C1CB84CA47F226471423F0AB54516458C23E31DF0F80F9A3EB37B0E74DABD4B27BD1DDB50650C92FD01ADADE439445A054D463F3B068E0F890C33D9F9BB4C31A15945080717CCC0CDB71199B7CF607AFDF5E")); test_hash (&nettle_shake128, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("29F1559D1AC3E5F5D6F36852E6FA06AE720B939F3EE14FF2B354C9B941A4F608313FD16527486E4DC5C032D0278297797CB591B80F3190EC0F1FA08F87A529EB22A2247E71F05FB4B1ED4127BE219E73B8572F9AE21356D8C245FB3AD4DE33A743536DD852F2772595D2CAD5E85928B6199830EA78D6D0226E7D2CFC35AF41EBB590215E416201A58D990A848125247A1A8319630DB6FD7F5FF4CF2499F94F1C0041AFC9764C2BDF2B0FACA97B3A9F8F508162077FB21549AFD5095AC0F2D744065B90B9CCA781640213B3920B284C6AE6E9877366AC4695B19BC7DE88F3E6113FE6491E7830B4CDF74D3E170D7390D9B0403923C8B6471EB5D639E2704D3C360F4E38F6774C6A440D68C2898D11F17601F33EA893C5E4B42D2A7BE5D07492D20D1550BA335E3D105B4898A2707E5C97B61011707375D5AF0FEF1477FEA62D383C227E2DB4CD59B85E45A81A4562E7541DC2814F20C969028CA8A0E9C14386A648346898DBDE372ED9C09A40A2AF6E0AC541BE0ABBAB84B2DD6A2FDAC9EABBB8C87F58DD95BBA7DB96403B9BD2274367439775119DA7EBB8BC46FBA2A50C75454E386C3749D03691F6705E70AD716095CB30326B1E628B0E29D7AF932F554A6FC0D0769C4D0A56779A1878DE7C3671B68A4964C5A9FCD86DAA7BC5B95C6044AC825BAEB4F073AFA2502CF3388290F5658094DFF31F9C68EFA7AC1D74881CE092")); test_hash (&nettle_shake128, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("C73D8FAAB5D0B4D660BD5082E44C3CAC97E61648BE0A04B116724E6F6B657684674B4B0E90D0AE96C0853EBD837BD8249ADBD3B60A1AD1FCF8A6AB8E2F5AA7FF197A3D7DBEDEFB433B613536AEC4D655B7BCD778526BE667847ACD2E0564D96CE5140C91357FADE000EFCB40457E1B6CED41FA102E36E799792DB03E9A40C799BCA91262948E17605065FBF638FB40A157B45CF7911A753D0D205DF84716A57112BEAB44F6201FF75AADE0BAFBA504745CFE23E4E60E67E3993622AED73A1DD6A465BD453DD3C5BA7D2CDF3F1D39376A67C23E555F5ACF25BCE1E55F307252B9AAC2C0A39C885C7E44F204CB821C0D37A22DE3A71F3A1909B11B7181C42BE9B78AA0D0A15444F330007554BCFCC0D8FD87D6431FB93C7CC38767A55D30D3545560BD380DB8C4C0EDA9399F68F854644266C1B7958B270E75B79134AA01E7DCF1E6FDB6D9AE5D02CCE8CE8E480475E9617CC42A91C08D9AF6E5101B8AC5834ADB2C66987F42A580BB503A4B34A9F15ADCD0E23D0D4029479764831D06B5CAF3F14B91449F15A291F4AC250B270B6CB3C304725C99E32645E1FC02A0CDDD9E717911F2342D9482F8E0979985A0170D725DAB4EA66D44F626BA475925FA39FC9DEE929C06D009416C0ADC1D987CD625A20ACBA4CC87F72F610867C3A7A928A3A0379676E8FE257107AB2F5C030BD2480E3D1863562E1FD0790280333ED9D5DD5A5C")); test_hash (&nettle_shake128, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("4A05F2EF1AAD5FF4306429EC0F19044077FB64BFE1DCC50F74C3F045E9A9C3DE4A3B5963AEF771B049111B7B4640E20B1BA84ED7AFEE325571ACF347E311F33C1D421F21D663065C4DADDBD1785C5DAC0D554CEDB1A45A32E28145E98F49DEE285B33DE14C336D10950ECC30966B79E8613FFEBB702FCC00A1C4250DD385ABB537A284E9108D16B6F08F4E103F2C5E9E5C879CB5095534151E3C9A316D06DCE53B7F01B424D375B564FE6839D1D1F00A2E62604060A9748BCDC8143737959FABBCAE1851213E6DC28BEFDA48149DE6AAF4A60D4615BED67D11796F6173C3DCF139037B31EEC9A8404DF07597BC266D3C7D9EB9A7CABF749FB44E40D746D0E9DFB5C8BBEB25E3F1612D03D3EB0C154DE4B2708C4F8A89762E171F744518AEC134A02EEAF49DB2E2C6C9914711288D6B0CE877861D9B10ACFCC19643738287DA005282F3FC82F9F50AA681F2F55FE1809C9E23A3A59E51C2E894F718372F9FA1564B47AB3F43F0747A17839E933369B6778053E1764F52C5F319E33C8B25678F72332E33CCA97C68F19E058E70C31410DF4DE7E08169D6096B7B4EA48271EB684FEE9FC8B561C3FEE2DCE83D092B142BEC1478D26B48C3C6E597A7B2E44027E1ECA23178D3AFCC67BB530A529C7E1336E1ADAE74EF0BE9CD61E91C6AEA57F7CCB23B64B2F84861CE159209FEF7A897A16A871AA99E63A5126DF2B03387E42C3D18")); test_hash (&nettle_shake128, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("D99E2166E72399F4B775C8C446CB809F149095DF22378DDAB711B867E3CAD17830EFC3B9F7D90FBA1327E103D3191595AD415EF71604C7A95DFC417F14F5B5AC1B6905396ED94D56ED993E240586E95D98F3D34630C32FC1719E7754BF4F12A321691EFDCD42DCA695BDA56F975EBB08D59F76911ECEC5B503E7030D1E626EC89CFDE51042F1B75063AFB50FF7B43563A09E209B7842507B67E85E87A99FFFA72DA7229CE5C9F5303EDA061A209F46C76BE4114BBF5EBC5AEDE7E22F5921DA87265C19F87F1E37CCC218ACB903BFB4D617CB95DF94255F980924A045B959AAE9C58DBFDDAFB47C9AD78324D27495EADFE665E8B7154EE52AD0219421014FE945AA8C2F3B6223F99E170D2D169C13C0D1CD481B6901A1770DFCB39ECCBB40FC6790E69C61C9EC6E99AF6E557EEA2AAD2E73D8A82FFDD2FD32C63DBE4858D97A5955C6B3420FA12AF5CDD10DD8C9D6D3C230272187E855B9F405853E6B8E199F071F0EC781BE8DFC29E93288F22F600302475CE1651D3CB671A0635BAA3DAEFB73487A813A0448EA5F2EFC915C847795BB0F4F5879DF7B5C95A2DD3A5CE79DF85BCFC1D99AE98748052A27B775B690FF9B0240E0BC0B79935AF998BBCDFD37A2829482A9F51FFB253152ECCD35588D2CD96BB19441A14D7CB3B7EB2F47CFFF6BD8FF73BDF9D9C2A613EBFC5D69A3D7912C4CF2B41DB244267AF889D47A037EB961")); test_hash (&nettle_shake128, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("CB7A1F8F3B4A92508EEDA0287EF3407C5F1A51F2600D3F13C214A36F54F5FA63878DBF6E76E570B72ED63159E01BB948D0ED7602E9D649AFEA2BDD4C97C7B22AC32485816D9F0BD8FE1443C7709884334E4AEB5104FAD05B6C62FBBA4F5C5BD2CC9CF576991DA24AE01827F3EA70509E45E1BB0742F3F21D673A34E9AE992ABFF4A33EFFE61C2C7ACDD0B653757C987DC1F575B7181E79702C82A389B0DDE618DDE5EE97A1A515365D04F3413BFF31C3F9F222BFBA2061993C7562AA7761175FD51D48BEAFE94E16AC34179CFE68791FFAD63358885C289C0D1D5C99DC42B7DEE58D9ED595CF5158D4D5055CB249025F3FA9690A18C9459D7E8111B88AA37D26B384A7BD02E923C2ACEDDBE31A6F3237CCAA778D5F7C71CA96E72E11920377C785AEE9DA9D8F11A4D4CAAC6CB66AE4F251422104E5330BF06C004791ADA67D687A0462070B51C0860F1AF7AF4968FEAEB157A4A4448B69AE1166578804D384720A2BAA55F06AB17FE0B4A5E4EF058A14D17F99BCA359CD1E95DE00B5F309052FF4231ACE9E1BCB6684355EDF7924BCE95264C3FFC641588FECC3775AF5E5361B5EE995F85F9A612A0055B22F2D440DFD80E91329A2FA02E20476CF84120634F9C320E6803992817947EFD9BCF620F4B038CDFDA1CD559801CE76FFCF4AF63A4AF6284293789B548314B2B88C2DDD31A6C92E4E62B705E196CFB2D978D6F32F3F")); test_hash (&nettle_shake128, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("908FC63FEE9E11D44E7BCEACBC161269A96993D101265F825B86C107C61CFD11EBA3CFDB0983BC9BA3A81DDBD8517D2E313997ACBE48A47AEF48B3BC1A56EEC2FAC280C96D9ADB557B14334C6C555F374AAF9F9560815EB7278DBC81A78E3DC4144B879119C310A2283862574D055D2B0D8D53219C479E8C2F6DAC3186C1EA36A6517D26E14F2230F00A1B30B44BF987B3A3F47240498734E6858444A82ED1098442688034D38C578E995424E1FC2386FB10E682EBA287F3757B8A4CEF19544CDA032C3592E13E07241AE38F0BFB77B030273B28D09637B4AD359C7798CF6A76980A3EA331597DAB4E18ADD97B8404D4AE4E5EC874D0F31A60636B2BDE4FCFCAB9569205E7261FC728A701F19E3791B538BB1AE8E1435A85F7E8F7B95AA45D275AF770FD9FF856F6666C8598626CB54404FBA35B523F55EC971F70E10E09FAB0A88E39CA1E7180B482985E82EACD81CBD2C8675F8BD41691CFBA39228D4FE2561C2E8BA1DA3124AE3204517F09CB4ABD54698F1010E1836E141C706B9FF0916BACF70010A0F75110E79E95A48FCF4724BC0674C9AFCF12DE59D31C64E532572DA4586BC73A6BEBED22752A05BD1ADD51464180DE96CDB44D11611FA661D0EAC1080DBD25DF51A2C7519489E05E1BE5B05C60070EB8075A9F0B3FDF6C14D6C07076578ED3A16D8E048350CE9B2956ED00AB61B024AEA9E07C87665B7F33E2F5BA")); test_hash (&nettle_shake128, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("080C392EE04A0D4EFE020FA6C20236E7C1290088BF6FFC2CFCF72D1B16A21ED000FC7A064491899BDA1AD4856449D89AC7BC54E3896534837EC4BF950A18A3ECD5FF286D1D0A02E90531298F2430484A667DE0121E0D0B392679AD9168BFB4F0D020E7EC1AEC006BD0E8A551BB7EF0B751D0075F615C02775C983F45212E4F394E7680D9F81254431BFB9E772EF2CA54600D2F1F4DB12D6DB49BB9ADF03BA6C912E0A8BFAB20C0F4D3DA675A908277522C8964ACE05F138D192B7A2EFD8FE663FB4B2486339555AA1C35DA18D8899149339F1AC47555080627C3AEF75DA932BB063FD3DACB6E0019C7DDC5627776250033E6F47EB5930907FCC1F1B627B520AA18B22B12103F3E361801C6EB8B72E18CA9C43EFD1E8A04948A9A7AE1B92E177AC6D3CFFA217E13CCE790EFC636153FE24821A7FB500E61F3098711F60FEFD6EA90F6F63D6822331D8CEACE7C192E3482192B0A408E5C5A36A7C7A5490756FE4022C7D16EB28232A70EC1BD675DEFE9F87A52CB633DC5BD99CA49D2BEE54870FB0919217810AC08312AA2DD16556089FC8706D0293EBFEBBDF11204793901190BFC7AFF9C87C9B4FE9116DD1E1789E08776EFEB71F619827A89287E183DD77C42D791E7CB4ED2E051F2CEC42D2AD83B50EF3C0FB6ADFCBAED484886A4DCFF41844ABBFA46016A0FBFDF2D891B982356B315DC17D9FB62517E3163A93AAF05A12A")); test_hash (&nettle_shake128, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("85F82CAF1A3D6DB8E7C6CD49C697DC314AEAA79309FECAAC21FF46639EE5CDCB719A6379D871138041F2908D4DD605AC31FDE9F89A0136018682FF1CC0E36A3019A260FDA0FE430B082445B7F10F56A50E69A8260954F72B356B710A35A5A2A22FAFAA5B3E4E3F0919A1FD44C24D33EFE5790F9FA707DF0E06CB4F195F1AF7B2578EEC38B8565D34DE9665987F3710D8388176AAB6F3D7CCAB61713B175D5343958419F7C2D65775B7BECADC1AB8DFE486EFB98D336AA17EC4083DEE1253A7E2B32437D75FCBD338F77BB1548C704090C3417DB225534F85C92AE1E9B16F66A624F5309297F2FA3DF12FAC8AF36A1F2A11093D4544E0A67C826D7CDA89730031D4A35C64BFF9CB9512C09FE45F0D628C075737819252B38724BB5A341D3045B4FA4B8BA742B947EB66A9A9121A48B8CFB83B41C90A7A672A4B9BCF2D1A32266C8F13EC46DF4D80384C117A56180398D2268C8009CF586ABBB7452911FD73C9C3449004A11AED41B557A33D7825C42575C75C0641393346C753B1415D4D4AC224C831F185C2B635C4B6B1C388358C232DC629A090FC0D472A4CCEED43FD9657EB33850171F9D6D2DEA433874B47F77DCA16CDCD782EC1A335D2DA3C235914315A243EAC2AB81E06D97DBAA25EC029A62F58A1DC78D586C226046886C23A3D9681D68503893F8A9ED9A5B53A22A1345DB167BE59A6AB8295B41FC464329A6CB739")); test_hash (&nettle_shake128, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("E07CAEB114B9180ED922574BADB071B5962ECAB18474D1A82216B152DD0DAE5CCE14001FBE59E25F55604CC3C26E5D88A25393303FF47C1F14C87EA4D16B0A435A43A3DDD22AABC7ADB4680C8FFA05BAF28F45F95ABF93F8453E267B5E584C7AAB8E2CF2723ECF211B958DD8277B89D3FF2470CDE45077DE7535840B0BFEF8D2AF5FCA3CD91FA6EA83C5F7B58C75DA302A67154474B563AE9B59B1A3BE93BA2BC2A5484BA24CC409896109CD57AB6357376FC0B65A46506D34DCCA170DA71CC52DFF4FA34BC4B979A130EF5663CCC28FBD3E36B6CD103212A96B8710B49EBDACF4A8C41A5860175B694F75F077718C93170A98EE9757237EE90E8692E4AD6C1AF6979D567C104FB3F30EBB5BC52B99A934D527FD44704DE65431D8063DF25E4B31A89629E1F7B7AED0E49C2AB6D3055675C7C63AA4E7686C880F3AF3F6CAF7251BD8B9EBC0A3C46C72B05AC4DB44E85068811EF050F042BE1E7EC841DC8F7EB2A7D9D2C10EB3603F952E307289C1634C7D9E648C36B75F31EA91C7125DEBC5BD3F70F7CCA9330484ABB5A73523013DC507E1FC5689848D6985F73866ED146506DF21BC98D35BC24256C4F911C3D4CE437798431F68E7EA9F608E7BD98D7DF892581B2756106A5C7590F6C33116B7C269D4A3010F121AEB0B10666AFDDEBD18AF9FF571241EE39E4F2E7802CC75DEC1ED6E7F19985774F0733C833CCB9D82CA1A")); test_hash (&nettle_shake128, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("1BA3E5682B5210C2503367CF92FC02BA6FEFA6C43CF725D9E0A5A796F949BF605C9401D6235C09265C000AFCCA9FACF32B1C6CDE831D051DBC604B72B90689CFF3E9179BB0A8D151C2FCA7DB9147A8A95AE8831C475B16B2478FD794087D0D979FA66DA5240AC77BE4CECB3DBDE50FE372C5045BE23FDE7CC0B6B86A0007D47DE80D59A2DBC7883BBB2F76B74E7EB53E8C929AB73819BB09CD61010689DACEF17BEEADA0311F2F6594922EE835DD09A61B41AAF5792C63CEC79C40EC126A68DEB00EECA6AAEAD43072AC65E7101B4C7A3FB42101BFA922E43329E736D1DBC90EF45032C82E26CD102176CF8490B554AC9C6FFFE81D281CBF29BF5056C06CE2CDA918BB3C9F8F49A045DD2CC4D680BA8A22562F1DC53838665720EC60E4E3BCB76014B619EE24FF41B2860B3BA4438527D975A1302E8FF1923211F36673B0BE8B58BF0C7FEFB0CD50A28A386CE6DAD7C30B8F6A3A437E864143143E638FC6474A2A8A6640862FF4C4491FDD52ECE0834128137011D46EE7B0CF611B237AD515BCC11FB7B0A4650FD6E60BA8B6BC601DE5CF75A66C3F16AEAD1EF19C47420A9840CA4B1352AF4C5C217350840AD035621EABF2EADA2A517250D3A6AD834CAF2A472B2D5DCA3829C372EDC64703226EBBCCAFD316E4EA3A9BC9AA8DD42A9715B29702BBA9AE232C7806E5C0C02AEA68602F4B580396B27B94385A3DCEBECE345828")); test_hash (&nettle_shake128, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("7F8D0AB3060B5A6ACF3522A83AC1A432DD9EBDD62BEE5CA14CC54FEC0D3AB6D1EACC33603F214C35E8C256BBE7F0A1C110A65A6E7F5EBD6733350DCBBA851271A0EA684A0AFA032EF530511B5FD923399DF93567D9BB1EEC74D6FA4AC5451D81FEEFCE00A7074A1F32498AE68380E2D9800AD3DA75E0BFACDF66B9F34CE4C60615AB46A8310F85C2A7F9A737E8E19E0BCB540FA9F621378C44E2DBBF57C059D52F79FDA1DB8A3D5B44C558C8CC70901219AE76CF5F6DB962ADBB6515B25B5FC81CDCA21B7A51911C5F5C52E8F2A863E9F09E927D8F66B063AFC73CFA8592B710063544143A8B5D06CC78A604E9B72771DE91F48EE55C9FDD831BF91171532AE5EDCACA1BDE2B96362D4E30115E12ADA76ACA05DD128FCB524CA8831CF2459A53D97EBC3AC5A25517F254A14316A402A509FF5868CD290C88F43229BE54A3443BC547A093687B3C3D97A4D1A09004CBAA6939E86CD75F5135D9FBFDDE568E651806AF401095C3602BA958FB7A0F4276791B28A6BB75A6944EEC6EB8CB9A7A9E288916A15A496DF80777FEEA0F42695AC62E29F137E355A13B630F30E5D4E4435C3180EE86173F59BC19B79065CF3F33F8BBEFEFDE35A8AB09C13DD9D326E98C9730BD033CB2DAE20BF076EE9CE764D48BF8A0F7BB9181E60889293866E1C601AB38122220A2CCAAC996FB1770CFDBC4E628BBA2B3122E0CA351FADA84F8183FF4")); test_hash (&nettle_shake128, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("C625EC73E6D951EB899E865B5012ED72229958F2850A79CB8221AD2248A8D670A8072519AE6DFF8CFBF7A20863FD01183D55093C80CCD14106426579ED2FD99578532F9B4D8E11BE19A0F0A8336FCBF1BB1D6D91247DC87B563C1399F50144F563F8583DBC208165C106567EC51FFD321D9F2ABA7AD2E7F2C1950D04E9027D7364ED831C2155E17C0B083B2EE2C4E720A2638CBBB971CCCBA1DAC6860917D28D341A49CDE2B8727179C8B596C045382E6E7C23A35D47880B4A47D3DC79687919194397C3EC00D9AA232E666BA24A1A39CBE847B2E864478AF2F59F73B2ABF2A98481430943980BA197DB6E67A87F3782B7BD99A6E27F82F133DBC6D722B5CDE09277F2407671FF44C1117E1265F5EC9FABA0A946B67DD268C3B97BE198BD2B5185EB07378FBDACE2B4B97C8DE2C05176CD186B0AD3F7D54DA7701654EB1D1FA200191CEA96D0F02C86CAA277FEC59E1C93097FB5D0D43600E3403C53798A33EF5CCAB3D5405E5DB570A26C3A0BDB304328FCD36E327B5D957913AACDC4D938BD00577963D5FA343109F4719D8192B12272DDFA338612AAACDBB4CB91E129E4401E16A673D6FEB16294345FCD0E9BAC8BDC30EBECC3BC6DCFDF25ADBCB42777A6FF4C05B5981571AF8A33D9E7D34534F8F89F555A1A55761FBE2DD66B93330820D3EB032D7A56DB79AA7CC372340B953097453509F240BF9AC6DCD0DF08D21E10")); test_hash (&nettle_shake128, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("5FCBA2303DA2ED78B7A3B3DBD3D7D57BBF37B25B75BF8330D39576EE26D830002F5FD36102BD09A6025532371A6246417F94A527220194F287BAB34A936836AE84D87C251674F1BD361FAF5ED3C023A96AC1E089050C7975D4FB6DDA11305D73F2D9BF03FCDB4ADC31C5356E231580AF9E23B8AC79B28409DC4EDE2CDC5D98C67508ED4D688377583E06FAE8F195B10C60FA61BA10A7A57A8A52029371CA12C9FBA5EDD2378FE78E5CC119695FA5F6ECB4F7C27B0552B1231D4A1BA31196CFC7D30E92603CF2BF14E2D4CF8860A3B4B543E48401D9FDC6B8D0E1AAA559E91ED8FE3D6DDE2F8A16A59AACA1FEFD304D0C42B78441D4AFE148B1ABF86C92706C5C1528D54566EBF0F4F7F6BA0ADAF6ABAF5BF8DEA607B6C86C789E7EA3229031BB69E60BA745F561208101DBE4774AAE3CCD7DA3E6C4625B0744B33E6697C31650FF94095C5CFB87024FAC512D81CD395D8A30FC562E8E817D5DE70E991E4B3ABF091591769EA3B42197A4F4DEC475F3CFFB47700E832FB072B4783DCF44014642D9930F09A2E3C4984A20BED71E4D2ED1C5FE750B0F803D4891A128731F48DF37D7E30EA34F7ED816C51F3DED629C7F430CB3F1ED74610E4D6535DE05EB6E7520B1CF6653DA236DC9E4F8CCA8BEB696AF2A3C15C42E6F87C2EE1E9013E7FE31E891F6F9658F2E270A423154824CCD6BE7498A6FFB8EA6C4E5B8A6CF1C33314C03")); test_hash (&nettle_shake128, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("07F4933F2A7C2988B9D753240C1EBBEA38E95AA1029508296BB49BBDF3BC164839C76D905596EA153C4746B4FEA069D2A784D9CACB598A24BAAD6D215F83F72D4B52604EEC0066344FD062B1835570028C1FD61D5B4785FF5B904F5DB03C4EFB61B424226578392B9E6259FD86DC979526C560057B9395E32116371B3737825A9579B92E1AB5FF9006AFDE8A618687205438D99B7E1BA038922B140BE0DAFB7423092F362F537CAC8272AA5DF14B2DFC2B73F5F4104BA1FE603E00AF8E47898C0E955D57DED792C3C93518CD84FAB72A2022F189773FAE574D5342EEBB23F7D7497F301023C1143CB3481ECB0EE732D1477E6BF872EA0D0DC0623A5C0AE526D8885DB1D3C1CA0A513D2E4D53E13BFD82129DBAA7A2BF6004D2091E627928203D05B11D9F6335DFC73CB9A7F5C3CF43990E8DF0269FA9BBB1FCE7646C6BA85BEFD3F9ECE88A93CBECC3F8F68CA4D0AE8197CA479EFE0327463AB5B78685BA4000482558CEC55D8B934726B820EA4FA9471AEF2962A7E1CB4B2891C0B545547A146CA28AD3E9CC6ABF69D7DFB87B298CA252387888E20CCABC9E9ED484262A3B6A1F857E6900330ABE74454A62E2DEDFEC3AFF7BE28E4351C4AC0738032B81C0FF12AFB4CB1B94F7119A6F2AB4157CB7C2FAB41879943A075233CEF8A64523F70E3C6F66C5EE3D5FDB99222B2A3EB09FFABCAC867E0B2D06955CB80E7EAE176788")); test_hash (&nettle_shake128, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("7E3FBAD2449B2F16426651EA24F642FB8CBB40B1969FBF10C5A6C3E7B1AD2D413C1F8A78CCD5F4AB0BA0A04529EEB3F72B656EA1030CD94DA5CE6B6D7C44728C0CEFEBD7FA597073F8BEFD6BAA5325918C1BAAC3B8DE7D1E4B723C0518936CFDE3F039941FFEC3979AED13C16E5F24A8C01F4D87E07F797E2DB4D5CE17E4AC40565D32896E3B6DBDB50FC2BBC4D13C2E375F171D8EC62C423A126B45D3C13B6E3EF9CFB9B8FD25BFA74A1793EBBE1168705B7A26EF12C2424E9689D993BA8C02790E83CE166DDB7C838DE164744BAB16743231569645B144A34BDE3A40712F01DC02E476140D07BA3DC4F51DA894727443892E7B12555932AAA5755FD9887A9EAC8C949E71EE35414150B63B00247CADCDDA9C2FB245748DC519C39EC8877C860729D90BBEFB89C5D914F99AF63725E91401ECAE6F69C67CAE0C94BACF3D6B13C273019CC3B5D416D6A24D314EF01C6348F2E539578F9368C234EFB559352E5ACEDD53C14A35F680428BBA25A252F056C4E452A921E4F83D648838ECB076F4764256912D41D504044BA68F2734D7236FCCD924D22735F6CFADA2349421BFD51341EABA98DA57B3F1A1B9B7B4588CF3A0D1A7E116700FB90C3DE339DFB9EA3662364807B91F7D2105D59034A6F5816070B5C4B24ADAE525C1BF2D267EA4B03079405A436DA4264CC50B2B30A0881E4D22A1904DC7311CA397AF7399734A0CDB79")); test_hash (&nettle_shake128, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("B6869F1189F52EAFCC0353F7AFDB8076C5CE063E2DF404F3D1314A4DE573541927E9F4C67A554BC82E97C3A2F6C679C812C9DA6542681461BAF009F3ED10D7D2C571288A41EFF6FC73DFF8AA3CB40288C84C9ED5CFA70F59395E09CF3CDD58B4D2A65187CF38828B981EB5BA8F7E591070F97B3A567188AD4C455FEC91ECC2C9829E00639BF6CE1DDAEE45CE19D9A183F0E93630886F511125A69218D86C5008760E8EE0CD299062CD1A06D0D2A5E07A0A30DA7DE30531136B4BAE8546290469FA1B18557E3B1316ED8FF1BC94131E9797EFC0A2D997F8DA22CE6DE0358128AFAFF496DB6466210A8682F9D286AB66304E79CE92174ABCDD0C4DB508F03C2BEE0C87F6C39D0FA2EF7F3DBD4201B4A46F418CA1DE312A2FC9F82E6008BF06042050CA302C9A386AAB9A3A8FB558EABEA6771C6FC301F7DEA5C13DA704E4F41DFC2EA508F1EFAF743FD4A3EBD9370CC3C872A41C4BD40EDDF311C2F5B7C208BBDC7BC4A93804D10B32769A333E8BC2507143912CE4D918D0DCB4D6462F0790F10BFDDCD7FD711E14F411A6CE58D50E70E1EA23645E97B6C154E3BBA3AB35411537BC8830ECBF953BB8214DF95E6FB5AABBCE08F8D017958848916FE04B3D2D5F69DB9234220DA3388E3385CCB90194959027093A93F7048F35E3A5B0AEF90A792820B242C34700FBE7F7E00C00D6ABDFAE26DDC95CA47A72133F97924D67291C6F")); test_hash (&nettle_shake128, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("EEDF8414ACBA3931CCB5C41B045E708926CC68C513372B2A5C9F8BEB76C060461CDBDE486F81952169B465061541E397192CAB92B64CD5AE0072811017140D53861F56A96A66211FB30BD1E911D31FDD29CE66882529874724A64216C13AEE8110B963ECC99CF46D2C1384CB39B27F2EB85B517893AC45A126F57E93DEDEC78CD2708E2C718D783D847E2FBC8B3FDC67260B33852576910D2E43923BCB8882D318AC5421B99BE5E532101833585E744B65EEA3104337FFAFFF4266B6ADD5F081E42A46C5365CC2F03DF43C3AA3D0F9A9C477D65E5EBE634C806246544B97EAC179C932E37948BB5E5C84DB32450F3B9FA54C89FD03FE58861B8E8A6C8C3D7205B7A65A02B90E0412C493ACBC3385E1A197DF785B02EF42B0BEBBD5431EE59DF31520B88E30BD376BC4E720D71F1C0C9AE4C2FBE126DADE6F667E2CE825CA1118F5B82F2A86FD5BD80621FA6FEA14768EFD08D75E4C416FD1245B0C07568DF42244DBF76614E0F3010684210E49D0868C3ABF1C89084510662BDCCF932176DAF9393B00A4FDF911EC8BA14E81B0648E5126B7B6CC1DFC902A53D0BA7204C256DE67FBB525F6C2D4C4DB08484A14431B350B76B0DDEE9924A8E0DDC4E6B9DFA90FD9BE0BE70BFFBF6F9ABFE0EC489822B94DFEDA911FAA7626271264100E2A40A2AB932CBE92BF2DBF57D273B0B056A6DDF29BA36A7F8138390865AD9ECC76BBC6")); test_hash (&nettle_shake128, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("61B6E091F3A8BEF3886484730629A32553B1EF7EFA8689AE6C01062F505ECF48E8460B66448D355046FA728AF5778FEB8B827BA30211E5B1BB82F6BEB7F2ED7450E9EE0A19A47AF63BB687A0A4E611B3762B97BFDC6E212EDE1F874C33636AB4EA613BA991E8B9558F24D1C02C5731B155DC1EDD6E984C5CF51BC59BE5E084AE89C87AC2AF5792C6DE0B76448AEF8C5F248CA6FD1525770C8B4434A76552834CF1481843A9E3A2051108D3DB6B8265F736395848DA2C5755B504F4B958755BA1820DEEE9EAD314C9515B996AB96C8F349BC12618FA4E8A026EFC5508707F642F5CAFE1EF135764515F4CE2DE357D93A0F3BDFE8E3A7E01140212A735FAECB49659039AA05F0C5EA0690E304C155A64804954E24039D001A1F7C2F1691E81120FD275A6FB292F3FC1BB16763887E3BF327FD36FF14D8B89D02990AE9D4B2B4F5492934079D17945613AA03771605B259446664FADE2292036ECA5894C4EC3D6673FB95617770AF54CA581BDC6B52097938A98BEDE6CA627A9322D4FF7390DF9A3E46FC5C0663A88A16A7D4EE708D92EB5EA6DE0527FA5BC3454455B678791E07586123CEC8864396B4B972BA29C935E6D3BA2F7B2FD315131C0F008D047E6CC234535D947F068548287140D4303365990E62B4845A3E7CD90667039C205BD1B836C4240B2120B54DF12C462D2B10FFE2D61B456F090EFA26C53E1F51D2292D31F")); test_hash (&nettle_shake128, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("E4E5622998509E275AED8D103E2581877B09D570EFE558CF03626FDF3A2C04044C1531D3F92A025CA693FCAB59D90ED2A2DD33F4768F56B972B2E87D34E8F293862C22602DE928714C34FFE22C118C474467005C250F77971D59BD93581E5EDC4F2BE3C61F5414DA40DDFD3053595E616AFEB18D3CCE87691AF4C228DA5595E2C4498FDFDE8360DBCF014B368A88C5ED7A71EEEB003E8839A371B8D86F7B58DA353EDFB2891BF5A5CCBEAC1E5F2EDEC1442FD79B6A31B85E4702DF68ED3A0504E26489B15C0C1A52B443581BD671FD207302B4BADBA9F41B974BA6179EA1671E4660CC8F5A35F71A8B9BAAEDC457FF13263B062DB6059FB4275D2831218B04B2E24F1E3B3DC4CEE9261A1919343D5274D64CE11E0C27866ECA3C91BE98762834142C730F4C3354F0866D9F0CBDE0E54BF747E0D8E50C8654A1C87FDF7EB6D13C06A8D0A02FC6EA72C77D1D957B960D6726EB5F1D4B3C056B2B67D9C23DD393A25D03129FB4D894DCEE892D4D7CBBEAF404FDDEF8707C5850B319E04DF5D64BB9F256A6B2A7BFABE6487B16DBA0CF415F8DE98AC8D63498DF68DD9E209B23297C79D108BEE3756989D751D91FD0954A7F5B166109FA11C7AF4BB18B695FF6110659E37683F92BA03C24DB9276D88E6FA587543E785A4D49F37240CBD826162E0C2AB12DEEB71552FB1AD45E7E5780F832D831D2AAC556A3A0005C37C148C41AE1")); test_hash (&nettle_shake128, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("F3ADDAA4382A61CF38C2963346547922642B064CE36B4D424F41ACB02AFE7AEBBCA83DF589208FC828EF58300E96A4D20592BFD58640CDA4C970E1AD58BA410ACCC75CF6D2566B6A10D7FDF02D169E6BBE8953E5812CEBF84E6E79B952680B4CB59373D8A6741C3483389E611A290D1CA14178556D0CFE750C787C4DB1558A1F39A2F39F9021F1E420F57CA91CD1EFD2D61D0D8CD34AD1FF7E607096B9787A51CB7684D8040FC66710C63D85A510DDFDD3F60056051406E7F217F12867312197690EE8EA33E6935306B76AD816043FCD52255976F9691C31AFB361612886758BE8AE9112412456B4395017AE96A3D118E351EE2D17FBA96B3AF726AB1B2EFF01FC3B8B4DCE461A452F0E6885EE4937B34BBDD357A83A68A95D12BF9CDE1C5ABAD70CE7A30B76BDB601B8EB533D57E4DAB508956440FFA0EA3EF2773A446E2CB11F08226385A71D93CA67CF6CCC8EB8E48444D508EA035AB59AFF79E076FFF850CD497798F49BC633EF41B0A4239681DA28A3BCFB2FFA3A992909E0A0148781A1BC03FE3FDF9B7B9971213F9BA331E5B1235314B3F173D48BC3249E946627F84070AC2D8B57E184B0E8EAF0321B38857383BC1C27CF9390E79A2E09A3B5552A7AA9CC55AAB534BF7D7571D3ED97C258EFC9E2D3C1D34DC84EAAF55D1725AB388C0A5FA4DF270630E468980FEF3A79A67CBB2289BB03CD239C14F15A50403787A3")); test_hash (&nettle_shake128, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("EB6CCAAD9EF05B657B6835655748051E33250C4FA600B3431E96053B0AD6ADEF7D8E5CCEDA256D96CBCF713E1998B19F8033BF032C9B2A56309B31755DB88A5CB11669A49AF4999C551ECE42E69DBC4D53B0AB2705295A649364E8AE495C793B73AC4F5AAA01A7A66F4542A4A5B29AA266158D3379ABB4C26596CC3E7195EA9112507ABA0C1BBD8EFA5785254681E11ACBF65A977199D0D489CD4357CDF61F0DA3B640958FF3EC7CAB5ED0C3E725EC64D18CBC8BDB097967FCE3AF9A717F591DD49AFC38FBB4437915D7B161E6800C3D8C0EAAB61C5ED05D8711B00E75892AAC5169E42B95AC207A27981684A7A26B9C7E00F7AB9A2DD84437940A7169BC998A56E0A31693345AC53F45B9A7D0532ACC80E093624C5341312E7F2E7FFF5B0712E2B119F4C6F5CA1E55899F394C850EB038BEF7EB1DF1303B7C97292732F96F4F6B8CDFBAD6C8D6FB5721A5441B4897FCFCB2959026DEACF17A99A27EBDC108EB1D77518C342B8E9892CE44241F94B88803D7EF72E26E8209BC251FAF58B8E0E2CDACA5B4509174B07C98AEDBB2C3871FE972A4C31DFAFCA4109985904DAACAB1C124E659562B77287B6D9DB73A38A26AD0E746B71FA086F6AA4E39207093A04CDBC69993C2205CFEDC4D321694D3FAB832CD729EC2501EF2D386EB170A011BAAE3E83A7EFD110FD36C9A7FBDDB835FA033891FF21C4B634368FBE8AD991649A0")); test_hash (&nettle_shake128, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("28721A5CA8A0B2F0EA39D1E51F18FF57F838B0F7F95106E13950D717E3BE00F9CDE1FB3EAA37E3B0DFB080B1A08EB6D07B4C36FBE73C248FB86E993A7A44A42501593B8721082AF6836EFB165084AB5DD13C26413AA4303D19183CBF09526E9D6F590990C7A61103F82C3E3E58A673F8EA1D00C85EFD867D4D7F9A0E295636933238C39A721ED301D4168B2346B115998279BA080D3D63A7F8A5BEE1DB83F415F9FA26CB0C6511A3AB2CA7CEE4B30188570FEDCA952B91A299DB985E0EA5D884646DE594F5A3ACD3CF975CB8987018EF6D5CB6C7044D946111D250B0EE5F40329D6EC2423D085DC8A8F8BEEA38EE4F3E4D7E206B6D1B988AABE52B074673C1D74C6DB329CC978B88B0C88A41BB91D541BA4D3ABF38F892E90639ECB37C79172352FA2273ADDF88BD6CD6A76B305E001F78E9D6C29C46477DE5ED69FD0D398C8008C839C87FD95C51D35AF3AC874F9E33E60813A984FFEE299547BDF305756A9F7560411B7BB475870D8ACE7671C093E210D3BDB10D31F48E0A78D1D9E3E44199CC49B7D2A9E2CA0EA8EBED0D265FBE461A12883EE515FD738BAC8299309C86B77ADBEA857C4C92ED8E0F380733B47853CE530091A6D700B4D1EBC9830C2443C7D82C3E0E446CC72D4FE75A5C3AB4E38971EA41FE993BF270C477FE90E2E207DF59D011E23777FBA3B454138B31F1E055818CE61649F0D4D06765247A9B8FEB8D")); test_hash (&nettle_shake128, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("1E98D0535E8D9201A8E74F5D60FE3151AB5C246993D2C39AE2C906720F898DA70500D14E94ADD0842DDD949FF614C1DF73D57879B3649CCFA780D22131DCB51E14CAF79948D497D0A4B8C3BE023551C68D88DC3E36AB8D73820FD880F3964964FABF60BF9009927F25D3EBCEE347C54B3E7B9A957F0CD10AD15D0A9A2DAACE6715633A9400DA882337E8505A431251BFA1B31096004E6E0F40F00F6C389A9FD5DDBBF7E7F26F1259D25F2C176B4B71F0C00DEB9185FF0E4508FDD0E057AF4F4D2DF3A15DFA5416ABCAF086D0118BE1AA70C7A14DA41B9612814C39B6E7DBEB9A415FD4E7AC8F3E046F0BE25BC0D05A183A4FFFC498100C21D013D712D7FB48667454A4A54BC6CE355107267E245675002AC83E00A26A76EE6081F8C621620C37A03FBFBDC6F7BD88A5D996BEA811F9F753A2486262E6452F896AB8F40B2BD97F95038DB68FED4A52194B9E85815E67DACA1EEE6B0788343999453E8758AFD73DC3E1B9088561305E929A0128C6D229743567C7885EAABFD9BEA8644FE8DB4D19187FF46388DB5C1583DFFE70DA6349ECA26E839DB999F75C1C72455643A902466C24717069EFADED38C138D6A499FCA999AB653F5B5DEF624EE990F46177FEC751F55833E721DF57F6B813A55C2D0C463D25E96A53DB14E6CB4340F6059C924CB7C4EDF94812959251282B5F46ADD9A97DC8951B6AE72F7FAF6EFE2BD11D9B34")); test_hash (&nettle_shake128, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("518802FDC9FA52A2A70FDBF2AF1B43EDE346E59B2709319CB57FE6480C46C7513868686CD374AA43D656C6BA98A2A879A1A3D973C46A10E95BD0FE28029E5BC8AF03029D744F4B2D9BC9D83CE895618B9E21E6C4C2D295A285F251C26D22CB1662A2AA4E8609C8503CA9C908EF853BA212A87411059118596C88795C972F8FF55607BF82B8C128AB5D041E86D5784B35EDEE160FFCD06314510DC4AF9B9FC51999D70C9A10449C5B62B584614742032BE710E50B42ACA942C7C73776EAB51B0FEF37F5447E8CE2198266E7FD1E378D5CB2F296AFB77600B64677FA13BBB19DA426288F423EC6617BD19A77833F01CA5B684BDC5BAE939A79B6203B22F4FB27F4BE92EBF337F9153CD3D78DA095C0E76C9877A1A80D2AE4DF7CE56A8F876F32E1134E0C51E52798389C35646D3165DC164C5F77ED519345D21D055A332F87CCBA7D3EF19BE950977710E9706AD07E30928639148B1250026FF23B04A06E62C2799072A319E8346EE80F9A0A2389C4B80B9A397C45BC1F0E92620455A1A04B6BED80B1BB1B78370992C5E41FB56E984421FB1E8465132A33D6D227C85970DF92D7159E6F59EB766C3511B84C85865DE1FB3FB3405D2102F1CA0AA4C1EB6A0EC90F6B89D783423D848BD70C8220C7F024A43888B9947D1E9E52A6204CA17B04765F503A887EA929AC4866890110FED0713A0479C6FB619C08BF2CB24E026EBC6151")); test_hash (&nettle_shake128, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("DDBB83438554C66AA9D9569AF53EB13DA65440E0B1AFD88B80DF59E767E069AE4C70741F68ADC2A674D66E1829AB7DF21BAD9665E5ECD655F756A78EB9F78D838461A03C1A6D1836B27DDA6D269ED65B7E352030401ACC8266F41FBA4E234D225EE32BFF12406F7F620CB3484D6757EF3AB69ECD675A9250200735826B630B72E64F21E3D84B135A35E1F4AE48AB2E80424C10BE6BB7AA78F8DF9C91537FABB91DB4D58428F6DE62364292141E9A7FFED93F16D1D36C3CEB4960E7CB8FCD8B91EFF75B027159586DC304051556E1401A6C555A804616AB2757D699BFB1E37426983C39F34DF6C1FA6C084FDC9C633B6AA331C5E5028BD185A4EBF3EB0CA4CC397D481F404440F4AB2AB7DFE0FFC935D91D417D94D9858F89D28B4900E634A5CAAADE9F149C6CA1E011EC684CFA3B3042F9A320501522B6211DA5F5555C87102DF37F17E4AD3BA55A37381D204FBA5711ABED49EE51F3985ECEA7E239FBA0E8A060A4990590795EDD1A936C185BF37AF9B95FA3E6294A780DC9FFFAD7D9319002D18794FF0DA59CC6AD9E3AD9D74BDBCA343EF694CFD333F87278E59CC445FBE0E622857F3745FFD8C90A161F7F49EA875BB1CB234C63AA0C55E530A72B19CB770FE91872A91420FD1CAB520EE922C2B6FB59CB8E516C303F4C74852769EF1787FBD7429D33B2FC0ADC18B23034736FAC59F926E88DF27D811591F03E7009193D")); test_hash (&nettle_shake128, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("3A0476C8E248067F0F96F01561CD0F6E55BB31FED70D2AD5F282F030044A331C6A20F14F254D1CA11EEE4226323874A1035C0F522284627B51F29EE43B291D24001C4A44C638AAE5A89045C141E16B562FC1893F39CF49BBA6D17EFBCFA4919A1C60D60CDB132CEF068A05A81FA5C374273FE366F4CAA16887C5AD1288BD066B741D234FF63AAE976E742F5DCFF610CAA33826A7856E5E5265FDBFA04007FF3F0F701850DE3E911FD71E00012DE9823D78E381CCBAF09976FD686811255423A7CDCADBD854BED848EE0ED2977FC192573F2F36C62A5539CE807C2B01AE7220C6139D1ACCEC6CA37F2C964BE922547BC692274D557ABC1E7D521D1215CC56260D0C7EF4C3EEFA6D54182FE1928D8179FD4508B8A4C7A3F78D2D0CDF76ABF581F0689D1BBAE1F7ED3A8AF23D687C369398C715F71377DA92A518EAE81C7587876691AF81B982340D71F3FF3836AE9E87EEF7DB14AFECE5F57E45746173E7834132F922AB5AFDE73076B67E446A0F096ED2BC87E12216BACCEAF1E912CBE89483B5E0BC35DF7C38F79F31C1567D16A321920B2D0E6F3637B2C65AC762239522433AA51EB34A2A174C93A693C187E97B3BFA4C8C9C7DD512A74F26EF74EEE24D3F425F0CC05F0A3A630806FB960437F6EDB2C31B0103B3933986BA9E0B2D26B554FB9AF7DB5454A18A8D52EA8445F6844BA7371511CD14FBE171BB4045C7377553E7")); test_hash (&nettle_shake128, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("868C7566EDF719D04D7457BCA5CA9B4B62F309FBE1046A7351F24DCBE2E2224E34CC23E2C859E83B8B09E15FD575FE5225A03D1869CD1879728825A67008CBD1C7F0535086DE803A3E55DBAD1BD9998EBEACE9CBE63C4500B5ED3380153A41C33948E82E2D375E70E2A8C3F1C1AEAE72D000EFCBD7F9DA3FE0422AEB9A10B81B07ECCEE0C227947E7DD5E2B277A80718015BF5CA4C9B3EA5EC7CAC5CBDC79642CC0B547729A0956C739C956D09FAF013F402D764EF87A5027049C4FA0BD8EE8D77D99F3124710DB8B274B1F8878AD74CF88F21ABC520153B2668B79F824D74C4F113A66A275FF882B64794E307182C5EA6C96A719FEC5FCDDB619579246EFACF142F976DE21ACEB21136E9AAABF231706C767A664602C676EA46C70F0BE2A7F9907A484BD6064E1BF132FEE115362DC13566F763F4CB29A3CCB68594D9E7427F2D29B1A3D02520A81AF9D41990E04C9766260841E86965DB59B764E1867F9F2B4BFC6C13BBC08C4DB843982E262F75CE6F0E034B58DE6ECDB71A5E32E9F91CA8398EC286277B0DD6A518031C16AB864971C243CEBCF3755A72AFCC186C5D200873EB27B070603A6FE494ADCAC893162CFFB544C2B69083693A407DD92CB4F6B1B341EBE491738258EC5D109856BF106B56E6B96481B933093DC4DBE2CD075C5E3B760D36F3B92A286F91AF57604B70206C8922ED21006E05A271F1415F84F6BA")); test_hash (&nettle_shake128, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("49D7FA3A63EE1611E9ECEFA88F80DFCAD8D7AD69E6A899AD04D102885AE1419F8E9E6897F1D6937177E1BD8CA104A7C227B8DCDAD473D0A2BC12C1A2287B5DC66A0F808D02C452BDFBF5AC4F43B38105B5A9F2E67A4C6C81FE5DDCC1AD3EAD625B29031FD5F1EF18F4AAE15EECC2B6F5A4336E5BE3FD7D3970D50261FF6F992E5A0F818BE342B910B267C8740B7F331E0623B5793D4146DBD8BA3636D12914DF35CCFBEEE62BF3E0033DDD26114EE709A641ED54C21A130C8B3E1F9A49965E48B8AB914AA2B2A377DB1873A1882625EBCFDD1C366360B8DBC631DB94BFF615BCAB90D8BAB3C14F2CF4A6E4C4130AF4255ACF14B2B3699EDF8753C745F9D8DC23AFBF449A05FE05FCC83FB609856A5BE79B06E57D3E42531EDCC13B1AEB76BE54CEDF8665439731CEE4144CEDC0E8ACF9EE2AF245769D24DA6261E368CF0D599225C397C61A87EA8C0EF648A74CB1E3C5ED2C6CDB766E83BC68299B1AD882CEF5B436608847548141FE1DB303BDB13771EF19674F196EFE3502B14A7A47283EE6BBBA86354B88A8FB15187E0AC84CE0E9CDF737F62C15ED3A4A6FA0708F91DA2190268C0923D1E696B5E98251A6783479E6BA28336C39E27680BB86BEC2991D82EFB40CFE6985944ED3B18E2ACC7E51BB24D0F2C19BDE84CB271FDA6BBB5DE6B40203AB54CEEAAB0D84A339DD84108929663A50EF23BCF1E79909E2275FDDBE57")); test_hash (&nettle_shake128, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("815BB24A227FF0B94478EC10D6B4FAC313D56FD9DED13E94A57869D8BC5E542E47CD97D42F1387757539A452C5C40492DA8A4D65190AE36BF2E169446BBE5CE0742A1A9865126EA07AD3875D47C5ED5F85C1A7A57CC350E05A4DCB1F052D9FF4AED38C5E1D65C05C3C7DB8A9A6C00AE2B3B45FEDCA8C309B2C369A7B9608AA365015AF193F33092D084B2A7AC5CFCC018A045A1D89989FAA5FB16F854453D9A6336B900ECC4D9EAEF9DE4C6A287C44D0E4866CC8E4F8CDE5317EEE01113DA6A64B88A1469835BBA057760EC1D03D63D9CA40AACD7CFD8619E92739CDD72C9A11B0705A4E50DC386D4D378E624818B2D36B4FFB6DD1AD2C9F9D2A8BC4A7FB73827930E98CFA03C221B7C9D648463B8C2AF1DD195A817C0E986E8DE6C11371AB830EF74CC5E734B56C6C013350C1212901322BFCB0CDDDF13344473E3950C393466DFDB59FFF9E582E9B79F5938B0476DE125FC36FF74C03CFB685CB09BFF4C234F272D9B1BA6A2560308464CE36DDC0EB6863AD42B7D0490091C05A745CA5F288B303A0FD08BFF7BA2265B6C12B25840357DAC735CEAD9E6087D38A97421CD4E54518D7C0CF0968860B6348D1531C56C1B4F6B5C7771377194EF24E91F9D9DF96253B80009341E10122C14D919A037C820822A23E47620B35D0DA729A1AE329F99EBCC26FCD8CB9C67334F8B04714D2B76D5D0EA6156187C9017E764AEA66E88B")); test_hash (&nettle_shake128, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("47A1ACF4036C3A62A24F7A2E1147F5729DB886339C7CE7A9A6E7613BB60C475724D573E64E4027F296023E762CA20F880AB6C73142D3D1D36C19905BBA147317880DD9210A75FD7C552076F2419432E46C858E69B7F7C72372BE510F07F21977DEA627514F6ECBB34DDCD6CF5D86B01BE3DA48481B25D56071CEEE2142A9956AAB4760666DE359A36B8808D1DF3F3C15F22163CEC7C1181445DF7D06E79BDA799A6C4F278968B677FB78C8157CDA2FB7447ACC2D485E6922D82E1AF596C760FCC2D7D83A6A4B52400E3FDF64A2A7E4D9D9C59930579D4516618FE9979B10562B35F26CEED8D53DE5B322B3BB4F1B989EAF31517AD896CE3E57F879D6DE9D4A847E4F7C9EE093D7AD482D84D947CAB0B6619D8895FACC2DA8BAC086E054B3ECEB72689DF5730FA6E51F98205B1FA5AC9DAF82A78867B655B39792C686518BE3024A5F975E97A021F64FC75014635371C9DCC8952F2B5404582855FFB049561F3E20013E74C8A05FD434516218CC6E463F62515B454B358C611F2902B9D11BAD43862497532DF84DE73A02054459B79CB956E6DFF229E8FBC8CC558D666E10660B87B9B0831DF729CD87A22FA33891D9CEB2CC7CEEB1F316600B9432346D1FC211CE1946946F33BA59D6B53F9208F8F1FA8362524448CF87A851CAE07D0CCE86E594B5EACCF0B4F10F8C4D414AC194909CFE526CC87FCCE1386C7F5537D10352F5")); test_hash (&nettle_shake128, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("2F06C83D5CBC776C9E2E490482D92BBD8D32B07B1028E046582DD17951C13CDFA27C065A2821D997F37CED1D3F69ED8A8EEC35A55C1419B28770800A66A8CCC05332C64B0A310A1F4A99EE9A18ED342CC03A89193BB63849A6F0288B29B0801000EC0E3961FD85E6CF488031F028232B8FEDE6827C7C24FBC33A26A87A9B6210004038C67EECF0EF9D19C3DC8FE2C7DB8A449F168A98CFC190043FD6E2FF366CC35556192E39D1664194D6943F9EA5B4675D5051100E1497C1970C2927506B5B717D2DBFFCC9F62A0AC338340C8C473B397B98812BC77202A67426ACB83F4A103687425D9F793312570FF6CBD897733CE7399A3853887918A9EF8D0BFAC5A303B9E66CEB5BA52B826EADA8E5E158422A6D42F89E986C30F9D8E14C8B3FC7DAA5B012452666612ACEE1884C069F98E476F89E74B35EF94002744108A0EEFB9A9992104973E1176F2AE0F560791B9486E7A27C75BAD42054047E87FB95F43AE211FED7E3948745624F8EAE4A81CFFCB4BA389E169C9B55FDE64DBC31E6287144D0803EC3F0E5A86DE5FCD0CBEBAAC40D7103B3C0BCC8AFDE491B25AA472BEEF91D2AFA59D980EF1A833002838A2159C0F9FDAE39489B6E865ADDA3EA6DC8E675E45A45857111A2EB49FE3ADCD52EFAE414B6EE423440419B310E3CF751F497ADED9BD3CEC9172A23FFC878DD9FF6033EAC9C4CE7697BA9EEF60B67665CEBABC43B")); test_hash (&nettle_shake128, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("ACB6638C5302BFD244F9C4F1ADEA0461562CDBC92670F2C0C9135BA8754BFFEDF6621FB48B702792F71AC3B800BACD3A18791642865247B75D086AE816CE17F6D0CDD63D0A2FDBA9C743FC9E3273E6834D21F12554B977A146906682B5DFD85F41BEBD1ED03CA3B67DE188A0547493753465D76145F5F860EDD2F8F3C09ADEA139C3E057AC64487962E3EE38E1FB9F29BB5FCF2D70993AEF47E56A26C70D200D357758A4B34BD9327DBACF987754D805CCB5D2F4CAB0E238DE726E6FF78239C0F2E020A1FE4D4F6CC27C0747ECA37B4F72A110B3B8715E3DB07DBAABB0E580C4F20DDCB7ECE60B295211AB7CEF858153DBF3F8D0E27F621551B317534E9680576D629C5928F1A03C9928A93B67B4FFA019DBADF9AA71D37E79D40051F6BC6DA2D567E3E48706346275DAA4506A0CE668C2D4768FFF917A11E4C1726842D315DB4D189FCF686C8BC1061A63FB05A73720088C9FDCA783EAD1FB390ABBBF0B6BDCC775CA9AC32A1CBBD66BD80DA59152C97E295AB35DDEB7048B975C9E2A794993852F31A18840528D2F297454598A3F31BF9973B9CE54D5E2A8012EB2CEE9D49FD8299DAD5BB566629F6EE4EDDD71E6D08C223D0A1F48BB804096B24BC6DA27B80AC2EADF7B7B39C29F3DBE556AF66463785707A23495E2FFAA815640BC925230DDE6E5E545A7C414543D55CFA23330BE5CC1720A816E4064FDC0BB45C0D9A426")); test_hash (&nettle_shake128, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("2856032A7399BC2D4A4D43D7DC024AA3040ED171982042E0D1A4063B6603526EB4DEA45FDB007AC0E61043A11A502D4C49440C174BB183979A5D3A35C593E1A01886C60472D40D161A0512E3372BD5F8D35A217391D5AD14DB17EB23BCB74D7701286A158B03A927CFD03C4062EC0461F8C9C3D4B8DE0D70CEC5EB018375E138278ED9ED366D546D896DD885DA0C3513C5AB7EFE2ECA848B270CDAC3D2FE7E14F3DE6848FE01D64D841F198C85CE57E16B06FF41FFD454B6C61569B71D538CE5729DC5A5AA1D4DFD5F1D3F4CCA0F424701E8857EC66C8DC3D44DAACAB9D05626751240E1E8F1ADC1E064AAF47C66D9EDB0EE114A6155E28BF4769F88C053313792CD9BB2D9687E595D321E152CFB42F67EC9DA6E373E7621E4379A3C22B4828412223AED28946784CF67B6CE99918E0C1217501624599E4E79E90016ABD265E21E91205824B7FBB95E9ED999C50F90C5748F83E71EABB66DC2C16CAB63C064BB88C865FD30EAB8FAFE0529312BE74B55BADC4C944C69B89D98E7E07054A0AAC8AAD91F53582B91CB22A56741C41998EC878B11671AFC9DF26B5261BE5EEAD565BE962E87A40A5200A0856123ED7D248431EFEC79D7932407A7D762137EEFABBBE0C6C482CBCE115FA9CB7254614DE54E361C5CBC4EAC03757B83F4E4A96BD47D8347ED5E2C9E96DF3F03A9762988D671AA75EC9F3B5E833570F13CEA7C323522")); test_hash (&nettle_shake128, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("6AB8F0F45B860126332E32AD1819FD5A23DFEEE2C7FE47081AC855901D2DA3F590FB64F989EA616FAA0533E49A3B08589FF2DF8B8A27BAE25A23FA93710032F2DDEC4E3F905CA8AC37CBA1D9D225B2F62343DD5418283DB7D6E427EF537650944723DDD7DFED6394BA1540B2FE72944C330CFAEF76A9CC3998C1B6C38A83EA71B075F1E65C9209BEDD565149137A4BE1C640F4EC86A556B196BDF14F5C336418DCA1330CBE1781DFCBDFC26B562025C9DB90461658C4F1947A1B1374D8120168A1AB8D0CEA7527F0503F19C4605463CE134CABE1C72866F37EA2F105D44A3F2080DD42DA509ECDB1EA8C0AD439820D4BCFFCC5C34BF78CD8BEED8E394567A78864517CD183EC4366249FA9340FE4A112DBB418B32AEF24426CC95E12BD243F3BD4E744407F3B461B7E8C7FF096F2279962D60E778E1C362A5F47E4ACAE0561944BE126C8ED384BA5E71F8C23FD914D525D3AFFA915CEBA52CB3B6265E003D6B2483C7C331DB0F56EB5F4D0B4A7DB558A154E34F539136C6869126FE3A7FBBC07A92CA251A6ED301CB1A8415FF16CC28D1482FBB7A70DF1EF2D5AA55A084116577301EAACD88BFF5139D091D0BBAE55E31E50FBF28952E7071594FD81B626FA4194D97572058F217ED070B97ED42D8C7D9DCE730D270A01BF847929FF0E2190446D82F93D9C2BF309F836811DE1E4700D9BA736672B407E539219634F32956ECC")); test_hash (&nettle_shake128, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("6E9D7E55E8B258208FE6C1C50CE490BF81748DEB2B4401800C2423E9479AF3BC1B4C37249A2DC00F120DC5E2114ADE14C830437D6B0190FEC5AAAF57D4E9C5078B867B2905D48E6748E85CDBB3F1995389AB373014E6237948B8343AB418716F0E9971DB6A179B11277ACB2DF6B6B5903EBF311F2D94B10C3AD0BEDF2ADC7486929C8C43CF0ED6673C6468CF69B493C9EAC2ADE0AB3987179570886A28C08D0DCC83B0162A8D459680FDD2422C2C40A44E3FE55D0AB24CEADE4063C995915794B0C842573E2E7C4BFF8E201D3F9B3E8F49D90186AABC9DDC6110E98E3410617DA24FFBA5A7E5C3193C16B70CD6CF919DD6F15DA3627F42B6225EAF4BF1851A570E099FE3B8E7D746C34573A74744D42135332DAAC9A9341E598C714FAFBE052F7E745BA1D424CBE0CB1932A9E497D2111AC597F7E5010A86567C51218451EC3D1461D1D2D54F5E8754C854CD4D60972BC09482084AB865DFDA01D1C7AE4C749BFBDDD19BBCD95E8A53009529468BC4C47D9015A119B9C37DD2C149C65E6C99699C69C3CFA405C65E0E51A3585D35EAD701FEB58F1AC72D74E87D2C65FB072C11B235FFCDE39559A45F881DCB292CAED95B3AB6E0E468F86A235E2D83708044D75E768A2F3EB13523338761DBC38A8E014052DBD46A0064AE0255BAFBA6A0C8FBFB40CB41DCDACBC5466787638B901AD452D7D50A0C610001FBB6F126902D2FD5")); test_hash (&nettle_shake128, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("BF52ACA76D241CB569D39EB2D8669D1B2642C0CDB8B141E87C3B1BDB1F202641A1600AD388806BA9F5DB50A7CFFF97CB23EE977C0D3899F414FF5C47D689840F59E7E7DB2EDD92AFF3FB36FD198E7BF5D81FA279F743FDB6B9C00E974065802903DC40CC3E216FF727A72F267624894F114C62E7B101D9DA391E3A205C7B492B7EA28D836AC6657960CBBE4C38A73F87EA1F8A155A62C0A5D5BA821D9ADFD42BCF42CB3150267AEAAE507A4009BA8DCF70A13AFEDCB2121503CFFE786304E3AA980D0FCD7C908406FD2CD9CAE45DE97414647DE04D03C1214C967A14756830AFA6F83AD91CA66D9DE50B8F0483F99572A284BF9468A6ABEB45F335EAF0782C04563DFBF231956BA4575DD9BDFA10E2F6DF8878415B357867E5C22B9CF349B480DD0CA1F7CD432FCDA057A5F9AE580814A7CFE843FA831A5CDB87646BCBE70229A3EE7CBB3094E591FACC8680F298E10E1383D3A6387A503FD537A6ED924903CC9149879A95A164A8B3BDD385A69A93C58AACC066FBE4E59C7F6E16C00E45BDC19EC267F7684705CEF34D830ACCC03822EFE9C1B3903C47FCFA91FC7A7B58240765EEF217341FF96F0D0CDF5062D8B1939185C47FABE5498A784622D1B2DA0DBF06DAE6F661206F98EBDB257BB2FC4C86EF6E7C6E31E7756C8CFE7C4842CDA9878D6257EDD7F204A009A9E1A492F5ABFD42B48593231324728F8A510C47F516E2")); test_hash (&nettle_shake128, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("08E74B227985F88B7C1884A179D0B9C9F58BD2078F8938519F460511B00003E51A8EF4C93F69B716DF11DF2839688108ADF72476D1675E4DF3399C05257B1DB542D92F0E27FC59A927F00C4758ADA0FD95DB9D3251C01CB9167B2D6310E051407A2EAF415A2E478BE53C3945A702F04E25713EC2E2E1D51D636870642F6023A43FD0859A3B468A9502A8EFECF19BF97906E199C095464600B0B7A1B180B841158C6C98D13C371F7AB56496EA14CFF3110AA9D33869069A1F9215A6FD99CE9226EEF5A272B004827DDE0E1B1BF4B0C0CBB670CAF16B1840C6E88E577ACC2ED4493C598B938AECE1824717964048786D9CAB9ED14DAD9F87DF1E9C374010D89D4A8616CCDBF687E12D7CDFB388CBBB88B56FEE3AEDBC5360088A49FC1B2E1DD5518E0E00F50E3C922C8CA600A41F72B985F02E32A1F9A1FEE1E1929F5746FFEB87EC41F08861EA3463ABB9803CCE8C8257853FDC0B0C077D4255DAD1FA9E5D865C981BA15236828E7E425F5DACC4B738DE18E6C68A6C925B72C14E3042916117E91CB69311081E4E845B09679CA0607BBAFCC1341B283BAD5465633073E5DAEED6541B1FD09537EDA2F0D2A51CFD8715D3064FB074B52D48D4E7175B4AD0A0A6084128424958275068BAD56B5AD2769918B6AABA7AB1E8C9F88859B3DAB310FBA2FF67BDD3FC9E0B2EDDE0B716897220AB75611975E137DB525DE4465ECBB2D9D1")); test_hash (&nettle_shake128, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("3B3E210E0FB73556801A2250F1E76C45DAD31E12F9EE3448640B73D5AFD6D2D6FACDC1B0CFA53F46A56923CF16B6BDCAB566F3A0105E442ED7E88C09D705249BE34463D435C14D5118A7E028DC35FAA98112F80D816ABE04F7345EA55E7F7652995FC047AFF6B8E4D05C24A0C78FD9FD40835E523BE7867312630993FC9E5CBFB47048453C205880EEEEA2ED9A198AC145537BEA2C216A60774C400444C07CF6546159EAE47FD6CC79CA43D0D26C79DD13F39748A696F181984B5B8EAED82976C9B0C63C915BC2A2DF91139618AC82E4478EA26F9731D422C692AD1BCF483936D99F65CC8E5CE20CD94ABC2C4176B668D1813AA3ED84CBE68B8C982A8F884671CCD29B70EFBA765CB4BE7D0D139798FBF344D7D1829F3AFA946C3558B4C958A9235E4E96B28BE25641120E00EFE178304804D90946CDD1DB6229C0147339A1F75FBEC606A3B3FDCDDD9235EA6BD3F166AD132F8C222E45A805D166F8FEC56D488A2AB66737E3238E67419E194665DDAD4D8214394A4DA1AE09E0EC4EC5B209C18004F4008ABFE997E456BBF99F1FD9B31E69B934BA694ACADDD534E4BB4472179403BF9014A9EC311B16CA2900C669A8981BE3B5A8A9D3BF4D05028FE6D3D97D54B9BE443F9B0F73E59780D09AFC937D1F36C4CD8CAA1EB2A8522AAA175FF2E4A3285849C059991174BEC1BA6E42E399C4AB0A566BFBC09CF1B836BF42138026")); test_hash (&nettle_shake128, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("615FBF41D7184EF0EDF7AB0B079B76A4A7BF2B10A79A2FFE8D22E2F0A8B6280559BFD74E4F68E7691264A5B4651AE0EDC504F6AC0677E14389D92913660E75626615622DD458B7CAE4EBF1DA4F7ADB0771A809BDB44E918F7D681711EAE7ED84745A1E7F3AFF0931162BBFBE975C394AE6843CEAD454A00EA54DB5A55AA845413EC88BDF9119E238E6C84BCB76342FA8BA1A448AF7CBA6D0F1C964EE981AEF20C5268BC1C3AE3F723E48D1932CDB14B95629DCC5269F2EA77F277354BF910B05BDED92D6B8BAF9601080156EF0D1600E80D8050B99243C64221E9B8AE82773C6BE95829203FBEE6CAEDF299509D6A2DA570320CA6410E9853575A342F9E9AE76E27E1B0C892B2C932D80AD2B91A8D62D805FFDE196DC1F169D2B9D51F28FAE6546887182B91298B7B2FDE472BFFD86384EE1B78B4B5654F3DC38FE4400CEF50338F1D79B478C6781ECA2130CF3A86D9124C31754989A22F022658CFA62833CD5F25A021B03A84A7AA3F8890922AD179D589E46B535B0E6033C8383CD6B80324EF8EFB3BC6CB9CF5BA0BF5F6B185B83EDBE3F0BF27A9942FA87D172A5C9294BD63396EC8E1A5C7EE0BD7DA1109A69E2ED928025B8383C55C6EDED0BB9E23E15F50388209B3508FBACB7DAC520E0327F2148FE27450D0C5C06712A45011C95D7B02C0E0F15BF8C222527451C1DA4AB70CF649A025F8C95CD919E937B079F364C97")); test_hash (&nettle_shake128, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("8043574AA03D7C6409677E5E579FCBCE191118E2161C214640D725D384A3D941857498CC75480574F9BF4F7613241183B7B1354D4D08A9AD1AF03230636A14D40A30A1CE8D1DD9CBFFE41011E40D3FC3DC1ECCB83374F14209EB83BD16861E161882CFC86A5332BF0357DE84D38CB6FE65FF8EC3C8A01EBADAC09FBE960E5D55F752878A608B3E67EA840503D59B6625B42570F74671B4267246995B5575294D20B6E693D02395AC5329451F905B14D7FFF86A4401F78E6CC7B83806C19F30AF6C75787F56222B9FF673F5631165ED8F20DA13167F4DFA4C53476D7E2D7F76F4EA6DD77072FEF26AC3AC7F65EA2C4F113897D4F00ED38CBA8AB162B1BC3151D769D24A42DDF88F9515A04E3FE57FB4ECAAE26F608FA6A0E30166F5A12223C10ADB56803343E938EB88C839EF9F91FC7A0B9DF899AD3DC328166C8AF33DE8560EDE98EC371A22938252432FA57716C4058B7CDFB1DD7F5087CD45EAE5BF1A4C3AE03C19CCB580EC122DFD54DD2106A4E5A647558B24D15D30CE2FCA05673F8991003EC61270F279B7C2DE67D1930A5C948C9259D4E9DBDAB2D94DC1E1403697499544A1FA1109956AA22DA488B61A97E933FECAC59711E1BD5967DF18130CA394FDA025BA334B2857A1EDECB002BA56DCCECF9044E579143DC47BE03072D935607DE1E674C955A63508CB5D42AF7FDB80459F4A239DC78C31097E71C06924092A")); test_hash (&nettle_shake128, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("2ABA810B7512B1B3B179995F76F843BF39FEDB5B969267D5F545A605ABBB3F627B59550678B4E3C3B8E0959D5907F88B814413A5D94B0011FC8BC445096CF1B49D11FB2A4EA1EF1F219F7DDEC03B3678F2D95DD8FBDB7A1604AF0D8A5F3DC33E257A54CA3EB50C49C03BC55545A36F807ACE5A69F2D7069D3530F304F419B8D5DCB80890036299465C3C9C45FC49A73F9BE6C869113AC03DC5DAA116BC60F687DF7DB354201DAD9CD841467C27E6F0ABDF5EDA1F8B7646365A93BA71E1FF6C28D83AB5EA309E2C902A6A1A6396525A97EABF4F69C56B3527811046674F99EDD2779AE353654982A10C22BAF7FDDE401CE67E8044539995F528B398DDDE5132FC156E5587A9A3B3D5329F8DF4C55E86F3FEC30788D8E00DF696CCC46A564F2371932E21A45541315D8C31DED3A161E0F595EF47F8FB1DD7F1B57537FA36D105F1AD0E60C917F01D9C88FA0020349CCA8B01D77AFFE23CA4B575ABF1E42726B271FE77FF0FE81A8A20C06AC8DB699AA2E11F05CC5E9BB794B7E1F847F411FC4621281D257219709D38BA231E7060F745FEFF6B4BEF5DF477A24ED763E2BD49929E6C8C83EC776BE988A8528B1FB360BF5D7BCD654FF9A1CFE1EBD5F6F21954F155B1F6ECFAA7E6CD4E52D9B08C68943B29B54C5628F3EF3A966A94FA964A5874BD2FDAF65A663743F07EB0D6B3B3427DD419C8EF627675593728885A3DDB1E3C4D")); test_hash (&nettle_shake128, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("3582DEF5C0EC3C751727CBDFF5D9561E3A0F9EFFEF28C063461605140A2126265FA88C15B9EA3AD5CFD82378F78AC98BAA5ED67969473ED9177EF14F44BA210BAFEBFCA9C8DDA7E1AB5C6881AAE8EE0C824B47493C38EA7B5180323C7E962ABA1DE928A0ACBA596B2F8B7AF188265EB92C5BEBC9EF0A41F692E4B762990A40866AEC96CEECB20EF9F7CCBFB83A85485163789811FED7B8E0A43FD15CFA4BB13099F3CAB95791F8B05F5027672EAC2D397FDE1CD7E06FAD506CA1EFC22AD9CBB354D98BE5790B4021C7AFE6EF25D223510664DEC63D35158999C9CDCC513C8C7E93175A677A30259CB280ACA38FC7A8997B663A29EBD98D1C35F7DC1DAABD6770BFD3B84F1C0314E67F14E7FA9A881C21BC0E5C2AFD5F1B14EF4EDF9AD382F7D7E008934EF762B41782DCAE9B64448ABAE73D5A3CC80094B4F9983CB92D61C3555E58C0D24726E8073C39C3480FB2BA9F8679B9E8618CFA04921741B3EE72A276568068334E61089CEA277CF0D34EA33E02095BE33202EC69D2314128DDAD63F001DF3809BAA75E3A5720B34E8C7A63E06DA419A4818E48B30D8B0AE2E2405053C9CE76AC45C52EDEAF6237260F18940F0300125CE674BE744DC2A07262A146CB3BF595B59EB499439D94F8135DE7E58C0FD09744EBBB97BD4C10C178904F52C7481B4D808E663DDDBBF3235844CEA3DB323BBCEC1756BC4480C4FED0C14E14D3")); test_hash (&nettle_shake128, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("8C05C9635942C0661C29CDA0375395B595A82E4B1EF87D767E5A820CC6975F2B1AF87B76F69DE5BB9B77E14753C2EFEFCB735601DF5CB4DDAF5810BB89AC8863379192C578A3F2FEA30994EDF58F5A995857AF481FC4FBAA552E6564AE091C3EC2C5FB5144798405972C6947D45696F7E918D6820274BAC4ED1E721E85EE688E7EF7E6B4C87CA94CB6AD3221B5B0189D2F39A5482FFAB8A928A8FE4C117827E33E9C8B024BC35E30A9475D54293F196C83EED3B458D7E676A48D2BC2E09AD96167E556F00799E63C8C0668AA3710769C6533AF4F04816355BF4E88A2EBBA1B442BEF0BC9F7DD85A1FA42745893CD1F87614356E42E897821BBDE09CBA135ACE56612AD79A99A3397D2BBB6FCBDC505A0372DF7ACE31B53231887A618E4E846E3E458078B4AB9FA4D6D4D118F16EC8AA376B40CDD1594C0C41FEE2DFCC866FFB1F9B8AEFA04435F895B6D73E2FAA89BFF85FF14C133729B3789251E2A2CB38B8D5F9E6F8F0EEF26FA1A17A8255AE9EF58FA4BA9BD8A8FDE46ED5B0CFE9BFCBC20BDDAB37812FA44B0A1A99A6F10CF0E6BD931B6AFE22AF298483FB4D45BCCE9FD79C5A9CE2EB3359CBBB4673E0FEB2D1677F06A15F0938086DAA9CDF2B08FEF130BC793134369D4344D474F93C3C9EB877D0DE0CFEF351FB2589436DE6247B51352CA913C3E774B70655AD48BEFB6E4D494A6E610CD968E8CC613339D789C16DF")); test_hash (&nettle_shake128, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("84E7658F462F68915CCCC917B3F7A01F18E9E883CDA1FA6C856E2D3B77C53B9E9C3841EF72295CE3418319E1DAFF2F58AA0CCF89C1107C459B505A46DF314E670B51753CCE3701822C4FAE1F08EA93789FAE1A8A61755FCC17F57C8C8E344208A299995A3C3ED6266756D17DFB70E67F27621A6AF9EF926ED36F3CB169C9BFBB84DF0B2C51602902C12F519EA23C3B4B8BB2B1241798F72A748C6AE4E439CF4FCF0FBA17407D1366047B4A8DED133DA17A5CC2BCD4E9803DF6E5FC76A732EC64CD4C556DC97C8E8BE5BAD0FE5FE440E462DA16FB1C7B18A97F58DA4B5EA9AE8700A3E2D1325EBDE9DBAD97FAAD13DB86D8F438588AD1E966E4A7DABD0BA4A3907DBEBD2B2599718B885730BC1D7491A0E2FA468F29843EBE5E551E0CEFD21F85568D6A77B8515EF42908360B57CAD79B0004724DD117028BBCEAADB514D45D76FCE77FABFA64C11B9AC2BCB830F77C79FCB67A71D669BF7DF2F3B7F5F9FAFAA9571C1F2A03892E6BC576699806539AF01C1A840D6B168686C5F0874BBA3EDE49B161719927B5E32E4F19982D6D32A0453877F08C592EBCF7AA323F78A66EE81CE5297E3B81A01EF64FC9454FBEDC15C13A39F6AC8BB9A0CEB14E879181F72719F325B8EE60B3CF56CCFB42FFF90CF1FC987F4ACD7F052F137572809BDDFC6D6D0A7F082F9868F3492924F8B9BA5D924C961A4B9282F312916100AED0966523C6")); test_hash (&nettle_shake128, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("83E17CB699843EAA6308F12943513AB4E4912203026F4653EF6711E5968CFD2CC135DA5B4E87707CD732F538B904148B0A50BFDD3F72155D85A22936C2BD38BDBD2B13145ED531E85F2E0319B6022E8F2115E6FA99E8D92E8AB418A84AED36D574B82A282099DB5FBBCA069589A3EC308E76B03C8F6C3C5CE11DF0D5635740384A22F9047C52F8C561A9848F0104167D8BE0A4BC47BB8A6474180BBCE3EE691147B74DC57FDF56420848DECDF3FC5A06648C1C42A0172FA02DF905F8318482F8189D5351751DE1ED5A63512AE6A4C456FB7D55F83142CAC479452879E71FC774C9BD9FEA4560ACB7786CF56FABBBD3881BEA980061623645BCF1D20448ACBF69FAD1030008BFA7298FDE63963386AF5C2B230E9E367B78C4B172B142C7EF43022C866E975F71128719DCBC2663D892C6C4D888E66C67D9E767AF52231B93DA9ED7895B4B015D9D84623C3008871B95382EC788FB58222C4DD8834054C694722248F4A7D0A77E4BD2A5C418BB5229C0E2EC9ED3E03E79E3F824C2C6E1EECC72A13E341F46F3E30085B3A3FA0C55F59C56CE150537E305C37263AED88D8EF9BF0CDF9978636E03E7DEB701345D9442725664FCB38EDEF923CC11CFB94AE152D0BAE72E09A813A3C25002FABA1DBCC0BF5102BC466D348E6027F5AD72FF9DC35D9C27C4C1E5DD39A647CF24269E6437FA114C74B6C1604B906C8F5ABA1AE06B1BD9")); test_hash (&nettle_shake128, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("2BEF02AAAB7478A7F4B6E3C22AA5A979BDBA90CE91A42782E785AD6D06F82EF0017B54C408CD7027FB3057BEAB1DA1B150E54194BDEEB87F65EAEF6754AD8E00EC4B3F98ED2E64B85A3907B353D68614515A2A2D110A1E3249286377446C5339284B3C3EBBF8D841D49A34F7C79C935A69CE342569E173D87DF08B332F45C42C9B318C6B02F4550058E2E0697F1E1E76DC0DC78F1DEAF7A44BBB58152964DA263F633F09FEFE2C62F4A482209FC9715B0C424221F7BC81C67F438D920E7D9CEF3D98BAB3A27AB5E136439DA3C5B8774C01E6906416F0D48675751174F09DCD2185AD246CDD351414B9B5591E500B29AABC046F048BBD5776DA155B13A5970F26B393EACB372BD28B4934A6F252BC45F7217B29FD77A1DECCB20B060C9858A98485671E02ABC45DCF956255E52B5D21A59902A33425BD6853D56C18000F5D637CDE2F109EC6D9FD3C5427E6BC2468A71CFF6C57476FB1A850DF304645C0E64F969A541611298E1B19F95EA628937C2ADFD563FA309838EE470FA4810317177D61ED849B9FEA54410C877B1C5C59625AE5314E823CBC1D3DD79BC1B6498E22F7D15328EB55D0823AA19F0922BE4D6F545B8A2256EE141EEBD18FD1644368AE4DDE10482E8758E4865FC1845CB50155F574E177A3B0A446361801C2847FEDB035EBDBC0C7A67D216A4EAA7E04862D6C09D3D04693DF25BD2E3FE0A43AD80A9212DA")); test_hash (&nettle_shake128, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("824271A836FE959710453742E9D957981C2CFA672894C8A886F57F79608DD62FA4310FC0582528E15CA09C7A92D1084D45ED2A3020A9A2A10C2355FDF052EBAA1007B0C01E1CA19D95B1B05C03167923927AC26E33ED6A823C72D105A2B35085926BDED8E59A49CBD7C606116BF560FAC1364C7E5860A919167E844086D648BCBDB5F148CADEEBE2CA2D2C34E9BDE155DCC9CF99DB22785D8F5327AF41BA93AA1DD59A25F26615FD6EB6D57FF6475FE10BEDDECBD16CE84096CDC6AE5A6B7FAD0BFDF6E8CFC974B082A3F0C6D8C5B25295A81BD2650446E7447951F7002FD2F417F4F553F2733D294FF90C629EEF9FAF0B39DC9CC4EA6B50D438369FEC506BBC185D37DDA2EF1C6E7079B09BE893E6C1C62C24E6296C8CAD9921DC182F23C027CB753212E3EE41C401396322A43F4800C48ACDA4A6198E40B76F0F6CE78354BCBCC33017FB30C33D7A90AF566F4BD3BC2CBB08E800BBC7F309D749F9D2A352D9B284C358FF2109BD2C2CEEC6E85BC16B83A7D666E582C3E3D39A6A92C196A11A397203F9C5613E2ECC8B2B91C229FE785040A17485B3DBAD2B155C270AB2A510CDA80E99E1A79BE01C7262C217DDE69D068753F9E44A3B035E10BB7AA53F397D7A1EC95342DDC973CDDE9583B8348D832B976B255362240C5927D24A00050F970334AA404C531D93621516DAB81E0FD89611C238D85454C6D77F1AB5D7B2C5BB")); test_hash (&nettle_shake128, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("3768C48BF02D0DB9AADAFFFBD228A4119AC6B7A815D9C74C714EAC4B4BA4A062F7E9962B98C361A6B596838C671C95892FA4E82A95C60B9E8BA787158808C2C00BEA3BED0AB4846FD57E638DD29B2ED47DF5CD19699329626F6BDDD14BB709417A972AE8020D05AADFE12034A98F9121A191926566C499C536B2505AEBB97C9C49780E5E0007EE5596717E7BE42D40DB322BDE5B7FD227B15987B599C71F1F20EB8BE722DDBF3C76F9EA58B490EB11395BEFA02C259505F038B40E312B5AF1519BB6DA9E99E0214C2249A1E8C534D768A7DB9EF46970A64C6E5F746B7C50670CC8E7765C4B55B26F3A53E4C3178F9599435AAC9B96A203CD04988D1D95E1B5C29F632ECD66204B7BB2B7F776F2DE67DCBF7F0A81FFA1CD18506B8FD9DBBBD354E3CD388F21EDEC9A4EB319C766EBA3E1E8565B0CCEF3698592E19081472004AFE38FD8B17E6D1A5AFED52EE44990598CE17E09DED65965A380E3452CCE6D053F22F1E8CD24A76C74F6A69550C36B43890C7E239658B7DA6DA768869D3D96333BE7422AB7C2B5D90B2C3973D666B4E399A2C5F014566E3BA919AD1964A148DA2D35476B17799B82EA54AB6CA0BAA098D0734081C7D52B7DA8150AB3C1B8DD1174418700C46036E3918E5A21E70679D72952025FB52E9348509B4F10F412A8C8C11EF59D57A3A77C5462253C87475F38911AD2B08732DBDDCC6D6A1B438896327D")); test_hash (&nettle_shake128, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("EA94DA7FEDF4B2296823EB57F0FD81468F4476E6F9035043F84BA952015AF88E68233219E4D31D809A9B13A703EE6E99C230E1E037D777FDC6B4BCE3F81FF2E7A15B9DAD86F4816D1ADF0F5C34E6EE2FEC26353444EFC417BABE16C45BDE0CB3B06ABD19F354F5BA5298CD486DDA4C6216D4826C3EB1B221C24A63BE7DC751F8AB5458000C28937809359A4C49200949048156D48D537466EFFD085610F221454ADDD95519071C8A671EAAFBA7B6F894A3274599C76BF0964801FA38B601869D4C04EE9FC6AC7E54B4A6D8522912F5F3F2A7C6CBEC20FAF1E164388D932C5260763457D27525288BE09ECDFAA1A892B99AD0DA9FC1CB3D60B1B85DC953CE9B37711AE6BB82A1F96CF2479155BC3B328803D1EAF56EE0F02223BF167FB33E6E7190F41A121DE59B9FE9790C8FBBC2B1B77ADD9C316D75A7F4DBDB52DA2EDD9D2356C6AA77A1CECB5330ABC382A748C8972FBD78315DD2A4ADDF335D18D5C97547641F6B5ABC4C5F166265D6934C77879A5B4CADD27A8A7F9F817ACB1307A88970D29DD929D5B03A71D5B863A997C84D01B58DBA539CCF6693B6004812727B254D22480BD50C5E07F162DB59EC112E1DCFF813BC266F704357202AD0723B373BDF49B1EE3D4E24D942D2E8F95E41FF496B9F4F535601980366FA79B662507CAF88AACE17ED6498E6DDB65C799EA698C7B8A49BF48021CF3B41E96225C43481B7C1")); test_hash (&nettle_shake128, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("73E672E46B274D309899FF2C8186AF4A9F42872135309C85621347C55EDF8D3B5A7DB51B0242618AB6D750EF75CF816C23A0DDFA21ADC9976CF47A6957E914BAAB02E4C2DC809C0D2F67FE759E92D7755CE965EA4B4045D6172E1A0C749B4498795FC375AA6894118A1BE2821A7878D25F597633CEE5576B3D15E23CA7D664709ADA20E3CC182D3004B102BDCF5566AF522C5511049FECCF80D4A6C21D7CCAD1B24DDDDDDA0DAB0C2FF40E056D0A715A31DD35679FD4A4CA8BDD17293F7FD63319BB5B4ABD3698D574BA5D36445E7FBDA9EAB049F6A8B277C0593949DA84805036B776368566F622DF37FD3D42EFD06EB1D5C1C2847717F51D236D4317498514D95E1F4587669CE819DE249EBC8D05D55E2C35DBBFF3C017C7A8D55B1B184ECF72F288948027E2AC2CBE6589B351437E185A888EA5AE7219B9121E438EC3CB397133B75330B1418AF085E7B42FB4C3B0F41A95BC6583CA7DED8A470E2CEC237013DF9CBB866454F276648B1DC0BFDC6BC5346348735764F19F08905F1D17FDDD454BE1B0E8DF34879B4E7709BCA044AD49A14F9EE971283F2A20CF6377C648E9D85599FCE482697B8FEB218418B1EF0979935E0F88EA5A2D38506955532A0B9DA8AC1E7641622DCA9F2E31642AA41DB7FC73328590B69459741998AB90D796293999BA8A2111DF20256D2FE50AC6B0BCFD5EDD61C260512EC357E844596EFF10")); test_hash (&nettle_shake128, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("BDF536D8B28E91F00B710DECD109897B4E96882AEF06337FE83B053EAC20CC54523D246C41C9DE3115870B82A1BB2EB2B1E02CCF7A4E607BCEA3DCAFCA38F237DFC72D447CF8C544F541C1B53E7769B0CD6F2EC6D756891DFC818323CC1E1AD565F9130F59889798E418FE5FEB176E77F5FF8F10C6ACDDBC59C8D084AB19DA2EE5B737E537609BFA6F81DF1846B033663D586CED1F4E86D99131D37EA5807881D2DE749803E333AF2C360F8EE9FD99A166F3FB8F0C50BEF02DF50EE615C08E88299A1F3CDDF290A3BC9E4357F3D93D76EC5DF462175EDC5DE421A6BA456EA7C42ECEA24EEC74011132C27FC63F1E969B474438222C7DE33762F5377C197DDE9AFA9912900FF25373EFC3A3D023E091350D0D269BCBFF64EF35E2E1E1C300214C3671932CCCAD7C871FEF4C969B34CF6E8B0881C2F7704B455F118E3BD37A74BE89354D8C8DFCF649FA03701AE17B705A865C7CE9ED81E4FB374EB643294356EED48B3579315BCB32CE6C7F302ED5BCD68F2183110EF7FF60AEFAC6BFB8252BC66C0F4026DC37EBE4D9783CA7459394E929B8A83FD8378D9E097AFCB0A7163F16E5579E8F5546898C4B521264CAA006B3FCCDF46FFADC1925752EF47DA30F354D66F763AAE46A0BFB385FFBE153641569E5E222F374F8E21EE3EF8D42663A4C424803E7966F2F0A1EA723A06C92AF2393C8FA6711D89514C20B6170DCA448FD27")); test_hash (&nettle_shake128, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("B5BECCA38D903F2D87CFBA9A80C51D4A0733674C78EF85BB236E8FA64BDED9BDD01DB1905E46F4210BB65BFD26965AA3ADDDC893087AFB56089083C72F7649CD5987F449F9668CE66ED21514C05E7F09F52D84FDE30E96353D48DF0208415DB51EA5D120A7182DC9458C471127253ACA05D52FCC18B73CA1C3A5BCFF4D3B6A41C450826397D9B38AC5C8E301C7A4077EDCDB6A46B3979128F20B1080F7768EDC1F651D1D122F97620BF2B4E9FD20189BB331FF9026EA58D7203FFC49E901FDB9233255F349A19AAEDA9EA1E4F3C45EA9C54F41CE1625C0EF02DB370909949BBDFBAEA49FEE3E3CBB74E1807F553A2000A3C753BC5D529B4E25154E2C86F755645304F2D18ED0E62B62C87931DBDAD5D1CC9CBB64430D56AFBE7D4C708EC992EAA8E13C5B3CE0343C30AE3F09EA3ED5C0C933A0C76F0FC18FFD4BAF93BF95B2C1023DC87D4D641EBC6E1CEA6E756F45FD2E58E0562F43389A1048A8BC12C8B3B19E05180597B5CA79B7531C6B8FCAB88AC1AEA686494B98E211C975B48B7157F985F25B168B93FEA82218A227D0B89BEF905A5F13EB37438831C2CD871FD8A36A4EA22879570B22C63B67BB60EC1E415F4654F6A3EA5ACF74DF41FE09DE398351FDEEE499CD98DB89B320A58EE62F8569E10DA4C68B9B61620E9D51A343D06CEB484CA532AFA8FF141A4ED8EAC22870D72F5E1085107781D2E422B3EECABF88FC")); test_hash (&nettle_shake128, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("EC7A09A04EC20DE5EE683681D42177715F85562DF50177CBE122DDFB9C5E81EE349D3E2A18726BE2E46287759D6D28398851ED22AFA78BB4B3A41C76F7006F785887D2D030428ED6ECF7DECBE20BF09B1A321B96616F9D1F4ECC90BC2FED1C30C18BAA23455303074F10ABA5BDB596F3BB5BC1FAA89589A92AA95DB198915C1FEC3420D6A4A5E79808012DE71B41CC7A77AB96821B5BD1E822A06E698101E7E4DE1E5E7CCF9093992C0B62419A660E1AC4FEE0B1D0C4735416C18570697220ADBBCA56289C2475E17AC6FA89E96AAAA8D5F174D6D9A3EDB4A6BEE4B606D0B789F942A1F8D5BAA758AF6F6DFBBE59686FF6A8D625302931C34C8D908BBB0C5269ADC95715F90259384A0F88B6BAA1FDAA5BD57F5FEB2FE0B968120AA0206F911D211C2D77CC465BB6E1839C0271CF55F12658A1FD1F2F4538BF7E9FD784E4C12AE95A5A2967D2847EABE150F2E113D8542B9A7CAD092B3D86AD4219632C5F3740EEE45AACA529D83F0BF3CD656384848AD577CE603D31B70C40A55DB571868C1F5B7ABA3CF853CB0ED682BDE964C3051E7E81D4454906DE1966491E1CAF7073035268311BC1CD3590656B1321D8D6885D15C0BF840BB40C0FA4D127878E422DFCA7C3BBE8CA4447D5228F83E453C94002C43F5D87E989627F89CF5B6057DE6D86D2A82ED982035519F47807CE6C61DDCD9160FF0DDB3BFE08ED966C08317E4EB5")); test_hash (&nettle_shake128, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("E65D36FD64B13DB62CDF8640E6A217CD4952BE909BE1119B04CEB6C8A71550E953BE0ACE373231964D61B89A575AF582A66D7BB1441EA399D59A7C585D762433D64F44C53DD9B8FE8F357A26DC66E04B15B9FFD0FC7C1B4ED07DB3E4C80A3527602DD16BAB1F8ED85A821056F97FE2912411F7CF6BDB9070997CA4D5BC16B0B26159F7F3CFAC7252241C079633CD8287CC41FB3F7CB6185FCCEE1E3467E90788B9E943C936C1C82115EB5B5A1AF3FC6B0104959E98E0EBB0F72FA02FA5745380952A6C2EB0AB84CEE35661F34CF0DE4E6985BAEFFAF545D48ADF065F13B9272098D5906DA5C8B688A3C922AA74D840DD9C1EE31BECABC417EA07E2C45A90E1AFE588E65109C8DA674533D506E17EBA1ABBC25DD84CC79A4CA0E15013D9D014DACC5F696A7BECAC187F0A7B233D59A7BA6821B3EDC71C8073F2EE0CAA8C9F96032AEE6D9FBC15BED15E879D0F497BB8DE468B4050FDDD15C97AF4413C4CF60859EA04103A13704CC9B7076359E28A1B90949166F5B11055B415EC8B9A552AC94E4D1F45403AF5EBAC0762D1ED0967AE032DB30DFFC8132942F45626C7E50BBF80DDFAB80103E423BF00AC575194489BE02624BED16C4D1FDCD0011D0C64FAF6BB6FEB21E0F0653F05D8FB69CF891347DFF0A39136BB5D4D20101CB3EE900B508A136185FDD0FF54FEFBCC6C069E1A433742D51129A1B556CBCDB8A7E76DC43B5A")); test_hash (&nettle_shake128, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("2B6D5B37DA462A050946D447375EA4DEC9309EC30FB6C7FA68F67AEB7B6E1921A74FF35ED31560E695499F2A5AFCE3E900E1C6F199373951A406A8F57DEDDA8C9B9D2038E787CC54B62CBD97CD4247ED933DE1BD68FA670158701F088C6E785E8DDE870306B80DECAD2DBC40A8C2F02630499292A19339E4D63351EE5A44E36FEA062D2253674F5531B1C51FAF694A0E963859B26A11CE890A3E5C03815BAC2CCC43AAC806941BEFA00CC6BCE72FF59F60C85B5096BD7E9D4B60D23A050D3B4333A26B0CB6B69E62F33E87E65FC1562E5D1384F439D717A940E2A291897A4EB3F941397EAFFCF4EC738DC643E72721B5662F698BDD502ED1A82D924BC0D780A049F7D965BB585D0F674A06FE03F0B18AE56B7AEA705328072E4A374B7B9715882BD73C34E99656EC073B653C2608A04D84ADFB4607B62B4B504E43F07F9D4555935E3D432DDFF23D9AAFC87C743C1BF8A91EA4671A03E5461CF13E76E3C1779CD97DA4055EAB8E705556EB7538539FC6FFC1638E702CA2A60F0506693D54A35F7AF6FE0773A67767865B3F1397674EFF365B3849D261E29B160CDC91368899867689E599A85572464FD895CBA2BFB4ABA496F395E7950E064CA509AB8D8491BB193661E250F35D5E2AF12E1F981970390F456953A8FFDF72BF998D0FD7393C33FCBACE063C0D63F91E741F95FD542C6C509036824B2784F394E27F6BCE88B1FC")); test_hash (&nettle_shake128, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("E8B51670E0D27D9F7989447A97C07D8D142804F876E701A49E6C4A0EE149938881900637AC7329EEAB1F1E032DDC2194B2417856401060EAF019AD4D9DA3BC702BD70BE5FD9D9C9B86F4044AC441560E887AE21E3C3EF3F05E38C7F8B078D3A66C6FC8B98E33EA8AD1D029433626CEAE2468E3034CB44326C89D7A7188A5272C116D3783FA16AF98BA3070AC96C07E459F1127304483A2394837EE1A10020A79F8519795895F4786F5A15134DD44FCBD9BD1EFD0EBEE9CD991001FCCB6A92E490793B6F16471670E1D69F9CE49020C1E8E3B453CDC1A8498D8C510B8D21FA00239088E065B742C51257766F19E17B397362DEC9453F50328C5E14BF800396A0A3A1A957B29CB1C8FA059BDE39B995D45900B56E2C8CD2F4E8BAC756350DE38293D1FE4436489D9B23860E1AD35E2411D0210DDD1C3D8994635F29674A64AA5F92B2088F3E7B4FEC26485D93483AF96FC4C5FC9F34254E014DDBAB361DC55E0F5019BA9FF8ED7B104E09122A80BE3BD29A3E4C4C26A7D2B08F8915087D9A6A2E7888710A5B2B87448B81F889830E26E6813385B761FE97E3729AD04BCF08F536A152039F04C283DD36B9544C4D6CBA97E26B61E034259CAAAADCE508343DAFBD4DBCBCE25957406B22E13DBBBB186C18DCBD5B8AA18C86D8660698AF26997726FB7AF26C397DF8608708AD5D6524001634575A2F1070A5EF72D327E91C7184B4A")); test_hash (&nettle_shake128, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("120CA7E361A65A0985563012CB908028105ABDBCB51CD8EACA141662B0C184E9B2D6DFCDADED7D7CBD42455B3F5A9F15596D2BACE19510256275209CC9899A87C6224DF8E919458EA46A35CBC8D66A488069703CBBDEEA6D767CC315FBF518F7B0A0154448F8D7C56DA1B116730A76954C288B4891B56FED41B2EFDE6C27DD4B3DE9BCC25A2A901D4C87975E82372AF173982601B605D845DEE7BAC94EB410B369BBBDE500D458F9F8A3933D3BCADBCC85EA05ACEFC9A7A77E26E28E82DB157EC1CB2C99C272F33B1B2685533CD988DBDB6E850BD3C71E0589A165FC236A65B1F1DB750A3FDC1392A76E7714469B47E20D8946AF7D68EF9B16109178F662320D60A0D843EFCC5B1E56CF6D8FA8B649DDC28E58983ABAC7B2CE019AA0E07B387D8BA46CD3FAF47B522D766971BA603C84684BB094E38D82EBCB108CE0353E38FA0A4D7294F7B7BAF745F3E036EC0231F6A194585FF7CE1C792E4879BB44E4AD65717952B080BEAAE1FD0CB8AE87E6F130F91BB06F95E54FA924E2D0C42921D7CA9965AE70A3587F12017CF1E4CB70D1704A51EFE27DFDD919C7FE70F967CF7044C62D6FF232B6680278E9498F247AD92D5E9491DB0F00D583C019142A8EB63678231E1273F0A263C57B98E0AF650FA207D4B21650417DDDB40830F89E15C85E934FC745AAD87BA35DC16B7A82CC97926494BCC1FEB4ED43D75F518ACC22D208D3")); test_hash (&nettle_shake128, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("F0715DE35692FD70123DC68368D0FEEC06A0C74CF8ADB05DDC255487B1A8D4D1213E9EABAF41F1161719D065D794B750F84BE32A3234B4D536460D5520688A5A79A17A4BA8987FCB61BF7DAA8B547BF5C1CE36B56A73257DBBF1BABB64F249BDCEB67BA1C888370A963DFD6B6A2ADE2CEFD14C3252CB3758520F0C65F4524682772499463AE1A341800183AA60EFA05118A28201744F7BA0B0A3928DD7C0263FD264B7CD7B2E2E09B322BFCEA8EED04275795BE7C0F00E113827370D051D50269580300005AC1288FEA6CD9AE9F4F37CE0F8ACE8BF3EBE1D7056255954C761931D3C42ED62F7F1CE1B945CDECC0A74322D7F64D6004FF21684149307288B448E45433475B1EA1314B00F1FC450089A9D1F7710C6D7652ECF654F3B487D0283D4D8A28EFB5066C4250D5AD698E15DBA88E925E4DE99B69BC383AC8045B7F1022ADD39D443546AE0924F13F4896096DFDF37CA72207987C4A7705A7ABE724B7FA10C909F3925449F010D61E207ADD95219071ACEEDB9B9DCED32A9E123561D6082D46AEFAE07EE1BD132765E3E513C66501B387AB2EE09A04AE63E25808517AFEA3E051169CFD2FFF8C5858E2D9623897C9E85175AC5A86394CD0A32A0A62A8F5D6CCCBF493DAA43F78362BBCA40ADF733F871E0C00998D9BFD6880656666CD7BE4FE9892C61DCD5CD23A5E4277EEE8B4AFD29B69BBA55660A217112FF6E3456B1")); test_hash (&nettle_shake128, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("2E27811D2E132C58A1D053CCFAAA2813B620554C49C31CF208964CFA18A3EB5724D4EBB37E37398CE9201CA33C5F6A9409F262AFC5EBF0970BE0618EC7E56C15C13B2F0270AB5A9536FADEB84EB2D934B989354D47FCD1DBFB40FD96485FAD8DF7C6E62A60866F154901E4427C2B5E6059C76224589A6BE352673430740903E4225C1379561AE5D361B67F3ACACA9C7633CCCD2601ED278B5C7D6A378D713BC549E2797CA34FCB0A00E649AC3A4B59001E5D8E1E2785433ED65C76F4FEC4B0579059DD4DA49BBE678279F534B84A280F89DFBDA09E09C073EA11AFCAFD5685A714EC31E8F86B49D2C97E6A2A66B4F2AA76D9DF2D27CFACC2423AA18492E2F4EF6A9F8971627839375307F45A8B26133FF1D02F100EF05DF168A2BE02F0C17CCB90F23A0FBC5F536C410923B154E81A6557935E2572165A7E39F64F57E2B8CED8D2CD1025EDD5DEA6DBDACC8860BD6A0C598EEF14619D4BC11B6AEAEB5D10BFF3F9D5B20B7F2AB8254DB0C1765A10A125E98D762851F05261DAE06B224E2076112A62B4C3F3A56074E01CB3DD264CB1F4B58EFF2A1C9ACC4764A68680A40FCACC719286684FE0A742F13B5BDAC8AABFAC68174C7E153796C240279B0ACC719158D1FE4F78EC3D47EA8B8D3A1B3A6842970FD439C09096E8B032E551DBDFD0EF86DA0537F4E72F78368B319B6DB735AFFEA80633F2F8EB9D26C8CFC321C7C346F7")); test_hash (&nettle_shake128, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("76A498F8112B364E0DB20CB4E7AEAA1C96400A3E1EB1A24ED865203C4A583CE5CA10B47E725C362696F0ADE5FD75058D6882B435849030868486318E566BE51B6D985A76B36D98D893A04CC715CD26C412BB4CCDC0DB6D1B13CC071FBFC83F114C72D3B54CBCFE57243189251A7C0608BCAA1409B243F2652CF5CC4386CF4551D2955F371591C0A04CBFDA2736A514E773B5EE8C5CFD820A7542CBA65245F729E650D085B3F60EBCE2CEC0D8C952ADD51A664788B3197952E7D0D9FDCCA35EE118BC0144688621DFB373C2BC1DE7CA7BC751D539276A119ECAE8AE2987E018E9FD70C632F2A54701302C12B971E0EE5308378669EA10D0E9A7B955BE1C1BB9E7FF6857C39EB6B074C061F28D1979B33AB8D2F81078325C9F7966806D2CB62903FBAF4C12AC4AA15F010034080571BEE9E863C1CB89CB01B86643DB1D1A6C224934A79D969616CC3F9C1382B81EB83A8CFA2CDF20BB03CB67DDAFCF9CD827D76A0661B85E82664BDCED0EF34D2F807AD956724EA2CBC511632D2C9E9F8E4FD71E127D581CBBB39782BE58902927B0C0D922493255F805C5CC78A96AEE84ED086AA93F8FBF7282D78DAA0B9C126216BD929EA4A4E53F78088CA154E9A63B3227A25705532F699606EE73A5FCE6E6C94DEF1324FF2E0EDF6807700DED2F088E2D77B7F690E646E7A73CA05FEBB2634D862D7B21AE2ACFE3A5B3DC6ED1071B0F3E5E")); test_hash (&nettle_shake128, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("760DD76E50C13B411D04ED9D81078F0E5B9FC5DF9523F7C2AEEB418CA328E047071852FC5EC2F96C2133C4AA7C68306FFD70A782490F92812E04A3343B9502C14B781A4800A8928956EA457A3CFB94A63BB4407524DCCDB6136C5228FC1CD426F75E1701F0AB7D7ADA8079E4761FCC4DCC72155B4B27370A7EB6A5E3995A729AD8D8B5356A084B0678B114078B0D43C657A23F09D0862D606A8A485FED68EBBBC63A126FBABDF36151D5A39BF17632B3D967983FD62E19C944400F7A68393603243CE499947F3EDCE7F30206BCBFF83615DBAB7642C5D82DE050D67C93B836B554949B96947B7D1534E0755859ADB7BA5AC9F519B18C3AA66300ACF9A26849665810250004529334169211624C6A63350B392F6DC6753D59A03997180980EE0E742388A2BDFCA619524DD16250800918E95CAB914EBBFB12232F1687BE0B46426E126787E394A91F775FA91EE1C5D57AB1FFA151D554B79DE8EE9A937AAF5C98497AAA726CF01A9DBCE6E57A07F8D098B2844ECEC9856D3D8B189D016B34C4AB61AA3191B3E4C2B44F6BCC9444E6093A56545230FCFAD19A2CB124ABF524689F4F665F2E84D10A2C93B8CA412B6D280C2680E946A6C9225DB6F97A86FA3415A84D52FF3A0A15DC7CE97738B0B2DC1430BD56BB71AB89EE108B5BDB706C7919D5EC67C487D9C8DFA6D2333C59248104F33F4C162A5156A3A666948E3A6DA13D0D")); test_hash (&nettle_shake128, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("76BBAC5E72BFA9B5952D4FA8313C2C8995F1B762B0855EA28417A04CDF1BC9A72038014F4D1AF37D6338E217DAAB8993CFC222510A869403DC46B5D798646BB76ABF4006F31BE334DF8C6DA07AB8C6E6523DCAB9367E6B747600E785EA0BD3480A07D7AD1304019C0F00F90B2A650599B0B416655AE1B1D8FACBCE38D0DAB5A6375144790B0F7E8C61B4A98297C78EE6FCA19051DCF60B4EB1F6FC59DFBC5BD1B2ED6B9C72D7B5DC33E8D13566BC67013CC7114EAD63D25ECCAD196A5C258DE23D82E8CB2BA6753C9BC598A54F921CA924750A45353BD44593415AADD251B604457A3CAF3DA681C0FBF43E4F3814AEAD086A72A4787914FD08BC727A69CA5646AC709B9E0DF5B56C8FF82EDBE3C23218A1D5382AED38B3BF54EBFA6015C388C8E92D57CCB97FE8171E1D24360311D5ED53545B541E7F24CCCA9C5B520FECA2547ED6E1889A05EBA1C0831D8BA9162B38491287B46BBCDE9BD2198EEDA5FD0869A83543713BD294D84371F1932E3EB370E30210FDBC2853F27372DF095F71A34FA4BB0E1FDDA682170A29F9E29C2BCF946CD2865865A70DAC22A81BC387B6A06840230FF8790B6BF1953DB882DACB6A9208709C121AF24A6436B1A5312B3E6D77892FFF968138DEC8B933E3022B4141A4B4605524C95468CD89AA56BF577E16A365531434FB98FD8399DDDB58C0E5CE66C8A8955AE1ED8EAE5251026861C825A6")); test_hash (&nettle_shake128, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("1E7CDE630A92BD14100AE80073CCE0301AA6566DFEC50400147A9DFBE921BF35B110BC9C0B7AD6CFB50785C63881BE1569495092866BCE9AE303B3719B14A47DEA8FA19CAD3015D320C678CBD2B7488E71180D967BBACFCA686EFF014B7EED274F678CC43825E79C81269F99D1B824D913F8ACBA4DABF5441A29C2E769B44BBE9954A7444BFA438EF1BA2B6A3DB11E11151A1736BB8CA22494D4A3D126F100A41D49E6114CD66CB44B80C2E3308A0B551B692BC5B693BA9634E219E0EE8E7F28DF196D8C517F9D71A58F1D945E03FC25426E13612EF4158C17590922CD6A8DE677398690A8A1816C6A01B162FE6E5F0F502314C542FB568F12CA86F5CA6DA7B36255451360CA352C05D10C293A8A35417991EFE965BA6F5BB845BE9E8C021B2B4AF2AE50200C60B7BA42FB5D3147615339FD71343662090F2E7FAD4CD0AC0ED49C3FC8685116A8D51D4183CCC9F39B401D47CDE7EF7EEA63FC218C96EDEF7190A2529126633A7F3EEE421478D66CE367FDFDA6A9A60ACA3B288C6462BDFF20DBF78A3DD29E73D1A3E8F3FD824A3616722EE0B87A9E393CA89159EA8169DCA108F8E2FEB35C9372EC3B9112E534EDF733397B7585051257A564B844C07DB5DCF56403E59EAB6F56759D50C47779DD900849C94DCDAAC1AF51048098BF95A0B9EDA23DF0520A3DBD86A0B59CEE20822EFDB9DBA6D272A7CD5CC95498E340062539")); test_hash (&nettle_shake128, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("9576636B4F4D13A576B2DD4FBB3092F358E7CCE04CDDA4F83A10A8B5D35B5EE034543098D9A063FAC9CD26CA46837C5CB6E96F7596D4F07EA6FDD8AF8B59F9E86611F1514D5DC0B7A4216C69B9C85366059BED3EA5CED38A16E4D6945C7C9539E062DE51FA2DEE1C666DB1916369FA6BC0D7A2811ED1BEEAB61397B8A9FAF224FB4ACD7F8D9C7A8513C8A93D924FB4EE027821AB6DE0415AF9BAC5CF3D5CB7075BE5A6D410F12A9BBC96BF3FF254812C48423F383E4D74FFB5EDD7AD34C6E0D64BBE7F45288A49F5DE9AC14F317BD4862E1F25E338A0309739C8DDD27839B8AB3B04B9FBCE65CEAAB460DAB0B969222250FCAAD072C445D472BF251C4911C7D5D2B7D41C9D2840826E0BA6786309DB6E8EC0FD94031E2DDFBB0D880CB780772A93C0B4C32377C3C8CE97C73412F5C3E1CC72AEBC050737495C703459B9231C05477CD9A5DF1662F5FC883A91B42ED7ADABE6CB1EE654FE9E616B40CE9035CD3B91A05E050CB2558645A0939C536A2EF3B5C8353729C3EE238C5C88DB75C05DB6B2FEBE0A598F937CA7AD4FAF495A10CB3C3B9E754A570BFA5E723B8C0CC107F0EDFF76CE07A2CF3ACEC4BB44E11C633BDBF89E5501D6001206D457962AA2F57C9C2F3FCDD1B76ACE292728F21A6ADDAD4551970B1532BD3E46D9A5160B1A55CF4BE18FA15ADF0DB055BBB21ABD9A5B0FBC474CED2B8787732FCBBB231475F29F")); test_hash (&nettle_shake128, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("68618F4B2868634D8FFD3483FA4AA9C200B43FE87D59107BAC648665613805242B1CBB4DB2761D4CBEA5337E5E07005B5B4E8C80038019DDEC76395BA981D36823522698C98B80D313A7B6110A0BDE7ED5E9268FA655B8DCC2C762510FF03506DC1CA8769B372F07D0E325786FB1C58206578E600E9093AA84468F01A2DF258E670959966B419BA5D4B6063C997822E073717565C6F9B4777E186A0BD6D72F65BB3CCA7E82601F25667FA0186208F7988611A76BC4D116AB3944D6797828FC5FCF17ADFA99D959F5013FB2516A2D3DC05508E9C28AB5F9E0770D0DB2FBF9CD3C8AB90F255B465A9B724D90C25E1EEF81B839A971DD84C4D610E00ED858C78B2FC6147CB6B1266ADFAC5FECDA9A6F78B31AE35BE6369C3E8290E6F297B7FDB35BBD59F0BFE16146CF3A5A75297FFD5D02685C39ED9394ADFD3C7C814AE86EB652D152B7AE980B328F3E16F883C7C6DF6672EA1EA6E08C61505E65852A1BE11DECB86D8386079E17E72EF8FA38B69EC192C0B90622150A5C43584C3159CF61189138089653AE6453D24F464D96A9BD0CFDEF7C1C9D92D46E854D644982BDBF0E5BE7C38EDF469AD3C0EBAE549322BF271590E38AE16A1FABDA49AD6BF8B1218FD9072C25027AB31787B9F38529156113A82A8DD27BD22CFA719B3AB0D31297A0DE9AF901A443057D34CDC11747D6576B7602D7D6DF58C292A69B4549ECB1518A02")); test_hash (&nettle_shake128, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("9A3CDA57019548E6A68D89CDEBDF96557DAACAC29C5EF8532DCA123231D0226D0D7F62042D70BC225CBB1ED8902D8E6BE75B2B37504990471FD01F4C656E6F6B77961C753A780D91FE03598FA2D5F60B772B34918DB836D2CD278FB41B223A6D1F25C91A4B98B64BA3EB32DFA5DC5E1CC5BA1467F287D56CE98478BEEE91087DACA1E2FE0ADCA38883C9A73699AC98AADB5C4B087719EBA775B0ABB1B0E5ACB4F79F0F75DCB2E7E25CA22C06B1629EC1CA989AD1F1F12C4580E43DA76B2B58345B61085553A827BA0D3954B0BEFCA8394B9D19022D33DF6978148234CD16C7491075517081261E9AF8FE42C66A7580132EA3307AF3372489D8EFE01C5AE579A92399B844266D13804B887538D70D2A4EAE3C65E09F6BF877113992C42D490456CEC22FF8C60B0C7D2517A49D2822CB2B2AB6BEF74F87CE134F78141157D0498F267C94123E1606D4CE1AE8D7847CF9FB23D8A11901292CF36FB975FDF34AA0CE10B851E116EE7129B06D3EF10CC1ABA6F761EE2F1E4B497DA11FCA3E844A8DD1A6129DB5B3F863378D3488CE7E208241946BAC2E4AAFC912CC46E5A6451832A2A43176E06DBD49E9D379A69E6F08081F609B7207C5CD391445E10D10FF2B99E0D672C19CBD9F5FFC6CA46AD9536973368A747A7A2F23AADE81A43E49D2E9CCED3F64CA24C012CF3A306C40ECF36843317BE8D29803A40F6F71E7E9229154B0C4")); test_hash (&nettle_shake128, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("2DEC1B61A2977A54FF13CEFC08F9EC6F11BE80E7F5B77C4CCF2692450CE86C9D57EA58CB34AB2995A6193935DDE84BFD62283A881CEDBF685CA26A8A727252223CD6E7BB8A3C7751B8721ED16D1209611803778DF77C6A005E1A05AAB97F6205E0C1C6B339F8D8346A84C6A6D86EFEB17B6F8C8E30960DADBA3DDDB860F46D2718C7307C55B65AEF1082B98E407F56B633A16578528B8211254FA6AF384AF0EE36BA49638386494E347E961D6D65CCDF2D5D221AC54F6A2F6C4EAB62B7B55E26192A2E223BB053558A6C3646355F3686DD1D3712406677F183E94CF822D0AFA9416815C14BAB7F5C5B4E44F364446E08464370E60A436653B2DD29E60562712136940DF4AE19617774776F0784F7E8AC600BCF8359E02B070C0480F372DFD69DF9C33ECD3484678087087C7DAD64E160B32A0372318AFF1668F5A0B03C940C384239994F546FEE94E3ED0FB8AC259002D09C3110806FFB56419CBDC76F28C8F828DB0AEC39A573A903A49C0C9F77F0504B9C8CBECA83B6D3A7AF24631F7E4B99E9B42EE201CDA0AC1FFB79AC24F3516D766B0F71E1EFEF8E6CBE38C24D86B83388D6D3C2F9BD6AF94B8A56B6B5CD53AF40837FECC5481F9AF1FE216852C281E068F0891908B583845B58A4CB4169A0F2AAB2C36FD184B15C3E4008E38E00C0B6DB256B89C4C373E8328D13E840D65605C44AE017B0876CB5ABE1AC4D9CA14A3B")); test_hash (&nettle_shake128, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("DC2038C613A5F836BD3D7A4881B5B3BFF3023DA72D253E1B520BCAD5162E181685662D40252BEE982EB3214AA70DDF0A95C5D1031DE9781266B1E0972FC9777D4A74164DA68A5D4585F7A8E7438FE28D8AF577306B8E2CBF6863C83431CC4C898DDA50C94EFD4925432FCA36A6304790FBF4FEFAEEE279C01B8B6A8D1C275E3CB4E8BF17D880903FBAF27BFA65A2E3DB8E285878A94955F6FC14F05A0FA2556994B8612BB7A494B4DD8B3CF1BC9E4BF833D4BFBF878C4D3BDC8FC70D26D7B7EDAF0AFE2F963DC6884C871C1475F4B92378B9824970E40DA0A59780E84AC5138AA1EFA46C1B50C3B045BE59037C6A0C89E1D3CF246F1362794E8107B7CBA74888F0BF4B905CFB9C33517F472BAC16259809797F2FC883FFBDD7CEDE9518F891B9117DE5DDC6D3E29FA56EB617F25E9EB1B66F7E46ED54C1D43AC07471D35C57B8C73BC68F5612ED042BFF5E68634A4FB81E2EF0D92FFF1E11E43FD6D9A935678D2FDD04E06061DA3BA7DE415B93C5A8DB1653CF08DE1866F5C3D33BE32A3B8D2B7BB39E9745C6E88C782F220C367F945828B9B9250DE71E8A14EC847BBEEC2B1A486CE61731CEF21B4A3A6353C2C705759FAFA50AD33FB6ABC23B45F28EE7736DF6F59AAF38D59881547274CF9AF2CFC8FC1ECADF81AB72E38ABCCD281DF956F279BACC1796AD1F90D6930A5829BB95E94A8682A51A6743AE91B6C12C08E1465A")); test_hash (&nettle_shake128, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("91ECB5133525E291736CF8F4793BDB00A4EA32F48C3F24CBD3238E6408FEDFA6E7A750409F197041001C1A090659F8879CB26912B46A0E7E4E791FBF5692FD36EC84A55462B7876724EA944CE7246261F26038B166668E6B7EAB0B5119B44E4581F3A3280508CD8B3789AC37F992EB9777B9E11C0F19A3DA5F4B8D304AC4DE68B3C2CD6659F33FBE20B47E1F6B0CE06EC0963F8E7412FCD84E3DA3867CFF08F82AA17C43C19BDF3BC0D242FDA4874DDEC389564345AD11A267D7A466925D1E9BEEC667B029DA0982B37B51413B4601CAC17A02CBC681F927DEFAEDDB0F6A69FDFC39AB735470E86A00F82EADC94018A6E2A29E7F393F30D954C82936E158A364FB139FF29E42F30C0B95BD5714EB7A535A5B1D1B3B36A862E35D10D1F8A5AFBEEDECC51A855724271DA9FFB8EFC6615C42B03A57A2D762B46D5D94E097DAFE5D7A2EF522DDF2DDADC1F83EADB72510E770735463495B0217B8BC91DB597683254F6E0AC0E9B1E56ED0216EC9618173B163CB3F393152469268C056B1A204567EBE7367F863BA145C3BB367FA3C01E556D62FBC8381CB3C8A9BED907D481C093F14B70D1BD31AAA41FA753CE31FC59740A47BF5980F8A0E32EACA8A488572A3A91DB07A25C34330CB7DA7E0FB7D1541C3F3C377963DE4560A8D584E11E9C6A1B917F907C34F211CD78904471199FCF30D4180F88E7BDDC0392197444ADB1968D2")); test_hash (&nettle_shake128, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("54A3C3F41FFA1A12309CCC1D6B7915E126CB13371A2953F33D6512241A5B835005A7FC8844E4E5BC097B9C5D8E388DDB5A55F43905E11C380B8EF1DC661B77593DBFAFB6B2A4A28039ABF57706ED1193E860CEC1F5D9C522839607A02F3AE0D057100CDDFE48BD84F60DB063AA3011EF8A6AAD3947D8F86E2A6A28E258A99D72E998E4148DC877945844094125DB2BE06B98508704E3901AD2D8D2CADB19291AF8436DC4CD89D97060DF9F7CE0738ED5C1456CFEF18862DABE84A08A22BF310FE273496401619F156EDE9311697566B11C38BB10D4AC5787D4D6491CB43B4D79C5F062645FACDD48EDF609737C7FFC226E36587B39759F23DA6CF94349CFA50B9E18F1C6CD42DD22EA04A4A7A73ACCE723E4E5948FCCC9857EEBF22C9761AB8AFF73386D470A34254750BCE7EDC88A46F54AB64F562BEA863488F846671503E5E305F3CC61212E95D055851A4D4A9A145DF52DFBA84D27D084952F7E12AF3C4E20860A479156B48CD65AB2BEE5407AA200CE205E3E46C35DC4B50205C11187EC81ECA5BE3B2E90A170D53E6637947470220B2A6EDBA8C0D0E3525BE456417E6EA0FD98BF54A5804AAB6BFB728B22A5D01BAF0CEC173821F5E075A0E4B7649E303D17296981EFB88327D5B1A3A8CA72129B979DFBCFDC45EC3D1BFD01D10814F225C6BF09962F0491756CF9607D3974C24FDA6DDF6E87013EC5CB2B883BD0A50D")); test_hash (&nettle_shake128, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("264A7D71BA8E67773AC5AB0CE3616F1147341EDEEBA1A177E8529B0DEF09C3A99D91029D77C3F9F85508AE74DE172F358CDD2BC4EFC8B27BF280E162B03A08272D0165D9012099B8EC0274801AF9A0D672FDA4510C09347ADD664505BE434469CE78DF597A7890381FBEEBCEE79FDE94EE240A2B3DFD60B23F4126A5FC397B4B4E5E21893CAFBABEC64BF53F603434F168FCB667828E79F44B1526E9875F9EC9982648B9C6FC1AD6527D7FD2AAD064227D9A85EF9733B2B484202E00F8929E18899BFA6B92C3AA8B05F9EAD25DF02E02C7E8C264B67EC07AB47A7D95905F660CC6722ACA28215AEE543FB7950F0204784AFF77374B803E5EA679F22A0F5659A363EE122AA76BDC881EB28D5E347842B2CC81FF0447B68989E744E187808D7AF0011A32B66F9050161168D6F246A5C7B212838B831E71D71606F21A40D8A9AEF42B21465689B7CE967DC2E53F869F0584E19DDC629068C1ACD7E6B986C3D1F1E24B1A907F7ED4E5B83EB7B0A5C6A4508E0DC21BE2C1BB5506BB2B97D9721B57DEB9D4D39D58B77DFE6C869F5FBFD74559082B5EFC3692E72A9B961B6A669ED700CC41FFEAF370F88373D5BDA8DB6DD2C3BCBF1D833F4B9CBD3B4134502931178C58FCFFA80CB496FD850352634F73D002FC4A6725848CE2541862B3C5566A915878E60B3B4C1EF7F014F0F32446298891A383F63568C849DF2A208E75EAE37ED8")); test_hash (&nettle_shake128, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("C87CC74FE777B2DC9A33473F88383DFECE2244A807FF92BABEB7BF08F37EABD9305BE93213A63A4851BCDC648C2EB31BD509844A56B7B890772E040E67D32A4098EFBCCD0ED6D25B2AB9EEFD0B65EBB76D540D0FECEC277AC98139AE8F67025DEC7AE76850E047098557D2EF7D9319BC153641B1D2A376F23E4A1F2FDF1168EB5901B3E11A0410C8563DC4BF1FB0F616CFEAB2B086384207CF1A10D51634874493DB0533787C0564C1400BC56CDB7C32A6FA4800F0E685156F2BB63A63B67F6D40AB574CE0EC54A4A533958B3A48266EE038E5D85E67F3BA429EA1671D89A083B406A568A0795C56EF042881AB67665258EDEDB97AD04B5A30388D7EF0DEA494BA645F8FE47E81A2CC4A9C6885ED80C6F6D37BB0E81A60575201C0EC3E9FF30F70AE746B86AA3EFB309F13FAD5CA2C824C2FCD34AF1DEA5E60E4A8CD92E7B653301721937E03ECC2AD5642A3922D4D666448759961C6D830CCB45D666B675C920AC2486B100B5A51A7659F24735C173F9FDF02B1401A03ED5BC45EF098E799E7A3C29EB262D408CA9A6D2C18C5636F3B378E63F8C71C70058976E880D8A0F23E0F2F1CAE00F4E06FD60673CF0968A2E3C5D97A79659BC81F6639FE69B18C6E4D1F3BF535814A4D6187F3F9BD7F7509B2EB899A6ED48526C665B706A526F0E5EE433DCB3B5C7BFC99078342B78EDCA9502D6F73566BAB6AFEAF63EC9A020A7EF5")); test_hash (&nettle_shake128, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("61390F3D091CFA220147B1C85C59F1D6B7D9F87DB3A8910884AEDD2DB4EF65BD77F1D091D8375002713322F3AC618126D47DC4EA0404402FFFE139C8163CF8746030B2E57BB2A74965159F4484E3A4C41E7F849BFE872DB3B47EB91E4C9E67DC09AB0FB88FDE8A9815BAADCA11238B97DF04A0F5E5570DDC87D18E6E33339DD481D20CB746478162CD1464929DCE1FB906B6545D846D891CE91358B9EA029F281ECDC557CB769EC8C1FAAAD10FFE13B8076072455BDE3A3276CA458E8FFC4E377ACA54833C31E906866E9DEC7EAEAF74AE07339D70AD34278B076CA541CEF4DD10F68FB29C17F030052702B7B87D857F462414BFCB9FBA427BEEF0B930DF09C7A6BB35620EF843C9866E242EB2B30E30C4427C1E5671F2390F6F9F42B77305CB9969224355FB7A751E2066FB8C492D6070049C768B5263642802D21632DCF50EDC2C9357A4A3CA20C8446CD322CB5D8EDF82D31871424575F022D8B7A6B7BAA4F6326CE757AD523B8BD1B4A77C5D96E7EEF9E2963B02B107F7F74C9341D964D70DAA7C9E1ECBCC354935EE07192F22C15D693E5E10DF094FA8B74CB2CC87B967F11237B3AB5D3F53EEE9BB9E4CA16B7DF02E46EA9F141DCDA939B2D7C964574A0E11E3505706C0E9FE33BE262A7E6589D7BD42276CC3146F0A728131E9D346B91DA1EEB6B3E34EA5AE180396E219B5FFB6F87148ED8D4BAC21E760861B49F248")); test_hash (&nettle_shake128, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("39EC35D31923584FBD73A715015CEF05B945A5AFD2D109E72E356BDBE0F73CDF666AA7B01E77BD3BC0C409991F1129961F6BDD772ADE7EA97AF0B88A8875190B453664FFB64FC4FAC3C1108A3C222F23B12B7613941B137449471BA4847EAA4A16BEB50960FFF5DFBB2E756938B38A93509BCE5F900A59E69FB0305A19E460FFAE88D74A727C82FC7138B88DB07EDB172B39566DD22F0E852F715AF9D3C3F0089E9EBA72FF6063357DE9A744F20E1DA367F27C6AB6FC9D231A606A79A621F8150773D1DFD52868820EE5BC28D286ED746BEAF8F13213548DF0A56BB0E01E5BF6BDD1C901EA8C791E7916E5679C88D4D85CB1ACCA63C211E7218FE6EB2ABFD2BADBB31147177F123FD111BAC4880F1224ED01F3259E4EB91DEB7562CB9C3009B3676998AFAB8D5D24BFE7D27BE7F3A57A932C895B60A9FA74504472808479F332FD9915B8ED0C11604E80457C0DE5F7015C19A607AAFDE448FC08BB185517E6AD7DD330A465F9043A0478E1CB4BE9185187604F30A1680C67D3A0DB1BACCC05D401AAA8FC66D9189089EB7DDBABA05FAA8DD83FA544FDE68A793A36D854752F22FA13333C6152F7F18ED789848A13327071D85D5E36C4FC291CF5B4B9391F8E2513D4B660B1290790AB50D12B73FCA21A93F8998D5706C037C387D662FC20BE35228D85E5BD007A7173BD06E5CBB7E41063AE4843BF3F5A77C44E1A36FD2E1C31")); test_hash (&nettle_shake128, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("9BCBAF72085F4EE5B2B237F520977C7CFE8780BD62B0ABA13C161D0E7EB036AB27E9B08407BD501B2482C280997EAE9C4B571ED6E39A13D74D7A1E2258CBF3583B28E738FB14AB2B60E6F1E188953D96A9361D282B85DDC243FE6C7CC644BA203B328FBC4E0088E40283B6A62122065A11A164DD1EA05F421B4ED60F44EC982636F0253AE4E6EA320EDA2351DFDE0285D1ED860A51699E702A0519B0C3119462BC9CB3DECD66647823EE139DBFE3EE125A6F74AEDF5044238389E0B0388698FD8D7D882D010C194F4478D6DA8FC195529A475932E4FB178CF318AD8F24427BBB90C0B08ADAB27BE5A48C9804ACD9E56E1CB2BFEB236388917458408C446C6B5F1D3BD55AC0F6F1AD06AB419460F525B564DC67BC6BB2CFD08CDB510161F71A29AEC95C67323259C214CC39401E483E982EE6576A7F1068B088348916A5C47D1378236DDF475733F394E14216D2AC112457295100EB70381E632876E700D355973944ED80AB91AC39F2D9DF4E338C02082505C028EDDF867E60ACEFFBA59480E6953BAEA105652BAC6D29DEF70962B6BB93E3D9424A77D31D3020FBB3BE37E7905A6360C1B624327FD68ED02639A2B54FBAFDD9804FCFD60AEC2B044C921A77B25B7032CF685475F503D00D9A8DB733CB6115C1BAD1C847C1BBBD342E62470D6DF7C21119A35179AD3C7F68CD246B8F3F51E2635DAC460DB83FCC5C0DD049A2B7")); test_hash (&nettle_shake128, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("8536A6C25934A44FF97C0A09E026EB12B9C81CC8357859BA736B29BB329B182B5DA8FFD7B855200CB9D64FE463317C213997EBDF1810BF37E00D56F75791375C5FA84DCFA37EC196BB2DD3C66C1D33034AC48BC7FEAF15F9702D7D11E4712AC87934E2064283D04B56BDDBFB3B56C3CDE69B7D736196B9DC5623A3132BE33AF12A386A3004EEF98D4487B614547BA59EDABB0B83B6CA39A5955F925F35A5209C0CD567369751312A6A63D0F4821D442C14CC26FC147E63A4656745663CD96B01064F60FAA4BA98258B09C09833046412221A59E23D5266FAD8C068CC949D172862EC30EBDDEA21E1CFDD6B5FE4AF566A19D0D41FC9328EA915D8B97CB1D903BC40A4083F6997439055B44A695450039CC00931CF3BC9FC67BC417A8AA270B2B4A410BCE4A2131523749A957D293C1438A993432941A9FF4210B33A5CF8B4434553B17CFE869B940669CA9F18B128BA354855F08A692FC6D23BF0FA12D9F4DF0A571E44D4221E8018C4282559E6FF2EB02CCAC7A7B83E34ACA7D554C33F05CBAEEC49D0516B10DE06BCDEDC09D0C4A9810B0797B62CFFA75FC0D3BDD796327BB1FA5DCB546630E9BB0457D024E982D6D7930391066C58286BEAC627D6ECA09B4F6DFCCC71CE589B1DA1E890AE0C5A0CF531D9C1D2330BC8397F09F248F9919995326FB92147959C3E6C569ED662F6968F4E9EF42B6C2FB954D79DA22117373E27")); test_hash (&nettle_shake128, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("7201FC2AF67D095A5E317269E750F965B8BEC311EDAD18DA2435D2872C0056617F0FCCC80552010F996E5B34084B09F31F35870486A8C53D220D7D009FFC2C58F26AC41BAE05EB486ED4A18E74FD1C31CEA640E8D47D88C5D506C5719A3EAA4716AD4FB906A5085AFD46570F2B048264D4BD3554F5AB0A8271D6529B9E2F1634B5C78ABAB6BBACF4F01A4E33377F9E1FB12FC20435DE0AFD62F90E2CA73BD5260285BF5CB9B4302A312BBE48C3B68A4DA6E842B7D87B3BE0BA82C9B7953CB63B7E7E86296B88557BEE2EC9576A468D556B77F872BF728FE3051E4932988029D88320088B70C8B19B59FC03F2F32BF34F42746A6E9672C21EA85087A46D5BAE484F460AF64F8F62BC615E79ADF67EFA9941DEB5B358A5833CCE4A92DA0F237A506D530D64435689E1DB79F7AFDA051CFC065397C9393B3A87D6DE9C08522BEBAEF1B33D2EAA746A5AE7FAD267F168ECE1DB4BDF453A100FA3743D9DCA3BD0C00DD7033AE1EB573BB79C6CF53BB38130AF279C0A0F8198C5145A5DFA32B322716EF6115BB5466CE54EEF73E68C4C2B1D0C321A03B6C7BD1BE98DFCB50C08DF2005DAD35C430004DE8E6C531368B5F37E53DF3D376CAAF854298657573BE7038052C2169BC907341CEB02925385A9FC03400F53CCCD6D3BC039BC49F7E5CADBB68FD5E1589CF1B97C9C6360A4DDE6474FF39B96CC2F4C698300DB2AD5668BC19F45")); test_hash (&nettle_shake128, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("C7B0EA1011BBE2D11DF8353D06A6AD5176DAC3E33039C621A635E1124EDF2425AD88BA552D6B6034AE3A5FBDC735E4381064925BFD6CB5E3E753D27C7A77F4BFD3D33652461F5409CA29C060AC991F3CA90A29B9F67502A524795F1306430FE7961430B431E9CB7C21EABE1EC3D1D6440EEA64496F30A3A44172B2C5670DA2F4DEA42F783F5138C966A642488231DCA509C144B59E0F4A40C191C035E4A464ABB6F4B9E0F9ACD86B7BDA0485238A56B2934C7AACB484287EE013C46E48FB648E73ADD7E8ECA6B2A8FC34EA0CEB46B0C360A6004B34403AE5FD345A78B55634B242CBE07A6FB13FAB721EF976B3E1F82FF4DB06F86DCA50348398F1DC831C70618FB387F0B13D84BC8A606E72D6B85991A4D7151E2D9B4B5E07D303E2D639D2A243E316B6C328EB01F52C524FA7D76763EDE5F0FEC6824D73EFE546547798D9C78B22765E69EE0F72B538C816B230481214099ACF758193AAE0688CB5A9E11B323704AB7724E5F1C4355C11EEB595312A25277794B996C6BC19C77F0A048CD31FC8AB70C7B6B6B0DFEF5F632879DCCFCF462908F04AFC8B440E9C4FBEB428B70A56511EB7B16053BE225B72CEE491366742A77152A9BB0FAC5D261C01ABEA1B632289F26FCD628598C1F9B6AB1A5C36F926A2B96BAF71644C0723A6A773DD14C66A770F11BD82EA85C6608C821139601F9B98232BFC21C7A3B54E0F7A2A6E4CE5")); test_hash (&nettle_shake128, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("FD6ABC78D5FF667AEE2029F1683E1EC57E82E69E6F3963E38486590650A18EB3A6B611D5ECDD6F8E556D2F8BED3726DC51B2086275923E2BAC576625FCA0A10CE1CAB318AE80806929EC5EF10F3262F460DB6D39D6DB17FE364792AC2CF5B067F260366FDA234EE09761858A3C5EDFA7D8C8BB7E968BF78922CAD2A276096E06164D15782B74E75ABCB32D1D87CC5BA1B188AE777B5FA570DAFC393C7FA0CA76623543BA75FF214A0F01AE3455A9C454BB6773721DF3376BF92B4C6DB9FD4EDCD802E30CDD698A865C29912517E0D195B1D05C391BE04710121C764DF515FD0ECDEF0D91603BC2A3B9F905B5D7C25133657FB6798ABA7119FFBBB836028764298EC082FD36CBD7D32A81C549B32E6E82C8C897318EEED0C3720AE2B620A40ABC87C28613AA2322EDD83414B8A532D48FA5769E4E8A46E159D5BF9926C6647836527BF5AB23846EA38F321EE7303A1DAFAF61C97D6059B10314F09F3D5DFF337802EDF70F27E0224D1B110453902D3F4D5A074F2FA532856EAE37307507C2E9BE3952EBCCDE1599A3A9B331FE760D29720AFD9134B6F5C33CDFA60E9B700E0FF15E13D197830BD93E785482BBA5DCECBE0977433AD8625280F0DAC5C6A4963F23844C7EE7AC6C88D098B8189B274D49194727118D6E73898584BA8FEAC1947E0B0ACB81DC7B580F06F52A5743F8E7E8066F6C76B5013DA694072434508C2802E0")); test_hash (&nettle_shake128, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("AEDA7E54B44C4EC1DC28A305AB30CDC9FBB1BD923F41DA60558ACC8C3FB34D85EF153DECD3090860E383151EBD008044B20B20B0C6216D16EA221ADDF00B99DFA692CE79E69AC853FD70C6D077860C54FF77AC55962CF0D06888CE0A95DEC7CE760E8E0364AE935CC8CE962BAFB617DBE45A4669F0F5C6A7767FB0C9BDC853C84CDEF5F722DA5C31D15181725158F946C8D810AF7296EC91F3EC782D38B00563E454AC9299B8DA2C4D2FE89C0C2C6E094A14DC3CDE4B4B5A868CBE8C6032812CCF17A1E511E7E59C0239E6696C2CE093CBF79F641CF1B59D97B88A16359DAE8366E23E13C7B8F9CCCC099F9B6CC0A228223FBDD5242139F3BE2C19C06A15563E404428052E32ED5F6EBC61AFE642340625C29174ED962D6EA5D8D6B06DAA63CDBE674CA6ABF8AACDF727BCF6279D4AB7B2511D782C21DB7BA2543C2273970CC18C136D74D6583782FD44422A2DD01BAB97AF2A420F8F1DE60AC0F4727B91972289943B5DCB3D22030D93A6ED0863E1920DC8A6688DFCFABFC3ECEE59AFC7B349F5B6B061E599145E2242C05D63566906A40B98F8D280F31D25880D0DB0A90AF20108715EC9FEE5FFE151BBA41E594254B7EAF61C5B444094B307511A1799D2E983500FE9643DDC2652B7B77FA27DB41B50F788224BE4B4F7DED43B56A3BD7EB52620689B4D22859ED3E0771431168D12404B5C56347FAFFB9E133FC5730EE76A")); test_hash (&nettle_shake128, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("9FEF3F4FEFEF93B5124DC0C0D3FCD29FC5D6F680F511C682BD41E397EEA9147441E698E4B420CF2A165B15AA36895BE8AE914ED53FC9950F16D540FF5054C0D731789D126091A75FC5C7DE3C28478E86E05C7A604CE904DA8F7EF031DC9D957401B155D110745F3145C34754A45B7FEF94D0253DE536BFA0ED5E655243E689FF909DED44948A339CD55B897D015BF49E890192D051A13C26BFD5E8E71AE287A6E2C18017FC997BBC41A7D39A18DE8B30F5F313D449C5095314E740501E2101807EAF33F596D0AD639C83BF7037E27C1D8597B4BC9F335433137EF4081E381B831F17AB09BC704BF1C581F4EDAF9502290A92501CD7A0E5F0AA10674BFC9B2C9C2C812F4C3725D6E7975A1F181BA63349D18EFB824DBC4D7D6267E7C4855AFB5F4DA4B26BF74785AC1E97D3E78DE97179739481A47686545A7B81F9D6BCA18CC3008BE300C34134EDCB9C87870D8BB4DA18CAD8C29CA349392FD82E0BBCA5A06A043826194A52AD80E1C3BAFA28751338BDAC266D8245E055546611CBF929CC8CE6DA35667A66AB87EC22CF3B54D8EC1D7CDEC5C75E0EC3B53ED0C030AE30913C12AAAA71567C731AC8C9CA1279C7A8FACCA20554A506661630F2B6B9792DBF5C8FD545C283DFC65E9D758B4B86079F569AF818138304E617D74081D80CCFF0179542F6FFF41151B85F84B2DD18FCD8C2B7790B645552C94C0348315BD91E1BEA")); test_hash (&nettle_shake128, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("E62CFE44B169A061FAEDFE6CE667056BC0255D1F22A56D3DF255FFBB145433FBAC3DBC0B998A40001B805927BDC1EA47762980586CA088D64BABC0ACBD488C5F08B8C220FD5A15EC679448532BB992360C8B166BD8EFB59F2B5E091F06CB1DF8D79FF9B69C4A49A9ECECFD6403D6F984A987C0FCE8E6ED4C0E9CAEDE1C522E4F71495F8599F2864C42809C931771A32FCA62B0CCEB02E5D7FFA15754E6AFA27E568D84FB041CD35140A48F4B23204CAB939B5C48217711A5426F194CCBF07491C0DC2F885156B40C9F782F4A17BB7108E465D9AE1F52B494C74611A1D9D379EA8835E0F98AC6880C339D70B65436A07F056E9C118A89AA41A0E4463482B5B037E96736D265CAECF4764E6F206AB47EB83689E3380DB572BF815F7E2ACC67BBA3F4D074DF16D3B95AED1C4718EA77D1E38608400EA88C6F5FFA084EAEE206EEC8D2560A601587DDC5804D86912E4B844D87F2CBF10634CC32F492BBFC32B4E746EE3FE9E9C9B03DA7DE441A53C0E3B648366A4A997A28DF2A10628406C530175191F230A97E2248226ECF6293D39809B0DC0493CEEC48337468831A5EEF0038AFFC160732C097CF96BBB90F5A302406FFE8C0F1FBD7554C1C0679D2AF199E565D96AC5697F2FF748CF0BDD87A0DA1A9DE71020DA59BF69ADC9E7FB7D6B8A38113C3370A120815DDAAC8CE49ED4738C3A2805100DE7C6B2279AAAC367A930CADCC")); test_hash (&nettle_shake128, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("E55556489CFF55AE9DF1AB48F860E81C3EB95D979929BED9C747FD1467D201FCF041D0B3D72EF227C82C93E6346CB02A5C78AFCF0B9CB6AF551E9645C09244EA67E02E17BF1941F3910B069C04DCD5FF7B4B9C69BB973EFA516B4AFF0F8947DA042E21BF838A94BC8D98E6A30FA830FB9774D14CED360125DA945F44528B99DF2095C5186776D434A4AB2202A8CD5443FF2636F6111228BF1F5C5BDFBCF6278598733776BB589230D74314083B983CBBC476E4C9F0996A01DDE09C8341DA4C2382923FBF32A1AB8E37E9A18DA38F54154C44FAB88AD8857EC5FF82CBE1C9D24D6AA676978FE7F18F1C2503AF6981551710690DB902F46AA5AB3856EBBA8EBC644C7339D6E28EEB2AEB6D5F168E0447CBEA439ECC89743BFDFA88F963A6B57F28157F55CF46B57C2396A357A8E44EC964CA32C51FA5DC17C1E0F6F80FA2C8D26E04F03C32CD763F6CCF0F16F915D72F6E9159174B69535D2229C8A543E992AB0E86BB51DA378EB378A0F28ED49A8F57F224E03C9C1248F0133D70AF45AC7F0D27C5804CC99E982A2A583AE566262F3CFBDB91BB0C2F2561651A812CBE22F1380929F85A94FA721AFE6BA1EE27430F2CFE89966A9919AB21036E81962AFDA1026B3B4A95FDF0BA51940053F01EEFCAC57CD11C4C60D66DE753F41A178CC56A938A72A0791874EAB6DAD49AF265CFC6A03016F0A1A490ECECD045B9F7509F1193F9")); test_hash (&nettle_shake128, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("5C3CD7AEFDDD08E09F343A8226155BC3BA959998299AED4CE4E85C6758833685A58E5CB8002FA4788ECB673E810C98BDF71A18F7A2DDFC351056D0639BC600FA42BD03B1315CC4C9640A8D61D481BC7F9077C9EFDEA6FC3993993CEC88481FCBA0E4C519CFBB57B465FD1E3D33557D8DA77321CB21E584E677F3A66D38C9E49D9A9545D6B84AFA37547F1CEB22C2ED9D8D97693A69EAA2D15F376E6DE77B0EE6C7DC28FB1C1BCB42BF8751400EA2470B87F19830A6EA33DA0912DC894892C6C242E90D24238439C6794243A5A6512E3486680F4F9166150502A1BC049F48EC80D2694FF8334515EB4A97D483E7E401BF6E446035FDDB8B600CA7478B8C40AEC176B79CC671E90CAAE5D1EC05E51D5E7EF9D8B4FF3B3B319D80C093A83A3D21F22EB4DD3B88FAB1345B29AB527F8D69CABE8FECE7E26D40A63B3FA08340501A40D433D77DD212FFB48265901D9A05E17E8F24786C7C23E50CFA11D5AD497D98579B02B642D48FD74CA608DC32E76C3961E07064168B898FDA5B4FEC10554F32426DD818B7E207F3FACAD3525577B5FBC19F1CFD39FE6453B274362C456B8FDB3AA26306E306EF1BFF87056AE99FD0CC9BBE36EC508532E8239B3C33B1705D6DA65813621E8D319460CB6BBE94C9CC0A5AB5C9CF538775D42068D9665239E1FAD0EE8FCA7EA4829C8BE493AC2DE44B340028DB1F27F9E4470D3EE6AB48B416CE36")); test_hash (&nettle_shake128, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("83D754C973E2F1CEA0A8EEF4CB2340F2BF78CB88CB3AA458E7C915B5C8412CEE403CB18E062D2D896D5BFFE7DD1C3CA2E5E37E193554A176BEB2C636ABB687E867AF6B9EB5FBA57F371C167CF210956C5855F27FBE890708A28321BBF2D1D44DC7A911906CC4054D6310CDDC4573EBFC9F7227031EE0EAED3A810AA18367D2F6F56B478881F628897E2678FAC39F76A745460DA7913374C9AF81415592891035F93286BFF02DC737EB087DB8FE7E77A188C206CAEC84832A120547D967107A49AF42D422EE7364DB5B6592185C07DC7FBC2D0ABC2A02C3CCE0070C23F2DAFF0C8FC61563CB7CE0E930B75C706AB8180BCECD4E2C47859217B42719EF341765FF7C59C239C1752A3CA73E04DA7918B61A4D98DF5481F3B2A23A4797D66786CCF940ED96D6817D6172F748262448A69844E59CE9673CD9AA3F5AEE057608D4DF64042D78A03920FA23DE7BC65881465B31C4204F68D69CDDCFAEB9A5A6F4AEAC6572DF206802403D169EB5B2B69CFE3FDFCDE19B198385605C864B5F02BDCABBF646C5945899F52830C3CDA909443C96DF6DC1417677BD80675621755D47D076DF56DAEDA124A3D6B1C7B6E050F6D3024C5627A62C57C94438A8A3C14C5F572210893BAFF4B7E4E84C99C6CA09EB3629087F1C700513F2447525EE23622099E8D8B5D2CA8918CC5775FEB5F34FE5141CCC93EC172168638A736CEB0541A1B18369")); test_hash (&nettle_shake128, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("C6D3296ECCE00F96E8E0224FC094279AFDC51F4D65790B7DE6612A536D16DCA57EDF5AF53B7DCFF98910F8C41AF597692C5B9590B7EBD712076A74BA9923C364E042286F754143B2F1E00C47D4D01ED6A08FC3B62918D4C7FC8A5AFEADF7B83A02ACBFDAD3032D72C60E5FF342AE9376C60CAC094780D9F0A6FCFE63496A1FC660A33E1111FF441BDB600B37A33256A35E86CB245CE8DD2951E6B4C7C96C8561207D402D143902F085191084EE39E8FB472965F51C6E556CF4EAE55C540ADCEDEB9E77699C161A88DD07093251DBF403E7A26EA6FF93B2E5C61E5C0538CC29D69DE806D995C9BB59B52915A61B9DAAA3B21FC325AE7E1D5923D7E2CDB4F71E9C1E9DEB331916F09B22A34CA70FD20410EEDB22118D606870188BBB9800445B136FFEF3D7539B7104EED36E3E663B5167A5649B0FD2013424153B92BF520845972C146F8E15670BE40CF2EF1E73E23E404F1753833ABEB111327E862904C7CA969F5820B41C6484AFCE6374C72620C1B0DF72C043C1BEF6B33EB17A64B0FBE48D68E60F90CFA669214F96709777B9A278B65F197956345395008272E6CC3DDF43DF36B39E491897323CEA03B88D2FB8FB9F9F1219E951F4CD652AA28C1CD03A369D85C7ECEE4C3016C89885373ACABC20E40DEA4BCFA7B499941D8BD06738A71F3B40ED89FFE85C7C84ECF5F644CF1F3A434D2B12EA3339303353890B3C4C5534")); test_hash (&nettle_shake128, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("E7B210D8AC4395B2DE4A9066A345B1592A5C0649D47EC8392816A65C03B5717FFED2427F513EC34D3DB5AD59AF61E0EC5DF9664A1F24E50A31C6C146799745465E3A130C84B52EDC04140AAD1A8AFDBC22D816339D5AD126C616B55302CEA748E744C6F2F538E2285538697ED1B2E169D9B335B6194B59775CB19B14E2A5BB0754705E1342E25EE1824C75479D317CE844D477599CC6A637604DFDEAAA02A3CD2C1B707661DBD2B1FDD77D2187C1E2295D92D98D4E5AD4208DB1771713BBAF33E63F16163F63EC956C7DB48D265E53058363A923BD51BC3602B184EAF2B8855DFB15AB9015D5FA72999CECFDDE888F95252885988052C9F1666D4E90F82C1BA1C27E4B0FF07F99BC4A54B9FDE4BE5C3882C395F69AE3754576F65CA8CB03EB2890447CCFB37A475748742AC932B615537B7FFDBD9E73FEB1BD29A8039B1321F8B7F6BD80BCE4522174DDBC4D6E95F18DA7EA0D4DAE4D14AFDE65F8BA726662563C225DE20A218927E2CEEF7573AF8313DB530D5FEB42BB2FB7B4DD616D25DBCC6F443A9BC91BA616B858AD827B049A65916CFD0A823A2726243D8393E248A8E1A66A057350107D01B65F4BFA03E6F22A4C26645B7C2CC63767E89F2A8860632226CD6FA6A68DB79949AFFD3EF91758168A295A5342E10C402F2B2076ADC203BA107A177D6FA79F12DE20D084CB463BF0C74B9D3FF6ED9455301A850008499CEE")); test_hash (&nettle_shake128, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("8DD1F85C100C7F05B59A9A0A78581B5541ECE6A40672D9AF23E9F80A9D3FC96346E1B0F3DC309BB110E3F9F465E08371D93616258FC5CF5F3264B6F20CD795FACECABAD03BF361324E242F098FE715E14D0D207B5122B01E47238E8AD8CD9C2E874E816C970F8CABA5C148B9D2638ADC5D13384DD5867679B5821A37B77B5C8AE773F982D07F037E319B0C2A88B8716D8642EDB7C51AFDB44297AA2AD22ED1DEFFEBBB8A89A601B3C8ED2BC1894AD8EE27D85E4B88547D64394709532582EB95A682ACEB7C205F4A3CC9693E443D7CBB1E1DEF42905622AC0E12D0543BE1786C13A913D45C63CD7F06E058440B34DD44007CD2B7BA489D89358276A3D597E19A0B973F558B4BEE867712543C1BDC817495D3222D4472B00784D7CFD83BBCBCE7E2FCD0F9C1EC0FD003B3D8EC74233A3BF7E95430189EAAB5CE341739C8F198052A783B9EC0331CDC1E2BD8B25FBE9B471A768CC6B8F2C90298196BC65861678C7632B7914D365DE4BB2CF9DBC4A0A06034711086A0D09A9C139132556EFD7CEDA2933EB9B86AD5BA22196DF404684993A8E7FECFE6E582E5A3A4717753E5F3BEF462DD8820BF3857881D54AF1D0F2ACE27AB1C208C3D5087DB201F155164C398F2ADE81CE38CE0D741920364C57580522FE1F0299A6263C3F4A78E03300372D379A4A9A550FFAEEDA27B30B329435A8B2E3C127568B48B1A75462F576DAFDDF6")); test_hash (&nettle_shake128, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("16322D3005BEF6A6CD077C13F13A0DBA11CAC621605D78E2CA3EBB07386C0ACC23D0B21573123E1BD43ACCC1F12DBCC34874B5C18B6D037B339E958972902BA3174A9831EAAB3543B901B6CF4EF5CBD1CE1B60AC90E94F6E15C7DAD13AC4B8AFFAB3141326AE057852DAB28FB1564A7375204805747A45C0E96E2E046611FFB1BDDB6E6EF5C0BD75E4D654701BCD7F903DAA5B2D32E017C5A81A907FA908C8523D821A9947E647767F04FE6A8D0A9297F65610B1ECB332D3DD37EC4501400C3C1E0035A48652DE4F0BC038C90C5B4FC2D969B1951DE5400184E6C761C7129711ECF3F4146C2B8D662C96A30491771DAD21E0D9667F7312147D53B1377999F0274D239ADA0E2E2843676ECEC0D528C89A5E6C4EA111ACCFDEA9D10BD3F79326283A609F1E2C9FDD4120367DC5403D53A6D0B0DFC3A3726096EC7F6CE189A29F23053F79E179F275E32DB13567E108A63C7033286C4F6636AFA91C37E32A5B2BF01995133FAD11A96BA922CE4BF5192A0536F4F238F9CF0AEAD2265AE73FF3923682644CB414B8E92E9C5EB8D46E39E46A5A394D75BA2D01A18B2309DEC99931FD9C29DD61073B23A19EDCBACCA8D9227E8FE23D313947AB6D9C807C8C3BC8E189158A1815410A94CAC21D931560BAE3AFE409D4904C32D4AA5C7FF6463EC8C432F97EFFD812DDBBDE53EA65956C9C2AF72ADB2C7B5BC1EFCFC8EF4FF8A152AEB8")); test_hash (&nettle_shake128, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("14236E75B9784DF4F57935F945356CBE383FE513ED30286F91060759BCB0EF4BAAC858ECAE7C6E7EDD498F01A082B63FA57D22540231E2E25C83EFB3B3F2953A5F674502AB635226446B84937643DCD5789EE73F1D734BC8FE5F7F0883AB10961B9A31FF60DEE16159BC6982EFB08545984BF71FED1C4CD81C0914B4C19FCFEEF54AF4BBE372F18CFCD3A18657F5B9450F99A78F0FA2C3CDCA7461C4ED7569536883B66CD87E9C200962902EAA16A54DB6A0A5CC26D889038C0760810B5BB4F33F1E5D639B6F9BC7CA62BA6F8C9F8DE770260AFE47F4E0F82F102198EBA27F543252AC8DDD83E1B8DB0A91AC65633FD12A550EBE96F93AA6704ED5905C234FA6D9203910CBD02DE166C4C3348FB81EF7B84AE1455FE318B5FD170883F49BA2F24289C479A2C7531406BA989BEAEF3A79F659028642E9B033F7DEB9ECEC3A7A9F1DBD2451FCB47C81E21E91D20B924C6BD04C1F0B2710D2E570CD24BAD5B5DE4E49AA80B6ADD5507B4D2E510370C7AFA814D7E1A7E278E53D7CCF49A0A866CA3A7B5BB71EF3425E460FEEB29149F217066613695F85506A0946CF68979F04AE073AF8028976BF0C5BDC2212E8C364583DE9FBD03B34DDEE5EC4CFA8ED8CE592971D0108FAF76C8940E25E6C5F865584C34A233C14F00532673FDBE388CC7E98A5B867B1C591307A9015112B567FF6B4F318114111FC95E5BD7C9C60B74C1F8725")); } nettle-3.10/testsuite/siv-gcm-test.c0000644000175000017500000005453014633602172016506 0ustar nissenisse/* siv-gcm-test.c Self-test and vectors for AES-GCM-SIV mode ciphers Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* The test vectors have been collected from the following standards: * RFC8452 */ #include "testutils.h" #include "ghash-internal.h" #include "block-internal.h" #include "aes.h" #include "siv-gcm.h" static const struct nettle_aead_message siv_gcm_aes128 = { "siv_gcm_aes128", sizeof(struct aes128_ctx), AES128_KEY_SIZE, SIV_GCM_DIGEST_SIZE, 1, /* Supports in-place operation. */ (nettle_set_key_func*) aes128_set_encrypt_key, (nettle_set_key_func*) aes128_set_encrypt_key, (nettle_encrypt_message_func*) siv_gcm_aes128_encrypt_message, (nettle_decrypt_message_func*) siv_gcm_aes128_decrypt_message, }; static const struct nettle_aead_message siv_gcm_aes256 = { "siv_gcm_aes256", sizeof(struct aes256_ctx), AES256_KEY_SIZE, SIV_GCM_DIGEST_SIZE, 1, /* Supports in-place operation. */ (nettle_set_key_func*) aes256_set_encrypt_key, (nettle_set_key_func*) aes256_set_encrypt_key, (nettle_encrypt_message_func*) siv_gcm_aes256_encrypt_message, (nettle_decrypt_message_func*) siv_gcm_aes256_decrypt_message, }; static void test_polyval_internal (const struct tstring *key, const struct tstring *message, const struct tstring *digest) { ASSERT (key->length == GCM_BLOCK_SIZE); ASSERT (message->length % GCM_BLOCK_SIZE == 0); ASSERT (digest->length == GCM_BLOCK_SIZE); struct gcm_key gcm_key; union nettle_block16 state; memcpy (state.b, key->data, GCM_BLOCK_SIZE); _siv_ghash_set_key (&gcm_key, &state); block16_zero (&state); _siv_ghash_update (&gcm_key, &state, message->length / GCM_BLOCK_SIZE, message->data); block16_bswap (&state, &state); if (!MEMEQ(GCM_BLOCK_SIZE, state.b, digest->data)) { fprintf (stderr, "POLYVAL failed\n"); fprintf (stderr, "Key: "); tstring_print_hex (key); fprintf (stderr, "\nMessage: "); tstring_print_hex (message); fprintf (stderr, "\nOutput: "); print_hex (GCM_BLOCK_SIZE, state.b); fprintf (stderr, "\nExpected:"); tstring_print_hex (digest); fprintf (stderr, "\n"); FAIL(); } } void test_main(void) { /* RFC8452, Appendix A. */ test_polyval_internal (SHEX("25629347589242761d31f826ba4b757b"), SHEX("4f4f95668c83dfb6401762bb2d01a262" "d1a24ddd2721d006bbe45f20d3c9f362"), SHEX("f7a3b47b846119fae5b7866cf5e5b77e")); /* RFC8452, Appendix C.1. */ test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX(""), SHEX("dc20e2d83f25705bb49e439eca56de25")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("0100000000000000"), SHEX("b5d839330ac7b786578782fff6013b81" "5b287c22493a364c")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("010000000000000000000000"), SHEX("7323ea61d05932260047d942a4978db3" "57391a0bc4fdec8b0d106639")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000"), SHEX("743f7c8077ab25f8624e2e948579cf77" "303aaf90f6fe21199c6068577437a0c4")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000"), SHEX("84e07e62ba83a6585417245d7ec413a9" "fe427d6315c09b57ce45f2e3936a9445" "1a8e45dcd4578c667cd86847bf6155ff")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "03000000000000000000000000000000"), SHEX("3fd24ce1f5a67b75bf2351f181a475c7" "b800a5b4d3dcf70106b1eea82fa1d64d" "f42bf7226122fa92e17a40eeaac1201b" "5e6e311dbf395d35b0fe39c2714388f8")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000"), SHEX("2433668f1058190f6d43e360f4f35cd8" "e475127cfca7028ea8ab5c20f7ab2af0" "2516a2bdcbc08d521be37ff28c152bba" "36697f25b4cd169c6590d1dd39566d3f" "8a263dd317aa88d56bdf3936dba75bb8")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("0200000000000000"), SHEX("1e6daba35669f4273b0a1a2560969cdf" "790d99759abd1508")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("020000000000000000000000"), SHEX("296c7889fd99f41917f4462008299c51" "02745aaa3a0c469fad9e075a")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000"), SHEX("e2b0c5da79a901c1745f700525cb335b" "8f8936ec039e4e4bb97ebd8c4457441f")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000"), SHEX("620048ef3c1e73e57e02bb8562c416a3" "19e73e4caac8e96a1ecb2933145a1d71" "e6af6a7f87287da059a71684ed3498e1")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000"), SHEX("50c8303ea93925d64090d07bd109dfd9" "515a5a33431019c17d93465999a8b005" "3201d723120a8562b838cdff25bf9d1e" "6a8cc3865f76897c2e4b245cf31c51f2")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000" "05000000000000000000000000000000"), SHEX("2f5c64059db55ee0fb847ed513003746" "aca4e61c711b5de2e7a77ffd02da42fe" "ec601910d3467bb8b36ebbaebce5fba3" "0d36c95f48a3e7980f0e7ac299332a80" "cdc46ae475563de037001ef84ae21744")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("010000000000000000000000"), SHEX("02000000"), SHEX("a8fe3e8707eb1f84fb28f8cb73de8e99" "e2f48a14")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01000000000000000000000000000000" "0200"), SHEX("03000000000000000000000000000000" "04000000"), SHEX("6bb0fecf5ded9b77f902c7d5da236a43" "91dd029724afc9805e976f451e6d87f6" "fe106514")); test_aead_message(&siv_gcm_aes128, SHEX("01000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01000000000000000000000000000000" "02000000"), SHEX("03000000000000000000000000000000" "0400"), SHEX("44d0aaf6fb2f1f34add5e8064e83e12a" "2adabff9b2ef00fb47920cc72a0c0f13" "b9fd")); test_aead_message(&siv_gcm_aes128, SHEX("e66021d5eb8e4f4066d4adb9c33560e4"), SHEX("f46e44bb3da0015c94f70887"), SHEX(""), SHEX(""), SHEX("a4194b79071b01a87d65f706e3949578")); test_aead_message(&siv_gcm_aes128, SHEX("36864200e0eaf5284d884a0e77d31646"), SHEX("bae8e37fc83441b16034566b"), SHEX("46bb91c3c5"), SHEX("7a806c"), SHEX("af60eb711bd85bc1e4d3e0a462e074ee" "a428a8")); test_aead_message(&siv_gcm_aes128, SHEX("aedb64a6c590bc84d1a5e269e4b47801"), SHEX("afc0577e34699b9e671fdd4f"), SHEX("fc880c94a95198874296"), SHEX("bdc66f146545"), SHEX("bb93a3e34d3cd6a9c45545cfc11f03ad" "743dba20f966")); test_aead_message(&siv_gcm_aes128, SHEX("d5cc1fd161320b6920ce07787f86743b"), SHEX("275d1ab32f6d1f0434d8848c"), SHEX("046787f3ea22c127aaf195d1894728"), SHEX("1177441f195495860f"), SHEX("4f37281f7ad12949d01d02fd0cd174c8" "4fc5dae2f60f52fd2b")); test_aead_message(&siv_gcm_aes128, SHEX("b3fed1473c528b8426a582995929a149"), SHEX("9e9ad8780c8d63d0ab4149c0"), SHEX("c9882e5386fd9f92ec489c8fde2be2cf" "97e74e93"), SHEX("9f572c614b4745914474e7c7"), SHEX("f54673c5ddf710c745641c8bc1dc2f87" "1fb7561da1286e655e24b7b0")); test_aead_message(&siv_gcm_aes128, SHEX("2d4ed87da44102952ef94b02b805249b"), SHEX("ac80e6f61455bfac8308a2d4"), SHEX("2950a70d5a1db2316fd568378da107b5" "2b0da55210cc1c1b0a"), SHEX("0d8c8451178082355c9e940fea2f58"), SHEX("c9ff545e07b88a015f05b274540aa183" "b3449b9f39552de99dc214a1190b0b")); test_aead_message(&siv_gcm_aes128, SHEX("bde3b2f204d1e9f8b06bc47f9745b3d1"), SHEX("ae06556fb6aa7890bebc18fe"), SHEX("1860f762ebfbd08284e421702de0de18" "baa9c9596291b08466f37de21c7f"), SHEX("6b3db4da3d57aa94842b9803a96e07fb" "6de7"), SHEX("6298b296e24e8cc35dce0bed484b7f30" "d5803e377094f04709f64d7b985310a4" "db84")); test_aead_message(&siv_gcm_aes128, SHEX("f901cfe8a69615a93fdf7a98cad48179"), SHEX("6245709fb18853f68d833640"), SHEX("7576f7028ec6eb5ea7e298342a94d4b2" "02b370ef9768ec6561c4fe6b7e7296fa" "859c21"), SHEX("e42a3c02c25b64869e146d7b233987bd" "dfc240871d"), SHEX("391cc328d484a4f46406181bcd62efd9" "b3ee197d052d15506c84a9edd65e13e9" "d24a2a6e70")); /* RFC8452, Appendix C.2. */ test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX(""), SHEX("07f5f4169bbf55a8400cd47ea6fd400f")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("0100000000000000"), SHEX("c2ef328e5c71c83b843122130f7364b7" "61e0b97427e3df28")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("010000000000000000000000"), SHEX("9aab2aeb3faa0a34aea8e2b18ca50da9" "ae6559e48fd10f6e5c9ca17e")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000"), SHEX("85a01b63025ba19b7fd3ddfc033b3e76" "c9eac6fa700942702e90862383c6c366")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000"), SHEX("4a6a9db4c8c6549201b9edb53006cba8" "21ec9cf850948a7c86c68ac7539d027f" "e819e63abcd020b006a976397632eb5d")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "03000000000000000000000000000000"), SHEX("c00d121893a9fa603f48ccc1ca3c57ce" "7499245ea0046db16c53c7c66fe717e3" "9cf6c748837b61f6ee3adcee17534ed5" "790bc96880a99ba804bd12c0e6a22cc4")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX(""), SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000"), SHEX("c2d5160a1f8683834910acdafc41fbb1" "632d4a353e8b905ec9a5499ac34f96c7" "e1049eb080883891a4db8caaa1f99dd0" "04d80487540735234e3744512c6f90ce" "112864c269fc0d9d88c61fa47e39aa08")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("0200000000000000"), SHEX("1de22967237a813291213f267e3b452f" "02d01ae33e4ec854")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("020000000000000000000000"), SHEX("163d6f9cc1b346cd453a2e4cc1a4a19a" "e800941ccdc57cc8413c277f")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000"), SHEX("c91545823cc24f17dbb0e9e807d5ec17" "b292d28ff61189e8e49f3875ef91aff7")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000"), SHEX("07dad364bfc2b9da89116d7bef6daaaf" "6f255510aa654f920ac81b94e8bad365" "aea1bad12702e1965604374aab96dbbc")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000"), SHEX("c67a1f0f567a5198aa1fcc8e3f213143" "36f7f51ca8b1af61feac35a86416fa47" "fbca3b5f749cdf564527f2314f42fe25" "03332742b228c647173616cfd44c54eb")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01"), SHEX("02000000000000000000000000000000" "03000000000000000000000000000000" "04000000000000000000000000000000" "05000000000000000000000000000000"), SHEX("67fd45e126bfb9a79930c43aad2d3696" "7d3f0e4d217c1e551f59727870beefc9" "8cb933a8fce9de887b1e40799988db1f" "c3f91880ed405b2dd298318858467c89" "5bde0285037c5de81e5b570a049b62a0")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("010000000000000000000000"), SHEX("02000000"), SHEX("22b3f4cd1835e517741dfddccfa07fa4" "661b74cf")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01000000000000000000000000000000" "0200"), SHEX("03000000000000000000000000000000" "04000000"), SHEX("43dd0163cdb48f9fe3212bf61b201976" "067f342bb879ad976d8242acc188ab59" "cabfe307")); test_aead_message(&siv_gcm_aes256, SHEX("01000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("030000000000000000000000"), SHEX("01000000000000000000000000000000" "02000000"), SHEX("03000000000000000000000000000000" "0400"), SHEX("462401724b5ce6588d5a54aae5375513" "a075cfcdf5042112aa29685c912fc205" "6543")); test_aead_message(&siv_gcm_aes256, SHEX("e66021d5eb8e4f4066d4adb9c33560e4" "f46e44bb3da0015c94f7088736864200"), SHEX("e0eaf5284d884a0e77d31646"), SHEX(""), SHEX(""), SHEX("169fbb2fbf389a995f6390af22228a62")); test_aead_message(&siv_gcm_aes256, SHEX("bae8e37fc83441b16034566b7a806c46" "bb91c3c5aedb64a6c590bc84d1a5e269"), SHEX("e4b47801afc0577e34699b9e"), SHEX("4fbdc66f14"), SHEX("671fdd"), SHEX("0eaccb93da9bb81333aee0c785b240d3" "19719d")); test_aead_message(&siv_gcm_aes256, SHEX("6545fc880c94a95198874296d5cc1fd1" "61320b6920ce07787f86743b275d1ab3"), SHEX("2f6d1f0434d8848c1177441f"), SHEX("6787f3ea22c127aaf195"), SHEX("195495860f04"), SHEX("a254dad4f3f96b62b84dc40c84636a5e" "c12020ec8c2c")); test_aead_message(&siv_gcm_aes256, SHEX("d1894728b3fed1473c528b8426a58299" "5929a1499e9ad8780c8d63d0ab4149c0"), SHEX("9f572c614b4745914474e7c7"), SHEX("489c8fde2be2cf97e74e932d4ed87d"), SHEX("c9882e5386fd9f92ec"), SHEX("0df9e308678244c44bc0fd3dc6628dfe" "55ebb0b9fb2295c8c2")); test_aead_message(&siv_gcm_aes256, SHEX("a44102952ef94b02b805249bac80e6f6" "1455bfac8308a2d40d8c845117808235"), SHEX("5c9e940fea2f582950a70d5a"), SHEX("0da55210cc1c1b0abde3b2f204d1e9f8" "b06bc47f"), SHEX("1db2316fd568378da107b52b"), SHEX("8dbeb9f7255bf5769dd56692404099c2" "587f64979f21826706d497d5")); test_aead_message(&siv_gcm_aes256, SHEX("9745b3d1ae06556fb6aa7890bebc18fe" "6b3db4da3d57aa94842b9803a96e07fb"), SHEX("6de71860f762ebfbd08284e4"), SHEX("f37de21c7ff901cfe8a69615a93fdf7a" "98cad481796245709f"), SHEX("21702de0de18baa9c9596291b08466"), SHEX("793576dfa5c0f88729a7ed3c2f1bffb3" "080d28f6ebb5d3648ce97bd5ba67fd")); test_aead_message(&siv_gcm_aes256, SHEX("b18853f68d833640e42a3c02c25b6486" "9e146d7b233987bddfc240871d7576f7"), SHEX("028ec6eb5ea7e298342a94d4"), SHEX("9c2159058b1f0fe91433a5bdc20e214e" "ab7fecef4454a10ef0657df21ac7"), SHEX("b202b370ef9768ec6561c4fe6b7e7296" "fa85"), SHEX("857e16a64915a787637687db4a951963" "5cdd454fc2a154fea91f8363a39fec7d" "0a49")); test_aead_message(&siv_gcm_aes256, SHEX("3c535de192eaed3822a2fbbe2ca9dfc8" "8255e14a661b8aa82cc54236093bbc23"), SHEX("688089e55540db1872504e1c"), SHEX("734320ccc9d9bbbb19cb81b2af4ecbc3" "e72834321f7aa0f70b7282b4f33df23f" "167541"), SHEX("ced532ce4159b035277d4dfbb7db6296" "8b13cd4eec"), SHEX("626660c26ea6612fb17ad91e8e767639" "edd6c9faee9d6c7029675b89eaf4ba1d" "ed1a286594")); /* RFC8452, Appendix C.3. */ test_aead_message(&siv_gcm_aes256, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000" "4db923dc793ee6497c76dcc03a98e108"), SHEX("f3f80f2cf0cb2dd9c5984fcda908456c" "c537703b5ba70324a6793a7bf218d3ea" "ffffffff000000000000000000000000")); test_aead_message(&siv_gcm_aes256, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX(""), SHEX("eb3640277c7ffd1303c7a542d02d3e4c" "0000000000000000"), SHEX("18ce4f0b8cb4d0cac65fea8f79257b20" "888e53e72299e56dffffffff00000000" "0000000000000000")); } nettle-3.10/testsuite/ecdsa-verify-test.c0000644000175000017500000001504114633602172017514 0ustar nissenisse#include "testutils.h" static void test_ecdsa (const struct ecc_curve *ecc, /* Public key */ const char *xs, const char *ys, /* Hash */ struct tstring *h, /* Valid signature */ const char *r, const char *s) { struct ecc_point pub; struct dsa_signature signature; mpz_t x, y; ecc_point_init (&pub, ecc); dsa_signature_init (&signature); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); if (!ecc_point_set (&pub, x, y)) die ("ecc_point_set failed.\n"); mpz_set_str (signature.r, r, 16); mpz_set_str (signature.s, s, 16); if (!ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify failed with valid signature.\n"); fail: fprintf (stderr, "bit_size = %u\nx = ", ecc->p.bit_size); mpz_out_str (stderr, 16, x); fprintf (stderr, "\ny = "); mpz_out_str (stderr, 16, y); fprintf (stderr, "\ndigest "); print_hex (h->length, h->data); fprintf (stderr, "r = "); mpz_out_str (stderr, 16, signature.r); fprintf (stderr, "\ns = "); mpz_out_str (stderr, 16, signature.s); fprintf (stderr, "\n"); abort(); } mpz_combit (signature.r, ecc->p.bit_size / 3); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature (r modified).\n"); goto fail; } mpz_combit (signature.r, ecc->p.bit_size / 3); mpz_combit (signature.s, 4*ecc->p.bit_size / 5); if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature (s modified).\n"); goto fail; } mpz_combit (signature.s, 4*ecc->p.bit_size / 5); h->data[2*h->length / 3] ^= 0x40; if (ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify unexpectedly succeeded with invalid signature (h modified).\n"); goto fail; } h->data[2*h->length / 3] ^= 0x40; if (!ecdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "ecdsa_verify failed, internal testsuite error.\n"); goto fail; } ecc_point_clear (&pub); dsa_signature_clear (&signature); mpz_clear (x); mpz_clear (y); } void test_main (void) { /* Corresponds to nonce k = 2 and private key z = 0x99b5b787484def12894ca507058b3bf543d72d82fa7721d2e805e5e6. z and hash are chosen so that intermediate scalars in the verify equations are u1 = 0x6b245680e700, u2 = 259da6542d4ba7d21ad916c3bd57f811. These values require canonical reduction of the scalars. Bug caused by missing canonical reduction reported by Guido Vranken. */ test_ecdsa (&_nettle_secp_224r1, "9e7e6cc6b1bdfa8ee039b66ad85e5490" "7be706a900a3cba1c8fdd014", /* x */ "74855db3f7c1b4097ae095745fc915e3" "8a79d2a1de28f282eafb22ba", /* y */ SHEX("cdb887ac805a3b42e22d224c85482053" "16c755d4a736bb2032c92553"), "706a46dc76dcb76798e60e6d89474788" "d16dc18032d268fd1a704fa6", /* r */ "3a41e1423b1853e8aa89747b1f987364" "44705d6d6d8371ea1f578f2e"); /* s */ /* Test case provided by Guido Vranken, from oss-fuzz */ test_ecdsa (&_nettle_secp_192r1, "14683086 f1734c6d e68743a6 48181b54 a74d4c5b 383eb6a8", /* x */ " 1e2584 2ab8b2b0 4017f655 1b5e4058 a2aa0612 2dae9344", /* y */ SHEX("00"), /* h == 0 corner case*/ "952800792ed19341fdeeec047f2514f3b0f150d6066151fb", /* r */ "ec5971222014878b50d7a19d8954bc871e7e65b00b860ffb"); /* s */ /* Test case provided by Guido Vranken, from oss-fuzz. Triggers point duplication in the verify operation by using private key = 1 (public key = generator) and hash = r. */ test_ecdsa (&_nettle_secp_256r1, "6B17D1F2E12C4247F8BCE6E563A440F2" "77037D812DEB33A0F4A13945D898C296", /* x */ "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" "2BCE33576B315ECECBB6406837BF51F5", /* y */ SHEX("6ff03b949241ce1dadd43519e6960e0a" "85b41a69a05c328103aa2bce1594ca16"), /* hash */ "6ff03b949241ce1dadd43519e6960e0a" "85b41a69a05c328103aa2bce1594ca16", /* r */ "53f097727a0e0dc284a0daa0da0ab77d" "5792ae67ed075d1f8d5bda0f853fa093"); /* s */ /* From RFC 4754 */ test_ecdsa (&_nettle_secp_256r1, "2442A5CC 0ECD015F A3CA31DC 8E2BBC70" "BF42D60C BCA20085 E0822CB0 4235E970", /* x */ "6FC98BD7 E50211A4 A27102FA 3549DF79" "EBCB4BF2 46B80945 CDDFE7D5 09BBFD7D", /* y */ SHEX("BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"), /* h */ "CB28E099 9B9C7715 FD0A80D8 E47A7707" "9716CBBF 917DD72E 97566EA1 C066957C", /* r */ "86FA3BB4 E26CAD5B F90B7F81 899256CE" "7594BB1E A0C89212 748BFF3B 3D5B0315"); /* s */ test_ecdsa (&_nettle_secp_384r1, "96281BF8 DD5E0525 CA049C04 8D345D30" "82968D10 FEDF5C5A CA0C64E6 465A97EA" "5CE10C9D FEC21797 41571072 1F437922", /* x */ "447688BA 94708EB6 E2E4D59F 6AB6D7ED" "FF9301D2 49FE49C3 3096655F 5D502FAD" "3D383B91 C5E7EDAA 2B714CC9 9D5743CA", /* y */ SHEX("CB00753F 45A35E8B B5A03D69 9AC65007" "272C32AB 0EDED163 1A8B605A 43FF5BED" "8086072B A1E7CC23 58BAECA1 34C825A7"), /* h */ "FB017B91 4E291494 32D8BAC2 9A514640" "B46F53DD AB2C6994 8084E293 0F1C8F7E" "08E07C9C 63F2D21A 07DCB56A 6AF56EB3", /* r */ "B263A130 5E057F98 4D38726A 1B468741" "09F417BC A112674C 528262A4 0A629AF1" "CBB9F516 CE0FA7D2 FF630863 A00E8B9F"); /* s*/ test_ecdsa (&_nettle_secp_521r1, "0151518F 1AF0F563 517EDD54 85190DF9" "5A4BF57B 5CBA4CF2 A9A3F647 4725A35F" "7AFE0A6D DEB8BEDB CD6A197E 592D4018" "8901CECD 650699C9 B5E456AE A5ADD190" "52A8", /* x */ "006F3B14 2EA1BFFF 7E2837AD 44C9E4FF" "6D2D34C7 3184BBAD 90026DD5 E6E85317" "D9DF45CA D7803C6C 20035B2F 3FF63AFF" "4E1BA64D 1C077577 DA3F4286 C58F0AEA" "E643", /* y */ SHEX("DDAF35A1 93617ABA CC417349 AE204131" "12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A" "2192992A 274FC1A8 36BA3C23 A3FEEBBD" "454D4423 643CE80E 2A9AC94F A54CA49F"), /* h */ "0154FD38 36AF92D0 DCA57DD5 341D3053" "988534FD E8318FC6 AAAAB68E 2E6F4339" "B19F2F28 1A7E0B22 C269D93C F8794A92" "78880ED7 DBB8D936 2CAEACEE 54432055" "2251", /* r */ "017705A7 030290D1 CEB605A9 A1BB03FF" "9CDD521E 87A696EC 926C8C10 C8362DF4" "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ } nettle-3.10/testsuite/umac-test.c0000644000175000017500000003752014633602172016066 0ustar nissenisse#include "testutils.h" #include "umac.h" /* FIXME: Missing tests: Getting to unlikely cases in the poly64 and poly128 operations. */ static void update (void *ctx, nettle_hash_update_func *f, const struct tstring *msg, size_t length) { for (; length > msg->length; length -= msg->length) f(ctx, msg->length, msg->data); f(ctx, length, msg->data); } static void check_digest (const char *name, void *ctx, nettle_hash_digest_func *f, const struct tstring *msg, size_t length, size_t tag_length, const uint8_t *ref) { uint8_t tag[16]; f(ctx, tag_length, tag); if (memcmp (tag, ref, tag_length) != 0) { printf ("%s failed\n", name); printf ("msg: "); print_hex (msg->length, msg->data); printf ("length: %lu\n", (unsigned long) length); printf ("tag: "); print_hex (tag_length, tag); printf ("ref: "); print_hex (tag_length, ref); abort (); } } static void test_umac (const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, size_t length, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) { struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; ASSERT (key->length == UMAC_KEY_SIZE); ASSERT (ref32->length == 4); ASSERT (ref64->length == 8); ASSERT (ref128->length == 16); umac32_set_key (&ctx32, key->data); umac32_set_nonce (&ctx32, nonce->length, nonce->data); update(&ctx32, (nettle_hash_update_func *) umac32_update, msg, length); check_digest ("umac32", &ctx32, (nettle_hash_digest_func *) umac32_digest, msg, length, 4, ref32->data); umac64_set_key (&ctx64, key->data); umac64_set_nonce (&ctx64, nonce->length, nonce->data); update(&ctx64, (nettle_hash_update_func *) umac64_update, msg, length); check_digest ("umac64", &ctx64, (nettle_hash_digest_func *) umac64_digest, msg, length, 8, ref64->data); umac96_set_key (&ctx96, key->data); umac96_set_nonce (&ctx96, nonce->length, nonce->data); update(&ctx96, (nettle_hash_update_func *) umac96_update, msg, length); check_digest ("umac96", &ctx96, (nettle_hash_digest_func *) umac96_digest, msg, length, 12, ref128->data); umac128_set_key (&ctx128, key->data); umac128_set_nonce (&ctx128, nonce->length, nonce->data); update(&ctx128, (nettle_hash_update_func *) umac128_update, msg, length); check_digest ("umac128", &ctx128, (nettle_hash_digest_func *) umac128_digest, msg, length, 16, ref128->data); } static void test_align(const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, size_t length, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) { uint8_t *buffer = xalloc(length + 16); unsigned offset; for (offset = 0; offset < 16; offset++) { struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; uint8_t *input; size_t i; memset(buffer, 17, length + 16); input = buffer + offset; for (i = 0; i + msg->length < length; i += msg->length) memcpy (input + i, msg->data, msg->length); memcpy (input + i, msg->data, length - i); umac32_set_key (&ctx32, key->data); umac32_set_nonce (&ctx32, nonce->length, nonce->data); umac32_update(&ctx32, length, input); check_digest ("umac32 (alignment)", &ctx32, (nettle_hash_digest_func *) umac32_digest, msg, length, 4, ref32->data); umac64_set_key (&ctx64, key->data); umac64_set_nonce (&ctx64, nonce->length, nonce->data); umac64_update(&ctx64, length, input); check_digest ("umac64 (alignment)", &ctx64, (nettle_hash_digest_func *) umac64_digest, msg, length, 8, ref64->data); umac96_set_key (&ctx96, key->data); umac96_set_nonce (&ctx96, nonce->length, nonce->data); umac96_update(&ctx96, length, input); check_digest ("umac96 (alignment)", &ctx96, (nettle_hash_digest_func *) umac96_digest, msg, length, 12, ref128->data); umac128_set_key (&ctx128, key->data); umac128_set_nonce (&ctx128, nonce->length, nonce->data); umac128_update(&ctx128, length, input); check_digest ("umac128 (alignment)", &ctx128, (nettle_hash_digest_func *) umac128_digest, msg, length, 16, ref128->data); } free (buffer); } static void test_incr (const struct tstring *key, const struct tstring *nonce, unsigned count, const struct tstring *msg, const struct tstring *ref32, const struct tstring *ref64, const struct tstring *ref128) { struct umac32_ctx ctx32; struct umac64_ctx ctx64; struct umac96_ctx ctx96; struct umac128_ctx ctx128; unsigned i; ASSERT (key->length == UMAC_KEY_SIZE); ASSERT (ref32->length == 4 * count); ASSERT (ref64->length == 8 * count); ASSERT (ref128->length == 16 * count); umac32_set_key (&ctx32, key->data); umac64_set_key (&ctx64, key->data); umac96_set_key (&ctx96, key->data); umac128_set_key (&ctx128, key->data); if (nonce) { umac32_set_nonce (&ctx32, nonce->length, nonce->data); umac64_set_nonce (&ctx64, nonce->length, nonce->data); umac96_set_nonce (&ctx96, nonce->length, nonce->data); umac128_set_nonce (&ctx128, nonce->length, nonce->data); } for (i = 0; i < count; i++) { umac32_update (&ctx32, msg->length, msg->data); check_digest ("umac32 incr", &ctx32, (nettle_hash_digest_func *) umac32_digest, msg, i, 4, ref32->data + 4*i); umac64_update (&ctx64, msg->length, msg->data); check_digest ("umac64 incr", &ctx64, (nettle_hash_digest_func *) umac64_digest, msg, i, 8, ref64->data + 8*i); umac96_update (&ctx96, msg->length, msg->data); check_digest ("umac96 incr", &ctx96, (nettle_hash_digest_func *) umac96_digest, msg, i, 12, ref128->data + 16*i); umac128_update (&ctx128, msg->length, msg->data); check_digest ("umac128 incr", &ctx128, (nettle_hash_digest_func *) umac128_digest, msg, i, 16, ref128->data + 16*i); } } void test_main(void) { /* From RFC 4418 (except that it lacks the last 32 bits of 128-bit tags) */ test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA(""), 0, SHEX("113145FB"), SHEX("6E155FAD26900BE1"), SHEX("32fedb100c79ad58f07ff7643cc60465")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("a"), 3, SHEX("3B91D102"), SHEX("44B5CB542F220104"), SHEX("185e4fe905cba7bd85e4c2dc3d117d8d")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("a"), 1<<10, SHEX("599B350B"), SHEX("26BF2F5D60118BD9"), SHEX("7a54abe04af82d60fb298c3cbd195bcb")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("aaaaaaaa"), 1<<15, SHEX("58DCF532"), SHEX("27F8EF643B0D118D"), SHEX("7b136bd911e4b734286ef2be501f2c3c")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("aaaaaaaa"), 1<<20, SHEX("DB6364D1"), SHEX("A4477E87E9F55853"), SHEX("f8acfa3ac31cfeea047f7b115b03bef5")); /* Needs POLY128 */ /* For the 'a' * 2^25 testcase, see errata http://fastcrypto.org/umac/rfc4418.errata.txt */ test_umac (SDATA("abcdefghijklmnop"), SDATA ("bcdefghi"), SDATA ("aaaaaaaa"), 1<<25, SHEX("85EE5CAE"), SHEX("FACA46F856E9B45F"), SHEX("a621c2457c0012e64f3fdae9e7e1870c")); test_umac (SDATA("abcdefghijklmnop"), SDATA ("bcdefghi"), SDATA ("abc"), 3, SHEX("ABF3A3A0"), SHEX("D4D7B9F6BD4FBFCF"), SHEX("883c3d4b97a61976ffcf232308cba5a5")); test_umac (SDATA("abcdefghijklmnop"), SDATA ("bcdefghi"), SDATA ("abc"), 1500, SHEX("ABEB3C8B"), SHEX("D4CF26DDEFD5C01A"), SHEX("8824a260c53c66a36c9260a62cb83aa1")); test_incr (SDATA("abcdefghijklmnop"), NULL, 6, SDATA("zero"), SHEX("a0e94011 8c6fea51 6d897143 db1b28c5 a75e23b7 44ea26be"), SHEX("a0e940111c9c2cd5 6d8971434be8ee41 c9c9aef87e2be502" "a0a112b593656107 a75e23b7d419e03a 950526f26a8cc07a"), SHEX("a0e940111c9c2cd5fa59090e3ac2061f" "cbbf18b799fd0f4afb9216e52a89f247" "c9c9aef87e2be50237716af8e24f8959" "d6e96ef461f54d1c85aa66cbd76ca336" "a75e23b7d419e03a02d55ebf1ba62824" "2e63031d182a59b84f148d9a91de70a3")); test_incr (SDATA("abcdefghijklmnop"), SDATA("a"), 5, SDATA("nonce-a"), SHEX("81b4ac24 b7e8aad0 f70246fe 0595f0bf a8e9fe85"), SHEX("b7e8aad0da6e7f99 138814c6a03bdadf fb77dd1cd4c7074f" "0595f0bf8585c7e2 817c0b7757cb60f7"), SHEX("d7604bffb5e368da5fe564da0068d2cc" "138814c6a03bdadff7f1666e1bd881aa" "86a016d9e67957c8ab5ebb78a673e4e9" "0595f0bf8585c7e28dfab00598d4e612" "3266ec16a9d85b4f0dc74ec8272238a9")); test_incr (SDATA("abcdefghijklmnop"), SHEX("beafcafe"), 5, SDATA("nonce-beaf-cafe"), SHEX("f19d9dc1 4604a56a 4ba9420e da86ff71 77facd79"), SHEX("9e878413aa079032 9cfd7af0bb107748 4ba9420e55b6ba13" "77facd797b686e24 9000c0de4f5f7236"), SHEX("9e878413aa0790329604f3b6ae980e58" "f2b2dd5dab08bb3bc5e9a83e1b4ab2e7" "4ba9420e55b6ba137d03443f6ee01734" "2721ca2e1bcda53a54ae65e0da139c0d" "9000c0de4f5f7236b81ae1a52e78a821")); /* Tests exercising various sizes of nonce and data: All nonce lengths from 1 to 16 bytes. Data sizes chosen for testing for various off-by-one errors, 0, 1, 2, 3, 4, 1020, 1021, 1022, 1023, 1024, 1025, 1026, 1027, 2046, 2047, 2048, 2049, 2050 16777212, 16777213, 16777214, 16777215, 16777216, 16777217, 16778239, 16778240, 16778241, 16778242, 16778243, 16778244 */ test_umac (SDATA("abcdefghijklmnop"), SDATA("b"), SDATA("defdefdefdefdef"), 0, SHEX("3a58486b"), SHEX("9e38f67da91a08d9"), SHEX("9e38f67da91a08d9c980f4db4089c877")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bc"), SDATA("defdefdefdefdef"), 1, SHEX("d86b1512"), SHEX("fb0e207971b8e66a"), SHEX("ef406c2ec70d0222f59e860eabb79ed0")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcd"), SDATA("defdefdefdefdef"), 2, SHEX("1ae6e02d"), SHEX("1ae6e02d73aa9ab2"), SHEX("1ae6e02d73aa9ab2a27fb89e014dc07b")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcde"), SDATA("defdefdefdefdef"), 3, SHEX("e8c1eb59"), SHEX("c81cf22342e84302"), SHEX("82626d0d575e01038e5e2cc6408216f5")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdef"), SDATA("defdefdefdefdef"), 4, SHEX("8950f0d3"), SHEX("aba003e7bd673cc3"), SHEX("aba003e7bd673cc368ba8513cecf2e7c")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefg"), SDATA("defdefdefdefdef"), 1020, SHEX("7412167c"), SHEX("f98828a161bb4ae3"), SHEX("d8b4811f747d588d7a913360960de7cf")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefgh"), SDATA("defdefdefdefdef"), 1021, SHEX("2d54936b"), SHEX("2d54936be5bff72d"), SHEX("2d54936be5bff72d2e1052361163b474")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("defdefdefdefdef"), 1022, SHEX("53ca8dd2"), SHEX("2cee9784556387b3"), SHEX("700513397f8a210a98938d3e7ac3bd88")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghij"), SDATA("defdefdefdefdef"), 1023, SHEX("26cc58df"), SHEX("24ac4284ca371f42"), SHEX("24ac4284ca371f4280f60bd274633d67")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijk"), SDATA("defdefdefdefdef"), 1024, SHEX("3cada45a"), SHEX("64c6a0fd14615a76"), SHEX("abc223116cedd2db5af365e641a97539")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijkl"), SDATA("defdefdefdefdef"), 1025, SHEX("93251e18"), SHEX("93251e18e56bbdc4"), SHEX("93251e18e56bbdc457de556f95c59931")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklm"), SDATA("defdefdefdefdef"), 1026, SHEX("24a4c3ab"), SHEX("5d98bd8dfaf16352"), SHEX("c1298672e52386753383a15ed58c0e42")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmn"), SDATA("defdefdefdefdef"), 1027, SHEX("e7e98945"), SHEX("5b0557c9fdcf661b"), SHEX("5b0557c9fdcf661b1758efc603516ebe")); /* Test varying the alignment of the buffer eventually passed to _umac_nh and _umac_nh_n. */ test_align (SDATA("abcdefghijklmnop"), SDATA("bcdefghijk"), SDATA("defdefdefdefdef"), 1024, SHEX("3cada45a"), SHEX("64c6a0fd14615a76"), SHEX("abc223116cedd2db5af365e641a97539")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmno"), SDATA("defdefdefdefdef"), 2046, SHEX("e12ddc9f"), SHEX("65e85d47447c2277"), SHEX("16bb5183017826ed47c9995c1e5834f3")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmnop"), SDATA("defdefdefdefdef"), 2047, SHEX("34d723a6"), SHEX("34d723a6cb1676d3"), SHEX("34d723a6cb1676d3547a5064dc5b0a37")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmnopq"), SDATA("defdefdefdefdef"), 2048, SHEX("21fd8802"), SHEX("3968d5d0af147884"), SHEX("84565620def1e3a614d274e87626f215")); test_umac (SDATA("abcdefghijklmnop"), SDATA("b"), SDATA("defdefdefdefdef"), 2049, SHEX("097e5abd"), SHEX("ad1ee4ab606061c5"), SHEX("ad1ee4ab606061c55e0d2ecfee59940a")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bc"), SDATA("defdefdefdefdef"), 2050, SHEX("a03a7fe9"), SHEX("835f4a8242100055"), SHEX("971106d5f4a5e41dce40a91704cfe1f3")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcd"), SDATA("defdefdefdefdef"), 16777212, SHEX("7ef41cf3"), SHEX("7ef41cf351960aaf"), SHEX("7ef41cf351960aaf729bb19fcee7d8c4")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcde"), SDATA("defdefdefdefdef"), 16777213, SHEX("8bf81932"), SHEX("ab250048807ff640"), SHEX("e15b9f6695c9b441de035e9b10b8ac32")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdef"), SDATA("defdefdefdefdef"), 16777214, SHEX("ddb2f0ab"), SHEX("ff42039fcfe1248e"), SHEX("ff42039fcfe1248e36c19efed14d7140")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefg"), SDATA("defdefdefdefdef"), 16777215, SHEX("e67ad507"), SHEX("6be0ebda623d76df"), SHEX("4adc426477fb64b1ce5afd76d505f048")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefgh"), SDATA("defdefdefdefdef"), 16777216, SHEX("42d8562a"), SHEX("42d8562a224a9e9a"), SHEX("42d8562a224a9e9a75c2f85d39462d07")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghi"), SDATA("defdefdefdefdef"), 16777217, SHEX("486b138d"), SHEX("374f09dbb0b84b88"), SHEX("6ba48d669a51ed3195ebc2aa562ee71b")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghij"), SDATA("defdefdefdefdef"), 16778239, SHEX("850cb2c5"), SHEX("876ca89ed045777b"), SHEX("876ca89ed045777bf7efa7934e1758c2")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijk"), SDATA("defdefdefdefdef"), 16778240, SHEX("b9fc4f81"), SHEX("e1974b26fb35f2c6"), SHEX("2e93c8ca83b97a6b1a21082e2a4c540d")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijkl"), SDATA("defdefdefdefdef"), 16778241, SHEX("ffced8f2"), SHEX("ffced8f2494d85bf"), SHEX("ffced8f2494d85bf0cb39408ddfe0295")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklm"), SDATA("defdefdefdefdef"), 16778242, SHEX("1c99c5fb"), SHEX("65a5bbdda3b85368"), SHEX("f9148022bc6ab64f019e9db83704c17b")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmn"), SDATA("defdefdefdefdef"), 16778243, SHEX("ec304be9"), SHEX("50dc9565fbfc4884"), SHEX(" 50dc9565fbfc48844a4be34403804605")); test_umac (SDATA("abcdefghijklmnop"), SDATA("bcdefghijklmno"), SDATA("defdefdefdefdef"), 16778244, SHEX("8034e26f"), SHEX("04f163b7c2d5d849"), SHEX("77a26f7387d1dcd39378a3220652cff7")); } nettle-3.10/testsuite/ripemd160-test.c0000644000175000017500000000215614633602172016645 0ustar nissenisse#include "testutils.h" #include "ripemd160.h" void test_main(void) { test_hash(&nettle_ripemd160, SDATA(""), SHEX("9c1185a5c5e9fc54612808977ee8f548b2258d31")); test_hash(&nettle_ripemd160, SDATA("a"), SHEX("0bdc9d2d256b3ee9daae347be6f4dc835a467ffe")); test_hash(&nettle_ripemd160, SDATA("abc"), SHEX("8eb208f7e05d987a9b044a8e98c6b087f15a0bfc")); test_hash(&nettle_ripemd160, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("f71c27109c692c1b56bbdceb5b9d2865b3708dbc")); test_hash(&nettle_ripemd160, SDATA("message digest"), SHEX("5d0689ef49d2fae572b881b123a85ffa21595f36")); test_hash(&nettle_ripemd160, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz0123456789"), SHEX("b0e20b6e3116640286ed3a87a5713079b21f5189")); test_hash(&nettle_ripemd160, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("9b752e45573d4b39f4dbd3323cab82bf63326bfb")); /* Additional test vector, from Daniel Kahn Gillmor */ test_hash(&nettle_ripemd160, SDATA("38"), SHEX("6b2d075b1cd34cd1c3e43a995f110c55649dad0e")); } nettle-3.10/testsuite/siv-cmac-test.c0000644000175000017500000002127714633602172016645 0ustar nissenisse/* siv-cmac-test.c Self-test and vectors for AES-SIV-CMAC mode ciphers Copyright (C) 2018 Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "aes.h" #include "nettle-types.h" #include "siv-cmac.h" static const struct nettle_aead_message siv_cmac_aes128 = { "siv_cmac_aes128", sizeof(struct siv_cmac_aes128_ctx), SIV_CMAC_AES128_KEY_SIZE, SIV_DIGEST_SIZE, 0, /* No in-place operation. */ (nettle_set_key_func*) siv_cmac_aes128_set_key, (nettle_set_key_func*) siv_cmac_aes128_set_key, (nettle_encrypt_message_func*) siv_cmac_aes128_encrypt_message, (nettle_decrypt_message_func*) siv_cmac_aes128_decrypt_message, }; static const struct nettle_aead_message siv_cmac_aes256 = { "siv_cmac_aes256", sizeof(struct siv_cmac_aes256_ctx), SIV_CMAC_AES256_KEY_SIZE, SIV_DIGEST_SIZE, 0, /* No in-place operation. */ (nettle_set_key_func*) siv_cmac_aes256_set_key, (nettle_set_key_func*) siv_cmac_aes256_set_key, (nettle_encrypt_message_func*) siv_cmac_aes256_encrypt_message, (nettle_decrypt_message_func*) siv_cmac_aes256_decrypt_message, }; void test_main(void) { /* The following tests were checked for interoperability against libaes_siv */ /* * Example with small nonce, no AD and no plaintext */ test_aead_message(&siv_cmac_aes128, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"), SHEX("01"), SHEX(""), SHEX(""), SHEX("c696f84f df92aba3 c31c23d5 f2087513")); /* * Example with small nonce, no AD and plaintext */ test_aead_message(&siv_cmac_aes128, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"), SHEX("02"), SHEX(""), SHEX("00112233 44556677 8899aabb ccddeeff"), SHEX("5027b101 589747b8 865a9790 d3fd51d7" "1f259d40 5bfa260b 9ba1d60a a287fd0b")); /* * Example with length < 16 */ test_aead_message(&siv_cmac_aes128, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"), SHEX("02"), SHEX("10111213 14151617 18191a1b 1c1d1e1f" "20212223 24252627"), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("7300cd9b 3f514a44 ed660db6 14157f59" "f0382e23 ae0e6e62 27a03dd3 2619")); /* * Example with length > 16 */ test_aead_message(&siv_cmac_aes128, SHEX("7f7e7d7c 7b7a7978 77767574 73727170" "40414243 44454647 48494a4b 4c4d4e4f"), SHEX("020304"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("f1dba33d e5b3369e 883f67b6 fc823cee" "a4ffb87f dba97c89 44a62325 f133b4e0" "1ca55276 e2261c1a 1d1d4248 d1da30ba" "52b9c8d7 955d65c8 d2ce6eb7 e367d0")); /* * Example with single AAD, length > 16 */ test_aead_message(&siv_cmac_aes128, SHEX("7f7e7d7c 7b7a7978 77767574 73727170" "40414243 44454647 48494a4b 4c4d4e4f"), SHEX("09f91102 9d74e35b d84156c5 635688c0"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("85825e22 e90cf2dd da2c548d c7c1b631" "0dcdaca0 cebf9dc6 cb90583f 5bf1506e" "02cd4883 2b00e4e5 98b2b22a 53e6199d" "4df0c166 6a35a043 3b250dc1 34d776")); /* * Example with single AAD, length < 16 */ test_aead_message(&siv_cmac_aes128, SHEX("7f7e7d7c 7b7a7978 77767574 73727170" "40414243 44454647 48494a4b 4c4d4e4f"), SHEX("09f91102 9d74e35b d84156c5 635688c0"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("15f83882 14bdc94e 3ec4c7c3 69863746" "cd72d317 4b20a1e4 a0894fb7 cd78")); /* AES-SIV-CMAC-512 (AES-256) from dchest/siv repo */ test_aead_message(&siv_cmac_aes256, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "6f6e6d6c 6b6a6968 67666564 63626160" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff" "00010203 04050607 08090a0b 0c0d0e0f"), SHEX("02"), SHEX("10111213 14151617 18191a1b 1c1d1e1f" "20212223 24252627"), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("6f740b42 1e2972d8 5e76189e 99842843" "ad9e6ff1 4ea97c32 ab315e67 464c")); /* AES-SIV-CMAC-512 (AES-256) */ test_aead_message(&siv_cmac_aes256, SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d" "2d568e91 a38e5414 8abdc0b6 e86caf87" "695c0a8a df4c5f8e b2c6c8b1 36529864" "f3b84b3a e8e3676c e760c461 f3a13e83"), SHEX("02"), SHEX("10111213 14151617 18191a1b 1c1d1e1f" "20212223 24252627"), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("c3366ef8 92911eac 3d17f29a 37d4ebad" "ddc1219e bbde06d1 ee893e55 a39f")); /* * Example with length > 16 */ test_aead_message(&siv_cmac_aes256, SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d" "2d568e91 a38e5414 8abdc0b6 e86caf87" "695c0a8a df4c5f8e b2c6c8b1 36529864" "f3b84b3a e8e3676c e760c461 f3a13e83"), SHEX("02"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("bbe4751a 549d2fce 410c2efd e0df4d13" "1a6eac0d 030028f8 dc16b6c4 3a557d4e" "3e846ad7 52c5a030 c75a85ff 8b07ff10" "71b133f5 edac3c60 8bb6eb13 dd1fd9")); /* * Example with single AAD, length > 16 */ test_aead_message(&siv_cmac_aes256, SHEX("c27df2fd aec35d4a 2a412a50 c3e8c47d" "2d568e91 a38e5414 8abdc0b6 e86caf87" "695c0a8a df4c5f8e b2c6c8b1 36529864" "f3b84b3a e8e3676c e760c461 f3a13e83"), SHEX("09f91102 9d74e35b d84156c5 635688c0"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("5a979b0d a58fde80 51621ae6 bf96feda" "50933da8 047bc306 fabaf0c3 d9fa8471" "c70a7def 39a2f91d 68a2021c 99ac7e2a" "24535a13 4ba23ec1 5787cebe 5c53cc")); /* The following tests were checked for interoperability against miscreant.js */ /* * Example from miscreant.js with no AD * https://github.com/miscreant/miscreant.js/blob/master/vectors/aes_siv_aead.tjson */ test_aead_message(&siv_cmac_aes128, SHEX("fffefdfc fbfaf9f8 f7f6f5f4 f3f2f1f0" "f0f1f2f3 f4f5f6f7 f8f9fafb fcfdfeff"), SHEX("10111213 1415161718191a1b1 c1d1e1f2" "02122232 4252627"), SHEX(""), SHEX("11223344 55667788 99aabbcc ddee"), SHEX("4b3d0f15 ae9ffa9e 65b94942 1582ef70" "e410910d 6446c775 9ebff9b5 385a")); /* * Example from miscreant.js with AD */ test_aead_message(&siv_cmac_aes128, SHEX("7f7e7d7c 7b7a7978 77767574 73727170" "40414243 44454647 48494a4b 4c4d4e4f"), SHEX("09f91102 9d74e35b d84156c5 635688c0"), SHEX("00112233 44556677 8899aabb ccddeeff" "deaddada deaddada ffeeddcc bbaa9988" "77665544 33221100"), SHEX("74686973 20697320 736f6d65 20706c61" "696e7465 78742074 6f20656e 63727970" "74207573 696e6720 5349562d 414553"), SHEX("85825e22 e90cf2dd da2c548d c7c1b631" "0dcdaca0 cebf9dc6 cb90583f 5bf1506e" "02cd4883 2b00e4e5 98b2b22a 53e6199d" "4df0c166 6a35a043 3b250dc1 34d776")); } nettle-3.10/testsuite/ed448-test.c0000644000175000017500000003515414633602172015772 0ustar nissenisse/* ed448-test.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #include "testutils.h" #include #include "eddsa.h" #include "base16.h" static void decode_hex (size_t length, uint8_t *dst, const char *src) { struct base16_decode_ctx ctx; size_t out_size; base16_decode_init (&ctx); ASSERT (base16_decode_update (&ctx, &out_size, dst, 2*length, src)); ASSERT (out_size == length); ASSERT (base16_decode_final (&ctx)); } /* Processes a single line in the format of http://ed25519.cr.yp.to/python/sign.input: sk pk : pk : m : s m : where sk (secret key) and pk (public key) are 57 bytes each, m is variable size, and s is 114 bytes. All values hex encoded. */ static void test_one (const char *line) { const char *p; const char *mp; uint8_t sk[ED448_KEY_SIZE]; uint8_t pk[ED448_KEY_SIZE]; uint8_t t[ED448_KEY_SIZE]; uint8_t s[ED448_SIGNATURE_SIZE]; uint8_t *msg; size_t msg_size; uint8_t s2[ED448_SIGNATURE_SIZE]; decode_hex (ED448_KEY_SIZE, sk, line); p = strchr (line, ':'); ASSERT (p == line + 228); p++; decode_hex (ED448_KEY_SIZE, pk, p); p = strchr (p, ':'); ASSERT (p == line + 343); mp = ++p; p = strchr (p, ':'); ASSERT (p); ASSERT ((p - mp) % 2 == 0); msg_size = (p - mp) / 2; decode_hex (ED448_SIGNATURE_SIZE, s, p+1); msg = xalloc (msg_size + 1); msg[msg_size] = 'x'; decode_hex (msg_size, msg, mp); mark_bytes_undefined (ED448_KEY_SIZE, sk); ed448_shake256_public_key (t, sk); mark_bytes_defined (ED448_KEY_SIZE, t); ASSERT (MEMEQ(ED448_KEY_SIZE, t, pk)); ed448_shake256_sign (pk, sk, msg_size, msg, s2); mark_bytes_defined (ED448_SIGNATURE_SIZE, s2); ASSERT (MEMEQ (ED448_SIGNATURE_SIZE, s, s2)); ASSERT (ed448_shake256_verify (pk, msg_size, msg, s)); s2[ED448_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed448_shake256_verify (pk, msg_size, msg, s2)); memcpy (s2, s, ED448_SIGNATURE_SIZE); s2[2*ED448_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed448_shake256_verify (pk, msg_size, msg, s2)); ASSERT (!ed448_shake256_verify (pk, msg_size + 1, msg, s)); if (msg_size > 0) { msg[msg_size-1] ^= 0x20; ASSERT (!ed448_shake256_verify (pk, msg_size, msg, s)); } free (msg); } #ifndef HAVE_GETLINE static ssize_t getline(char **lineptr, size_t *n, FILE *f) { size_t i; int c; if (!*lineptr) { *n = 500; *lineptr = xalloc (*n); } i = 0; do { c = getc(f); if (c < 0) { if (i > 0) break; return -1; } (*lineptr) [i++] = c; if (i == *n) { *n *= 2; *lineptr = realloc (*lineptr, *n); if (!*lineptr) die ("Virtual memory exhausted.\n"); } } while (c != '\n'); (*lineptr) [i] = 0; return i; } #endif void test_main(void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif const char *input = getenv ("ED448_SIGN_INPUT"); if (input) { size_t buf_size; char *buf; FILE *f = fopen (input, "r"); if (!f) die ("Opening input file '%s' failed: %s\n", input, strerror (errno)); for (buf = NULL; getline (&buf, &buf_size, f) >= 0; ) test_one (buf); free (buf); fclose (f); } else { /* Test vectors from RFC 8032. */ /* Blank */ test_one ("6c82a562cb808d10d632be89c8513ebf6c929f34ddfa8c9f63c9960ef6e348a3528c8a3fcc2f044e39a3fc5b94492f8f032e7549a20098f95b" "5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180:" "5fd7449b59b461fd2ce787ec616ad46a1da1342485a70e1f8a0ea75d80e96778edf124769b46c7061bd6783df1e50f6cd1fa1abeafe8256180:" ":" "533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600" ":"); /* 1 octet */ test_one ("c4eab05d357007c632f3dbb48489924d552b08fe0c353a0d4a1f00acda2c463afbea67c5e8d2877c5e3bc397a659949ef8021e954e0a12274e" "43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480:" "43ba28f430cdff456ae531545f7ecd0ac834a55d9358c0372bfa0c6c6798c0866aea01eb00742802b8438ea4cb82169c235160627b4c3a9480:" "03:" "26b8f91727bd62897af15e41eb43c377efb9c610d48f2335cb0bd0087810f4352541b143c4b981b7e18f62de8ccdf633fc1bf037ab7cd779805e0dbcc0aae1cbcee1afb2e027df36bc04dcecbf154336c19f0af7e0a6472905e799f1953d2a0ff3348ab21aa4adafd1d234441cf807c03a00" "03:"); /* 11 octets */ test_one ("cd23d24f714274e744343237b93290f511f6425f98e64459ff203e8985083ffdf60500553abc0e05cd02184bdb89c4ccd67e187951267eb328" "dcea9e78f35a1bf3499a831b10b86c90aac01cd84b67a0109b55a36e9328b1e365fce161d71ce7131a543ea4cb5f7e9f1d8b00696447001400:" "dcea9e78f35a1bf3499a831b10b86c90aac01cd84b67a0109b55a36e9328b1e365fce161d71ce7131a543ea4cb5f7e9f1d8b00696447001400:" "0c3e544074ec63b0265e0c:" "1f0a8888ce25e8d458a21130879b840a9089d999aaba039eaf3e3afa090a09d389dba82c4ff2ae8ac5cdfb7c55e94d5d961a29fe0109941e00b8dbdeea6d3b051068df7254c0cdc129cbe62db2dc957dbb47b51fd3f213fb8698f064774250a5028961c9bf8ffd973fe5d5c206492b140e00" "0c3e544074ec63b0265e0c:"); /* 12 octets */ test_one ("258cdd4ada32ed9c9ff54e63756ae582fb8fab2ac721f2c8e676a72768513d939f63dddb55609133f29adf86ec9929dccb52c1c5fd2ff7e21b" "3ba16da0c6f2cc1f30187740756f5e798d6bc5fc015d7c63cc9510ee3fd44adc24d8e968b6e46e6f94d19b945361726bd75e149ef09817f580:" "3ba16da0c6f2cc1f30187740756f5e798d6bc5fc015d7c63cc9510ee3fd44adc24d8e968b6e46e6f94d19b945361726bd75e149ef09817f580:" "64a65f3cdedcdd66811e2915:" "7eeeab7c4e50fb799b418ee5e3197ff6bf15d43a14c34389b59dd1a7b1b85b4ae90438aca634bea45e3a2695f1270f07fdcdf7c62b8efeaf00b45c2c96ba457eb1a8bf075a3db28e5c24f6b923ed4ad747c3c9e03c7079efb87cb110d3a99861e72003cbae6d6b8b827e4e6c143064ff3c00" "64a65f3cdedcdd66811e2915:"); /* 13 octets */ test_one ("7ef4e84544236752fbb56b8f31a23a10e42814f5f55ca037cdcc11c64c9a3b2949c1bb60700314611732a6c2fea98eebc0266a11a93970100e" "b3da079b0aa493a5772029f0467baebee5a8112d9d3a22532361da294f7bb3815c5dc59e176b4d9f381ca0938e13c6c07b174be65dfa578e80:" "b3da079b0aa493a5772029f0467baebee5a8112d9d3a22532361da294f7bb3815c5dc59e176b4d9f381ca0938e13c6c07b174be65dfa578e80:" "64a65f3cdedcdd66811e2915e7:" "6a12066f55331b6c22acd5d5bfc5d71228fbda80ae8dec26bdd306743c5027cb4890810c162c027468675ecf645a83176c0d7323a2ccde2d80efe5a1268e8aca1d6fbc194d3f77c44986eb4ab4177919ad8bec33eb47bbb5fc6e28196fd1caf56b4e7e0ba5519234d047155ac727a1053100" "64a65f3cdedcdd66811e2915e7:"); /* 64 octets */ test_one ("d65df341ad13e008567688baedda8e9dcdc17dc024974ea5b4227b6530e339bff21f99e68ca6968f3cca6dfe0fb9f4fab4fa135d5542ea3f01" "df9705f58edbab802c7f8363cfe5560ab1c6132c20a9f1dd163483a26f8ac53a39d6808bf4a1dfbd261b099bb03b3fb50906cb28bd8a081f00:" "df9705f58edbab802c7f8363cfe5560ab1c6132c20a9f1dd163483a26f8ac53a39d6808bf4a1dfbd261b099bb03b3fb50906cb28bd8a081f00:" "bd0f6a3747cd561bdddf4640a332461a4a30a12a434cd0bf40d766d9c6d458e5512204a30c17d1f50b5079631f64eb3112182da3005835461113718d1a5ef944:" "554bc2480860b49eab8532d2a533b7d578ef473eeb58c98bb2d0e1ce488a98b18dfde9b9b90775e67f47d4a1c3482058efc9f40d2ca033a0801b63d45b3b722ef552bad3b4ccb667da350192b61c508cf7b6b5adadc2c8d9a446ef003fb05cba5f30e88e36ec2703b349ca229c2670833900" "bd0f6a3747cd561bdddf4640a332461a4a30a12a434cd0bf40d766d9c6d458e5512204a30c17d1f50b5079631f64eb3112182da3005835461113718d1a5ef944:"); /* 256 octets */ test_one ("2ec5fe3c17045abdb136a5e6a913e32ab75ae68b53d2fc149b77e504132d37569b7e766ba74a19bd6162343a21c8590aa9cebca9014c636df5" "79756f014dcfe2079f5dd9e718be4171e2ef2486a08f25186f6bff43a9936b9bfe12402b08ae65798a3d81e22e9ec80e7690862ef3d4ed3a00:" "79756f014dcfe2079f5dd9e718be4171e2ef2486a08f25186f6bff43a9936b9bfe12402b08ae65798a3d81e22e9ec80e7690862ef3d4ed3a00:" "15777532b0bdd0d1389f636c5f6b9ba734c90af572877e2d272dd078aa1e567cfa80e12928bb542330e8409f3174504107ecd5efac61ae7504dabe2a602ede89e5cca6257a7c77e27a702b3ae39fc769fc54f2395ae6a1178cab4738e543072fc1c177fe71e92e25bf03e4ecb72f47b64d0465aaea4c7fad372536c8ba516a6039c3c2a39f0e4d832be432dfa9a706a6e5c7e19f397964ca4258002f7c0541b590316dbc5622b6b2a6fe7a4abffd96105eca76ea7b98816af0748c10df048ce012d901015a51f189f3888145c03650aa23ce894c3bd889e030d565071c59f409a9981b51878fd6fc110624dcbcde0bf7a69ccce38fabdf86f3bef6044819de11:" "c650ddbb0601c19ca11439e1640dd931f43c518ea5bea70d3dcde5f4191fe53f00cf966546b72bcc7d58be2b9badef28743954e3a44a23f880e8d4f1cfce2d7a61452d26da05896f0a50da66a239a8a188b6d825b3305ad77b73fbac0836ecc60987fd08527c1a8e80d5823e65cafe2a3d00" "15777532b0bdd0d1389f636c5f6b9ba734c90af572877e2d272dd078aa1e567cfa80e12928bb542330e8409f3174504107ecd5efac61ae7504dabe2a602ede89e5cca6257a7c77e27a702b3ae39fc769fc54f2395ae6a1178cab4738e543072fc1c177fe71e92e25bf03e4ecb72f47b64d0465aaea4c7fad372536c8ba516a6039c3c2a39f0e4d832be432dfa9a706a6e5c7e19f397964ca4258002f7c0541b590316dbc5622b6b2a6fe7a4abffd96105eca76ea7b98816af0748c10df048ce012d901015a51f189f3888145c03650aa23ce894c3bd889e030d565071c59f409a9981b51878fd6fc110624dcbcde0bf7a69ccce38fabdf86f3bef6044819de11:"); /* 1023 octets */ test_one ("872d093780f5d3730df7c212664b37b8a0f24f56810daa8382cd4fa3f77634ec44dc54f1c2ed9bea86fafb7632d8be199ea165f5ad55dd9ce8" "a81b2e8a70a5ac94ffdbcc9badfc3feb0801f258578bb114ad44ece1ec0e799da08effb81c5d685c0c56f64eecaef8cdf11cc38737838cf400:" "a81b2e8a70a5ac94ffdbcc9badfc3feb0801f258578bb114ad44ece1ec0e799da08effb81c5d685c0c56f64eecaef8cdf11cc38737838cf400:" "6ddf802e1aae4986935f7f981ba3f0351d6273c0a0c22c9c0e8339168e675412a3debfaf435ed651558007db4384b650fcc07e3b586a27a4f7a00ac8a6fec2cd86ae4bf1570c41e6a40c931db27b2faa15a8cedd52cff7362c4e6e23daec0fbc3a79b6806e316efcc7b68119bf46bc76a26067a53f296dafdbdc11c77f7777e972660cf4b6a9b369a6665f02e0cc9b6edfad136b4fabe723d2813db3136cfde9b6d044322fee2947952e031b73ab5c603349b307bdc27bc6cb8b8bbd7bd323219b8033a581b59eadebb09b3c4f3d2277d4f0343624acc817804728b25ab797172b4c5c21a22f9c7839d64300232eb66e53f31c723fa37fe387c7d3e50bdf9813a30e5bb12cf4cd930c40cfb4e1fc622592a49588794494d56d24ea4b40c89fc0596cc9ebb961c8cb10adde976a5d602b1c3f85b9b9a001ed3c6a4d3b1437f52096cd1956d042a597d561a596ecd3d1735a8d570ea0ec27225a2c4aaff263" "06d1526c1af3ca6d9cf5a2c98f47e1c46db9a33234cfd4d81f2c98538a09ebe76998d0d8fd25997c7d255c6d66ece6fa56f11144950f027795e653008f4bd7ca2dee85d8e90f3dc315130ce2a00375a318c7c3d97be2c8ce5b6db41a6254ff264fa6155baee3b0773c0f497c573f19bb4f4240281f0b1f4f7be857a4e59d416c06b4c50fa09e1810ddc6b1467baeac5a3668d11b6ecaa901440016f389f80acc4db977025e7f5924388c7e340a732e554440e76570f8dd71b7d640b3450d1fd5f0410a18f9a3494f707c717b79b4bf75c98400b096b21653b5d217cf3565c9597456f70703497a078763829bc01bb1cbc8fa04eadc9a6e3f6699587a9e75c94e5bab0036e0b2e711392cff0047d0d6b05bd2a588bc109718954259f1d86678a579a3120f19cfb2963f177aeb70f2d4844826262e51b80271272068ef5b3856fa8535aa2a88b2d41f2a0e2fda7624c2850272ac4a2f561f8f2f7a318bfd5c" "af9696149e4ac824ad3460538fdc25421beec2cc6818162d06bbed0c40a387192349db67a118bada6cd5ab0140ee273204f628aad1c135f770279a651e24d8c14d75a6059d76b96a6fd857def5e0b354b27ab937a5815d16b5fae407ff18222c6d1ed263be68c95f32d908bd895cd76207ae726487567f9a67dad79abec316f683b17f2d02bf07e0ac8b5bc6162cf94697b3c27cd1fea49b27f23ba2901871962506520c392da8b6ad0d99f7013fbc06c2c17a569500c8a7696481c1cd33e9b14e40b82e79a5f5db82571ba97bae3ad3e0479515bb0e2b0f3bfcd1fd33034efc6245eddd7ee2086ddae2600d8ca73e214e8c2b0bdb2b047c6a464a562ed77b73d2d841c4b34973551257713b753632efba348169abc90a68f42611a40126d7cb21b58695568186f7e569d2ff0f9e745d0487dd2eb997cafc5abf9dd102e62ff66cba87:" "e301345a41a39a4d72fff8df69c98075a0cc082b802fc9b2b6bc503f926b65bddf7f4c8f1cb49f6396afc8a70abe6d8aef0db478d4c6b2970076c6a0484fe76d76b3a97625d79f1ce240e7c576750d295528286f719b413de9ada3e8eb78ed573603ce30d8bb761785dc30dbc320869e1a00" "6ddf802e1aae4986935f7f981ba3f0351d6273c0a0c22c9c0e8339168e675412a3debfaf435ed651558007db4384b650fcc07e3b586a27a4f7a00ac8a6fec2cd86ae4bf1570c41e6a40c931db27b2faa15a8cedd52cff7362c4e6e23daec0fbc3a79b6806e316efcc7b68119bf46bc76a26067a53f296dafdbdc11c77f7777e972660cf4b6a9b369a6665f02e0cc9b6edfad136b4fabe723d2813db3136cfde9b6d044322fee2947952e031b73ab5c603349b307bdc27bc6cb8b8bbd7bd323219b8033a581b59eadebb09b3c4f3d2277d4f0343624acc817804728b25ab797172b4c5c21a22f9c7839d64300232eb66e53f31c723fa37fe387c7d3e50bdf9813a30e5bb12cf4cd930c40cfb4e1fc622592a49588794494d56d24ea4b40c89fc0596cc9ebb961c8cb10adde976a5d602b1c3f85b9b9a001ed3c6a4d3b1437f52096cd1956d042a597d561a596ecd3d1735a8d570ea0ec27225a2c4aaff263" "06d1526c1af3ca6d9cf5a2c98f47e1c46db9a33234cfd4d81f2c98538a09ebe76998d0d8fd25997c7d255c6d66ece6fa56f11144950f027795e653008f4bd7ca2dee85d8e90f3dc315130ce2a00375a318c7c3d97be2c8ce5b6db41a6254ff264fa6155baee3b0773c0f497c573f19bb4f4240281f0b1f4f7be857a4e59d416c06b4c50fa09e1810ddc6b1467baeac5a3668d11b6ecaa901440016f389f80acc4db977025e7f5924388c7e340a732e554440e76570f8dd71b7d640b3450d1fd5f0410a18f9a3494f707c717b79b4bf75c98400b096b21653b5d217cf3565c9597456f70703497a078763829bc01bb1cbc8fa04eadc9a6e3f6699587a9e75c94e5bab0036e0b2e711392cff0047d0d6b05bd2a588bc109718954259f1d86678a579a3120f19cfb2963f177aeb70f2d4844826262e51b80271272068ef5b3856fa8535aa2a88b2d41f2a0e2fda7624c2850272ac4a2f561f8f2f7a318bfd5c" "af9696149e4ac824ad3460538fdc25421beec2cc6818162d06bbed0c40a387192349db67a118bada6cd5ab0140ee273204f628aad1c135f770279a651e24d8c14d75a6059d76b96a6fd857def5e0b354b27ab937a5815d16b5fae407ff18222c6d1ed263be68c95f32d908bd895cd76207ae726487567f9a67dad79abec316f683b17f2d02bf07e0ac8b5bc6162cf94697b3c27cd1fea49b27f23ba2901871962506520c392da8b6ad0d99f7013fbc06c2c17a569500c8a7696481c1cd33e9b14e40b82e79a5f5db82571ba97bae3ad3e0479515bb0e2b0f3bfcd1fd33034efc6245eddd7ee2086ddae2600d8ca73e214e8c2b0bdb2b047c6a464a562ed77b73d2d841c4b34973551257713b753632efba348169abc90a68f42611a40126d7cb21b58695568186f7e569d2ff0f9e745d0487dd2eb997cafc5abf9dd102e62ff66cba87:"); } } nettle-3.10/testsuite/eddsa-sign-test.c0000644000175000017500000001624014633602172017153 0ustar nissenisse/* eddsa-sign-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "eddsa.h" #include "eddsa-internal.h" #include "sha3.h" static void test_eddsa_sign (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const struct tstring *public, const struct tstring *private, const struct tstring *msg, const struct tstring *ref) { mp_limb_t *scratch = xalloc_limbs (_eddsa_sign_itch (ecc)); size_t nbytes = 1 + ecc->p.bit_size / 8; uint8_t *signature = xalloc (2*nbytes); uint8_t *public_out = xalloc (nbytes); uint8_t *digest = xalloc (2*nbytes); const uint8_t *k1 = digest + nbytes; mp_limb_t *k2 = xalloc_limbs (ecc->p.size); ASSERT (public->length == nbytes); ASSERT (private->length == nbytes); ASSERT (ref->length == 2*nbytes); _eddsa_expand_key (ecc, eddsa, ctx, private->data, digest, k2); _eddsa_public_key (ecc, k2, public_out, scratch); if (!MEMEQ (nbytes, public_out, public->data)) { fprintf (stderr, "Bad public key from _eddsa_expand_key + _eddsa_public_key.\n"); fprintf (stderr, "got:"); print_hex (nbytes, public_out); fprintf (stderr, "\nref:"); tstring_print_hex (public); fprintf (stderr, "\n"); abort (); } _eddsa_sign (ecc, eddsa, ctx, public->data, k1, k2, msg->length, msg->data, signature, scratch); if (!MEMEQ (2*nbytes, signature, ref->data)) { fprintf (stderr, "Bad _eddsa_sign output.\n"); fprintf (stderr, "Public key:"); tstring_print_hex (public); fprintf (stderr, "\nPrivate key:"); tstring_print_hex (private); fprintf (stderr, "\nk2:"); mpn_out_str (stderr, 16, k2, ecc->p.size); fprintf (stderr, "\nMessage (length %u):", (unsigned) msg->length); tstring_print_hex (msg); fprintf (stderr, "\ngot:"); print_hex (2*nbytes, signature); fprintf (stderr, "\nref:"); tstring_print_hex (ref); fprintf (stderr, "\n"); abort (); } free (scratch); free (signature); free (digest); free (k2); free (public_out); } static void test_ed25519_sign (const struct tstring *public, const struct tstring *private, const struct tstring *msg, const struct tstring *ref) { struct sha512_ctx ctx; sha512_init (&ctx); test_eddsa_sign (&_nettle_curve25519, &_nettle_ed25519_sha512, &ctx, public, private, msg, ref); } static void test_ed448_sign (const struct tstring *public, const struct tstring *private, const struct tstring *msg, const struct tstring *ref) { struct sha3_256_ctx ctx; sha3_256_init (&ctx); test_eddsa_sign (&_nettle_curve448, &_nettle_ed448_shake256, &ctx, public, private, msg, ref); } void test_main (void) { /* Based on a few of the test vectors at http://ed25519.cr.yp.to/python/sign.input */ test_ed25519_sign (SHEX("d75a980182b10ab7 d54bfed3c964073a" "0ee172f3daa62325 af021a68f707511a"), SHEX("9d61b19deffd5a60 ba844af492ec2cc4" "4449c5697b326919 703bac031cae7f60"), SHEX(""), SHEX("e5564300c360ac72 9086e2cc806e828a" "84877f1eb8e5d974 d873e06522490155" "5fb8821590a33bac c61e39701cf9b46b" "d25bf5f0595bbe24 655141438e7a100b")); test_ed25519_sign (SHEX("3d4017c3e843895a 92b70aa74d1b7ebc" "9c982ccf2ec4968c c0cd55f12af4660c"), SHEX("4ccd089b28ff96da 9db6c346ec114e0f" "5b8a319f35aba624 da8cf6ed4fb8a6fb"), SHEX("72"), SHEX("92a009a9f0d4cab8 720e820b5f642540" "a2b27b5416503f8f b3762223ebdb69da" "085ac1e43e15996e 458f3613d0f11d8c" "387b2eaeb4302aee b00d291612bb0c00")); test_ed25519_sign (SHEX("1ed506485b09a645 0be7c9337d9fe87e" "f99c96f8bd11cd63 1ca160d0fd73067e"), SHEX("f215d34fe2d757cf f9cf5c05430994de" "587987ce45cb0459 f61ec6c825c62259"), SHEX("fbed2a7df418ec0e 8036312ec239fcee" "6ef97dc8c2df1f2e 14adee287808b788" "a6072143b851d975 c8e8a0299df846b1" "9113e38cee83da71 ea8e9bd6f57bdcd3" "557523f4feb616ca a595aea01eb0b3d4" "90b99b525ea4fbb9 258bc7fbb0deea8f" "568cb2"), SHEX("cbef65b6f3fd5809 69fc3340cfae4f7c" "99df1340cce54626 183144ef46887163" "4b0a5c0033534108 e1c67c0dc99d3014" "f01084e98c95e101 4b309b1dbb2e6704")); /* Based on a few of the test vectors from RFC 8032 */ test_ed448_sign (SHEX("5fd7449b59b461fd 2ce787ec616ad46a" "1da1342485a70e1f 8a0ea75d80e96778" "edf124769b46c706 1bd6783df1e50f6c" "d1fa1abeafe82561 80"), SHEX("6c82a562cb808d10 d632be89c8513ebf" "6c929f34ddfa8c9f 63c9960ef6e348a3" "528c8a3fcc2f044e 39a3fc5b94492f8f" "032e7549a20098f9 5b"), SHEX(""), SHEX("533a37f6bbe45725 1f023c0d88f976ae" "2dfb504a843e34d2 074fd823d41a591f" "2b233f034f628281 f2fd7a22ddd47d78" "28c59bd0a21bfd39 80ff0d2028d4b18a" "9df63e006c5d1c2d 345b925d8dc00b41" "04852db99ac5c7cd da8530a113a0f4db" "b61149f05a736326 8c71d95808ff2e65" "2600")); test_ed448_sign (SHEX("43ba28f430cdff45 6ae531545f7ecd0a" "c834a55d9358c037 2bfa0c6c6798c086" "6aea01eb00742802 b8438ea4cb82169c" "235160627b4c3a94 80"), SHEX("c4eab05d357007c6 32f3dbb48489924d" "552b08fe0c353a0d 4a1f00acda2c463a" "fbea67c5e8d2877c 5e3bc397a659949e" "f8021e954e0a1227 4e"), SHEX("03"), SHEX("26b8f91727bd6289 7af15e41eb43c377" "efb9c610d48f2335 cb0bd0087810f435" "2541b143c4b981b7 e18f62de8ccdf633" "fc1bf037ab7cd779 805e0dbcc0aae1cb" "cee1afb2e027df36 bc04dcecbf154336" "c19f0af7e0a64729 05e799f1953d2a0f" "f3348ab21aa4adaf d1d234441cf807c0" "3a00")); test_ed448_sign (SHEX("df9705f58edbab80 2c7f8363cfe5560a" "b1c6132c20a9f1dd 163483a26f8ac53a" "39d6808bf4a1dfbd 261b099bb03b3fb5" "0906cb28bd8a081f 00"), SHEX("d65df341ad13e008 567688baedda8e9d" "cdc17dc024974ea5 b4227b6530e339bf" "f21f99e68ca6968f 3cca6dfe0fb9f4fa" "b4fa135d5542ea3f 01"), SHEX("bd0f6a3747cd561b dddf4640a332461a" "4a30a12a434cd0bf 40d766d9c6d458e5" "512204a30c17d1f5 0b5079631f64eb31" "12182da300583546 1113718d1a5ef944"), SHEX("554bc2480860b49e ab8532d2a533b7d5" "78ef473eeb58c98b b2d0e1ce488a98b1" "8dfde9b9b90775e6 7f47d4a1c3482058" "efc9f40d2ca033a0 801b63d45b3b722e" "f552bad3b4ccb667 da350192b61c508c" "f7b6b5adadc2c8d9 a446ef003fb05cba" "5f30e88e36ec2703 b349ca229c267083" "3900")); } nettle-3.10/testsuite/meta-aead-test.c0000644000175000017500000000125514633602172016753 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "nettle-meta.h" const char* aeads[] = { "gcm_aes128", "gcm_aes192", "gcm_aes256", "gcm_camellia128", "gcm_camellia256", "gcm_sm4", "eax_aes128", "chacha_poly1305", }; void test_main(void) { int i,j; int count = sizeof(aeads)/sizeof(*aeads); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_aeads[j]; j++) { if (0 == strcmp(aeads[i], nettle_aeads[j]->name)) break; } ASSERT(NULL != nettle_aeads[j]); /* make sure we found a matching aead */ } j = 0; while (NULL != nettle_aeads[j]) j++; ASSERT(j == count); /* we are not missing testing any aeads */ } nettle-3.10/testsuite/gostdsa-vko-test.c0000644000175000017500000001472714633602172017406 0ustar nissenisse#include "testutils.h" #include "gostdsa.h" #include "streebog.h" static void test_vko (const struct ecc_curve *ecc, const char *priv, const char *x, const char *y, const struct tstring *ukm, const struct nettle_hash *hash, void * hash_ctx, const struct tstring *res) { struct ecc_scalar ecc_key; struct ecc_point ecc_pub; mpz_t temp1, temp2; uint8_t out[128]; size_t out_len = ((ecc_bit_size(ecc) + 7) / 8) * 2; ASSERT(out_len <= sizeof(out)); ecc_point_init (&ecc_pub, ecc); mpz_init_set_str (temp1, x, 16); mpz_init_set_str (temp2, y, 16); ASSERT (ecc_point_set (&ecc_pub, temp1, temp2) != 0); ecc_scalar_init (&ecc_key, ecc); mpz_set_str (temp1, priv, 16); ASSERT (ecc_scalar_set (&ecc_key, temp1) != 0); mpz_clear (temp1); mpz_clear (temp2); gostdsa_vko (&ecc_key, &ecc_pub, ukm->length, ukm->data, out); ecc_scalar_clear (&ecc_key); ecc_point_clear (&ecc_pub); if (hash) { hash->init (hash_ctx); hash->update (hash_ctx, out_len, out); hash->digest (hash_ctx, hash->digest_size, out); ASSERT (hash->digest_size == res->length); ASSERT (MEMEQ (res->length, out, res->data)); } else { ASSERT (out_len == res->length); ASSERT (MEMEQ (res->length, out, res->data)); } } void test_main (void) { struct streebog256_ctx ctx_256; struct streebog256_ctx ctx_512; /* RFC 7836, App B, provides test vectors, values there are little endian. * * However those test vectors depend on the availability of Streebog hash * functions, which is not available (yet). So these test vectors capture * the VKO value just before hash function. One can verify them by * calculating the Streeebog function and comparing the result with RFC * 7836, App B. */ test_vko(nettle_get_gost_gc512a(), "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", SHEX("1d 80 60 3c 85 44 c7 27"), NULL, NULL, SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); test_vko(nettle_get_gost_gc512a(), "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", SHEX("1d 80 60 3c 85 44 c7 27"), NULL, NULL, SHEX("5fb5261b61e872f9 3efc03200f47378e f039aa89b993a274 a25dec5e5d49ed59" "84b7dfdf5970c3f7 3059a26d08f7bbc5 0830799bda18b533 499c4f00c21cff3e" "3b8e53a1ea920eb1 d7f3d08aa9e47595 4a53ac018c210b48 15451b7accc4a797" "a2b8faf3d89ee717 d07a857794b9b053 f8e0fd5456ccfcc2 2fd081c873416a3f")); /* RFC 7836, App B, 7), values there are little endian, calculation for size A */ test_vko(nettle_get_gost_gc512a(), "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", SHEX("1d 80 60 3c 85 44 c7 27"), &nettle_streebog256, &ctx_256, SHEX("c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21")); /* RFC 7836, App B, 7), values there are little endian, calculation for size B */ test_vko(nettle_get_gost_gc512a(), "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", SHEX("1d 80 60 3c 85 44 c7 27"), &nettle_streebog256, &ctx_256, SHEX("c9 a9 a7 73 20 e2 cc 55 9e d7 2d ce 6f 47 e2 19 2c ce a9 5f a6 48 67 05 82 c0 54 c0 ef 36 c2 21")); /* RFC 7836, App B, 8), values there are little endian, calculation for size A */ test_vko(nettle_get_gost_gc512a(), "67b63ca4ac8d2bb32618d89296c7476dbeb9f9048496f202b1902cf2ce41dbc2f847712d960483458d4b380867f426c7ca0ff5782702dbc44ee8fc72d9ec90c9", "51a6d54ee932d176e87591121cce5f395cb2f2f147114d95f463c8a7ed74a9fc5ecd2325a35fb6387831ea66bc3d2aa42ede35872cc75372073a71b983e12f19", "793bde5bf72840ad22b02a363ae4772d4a52fc08ba1a20f7458a222a13bf98b53be002d1973f1e398ce46c17da6d00d9b6d0076f8284dcc42e599b4c413b8804", SHEX("1d 80 60 3c 85 44 c7 27"), &nettle_streebog512, &ctx_512, SHEX("79 f0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97 ad aa d8 45 97 a0 d2 05 b5 0e 3e 17 19 f9 7b fa" "7e e1 d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9 f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df")); /* RFC 7836, App B, 8), values there are little endian, calculation for size B */ test_vko(nettle_get_gost_gc512a(), "dbd09213a592da5bbfd8ed068cccccbbfbeda4feac96b9b4908591440b0714803b9eb763ef932266d4c0181a9b73eacf9013efc65ec07c888515f1b6f759c848", "a7c0adb12743c10c3c1beb97c8f631242f7937a1deb6bce5e664e49261baccd3f5dc56ec53b2abb90ca1eb703078ba546655a8b99f79188d2021ffaba4edb0aa", "5adb1c63a4e4465e0bbefd897fb9016475934cfa0f8c95f992ea402d47921f46382d00481b720314b19d8c878e75d81b9763358dd304b2ed3a364e07a3134691", SHEX("1d 80 60 3c 85 44 c7 27"), &nettle_streebog512, &ctx_512, SHEX("79 f0 02 a9 69 40 ce 7b de 32 59 a5 2e 01 52 97 ad aa d8 45 97 a0 d2 05 b5 0e 3e 17 19 f9 7b fa" "7e e1 d2 66 1f a9 97 9a 5a a2 35 b5 58 a7 e6 d9 f8 8f 98 2d d6 3f c3 5a 8e c0 dd 5e 24 2d 3b df")); } nettle-3.10/testsuite/gostdsa-sign-test.c0000644000175000017500000000565214633602172017544 0ustar nissenisse#include "testutils.h" #include "gostdsa.h" static void test_gostdsa (const struct ecc_curve *ecc, /* Private key */ const char *sz, /* Random nonce */ const char *sk, /* Hash */ const struct tstring *h, /* Expected signature */ const char *r, const char *s) { struct dsa_signature ref; mpz_t t; mpz_t z; mpz_t k; mp_limb_t *rp = xalloc_limbs (ecc->p.size); mp_limb_t *sp = xalloc_limbs (ecc->p.size); mp_limb_t *zp = xalloc_limbs (ecc->p.size); mp_limb_t *kp = xalloc_limbs (ecc->p.size); mp_limb_t *scratch = xalloc_limbs (ecc_gostdsa_sign_itch (ecc)); dsa_signature_init (&ref); mpz_init_set_str (z, sz, 16); mpz_init_set_str (k, sk, 16); mpz_limbs_copy (zp, z, ecc->p.size); mpz_limbs_copy (kp, k, ecc->p.size); ecc_gostdsa_sign (ecc, zp, kp, h->length, h->data, rp, sp, scratch); mpz_set_str (ref.r, r, 16); mpz_set_str (ref.s, s, 16); if (mpz_cmp (ref.r, mpz_roinit_n (t, rp, ecc->p.size)) != 0 || mpz_cmp (ref.s, mpz_roinit_n (t, sp, ecc->p.size)) != 0) { fprintf (stderr, "_gostdsa_sign failed, bit_size = %u\n", ecc->p.bit_size); fprintf (stderr, "r = "); write_mpn (stderr, 16, rp, ecc->p.size); fprintf (stderr, "\ns = "); write_mpn (stderr, 16, sp, ecc->p.size); fprintf (stderr, "\nref.r = "); mpz_out_str (stderr, 16, ref.r); fprintf (stderr, "\nref.s = "); mpz_out_str (stderr, 16, ref.s); fprintf (stderr, "\n"); abort(); } free (rp); free (sp); free (zp); free (kp); free (scratch); dsa_signature_clear (&ref); mpz_clear (k); mpz_clear (z); } void test_main (void) { test_gostdsa (nettle_get_gost_gc256b(), "BFCF1D623E5CDD3032A7C6EABB4A923C46E43D640FFEAAF2C3ED39A8FA399924", /* z */ "5782C53F110C596F9155D35EBD25A06A89C50391850A8FEFE33B0E270318857C", /* k */ SHEX("1C067E20EA6CB183F22EFB0F3C6FD2A4E6A02821CB7A1B17FACD5E1F7AA76F70"), /* h */ "E9323A5E88DD87FB7C724383BFFE7CECD4B9FFA2AC33BEEF73A5A1F743404F6B", /* r */ "5E5B9B805B01147A8492C4A162643AC615DC777B9174108F3DC276A41F987AF3"); /* s */ test_gostdsa (nettle_get_gost_gc512a(), "3FC01CDCD4EC5F972EB482774C41E66DB7F380528DFE9E67992BA05AEE462435" "757530E641077CE587B976C8EEB48C48FD33FD175F0C7DE6A44E014E6BCB074B", /* z */ "72ABB44536656BF1618CE10BF7EADD40582304A51EE4E2A25A0A32CB0E773ABB" "23B7D8FDD8FA5EEE91B4AE452F2272C86E1E2221215D405F51B5D5015616E1F6", /* k */ SHEX("EDC257BED45FDDE4F1457B7F5B19017A8F204184366689D938532CDBAA5CB29A" "1D369DA57F8B983BE272219BD2C9A4FC57ECF7A77F34EE2E8AA553976A4766C0"), /* h */ "891AA75C2A6F3B4DE27E3903F61CBB0F3F85A4E3C62F39A6E4E84A7477679C6E" "45008DC2774CA2FF64C12C0606FF918CAE3A50115440E9BF2971B627A882A1E8", /* r */ "31065479996DDBDEE180AFE22CA3CDC44B45CE4C6C83909D1D3B702922A32441" "A9E11DCFBEA3D847C06B1A8A38EB1671D6C82FA21B79C99BE2EA809B10DAA5DF"); /* s */ } nettle-3.10/testsuite/cast128-test.c0000644000175000017500000000344014633602172016320 0ustar nissenisse#include "testutils.h" #include "cast128.h" static void test_cast5(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct cast128_ctx ctx; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; cast5_set_key(&ctx, key->length, key->data); cast128_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cast5_set_key(&ctx, key->length, key->data); cast128_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { /* Test vectors from B.1. Single Plaintext-Key-Ciphertext Sets, RFC * 2144 */ /* 128 bit key */ test_cipher(&nettle_cast128, SHEX("01 23 45 67 12 34 56 78" "23 45 67 89 34 56 78 9A"), SHEX("01 23 45 67 89 AB CD EF"), SHEX("23 8B 4F E5 84 7E 44 B2")); /* 80 bit key */ test_cast5(SHEX("01 23 45 67 12 34 56 78 23 45"), SHEX("01 23 45 67 89 AB CD EF"), SHEX("EB 6A 71 1A 2C 02 27 1B")); /* 40 bit key */ test_cast5(SHEX("01 23 45 67 12"), SHEX("01 23 45 67 89 AB CD EF"), SHEX("7A C8 16 D1 6E 9B 30 2E")); } nettle-3.10/testsuite/twofish-test.c0000644000175000017500000000136014633602172016615 0ustar nissenisse#include "testutils.h" #include "twofish.h" void test_main(void) { /* 128 bit key */ test_cipher(&nettle_twofish128, SHEX("0000000000000000 0000000000000000"), SHEX("0000000000000000 0000000000000000"), SHEX("9F589F5CF6122C32 B6BFEC2F2AE8C35A")); /* 192 bit key */ test_cipher(&nettle_twofish192, SHEX("0123456789ABCDEF FEDCBA9876543210" "0011223344556677"), SHEX("0000000000000000 0000000000000000"), SHEX("CFD1D2E5A9BE9CDF 501F13B892BD2248")); /* 256 bit key */ test_cipher(&nettle_twofish256, SHEX("0123456789ABCDEF FEDCBA9876543210" "0011223344556677 8899AABBCCDDEEFF"), SHEX("0000000000000000 0000000000000000"), SHEX("37527BE0052334B8 9F0CFCCAE87CFA20")); } nettle-3.10/testsuite/ecc-mod-arith-test.c0000644000175000017500000000741714633602172017557 0ustar nissenisse#include "testutils.h" #define MAX_SIZE (1 + 521 / GMP_NUMB_BITS) #define COUNT 10000 static void test_add(const char *name, const struct ecc_modulo *m, const mpz_t az, const mpz_t bz) { mp_limb_t a[MAX_SIZE]; mp_limb_t b[MAX_SIZE]; mp_limb_t t[MAX_SIZE]; mpz_t mz; mpz_t tz; mpz_t ref; mpz_init (ref); mpz_add (ref, az, bz); mpz_mod (ref, ref, mpz_roinit_n (mz, m->m, m->size)); mpz_limbs_copy (a, az, m->size); mpz_limbs_copy (b, bz, m->size); ecc_mod_add (m, t, a, b); if (!mpz_congruent_p (ref, mpz_roinit_n (tz, t, m->size), mz)) { fprintf (stderr, "ecc_mod_add %s failed: bit_size = %u\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, m->size); fprintf (stderr, "\nb = "); mpn_out_str (stderr, 16, b, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpz_out_str (stderr, 16, ref); fprintf (stderr, "\n"); abort (); } mpz_clear (ref); } static void test_sub(const char *name, const struct ecc_modulo *m, /* If range is non-null, check that 0 <= r < range. */ const mp_limb_t *range, const mpz_t az, const mpz_t bz) { mp_limb_t a[MAX_SIZE]; mp_limb_t b[MAX_SIZE]; mp_limb_t t[MAX_SIZE]; mpz_t mz; mpz_t tz; mpz_t ref; mpz_init (ref); mpz_sub (ref, az, bz); mpz_mod (ref, ref, mpz_roinit_n (mz, m->m, m->size)); mpz_limbs_copy (a, az, m->size); mpz_limbs_copy (b, bz, m->size); ecc_mod_sub (m, t, a, b); if (!mpz_congruent_p (ref, mpz_roinit_n (tz, t, m->size), mz)) { fprintf (stderr, "ecc_mod_sub %s failed: bit_size = %u\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, m->size); fprintf (stderr, "\nb = "); mpn_out_str (stderr, 16, b, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " (bad)\nref = "); mpz_out_str (stderr, 16, ref); fprintf (stderr, "\n"); abort (); } if (range && mpn_cmp (t, range, m->size) >= 0) { fprintf (stderr, "ecc_mod_sub %s out of range: bit_size = %u\n", name, m->bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, m->size); fprintf (stderr, "\nb = "); mpn_out_str (stderr, 16, b, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, t, m->size); fprintf (stderr, " \nrange = "); mpn_out_str (stderr, 16, range, m->size); fprintf (stderr, "\n"); abort (); } mpz_clear (ref); } static void test_modulo (gmp_randstate_t rands, const char *name, const struct ecc_modulo *m, unsigned count) { mpz_t a, b; unsigned j; mpz_init (a); mpz_init (b); for (j = 0; j < count; j++) { if (j & 1) { mpz_rrandomb (a, rands, m->size * GMP_NUMB_BITS); mpz_rrandomb (b, rands, m->size * GMP_NUMB_BITS); } else { mpz_urandomb (a, rands, m->size * GMP_NUMB_BITS); mpz_urandomb (b, rands, m->size * GMP_NUMB_BITS); } test_add (name, m, a, b); test_sub (name, m, NULL, a, b); } if (m->bit_size < m->size * GMP_NUMB_BITS) { mp_limb_t two_p[MAX_SIZE]; mpn_lshift (two_p, m->m, m->size, 1); mpz_t range; mpz_roinit_n (range, two_p, m->size); mpz_urandomm (a, rands, range); mpz_urandomm (b, rands, range); test_sub (name, m, two_p, a, b); } mpz_clear (a); mpz_clear (b); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { test_modulo (rands, "p", &ecc_curves[i]->p, COUNT); test_modulo (rands, "q", &ecc_curves[i]->q, COUNT); } gmp_randclear (rands); } nettle-3.10/testsuite/sc-gcm-test0000755000175000017500000000012714633602172016065 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./gcm-test nettle-3.10/testsuite/sha1-test.c0000644000175000017500000001017014633602172015765 0ustar nissenisse#include "testutils.h" #include "nettle-write.h" #include "sha1.h" /* Test compression only. */ static void test_sha1_compress(const struct tstring *input, const struct tstring *expected) { size_t split; ASSERT (input->length % SHA1_BLOCK_SIZE == 0); ASSERT (expected->length == SHA1_DIGEST_SIZE); for (split = 0; split <= input->length; split += SHA1_BLOCK_SIZE) { struct sha1_ctx ctx; uint8_t digest[SHA1_DIGEST_SIZE]; sha1_init (&ctx); sha1_update (&ctx, split, input->data); sha1_update (&ctx, input->length - split, input->data + split); _nettle_write_be32 (SHA1_DIGEST_SIZE, digest, ctx.state); if (!MEMEQ (SHA1_DIGEST_SIZE, digest, expected->data)) { fprintf (stderr, "sha1_compress failed: length %u, split %u \nInput:", (unsigned) input->length, (unsigned) split); tstring_print_hex (input); fprintf (stderr, "\nOutput: "); print_hex (SHA1_DIGEST_SIZE, digest); fprintf(stdout, "\nExpected:\n"); tstring_print_hex (expected); fprintf (stderr, "\n"); abort (); } } } void test_main(void) { /* Initial state */ test_sha1_compress (SDATA(""), SHEX("67452301efcdab89 98badcfe10325476" "c3d2e1f0")); /* Single block compressed */ test_sha1_compress (SDATA("0123456789abcdefghijklmnopqrstuv" "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZZY"), SHEX("005cf6fb02d9a17e f77d0b8eac9da60c" "08ecaf1c")); /* Two blocks compressed */ test_sha1_compress (SDATA("0123456789abcdefghijklmnopqrstuv" "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZZY" "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345" "6789abcdefghijklmnopqrstuvwxyzzy"), SHEX("3e0dd3db30fc4e45 c17a97f0c431f07b" "6b4a5cc5")); test_hash(&nettle_sha1, SDATA(""), SHEX("DA39A3EE5E6B4B0D 3255BFEF95601890 AFD80709")); test_hash(&nettle_sha1, SDATA("a"), SHEX("86F7E437FAA5A7FC E15D1DDCB9EAEAEA 377667B8")); test_hash(&nettle_sha1, SDATA("abc"), SHEX("A9993E364706816A BA3E25717850C26C 9CD0D89D")); test_hash(&nettle_sha1, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("32D10C7B8CF96570 CA04CE37F2A19D84 240D3A89")); test_hash(&nettle_sha1, SDATA("message digest"), SHEX("C12252CEDA8BE899 4D5FA0290A47231C 1D16AAE3")); test_hash(&nettle_sha1, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz0123456789"), SHEX("761C457BF73B14D2 7E9E9265C46F4B4D DA11F940")); test_hash(&nettle_sha1, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("50ABF5706A150990 A08B2C5EA40FA0E5 85554732")); /* Additional test vector, from Daniel Kahn Gillmor */ test_hash(&nettle_sha1, SDATA("38"), SHEX("5b384ce32d8cdef02bc3a139d4cac0a22bb029e8")); } /* These are intermediate values for the single sha1_compress call that results from the first testcase, SHA1(""). Each row is the values for A, B, C, D, E after the i:th round. The row i = -1 gives the initial values, and i = 99 gives the output values. i A B C D E -1: 67452301 efcdab89 98badcfe 10325476 c3d2e1f0 0: 67452301 7bf36ae2 98badcfe 10325476 1fb498b3 1: 59d148c0 7bf36ae2 98badcfe 5d43e370 1fb498b3 15: 40182905 4544b22e a13017ac ab703832 d8fd6547 16: 50060a41 4544b22e a13017ac 6bf9173 d8fd6547 17: 50060a41 4544b22e 28a9520e 6bf9173 f63f5951 18: 50060a41 b3088dd 28a9520e c1afe45c f63f5951 19: e758e8da b3088dd 8a2a5483 c1afe45c f63f5951 20: e758e8da 42cc2237 8a2a5483 c1afe45c 90eb9850 21: b9d63a36 42cc2237 8a2a5483 7dbb787d 90eb9850 38: e47bc31 62273351 b201788b 413c1d9a 2aeeae62 39: 9bdbdd71 62273351 ec805e22 413c1d9a 2aeeae62 40: 9bdbdd71 5889ccd4 ec805e22 413c1d9a 95aa398b 41: 66f6f75c 5889ccd4 ec805e22 5e28e858 95aa398b 58: 2164303a 982bcbca e1afab22 c5a3382e af9292fa 59: 9b9d2913 982bcbca b86beac8 c5a3382e af9292fa 60: 9b9d2913 a60af2f2 b86beac8 c5a3382e d37db937 61: e6e74a44 a60af2f2 b86beac8 85b9d227 d37db937 78: c57a6345 6e9d9f84 666b8bc6 852dc41a ec052519 79: 72f480ed 6e9d9f84 999ae2f1 852dc41a ec052519 99: da39a3ee 5e6b4b0d 3255bfef 95601890 afd80709 */ nettle-3.10/testsuite/streebog-test.c0000644000175000017500000000650214633602172016747 0ustar nissenisse#include "testutils.h" #include "streebog.h" void test_main(void) { /* Using test vectors from the standard itself */ /* RFC 6986 provides all data in "Integer" big-endian format, while all * constructs expects the data in little-endian format. Thus these examples * (as the rest of the code) has data buffers reversed compared to the RFC * 6986. */ /* 10.1.1 */ test_hash(&nettle_streebog512, SDATA("012345678901234567890123456789012345678901234567890123456789012"), SHEX("1b54d01a4af5b9d5 cc3d86d68d285462" "b19abc2475222f35 c085122be4ba1ffa" "00ad30f8767b3a82 384c6574f024c311" "e2a481332b08ef7f 41797891c1646f48")); /* 10.1.2 */ test_hash(&nettle_streebog256, SDATA("012345678901234567890123456789012345678901234567890123456789012"), SHEX("9d151eefd8590b89 daa6ba6cb74af927" "5dd051026bb149a4 52fd84e5e57b5500")); /* 10.2.1 */ test_hash(&nettle_streebog512, SHEX("d1e520e2e5f2f0e82c20d1f2f0e8e1ee" "e6e820e2edf3f6e82c20e2e5fef2fa20" "f120eceef0ff20f1f2f0e5ebe0ece820" "ede020f5f0e0e1f0fbff20efebfaeafb" "20c8e3eef0e5e2fb"), SHEX("1e88e62226bfca6f 9994f1f2d51569e0" "daf8475a3b0fe61a 5300eee46d961376" "035fe83549ada2b8 620fcd7c496ce5b3" "3f0cb9dddc2b6460 143b03dabac9fb28")); /* 10.2.2 */ test_hash(&nettle_streebog256, SHEX("d1e520e2e5f2f0e82c20d1f2f0e8e1ee" "e6e820e2edf3f6e82c20e2e5fef2fa20" "f120eceef0ff20f1f2f0e5ebe0ece820" "ede020f5f0e0e1f0fbff20efebfaeafb" "20c8e3eef0e5e2fb"), SHEX("9dd2fe4e90409e5d a87f53976d7405b0" "c0cac628fc669a74 1d50063c557e8f50")); /* Additional tests to verify long integer addition with carry */ test_hash(&nettle_streebog512, SHEX("eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "16111111111111111111111111111111" "11111111111111111111111111111111" "11111111111111111111111111111111" "11111111111111111111111111111116"), SHEX("8b06f41e59907d9636e892caf5942fcd" "fb71fa31169a5e70f0edb873664df41c" "2cce6e06dc6755d15a61cdeb92bd607c" "c4aaca6732bf3568a23a210dd520fd41")); test_hash(&nettle_streebog256, SHEX("eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee" "16111111111111111111111111111111" "11111111111111111111111111111111" "11111111111111111111111111111111" "11111111111111111111111111111116"), SHEX("81bb632fa31fcc38b4c379a662dbc58b" "9bed83f50d3a1b2ce7271ab02d25babb")); test_hash(&nettle_streebog512, SHEX("ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff"), SHEX("90a161d12ad309498d3fe5d48202d8a4" "e9c406d6a264aeab258ac5ecc37a7962" "aaf9587a5abb09b6bb81ec4b3752a3ff" "5a838ef175be5772056bc5fe54fcfc7e")); } nettle-3.10/testsuite/rsa-encrypt-test.c0000644000175000017500000001150514633602172017403 0ustar nissenisse#include "testutils.h" #include "rsa.h" #include "knuth-lfib.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx lfib; /* FIXME: How is this spelled? */ const unsigned char msg[] = "Squemish ossifrage"; size_t msg_length = LLENGTH(msg); uint8_t *decrypted; size_t decrypted_length; uint8_t after; mpz_t gibberish; mpz_t bad_input; rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init(gibberish); mpz_init(bad_input); knuth_lfib_init(&lfib, 17); test_rsa_set_key_1(&pub, &key); if (verbose) fprintf(stderr, "msg: `%s', length = %d\n", msg, (int) msg_length); ASSERT(msg_length <= key.size); ASSERT(rsa_encrypt(&pub, &lfib, (nettle_random_func *) knuth_lfib_random, msg_length, msg, gibberish)); if (verbose) { fprintf(stderr, "encrypted: "); mpz_out_str(stderr, 10, gibberish); } decrypted = xalloc(key.size + 1); knuth_lfib_random (&lfib, msg_length + 1, decrypted); after = decrypted[msg_length]; decrypted_length = msg_length - 1; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); decrypted_length = msg_length; ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); knuth_lfib_random (&lfib, key.size + 1, decrypted); after = decrypted[key.size]; decrypted_length = key.size; ASSERT(rsa_decrypt(&key, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[key.size] == after); knuth_lfib_random (&lfib, msg_length + 1, decrypted); after = decrypted[msg_length]; decrypted_length = msg_length; ASSERT(rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, gibberish)); ASSERT(decrypted_length == msg_length); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); /* test side channel resistant variant */ knuth_lfib_random (&lfib, msg_length + 1, decrypted); after = decrypted[msg_length]; decrypted_length = msg_length; ASSERT(rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, gibberish)); ASSERT(MEMEQ(msg_length, msg, decrypted)); ASSERT(decrypted[msg_length] == after); /* test invalid length to rsa_sec_decrypt */ knuth_lfib_random (&lfib, msg_length + 1, decrypted); decrypted_length = msg_length - 1; after = decrypted[decrypted_length] = 'X'; decrypted[0] = 'A'; ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, gibberish)); ASSERT(decrypted[decrypted_length] == after); ASSERT(decrypted[0] == 'A'); /* Test zero input. */ mpz_set_ui (bad_input, 0); decrypted_length = msg_length; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, bad_input)); ASSERT(decrypted_length == msg_length); /* Test input that is slightly larger than n */ mpz_add(bad_input, gibberish, pub.n); decrypted_length = msg_length; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, bad_input)); ASSERT(decrypted_length == msg_length); /* Test input that is considerably larger than n */ mpz_mul_2exp (bad_input, pub.n, 100); mpz_add (bad_input, bad_input, gibberish); decrypted_length = msg_length; ASSERT(!rsa_decrypt(&key, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, bad_input)); ASSERT(!rsa_sec_decrypt(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, decrypted_length, decrypted, bad_input)); ASSERT(decrypted_length == msg_length); /* Test invalid key. */ mpz_add_ui (key.q, key.q, 2); decrypted_length = key.size; ASSERT(!rsa_decrypt_tr(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, &decrypted_length, decrypted, gibberish)); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(gibberish); mpz_clear(bad_input); free(decrypted); } nettle-3.10/testsuite/sc-ed448-test0000755000175000017500000000013114633602172016142 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./ed448-test nettle-3.10/testsuite/sha3-512-test.c0000644000175000017500000034637614633602172016320 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_512.txt using sha3.awk. */ test_hash(&nettle_sha3_512, /* 0 octets */ SHEX(""), SHEX("A69F73CCA23A9AC5C8B567DC185A756E97C982164FE25859E0D1DCC1475C80A615B2123AF1F5F94C11E3E9402C3AC558F500199D95B6D3E301758586281DCD26")); test_hash(&nettle_sha3_512, /* 1 octets */ SHEX("CC"), SHEX("3939FCC8B57B63612542DA31A834E5DCC36E2EE0F652AC72E02624FA2E5ADEECC7DD6BB3580224B4D6138706FC6E80597B528051230B00621CC2B22999EAA205")); test_hash(&nettle_sha3_512, /* 2 octets */ SHEX("41FB"), SHEX("AA092865A40694D91754DBC767B5202C546E226877147A95CB8B4C8F8709FE8CD6905256B089DA37896EA5CA19D2CD9AB94C7192FC39F7CD4D598975A3013C69")); test_hash(&nettle_sha3_512, /* 3 octets */ SHEX("1F877C"), SHEX("CB20DCF54955F8091111688BECCEF48C1A2F0D0608C3A575163751F002DB30F40F2F671834B22D208591CFAF1F5ECFE43C49863A53B3225BDFD7C6591BA7658B")); test_hash(&nettle_sha3_512, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("D4B4BDFEF56B821D36F4F70AB0D231B8D0C9134638FD54C46309D14FADA92A2840186EED5415AD7CF3969BDFBF2DAF8CCA76ABFE549BE6578C6F4143617A4F1A")); test_hash(&nettle_sha3_512, /* 5 octets */ SHEX("21F134AC57"), SHEX("584219A84E8796076BF1178B14B9D1E2F96A4B4EF11F10CC516FBE1A29639D6BA74FB92815F9E3C5192ED4DCA20AEA5B109D52237C9956401FD44B221F82AB37")); test_hash(&nettle_sha3_512, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("4345B92A2AB7EADB6A24EE1D175AC258CCF2F694AC09EC9D47399E4D96F61F30B322C5438C51BACD0D597D00471A41ED8E9C9F146BBC807E6BC385F850FBABFE")); test_hash(&nettle_sha3_512, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("50081C93BF73ECC54A5FFE43FC14F8BAEEDBE7DA0302AC984C9E668389886BD064BAB26DDCB616EB4E0E726042B19F3FD50BDD0D2C5B34892E00E6F399DE254F")); test_hash(&nettle_sha3_512, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("150D787D6EB49670C2A4CCD17E6CCE7A04C1FE30FCE03D1EF2501752D92AE04CB345FD42E51038C83B2B4F8FD438D1B4B55CC588C6B913132F1A658FB122CB52")); test_hash(&nettle_sha3_512, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("A13C951C6C51F236A0197A29A8994B1C7294E17BA518ED1029D6F54AD739D8765920281BBB854D16FBB60E0385AFD6E6E433E63AAA77E73B8BEE7FDE569D6875")); test_hash(&nettle_sha3_512, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("5A566FB181BE53A4109275537D80E5FD0F314D68884529CA66B8B0E9F240A673B64B28FFFE4C1EC4A5CEF0F430229C5757EBD172B4B0B68A81D8C58A9E96E164")); test_hash(&nettle_sha3_512, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("7C77E30ECE98EF88964458683C5E0287B5896E166CCCA71D2BFD8D8BBC6D6FE589A0225EB1D6AA7B220F1410C9A9EC0672CCDDAA1732C3E2877FB5D232C2A428")); test_hash(&nettle_sha3_512, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("F5DF5952924E933330BD5BD7627A62C3672F24A4991DADAF78816E023769C91D1910537F9C19FCDE60FA6DE927982DD5F5970F74E30F2B040F67348A3394C48C")); test_hash(&nettle_sha3_512, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("80A1317EC534ED48D8A813E0BCA0CEE04F705A2F86352306A932EDC548B9A8F1CF79F95027F43BDADA8213449C54F68F4DD800B15C4ABAD87AD7A3B371A7C918")); test_hash(&nettle_sha3_512, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("54C274C3DDF26D824F5FDFCB349A600890057EB2E2022245CBB8BDC0D2240CFA8348F02191FABC0E10F9287185211C9F569132EE6DDE4C396668B4BB50AEFC3F")); test_hash(&nettle_sha3_512, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("00767236A7352551B283A8ECF4C79274F8C4CEA553AB43FC71CF22FB2F6865AD02C88BF0092F213057340C85A5318F62F4991C00C63CB0558CBCF13D6D84E73D")); test_hash(&nettle_sha3_512, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("001618372E75147AF90C0CF16C3BBDAA069DDBC62483B392D028DED49F75084A5DFCC53AECD9F57DDBB73DAA041FD71089D8FB5EDF6CFAF6F1E4E25AD3DE266C")); test_hash(&nettle_sha3_512, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("9644E3C90B67E22124E96DFEDCE53D33C460F132868F0975D18B22CFD59F637DD85AA405E39808A45570A498C0B8F2CBA59F8E1437EAEF89F20B88298ADFA2DE")); test_hash(&nettle_sha3_512, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("4739994390728F4A938DF7B3201CD63771858453F0FF1DDE9A2B9C38A27A0F6C868460D00EE03DDCB0F063F5F8BB7CB0959B7A222259DA0F2C57FA400B50985B")); test_hash(&nettle_sha3_512, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("AF69A46527C17117E6DFF32CBA289EDDD1EECDA13E5313E46678EB8006E7639854C3970DFEB4D907DB1151C1C5EE25CA6F195B09CA5A5CC97A4D64AC4C75578E")); test_hash(&nettle_sha3_512, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("191CEF1C6AA009B1ABA674BE2B3F0DA418FDF9E6A7ECF2BE42AC14F7D6E07331425133A83B4E0161CC7DEBF9DCD7FE3787DCB6622A38475189EDFE1DE6B053D6")); test_hash(&nettle_sha3_512, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("A60D7587424B7242D93BCCE515F1C75AE2BE7710F72ED3F4E5EA8BC2BA8D64099FE42B88A295E12FDAFAB441D772C4A9A7D794B27788EDEA271571A04305F253")); test_hash(&nettle_sha3_512, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("09FCAD97EA3CB6B7FC61580DE0968D238006B7E71F0BD58ABA2AA9D4ADB855D7606E7632138CCC0AA065CA0B92422262E029DA17D73CD3011FF285706C7FC1AE")); test_hash(&nettle_sha3_512, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("F61FAAB080CF9A5F75407B081A03DEF4F49A601A2BB832E8C6401BE0C98B3CEB3F75C922A91BD5060B3217F737404EF4612B9A009B69CA648B1E37B2ED49229D")); test_hash(&nettle_sha3_512, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("51DE0A622FC6FC702C7C2DB5CCB05CA0DDF792986E44B4D336A7A5DAF19A20A371D9BF7DDE822ECDD0A4CE28E4A0B46FE51A2AABEFA7865807EF3D3B1887F14D")); test_hash(&nettle_sha3_512, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("6286C3DB87D3B45CFD4DE85A7ADD18E07AE22F1F0F4675E1D4E1FC77633734D7962818A9F3B96B37FE774FC26DEA787485317B9622275F63A7DD6D62D650D307")); test_hash(&nettle_sha3_512, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("8146C43A0FFE481872142F56A9CEA44332EDC76B4E99C2BDC39D7F80B2A6B554C7598F09855BF7ABC5E6C048BE76F5F369EBB2884E6E37F186E8719DF3D523E4")); test_hash(&nettle_sha3_512, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("4B86FBF9DFB6767EB660AF9C30983ED65B6FD051247AB54767DFB49530EB3C01014EB26DF63E536CF55E0BCE2F62654FB2FCE3839B4BFD301570B1AB794DF67D")); test_hash(&nettle_sha3_512, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("21132FC11F6040AD493D627027C752CE29816589DE7BE78562914B63D1A9219803DDBD9673AA749F37FF4D6E1B5AE2A12633BA8B0C9994E031EBF6C42E58A793")); test_hash(&nettle_sha3_512, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("8A5374D92FF9A58E0451E609AA5C0C5C172BB2068C80562D0324F9CB6A037436910C6593F950C44374B4E5BF6F6D3A436ECE6DAAEB56D147D8CD839CCA35EAC3")); test_hash(&nettle_sha3_512, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("71025D089A39D27327C46C27BD4E7565DDBF9C286F185A08178601C3BAB4667F368A3A8BDDACF25B2B0AA5C9E0CD6C87DC32C854027A8954B5C6AFD3A85097AC")); test_hash(&nettle_sha3_512, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("DC29EB7130812A652AF3FF9B77629684634502EA6667E7E9F80090EC2A9D690C8C9A78645FB04D9CD269E706EE2C96E74207FBBDA559DC285C9BC52F15A256CA")); test_hash(&nettle_sha3_512, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("B087C90421AEBF87911647DE9D465CBDA166B672EC47CCD4054A7135A1EF885E7903B52C3F2C3FE722B1C169297A91B82428956A02C631A2240F12162C7BC726")); test_hash(&nettle_sha3_512, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("D2A95C6FC0F39C8F7A86C4DD6261A79C940FCB313BCFBA9BF71527F5BC70EF827CD97DFA18280E5DDEE5CCBC1D63CE88CE2BCDD82DAB610F79867A7C20B11E4F")); test_hash(&nettle_sha3_512, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("AF8C0FBD72B3F807DB95C9231BC4E93153DC6608B22F4707316AAB3D69AF0E63291B569F118B5C9E693C5BAC4630C4A923A4743581246AD3446DDA4F9076FDDB")); test_hash(&nettle_sha3_512, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("BFC7D968D45342069807C5F1B96425CFFFE99ED136D47665E902E026C118701BB7C3E7FD691785115CFDB2EF235A66BCC1384A1D088B8CCA90D9D560913549DE")); test_hash(&nettle_sha3_512, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("9A348540AB669CDD8914426FBBAD192BA0DB16583E8D4E867B66CC78C6496E4D83DDBF7B972B0668DF7903B0FE9AB82B65153F947CF2AF2591121C9D1A78E515")); test_hash(&nettle_sha3_512, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("FFDB649D1AA7FF269B9BB0AE6192F7BCBC06612528DF0E68521D5C891E9BBA129271A07DC56393BB21218F5E2FB92CFFF833432066AA6380F3557A0748E65B33")); test_hash(&nettle_sha3_512, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("9665808D39B4BECFDD9AA8020A0A72CFD4F823A15D670D51278A4AE95507E16020AEDED6E6C0E2DAB0BAD890A9E7552403D2AA8D1EBC0B8EAEC9A3A8DBB2A9EF")); test_hash(&nettle_sha3_512, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("7ABA6B9F8F18D9D72B883EB988A5F4FFCC0217A3DA316AFF11B38976E90B0736CB000F522DBF2DDCBB61BA4BF44C356EC5B46FC86A5133F971A94FE2A9983260")); test_hash(&nettle_sha3_512, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("589C46625A6AC9A2C9C9A884F427C3C032887AE53A69932B72E1E3796BB9568929D163395A3AA8B2AB23C564937CD729206D9B62CC60353B68A69A739616EB35")); test_hash(&nettle_sha3_512, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("F7CD8737A1AB36B37612E57D1E5A3D4A269D18CF2CB7644A12540E3B184631794EC1A1DA118A109AEF514DB3590FE27BE0752EC0826ACAF458FB0A754BDC51F1")); test_hash(&nettle_sha3_512, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("B21BDEDE484CA18F672058667CB2F2DC922C44351E95C2CDA75AF7E45577BF50E3F203139F6262279ADFC3221B94A072641F8BDB55DCC02F21D0879EB5E7466A")); test_hash(&nettle_sha3_512, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("DB56265B9346968A390E9841D5B7878A158BAED946068E808E456735A67E49220FAB66239D5D506DD75A58F2C56E25C9C105A3827C1434C67255CFC9101A5D09")); test_hash(&nettle_sha3_512, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("4C825FD9A795CCD20A0892DA1572B9B1F70BA05FF2D2DA3A4726A74F9AB5323CCBC4290459C1BB46F0A1E1FFC357FF4766F4F4879DAA91D31ECA986AA30C7B00")); test_hash(&nettle_sha3_512, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("8445A05766A30DDD0080589F8E8CBF7EC59FB7A3CE73C0209791B19CF712CF1635D63C8356822272309C6B9F01637088878DBFFBEDB26D2A566185225C4DA56B")); test_hash(&nettle_sha3_512, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("2DC25165CF317ED7DE2B4F2FD0995D7785978CA8581EA8033E912F2E44EE613DEBFC5535C48D63838F325D1416B9180C20BDE82614504B7161F9860530ECA70C")); test_hash(&nettle_sha3_512, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("CB6110A02D7CA636463F6E3502CCF0173B000482C7E002AD9277C1D10317BDDEBC3DA7F91D0173E3E2F9552BDFDEA4DD1AFBF7508B096AAB1804921E95754E78")); test_hash(&nettle_sha3_512, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("7EF3A2894C6ECBC4201B15348F90671515ACCBA3C8166621F864A9184BF08C3F5A895F6B599D3CB41F20A8A1DF25AE84F1A6D7C8DE74FB7CEF48F7E96FDE8D43")); test_hash(&nettle_sha3_512, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("39C7AE0F80129D9D2980A6246E2B6F10A39EFAFD694DED12A6089509D95ECE506DC38C0A9DE487D9D401DB1F15193404911069533BCAE4C48C53F27BEE3CE0AC")); test_hash(&nettle_sha3_512, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("9B8A7D2F8519AD6DC3D2BC5B696B354C5A8B4796402CE1242C52638EEA6893A1269820A642BC9EFE56CD7E26DC46E97A7FC58FAF3F1A7A25F86ECDC1F2F17E64")); test_hash(&nettle_sha3_512, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("B5CEEF23F56BE807B616C7FDA4867A1D12D0A16845459FC704CE631AD3279AB222DCA7ADDAE595D289CBA8996D46655FA9B6BE58700302E655C51C825F31BB2E")); test_hash(&nettle_sha3_512, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("143D024FA75C8D46273589B8F78432D49EF14178E4AAA27DC366C9CB787F24B73F4197A722F13031181A6FA6E4F66127893DA7B23A579BB93FE7D737A4194093")); test_hash(&nettle_sha3_512, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("0F48D008DD3AA630E8261658A55B565B6773992426B08592B4C1D77A58B067F05E25974E501628A2DB632F2DDDD73673119ADA5674D0CE92C7AA908B9E9C435E")); test_hash(&nettle_sha3_512, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("297498639FC7AA4152654E468E08F29AFFD7061D44E3F532BE4BAC169C877A2EA7B4D70D6BC0F678BE08AA064258EF57111310D13B889712D06530B690841DBE")); test_hash(&nettle_sha3_512, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("1B6DA16151FCD18383372683480119A304796B2A5E54F7EDC6C7BC86817359E73F6FC5587C77BFC71B56EC67905FA7F15193F9F13CFA190BC7B05503A5782C8A")); test_hash(&nettle_sha3_512, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("B2F40935E7C9018814C4E2721D9B5AEEED3370690378E472BD29F227442CA4942B06189C346FDA498123ECE59018E42C8B7EE38191F97789B4AA93223A8D80EF")); test_hash(&nettle_sha3_512, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("C8D242FB5FF1C6CD11A040AEAF35CC09E355A975E04DED1D8341878BED5DFF8BBBD1B69F4D122CE53309AC08753B95D2A57721DFD12E70A8EF12E11E16DE0FD9")); test_hash(&nettle_sha3_512, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("D1D5D5DD7D196B87BE4A38F2D9B4A69DF9DFE0A6E8CE71B08CF22C7F670ECF273EAF395D12FC63E1741DEF113CC7104970194A7C7C807E5319D7BB702F20B568")); test_hash(&nettle_sha3_512, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("D812470B2D135B6E1BC0C85DC0652BF9F6C2F9EE707A2E667181CC9F689BC7DF9CC999B08716868AFAC78244B151B725A027D9250AB7A073A469E7F09BDB0B55")); test_hash(&nettle_sha3_512, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("203EF6BB5132A9D44EAE93C7202B1469C2C2B93706D0A31B29223C411A39550F60F39B9556FD040BFB5F9F7099313B8874C8ED677CFC5F93D9A2941A9B0139DE")); test_hash(&nettle_sha3_512, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("23BEAD09707A77B295FD22FE001282338C2D368302A05FB114BA2A012C4DEFCF06F3887D6DB7A0A1DE04BC399BDE92D6BE71904A9AA7B92BEDFA0203F1D8B06F")); test_hash(&nettle_sha3_512, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("93A8DB85774B321090801DF4DC3CC75E94AF63FF6DCF50BD210E5B65FB35E1BEAEDED55602EB32380726029834982D77B434E94179D0A3EE1059345910EE1DCC")); test_hash(&nettle_sha3_512, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("3B7D98FF3152B2024AAD4FA0B40DC642E842D453305ECEF278574E386172F3C164E4EFB9C2951A23FC73D83C16B4900FB92AEB8EFE06B58F918BC4A481E4C238")); test_hash(&nettle_sha3_512, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("EB5067BF762A291CF258AD69A816A0B089E0BD44F8E5B74CF60BCE64734E59853CCB8D091CD2E33F90AA063FB7942CF5965D459200144C1A0801ABD69A9A094A")); test_hash(&nettle_sha3_512, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("B0E23D600BA4215F79D50047BBFED50DF7D6E769514D796AFD166DEECA88BD1CBE0AFC72A41E0317A223225B4F5882F723AFCBA3AF7C457EB525946DA6C53BB0")); test_hash(&nettle_sha3_512, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("83021062117DA99327E521D7C91331208BF3F0A972A6C755ECA46760C0984871FE03724A51FB5441C3CDD3D24FA1B8127510D6A42CFE18B08E8096ED702EF33C")); test_hash(&nettle_sha3_512, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("BCA9F06B6B9AB8F76C4F3DBE677D5B4B3103423644484C77CDD8C5DD6C1A0BF717C76E83DA9B2B4EDFE4CC133C1FC86396E8C3A9E42FDD20519FCAA19969189F")); test_hash(&nettle_sha3_512, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("DCDF7617F79DA8475B3A4DB1306C9CAF87F1AE85EC97721892D8E20D0E54EC82EE7A0F2D17F21A61AECD89A6C4CF5019D7B8077447EFE03DEF5208010A8A1E84")); test_hash(&nettle_sha3_512, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("9B8C7142180F0ED85359B6D186AE05B77B2DB7C3E1F066392E733B7EEFFD7C11F7A6C0C570273A1F3FEA1A0929D017C7A4FA00175B5ABA76861BCA7EE806458B")); test_hash(&nettle_sha3_512, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("3AB73A0A75B997C0EE8329C33E6EF1389E9821711867F775AF29517EDFFBE410D037143C6431FDED3D8CE728086C3512E94F038B9243B50CB820DC2445535D91")); test_hash(&nettle_sha3_512, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("DEF4AB6CDA8839729A03E000846604B17F03C5D5D7EC23C483670A13E11573C1E9347A63EC69A5ABB21305F9382ECDAAABC6850F92840E86F88F4DABFCD93CC0")); test_hash(&nettle_sha3_512, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("A3E168B0D6C143EE9E17EAE92930B97E6600356B73AEBB5D68005DD1D07494451A37052F7B39FF030C1AE1D7EFC4E0C3667EB7A76C627EC14354C4F6A796E2C6")); test_hash(&nettle_sha3_512, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("635741B37F66CD5CE4DBD1F78ACCD907F96146E770B239046AFB9181910B612D0E65841FF866806EED83C3AE7012FC55E42C3FFC9C6E3D03CE2870442F293AB4")); test_hash(&nettle_sha3_512, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("D6299A21CB1B31F0A6EB67D82D4E738249013B75C9BCB4A4FE419036A6043A7103E9CA9B7D25759177C4B64001377093CF39F35C9B1625C6819369FA375FA49D")); test_hash(&nettle_sha3_512, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("07F0A184734BA4BB721F36D7B1B383F6BF99CD5F75941ECF1FF2B325F03AF970D1DB1F035975702093F59A7610BF054D12017ECD6109177CF061AB1496F87860")); test_hash(&nettle_sha3_512, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("89070B8B1E322CCF9D6307EDC11FC34E13874C4977DA9F6035D06FAF647D7F7D54B8250B541744298AACD4C54D9B41B4085DD35C491A461D504BDB42FC12F03C")); test_hash(&nettle_sha3_512, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("6C3FBE32556445DAD430CF15FE1243B6AB44349EEC2BE1132B0680E5EDF0B08B55F1ABE473439C5E0750132996195FD120C267B9100C47777B339132EC34CC80")); test_hash(&nettle_sha3_512, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("6AE3E656CF94DB10AE3C185362A6625CEC53E0BA4DC7D1608A3F2FCA3C4F31F89FE1B06FE9CA345E3F5E967A3EBCF6A1A16E24521D5C4690D9B642483AC7A896")); test_hash(&nettle_sha3_512, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("ADA8E78CE3E6D447BA2B7DCF98718FE7D43B38D68117E5779A41EDD8FA72198E3B3C1C0215925BC9D007FD2C355EDD668A0C27EF0FF89F76CF85363D4C9EE001")); test_hash(&nettle_sha3_512, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("3569D9A08DFB0001BE713940C464C119F5A4C1B9FF97D8297D04C7B2DCE2D684AEE16443C32E5BB2355AC8A336249D1BAAEAB4FBD04AB982D6B178DD0A5B5BC8")); test_hash(&nettle_sha3_512, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("1343E3CD162D7986431BABE66383B84029665691E36CAF97CDACA17EE9E97D74201D2A828D72E9FBBD5E07831D90F09EAF3C863BD102CDB1EDEBC8AD58A53ECE")); test_hash(&nettle_sha3_512, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("BBA01DBEA9660F9C2AD74460B67A82440701EB995143FFCF7434B5D2DE4E35C82CC757DF776D46199DD8E7355AEB1F42A88F6F0BB50FD239C73898156E4DDBBC")); test_hash(&nettle_sha3_512, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("3268BC24E29392DDA1677B7A3CE3111994482D17BAD1C150AC885F1D29C308657C69FD4F7CE5967D04FCCB920DACB00D0CE09536EE92A6664CB20E692D91D8CE")); test_hash(&nettle_sha3_512, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("EC13E390FA65FDC11054E32C9F5BF5E6E97FBC34C28089346FF22D9762BEBF6A14FA7F9C2E6643D1ED7EC6925D0FA2098F8149058E99D02AD5CB61B4CCBA6467")); test_hash(&nettle_sha3_512, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("6FD5A334D4B7F9C72A8DB1292CC8F19BF2A00F5C226C1636248024723CB876070A9657F48AB3B1D4229202B7BBC64053A48C3FF6B93AB11A2AF3237721C9CC09")); test_hash(&nettle_sha3_512, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("016C80CBABED07C50F2C1B677C43E52DE8D11751E54E596E0C04B3837A7E34A9FF5D2E98E7C58182879C15847D18DCE88EA900337BC448112E98CE1118820C58")); test_hash(&nettle_sha3_512, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("A4E85FF86482C10C6AAABC79A573CBF89A0A927110D755F22B529BD7CF3F6CC6CB9861E509657242A78B0C0AF78FF97ABCC1A8388270D6C8D302D45C9BA58404")); test_hash(&nettle_sha3_512, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("B97AFB77D39F8904AE8A5129A7DDC8EC9290AC40356E1B53DD057FA7584BA31AFAF9EF5B657097FC115EAA33E7EDE36DD00832D677EBD07C34B071E73580DD3A")); test_hash(&nettle_sha3_512, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("AB2FC59A43A2666C9206B9317479285E660B670C6F111F999556E8151E0EB8D12BC82C9A7E7B3F8D6F382A8D96775EA417F754FF552E1BAC271FBD08240F1B86")); test_hash(&nettle_sha3_512, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("0A673AF84E2D2317B80A873BFE38B252872708B38AF9B956E3554AC2DCE2F77C815593D99930E7AA666C57B59730712E5C4A9B57849EDDD712A378040EB824D8")); test_hash(&nettle_sha3_512, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("1D34645463EBBD932C730E593D9C108AA86807DB6785F05C4CE80F3E8302F87EFBCCB1AB884E25F1DCD5485D385502995E7ABE2EF11BD3469E036D7EB93B4F39")); test_hash(&nettle_sha3_512, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("3F57FA915A782E3CC69815BA219F42AA2C222CD7F309F10AF843384B3D3939AA0B92DD9571686C7961E06BFEE818127FC5B5F32C67F4AA2AF10D4FA38F65E90D")); test_hash(&nettle_sha3_512, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("151382CA35FB20B895A9DC074D687F2F335EAF57456D357A685EF752DA59174D3F239AA9E04F142138D9413B21904665EF4DF2F63E663B490383660481F78362")); test_hash(&nettle_sha3_512, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("23AA4B74C54E8F450054B6ABDBC6F6C3E44366AFCEC099B155775DE040BF3B9CDD0B875F9D490FAA694F18CCBFFEC6CAB7DE57A59EC6327240AC59D62D50B21C")); test_hash(&nettle_sha3_512, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("3605CEC16A7AA8B2525479FCC1295411B6A952DCE233C9ACC856D6D17C9812C920178500CD0028B5998D07046C6A5CF398EE1EC97DF9182C33FCA86647861878")); test_hash(&nettle_sha3_512, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("C5A526D75816D41B53BF164B0467E0B80A9984D1830EDB9D49F7EC3ECFEFB01A2C824A0F645753AA463D567CB2782AFCB2B2C2102EA664C56998F79062636FC1")); test_hash(&nettle_sha3_512, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("B239941A31100AB1B24AF2D1FEF149DBA300105A31B72A8F217E306A0602D722CCD593A23E6539D3E4195A7E12CA19AE2BAE8B8399F7A9D50DB30216E973F2BF")); test_hash(&nettle_sha3_512, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("D6AB0D0B416D1BBC85479F9850585761B91775A60307AFACF70943FEB58657740FE35DC760AB9CFA672C6B5552AA67BFA1F0D6A6F943B3912C229B8E0155C002")); test_hash(&nettle_sha3_512, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("BC0A28450368C288013E2EB1196E58933CE05869CB55FA2BDA61D9D92F83B903E59DDE0B927CA6DBC46F5AF2EB7E8831E8668888BFEA46D78F4D274818D56328")); test_hash(&nettle_sha3_512, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("7820A20056DF741E19FF4D150663488CF86F936353E99E25B93220F5230BFBC13363B458D6DB92F9D211D705362B01782EC118ACFE53BAE4C6AC2C7E5D0111FB")); test_hash(&nettle_sha3_512, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("0984A43286A3CB22FB59F7880E114E23E3AD3B0D43025F3987D0AA6FA8E53E6066F80F4769241DCD062431C7F6712C57C6E3275ED3F2BC591DB6DC20E5BE0953")); test_hash(&nettle_sha3_512, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("A6300497F650859CD744679885CD5437A64CC3961574DCCE65E1611616A9F97190F39130BA532094BD62464D0B8B52297A2C9C279B2C9860C072CD44449A9CDF")); test_hash(&nettle_sha3_512, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("E2052884D112238807C02C135247F76E0E394BD6583BA83ED2731CF68F057276272B891A761CDEC6D8AD2E3F33E86AE9D9A234682BCE7A53816235692D2CF821")); test_hash(&nettle_sha3_512, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("FF6A7D0EFEA45E5F0ABCB173FCE2BE76B52D0F3FC363AFE31D219472742D73E56CEE2AB91A94D41335C4FA25CBDD6EBD1A087637CAA25099D5A9D60693CF62B9")); test_hash(&nettle_sha3_512, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("4183F96759E7C0628F2FC81979274F42111A43BD5DBB3685BB21704CE6B0ED3D164DECF28A3A991B303E1D7B86E2B175BA89945A8524F9C9318F12B160A1E4D1")); test_hash(&nettle_sha3_512, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("940C6F0BACF11E4B045F432003F889278709F9C3D8E420C9A17155F57E776D72B4306BBA4ADF721708F6EF457444AB12238372E207AB41D5EF5A68529ED0B26C")); test_hash(&nettle_sha3_512, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("172F0C680310375156911C07B1819F0B9D124514EC2C3750CB2E39926A28A4636AB7ECDCDD9D6A960D16C864DD585645D87F145C5B315381F356656D617FE97D")); test_hash(&nettle_sha3_512, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("410DBAA5E3453F2DAFCE135DC014F28FBF693C84EB7D4BECB80A3DB32E16E89062B3FF59C1DFDFAB32D84D20284632A2AC7F8F88D4B7023F879463BA18FF6553")); test_hash(&nettle_sha3_512, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("F93A099159C39617B75B188D527FC4DB287CBB4FDDDBA5AD4DCB4CFFC4DC59762BBC41A58D3A788EAE152AEA024BC4CC4F29FC7B8AB68065A68650A04B51818A")); test_hash(&nettle_sha3_512, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("05E69984EE99AA2BC851083AA44EE56FEEF86C45888867CDCDD0C7A8049080AE7858B93C19953A881BE5C036BD8FE83628C2E3AA9939A288B4AC4BC2876C2FBC")); test_hash(&nettle_sha3_512, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("BE22F3E253C2563C3353E693D2D5A65DC6BAC2CBCDA8E43E8584F9D851E602D4374936403FD688F0135E363DE8099F249DD21C61695C109C27ED5F4F4C1808BF")); test_hash(&nettle_sha3_512, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("1D1836C4E2C3EB27A74A9CD600C064391BD9EDD45464A5795182C8794748BA51A345C6FAE2B91F5758401E4F427D50B6882B1DF0977976C2C9432C1A9B3AE03F")); test_hash(&nettle_sha3_512, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("CB0D33C173C765BBA3714D56A4CF48FD6320AB8C5317E7AB1A46472AFB756232CD27F51473DCF9BD7DAC1AA7F669353FD8F3D27D17D3FE3EB3386876ECA38A85")); test_hash(&nettle_sha3_512, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("B579AD0C750B91E0671BB7F0482A519835D155AE1A4DB92112E66FBD158835E0C29E2F122A8C54C530F92633F6EC7B222CA3CED45B4B5A24426D99C59C1B6609")); test_hash(&nettle_sha3_512, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("689C878D8A44C79EAF0579DC96C0E7FE7D33491F59A6058BEE60E14B8006BDF6A6070B2B6D3BB6D7C31CCAE09EC403DF49DD12BA72C8532A8E476B4B415D8369")); test_hash(&nettle_sha3_512, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("4E4DC49E414C794A4B6D8D2093FEAB46D91321CFD089B1FD8CB5154F3E342645F6233A9216DB04F080E5AF8B156E782AD16E0B15D814173E78FCF5E7CF8EA51F")); test_hash(&nettle_sha3_512, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("2C8F456F9091517CAFA9DF1D09EE621EDFEB2C00DAB944355D592DFDA128F837228578E3965D3767959D3CDDE4E7B67E02241F28C5417E33EA74E39032F938EA")); test_hash(&nettle_sha3_512, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("3AE18402AD4123AF1AD868450591C46F66431D422A29D932DF94AF9AB3E256F806575B3EB0D24EDC7531725E0336847B2E571AE667B619A9D79A3E168948AF5D")); test_hash(&nettle_sha3_512, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("6F3E1294B67D875165FD09DD493DD55924E9E28E53AFA2DA80916D7D54E19C1705121D617E53F56EBA4767D6435E986FEEAEB965EC4956FD3C02DE1288FBC661")); test_hash(&nettle_sha3_512, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("AA3398BC7DAEB4F22CA6D1937B0C6097A49ADB6DBC03FC0F5226A644F217296BF55747269B861FC7B22BC5956CE3D8DA28E9F25D8C9599BC653CD0EE0C852473")); test_hash(&nettle_sha3_512, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("8BCBBE36DBE305FBB558EA46721D25DE7AAB7898E583E8BDF26701224387C524C683475C242C7DE090608A4F17663D217276F94F4188B942A03039B5E38D6AE3")); test_hash(&nettle_sha3_512, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("4782DFCAB650E7A8DAE9A010CB002DD0373BFBD31247FA9860876D7FFFD2D57C355F2054CB2EFEB45C5871F284F46B025798344A3719EFAB34D15152DD0BBC6C")); test_hash(&nettle_sha3_512, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("A4D538E449E2B3EBF9AAFC88D29E514BA0D2C8DE2706F3F6FA5A2C4F95F5DB5BAB59C1A69C16E4859A19730ABB2E6BF06152445EDA80E3BE5CE652023EA57E5E")); test_hash(&nettle_sha3_512, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("8732D243F1B3349F900DF430659B9AB9ED99F626AD35CB2084B57D60E5A5B47213AD213859CD40964C5A267C236D0E38167525F778E67E37D4F623A8884128ED")); test_hash(&nettle_sha3_512, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("97DC2606E14F7BFFF1FCA497965E36CAA3A81CFD6459D0254529F64DA40FFE7442C08A151D6CEE3B46BF3414E80110A0F71EEE44D7940027DEE90E919E498D65")); test_hash(&nettle_sha3_512, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("DE5978EACE4E51F7D289F2BEFBECB3AAC8E9CAD48FA0F7310C673D52BBCAEEBDE49CB5A76D334D6DFDD51AC1AB24E9E1CDC915069DBDDB3D2E30B0B0C26B3EE1")); test_hash(&nettle_sha3_512, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("33ABCA29A8A7094CFB10BE4A80E81F8001EBB933C0D4B98A695B22AB553F94F07646ABCE6ADF491817D17B78C40747D56FAF88A613138CA0E596636C672397B4")); test_hash(&nettle_sha3_512, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("4FAB45806B4628068458B5D0A2D4BF101B8BFC9276EF86AD5D883765C43F72CE8A5F7B4C5B535A915130BB185E699AB62228014E54DF790C0E93AADBE7E39E19")); test_hash(&nettle_sha3_512, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("5F0BFB4146910CF0C320364B6AD8A02B0966229AB2676D9670F0DD241E8104DB02797EEFEA0B9CABBE90A44757B033755925B2FCCF3A00054F9AE8FBCEF752A8")); test_hash(&nettle_sha3_512, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("D38EF3B12EAA0BF62A75B6B63CFF3C9EF171DE1B75F5D02629365BCFE65BA7DDD30FCEF7FEBB82F19F9BEDCC1CC4C679B4292EA62C2A90A7562DA9A1318FE278")); test_hash(&nettle_sha3_512, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("60C95C274F99B8643A186344BC01D1279010BE55D1BE76F4E6F919F6B54D335EE0E1CA92133F3D7A2520CD82C4000E15EFED8D8A66F31B16B0977C63DE1BEB05")); test_hash(&nettle_sha3_512, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("9385D0ED9E73498E24B8C6E746A1C6BE8011EE30FCAC9BA17224EE2012378522C78F8737A224621FBA19C42040C5C7F38AC07B40E0E75EBC59D17975EE85D655")); test_hash(&nettle_sha3_512, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("7487164D408874AFDF07EBDADE8C62E756147BEAB3238B8738AEED927F54FE6D33AF3917D4E181B50CBC88A379C73585F9FBA4C1B67B4BE449004EA0F66D11AD")); test_hash(&nettle_sha3_512, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("0F41AB2D10C51E28638DAD178655F160B2F753DB44EED6CE4104693CC4A938D887617774AFECB33B890EE7FC577656CE168EEA42C604D152B952C9B772C9B530")); test_hash(&nettle_sha3_512, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("7575A1FB4FC9A8F9C0466BD5FCA496D1CB78696773A212A5F62D02D14E3259D192A87EBA4407DD83893527331407B6DADAAD920DBC46489B677493CE5F20B595")); test_hash(&nettle_sha3_512, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("2E293765022D48996CE8EFF0BE54E87EFB94A14C72DE5ACD10D0EB5ECE029CADFA3BA17A40B2FFA2163991B17786E51CABA79E5E0FFD34CF085E2A098BE8BACB")); test_hash(&nettle_sha3_512, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("BE8E14B6757FFE53C9B75F6DDE9A7B6C40474041DE83D4A60645A826D7AF1ABE1EEFCB7B74B62CA6A514E5F2697D585BFECECE12931BBE1D4ED7EBF7B0BE660E")); test_hash(&nettle_sha3_512, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("6C7E64EE0D826073D4F44BCF1586A83BACF3E2E138DFDB65B8B8B35FD7DAE300EA6E32C6245CCA27C674FEB2196755945AB7C5DCE99EAB9158A75518AC27C431")); test_hash(&nettle_sha3_512, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("5842D4DA2C309D9B2AA7CFAE702262F770A8E646620D65C17271416E9D7981FF93D228CD60DC1CC16921020D841E439E87F085E503D466C904ABF8CDD5ECCAA9")); test_hash(&nettle_sha3_512, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("F8B24527B5C84CA9A702DB2F535F78ED0323C2932A255DB24F872551CA7F5C0482B3690C62EEC8AD69308DB2D72308C4D615CDE3835B39B4F6FF115466F32763")); test_hash(&nettle_sha3_512, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("08C6E3938DE48171A99646BD090B7D53FF422AE63F99850032BD131AC7BDFBA8F83466AD31FAD3169D8A320FD9548BDFF2C40BA20E0D031A8054019C40ED2662")); test_hash(&nettle_sha3_512, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("6978AD4BC4F0FC44C35C6691CA46627D840BAA572DE9B0216673C988197191CDF812CF21920E052CC9CE1D507D1BA7DB6F151D01620ADA702DC637BF90809C19")); test_hash(&nettle_sha3_512, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("3A8E938C45F3F177991296B24565D9A6605516615D96A062C8BE53A0D6C5A6487BE35D2A8F3CF6620D0C2DBA2C560D68295F284BE7F82F3B92919033C9CE5D80")); test_hash(&nettle_sha3_512, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("FE45289874879720CE2A844AE34BB73522775DCB6019DCD22B8885994672A0889C69E8115C641DC8B83E39F7311815A164DC46E0BA2FCA344D86D4BC2EF2532C")); test_hash(&nettle_sha3_512, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("AFF61C6E11B98E55AC213B1A0BC7DE0405221AC5EFB1229842E4614F4A029C9BD14A0ED7FD99AF3681429F3F309FDB53166AA9A3CD9F1F1223D04B4A9015E94A")); test_hash(&nettle_sha3_512, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("26410E1A0D1E3659438DDDB2953EB3AA082CEB02A327FA0098574D89F9236F5DFF9C17DEF37F6CE4B5DC1EE5F23F578FE191EE8B51F1B8034BCBBBB7B6A500A5")); test_hash(&nettle_sha3_512, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("5015DA2A2E1661D3A52A65D19F02933029839F72717A77B5045198665093F944CFF85E094D418396A51C574157EED9FB6BDD4ECA53278FAB62AF699B53C82F58")); test_hash(&nettle_sha3_512, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("B27828CFEBCF4D896EABF1F84D079827B7DCC7F308A20476474DE518829A89AAC3DC50272CFA976B0B5819C45C9EEFC51B87A27D11C9E5F9579121125A887542")); test_hash(&nettle_sha3_512, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("42FC06DCF99B4E804BB349101B46D6A6A7366E47555406EA554248BAEF52E17AFA40829F5709D07FF407881DF106F156CA735622B0F051D8C372F6E811CDAE25")); test_hash(&nettle_sha3_512, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("0CA89C9B7273DE384FF33F1BACBB8505628C4D3E30350B335361563AD416ADA523122D37ACBEC57721F7BC5D9B049E1F4FE3C4CFE047E33A0E448EF5D5536CF0")); test_hash(&nettle_sha3_512, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("78C59A8CDF4D1D07A66BB2FAA7FFA2112D5C0FCABF7E3589E97623BDB922AF9AF24918C2CCFCE2B880BF64145C70DC9A4FDE78FDF0918DD2CE5FEA9CF99ACD41")); test_hash(&nettle_sha3_512, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("CF4D52D20272DE014D367310775287EE5E5CB34CF9AF78E65D1D1FE7FB1F13B62DD9B83C382BAA6AB4F6949478C8598FEF78E8D535311FC19808CB75E22DADED")); test_hash(&nettle_sha3_512, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("33D632E403C9F9A9349B28AA4821A12B1DB557D8928003D30C57D701CFF1C49BAC9472CECFF450E4D91D36C6CD78221790EFF6F0FBF498034014CBBACE5DCF09")); test_hash(&nettle_sha3_512, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("954C709ABCB0BB881592D93F5C2463CE8C060AD1DF3053302EA7B19F2B47BCF0FE359A832F9A865A8D3DBD3BE598DFD6D0FC1C574ECA0AEC78D8E3288399BE05")); test_hash(&nettle_sha3_512, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("A337062F5E5C9C35341A51224F2A59E6CF919A63BF59A6CFCE261194BBD660F28C2948D03CDCE5C7C151EC05B42AADD83051A16A62F0C7DF39AAA4EFC82CE4D3")); test_hash(&nettle_sha3_512, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("43E9D0EA8E526E83234D7B63D8244C7E7B12AE2ACC8082F986367268F10156574300172873845B207A7252624246E7D32CE0F7282E00C4552F6180F34E590E2E")); test_hash(&nettle_sha3_512, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("F7DA8D1E49D0D964400EE40F9C88E07025A8B0B00CADC624A63E2EA85B1598E22C8802BE0C1FF368519549A752E02546093D3B984E24600BA2AB7C792B9E074A")); test_hash(&nettle_sha3_512, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("D9A42761F980C78C36CF54C4207B0A62954E15A907A7CEA149B37A4E0A6376202FF8F12E16EBAD3AECC7FF3A9D6AD093B068DFE272E3B9646B1AEDC04961DC81")); test_hash(&nettle_sha3_512, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("BB65D8943413CEF89FDB05B35A55EC7503E4546A50FC3ECC825DABC1A1DAE6C771BB197F323625877E0BCCAA41253C99B6692976B99FC687B0B6B3E9AAB478C4")); test_hash(&nettle_sha3_512, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("540DF22180B69B9A83306619B2CA8CD8E07A34BBEB2219AC7CF88B468A947C4448489B303BD65506C9E1CE59348A9D863AAB5154848E95B5389783F6F5FB6AD8")); test_hash(&nettle_sha3_512, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("062E4A11A79FDB9CBC3A0E4C5F9875CAAA568BC713066E02D2A9CA4D27886CE23F70083A2BF4D0E7C55B120FE6D197203DC1C2FD3469112A08836727859E1F83")); test_hash(&nettle_sha3_512, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("9E1C6EE0C47B2D2CB77F602CAB53AC4C69C69778297894554196CB58060332C9FD8923F45C4B8EC26E16A5D04E6307FB99850A4540EA83E3F2626F3343E97225")); test_hash(&nettle_sha3_512, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("F18F0B072A6BF608A6C7420E891BE3795A6D19BA3E1276C826F1AE775CF125E428AE1A397CFD074BE0CD24F7100F51800F14471CCF4F485A6571E2B32E02611F")); test_hash(&nettle_sha3_512, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("2859A3165F38CB59DE4275658BBAE9A0AD647D972CF98FA0EEC4C07EE75D576DBF9F5DD19A881DB4E4F7DB31EC0D77165911329CBE8A46D14D3EA7FDCB8A5C80")); test_hash(&nettle_sha3_512, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("9281BD03FE95545E5321A91A0AD8FA75A005B928C83450DF657419870C4E980E32484FCF1F598702ED20404FECE48A2EE9DBCF22120654AE402951605BED197E")); test_hash(&nettle_sha3_512, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("6CA7023E20735624E83995A9E8AEBA66B9BC8D0A30DF67108EFF8AEDEB3B3CA484457BD0277C2552CBC7D63DC87EB556F2199C54EA73BAE647764DE18489B1F1")); test_hash(&nettle_sha3_512, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("A965E699C1FFAEE369B3651C3A318582AE329AE51E6CCFB5275F58F748CEDB8F6B8434FAC4A1135AD9B555AA8CC1FF99A2220CBE83BFC1C374FFC927BB00ABD3")); test_hash(&nettle_sha3_512, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("4B44EC2D1848D0EC43AB0793390D24535F3328AD23C5F8FC43F5579BD16D84BBA08B233B0B5E24E22BF6CA2DEFEACA16BB98F8CDEAF26EECF2FC94AFE4604CF4")); test_hash(&nettle_sha3_512, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("73169F0BE264565E45FB8F4665753E55F240846EB0D481CEF0274E4A3D859521767D9F675C0628DDCE155267BA686F2142805713F20C4C25E0B24398C65E3480")); test_hash(&nettle_sha3_512, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("9E1C196CB73D1EFA288D63902C64CE1A340BCDB8197F4AFECB1118DADD0D076B5FB7F6F809666CC58D2A8C1A68C65D0E91554C41D083F56D7B3DD37DF1B6C494")); test_hash(&nettle_sha3_512, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("0C429CC164253C09538668135C9436FDBC79DA8E1FBE92E7BBC6EB30627591E7347CCB43F7AEC2D37FF3DABCFC9FA0C80629937C0C177C1C7ED0FC76A15DF075")); test_hash(&nettle_sha3_512, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("700112FA90A1A2FD039A41B6485401634E757840E422AEB4A236634958192FFB2F2DDFA2253FC1ECB211C7E036098B714E62F7BF2B6975B1E95FAA9B8D02A73A")); test_hash(&nettle_sha3_512, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("901C6D85509F01A47EA2E2792A5DB728EA39E5703EEDEAE41365EDF10A866B922B1093E52E687E312DB129DA1F053EF6848CB0B314C9A3A999EB3E75E14C9CC2")); test_hash(&nettle_sha3_512, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("4CC9A61FFE08984417712B80F962365AF36ED66A8AAB2A788D22A5C6B23962D23584638E712E9183C0A271383DB0877F722D399116F9BEF79A56AB096EF21749")); test_hash(&nettle_sha3_512, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("B36EA56BB6BF80D91D5A605F8409AE6B7D879EC40815B35C664CC6B01BF6C718AD464F15C34DD1315A79A5456B6C3F8ED89E60390BC71EF747E12CDC77706245")); test_hash(&nettle_sha3_512, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("8ECB8F622DAB7087E9A95CD0341192FEA6B1C956DF9AD3DED823948B7849C4F3150C9559520953EBDE98ED76F6E43BFE4FB25FDA712525C6D3DAA80323BE8E4A")); test_hash(&nettle_sha3_512, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("519215DA34ACFCD62DD617ECD5978365417D57C2671A7B48655B89F448B23B128D3AD04910A1BBBDC00E954A1E49765176A8ACA4C37D56ABF0E0B72E331A8D7C")); test_hash(&nettle_sha3_512, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("0D1C1AD4E1CFEFEE854C4A739A0342E39D700DBAF4891978D7C839E87C680717D63AB4AA1ED7EB657CED9F8D2CF47204262E609610842FC5B219ACFF7EB188C4")); test_hash(&nettle_sha3_512, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("0A5D9EF40BA2B98EDBD7918CC6779483A1A00BD94CC1E1495495CAF6CD47C6239571C3828F4565A0D53786781D712C10EF7333227F651974628887D442A5EF9D")); test_hash(&nettle_sha3_512, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("EA83DE9AE057701F6EC68FF67E92E0334C18EBB79AF1953C2514408D58E69F105441642A1D5B7D6010F7CB15D131DD531855CA337A7B0B794FA6D6923F017AFA")); test_hash(&nettle_sha3_512, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("6651C25D33D10B72535F1DB26A1DFE2EB99CDD505448018589B5B88B7CAB63EB439C31A474C6F1191DF14EFC7D0665CC7B82A7DC54A7C6B0C2FD1F75C30D6872")); test_hash(&nettle_sha3_512, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("A754652247F7285CE2DD8A10035C69961E4F9C025E1FD087CBD3126E049A9E832C3F3A491FCDE338B8C01946CDD7DEC32A8FD7ED1CB3045BCAF3398905B1BB42")); test_hash(&nettle_sha3_512, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("FC1127F6650F32638453AB773F5CE60F9F6165BC9928EFF18C7A3281540C7A615D2D62A92E557D4A1EC1229E84819D2DBF06CED4DE0FF90040ECB961D678E181")); test_hash(&nettle_sha3_512, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("43C21BCCAC7ACEE8ED437B874ED7CDF20EA2E9DC98AB82124610DC4F8416248B51309045CDFBCE92EFA9E56C5B36D6E5D27580319CE69C22E5D6C87E551EED4A")); test_hash(&nettle_sha3_512, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("893934B8C630A9BF713C64FFD1128EAC75D1CEFDEF6642FB27F20CB56694C2FA8BA6EFCF3E0E56C7789CFAAC6B2F7B247DEA8367FFD269E74B9CDFB0537031EA")); test_hash(&nettle_sha3_512, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("B4CB58D8497978916DC362D37ADE12C7A0D8FE3B08B370659B27218291E04EF343095A91887B040984CB80B0C8611FD12C18EAD37B95320D59EDDB32113E42A4")); test_hash(&nettle_sha3_512, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("35C3F8F0DC28608EC942CB6287482219B42B2EBCBAD92B4C34E77E21B7D93B0E85EBF483DB2D4A979C48E58F746AC3DCF563CA7E1B2940371D8D83BF0795EC45")); test_hash(&nettle_sha3_512, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("B90E0CC6BC53182C4F2D17AA51391C8250C3032A12DAF2FCC641B49AA81ED9449403567B75D4121376DD8CC2D2BDBAFA456308AD7C0C13BA85619D75350727E3")); test_hash(&nettle_sha3_512, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("99497355AE1791799D11536C73605CDD1496C74E3E930B6272A103C3AA8C984D2D74B01AE72C94F2A4D3A069EAC6E00984D21EAE3DD7B32AD082B396601093BA")); test_hash(&nettle_sha3_512, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("C98265396F3278FC532125DED097A6851FC5BF37CA32EC26F43E64874241309F568A217119BA984C54099F8899AC94B7900A4DD9D3877E18371F5DAFD1921F08")); test_hash(&nettle_sha3_512, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("FC03BE193A5ED0E6B3502661C2D9E4E2A503CF3FDB231526A90C3C4C26089C787EE6CBF50D90AF61C17C5DF0B29C373B426740CD0D6FC370DE64EB2164BBAEB2")); test_hash(&nettle_sha3_512, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("FB9C3A9183B6D251BF61FAF1843455CB9C1BE35EABDC131D5BF38E98337934968291E9D6DC104374BC234FF22CC23CD6F338E7A3B019CDC9DF6E3750B6B01FDE")); test_hash(&nettle_sha3_512, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("F7965B71198636F162D5A4E08D73E8C8A9AC1ADDBDFD7C180C489CCA7360B3FEE3A4286154460BF867923B348BFE32E79D9139A0CB52C46FA20785FAEAE0A8BC")); test_hash(&nettle_sha3_512, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("5337477487A0AF43EB7B995293CA2BEF6EAB2432B1333DCAEAD7064406E22861FCEA623FD8B85B30465787352A36C943610F1458FD22E3F55DDD195A6ACAA374")); test_hash(&nettle_sha3_512, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("28AB5C6298A602AE51EEEC4080245F7CA10F9A8C304F22B5AA88D0E49226C01C2FD3CC5D8E99309767816E4F6D52719876065495DDB61DD113CFFF06B11D8604")); test_hash(&nettle_sha3_512, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("2AEEAC015D93245F6BF727CD182894097B902CD407D7E0DD06DA1A63F4451C657FF39F925E7C8A894AE593D11EBC2D5D1DE3D9A18018806719277D993F7FABED")); test_hash(&nettle_sha3_512, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("D0A119617B7E30C2A85ECBB3BBF325DDD589431C8C2E2F9FC6E324A6ED8BAF11870A80556CC0688FEE4DB70F22B9424B4F37A0F1E7EA314684DA31BF473B3F34")); test_hash(&nettle_sha3_512, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("1C88789885DCCC9AE81029ACF0B6C9D083CDB9774C345F1C755E54C45E9AF63A70DC2ABAEFEB1AD416F1BD3D9B69D4C4404D22C85E636A4703769C0112B550B8")); test_hash(&nettle_sha3_512, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("F52D7DD7FF248A1BCA7B714F14A79DF5766FD67C0031A471CC509F3516D7C348C33F7D4B1CA331B9323896B7074E10A891CEA851F9AC20245812B8CFAA556352")); test_hash(&nettle_sha3_512, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("A8AEE42A77C9B6387DC97319581959D9BD878D061487FD069ACA04D6F84D347E23587A6C7C56329B2DF88C56C7100ED51ACE5B5F778D65478F059CAFD6C098FD")); test_hash(&nettle_sha3_512, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("4B961C4BB6035E7BDDA2E1A3B6F9CD52D1789866044C4A925693BEA88F65D046238BBEB4E7D3B060E47288041407392B291AE610BA70D6B4D64E74E7A7D0256F")); test_hash(&nettle_sha3_512, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("C0515B65B640B3FFD0A1582A54F4C8FB35C109B7FB472666E043D3C00AE3E0E0FA156C4CEFB46B5B7B4C0E480623E1A26018BDAEDC3E27D9C0D44C3E1D862015")); test_hash(&nettle_sha3_512, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("45C584564D9E0B8239CC1284939BA407A8E5E981691EAB6A04D9354C9C855E400B3037151122CED237636E61A7FF2905E0213A6D07306C459E2189E3E6A9E0B8")); test_hash(&nettle_sha3_512, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("136723350857E03756F02E60451A28E711611927B8136DCFF3E567DC618FF36B3100737C9781B9C84A576745C1E6BE030DAC8803A71464AF39DB94D00253AF3E")); test_hash(&nettle_sha3_512, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("C0F7713AA021A04525F751722A9AE5C4C7934D0A286F1FB05823D86A96251C04DECD960D8D4D66E2C565E6207A49612E1EFDE386536854B6AB9A4807B0A145BE")); test_hash(&nettle_sha3_512, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("FE1CB67D77FB463F77747FED292A989A341044A8B65FA1DF1441AA41A5C795916626E0E479FD0BA7F9B1DC15FED245B99598D35359834E8FD25CF19685219BE2")); test_hash(&nettle_sha3_512, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("4043CDD3F0EA793E49A8EC382F8071F6020B529CF8C82E969429117B362129B7689D3F1EA7FF77EE50263CECDAC5A43AA2AEE97CF3E665CCF535F6DE65AD0100")); test_hash(&nettle_sha3_512, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("7392BD445F58CD5D7D3CA98579CBAA9A9437D0C95E7932B4004117F207F8AA39156BC42537B0C790150D443C2D68C2C43E362DF9D019601797162E63076936C3")); test_hash(&nettle_sha3_512, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("9FF0F0D70CA076CA44C353A3C678C2095C89F619BB53EC9CB4888E2F14E50FBC146A7B521356369F1B9D5665836E45D5400F9856CC6DA3B3AFE6F3B0471FC9C6")); test_hash(&nettle_sha3_512, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("A981FAA9D3CAC492B2FA078D1158F81248DF8DB36ACBD5BAD3A6C633BBE500EB481D2937BEEE9A76C84EDCDFA0F997EDCE708F07851422A7597E2463FC1912CD")); test_hash(&nettle_sha3_512, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("89025C13BC6B61A1BFADB1D37D676E49E6754E9DFC00D52C5EF13BA57C845D14AC75D5AE6F06714028103C3424717F4C2FBF6D88D055690987620AC5B440576A")); test_hash(&nettle_sha3_512, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("1545D8334836F7436F77F21532F5D3058E351DB8357EFC1E089583A0C40AD3A6AF5F2FEE793D3FE1B4721F6817A373499B20912A35C4609FA9D84BD274E978FC")); test_hash(&nettle_sha3_512, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("AFAF201BA353316C1A7B810F120CFF941BB658B0763EEF59433403D8313B8F00BF18177898AE71907D3B524E68BB028EA1442866856111B12089BCBED177FD46")); test_hash(&nettle_sha3_512, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("3FB4F21A231973D2247F206D47B19EE1551647FD4D4F21FBCD6F653577C1AC69EAE4DB432C0234ACBE17B2CED0238A56ACC34D7BB82FBC190903035B7C538857")); test_hash(&nettle_sha3_512, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("0B1C53E68667314B5F3F0F30E25C622B1A86D10701D4A0473FD40F22C50ACB47D63EAFA582A2FBE5453A3F73BFBCA923680F4C2C7F99C98388C07DDD7AFF2C6E")); test_hash(&nettle_sha3_512, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("D836D0CE3A28AD71C3A876796BF65AAB838D84E4802ED49AC04484AE06AA08ED31DEB5C38C1022F0ACEED49CB58E38D3AAB09EFECED9349FDC33379251259826")); test_hash(&nettle_sha3_512, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("61B8A7520DAB4D395044B1A9CCC4F5263EDAE0325767E3D2A0EF225933A81F7E3796280870DBDAB8457D585C4106315B537653DC3D77E915100F421DB39F43B3")); test_hash(&nettle_sha3_512, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("B847B292818E800BAA415C2521A8158A6AB749934DB693D0D2E4613CDAE60BD56075CF2C29F587DC3530164190BC2C02D97CA32347FA2AA431E511BB7D1C87E8")); test_hash(&nettle_sha3_512, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("95ED6D8567774E66404FC32B7A01E1C625FC8322AB9BE0CD7C936731638B04C09748973D95665A35B218D1531411F3AA5E5C47E65D857A43783E2BD3C9D29005")); test_hash(&nettle_sha3_512, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("98350793FC1540AE72757C2D1BA0FA34DF1923C987F365752788E3C65931746C36D13FD293DB8EA1B6374872CCF74E9B0CFF67C6DEBB4263390CD96E2BDD864F")); test_hash(&nettle_sha3_512, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("C2493D60E1EFA6B472933EDE64D1F49EFF773635F66C6454E57E47935A0F4C5B94548DA5C369BDAC7146E54F017C3FD674CE32F8D95151C7CBC3E3BBA3EBE0D3")); test_hash(&nettle_sha3_512, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("70D7BA6585CD2EF91BB261025F9DCC80F8359C9DC30C7C2961F0D1F6057B9C44E3AA67A4BC00F137886E3CF1316D75F8EBF651C79DF9A99CABD0383008372016")); test_hash(&nettle_sha3_512, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("B50D0DA9B3DB1545CC1D2F35465C74D07543B3564249F12C546A08797EEA73326CE624203A3D25C92CE636BCCE86DA9CB9F39BC755EC0F39C090A0E8A72DA70B")); test_hash(&nettle_sha3_512, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("83752A88C915D4193296725DECC50C9C05D25D6BBD9AF2E0EF06286ECFEE961DE959BEDBB130704D432C2BC89930208F450E0A022661724043D268CB24E7FC47")); test_hash(&nettle_sha3_512, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("7288424BA855A76C7480B606F8F32E94396799BAB8BB3FC8FD21D180966C64971071E2645622524EC7D1645EEA7B7C1FA21F7F5B6B90F3E5BEB99222F05EA905")); test_hash(&nettle_sha3_512, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("E9399376D89C4DD4464E45825F4302CDCCD4C41DB4E8951BE17BCC6451858332398B7E4E7F5EEE6830C715451E4AACDB179DD5247BA6D5728CBD4060AEB77CB9")); test_hash(&nettle_sha3_512, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("CCEA447EFE6F8B06AC42076280377635F5FD0767F4AF8B245FE63B79FE4974E9156744E60E98D12018214C39F8A826D506D0D5948645E9F883C208D37D927A41")); test_hash(&nettle_sha3_512, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("7E03FCE3B67EBB28308823F56AA93DBB4D9EFDBD93300D97B1F99EFCB82C3684C5A5A5AA64E7A34C69B89399CAB05F22E8E88607B863336E4CBF8CF6E74B98C1")); test_hash(&nettle_sha3_512, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("6A457AE74F89C42BBD2BD2EBFFFBD71F036FF7B76C4AFDDFFBD52F32E588A9543CED09DA9A3E130AC1A19EF1ACB2FA68AC41917ED6BAD37A60982B16B5EB4FF3")); test_hash(&nettle_sha3_512, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("91B8CD795D1A6828601E00DB0C91FF9A6F837444F53FCF89E990B88F5F3E34EB490E72A1795FAB84F78DA3F7AFC89896C7CDE5865D1BCD74D5639E4903C683FE")); test_hash(&nettle_sha3_512, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("7635D79C1B32E4934EB0090C6D46C0B240F626C77D84F8EABF571BA8FDE924F4A1CF456704B101F667F912DEDBBCBEFF2180A419A68C7B790BA606E6602D5115")); test_hash(&nettle_sha3_512, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("DDD0C521ED60C55F65BAE241A9072D7F6F6CCA7F64624EC92C037BF8BC16F0602E75EE46879AF41F3EFF5CE235905F3856A031C3CC90A4851F4CD8463AAE6DE8")); test_hash(&nettle_sha3_512, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("C84C03564D024F90560001CA4CEF867AF77999943E313CA17328756C43D2FE31CF98812D3A7AAB1535C28ED29D692DB4824E8D6DCE06C9994DBCBE0F82633FBE")); test_hash(&nettle_sha3_512, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("B4563191675191ED4D6107E52FA15ADC9D70642358D8C3E34DF10274E25D373FD8D19E92472B823E28BBDD1D541A95FDDD0D43C79FCB3BA18A7EC038D3EF69A6")); test_hash(&nettle_sha3_512, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("A30BD80CB3ACB3BFA7E037A3D0D2500974D71957F68135133020C32EB4D688F132D0FB045BE027F124B3D935CB889E3CBC4A4A420026BB2AC2A4B1B15C57BB64")); test_hash(&nettle_sha3_512, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("4A5809E457F54D9C7E8209F6C482D52A4EFE6D8A20C4C6FBA83687294929232D25CD7BF511D8E6FBF272E983F07D044F8723098D7A381F04E957B0787087EF02")); test_hash(&nettle_sha3_512, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("A79016C34BEE41AB5CB10278478A5B55D07C2E0831835DDE6F8FF8DAFAC37A5F88FBA07CCEFFE35849DBD123B06DF2335B002645D078FE1B08843C257A1BBE56")); test_hash(&nettle_sha3_512, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("603F7B09565634D4410B574A4DC9EA467437964517E5EFA51A362A30E8C632C55162A3351BB5532E40948AA9A1E3A8786C0422AEC3EC338C7F4B57679200452B")); test_hash(&nettle_sha3_512, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("1018692D530C55BAA580AE1E7384351100D4637CD33869C71E6076A3D4E310D964B81D593E89718845AC7A89E8AD5073506427C6C8F7FADFA0C5DC3CFAA5D924")); test_hash(&nettle_sha3_512, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("E3C0EAFFC3567BD72CC02150A75F32DDE53DE2652C5313EB3E97018ADDDF629DA01D97D0A9E2519451A7292F5DE00EE4456FE6E4F14F96D5DE7E6F174EDB28C4")); test_hash(&nettle_sha3_512, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("192AE7A0F7A816FD3D4020BDDCF2AAF52A64E6384DCA527F33AF4EE69099DCA97B890A99CFAB9D904A35F2707856696C30C6432DF70A6CEF704BB268055A6D07")); test_hash(&nettle_sha3_512, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("6BCD7E7C359FDD93A56D79F97FC2D534619F14FE443AC8C9E042C5105FBAF2777718DE07424A62333FFD43A501A8544449A7CAC3C8D821E380B0CB8172B9493B")); test_hash(&nettle_sha3_512, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("1FCD1E38AB03C750366CF86DD72EC3BF22F5BBF7FEA0149D31B6A67B68B537B59BA37917FD88CED9AA8D2941A65F552B7928B3785C66D640F3B74AF039ED18CE")); test_hash(&nettle_sha3_512, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("F39EF0626D3FBD9CD435A93E7EEE41E4A2FF5362F56C988B20870A3BEFA50470DC5FABE39895C0761289FAFD9147ABAB02561F300D0CEB9A732E14CA887CAF18")); test_hash(&nettle_sha3_512, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("81E8B59DDCD24811B405F7529DA125F0DC19AE21E8795CE9E6692DAB645B7959446ADCAA3061DC4642A51D8A562EFB03A7680AF0F52C01406D5C213EAAC6BE55")); test_hash(&nettle_sha3_512, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("63424B09069FBD2D0FAC00805AAD07FD56E30BB8116B5476AE90BF6ACEC84C3B45368A9EBB7FCEA8D65965F52514A2A59A06E6E06B07DC6AEE7F756BFC188E25")); test_hash(&nettle_sha3_512, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("1E709FB3501FA818F57E70C365DB45CCF2EB8A8FA66DE9B5F211D6F0CC9722ADE963C965AD5F6937BA62EDC2D8983843E0F3679D9C97B30CD54F2409DDA5F474")); test_hash(&nettle_sha3_512, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("5B9F0C544627FAADEA82825A569DA33A75C5DA6CC169926DE0556A737E4DAA07ABF1DC3DB0704F5D67FCBC4CB62AAC442ECEC867A2C16846F1D53D205CB872AC")); test_hash(&nettle_sha3_512, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("930AB42A9F5F5BC5F2222C748F2478A00F40C3B6D6487D6D7ED0D71100F40FCBB2C66566EA26AD0A417629F5A61DCA411CCD21F7367D308F3B1B24901824FA9B")); test_hash(&nettle_sha3_512, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("08203943C58210D3F82758272BEFBB9234FE913409A07944645959B1A6AF2F4363ABD7451232623DAA8E65C87F34939C140608950FBDBBE83D66407944F5423A")); test_hash(&nettle_sha3_512, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("A24DD6A50333F289C175CD4EC185DA9906E38C287A339DC4DEFAFD71B2EA32A6F6AEFE758E25FC8F043E806F1B2EE019E13B85536CD3EFAA2A9B5994FCAE4788")); test_hash(&nettle_sha3_512, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("CD1ED5FFF6FA3D453872510B6B2712EC9C6EBA9543734D88511ED475905E123ED6EF6624F220445FE89C257A9F9C5166A2772EF768B50E9290FB1D4761ECA6C8")); test_hash(&nettle_sha3_512, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("CFAA0EB1C9F02C0469EEFB31A1A53CA1A4765F78EC171CF15DA7D5C512817B8BF7D7CD7B1416B3DE2BBA05EDFB0B493495AC2107A4B686D5DD8D6AD41B4AA3D7")); test_hash(&nettle_sha3_512, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("2BE71EE9ACE2DBCFD43D6D020C07244554DAC8A2CF1571D0FA1D004933739E8978323056797E04C333F5BF187E64F1D881E502672567F204DE0E73CE26E7190D")); test_hash(&nettle_sha3_512, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("6E8B8BD195BDD560689AF2348BDC74AB7CD05ED8B9A57711E9BE71E9726FDA4591FEE12205EDACAF82FFBBAF16DFF9E702A708862080166C2FF6BA379BC7FFC2")); } nettle-3.10/testsuite/serpent-test.c0000644000175000017500000002601214633602172016613 0ustar nissenisse#include "testutils.h" #include "serpent.h" static const struct tstring * tstring_hex_reverse (const char *hex) { struct tstring *s = tstring_hex (hex); uint8_t *p; size_t length, i; length = s->length; p = s->data; for (i = 0; i < (length+1)/2; i++) { uint8_t t = p[i]; p[i] = p[length - 1 - i]; p[length - 1 - i] = t; } return s; } #define RHEX(x) tstring_hex_reverse(x) /* For testing unusual key sizes. */ static void test_serpent(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct serpent_ctx ctx; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; serpent_set_key(&ctx, key->length, key->data); serpent_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } serpent_set_key(&ctx, key->length, key->data); serpent_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { /* From libgcrypt */ test_cipher(&nettle_serpent128, SHEX("0000000000000000 0000000000000000"), SHEX("D29D576FCEA3A3A7 ED9099F29273D78E"), SHEX("B2288B968AE8B086 48D1CE9606FD992D")); test_cipher(&nettle_serpent192, SHEX("0000000000000000 0000000000000000 0000000000000000"), SHEX("D29D576FCEABA3A7 ED9899F2927BD78E"), SHEX("130E353E1037C224 05E8FAEFB2C3C3E9")); test_cipher(&nettle_serpent256, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("D095576FCEA3E3A7 ED98D9F29073D78E"), SHEX("B90EE5862DE69168 F2BDD5125B45472B")); test_cipher(&nettle_serpent256, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("2061A42782BD52EC 691EC383B03BA77C")); /* The first test for each key size from the ecb_vk.txt and ecb_vt.txt * files in the serpent package. */ /* NOTE: These vectors uses strange byte-reversed order of inputs and outputs. */ /* 128 bit key */ /* vk, 1 */ test_cipher(&nettle_serpent128, RHEX("8000000000000000 0000000000000000"), RHEX("0000000000000000 0000000000000000"), RHEX("49AFBFAD9D5A3405 2CD8FFA5986BD2DD")); /* vt, 1 */ test_cipher(&nettle_serpent128, RHEX("0000000000000000 0000000000000000"), RHEX("8000000000000000 0000000000000000"), RHEX("10B5FFB720B8CB90 02A1142B0BA2E94A")); /* 192 bit key */ /* vk, 1 */ test_cipher(&nettle_serpent192, RHEX("8000000000000000 0000000000000000" "0000000000000000"), RHEX("0000000000000000 0000000000000000"), RHEX("E78E5402C7195568 AC3678F7A3F60C66")); /* vt, 1 */ test_cipher(&nettle_serpent192, RHEX("0000000000000000 0000000000000000" "0000000000000000"), RHEX("8000000000000000 0000000000000000"), RHEX("B10B271BA25257E1 294F2B51F076D0D9")); /* 256 bit key */ /* vk, 1 */ test_cipher(&nettle_serpent256, RHEX("8000000000000000 0000000000000000" "0000000000000000 0000000000000000"), RHEX("0000000000000000 0000000000000000"), RHEX("ABED96E766BF28CB C0EBD21A82EF0819")); /* vt, 1 */ test_cipher(&nettle_serpent256, RHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), RHEX("8000000000000000 0000000000000000"), RHEX("DA5A7992B1B4AE6F 8C004BC8A7DE5520")); /* Test vectors from http://www.cs.technion.ac.il/~biham/Reports/Serpent/ */ /* serpent128 */ /* Set 4, vector# 0 */ test_cipher(&nettle_serpent128, SHEX("000102030405060708090A0B0C0D0E0F"), SHEX("00112233445566778899AABBCCDDEEFF"), SHEX("563E2CF8740A27C164804560391E9B27")); /* Set 4, vector# 1 */ test_cipher(&nettle_serpent128, SHEX("2BD6459F82C5B300952C49104881FF48"), SHEX("EA024714AD5C4D84EA024714AD5C4D84"), SHEX("92D7F8EF2C36C53409F275902F06539F")); /* serpent192 */ /* Set 4, vector# 0 */ test_cipher(&nettle_serpent192, SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), SHEX("00112233445566778899AABBCCDDEEFF"), SHEX("6AB816C82DE53B93005008AFA2246A02")); /* Set 4, vector# 1 */ test_cipher(&nettle_serpent192, SHEX("2BD6459F82C5B300952C49104881FF482BD6459F82C5B300"), SHEX("EA024714AD5C4D84EA024714AD5C4D84"), SHEX("827B18C2678A239DFC5512842000E204")); /* serpent256 */ /* Set 4, vector# 0 */ test_cipher(&nettle_serpent256, SHEX("000102030405060708090A0B0C0D0E0F" "101112131415161718191A1B1C1D1E1F"), SHEX("00112233445566778899AABBCCDDEEFF"), SHEX("2868B7A2D28ECD5E4FDEFAC3C4330074")); /* Set 4, vector# 1 */ test_cipher(&nettle_serpent256, SHEX("2BD6459F82C5B300952C49104881FF48" "2BD6459F82C5B300952C49104881FF48"), SHEX("EA024714AD5C4D84EA024714AD5C4D84"), SHEX("3E507730776B93FDEA661235E1DD99F0")); /* Test key padding. We use nettle_serpent256, which actually works also with key sizes smaller than 32 bytes. */ test_cipher(&nettle_serpent256, SHEX("00112233440100000000000000000000" "00000000000000000000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("C1415AC653FD7C7F D917482EE8EBFE25")); /* Tests with various key sizes. Currrently, key sizes smaller than SERPENT_MIN_KEY_SIZE bytes (128 bits) are not publicly supported. */ test_serpent(SHEX("0011223344"), SHEX("0000000001000000 0200000003000000"), SHEX("C1415AC653FD7C7F D917482EE8EBFE25")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "00010000000000000000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("8EB9C958EAFFDF42 009755D7B6458838")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "00"), SHEX("0000000001000000 0200000003000000"), SHEX("8EB9C958EAFFDF42 009755D7B6458838")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "00112201000000000000000000000000"), SHEX("0000000001000000 0200000003000000"), SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); test_serpent(SHEX("00112233445566778899aabbccddeeff" "001122"), SHEX("0000000001000000 0200000003000000"), SHEX("C8A078D8212AC96D 9060E30EC5CBB5C7")); /* Test with multiple blocks. */ test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2"), SHEX("b3d488986c80dea7 c5ebdab4907871c9")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03")); test_cipher(&nettle_serpent128, SHEX("91c8e949e12f0e38 7b2473238a3df1b6"), SHEX("00000000 00000001 00000002 00000003" "00000004 00000005 00000006 00000007" "00000008 00000009 0000000a 0000000b" "0000000c 0000000d 0000000e 0000000f"), SHEX("2db9f0a39d4f31a4 b1a83cd1032fe1bd" "3606caa84a220b1b f6f43ff80a831203" "8c6c8d2793dc10b3 904d30e194f086a6" "b2f3e932b9b3f8d1 d4d074f7bd1ff7a3")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266" "b7a2efda5721776f 4113d63a702ac3ae"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f" "006b89e494469adf 0ee78c60684dff86")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266" "b7a2efda5721776f 4113d63a702ac3ae" "cd1be7bbfad74819 644617f8656e9e5b"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f" "006b89e494469adf 0ee78c60684dff86" "5f2c99908ee77ffe aea3d30cb78a1ce1")); test_cipher(&nettle_serpent128, SHEX("e87450aa0fd87293fd0371483a459bd2"), SHEX("a78a7a8d392f629d bd13674c8dce6fa2" "930c74dec02a11d8 c80d90b5e5c887a7" "83c92a921b5b2028 d9cb313a5f07ab09" "672eadf1624a2ed0 c42d1b08b076f75a" "7378272aa57ad7c8 803e326689541266" "b7a2efda5721776f 4113d63a702ac3ae" "cd1be7bbfad74819 644617f8656e9e5b" "34d449409c1f850a 4cb6700d6ef3405f"), SHEX("b3d488986c80dea7 c5ebdab4907871c9" "a4b92b13b79afb37 5518b01bfd706a37" "8e44c2d463df4531 165461699edbad03" "30ac8c52697102ae 3b725dba79ceb250" "d308b83478e86dbb 629f18736cca042f" "006b89e494469adf 0ee78c60684dff86" "5f2c99908ee77ffe aea3d30cb78a1ce1" "ebe855dd51532477 4d2d55969e032e6c")); } nettle-3.10/testsuite/memxor-test.c0000644000175000017500000001353014633602172016443 0ustar nissenisse#include "testutils.h" #include "memxor.h" #define MAX_SIZE 256 #define ALIGN_SIZE 16 #if HAVE_VALGRIND_MEMCHECK_H # include # define ROUND_DOWN(x) ((x) & (-ALIGN_SIZE)) # define ROUND_UP(x) ROUND_DOWN((x)+(ALIGN_SIZE-1)) enum mark_type { MARK_SRC, MARK_DST }; static void test_mark (enum mark_type type, const uint8_t *block, size_t block_size, const uint8_t *p, size_t size) { VALGRIND_MAKE_MEM_NOACCESS(block, p - block); if (type == MARK_DST) VALGRIND_MAKE_MEM_UNDEFINED(p, size); VALGRIND_MAKE_MEM_NOACCESS(p + size, (block + block_size) - (p + size)); } #define test_unmark(block, size) \ VALGRIND_MAKE_MEM_DEFINED((block), (size)) #else # define test_mark(type, block, block_size, start, size) # define test_unmark(block, size) #endif static uint8_t * set_align(uint8_t *buf, unsigned align) { unsigned offset; /* An extra redzone char at the beginning */ buf++; offset = (uintptr_t) (buf) % ALIGN_SIZE; if (offset < align) buf += (align - offset); else if (offset > align) buf += (align + ALIGN_SIZE - offset); return buf; } static void test_memxor (const uint8_t *a, const uint8_t *b, const uint8_t *c, size_t size, unsigned align_dst, unsigned align_src) { uint8_t dst_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t src_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t *dst = set_align (dst_buf, align_dst); uint8_t *src = set_align (src_buf, align_src); if (verbose) fprintf(stderr, "size = %d, align_dst = %d, align_src = %d\n", (int) size, align_dst, align_src); memcpy (dst, a, size); dst[-1] = 17; dst[size] = 17; memcpy (src, b, size); test_mark (MARK_SRC, src_buf, sizeof (src_buf), src, size); test_mark (MARK_SRC, dst_buf, sizeof (dst_buf), dst, size); memxor (dst, src, size); ASSERT (MEMEQ (size, dst, c)); test_unmark(src_buf, sizeof (src_buf)); test_unmark(dst_buf, sizeof (src_buf)); ASSERT (dst[-1] == 17); ASSERT (dst[size] == 17); } static void test_memxor3 (const uint8_t *ain, const uint8_t *bin, const uint8_t *c, size_t size, unsigned align_dst, unsigned align_a, unsigned align_b) { uint8_t dst_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t a_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t b_buf[MAX_SIZE + ALIGN_SIZE + 1]; uint8_t *dst = set_align (dst_buf, align_dst); uint8_t *a = set_align (a_buf, align_a); uint8_t *b = set_align (b_buf, align_b); if (verbose) fprintf(stderr, "size = %d, align_dst = %d, align_a = %d, align_b = %d\n", (int) size, align_dst, align_a, align_b); memset (dst, 0, size); dst[-1] = 17; dst[size] = 17; memcpy (a, ain, size); memcpy (b, bin, size); test_mark (MARK_SRC, a_buf, sizeof(a_buf), a, size); test_mark (MARK_SRC, b_buf, sizeof(b_buf), b, size); test_mark (MARK_DST, dst_buf, sizeof(dst_buf), dst, size); memxor3 (dst, a, b, size); ASSERT (MEMEQ (size, dst, c)); test_unmark (a_buf, sizeof(a_buf)); test_unmark (b_buf, sizeof(b_buf)); test_unmark (dst_buf, sizeof(dst_buf)); ASSERT (dst[-1] == 17); ASSERT (dst[size] == 17); } void test_main(void) { const uint8_t *a = H("ecc8737f 38f2f9e8 86b9d84c 42a9c7ef" "27a50860 49c6be97 c5cc6c35 3981b367" "f8b4397b 951e3b2f 35749fe1 25884fa6" "9361c97a ab1c6cce 494efb5a 1f108411" "21dc6386 e81b2410 2f04c29d e0ca1135" "c9f96f2e bb5b2e2d 8cb45df9 50c4755a" "362b7ead 4b930010 cbc69834 66221ba8" "c0b8d7ac 7ec3b700 6bdb1a3b 599f3e76" "a7e66a29 ee1fb98c 60a66c9e 0a1d9c49" "6367afc7 362d6ae1 f8799443 17e2b1a1" "ff1cc03c 9e2728ca a1f6598f 5a61bd56" "0826effc f3499da7 119249b6 fd643cd4" "2e7c74b0 f775fda4 a5617138 1e8520bf" "f17de57a decc36b6 9eceee6e d448f592" "be77a67a 1b91a5b3 62fab868 dcb046f6" "394b5335 b2eaa351 fc4456e4 35bb9c54"); const uint8_t *b = H("cac458ad fe87e226 6cb0ce3d cfa5cb3b" "963d0034 5811bb9e acf4675b 7464f800" "4b1bcff2 b2fa5dd0 0576aea6 888b8150" "bcba48f1 49bc33d2 e138b0d0 a29b486e" "f7e143c6 f9959596 6aaa4493 b0bea6f8" "1d778513 a3bfec7e 70cfe6a7 e31ad041" "5fe3371b 63aba991 dab9a3db 66310ebc" "24c2765d a722a131 2fc4d366 1f2e3388" "7e5b26d5 7b34bf4c 655d19da d1335362" "2fbc0d5d cc68c811 ef735c20 352986ef" "f47ac5c9 afa77f5a 20da6dd3 eb9dfb34" "0cdbf792 caf0d633 61d908da a4c0f2a9" "be7a573e 3b8d161c 47fc19be e47d7edc" "e5f00dae f64cbbb4 a081e1f0 381833d8" "30d302ff eed61887 3390d6b2 0048ac32" "9c6b2981 a224dcc1 6b1feebe 15834b1a"); const uint8_t *c = H("260c2bd2 c6751bce ea091671 8d0c0cd4" "b1980854 11d70509 69380b6e 4de54b67" "b3aff689 27e466ff 30023147 ad03cef6" "2fdb818b e2a05f1c a8764b8a bd8bcc7f" "d63d2040 118eb186 45ae860e 5074b7cd" "d48eea3d 18e4c253 fc7bbb5e b3dea51b" "69c849b6 2838a981 117f3bef 00131514" "e47aa1f1 d9e11631 441fc95d 46b10dfe" "d9bd4cfc 952b06c0 05fb7544 db2ecf2b" "4cdba29a fa45a2f0 170ac863 22cb374e" "0b6605f5 31805790 812c345c b1fc4662" "04fd186e 39b94b94 704b416c 59a4ce7d" "9006238e ccf8ebb8 e29d6886 faf85e63" "148de8d4 28808d02 3e4f0f9e ec50c64a" "8ea4a485 f547bd34 516a6eda dcf8eac4" "a5207ab4 10ce7f90 975bb85a 2038d74e"); const int size[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 23, 24, 25, 30, 31, 32, 33, 34, 35, 36, 37, 250, 251, 252, 253,254, 255, 256, -1 }; unsigned i, align_dst, align_a, align_b; for (i = 0; size[i] >= 0; i++) for (align_dst = 0; align_dst < ALIGN_SIZE; align_dst++) for (align_a = 0; align_a < ALIGN_SIZE; align_a++) { test_memxor (a, b, c, size[i], align_dst, align_a); for (align_b = 0; align_b < ALIGN_SIZE; align_b++) test_memxor3 (a, b, c, size[i], align_dst, align_a, align_b); } } nettle-3.10/testsuite/Makefile.in0000644000175000017500000001341414633602172016061 0ustar nissenisse@SET_MAKE@ srcdir = @srcdir@ VPATH = @srcdir@ top_srcdir = @top_srcdir@ include ../config.make PRE_CPPFLAGS = -I.. -I$(top_srcdir) PRE_LDFLAGS = -L.. TS_NETTLE_SOURCES = aes-test.c aes-keywrap-test.c arcfour-test.c arctwo-test.c \ balloon-test.c blowfish-test.c bcrypt-test.c cast128-test.c \ base16-test.c base64-test.c \ camellia-test.c chacha-test.c \ cnd-memcpy-test.c \ des-test.c des3-test.c \ md2-test.c md4-test.c md5-test.c md5-compat-test.c \ memeql-test.c memxor-test.c gosthash94-test.c \ ripemd160-test.c hkdf-test.c \ salsa20-test.c \ sha1-test.c sha224-test.c sha256-test.c \ sha384-test.c sha512-test.c sha512-224-test.c sha512-256-test.c \ sha3-permute-test.c sha3-224-test.c sha3-256-test.c \ sha3-384-test.c sha3-512-test.c \ shake128-test.c shake256-test.c \ streebog-test.c sm3-test.c sm4-test.c \ serpent-test.c twofish-test.c version-test.c \ knuth-lfib-test.c \ cbc-test.c cfb-test.c ctr-test.c gcm-test.c eax-test.c ccm-test.c \ cmac-test.c ocb-test.c siv-cmac-test.c siv-gcm-test.c \ poly1305-test.c chacha-poly1305-test.c \ hmac-test.c umac-test.c \ meta-hash-test.c meta-cipher-test.c\ meta-aead-test.c meta-armor-test.c meta-mac-test.c \ buffer-test.c yarrow-test.c xts-test.c pbkdf2-test.c \ x86-ibt-test.c drbg-ctr-aes256-test.c TS_HOGWEED_SOURCES = sexp-test.c sexp-format-test.c \ rsa2sexp-test.c sexp2rsa-test.c \ bignum-test.c random-prime-test.c \ pkcs1-test.c pkcs1-sec-decrypt-test.c \ pss-test.c rsa-sign-tr-test.c \ pss-mgf1-test.c rsa-pss-sign-tr-test.c \ rsa-test.c rsa-encrypt-test.c rsa-keygen-test.c \ rsa-oaep-encrypt-test.c \ rsa-sec-decrypt-test.c \ rsa-compute-root-test.c \ dsa-test.c dsa-keygen-test.c \ curve25519-dh-test.c curve448-dh-test.c \ ecc-mod-arith-test.c ecc-mod-test.c ecc-modinv-test.c \ ecc-redc-test.c ecc-sqrt-test.c \ ecc-dup-test.c ecc-add-test.c \ ecc-mul-g-test.c ecc-mul-a-test.c \ ecdsa-sign-test.c ecdsa-verify-test.c \ ecdsa-keygen-test.c ecdh-test.c \ eddsa-compress-test.c eddsa-sign-test.c \ eddsa-verify-test.c ed25519-test.c ed448-test.c \ gostdsa-sign-test.c gostdsa-verify-test.c \ gostdsa-keygen-test.c gostdsa-vko-test.c TS_SOURCES = $(TS_NETTLE_SOURCES) $(TS_HOGWEED_SOURCES) CXX_SOURCES = cxx-test.cxx TS_NETTLE = $(TS_NETTLE_SOURCES:.c=$(EXEEXT)) TS_HOGWEED = $(TS_HOGWEED_SOURCES:.c=$(EXEEXT)) TS_C = $(TS_NETTLE) @IF_HOGWEED@ $(TS_HOGWEED) TS_CXX = @IF_CXX@ $(CXX_SOURCES:.cxx=$(EXEEXT)) TARGETS = $(TS_C) $(TS_CXX) TS_SC_HOGWEED = sc-pkcs1-sec-decrypt-test sc-rsa-sec-decrypt-test \ sc-rsa-oaep-encrypt-test \ sc-ecdsa-sign-test sc-curve25519-dh-test sc-curve448-dh-test \ sc-ed25519-test sc-ed448-test TS_SC_NETTLE = sc-cnd-memcpy-test sc-gcm-test sc-memeql-test TS_SC = @IF_VALGRIND@ $(TS_SC_NETTLE) @IF_HOGWEED@ $(TS_SC_HOGWEED) TS_SH = symbols-test TS_ALL = $(TARGETS) $(TS_SH) $(TS_SC) @IF_DLOPEN_TEST@ dlopen-test$(EXEEXT) TS_FAT = $(patsubst %, %$(EXEEXT), aes-test cbc-test \ chacha-test salsa20-test memxor-test \ sha1-test sha256-test sha512-test sha3-permute-test sha3-512-test \ umac-test gcm-test siv-gcm-test) EXTRA_SOURCES = sha1-huge-test.c EXTRA_TARGETS = $(EXTRA_SOURCES:.c=$(EXEEXT)) # Includes all C source files, regardless of configuration SOURCES = $(TS_SOURCES) $(EXTRA_SOURCES) testutils.c dlopen-test.c DISTFILES = $(SOURCES) $(CXX_SOURCES) Makefile.in \ $(TS_SH) $(TS_SC_NETTLE) $(TS_SC_HOGWEED) sc-valgrind.sh gold-bug.txt testutils.h sha3.awk all: $(EXTRA_TARGETS) %.$(OBJEXT): %.c $(COMPILE) -c $< && $(DEP_PROCESS) %.$(OBJEXT): %.cxx $(COMPILE_CXX) -c $< && $(DEP_PROCESS) # BSD (and Solaris) make doesn't allow extra dependencies together one # single-suffix rules, which makes it impossible or almost impossible # to use suffix rules to build the test executables. So we use an # explicit rule for each and every executable. TEST_OBJS = testutils.$(OBJEXT) ../non-nettle.$(OBJEXT) LIB_HOGWEED = @IF_HOGWEED@ -lhogweed TEST_LIBS = $(LIB_HOGWEED) -lnettle $(LIBS) ../non-nettle.$(OBJEXT): ( cd .. && $(MAKE) non-nettle.$(OBJEXT) ) # Special target, to omit linking with libnettle dlopen-test$(EXEEXT): dlopen-test.$(OBJEXT) testutils.$(OBJEXT) $(LINK) dlopen-test.$(OBJEXT) -ldl -o dlopen-test$(EXEEXT) # Special target, using C++ linking cxx-test$(EXEEXT): cxx-test.$(OBJEXT) $(LINK_CXX) $< $(TEST_OBJS) $(TEST_LIBS) -o $@ %$(EXEEXT): %.$(OBJEXT) $(LINK) $< $(TEST_OBJS) $(TEST_LIBS) -o $@ $(TARGETS) $(EXTRA_TARGETS): testutils.$(OBJEXT) ../non-nettle.$(OBJEXT) \ ../libnettle.stamp @IF_HOGWEED@ ../libhogweed.stamp # For use as, e.g., # # make check EMULATOR='$(VALGRIND)' # make check EMULATOR='$(VALGRIND) --log-fd=3' 3>valgrind.log # --partial-loads-ok=yes is needed for memxor's handling of unaligned # data. VALGRIND = valgrind --error-exitcode=1 --leak-check=full --show-reachable=yes @IF_ASM@ --partial-loads-ok=yes check: $(TS_ALL) $(TS_ALL:sc-%=%) TEST_SHLIB_DIR="$(TEST_SHLIB_DIR)" \ srcdir="$(srcdir)" \ EMULATOR="$(EMULATOR)" NM="$(NM)" EXEEXT="$(EXEEXT)" \ $(top_srcdir)/run-tests $(TS_ALL) Makefile: $(srcdir)/Makefile.in ../config.status cd .. && $(SHELL) ./config.status testsuite/$@ install uninstall: true distdir: $(DISTFILES) cp $? $(distdir) clean: -rm -f $(TARGETS) $(EXTRA_TARGETS) dlopen-test$(EXEEXT) \ *.$(OBJEXT) *.$(OBJEXT).d test1.out distclean: clean -rm -f Makefile *.d tags: etags -o $(srcdir)/TAGS --include $(top_srcdir) $(srcdir)/*.c $(srcdir)/*.h # Includes dependency files for everything, including objects which # the current configuration will not build. DEP_FILES = $(SOURCES:.c=.$(OBJEXT).d) $(CXX_SOURCES:.cxx=.$(OBJEXT).d) -include $(DEP_FILES) nettle-3.10/testsuite/cbc-test.c0000644000175000017500000002730614633602172015671 0ustar nissenisse#include "testutils.h" #include "aes.h" #include "cbc.h" #include "knuth-lfib.h" #include "non-nettle.h" /* Test with more data and inplace decryption, to check that the * cbc_decrypt buffering works. */ #define CBC_BULK_DATA 0x2710 /* 10000 */ static void test_cbc_bulk(void) { struct knuth_lfib_ctx random; uint8_t clear[CBC_BULK_DATA]; uint8_t cipher[CBC_BULK_DATA + 1]; const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" "743008105a08657d dcaad4128eee38b3"); const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("c7a42a569b421224 d0c23e52f46f97f5"); struct CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CBC_BULK_DATA); knuth_lfib_random(&random, CBC_BULK_DATA, clear); /* Byte that should not be overwritten */ cipher[CBC_BULK_DATA] = 17; aes256_set_encrypt_key(&aes.ctx, key); CBC_SET_IV(&aes, start_iv); CBC_ENCRYPT(&aes, aes256_encrypt, CBC_BULK_DATA, cipher, clear); ASSERT(cipher[CBC_BULK_DATA] == 17); if (verbose) { printf("IV after bulk encryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ aes256_set_decrypt_key(&aes.ctx, key); CBC_SET_IV(&aes, start_iv); CBC_DECRYPT(&aes, aes256_decrypt, CBC_BULK_DATA, cipher, cipher); ASSERT(cipher[CBC_BULK_DATA] == 17); if (verbose) { printf("IV after bulk decryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); ASSERT (MEMEQ(CBC_BULK_DATA, clear, cipher)); } void test_main(void) { /* Intermediate values: * iv XOR first message block: * "a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37" * First ciphertext block, c1: * "1f 94 fc 85 f2 36 21 06 4a ea e3 c9 cc 38 01 0e" * c1 XOR second message block: * "3f e0 94 ec 81 16 4e 68 26 93 c3 a6 a2 5b 64 2f" * Second ciphertext block, c1: * "7b f6 5f c5 02 59 2e 71 af bf 34 87 c0 36 2a 16" */ test_cipher_cbc(&nettle_aes256, SHEX("8d ae 93 ff fc 78 c9 44" "2a bd 0c 1e 68 bc a6 c7" "05 c7 84 e3 5a a9 11 8b" "d3 16 aa 54 9b 44 08 9e"), SDATA("Listen, I'll say this only once!"), SHEX("1f 94 fc 85 f2 36 21 06" "4a ea e3 c9 cc 38 01 0e" "7b f6 5f c5 02 59 2e 71" "af bf 34 87 c0 36 2a 16"), SHEX("e9 a7 26 a0 44 7b 8d e6 03 83 60 de ea d5 b0 4e")); /* From NIST spec 800-38a on AES modes. * * F.2 CBC Example Vectors * F.2.1 CBC-AES128.Encrypt */ /* Intermediate values, blocks input to AES: * * 6bc0bce12a459991e134741a7f9e1925 * d86421fb9f1a1eda505ee1375746972c * 604ed7ddf32efdff7020d0238b7c2a5d * 8521f2fd3c8eef2cdc3da7e5c44ea206 */ test_cipher_cbc(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("7649abac8119b246cee98e9b12e9197d" "5086cb9b507219ee95db113a917678b2" "73bed6b8e3c1743b7116e69e22229516" "3ff1caa1681fac09120eca307586e1a7"), SHEX("000102030405060708090a0b0c0d0e0f")); test_aead(&nettle_cbc_aes128, NULL, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), NULL, SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("7649abac8119b246cee98e9b12e9197d" "5086cb9b507219ee95db113a917678b2" "73bed6b8e3c1743b7116e69e22229516" "3ff1caa1681fac09120eca307586e1a7"), SHEX("000102030405060708090a0b0c0d0e0f"), NULL); /* F.2.3 CBC-AES192.Encrypt */ /* Intermediate values, blcoks input to AES: * * 6bc0bce12a459991e134741a7f9e1925 * e12f97e55dbfcfa1efcf7796da0fffb9 * 8411b1ef0e2109e5001cf96f256346b5 * a1840065cdb4e1f7d282fbd7db9d35f0 */ test_cipher_cbc(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("4f021db243bc633d7178183a9fa071e8" "b4d9ada9ad7dedf4e5e738763f69145a" "571b242012fb7ae07fa9baac3df102e0" "08b0e27988598881d920a9e64f5615cd"), SHEX("000102030405060708090a0b0c0d0e0f")); test_aead(&nettle_cbc_aes192, NULL, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), NULL, SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("4f021db243bc633d7178183a9fa071e8" "b4d9ada9ad7dedf4e5e738763f69145a" "571b242012fb7ae07fa9baac3df102e0" "08b0e27988598881d920a9e64f5615cd"), SHEX("000102030405060708090a0b0c0d0e0f"), NULL); /* F.2.5 CBC-AES256.Encrypt */ /* Intermediate values, blcoks input to AES: * * 6bc0bce12a459991e134741a7f9e1925 * 5ba1c653c8e65d26e929c4571ad47587 * ac3452d0dd87649c8264b662dc7a7e92 * cf6d172c769621d8081ba318e24f2371 */ test_cipher_cbc(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("f58c4c04d6e5f1ba779eabfb5f7bfbd6" "9cfc4e967edb808d679f777bc6702c7d" "39f23369a9d9bacfa530e26304231461" "b2eb05e2c39be9fcda6c19078c6a9d1b"), SHEX("000102030405060708090a0b0c0d0e0f")); test_aead(&nettle_cbc_aes256, NULL, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), NULL, SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("f58c4c04d6e5f1ba779eabfb5f7bfbd6" "9cfc4e967edb808d679f777bc6702c7d" "39f23369a9d9bacfa530e26304231461" "b2eb05e2c39be9fcda6c19078c6a9d1b"), SHEX("000102030405060708090a0b0c0d0e0f"), NULL); test_cbc_bulk(); } /* IV 000102030405060708090a0b0c0d0e0f Block #1 Plaintext 6bc1bee22e409f96e93d7e117393172a Input Block 6bc0bce12a459991e134741a7f9e1925 Output Block 7649abac8119b246cee98e9b12e9197d Ciphertext 7649abac8119b246cee98e9b12e9197d Block #2 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Input Block d86421fb9f1a1eda505ee1375746972c Output Block 5086cb9b507219ee95db113a917678b2 Ciphertext 5086cb9b507219ee95db113a917678b2 Block #3 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Input Block 604ed7ddf32efdff7020d0238b7c2a5d Output Block 73bed6b8e3c1743b7116e69e22229516 Ciphertext 73bed6b8e3c1743b7116e69e22229516 Block #4 Plaintext f69f2445df4f9b17ad2b417be66c3710 Input Block 8521f2fd3c8eef2cdc3da7e5c44ea206 Output Block 3ff1caa1681fac09120eca307586e1a7 Ciphertext 3ff1caa1681fac09120eca307586e1a7 F.2.2 CBC-AES128.Decrypt Key 2b7e151628aed2a6abf7158809cf4f3c IV 000102030405060708090a0b0c0d0e0f Block #1 Ciphertext 7649abac8119b246cee98e9b12e9197d Input Block 7649abac8119b246cee98e9b12e9197d Output Block 6bc0bce12a459991e134741a7f9e1925 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Ciphertext 5086cb9b507219ee95db113a917678b2 Input Block 5086cb9b507219ee95db113a917678b2 Output Block d86421fb9f1a1eda505ee1375746972c Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Ciphertext 73bed6b8e3c1743b7116e69e22229516 Input Block 73bed6b8e3c1743b7116e69e22229516 Output Block 604ed7ddf32efdff7020d0238b7c2a5d Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Ciphertext 3ff1caa1681fac09120eca307586e1a7 Input Block 3ff1caa1681fac09120eca307586e1a7 Output Block 8521f2fd3c8eef2cdc3da7e5c44ea206 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.2.3 CBC-AES192.Encrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b IV 000102030405060708090a0b0c0d0e0f Block #1 Plaintext 6bc1bee22e409f96e93d7e117393172a Input Block 6bc0bce12a459991e134741a7f9e1925 Output Block 4f021db243bc633d7178183a9fa071e8 Ciphertext 4f021db243bc633d7178183a9fa071e8 Block #2 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Input Block e12f97e55dbfcfa1efcf7796da0fffb9 Output Block b4d9ada9ad7dedf4e5e738763f69145a Ciphertext b4d9ada9ad7dedf4e5e738763f69145a Block #3 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Input Block 8411b1ef0e2109e5001cf96f256346b5 Output Block 571b242012fb7ae07fa9baac3df102e0 Ciphertext 571b242012fb7ae07fa9baac3df102e0 Block #4 Plaintext f69f2445df4f9b17ad2b417be66c3710 Input Block a1840065cdb4e1f7d282fbd7db9d35f0 Output Block 08b0e27988598881d920a9e64f5615cd Ciphertext 08b0e27988598881d920a9e64f5615cd F.2.4 CBC-AES192.Decrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b IV 000102030405060708090a0b0c0d0e0f Block #1 Ciphertext 4f021db243bc633d7178183a9fa071e8 Input Block 4f021db243bc633d7178183a9fa071e8 Output Block 6bc0bce12a459991e134741a7f9e1925 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Ciphertext b4d9ada9ad7dedf4e5e738763f69145a Input Block b4d9ada9ad7dedf4e5e738763f69145a Output Block e12f97e55dbfcfa1efcf7796da0fffb9 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Ciphertext 571b242012fb7ae07fa9baac3df102e0 Input Block 571b242012fb7ae07fa9baac3df102e0 Output Block 8411b1ef0e2109e5001cf96f256346b5 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Ciphertext 08b0e27988598881d920a9e64f5615cd Input Block 08b0e27988598881d920a9e64f5615cd Output Block a1840065cdb4e1f7d282fbd7db9d35f0 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.2.5 CBC-AES256.Encrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Block #1 Plaintext 6bc1bee22e409f96e93d7e117393172a Input Block 6bc0bce12a459991e134741a7f9e1925 Output Block f58c4c04d6e5f1ba779eabfb5f7bfbd6 Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6 Block #2 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Input Block 5ba1c653c8e65d26e929c4571ad47587 Output Block 9cfc4e967edb808d679f777bc6702c7d Ciphertext 9cfc4e967edb808d679f777bc6702c7d Block #3 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Input Block ac3452d0dd87649c8264b662dc7a7e92 Output Block 39f23369a9d9bacfa530e26304231461 Ciphertext 39f23369a9d9bacfa530e26304231461 Block #4 Plaintext f69f2445df4f9b17ad2b417be66c3710 Input Block cf6d172c769621d8081ba318e24f2371 Output Block b2eb05e2c39be9fcda6c19078c6a9d1b Ciphertext b2eb05e2c39be9fcda6c19078c6a9d1b F.2.6 CBC-AES256.Decrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Block #1 Ciphertext f58c4c04d6e5f1ba779eabfb5f7bfbd6 Input Block f58c4c04d6e5f1ba779eabfb5f7bfbd6 Output Block 6bc0bce12a459991e134741a7f9e1925 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Ciphertext 9cfc4e967edb808d679f777bc6702c7d Input Block 9cfc4e967edb808d679f777bc6702c7d Output Block 5ba1c653c8e65d26e929c4571ad47587 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Ciphertext 39f23369a9d9bacfa530e26304231461 Input Block 39f23369a9d9bacfa530e26304231461 Output Block ac3452d0dd87649c8264b662dc7a7e92 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Ciphertext b2eb05e2c39be9fcda6c19078c6a9d1b Input Block b2eb05e2c39be9fcda6c19078c6a9d1b Output Block cf6d172c769621d8081ba318e24f2371 Plaintext f69f2445df4f9b17ad2b417be66c3710 */ nettle-3.10/testsuite/balloon-test.c0000644000175000017500000001213014633602172016555 0ustar nissenisse/* balloon-test.c Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "balloon.h" static void test_balloon(const struct nettle_hash *alg, size_t password_len, const char *password, size_t salt_len, const char *salt, unsigned s_cost, unsigned t_cost, const struct tstring *expected) { void *ctx = xalloc(alg->context_size); uint8_t *buf = xalloc(balloon_itch(alg->digest_size, s_cost)); alg->init(ctx); balloon(ctx, alg->update, alg->digest, alg->digest_size, s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); if (!MEMEQ(alg->digest_size, buf, expected->data)) { fprintf(stderr, "test_balloon: result doesn't match the expectation:"); fprintf(stderr, "\nOutput: "); print_hex(alg->digest_size, buf); fprintf(stderr, "\nExpected:"); tstring_print_hex(expected); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(buf); } static void test_balloon_sha(const struct nettle_hash *alg, size_t password_len, const char *password, size_t salt_len, const char *salt, unsigned s_cost, unsigned t_cost, const struct tstring *expected) { uint8_t *buf = xalloc(balloon_itch(alg->digest_size, s_cost)); if (alg == &nettle_sha1) balloon_sha1(s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); else if (alg == &nettle_sha256) balloon_sha256(s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); else if (alg == &nettle_sha384) balloon_sha384(s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); else if (alg == &nettle_sha512) balloon_sha512(s_cost, t_cost, password_len, (const uint8_t *)password, salt_len, (const uint8_t *)salt, buf, buf); else { fprintf(stderr, "test_balloon_sha: bad test\n"); FAIL(); } if (!MEMEQ(alg->digest_size, buf, expected->data)) { fprintf(stderr, "test_balloon_sha: result doesn't match the expectation:"); fprintf(stderr, "\nOutput: "); print_hex(alg->digest_size, buf); fprintf(stderr, "\nExpected:"); tstring_print_hex(expected); fprintf(stderr, "\n"); FAIL(); } free(buf); } /* Test vectors are taken from: * * */ void test_main(void) { test_balloon(&nettle_sha256, 8, "hunter42", 11, "examplesalt", 1024, 3, SHEX("716043dff777b44aa7b88dcbab12c078abecfac9d289c5b5195967aa63440dfb")); test_balloon(&nettle_sha256, 0, "", 4, "salt", 3, 3, SHEX("5f02f8206f9cd212485c6bdf85527b698956701ad0852106f94b94ee94577378")); test_balloon(&nettle_sha256, 8, "password", 0, "", 3, 3, SHEX("20aa99d7fe3f4df4bd98c655c5480ec98b143107a331fd491deda885c4d6a6cc")); test_balloon(&nettle_sha256, 1, "", 1, "", 3, 3, SHEX("4fc7e302ffa29ae0eac31166cee7a552d1d71135f4e0da66486fb68a749b73a4")); test_balloon(&nettle_sha256, 8, "password", 4, "salt", 1, 1, SHEX("eefda4a8a75b461fa389c1dcfaf3e9dfacbc26f81f22e6f280d15cc18c417545")); test_balloon_sha(&nettle_sha1, 8, "password", 4, "salt", 3, 3, SHEX("99393c091fdd3136f85864099ec49a439dcacc21")); test_balloon_sha(&nettle_sha256, 8, "password", 4, "salt", 3, 3, SHEX("a4df347f5a312e8b2b14c32164f61a81758c807f1bdcda44f4930e2b80ab2154")); test_balloon_sha(&nettle_sha384, 8, "password", 4, "salt", 3, 3, SHEX("78da235f7d0f84aba98b50a432fa6c8f7f3ecb7ea0858cfb316c7e5356aae6c8" "d7e7b3924c54c4ed71a3d0d68cb0ad68")); test_balloon_sha(&nettle_sha512, 8, "password", 4, "salt", 3, 3, SHEX("9baf289dfa42990f4b189d96d4ede0f2610ba71fb644169427829d696f6866d8" "7af41eb68f9e14fd4b1f1a7ce4832f1ed6117c16e8eae753f9e1d054a7c0a7eb")); } nettle-3.10/testsuite/poly1305-test.c0000644000175000017500000001554714633602172016442 0ustar nissenisse#include "testutils.h" #include "poly1305.h" #include "poly1305-internal.h" #include "knuth-lfib.h" static void check_digest (const char *name, void *ctx, nettle_hash_digest_func *f, const struct tstring *msg, const struct tstring *ref) { uint8_t tag[16]; ASSERT (ref->length <= 16); f(ctx, ref->length, tag); if (!MEMEQ(ref->length, ref->data, tag)) { printf ("%s failed\n", name); printf ("msg: "); print_hex (msg->length, msg->data); printf ("length: %u\n", (unsigned) msg->length); printf ("tag: "); print_hex (ref->length, tag); printf ("ref: "); print_hex (ref->length, ref->data); abort (); } } static void test_poly1305 (const struct tstring *key, const struct tstring *nonce, const struct tstring *msg, const struct tstring *ref) { struct poly1305_aes_ctx ctx; ASSERT (key->length == POLY1305_AES_KEY_SIZE); ASSERT (ref->length == POLY1305_AES_DIGEST_SIZE); poly1305_aes_set_key (&ctx, key->data); poly1305_aes_set_nonce (&ctx, nonce->data); poly1305_aes_update(&ctx, msg->length, msg->data); check_digest ("poly1305-aes", &ctx, (nettle_hash_digest_func *) poly1305_aes_digest, msg, ref); } static void poly1305_internal (const uint8_t key[16], size_t length, const uint8_t *message, union nettle_block16 *nonce) { struct poly1305_ctx ctx; _nettle_poly1305_set_key (&ctx, key); for ( ; length >= 16; length -= 16, message += 16) _nettle_poly1305_block (&ctx, message, 1); if (length > 0) { uint8_t block[16]; memcpy (block, message, length); block[length] = 1; memset (block + length + 1, 0, sizeof(block) - 1 - length); _nettle_poly1305_block (&ctx, block, 0); } _nettle_poly1305_digest (&ctx, nonce); } static void ref_poly1305_internal (const uint8_t key[16], size_t length, const uint8_t *message, union nettle_block16 *nonce) { uint8_t block[16]; mpz_t p; mpz_t h; mpz_t r; mpz_t m; mpz_init_set_ui (p, 1); mpz_init (r); mpz_init_set_ui (h, 0); mpz_init (m); mpz_mul_2exp (p, p, 130); mpz_sub_ui (p, p, 5); memcpy (block, key, sizeof(block)); block[3] &= 0x0f; block[4] &= 0xfc; block[7] &= 0x0f; block[8] &= 0xfc; block[11] &= 0x0f; block[12] &= 0xfc; block[15] &= 0x0f; /* Little-endian load */ mpz_import (r, 16, -1, 1, 0, 0, block); for ( ; length >= 16; length -= 16, message += 16) { mpz_import (m, 16, -1, 1, 0, 0, message); mpz_setbit (m, 128); mpz_add (h, h, m); mpz_mul (h, h, r); mpz_mod (h, h, p); } if (length > 0) { mpz_import (m, length, -1, 1, 0, 0, message); mpz_setbit (m, length * 8); mpz_add (h, h, m); mpz_mul (h, h, r); mpz_mod (h, h, p); } mpz_import (m, 16, -1, 1, 0, 0, nonce->b); mpz_add (h, h, m); mpz_fdiv_r_2exp (h, h, 128); memset (nonce->b, 0, 16); mpz_export (nonce->b, NULL, -1, 1, 0, 0, h); mpz_clear (p); mpz_clear (r); mpz_clear (h); mpz_clear (m); } static void test_poly1305_internal (const uint8_t key[16], size_t length, const uint8_t *message, const uint8_t nonce[16], const uint8_t ref[16]) { union nettle_block16 digest; memcpy (digest.b, nonce, sizeof(digest.b)); poly1305_internal (key, length, message, &digest); if (!MEMEQ (sizeof(digest.b), digest.b, ref)) { printf ("poly1305_internal failed\n"); printf ("key: "); print_hex (16, key); printf ("nonce: "); print_hex (16, nonce); printf ("msg: "); print_hex (length, message); printf ("length: %u\n", (unsigned) length); printf ("tag: "); print_hex (16, digest.b); printf ("ref: "); print_hex (16, ref); abort(); } } static void test_fixed (void) { static uint8_t nonce[16] = {0}; static const struct { char *key; char *message; char *digest; } test_cases[] = { {"9959780624f5670ccc9e530738ddd70a", "82785d0bbe75181ea188c1a0d8dd81cf90d1c0f1cfa97912e92ab91bd3357368", "00000000000000000000000000000000"}, {"6c72ea0dc487510934252a01544e9307", "0b6a6a734cb67fe9a548a81f21ec3db398c1ed1a62715e993e67f0a682b75990", "01000000000000000000000000000000"}, {"64447e0bdca48e0a30c5af06ec830008", "1fd9b81b8310bdf6007549d6d06df6d07e37c8a8500edd91874a5657cff1c1ba", "faffffffffffffffffffffffffffffff"}, {"054a840700390c092c422e037825c709", "3faabe212f024da30f8f7064d3dab6f426c5a408de0bec35624b6793a0d4a353", "05000000000000000000000000000000",} }; size_t i; for (i = 0; i < sizeof(test_cases) / sizeof(test_cases[0]); i++) { struct tstring *key = tstring_hex(test_cases[i].key); struct tstring *message = tstring_hex(test_cases[i].message); struct tstring *digest = tstring_hex(test_cases[i].digest); union nettle_block16 out; ASSERT (key->length == 16); ASSERT (digest->length == 16); memset (out.b, 0, sizeof(out.b)); test_poly1305_internal (key->data, message->length, message->data, nonce, digest->data); } } #define COUNT 10000 #define MAX_MESSAGE_SIZE 300 static void test_random(void) { struct knuth_lfib_ctx rand_ctx; unsigned j; knuth_lfib_init (&rand_ctx, 17); for (j = 0; j < COUNT; j++) { uint8_t key[16]; uint8_t nonce[16]; uint8_t message[MAX_MESSAGE_SIZE]; size_t length; union nettle_block16 ref; knuth_lfib_random (&rand_ctx, sizeof(key), key); knuth_lfib_random (&rand_ctx, sizeof(nonce), nonce); knuth_lfib_random (&rand_ctx, sizeof(length), (uint8_t *) &length); length %= MAX_MESSAGE_SIZE + 1; knuth_lfib_random (&rand_ctx, length, message); memcpy (ref.b, nonce, sizeof(ref.b)); ref_poly1305_internal (key, length, message, &ref); test_poly1305_internal (key, length, message, nonce, ref.b); } } void test_main(void) { /* From Bernstein's paper. */ test_poly1305 (SHEX("75deaa25c09f208e1dc4ce6b5cad3fbfa0f3080000f46400d0c7e9076c834403"), SHEX("61ee09218d29b0aaed7e154a2c5509cc"), SHEX(""), SHEX("dd3fab2251f11ac759f0887129cc2ee7")); test_poly1305 (SHEX("ec074c835580741701425b623235add6851fc40c3467ac0be05cc20404f3f700"), SHEX("fb447350c4e868c52ac3275cf9d4327e"), SHEX("f3f6"), SHEX("f4c633c3044fc145f84f335cb81953de")); test_poly1305 (SHEX("6acb5f61a7176dd320c5c1eb2edcdc74" "48443d0bb0d21109c89a100b5ce2c208"), SHEX("ae212a55399729595dea458bc621ff0e"), SHEX("663cea190ffb83d89593f3f476b6bc24" "d7e679107ea26adb8caf6652d0656136"), SHEX("0ee1c16bb73f0f4fd19881753c01cdbe")); test_poly1305 (SHEX("e1a5668a4d5b66a5f68cc5424ed5982d12976a08c4426d0ce8a82407c4f48207"), SHEX("9ae831e743978d3a23527c7128149e3a"), SHEX("ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491" "faf0990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb2109" "5c1bf9"), SHEX("5154ad0d2cb26e01274fc51148491f1b")); test_fixed(); test_random(); } nettle-3.10/testsuite/rsa-test.c0000644000175000017500000001464614633602172015732 0ustar nissenisse#include "testutils.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_1(&pub, &key); /* Test md5 signatures */ mpz_set_str(expected, "53bf517009fa956e" "3daa6adc95e8663d" "3759002f488bbbad" "e49f62792d85dbcc" "293f68e2b68ef89a" "c5bd42d98f845325" "3e6c1b76fc337db5" "e0053f255c55faf3" "eb6cc568ad7f5013" "5b269a64acb9eaa7" "b7f09d9bd90310e6" "4c58f6dbe673ada2" "67c97a9d99e19f9d" "87960d9ce3f0d5ce" "84f401fe7e10fa24" "28b9bffcf9", 16); test_rsa_md5(&pub, &key, expected); /* Test sha1 signature */ mpz_set_str(expected, "129b405ed85db88c" "55d35344c4b52854" "496516b4d63d8211" "80a0c24d6ced9047" "33065a564bbd33d0" "a5cdfd204b9c6d15" "78337207c2f1662d" "c73906c7a0f2bf5c" "af92cef9121957b1" "dcb111ff47b92389" "888e384d0cfd1b1e" "e5d7003a8feff3fd" "dd6a71d242a79272" "25234d67ba369441" "c12ae555c697754e" "a17f93fa92", 16); test_rsa_sha1(&pub, &key, expected); mpz_set_str(expected, "13f9e43f7a401a73" "0a74985c01520d76" "bf5f2e2dff91e93b" "9267d8c388d6937b" "d4bc6f1fa31618a9" "b5e3a1a875af72f5" "0e805dbfebdf4348" "7d49763f0b365e78" "d2c0ea8fb3785897" "782289a58f998907" "248c9cdf2c643d7e" "6ba6b55026227773" "6f19caa69c4fc6d7" "7e2e5d4cd6b7a82b" "900d201ffd000448" "685e5a4f3e", 16); test_rsa_sha256(&pub, &key, expected); mpz_set_str(expected, "06327f717f43bcf3" "5994e567e8241963" "8c22e1057a7771e7" "a665bb7441a39cc8" "7762f6b1a459cae3" "281462ed3f6aec48" "15c2365797a02af6" "8a603adf276c46f6" "e6afb25d07c57f47" "c516aff84abda629" "cc83d9364eb3616d" "7d4ddf0e9a25fac5" "7d56a252b0cb7b1f" "8266b525e9b893af" "116e7845c0969a9f" "603e2543f3", 16); test_rsa_sha512(&pub, &key, expected); /* Test detection of invalid keys with even modulo */ mpz_clrbit (pub.n, 0); ASSERT (!rsa_public_key_prepare (&pub)); mpz_clrbit (key.p, 0); ASSERT (!rsa_private_key_prepare (&key)); /* 777-bit key, generated by * * lsh-keygen -a rsa -l 777 -f advanced-hex * * Interesting because the size of n doesn't equal the sum of the * sizes of p and q. * * (private-key (rsa-pkcs1 * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e * f52b#) * (e #3f1a012d#) * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb * 25#) * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 * 8b#) * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f * e1#) * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be * c9#) * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b * 05#) * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 * 06#))) */ mpz_set_str(pub.n, "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" "f52b", 16); mpz_set_str(pub.e, "3f1a012d", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" "8b", 16); mpz_set_str(key.q, "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" "e1", 16); mpz_set_str(key.a, "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" "c9", 16); mpz_set_str(key.b, "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" "05", 16); mpz_set_str(key.c, "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" "06", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); /* Test md5 signatures */ mpz_set_str(expected, "011b939f6fbacf7f" "7d3217b022d07477" "e582e34d4bbddd4c" "31520647417fc8a6" "18b2e196d799cedd" "d8f5c062fd796b0f" "72ab46db2ac6ec74" "39d856be3f746cc4" "3e0a15429954736a" "60a8b3c6ea93d2cb" "c69085c307d72517" "07d43bf97a3b51eb" "9e89", 16); test_rsa_md5(&pub, &key, expected); /* Test sha1 signature */ mpz_set_str(expected, "648c49e0ed045547" "08381d0bcd03b7bd" "b0f80a0e9030525d" "234327a1c96b8660" "f1c01c6f15ae76d0" "4f53a53806b7e4db" "1f789e6e89b538f6" "88fcbd2caa6abef0" "5432d52f3de463a4" "a9e6de94f1b7bb68" "3c07edf0924fc93f" "56e1a0dba8f7491c" "5c", 16); test_rsa_sha1(&pub, &key, expected); mpz_set_str(expected, "d759bb28b4d249a2" "f8b67bdbb1ab7f50" "c88712fbcabc2956" "1ec6ca3f8fdafe7a" "38433d7da287b8f7" "87857274c1640b2b" "e652cd89c501d570" "3980a0af5c6bb60c" "f84feab25b099d06" "e2519accb73dac43" "fb8bdad28835f3bd" "84c43678fe2ef41f" "af", 16); test_rsa_sha256(&pub, &key, expected); mpz_set_str(expected, "f761aae6273d6149" "06d8c208fb2897ca" "d798a46af4985b86" "51d51e6a3e11cbe0" "84f18ba8979c0f54" "11493f7c6e770560" "03db2146b4dbcaa6" "4aae2e02aab9ff7b" "1ddf77dc72145cf1" "c26ebde7c708cdc1" "62e167a7ac33967b" "386a40ea4a988d17" "47", 16); test_rsa_sha512(&pub, &key, expected); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-3.10/testsuite/sexp2rsa-test.c0000644000175000017500000000236014633602172016702 0ustar nissenisse#include "testutils.h" void test_main(void) { struct rsa_public_key pub; struct rsa_private_key priv; const struct tstring *sexp; rsa_public_key_init(&pub); rsa_private_key_init(&priv); sexp = SHEX("2831313a707269766174652d6b657928" "333a72736128313a6e36333a085c3408" "989acae4faec3cbbad91c90d34c1d259" "cd74121a36f38b0b51424a9b2be514a0" "4377113a6cdafe79dd7d5f2ecc8b5e96" "61189b86a7b22239907c252928313a65" "343a36ad4b1d2928313a6436333a06ee" "6d4ff3c239e408150daf8117abfa36a4" "0ad4455d9059a86d52f33a2de07418a0" "a699594588c64810248c9412d554f74a" "f947c73c32007e87c92f0937ed292831" "3a7033323a03259879b24315e9cf1425" "4824c7935d807cdb6990f414a0f65e60" "65130a611f2928313a7133323a02a81b" "a73bad45fc73b36deffce52d1b73e074" "7f4d8a82648cecd310448ea63b292831" "3a6133323a026cbdad5dd0046e093f06" "0ecd5b4ac918e098b0278bb752b7cadd" "6a8944f0b92928313a6233323a014875" "1e622d6d58e3bb094afd6edacf737035" "1d068e2ce9f565c5528c4a7473292831" "3a6333323a00f8a458ea73a018dc6fa5" "6863e3bc6de405f364f77dee6f096267" "9ea1a8282e292929"); ASSERT(rsa_keypair_from_sexp (&pub, &priv, 0, sexp->length, sexp->data)); test_rsa_key(&pub, &priv); rsa_public_key_clear(&pub); rsa_private_key_clear(&priv); } nettle-3.10/testsuite/rsa-pss-sign-tr-test.c0000644000175000017500000003027114633602172020106 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" #include "nettle-internal.h" #define SALT "This is a magic salt" #define MSG1 "None so blind as those who will not see" #define MSG2 "Fortune knocks once at every man's door" typedef int (*test_pss_sign_tr_func) (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s); typedef int (*test_pss_verify_func) (const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature); static void test_rsa_pss_sign_tr(struct rsa_public_key *pub, struct rsa_private_key *key, test_pss_sign_tr_func sign_tr_func, test_pss_verify_func verify_func, void *ctx, const struct nettle_hash *hash, size_t salt_length, const uint8_t *salt, size_t length, const uint8_t *message, mpz_t expected) { mpz_t signature; struct knuth_lfib_ctx lfib; uint8_t digest[NETTLE_MAX_HASH_DIGEST_SIZE]; uint8_t bad_digest[NETTLE_MAX_HASH_DIGEST_SIZE]; knuth_lfib_init(&lfib, 1111); hash->init(ctx); hash->update(ctx, length, message); hash->digest(ctx, hash->digest_size, digest); mpz_init(signature); mpz_set_ui (signature, 17); /* Try bad private key */ mpz_add_ui(key->p, key->p, 2); ASSERT(!sign_tr_func(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, salt_length, salt, digest, signature)); mpz_sub_ui(key->p, key->p, 2); ASSERT(!mpz_cmp_ui(signature, 17)); /* Try the good private key */ ASSERT(sign_tr_func(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, salt_length, salt, digest, signature)); if (verbose) { fprintf(stderr, "rsa-pss-tr signature: "); mpz_out_str(stderr, 16, signature); fprintf(stderr, "\nrsa-pss-tr expected: "); mpz_out_str(stderr, 16, expected); fprintf(stderr, "\n"); } ASSERT (mpz_cmp(signature, expected) == 0); /* Try bad digest */ memset(bad_digest, 0x17, sizeof(bad_digest)); ASSERT (!verify_func(pub, salt_length, bad_digest, signature)); /* Try the good digest */ ASSERT (verify_func(pub, salt_length, digest, signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!verify_func(pub, salt_length, digest, signature)); mpz_clear(signature); } void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct sha256_ctx sha256ctx; struct sha384_ctx sha384ctx; struct sha512_ctx sha512ctx; mpz_t p1; mpz_t q1; struct tstring *salt; struct tstring *msg; mpz_t expected; mpz_init(expected); mpz_init(p1); mpz_init(q1); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_1(&pub, &key); /* Test signatures */ mpz_set_str(expected, "25e6ce0cc00e917e177a09cb4dfd843d104c179b71aded60e68ebc" "ca2cabb1e51502adf28e53fa7ede42619f21a1162755b9658edf88" "a038bb4fea2bb73306fb384d5785c1a8c98a255277c91a4f88ddd3" "52ebdc78f71f7e62b7a870dac4ab25f1004453457e831a1572f7c9" "23fcc48e3b69db582127d14471c7195dce", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, LDATA(SALT), LDATA(MSG1), expected); mpz_set_str(expected, "52f4393ccc92b5672dd3cfd8624765d3a4cdb50c7a92060c33b4663" "fa545b32ce56ec8cd44fe9720df301906ae40921e844b6d80331194" "972f98e309c937c887c53da940778f29d52dd9489e6016a07e9aa16" "b1ea8fefc0860ad69068ad6f94a4b0c8fc8a0797b08c58cf4a8df90" "ee1375feedf7bf73f16ebb2d1cc7e4", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, LDATA(SALT), LDATA(MSG2), expected); /* 777-bit key, generated by * * lsh-keygen -a rsa -l 777 -f advanced-hex * * Interesting because the size of n doesn't equal the sum of the * sizes of p and q. * * (private-key (rsa-pkcs1 * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e * f52b#) * (e #3f1a012d#) * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb * 25#) * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 * 8b#) * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f * e1#) * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be * c9#) * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b * 05#) * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 * 06#))) */ mpz_set_str(pub.n, "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" "f52b", 16); mpz_set_str(pub.e, "3f1a012d", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" "8b", 16); mpz_set_str(key.q, "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" "e1", 16); mpz_set_str(key.a, "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" "c9", 16); mpz_set_str(key.b, "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" "05", 16); mpz_set_str(key.c, "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" "06", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); /* Test signatures */ mpz_set_str(expected, "1a4d28331341cabf7ac85bc59a58d439b7ec2c607c6a74e35b5909" "1dfa3d9de9fde93e4a431f0f768bec07c39995d253209f86e3dc84" "037ecd5d23d963fab4fa8a001e018d82cb19d743a94ba7dc7a821e" "87b72e67a0fe058f956208f7060dc104", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, LDATA(SALT), LDATA(MSG1), expected); /* From FIPS 186-2 */ mpz_set_str(pub.n, "be499b5e7f06c83f" "a0293e31465c8eb6" "b58af920bae52a7b" "5b9bfeb7aa72db12" "64112eb3fd431d31" "a2a7e50941566929" "494a0e891ed56139" "18b4b51b0d1fb977" "83b26acf7d0f384c" "fb35f4d2824f5dd3" "80623a26bf180b63" "961c619dcdb20cae" "406f22f6e276c80a" "37259490cfeb72c1" "a71a84f1846d3308" "77ba3e3101ec9c7b" , 16); mpz_set_str(pub.e, "11", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "e7a80c5d211c06ac" "b900939495f26d36" "5fc2b4825b75e356" "f89003eaa5931e6b" "e5c3f7e6a633ad59" "db6289d06c354c23" "5e739a1e3f3d39fb" "40d1ffb9cb44288f", 16); mpz_set_str(key.q, "d248aa248000f720" "258742da67b71194" "0c8f76e1ecd52b67" "a6ffe1e49354d66f" "f84fa601804743f5" "838da2ed4693a5a2" "8658d6528cc1803b" "f6c8dc73c5230b55", 16); mpz_set_str(key.d, "0d0f17362bdad181" "db4e1fe03e8de1a3" "208989914e14bf26" "9558826bfa20faf4" "b68dba6bb989a01f" "03a21c44665dc5f6" "48cb5b59b954eb10" "77a80263bd22cdfb" "88d39164b7404f4f" "1106ee01cf60b776" "95748d8fdaf9fd42" "8963fe75144010b1" "934c8e26a8823967" "2cf49b3422a07c4d" "834ba208d570fe40" "8e7095c90547e68d", 16); /* a = d % (p-1) */ mpz_sub_ui(p1, key.p, 1); mpz_fdiv_r(key.a, key.d, p1); mpz_clear(p1); /* b = d % (q-1) */ mpz_sub_ui(q1, key.q, 1); mpz_fdiv_r(key.b, key.d, q1); mpz_clear(q1); /* c = q^{-1} (mod p) */ mpz_invert(key.c, key.q, key.p); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); mpz_set_str(expected, "11e169f2fd40b07641b9768a2ab19965fb6c27f10fcf0323fcc6d1" "2eb4f1c06b330ddaa1ea504407afa29de9ebe0374fe9d1e7d0ffbd" "5fc1cf3a3446e4145415d2ab24f789b3464c5c43a256bbc1d692cf" "7f04801dac5bb401a4a03ab7d5728a860c19e1a4dc797ca542c820" "3cec2e601eb0c51f567f2eda022b0b9ebddeeefa", 16); salt = SHEX("11223344555432167890"); msg = SHEX("c7f5270fca725f9bd19f519a8d7cca3cc5c079024029f3bae510f9" "b02140fe238908e4f6c18f07a89c687c8684669b1f1db2baf9251a" "3c829faccb493084e16ec9e28d58868074a5d6221667dd6e528d16" "fe2c9f3db4cfaf6c4dce8c8439af38ceaaaa9ce2ecae7bc8f4a5a5" "5e3bf96df9cd575c4f9cb327951b8cdfe4087168"); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha256_sign_digest_tr, rsa_pss_sha256_verify_digest, &sha256ctx, &nettle_sha256, salt->length, salt->data, msg->length, msg->data, expected); mpz_set_str(expected, "b281ad934b2775c0cba5fb10aa574d2ed85c7f99b942b78e497024" "80069362ed394baded55e56cfcbe7b0b8d2217a05a60e1acd725cb" "09060dfac585bc2132b99b41cdbd530c69d17cdbc84bc6b9830fc7" "dc8e1b2412cfe06dcf8c1a0cc3453f93f25ebf10cb0c90334fac57" "3f449138616e1a194c67f44efac34cc07a526267", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha384_sign_digest_tr, rsa_pss_sha384_verify_digest, &sha384ctx, &nettle_sha384, salt->length, salt->data, msg->length, msg->data, expected); mpz_set_str(expected, "8ffc38f9b820ef6b080fd2ec7de5626c658d79056f3edf610a295b" "7b0546f73e01ffdf4d0070ebf79c33fd86c2d608be9438b3d420d0" "9535b97cd3d846ecaf8f6551cdf93197e9f8fb048044473ab41a80" "1e9f7fc983c62b324361dade9f71a65952bd35c59faaa4d6ff462f" "68a6c4ec0b428aa47336f2178aeb276136563b7d", 16); test_rsa_pss_sign_tr(&pub, &key, rsa_pss_sha512_sign_digest_tr, rsa_pss_sha512_verify_digest, &sha512ctx, &nettle_sha512, salt->length, salt->data, msg->length, msg->data, expected); /* The public key n for this test is of size k = 1017 bits, and the pss "em" value is limited to k - 1 = 1016 bits or 127 octets. The alleged signature below results in a 1017 bit number during the signature verification, which is too large, and used to result in an assertion failure when attempting to convert the number to a 127 octet string. */ mpz_set_str(pub.n, "1d64559685aad3490e976b48aacf442ecee847268f882341eafe78" "a0ca4ef88f66edbaf55b70e5285cc117aa9ceb322a4227c17e9e89" "27bf38e5672faecf79e2983d92766fbb6624522f072ae0e4e46d37" "052ce1e5745c2dd8fd67de3862e4711161e359b96bda85911ebf4e" "6ce1bea625970269c77004a3cb03f9c382c5f79", 16); mpz_set_str(pub.e, "10001", 16); ASSERT (rsa_public_key_prepare(&pub)); msg = SHEX("7f85e4909ff7bb29536e540a53031ef03ddcb129e553a43273fa1f" "ed28c22a8b57c7bde101ff746f335ba69b29642019"); /* Alleged signature, resulting in a too large m. */ mpz_set_str(expected, "000000000000000000000000000000000000000000000000000000" "000000000000000000000000000000000000000000000005ffff05" "000000000000000000000000000000000000000000000000000000" "000000000000000000000000000000000000000000000000000000" "0000000000000000000000000000000000000000", 16); ASSERT(!rsa_pss_sha384_verify_digest(&pub, 48, msg->data, expected)); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-3.10/testsuite/ecc-redc-test.c0000644000175000017500000000751514633602172016607 0ustar nissenisse#include "testutils.h" static void ref_redc (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn) { mpz_t t; mpz_t m, a; mp_size_t an; mpz_init (t); mpz_setbit (t, mn * GMP_NUMB_BITS); mpz_roinit_n (m, mp, mn); an = 2*mn; while (an > 0 && ap[an-1] == 0) an--; mpz_roinit_n (a, ap, an); mpz_invert (t, t, m); mpz_mul (t, t, a); mpz_mod (t, t, m); mpz_limbs_copy (rp, t, mn); mpz_clear (t); } /* Destructively normalize tp, then compare */ static int mod_equal(const struct ecc_modulo *m, const mp_limb_t *ref, mp_limb_t *tp) { if (mpn_cmp (tp, m->m, m->size) >= 0) mpn_sub_n (tp, tp, m->m, m->size); return mpn_cmp (ref, tp, m->size) == 0; } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define MAX_SIZE (2*MAX_ECC_SIZE) #define COUNT 10000 void test_main (void) { gmp_randstate_t rands; mp_limb_t a[MAX_SIZE]; mp_limb_t m[MAX_SIZE]; mp_limb_t ref[MAX_SIZE]; unsigned i; mpz_t r; gmp_randinit_default (rands); test_randomize(rands); mpz_init (r); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; unsigned j; for (j = 0; j < COUNT; j++) { if (j & 1) mpz_rrandomb (r, rands, 2*ecc->p.size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, 2*ecc->p.size * GMP_NUMB_BITS); mpz_limbs_copy (a, r, 2*ecc->p.size); ref_redc (ref, a, ecc->p.m, ecc->p.size); if (ecc->p.reduce != ecc->p.mod) { mpn_copyi (m, a, 2*ecc->p.size); ecc->p.reduce (&ecc->p, m, m); if (!mod_equal (&ecc->p, ref, m)) { fprintf (stderr, "ecc->p.reduce failed: bit_size = %u, rp == xp\n", ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } mpn_copyi (m, a, 2*ecc->p.size); ecc->p.reduce (&ecc->p, m + ecc->p.size, m); if (!mod_equal (&ecc->p, ref, m + ecc->p.size)) { fprintf (stderr, "ecc->p.reduce failed: bit_size = %u, rp == xp + size\n", ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m + ecc->p.size, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } } if (ecc->p.redc_size != 0) { mpn_copyi (m, a, 2*ecc->p.size); if (ecc->p.m[0] == 1) ecc_pm1_redc (&ecc->p, m, m); else ecc_pp1_redc (&ecc->p, m, m); if (!mod_equal (&ecc->p, ref, m)) { fprintf (stderr, "ecc_p%c1_redc failed: bit_size = %u\n", (ecc->p.m[0] == 1) ? 'm' : 'p', ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } mpn_copyi (m, a, 2*ecc->p.size); if (ecc->p.m[0] == 1) ecc_pm1_redc (&ecc->p, m + ecc->p.size, m); else ecc_pp1_redc (&ecc->p, m + ecc->p.size, m); if (!mod_equal (&ecc->p, ref, m + ecc->p.size)) { fprintf (stderr, "ecc_p%c1_redc failed: bit_size = %u\n", (ecc->p.m[0] == 1) ? 'm' : 'p', ecc->p.bit_size); fprintf (stderr, "a = "); mpn_out_str (stderr, 16, a, 2*ecc->p.size); fprintf (stderr, "\nm = "); mpn_out_str (stderr, 16, m + ecc->p.size, ecc->p.size); fprintf (stderr, " (bad)\nref = "); mpn_out_str (stderr, 16, ref, ecc->p.size); fprintf (stderr, "\n"); abort (); } } } } mpz_clear (r); gmp_randclear (rands); } nettle-3.10/testsuite/camellia-test.c0000644000175000017500000000662114633602172016706 0ustar nissenisse#include "testutils.h" #include "camellia.h" static void test_invert(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length); if (key->length == 16) { struct camellia128_ctx encrypt; struct camellia128_ctx decrypt; camellia128_set_encrypt_key (&encrypt, key->data); camellia128_crypt (&encrypt, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fail_encrypt: tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } camellia128_invert_key (&decrypt, &encrypt); camellia128_crypt (&decrypt, length, data, data); } else { struct camellia256_ctx encrypt; struct camellia256_ctx decrypt; if (key->length == 24) camellia192_set_encrypt_key (&encrypt, key->data); else if (key->length == 32) camellia256_set_encrypt_key (&encrypt, key->data); else abort (); camellia256_crypt (&encrypt, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) goto fail_encrypt; camellia256_invert_key (&decrypt, &encrypt); camellia256_crypt (&decrypt, length, data, data); } if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "test_invert: Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free (data); } void test_main(void) { /* Test vectors from RFC 3713 */ /* 128 bit keys */ test_cipher(&nettle_camellia128, SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43")); /* 192 bit keys */ test_cipher(&nettle_camellia192, SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9")); /* 256 bit keys */ test_cipher(&nettle_camellia256, SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09")); /* Test camellia_invert_key with src != dst */ test_invert(SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("67 67 31 38 54 96 69 73 08 57 06 56 48 ea be 43")); test_invert(SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("b4 99 34 01 b3 e9 96 f8 4e e5 ce e7 d7 9b 09 b9")); test_invert(SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10" "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff"), SHEX("01 23 45 67 89 ab cd ef fe dc ba 98 76 54 32 10"), SHEX("9a cc 23 7d ff 16 d7 6c 20 ef 7c 91 9e 3a 75 09")); } nettle-3.10/testsuite/sha3-permute-test.c0000644000175000017500000000421514633602172017451 0ustar nissenisse#include "testutils.h" #include "sha3.h" #include "sha3-internal.h" static void display (const struct sha3_state *state) { unsigned x, y; for (x = 0; x < 5; x++) { for (y = 0; y < 5; y++) /* Is there a simple and *portable* way to print uint64_t? */ printf ("%8lx%08lx ", (unsigned long) (state->a[x +5*y] >> 32), (unsigned long) (state->a[x+5*y] & 0xffffffff)); printf("\n"); } } void test_main(void) { /* From KeccakPermutationIntermediateValues.txt */ static const struct sha3_state s1 = { { 0xF1258F7940E1DDE7ULL, 0x84D5CCF933C0478AULL, 0xD598261EA65AA9EEULL, 0xBD1547306F80494DULL, 0x8B284E056253D057ULL, 0xFF97A42D7F8E6FD4ULL, 0x90FEE5A0A44647C4ULL, 0x8C5BDA0CD6192E76ULL, 0xAD30A6F71B19059CULL, 0x30935AB7D08FFC64ULL, 0xEB5AA93F2317D635ULL, 0xA9A6E6260D712103ULL, 0x81A57C16DBCF555FULL, 0x43B831CD0347C826ULL, 0x01F22F1A11A5569FULL, 0x05E5635A21D9AE61ULL, 0x64BEFEF28CC970F2ULL, 0x613670957BC46611ULL, 0xB87C5A554FD00ECBULL, 0x8C3EE88A1CCF32C8ULL, 0x940C7922AE3A2614ULL, 0x1841F924A2C509E4ULL, 0x16F53526E70465C2ULL, 0x75F644E97F30A13BULL, 0xEAF1FF7B5CECA249ULL, } }; static const struct sha3_state s2 = { { 0x2D5C954DF96ECB3CULL, 0x6A332CD07057B56DULL, 0x093D8D1270D76B6CULL, 0x8A20D9B25569D094ULL, 0x4F9C4F99E5E7F156ULL, 0xF957B9A2DA65FB38ULL, 0x85773DAE1275AF0DULL, 0xFAF4F247C3D810F7ULL, 0x1F1B9EE6F79A8759ULL, 0xE4FECC0FEE98B425ULL, 0x68CE61B6B9CE68A1ULL, 0xDEEA66C4BA8F974FULL, 0x33C43D836EAFB1F5ULL, 0xE00654042719DBD9ULL, 0x7CF8A9F009831265ULL, 0xFD5449A6BF174743ULL, 0x97DDAD33D8994B40ULL, 0x48EAD5FC5D0BE774ULL, 0xE3B8C8EE55B7B03CULL, 0x91A0226E649E42E9ULL, 0x900E3129E7BADD7BULL, 0x202A9EC5FAA3CCE8ULL, 0x5B3402464E1C3DB6ULL, 0x609F4E62A44C1059ULL, 0x20D06CD26A8FBF5CULL, } }; struct sha3_state state; memset (&state, 0, sizeof(state)); sha3_permute (&state); if (!MEMEQ (sizeof(state), &state.a, &s1)) { printf("Got:\n"); display (&state); printf("Ref:\n"); display (&s1); FAIL(); } sha3_permute (&state); if (!MEMEQ (sizeof(state), &state.a, &s2)) { printf("Got:\n"); display (&state); printf("Ref:\n"); display (&s2); FAIL(); } } nettle-3.10/testsuite/ecdsa-sign-test.c0000644000175000017500000001441014633602172017147 0ustar nissenisse#include "testutils.h" static void test_ecdsa (const struct ecc_curve *ecc, /* Private key */ const char *sz, /* Random nonce */ const char *sk, /* Hash */ const struct tstring *h, /* Expected signature */ const char *r, const char *s) { struct dsa_signature ref; mpz_t t; mpz_t z; mpz_t k; mp_limb_t *rp = xalloc_limbs (ecc->p.size); mp_limb_t *sp = xalloc_limbs (ecc->p.size); mp_limb_t *zp = xalloc_limbs (ecc->p.size); mp_limb_t *kp = xalloc_limbs (ecc->p.size); mp_limb_t *scratch = xalloc_limbs (ecc_ecdsa_sign_itch (ecc)); dsa_signature_init (&ref); mpz_init_set_str (z, sz, 16); mpz_init_set_str (k, sk, 16); mpz_limbs_copy (zp, z, ecc->p.size); mpz_limbs_copy (kp, k, ecc->p.size); mark_bytes_undefined (sizeof(mp_limb_t) * ecc->p.size, zp); mark_bytes_undefined (sizeof(mp_limb_t) * ecc->p.size, kp); ecc_ecdsa_sign (ecc, zp, kp, h->length, h->data, rp, sp, scratch); mark_bytes_defined (sizeof(mp_limb_t) * ecc->p.size, rp); mark_bytes_defined (sizeof(mp_limb_t) * ecc->p.size, sp); mpz_set_str (ref.r, r, 16); mpz_set_str (ref.s, s, 16); if (mpz_cmp (ref.r, mpz_roinit_n (t, rp, ecc->p.size)) != 0 || mpz_cmp (ref.s, mpz_roinit_n (t, sp, ecc->p.size)) != 0) { fprintf (stderr, "_ecdsa_sign failed, bit_size = %u\n", ecc->p.bit_size); fprintf (stderr, "r = "); write_mpn (stderr, 16, rp, ecc->p.size); fprintf (stderr, "\ns = "); write_mpn (stderr, 16, sp, ecc->p.size); fprintf (stderr, "\nref.r = "); mpz_out_str (stderr, 16, ref.r); fprintf (stderr, "\nref.s = "); mpz_out_str (stderr, 16, ref.s); fprintf (stderr, "\n"); abort(); } free (rp); free (sp); free (zp); free (kp); free (scratch); dsa_signature_clear (&ref); mpz_clear (k); mpz_clear (z); } void test_main (void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif /* Producing the signature for corresponding test in ecdsa-verify-test.c, with special u1 and u2. */ test_ecdsa (&_nettle_secp_224r1, "99b5b787484def12894ca507058b3bf5" "43d72d82fa7721d2e805e5e6", "2", SHEX("cdb887ac805a3b42e22d224c85482053" "16c755d4a736bb2032c92553"), "706a46dc76dcb76798e60e6d89474788" "d16dc18032d268fd1a704fa6", /* r */ "3a41e1423b1853e8aa89747b1f987364" "44705d6d6d8371ea1f578f2e"); /* s */ /* Produce a signature where verify operation results in a point duplication. */ test_ecdsa (&_nettle_secp_256r1, "1", /* Private key */ "01010101010101010101010101010101" "01010101010101010101010101010101", /* nonce */ SHEX("6ff03b949241ce1dadd43519e6960e0a" "85b41a69a05c328103aa2bce1594ca16"), /* hash */ "6ff03b949241ce1dadd43519e6960e0a" "85b41a69a05c328103aa2bce1594ca16", /* r */ "53f097727a0e0dc284a0daa0da0ab77d" "5792ae67ed075d1f8d5bda0f853fa093"); /* s */ /* Test cases for the smaller groups, verified with a proof-of-concept implementation done for Yubico AB. */ test_ecdsa (&_nettle_secp_192r1, "DC51D3866A15BACDE33D96F992FCA99D" "A7E6EF0934E70975", /* z */ "9E56F509196784D963D1C0A401510EE7" "ADA3DCC5DEE04B15", /* k */ SHEX("BA7816BF8F01CFEA414140DE5DAE2223" "B00361A396177A9C"), /* h */ "8c478db6a5c131540cebc739f9c0a9a8" "c720c2abdd14a891", /* r */ "a91fb738f9f175d72f9c98527e881c36" "8de68cb55ffe589"); /* s */ test_ecdsa (&_nettle_secp_224r1, "446df0a771ed58403ca9cb316e617f6b" "158420465d00a69601e22858", /* z */ "4c13f1905ad7eb201178bc08e0c9267b" "4751c15d5e1831ca214c33f4", /* z */ SHEX("1b28a611fe62ab3649350525d06703ba" "4b979a1e543566fd5caa85c6"), /* h */ "2cc280778f3d067df6d3adbe3a6aad63" "bc75f08f5c5f915411902a99", /* r */ "d0f069fd0f108eb07b7bbc54c8d6c88d" "f2715c38a95c31a2b486995f"); /* s */ /* From RFC 4754 */ test_ecdsa (&_nettle_secp_256r1, "DC51D386 6A15BACD E33D96F9 92FCA99D" "A7E6EF09 34E70975 59C27F16 14C88A7F", /* z */ "9E56F509 196784D9 63D1C0A4 01510EE7" "ADA3DCC5 DEE04B15 4BF61AF1 D5A6DECE", /* k */ SHEX("BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"), /* h */ "CB28E099 9B9C7715 FD0A80D8 E47A7707" "9716CBBF 917DD72E 97566EA1 C066957C", /* r */ "86FA3BB4 E26CAD5B F90B7F81 899256CE" "7594BB1E A0C89212 748BFF3B 3D5B0315"); /* s */ test_ecdsa (&_nettle_secp_384r1, "0BEB6466 34BA8773 5D77AE48 09A0EBEA" "865535DE 4C1E1DCB 692E8470 8E81A5AF" "62E528C3 8B2A81B3 5309668D 73524D9F", /* z */ "B4B74E44 D71A13D5 68003D74 89908D56" "4C7761E2 29C58CBF A1895009 6EB7463B" "854D7FA9 92F934D9 27376285 E63414FA", /* k */ SHEX("CB00753F 45A35E8B B5A03D69 9AC65007" "272C32AB 0EDED163 1A8B605A 43FF5BED" "8086072B A1E7CC23 58BAECA1 34C825A7"), /* h */ "FB017B91 4E291494 32D8BAC2 9A514640" "B46F53DD AB2C6994 8084E293 0F1C8F7E" "08E07C9C 63F2D21A 07DCB56A 6AF56EB3", /* r */ "B263A130 5E057F98 4D38726A 1B468741" "09F417BC A112674C 528262A4 0A629AF1" "CBB9F516 CE0FA7D2 FF630863 A00E8B9F"); /* s*/ test_ecdsa (&_nettle_secp_521r1, "0065FDA3 409451DC AB0A0EAD 45495112" "A3D813C1 7BFD34BD F8C1209D 7DF58491" "20597779 060A7FF9 D704ADF7 8B570FFA" "D6F062E9 5C7E0C5D 5481C5B1 53B48B37" "5FA1", /* z */ "00C1C2B3 05419F5A 41344D7E 4359933D" "734096F5 56197A9B 244342B8 B62F46F9" "373778F9 DE6B6497 B1EF825F F24F42F9" "B4A4BD73 82CFC337 8A540B1B 7F0C1B95" "6C2F", /* k */ SHEX("DDAF35A1 93617ABA CC417349 AE204131" "12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A" "2192992A 274FC1A8 36BA3C23 A3FEEBBD" "454D4423 643CE80E 2A9AC94F A54CA49F"), /* h */ "0154FD38 36AF92D0 DCA57DD5 341D3053" "988534FD E8318FC6 AAAAB68E 2E6F4339" "B19F2F28 1A7E0B22 C269D93C F8794A92" "78880ED7 DBB8D936 2CAEACEE 54432055" "2251", /* r */ "017705A7 030290D1 CEB605A9 A1BB03FF" "9CDD521E 87A696EC 926C8C10 C8362DF4" "97536710 1F67D1CF 9BCCBF2F 3D239534" "FA509E70 AAC851AE 01AAC68D 62F86647" "2660"); /* s */ } nettle-3.10/testsuite/bignum-test.c0000644000175000017500000000403514633602172016415 0ustar nissenisse#include "testutils.h" #if HAVE_CONFIG_H #include "config.h" #endif #include #include #if WITH_HOGWEED #include "bignum.h" static void test_bignum(const char *hex, const struct tstring *base256) { mpz_t a; mpz_t b; uint8_t *buf; mpz_init_set_str(a, hex, 16); nettle_mpz_init_set_str_256_s(b, base256->length, base256->data); ASSERT(mpz_cmp(a, b) == 0); buf = xalloc(base256->length + 1); memset(buf, 17, base256->length + 1); nettle_mpz_get_str_256(base256->length, buf, a); ASSERT(MEMEQ(base256->length, buf, base256->data)); ASSERT(buf[base256->length] == 17); mpz_clear(a); mpz_clear(b); free(buf); } static void test_size(long x, unsigned size) { mpz_t t; mpz_init_set_si(t, x); ASSERT(nettle_mpz_sizeinbase_256_s(t) == size); mpz_clear(t); } #endif /* WITH_HOGWEED */ void test_main(void) { #if WITH_HOGWEED test_size(0, 1); test_size(1, 1); test_size(0x7f, 1); test_size(0x80, 2); test_size(0x81, 2); test_size(0xff, 2); test_size(0x100, 2); test_size(0x101, 2); test_size(0x1111, 2); test_size(0x7fff, 2); test_size(0x8000, 3); test_size(0x8001, 3); test_size(- 1, 1); /* ff */ test_size(- 0x7f, 1); /* 81 */ test_size(- 0x80, 1); /* 80 */ test_size(- 0x81, 2); /* ff7f */ test_size(- 0xff, 2); /* ff01 */ test_size(- 0x100, 2); /* ff00 */ test_size(- 0x101, 2); /* feff */ test_size(- 0x1111, 2); /* eeef */ test_size(- 0x7fff, 2); /* 8001 */ test_size(- 0x8000, 2); /* 8000 */ test_size(- 0x8001, 3); /* ff7fff */ test_bignum("0", SHEX("00")); test_bignum("010203040506", SHEX("010203040506")); test_bignum("80010203040506", SHEX("0080010203040506")); test_bignum( "-1", SHEX( "ff")); test_bignum( "-7f", SHEX( "81")); test_bignum( "-80", SHEX( "80")); test_bignum( "-81", SHEX( "ff7f")); test_bignum("-7fff", SHEX( "8001")); test_bignum("-8000", SHEX( "8000")); test_bignum("-8001", SHEX("ff7fff")); #else /* !WITH_HOGWEED */ SKIP(); #endif /* !WITH_HOGWEED */ } nettle-3.10/testsuite/pkcs1-sec-decrypt-test.c0000644000175000017500000000416714633602172020403 0ustar nissenisse#include "testutils.h" #include "pkcs1-internal.h" static int pkcs1_decrypt_for_test(size_t msg_len, uint8_t *msg, size_t pad_len, uint8_t *pad) { int ret; mark_bytes_undefined (msg_len, msg); mark_bytes_undefined (pad_len, pad); ret = _pkcs1_sec_decrypt (msg_len, msg, pad_len, pad); mark_bytes_defined (msg_len, msg); mark_bytes_defined (pad_len, pad); mark_bytes_defined (sizeof (ret), &ret); return ret; } void test_main(void) { uint8_t pad[128]; uint8_t buffer[] = "\x00\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10" "\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20" "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30" "\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50" "\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60" "\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70" "\x00\x53\x49\x47\x4e\x45\x44\x20\x4d\x45\x53\x53\x41\x47\x45\x2e"; uint8_t message[15]; memcpy(pad, buffer, 128); memset (message, 'A', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 1); ASSERT (memcmp (message, "SIGNED MESSAGE.", 15) == 0); /* break format byte 1 */ memcpy(pad, buffer, 128); pad[0] = 1; memset (message, 'B', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "BBBBBBBBBBBBBBB", 15) == 0); /* break format byte 2 */ memcpy(pad, buffer, 128); pad[1] = 1; memset (message, 'C', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "CCCCCCCCCCCCCCC", 15) == 0); /* break padding */ memcpy(pad, buffer, 128); pad[24] = 0; memset (message, 'D', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "DDDDDDDDDDDDDDD", 15) == 0); /* break terminator */ memcpy(pad, buffer, 128); pad[112] = 1; memset (message, 'E', 15); ASSERT (pkcs1_decrypt_for_test(15, message, 128, pad) == 0); ASSERT (memcmp (message, "EEEEEEEEEEEEEEE", 15) == 0); } nettle-3.10/testsuite/base64-test.c0000644000175000017500000001071014633602172016215 0ustar nissenisse#include "testutils.h" #include "base64.h" #include "knuth-lfib.h" static void test_fuzz_once(struct base64_encode_ctx *encode, struct base64_decode_ctx *decode, size_t size, const uint8_t *input) { size_t base64_len = BASE64_ENCODE_RAW_LENGTH (size); size_t out_len; char *base64 = xalloc (base64_len + 2); uint8_t *decoded = xalloc (size + 2); *base64++ = 0x12; base64[base64_len] = 0x34; *decoded++ = 0x56; decoded[size] = 0x78; out_len = base64_encode_update(encode, base64, size, input); ASSERT (out_len <= base64_len); out_len += base64_encode_final(encode, base64 + out_len); ASSERT (out_len == base64_len); ASSERT (base64[-1] == 0x12); ASSERT (base64[base64_len] == 0x34); ASSERT(base64_decode_update(decode, &out_len, decoded, base64_len, base64)); ASSERT(base64_decode_final(decode)); ASSERT (out_len == size); ASSERT (decoded[-1] == 0x56); ASSERT (decoded[size] == 0x78); ASSERT(MEMEQ(size, input, decoded)); free (base64 - 1); free (decoded - 1); } static void test_fuzz(void) { /* Fuzz a round-trip through both encoder and decoder */ struct base64_encode_ctx encode; struct base64_decode_ctx decode; unsigned i; size_t length; uint8_t input[1024]; struct knuth_lfib_ctx rand_ctx; knuth_lfib_init(&rand_ctx, 39854); for (i = 0; i < 10000; i++) { length = i % sizeof(input); /* length could be 0, which is fine we need to test that case too */ knuth_lfib_random(&rand_ctx, length, input); base64_encode_init(&encode); base64_decode_init(&decode); test_fuzz_once(&encode, &decode, length, input); base64url_encode_init(&encode); base64url_decode_init(&decode); test_fuzz_once(&encode, &decode, length, input); } } static inline void base64_encode_in_place (size_t length, uint8_t *data) { base64_encode_raw ((char *) data, length, data); } static inline int base64_decode_in_place (struct base64_decode_ctx *ctx, size_t *dst_length, size_t length, uint8_t *data) { return base64_decode_update (ctx, dst_length, data, length, (const char *) data); } void test_main(void) { ASSERT(BASE64_ENCODE_LENGTH(0) == 0); /* At most 4 bits */ ASSERT(BASE64_ENCODE_LENGTH(1) == 2); /* At most 12 bits */ ASSERT(BASE64_ENCODE_LENGTH(2) == 3); /* At most 20 bits */ ASSERT(BASE64_ENCODE_LENGTH(3) == 4); /* At most 28 bits */ ASSERT(BASE64_ENCODE_LENGTH(4) == 6); /* At most 36 bits */ ASSERT(BASE64_ENCODE_LENGTH(5) == 7); /* At most 44 bits */ ASSERT(BASE64_ENCODE_LENGTH(12) == 16); /* At most 100 bits */ ASSERT(BASE64_ENCODE_LENGTH(13) == 18); /* At most 108 bits */ ASSERT(BASE64_DECODE_LENGTH(0) == 0); /* At most 6 bits */ ASSERT(BASE64_DECODE_LENGTH(1) == 1); /* At most 12 bits */ ASSERT(BASE64_DECODE_LENGTH(2) == 2); /* At most 18 bits */ ASSERT(BASE64_DECODE_LENGTH(3) == 3); /* At most 24 bits */ ASSERT(BASE64_DECODE_LENGTH(4) == 3); /* At most 30 bits */ test_armor(&nettle_base64, LDATA(""), ""); test_armor(&nettle_base64, LDATA("H"), "SA=="); test_armor(&nettle_base64, LDATA("He"), "SGU="); test_armor(&nettle_base64, LDATA("Hel"), "SGVs"); test_armor(&nettle_base64, LDATA("Hell"), "SGVsbA=="); test_armor(&nettle_base64, LDATA("Hello"), "SGVsbG8="); test_armor(&nettle_base64, LDATA("Hello\0"), "SGVsbG8A"); test_armor(&nettle_base64, LDATA("Hello?>>>"), "SGVsbG8/Pj4+"); test_armor(&nettle_base64, LDATA("\xff\xff\xff\xff"), "/////w=="); test_armor(&nettle_base64url, LDATA(""), ""); test_armor(&nettle_base64url, LDATA("H"), "SA=="); test_armor(&nettle_base64url, LDATA("He"), "SGU="); test_armor(&nettle_base64url, LDATA("Hel"), "SGVs"); test_armor(&nettle_base64url, LDATA("Hell"), "SGVsbA=="); test_armor(&nettle_base64url, LDATA("Hello"), "SGVsbG8="); test_armor(&nettle_base64url, LDATA("Hello\0"), "SGVsbG8A"); test_armor(&nettle_base64url, LDATA("Hello?>>>"), "SGVsbG8_Pj4-"); test_armor(&nettle_base64url, LDATA("\xff\xff\xff\xff"), "_____w=="); { /* Test overlapping areas */ uint8_t buffer[] = "Helloxxxx"; struct base64_decode_ctx ctx; size_t dst_length; ASSERT(BASE64_ENCODE_RAW_LENGTH(5) == 8); base64_encode_in_place(5, buffer); ASSERT(MEMEQ(9, buffer, "SGVsbG8=x")); base64_decode_init(&ctx); dst_length = 0; /* Output parameter only. */ ASSERT(base64_decode_in_place(&ctx, &dst_length, 8, buffer)); ASSERT(dst_length == 5); ASSERT(MEMEQ(9, buffer, "HelloG8=x")); } test_fuzz (); } nettle-3.10/testsuite/base16-test.c0000644000175000017500000000140714633602172016215 0ustar nissenisse#include "testutils.h" #include "base16.h" void test_main(void) { ASSERT(BASE16_ENCODE_LENGTH(0) == 0); ASSERT(BASE16_ENCODE_LENGTH(1) == 2); ASSERT(BASE16_ENCODE_LENGTH(2) == 4); ASSERT(BASE16_DECODE_LENGTH(0) == 0); ASSERT(BASE16_DECODE_LENGTH(1) == 1); ASSERT(BASE16_DECODE_LENGTH(2) == 1); ASSERT(BASE16_DECODE_LENGTH(3) == 2); ASSERT(BASE16_DECODE_LENGTH(4) == 2); test_armor(&nettle_base16, LDATA(""), ""); test_armor(&nettle_base16, LDATA("H"), "48"); test_armor(&nettle_base16, LDATA("He"), "4865"); test_armor(&nettle_base16, LDATA("Hel"), "48656c"); test_armor(&nettle_base16, LDATA("Hell"), "48656c6c"); test_armor(&nettle_base16, LDATA("Hello"), "48656c6c6f"); test_armor(&nettle_base16, LDATA("Hello\0"), "48656c6c6f00"); } nettle-3.10/testsuite/sm3-test.c0000644000175000017500000000107314633602172015635 0ustar nissenisse#include "testutils.h" #include "sm3.h" void test_main(void) { /* test vectors from: * https://datatracker.ietf.org/doc/html/draft-shen-sm3-hash-01 */ test_hash(&nettle_sm3, SDATA("abc"), SHEX("66c7f0f462eeedd9 d1f2d46bdc10e4e2" "4167c4875cf2f7a2 297da02b8f4ba8e0")); test_hash(&nettle_sm3, SDATA("abcdabcdabcdabcdabcdabcdabcdabcd" "abcdabcdabcdabcdabcdabcdabcdabcd"), SHEX("debe9ff92275b8a1 38604889c18e5a4d" "6fdb70e5387e5765 293dcba39c0c5732")); } nettle-3.10/testsuite/chacha-poly1305-test.c0000644000175000017500000000213214633602172017631 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" void test_main(void) { /* From draft-irtf-cfrg-chacha20-poly1305-08 */ test_aead (&nettle_chacha_poly1305, NULL, SHEX("8081828384858687 88898a8b8c8d8e8f" "9091929394959697 98999a9b9c9d9e9f"), SHEX("50515253c0c1c2c3 c4c5c6c7"), SHEX("4c61646965732061 6e642047656e746c" "656d656e206f6620 74686520636c6173" "73206f6620273939 3a20496620492063" "6f756c64206f6666 657220796f75206f" "6e6c79206f6e6520 74697020666f7220" "7468652066757475 72652c2073756e73" "637265656e20776f 756c642062652069" "742e"), SHEX("d31a8d34648e60db7b86afbc53ef7ec2" "a4aded51296e08fea9e2b5a736ee62d6" "3dbea45e8ca9671282fafb69da92728b" "1a71de0a9e060b2905d6a5b67ecd3b36" "92ddbd7f2d778b8c9803aee328091b58" "fab324e4fad675945585808b4831d7bc" "3ff4def08e4b7a9de576d26586cec64b" "6116"), /* The draft splits the nonce into a "common part" and an iv, and it seams the "common part" is the first 4 bytes. */ SHEX("0700000040414243 44454647"), SHEX("1ae10b594f09e26a 7e902ecbd0600691")); } nettle-3.10/testsuite/arcfour-test.c0000644000175000017500000001144114633602172016574 0ustar nissenisse#include "testutils.h" #include "arcfour.h" static void test_arcfour(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { size_t block; struct arcfour_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length + 1); for (block = 1; block <= length; block++) { size_t i; memset(data, 0x17, length + 1); arcfour_set_key(&ctx, key->length, key->data); for (i = 0; i + block < length; i += block) { arcfour_crypt(&ctx, block, data + i, cleartext->data + i); ASSERT (data[i + block] == 0x17); } arcfour_crypt(&ctx, length - i, data + i, cleartext->data + i); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed, block size %lu\nInput:", (unsigned long) block); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } } arcfour_set_key(&ctx, key->length, key->data); arcfour_crypt(&ctx, length, data, data); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { test_arcfour(SHEX("01234567 89ABCDEF 00000000 00000000"), SHEX("01234567 89ABCDEF"), SHEX("69723659 1B5242B1")); /* More data. This ensures that we get some collisions between the S accesses at index i,j and the access at si + sj. I.e. the cases where the ordering of loads and stores matter. */ test_arcfour(SHEX("aaaaaaaa bbbbbbbb cccccccc dddddddd"), SHEX("00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000"), SHEX("a2b35dc7 bf95ae1e 1c432d15 f4fb8c1c" "f264e1d0 bd090831 6caa7d17 5401ae67" "3cfbd140 fd3dee42 1012d674 2fb69fa3" "6522631e bb3d4703 535de1ce 4a81ddce" "5780cfe0 b5fc9fae ebe14c96 26451bd9" "992f2204 119cbe37 cbdc453c 7afa08c7" "1380ccf8 48f81e53 a535cdfb 96c64faa" "c3f759d0 fa1ff920 008d95cf 39d52324" "d0aac3f9 749b22e2 6a065145 06fb249d" "ffb8e05e cb0381fe 5346a04a 63dac61c" "10b6683e 3ab427de d4c6bc60 6366545e" "77d0e121 96037717 a745d49e e72a70aa" "a50a612d 879b0580 fd4a89ae 3ee49871" "2cf6c98d a62dfbc7 d7b2d901 2c3aaf27" "42b7e089 ef2466ac 450b440c 138daa1a" "cf9ebef6 f66a7a64 2677b213 06640130" "de6651df 0065180d 4db366ba 9c377712" "53d21cac 82ed72a4 c6c4d81e 4375fea3" "1f935909 95322c83 13c64d8e 829c93a6" "d540a1b3 20f41541 96800888 1a7afc9b" "e39e89fc 3ac78be5 cdbbf774 33c36863" "da2a3b1b d06e54a9 aa4b7edd 70b34941" "b886f7db f36c3def f9fc4c80 7ce55ea5" "98a7257b f68a9e1d caf4bfd6 43bd9853" "c966629d 54e34221 6e140780 d48c69bb" "5e77e886 86f2ebcb 807732d5 d29bc384" "a4ca1c31 c7c1b5b9 85dbfcf1 8d845905" "a0ff487a b4a3f252 a75caebf 857ba48b" "613e3067 92cada3e 0e07f599 2f4794f3" "af01f15a 491732fb 22aa09a3 d2e1e408" "fe94bdb4 993c68b1 1bb79eb1 bb7ec446" "760ef7bf 2caa8713 479760e5 a6e143cd")); } nettle-3.10/testsuite/salsa20-test.c0000644000175000017500000003525614633602172016412 0ustar nissenisse#include "testutils.h" #include "salsa20.h" #include "memxor.h" static int memzero_p (const uint8_t *p, size_t n) { size_t i; for (i = 0; i < n; i++) if (p[i]) return 0; return 1; } /* The ecrypt testcases encrypt 512 zero bytes (8 blocks), then give the xor of all blocks, and the data for block 0 (0-63), 3,4 (192-319), 7 (448-511) */ #define STREAM_LENGTH 512 static void test_salsa20_stream(const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext, const struct tstring *xor_ref) { struct salsa20_ctx ctx; uint8_t data[STREAM_LENGTH + 1]; uint8_t stream[STREAM_LENGTH + 1]; uint8_t xor[SALSA20_BLOCK_SIZE]; size_t j; ASSERT (iv->length == SALSA20_IV_SIZE); ASSERT (ciphertext->length == 4*SALSA20_BLOCK_SIZE); ASSERT (xor_ref->length == SALSA20_BLOCK_SIZE); salsa20_set_key(&ctx, key->length, key->data); salsa20_set_iv(&ctx, iv->data); memset(stream, 0, STREAM_LENGTH + 1); salsa20_crypt(&ctx, STREAM_LENGTH, stream, stream); if (stream[STREAM_LENGTH]) { fprintf(stderr, "Stream of %d bytes wrote too much!\n", STREAM_LENGTH); FAIL(); } if (!MEMEQ (64, stream, ciphertext->data)) { fprintf(stderr, "Error failed, offset 0:\n"); fprintf(stderr, "\nOutput: "); print_hex(64, stream); fprintf(stderr, "\nExpected:"); print_hex(64, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ (128, stream + 192, ciphertext->data + 64)) { fprintf(stderr, "Error failed, offset 192:\n"); fprintf(stderr, "\nOutput: "); print_hex(128, stream + 192); fprintf(stderr, "\nExpected:"); print_hex(64, ciphertext->data + 64); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ (64, stream + 448, ciphertext->data + 192)) { fprintf(stderr, "Error failed, offset 448:\n"); fprintf(stderr, "\nOutput: "); print_hex(64, stream + 448); fprintf(stderr, "\nExpected:"); print_hex(64, ciphertext->data + 192); fprintf(stderr, "\n"); FAIL(); } memxor3 (xor, stream, stream + SALSA20_BLOCK_SIZE, SALSA20_BLOCK_SIZE); for (j = 2*SALSA20_BLOCK_SIZE; j < STREAM_LENGTH; j += SALSA20_BLOCK_SIZE) memxor (xor, stream + j, SALSA20_BLOCK_SIZE); if (!MEMEQ (SALSA20_BLOCK_SIZE, xor, xor_ref->data)) { fprintf(stderr, "Error failed, bad xor 448:\n"); fprintf(stderr, "\nOutput: "); print_hex(SALSA20_BLOCK_SIZE, xor); fprintf(stderr, "\nExpected:"); print_hex(SALSA20_BLOCK_SIZE, xor_ref->data); fprintf(stderr, "\n"); FAIL(); } for (j = 1; j <= STREAM_LENGTH; j++) { memset(data, 0, STREAM_LENGTH + 1); salsa20_set_iv(&ctx, iv->data); salsa20_crypt(&ctx, j, data, data); if (!MEMEQ(j, data, stream)) { fprintf(stderr, "Encrypt failed for length %lu:\n", (unsigned long) j); fprintf(stderr, "\nOutput: "); print_hex(j, data); fprintf(stderr, "\nExpected:"); print_hex(j, stream); fprintf(stderr, "\n"); FAIL(); } if (!memzero_p (data + j, STREAM_LENGTH + 1 - j)) { fprintf(stderr, "Encrypt failed for length %lu, wrote too much:\n", (unsigned long) j); fprintf(stderr, "\nOutput: "); print_hex(STREAM_LENGTH + 1 - j, data + j); fprintf(stderr, "\n"); FAIL(); } } } /* Test with simple structure of the salsa20 input, to aid debugging. */ static void test_salsa20_core(void) { const uint32_t input[16] = { 0, 1, 2, 3, 4, 5, 6, 7, /* Second block will have carry from first counter word propagate to next word. */ 0xffffffff, 9, 10, 11, 12, 13, 14, 15 }; const struct tstring *expected_12 = SHEX("c456dd00835121fa 2f3f818adea91c66" "c024ec78191dbef8 4e828fde71420f4f" "2edb91cc7ae72fe6 1c6d96d1169241f5" "8d34bec538389247 1b2f71089992fd2b" "a1194b4875788ee5 731f27c32481450b" "4cc7b2a3f8ac7f43 6f42bd16a71cb721" "299f6d9481e4bc87 23b5c0a2f142e507" "34b7fe35fe292f2f 1bf9ae5296afdbeb"); const struct tstring *expected_20 = SHEX( "02e02587e69cd380 3e5f3c53f0c29173" "d3becef2da8da494 e8d1d4294270fc5e" "a2c2001a6a45dc71 a3699e6594af795f" "299814ae4f73650b e1d13040031dbfef" "46b5b8ce5dc5b255 78b2695eb61fa816" "7e22958311e2d585 826f4ebf1c7b3c98" "a2857c3e4edc6f9e ed4312d698ddad55" "57d13942292f8713 63eb7a5ab07a707e"); struct salsa20_ctx ctx; uint8_t output[128]; ASSERT (expected_12->length == 128); ASSERT (expected_20->length == 128); /* Two blocks, to exercises _salsa20_2core, if available. */ memcpy (&ctx, input, sizeof(ctx)); salsa20r12_crypt (&ctx, 128, output, expected_12->data); if (!memzero_p (output, 128)) { fprintf(stderr, "salsa20r12_crypt failed:\n"); fprintf(stderr, "\nOutput: "); print_hex(128, output); fprintf(stderr, "\n"); FAIL(); } memcpy (&ctx, input, sizeof(ctx)); salsa20_crypt (&ctx, 128, output, expected_20->data); if (!memzero_p (output, 128)) { fprintf(stderr, "salsa20_crypt failed:\n"); fprintf(stderr, "\nOutput: "); print_hex(128, output); fprintf(stderr, "\n"); FAIL(); } } typedef void salsa20_func(struct salsa20_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); static void _test_salsa20(salsa20_func *crypt, const struct tstring *key, const struct tstring *iv, const struct tstring *cleartext, const struct tstring *ciphertext) { struct salsa20_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (iv->length == SALSA20_IV_SIZE); data = xalloc(length + 1); salsa20_set_key(&ctx, key->length, key->data); salsa20_set_iv(&ctx, iv->data); data[length] = 17; crypt(&ctx, length, data, cleartext->data); if (data[length] != 17) { fprintf(stderr, "Encrypt of %lu bytes wrote too much!\nInput:", (unsigned long) length); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } salsa20_set_key(&ctx, key->length, key->data); salsa20_set_iv(&ctx, iv->data); crypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } #define test_salsa20(key, iv, cleartext, ciphertext) \ _test_salsa20 (salsa20_crypt, (key), (iv), (cleartext), (ciphertext)) #define test_salsa20r12(key, iv, cleartext, ciphertext) \ _test_salsa20 (salsa20r12_crypt, (key), (iv), (cleartext), (ciphertext)) void test_main(void) { test_salsa20_core(); /* http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/reduced/12-rounds/verified.test-vectors?logsort=rev&rev=210&view=markup */ test_salsa20r12(SHEX("80000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("FC207DBF C76C5E17")); test_salsa20r12(SHEX("00400000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("6C11A3F9 5FEC7F48")); test_salsa20r12(SHEX("09090909090909090909090909090909"), SHEX("0000000000000000"), SHEX("00000000 00000000"), SHEX("78E11FC3 33DEDE88")); test_salsa20r12(SHEX("1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B1B"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("A6747461 1DF551FF")); test_salsa20r12(SHEX("80000000000000000000000000000000" "00000000000000000000000000000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("AFE411ED 1C4E07E4")); test_salsa20r12(SHEX("0053A6F94C9FF24598EB3E91E4378ADD" "3083D6297CCF2275C81B6EC11467BA0D"), SHEX("0D74DB42A91077DE"), SHEX("00000000 00000000"), SHEX("52E20CF8 775AE882")); /* http://www.ecrypt.eu.org/stream/svn/viewcvs.cgi/ecrypt/trunk/submissions/salsa20/full/verified.test-vectors?logsort=rev&rev=210&view=markup */ test_salsa20(SHEX("80000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("4DFA5E48 1DA23EA0")); test_salsa20(SHEX("00000000 00000000 00000000 00000000"), SHEX("80000000 00000000"), SHEX("00000000 00000000"), SHEX("B66C1E44 46DD9557")); test_salsa20(SHEX("0053A6F94C9FF24598EB3E91E4378ADD"), SHEX("0D74DB42A91077DE"), SHEX("00000000 00000000"), SHEX("05E1E7BE B697D999")); test_salsa20(SHEX("80000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("E3BE8FDD 8BECA2E3")); test_salsa20(SHEX("00000000 00000000 00000000 00000000" "00000000 00000000 00000000 00000000"), SHEX("80000000 00000000"), SHEX("00000000 00000000"), SHEX("2ABA3DC45B494700")); test_salsa20(SHEX("0053A6F94C9FF24598EB3E91E4378ADD" "3083D6297CCF2275C81B6EC11467BA0D"), SHEX("0D74DB42A91077DE"), SHEX("00000000 00000000"), SHEX("F5FAD53F 79F9DF58")); test_salsa20_stream(SHEX("80000000000000000000000000000000"), SHEX("00000000 00000000"), SHEX("4DFA5E481DA23EA09A31022050859936" "DA52FCEE218005164F267CB65F5CFD7F" "2B4F97E0FF16924A52DF269515110A07" "F9E460BC65EF95DA58F740B7D1DBB0AA" "DA9C1581F429E0A00F7D67E23B730676" "783B262E8EB43A25F55FB90B3E753AEF" "8C6713EC66C51881111593CCB3E8CB8F" "8DE124080501EEEB389C4BCB6977CF95" "7D5789631EB4554400E1E025935DFA7B" "3E9039D61BDC58A8697D36815BF1985C" "EFDF7AE112E5BB81E37ECF0616CE7147" "FC08A93A367E08631F23C03B00A8DA2F" "B375703739DACED4DD4059FD71C3C47F" "C2F9939670FAD4A46066ADCC6A564578" "3308B90FFB72BE04A6B147CBE38CC0C3" "B9267C296A92A7C69873F9F263BE9703"), SHEX("F7A274D268316790A67EC058F45C0F2A" "067A99FCDE6236C0CEF8E056349FE54C" "5F13AC74D2539570FD34FEAB06C57205" "3949B59585742181A5A760223AFA22D4")); test_salsa20_stream(SHEX("48494A4B4C4D4E4F5051525354555657" "58595A5B5C5D5E5F6061626364656667"), SHEX("0000000000000000"), SHEX("53AD3698A011F779AD71030F3EFBEBA0" "A7EE3C55789681B1591EF33A7BE521ED" "68FC36E58F53FFD6E1369B00E390E973" "F656ACB097E0D603BE59A0B8F7975B98" "A04698274C6AC6EC03F66ED3F94C08B7" "9FFDBF2A1610E6F5814905E73AD6D0D2" "8164EEB8450D8ED0BB4B644761B43512" "52DD5DDF00C31E3DABA0BC17691CCFDC" "B826C7F071E796D34E3BFFB3C96E76A1" "209388392806947C7F19B86D379FA3AE" "DFCD19EBF49803DACC6E577E5B97B0F6" "D2036B6624D8196C96FCF02C865D30C1" "B505D41E2C207FA1C0A0E93413DDCFFC" "9BECA8030AFFAC2466E56482DA0EF428" "E63880B5021D3051F18679505A2B9D4F" "9B2C5A2D271D276DE3F51DBEBA934436"), SHEX("7849651A820B1CDFE36D5D6632716534" "E0635EDEFD538122D80870B60FB055DB" "637C7CA2B78B116F83AFF46E40F8F71D" "4CD6D2E1B750D5E011D1DF2E80F7210A")); } /* Intermediate values for the first salsa20 test case. 0: 61707865 80 0 0 0 3120646e 0 0 0 0 79622d36 80 0 0 0 6b206574 1: 50e6ebaf 3093463d f190e454 9032fa35 b83c32b0 7fdf3d47 eff21454 a6bf53f6 59562a33 90327718 9bc1ab3d 49c5665e 4b9c6232 a5b70d82 b1169b3c 8273a766 2: 877140ed bc61b44d 60af1c4e 8a219997 dfa36b55 9dc00f65 e245efc8 ece54d32 72a63aac c0dc93d7 a1cd6536 b3d44ccb 8ebd332b c4022fa0 5d4ff16b 65f222e 3: 26693f1 c7ef1593 549a3a3 9396e54a c899675e 1f815f3 47c648d ebbc01 67f6ac0c d03d4afa 810d422e e7fd3e5b 8cd07539 3eb6917b 54e58e29 ef2c818d 4: 1dff67e3 39538859 717137d4 b935012 f279ff60 26098b57 4cc2cc68 752f0a9c f62fef8b a3028de7 74c726e7 42bbaa73 85d7ae1b 36e9c191 791019b1 82263e6a 5: 5058d8b0 d3e44dcf 10bb47b1 7b673ef0 19f30031 111e4716 ec0295bc 6fd5bf67 12ffc7e4 d8b55c8 170d410 dd715714 dcd50b85 1f2bfff6 bde9be51 dbcb0b76 6: bc9cffbc 33ef9daa 8057f2b9 896b4878 705ae8b d14227c3 64a13629 112fc18c bfe180ad eaf359a0 68467f43 a365bb13 6b1e849 e6cc8032 70e6c3fe cb0a55bb 7: 8d90ced2 54d545b4 85be446e b1632f4f a071ac6a 90e0a919 33e1e736 ca25d574 a2b9cc17 7211ef22 c6d499c3 83fdd462 69a1c02c 4ee14ab4 33c7598 6c536d35 8: 27885144 2d2a552b f3f9bf1b 33ebeb6b 104b8b7a a96110e 9acb26ae 9dba5b23 be384f78 4cdf3afc ef04b59d f0b9a6fe ae50a69b 6c6ea81 f11fe33a 5abcb2ae 9: 3b2388b1 a820e0d9 1f008910 88c73d4e fc306490 8188ba2d d0cae010 9a65a2e4 cf53e73f acec2667 4b870ab0 6cbfe29b 27295feb 2a801ee 16f1c6fe 4f40ae38 10: 6d52785f 5d421f38 d44f5a20 a7ec3b7c c6a5c6cb f2a38eca c45beae 69415ff 93bbc87e cad09b7b c4627081 55276967 3e13c4d8 aa4e20f4 2a485bf2 bcdbfc61 11: 5136a836 dd9db9bc 50366ca5 a65edf75 75bb5d1e 6bd4e822 cb52477c 7323b939 881133b8 38079a5c 14e61ea3 632aa57 ac091b61 fc1c6ca1 7e5fcc1a 329a1938 12: 5e0ca897 175e6c47 7a1e9674 609ad5a ac25229b 49de7bae 370e70c f8bde5e7 21f81ab3 e6130800 9e2a3e8f 70eed5f1 d0fbb239 d78a8ea6 b644390a 2c582e03 13: 99fc90d3 f3e42871 78784440 a5885714 28084a8c 27900f47 e453b985 39b7ca44 81e5dbf 7860f2b0 693f4da0 74c5ce19 5f2d43d a9563322 7bd6f4da 4d2e97f5 14: 25571a99 3197dbee 50a1c7d7 91f0e753 2528837d 56153f81 287f5022 270918e4 42764fa3 fea16e5b 9ec649fe a4e5e669 8734b3d9 6fc1ae8a b79a8a04 af160a85 15: 34b906a6 3f56196a 6b690cbf 6c08907a 60cfba2b 819592a7 3c9b803a 1a3ce6d2 fdfc6af 282cd998 ad20e9ec a0c76a1 772ffdcc ebf39c76 15579a67 dada9ba0 16: 3d87b380 5f9d893a c676cd97 e6d2b4b8 7d6ca34a 1dc97a79 e3de94b bccb03cd 12e2a81b 23b00e62 74d433a6 acedb4cb 6e34fe34 f4c034e4 b3349639 f6ac0473 17: e014e81d 916efb68 d833f0c9 2a0e2be9 a334791f 71573537 d5c5cb06 c8abbb8c 6abb97da 9031d7dc 9bea8440 90030a9c 6c2bdf8a 2649fbf 3a3aeef8 ee0d66c8 18: e9fb1dd3 80e4f86d 2bf2e408 d1809e73 20872c8d d93bc116 9012e00c 1c813d8e 45aa03ae 7136cba6 a6b85fc3 9e2d048a 48013f9e 1f2853d3 854c21d b9cdfb3c 19: 3d47db86 8392cea8 2cf87621 2cff7d58 dea99415 5800a055 e3661354 86701443 cc9d23f 616a0a0b 836c1eb9 6c1e72e7 24cba2f0 54be11a6 6dcb2586 a5663106 20: e6ee81e8 a03ea19d 2002319a 36998550 eefc52da e4e51bb3 b67c264f 7ffd5c5f e0974f2b 4a9216ff 1bc4b21c 70a1095 bc60e4f9 da95ef65 b740f758 3f90765d */ nettle-3.10/testsuite/ecc-modinv-test.c0000644000175000017500000000650714633602172017166 0ustar nissenisse#include "testutils.h" #include static int ref_modinv (mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *mp, mp_size_t mn, int use_redc) { mpz_t g, s, a, m; int res; mpz_init (g); mpz_init (s); mpz_roinit_n (a, ap, mn); mpz_roinit_n (m, mp, mn); mpz_gcdext (g, s, NULL, a, m); if (mpz_cmp_ui (g, 1) == 0) { if (mpz_sgn (s) < 0) { mpz_add (s, s, m); ASSERT (mpz_sgn (s) > 0); } res = 1; } else res = 0; if (use_redc) { mpz_mul_2exp (s, s, 2 * mn * GMP_NUMB_BITS); mpz_mod (s, s, m); } mpz_limbs_copy (rp, s, mn); mpz_clear (g); mpz_clear (s); return res; } #define MAX_ECC_SIZE (1 + 521 / GMP_NUMB_BITS) #define COUNT 200 static void test_modulo (gmp_randstate_t rands, const char *name, const struct ecc_modulo *m, int use_redc) { mp_limb_t *a; mp_limb_t *ai; mp_limb_t *ref; mp_limb_t *scratch; unsigned j; mpz_t r; mpz_init (r); a = xalloc_limbs (m->size); ai = xalloc_limbs (m->size); ref = xalloc_limbs (m->size);; scratch = xalloc_limbs (m->invert_itch); /* Check behaviour for zero input */ mpn_zero (a, m->size); memset (ai, 17, m->size * sizeof(*ai)); m->invert (m, ai, a, scratch); if (!ecc_mod_zero_p (m, ai)) { fprintf (stderr, "%s->invert failed for zero input (bit size %u):\n", name, m->bit_size); fprintf (stderr, "p = "); mpn_out_str (stderr, 16, m->m, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, ai, m->size); fprintf (stderr, " (bad)\n"); abort (); } /* Check behaviour for a = m */ memset (ai, 17, m->size * sizeof(*ai)); m->invert (m, ai, m->m, scratch); if (!ecc_mod_zero_p (m, ai)) { fprintf (stderr, "%s->invert failed for a = p input (bit size %u):\n", name, m->bit_size); fprintf (stderr, "p = "); mpn_out_str (stderr, 16, m->m, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, ai, m->size); fprintf (stderr, " (bad)\n"); abort (); } for (j = 0; j < COUNT; j++) { if (j & 1) mpz_rrandomb (r, rands, m->size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, m->size * GMP_NUMB_BITS); mpz_limbs_copy (a, r, m->size); if (!ref_modinv (ref, a, m->m, m->size, use_redc)) { if (verbose) fprintf (stderr, "Test %u (bit size %u) not invertible mod %s.\n", j, m->bit_size, name); continue; } m->invert (m, ai, a, scratch); if (!ecc_mod_equal_p (m, ai, ref, scratch)) { fprintf (stderr, "%s->invert failed (test %u, bit size %u):\n", name, j, m->bit_size); fprintf (stderr, "a = "); mpz_out_str (stderr, 16, r); fprintf (stderr, "\np = "); mpn_out_str (stderr, 16, m->m, m->size); fprintf (stderr, "\nt = "); mpn_out_str (stderr, 16, ai, m->size); fprintf (stderr, " (bad)\nr = "); mpn_out_str (stderr, 16, ref, m->size); printf ("\n"); abort (); } } mpz_clear (r); free (a); free (ai); free (ref); free (scratch); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { test_modulo (rands, "p", &ecc_curves[i]->p, ecc_curves[i]->use_redc); test_modulo (rands, "q", &ecc_curves[i]->q, 0); } gmp_randclear (rands); } nettle-3.10/testsuite/ecc-sqrt-test.c0000644000175000017500000001565614633602172016670 0ustar nissenisse/* ecc-sqrt.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #define COUNT 500 #if NETTLE_USE_MINI_GMP /* Implements Legendre symbol only, requiring that p is an odd prime */ static int mpz_ui_kronecker (mp_limb_t ul, const mpz_t p) { mpz_t t, u; int r; mpz_init_set_ui (u, ul); mpz_init_set (t, p); mpz_sub_ui (t, t, 1); mpz_tdiv_q_2exp (t, t, 1); mpz_powm (t, u, t, p); r = mpz_cmp_ui (t, 1); if (r < 0) r = 0; else if (r == 0) r = 1; else { mpz_sub (t, p, t); ASSERT (mpz_cmp_ui (t, 1) == 0); r = -1; } mpz_clear (t); mpz_clear (u); return r; } #endif /* NETTLE_USE_MINI_GMP */ static void test_sqrt (gmp_randstate_t rands, const struct ecc_modulo *m, int use_redc) { mpz_t u; mpz_t p; mpz_t r; mpz_t t; unsigned z, i; mp_limb_t *up; mp_limb_t *rp; mp_limb_t *scratch; mpz_init (u); mpz_init (t); mpz_roinit_n (p, m->m, m->size); up = xalloc_limbs (m->size); rp = xalloc_limbs (m->size); scratch = xalloc_limbs (m->sqrt_itch); /* Check behaviour for zero input */ mpn_zero (up, m->size); memset (rp, 17, m->size * sizeof(*rp)); if (!m->sqrt (m, rp, up, scratch)) { fprintf (stderr, "m->sqrt returned failure for zero input, bit_size = %d\n", m->bit_size); abort(); } if (!ecc_mod_zero_p (m, rp)) { fprintf (stderr, "m->sqrt failed for zero input (bit size %u):\n", m->bit_size); fprintf (stderr, "r = "); mpn_out_str (stderr, 16, rp, m->size); fprintf (stderr, " (bad)\n"); abort (); } /* Find a non-square */ for (z = 2; mpz_ui_kronecker (z, p) != -1; z++) ; if (verbose) fprintf(stderr, "test_sqrt on %d-bit modulo. Non square: %d\n", m->bit_size, z); for (i = 0; i < COUNT; i++) { if (i & 1) mpz_rrandomb (u, rands, m->bit_size); else mpz_urandomb (u, rands, m->bit_size); if (use_redc) { /* We get non-redc sqrt if we reduce u before calling m->sqrt */ mpz_limbs_copy (scratch, u, m->size); mpn_zero (scratch + m->size, m->size); m->reduce (m, up, scratch); } else { mpz_limbs_copy (up, u, m->size); } if (!m->sqrt (m, rp, up, scratch)) { mpz_mul_ui (u, u, z); mpz_mod (u, u, p); ecc_mod_mul_1 (m, up, up, z); if (!m->sqrt (m, rp, up, scratch)) { fprintf (stderr, "m->sqrt returned failure, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\n"); abort (); } } /* Check that r^2 = u */ mpz_roinit_n (r, rp, m->size); mpz_mul (t, r, r); if (!mpz_congruent_p (t, u, p)) { fprintf (stderr, "m->sqrt gave incorrect result, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\nr = 0x"); mpz_out_str (stderr, 16, r); fprintf (stderr, "\n"); abort (); } } mpz_clear (u); mpz_clear (t); free (up); free (rp); free (scratch); } static void test_sqrt_ratio (gmp_randstate_t rands, const struct ecc_modulo *m) { mpz_t u; mpz_t v; mpz_t p; mpz_t r; mpz_t t; unsigned z, i; mp_limb_t *up; mp_limb_t *vp; mp_limb_t *rp; mp_limb_t *scratch; mpz_init (u); mpz_init (v); mpz_init (t); mpz_roinit_n (p, m->m, m->size); up = xalloc_limbs (m->size); vp = xalloc_limbs (m->size); rp = xalloc_limbs (m->size); scratch = xalloc_limbs (m->sqrt_ratio_itch); /* Check behaviour for zero input */ mpn_zero (up, m->size); mpn_zero (vp, m->size); vp[0] = 1; memset (rp, 17, m->size * sizeof(*rp)); if (!m->sqrt_ratio (m, rp, up, vp, scratch)) { fprintf (stderr, "m->sqrt_ratio returned failure for zero input, bit_size = %d\n", m->bit_size); abort(); } if (!ecc_mod_zero_p (m, rp)) { fprintf (stderr, "m->sqrt_ratio failed for zero input (bit size %u):\n", m->bit_size); fprintf (stderr, "r = "); mpn_out_str (stderr, 16, rp, m->size); fprintf (stderr, " (bad)\n"); abort (); } /* Find a non-square */ for (z = 2; mpz_ui_kronecker (z, p) != -1; z++) ; if (verbose) fprintf(stderr, "test_sqrt_ratio on %d-bit modulo. Non square: %d\n", m->bit_size, z); for (i = 0; i < COUNT; i++) { if (i & 1) { mpz_rrandomb (u, rands, m->bit_size); mpz_rrandomb (v, rands, m->bit_size); } else { mpz_urandomb (u, rands, m->bit_size); mpz_urandomb (v, rands, m->bit_size); } mpz_limbs_copy (up, u, m->size); mpz_limbs_copy (vp, v, m->size); if (!m->sqrt_ratio (m, rp, up, vp, scratch)) { mpz_mul_ui (u, u, z); mpz_mod (u, u, p); mpz_limbs_copy (up, u, m->size); if (!m->sqrt_ratio (m, rp, up, vp, scratch)) { if (mpz_divisible_p (v, p)) /* v = 0 (mod p), sqrt_ratio should fail. */ continue; fprintf (stderr, "m->sqrt_ratio returned failure, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\nv = 0x"); mpz_out_str (stderr, 16, v); fprintf (stderr, "\n"); abort (); } } /* Check that r^2 v = u */ mpz_roinit_n (r, rp, m->size); mpz_mul (t, r, r); mpz_mul (t, t, v); if (!mpz_congruent_p (t, u, p)) { fprintf (stderr, "m->sqrt_ratio gave incorrect result, bit_size = %d\n" "u = 0x", m->bit_size); mpz_out_str (stderr, 16, u); fprintf (stderr, "\nv = 0x"); mpz_out_str (stderr, 16, v); fprintf (stderr, "\nr = 0x"); mpz_out_str (stderr, 16, r); fprintf (stderr, "\n"); abort (); } } mpz_clear (u); mpz_clear (v); mpz_clear (t); free (up); free (vp); free (rp); free (scratch); } void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { if (ecc_curves[i]->p.sqrt) test_sqrt (rands, &ecc_curves[i]->p, ecc_curves[i]->use_redc); if (ecc_curves[i]->p.sqrt_ratio) test_sqrt_ratio (rands, &ecc_curves[i]->p); } gmp_randclear (rands); } nettle-3.10/testsuite/ccm-test.c0000644000175000017500000006515514633602172015710 0ustar nissenisse/* ccm-test.c Self-test and vectors for CCM mode ciphers using AES-128 and AES-256. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* The * test vectors have been collected from the following standards: * NIST SP800-38C * RFC 3610 * IEEE 802.15.4-2011 * IEEE P1619.1/D22 July 2007 (draft version) */ #include "testutils.h" #include "aes.h" #include "ccm.h" #include "knuth-lfib.h" static void test_compare_results(const char *name, const struct tstring *adata, /* Expected results. */ const struct tstring *e_clear, const struct tstring *e_cipher, /* Actual results. */ const void *clear, const void *cipher, const void *digest) /* digest optional. */ { int tlength = (e_cipher->length - e_clear->length); if (digest && tlength && !MEMEQ(tlength, e_cipher->data + e_clear->length, digest)) { fprintf(stderr, "%s digest failed:\nAdata:", name); tstring_print_hex(adata); fprintf(stderr, "\nInput: "); tstring_print_hex(e_clear); fprintf(stderr, "\nOutput: "); print_hex(tlength, digest); fprintf(stderr, "\nExpected:"); print_hex(tlength, e_cipher->data + e_clear->length); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ(e_cipher->length, e_cipher->data, cipher)) { fprintf(stderr, "%s: encryption failed\nAdata: ", name); tstring_print_hex(adata); fprintf(stderr, "\nInput: "); tstring_print_hex(e_clear); fprintf(stderr, "\nOutput: "); print_hex(e_cipher->length, cipher); fprintf(stderr, "\nExpected:"); tstring_print_hex(e_cipher); fprintf(stderr, "\n"); FAIL(); } if (!MEMEQ(e_clear->length, e_clear->data, clear)) { fprintf(stderr, "%s decrypt failed:\nAdata:", name); tstring_print_hex(adata); fprintf(stderr, "\nInput: "); tstring_print_hex(e_cipher); fprintf(stderr, "\nOutput: "); print_hex(e_clear->length, clear); fprintf(stderr, "\nExpected:"); tstring_print_hex(e_clear); fprintf(stderr, "\n"); FAIL(); } } /* test_compare_results */ static void test_cipher_ccm(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *nonce, const struct tstring *authdata, int repeat, const struct tstring *cleartext, const struct tstring *ciphertext) { void *ctx = xalloc(cipher->context_size); uint8_t *en_data; uint8_t *de_data; uint8_t *en_digest; uint8_t de_digest[CCM_BLOCK_SIZE]; size_t tlength; struct ccm_ctx ccm; int i; ASSERT (key->length == cipher->key_size); ASSERT (cleartext->length <= ciphertext->length); ASSERT ((cleartext->length + CCM_BLOCK_SIZE) >= ciphertext->length); tlength = ciphertext->length - cleartext->length; de_data = xalloc(cleartext->length); en_data = xalloc(ciphertext->length); en_digest = en_data + cleartext->length; cipher->set_encrypt_key(ctx, key->data); /* Encrypt using the incremental API. */ ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); } ccm_encrypt(&ccm, ctx, cipher->encrypt, cleartext->length, en_data, cleartext->data); ccm_digest(&ccm, ctx, cipher->encrypt, tlength, en_digest); /* Decrypt using the incremental API. */ ccm_set_nonce(&ccm, ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_update(&ccm, ctx, cipher->encrypt, authdata->length, authdata->data); } ccm_decrypt(&ccm, ctx, cipher->encrypt, cleartext->length, de_data, ciphertext->data); ccm_digest(&ccm, ctx, cipher->encrypt, tlength, de_digest); /* Compare results using the generic API. */ test_compare_results("CCM", authdata, cleartext, ciphertext, de_data, en_data, de_digest); /* Ensure we get the same answers using the all-in-one API. */ if (repeat <= 1) { int ret; memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); memset(de_digest, 0, sizeof(de_digest)); ccm_encrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length, authdata->data, tlength, ciphertext->length, en_data, cleartext->data); ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length, authdata->data, tlength, cleartext->length, de_data, ciphertext->data); if (ret != 1) fprintf(stderr, "ccm_decrypt_message failed to validate message\n"); test_compare_results("CCM_MSG", authdata, cleartext, ciphertext, de_data, en_data, NULL); /* Ensure that we can detect corrupted message or tag data. */ if (tlength) { en_data[0] ^= 1; ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length, authdata->data, tlength, cleartext->length, de_data, en_data); if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); } /* Ensure we can detect corrupted adata. */ if (tlength && authdata->length) { ret = ccm_decrypt_message(ctx, cipher->encrypt, nonce->length, nonce->data, authdata->length-1, authdata->data, tlength, cleartext->length, de_data, ciphertext->data); if (ret != 0) fprintf(stderr, "ccm_decrypt_message failed to detect corrupted message\n"); } } /* Ensure we get the same answers using the per-cipher API. */ if (cipher == &nettle_aes128) { struct ccm_aes128_ctx aes; memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); memset(de_digest, 0, sizeof(de_digest)); /* AES-128 encrypt. */ ccm_aes128_set_key(&aes, key->data); ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes128_update(&aes, authdata->length, authdata->data); } ccm_aes128_encrypt(&aes, cleartext->length, en_data, cleartext->data); ccm_aes128_digest(&aes, tlength, en_digest); /* AES-128 decrypt. */ ccm_aes128_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes128_update(&aes, authdata->length, authdata->data); } ccm_aes128_decrypt(&aes, cleartext->length, de_data, ciphertext->data); ccm_aes128_digest(&aes, tlength, de_digest); test_compare_results("CCM_AES_128", authdata, cleartext, ciphertext, de_data, en_data, de_digest); } /* TODO: I couldn't find any test cases for CCM-AES-192 */ if (cipher == &nettle_aes256) { struct ccm_aes256_ctx aes; memset(de_data, 0, cleartext->length); memset(en_data, 0, ciphertext->length); memset(de_digest, 0, sizeof(de_digest)); /* AES-256 encrypt. */ ccm_aes256_set_key(&aes, key->data); ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes256_update(&aes, authdata->length, authdata->data); } ccm_aes256_encrypt(&aes, cleartext->length, en_data, cleartext->data); ccm_aes256_digest(&aes, tlength, en_digest); /* AES-256 decrypt. */ ccm_aes256_set_nonce(&aes, nonce->length, nonce->data, authdata->length * repeat, cleartext->length, tlength); for (i = 0; i < repeat; i++) { ccm_aes256_update(&aes, authdata->length, authdata->data); } ccm_aes256_decrypt(&aes, cleartext->length, de_data, ciphertext->data); ccm_aes256_digest(&aes, tlength, de_digest); test_compare_results("CCM_AES_256", authdata, cleartext, ciphertext, de_data, en_data, de_digest); } free(ctx); free(en_data); free(de_data); } void test_main(void) { /* Create a pattern of 00010203 04050607 08090a00b 0c0d0e0f ... */ struct tstring *adata; unsigned int i; adata = tstring_alloc(256); for (i=0; ilength; i++) adata->data[i] = (i & 0xff); /* From NIST spec 800-38C on AES modes. * * Appendix C: Example Vectors */ /* * C.1 Example 1 * Klen = 128, Tlen = 32, Nlen = 56, Alen = 64, Plen = 32 */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("10111213141516"), SHEX("0001020304050607"), 1, SHEX("20212223"), SHEX("7162015b" "4dac255d")); /* * C.2 Example 2 * Klen = 128, Tlen = 48, Nlen = 64, Alen = 128, Plen = 128 */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("1011121314151617"), SHEX("000102030405060708090a0b0c0d0e0f"), 1, SHEX("202122232425262728292a2b2c2d2e2f"), SHEX("d2a1f0e051ea5f62081a7792073d593d" "1fc64fbfaccd")); /* * C.3 Example 3 * Klen = 128, Tlen = 64, Nlen = 96, Alen = 160, Plen = 192 */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("101112131415161718191a1b"), SHEX("000102030405060708090a0b0c0d0e0f" "10111213"), 1, SHEX("202122232425262728292a2b2c2d2e2f" "3031323334353637"), SHEX("e3b201a9f5b71a7a9b1ceaeccd97e70b" "6176aad9a4428aa5 484392fbc1b09951")); /* * C.4 Example 4 * Klen = 128, Tlen = 112, Nlen = 104, Alen = 524288, Plen = 256 * A = 00010203 04050607 08090a0b 0c0d0e0f * 10111213 ... */ test_cipher_ccm(&nettle_aes128, SHEX("404142434445464748494a4b4c4d4e4f"), SHEX("101112131415161718191a1b1c"), adata, 256, SHEX("202122232425262728292a2b2c2d2e2f" "303132333435363738393a3b3c3d3e3f"), SHEX("69915dad1e84c6376a68c2967e4dab61" "5ae0fd1faec44cc484828529463ccf72" "b4ac6bec93e8598e7f0dadbcea5b")); /* From RFC 3610 * * Section 8: Test Vectors * Packet Vector #1 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 03 02 01 00 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("58 8C 97 9A 61 C6 63 D2 F0 66 D0 C2 C0 F9 89 80 6D 5F 6B 61 DA C3 84" "17 E8 D1 2C FD F9 26 E0")); /* * Packet Vector #2 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 04 03 02 01 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("72 C9 1A 36 E1 35 F8 CF 29 1C A8 94 08 5C 87 E3 CC 15 C4 39 C9 E4 3A 3B" "A0 91 D5 6E 10 40 09 16")); /* * Packet Vector #3 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 05 04 03 02 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("51 B1 E5 F4 4A 19 7D 1D A4 6B 0F 8E 2D 28 2A E8 71 E8 38 BB 64 DA 85 96 57" "4A DA A7 6F BD 9F B0 C5")); /* * Packet Vector #4 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 06 05 04 03 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("A2 8C 68 65 93 9A 9A 79 FA AA 5C 4C 2A 9D 4A 91 CD AC 8C" "96 C8 61 B9 C9 E6 1E F1")); /* * Packet Vector #5 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 07 06 05 04 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("DC F1 FB 7B 5D 9E 23 FB 9D 4E 13 12 53 65 8A D8 6E BD CA 3E" "51 E8 3F 07 7D 9C 2D 93")); /* * Packet Vector #6 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 08 07 06 05 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("6F C1 B0 11 F0 06 56 8B 51 71 A4 2D 95 3D 46 9B 25 70 A4 BD 87" "40 5A 04 43 AC 91 CB 94")); /* * Packet Vector #7 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 09 08 07 06 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("01 35 D1 B2 C9 5F 41 D5 D1 D4 FE C1 85 D1 66 B8 09 4E 99 9D FE D9 6C" "04 8C 56 60 2C 97 AC BB 74 90")); /* * Packet Vector #8 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0A 09 08 07 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("7B 75 39 9A C0 83 1D D2 F0 BB D7 58 79 A2 FD 8F 6C AE 6B 6C D9 B7 DB 24" "C1 7B 44 33 F4 34 96 3F 34 B4")); /* * Packet Vector #9 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0B 0A 09 08 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07"), 1, SHEX("08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("82 53 1A 60 CC 24 94 5A 4B 82 79 18 1A B5 C8 4D F2 1C E7 F9 B7 3F 42 E1 97" "EA 9C 07 E5 6B 5E B1 7E 5F 4E")); /* * Packet Vector #10 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0C 0B 0A 09 A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E"), SHEX("07 34 25 94 15 77 85 15 2B 07 40 98 33 0A BB 14 1B 94 7B" "56 6A A9 40 6B 4D 99 99 88 DD")); /* * Packet Vector #11 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0D 0C 0B 0A A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F"), SHEX("67 6B B2 03 80 B0 E3 01 E8 AB 79 59 0A 39 6D A7 8B 83 49 34" "F5 3A A2 E9 10 7A 8B 6C 02 2C")); /* * Packet Vector #12 */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("00 00 00 0E 0D 0C 0B A0 A1 A2 A3 A4 A5"), SHEX("00 01 02 03 04 05 06 07 08 09 0A 0B"), 1, SHEX("0C 0D 0E 0F 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F 20"), SHEX("C0 FF A0 D6 F0 5B DB 67 F2 4D 43 A4 33 8D 2A A4 BE D7 B2 0E 43" "CD 1A A3 16 62 E7 AD 65 D6 DB")); /* * Packet Vector #13 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 41 2B 4E A9 CD BE 3C 96 96 76 6C FA"), SHEX("0B E1 A8 8B AC E0 18 B1"), 1, SHEX("08 E8 CF 97 D8 20 EA 25 84 60 E9 6A D9 CF 52 89 05 4D 89 5C EA C4 7C"), SHEX("4C B9 7F 86 A2 A4 68 9A 87 79 47 AB 80 91 EF 53 86 A6 FF BD D0 80 F8" "E7 8C F7 CB 0C DD D7 B3")); /* * Packet Vector #14 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 33 56 8E F7 B2 63 3C 96 96 76 6C FA"), SHEX("63 01 8F 76 DC 8A 1B CB"), 1, SHEX("90 20 EA 6F 91 BD D8 5A FA 00 39 BA 4B AF F9 BF B7 9C 70 28 94 9C D0 EC"), SHEX("4C CB 1E 7C A9 81 BE FA A0 72 6C 55 D3 78 06 12 98 C8 5C 92 81 4A BC 33" "C5 2E E8 1D 7D 77 C0 8A")); /* * Packet Vector #15 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 10 3F E4 13 36 71 3C 96 96 76 6C FA"), SHEX("AA 6C FA 36 CA E8 6B 40"), 1, SHEX("B9 16 E0 EA CC 1C 00 D7 DC EC 68 EC 0B 3B BB 1A 02 DE 8A 2D 1A A3 46 13 2E"), SHEX("B1 D2 3A 22 20 DD C0 AC 90 0D 9A A0 3C 61 FC F4 A5 59 A4 41 77 67 08 97 08" "A7 76 79 6E DB 72 35 06")); /* * Packet Vector #16 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 76 4C 63 B8 05 8E 3C 96 96 76 6C FA"), SHEX("D0 D0 73 5C 53 1E 1B EC F0 49 C2 44"), 1, SHEX("12 DA AC 56 30 EF A5 39 6F 77 0C E1 A6 6B 21 F7 B2 10 1C"), SHEX("14 D2 53 C3 96 7B 70 60 9B 7C BB 7C 49 91 60 28 32 45 26" "9A 6F 49 97 5B CA DE AF")); /* * Packet Vector #17 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 F8 B6 78 09 4E 3B 3C 96 96 76 6C FA"), SHEX("77 B6 0F 01 1C 03 E1 52 58 99 BC AE"), 1, SHEX("E8 8B 6A 46 C7 8D 63 E5 2E B8 C5 46 EF B5 DE 6F 75 E9 CC 0D"), SHEX("55 45 FF 1A 08 5E E2 EF BF 52 B2 E0 4B EE 1E 23 36 C7 3E 3F" "76 2C 0C 77 44 FE 7E 3C")); /* * Packet Vector #18 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 D5 60 91 2D 3F 70 3C 96 96 76 6C FA"), SHEX("CD 90 44 D2 B7 1F DB 81 20 EA 60 C0"), 1, SHEX("64 35 AC BA FB 11 A8 2E 2F 07 1D 7C A4 A5 EB D9 3A 80 3B A8 7F"), SHEX("00 97 69 EC AB DF 48 62 55 94 C5 92 51 E6 03 57 22 67 5E 04 C8" "47 09 9E 5A E0 70 45 51")); /* * Packet Vector #19 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 42 FF F8 F1 95 1C 3C 96 96 76 6C FA"), SHEX("D8 5B C7 E6 9F 94 4F B8"), 1, SHEX("8A 19 B9 50 BC F7 1A 01 8E 5E 67 01 C9 17 87 65 98 09 D6 7D BE DD 18"), SHEX("BC 21 8D AA 94 74 27 B6 DB 38 6A 99 AC 1A EF 23 AD E0 B5 29 39 CB 6A" "63 7C F9 BE C2 40 88 97 C6 BA")); /* * Packet Vector #20 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 92 0F 40 E5 6C DC 3C 96 96 76 6C FA"), SHEX("74 A0 EB C9 06 9F 5B 37"), 1, SHEX("17 61 43 3C 37 C5 A3 5F C1 F3 9F 40 63 02 EB 90 7C 61 63 BE 38 C9 84 37"), SHEX("58 10 E6 FD 25 87 40 22 E8 03 61 A4 78 E3 E9 CF 48 4A B0 4F 44 7E FF F6" "F0 A4 77 CC 2F C9 BF 54 89 44")); /* * Packet Vector #21 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 27 CA 0C 71 20 BC 3C 96 96 76 6C FA"), SHEX("44 A3 AA 3A AE 64 75 CA"), 1, SHEX("A4 34 A8 E5 85 00 C6 E4 15 30 53 88 62 D6 86 EA 9E 81 30 1B 5A E4 22 6B FA"), SHEX("F2 BE ED 7B C5 09 8E 83 FE B5 B3 16 08 F8 E2 9C 38 81 9A 89 C8 E7 76 F1 54" "4D 41 51 A4 ED 3A 8B 87 B9 CE")); /* * Packet Vector #22 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 5B 8C CB CD 9A F8 3C 96 96 76 6C FA"), SHEX("EC 46 BB 63 B0 25 20 C3 3C 49 FD 70"), 1, SHEX("B9 6B 49 E2 1D 62 17 41 63 28 75 DB 7F 6C 92 43 D2 D7 C2"), SHEX("31 D7 50 A0 9D A3 ED 7F DD D4 9A 20 32 AA BF 17 EC 8E BF" "7D 22 C8 08 8C 66 6B E5 C1 97")); /* * Packet Vector #23 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 3E BE 94 04 4B 9A 3C 96 96 76 6C FA"), SHEX("47 A6 5A C7 8B 3D 59 42 27 E8 5E 71"), 1, SHEX("E2 FC FB B8 80 44 2C 73 1B F9 51 67 C8 FF D7 89 5E 33 70 76"), SHEX("E8 82 F1 DB D3 8C E3 ED A7 C2 3F 04 DD 65 07 1E B4 13 42 AC" "DF 7E 00 DC CE C7 AE 52 98 7D")); /* * Packet Vector #24 */ test_cipher_ccm(&nettle_aes128, SHEX("D7 82 8D 13 B2 B0 BD C3 25 A7 62 36 DF 93 CC 6B"), SHEX("00 8D 49 3B 30 AE 8B 3C 96 96 76 6C FA"), SHEX("6E 37 A6 EF 54 6D 95 5D 34 AB 60 59"), 1, SHEX("AB F2 1C 0B 02 FE B8 8F 85 6D F4 A3 73 81 BC E3 CC 12 85 17 D4"), SHEX("F3 29 05 B8 8A 64 1B 04 B9 C9 FF B5 8C C3 90 90 0F 3D A1 2A B1" "6D CE 9E 82 EF A1 6D A6 20 59")); /* From IEEE 802.15.4-2011 * * Annex C: Test vectors for cryptographic building blocks * C.2.1 MAC beacon frame */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 02"), SHEX("08 D0 84 21 43 01 00 00 00 00 48 DE AC 02 05 00 00 00 55 CF 00 00 51 52 53 54"), 1, SHEX(""), SHEX("22 3B C1 EC 84 1A B5 53")); /* * C.2.2 MAC data frame */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 04"), SHEX("69 DC 84 21 43 02 00 00 00 00 48 DE AC 01 00 00 00 00 48 DE AC 04 05 00 00 00"), 1, SHEX("61 62 63 64"), SHEX("D4 3E 02 2B")); /* * C.2.3 MAC command frame */ test_cipher_ccm(&nettle_aes128, SHEX("C0 C1 C2 C3 C4 C5 C6 C7 C8 C9 CA CB CC CD CE CF"), SHEX("AC DE 48 00 00 00 00 01 00 00 00 05 06"), SHEX("2B DC 84 21 43 02 00 0000 00 48 DE AC FF FF 01 00 00 00 00 48 DE AC 06 05 00 00 00 01"), 1, SHEX("CE"), SHEX("D8 4F DE 52 90 61 F9 C6 F1")); /* From IEEE P1619.1/D22 July 2007 (draft version) * * Annex D: Test Vectors * D.2.1 CCM-128-AES-256 test vector 1 */ test_cipher_ccm(&nettle_aes256, SHEX("0000000000000000000000000000000000000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX(""), 0, SHEX("00000000000000000000000000000000"), SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" "4b0a3e5e51f151eb0ffae7c43d010fdb")); /* * D.2.2 CCM-128-AES-256 test vector 2 */ test_cipher_ccm(&nettle_aes256, SHEX("0000000000000000000000000000000000000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX("00000000000000000000000000000000"), 1, SHEX(""), SHEX("904704e89fb216443cb9d584911fc3c2")); /* * D.2.3 CCM-128-AES-256 test vector 3 */ test_cipher_ccm(&nettle_aes256, SHEX("0000000000000000000000000000000000000000000000000000000000000000"), SHEX("000000000000000000000000"), SHEX("00000000000000000000000000000000"), 1, SHEX("00000000000000000000000000000000"), SHEX("c1944044c8e7aa95d2de9513c7f3dd8c" "87314e9c1fa01abe6a6415943dc38521")); /* * D.2.4 CCM-128-AES-256 test vector 4 */ test_cipher_ccm(&nettle_aes256, SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce60978f4d17fce45a49e830b7"), SHEX("dbd1a3636024b7b402da7d6f"), SHEX(""), 0, SHEX("a845348ec8c5b5f126f50e76fefd1b1e"), SHEX("cc881261c6a7fa72b96a1739176b277f" "3472e1145f2c0cbe146349062cf0e423")); /* * D.2.5 CCM-128-AES-256 test vector 5 */ test_cipher_ccm(&nettle_aes256, SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), SHEX("101112131415161718191a1b"), SHEX("000102030405060708090a0b0c0d0e0f10111213"), 1, SHEX("202122232425262728292a2b2c2d2e2f3031323334353637"), SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e5" "9bba3f3a107f3239bd63902923f80371")); /* * D.2.6 CCM-128-AES-256 test vector 6 */ test_cipher_ccm(&nettle_aes256, SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), SHEX("101112131415161718191a1b"), adata, 256, SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), SHEX("04f883aeb3bd0730eaf50bb6de4fa2212034e4e41b0e75e577f6bf2422c0f6d2" "3376d2cf256ef613c56454cbb5265834")); /* * D.2.7 CCM-128-AES-256 test vector 7 */ test_cipher_ccm(&nettle_aes256, SHEX("404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"), SHEX("101112131415161718191a1b"), SHEX("202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"), 1, SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("24d8a38e939d2710cad52b96fe6f82010014c4c43b2e55c557d69f0402e0d6f2" "06c53d6cbd3f1c3c6de5dcdcad9fb74f25741dea741149fe4278a0cc24741e86" "58cc0523b8d7838c60fb1de4b7c3941f5b26dea9322aa29656ec37ac18a9b108" "a6f38b7917f5a9c398838b22afbd17252e96694a9e6237964a0eae21c0a6e152" "15a0e82022926be97268249599e456e05029c3ebc07d78fc5b4a0862e04e68c2" "9514c7bdafc4b52e04833bf30622e4eb42504a44a9dcbc774752de7bb82891ad" "1eba9dc3281422a8aba8654268d3d9c81705f4c5a531ef856df5609a159af738" "eb753423ed2001b8f20c23725f2bef18c409f7e52132341f27cb8f0e79894dd9" "ebb1fa9d28ccfe21bdfea7e6d91e0bab")); /* * D.2.8 CCM-128-AES-256 test vector 8 */ test_cipher_ccm(&nettle_aes256, SHEX("fb7615b23d80891dd470980bc79584c8b2fb64ce6097878d17fce45a49e830b7"), SHEX("dbd1a3636024b7b402da7d6f"), SHEX("36"), 1, SHEX("a9"), SHEX("9d3261b1cf931431e99a32806738ecbd2a")); /* * D.2.9 CCM-128-AES-256 test vector 9 */ test_cipher_ccm(&nettle_aes256, SHEX("f8d476cfd646ea6c2384cb1c27d6195dfef1a9f37b9c8d21a79c21f8cb90d289"), SHEX("dbd1a3636024b7b402da7d6f"), SHEX("7bd859a247961a21823b380e9fe8b65082ba61d3"), 1, SHEX("90ae61cf7baebd4cade494c54a29ae70269aec71"), SHEX("6c05313e45dc8ec10bea6c670bd94f31569386a6" "8f3829e8e76ee23c04f566189e63c686")); } nettle-3.10/testsuite/ocb-test.c0000644000175000017500000004064714633602172015710 0ustar nissenisse#include "testutils.h" #include "non-nettle.h" struct ocb_aes128_message_key { struct ocb_aes128_encrypt_key encrypt_key; struct aes128_ctx decrypt_key; }; static void ocb_aes128_set_encrypt_key_wrapper (struct ocb_aes128_message_key *key, const uint8_t *aes_key) { ocb_aes128_set_encrypt_key (&key->encrypt_key, aes_key); } static void ocb_aes128_set_decrypt_key_wrapper (struct ocb_aes128_message_key *key, const uint8_t *aes_key) { ocb_aes128_set_decrypt_key (&key->encrypt_key, &key->decrypt_key, aes_key); } static void ocb_aes128_encrypt_message_wrapper (const struct ocb_aes128_message_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { ocb_aes128_encrypt_message (&key->encrypt_key, nlength, nonce, alength, adata, OCB_DIGEST_SIZE, clength, dst, src); } static int ocb_aes128_decrypt_message_wrapper (const struct ocb_aes128_message_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { return ocb_aes128_decrypt_message (&key->encrypt_key, &key->decrypt_key, nlength, nonce, alength, adata, OCB_DIGEST_SIZE, mlength, dst, src); } static const struct nettle_aead_message ocb_aes128_message = { "ocb_aes128", sizeof(struct ocb_aes128_message_key), AES128_KEY_SIZE, OCB_DIGEST_SIZE, 1, /* Supports in-place operation. */ (nettle_set_key_func*) ocb_aes128_set_encrypt_key_wrapper, (nettle_set_key_func*) ocb_aes128_set_decrypt_key_wrapper, (nettle_encrypt_message_func*) ocb_aes128_encrypt_message_wrapper, (nettle_decrypt_message_func*) ocb_aes128_decrypt_message_wrapper, }; /* For 96-bit tag */ static void set_nonce_tag96 (struct ocb_aes128_ctx *ctx, size_t length, const uint8_t *nonce) { ASSERT (length == OCB_NONCE_SIZE); ocb_aes128_set_nonce (&ctx->ocb, &ctx->key, 12, OCB_NONCE_SIZE, nonce); } void test_main(void) { /* From RFC 7253 */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA99887766554433221100"), /* nonce */ SHEX("785407BFFFC8AD9EDCC5520AC9111EE6")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("0001020304050607"), /* auth data */ SHEX("0001020304050607"), /* plaintext */ SHEX("6820B3657B6F615A"), /* ciphertext */ SHEX("BBAA99887766554433221101"), /* nonce */ SHEX("5725BDA0D3B4EB3A257C9AF1F8F03009")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("0001020304050607"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA99887766554433221102"), /* nonce */ SHEX("81017F8203F081277152FADE694A0A00")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("0001020304050607"), /* plaintext */ SHEX("45DD69F8F5AAE724"), /* ciphertext */ SHEX("BBAA99887766554433221103"), /* nonce */ SHEX("14054CD1F35D82760B2CD00D2F99BFA9")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F"), /* plaintext */ SHEX("571D535B60B277188BE5147170A9A22C"), /* ciphertext */ SHEX("BBAA99887766554433221104"), /* nonce */ SHEX("3AD7A4FF3835B8C5701C1CCEC8FC3358")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA99887766554433221105"), /* nonce */ SHEX("8CF761B6902EF764462AD86498CA6B97")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F"), /* plaintext */ SHEX("5CE88EC2E0692706A915C00AEB8B2396"), /* ciphertext */ SHEX("BBAA99887766554433221106"), /* nonce */ SHEX("F40E1C743F52436BDF06D8FA1ECA343D")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), /* plaintext */ SHEX("1CA2207308C87C010756104D8840CE1952F09673A448A122"), /* ciphertext */ SHEX("BBAA99887766554433221107"), /* nonce */ SHEX("C92C62241051F57356D7F3C90BB0E07F")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA99887766554433221108"), /* nonce */ SHEX("6DC225A071FC1B9F7C69F93B0F1E10DE")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617"), /* plaintext */ SHEX("221BD0DE7FA6FE993ECCD769460A0AF2D6CDED0C395B1C3C"), /* ciphertext */ SHEX("BBAA99887766554433221109"), /* nonce */ SHEX("E725F32494B9F914D85C0B1EB38357FF")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F"), /* plaintext */ SHEX("BD6F6C496201C69296C11EFD138A467ABD3C707924B964DE" "AFFC40319AF5A485"), /* ciphertext */ SHEX("BBAA9988776655443322110A"), /* nonce */ SHEX("40FBBA186C5553C68AD9F592A79A4240")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA9988776655443322110B"), /* nonce */ SHEX("FE80690BEE8A485D11F32965BC9D2A32")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F"), /* plaintext */ SHEX("2942BFC773BDA23CABC6ACFD9BFD5835BD300F0973792EF4" "6040C53F1432BCDF"), /* ciphertext */ SHEX("BBAA9988776655443322110C"), /* nonce */ SHEX("B5E1DDE3BC18A5F840B52E653444D5DF")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* plaintext */ SHEX("D5CA91748410C1751FF8A2F618255B68A0A12E093FF45460" "6E59F9C1D0DDC54B65E8628E568BAD7A"), /* ciphertext */ SHEX("BBAA9988776655443322110D"), /* nonce */ SHEX("ED07BA06A4A69483A7035490C5769E60")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("BBAA9988776655443322110E"), /* nonce */ SHEX("C5CD9D1850C141E358649994EE701B68")); /* tag */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* plaintext */ SHEX("4412923493C57D5DE0D700F753CCE0D1D2D95060122E9F15" "A5DDBFC5787E50B5CC55EE507BCB084E"), /* ciphertext */ SHEX("BBAA9988776655443322110F"), /* nonce */ SHEX("479AD363AC366B95 A98CA5F3000B1479")); /* tag */ /* Test with 96-bit tag. */ test_aead(&nettle_ocb_aes128, (nettle_hash_update_func *) set_nonce_tag96, SHEX("0F0E0D0C0B0A09080706050403020100"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* auth data */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* plaintext */ SHEX("1792A4E31E0755FB03E31B22116E6C2DDF9EFD6E33D536F1" "A0124B0A55BAE884ED93481529C76B6A"), /* ciphertext */ SHEX("BBAA9988776655443322110D"), /* nonce */ SHEX("D0C515F4D1CDD4FDAC4F02AA")); /* tag */ /* 16 blocks, not verified with other implementations or any authoritative test vector.not an authoritative test vector. */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("4412923493c57d5d e0d700f753cce0d1" "d2d95060122e9f15 a5ddbfc5787e50b5" "11dfb888da244711 f051dbce82b0b9a7" "cb14869b164e55eb 578e41fa435ff220" "25ed114f6ec18cd6 7b743ab299e596f6" "6100fba539db164d 765eaff0bf489ace" "90ff6af96d1c395b 8dd586b154a0ecea" "504395c5592cf2f0 03a3878585a0bfd3" "b4039d15bc47a6d6 4a51f7302a976bb0" "175167bcb5d8f071 a3faff70544ab2ba" "52947d35d6e545e9 bda57b3972ecad10" "f0e85aec389f4276 2e58978918d4c285" "c2088ca8ac48095c 976065aa47766756" "7a507bab08315b2e 36327e8103a6a70d" "7f9f5318684697b2 bf95d65fa5458e6e" "f40a974cb940e8fd 63baf0ce96773279"), SHEX("BBAA9988776655443322110F"), /* nonce */ SHEX("3aa4f4e4b4ff142c 9357291589fa25d8")); /* tag */ /* 16 complete blocks + left-over bytes, not verified with other implementations or any authoritative test vector. */ test_aead(&nettle_ocb_aes128, NULL, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX(""), /* auth data */ SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f" "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" "a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf" "c0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedf" "e0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff" "deadbeaf"), SHEX("4412923493c57d5d e0d700f753cce0d1" "d2d95060122e9f15 a5ddbfc5787e50b5" "11dfb888da244711 f051dbce82b0b9a7" "cb14869b164e55eb 578e41fa435ff220" "25ed114f6ec18cd6 7b743ab299e596f6" "6100fba539db164d 765eaff0bf489ace" "90ff6af96d1c395b 8dd586b154a0ecea" "504395c5592cf2f0 03a3878585a0bfd3" "b4039d15bc47a6d6 4a51f7302a976bb0" "175167bcb5d8f071 a3faff70544ab2ba" "52947d35d6e545e9 bda57b3972ecad10" "f0e85aec389f4276 2e58978918d4c285" "c2088ca8ac48095c 976065aa47766756" "7a507bab08315b2e 36327e8103a6a70d" "7f9f5318684697b2 bf95d65fa5458e6e" "f40a974cb940e8fd 63baf0ce96773279" "1dd97611"), SHEX("BBAA9988776655443322110F"), /* nonce */ SHEX("8a24edb596b59425 43ec197d5369979b")); /* tag */ /* Test the all-in-one message functions. */ test_aead_message(&ocb_aes128_message, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("BBAA99887766554433221100"), /* nonce */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX("785407BFFFC8AD9EDCC5520AC9111EE6")); test_aead_message(&ocb_aes128_message, SHEX("000102030405060708090A0B0C0D0E0F"), /* key */ SHEX("BBAA99887766554433221101"), /* nonce */ SHEX("0001020304050607"), /* auth data */ SHEX("0001020304050607"), /* plaintext */ SHEX("6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009")); /* ciphertext */ /* Test-vector from libgcrypt:tests/basic.c: */ test_aead(&nettle_ocb_aes128, (nettle_hash_update_func *) set_nonce_tag96, SHEX("0F0E0D0C0B0A09080706050403020100"), /* key */ SHEX("000102030405060708090A0B0C0D0E0F1011121314151617" "18191A1B1C1D1E1F2021222324252627"), /* auth data */ /* test vector for checksumming */ SHEX("01000000000000000000000000000000" "02000000000000000000000000000000" "04000000000000000000000000000000" "08000000000000000000000000000000" "10000000000000000000000000000000" "20000000000000000000000000000000" "40000000000000000000000000000000" "80000000000000000000000000000000" "00010000000000000000000000000000" "00020000000000000000000000000000" "00040000000000000000000000000000" "00080000000000000000000000000000" "00100000000000000000000000000000" "00200000000000000000000000000000" "00400000000000000000000000000000" "00800000000000000000000000000000" "00000100000000000000000000000000" "00000200000000000000000000000000" "00000400000000000000000000000000" "00000800000000000000000000000000" "00001000000000000000000000000000" "00002000000000000000000000000000" "00004000000000000000000000000000" "00008000000000000000000000000000" "00000001000000000000000000000000" "00000002000000000000000000000000" "00000004000000000000000000000000" "00000008000000000000000000000000" "00000010000000000000000000000000" "00000020000000000000000000000000" "00000040000000000000000000000000" "00000080000000000000000000000000" "00000000010000000000000000000000" "00000000020000000000000000000000" "00000000040000000000000000000000" "00000000080000000000000000000000" "00000000100000000000000000000000" "00000000200000000000000000000000" "00000000400000000000000000000000" "00000000800000000000000000000000" "00000000000100000000000000000000" "00000000000200000000000000000000" "00000000000400000000000000000000" "00000000000800000000000000000000" "00000000001000000000000000000000" "00000000002000000000000000000000" "00000000004000000000000000000000" "00000000008000000000000000000000"), /* plaintext */ SHEX("01105c6e36f6ac480f022c51e31ed702" "90fda4b7b783194d4b4be8e4e1e2dff4" "6a0804d1c5f9f808ea7933e31c063233" "2bf65a22b20bb13cde3b80b3682ba965" "b1207c58916f7856fa9968b410e50dee" "98b35c071163d1b352b9bbccd09fde29" "b850f40e71a8ae7d2e2d577f5ee39c46" "7fa28130b50a123c29958e4665dda9a5" "e0793997f8f19633a96392141d6e0e88" "77850ed4364065d1d2f8746e2f1d5fd1" "996cdde03215306503a30e41f58ef3c4" "400365cfea4fa6381157c12a46598edf" "18604854462ec66e3d3cf26d4723cb6a" "9d801095048086a606fdb9192760889b" "a8ce2e70e1b55a469137a9e2e6734565" "283cb1e2c74f37e0854d03e33f8ba499" "ef5d9af4edfce077c6280338f0a64286" "2e6bc27ebd5a4c91b3778e22631251c8" "c5bb75a10945597a9d6c274fc82d3338" "b403a0a549d1375f26e71ef22bce0941" "93ea87e2ed72fce0546148c351eec3be" "867bb1b96070c377fff3c98e21562beb" "475cfe28abcaaedf49981f6599b15140" "ea6130d24407079f18ba9d4a8960b082" "b39c57320e2e064f02fde88c23112146" "1cac3655868aef584714826ee4f361fb" "e6d692e1589cbb9dd3c74fa628df2a1f" "3b0029b1d62b7e9978013ed3c793c1dd" "1f184c8f7022a853cac40b74ac749aa3" "f33f0d14732dfda0f2c3c20591bf1f5a" "710ec0d0bca342baa5146068a78ff58c" "66316312b7a98af35a0f4e92799b4047" "f047ae61f25c28d232ce5c168cc745d6" "6da13cb0f9e38a696635dba7a21571cf" "cd64ec8cc33db7879f59a90d9edd00f6" "a899e39ab36b9269a3ac04ebad9326bf" "53cd9b400168a61714cd628a4056d236" "bd8622c76daa54cb65f5db2fe03bafbe" "0b23549ae31136f607293e8093a21934" "74fd5e9c2451b4c8e0499e6ad34fafc8" "ab77722a282f7f84b14ddebf7e696300" "c1ef92d4a0263c6cca104530f996e272" "f58992ff68d642b071a5848dc4acf2ae" "28fb1f27ae0f297d5136a7a0a4a03e89" "b588755b8217a1c62773790e69261269" "19f45daf7b3ccf18e3fc590a9a0e172f" "033ac4d13c3decc4c62d7de718ace802" "140452dc850989f6762e3578bbb04be3"), /* ciphertext */ SHEX("BBAA9988776655443322110D"), /* nonce */ SHEX("1a237c599c4649f4e586b2de")); /* tag */ } nettle-3.10/testsuite/hmac-test.c0000644000175000017500000007212014633602172016044 0ustar nissenisse#include "testutils.h" #include "hmac.h" #define HMAC_TEST(alg, key, msg, mac) \ do { \ struct hmac_##alg##_ctx ctx; \ \ hmac_##alg##_set_key(&ctx, key->length, key->data); \ hmac_##alg##_update(&ctx, msg->length, msg->data); \ digest[mac->length] = 17; \ hmac_##alg##_digest(&ctx, mac->length, digest); \ ASSERT(MEMEQ (mac->length, digest, mac->data)); \ ASSERT(digest[mac->length] == 17); \ } while (0) void test_main(void) { /* sha512's digests are longest */ uint8_t digest[SHA512_DIGEST_SIZE+1]; memset(digest, 0, sizeof(digest)); /* Test vectors for md5, from RFC-2202 */ /* md5 - 1 */ test_mac (&nettle_hmac_md5, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("9294727a3638bb1c 13f48ef8158bfc9d")); /* md5 - 2 */ HMAC_TEST(md5, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("750c783e6ab0b503 eaa86e310a5db738")); /* md5 - 3 */ test_mac(&nettle_hmac_md5, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddd"), SHEX("56be34521d144c88 dbb8c733f0e8b3f6")); /* md5 - 4 */ HMAC_TEST(md5, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 19"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("697eaf0aca3a3aea 3a75164746ffaa79")); /* md5 - 5 */ test_mac(&nettle_hmac_md5, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c"), SDATA("Test With Truncation"), SHEX("56461ef2342edc00 f9bab995")); /* md5 - 6 */ HMAC_TEST(md5, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("6b1ab7fe4bd7bf8f 0b62e6ce61b9d0cd")); /* md5 - 7 */ HMAC_TEST(md5, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key and Larger " "Than One Block-Size Data"), SHEX("6f630fad67cda0ee 1fb1f562db3aa53e")); /* Additional test vectors, from Daniel Kahn Gillmor */ HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("e84db42a188813f30a15e611d64c7869")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("123662062e67c2aab371cc49db0df134")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("0a46cc10a49d4b7025c040c597bf5d76")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("d1f4d89f0e8b2b6ed0623c99ec298310")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("1627207b9bed5009a4f6e9ca8d2ca01e")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("922aae6ab3b3a29202e21ce5f916ae9a")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("ede9cb83679ba82d88fbeae865b3f8fc")); HMAC_TEST(md5, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("939dd45512ee3a594b6654f6b8de27f7")); /* Test vectors for ripemd160, from http://homes.esat.kuleuven.be/~bosselae/ripemd160.html */ test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA(""), SHEX("cf387677bfda8483e63b57e06c3b5ecd8b7fc055")); test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("a"), SHEX("0d351d71b78e36dbb7391c810a0d2b6240ddbafc")); test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abc"), SHEX("f7ef288cb1bbcc6160d76507e0a3bbf712fb67d6")); test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("message digest"), SHEX("f83662cc8d339c227e600fcd636c57d2571b1c34")); test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("843d1c4eb880ac8ac0c9c95696507957d0155ddb")); test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), SHEX("60f5ef198a2dd5745545c1f0c47aa3fb5776f881")); test_mac(&nettle_hmac_ripemd160, SHEX("00112233445566778899aabbccddeeff01234567"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("e49c136a9e5627e0681b808a3b97e6a6e661ae79")); /* Other key */ test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA(""), SHEX("fe69a66c7423eea9c8fa2eff8d9dafb4f17a62f5")); test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("a"), SHEX("85743e899bc82dbfa36faaa7a25b7cfd372432cd")); test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abc"), SHEX("6e4afd501fa6b4a1823ca3b10bd9aa0ba97ba182")); test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("message digest"), SHEX("2e066e624badb76a184c8f90fba053330e650e92")); test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("07e942aa4e3cd7c04dedc1d46e2e8cc4c741b3d9")); test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), SHEX("b6582318ddcfb67a53a67d676b8ad869aded629a")); test_mac(&nettle_hmac_ripemd160, SHEX("0123456789abcdeffedcba987654321000112233"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("f1be3ee877703140d34f97ea1ab3a07c141333e2")); /* Test vectors for sha1, from RFC-2202 */ /* sha1 - 1 */ test_mac(&nettle_hmac_sha1, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b 0b0b0b0b"), SDATA("Hi There"), SHEX("b617318655057264 e28bc0b6fb378c8e f146be00")); /* sha1 - 2 */ HMAC_TEST(sha1, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("effcdf6ae5eb2fa2 d27416d5f184df9c 259a7c79")); /* sha1 - 3 */ test_mac(&nettle_hmac_sha1, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa aaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddd"), SHEX("125d7342b9ac11cd 91a39af48aa17b4f 63f175d3")); /* sha1 - 4 */ HMAC_TEST(sha1, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 19"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("4c9007f4026250c6 bc8414f9bf50c86c 2d7235da")); /* sha1 - 5 */ test_mac(&nettle_hmac_sha1, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("4c1a03424b55e07f e7f27be1")); /* sha1 - 6 */ HMAC_TEST(sha1, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("aa4ae5e15272d00e 95705637ce8a3b55 ed402112")); /* sha1 - 7 */ HMAC_TEST(sha1, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key and Larger " "Than One Block-Size Data"), SHEX("e8e99d0f45237d78 6d6bbaa7965c7808 bbff1a91")); /* Test vectors for sha224, from RFC 4231 */ HMAC_TEST(sha224, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("896fb1128abbdf196832107cd49df33f" "47b4b1169912ba4f53684b22")); HMAC_TEST(sha224, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("a30e01098bc6dbbf45690f3a7e9e6d0f" "8bbea2a39e6148008fd05e44")); HMAC_TEST(sha224, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("7fb3cb3588c6c1f6ffa9694d7d6ad264" "9365b0c1f65d69d1ec8333ea")); HMAC_TEST(sha224, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("6c11506874013cac6a2abc1bb382627c" "ec6a90d86efc012de7afec5a")); HMAC_TEST(sha224, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("0e2aea68a90c8d37c988bcdb9fca6fa8")); HMAC_TEST(sha224, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("95e9a0db962095adaebe9b2d6f0dbce2" "d499f112f2d2b7273fa6870e")); HMAC_TEST(sha224, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("3a854166ac5d9f023f54d517d0b39dbd" "946770db9c2b95c9f6f565d1")); /* Additional test vectors, from Daniel Kahn Gillmor */ HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("d12a49ae38177ffeaa548b2148bb5238" "60849772d9391e675b103d89")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("b04ff8522f904f553970bfa8ad3f0086" "bce1e8580affd8a12c94e31a")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("afcfb5511f710334f9350f57faec3c08" "764b4bd126a6840f4347f116")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("9df9907af127900c909376893565c6cf" "2d7db244fdc4277da1e0b679")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("254ebf6b8ddd7a3271b3d9aca1699b0c" "0bfb7df61e8a114922c88d27")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("6ec5bffba5880c3234a6cf257816e4d5" "35ab178a7f12929769e378fb")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("5f768179dbb29ca722875d0f461a2e2f" "597d0210340a84df1a8e9c63")); HMAC_TEST(sha224, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("c7667b0d7e56b2b4f6fcc1d8da9e22da" "a1556f44c47132a87303c6a2")); /* Test vectors for sha256, from RFC 4231 */ HMAC_TEST(sha256, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("b0344c61d8db38535ca8afceaf0bf12b" "881dc200c9833da726e9376c2e32cff7")); HMAC_TEST(sha256, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("5bdcc146bf60754e6a042426089575c7" "5a003f089d2739839dec58b964ec3843")); HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("773ea91e36800e46854db8ebd09181a7" "2959098b3ef8c122d9635514ced565fe")); HMAC_TEST(sha256, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("82558a389a443c0ea4cc819899f2083a" "85f0faa3e578f8077a2e3ff46729665b")); HMAC_TEST(sha256, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("a3b6167473100ee06e0c796c2955552b")); HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("60e431591ee0b67f0d8a26aacbf5b77f" "8e0bc6213728c5140546040f0ee37f54")); HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("9b09ffa71b942fcb27635fbcd5b0e944" "bfdc63644f0713938a7f51535c3a35e2")); /* Additional test vectors for sha256, from draft-ietf-ipsec-ciph-sha-256-01.txt */ /* Test Case #1: HMAC-SHA-256 with 3-byte input and 32-byte key */ test_mac(&nettle_hmac_sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abc"), SHEX("a21b1f5d4cf4f73a 4dd939750f7a066a" "7f98cc131cb16a66 92759021cfab8181")); /* Test Case #2: HMAC-SHA-256 with 56-byte input and 32-byte key */ test_mac(&nettle_hmac_sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abcdbcdecdefdefgefghfghighijhijk" "ijkljklmklmnlmnomnopnopq"), SHEX("104fdc1257328f08 184ba73131c53cae" "e698e36119421149 ea8c712456697d30")); /* Test Case #3: HMAC-SHA-256 with 112-byte (multi-block) input and 32-byte key */ test_mac(&nettle_hmac_sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20"), SDATA("abcdbcdecdefdefgefghfghighijhijk" "ijkljklmklmnlmnomnopnopqabcdbcde" "cdefdefgefghfghighijhijkijkljklm" "klmnlmnomnopnopq"), SHEX("470305fc7e40fe34 d3eeb3e773d95aab" "73acf0fd060447a5 eb4595bf33a9d1a3")); /* Test Case #4: HMAC-SHA-256 with 8-byte input and 32-byte key */ test_mac(&nettle_hmac_sha256, SHEX("0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b 0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("198a607eb44bfbc6 9903a0f1cf2bbdc5" "ba0aa3f3d9ae3c1c 7a3b1696a0b68cf7")); /* Test Case #6: HMAC-SHA-256 with 50-byte input and 32-byte key */ test_mac(&nettle_hmac_sha256, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddddddddddddddd dddddddddddddddd" "dddd"), SHEX("cdcb1220d1ecccea 91e53aba3092f962" "e549fe6ce9ed7fdc 43191fbde45c30b0")); /* Test Case #7: HMAC-SHA-256 with 50-byte input and 37-byte key */ HMAC_TEST(sha256, SHEX("0102030405060708 090a0b0c0d0e0f10" "1112131415161718 191a1b1c1d1e1f20" "2122232425"), SHEX("cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcd cdcdcdcdcdcdcdcd" "cdcd"), SHEX("d4633c17f6fb8d74 4c66dee0f8f07455" "6ec4af55ef079985 41468eb49bd2e917")); /* Test Case #8: HMAC-SHA-256 with 20-byte input and 32-byte key */ test_mac(&nettle_hmac_sha256, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c" "0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c"), SDATA("Test With Truncation"), SHEX("7546af01841fc09b 1ab9c3749a5f1c17")); /* Test Case #9: HMAC-SHA-256 with 54-byte input and 80-byte key */ HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("6953025ed96f0c09 f80a96f78e6538db" "e2e7b820e3dd970e 7ddd39091b32352f")); /* Test Case #10: HMAC-SHA-256 with 73-byte (multi-block) input and 80-byte key */ HMAC_TEST(sha256, SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SDATA("Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data"), SHEX("6355ac22e890d0a3 c8481a5ca4825bc8" "84d3e7a1ff98a2fc 2ac7d8e064c3b2e6")); /* Additional test vectors, from Daniel Kahn Gillmor */ HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("5c780648c90d121c50091c3a0c3afc1f" "4ab847528005d99d9821ad3f341b651a")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("6142364c0646b0cfe426866f21d613e0" "55a136a7d9b45d85685e080a09cec463")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("e49aa7839977e130ad87b63da9d4eb7b" "263cd5a27c54a7604b6044eb35901171")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("e5ef49f545c7af933a9d18c7c562bc91" "08583fd5cf00d9e0db351d6d8f8e41bc")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("373b04877180fea27a41a8fb8f88201c" "a6268411ee3c80b01a424483eb9156e1")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("eb5945d56eefbdb41602946ea6448d53" "86b08d7d801a87f439fab52f8bb9736e")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("3798f363c57afa6edaffe39016ca7bad" "efd1e670afb0e3987194307dec3197db")); HMAC_TEST(sha256, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("c89a7039a62985ff813fe4509b918a43" "6d7b1ffd8778e2c24dec464849fb6128")); /* Test vectors for sha384, from RFC 4231 */ HMAC_TEST(sha384, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("afd03944d84895626b0825f4ab46907f" "15f9dadbe4101ec682aa034c7cebc59c" "faea9ea9076ede7f4af152e8b2fa9cb6")); HMAC_TEST(sha384, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("af45d2e376484031617f78d2b58a6b1b" "9c7ef464f5a01b47e42ec3736322445e" "8e2240ca5e69e2c78b3239ecfab21649")); HMAC_TEST(sha384, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("88062608d3e6ad8a0aa2ace014c8a86f" "0aa635d947ac9febe83ef4e55966144b" "2a5ab39dc13814b94e3ab6e101a34f27")); HMAC_TEST(sha384, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("3e8a69b7783c25851933ab6290af6ca7" "7a9981480850009cc5577c6e1f573b4e" "6801dd23c4a7d679ccf8a386c674cffb")); HMAC_TEST(sha384, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("3abf34c3503b2a23a46efc619baef897")); HMAC_TEST(sha384, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("4ece084485813e9088d2c63a041bc5b4" "4f9ef1012a2b588f3cd11f05033ac4c6" "0c2ef6ab4030fe8296248df163f44952")); HMAC_TEST(sha384, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("6617178e941f020d351e2f254e8fd32c" "602420feb0b8fb9adccebb82461e99c5" "a678cc31e799176d3860e6110c46523e")); /* Test vectors for sha512, from RFC 4231 */ HMAC_TEST(sha512, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b"), SDATA("Hi There"), SHEX("87aa7cdea5ef619d4ff0b4241a1d6cb0" "2379f4e2ce4ec2787ad0b30545e17cde" "daa833b7d6b8a702038b274eaea3f4e4" "be9d914eeb61f1702e696c203a126854")); HMAC_TEST(sha512, SDATA("Jefe"), SDATA("what do ya want for nothing?"), SHEX("164b7a7bfcf819e2e395fbe73b56e0a3" "87bd64222e831fd610270cd7ea250554" "9758bf75c05a994a6d034f65f8f0e6fd" "caeab1a34d4a6b4b636e070a38bce737")); HMAC_TEST(sha512, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("fa73b0089d56a284efb0f0756c890be9" "b1b5dbdd8ee81a3655f83e33b2279d39" "bf3e848279a722c806b485a47e67c807" "b946a337bee8942674278859e13292fb")); HMAC_TEST(sha512, SHEX("0102030405060708090a0b0c0d0e0f10" "111213141516171819"), SHEX("cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd" "cdcd"), SHEX("b0ba465637458c6990e5a8c5f61d4af7" "e576d97ff94b872de76f8050361ee3db" "a91ca5c11aa25eb4d679275cc5788063" "a5f19741120c4f2de2adebeb10a298dd")); HMAC_TEST(sha512, SHEX("0c0c0c0c0c0c0c0c 0c0c0c0c0c0c0c0c 0c0c0c0c"), SDATA("Test With Truncation"), SHEX("415fad6271580a531d4179bc891d87a6")); HMAC_TEST(sha512, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("Test Using Larger Than Block-Size Key - Hash Key First"), SHEX("80b24263c7c1a3ebb71493c1dd7be8b4" "9b46d1f41b4aeec1121b013783f8f352" "6b56d037e05f2598bd0fd2215d6a1e52" "95e64f73f63f0aec8b915a985d786598")); HMAC_TEST(sha512, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaa"), SDATA("This is a test using a larger than block-size ke" "y and a larger than block-size data. The key nee" "ds to be hashed before being used by the HMAC al" "gorithm."), SHEX("e37b6a775dc87dbaa4dfa9f96e5e3ffd" "debd71f8867289865df5a32d20cdc944" "b6022cac3c4982b10d5eeb55c3e4de15" "134676fb6de0446065c97440fa8c6a58")); /* Additional test vectors, from Daniel Kahn Gillmor */ HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA(""), SHEX("34316413c2d6940572d0bbbf099d529d" "148b424533cf562bc1b365f530e21a31" "799fc51cef78060cc6f448a8e5d780c2" "6cdf20d4c3e6f27fe5ef576bbd05e855")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("a"), SHEX("cf1948507378bc3ab58cb6ec87f4d456" "b90d3298395c29873f1ded1e111b50fe" "c336ed24684bf19716efc309212f37aa" "715cfb9ecccf3af13691ded167b4b336")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("38"), SHEX("b8201784216ce01b83cdd282616c6e89" "644c6dfd1269ed8580bbc39b92add364" "c2b2a2018cffb1915e8625e473b67d0f" "e54a50e475dfa0e2b1a97bac1383792c")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("f097ee08b8c44e847a384f9fd645e35e" "4816baa9791ba39d3dc611210500b044" "873ee296bf1047dc06daa201a5767192" "5b73b4ea59c60114881c8287d0699c83")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("message digest"), SHEX("921a441a884b83c76a8526da8e60d60d" "17ded4eee5c29375e0d93717669a4c3e" "eba7473e95f7c1a2a85afc24a0adbc4d" "6c2bdd6ca6cab8b18d19f82d4a6c51bc")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("640054c96f35815095617d0a8c956066" "1a6ff46bfb39110333b2c52c8866abfb" "59d9152c9b0948c1ed65c3fd72a8fb82" "190acc8830770afe5b0c5b6414c75a77")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), SHEX("835a4f5b3750b4c1fccfa88da2f746a4" "900160c9f18964309bb736c13b59491b" "8e32d37b724cc5aebb0f554c6338a3b5" "94c4ba26862b2dadb59b7ede1d08d53e")); HMAC_TEST(sha512, SDATA("monkey monkey monkey monkey"), SDATA("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), SHEX("fdf83dc879e3476c8e8aceff2bf6fece" "2e4f39c7e1a167845465bb549dfa5ffe" "997e6c7cf3720eae51ed2b00ad2a8225" "375092290edfa9d48ec7e4bc8e276088")); /* Additional test vectors, from draft-kelly-ipsec-ciph-sha2-01.txt */ /* Test case AUTH512-1: */ test_mac(&nettle_hmac_sha512, SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b" "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA("Hi There"), SHEX("637edc6e01dce7e6742a99451aae82df" "23da3e92439e590e43e761b33e910fb8" "ac2878ebd5803f6f0b61dbce5e251ff8" "789a4722c1be65aea45fd464e89f8f5b")); /* Test case AUTH512-2: */ HMAC_TEST(sha512, SDATA("JefeJefeJefeJefe" "JefeJefeJefeJefe" "JefeJefeJefeJefe" "JefeJefeJefeJefe"), SDATA("what do ya want for nothing?"), SHEX("cb370917ae8a7ce28cfd1d8f4705d614" "1c173b2a9362c15df235dfb251b15454" "6aa334ae9fb9afc2184932d8695e397b" "fa0ffb93466cfcceaae38c833b7dba38")); /* Test case AUTH512-3: */ test_mac(&nettle_hmac_sha512, SHEX("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), SHEX("dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddddddddddddddddddddddddddddddd" "dddd"), SHEX("2ee7acd783624ca9398710f3ee05ae41" "b9f9b0510c87e49e586cc9bf961733d8" "623c7b55cebefccf02d5581acc1c9d5f" "b1ff68a1de45509fbe4da9a433922655")); /* Test case AUTH512-3 from same document seems broken. */ HMAC_TEST(gosthash94, SHEX("000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"), SHEX("0126bdb87800af214341456563780100"), SHEX("bfebe25f051bfef6ac858babb0abc409" "bfd2e334ab847bc0b0d056517c7d94c5")); HMAC_TEST(gosthash94cp, SHEX("000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"), SHEX("0126bdb87800af214341456563780100"), SHEX("bad70b61c41095bc47e1141cfaed4272" "6a5ceebd62ce75dbbb9ad76cda9f72f7")); /* RFC 7836 */ HMAC_TEST(streebog512, SHEX("000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"), SHEX("0126bdb87800af214341456563780100"), SHEX("a59bab22ecae19c65fbde6e5f4e9f5d8" "549d31f037f9df9b905500e171923a77" "3d5f1530f2ed7e964cb2eedc29e9ad2f" "3afe93b2814f79f5000ffc0366c251e6")); HMAC_TEST(streebog256, SHEX("000102030405060708090a0b0c0d0e0f" "101112131415161718191a1b1c1d1e1f"), SHEX("0126bdb87800af214341456563780100"), SHEX("a1aa5f7de402d7b3d323f2991c8d4534" "013137010a83754fd0af6d7cd4922ed9")); HMAC_TEST(sm3, SDATA("monkey monkey monkey monkey"), SDATA("abc"), SHEX("7a9388e2ca5343b5d76e7c2c3d84f239" "f306c0b60d5e0dc4d2771e42860a6a2b")); } nettle-3.10/testsuite/sc-curve25519-dh-test0000755000175000017500000000014114633602172017436 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./curve25519-dh-test nettle-3.10/testsuite/hkdf-test.c0000644000175000017500000001332614633602172016053 0ustar nissenisse#include "testutils.h" #include "hkdf.h" #include "hmac.h" static void test_hkdf_sha256(const struct tstring *ikm, const struct tstring *salt, const struct tstring *info, const struct tstring *extract_output, const struct tstring *expand_output) { struct hmac_sha256_ctx ctx; uint8_t prk[SHA256_DIGEST_SIZE]; uint8_t *buffer = xalloc(expand_output->length); hmac_sha256_set_key(&ctx, salt->length, salt->data); hkdf_extract(&ctx, (nettle_hash_update_func*) hmac_sha256_update, (nettle_hash_digest_func*) hmac_sha256_digest, SHA256_DIGEST_SIZE, ikm->length, ikm->data, prk); if (MEMEQ(SHA256_DIGEST_SIZE, prk, extract_output->data) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(SHA256_DIGEST_SIZE, prk); fprintf(stdout, "\nExpected:\n"); print_hex(extract_output->length, extract_output->data); abort(); } hmac_sha256_set_key(&ctx, SHA256_DIGEST_SIZE, prk); hkdf_expand(&ctx, (nettle_hash_update_func*) hmac_sha256_update, (nettle_hash_digest_func*) hmac_sha256_digest, SHA256_DIGEST_SIZE, info->length, info->data, expand_output->length, buffer); if (MEMEQ(expand_output->length, expand_output->data, buffer) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(expand_output->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(expand_output->length, expand_output->data); abort(); } free(buffer); } static void test_hkdf_sha1(const struct tstring *ikm, const struct tstring *salt, const struct tstring *info, const struct tstring *extract_output, const struct tstring *expand_output) { struct hmac_sha1_ctx ctx; uint8_t prk[SHA1_DIGEST_SIZE]; uint8_t *buffer = xalloc(expand_output->length); hmac_sha1_set_key(&ctx, salt->length, salt->data); hkdf_extract(&ctx, (nettle_hash_update_func*) hmac_sha1_update, (nettle_hash_digest_func*) hmac_sha1_digest, SHA1_DIGEST_SIZE, ikm->length, ikm->data, prk); if (MEMEQ(SHA1_DIGEST_SIZE, prk, extract_output->data) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(SHA1_DIGEST_SIZE, prk); fprintf(stdout, "\nExpected:\n"); print_hex(extract_output->length, extract_output->data); abort(); } hmac_sha1_set_key(&ctx, SHA1_DIGEST_SIZE, prk); hkdf_expand(&ctx, (nettle_hash_update_func*) hmac_sha1_update, (nettle_hash_digest_func*) hmac_sha1_digest, SHA1_DIGEST_SIZE, info->length, info->data, expand_output->length, buffer); if (MEMEQ(expand_output->length, expand_output->data, buffer) == 0) { fprintf(stdout, "\nGot:\n"); print_hex(expand_output->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(expand_output->length, expand_output->data); abort(); } free(buffer); } void test_main(void) { /* HKDF test vectors from RFC5869 */ test_hkdf_sha256(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SHEX("000102030405060708090a0b0c"), SHEX("f0f1f2f3f4f5f6f7f8f9"), SHEX("077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"), SHEX("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")); test_hkdf_sha256(SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"), SHEX("606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf"), SHEX("b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244"), SHEX("b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87")); test_hkdf_sha256(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA(""), SDATA(""), SHEX("19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04"), SHEX("8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8")); test_hkdf_sha1(SHEX("0b0b0b0b0b0b0b0b0b0b0b"), SHEX("000102030405060708090a0b0c"), SHEX("f0f1f2f3f4f5f6f7f8f9"), SHEX("9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243"), SHEX("085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896")); test_hkdf_sha1(SHEX("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f"), SHEX("606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf"), SHEX("b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff"), SHEX("8adae09a2a307059478d309b26c4115a224cfaf6"), SHEX("0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4")); test_hkdf_sha1(SHEX("0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b"), SDATA(""), SDATA(""), SHEX("da8c8a73c7fa77288ec6f5e7c297786aa0d32d01"), SHEX("0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918")); test_hkdf_sha1(SHEX("0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c"), SHEX(""), SHEX(""), SHEX("2adccada18779e7c2077ad2eb19d3f3e731385dd"), SHEX("2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48")); } nettle-3.10/testsuite/sm4-test.c0000644000175000017500000000100214633602172015626 0ustar nissenisse#include "testutils.h" #include "sm4.h" void test_main(void) { /* test vectors from: * https://tools.ietf.org/id/draft-ribose-cfrg-sm4-10.html */ test_cipher(&nettle_sm4, SHEX("0123456789ABCDEF FEDCBA9876543210"), SHEX("0123456789ABCDEF FEDCBA9876543210"), SHEX("681EDF34D206965E 86B3E94F536E4246")); test_cipher(&nettle_sm4, SHEX("FEDCBA9876543210 0123456789ABCDEF"), SHEX("0001020304050607 08090A0B0C0D0E0F"), SHEX("F766678F13F01ADE AC1B3EA955ADB594")); } nettle-3.10/testsuite/buffer-test.c0000644000175000017500000000114714633602172016406 0ustar nissenisse#include "testutils.h" #include "buffer.h" void test_main(void) { struct nettle_buffer buffer; uint8_t s[5]; nettle_buffer_init(&buffer); ASSERT(nettle_buffer_write(&buffer, LDATA("foo"))); ASSERT(NETTLE_BUFFER_PUTC(&buffer, 'x')); ASSERT(buffer.size == 4); ASSERT(buffer.alloc >= 4); ASSERT(MEMEQ(4, buffer.contents, "foox")); nettle_buffer_clear(&buffer); nettle_buffer_init_size(&buffer, sizeof(s), s); ASSERT(buffer.alloc == sizeof(s)); ASSERT(nettle_buffer_write(&buffer, LDATA("foo"))); ASSERT(buffer.size == 3); ASSERT(!nettle_buffer_write(&buffer, LDATA("bar"))); } nettle-3.10/testsuite/sha3.awk0000755000175000017500000000073514633602172015363 0ustar nissenisse#! /usr/bin/awk -f # This script is used to process the Keccak testvectors, originally # we used http://keccak.noekeon.org/KeccakKAT-3.zip. # For the updated NIST version, test vectors can be found at # https://github.com/gvanas/KeccakCodePackage/tree/master/TestVectors /^Len/ { len = $3 } /^Msg/ { msg = $3 } /^MD/ { md = $3; if (len % 8 == 0) printf("test_hash(&nettle_sha3_xxx, /* %d octets */\nSHEX(\"%s\"),\nSHEX(\"%s\"));\n", len / 8, len ? msg : "", md); } nettle-3.10/testsuite/sha512-256-test.c0000644000175000017500000000105514633602172016450 0ustar nissenisse#include "testutils.h" void test_main(void) { /* From http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA_All.pdf */ test_hash(&nettle_sha512_256, SDATA("abc"), SHEX("53048E26 81941EF9 9B2E29B7 6B4C7DAB" "E4C2D0C6 34FC6D46 E0E2F131 07E7AF23")); test_hash(&nettle_sha512_256, SDATA("abcdefghbcdefghicdefghijdefghijk" "efghijklfghijklmghijklmnhijklmno" "ijklmnopjklmnopqklmnopqrlmnopqrs" "mnopqrstnopqrstu"), SHEX("3928E184 FB8690F8 40DA3988 121D31BE" "65CB9D3E F83EE614 6FEAC861 E19B563A")); } nettle-3.10/testsuite/md2-test.c0000644000175000017500000000160114633602172015612 0ustar nissenisse#include "testutils.h" #include "md2.h" void test_main(void) { /* Testcases from RFC 1319 */ test_hash(&nettle_md2, SDATA(""), SHEX("8350e5a3e24c153df2275c9f80692773")); test_hash(&nettle_md2, SDATA("a"), SHEX("32ec01ec4a6dac72c0ab96fb34c0b5d1")); test_hash(&nettle_md2, SDATA("abc"), SHEX("da853b0d3f88d99b30283a69e6ded6bb")); test_hash(&nettle_md2, SDATA("message digest"), SHEX("ab4f496bfb2a530b219ff33031fe06b0")); test_hash(&nettle_md2, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("4e8ddff3650292ab5a4108c3aa47940b")); test_hash(&nettle_md2, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("da33def2a42df13975352846c30338cd")); test_hash(&nettle_md2, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("d5976f79d83d3a0dc9806c3c66f3efd8")); } nettle-3.10/testsuite/blowfish-test.c0000644000175000017500000000263614633602172016756 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "blowfish.h" static void test_blowfish(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct blowfish_ctx ctx; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; blowfish_set_key(&ctx, key->length, key->data); blowfish_encrypt(&ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } blowfish_set_key(&ctx, key->length, key->data); blowfish_decrypt(&ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(data); } void test_main(void) { /* 208 bit key. Test from GNUPG. */ test_blowfish(SDATA("abcdefghijklmnopqrstuvwxyz"), SDATA("BLOWFISH"), SHEX("32 4E D0 FE F4 13 A2 03")); } nettle-3.10/testsuite/rsa-keygen-test.c0000644000175000017500000000420714633602172017202 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" static void progress(void *ctx UNUSED, int c) { fputc(c, stderr); } void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx lfib; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); /* Generate a 1024 bit key with random e */ knuth_lfib_init(&lfib, 13); ASSERT (rsa_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 1024, 50)); test_rsa_key(&pub, &key); mpz_set_str(expected, "31ee088024b66f28" "e182fa07e60f7864" "636eea21cf74c804" "02a9c29ebd00933d" "8fae3ddf029d18e0" "1b5498c70a4b68fd" "d3135748424e8caf" "43ee86068f250c92" "8da001d09f68c433" "96f2c2a42eaed7e5" "8934a052faa38b2c" "f2ac04cc91bd0d15" "4f60b16dc9045b08" "2ea1372717fd7f9c" "1e9cc383b7d5b909" "72e3126df060ef79" , 16); test_rsa_md5(&pub, &key, expected); /* Generate a 2000 bit key with fixed e */ knuth_lfib_init(&lfib, 17); mpz_set_ui(pub.e, 17); ASSERT (rsa_generate_keypair(&pub, &key, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, verbose ? progress : NULL, 2000, 0)); test_rsa_key(&pub, &key); mpz_set_str(expected, "892ef7cda3b0b501" "85de20b93340316e" "b35ac9c193f1f5a3" "9e6c1c327b9c36b8" "d4f1d41653b48fbd" "0c49e48bbdc46ced" "13b3f6426e8a1780" "55b9077ba59ce748" "a325563c3b4bdf78" "acdcdd556f5de3cf" "70257c3b334ba360" "5625ebda869c8058" "b95b40c1e75eb91b" "776e83c0224757c6" "b61266cb1739df1a" "c7fcc09194c575b5" "af4f3eb8e3aa3900" "22b72fb6e950c355" "88743bab32c3a214" "ea5865e2f5c41d67" "12e745496890fc9d" "7944a759f39d7b57" "e365d8d3f6ac2dd4" "052b6a2e58a6af82" "b0d67e7fe09045d9" "bc965e260cf3c9a9" "3bfaa09bdd076dc2" "c0ab48ce5b67105c" "cad90dcfc11cd713" "e64478d2d7ea42dd" "fd040793c487588d" "6218" , 16); test_rsa_sha1(&pub, &key, expected); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-3.10/testsuite/gostdsa-verify-test.c0000644000175000017500000000706014633602172020103 0ustar nissenisse#include "testutils.h" #include "gostdsa.h" static void test_gostdsa (const struct ecc_curve *ecc, /* Public key */ const char *xs, const char *ys, /* Hash */ struct tstring *h, /* Valid signature */ const char *r, const char *s) { struct ecc_point pub; struct dsa_signature signature; mpz_t x, y; ecc_point_init (&pub, ecc); dsa_signature_init (&signature); mpz_init_set_str (x, xs, 16); mpz_init_set_str (y, ys, 16); if (!ecc_point_set (&pub, x, y)) die ("ecc_point_set failed.\n"); mpz_set_str (signature.r, r, 16); mpz_set_str (signature.s, s, 16); if (!gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify failed with valid signature.\n"); fail: fprintf (stderr, "bit_size = %u\nx = ", ecc->p.bit_size); mpz_out_str (stderr, 16, x); fprintf (stderr, "\ny = "); mpz_out_str (stderr, 16, y); fprintf (stderr, "\ndigest "); print_hex (h->length, h->data); fprintf (stderr, "r = "); mpz_out_str (stderr, 16, signature.r); fprintf (stderr, "\ns = "); mpz_out_str (stderr, 16, signature.s); fprintf (stderr, "\n"); abort(); } mpz_combit (signature.r, ecc->p.bit_size / 3); if (gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } mpz_combit (signature.r, ecc->p.bit_size / 3); mpz_combit (signature.s, 4*ecc->p.bit_size / 5); if (gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } mpz_combit (signature.s, 4*ecc->p.bit_size / 5); h->data[2*h->length / 3] ^= 0x40; if (gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify unexpectedly succeeded with invalid signature.\n"); goto fail; } h->data[2*h->length / 3] ^= 0x40; if (!gostdsa_verify (&pub, h->length, h->data, &signature)) { fprintf (stderr, "gostdsa_verify failed, internal testsuite error.\n"); goto fail; } ecc_point_clear (&pub); dsa_signature_clear (&signature); mpz_clear (x); mpz_clear (y); } void test_main (void) { test_gostdsa (nettle_get_gost_gc256b(), "971566CEDA436EE7678F7E07E84EBB7217406C0B4747AA8FD2AB1453C3D0DFBA", /* x */ "AD58736965949F8E59830F8DE20FC6C0D177F6AB599874F1E2E24FF71F9CE643", /* y */ SHEX("1C067E20EA6CB183F22EFB0F3C6FD2A4E6A02821CB7A1B17FACD5E1F7AA76F70"), /* h */ "E9323A5E88DD87FB7C724383BFFE7CECD4B9FFA2AC33BEEF73A5A1F743404F6B", /* r */ "5E5B9B805B01147A8492C4A162643AC615DC777B9174108F3DC276A41F987AF3"); /* s */ test_gostdsa (nettle_get_gost_gc512a(), "03A36340A95BB5F93D131961B5B1C1B3213DF7FF3B5A30376407E2A65C441BC6" "D1B34662317083243F007B15A8512B526606D3B172B606DCE86DBD6F82DA3D40", /* x */ "DEAD76318012FED79507809C89CC44848743640EAC9A3C847DA9082E050760A1" "0679F4B707ABC1872640AD20D7441F66C7A8B3BFF1B8E11B4A076F0A86749F73", /* y */ SHEX("EDC257BED45FDDE4F1457B7F5B19017A8F204184366689D938532CDBAA5CB29A" "1D369DA57F8B983BE272219BD2C9A4FC57ECF7A77F34EE2E8AA553976A4766C0"), /* h */ "891AA75C2A6F3B4DE27E3903F61CBB0F3F85A4E3C62F39A6E4E84A7477679C6E" "45008DC2774CA2FF64C12C0606FF918CAE3A50115440E9BF2971B627A882A1E8", /* r */ "31065479996DDBDEE180AFE22CA3CDC44B45CE4C6C83909D1D3B702922A32441" "A9E11DCFBEA3D847C06B1A8A38EB1671D6C82FA21B79C99BE2EA809B10DAA5DF"); /* s */ } nettle-3.10/testsuite/rsa-oaep-encrypt-test.c0000644000175000017500000004303514633602172020330 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" #include "nettle-meta.h" #include "rsa-internal.h" #include "sha1.h" #define MARK_MPZ_LIMBS_UNDEFINED(x) \ mark_bytes_undefined (mpz_size (x) * sizeof (mp_limb_t), mpz_limbs_read (x)) #define MARK_MPZ_LIMBS_DEFINED(x) \ mark_bytes_defined (mpz_size (x) * sizeof (mp_limb_t), mpz_limbs_read (x)) typedef int (*test_rsa_oaep_encrypt_func) (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext); typedef int (*test_rsa_oaep_decrypt_func) (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext); static int rsa_decrypt_for_test(test_rsa_oaep_decrypt_func decrypt_func, const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { int ret; /* Makes valgrind trigger on any branches depending on the input data. Except that (i) we have to allow rsa_sec_compute_root_tr to check that p and q are odd, (ii) mpn_sec_div_r may leak information about the most significant bits of p and q, due to normalization check and table lookup in invert_limb, and (iii) mpn_sec_powm may leak information about the least significant bits of p and q, due to table lookup in binvert_limb. */ mark_bytes_undefined (*length, message); MARK_MPZ_LIMBS_UNDEFINED(key->a); MARK_MPZ_LIMBS_UNDEFINED(key->b); MARK_MPZ_LIMBS_UNDEFINED(key->c); mark_bytes_undefined ((mpz_size (key->p) - 3) * sizeof(mp_limb_t), mpz_limbs_read (key->p) + 1); mark_bytes_undefined((mpz_size (key->q) - 3) * sizeof(mp_limb_t), mpz_limbs_read (key->q) + 1); ret = decrypt_func (pub, key, random_ctx, random, label_length, label, length, message, ciphertext); mark_bytes_defined (sizeof(*length), length); mark_bytes_defined (*length, message); mark_bytes_defined (sizeof(ret), &ret); MARK_MPZ_LIMBS_DEFINED(key->a); MARK_MPZ_LIMBS_DEFINED(key->b); MARK_MPZ_LIMBS_DEFINED(key->c); MARK_MPZ_LIMBS_DEFINED(key->p); MARK_MPZ_LIMBS_DEFINED(key->q); return ret; } static void test_rsa_oaep_encrypt_decrypt (struct rsa_public_key *pub, struct rsa_private_key *key, test_rsa_oaep_encrypt_func encrypt_func, test_rsa_oaep_decrypt_func decrypt_func, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message) { uint8_t *ciphertext; uint8_t *decrypted; size_t decrypted_length; uint8_t after; struct knuth_lfib_ctx lfib; knuth_lfib_init(&lfib, 1111); ciphertext = xalloc (key->size + 1); knuth_lfib_random (&lfib, key->size + 1, ciphertext); after = ciphertext[key->size]; ASSERT (encrypt_func (pub, &lfib, (nettle_random_func *) knuth_lfib_random, label_length, label, length, message, ciphertext)); ASSERT (ciphertext[key->size] == after); if (verbose) { fprintf (stderr, "encrypted: "); print_hex (key->size, ciphertext); fprintf (stderr, "\n"); } decrypted = xalloc (length + 1); knuth_lfib_random (&lfib, length + 1, decrypted); after = decrypted[length]; /* Test short buffer */ decrypted_length = length - 1; ASSERT (!rsa_decrypt_for_test (decrypt_func, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, label_length, label, &decrypted_length, decrypted, ciphertext)); decrypted_length = length; ASSERT (rsa_decrypt_for_test (decrypt_func, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, label_length, label, &decrypted_length, decrypted, ciphertext)); ASSERT (decrypted_length == length); ASSERT (MEMEQ (length, message, decrypted)); ASSERT (decrypted[length] == after); free (decrypted); free (ciphertext); } static void test_encrypt_decrypt (void) { struct rsa_public_key pub; struct rsa_private_key key; const unsigned char msg[] = "Squemish ossifrage"; size_t msg_length = LLENGTH(msg); const unsigned char label[] = "This is a magic label"; size_t label_length = LLENGTH(label); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_2(&pub, &key); /* Test without label */ test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha256_encrypt, rsa_oaep_sha256_decrypt, 0, NULL, msg_length, msg); test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha384_encrypt, rsa_oaep_sha384_decrypt, 0, NULL, msg_length, msg); test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha512_encrypt, rsa_oaep_sha512_decrypt, 0, NULL, msg_length, msg); /* Test with label */ test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha256_encrypt, rsa_oaep_sha256_decrypt, label_length, label, msg_length, msg); test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha384_encrypt, rsa_oaep_sha384_decrypt, label_length, label, msg_length, msg); test_rsa_oaep_encrypt_decrypt (&pub, &key, rsa_oaep_sha512_encrypt, rsa_oaep_sha512_decrypt, label_length, label, msg_length, msg); rsa_public_key_clear (&pub); rsa_private_key_clear (&key); } static int rsa_oaep_sha1_encrypt (const struct rsa_public_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, uint8_t *ciphertext) { struct sha1_ctx ctx; sha1_init (&ctx); return _rsa_oaep_encrypt (key, random_ctx, random, &ctx, &nettle_sha1, label_length, label, length, message, ciphertext); } static int rsa_oaep_sha1_decrypt (const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t *length, uint8_t *message, const uint8_t *ciphertext) { struct sha1_ctx ctx; sha1_init (&ctx); return _rsa_oaep_decrypt (pub, key, random_ctx, random, &ctx, &nettle_sha1, label_length, label, length, message, ciphertext); } static void random_from_seed (struct tstring *seed, size_t n, uint8_t *dst) { ASSERT (n <= seed->length); memcpy (dst, seed->data, n); } static void test_rsa_oaep_encrypt_decrypt_kat (struct rsa_public_key *pub, struct rsa_private_key *key, test_rsa_oaep_encrypt_func encrypt_func, test_rsa_oaep_decrypt_func decrypt_func, void *random_ctx, nettle_random_func *random, size_t label_length, const uint8_t *label, size_t length, const uint8_t *message, const uint8_t *expected) { uint8_t *ciphertext; uint8_t *decrypted; size_t decrypted_length; uint8_t after; /* For blinding at decryption */ struct knuth_lfib_ctx lfib; knuth_lfib_init(&lfib, 1111); ciphertext = xalloc (key->size + 1); knuth_lfib_random (&lfib, key->size + 1, ciphertext); after = ciphertext[key->size]; ASSERT (encrypt_func (pub, random_ctx, random, label_length, label, length, message, ciphertext)); ASSERT (MEMEQ (key->size, ciphertext, expected)); ASSERT (ciphertext[key->size] == after); decrypted = xalloc (length + 1); knuth_lfib_random (&lfib, length + 1, decrypted); after = decrypted[length]; decrypted_length = length; ASSERT (rsa_decrypt_for_test (decrypt_func, pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, label_length, label, &decrypted_length, decrypted, ciphertext)); ASSERT (decrypted_length == length); ASSERT (MEMEQ (length, message, decrypted)); ASSERT (decrypted[length] == after); free (decrypted); free (ciphertext); } /* The below are known answer tests constructed using the draft * version of PKCS #1 2.1 test vectors from RSA Laboratories: * * ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip * * While the original zip file is no longer accessible, a copy is * kept in the python-cryptography repository, under the following license: * https://github.com/pyca/cryptography/tree/49bf4e408cd2f93276687f451dd28982e5d501e0/vectors/cryptography_vectors/asymmetric/RSA/pkcs-1v2-1d2-vec */ /* * Copyright (c) Individual contributors. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * 1. Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * 3. Neither the name of PyCA Cryptography nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR * ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ static void test_rsa_oaep_set_key(struct rsa_public_key *pub, struct rsa_private_key *key) { mpz_set_str(pub->n, "a8b3b284af8eb50b" "387034a860f146c4" "919f318763cd6c55" "98c8ae4811a1e0ab" "c4c7e0b082d693a5" "e7fced675cf46685" "12772c0cbc64a742" "c6c630f533c8cc72" "f62ae833c40bf258" "42e984bb78bdbf97" "c0107d55bdb662f5" "c4e0fab9845cb514" "8ef7392dd3aaff93" "ae1e6b667bb3d424" "7616d4f5ba10d4cf" "d226de88d39f16fb", 16); mpz_set_str(pub->e, "010001", 16); ASSERT (rsa_public_key_prepare(pub)); /* d is not used */ #if 0 mpz_set_str(key->d, "53339cfdb79fc846" "6a655c7316aca85c" "55fd8f6dd898fdaf" "119517ef4f52e8fd" "8e258df93fee180f" "a0e4ab29693cd83b" "152a553d4ac4d181" "2b8b9fa5af0e7f55" "fe7304df41570926" "f3311f15c4d65a73" "2c483116ee3d3d2d" "0af3549ad9bf7cbf" "b78ad884f84d5beb" "04724dc7369b31de" "f37d0cf539e9cfcd" "d3de653729ead5d1" , 16); #endif mpz_set_str(key->p, "d32737e7267ffe13" "41b2d5c0d150a81b" "586fb3132bed2f8d" "5262864a9cb9f30a" "f38be448598d413a" "172efb802c21acf1" "c11c520c2f26a471" "dcad212eac7ca39d", 16); mpz_set_str(key->q, "cc8853d1d54da630" "fac004f471f281c7" "b8982d8224a490ed" "beb33d3e3d5cc93c" "4765703d1dd79164" "2f1f116a0dd852be" "2419b2af72bfe9a0" "30e860b0288b5d77", 16); mpz_set_str(key->a, "0e12bf1718e9cef5" "599ba1c3882fe804" "6a90874eefce8f2c" "cc20e4f2741fb0a3" "3a3848aec9c9305f" "becbd2d76819967d" "4671acc6431e4037" "968db37878e695c1", 16); mpz_set_str(key->b, "95297b0f95a2fa67" "d00707d609dfd4fc" "05c89dafc2ef6d6e" "a55bec771ea33373" "4d9251e79082ecda" "866efef13c459e1a" "631386b7e354c899" "f5f112ca85d71583", 16); mpz_set_str(key->c, "4f456c502493bdc0" "ed2ab756a3a6ed4d" "67352a697d4216e9" "3212b127a63d5411" "ce6fa98d5dbefd73" "263e372814274381" "8166ed7dd63687dd" "2a8ca1d2f4fbd8e1", 16); ASSERT (rsa_private_key_prepare(key)); ASSERT (pub->size == key->size); } static void test_encrypt (void) { struct rsa_public_key pub; struct rsa_private_key key; struct tstring *seed; struct tstring *msg; struct tstring *ciphertext; rsa_private_key_init(&key); rsa_public_key_init(&pub); /* Test vector from RSA labs */ test_rsa_oaep_set_key(&pub, &key); /* Example 1.1 */ msg = tstring_hex ("6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34"); seed = tstring_hex ("18b776ea21069d69776a33e96bad48e1dda0a5ef"); ciphertext = tstring_hex ("354fe67b4a126d5d" "35fe36c777791a3f" "7ba13def484e2d39" "08aff722fad468fb" "21696de95d0be911" "c2d3174f8afcc201" "035f7b6d8e69402d" "e5451618c21a535f" "a9d7bfc5b8dd9fc2" "43f8cf927db31322" "d6e881eaa91a9961" "70e657a05a266426" "d98c88003f8477c1" "227094a0d9fa1e8c" "4024309ce1ecccb5" "210035d47ac72e8a"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.2 */ msg = tstring_hex ("750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5"); seed = tstring_hex ("0cc742ce4a9b7f32f951bcb251efd925fe4fe35f"); ciphertext = tstring_hex ("640db1acc58e0568" "fe5407e5f9b701df" "f8c3c91e716c536f" "c7fcec6cb5b71c11" "65988d4a279e1577" "d730fc7a29932e3f" "00c81515236d8d8e" "31017a7a09df4352" "d904cdeb79aa583a" "dcc31ea698a4c052" "83daba9089be5491" "f67c1a4ee48dc74b" "bbe6643aef846679" "b4cb395a352d5ed1" "15912df696ffe070" "2932946d71492b44"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.3 */ msg = tstring_hex ("d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051"); seed = tstring_hex ("2514df4695755a67b288eaf4905c36eec66fd2fd"); ciphertext = tstring_hex ("423736ed035f6026" "af276c35c0b3741b" "365e5f76ca091b4e" "8c29e2f0befee603" "595aa8322d602d2e" "625e95eb81b2f1c9" "724e822eca76db86" "18cf09c5343503a4" "360835b5903bc637" "e3879fb05e0ef326" "85d5aec5067cd7cc" "96fe4b2670b6eac3" "066b1fcf5686b685" "89aafb7d629b02d8" "f8625ca3833624d4" "800fb081b1cf94eb"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.4 */ msg = tstring_hex ("52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85"); seed = tstring_hex ("c4435a3e1a18a68b6820436290a37cefb85db3fb"); ciphertext = tstring_hex ("45ead4ca551e662c" "9800f1aca8283b05" "25e6abae30be4b4a" "ba762fa40fd3d38e" "22abefc69794f6eb" "bbc05ddbb1121624" "7d2f412fd0fba87c" "6e3acd888813646f" "d0e48e785204f9c3" "f73d6d8239562722" "dddd8771fec48b83" "a31ee6f592c4cfd4" "bc88174f3b13a112" "aae3b9f7b80e0fc6" "f7255ba880dc7d80" "21e22ad6a85f0755"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.5 */ msg = tstring_hex ("8da89fd9e5f974a29feffb462b49180f6cf9e802"); seed = tstring_hex ("b318c42df3be0f83fea823f5a7b47ed5e425a3b5"); ciphertext = tstring_hex ("36f6e34d94a8d34d" "aacba33a2139d00a" "d85a9345a86051e7" "3071620056b920e2" "19005855a213a0f2" "3897cdcd731b4525" "7c777fe908202bef" "dd0b58386b1244ea" "0cf539a05d5d1032" "9da44e13030fd760" "dcd644cfef2094d1" "910d3f433e1c7c6d" "d18bc1f2df7f643d" "662fb9dd37ead905" "9190f4fa66ca39e8" "69c4eb449cbdc439"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); /* Example 1.6 */ msg = tstring_hex ("26521050844271"); seed = tstring_hex ("e4ec0982c2336f3a677f6a356174eb0ce887abc2"); ciphertext = tstring_hex ("42cee2617b1ecea4" "db3f4829386fbd61" "dafbf038e180d837" "c96366df24c097b4" "ab0fac6bdf590d82" "1c9f10642e681ad0" "5b8d78b378c0f46c" "e2fad63f74e0ad3d" "f06b075d7eb5f563" "6f8d403b9059ca76" "1b5c62bb52aa4500" "2ea70baace08ded2" "43b9d8cbd62a68ad" "e265832b56564e43" "a6fa42ed199a0997" "69742df1539e8255"); ASSERT (ciphertext->length == key.size); test_rsa_oaep_encrypt_decrypt_kat (&pub, &key, rsa_oaep_sha1_encrypt, rsa_oaep_sha1_decrypt, seed, (nettle_random_func *) random_from_seed, 0, NULL, msg->length, msg->data, ciphertext->data); rsa_public_key_clear (&pub); rsa_private_key_clear (&key); } void test_main (void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif test_encrypt_decrypt (); test_encrypt (); } nettle-3.10/testsuite/xts-test.c0000644000175000017500000001470114633602172015753 0ustar nissenisse#include "testutils.h" #include "aes.h" #include "xts.h" #include "nettle-internal.h" static void test_check_data(const char *operation, const uint8_t *input, const uint8_t *output, const uint8_t *expected, size_t length) { if (!MEMEQ(length, output, expected)) { fprintf(stderr, "XTS %s failed:\nInput:", operation); print_hex(length, input); fprintf(stderr, "\nOutput: "); print_hex(length, output); fprintf(stderr, "\nExpected:"); print_hex(length, expected); fprintf(stderr, "\n"); FAIL(); } } static void test_cipher_xts(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *tweak, const struct tstring *cleartext, const struct tstring *ciphertext) { void *twk_ctx = xalloc(cipher->context_size); void *ctx = xalloc(cipher->context_size); uint8_t *data, *data2; size_t length = cleartext->length; ASSERT (cleartext->length == ciphertext->length); ASSERT (key->length == cipher->key_size * 2); ASSERT (tweak->length == XTS_BLOCK_SIZE); data = xalloc(length); data2 = xalloc(length); cipher->set_encrypt_key(ctx, key->data); cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); xts_encrypt_message(ctx, twk_ctx, cipher->encrypt, tweak->data, length, data, cleartext->data); test_check_data("encrypt", cleartext->data, data, ciphertext->data, length); cipher->set_decrypt_key(ctx, key->data); cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); xts_decrypt_message(ctx, twk_ctx, cipher->decrypt, cipher->encrypt, tweak->data, length, data2, data); test_check_data("decrypt", data, data2, cleartext->data, length); memcpy(data, cleartext->data, length); cipher->set_encrypt_key(ctx, key->data); cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); xts_encrypt_message(ctx, twk_ctx, cipher->encrypt, tweak->data, length, data, data); test_check_data("inplace encrypt", cleartext->data, data, ciphertext->data, length); cipher->set_decrypt_key(ctx, key->data); cipher->set_encrypt_key(twk_ctx, &key->data[key->length / 2]); xts_decrypt_message(ctx, twk_ctx, cipher->decrypt, cipher->encrypt, tweak->data, length, data, data); test_check_data("inplace decrypt", data, data, cleartext->data, length); /* make sure AES128 specific functions also works the same */ if (cipher == &nettle_aes128) { struct xts_aes128_key xts_key; xts_aes128_set_encrypt_key(&xts_key, key->data); xts_aes128_encrypt_message(&xts_key, tweak->data, length, data, cleartext->data); test_check_data("encrypt", cleartext->data, data, ciphertext->data, length); xts_aes128_set_decrypt_key(&xts_key, key->data); xts_aes128_decrypt_message(&xts_key, tweak->data, length, data, ciphertext->data); test_check_data("decrypt", ciphertext->data, data, cleartext->data, length); } /* make sure AES256 specific functions also works the same */ if (cipher == &nettle_aes256) { struct xts_aes256_key xts_key; xts_aes256_set_encrypt_key(&xts_key, key->data); xts_aes256_encrypt_message(&xts_key, tweak->data, length, data, cleartext->data); test_check_data("encrypt", cleartext->data, data, ciphertext->data, length); xts_aes256_set_decrypt_key(&xts_key, key->data); xts_aes256_decrypt_message(&xts_key, tweak->data, length, data, ciphertext->data); test_check_data("decrypt", ciphertext->data, data, cleartext->data, length); } free(twk_ctx); free(ctx); free(data); free(data2); } void test_main(void) { /* From NIST CAVS 11.0, * * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/aes/XTSTestVectors.zip * * Selection of testing vectors from the above CAVS set */ /* AES-128 single block - exact block size multiple */ test_cipher_xts(&nettle_aes128, SHEX("a1b90cba3f06ac353b2c343876081762" "090923026e91771815f29dab01932f2f"), SHEX("4faef7117cda59c66e4b92013e768ad5"), SHEX("ebabce95b14d3c8d6fb350390790311c"), SHEX("778ae8b43cb98d5a825081d5be471c63")); /* AES-128 two blocks - exact block size multiple */ test_cipher_xts(&nettle_aes128, SHEX("750372c3d82f63382867be6662acfa4a" "259be3fa9bc662a1154ffaaed8b448a5"), SHEX("93a29254c47e4260669621307d4f5cd3"), SHEX("d8e3a56559a436ce0d8b212c80a88b23" "af62b0e598f208e03c1f2e9fa563a54b"), SHEX("495f7855535efd133464dc9a9abf8a0f" "28facbce21bd3c22178ec489b799e491")); /* AES-128 partial second block */ test_cipher_xts(&nettle_aes128, SHEX("394c97881abd989d29c703e48a72b397" "a7acf51b59649eeea9b33274d8541df4"), SHEX("4b15c684a152d485fe9937d39b168c29"), SHEX("2f3b9dcfbae729583b1d1ffdd16bb6fe" "2757329435662a78f0"), SHEX("f3473802e38a3ffef4d4fb8e6aa266eb" "de553a64528a06463e")); /* AES-256 two blocks - exact block size multiple */ test_cipher_xts(&nettle_aes256, SHEX("1ea661c58d943a0e4801e42f4b094714" "9e7f9f8e3e68d0c7505210bd311a0e7c" "d6e13ffdf2418d8d1911c004cda58da3" "d619b7e2b9141e58318eea392cf41b08"), SHEX("adf8d92627464ad2f0428e84a9f87564"), SHEX("2eedea52cd8215e1acc647e810bbc364" "2e87287f8d2e57e36c0a24fbc12a202e"), SHEX("cbaad0e2f6cea3f50b37f934d46a9b13" "0b9d54f07e34f36af793e86f73c6d7db")); /* AES-256 three blocks - exact block size multiple */ test_cipher_xts(&nettle_aes256, SHEX("266c336b3b01489f3267f52835fd92f6" "74374b88b4e1ebd2d36a5f457581d9d0" "42c3eef7b0b7e5137b086496b4d9e6ac" "658d7196a23f23f036172fdb8faee527"), SHEX("06b209a7a22f486ecbfadb0f3137ba42"), SHEX("ca7d65ef8d3dfad345b61ccddca1ad81" "de830b9e86c7b426d76cb7db766852d9" "81c6b21409399d78f42cc0b33a7bbb06"), SHEX("c73256870cc2f4dd57acc74b5456dbd7" "76912a128bc1f77d72cdebbf270044b7" "a43ceed29025e1e8be211fa3c3ed002d")); } nettle-3.10/testsuite/symbols-test0000755000175000017500000000257414633602172016414 0ustar nissenisse#! /bin/sh # Check that all exported symbols use the nettle prefix. if [ -z "$srcdir" ] ; then srcdir=`pwd` fi : ${NM:=nm} # * nm on aix seems to generate bogus output including random binary # data. Using -g is a workaround to get rid of that. But nm -g # doesn't work on Solaris-2.4, so try nm -g first, and plain nm if # -g isn't recognized. # # * gcc on x86 generates functions like __i686.get_pc_thunk.bx in pic # code. # * LLVM shipped with Xcode/CLT 10+ on macOS builds the symbol # ____chkstk_darwin into the majority of binaries/libraries, including # both the libraries checked here. ( $NM -g ../libnettle.a || $NM ../libnettle.a ) \ | grep ' [DRT] ' | egrep -v '( |^|\.)(\.?_?(_?nettle_)|get_pc_thunk|(_*chkstk_darwin))' \ | sort -k3 > test1.out if [ -s test1.out ] ; then echo Exported symbols in libnettle.a, lacking the nettle prefix: cat test1.out exit 1 fi if [ -s ../libhogweed.a ] ; then PATTERN='\.?_?_?nettle_|get_pc_thunk|(_*chkstk_darwin)' if grep '^#define.*NETTLE_USE_MINI_GMP.*1$' ../version.h >/dev/null ; then PATTERN="$PATTERN|_?(mp_|mpz_|mpn_)" fi ( $NM -g ../libhogweed.a || $NM ../libhogweed.a ) \ | grep ' [DRT] ' | egrep -v "( |^|\.)($PATTERN)" \ | sort -k3 > test1.out if [ -s test1.out ] ; then echo Exported symbols in libhogweed.a, lacking the nettle prefix: cat test1.out exit 1 fi fi exit 0 nettle-3.10/testsuite/md4-test.c0000644000175000017500000000247014633602172015621 0ustar nissenisse#include "testutils.h" #include "md4.h" void test_main(void) { /* Testcases from RFC 1320 */ test_hash(&nettle_md4, SDATA(""), SHEX("31d6cfe0d16ae931b73c59d7e0c089c0")); test_hash(&nettle_md4, SDATA("a"), SHEX("bde52cb31de33e46245e05fbdbd6fb24")); test_hash(&nettle_md4, SDATA("abc"), SHEX("a448017aaf21d8525fc10ae87aa6729d")); test_hash(&nettle_md4, SDATA("message digest"), SHEX("d9130a8164549fe818874806e1c7014b")); test_hash(&nettle_md4, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("d79e1c308aa5bbcdeea8ed63df412da9")); test_hash(&nettle_md4, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("043f8582f241db351ce627e153e7f0e4")); test_hash(&nettle_md4, SDATA("12345678901234567890123456789012345678901234567890" "123456789012345678901234567890"), SHEX("e33b4ddc9c38f2199c3e7b164fcc0536")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_md4, SDATA("38"), SHEX("ae9c7ebfb68ea795483d270f5934b71d")); test_hash(&nettle_md4, SDATA("abc"), SHEX("a448017aaf21d8525fc10ae87aa6729d")); test_hash(&nettle_md4, SDATA("message digest"), SHEX("d9130a8164549fe818874806e1c7014b")); test_hash(&nettle_md4, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("d79e1c308aa5bbcdeea8ed63df412da9")); } nettle-3.10/testsuite/x86-ibt-test.c0000644000175000017500000000234214633602172016334 0ustar nissenisse#include "testutils.h" #if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__)) \ && defined(__CET__) && defined(__linux__) #include static void segfault_handler(int signo) { exit(0); } static void ibt_violation(void) { #ifdef __i386__ unsigned int reg; asm volatile("lea 1f, %0\n\t" "jmp *%0\n" "1:" : "=r" (reg)); #else unsigned long long reg; asm volatile("lea 1f(%%rip), %0\n\t" "jmp *%0\n" "1:" : "=r" (reg)); #endif } #ifdef __i386__ static unsigned int _get_ssp(void) { unsigned int ssp; asm volatile("xor %0, %0\n\trdsspd %0" : "=r" (ssp)); return ssp; } #else static unsigned long long _get_ssp(void) { unsigned long long ssp; asm volatile("xor %0, %0\n\trdsspq %0" : "=r" (ssp)); return ssp; } #endif void test_main(void) { /* NB: This test should trigger SIGSEGV on CET platforms. _get_ssp returns the address of shadow stack pointer. If the address of shadow stack pointer is 0, SHSTK is disabled and we assume that IBT is also disabled. */ if (_get_ssp() == 0) { ibt_violation(); SKIP(); } signal(SIGSEGV, segfault_handler); ibt_violation(); FAIL(); } #else void test_main(void) { SKIP(); } #endif nettle-3.10/testsuite/gold-bug.txt0000644000175000017500000022531714633602172016264 0ustar nissenisseEdgar Allan Poe The Gold-Bug What ho! what ho! this fellow is dancing mad! He hath been bitten by the Tarantula. --All in the Wrong. Many years ago, I contracted an intimacy with a Mr. William Legrand. He was of an ancient Huguenot family, and had once been wealthy: but a series of misfortunes had reduced him to want. To avoid the mortification consequent upon his disasters, he left New Orleans, the city of his forefathers, and took up his residence at Sullivan's Island, near Charleston, South Carolina. This island is a very singular one. It consists of little else than the sea sand, and is about three miles long. Its breadth at no point exceeds a quarter of a mile. It is separated from the mainland by a scarcely perceptible creek, oozing its way through a wilderness of reeds and slime, a favorite resort of the marsh hen. The vegetation, as might be supposed, is scant, or at least dwarfish. No trees of any magnitude are to be seen. Near the western extremity, where Fort Moultrie stands, and where are some miserable frame buildings, tenanted, during summer, by the fugitives from Charleston dust and fever, may be found, indeed, the bristly palmetto; but the whole island, with the exception of this western point, and a line of hard, white beach on the seacoast, is covered with a dense undergrowth of the sweet myrtle so much prized by the horticulturists of England. The shrub here often attains the height of fifteen or twenty feet, and forms an almost impenetrable coppice, burdening the air with its fragrance. In the inmost recesses of this coppice, not far from the eastern or more remote end of the island, Legrand had built himself a small hut, which he occupied when I first, by mere accident, made his acquaintance. This soon ripened into friendship--for there was much in the recluse to excite interest and esteem. I found him well educated, with unusual powers of mind, but infected with misanthropy, and subject to perverse moods of alternate enthusiasm and melancholy. He had with him many books, but rarely employed them. His chief amusements were gunning and fishing, or sauntering along the beach and through the myrtles, in quest of shells or entomological specimens--his collection of the latter might have been envied by a Swammerdamm. In these excursions he was usually accompanied by an old negro, called Jupiter, who had been manumitted before the reverses of the family, but who could be induced, neither by threats nor by promises, to abandon what he considered his right of attendance upon the footsteps of his young "Massa Will." It is not improbable that the relatives of Legrand, conceiving him to be somewhat unsettled in intellect, had contrived to instill this obstinacy into Jupiter, with a view to the supervision and guardianship of the wanderer. The winters in the latitude of Sullivan's Island are seldom very severe, and in the fall of the year it is a rare event indeed when a fire is considered necessary. About the middle of October, 18--, there occurred, however, a day of remarkable chilliness. Just before sunset I scrambled my way through the evergreens to the hut of my friend, whom I had not visited for several weeks--my residence being, at that time, in Charleston, a distance of nine miles from the island, while the facilities of passage and repassage were very far behind those of the present day. Upon reaching the hut I rapped, as was my custom, and getting no reply, sought for the key where I knew it was secreted, unlocked the door, and went in. A fine fire was blazing upon the hearth. It was a novelty, and by no means an ungrateful one. I threw off an overcoat, took an armchair by the crackling logs, and awaited patiently the arrival of my hosts. Soon after dark they arrived, and gave me a most cordial welcome. Jupiter, grinning from ear to ear, bustled about to prepare some marsh hens for supper. Legrand was in one of his fits--how else shall I term them?--of enthusiasm. He had found an unknown bivalve, forming a new genus, and, more than this, he had hunted down and secured, with Jupiter's assistance, a scarabaeus which he believed to be totally new, but in respect to which he wished to have my opinion on the morrow. "And why not to-night?" I asked, rubbing my hands over the blaze, and wishing the whole tribe of scarabaei at the devil. "Ah, if I had only known you were here!" said Legrand, "but it's so long since I saw you; and how could I foresee that you would pay me a visit this very night of all others? As I was coming home I met Lieutenant G----, from the fort, and, very foolishly, I lent him the bug; so it will be impossible for you to see it until the morning. Stay here to-night, and I will send Jup down for it at sunrise. It is the loveliest thing in creation!" "What?--sunrise?" "Nonsense! no!--the bug. It is of a brilliant gold color--about the size of a large hickory nut--with two jet black spots near one extremity of the back, and another, somewhat longer, at the other. The antennae are--" "Dey ain't NO tin in him, Massa Will, I keep a tellin' on you," here interrupted Jupiter; "de bug is a goole-bug, solid, ebery bit of him, inside and all, sep him wing--neber feel half so hebby a bug in my life." "Well, suppose it is, Jup," replied Legrand, somewhat more earnestly, it seemed to me, than the case demanded; "is that any reason for your letting the birds burn? The color"--here he turned to me--"is really almost enough to warrant Jupiter's idea. You never saw a more brilliant metallic luster than the scales emit-- but of this you cannot judge till to-morrow. In the meantime I can give you some idea of the shape." Saying this, he seated himself at a small table, on which were a pen and ink, but no paper. He looked for some in a drawer, but found none. "Never mind," he said at length, "this will answer;" and he drew from his waistcoat pocket a scrap of what I took to be very dirty foolscap, and made upon it a rough drawing with the pen. While he did this, I retained my seat by the fire, for I was still chilly. When the design was complete, he handed it to me without rising. As I received it, a loud growl was heard, succeeded by a scratching at the door. Jupiter opened it, and a large Newfoundland, belonging to Legrand, rushed in, leaped upon my shoulders, and loaded me with caresses; for I had shown him much attention during previous visits. When his gambols were over, I looked at the paper, and, to speak the truth, found myself not a little puzzled at what my friend had depicted. "Well!" I said, after contemplating it for some minutes, "this IS a strange scarabaeus, I must confess; new to me; never saw anything like it before--unless it was a skull, or a death's head, which it more nearly resembles than anything else that has come under MY observation." "A death's head!" echoed Legrand. "Oh--yes--well, it has something of that appearance upon paper, no doubt. The two upper black spots look like eyes, eh? and the longer one at the bottom like a mouth-- and then the shape of the whole is oval." "Perhaps so," said I; "but, Legrand, I fear you are no artist. I must wait until I see the beetle itself, if I am to form any idea of its personal appearance." "Well, I don't know," said he, a little nettled, "I draw tolerably-- SHOULD do it at least--have had good masters, and flatter myself that I am not quite a blockhead." "But, my dear fellow, you are joking then," said I, "this is a very passable SKULL--indeed, I may say that it is a very EXCELLENT skull, according to the vulgar notions about such specimens of physiology--and your scarabaeus must be the queerest scarabaeus in the world if it resembles it. Why, we may get up a very thrilling bit of superstition upon this hint. I presume you will call the bug Scarabaeus caput hominis, or something of that kind--there are many similar titles in the Natural Histories. But where are the antennae you spoke of?" "The antennae!" said Legrand, who seemed to be getting unaccountably warm upon the subject; "I am sure you must see the antennae. I made them as distinct as they are in the original insect, and I presume that is sufficient." "Well, well," I said, "perhaps you have--still I don't see them;" and I handed him the paper without additional remark, not wishing to ruffle his temper; but I was much surprised at the turn affairs had taken; his ill humor puzzled me--and, as for the drawing of the beetle, there were positively NO antennae visible, and the whole DID bear a very close resemblance to the ordinary cuts of a death's head. He received the paper very peevishly, and was about to crumple it, apparently to throw it in the fire, when a casual glance at the design seemed suddenly to rivet his attention. In an instant his face grew violently red--in another excessively pale. For some minutes he continued to scrutinize the drawing minutely where he sat. At length he arose, took a candle from the table, and proceeded to seat himself upon a sea chest in the farthest corner of the room. Here again he made an anxious examination of the paper, turning it in all directions. He said nothing, however, and his conduct greatly astonished me; yet I thought it prudent not to exacerbate the growing moodiness of his temper by any comment. Presently he took from his coat pocket a wallet, placed the paper carefully in it, and deposited both in a writing desk, which he locked. He now grew more composed in his demeanor; but his original air of enthusiasm had quite disappeared. Yet he seemed not so much sulky as abstracted. As the evening wore away he became more and more absorbed in reverie, from which no sallies of mine could arouse him. It had been my intention to pass the night at the hut, as I had frequently done before, but, seeing my host in this mood, I deemed it proper to take leave. He did not press me to remain, but, as I departed, he shook my hand with even more than his usual cordiality. It was about a month after this (and during the interval I had seen nothing of Legrand) when I received a visit, at Charleston, from his man, Jupiter. I had never seen the good old negro look so dispirited, and I feared that some serious disaster had befallen my friend. "Well, Jup," said I, "what is the matter now?--how is your master?" "Why, to speak the troof, massa, him not so berry well as mought be." "Not well! I am truly sorry to hear it. What does he complain of?" "Dar! dot's it!--him neber 'plain of notin'--but him berry sick for all dat." "VERY sick, Jupiter!--why didn't you say so at once? Is he confined to bed?" "No, dat he aint!--he aint 'fin'd nowhar--dat's just whar de shoe pinch--my mind is got to be berry hebby 'bout poor Massa Will." "Jupiter, I should like to understand what it is you are talking about. You say your master is sick. Hasn't he told you what ails him?" "Why, massa, 'taint worf while for to git mad about de matter-- Massa Will say noffin at all aint de matter wid him--but den what make him go about looking dis here way, wid he head down and he soldiers up, and as white as a goose? And den he keep a syphon all de time--" "Keeps a what, Jupiter?" "Keeps a syphon wid de figgurs on de slate--de queerest figgurs I ebber did see. Ise gittin' to be skeered, I tell you. Hab for to keep mighty tight eye 'pon him 'noovers. Todder day he gib me slip 'fore de sun up and was gone de whole ob de blessed day. I had a big stick ready cut for to gib him deuced good beating when he did come--but Ise sich a fool dat I hadn't de heart arter all--he looked so berry poorly." "Eh?--what?--ah yes!--upon the whole I think you had better not be too severe with the poor fellow--don't flog him, Jupiter--he can't very well stand it--but can you form no idea of what has occasioned this illness, or rather this change of conduct? Has anything unpleasant happened since I saw you?" "No, massa, dey aint bin noffin onpleasant SINCE den--'twas 'FORE den I'm feared--'twas de berry day you was dare." "How? what do you mean." "Why, massa, I mean de bug--dare now." "The what?" "De bug--I'm berry sartin dat Massa Will bin bit somewhere 'bout de head by dat goole-bug." "And what cause have you, Jupiter, for such a supposition?" "Claws enuff, massa, and mouff, too. I nebber did see sich a deuced bug--he kick and he bite eberyting what cum near him. Massa Will cotch him fuss, but had for to let him go 'gin mighty quick, I tell you--den was de time he must ha' got de bite. I didn't like de look ob de bug mouff, myself, nohow, so I wouldn't take hold oh him wid my finger, but I cotch him wid a piece oh paper dat I found. I rap him up in de paper and stuff a piece of it in he mouff--dat was de way." "And you think, then, that your master was really bitten by the beetle, and that the bite made him sick?" "I don't think noffin about it--I nose it. What make him dream 'bout de goole so much, if 'taint cause he bit by the goole-bug? Ise heered 'bout dem goole-bugs 'fore dis." "But how do you know he dreams about gold?" "How I know? why, 'cause he talk about it in he sleep--dat's how I nose." "Well, Jup, perhaps you are right; but to what fortunate circumstance am I to attribute the honor of a visit from you to- day?" "What de matter, massa?" "Did you bring any message from Mr. Legrand?" "No, massa, I bring dis here pissel;" and here Jupiter handed me a note which ran thus: "MY DEAR ---- "Why have I not seen you for so long a time? I hope you have not been so foolish as to take offense at any little brusquerie of mine; but no, that is improbable. "Since I saw you I have had great cause for anxiety. I have something to tell you, yet scarcely know how to tell it, or whether I should tell it at all. "I have not been quite well for some days past, and poor old Jup annoys me, almost beyond endurance, by his well-meant attentions. Would you believe it?--he had prepared a huge stick, the other day, with which to chastise me for giving him the slip, and spending the day, solus, among the hills on the mainland. I verily believe that my ill looks alone saved me a flogging. "I have made no addition to my cabinet since we met. "If you can, in any way, make it convenient, come over with Jupiter. DO come. I wish to see you TO-NIGHT, upon business of importance. I assure you that it is of the HIGHEST importance. "Ever yours, "WILLIAM LEGRAND." There was something in the tone of this note which gave me great uneasiness. Its whole style differed materially from that of Legrand. What could he be dreaming of? What new crotchet possessed his excitable brain? What "business of the highest importance" could HE possibly have to transact? Jupiter's account of him boded no good. I dreaded lest the continued pressure of misfortune had, at length, fairly unsettled the reason of my friend. Without a moment's hesitation, therefore, I prepared to accompany the negro. Upon reaching the wharf, I noticed a scythe and three spades, all apparently new, lying in the bottom of the boat in which we were to embark. "What is the meaning of all this, Jup?" I inquired. "Him syfe, massa, and spade." "Very true; but what are they doing here?" "Him de syfe and de spade what Massa Will sis 'pon my buying for him in de town, and de debbil's own lot of money I had to gib for em." "But what, in the name of all that is mysterious, is your 'Massa Will' going to do with scythes and spades?" "Dat's more dan I know, and debbil take me if I don't b'lieve 'tis more dan he know too. But it's all cum ob de bug." Finding that no satisfaction was to be obtained of Jupiter, whose whole intellect seemed to be absorbed by "de bug," I now stepped into the boat, and made sail. With a fair and strong breeze we soon ran into the little cove to the northward of Fort Moultrie, and a walk of some two miles brought us to the hut. It was about three in the afternoon when we arrived. Legrand had been awaiting us in eager expectation. He grasped my hand with a nervous empressement which alarmed me and strengthened the suspicions already entertained. His countenance was pale even to ghastliness, and his deep-set eyes glared with unnatural luster. After some inquiries respecting his health, I asked him, not knowing what better to say, if he had yet obtained the scarabaeus from Lieutenant G----. "Oh, yes," he replied, coloring violently, "I got it from him the next morning. Nothing should tempt me to part with that scarabaeus. Do you know that Jupiter is quite right about it?" "In what way?" I asked, with a sad foreboding at heart. "In supposing it to be a bug of REAL GOLD." He said this with an air of profound seriousness, and I felt inexpressibly shocked. "This bug is to make my fortune," he continued, with a triumphant smile; "to reinstate me in my family possessions. Is it any wonder, then, that I prize it? Since Fortune has thought fit to bestow it upon me, I have only to use it properly, and I shall arrive at the gold of which it is the index. Jupiter, bring me that scarabaeus!" "What! de bug, massa? I'd rudder not go fer trubble dat bug; you mus' git him for your own self." Hereupon Legrand arose, with a grave and stately air, and brought me the beetle from a glass case in which it was enclosed. It was a beautiful scarabaeus, and, at that time, unknown to naturalists--of course a great prize in a scientific point of view. There were two round black spots near one extremity of the back, and a long one near the other. The scales were exceedingly hard and glossy, with all the appearance of burnished gold. The weight of the insect was very remarkable, and, taking all things into consideration, I could hardly blame Jupiter for his opinion respecting it; but what to make of Legrand's concordance with that opinion, I could not, for the life of me, tell. "I sent for you," said he, in a grandiloquent tone, when I had completed my examination of the beetle, "I sent for you that I might have your counsel and assistance in furthering the views of Fate and of the bug--" "My dear Legrand," I cried, interrupting him, "you are certainly unwell, and had better use some little precautions. You shall go to bed, and I will remain with you a few days, until you get over this. You are feverish and--" "Feel my pulse," said he. I felt it, and, to say the truth, found not the slightest indication of fever. "But you may be ill and yet have no fever. Allow me this once to prescribe for you. In the first place go to bed. In the next--" "You are mistaken," he interposed, "I am as well as I can expect to be under the excitement which I suffer. If you really wish me well, you will relieve this excitement." "And how is this to be done?" "Very easily. Jupiter and myself are going upon an expedition into the hills, upon the mainland, and, in this expedition, we shall need the aid of some person in whom we can confide. You are the only one we can trust. Whether we succeed or fail, the excitement which you now perceive in me will be equally allayed." "I am anxious to oblige you in any way," I replied; "but do you mean to say that this infernal beetle has any connection with your expedition into the hills?" "It has." "Then, Legrand, I can become a party to no such absurd proceeding." "I am sorry--very sorry--for we shall have to try it by ourselves." "Try it by yourselves! The man is surely mad!--but stay!--how long do you propose to be absent?" "Probably all night. We shall start immediately, and be back, at all events, by sunrise." "And will you promise me, upon your honor, that when this freak of yours is over, and the bug business (good God!) settled to your satisfaction, you will then return home and follow my advice implicitly, as that of your physician?" "Yes; I promise; and now let us be off, for we have no time to lose." With a heavy heart I accompanied my friend. We started about four o'clock--Legrand, Jupiter, the dog, and myself. Jupiter had with him the scythe and spades--the whole of which he insisted upon carrying--more through fear, it seemed to me, of trusting either of the implements within reach of his master, than from any excess of industry or complaisance. His demeanor was dogged in the extreme, and "dat deuced bug" were the sole words which escaped his lips during the journey. For my own part, I had charge of a couple of dark lanterns, while Legrand contented himself with the scarabaeus, which he carried attached to the end of a bit of whipcord; twirling it to and fro, with the air of a conjurer, as he went. When I observed this last, plain evidence of my friend's aberration of mind, I could scarcely refrain from tears. I thought it best, however, to humor his fancy, at least for the present, or until I could adopt some more energetic measures with a chance of success. In the meantime I endeavored, but all in vain, to sound him in regard to the object of the expedition. Having succeeded in inducing me to accompany him, he seemed unwilling to hold conversation upon any topic of minor importance, and to all my questions vouchsafed no other reply than "we shall see!" We crossed the creek at the head of the island by means of a skiff, and, ascending the high grounds on the shore of the mainland, proceeded in a northwesterly direction, through a tract of country excessively wild and desolate, where no trace of a human footstep was to be seen. Legrand led the way with decision; pausing only for an instant, here and there, to consult what appeared to be certain landmarks of his own contrivance upon a former occasion. In this manner we journeyed for about two hours, and the sun was just setting when we entered a region infinitely more dreary than any yet seen. It was a species of table-land, near the summit of an almost inaccessible hill, densely wooded from base to pinnacle, and interspersed with huge crags that appeared to lie loosely upon the soil, and in many cases were prevented from precipitating themselves into the valleys below, merely by the support of the trees against which they reclined. Deep ravines, in various directions, gave an air of still sterner solemnity to the scene. The natural platform to which we had clambered was thickly overgrown with brambles, through which we soon discovered that it would have been impossible to force our way but for the scythe; and Jupiter, by direction of his master, proceeded to clear for us a path to the foot of an enormously tall tulip tree, which stood, with some eight or ten oaks, upon the level, and far surpassed them all, and all other trees which I had then ever seen, in the beauty of its foliage and form, in the wide spread of its branches, and in the general majesty of its appearance. When we reached this tree, Legrand turned to Jupiter, and asked him if he thought he could climb it. The old man seemed a little staggered by the question, and for some moments made no reply. At length he approached the huge trunk, walked slowly around it, and examined it with minute attention. When he had completed his scrutiny, he merely said: "Yes, massa, Jup climb any tree he ebber see in he life." "Then up with you as soon as possible, for it will soon be too dark to see what we are about." "How far mus' go up, massa?" inquired Jupiter. "Get up the main trunk first, and then I will tell you which way to go--and here--stop! take this beetle with you." "De bug, Massa Will!--de goole-bug!" cried the negro, drawing back in dismay--"what for mus' tote de bug way up de tree?--d--n if I do!" "If you are afraid, Jup, a great big negro like you, to take hold of a harmless little dead beetle, why you can carry it up by this string--but, if you do not take it up with you in some way, I shall be under the necessity of breaking your head with this shovel." "What de matter now, massa?" said Jup, evidently shamed into compliance; "always want for to raise fuss wid old nigger. Was only funnin anyhow. ME feered de bug! what I keer for de bug?" Here he took cautiously hold of the extreme end of the string, and, maintaining the insect as far from his person as circumstances would permit, prepared to ascend the tree. In youth, the tulip tree, or Liriodendron tulipiferum, the most magnificent of American foresters, has a trunk peculiarly smooth, and often rises to a great height without lateral branches; but, in its riper age, the bark becomes gnarled and uneven, while many short limbs make their appearance on the stem. Thus the difficulty of ascension, in the present case, lay more in semblance than in reality. Embracing the huge cylinder, as closely as possible, with his arms and knees, seizing with his hands some projections, and resting his naked toes upon others, Jupiter, after one or two narrow escapes from falling, at length wriggled himself into the first great fork, and seemed to consider the whole business as virtually accomplished. The RISK of the achievement was, in fact, now over, although the climber was some sixty or seventy feet from the ground. "Which way mus' go now, Massa Will?" he asked. "Keep up the largest branch--the one on this side," said Legrand. The negro obeyed him promptly, and apparently with but little trouble; ascending higher and higher, until no glimpse of his squat figure could be obtained through the dense foliage which enveloped it. Presently his voice was heard in a sort of halloo. "How much fudder is got to go?" "How high up are you?" asked Legrand. "Ebber so fur," replied the negro; "can see de sky fru de top oh de tree." "Never mind the sky, but attend to what I say. Look down the trunk and count the limbs below you on this side. How many limbs have you passed?" "One, two, tree, four, fibe--I done pass fibe big limb, massa, 'pon dis side." "Then go one limb higher." In a few minutes the voice was heard again, announcing that the seventh limb was attained. "Now, Jup," cried Legrand, evidently much excited, "I want you to work your way out upon that limb as far as you can. If you see anything strange let me know." By this time what little doubt I might have entertained of my poor friend's insanity was put finally at rest. I had no alternative but to conclude him stricken with lunacy, and I became seriously anxious about getting him home. While I was pondering upon what was best to be done, Jupiter's voice was again heard. "Mos feered for to ventur pon dis limb berry far--'tis dead limb putty much all de way." "Did you say it was a DEAD limb, Jupiter?" cried Legrand in a quavering voice. "Yes, massa, him dead as de door-nail--done up for sartin--done departed dis here life." "What in the name of heaven shall I do?" asked Legrand, seemingly in the greatest distress. "Do!" said I, glad of an opportunity to interpose a word, "why come home and go to bed. Come now!--that's a fine fellow. It's getting late, and, besides, you remember your promise." "Jupiter," cried he, without heeding me in the least, "do you hear me?" "Yes, Massa Will, hear you ebber so plain." "Try the wood well, then, with your knife, and see if you think it VERY rotten." "Him rotten, massa, sure nuff," replied the negro in a few moments, "but not so berry rotten as mought be. Mought venture out leetle way pon de limb by myself, dat's true." "By yourself!--what do you mean?" "Why, I mean de bug. 'Tis BERRY hebby bug. Spose I drop him down fuss, an den de limb won't break wid just de weight of one nigger." "You infernal scoundrel!" cried Legrand, apparently much relieved, "what do you mean by telling me such nonsense as that? As sure as you drop that beetle I'll break your neck. Look here, Jupiter, do you hear me?" "Yes, massa, needn't hollo at poor nigger dat style." "Well! now listen!--if you will venture out on the limb as far as you think safe, and not let go the beetle, I'll make you a present of a silver dollar as soon as you get down." "I'm gwine, Massa Will--deed I is," replied the negro very promptly--"mos out to the eend now." "OUT TO THE END!" here fairly screamed Legrand; "do you say you are out to the end of that limb?" "Soon be to de eend, massa--o-o-o-o-oh! Lor-gol-a-marcy! what IS dis here pon de tree?" "Well!" cried Legrand, highly delighted, "what is it?" "Why 'taint noffin but a skull--somebody bin lef him head up de tree, and de crows done gobble ebery bit ob de meat off." "A skull, you say!--very well,--how is it fastened to the limb?-- what holds it on?" "Sure nuff, massa; mus look. Why dis berry curious sarcumstance, pon my word--dare's a great big nail in de skull, what fastens ob it on to de tree." "Well now, Jupiter, do exactly as I tell you--do you hear?" "Yes, massa." "Pay attention, then--find the left eye of the skull." "Hum! hoo! dat's good! why dey ain't no eye lef at all." "Curse your stupidity! do you know your right hand from your left?" "Yes, I knows dat--knows all about dat--'tis my lef hand what I chops de wood wid." "To be sure! you are left-handed; and your left eye is on the same side as your left hand. Now, I suppose, you can find the left eye of the skull, or the place where the left eye has been. Have you found it?" Here was a long pause. At length the negro asked: "Is de lef eye of de skull pon de same side as de lef hand of de skull too?--cause de skull aint got not a bit oh a hand at all-- nebber mind! I got de lef eye now--here de lef eye! what mus do wid it?" Let the beetle drop through it, as far as the string will reach-- but be careful and not let go your hold of the string." "All dat done, Massa Will; mighty easy ting for to put de bug fru de hole--look out for him dare below!" During this colloquy no portion of Jupiter's person could be seen; but the beetle, which he had suffered to descend, was now visible at the end of the string, and glistened, like a globe of burnished gold, in the last rays of the setting sun, some of which still faintly illumined the eminence upon which we stood. The scarabaeus hung quite clear of any branches, and, if allowed to fall, would have fallen at our feet. Legrand immediately took the scythe, and cleared with it a circular space, three or four yards in diameter, just beneath the insect, and, having accomplished this, ordered Jupiter to let go the string and come down from the tree. Driving a peg, with great nicety, into the ground, at the precise spot where the beetle fell, my friend now produced from his pocket a tape measure. Fastening one end of this at that point of the trunk of the tree which was nearest the peg, he unrolled it till it reached the peg and thence further unrolled it, in the direction already established by the two points of the tree and the peg, for the distance of fifty feet--Jupiter clearing away the brambles with the scythe. At the spot thus attained a second peg was driven, and about this, as a center, a rude circle, about four feet in diameter, described. Taking now a spade himself, and giving one to Jupiter and one to me, Legrand begged us to set about digging as quickly as possible. To speak the truth, I had no especial relish for such amusement at any time, and, at that particular moment, would willingly have declined it; for the night was coming on, and I felt much fatigued with the exercise already taken; but I saw no mode of escape, and was fearful of disturbing my poor friend's equanimity by a refusal. Could I have depended, indeed, upon Jupiter's aid, I would have had no hesitation in attempting to get the lunatic home by force; but I was too well assured of the old negro's disposition, to hope that he would assist me, under any circumstances, in a personal contest with his master. I made no doubt that the latter had been infected with some of the innumerable Southern superstitions about money buried, and that his fantasy had received confirmation by the finding of the scarabaeus, or, perhaps, by Jupiter's obstinacy in maintaining it to be "a bug of real gold." A mind disposed to lunacy would readily be led away by such suggestions--especially if chiming in with favorite preconceived ideas--and then I called to mind the poor fellow's speech about the beetle's being "the index of his fortune." Upon the whole, I was sadly vexed and puzzled, but, at length, I concluded to make a virtue of necessity--to dig with a good will, and thus the sooner to convince the visionary, by ocular demonstration, of the fallacy of the opinion he entertained. The lanterns having been lit, we all fell to work with a zeal worthy a more rational cause; and, as the glare fell upon our persons and implements, I could not help thinking how picturesque a group we composed, and how strange and suspicious our labors must have appeared to any interloper who, by chance, might have stumbled upon our whereabouts. We dug very steadily for two hours. Little was said; and our chief embarrassment lay in the yelpings of the dog, who took exceeding interest in our proceedings. He, at length, became so obstreperous that we grew fearful of his giving the alarm to some stragglers in the vicinity,--or, rather, this was the apprehension of Legrand;-- for myself, I should have rejoiced at any interruption which might have enabled me to get the wanderer home. The noise was, at length, very effectually silenced by Jupiter, who, getting out of the hole with a dogged air of deliberation, tied the brute's mouth up with one of his suspenders, and then returned, with a grave chuckle, to his task. When the time mentioned had expired, we had reached a depth of five feet, and yet no signs of any treasure became manifest. A general pause ensued, and I began to hope that the farce was at an end. Legrand, however, although evidently much disconcerted, wiped his brow thoughtfully and recommenced. We had excavated the entire circle of four feet diameter, and now we slightly enlarged the limit, and went to the farther depth of two feet. Still nothing appeared. The gold-seeker, whom I sincerely pitied, at length clambered from the pit, with the bitterest disappointment imprinted upon every feature, and proceeded, slowly and reluctantly, to put on his coat, which he had thrown off at the beginning of his labor. In the meantime I made no remark. Jupiter, at a signal from his master, began to gather up his tools. This done, and the dog having been unmuzzled, we turned in profound silence toward home. We had taken, perhaps, a dozen steps in this direction, when, with a loud oath, Legrand strode up to Jupiter, and seized him by the collar. The astonished negro opened his eyes and mouth to the fullest extent, let fall the spades, and fell upon his knees. "You scoundrel!" said Legrand, hissing out the syllables from between his clenched teeth--"you infernal black villain!--speak, I tell you!--answer me this instant, without prevarication!--which-- which is your left eye?" "Oh, my golly, Massa Will! aint dis here my lef eye for sartain?" roared the terrified Jupiter, placing his hand upon his RIGHT organ of vision, and holding it there with a desperate pertinacity, as if in immediate, dread of his master's attempt at a gouge. "I thought so!--I knew it! hurrah!" vociferated Legrand, letting the negro go and executing a series of curvets and caracols, much to the astonishment of his valet, who, arising from his knees, looked, mutely, from his master to myself, and then from myself to his master. "Come! we must go back," said the latter, "the game's not up yet;" and he again led the way to the tulip tree. "Jupiter," said he, when we reached its foot, "come here! was the skull nailed to the limb with the face outward, or with the face to the limb?" "De face was out, massa, so dat de crows could get at de eyes good, widout any trouble." "Well, then, was it this eye or that through which you dropped the beetle?" here Legrand touched each of Jupiter's eyes. "'Twas dis eye, massa--de lef eye--jis as you tell me," and here it was his right eye that the negro indicated. "That will do--we must try it again." Here my friend, about whose madness I now saw, or fancied that I saw, certain indications of method, removed the peg which marked the spot where the beetle fell, to a spot about three inches to the westward of its former position. Taking, now, the tape measure from the nearest point of the trunk to the peg, as before, and continuing the extension in a straight line to the distance of fifty feet, a spot was indicated, removed, by several yards, from the point at which we had been digging. Around the new position a circle, somewhat larger than in the former instance, was now described, and we again set to work with the spade. I was dreadfully weary, but, scarcely understanding what had occasioned the change in my thoughts, I felt no longer any great aversion from the labor imposed. I had become most unaccountably interested--nay, even excited. Perhaps there was something, amid all the extravagant demeanor of Legrand--some air of forethought, or of deliberation, which impressed me. I dug eagerly, and now and then caught myself actually looking, with something that very much resembled expectation, for the fancied treasure, the vision of which had demented my unfortunate companion. At a period when such vagaries of thought most fully possessed me, and when we had been at work perhaps an hour and a half, we were again interrupted by the violent howlings of the dog. His uneasiness, in the first instance, had been, evidently, but the result of playfulness or caprice, but he now assumed a bitter and serious tone. Upon Jupiter's again attempting to muzzle him, he made furious resistance, and, leaping into the hole, tore up the mold frantically with his claws. In a few seconds he had uncovered a mass of human bones, forming two complete skeletons, intermingled with several buttons of metal, and what appeared to be the dust of decayed woolen. One or two strokes of a spade upturned the blade of a large Spanish knife, and, as we dug farther, three or four loose pieces of gold and silver coin came to light. At sight of these the joy of Jupiter could scarcely be restrained, but the countenance of his master wore an air of extreme disappointment. He urged us, however, to continue our exertions, and the words were hardly uttered when I stumbled and fell forward, having caught the toe of my boot in a large ring of iron that lay half buried in the loose earth. We now worked in earnest, and never did I pass ten minutes of more intense excitement. During this interval we had fairly unearthed an oblong chest of wood, which, from its perfect preservation and wonderful hardness, had plainly been subjected to some mineralizing process--perhaps that of the bichloride of mercury. This box was three feet and a half long, three feet broad, and two and a half feet deep. It was firmly secured by bands of wrought iron, riveted, and forming a kind of open trelliswork over the whole. On each side of the chest, near the top, were three rings of iron--six in all--by means of which a firm hold could be obtained by six persons. Our utmost united endeavors served only to disturb the coffer very slightly in its bed. We at once saw the impossibility of removing so great a weight. Luckily, the sole fastenings of the lid consisted of two sliding bolts. These we drew back--trembling and panting with anxiety. In an instant, a treasure of incalculable value lay gleaming before us. As the rays of the lanterns fell within the pit, there flashed upward a glow and a glare, from a confused heap of gold and of jewels, that absolutely dazzled our eyes. I shall not pretend to describe the feelings with which I gazed. Amazement was, of course, predominant. Legrand appeared exhausted with excitement, and spoke very few words. Jupiter's countenance wore, for some minutes, as deadly a pallor as it is possible, in the nature of things, for any negro's visage to assume. He seemed stupefied--thunderstricken. Presently he fell upon his knees in the pit, and burying his naked arms up to the elbows in gold, let them there remain, as if enjoying the luxury of a bath. At length, with a deep sigh, he exclaimed, as if in a soliloquy: "And dis all cum of de goole-bug! de putty goole-bug! de poor little goole-bug, what I boosed in that sabage kind oh style! Ain't you shamed oh yourself, nigger?--answer me dat!" It became necessary, at last, that I should arouse both master and valet to the expediency of removing the treasure. It was growing late, and it behooved us to make exertion, that we might get everything housed before daylight. It was difficult to say what should he done, and much time was spent in deliberation--so confused were the ideas of all. We, finally, lightened the box by removing two thirds of its contents, when we were enabled, with some trouble, to raise it from the hole. The articles taken out were deposited among the brambles, and the dog left to guard them, with strict orders from Jupiter neither, upon any pretense, to stir from the spot, nor to open his mouth until our return. We then hurriedly made for home with the chest; reaching the hut in safety, but after excessive toil, at one o'clock in the morning. Worn out as we were, it was not in human nature to do more immediately. We rested until two, and had supper; starting for the hills immediately afterwards, armed with three stout sacks, which, by good luck, were upon the premises. A little before four we arrived at the pit, divided the remainder of the booty, as equally as might be, among us, and, leaving the holes unfilled, again set out for the hut, at which, for the second time, we deposited our golden burdens, just as the first faint streaks of the dawn gleamed from over the treetops in the east. We were now thoroughly broken down; but the intense excitement of the time denied us repose. After an unquiet slumber of some three or four hours' duration, we arose, as if by preconcert, to make examination of our treasure. The chest had been full to the brim, and we spent the whole day, and the greater part of the next night, in a scrutiny of its contents. There had been nothing like order or arrangement. Everything had been heaped in promiscuously. Having assorted all with care, we found ourselves possessed of even vaster wealth than we had at first supposed. In coin there was rather more than four hundred and fifty thousand dollars--estimating the value of the pieces, as accurately as we could, by the tables of the period. There was not a particle of silver. All was gold of antique date and of great variety--French, Spanish, and German money, with a few English guineas, and some counters, of which we had never seen specimens before. There were several very large and heavy coins, so worn that we could make nothing of their inscriptions. There was no American money. The value of the jewels we found more difficulty in estimating. There were diamonds--some of them exceedingly large and fine--a hundred and ten in all, and not one of them small; eighteen rubies of remarkable brilliancy;--three hundred and ten emeralds, all very beautiful; and twenty-one sapphires, with an opal. These stones had all been broken from their settings and thrown loose in the chest. The settings themselves, which we picked out from among the other gold, appeared to have been beaten up with hammers, as if to prevent identification. Besides all this, there was a vast quantity of solid gold ornaments; nearly two hundred massive finger and ears rings; rich chains--thirty of these, if I remember; eighty-three very large and heavy crucifixes; five gold censers of great value; a prodigious golden punch bowl, ornamented with richly chased vine leaves and Bacchanalian figures; with two sword handles exquisitely embossed, and many other smaller articles which I cannot recollect. The weight of these valuables exceeded three hundred and fifty pounds avoirdupois; and in this estimate I have not included one hundred and ninety-seven superb gold watches; three of the number being worth each five hundred dollars, if one. Many of them were very old, and as timekeepers valueless; the works having suffered, more or less, from corrosion--but all were richly jeweled and in cases of great worth. We estimated the entire contents of the chest, that night, at a million and a half of dollars; and upon the subsequent disposal of the trinkets and jewels (a few being retained for our own use), it was found that we had greatly undervalued the treasure. When, at length, we had concluded our examination, and the intense excitement of the time had, in some measure, subsided, Legrand, who saw that I was dying with impatience for a solution of this most extraordinary riddle, entered into a full detail of all the circumstances connected with it. "You remember," said he, "the night when I handed you the rough sketch I had made of the scarabaeus. You recollect, also, that I became quite vexed at you for insisting that my drawing resembled a death's head. When you first made this assertion I thought you were jesting; but afterwards I called to mind the peculiar spots on the back of the insect, and admitted to myself that your remark had some little foundation in fact. Still, the sneer at my graphic powers irritated me--for I am considered a good artist--and, therefore, when you handed me the scrap of parchment, I was about to crumple it up and throw it angrily into the fire." "The scrap of paper, you mean," said I. "No; it had much of the appearance of paper, and at first I supposed it to be such, but when I came to draw upon it, I discovered it at once to be a piece of very thin parchment. It was quite dirty, you remember. Well, as I was in the very act of crumpling it up, my glance fell upon the sketch at which you had been looking, and you may imagine my astonishment when I perceived, in fact, the figure of a death's head just where, it seemed to me, I had made the drawing of the beetle. For a moment I was too much amazed to think with accuracy. I knew that my design was very different in detail from this--although there was a certain similarity in general outline. Presently I took a candle, and seating myself at the other end of the room, proceeded to scrutinize the parchment more closely. Upon turning it over, I saw my own sketch upon the reverse, just as I had made it. My first idea, now, was mere surprise at the really remarkable similarity of outline--at the singular coincidence involved in the fact that, unknown to me, there should have been a skull upon the other side of the parchment, immediately beneath my figure of the scarabaeus, and that this skull, not only in outline, but in size, should so closely resemble my drawing. I say the singularity of this coincidence absolutely stupefied me for a time. This is the usual effect of such coincidences. The mind struggles to establish a connection--a sequence of cause and effect--and, being unable to do so, suffers a species of temporary paralysis. But, when I recovered from this stupor, there dawned upon me gradually a conviction which startled me even far more than the coincidence. I began distinctly, positively, to remember that there had been NO drawing upon the parchment, when I made my sketch of the scarabaeus. I became perfectly certain of this; for I recollected turning up first one side and then the other, in search of the cleanest spot. Had the skull been then there, of course I could not have failed to notice it. Here was indeed a mystery which I felt it impossible to explain; but, even at that early moment, there seemed to glimmer, faintly, within the most remote and secret chambers of my intellect, a glow-wormlike conception of that truth which last night's adventure brought to so magnificent a demonstration. I arose at once, and putting the parchment securely away, dismissed all further reflection until I should be alone. "When you had gone, and when Jupiter was fast asleep, I betook myself to a more methodical investigation of the affair. In the first place I considered the manner in which the parchment had come into my possession. The spot where we discovered the scarabaeus was on the coast of the mainland, about a mile eastward of the island, and but a short distance above high-water mark. Upon my taking hold of it, it gave me a sharp bite, which caused me to let it drop. Jupiter, with his accustomed caution, before seizing the insect, which had flown toward him, looked about him for a leaf, or something of that nature, by which to take hold of it. It was at this moment that his eyes, and mine also, fell upon the scrap of parchment, which I then supposed to be paper. It was lying half buried in the sand, a corner sticking up. Near the spot where we found it, I observed the remnants of the hull of what appeared to have been a ship's longboat. The wreck seemed to have been there for a very great while, for the resemblance to boat timbers could scarcely be traced. "Well, Jupiter picked up the parchment, wrapped the beetle in it, and gave it to me. Soon afterwards we turned to go home, and on the way met Lieutenant G----. I showed him the insect, and he begged me to let him take it to the fort. Upon my consenting, he thrust it forthwith into his waistcoat pocket, without the parchment in which it had been wrapped, and which I had continued to hold in my hand during his inspection. Perhaps he dreaded my changing my mind, and thought it best to make sure of the prize at once--you know how enthusiastic he is on all subjects connected with Natural History. At the same time, without being conscious of it, I must have deposited the parchment in my own pocket. "You remember that when I went to the table, for the purpose of making a sketch of the beetle, I found no paper where it was usually kept. I looked in the drawer, and found none there. I searched my pockets, hoping to find an old letter, when my hand fell upon the parchment. I thus detail the precise mode in which it came into my possession, for the circumstances impressed me with peculiar force. "No doubt you will think me fanciful--but I had already established a kind of CONNECTION. I had put together two links of a great chain. There was a boat lying upon a seacoast, and not far from the boat was a parchment--NOT A PAPER--with a skull depicted upon it. You will, of course, ask 'where is the connection?' I reply that the skull, or death's head, is the well-known emblem of the pirate. The flag of the death's head is hoisted in all engagements. "I have said that the scrap was parchment, and not paper. Parchment is durable--almost imperishable. Matters of little moment are rarely consigned to parchment; since, for the mere ordinary purposes of drawing or writing, it is not nearly so well adapted as paper. This reflection suggested some meaning--some relevancy--in the death's head. I did not fail to observe, also, the FORM of the parchment. Although one of its corners had been, by some accident, destroyed, it could be seen that the original form was oblong. It was just such a slip, indeed, as might have been chosen for a memorandum--for a record of something to be long remembered, and carefully preserved." "But," I interposed, "you say that the skull was NOT upon the parchment when you made the drawing of the beetle. How then do you trace any connection between the boat and the skull--since this latter, according to your own admission, must have been designed (God only knows how or by whom) at some period subsequent to your sketching the scarabaeus?" "Ah, hereupon turns the whole mystery; although the secret, at this point, I had comparatively little difficulty in solving. My steps were sure, and could afford but a single result. I reasoned, for example, thus: When I drew the scarabaeus, there was no skull apparent upon the parchment. When I had completed the drawing I gave it to you, and observed you narrowly until you returned it. YOU, therefore, did not design the skull, and no one else was present to do it. Then it was not done by human agency. And nevertheless it was done. "At this stage of my reflections I endeavored to remember, and DID remember, with entire distinctness, every incident which occurred about the period in question. The weather was chilly (oh, rare and happy accident!), and a fire was blazing upon the hearth. I was heated with exercise and sat near the table. You, however, had drawn a chair close to the chimney. Just as I placed the parchment in your hand, and as you were in the act of inspecting it, Wolf, the Newfoundland, entered, and leaped upon your shoulders. With your left hand you caressed him and kept him off, while your right, holding the parchment, was permitted to fall listlessly between your knees, and in close proximity to the fire. At one moment I thought the blaze had caught it, and was about to caution you, but, before I could speak, you had withdrawn it, and were engaged in its examination. When I considered all these particulars, I doubted not for a moment that HEAT had been the agent in bringing to light, upon the parchment, the skull which I saw designed upon it. You are well aware that chemical preparations exist, and have existed time out of mind, by means of which it is possible to write upon either paper or vellum, so that the characters shall become visible only when subjected to the action of fire. Zaffre, digested in aqua regia, and diluted with four times its weight of water, is sometimes employed; a green tint results. The regulus of cobalt, dissolved in spirit of niter, gives a red. These colors disappear at longer or shorter intervals after the material written upon cools, but again become apparent upon the reapplication of heat. "I now scrutinized the death's head with care. Its outer edges-- the edges of the drawing nearest the edge of the vellum--were far more DISTINCT than the others. It was clear that the action of the caloric had been imperfect or unequal. I immediately kindled a fire, and subjected every portion of the parchment to a glowing heat. At first, the only effect was the strengthening of the faint lines in the skull; but, upon persevering in the experiment, there became visible, at the corner of the slip, diagonally opposite to the spot in which the death's head was delineated, the figure of what I at first supposed to be a goat. A closer scrutiny, however, satisfied me that it was intended for a kid." "Ha! ha!" said I, "to be sure I have no right to laugh at you--a million and a half of money is too serious a matter for mirth--but you are not about to establish a third link in your chain--you will not find any especial connection between your pirates and a goat-- pirates, you know, have nothing to do with goats; they appertain to the farming interest." "But I have just said that the figure was NOT that of a goat." "Well, a kid then--pretty much the same thing." "Pretty much, but not altogether," said Legrand. "You may have heard of one CAPTAIN Kidd. I at once looked upon the figure of the animal as a kind of punning or hieroglyphical signature. I say signature; because its position upon the vellum suggested this idea. The death's head at the corner diagonally opposite, had, in the same manner, the air of a stamp, or seal. But I was sorely put out by the absence of all else--of the body to my imagined instrument--of the text for my context." "I presume you expected to find a letter between the stamp and the signature." "Something of that kind. The fact is, I felt irresistibly impressed with a presentiment of some vast good fortune impending. I can scarcely say why. Perhaps, after all, it was rather a desire than an actual belief;--but do you know that Jupiter's silly words, about the bug being of solid gold, had a remarkable effect upon my fancy? And then the series of accidents and coincidents--these were so VERY extraordinary. Do you observe how mere an accident it was that these events should have occurred upon the SOLE day of all the year in which it has been, or may be sufficiently cool for fire, and that without the fire, or without the intervention of the dog at the precise moment in which he appeared, I should never have become aware of the death's head, and so never the possessor of the treasure?" "But proceed--I am all impatience." "Well; you have heard, of course, the many stories current--the thousand vague rumors afloat about money buried, somewhere upon the Atlantic coast, by Kidd and his associates. These rumors must have had some foundation in fact. And that the rumors have existed so long and so continuous, could have resulted, it appeared to me, only from the circumstance of the buried treasures still REMAINING entombed. Had Kidd concealed his plunder for a time, and afterwards reclaimed it, the rumors would scarcely have reached us in their present unvarying form. You will observe that the stories told are all about money-seekers, not about money-finders. Had the pirate recovered his money, there the affair would have dropped. It seemed to me that some accident--say the loss of a memorandum indicating its locality--had deprived him of the means of recovering it, and that this accident had become known to his followers, who otherwise might never have heard that the treasure had been concealed at all, and who, busying themselves in vain, because unguided, attempts to regain it, had given first birth, and then universal currency, to the reports which are now so common. Have you ever heard of any important treasure being unearthed along the coast?" "Never." "But that Kidd's accumulations were immense, is well known. I took it for granted, therefore, that the earth still held them; and you will scarcely be surprised when I tell you that I felt a hope, nearly amounting to certainty, that the parchment so strangely found involved a lost record of the place of deposit." "But how did you proceed?" "I held the vellum again to the fire, after increasing the heat, but nothing appeared. I now thought it possible that the coating of dirt might have something to do with the failure: so I carefully rinsed the parchment by pouring warm water over it, and, having done this, I placed it in a tin pan, with the skull downward, and put the pan upon a furnace of lighted charcoal. In a few minutes, the pan having become thoroughly heated, I removed the slip, and, to my inexpressible joy, found it spotted, in several places, with what appeared to be figures arranged in lines. Again I placed it in the pan, and suffered it to remain another minute. Upon taking it off, the whole was just as you see it now." Here Legrand, having reheated the parchment, submitted it to my inspection. The following characters were rudely traced, in a red tint, between the death's head and the goat: "53++!305))6*;4826)4+)4+).;806*;48!8]60))85;1+8*:+(;:+*8!83(88)5*!; 46(;88*96*?;8)*+(;485);5*!2:*+(;4956*2(5*-4)8]8*;4069285);)6!8)4++; 1(+9;48081;8:8+1;48!85;4)485!528806*81(+9;48;(88;4(+?34;48)4+;161;: 188;+?;" "But," said I, returning him the slip, "I am as much in the dark as ever. Were all the jewels of Golconda awaiting me upon my solution of this enigma, I am quite sure that I should be unable to earn them." "And yet," said Legrand, "the solution is by no means so difficult as you might be led to imagine from the first hasty inspection of the characters. These characters, as anyone might readily guess, form a cipher--that is to say, they convey a meaning; but then from what is known of Kidd, I could not suppose him capable of constructing any of the more abstruse cryptographs. I made up my mind, at once, that this was of a simple species--such, however, as would appear, to the crude intellect of the sailor, absolutely insoluble without the key." "And you really solved it?" "Readily; I have solved others of an abstruseness ten thousand times greater. Circumstances, and a certain bias of mind, have led me to take interest in such riddles, and it may well be doubted whether human ingenuity can construct an enigma of the kind which human ingenuity may not, by proper application, resolve. In fact, having once established connected and legible characters, I scarcely gave a thought to the mere difficulty of developing their import. "In the present case--indeed in all cases of secret writing--the first question regards the LANGUAGE of the cipher; for the principles of solution, so far, especially, as the more simple ciphers are concerned, depend upon, and are varied by, the genius of the particular idiom. In general, there is no alternative but experiment (directed by probabilities) of every tongue known to him who attempts the solution, until the true one be attained. But, with the cipher now before us, all difficulty was removed by the signature. The pun upon the word 'Kidd' is appreciable in no other language than the English. But for this consideration I should have begun my attempts with the Spanish and French, as the tongues in which a secret of this kind would most naturally have been written by a pirate of the Spanish main. As it was, I assumed the cryptograph to be English. "You observe there are no divisions between the words. Had there been divisions the task would have been comparatively easy. In such cases I should have commenced with a collation and analysis of the shorter words, and, had a word of a single letter occurred, as is most likely, (a or I, for example,) I should have considered the solution as assured. But, there being no division, my first step was to ascertain the predominant letters, as well as the least frequent. Counting all, I constructed a table thus: Of the character 8 there are 33. ; " 26. 4 " 19. +) " 16. * " 13. 5 " 12. 6 " 11. !1 " 8. 0 " 6. 92 " 5. :3 " 4. ? " 3. ] " 2. -. " 1. "Now, in English, the letter which most frequently occurs is e. Afterwards, the succession runs thus: a o i d h n r s t u y c f g l m w b k p q x z. E predominates so remarkably, that an individual sentence of any length is rarely seen, in which it is not the prevailing character. "Here, then, we have, in the very beginning, the groundwork for something more than a mere guess. The general use which may be made of the table is obvious--but, in this particular cipher, we shall only very partially require its aid. As our predominant character is 8, we will commence by assuming it as the e of the natural alphabet. To verify the supposition, let us observe if the 8 be seen often in couples--for e is doubled with great frequency in English--in such words, for example, as 'meet,' 'fleet,' 'speed,' 'seen,' 'been,' 'agree,' etc. In the present instance we see it doubled no less than five times, although the cryptograph is brief. "Let us assume 8, then, as e. Now, of all WORDS in the language, 'the' is most usual; let us see, therefore, whether there are not repetitions of any three characters, in the same order of collocation, the last of them being 8. If we discover repetitions of such letters, so arranged, they will most probably represent the word 'the.' Upon inspection, we find no less than seven such arrangements, the characters being ;48. We may, therefore, assume that ; represents t, 4 represents h, and 8 represents e--the last being now well confirmed. Thus a great step has been taken. "But, having established a single word, we are enabled to establish a vastly important point; that is to say, several commencements and terminations of other words. Let us refer, for example, to the last instance but one, in which the combination ;48 occurs--not far from the end of the cipher. We know that the ; immediately ensuing is the commencement of a word, and, of the six characters succeeding this 'the,' we are cognizant of no less than five. Let us set these characters down, thus, by the letters we know them to represent, leaving a space for the unknown-- t eeth. "Here we are enabled, at once, to discard the 'th,' as forming no portion of the word commencing with the first t; since, by experiment of the entire alphabet for a letter adapted to the vacancy, we perceive that no word can be formed of which this th can be a part. We are thus narrowed into t ee, and, going through the alphabet, if necessary, as before, we arrive at the word 'tree,' as the sole possible reading. We thus gain another letter, r, represented by (, with the words 'the tree' in juxtaposition. "Looking beyond these words, for a short distance, we again see the combination ;48, and employ it by way of TERMINATION to what immediately precedes. We have thus this arrangement: the tree ;4(4+?34 the, or, substituting the natural letters, where known, it reads thus: the tree thr+?3h the. "Now, if, in place of the unknown characters, we leave blank spaces, or substitute dots, we read thus: the tree thr...h the, when the word 'through' makes itself evident at once. But this discovery gives us three new letters, o, u, and g, represented by +, ?, and 3. "Looking now, narrowly, through the cipher for combinations of known characters, we find, not very far from the beginning, this arrangement, 83(88, or egree, which plainly, is the conclusion of the word 'degree,' and gives us another letter, d, represented by !. "Four letters beyond the word 'degree,' we perceive the combination ;46(;88. "Translating the known characters, and representing the unknown by dots, as before, we read thus: th.rtee, an arrangement immediately suggestive of the word thirteen,' and again furnishing us with two new characters, i and n, represented by 6 and *. "Referring, now, to the beginning of the cryptograph, we find the combination, 53++!. "Translating as before, we obtain .good, which assures us that the first letter is A, and that the first two words are 'A good.' "It is now time that we arrange our key, as far as discovered, in a tabular form, to avoid confusion. It will stand thus: 5 represents a ! " d 8 " e 3 " g 4 " h 6 " i * " n + " o ( " r ; " t ? " u "We have, therefore, no less than eleven of the most important letters represented, and it will be unnecessary to proceed with the details of the solution. I have said enough to convince you that ciphers of this nature are readily soluble, and to give you some insight into the rationale of their development. But be assured that the specimen before us appertains to the very simplest species of cryptograph. It now only remains to give you the full translation of the characters upon the parchment, as unriddled. Here it is: "'A good glass in the bishop's hostel in the devil's seat forty-one degrees and thirteen minutes northeast and by north main branch seventh limb east side shoot from the left eye of the death's head a bee-line from the tree through the shot fifty feet out.'" "But," said I, "the enigma seems still in as bad a condition as ever. How is it possible to extort a meaning from all this jargon about 'devil's seats,' 'death's heads,' and 'bishop's hostels'?" "I confess," replied Legrand, "that the matter still wears a serious aspect, when regarded with a casual glance. My first endeavor was to divide the sentence into the natural division intended by the cryptographist." "You mean, to punctuate it?" "Something of that kind." "But how was it possible to effect this?" "I reflected that it had been a POINT with the writer to run his words together without division, so as to increase the difficulty of solution. Now, a not overacute man, in pursuing such an object, would be nearly certain to overdo the matter. When, in the course of his composition, he arrived at a break in his subject which would naturally require a pause, or a point, he would be exceedingly apt to run his characters, at this place, more than usually close together. If you will observe the MS., in the present instance, you will easily detect five such cases of unusual crowding. Acting upon this hint I made the division thus: "'A good glass in the bishop's hostel in the devil's seat--forty- one degrees and thirteen minutes--northeast and by north--main branch seventh limb east side--shoot from the left eye of the death's head--a bee-line from the tree through the shot fifty feet out.'" "Even this division," said I, "leaves me still in the dark." "It left me also in the dark," replied Legrand, "for a few days; during which I made diligent inquiry in the neighborhood of Sullivan's Island, for any building which went by name of the 'Bishop's Hotel'; for, of course, I dropped the obsolete word 'hostel.' Gaining no information on the subject, I was on the point of extending my sphere of search, and proceeding in a more systematic manner, when, one morning, it entered into my head, quite suddenly, that this 'Bishop's Hostel' might have some reference to an old family, of the name of Bessop, which, time out of mind, had held possession of an ancient manor house, about four miles to the northward of the island. I accordingly went over to the plantation, and reinstituted my inquiries among the older negroes of the place. At length one of the most aged of the women said that she had heard of such a place as Bessop's Castle, and thought that she could guide me to it, but that it was not a castle, nor a tavern, but a high rock. "I offered to pay her well for her trouble, and, after some demur, she consented to accompany me to the spot. We found it without much difficulty, when, dismissing her, I proceeded to examine the place. The 'castle' consisted of an irregular assemblage of cliffs and rocks--one of the latter being quite remarkable for its height as well as for its insulated and artificial appearance. I clambered to its apex, and then felt much at a loss as to what should be next done. "While I was busied in reflection, my eyes fell upon a narrow ledge in the eastern face of the rock, perhaps a yard below the summit upon which I stood. This ledge projected about eighteen inches, and was not more than a foot wide, while a niche in the cliff just above it gave it a rude resemblance to one of the hollow-backed chairs used by our ancestors. I made no doubt that here was the 'devil's seat' alluded to in the MS., and now I seemed to grasp the full secret of the riddle. "The 'good glass,' I knew, could have reference to nothing but a telescope; for the word 'glass' is rarely employed in any other sense by seamen. Now here, I at once saw, was a telescope to be used, and a definite point of view, ADMITTING NO VARIATION, from which to use it. Nor did I hesitate to believe that the phrases, 'forty-one degrees and thirteen minutes,' and 'northeast and by north,' were intended as directions for the leveling of the glass. Greatly excited by these discoveries, I hurried home, procured a telescope, and returned to the rock. "I let myself down to the ledge, and found that it was impossible to retain a seat upon it except in one particular position. This fact confirmed my preconceived idea. I proceeded to use the glass. Of course, the 'forty-one degrees and thirteen minutes' could allude to nothing but elevation above the visible horizon, since the horizontal direction was clearly indicated by the words, 'northeast and by north.' This latter direction I at once established by means of a pocket compass; then, pointing the glass as nearly at an angle of forty-one degrees of elevation as I could do it by guess, I moved it cautiously up or down, until my attention was arrested by a circular rift or opening in the foliage of a large tree that overtopped its fellows in the distance. In the center of this rift I perceived a white spot, but could not, at first, distinguish what it was. Adjusting the focus of the telescope, I again looked, and now made it out to be a human skull. "Upon this discovery I was so sanguine as to consider the enigma solved; for the phrase 'main branch, seventh limb, east side,' could refer only to the position of the skull upon the tree, while 'shoot from the left eye of the death's head' admitted, also, of but one interpretation, in regard to a search for buried treasure. I perceived that the design was to drop a bullet from the left eye of the skull, and that a bee-line, or, in other words, a straight line, drawn from the nearest point of the trunk 'through the shot' (or the spot where the bullet fell), and thence extended to a distance of fifty feet, would indicate a definite point--and beneath this point I thought it at least POSSIBLE that a deposit of value lay concealed." "All this," I said, "is exceedingly clear, and, although ingenious, still simple and explicit. When you left the Bishop's Hotel, what then?" "Why, having carefully taken the bearings of the tree, I turned homeward. The instant that I left 'the devil's seat,' however, the circular rift vanished; nor could I get a glimpse of it afterwards, turn as I would. What seems to me the chief ingenuity in this whole business, is the fact (for repeated experiment has convinced me it IS a fact) that the circular opening in question is visible from no other attainable point of view than that afforded by the narrow ledge upon the face of the rock. "In this expedition to the 'Bishop's Hotel' I had been attended by Jupiter, who had, no doubt, observed, for some weeks past, the abstraction of my demeanor, and took especial care not to leave me alone. But, on the next day, getting up very early, I contrived to give him the slip, and went into the hills in search of the tree. After much toil I found it. When I came home at night my valet proposed to give me a flogging. With the rest of the adventure I believe you are as well acquainted as myself." "I suppose," said I, "you missed the spot, in the first attempt at digging, through Jupiter's stupidity in letting the bug fall through the right instead of through the left eye of the skull." "Precisely. This mistake made a difference of about two inches and a half in the 'shot'--that is to say, in the position of the peg nearest the tree; and had the treasure been BENEATH the 'shot,' the error would have been of little moment; but 'the shot,' together with the nearest point of the tree, were merely two points for the establishment of a line of direction; of course the error, however trivial in the beginning, increased as we proceeded with the line, and by the time we had gone fifty feet threw us quite off the scent. But for my deep-seated impressions that treasure was here somewhere actually buried, we might have had all our labor in vain." "But your grandiloquence, and your conduct in swinging the beetle-- how excessively odd! I was sure you were mad. And why did you insist upon letting fall the bug, instead of a bullet, from the skull?" "Why, to be frank, I felt somewhat annoyed by your evident suspicions touching my sanity, and so resolved to punish you quietly, in my own way, by a little bit of sober mystification. For this reason I swung the beetle, and for this reason I let it fall from the tree. An observation of yours about its great weight suggested the latter idea." "Yes, I perceive; and now there is only one point which puzzles me. What are we to make of the skeletons found in the hole?" "That is a question I am no more able to answer than yourself. There seems, however, only one plausible way of accounting for them--and yet it is dreadful to believe in such atrocity as my suggestion would imply. It is clear that Kidd--if Kidd indeed secreted this treasure, which I doubt not--it is clear that he must have had assistance in the labor. But this labor concluded, he may have thought it expedient to remove all participants in his secret. Perhaps a couple of blows with a mattock were sufficient, while his coadjutors were busy in the pit; perhaps it required a dozen--who shall tell?" nettle-3.10/testsuite/pbkdf2-test.c0000644000175000017500000001732014633602172016305 0ustar nissenisse#include "testutils.h" #include "hmac.h" #include "pbkdf2.h" /* NOTE: The salt argument is expected to expand to length, data */ #define PBKDF2_TEST(ctx, update, digest, size, c, salt, expect) \ do { \ dk[expect->length] = 17; \ PBKDF2 (ctx, update, digest, size, c, salt, expect->length, dk); \ ASSERT(MEMEQ (expect->length, dk, expect->data)); \ ASSERT(dk[expect->length] == 17); \ } while (0) #define PBKDF2_HMAC_TEST(f, key, c, salt, expect) \ do { \ dk[expect->length] = 17; \ f (key, c, salt, expect->length, dk); \ ASSERT(MEMEQ (expect->length, dk, expect->data)); \ ASSERT(dk[expect->length] == 17); \ } while (0) /* Streebog test has particularly long testcase */ #define MAX_DKLEN 100 void test_main (void) { uint8_t dk[MAX_DKLEN + 1]; struct hmac_sha1_ctx sha1ctx; struct hmac_sha256_ctx sha256ctx; struct hmac_sha512_ctx sha512ctx; struct hmac_gosthash94cp_ctx gosthash94cpctx; struct hmac_streebog512_ctx streebog512ctx; struct hmac_streebog256_ctx streebog256ctx; /* Test vectors for PBKDF2 from RFC 6070. */ hmac_sha1_set_key (&sha1ctx, LDATA("password")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 1, LDATA("salt"), SHEX("0c60c80f961f0e71f3a9b524af6012062fe037a6")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 2, LDATA("salt"), SHEX("ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 4096, LDATA("salt"), SHEX("4b007901b765489abead49d926f721d065a429c1")); #if 0 /* too slow */ PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 16777216, LDATA("salt"), SHEX("eefe3d61cd4da4e4e9945b3d6ba2158c2634e984")); #endif hmac_sha1_set_key (&sha1ctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 4096, LDATA("saltSALTsaltSALTsaltSALTsaltSALTsalt"), SHEX("3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038")); hmac_sha1_set_key (&sha1ctx, LDATA("pass\0word")); PBKDF2_TEST (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, 4096, LDATA("sa\0lt"), SHEX("56fa6aa75548099dcc37d7f03425e0c3")); /* PBKDF2-HMAC-SHA-256 test vectors confirmed with another implementation. */ hmac_sha256_set_key (&sha256ctx, LDATA("passwd")); PBKDF2_TEST (&sha256ctx, hmac_sha256_update, hmac_sha256_digest, SHA256_DIGEST_SIZE, 1, LDATA("salt"), SHEX("55ac046e56e3089fec1691c22544b605")); hmac_sha256_set_key (&sha256ctx, LDATA("Password")); PBKDF2_TEST (&sha256ctx, hmac_sha256_update, hmac_sha256_digest, SHA256_DIGEST_SIZE, 80000, LDATA("NaCl"), SHEX("4ddcd8f60b98be21830cee5ef22701f9")); /* PBKDF2-HMAC-SHA-512 test vectors confirmed with another implementation (python-pbkdf2). >>> from pbkdf2 import PBKDF2 >>> import hmac as HMAC >>> from hashlib import sha512 as SHA512 >>> PBKDF2("password", "salt", 50, macmodule=HMAC, digestmodule=SHA512).read(64).encode('hex') */ hmac_sha512_set_key (&sha512ctx, LDATA("password")); PBKDF2_TEST (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, 1, LDATA("NaCL"), SHEX("73decfa58aa2e84f94771a75736bb88bd3c7b38270cfb50cb390ed78b305656af8148e52452b2216b2b8098b761fc6336060a09f76415e9f71ea47f9e9064306")); hmac_sha512_set_key (&sha512ctx, LDATA("pass\0word")); PBKDF2_TEST (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, 1, LDATA("sa\0lt"), SHEX("71a0ec842abd5c678bcfd145f09d83522f93361560563c4d0d63b88329871090e76604a49af08fe7c9f57156c8790996b20f06bc535e5ab5440df7e878296fa7")); hmac_sha512_set_key (&sha512ctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&sha512ctx, hmac_sha512_update, hmac_sha512_digest, SHA512_DIGEST_SIZE, 50, LDATA("salt\0\0\0"), SHEX("016871a4c4b75f96857fd2b9f8ca28023b30ee2a39f5adcac8c9375f9bda1ccd1b6f0b2fc3adda505412e79d890056c62e524c7d51154b1a8534575bd02dee39")); /* Test convenience functions. */ PBKDF2_HMAC_TEST(pbkdf2_hmac_sha1, LDATA("password"), 1, LDATA("salt"), SHEX("0c60c80f961f0e71f3a9b524af6012062fe037a6")); PBKDF2_HMAC_TEST(pbkdf2_hmac_sha256, LDATA("passwd"), 1, LDATA("salt"), SHEX("55ac046e56e3089fec1691c22544b605")); PBKDF2_HMAC_TEST(pbkdf2_hmac_sha384, LDATA("passwd"), 1, LDATA("salt"), SHEX("cd3443723a41cf1460cca9efeede428a")); PBKDF2_HMAC_TEST(pbkdf2_hmac_sha512, LDATA("passwd"), 1, LDATA("salt"), SHEX("c74319d99499fc3e9013acff597c23c5")); /* From TC26 document, MR 26.2.001-2012 */ hmac_gosthash94cp_set_key (&gosthash94cpctx, LDATA("password")); PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, 1, LDATA("salt"), SHEX("7314e7c04fb2e662c543674253f68bd0b73445d07f241bed872882da21662d58")); PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, 4096, LDATA("salt"), SHEX("1f1829a94bdff5be10d0aeb36af498e7a97467f3b31116a5a7c1afff9deadafe")); hmac_gosthash94cp_set_key (&gosthash94cpctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, 4096, LDATA("saltSALTsaltSALTsaltSALTsaltSALTsalt"), SHEX("788358c69cb2dbe251a7bb17d5f4241f265a792a35becde8d56f326b49c85047b7638acb4764b1fd")); hmac_gosthash94cp_set_key (&gosthash94cpctx, LDATA("pass\0word")); PBKDF2_TEST (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, 4096, LDATA("sa\0lt"), SHEX("43e06c5590b08c0225242373127edf9c8e9c3291")); PBKDF2_HMAC_TEST (pbkdf2_hmac_gosthash94cp, LDATA("password"), 1, LDATA("salt"), SHEX("7314e7c04fb2e662c543674253f68bd0b73445d07f241bed872882da21662d58")); /* From TC26 document R 50.1.111-2016 */ hmac_streebog512_set_key (&streebog512ctx, LDATA("password")); PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, STREEBOG512_DIGEST_SIZE, 1, LDATA("salt"), SHEX("64770af7f748c3b1c9ac831dbcfd85c26111b30a8a657ddc3056b80ca73e040d2854fd36811f6d825cc4ab66ec0a68a490a9e5cf5156b3a2b7eecddbf9a16b47")); PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, STREEBOG512_DIGEST_SIZE, 4096, LDATA("salt"), SHEX("e52deb9a2d2aaff4e2ac9d47a41f34c20376591c67807f0477e32549dc341bc7867c09841b6d58e29d0347c996301d55df0d34e47cf68f4e3c2cdaf1d9ab86c3")); hmac_streebog512_set_key (&streebog512ctx, LDATA("passwordPASSWORDpassword")); PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, STREEBOG512_DIGEST_SIZE, 4096, LDATA("saltSALTsaltSALTsaltSALTsaltSALTsalt"), SHEX("b2d8f1245fc4d29274802057e4b54e0a0753aa22fc53760b301cf008679e58fe4bee9addcae99ba2b0b20f431a9c5e50f395" "c89387d0945aedeca6eb4015dfc2bd2421ee9bb71183ba882ceebfef259f33f9e27dc6178cb89dc37428cf9cc52a2baa2d3a")); hmac_streebog512_set_key (&streebog512ctx, LDATA("pass\0word")); PBKDF2_TEST (&streebog512ctx, hmac_streebog512_update, hmac_streebog512_digest, STREEBOG512_DIGEST_SIZE, 4096, LDATA("sa\0lt"), SHEX("50df062885b69801a3c10248eb0a27ab6e522ffeb20c991c660f001475d73a4e167f782c18e97e92976d9c1d970831ea78ccb879f67068cdac1910740844e830")); /* Generated */ hmac_streebog256_set_key (&streebog256ctx, LDATA("password")); PBKDF2_TEST (&streebog256ctx, hmac_streebog256_update, hmac_streebog256_digest, STREEBOG256_DIGEST_SIZE, 1, LDATA("salt"), SHEX("d789458d143b9abebc4ef63ca8e576c72b13c7d4289db23fc1e946f84cd605bc")); } nettle-3.10/testsuite/ed25519-test.c0000644000175000017500000001306114633602172016131 0ustar nissenisse/* ed25519-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #include "testutils.h" #include #include "eddsa.h" #include "base16.h" static void decode_hex (size_t length, uint8_t *dst, const char *src) { struct base16_decode_ctx ctx; size_t out_size; base16_decode_init (&ctx); ASSERT (base16_decode_update (&ctx, &out_size, dst, 2*length, src)); ASSERT (out_size == length); ASSERT (base16_decode_final (&ctx)); } /* Processes a single line in the format of http://ed25519.cr.yp.to/python/sign.input: sk pk : pk : m : s m : where sk (secret key) and pk (public key) are 32 bytes each, m is variable size, and s is 64 bytes. All values hex encoded. */ static void test_one (const char *line) { const char *p; const char *mp; uint8_t sk[ED25519_KEY_SIZE]; uint8_t pk[ED25519_KEY_SIZE]; uint8_t t[ED25519_KEY_SIZE]; uint8_t s[ED25519_SIGNATURE_SIZE]; uint8_t *msg; size_t msg_size; uint8_t s2[ED25519_SIGNATURE_SIZE]; decode_hex (ED25519_KEY_SIZE, sk, line); p = strchr (line, ':'); ASSERT (p == line + 128); p++; decode_hex (ED25519_KEY_SIZE, pk, p); p = strchr (p, ':'); ASSERT (p == line + 193); mp = ++p; p = strchr (p, ':'); ASSERT (p); ASSERT ((p - mp) % 2 == 0); msg_size = (p - mp) / 2; decode_hex (ED25519_SIGNATURE_SIZE, s, p+1); msg = xalloc (msg_size + 1); msg[msg_size] = 'x'; decode_hex (msg_size, msg, mp); mark_bytes_undefined (ED25519_KEY_SIZE, sk); ed25519_sha512_public_key (t, sk); mark_bytes_defined (ED25519_KEY_SIZE, t); ASSERT (MEMEQ(ED25519_KEY_SIZE, t, pk)); ed25519_sha512_sign (pk, sk, msg_size, msg, s2); mark_bytes_defined (ED25519_SIGNATURE_SIZE, s2); ASSERT (MEMEQ (ED25519_SIGNATURE_SIZE, s, s2)); ASSERT (ed25519_sha512_verify (pk, msg_size, msg, s)); s2[ED25519_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s2)); memcpy (s2, s, ED25519_SIGNATURE_SIZE); s2[2*ED25519_SIGNATURE_SIZE/3] ^= 0x40; ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s2)); ASSERT (!ed25519_sha512_verify (pk, msg_size + 1, msg, s)); if (msg_size > 0) { msg[msg_size-1] ^= 0x20; ASSERT (!ed25519_sha512_verify (pk, msg_size, msg, s)); } free (msg); } #ifndef HAVE_GETLINE static ssize_t getline(char **lineptr, size_t *n, FILE *f) { size_t i; int c; if (!*lineptr) { *n = 500; *lineptr = xalloc (*n); } i = 0; do { c = getc(f); if (c < 0) { if (i > 0) break; return -1; } (*lineptr) [i++] = c; if (i == *n) { *n *= 2; *lineptr = realloc (*lineptr, *n); if (!*lineptr) die ("Virtual memory exhausted.\n"); } } while (c != '\n'); (*lineptr) [i] = 0; return i; } #endif void test_main(void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif const char *input = getenv ("ED25519_SIGN_INPUT"); if (input) { size_t buf_size; char *buf; FILE *f = fopen (input, "r"); if (!f) die ("Opening input file '%s' failed: %s\n", input, strerror (errno)); for (buf = NULL; getline (&buf, &buf_size, f) >= 0; ) test_one (buf); free (buf); fclose (f); } else { /* First few lines only */ test_one ("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a:d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a::e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b:"); test_one ("4ccd089b28ff96da9db6c346ec114e0f5b8a319f35aba624da8cf6ed4fb8a6fb3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c:3d4017c3e843895a92b70aa74d1b7ebc9c982ccf2ec4968cc0cd55f12af4660c:72:92a009a9f0d4cab8720e820b5f642540a2b27b5416503f8fb3762223ebdb69da085ac1e43e15996e458f3613d0f11d8c387b2eaeb4302aeeb00d291612bb0c0072:"); test_one ("c5aa8df43f9f837bedb7442f31dcb7b166d38535076f094b85ce3a2e0b4458f7fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025:fc51cd8e6218a1a38da47ed00230f0580816ed13ba3303ac5deb911548908025:af82:6291d657deec24024827e69c3abe01a30ce548a284743a445e3680d7db5ac3ac18ff9b538d16f290ae67f760984dc6594a7c15e9716ed28dc027beceea1ec40aaf82:"); test_one ("0d4a05b07352a5436e180356da0ae6efa0345ff7fb1572575772e8005ed978e9e61a185bcef2613a6c7cb79763ce945d3b245d76114dd440bcf5f2dc1aa57057:e61a185bcef2613a6c7cb79763ce945d3b245d76114dd440bcf5f2dc1aa57057:cbc77b:d9868d52c2bebce5f3fa5a79891970f309cb6591e3e1702a70276fa97c24b3a8e58606c38c9758529da50ee31b8219cba45271c689afa60b0ea26c99db19b00ccbc77b:"); } } nettle-3.10/testsuite/cnd-memcpy-test.c0000644000175000017500000000176514633602172017177 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" #include "memops.h" static void cnd_memcpy_for_test(int cnd, void *dst, const void *src, size_t n) { /* Makes valgrind trigger on any branches depending on the input data. */ mark_bytes_undefined (n, dst); mark_bytes_undefined (n, src); mark_bytes_undefined (sizeof(cnd), &cnd); cnd_memcpy (cnd, dst, src, n); mark_bytes_defined (n, src); mark_bytes_defined (n, dst); } #define MAX_SIZE 50 void test_main(void) { uint8_t src[MAX_SIZE]; uint8_t dst[MAX_SIZE]; uint8_t res[MAX_SIZE]; struct knuth_lfib_ctx random_ctx; knuth_lfib_init (&random_ctx, 11); size_t size; for (size = 1; size < 50; size++) { knuth_lfib_random (&random_ctx, size, src); knuth_lfib_random (&random_ctx, size, dst); memcpy (res, dst, size); cnd_memcpy_for_test (0, res, src, size); ASSERT (memcmp (res, dst, size) == 0); cnd_memcpy_for_test (1, res, src, size); ASSERT (memcmp (res, src, size) == 0); } } nettle-3.10/testsuite/dsa-test.c0000644000175000017500000012536714633602172015717 0ustar nissenisse#include "testutils.h" void test_main(void) { struct dsa_public_key pub; struct dsa_private_key key; struct dsa_signature signature; struct dsa_params *params = (struct dsa_params *) &pub; dsa_public_key_init(&pub); dsa_private_key_init(&key); dsa_signature_init(&signature); mpz_set_str(pub.p, "83d9a7c2ce2a9179f43cdb3bffe7de0f0eef26dd5dfae44d" "531bc0de45634d2c07cb929b0dbe10da580070e6abfbb841" "5c44bff570b8ad779df653aad97dc7bdeb815d7e88103e61" "606ed3d8a295fbfd340d2d49e220833ebace5511e22c4f02" "97ed351e9948fa848e9c8fadb7b47bcc47def4255b5e1d5e" "10215b3b55a0b85f", 16); mpz_set_str(pub.q, "8266e0deaf46020ba48d410ca580f3a978629b5d", 16); mpz_set_str(pub.g, "30d34bb9f376bec947154afe4076bc7d359c9d32f5471ddb" "be8d6a941c47fa9dc4f32573151dbb4aa59eb989b74ac36b" "b6310a5e8b580501655d91f393daa193ae1303049b87febb" "093dc0404b53b4c5da2463300f9c5b156d788c4ace8ecbb9" "dd00c18d99537f255ac025d074d894a607cbe3023a1276ef" "556916a33f7de543", 16); mpz_set_str(pub.y, "64402048b27f39f404a546a84909c9c0e9e2dd153a849946" "1062892598d30af27ae3cefc2b700fb6d077390a83bdcad7" "8a1299487c9623bb62af0c85a3df9ef1ee2c0d66658e1fd3" "283b5407f6cd30ee7e6154fad41a6a8b0f5c86c5accc1127" "bf7c9a5d6badcb012180cb62a55c5e17d6d3528cdbe002cc" "ee131c1b86867f7a", 16); mpz_set_str(key.x, "56c6efaf878d06eef21dc070fab71da6ec1e30a6", 16); test_dsa_key(params, pub.y, key.x, 160); mpz_set_str(signature.r, "180342f8d4fb5bd0311ebf205bdee6e556014eaf", 16); mpz_set_str(signature.s, "392dc6566b2735531a8460966171464ef7ddfe12", 16); test_dsa160(&pub, &key, &signature); mpz_set_str(pub.p, "fda45d8f1df8f2b84fb3cf9ae69f93b087d98bea282f643e" "23472c5b57605952010e4c846d711f2783e8ad4e1447698e" "2e328fdb1d411ccb0f3caef5b8fc0b9dcecfadf022ecc7de" "5c153c8f10fe88d63abf7d296ad485dfd6eead595fc1c36b" "8bd42e8668b55b2bb0f1a6aecbe678df504880de2481a5e4" "97d1b7d92ee48ffeb083a1833094a0418ec0d914409c720c" "87ea63c164ec448c471b574a8f88073ebeb44dc6d6b98260" "46126f03022ff04dcb6a2381a09b0a227d3c57cfbfd48e4a" "19cbb0a35242c9e234ebe105ae26cab01ede40aa2869fad8" "6bff57a19ec87b8de294ca03269c268c10813f18169beac5" "ac97c0e748ccb244282c50c670e1bccb", 16); mpz_set_str(pub.q, "bd612630da4d930779a32546dc413efd299111b443c7355d" "65d991163cc3cd9d", 16); mpz_set_str(pub.g, "050c56e14adb03e47d3902852f5b21c96c28a2aa89619c8b" "78a98aa5083700994f99184588d2cefaf2a3ea213dd2d084" "0e682a52357d5fefaef44520622f021855744d638e792f21" "89543f9770aa1960da4d7b325a37a2922b035c8da3d71543" "5d7a6ddefc62e84fe76fecbbf9667c6a1781a84aa434548b" "bdc315f2fb0a420d65c1f72911845b148e994660138052a1" "fce1c6f933be155b2af8c0177277cd3b75d9477ddbcb77bc" "f5cccea915a2f3750ba41f337edd44f768cb3d24b17e299d" "5cebe5e78cbaf5ad41e815edfc71df3131bd5359c653a224" "bd3ac6a27bad7efff11b24fad0109ee26e4df76fc99e150d" "666a9294bab8a03f113d228bfad349f4", 16); mpz_set_str(pub.y, "da7f9abb0b554afaa926c9cffa897239bfdbc58ed9981748" "edb1e38f42dea0560a407a48b509a5cb460bf31dee9057a0" "b41d468698fa82ff03c47e8f3f6564c74d6f1daa5f84ad25" "b937317f861fa68c19e20d6b855e85cd94d5af95b968416e" "6d43711f24d5497f018b7627d2bed25dc793ddb897fdcc34" "5d183e43a80205483dea7a12185be3b185a7d84d3385b962" "4485882722d177ccd8f49c5b519fb96b9b59fcfc63422f25" "88fb8ff00bce46acb7c80d105c31414ecf5be0a0dad975bd" "dcd83d6f063f9bce562fdd5b68e18fc2159dbb2457adc7a7" "ee5bc0796eff370908f866a41b9a8873f89e1904925141f8" "e574df25bd869f43a184a804e8ce5fcc", 16); mpz_set_str(key.x, "39f84f88569da55c6bee7e18175b539ea9b7ee24fabd85a7" "1fa8c93b7181545b", 16); test_dsa_key(params, pub.y, key.x, 256); mpz_set_str(signature.r, "03fe95c9dbbe1be019d7914e45c37c70" "0f499f559312a59f3bc5037f51d3f74c", 16); mpz_set_str(signature.s, "839dbee8d30e6b0cc349528f900f30ee" "6d4ce9864332d07c87b5a98bd75dbdbb", 16); test_dsa256(&pub, &key, &signature); /* Some of the test vectors from http://csrc.nist.gov/groups/STM/cavp/documents/dss/186-3dsatestvectors.zip */ /* L=1024, N=160, SHA-1 */ mpz_set_str(pub.p, "a8f9cd201e5e35d892f85f80e4db2599a5676a3b1d4f1903" "30ed3256b26d0e80a0e49a8fffaaad2a24f472d2573241d4" "d6d6c7480c80b4c67bb4479c15ada7ea8424d2502fa01472" "e760241713dab025ae1b02e1703a1435f62ddf4ee4c1b664" "066eb22f2e3bf28bb70a2a76e4fd5ebe2d1229681b5b0643" "9ac9c7e9d8bde283", 16); mpz_set_str(pub.q, "f85f0f83ac4df7ea0cdf8f469bfeeaea14156495", 16); mpz_set_str(pub.g, "2b3152ff6c62f14622b8f48e59f8af46883b38e79b8c74de" "eae9df131f8b856e3ad6c8455dab87cc0da8ac973417ce4f" "7878557d6cdf40b35b4a0ca3eb310c6a95d68ce284ad4e25" "ea28591611ee08b8444bd64b25f3f7c572410ddfb39cc728" "b9c936f85f419129869929cdb909a6a3a99bbe0892163681" "71bd0ba81de4fe33", 16); mpz_set_str(pub.y, "313fd9ebca91574e1c2eebe1517c57e0c21b0209872140c5" "328761bbb2450b33f1b18b409ce9ab7c4cd8fda3391e8e34" "868357c199e16a6b2eba06d6749def791d79e95d3a4d09b2" "4c392ad89dbf100995ae19c01062056bb14bce005e8731ef" "de175f95b975089bdcdaea562b32786d96f5a31aedf75364" "008ad4fffebb970b", 16); mpz_set_str(signature.r, "50ed0e810e3f1c7cb6ac62332058448bd8b284c0", 16); mpz_set_str(signature.s, "c6aded17216b46b7e4b6f2a97c1ad7cc3da83fde", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("3b46736d559bd4e0c2c1b2553a33ad3c6cf23cac998d3d0c" "0e8fa4b19bca06f2f386db2dcff9dca4f40ad8f561ffc308" "b46c5f31a7735b5fa7e0f9e6cb512e63d7eea05538d66a75" "cd0d4234b5ccf6c1715ccaaf9cdc0a2228135f716ee9bdee" "7fc13ec27a03a6d11c5c5b3685f51900b1337153bc6c4e8f" "52920c33fa37f4e7"), &signature); mpz_set_str(pub.y, "29bdd759aaa62d4bf16b4861c81cf42eac2e1637b9ecba51" "2bdbc13ac12a80ae8de2526b899ae5e4a231aef884197c94" "4c732693a634d7659abc6975a773f8d3cd5a361fe2492386" "a3c09aaef12e4a7e73ad7dfc3637f7b093f2c40d6223a195" "c136adf2ea3fbf8704a675aa7817aa7ec7f9adfb2854d4e0" "5c3ce7f76560313b", 16); mpz_set_str(signature.r, "a26c00b5750a2d27fe7435b93476b35438b4d8ab", 16); mpz_set_str(signature.s, "61c9bfcb2938755afa7dad1d1e07c6288617bf70", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("d2bcb53b044b3e2e4b61ba2f91c0995fb83a6a97525e6644" "1a3b489d9594238bc740bdeea0f718a769c977e2de003877" "b5d7dc25b182ae533db33e78f2c3ff0645f2137abc137d4e" "7d93ccf24f60b18a820bc07c7b4b5fe08b4f9e7d21b256c1" "8f3b9d49acc4f93e2ce6f3754c7807757d2e1176042612cb" "32fc3f4f70700e25"), &signature); /* L=1024, N=160, SHA-224 */ mpz_set_str(pub.p, "8b9b32f5ba38faad5e0d506eb555540d0d7963195558ca30" "8b7466228d92a17b3b14b8e0ab77a9f3b2959a09848aa69f" "8df92cd9e9edef0adf792ce77bfceccadd9352700ca5faec" "f181fa0c326db1d6e5d352458011e51bd3248f4e3bd7c820" "d7e0a81932aca1eba390175e53eada197223674e3900263e" "90f72d94e7447bff", 16); mpz_set_str(pub.q, "bc550e965647fb3a20f245ec8475624abbb26edd", 16); mpz_set_str(pub.g, "11333a931fba503487777376859fdc12f7c687b0948ae889" "d287f1b7a712ad220ae4f1ce379d0dbb5c9abf419621f005" "fc123c327e5055d1850634c36d397e689e111d598c1c3636" "b940c84f42f436846e8e7fcad9012ceda398720f32fffd1a" "45ab6136ce417069207ac140675b8f86dd063915ae6f62b0" "cec729fbd509ac17", 16); mpz_set_str(pub.y, "7e339f3757450390160e02291559f30bed0b2d758c5ccc2d" "8d456232bb435ae49de7e7957e3aad9bfdcf6fd5d9b6ee3b" "521bc2229a8421dc2aa59b9952345a8fc1de49b348003a9b" "18da642d7f6f56e3bc665131ae9762088a93786f7b4b72a4" "bcc308c67e2532a3a5bf09652055cc26bf3b18833598cffd" "7011f2285f794557", 16); mpz_set_str(signature.r, "afee719e7f848b54349ccc3b4fb26065833a4d8e", 16); mpz_set_str(signature.s, "734efe992256f31325e749bc32a24a1f957b3a1b", 16); test_dsa_verify(params, pub.y, &nettle_sha224, SHEX("fb2128052509488cad0745ed3e6312850dd96ddaf791f1e6" "24e22a6b9beaa65319c325c78ef59cacba0ccfa722259f24" "f92c17b77a8f6d8e97c93d880d2d8dbbbedcf6acefa06b0e" "476ca2013d0394bd90d56c10626ef43cea79d1ef0bc7ac45" "2bf9b9acaef70325e055ac006d34024b32204abea4be5faa" "e0a6d46d365ed0d9"), &signature); /* L=1024, N=160, SHA-256 */ mpz_set_str(pub.p, "cba13e533637c37c0e80d9fcd052c1e41a88ac325c4ebe13" "b7170088d54eef4881f3d35eae47c210385a8485d2423a64" "da3ffda63a26f92cf5a304f39260384a9b7759d8ac1adc81" "d3f8bfc5e6cb10efb4e0f75867f4e848d1a338586dd0648f" "eeb163647ffe7176174370540ee8a8f588da8cc143d939f7" "0b114a7f981b8483", 16); mpz_set_str(pub.q, "95031b8aa71f29d525b773ef8b7c6701ad8a5d99", 16); mpz_set_str(pub.g, "45bcaa443d4cd1602d27aaf84126edc73bd773de6ece15e9" "7e7fef46f13072b7adcaf7b0053cf4706944df8c4568f26c" "997ee7753000fbe477a37766a4e970ff40008eb900b9de4b" "5f9ae06e06db6106e78711f3a67feca74dd5bddcdf675ae4" "014ee9489a42917fbee3bb9f2a24df67512c1c35c97bfbf2" "308eaacd28368c5c", 16); mpz_set_str(pub.y, "4cd6178637d0f0de1488515c3b12e203a3c0ca652f2fe30d" "088dc7278a87affa634a727a721932d671994a958a0f8922" "3c286c3a9b10a96560542e2626b72e0cd28e5133fb57dc23" "8b7fab2de2a49863ecf998751861ae668bf7cad136e6933f" "57dfdba544e3147ce0e7370fa6e8ff1de690c51b4aeedf04" "85183889205591e8", 16); mpz_set_str(signature.r, "76683a085d6742eadf95a61af75f881276cfd26a", 16); mpz_set_str(signature.s, "3b9da7f9926eaaad0bebd4845c67fcdb64d12453", 16); test_dsa_verify(params, pub.y, &nettle_sha256, SHEX("812172f09cbae62517804885754125fc6066e9a902f9db20" "41eeddd7e8da67e4a2e65d0029c45ecacea6002f9540eb10" "04c883a8f900fd84a98b5c449ac49c56f3a91d8bed3f08f4" "27935fbe437ce46f75cd666a0707265c61a096698dc2f36b" "28c65ec7b6e475c8b67ddfb444b2ee6a984e9d6d15233e25" "e44bd8d7924d129d"), &signature); /* L=2048, N=224, SHA-1 */ mpz_set_str(pub.p, "f2d39ed3062b13c916273600a0f2a029e86d7a4b9217b4f1" "815bf2b24d9710a57ab33f997294b014585b8d0198dfdccb" "cd75314da5ff85aa344b45adaeaa979b51a312a7bfa94472" "fb633f1a6f156bb4458867dfd38403f06b851f00fe2d3484" "077bded71ab7513d04a140220575fb693395480e4c8402b7" "a46cec2d37a778c305accd1f13e9f62e865315f4b22cc467" "c8986ec8e4961ddf810566b0c4ee369ac6aa15e43f474400" "5826f5bde8071a19e30b6909aac4b3d174237270dad02799" "d09b8a2cc5f22e66894b5422228b2c234f11f5a771c5b89c" "f465a2acecbbeeaa1725fe8f9b59422be8991052cb556ddf" "2c8ce8fa9206dbf39feadc194e00f8e5", 16); mpz_set_str(pub.q, "8000000000000000c118f49835e4ef733c4d15800fcf059e884d31b1", 16); mpz_set_str(pub.g, "e3a93c09da6f560e4d483a382a4c546f2335c36a4c35ac14" "63c08a3e6dd415df56fdc537f25fd5372be63e4f5300780b" "782f1acd01c8b4eb33414615fd0ea82573acba7ef83f5a94" "3854151afc2d7dfe121fb8cd03335b065b549c5dcc606be9" "052483bc284e12ac3c8dba09b426e08402030e70bc1cc2bf" "8957c4ba0630f3f32ad689389ac47443176063f247d9e229" "6b3ea5b5bc2335828ea1a080ed35918dee212fd031279d1b" "894f01afec523833669eac031a420e540ba1320a59c424a3" "e5849a460a56bcb001647885b1433c4f992971746bfe2977" "ce7259c550b551a6c35761e4a41af764e8d92132fcc0a59d" "1684eab90d863f29f41cf7578faa908c", 16); mpz_set_str(pub.y, "289ff18c32a56bb0b8839370647683a38a5a7e291410b932" "07212adc8088d30f93e9e4abc523f3d46936e7d5c90d8874" "2b36afd37563408f15c8c1a4f7ac24bf05f01008ffee70c8" "825d57c3a9308bad8a095af2b53b2dda3cbed846d95e301e" "b9b84766415d11f6c33209a0d28571096ab04a79aa0dc465" "997529686b68e887cd8a205c2dc8195aef0422eba9979f54" "9ac85548e419413643b7244361153ada1480d238cd00dc16" "527938955548dd5d027ded1029eeeb8ed6c61b4cd59341d8" "b15466e9da890a989996f4d7691e6072de136af28b5874bf" "08bd1f8a60cfb1c00888132909f515e04bce81b02951aa41" "baac68ffdb8c5dc77a1d32d8f2c10dd7", 16); mpz_set_str(signature.r, "45df2f423e94bf155dd4e1d9e63f315ea606dd38527d4cf6328738c8", 16); mpz_set_str(signature.s, "59b3e8efa5bc0ccbf4a3cbb6515c4b9bf784cfacdcc101dc9f81d31f", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("edc6fd9b6c6e8a59f283016f7f29ee16deeaa609b5737927" "162aef34fed985d0bcb550275637ba67831a2d4efccb3529" "6dfe730f4a0b4f4728d1d7d1bb8f4a36238a5c94311fa113" "4a93a6b4de39c085e9f60ae4e237c0416d58042bb36baa38" "cba8c896295b745d5376fd8ce42eb6ee5a1b38f87716b265" "b76e58cfb24a9170"), &signature); /* L=2048, N=224, SHA-224 */ mpz_set_str(pub.p, "aa815c9db1c4d3d2773c7d0d4d1da75ecfc4a39e97d5fa19" "1ffec8b1490a290ce335e5ce87ea620a8a17de0bb64714e2" "ec840bf00e6ebdb4ffb4e324ca07c3c8717309af1410362a" "772c9add838b2b0cae1e90ab448adabdacd2e5df59c4187a" "32a23719d6c57e9400885383bf8f066f23b941920d54c35b" "4f7cc5044f3b40f17046956307b748e840732844d00a9ce6" "ec5714293b6265147f15c67f4be38b082b55fdeadb612468" "9fb76f9d25cc28b8eaa98b562d5c1011e0dcf9b39923240d" "332d89dc9603b7bddd0c70b83caa2905631b1c83cabbae6c" "0c0c2efe8f58131ed8351bf93e875f6a73a93cbad470141a" "2687fbacf2d71c8ddee971ad660729ad", 16); mpz_set_str(pub.q, "ea347e90be7c2875d1fe1db622b4763837c5e27a6037310348c1aa11", 16); mpz_set_str(pub.g, "2042094ccbc8b8723fc928c12fda671b83295e99c743576f" "44504be1186323319b5002d24f173df909ea241d6ea52899" "04ee4636204b2fbe94b068fe093f7962579549551d3af219" "ad8ed19939eff86bcec834de2f2f78596e89e7cb52c524e1" "77098a56c232eb1f563aa84bc6b026deee6ff51cb441e080" "f2dafaea1ced86427d1c346be55c66803d4b76d133cd445b" "4c3482fa415023463c9bf30f2f784223e26057d3aa0d7fbb" "660630c52e49d4a0325c7389e072aa349f13c966e159752f" "bb71e9336890f93243fa6e72d299365ee5b3fe266ebf1110" "568fee4425c847b50210bd484b97431a42856adca3e7d1a9" "c9c675c7e266918320dd5a78a48c48a9", 16); mpz_set_str(pub.y, "1ae10c786ad0902c5c685dae5c7121418a377b888b5f2f2b" "c76623570fd62bcb190b471ad5359c5f062f8819289e956d" "8aa6f90d1f8cf1ee72d3a1bdfd56c478dc29a19c4569b5a6" "0e3a8f34f60656eac5b25dde5514a5c67b675423204f6cca" "f0990617cc7355b9d3ed868978a252020a769ed59a6edaa6" "efe3377eef45f3f6f3e64179cc7db8b143fb835c5d71bfcf" "a1e2a9049bccf7fe9ab57546220fe3f4b7521c861739d138" "507e81a46a6993605441dcb90d6ee4afbc42cabe90a25444" "4968109d7edd9694a023239f1d56175dd1fac115915e24fa" "b563f4fc3f269bed2f300832d112596485a711417aa73bb4" "ac72a651a1fa5baed3636c720d397008", 16); mpz_set_str(signature.r, "65102e8f64ecb11f06017b1a0c0def3c29897c277c4a948b1f4da6b9", 16); mpz_set_str(signature.s, "21ad0abb27bd3c21166cb96aef70c0dbd5f3079cab0dd543d4125bd1", 16); test_dsa_verify(params, pub.y, &nettle_sha224, SHEX("e920fc1610718f2b0213d301c0092a51f3c6b0107bbbd824" "3a9689c044e2d142f202d9d195a5faef4be5acadc9ff6f7d" "2261e58b517139bcb9489b110423c2e59eb181294ffdae8a" "ad0e624fab974c97f9f5e7dc19d678a9cb3429cf05ec5090" "72856f5adfec6e29bafe8e5ba95593e612843e343111d88a" "1eaff7dc0a2e277f"), &signature); /* mod = L=2048, N=224, SHA-256 */ mpz_set_str(pub.p, "a4c7eaab42c4c73b757770916489f17cd50725cd0a4bc4e1" "cf67f763b8c1de2d6dab9856baafb008f365b18a42e14dc5" "1f350b88eca0209c5aa4fd71a7a96c765f5901c21e720570" "d7837bec7c76d2e49344731ca39405d0a879b9e0dcd1a812" "5fd130ec1e783e654b94e3002e6b629e904ab3877867720c" "bd54b4270a9e15cd028c7cc796f06c272a660951928fdbeb" "2dca061b41e932257305742ff16e2f429191d5e5f1a6ddf6" "e78c5d7722cff80a9c0bd5c8d7aeba8c04438992b075e307" "c1534c49ad380f477f5f7987dc172c161dca38dcaf3fb384" "6c72c9119a5299adc748951b3dce0d00d4a9013800b20082" "03b72465bc6a84ae059a30c4522dea57", 16); mpz_set_str(pub.q, "ce89fe332b8e4eb3d1e8ddcea5d163a5bc13b63f16993755427aef43", 16); mpz_set_str(pub.g, "8c465edf5a180730291e080dfc5385397a5006450dba2efe" "0129264fbd897bb5579ca0eab19aa278220424724b4f2a6f" "6ee6328432abf661380646097233505339c5519d357d7112" "b6eec938b85d5aa75cc2e38092f0a530acb54e50fe82c4d5" "62fb0f3036b80b30334023ebbe6637a0010b00c7db863711" "68563671e1e0f028aedbd45d2d572621a609982a073e51aa" "e27707afbeef29e2ecee84d7a6d5da382be3a35f42b6c668" "49202ab19d025b869d08776476d1ab981475ad2ad2f3e6fd" "07e30696d90a626816df60d6ca7afd7b482f942f83b45cc8" "2933731f87faee320900f2aa3e70b1867e1430e40be67c07" "f9290299ef067b8b24a7515b3f992c07", 16); mpz_set_str(pub.y, "748a40237211a2d9852596e7a891f43d4eb0ee48826c9cfb" "336bbb68dbe5a5e16b2e1271d4d13de03644bb85ef6be523" "a4d4d88415bcd596ba8e0a3c4f6439e981ed013d7d9c7033" "6febf7d420cfed02c267457bb3f3e7c82145d2af54830b94" "2ec74a5d503e4226cd25dd75decd3f50f0a858155d7be799" "410836ddc559ce99e1ae513808fdaeac34843dd7258f16f6" "7f19205f6f139251a4186da8496d5e90d3fecf8ed10be6c2" "5ff5eb33d960c9a8f4c581c8c724ca43b761e9fdb5af66bf" "fb9d2ebb11a6b504a1fbe4f834ecb6ac254cab513e943b9a" "953a7084b3305c661bfad434f6a835503c9ade7f4a57f5c9" "65ec301ecde938ee31b4deb038af97b3", 16); mpz_set_str(signature.r, "9c5fa46879ddaf5c14f07dfb5320715f67a6fec179e3ad53342fb6d1", 16); mpz_set_str(signature.s, "c3e17e7b3c4d0ac8d49f4dd0f04c16a094f42da0afcc6c90f5f1bbc8", 16); test_dsa_verify(params, pub.y, &nettle_sha256, SHEX("cec8d2843dee7cb5f9119b75562585e05c5ce2f4e6457e9b" "cc3c1c781ccd2c0442b6282aea610f7161dcede176e77486" "1f7d2691be6c894ac3ebf80c0fab21e52a3e63ae0b350257" "62ccd6c9e1fecc7f9fe00aa55c0c3ae33ae88f66187f9598" "eba9f863171f3f56484625bf39d883427349b8671d9bb7d3" "96180694e5b546ae"), &signature); /* L=2048, N=256, SHA-1 */ mpz_set_str(pub.p, "c1a59d215573949e0b20a974c2edf2e3137ff2463062f75f" "1d13df12aba1076bb2d013402b60af6c187fb0fa362167c9" "76c2617c726f9077f09e18c11b60f65008825bd6c02a1f57" "d3eb0ad41cd547de43d87f2525f971d42b306506e7ca03be" "63b35f4ada172d0a06924440a14250d7822ac2d5aeafed46" "19e79d4158a7d5eb2d9f023db181a8f094b2c6cb87cb8535" "416ac19813f07144660c557745f44a01c6b1029092c129b0" "d27183e82c5a21a80177ee7476eb95c466fb472bd3d2dc28" "6ce25847e93cbfa9ad39cc57035d0c7b64b926a9c7f5a7b2" "bc5abcbfbdc0b0e3fede3c1e02c44afc8aefc7957da07a0e" "5fd12339db8667616f62286df80d58ab", 16); mpz_set_str(pub.q, "8000000000000000000000001bd62c65e8b87c89797f8f0c" "bfa55e4a6810e2c7", 16); mpz_set_str(pub.g, "aea5878740f1424d3c6ea9c6b4799615d2749298a17e2620" "7f76cef340ddd390e1b1ad6b6c0010ad015a103342ddd452" "cac024b36e42d9b8ed52fafae7a1d3ce9e4b21f910d1356e" "b163a3e5a8184c781bf14492afa2e4b0a56d8884fd01a628" "b9662739c42e5c5795ade2f5f27e6de1d963917ce8806fc4" "0d021cd87aa3aa3a9e4f0c2c4c45d2959b2578b2fb1a2229" "c37e181059b9d5e7b7862fa82e2377a49ed0f9dca820a581" "4079dd6610714efaf8b0cc683d8e72e4c884e6f9d4946b3e" "8d4cbb92adbbe7d4c47cc30be7f8c37ca81883a1aac68600" "59ff4640a29ccae73de20b12e63b00a88b2ee9ba94b75eb4" "0a656e15d9ec83731c85d0effcb9ef9f", 16); mpz_set_str(pub.y, "880e17c4ae8141750609d8251c0bbd7acf6d0b460ed3688e" "9a5f990e6c4b5b00875da750e0228a04102a35f57e74b8d2" "f9b6950f0d1db8d302c5c90a5b8786a82c68ff5b17a57a75" "8496c5f8053e4484a253d9942204d9a1109f4bd2a3ec311a" "60cf69c685b586d986f565d33dbf5aab7091e31aa4102c4f" "4b53fbf872d700156465b6c075e7f778471a23502dc0fee4" "1b271c837a1c26691699f3550d060a331099f64837cddec6" "9caebf51bf4ec9f36f2a220fe773cb4d3c02d0446ddd4613" "3532ef1c3c69d432e303502bd05a75279a7809a742ac4a78" "72b07f1908654049419350e37a95f2ef33361d8d8736d408" "3dc14c0bb972e14d4c7b97f3ddfccaef", 16); mpz_set_str(signature.r, "363e01c564f380a27d7d23b207af3f961d48fc0995487f60" "052775d724ab3d10", 16); mpz_set_str(signature.s, "4916d91b2927294e429d537c06dd2463d1845018cca2873e" "90a6c837b445fdde", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("de3605dbefde353cbe05e0d6098647b6d041460dfd4c0003" "12be1afe7551fd3b93fed76a9763c34e004564b8f7dcacbd" "99e85030632c94e9b0a032046523b7aacdf934a2dbbdcfce" "efe66b4e3d1cb29e994ff3a4648a8edd9d58ed71f12399d9" "0624789c4e0eebb0fbd5080f7d730f875a1f290749334cb4" "05e9fd2ae1b4ed65"), &signature); /* L=2048, N=256, SHA-224 */ mpz_set_str(pub.p, "d02276ebf3c22ffd666983183a47ae94c9bccbcbf95ddcb4" "91d1f7ce643549199992d37c79e7b032d26ed031b6ba4489" "f3125826fafb2726a98333ebd9abdde592d8693d9859536d" "9cc3841a1d24e044d35aced6136256fc6d6b615cf4f4163a" "a381eb2b4c480825a8eccc56d8ddcf5fe637e38ad9b2974b" "d2cf68bf271e0d067d2465a8b6b660524f0082598945ada5" "8ea649b9804eb4753408c2c59768c46abb82e3295f3d9ca4" "69f84cc187f572dc4b5a3b39346ec839dfad6f07d6d1f0e2" "15209bb0ecc05c767cf2e7943ac9cfb02eee1e9ef5946e8c" "e88316b5e15fdcf95a132ef2e4bb0817136528cfa5dd9653" "2f9c3abe5c421620edb6bcbd52234ca9", 16); mpz_set_str(pub.q, "8000000012997e8285e4089708f528070c6d7af8a0bd0140" "9e7a079cdb6fc5bb", 16); mpz_set_str(pub.g, "778453049ef262147fed7b59b0ee6764607c51e7b5b5fc6f" "ea7a7a7b1dd6bb283f4a9ae98efd3964b1556758cb15b2a5" "3af8619e74d85898bec77d3b3f382494ae5961a13ffc745d" "a386182291519800f99dd710e00aeb15adee088e2798ee2e" "46f598526cf0f4667055d1ba009750041dc5cdd2725ff1d9" "7dd340c8518af7671b87d39d67aeced84b66f84e0701efc8" "2a5c9ef954ee576d24c385b14d63037f0d866fd424b4975b" "dd5485ed740cb932e843f906683f7c7b2c74775d901c361b" "847b519c0da699638da40bd736b783d2710b2c2cc26ef912" "71bf4e2c1929f876e902e2057164223bc78d6a2b9f6c0c7a" "7cb85922f7d6c4287ae23861f8128848", 16); mpz_set_str(pub.y, "7bb31e98c7a0437f978a73d5dcfbdfbb09cc2499dfaf1eb5" "256bccd6358cabb5f67d04a42823463b7e957f2b9213f1fa" "8e5a98d614484701abb8c7d67641fe6ed06fa4527b493dda" "b2e74640fde3de70da693f1db2b8e26417040af0eea6cab4" "51a795a52e187d2ee241b93f65c86c6d66f45834cce165ac" "5eb670d4f0095c23ce9757e3bdc636f991ee0073d90a0920" "2edb35cc3ea1cf9adca1617fa0bffd9c126229a604a1d3bf" "4931ddf0b9942dfc8a2f8c09fcc97032564a79ae1ebe1e2c" "e49ff57839e7c43fa60b1603d15a450898aa4e4a1ee80657" "94126d64f013367096a83686b9f158c33b10f5f3b36cf1f6" "358b3f34f84b101dc26d3db68bcc95c8", 16); mpz_set_str(signature.r, "059bee9e708b7f20c3f791a640edee964e0aa672893c4847" "99715817b3a8f6d4", 16); mpz_set_str(signature.s, "4bd41c84a724cc86e4f0194ec0fbf379e654d0d7f6a1f08b" "d468139422a5c353", 16); test_dsa_verify(params, pub.y, &nettle_sha224, SHEX("39f2d8d503aae8cd17854456ecfad49a18900d4375412bc6" "89181ed9c2ccafea98dca689a72dc75e5367d3d3abfc2169" "700d5891cff70f69d9aca093b061b9f5057f94636bc27831" "15254344fb12e33b167272e198838a8728e7744ea9a2e824" "8e34d5906e298302472637b879de91c1a6f9f331a5cf98a5" "af29132990d27416"), &signature); /* L=2048, N=256, SHA-256 */ mpz_set_str(pub.p, "a8adb6c0b4cf9588012e5deff1a871d383e0e2a85b5e8e03" "d814fe13a059705e663230a377bf7323a8fa117100200bfd" "5adf857393b0bbd67906c081e585410e38480ead51684dac" "3a38f7b64c9eb109f19739a4517cd7d5d6291e8af20a3fbf" "17336c7bf80ee718ee087e322ee41047dabefbcc34d10b66" "b644ddb3160a28c0639563d71993a26543eadb7718f317bf" "5d9577a6156561b082a10029cd44012b18de6844509fe058" "ba87980792285f2750969fe89c2cd6498db3545638d5379d" "125dccf64e06c1af33a6190841d223da1513333a7c9d7846" "2abaab31b9f96d5f34445ceb6309f2f6d2c8dde06441e879" "80d303ef9a1ff007e8be2f0be06cc15f", 16); mpz_set_str(pub.q, "e71f8567447f42e75f5ef85ca20fe557ab0343d37ed09edc" "3f6e68604d6b9dfb", 16); mpz_set_str(pub.g, "5ba24de9607b8998e66ce6c4f812a314c6935842f7ab54cd" "82b19fa104abfb5d84579a623b2574b37d22ccae9b3e415e" "48f5c0f9bcbdff8071d63b9bb956e547af3a8df99e5d3061" "979652ff96b765cb3ee493643544c75dbe5bb39834531952" "a0fb4b0378b3fcbb4c8b5800a5330392a2a04e700bb6ed7e" "0b85795ea38b1b962741b3f33b9dde2f4ec1354f09e2eb78" "e95f037a5804b6171659f88715ce1a9b0cc90c27f35ef2f1" "0ff0c7c7a2bb0154d9b8ebe76a3d764aa879af372f4240de" "8347937e5a90cec9f41ff2f26b8da9a94a225d1a913717d7" "3f10397d2183f1ba3b7b45a68f1ff1893caf69a827802f7b" "6a48d51da6fbefb64fd9a6c5b75c4561", 16); mpz_set_str(pub.y, "5a55dceddd1134ee5f11ed85deb4d634a3643f5f36dc3a70" "689256469a0b651ad22880f14ab85719434f9c0e407e60ea" "420e2a0cd29422c4899c416359dbb1e592456f2b3cce2332" "59c117542fd05f31ea25b015d9121c890b90e0bad033be13" "68d229985aac7226d1c8c2eab325ef3b2cd59d3b9f7de7db" "c94af1a9339eb430ca36c26c46ecfa6c5481711496f624e1" "88ad7540ef5df26f8efacb820bd17a1f618acb50c9bc197d" "4cb7ccac45d824a3bf795c234b556b06aeb9291734532520" "84003f69fe98045fe74002ba658f93475622f76791d9b262" "3d1b5fff2cc16844746efd2d30a6a8134bfc4c8cc80a4610" "7901fb973c28fc553130f3286c1489da", 16); mpz_set_str(signature.r, "633055e055f237c38999d81c397848c38cce80a55b649d9e" "7905c298e2a51447", 16); mpz_set_str(signature.s, "2bbf68317660ec1e4b154915027b0bc00ee19cfc0bf75d01" "930504f2ce10a8b0", 16); test_dsa_verify(params, pub.y, &nettle_sha256, SHEX("4e3a28bcf90d1d2e75f075d9fbe55b36c5529b17bc3a9cca" "ba6935c9e20548255b3dfae0f91db030c12f2c344b3a29c4" "151c5b209f5e319fdf1c23b190f64f1fe5b330cb7c8fa952" "f9d90f13aff1cb11d63181da9efc6f7e15bfed4862d1a62c" "7dcf3ba8bf1ff304b102b1ec3f1497dddf09712cf323f561" "0a9d10c3d9132659"), &signature); /* L=2048, N=256, SHA-384 */ mpz_set_str(pub.p, "a6167c16fff74e29342b8586aed3cd896f7b1635a2286ff1" "6fdff41a06317ca6b05ca2ba7c060ad6db1561621ccb0c40" "b86a03619bfff32e204cbd90b79dcb5f86ebb493e3bd1988" "d8097fa23fa4d78fb3cddcb00c466423d8fa719873c37645" "fe4eecc57171bbedfe56fa9474c96385b8ba378c79972d7a" "aae69a2ba64cde8e5654f0f7b74550cd3447e7a472a33b40" "37db468dde31c348aa25e82b7fc41b837f7fc226a6103966" "ecd8f9d14c2d3149556d43829f137451b8d20f8520b0ce8e" "3d705f74d0a57ea872c2bdee9714e0b63906cddfdc28b677" "7d19325000f8ed5278ec5d912d102109319cba3b6469d467" "2909b4f0dbeec0bbb634b551ba0cf213", 16); mpz_set_str(pub.q, "8427529044d214c07574f7b359c2e01c23fd97701b328ac8" "c1385b81c5373895", 16); mpz_set_str(pub.g, "6fc232415c31200cf523af3483f8e26ace808d2f1c6a8b86" "3ab042cc7f6b7144b2d39472c3cb4c7681d0732843503d8f" "858cbe476e6740324aaa295950105978c335069b919ff9a6" "ff4b410581b80712fe5d3e04ddb4dfd26d5e7fbca2b0c52d" "8d404343d57b2f9b2a26daa7ece30ceab9e1789f9751aaa9" "387049965af32650c6ca5b374a5ae70b3f98e053f51857d6" "bbb17a670e6eaaf89844d641e1e13d5a1b24d053dc6b8fd1" "01c624786951927e426310aba9498a0042b3dc7bbc59d705" "f80d9b807de415f7e94c5cf9d789992d3bb8336d1d808cb8" "6b56dde09d934bb527033922de14bf307376ab7d22fbcd61" "6f9eda479ab214a17850bdd0802a871c", 16); mpz_set_str(pub.y, "5ca7151bca0e457bbc46f59f71d81ab16688dc0eb7e4d17b" "166c3326c5b12c5bdebb3613224d1a754023c50b83cb5ecc" "139096cef28933b3b12ca31038e4089383597c59cc27b902" "be5da62cae7da5f4af90e9410ed1604082e2e38e25eb0b78" "dfac0aeb2ad3b19dc23539d2bcd755db1cc6c9805a7dd109" "e1c98667a5b9d52b21c2772121b8d0d2b246e5fd3da80728" "e85bbf0d7067d1c6baa64394a29e7fcbf80842bd4ab02b35" "d83f59805a104e0bd69d0079a065f59e3e6f21573a00da99" "0b72ea537fa98caaa0a58800a7e7a0623e263d4fca65ebb8" "eded46efdfe7db92c9ebd38062d8f12534f015b186186ee2" "361d62c24e4f22b3e95da0f9062ce04d", 16); mpz_set_str(signature.r, "4fd8f25c059030027381d4167c3174b6be0088c15f0a573d" "7ebd05960f5a1eb2", 16); mpz_set_str(signature.s, "5f56869cee7bf64fec5d5d6ea15bb1fa1169003a87eccc16" "21b90a1b892226f2", 16); test_dsa_verify(params, pub.y, &nettle_sha384, SHEX("8c78cffdcf25d8230b835b30512684c9b252115870b603d1" "b4ba2eb5d35b33f26d96b684126ec34fff67dfe5c8c856ac" "fe3a9ff45ae11d415f30449bcdc3bf9a9fb5a7e48afeaba6" "d0b0fc9bce0197eb2bf7a840249d4e550c5a25dc1c71370e" "67933edad2362fae6fad1efba5c08dc1931ca2841b44b78c" "0c63a1665ffac860"), &signature); /* L=3072, N=256, SHA-1 */ mpz_set_str(pub.p, "fd5a6c56dd290f7dd84a29de17126eb4e4487b3eff0a44ab" "e5c59792d2e1200b9c3db44d528b9f7d2248032e4ba0f7bf" "c4fafc706be511db2276c0b7ecffd38da2e1c2f237a75390" "c1e4d3239cba8e20e55840ecb05df5f01a1b6977ad1906f2" "cb544ccfb93b901ad0966b1832ad2dab526244a3156c905c" "01ac51cb73b9dcd9860d56175a425d846485d9b1f44a8a0c" "2578e6cf61947bc1a1392fdd320b16a9d70455fe436f2d47" "ded8e8e605f7486eb578ea7fc4ffd13c07f9996af159fd41" "1e9451403278dd1141a8c926b35c96384bbd6bee09c46f44" "c36b1ffc7197f5e925dbe0544a68e6ab8c18e426a466b392" "f9c27dd79fefa9ca163cc5a375539a8559f277f657a535d1" "964c6a5e91683ef5698ebaa01ef818dbf72cb04c3ff092d1" "88866f25cd405108f566b087f73d2d5beb51fac6de84ae51" "61a66af9602c7e4bfc146f4820bdfc092faeac69133e4a08" "a5b202a12498a22e57bad54674ed4b510109d52b5f74e70e" "1f6f82161718cd4cf00cc9f1958acc8bddcdfbd1fbe46cd1", 16); mpz_set_str(pub.q, "800000000000000000000000334a26dd8f49c6811ce81bb1" "342b06e980f64b75", 16); mpz_set_str(pub.g, "99ab030a21a5c9818174872167641c81c1e03c9b274cfbc2" "7bc472542927766de5fa0539b3b73f3f16ac866a9aec8b44" "5ded97fbff08834ed98c77e7fc89e5dc657bef766ff7fbf8" "e76873e17bee412762d56fe1141760ab4d25bafd4b6ef25b" "49a3506632d1f8e10770930760ec1325932c5a4baf9e9015" "4264ddf442ec5c41fed95d11525151dbcfb3758149bad81c" "62b9cff7816b8f953b8b7c022590d1584e921dc955f5328a" "c72983ed5cf0d04056fe0d531e62f8f6c9ab3c0fcd44e148" "60b7311d2561c77c1d32f6c69dc8f77968c9d881ad9db5e0" "c114fda8628bca0335eb7fb9e15e625aabab58fc01194c81" "bf6fb2ce54077b82250e57c6a7b25deb6ee39d4b686a5c30" "7a7612b2d85ee92512413dea297e44f317be7ceb70a3328a" "f0b401001a418562b8ffe4e9771b4b4a8e0b40c791349d5d" "4e459fe620a1a2fc72e2f6ca28567d4c2632bbde1b49864c" "06bb12619f132c1da8f571ef613eac739f66ab3914cb3fa1" "ab86e05e5082ebaa24ebeea4cf51beefc27df512fe3fee7d", 16); mpz_set_str(pub.y, "e7c2ee18c3aa362c0182c6a56c2584628083c73e045beda8" "d653690c9c2f6544edf9702c57c455273905336a5f517110" "7a313cd7d0b0f50f8d3342c60219f22a9023394059d05f46" "4c4496d55dab6eb0898527ff4cf5678e7b5bfb5e18d92c4a" "9d73288cce14530fc4702f6d0397ec39a880c4a72d358730" "c56633386ede028023c1791f3164d1574e7823c79b8a3ca1" "343ea166ba6f02b7ff7e9ef2198db107f7cc159f3b6a1c00" "a78c355c566deb0ac6fde3f633cb9177a1fbc6c1766ca021" "d5fec470101abb440d2f06982181a8c92b7cdd765336b9a1" "e1ab70283d6db0a963fb648c37c4e29a74c37577291049ab" "47cdbc104c04db966681ea8ebb9f00cf4c4a546211737957" "5fbda4b801979451fa94b19b4e93656705c0f734f3e0914b" "b96c1e2b8a0fb68faf14296efdf3300ad95bcde8b67cc4b2" "6e6488eef925cfaeac6f0d6567e8b41355f89d1c2b8fe687" "bfa2df5e287e1305b89b8c388c26196090ac0351abc561aa" "dc797da8ccea4146c3e96095ebce353e0da4c55019052caa", 16); mpz_set_str(signature.r, "21ca148cdf44be4ae93b2f353b8e512d03ad96dafa80623f" "de4922a95f032732", 16); mpz_set_str(signature.s, "73e48b77a3aa44307483c2dd895cb51db2112177c185c59c" "b1dcff32fda02a4f", 16); test_dsa_verify(params, pub.y, &nettle_sha1, SHEX("ca84af5c9adbc0044db00d7acfb1b493aab0388ffbad47b3" "8cd3e9e3111cfe2cda2a45f751c46862f05bdcec4b698adf" "d2e1606e484c3be4ac0c379d4fbc7c2cda43e922811d7f6c" "33040e8e65d5f317684b90e26387cf931fe7c2f515058d75" "3b08137ff2c6b79c910de8283149e6872cb66f7e02e66f23" "71785129569362f1"), &signature); /* L=3072, N=256, SHA-256 */ mpz_set_str(pub.p, "c7b86d7044218e367453d210e76433e4e27a983db1c560bb" "9755a8fb7d819912c56cfe002ab1ff3f72165b943c0b28ed" "46039a07de507d7a29f738603decd1270380a41f971f2592" "661a64ba2f351d9a69e51a888a05156b7fe1563c4b77ee93" "a44949138438a2ab8bdcfc49b4e78d1cde766e5498476005" "7d76cd740c94a4dd25a46aa77b18e9d707d6738497d4eac3" "64f4792d9766a16a0e234807e96b8c64d404bbdb876e39b5" "799ef53fe6cb9bab62ef19fdcc2bdd905beda13b9ef7ac35" "f1f557cb0dc458c019e2bc19a9f5dfc1e4eca9e6d4665641" "24304a31f038605a3e342da01be1c2b545610edd2c1397a3" "c8396588c6329efeb4e165af5b368a39a88e4888e39f40bb" "3de4eb1416672f999fead37aef1ca9643ff32cdbc0fcebe6" "28d7e46d281a989d43dd21432151af68be3f6d56acfbdb6c" "97d87fcb5e6291bf8b4ee1275ae0eb4383cc753903c8d29f" "4adb6a547e405decdff288c5f6c7aa30dcb12f84d392493a" "70933317c0f5e6552601fae18f17e6e5bb6bf396d32d8ab9", 16); mpz_set_str(pub.q, "876fa09e1dc62b236ce1c3155ba48b0ccfda29f3ac5a97f7" "ffa1bd87b68d2a4b", 16); mpz_set_str(pub.g, "110afebb12c7f862b6de03d47fdbc3326e0d4d31b12a8ca9" "5b2dee2123bcc667d4f72c1e7209767d2721f95fbd9a4d03" "236d54174fbfaff2c4ff7deae4738b20d9f37bf0a1134c28" "8b420af0b5792e47a92513c0413f346a4edbab2c45bdca13" "f5341c2b55b8ba54932b9217b5a859e553f14bb8c120fbb9" "d99909dff5ea68e14b379964fd3f3861e5ba5cc970c4a180" "eef54428703961021e7bd68cb637927b8cbee6805fa27285" "bfee4d1ef70e02c1a18a7cd78bef1dd9cdad45dde9cd6907" "55050fc4662937ee1d6f4db12807ccc95bc435f11b71e708" "6048b1dab5913c6055012de82e43a4e50cf93feff5dcab81" "4abc224c5e0025bd868c3fc592041bba04747c10af513fc3" "6e4d91c63ee5253422cf4063398d77c52fcb011427cbfcfa" "67b1b2c2d1aa4a3da72645cb1c767036054e2f31f88665a5" "4461c885fb3219d5ad8748a01158f6c7c0df5a8c908ba8c3" "e536822428886c7b500bbc15b49df746b9de5a78fe3b4f69" "91d0110c3cbff458039dc36261cf46af4bc2515368f4abb7", 16); mpz_set_str(pub.y, "456a105c713566234838bc070b8a751a0b57767cb75e9911" "4a1a46641e11da1fa9f22914d808ad7148612c1ea55d2530" "1781e9ae0c9ae36a69d87ba039ec7cd864c3ad094873e6e5" "6709fd10d966853d611b1cff15d37fdee424506c184d62c7" "033358be78c2250943b6f6d043d63b317de56e5ad8d1fd97" "dd355abe96452f8e435485fb3b907b51900aa3f24418df50" "b4fcdafbf6137548c39373b8bc4ba3dabb4746ebd17b87fc" "d6a2f197c107b18ec5b465e6e4cb430d9c0ce78da5988441" "054a370792b730da9aba41a3169af26176f74e6f7c0c9c9b" "55b62bbe7ce38d4695d48157e660c2acb63f482f55418150" "e5fee43ace84c540c3ba7662ae80835c1a2d51890ea96ba2" "06427c41ef8c38aa07d2a365e7e58380d8f4782e22ac2101" "af732ee22758337b253637838e16f50f56d313d07981880d" "685557f7d79a6db823c61f1bb3dbc5d50421a4843a6f2969" "0e78aa0f0cff304231818b81fc4a243fc00f09a54c466d6a" "8c73d32a55e1abd5ec8b4e1afa32a79b01df85a81f3f5cfe", 16); mpz_set_str(signature.r, "53bae6c6f336e2eb311c1e92d95fc449a929444ef81ec427" "9660b200d59433de", 16); mpz_set_str(signature.s, "49f3a74e953e77a7941af3aefeef4ed499be209976a0edb3" "fa5e7cb961b0c112", 16); test_dsa_verify(params, pub.y, &nettle_sha256, SHEX("cb06e02234263c22b80e832d6dc5a1bee5ea8af3bc2da752" "441c04027f176158bfe68372bd67f84d489c0d49b07d4025" "962976be60437be1a2d01d3be0992afa5abe0980e26a9da4" "ae72f827b423665195cc4eed6fe85c335b32d9c03c945a86" "e7fa99373f0a30c6eca938b3afb6dff67adb8bece6f8cfec" "4b6a12ea281e2323"), &signature); /* L=3072, N=256, SHA-384 */ mpz_set_str(pub.p, "a410d23ed9ad9964d3e401cb9317a25213f75712acbc5c12" "191abf3f1c0e723e2333b49eb1f95b0f9748d952f04a5ae3" "58859d384403ce364aa3f58dd9769909b45048548c55872a" "6afbb3b15c54882f96c20df1b2df164f0bac849ca17ad2df" "63abd75c881922e79a5009f00b7d631622e90e7fa4e98061" "8575e1d6bd1a72d5b6a50f4f6a68b793937c4af95fc11541" "759a1736577d9448b87792dff07232415512e933755e1225" "0d466e9cc8df150727d747e51fea7964158326b1365d580c" "b190f4518291598221fdf36c6305c8b8a8ed05663dd7b006" "e945f592abbecae460f77c71b6ec649d3fd5394202ed7bbb" "d040f7b8fd57cb06a99be254fa25d71a3760734046c2a0db" "383e02397913ae67ce65870d9f6c6f67a9d00497be1d763b" "21937cf9cbf9a24ef97bbcaa07916f8894e5b7fb03258821" "ac46140965b23c5409ca49026efb2bf95bce025c4183a5f6" "59bf6aaeef56d7933bb29697d7d541348c871fa01f869678" "b2e34506f6dc0a4c132b689a0ed27dc3c8d53702aa584877", 16); mpz_set_str(pub.q, "abc67417725cf28fc7640d5de43825f416ebfa80e191c42e" "e886303338f56045", 16); mpz_set_str(pub.g, "867d5fb72f5936d1a14ed3b60499662f3124686ef108c5b3" "da6663a0e86197ec2cc4c9460193a74ff16028ac9441b0c7" "d27c2272d483ac7cd794d598416c4ff9099a61679d417d47" "8ce5dd974bf349a14575afe74a88b12dd5f6d1cbd3f91ddd" "597ed68e79eba402613130c224b94ac28714a1f1c552475a" "5d29cfcdd8e08a6b1d65661e28ef313514d1408f5abd3e06" "ebe3a7d814d1ede316bf495273ca1d574f42b482eea30db5" "3466f454b51a175a0b89b3c05dda006e719a2e6371669080" "d768cc038cdfb8098e9aad9b8d83d4b759f43ac9d22b353e" "d88a33723550150de0361b7a376f37b45d437f71cb711f28" "47de671ad1059516a1d45755224a15d37b4aeada3f58c69a" "136daef0636fe38e3752064afe598433e80089fda24b144a" "462734bef8f77638845b00e59ce7fa4f1daf487a2cada11e" "aba72bb23e1df6b66a183edd226c440272dd9b06bec0e57f" "1a0822d2e00212064b6dba64562085f5a75929afa5fe509e" "0b78e630aaf12f91e4980c9b0d6f7e059a2ea3e23479d930", 16); mpz_set_str(pub.y, "1f0a5c75e7985d6e70e4fbfda51a10b925f6accb600d7c65" "10db90ec367b93bb069bd286e8f979b22ef0702f717a8755" "c18309c87dae3fe82cc3dc8f4b7aa3d5f3876f4d4b3eb68b" "fe910c43076d6cd0d39fc88dde78f09480db55234e6c8ca5" "9fe2700efec04feee6b4e8ee2413721858be7190dbe905f4" "56edcab55b2dc2916dc1e8731988d9ef8b619abcf8955aa9" "60ef02b3f02a8dc649369222af50f1338ed28d667f3f10ca" "e2a3c28a3c1d08df639c81ada13c8fd198c6dae3d62a3fe9" "f04c985c65f610c06cb8faea68edb80de6cf07a8e89c0021" "8185a952b23572e34df07ce5b4261e5de427eb503ee1baf5" "992db6d438b47434c40c22657bc163e7953fa33eff39dc27" "34607039aadd6ac27e4367131041f845ffa1a13f556bfba2" "307a5c78f2ccf11298c762e08871968e48dc3d1569d09965" "cd09da43cf0309a16af1e20fee7da3dc21b364c4615cd512" "3fa5f9b23cfc4ffd9cfdcea670623840b062d4648d2eba78" "6ad3f7ae337a4284324ace236f9f7174fbf442b99043002f", 16); mpz_set_str(signature.r, "7695698a14755db4206e850b4f5f19c540b07d07e08aac59" "1e20081646e6eedc", 16); mpz_set_str(signature.s, "3dae01154ecff7b19007a953f185f0663ef7f2537f0b15e0" "4fb343c961f36de2", 16); test_dsa_verify(params, pub.y, &nettle_sha384, SHEX("ed9a64d3109ef8a9292956b946873ca4bd887ce624b81be8" "1b82c69c67aaddf5655f70fe4768114db2834c71787f858e" "5165da1a7fa961d855ad7e5bc4b7be31b97dbe770798ef79" "66152b14b86ae35625a28aee5663b9ef3067cbdfbabd8719" "7e5c842d3092eb88dca57c6c8ad4c00a19ddf2e1967b59bd" "06ccaef933bc28e7"), &signature); /* L=3072, N=256, SHA-512 */ mpz_set_str(pub.p, "c1d0a6d0b5ed615dee76ac5a60dd35ecb000a202063018b1" "ba0a06fe7a00f765db1c59a680cecfe3ad41475badb5ad50" "b6147e2596b88d34656052aca79486ea6f6ec90b23e363f3" "ab8cdc8b93b62a070e02688ea877843a4685c2ba6db111e9" "addbd7ca4bce65bb10c9ceb69bf806e2ebd7e54edeb7f996" "a65c907b50efdf8e575bae462a219c302fef2ae81d73cee7" "5274625b5fc29c6d60c057ed9e7b0d46ad2f57fe01f82323" "0f31422722319ce0abf1f141f326c00fbc2be4cdb8944b6f" "d050bd300bdb1c5f4da72537e553e01d51239c4d461860f1" "fb4fd8fa79f5d5263ff62fed7008e2e0a2d36bf7b9062d0d" "75db226c3464b67ba24101b085f2c670c0f87ae530d98ee6" "0c5472f4aa15fb25041e19106354da06bc2b1d322d40ed97" "b21fd1cdad3025c69da6ce9c7ddf3dcf1ea4d56577bfdec2" "3071c1f05ee4077b5391e9a404eaffe12d1ea62d06acd6bf" "19e91a158d2066b4cd20e4c4e52ffb1d5204cd022bc7108f" "2c799fb468866ef1cb09bce09dfd49e4740ff8140497be61", 16); mpz_set_str(pub.q, "bf65441c987b7737385eadec158dd01614da6f15386248e59f3cddbefc8e9dd1", 16); mpz_set_str(pub.g, "c02ac85375fab80ba2a784b94e4d145b3be0f92090eba17b" "d12358cf3e03f4379584f8742252f76b1ede3fc37281420e" "74a963e4c088796ff2bab8db6e9a4530fc67d51f88b905ab" "43995aab46364cb40c1256f0466f3dbce36203ef228b35e9" "0247e95e5115e831b126b628ee984f349911d30ffb9d613b" "50a84dfa1f042ba536b82d5101e711c629f9f2096dc834de" "ec63b70f2a2315a6d27323b995aa20d3d0737075186f5049" "af6f512a0c38a9da06817f4b619b94520edfac85c4a6e2e1" "86225c95a04ec3c3422b8deb284e98d24b31465802008a09" "7c25969e826c2baa59d2cba33d6c1d9f3962330c1fcda7cf" "b18508fea7d0555e3a169daed353f3ee6f4bb30244319161" "dff6438a37ca793b24bbb1b1bc2194fc6e6ef60278157899" "cb03c5dd6fc91a836eb20a25c09945643d95f7bd50d20668" "4d6ffc14d16d82d5f781225bff908392a5793b803f9b70b4" "dfcb394f9ed81c18e391a09eb3f93a032d81ba670cabfd6f" "64aa5e3374cb7c2029f45200e4f0bfd820c8bd58dc5eeb34", 16); mpz_set_str(pub.y, "6da54f2b0ddb4dcce2da1edfa16ba84953d8429ce60cd111" "a5c65edcf7ba5b8d9387ab6881c24880b2afbdb437e9ed7f" "fb8e96beca7ea80d1d90f24d546112629df5c9e9661742cc" "872fdb3d409bc77b75b17c7e6cfff86261071c4b5c9f9898" "be1e9e27349b933c34fb345685f8fc6c12470d124cecf51b" "5d5adbf5e7a2490f8d67aac53a82ed6a2110686cf631c348" "bcbc4cf156f3a6980163e2feca72a45f6b3d68c10e5a2283" "b470b7292674490383f75fa26ccf93c0e1c8d0628ca35f2f" "3d9b6876505d118988957237a2fc8051cb47b410e8b7a619" "e73b1350a9f6a260c5f16841e7c4db53d8eaa0b4708d62f9" "5b2a72e2f04ca14647bca6b5e3ee707fcdf758b925eb8d4e" "6ace4fc7443c9bc5819ff9e555be098aa055066828e21b81" "8fedc3aac517a0ee8f9060bd86e0d4cce212ab6a3a243c5e" "c0274563353ca7103af085e8f41be524fbb75cda88903907" "df94bfd69373e288949bd0626d85c1398b3073a139d5c747" "d24afdae7a3e745437335d0ee993eef36a3041c912f7eb58", 16); mpz_set_str(signature.r, "a40a6c905654c55fc58e99c7d1a3feea2c5be64823d4086c" "e811f334cfdc448d", 16); mpz_set_str(signature.s, "6478050977ec585980454e0a2f26a03037b921ca588a78a4" "daff7e84d49a8a6c", 16); test_dsa_verify(params, pub.y, &nettle_sha512, SHEX("494180eed0951371bbaf0a850ef13679df49c1f13fe3770b" "6c13285bf3ad93dc4ab018aab9139d74200808e9c55bf883" "00324cc697efeaa641d37f3acf72d8c97bff0182a35b9401" "50c98a03ef41a3e1487440c923a988e53ca3ce883a2fb532" "bb7441c122f1dc2f9d0b0bc07f26ba29a35cdf0da846a9d8" "eab405cbf8c8e77f"), &signature); dsa_public_key_clear(&pub); dsa_private_key_clear(&key); dsa_signature_clear(&signature); } nettle-3.10/testsuite/eddsa-compress-test.c0000644000175000017500000000631614633602172020051 0ustar nissenisse/* eddsa-compress-test.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "eddsa.h" #include "eddsa-internal.h" #define COUNT 500 void test_main (void) { gmp_randstate_t rands; unsigned i; gmp_randinit_default (rands); test_randomize(rands); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size, itch; mpz_t zp, t; mp_limb_t *s; mp_limb_t *p; mp_limb_t *pa1; mp_limb_t *pa2; mp_limb_t *scratch; size_t clen; uint8_t *c; unsigned j; if (!(ecc->p.bit_size == 255 || ecc->p.bit_size == 448)) continue; size = ecc_size (ecc); clen = 1 + ecc->p.bit_size / 8; mpz_roinit_n (zp, ecc->p.m, size); mpz_init (t); s = xalloc_limbs (size); p = xalloc_limbs (ecc_size_j (ecc)); pa1 = xalloc_limbs (ecc_size_a (ecc)); pa2 = xalloc_limbs (ecc_size_a (ecc)); c = xalloc (clen); itch = _eddsa_decompress_itch (ecc); if (itch < ecc->mul_g_itch) itch = ecc->mul_g_itch; ASSERT (_eddsa_compress_itch (ecc) <= itch); scratch = xalloc_limbs (itch); for (j = 0; j < COUNT; j++) { mpz_t x1, y1, x2, y2; mpz_urandomb (t, rands, ecc->q.bit_size); mpz_limbs_copy (s, t, ecc->q.size); ecc->mul_g (ecc, p, s, scratch); _eddsa_compress (ecc, c, p, scratch); ecc->h_to_a (ecc, 0, pa1, p, scratch); _eddsa_decompress (ecc, pa2, c, scratch); mpz_roinit_n (x1, pa1, size); mpz_roinit_n (y1, pa1 + size, size); mpz_roinit_n (x2, pa2, size); mpz_roinit_n (y2, pa2 + size, size); if (!(mpz_congruent_p (x1, x2, zp) && mpz_congruent_p (y1, y2, zp))) { fprintf (stderr, "eddsa compression failed:\nc = "); print_hex (clen, c); fprintf (stderr, "\np1 = 0x"); mpz_out_str (stderr, 16, x1); fprintf (stderr, ",\n 0x"); mpz_out_str (stderr, 16, y1); fprintf (stderr, "\np2 = 0x"); mpz_out_str (stderr, 16, x2); fprintf (stderr, ",\n 0x"); mpz_out_str (stderr, 16, y2); fprintf (stderr, "\n"); FAIL(); } } mpz_clear (t); free (s); free (p); free (c); free (pa1); free (pa2); free (scratch); } gmp_randclear (rands); } nettle-3.10/testsuite/curve448-dh-test.c0000644000175000017500000000720014633602172017106 0ustar nissenisse/* curve448-dh-test.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "curve448.h" static void test_g (const uint8_t *s, const uint8_t *r) { uint8_t p[CURVE448_SIZE]; mark_bytes_undefined (CURVE448_SIZE, s); curve448_mul_g (p, s); mark_bytes_defined (CURVE448_SIZE, p); if (!MEMEQ (CURVE448_SIZE, p, r)) { printf ("curve448_mul_g failure:\ns = "); print_hex (CURVE448_SIZE, s); printf ("\np = "); print_hex (CURVE448_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE448_SIZE, r); printf (" (expected)\n"); abort (); } } static void test_a (const uint8_t *s, const uint8_t *b, const uint8_t *r) { uint8_t p[CURVE448_SIZE]; mark_bytes_undefined (CURVE448_SIZE, s); mark_bytes_undefined (CURVE448_SIZE, b); curve448_mul (p, s, b); mark_bytes_defined (CURVE448_SIZE, p); if (!MEMEQ (CURVE448_SIZE, p, r)) { printf ("curve448_mul failure:\ns = "); print_hex (CURVE448_SIZE, s); printf ("\nb = "); print_hex (CURVE448_SIZE, b); printf ("\np = "); print_hex (CURVE448_SIZE, p); printf (" (bad)\nr = "); print_hex (CURVE448_SIZE, r); printf (" (expected)\n"); abort (); } } void test_main (void) { #if NETTLE_USE_MINI_GMP || WITH_EXTRA_ASSERTS if (test_side_channel) SKIP(); #endif /* From RFC 7748. */ test_g (H("9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28d" "d9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b"), H("9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c" "22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0")); test_g (H("1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d" "6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d"), H("3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b430" "27d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609")); test_a (H("9a8f4925d1519f5775cf46b04b5800d4ee9ee8bae8bc5565d498c28d" "d9c9baf574a9419744897391006382a6f127ab1d9ac2d8c0a598726b"), H("3eb7a829b0cd20f5bcfc0b599b6feccf6da4627107bdb0d4f345b430" "27d8b972fc3e34fb4232a13ca706dcb57aec3dae07bdc1c67bf33609"), H("07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282b" "b60c0b56fd2464c335543936521c24403085d59a449a5037514a879d")); test_a (H("1c306a7ac2a0e2e0990b294470cba339e6453772b075811d8fad0d1d" "6927c120bb5ee8972b0d3e21374c9c921b09d1b0366f10b65173992d"), H("9b08f7cc31b7e3e67d22d5aea121074a273bd2b83de09c63faa73d2c" "22c5d9bbc836647241d953d40c5b12da88120d53177f80e532c41fa0"), H("07fff4181ac6cc95ec1c16a94a0f74d12da232ce40a77552281d282b" "b60c0b56fd2464c335543936521c24403085d59a449a5037514a879d")); } nettle-3.10/testsuite/knuth-lfib-test.c0000644000175000017500000000046714633602172017204 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" void test_main(void) { struct knuth_lfib_ctx ctx; uint32_t a[2009]; uint32_t x; unsigned m; knuth_lfib_init(&ctx, 310952); for (m = 0; m<2009; m++) knuth_lfib_get_array(&ctx, 1009, a); x = knuth_lfib_get(&ctx); ASSERT (x == 461390032); } nettle-3.10/testsuite/sha3-224-test.c0000644000175000017500000030237614633602172016310 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_224.txt using sha3.awk. */ test_hash(&nettle_sha3_224, /* 0 octets */ SHEX(""), SHEX("6B4E03423667DBB73B6E15454F0EB1ABD4597F9A1B078E3F5B5A6BC7")); test_hash(&nettle_sha3_224, /* 1 octets */ SHEX("CC"), SHEX("DF70ADC49B2E76EEE3A6931B93FA41841C3AF2CDF5B32A18B5478C39")); test_hash(&nettle_sha3_224, /* 2 octets */ SHEX("41FB"), SHEX("BFF295861DAEDF33E70519B1E2BCB4C2E9FE3364D789BC3B17301C15")); test_hash(&nettle_sha3_224, /* 3 octets */ SHEX("1F877C"), SHEX("14889DF49C076A9AF2F4BCB16339BCC45A24EBF9CE4DCDCE7EC17217")); test_hash(&nettle_sha3_224, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("A33C58DF8A8026F0F9591966BD6D00EED3B1E829580AB9BE268CAF39")); test_hash(&nettle_sha3_224, /* 5 octets */ SHEX("21F134AC57"), SHEX("10E580A32199596169331AD43CFCF10264F81565037040028A06B458")); test_hash(&nettle_sha3_224, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("FE52C30C95C1E5193207E97D355FDE09453482708C0876AA961508F0")); test_hash(&nettle_sha3_224, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("8B449849CB7C4776C593DE58FD5C2E322CB5316BE08A75057A01ED6A")); test_hash(&nettle_sha3_224, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("01386CDD70589B3B34941EFE16B85071E9BA948179922044F640868E")); test_hash(&nettle_sha3_224, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("86953D0864019C81FD3A805357A162FD76A13A7CBF6FF0D635015D0E")); test_hash(&nettle_sha3_224, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("E56FC2A5A58709031DF02A2E46AD95F93583E2745630540D8D97F703")); test_hash(&nettle_sha3_224, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("1D783C37C32A2B71B504BCAA05FC00B639F1FAE7E8D8E3F3BC49F041")); test_hash(&nettle_sha3_224, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("54C7E4BF3C73E192ADE223DFEA86F2D04ACF953612731958F854C7BD")); test_hash(&nettle_sha3_224, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("77E51CEADA2AA1CBBF95ACD821008B57E946F7940223B19F0C53E62E")); test_hash(&nettle_sha3_224, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("9ED59ED155E97154E067FA0F5A130839B57BDBDA6FEB82DABE006F00")); test_hash(&nettle_sha3_224, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("81B3E56CFEEE8E9138D3BFE24BB7CCDFD4B50D0B8CA11AE7D4B0C960")); test_hash(&nettle_sha3_224, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("B1571BED52E54EEF377D99DF7BE4BC6682C43387F2BF9ACC92DF608F")); test_hash(&nettle_sha3_224, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("08045CF78D238D56972F1C850414BC404FC6DCB11F8D8210D034C610")); test_hash(&nettle_sha3_224, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("9FFD840C550AD23971EB5CE89AE2FD6222ABFB7F0AAFD7EB0005716B")); test_hash(&nettle_sha3_224, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("72DECB5EA1B25A2DAAEB234A8D96E0F57211426666A2EE76B2385C62")); test_hash(&nettle_sha3_224, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("A589936370A3D20039C469D44A1C26E62823AB28CC50175A9897F98E")); test_hash(&nettle_sha3_224, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("96F43401AD49C58D887020F395BDD01F6DAD04128A85B17780408C37")); test_hash(&nettle_sha3_224, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("A3A0F0C552E7CD2723FE22E1D5719E213D9A3DA1DB99E32EFFFD0F46")); test_hash(&nettle_sha3_224, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("E991F4A14B56DC6B224EF352AE8BC8CAE8B1AF1C25C6733DFB7FFE1F")); test_hash(&nettle_sha3_224, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("718866C21CBE3F291364C07B36078A6BF0B8258B0EC155E2E2B1AF23")); test_hash(&nettle_sha3_224, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("23606D06FD8F87C2205ABB5FD04C33EBA30509955200566A0F772B49")); test_hash(&nettle_sha3_224, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("05935F0AD2264475DF34FA96F6A9118C32B217E86169EB7ADE4E2FDB")); test_hash(&nettle_sha3_224, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("FBEC83CBDB6D08C7BFDDC2E37F73B16DC92926A5C23DAB41DEEBFB1B")); test_hash(&nettle_sha3_224, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("1E693B0BCE2372550DAEF35B14F13AB43441ED6742DEE3E86FD1D8EF")); test_hash(&nettle_sha3_224, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("1781F1344DC17F678571F4E5DF3998B1D38B1D83602B53B9B6F283D6")); test_hash(&nettle_sha3_224, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("03B74B7D8FC1F23F76BAB2B6C35F292C15506DE64978FCF6D9973FCE")); test_hash(&nettle_sha3_224, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("6A6857FBA903B9DA2753690C39C548BE008E22EBB372EEAA16C85918")); test_hash(&nettle_sha3_224, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("887921848AD98458F3DB3E0ECD5AD5DB1F0BF9F2D0CA08601074D597")); test_hash(&nettle_sha3_224, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("E0573AD706B44D8C4D204F884B95AB18913E76F41CF29A16DBE34794")); test_hash(&nettle_sha3_224, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("BA31233099055483C99F7AD82D0D24AF487ED4B53FFF1A892A55DDB3")); test_hash(&nettle_sha3_224, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("BEFAA1CB47CF78DDD4E096B861BC340B776F52E351EBE378ADE305BA")); test_hash(&nettle_sha3_224, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("F1E7A1B28EA4D6FB86570F66911E3258C3F49F891654FBCE9BC79B8B")); test_hash(&nettle_sha3_224, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("C2B31746446934FE29E84CFB5C25B03BE33E9004F74E91C1AF0DB789")); test_hash(&nettle_sha3_224, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("3A80645FE4271346AAEDC3AE5011B75DF163FAD3EE6128D87F3D9DA3")); test_hash(&nettle_sha3_224, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("3C5EBE43A2571BCEF25E4EA67A4CA9838770D23599059955AF93FF83")); test_hash(&nettle_sha3_224, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("AF71DAB0F33D3B48733AD6335CA609398D894E6FA96F5510AE73E5D2")); test_hash(&nettle_sha3_224, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("DD7512DAA0C634CC1588870B84691D7DE2C182E5570D57868E7DDA5D")); test_hash(&nettle_sha3_224, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("6CB4F9292BA33CA8D293B7A7EF76619E77309BA2178CD4A130BF9218")); test_hash(&nettle_sha3_224, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("A9B8435E55FC50FE935EC96798A629C13E856C3C5CFD248126976E0D")); test_hash(&nettle_sha3_224, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("93E79850622B91F729AB056EA402E27F01B5323158111B29362A96D5")); test_hash(&nettle_sha3_224, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("7E51D5531382490670115DE13137CB3ADB6E7621B7D9ECA8170FAA96")); test_hash(&nettle_sha3_224, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("95C35037A8076926FC5C421C35160AC5FE533A2782F20F2D3F4B1B7D")); test_hash(&nettle_sha3_224, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("BF024A4FE480636118FCC85B807704D59B64D16A150AA53CDE41F030")); test_hash(&nettle_sha3_224, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("B7A51FBB084DEEB55136EFD7260E5B112E3C40D1A2D14B142DF930DF")); test_hash(&nettle_sha3_224, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("61CF830A2C4F8F48BC643F97A25F822C013F73BDF4CB4194BC8D55DF")); test_hash(&nettle_sha3_224, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("D87F62EA811A2F6BF3C5FDE13475B9C676620C0184F87149DC8686C8")); test_hash(&nettle_sha3_224, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("028A639C7EC0BA1DCEC0B689AA26E2C0167622462669A5C52031602B")); test_hash(&nettle_sha3_224, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("908EF28AB2B6CBB449B9AF7FA78B3D90E019C3916562EB4819A0C87F")); test_hash(&nettle_sha3_224, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("6AC84149F890E1352C6D7397DAC3B3773947B3757E8ED4EC059EF899")); test_hash(&nettle_sha3_224, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("45DA27715CD75F5875BEB7D914CF7488240D1B1F975D430D2F49E9BF")); test_hash(&nettle_sha3_224, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("63AFBABBEC072140DFCEFE64CF7BC9534DCA10956042E31DBE58D0A5")); test_hash(&nettle_sha3_224, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("6487193D9CBE593B3DAA50D4DFDF7DD2612300BB93CB39E3EEFA1AFA")); test_hash(&nettle_sha3_224, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("0DEC25BE3277E27D4F784AD5FF8F79D61D9A309BD693513ACBEED12F")); test_hash(&nettle_sha3_224, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("130B67C6D1A5616227ABD73ABF6FEB70FCE1D5A4BF3338C6DCCB39D5")); test_hash(&nettle_sha3_224, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("3ABB5ACB8485E20BB620D4A030B9C25D3156A9B26893AE007C79F305")); test_hash(&nettle_sha3_224, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("922E216529A95305307E908C69367EBB9AD931ECA314563AC36AAB80")); test_hash(&nettle_sha3_224, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("C72E93A2C39ABCD90AB11CD3F15D59DA3C23C0F17C4E26C9C5890887")); test_hash(&nettle_sha3_224, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("CCCC3B59F28C3FC462DC0A696150F5AEA62DA0ABA97C476BD0D866C1")); test_hash(&nettle_sha3_224, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("28CFD0C6F0208D24AAA69E6C39F5257C13303E91C2D683A9AF29B973")); test_hash(&nettle_sha3_224, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("C154607F986F9BF902D831293C8386D36B201EABA6F6FB0B678B4B81")); test_hash(&nettle_sha3_224, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("95E87AC90F541AB90CBCF7FD7E0E0C152CEF78D5EE1830E9ED8A1ED7")); test_hash(&nettle_sha3_224, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("35BD7D02541D6D4B10ACE6029A24C07A38FD563ABA227F0F776EA5E2")); test_hash(&nettle_sha3_224, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("99DECB8CF1D474970B3CFA87FA462B75E3287B98B4BE4093429E22D6")); test_hash(&nettle_sha3_224, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("8C20FD3D8E08235B01727A4DF44D86E71E824F14B0C2FE4E8DA7F1BB")); test_hash(&nettle_sha3_224, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("E29E68439AECDE56F5297FB935DC7DBE63D61CE360A19629195BD8AA")); test_hash(&nettle_sha3_224, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("5D2164DA84E7707CD1E789711A664AB2EBCF66EBA899A909A1D0CBEC")); test_hash(&nettle_sha3_224, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("FA263B093EA3F96B52DB6251EA25A5254ADA5B54D476CB0794D38889")); test_hash(&nettle_sha3_224, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("D803E320A9865EBF3555E8A3E3134768A2EE1B3E59FA15F35C2EC550")); test_hash(&nettle_sha3_224, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("102925B63B3E9395F88124C3BFA777F29A5B41C13B62ADD7C271CD6E")); test_hash(&nettle_sha3_224, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("6C4E83CD9258205F3C2BCF64149F4ACDCEE7742CB2D36038537171BD")); test_hash(&nettle_sha3_224, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("C74C9EBB2EF9A9822A6228BD1186DCC4411BC59EC938DF27E54B0815")); test_hash(&nettle_sha3_224, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("D23420F9985D66F097D43A0FB2434149D2B33F21B5BAD6CFC250E072")); test_hash(&nettle_sha3_224, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("102EDD2E946F33DD7AA553EA4CE4E659C7B240E1E28BC66200845D87")); test_hash(&nettle_sha3_224, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("7C8EB98B7338403C013D65C0B5BB4B5D2CBF539CB1109CF447FA6650")); test_hash(&nettle_sha3_224, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("C7B07DE91EFCE42DAB78199EE2EB3014A494994236A12B3DE2330C25")); test_hash(&nettle_sha3_224, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("2FCEF2594AE855DE4FC66DCCC517A659118B3A9F2E5FE638980ADBFB")); test_hash(&nettle_sha3_224, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("D45873F0453CBF38156A1384E33E5C76588B7BFB48A709B3943D9186")); test_hash(&nettle_sha3_224, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("3543ADD5B7EDFC83AFE7C1F2D55140AEDB858304628109FD077B3860")); test_hash(&nettle_sha3_224, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("36784F114958D8B5B625DD89A4E3973A113E5D1610DFA55B4FB45AEC")); test_hash(&nettle_sha3_224, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("4187FEAED4FBD3D505A96A8D60668A88172E4F7C8451A4A6802C5747")); test_hash(&nettle_sha3_224, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("6E4766DB4E9D1102CEE6DFE0AE2221321B9C0FE707F0A7825D7557EC")); test_hash(&nettle_sha3_224, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("E1FC972BFB294185F1980CA2938655FB583E812AD3D64FA5A4CF703E")); test_hash(&nettle_sha3_224, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("F6F28E3B65B684C9D9506061980046061390CCDE2458A20F9B086BE5")); test_hash(&nettle_sha3_224, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("F686D2B1386B02B08F6B02BD5D50206D5E138440CB0D93EBCC3B32A7")); test_hash(&nettle_sha3_224, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("46483375D112FC2BE7F611BE4B98DFADA38892C43CEFA586726B48BB")); test_hash(&nettle_sha3_224, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("E1E9AD568AE5B0D9731400BA4FC7DF0321A04EA41393BA6979C7179C")); test_hash(&nettle_sha3_224, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("133F31D9FBC1B2A33F1C98BFE21E129E0716A69EE27408743FFF17AC")); test_hash(&nettle_sha3_224, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("31328F04CA64E8521A36A8943C33CEB95BE1B9080F4533D6DA07606D")); test_hash(&nettle_sha3_224, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("ADD374B1D279469C08E7B27AE3FF1B04C3D0FB3EF6E59AA3AF86660B")); test_hash(&nettle_sha3_224, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("FED7FDE894D92CC3BB68FCC396B5EB00C4156F04FC9CED99D12CFA5B")); test_hash(&nettle_sha3_224, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("17FC0327DE474C78F538B4F3981674FF470AA42EF3B82C0CC34DE6DA")); test_hash(&nettle_sha3_224, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("88FEFBE8995E296A9DEE4DA2B414D5A7E134045639A6B176C2D736ED")); test_hash(&nettle_sha3_224, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("C002732F6F38AB83828921F5FCB4A8CE1FC561B0E9FA214C5FF02192")); test_hash(&nettle_sha3_224, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("44E9002F9D97D98BB439AFC361F93BB959523E73136A2C65B2E2B066")); test_hash(&nettle_sha3_224, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("2BFF16CBA9E50762D2288EB780078462C086F4CBF59479F5387A0B27")); test_hash(&nettle_sha3_224, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("5EFDC3CAA22EE2C2EB632D4C6645CE3EC63960DFD69A04BBE01156C5")); test_hash(&nettle_sha3_224, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("E8FB64A74387C9A3E1AC4ABC82D3591B6B349F2E5CDE6584D8D7C371")); test_hash(&nettle_sha3_224, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("DB224BCCF5CA86DFBA3EA372E2269750B532409EA004E82D4B5835E8")); test_hash(&nettle_sha3_224, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("4E28867DCEF3A7B759CA24D8107BEB0CBF9DB0F10A3C410A9B4BA8C8")); test_hash(&nettle_sha3_224, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("5C0C2DF13A1FD6762B6E50FB3E080E649C3A7A8DDA415C42FB637136")); test_hash(&nettle_sha3_224, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("36F5630EC2829B0FBAD84F150932E46647EDCC454E06B23166661D60")); test_hash(&nettle_sha3_224, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("DAC2594BCD357E63928A21E98348F27D0FA2C70EB07C7E8E93D6D84E")); test_hash(&nettle_sha3_224, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("24970DF3CF8C9E30DCBE661817FF74538AD43BC90B149ED7CAB7811B")); test_hash(&nettle_sha3_224, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("AD9BF420D2B570EBE7923A76B253F156F3513712955BCBB9A87394DB")); test_hash(&nettle_sha3_224, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("2F60928263FE1D5FA5136DA8DE1D2C3B60BD4B700A3E2C256E9536EF")); test_hash(&nettle_sha3_224, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("BFB40F7E7F81F2FEC7644E08FBC99C768ADC6314B8CCD833332F1BF8")); test_hash(&nettle_sha3_224, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("190E9FDA8A7D78343FF24ADE9FEE69650C7631AD6329D17D4BD575DB")); test_hash(&nettle_sha3_224, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("E26CD20B87083CB9F246D216E3DA51EF7C5519B483DB439D37256DBE")); test_hash(&nettle_sha3_224, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("6CAF807F6ABC1A7721A5F209FC09FD00474B9E2A77EF7B57E1320271")); test_hash(&nettle_sha3_224, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("64CD5291A1A0807BA7C14103A0F46C636795F8F8D3A12E59E88D9C51")); test_hash(&nettle_sha3_224, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("29491256A80BF1A9325348B5841EDC726FA8A53117268C47F74B5E49")); test_hash(&nettle_sha3_224, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("A523449B770A8DE3B39CD446046149FEAEE327D6D5B39929B9AAC915")); test_hash(&nettle_sha3_224, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("ABB2FCE213CE164C94AB7A763C21F638A3BB8D72F802DEADACC023AE")); test_hash(&nettle_sha3_224, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("C40D969F7218D71B904C4E4EACEB0473BA0A2E7339649DA5DFEB8938")); test_hash(&nettle_sha3_224, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("2EB28FDF458D4FECB5B441D910B576F630E666BBF30AAC90AB64425B")); test_hash(&nettle_sha3_224, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("A3387B2FA23A13BFAE77895F1F93935A0710EE3A027FF0D6399D8ECC")); test_hash(&nettle_sha3_224, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("75755F46C2FC86BD4AAE75919C6CA5B1A7375E466CA3170F70EEE490")); test_hash(&nettle_sha3_224, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("7184C69EE1C43FD564102CD68EF898D5D0D8264B9B0D044691BC18AF")); test_hash(&nettle_sha3_224, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("F50CF78FF46513C905399CC2510681A90CE089FCED40FBC9CF218CA4")); test_hash(&nettle_sha3_224, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("F2AABE18D7B4DD8E4DC0AC8DCF4E9019C7C9AF33D4B952DA41219FE5")); test_hash(&nettle_sha3_224, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("AC5D00D177E71D7B9A97270E6200E4D3D07851EB2E58B12BE0BEED95")); test_hash(&nettle_sha3_224, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("CB7979B4C6C2826CDEF7E1AADA85F8C4546DD59D29FC0AEA444F8077")); test_hash(&nettle_sha3_224, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("F9D8CCF6684693C40C81EBBD006C49984FBAF3A2B2E905ABE60765DD")); test_hash(&nettle_sha3_224, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("ED1F6387A7BE090277B65A5FCD7040C7BE0EEAF0FD7F14968097873B")); test_hash(&nettle_sha3_224, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("0A27CE6973CB22A8B10057A8E7A654058B71E6D8C69C653415FF0C81")); test_hash(&nettle_sha3_224, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("BE3BE49980F43FB6598BE921D7D8FDA1F397F605D9708C5D125C4E9F")); test_hash(&nettle_sha3_224, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("932137BF2CD32DDFD3BA80C525268730B6F7458601B5296AEB325183")); test_hash(&nettle_sha3_224, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("796698CE24EFCDA8214D161138F3C7DA6D7615E4CF1DAC63B69941F9")); test_hash(&nettle_sha3_224, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("B216930E158D65FB1FF424F9EAB6CD28996231EF5EE1D65DBE29D370")); test_hash(&nettle_sha3_224, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("AF6C676A62288B2D25A862F8866B262A74E3D2A0D414B966CE601E14")); test_hash(&nettle_sha3_224, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("418C83EB01881B4F38544665201DD05C939CA047D31834F637342342")); test_hash(&nettle_sha3_224, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("64D78817714FE05272D3805E6E19056B1649036CDCD5094FD1CC890A")); test_hash(&nettle_sha3_224, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("2C4E7C537D0E2AF2261A669BC24BD0DF16D2C72A7F98D7A5EF6A8150")); test_hash(&nettle_sha3_224, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("DF1FCB80AB380CA33BDB61F96ADAB334937E190F03C1B78B219E50F8")); test_hash(&nettle_sha3_224, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("0DD77ADA384CAB6A7ACED19CFC8048C2566D4303E2010C98D16A0516")); test_hash(&nettle_sha3_224, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("B256D0D6B6D6A72E113D105AD9601C91933D53B20A30D8E2CF33F96D")); test_hash(&nettle_sha3_224, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("B95F72512546E4AF685931246717BC482BFE922789A26EEF01BDE82D")); test_hash(&nettle_sha3_224, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("628238A9532727CC83F8FDCED11D138A17EEE4822C5D3549157D6D5E")); test_hash(&nettle_sha3_224, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("AB0FD308590574D6F6130232D9FAFA9FFCFEA78579A6A8F67C590420")); test_hash(&nettle_sha3_224, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("D5134200DC98F4CA480CD24D24497737252B55977AE5A869BA27089D")); test_hash(&nettle_sha3_224, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("494CBC9B649E48EC5AD7364AEB9C8EDF4A4F400789EF203F7B818A44")); test_hash(&nettle_sha3_224, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("7FF8A28AB12074102AEF3EFB8904284B617237322A2BF701C9FCFEFC")); test_hash(&nettle_sha3_224, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("50CDBEAB4BBAA0861F3E364AF520F9D8B54E79E3871ABCA7BBB2BAE5")); test_hash(&nettle_sha3_224, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("29B6B523C82F499078C73630BA38227BBD08EF1A2D67B425C058DEF5")); test_hash(&nettle_sha3_224, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("93CE0C8D4355300D4E63D6599129DEA7420E5B609DBB35BE432B12B5")); test_hash(&nettle_sha3_224, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("D02896D957B599869F2B2A4992A49EEF7AB1308F456C78C809BDAC88")); test_hash(&nettle_sha3_224, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("181E2301F629A569271BB740D32B1D3BD25ACB179E9AEBEF98009ED4")); test_hash(&nettle_sha3_224, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("5CD017B269A6366C789D9CECAEF3EE9C3575181A084266D78A028DB7")); test_hash(&nettle_sha3_224, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("AC280A211C98A07F6FCBB719F250E3E5A6BA2C93A833976C9F3147EB")); test_hash(&nettle_sha3_224, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("C284C9308A28B6D29CCAA7853F8C41BADCDDBC1AA4E99481A6EE2F4D")); test_hash(&nettle_sha3_224, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("3D9A979B34D45569E1C98D09DC62D03616C0251C41A8B90138750F1E")); test_hash(&nettle_sha3_224, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("8DDC9F1E0F94C1247A67D6119A9169762C6C7F1EC7F611D61353AB30")); test_hash(&nettle_sha3_224, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("46EDA2622D49B9148B40B6014C75A4086EB9DD4740F0DD591ACA53B2")); test_hash(&nettle_sha3_224, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("57CFA137968C39EAA12533044B8265BB903EC16C8D17B6CF1F106C57")); test_hash(&nettle_sha3_224, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("8730C219E19D9D37CB7A63A4DDD55E84DCB0236EF7C8828B2A23C9B9")); test_hash(&nettle_sha3_224, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("61C01FB4A010F319D193CB6D36063751950A1A8F93539BEA32F84EA1")); test_hash(&nettle_sha3_224, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("1459044DF9C26F5E240F6A6B9380734CAD84B6592FC9693DDD9F974E")); test_hash(&nettle_sha3_224, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("EB5CC00173239851F3960EDAC336005109189DFC04B29CA4CDDE5BC1")); test_hash(&nettle_sha3_224, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("A640D4841390F47DC47D4BFCF130FCF51C5F2D491F91C13374CE5965")); test_hash(&nettle_sha3_224, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("85BB3ED98C4808D8F67C722C9119C54E6543B29E57BD4FB5CBC878C7")); test_hash(&nettle_sha3_224, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("50B7D0ACB93211E0FC935F970BC43A00BE829D6B3C137D4A7E3B2BC1")); test_hash(&nettle_sha3_224, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("7CDC1782B39FC0EEB1F874D97C88051CF10508E0875FA173AC41CC8E")); test_hash(&nettle_sha3_224, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("EE5D508A4E75900193E99A04B8D838A18DEDFCC431E7AF3182A47DD6")); test_hash(&nettle_sha3_224, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("5942BA8B58A355F2AEF07E29F8F9971301E877FA32D7025DF552B1EB")); test_hash(&nettle_sha3_224, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("29240A9E973888B98A3A836933855D41D8ABB6C3806A626C3DF18F6C")); test_hash(&nettle_sha3_224, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("9AF178B1DD3CEFC96227A289175BB61D9F6B0B352D7804F5E07EA45D")); test_hash(&nettle_sha3_224, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("F543B4D423EAAC86338BB6D8C6181AD6DC0A25733953CED7EB8377F3")); test_hash(&nettle_sha3_224, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("77B4079EEE9D9E3FDA051EE0CA430B4DF011D056612C1AF446A187C2")); test_hash(&nettle_sha3_224, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("987D30120C9AA4964650A6A730E99C86F7FBDDB4EA8D6B4815EE4EBF")); test_hash(&nettle_sha3_224, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("46193359397BC3EACD69BFF410203583382DE93ECC4D80DCFB4FC51D")); test_hash(&nettle_sha3_224, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("0BC29107C7E25D44F8CE83A415B1DE5DF38A6719769606762B7192C2")); test_hash(&nettle_sha3_224, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("B485644C32283B280179F7C9714350F0B3ACFD7C45A247BF3B6CDB07")); test_hash(&nettle_sha3_224, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("F384542499EFD23381DEBCD9124C539C40BFA70E517280F56A0920E1")); test_hash(&nettle_sha3_224, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("D12E3884BC8CF9175D1778E8A3AAA119E4A897738F8D81B1278BC448")); test_hash(&nettle_sha3_224, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("D8A348264D48045D4482F3FE002C1A1F36D4DF0D5E47FAC5125C7947")); test_hash(&nettle_sha3_224, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("6865464C6A230B4BF64BA33BF97459D1D22DAFB19E08F4B7DACE02FF")); test_hash(&nettle_sha3_224, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("19D33CD354A13AB2A44044154BD865F117EF8A887FBD0570A8A4CA80")); test_hash(&nettle_sha3_224, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("E438AE4153463B333AE4FE57BF131505C8C04A534A39A20574155E49")); test_hash(&nettle_sha3_224, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("454796C7219C6F7E88508DFC13668B81748211BD016D84B59293B445")); test_hash(&nettle_sha3_224, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("CE158AED6ED3C9D4432E2422AF8D255AB1F3898F6F5B5C5A1478552C")); test_hash(&nettle_sha3_224, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("A0A21D95E640F13B25652484E244BE1B373E9B0609B685EFCE48107A")); test_hash(&nettle_sha3_224, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("CA8CB1359F0B05E2FF9414CCE0DE6D2CB4D05B08354C2119A87342CA")); test_hash(&nettle_sha3_224, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("0DDDD152CF063F0F505B518EB8DB755704F45C9735780EC3A898A923")); test_hash(&nettle_sha3_224, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("57397BB1F84711641E94F413F5D73556B96BA5CFE15F709528626D07")); test_hash(&nettle_sha3_224, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("68F6AC4289FD5214263130830FDA4DA601B88B1F8533EAC07A0338D9")); test_hash(&nettle_sha3_224, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("F145C45212392894E7F1C4E52728470F8A2D961514869990EFBE8232")); test_hash(&nettle_sha3_224, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("38CE7100E92EE4B65CC831915A06CFC2101990CB68E1004F7E9017D4")); test_hash(&nettle_sha3_224, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("BD63CA84DAC8BC586D0F0BE352DBBBA1F4CB430DEAA8119B8DA13C06")); test_hash(&nettle_sha3_224, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("7EE4EAEA6127C68EFCE66991B8F0851FE072DF3B1E0B5D07E3A4BE06")); test_hash(&nettle_sha3_224, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("7F3EE578B0410687EAF536F9EC7D654B75F504C104B78793C4CF90D5")); test_hash(&nettle_sha3_224, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("C9C26396E560CD1E6824D9E56E179FCC8AAC4C0D932F7632BA594D4C")); test_hash(&nettle_sha3_224, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("EF30652E3C6EA4EC214472BF96E5F30DCA1D31A78EB422734615EAF1")); test_hash(&nettle_sha3_224, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("5A964BF38EB347684220A3E83EB1EFCB641C8F911CB068A774B25B8C")); test_hash(&nettle_sha3_224, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("07413665EDCB8A35021874984910B498CF74823050640243AE7C84CD")); test_hash(&nettle_sha3_224, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("FCC9EAD160832F5F0FAFED6381AFD57FE1335FBFB05B7FB1F0075D37")); test_hash(&nettle_sha3_224, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("EC5C6DB60B0834FB2E0E7106AEEAFB9E614BE093C847018214D8A5DB")); test_hash(&nettle_sha3_224, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("0D5F6DE16B7CBBA49C28654F2AE98163257E7B6B500A3801EEF0733F")); test_hash(&nettle_sha3_224, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("7B7E1FC4D3833ED87FD166F909F5C2566DC0E95B17AC834F1E9E3DAD")); test_hash(&nettle_sha3_224, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("C6AC9D5464855E5C2F83F2A56F9A992137DA47EC05C541295F8C43E7")); test_hash(&nettle_sha3_224, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("4EE2F93C18974D978DD3A1CBF8B1DAC473807067B8807D026182B901")); test_hash(&nettle_sha3_224, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("D64AEE17ED8E2B85E6B097DB49554D356F032A34A15B7E844EC8D889")); test_hash(&nettle_sha3_224, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("1BDDC92BE89A672C1BD956B450B9D7B47B4BB0BC58AC51F15F7E054D")); test_hash(&nettle_sha3_224, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("0C8AC240170C6546DEBF4BFB5B38F8F30EA5DC6EF86C166E8E136D6B")); test_hash(&nettle_sha3_224, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("2FD9FDFD244B0A7342F886B87B3DDDCE54C8870FB26A71A8F6520231")); test_hash(&nettle_sha3_224, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("1B6BE19D72199BF75FD4075E54975AFA0433B9BF515BD300CE543D41")); test_hash(&nettle_sha3_224, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("A46B89B64B0C7930DD45F5B2582FD79C7AD90A58C94C52F9BFA55CFC")); test_hash(&nettle_sha3_224, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("21F0D8855387241D71A712E5F5682C156B9FD2AA6284294718853F0A")); test_hash(&nettle_sha3_224, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("82EE85541D7A5B2A2B290003C3EE46574D58A7DDD54FBC210F8FEA57")); test_hash(&nettle_sha3_224, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("278DD8A3F3208191CFF658B8D6DB35E133A16E47AA375EDB92C6A737")); test_hash(&nettle_sha3_224, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("B50527711C047DEF70B17CF20F970BED79C1C1B95275C2784C3903DE")); test_hash(&nettle_sha3_224, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("F77CB5275212C92FA0DAD921B65F50814822E3D6D584C89528990F02")); test_hash(&nettle_sha3_224, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("76CA9E685DFADC67576D44E8C1A82E8CF7E92FB0A81FE49E21108E09")); test_hash(&nettle_sha3_224, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("ABD313BC70B7FAB0EBC167D739B54C97389E752EE1A313B12673F51C")); test_hash(&nettle_sha3_224, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("F79F6356328C580B811FEA81C5ED90A303CAF34A09BEB143BE450D42")); test_hash(&nettle_sha3_224, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("299D62F8DF5EADE6871883B033B830A9952A74B12F3D55AF798C6997")); test_hash(&nettle_sha3_224, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("82BA2B8D65E14FDAC51F609F888881DB8070A0B70D7892C009A1AD28")); test_hash(&nettle_sha3_224, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("F8E5218DB087D38B1C773247FC22704C1FBDB20B1500E26AFA0B7572")); test_hash(&nettle_sha3_224, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("FA602F09B28F8679771E9C3966032B80FA2F0F33E84F3ED69BE7AE9C")); test_hash(&nettle_sha3_224, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("C8D7568889DD6FCBC3B8874ED79051875D3CE29102DF0C5DAC8AEB8A")); test_hash(&nettle_sha3_224, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("D83B06D509D332164087C0C3FA50B2264CB27F66D746B0470166CBC2")); test_hash(&nettle_sha3_224, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("386147B0CF2365346E9846D3F3A7DCEEB6E3665BA7D1593C08B2B582")); test_hash(&nettle_sha3_224, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("A69C0C18A712408D8FA2389ACABC3BF6F6412F69783E9F37960D0B56")); test_hash(&nettle_sha3_224, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("0699FD35416D83791DC8E656F22718B09DA9E3DF6E7F37A250E22DCD")); test_hash(&nettle_sha3_224, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("BF6A3598A15E28B776229F4D124D403FAD9D0FBC2B7668C95D8B5046")); test_hash(&nettle_sha3_224, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("56F8E9F69A399E528996C463D65F20DB41406533C7DF2BA1AFA2494A")); test_hash(&nettle_sha3_224, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("9904D57DEDB935427F235A0009612235F14E9426B218E028F87B3C0C")); test_hash(&nettle_sha3_224, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("FF7013679AB2BE65AEDD09739F56F8DD0072738B86E71A2470476C8C")); test_hash(&nettle_sha3_224, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("9DFB6A854A33914EAE1596DCD2BE363A96E7E088BE520F60E5A65C7F")); test_hash(&nettle_sha3_224, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("C27E80C373B216703D3D9E67223CFC5497C3E74455D49B049AE3F5F4")); test_hash(&nettle_sha3_224, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("3A189630F53C567B1C1825794D50DEF901A00E7F3728ECF2BBE00D90")); test_hash(&nettle_sha3_224, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("2585BD8D9158D6952BEE95B004F5FED70FAF061B68AB2D6A40469BE7")); test_hash(&nettle_sha3_224, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("7E64F3C5895D0586CC5B543B27DE1B66A935171E2E7F3CA48DD3718E")); test_hash(&nettle_sha3_224, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("0F837708E010375AF87F75415ED69988FE60EB2F2669AD051FA99727")); test_hash(&nettle_sha3_224, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("C79DE39778593810C03583D5962B36E04F343653074766D157A15993")); test_hash(&nettle_sha3_224, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("95CC811CC56521A40E3CED8D9A230E2101E8061FB01E388B9964BF29")); test_hash(&nettle_sha3_224, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("2EBE13F12EC43E3F6B0506D7AB216E1C311394F7C89D69A920CD00C0")); test_hash(&nettle_sha3_224, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("820101F5435D86E19BEC58ED0E1C7E630FE82DD92D7704E414802A16")); test_hash(&nettle_sha3_224, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("B1CF54F51F81FDB5B649BB6115126149296278BFF3D5395CF5F112D4")); test_hash(&nettle_sha3_224, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("B602722D1B9F31B9C5091E0FF720F1D1A8A51EB6F95ED3B412DE063D")); test_hash(&nettle_sha3_224, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("1368454E849F2D2299077F40826B4072E6FEE49B2062CB8E3B4523C9")); test_hash(&nettle_sha3_224, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("5765B70574F93341C1CC4ACB34F645B5D97B81D4CE8F38C3862F6C19")); test_hash(&nettle_sha3_224, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("B8FB318245B4042222B4063A053F15DA6B894F22736F3F9E26F72175")); test_hash(&nettle_sha3_224, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("353622E92C7907F5563BAF8F4E7AF0C2F872F4FB583B01AF9EB3D907")); test_hash(&nettle_sha3_224, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("87215AF73D5CDE98B355479AFB82A511180B7DC3D5342C88E133AED8")); test_hash(&nettle_sha3_224, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("25AE852DBA36B8D58A94DD5CFD8345141FF57E7DB7D7816C4F7252BB")); test_hash(&nettle_sha3_224, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("ECE0394418F066F55023797551E06F6A7D1645682AA4D9DD75AF8E76")); test_hash(&nettle_sha3_224, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("84A4BD2E3FA26C4FB01FE81953398F5B4B5704944354B51B887FD990")); test_hash(&nettle_sha3_224, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("170C413863D9F4E8C0B87A8532416B10A69C348D3A144658EAEEF0ED")); test_hash(&nettle_sha3_224, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("D8C257DB76536F7EF1DCFB24976EB716D9491CD8651E0254E7C4A5BB")); test_hash(&nettle_sha3_224, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("F81D8EE40869BB38A13A4F75588FA3308068DD1CDC27267D66FAC198")); test_hash(&nettle_sha3_224, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("94689EA9F347DDA8DD798A858605868743C6BD03A6A65C6085D52BED")); } nettle-3.10/testsuite/cfb-test.c0000644000175000017500000002730014633602172015666 0ustar nissenisse#include "testutils.h" #include "aes.h" #include "cfb.h" #include "knuth-lfib.h" /* Test with more data and inplace decryption, to check that the * cfb_decrypt buffering works. */ #define CFB_BULK_DATA 10000 #define CFB8_BULK_DATA CFB_BULK_DATA static void test_cfb_bulk(void) { struct knuth_lfib_ctx random; uint8_t clear[CFB_BULK_DATA]; uint8_t cipher[CFB_BULK_DATA + 1]; const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" "743008105a08657d dcaad4128eee38b3"); const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("1fd0a9189b8480b7 b06a2b36ef5943ba"); struct CFB_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CFB_BULK_DATA); knuth_lfib_random(&random, CFB_BULK_DATA, clear); /* Byte that should not be overwritten */ cipher[CFB_BULK_DATA] = 17; aes256_set_encrypt_key(&aes.ctx, key); CFB_SET_IV(&aes, start_iv); CFB_ENCRYPT(&aes, aes256_encrypt, CFB_BULK_DATA, cipher, clear); ASSERT(cipher[CFB_BULK_DATA] == 17); if (verbose) { printf("IV after bulk encryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ aes256_set_encrypt_key(&aes.ctx, key); CFB_SET_IV(&aes, start_iv); CFB_DECRYPT(&aes, aes256_encrypt, CFB_BULK_DATA, cipher, cipher); ASSERT(cipher[CFB_BULK_DATA] == 17); if (verbose) { printf("IV after bulk decryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); ASSERT (MEMEQ(CFB_BULK_DATA, clear, cipher)); } static void test_cfb8_bulk(void) { struct knuth_lfib_ctx random; uint8_t clear[CFB8_BULK_DATA]; uint8_t cipher[CFB8_BULK_DATA + 1]; const uint8_t *key = H("966c7bf00bebe6dc 8abd37912384958a" "743008105a08657d dcaad4128eee38b3"); const uint8_t *start_iv = H("11adbff119749103 207619cfa0e8d13a"); const uint8_t *end_iv = H("f84bfd48206f5803 6ef86f4e69e9aec0"); struct CFB8_CTX(struct aes256_ctx, AES_BLOCK_SIZE) aes; knuth_lfib_init(&random, CFB8_BULK_DATA); knuth_lfib_random(&random, CFB8_BULK_DATA, clear); /* Byte that should not be overwritten */ cipher[CFB8_BULK_DATA] = 17; aes256_set_encrypt_key(&aes.ctx, key); CFB8_SET_IV(&aes, start_iv); CFB8_ENCRYPT(&aes, aes256_encrypt, CFB8_BULK_DATA, cipher, clear); ASSERT(cipher[CFB8_BULK_DATA] == 17); if (verbose) { printf("IV after bulk encryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT(MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); /* Decrypt, in place */ aes256_set_encrypt_key(&aes.ctx, key); CFB8_SET_IV(&aes, start_iv); CFB8_DECRYPT(&aes, aes256_encrypt, CFB8_BULK_DATA, cipher, cipher); ASSERT(cipher[CFB8_BULK_DATA] == 17); if (verbose) { printf("IV after bulk decryption: "); print_hex(AES_BLOCK_SIZE, aes.iv); printf("\n"); } ASSERT (MEMEQ(AES_BLOCK_SIZE, aes.iv, end_iv)); ASSERT (MEMEQ(CFB8_BULK_DATA, clear, cipher)); } void test_main(void) { /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors * F.3.7 CFB8-AES128.Encrypt */ test_cipher_cfb8(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d"), SHEX("3b79424c9c0dd436bace9e0ed4586a4f" "32b9"), SHEX("000102030405060708090a0b0c0d0e0f")); /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors * F.3.9 CFB8-AES192.Encrypt */ test_cipher_cfb8(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d"), SHEX("cda2521ef0a905ca44cd057cbf0d47a0" "678a"), SHEX("000102030405060708090a0b0c0d0e0f")); /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors * F.3.11 CFB8-AES256.Encrypt */ test_cipher_cfb8(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d"), SHEX("dc1f1a8520a64db55fcc8ac554844e88" "9700"), SHEX("000102030405060708090a0b0c0d0e0f")); /* From NIST spec 800-38a on AES modes. * * F.3 CFB Example Vectors * F.3.13 CFB128-AES128.Encrypt */ /* Intermediate values, blocks input to AES: * * 000102030405060708090a0b0c0d0e0f * 3b3fd92eb72dad20333449f8e83cfb4a * c8a64537a0b3a93fcde3cdad9f1ce58b * 26751f67a3cbb140b1808cf187a4f4df */ test_cipher_cfb(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("3b3fd92eb72dad20333449f8e83cfb4a" "c8a64537a0b3a93fcde3cdad9f1ce58b" "26751f67a3cbb140b1808cf187a4f4df" "c04b05357c5d1c0eeac4c66f9ff7f2e6"), SHEX("000102030405060708090a0b0c0d0e0f")); /* F.3.15 CFB128-AES192.Encrypt */ /* Intermediate values, blocks input to AES: * * 000102030405060708090a0b0c0d0e0f * cdc80d6fddf18cab34c25909c99a4174 * 67ce7f7f81173621961a2b70171d3d7a * 2e1e8a1dd59b88b1c8e60fed1efac4c9 */ test_cipher_cfb(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5" "62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("cdc80d6fddf18cab34c25909c99a4174" "67ce7f7f81173621961a2b70171d3d7a" "2e1e8a1dd59b88b1c8e60fed1efac4c9" "c05f9f9ca9834fa042ae8fba584b09ff"), SHEX("000102030405060708090a0b0c0d0e0f")); /* F.3.17 CFB128-AES256.Encrypt */ /* Intermediate values, blcoks input to AES: * * 000102030405060708090a0b0c0d0e0f * dc7e84bfda79164b7ecd8486985d3860 * 39ffed143b28b1c832113c6331e5407b * df10132415e54b92a13ed0a8267ae2f9 */ test_cipher_cfb(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("dc7e84bfda79164b7ecd8486985d3860" "39ffed143b28b1c832113c6331e5407b" "df10132415e54b92a13ed0a8267ae2f9" "75a385741ab9cef82031623d55b1e471"), SHEX("000102030405060708090a0b0c0d0e0f")); test_cfb_bulk(); test_cfb8_bulk(); } /* F.3.13 CFB128-AES128.Encrypt Key 2b7e151628aed2a6abf7158809cf4f3c IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block 50fe67cc996d32b6da0937e99bafec60 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 3b3fd92eb72dad20333449f8e83cfb4a Segment #2 Input Block 3b3fd92eb72dad20333449f8e83cfb4a Output Block 668bcf60beb005a35354a201dab36bda Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext c8a64537a0b3a93fcde3cdad9f1ce58b Segment #3 Input Block c8a64537a0b3a93fcde3cdad9f1ce58b Output Block 16bd032100975551547b4de89daea630 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 26751f67a3cbb140b1808cf187a4f4df Segment #4 Input Block 26751f67a3cbb140b1808cf187a4f4df Output Block 36d42170a312871947ef8714799bc5f6 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext c04b05357c5d1c0eeac4c66f9ff7f2e6 F.3.14 CFB128-AES128.Decrypt Key 2b7e151628aed2a6abf7158809cf4f3c IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block 50fe67cc996d32b6da0937e99bafec60 Ciphertext 3b3fd92eb72dad20333449f8e83cfb4a Plaintext 6bc1bee22e409f96e93d7e117393172a Segment #2 Input Block 3b3fd92eb72dad20333449f8e83cfb4a Output Block 668bcf60beb005a35354a201dab36bda Ciphertext c8a64537a0b3a93fcde3cdad9f1ce58b Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Segment #3 Input Block c8a64537a0b3a93fcde3cdad9f1ce58b Output Block 16bd032100975551547b4de89daea630 Ciphertext 26751f67a3cbb140b1808cf187a4f4df Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Segment #4 Input Block 26751f67a3cbb140b1808cf187a4f4df Output Block 36d42170a312871947ef8714799bc5f6 Ciphertext c04b05357c5d1c0eeac4c66f9ff7f2e6 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.3.15 CFB128-AES192.Encrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b 000102030405060708090a0b0c0d0e0f Segment #1 50 IV Input Block 000102030405060708090a0b0c0d0e0f Output Block a609b38df3b1133dddff2718ba09565e Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext cdc80d6fddf18cab34c25909c99a4174 Segment #2 Input Block cdc80d6fddf18cab34c25909c99a4174 Output Block c9e3f5289f149abd08ad44dc52b2b32b Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 67ce7f7f81173621961a2b70171d3d7a Segment #3 Input Block 67ce7f7f81173621961a2b70171d3d7a Output Block 1ed6965b76c76ca02d1dcef404f09626 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 2e1e8a1dd59b88b1c8e60fed1efac4c9 Segment #4 Input Block 2e1e8a1dd59b88b1c8e60fed1efac4c9 Output Block 36c0bbd976ccd4b7ef85cec1be273eef Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext c05f9f9ca9834fa042ae8fba584b09ff F.3.16 CFB128-AES192.Decrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block a609b38df3b1133dddff2718ba09565e Ciphertext cdc80d6fddf18cab34c25909c99a4174 Plaintext 6bc1bee22e409f96e93d7e117393172a Segment #2 Input Block cdc80d6fddf18cab34c25909c99a4174 Output Block c9e3f5289f149abd08ad44dc52b2b32b Ciphertext 67ce7f7f81173621961a2b70171d3d7a Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Segment #3 Input Block 67ce7f7f81173621961a2b70171d3d7a Output Block 1ed6965b76c76ca02d1dcef404f09626 Ciphertext 2e1e8a1dd59b88b1c8e60fed1efac4c9 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Segment #4 Input Block 2e1e8a1dd59b88b1c8e60fed1efac4c9 Output Block 36c0bbd976ccd4b7ef85cec1be273eef Ciphertext c05f9f9ca9834fa042ae8fba584b09ff Plaintext f69f2445df4f9b17ad2b417be66c3710 F.3.17 CFB128-AES256.Encrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block b7bf3a5df43989dd97f0fa97ebce2f4a Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext dc7e84bfda79164b7ecd8486985d3860 Segment #2 Input Block dc7e84bfda79164b7ecd8486985d3860 Output Block 97d26743252b1d54aca653cf744ace2a Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 39ffed143b28b1c832113c6331e5407b Segment #3 Input Block 39ffed143b28b1c832113c6331e5407b Output Block efd80f62b6b9af8344c511b13c70b016 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext df10132415e54b92a13ed0a8267ae2f9 Segment #4 Input Block df10132415e54b92a13ed0a8267ae2f9 Output Block 833ca131c5f655ef8d1a2346b3ddd361 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext 75a385741ab9cef82031623d55b1e471 F.3.18 CFB128-AES256.Decrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 IV 000102030405060708090a0b0c0d0e0f Segment #1 Input Block 000102030405060708090a0b0c0d0e0f Output Block b7bf3a5df43989dd97f0fa97ebce2f4a Ciphertext dc7e84bfda79164b7ecd8486985d3860 Plaintext 6bc1bee22e409f96e93d7e117393172a Segment #2 Input Block dc7e84bfda79164b7ecd8486985d3860 Output Block 97d26743252b1d54aca653cf744ace2a Ciphertext 39ffed143b28b1c832113c6331e5407b Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Segment #3 Input Block 39ffed143b28b1c832113c6331e5407b Output Block efd80f62b6b9af8344c511b13c70b016 Ciphertext df10132415e54b92a13ed0a8267ae2f9 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Segment #4 Input Block df10132415e54b92a13ed0a8267ae2f9 Output Block 833ca131c5f655ef8d1a2346b3ddd361 Ciphertext 75a385741ab9cef82031623d55b1e471 Plaintext f69f2445df4f9b17ad2b417be66c3710 */ nettle-3.10/testsuite/shake256-test.c0000644000175000017500000136546014633602172016501 0ustar nissenisse/* shake256-test.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "sha3.h" #define MIN(a,b) (((a) < (b)) ? (a) : (b)) const struct nettle_hash nettle_shake256 = { "shake256", sizeof(struct sha3_256_ctx), 0, SHA3_256_BLOCK_SIZE, (nettle_hash_init_func *) sha3_256_init, (nettle_hash_update_func *) sha3_256_update, (nettle_hash_digest_func *) sha3_256_shake, }; static void test_incremental (const struct tstring *msg, const struct tstring *digest, size_t interval) { struct sha3_256_ctx ctx; size_t offset = 0; uint8_t *buffer = xalloc (digest->length); sha3_256_init (&ctx); sha3_256_update (&ctx, msg->length, msg->data); while (offset < digest->length) { size_t to_read = MIN(digest->length - offset, interval); sha3_256_shake_output (&ctx, to_read, buffer + offset); offset += to_read; } ASSERT (MEMEQ (digest->length, digest->data, buffer)); free (buffer); } void test_main(void) { const struct tstring *msg, *digest; /* Extracted from ShortMsgKAT_SHAKE256.txt. */ test_hash (&nettle_shake256, /* 0 octets */ SHEX(""), SHEX("46B9DD2B0BA88D13233B3FEB743EEB243FCD52EA62B81B82B50" "C27646ED5762FD75DC4DDD8C0F200CB05019D67B592F6FC821C" "49479AB48640292EACB3B7C4BE141E96616FB13957692CC7EDD" "0B45AE3DC07223C8E92937BEF84BC0EAB862853349EC75546F5" "8FB7C2775C38462C5010D846C185C15111E595522A6BCD16CF8" "6F3D122109E3B1FDD943B6AEC468A2D621A7C06C6A957C62B54" "DAFC3BE87567D677231395F6147293B68CEAB7A9E0C58D864E8" "EFDE4E1B9A46CBE854713672F5CAAAE314ED9083DAB4B099F8E" "300F01B8650F1F4B1D8FCF3F3CB53FB8E9EB2EA203BDC970F50" "AE55428A91F7F53AC266B28419C3778A15FD248D339EDE785FB" "7F5A1AAA96D313EACC890936C173CDCD0FAB882C45755FEB3AE" "D96D477FF96390BF9A66D1368B208E21F7C10D04A3DBD4E3606" "33E5DB4B602601C14CEA737DB3DCF722632CC77851CBDDE2AAF" "0A33A07B373445DF490CC8FC1E4160FF118378F11F0477DE055" "A81A9EDA57A4A2CFB0C83929D310912F729EC6CFA36C6AC6A75" "837143045D791CC85EFF5B21932F23861BCF23A52B5DA67EAF7" "BAAE0F5FB1369DB78F3AC45F8C4AC5671D85735CDDDB09D2B1E" "34A1FC066FF4A162CB263D6541274AE2FCC865F618ABE27C124" "CD8B074CCD516301B91875824D09958F341EF274BDAB0BAE316" "339894304E35877B0C28A9B1FD166C796B9CC258A064A8F57E2" "7F2A")); test_hash (&nettle_shake256, /* 1 octets */ SHEX("CC"), SHEX("DDBF55DBF65977E3E2A3674D33E479F78163D592666BC576FEB" "5E4C404EA5E5329C3A416BE758687DE1A55E23D9E48A7D3F3CE" "6D8F0B2006A935800ECA9C9FC903D86F065367221067658B4D7" "473ED54800D196FBE1089811DD9B47F21E3698B1573653ADAD2" "31C39F145B586D6C0133378416138E4423F7AF7DACFFE965706" "A3C49024002B53BA05871E3F066694B163630B0053BE41FA45D" "4317EAA84214254038A37A9C83D62EB9EA6E6ACAFA6BBFE5AF9" "F389690D5A9E27BF97C1B93D93ECF36DF6DA212E12B24481541" "56E94687336B6DA91E368512B9F34C616166542923F3618640D" "930F922A3DDDD2F87920378541446F2223F593931BD1BA02E29" "07CE3404621F26B900D05A1119A9E4934A7CD818DD9237445BF" "50475A011EA0078788801D21DFECB7A2BB294E4956DFA71D8CC" "472405342BF80120FE18A551D88D6ABC24D83F077BFB25EBDE5" "F4B03678D677EE646DCE3496D5138BE108782CA5A00AAFF3CB4" "BB873EC0F2E932DD74847033EC5F07254E3027B0AC12DB7D6D3" "F90B53D8A5BD63B99C3BF5CD38B453D7CB12D0AE2BF1CFD3EE8" "8AF71BB6606B0B791DEFC2D762C8641BB8319FE17321EBA407E" "B744699D92B35ABD79F5B9A85408C93D61233FECE638023875A" "A02B9EDBACC84003A28CCA2D55A0742D635FDA888905986CA01" "C1E6420D49EC25224D84E915DFD1638A492282F1FD053770168" "953C")); test_hash (&nettle_shake256, /* 2 octets */ SHEX("41FB"), SHEX("B64ECACD5F7499ACC085C908D35DCC1FC0131816F28D360592E" "1265079F92A5F844C4BF6AA50D98D52720797E8C992F43C76A7" "3FD95F9BC4CD272157842ADA2518190FCA342DC20D0C57CDDF0" "1B3DDF77977EDED63445E40BE82DF8D26DB629A2D307EE9FE28" "D2FE557E3971858C6D67C42BE2CF44DD7570521CE0647446742" "5B7AAAE39DB90945BAD388009ED5715C684BB4E4981EEA324EC" "F66584AD08D9F27C6A4DCF615591857BC7364E8A7C136661AE5" "FFE828C734DD5EA5A071276E8477B8525E02B7B445D91CC6E37" "D58740DC2B069BE6D92E7DF95C1AB52B76F7761AE34328962EA" "C7156E460B3C04FFECAEC8722A56E7373285E42D4CAC5498F8D" "7DD5ECDA9F9973A32F8D425171E1390BFC812C9EE4D4AB8FA9A" "0D93AA90A4C258FC64D77BBCF49977E87C3810C80C458516899" "6A31F446F9391A193B888CD321E22E9368F4F11495FE124141C" "04015532345D7CB0A13A4DD9007D737B3A176A88E5FC153D4AC" "2E8CD641C40C4261BBA70E1B87114030FF67CB22ACEC90AC288" "D6B59D25B00038468B4780254FAC4EF158EC2CD52C0AB9217EE" "D1ED0A5E7B4C4B3A64B1824E2B27AA53398765D5352BD1ED0E9" "C7B3FB264D141741659F7D8FD0EEEC9F9163C42AFDB540D5F2C" "87833880A0C942AE4CCEA7FFF2F4C798B8AAF24C33BE8054A09" "459A3AF7200D555334241709A18ECF88CE93C99234D6AB02859" "16AE")); test_hash (&nettle_shake256, /* 3 octets */ SHEX("1F877C"), SHEX("F6BF0397DBFBB20E4AE30F0A47FE976CD109B3AA09B0E3F29F5" "60E4ED333C0D083326B03F6EAEB57E277BBFE1CCE36C499434D" "838CB4C8CD8B02A87790F4A6717B22D46F9220391C420A1A1BF" "AA9ED5B85116BA1D9E17FF16F6BCE6704C80A49FD9AC42689DB" "0996C6BD3266694077C6DE120043A827D44979CE8CCC6AA7E53" "08EBA64ACF9FFFF51D36BC4401F8117D4B96340C62D106B0A64" "45F01987F9C4C0A420E1A9BAEB594BCB1BDBFE59B6065EB91CB" "EB252473C7858ECA475E1C81E8425C7E2C1706C4C4ABB3AEAE3" "9332479ECDEFDFA93C60EC4007A51C5DD093B527264155F2202" "E01D2083D27D71A6F6C92D839E6EA7D24AFDB5C43630F1BD06E" "2B45B2C0D0AD70BDA111363298AB9754F26DB00A3FD93D72981" "DD463DEFD286320A274F5422E9400DC6E7C78D75534C75AF6B0" "398596EEE5048919B8FE33467C2B7C227BC88994B28819815D8" "21DC27BAD0458D57F40B12A8A933729A0F6BAE74DBD150325D1" "4C302835AB95DABDE87A2ACEE9347609A6175DBB538FDFB278B" "E0B3D5F062768F9E0EB1AC9C36B4E05E3ADFCA73981CEBAF6E0" "47A18196EA78846D9A782B6E1CEE2036866DBCA749644E74EF5" "A4538D4AFB1706B360F734814313D20A1AC626BEE7AC0FE9F27" "7D48BC50816AC9743A61E32F8B26CA6F4DC81FE7F3558AA2F18" "586D89A8E3070868C76B4CA4727F541072DCDAB3D547D52ABB6" "F356")); test_hash (&nettle_shake256, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("CE7FBC15503986E3B84530D84A16EF64332A6EA57E354E9F205" "4BFC2AA8891F94B4FDD42FD227C94B33F9AD45CF3982239F81F" "BC2CBAC7809F01E1C294073AD6D2821C1283C5C427F41FD4645" "5EF7B4EA0D6D5E249AF95FAC80A8678C1A5318443E63122DDFE" "D2591FC690527F97A09920941B02439AF3BA36B17FD588E187F" "CBC1FF109AB4A9ECFC671926EF0CC9C82EE06EC6759E2758A88" "59B8FA9DDF46D6C049621FF589F3FF56C9419D6F48A68B68FEF" "D068ABEC24824D7FC150277C2439BF78D15D59DBAA2CB17E528" "2E6E9ED744841F4A4BBB778CFEAB0471CE850B2A2F948DB3926" "F733EF7B3AA9AB8EA84278DCA62B0691F5DD13EA11660A8E2FB" "5CD8BA74A352C044E7219E750F29B62F94ED268A68029B94B64" "F3D4F2193A7FC69ED34A59657471F04C4961084EBB581ABCC9D" "50E3674A7DEBB285FC7215BF6606DB1392A7F1619B347A4D07D" "230DA07811FDE2AEBE45A70178CF841C619F712EF26BEEECC41" "83A1040076E73FCF6FABE5C25A4B71D564A97CF3C88F1856D9C" "8B42E94F746CE4605D2AAEB56D1DA5527598E17E5680D309788" "E09910BEB74DF7D3C3CD4EC680083F5845F4A1C15070E57979C" "01B89DF7BE64435EA4817BC0AD23ACCA6CB878F7131F02F9215" "E2D5C12CF3B4D24B29620C891A54AC8BE6E3DEC08397887DE0E" "A86B81A5459B968FBAE18B4B0324DE7E7C1AEEFC7598644CE1F" "F8F9")); test_hash (&nettle_shake256, /* 5 octets */ SHEX("21F134AC57"), SHEX("BB8A8447517BA9CA7FA34EC99A80004F228AB282472841EB3D3" "A76225C9DBE77F7E40A066776D32C74941202F9F4AA43D12C62" "64AFA59639C44E11F5E14F1E5695208DB78F37CF3AC172469DE" "67B80014D1A4B968A56F855BAF35A275B8EC77B9CA591257AA2" "EF048663CD05D76B72CF3A9D2BB44B154B16E95EB8B61BD8415" "A867367F0031BFF5D49237157C197473309FDAAFC8146AB9FCD" "4254477B052AB306BB575ECA6872863B5F43F026C2BE3289E85" "7D50441330EC02F6AB4C6329B18D3AF0A1ED9DB70F34016EA0C" "AFF1F0EF08BA6D26566DF6CCE9A457E1900FBA3338A771E40CF" "B39581F16019D521E4F398539C4A6F2CA22ECF9158B96064C0F" "26B8A076E58B5F0BA3187342A5C9A5569E6D08A2AC27258CF04" "26D995724579C723A0FA8269B4239026A08D88738156943F1DF" "F6E0FFF5E4696149436CD97732424366626CE7B67A3BBE480E4" "25B51872AAE7CE59E70995C194E00FEE82119A4320A4B91158D" "B65B83195C9B799D3EAF3CBF8593D11DC67EE8C0CD7CA4FAE69" "D9F46A7E70186A33DFAAD510D8DEF82AA5710B0ABB70DFC396E" "CFD33F56F66957B82A220D1ECA09166F72358A71054A179C196" "1B64F26A3D7AAFB030C28A73337862E8364D3F562B324CA2EBE" "F58B7A8F089213178C8D0ADDB5A18022154CF010C722C279AE6" "0AA984597EC6542EE1ABDCAAE8D5545FF45E781ABC7145AE2A3" "1249")); test_hash (&nettle_shake256, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("69401EBF1D4C7EA500BE60EF06783DCB009A13B4FCD8B341E5F" "2E40F39E732237E86716F26873C1820BC36D20F6D5E64A9C5E6" "36855305CBC3F4BE4A9905B5F79FB769A794299EAFA8E81FFA5" "1BB4D602480B1C40F9EE9BEE017D5D7F6DE68C8A79EE92A20B9" "DA5BD3D01BC565CDD3E5786FC4D48F719C01CD6D3CAFCD500F4" "F768600E6891102FFC10F1394E3A40A1BD54381775BB400EE6E" "20B95420FCB2C86BBFCF380BC95EEFCA33BC8DE823E13B4B04A" "7AE1FDEB8279F3EF3E4FD50B2FDE530B0D4C8DABDA6F225A412" "1A79FED79D8A013C9DF1103ABF081294FCBBC5ABF20BA38E007" "5169A9C13CFFF94AEB271A46875710A60CD78915C33892D7FCD" "6C97A1C74846ADDA847F58ADCE8EF762D11C4F15FF8B97F9BED" "C97E1A8AE554C0B9E66BA1D48BCFAD0D56F91B65E25B03A5E48" "CF4DB0DBC467BBBC1E037743991AC72B4B259D65013A2708EB8" "25DFDC65093A4F4F5E98427DE7C60138467D8900ADFCE1F2740" "8638DC66957D27CB774BBAFF0BEDEE0F6553BCBAC9724A20E8E" "D0CE6B2F764E4F0D80E4521788A5CC88C3D36F19925AC2F205C" "F6EB7E6D6888EEFD0BE49BC8BFD8A80B9E05DC7513BEBA7BE52" "D39BF9BD2B2DCD03FDC8F8E7F90A83DAB2AD85F51D040BA0F1C" "0A9DC38E929A50DB7F99A26836612E601C6E4346E5E895EF4CC" "FCD6A5CC3777FC11FA64A9AC27D2CDA67E29CB18A7E99E2CA07" "30C6")); test_hash (&nettle_shake256, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("C02561C12CCDD167CA959D9756CC70946F7FED8BA705E3EDC43" "3D3C45D9299D0AEFE9E8E25D602C4DB0D14ECAEFDFDFED2DE13" "4AC5D0C4DFC02ABEFFFDD7667A434936151D529A93CB266100B" "94AD0449597B1590398A1A63C42649385B4CFAA828C89037E0F" "97BEDA8450A68520143889A92C258645664EB57CBA01C3B1134" "318E11A1848D912D0D2CBAEBD59A71B52495671C548522F4013" "94FE48DB49956C03044CAFBD40371EF657F1AA86E4969459BBB" "D21DEA563A51482A47147EF85487A5CCDBC532BC2AEBC3265E7" "1BD8D56F4521CD93354A73D175FCCF5AABEF2768DE2D8E851D4" "FC21FF032829411DB2668300853BA5F8BB1FFDCE3FF59197BD1" "833D2ABFB8C3027B36B21969F7E36C3B6F3FABA9454ADDECDAF" "C213D347A44B0D364997A9E608BCFF3D2004139CD05005B9BD8" "FEC09E5976EAB977B5DE8E39373C10D9EE2D2EC196B33689783" "EF3ABC3DBCECA9BF33E8DEE9A1AFDEAA71A2FE42A3B0C60781C" "9A2D5714278CC7CB349A3B6E7251B96E4E2FAC606B459C28AE8" "1B551168D28ACD01D4A08416B6714D8F82485A1C6D5348F7DC4" "981AA38E7F39EDABC981022C4CD3345383D8C25C929FBF66026" "F91664998BC34F9689375D06FF95D208D4ACC7791633B222ACF" "D3EA26F8B5C4858997A1FF77050F280AC7B7E5325ABE9E55FC2" "7EA8ED1D9D32194B0C5D8807F94AE6F737276065CA08C323E9E" "D421")); test_hash (&nettle_shake256, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("8A804FC3A4FEE6CEF6808C756A17BCDF6B235808493FC78E797" "01E59A9E9A67D60F0F256AA69DC0258A2510F9936AEE2BCBD0F" "679696F439F37BF9AFB170D44A58DBCF71EFF14CEC1E624D3D8" "F1DDDDD3E33421B1E305C794C2C88FCADF9D7C51F52E4352BF9" "C9C895AA457F5449E82FB36E2A64D1AA69771EF3D675F09030A" "95653837AB2237DAA7FCEC36651355B2507713CC6A2186E950D" "E82DC699122644193F8F231C607BA7F3BDD0A214B4EC0155D30" "517F681FDC2A89D3143040BE0E0B6DC7E5185C723464CCAA2FE" "321AF3B4174283355FE3D1CED518E00B6063DDD607B166BA388" "978294244EA8EC773A528003A04914B76E9BE3337D806CA20C5" "84B2BB66AFCD144417E3D93243F185D26DBA90EA39259C7F23B" "8A6427AA8A7622F277605F4A463F78A0C189C8DE2C553AE2077" "3D7CB4F7E26A13F4204B3752D9CEDDF29849798479A4BD0D7CE" "4D22CC51F88127435BD161F026B1811A723E786DB1DC01F921F" "E076C3532FA969EF1F8993E0A4FB6C17597D8DB38DD7AF259E3" "22751CC0A1CCA2EE4940F4EA56CE9179941CF4696256CD04AB8" "53266D12E7E679377D54E2C2F24832974C573192DD2FDD4DA5E" "FD72114109248B03F0AE03123252FFFF977BDE87AF8D8022C4C" "51DA68EFB87ABEEDA7A72EB4D0D1A2EB65EA4CEBC7CCABF3787" "B9BE98E14E4A273635F69E3E4BA557A1A42D1BF69EBD359B895" "320A")); test_hash (&nettle_shake256, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("7B5562ABA86E6329693CE1CAAB2506AF93AD28BE4DE045E66A7" "B277C4DC3C2C9E698AD5F6D8826230A38FCE87142DD83B28F05" "5FA7A9212F5017374A7EAC5BB7824C1540597DE34BE9EC894EA" "BCF751BFD5DE029A1CADA7E599D433BAC0499AAD9782579D282" "23A5D16264EFBF55EB1370748E7DAC4B56255468FA9694A93C4" "B3759F691D9A4A08B53A15F61FAA1268E38AAEB43B3FCDBF0BA" "003E2037EB52C8E9931DB9C60FFC1D1FCEE7663D1017AB6DCC1" "B92472A88A3D568AF5AFF930AEADBAE751753CBF2F987338DEB" "1AA822FE28788866073319662438B6CAF6BD8D79DE14FDB6D30" "F7983F5711177765D7D5E1EFB610FAFC9DE733C9DB3FD2F1C35" "421D29CB96F87A0DD1E83AD19ACDC7C2BF7A6F047994A96E6D9" "1BEC34AAAF18AAB7B32A0B379A60F12AFC697770CC6039031C1" "3B5DD66E0D368609D3018ACCFB02FA4973BDA707CDA096D712F" "AF59B43BE3EF5EB7C227530C987DC4991955796B2F588359112" "B9E7566CA785CC5706AC333D12E2DA37A97A13B69540084D1A5" "908ED3BAF73A0E1C55A6BD036F1342F8EC671593B9B555DEFBA" "BB3364914E4396D6E2B2ADFA951A6A263AADA6D879B4FF330F8" "48D2598CB418E530BC63BB11E7A247C5A2C21D5C2A34D237219" "55567E4452DF9F5E2108C1FEA8FBF672422BB3B85C7C5664B91" "8D3F3644339367CEFBE609A9B00C250111801C3F365BA752709" "B76E")); test_hash (&nettle_shake256, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("C92FDFEA927EEEE73162C436C6A3FB97291C33787BF7C2CD80D" "ECF6004C043BC4509A2CFAC1FBEEB0BCBC7C2974B168AF3291D" "EE1AF2D0826935DA79C5BF7CF3A211F347C2A44630DCC20E964" "E3BE24A20766A2EC50310F4B1990A3987FD8D144D3A6F091C6F" "8ECB7B2069905A7A1BCE8A49A9779E9132BAE521FC44689F786" "1B7C735815448984D6809C2138ED64A45C4320E09BF459A985A" "41D024DC4CE0D95681DC9379FC4DEE3C024436E7A949589A74B" "434F6B5D5742501D1E4761E0DF89F4F1943614C5682086D31F6" "EB2B65A005FCA29B48777748132A15BCE74228E5CDCB95C05F5" "1730E8E27E9DE71D582A95AD3E78E64B978D872B91A88C6175E" "C3F92D5AAC14BCEFD0F6D8D5E2E19DE467C530FDE86AAF6FA5A" "E0254EA01D70860278C24BE7F7C52669AEEEC52C606FE664D7A" "8E857EB64948D663DC11E9DE33A410DCB3EB61FDF6E9622B66B" "9B9F4A39C4B578A8D346906D14AA713D2B266DB5B85AED05186" "CCB2809B38BBB3C9F99C2861793FC70D972B51F2199674E734D" "46FE0E8EB675777AC9E4B578A7DE4DCFB5AC1E7A2EB0067237B" "985050D66885F85CE3410467B5CA374A9F420D8CE5DA4A4934F" "E78065541C53D071C88F0FF132EEADEFBDAC5E98251C597930C" "DB32D79656EB44F95C78BBDAFAA59B7E36DA08A58AF3DAEE995" "36EFB56319643FF422CFB53D152EA302A6458F58B5EB9F2C81C" "31C4")); test_hash (&nettle_shake256, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("F772DECEFF020D1BE280E7F93DF5056577E78D104CB1E2AFD42" "2B021C6206D94AF56EB9404F8294403173E4A6932A1576BCC47" "580B6CE2CC80B20FFB274FAC017FA05B3D804A6CD8E874CF258" "E5D46CCFE06D76DCC18C9874CD3B7543973EBE3367AD38E51F0" "A46B92D47A68018A819F2D90724EA9F5FC51F444003757B028F" "BF96F5413296AA9BB8532773EB8CB7CFC803578FAF52082D4BB" "8AF606301FA927A94FB62A73E2E9FE367E782351185516C181A" "A674E19301A38D1375E1658A181DBF927973C02207BAC3A0B65" "C0C6904E8195A3C6550D13CFD46C1885987263E82CE56485759" "BFFB2647F420625F2B483C2750FB0B4707A2014FF57B1A42375" "B37B444B0811CED4CB93D5C45551D5E1C8DF20BCCD9437B7E43" "9156DD9AD4D905393AFAC1347AB2979811CD1BEAC7C454C4B71" "66B85BFE52FF6C4905C55D83C15C3A9A7760BDA9FC4B90EC4AA" "BF9CB3660A883BE7137733A1477971D479049268ADD74E0C821" "0B1A9FABA84FB940F62B1193CCAAC3F020D10CE14DD8C058C46" "BC35846C07A10DAE9C03C3EDC323CBCC83987DF1FB2ABD141C7" "C0694624AA68DF9C306D2E179FB4D603F42C99EA369C90C1764" "95104FA7DE772EA71A9FB014B467CA220F9C004F287F8F0786B" "3D47C9DAF3FEEE80B2CE4A92AEB0FF8E8C09448DAD76F5FB01D" "6997EBB139D7FA5DF8C0BF12BBE0AF2B6E354C4089F32B8C529" "4634")); test_hash (&nettle_shake256, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("00F3525289B33FB3C179398EC76F2E31B824A532B2AA6B2DA6F" "FAD5287E07F9F9A2FDD2F2032AC202119CA0A01B7C9C6DE7248" "77FFC874D5E578066A4BE43757BC2D9B09AA7B483749E0F8858" "2CF9CC3D47B8A0A98D70AC793326FC5EB6533F00EEC34BFAB35" "18FF4E98B79582621C2BC7BB7AC8AFAA8D60DF3F072FCAAF514" "FA7FD9EFE2B1FCD3CB96A7F70A87436922584B93EF74BB03254" "16EEFEC14EFD150432366C1C1E5F7949C2573CDE16A24C42918" "C919ABD988F8951207149F873F78D2793FD642F3B3E93041B88" "55B8CCF62A2F6A2B8ECE4DC704CF693069BC789D470FC4938AD" "23D5B5DD20D13E31345B2169F750E69C4913E3DFA1F1E54A301" "9A8333B6648659A6A2E93882FC4F8AE0234FD149123D831F148" "213F578E8961DD07CEDF94907ABADF7EFD84500E501BF2588E3" "B155E7D24815DA9584595EFD2FC6F1768F651C1EB10E0029553" "4F89A8DDE9D37C05F7E4EF9EA236B615F82BFD07E7F6FEB1C62" "DFCDD4F598BDFB3CBB0FC3259ED96D52AE156B20F0F6EBB0891" "27CF98F045BDCB12DB84C2EE47800CE36AB10F982231FE746D3" "2FC5002700E264AAA6432E7BC6BF4F4AF41E82E256C3DD6DDED" "B24B3607015CDDF78BC1AC56F835D03D8297BDEE57F87EFFBD0" "66C3DE372F285EB2E7D7359684BD2072B090BB78C3EE71A45A0" "CB7C22EB4081CEB3CDB89CBAF3D124AD86A9A830457E273C8AB" "8B33")); test_hash (&nettle_shake256, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("1CF1698F0702653368463A9EEF102E8588FD5E711F4BA16E379" "8D7C7730ACDCE6C65EA3849CDCA9D08437BEE09F78D52397C92" "D0F00ACC9D5E9450213F337B9A75697E8FBBDDCA67CCBB7F8B2" "CAB1209397A4EDA1BA9AB1B44366E4F7A0D2DB47D5480247194" "D486D63D72FCFECEAC8CFBDB7F8784D4CC9214B3893FC7EEBC9" "7A33B9DDEC9605484C96BB77CAE4D212F16229DD507622A01C8" "61043320D9C06373E1E0D9649D95B42A990B0B447ADFBD307DA" "D1394C30D12E010AD5F6C8ACC729904CCDFCA2162C32C5EE565" "4316E10A97A192EC23BAAF594B711277A301FE6EEB4B54903D1" "BB736D4788F65DBEFECB4761685C683DB56C05D0F26F179010C" "B323C2FC8B9A44DD4A172BE2228C6B0A0779B0637E6B5DE0477" "76597A17FE94D86AAED911A1DDD27F8F61710CCA8C5F38504A5" "0F01304B559419F06B5F043DFE984B4DEA2DB6090C1A836F26C" "0728048C0D89401722B9576577F11700BBC5A6BBF1C23C687BB" "478112DA0DDA52C1ED622D0227382F76EDAE51DB2FF14C098BA" "E8D25A2A53D98508DA98C99AECDDB7EAD8DA98AE41BF21A59B3" "FE4B3DD68F0FB15242EF3056FBF77462D4FF67E0B344BE02CCF" "03FB98F6DD5F6D306A4C2B2451EC8AA2933172689BD11A7E391" "1B236905D6D8CE1C030E754A0B493CFBAA39123B0DC4B7085F9" "FE5988B0447B706CF226EDD34B644BCB591A002A08CBA030F6B" "1927")); test_hash (&nettle_shake256, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("413131ADD0DBA2B0A48443D3399896AD65BF5F4426D234AE20C" "9D2DB3D9DFAB81401D7722842A58312F837E7DE13069802F58C" "7CE9A3AD1703E9C7170D1AE751023147464CF8694515AB5E268" "36B935ED493B9D66D9229BB0B66F1C5AC721D8AEC1F883DEC33" "D0380BA79BE198A6AA1F2CF555818D54CD28C0682EB44FA0F18" "10DF50A8F005557C9BA52F02D70EF769EE7724B852A94E1710C" "6758307FFEE309C8F884DD0597012679F7C97CF59F8A41B06A8" "45CCDEFD5CBDA268885A2781FEE48FE4ECF4D0559868607F352" "4AA25D1A5CBE5C33FE0E8E8E47B6705203D49CAE7F1749DA49C" "BC469B8870C1CD7D029F6398CF7AA0D3114F56F78885093A59C" "0C188ADAA40976827AE1000BD6AB4C7A2154D80AC6786CC23AD" "EF333A2C538152584045A87E942B8033C565506BD319AD99C85" "A4655F6E47979F55B5F9F9822F9A338CFBAA50D580E27953BA9" "D13BDB3FDB480226EDD2A8F8F56C75015714A51EA63C73FFFAC" "63DC3FC6FB8D509BC40B87B9332FA37DAAA441D05984BA56781" "AE25D324E508B300E6B07629EE5BD2DE33D3BBE6FDDB699E35C" "324FDB521CDEFCE30D01570AE82803B0B54A7C1AF4B45121461" "A848477C11F535B700633D88A68AD2ABD9AFD09A4DDC1BE5511" "B574CA6E525EAC7A6CD7C26EED3E5656142AB8B24D97A76FAB9" "4EDD8AF21CA7170A98660A5CBDA15925E67C5C579363DC4F697" "0C95")); test_hash (&nettle_shake256, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("2FEAF391D45B2B8632EA10806E35D465F2F767DCCEA9304502A" "4CF9CFD85F7CD46BF0E5CDF2C31A43C6AADEB0C4683B3FE54E0" "42C014457D0542A8AC09529C1931FD1CEEB0EEF6C5A1D28F7FD" "1E7998537D78B9DCEAD530B0AB257E273432D3D7205E451CEFC" "6906451DDDC6B3B0DA1D1F2DF3F043396858E7619B8A420D0CB" "2CDFBBE43E19BD2BC670E2F5DA51A1B8141F7FA0FA79538FC90" "9D31847C46653C8184114505C51C49C844EC18AE5C6EF782040" "0D0859B3820FED6B023D1A3455C2BD6E1A7D25169B58BB71A82" "107893F27E994BA04C79D209ED97E359D02B991E402CF0D14EB" "61D4C1ED931B4526D63E9E9517FAA5BC83A23521620FB5B9E9A" "C1CDF45536AF54E567F5D9BC31196D23C58C0C70939497A3E11" "FA544A37991B5C06B8D7F57D3057E83C3EAF1758EBD0F569E5A" "8979D340740A9FA1ADE5A9D956F171D9A0D0EFA871E98AE8D5F" "3D5733FDF0388FD8D9564E6C267C6438F0F78D7A224DBADF7E6" "E645EC6952B96A9D6FB441CDD640B576B2C92BC7C5FB11CE767" "B0105DE7907DC00DD4F8F25DC85B6A84083500F3127708ECC12" "50AA15D350437664D0D6ED61E83DBEB951260C1746C0F06423C" "4B84FE75A752E7F034B2584920288EE697926B9BC87FD086299" "2C3D9934876A978744043D8949273A3583A7C5DDBC25DDC0C7B" "EFBDA1F306C9EF7A2F21E15543EBD5EF87C39814C91E1B60B07" "9700")); test_hash (&nettle_shake256, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("57119C4507F975AD0E9EA4F1166E5F9B590BF2671AAEB41D130" "D2C570BAFC579B0B9EC485CC736A0A848BBC886CBAA79FFCD06" "7CE64B3B410741AB011C54422568089405BF1E8DDD9E3BCEFE1" "A713DDA18CC2B73FDE0EB323FA7518DE2808C875A6C55111BE3" "E0CD20663B794048F5FF44638EF871FBA0F4C2ED41A96D36216" "06740935E9EA1ABEFE15A1A3BD55C8AE6B2C021CC772B34DA21" "9115C8F6072A09F2B718E26ECD2538E5F12068F577ED7D03A2B" "BCC7CA7DB81D2CBAEF2AC8F33B1355798576CD3545B9DC792FD" "BB9C8D1C123EE0407C6328E09103FA6CE1B4DC9FFB0BE7236DA" "B3ABD29E704D0C352C524FAC14E12FB61929D98DED973D7E878" "5A8ACF52AF56C01CE62AD93660C93B683FC22088D7302F72D0D" "AE54553B0C3E6DA7C498BEB3AA46E7459779A1B0E1FB19556A7" "1635B404C0BBBF3F34536F2776FA12206513FBB1F2A11CE9683" "460D22778867ABA7335210D817B720B3D8A8C48243D128EA2A4" "BA8996D160351194C0AD3988ED0AC5ED61C1F576A33C914C2BE" "BEE0EEBE55878E2B43A51E510251068E3C0F7C7292189573EB6" "AF979CDAEBA8B8E359E6B632BABAFE3528773CDD4A1861B7AB2" "532113F2B259D45598A76D54C739DC2F4AF2700F3B5CF22431E" "D9F73D53CAF41D134F5CC67ECF8F99549C091CA6697FF20E08B" "F6AE9B6BE74BC77F26DB50D25F48E67A94DD705521F02D3CBD5" "FD56")); test_hash (&nettle_shake256, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("87F2A509E9D42B0F595662CC93094F26F06A86D79D98398B7F8" "7EE2BB5FB25384F9FE3F7A72AB5DE21CB3B7836F73618307242" "D53937C67CC5F36A7552F917DB12A4364736B08671314EBCD3F" "34C670E0BB066D3E8792ACE223608F5A152ECBF9FCB4242FEDC" "1E27143835F0C06320174E7EEEEB60F6B5A8DC9AAE97ECA494D" "79B3DDFDDBE91D3294AB4C3B3CBD1341EA4917733FB13A15BA3" "4B46F0D5981C9DC457A123C4152776E15B37870C24EDC0BD9CB" "73CFA5D290739C17289C2DE3A71ABA0DFACE3B76DF71CDB6769" "7321772357587E3C2319C15D867A76F5C7BF5CA2F523265D411" "8EAD7F96BB30349F5C4373D5E4FAB4076CEB6AB8C11CCDA6B72" "72121A11F00F67D7D5AE31E86EDAB458BCDE042C58E3D3368DC" "485BDABD40A3F6B7294C038B8ED3026E70ECC9EC7D6060504F9" "31AABA816D5AA5EC9FA7CEFEC123E71C5135178F252885A7153" "A4714E0D9C95AF171A6AAB936F0B464AB07E32AAF29CD4D9315" "62F700CA1419BCA2ED1243F8EE1B442CDB1F5252225954136E2" "E80A7FBAF9095108647AFF7F31D4C4CAA050EB1A90AB1D1AC0F" "67B9F411006A4B76D5CB4B48D2154DA87303ED37C9F911064E4" "D2F0531474E98F3F96B1A0A008DDD0AF4B86435F8B26BFC7693" "C338C6AF5823FF7A9BEFA57D72E2F1BB2982DA356A8B3D08D4C" "19355FD6EFB35D68B3A41144B49713A470BF61D0CA05E520447" "68CD")); test_hash (&nettle_shake256, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("20561970BF01E4108BC498DA4B8F900A0FA378770DAAE9703E1" "66898874A1821AB0432D7CB1D0A7006E5461DD3049387C41163" "27D1D3E0755CDE00A3C40BB5FCFBDE5AD0A7E46650AE7CB37DC" "2F0E4F506DBA47437EEEC9F823ACD89F3EAEF767AEB39D38F88" "00DA54790F362A3C183CB9BC420047EE86B3EC22E2B2F4C029E" "F64A5270C21255D39363894AEE6478788436C758E4101F2096C" "D7F13FE76E54CC5CD85C9183E6E1A1A3A218379997AEF9DA643" "D8012F402FBBF88E6D0AE991EC4645F3118FEF0F66D7C8EE745" "28D622E1E9EF1A69E39CA7EA0E045BB568980D4659ED20F0CE6" "8503620A94ED7D5C9337DC20805D2DA7D0F14B5AB3B93637F77" "1C9E63D0B57AAEE353AFF672596C4660CB39381A9010600CE93" "197CC6A06219A3778B89B0F6AE003B5F9BEF76CCF6D551B852E" "076A678A74E75E408E1D4D6B1960488FF21B6F6B7C308205F93" "BD9DA1C6DA1DE9707307410BD7AE22FF24E24BBFDAE849FFE26" "66B1BDBCA2E08CF9D0F3F7698C4F983D4B92EE28B5B4B8BD98C" "317AEFCB41E56DD5534F59DA6C84B3D21587D2EE740F54A0C7F" "AD62A63B98AF747237B68F78A39CBA4596F81A223367D345576" "88B324B5335CFAA67E78A8095C92D70802A2AA76129DEE69B91" "D175BDC0A485A58C91CB8EF326B2C8D1D82325C4ABE4A0F764F" "C01A9F0A743E7F107CE384DC223D7AD7481AC8AB7BB273237CD" "735E")); test_hash (&nettle_shake256, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("F29097E10DE56C3A4A24746EE4E7A6507050D18E40F1CB8C701" "B5E589FB645A4E400A3FD2C9C4D48E57BB9E146ABB1EF98D0BB" "C6375C266754C7F1CF62682F0C6A6D6B11E2E0AEA41533DCDC8" "51319A34FB197D56F4A35D3B82C3D314ECA59E03774E84391E8" "846D236D0CC51E7A5591205C6C1738B746E616B2A8267709103" "F51D0ACF3156BA42CB226BE3E94F2293E9E0FBC19BDF5717633" "E17B5944A02505CC53B01325D1D77965295EA6B6B50E1294176" "7F7288B9F4E6CCF3F567A1EA3D17379BD1DDC357039FB356D94" "57956A8E149E30AA5092A4F85DBEE2083A62610F04FD28A5A18" "80183366211287E9CDBE8B261E93557A38F6EC2D13FCDDB5DD9" "05599B5469257F3F2E83125DAE5F30E8E7514D55241121D9685" "08D1FB55C8F339530A437BDBBE04C42B6B229666763400F5493" "E31CAAB061A67ACCF41954C2AA0A7FA0087A4B828A1AFBC62BA" "09E91A3AA44FA4A74652882B7FF38C9C1692BF83FBAAA17F32D" "EE6D25518FA0721463334FADFC6D050E0CB195E477150CA1198" "EBE4D19ECAE1B1321003823BF04D8F9D4866BA3013C9A47FF0B" "53FA6C70F57D220D86E8BFE71A61354F099245004487B65E7C4" "5E090630E6F73FDC56B2EFE6B3469BD31D23384CD4A830A716D" "50C7A91DD09A45A79F47D73BB32D14BBE85CFB56BBAAC47D973" "A6F3F9FC23EDD774A31B533FCF7E78A2A75872C5954788097E0" "4845")); test_hash (&nettle_shake256, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("BF4EEE53BAECA39E2884780A1F007B5069E7A90F1ABBD12EF77" "C77A4038CA56609D52B9BEE113536D8FEC7D264F2951072FADB" "F2D3A0B21690ED5478A540C02D903B3675787929AC44A2BDC65" "97B2EF2956B3640B3771EDB189E98FBE8FB4CDDC8C641ADC707" "D47EA2DBE17616AA0ACB4AF8D7197626577A5AB5A71AF722332" "7FE96C4472B3F21FBA242416A266BD863BE3598D57DD910A265" "335D17A7B51F59DEBF9F4049ABEA37CAD33B8F2032A4FD5FC6F" "124044FBF2A9E47421FD6C1488DF87B942CF01F9FC7F13F7824" "C7C09AAF6D739F4E3876B383546EC682DEAA6F633E630101646" "BD1456CC22A7BAC50190548EE56C5FB0115809BE6B1D7CF5488" "A26660E0A80DCA89EF655A963E8013A61CE27DA232430183D41" "C9C9AF96C14E846ADDF3684782E207916820F57E04C60E99934" "0F9630E8505C98F467E2A122FEFD1031D67789F890BE96D7B62" "9828CDA153F9CC19BF8B6D0B0716F931F17014D9AC4B6D983DD" "41EDFFABCF33693F7558DAB690F669C53C21A4D8DE7BC32ACA6" "CC45225A2C980AEF2307A7097995D97EE060005CB965512CC85" "CC81A75D3F2F0975183D9CEE293BC69A06C896634962369E01F" "475098C62D574A0D6A57A5FDAB004DDD8C3D96AEFACB39B3E4E" "1523447BC8FE397B488D8A5DA6E4978AED897AD0A2FB88C5ECF" "86CCA7A67438B988C04F3C14A754A74ED3D03D478CE9EFD752C" "0531")); test_hash (&nettle_shake256, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("A697F36886208CFBD55C3CC1C407C3F978A31574E4B9A790716" "E601C6EE0ABC421AA5E5488B57E293CAD8AF40065C161407D0D" "CDFCBD172FFE700B60D7EFA289C4755733FA535365DB90082EE" "E0B812442E367BCD4451F152FCD54687DE4AE20F7FC60FCB3DC" "D1C419EDF74251EC84471D35E4EA43E684995101ACAACDC0D8E" "CF5F39840850557C70BE1477A2F168CBE97FEA85EA188594A4B" "DB583EF9DD2C5B682774E7E7E0CC85C1723CF91603793C711E2" "DA65869BE3A24D481C032A8674C1E0CD91A267302CC084B53C8" "4AF3D0A7D350BB62A2F3B9027E1F253C24D481A34AB8D8B164A" "78B0A60C95C13454BC4AE87C5E4E101B7D04C6C3F00E6BC4B4B" "B922F39C87A4AD843704E125F5CFCFD8A1E8E894230CDD7DBD7" "BD40A9CABABEB5BAE9CC49DB656AC90EBEE4AFBE3897B0F7A64" "059BB331A4767983403DF36C919759AD6BFA379920594D0F775" "BA2390A522C3FA7B0348781155EDD29BE53891B41F44E16BC5C" "290C1CF31EC33E66E588ADDD70E79FB26EEE21DFDF40A3C54D8" "E1CD79F2848B4238F7B803891EC01623AD92E53D3EA22197DF2" "9BB6554AEA8CF2D29EC4B673FAA0A0C64675F3BDCE07288EED0" "3D980C36E4D10689DD5E525F34DF78B1E76CD87F8FAC22DA1DB" "1FD9533F58577D136FE161A688F3FB9CFB42D909EFB98085FEF" "BD8D26498A847C9493E02E5364290CBFE45570BA39BCE1415DD" "5BCC")); test_hash (&nettle_shake256, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("DA7660020D2EFF07955C3724CF85B1B9533278FFD2EC05522B8" "A876DB92C7F9998F0F029B2156D630DF390B3F8F5A31A8E74B9" "43D6B36E1C97BC4F059408DE495462A8E039F590D5FCBC3965A" "663F33BE332F9E56BF37D9108554DC9FCDEA2E771A5E22EDE61" "AD5476153969D1ECF5ABB108BBAAF6323D7E570B2747EC04C35" "E7DE5EA2AC0306042CAECF38B0060984460D000DDD3DCABCDCA" "CC83414E56EE2C44F6D6DCF4875EEDCC4EED761B62E1A338697" "0571EE127D84563034F1BA93D2A84310956C532F0EC4414BB01" "AD19BEDA20C714125176EC202A9F8F9917359794239DDF0376F" "AB51A5160F0FC5CD16E7B7DFB0943CD524064104BD1CCE97A34" "2035FA47138C27DD9FB00F6528409E10BEC016503B17687C66F" "2A00072B6245EC061598DA570F36B9FE8F4C35E3E8FCB3CA1A8" "D913FEAB1890C8AEDE727E63C6085B5C196E82BBF872906C814" "40EC8B0A65B2271285616C7111C702964E3232AC34E7CD4AD5F" "5568C9E30B813941C02466B817CB1523D6717E58B4ECCBCD74A" "923E806D82AF352395F22526E06A71585B71569E87C3D1AAFE8" "C06098204042CB2E41E92117E4264ECD229A7F2BF2A9188A532" "64195766707430B432FC332E160D786A9415A0260DFD91482B6" "83AEC0E62B0D1A480650041EB7CDCFFDC9601AB353D9197CA15" "604351FC226BD574C3B66B1C6227B7CF6577DF01520214A961D" "0403")); test_hash (&nettle_shake256, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("F887A018985C64AB3D5609BE2121E73F7AB70D4A90BF47660E5" "35B72DFC0A1DF20EC0C372862BBDD1C74DB76A0ED12BBC03228" "3AA5FA615AF320E1C15315EA171EB224184691D13D38EF39DEB" "FA2629DF136FEE74C49D61282DB8DBFD0CAC30B135330DD4F25" "644B73FE8276C66325BA588C7178D39EAD3C8DB5BFB6A5F30F5" "90181C84C6B88C421A4ADE52B6DFB74D1F1D82EB206FBF8678D" "95442DB8292189EA349D3335C8A4B57E88C4F91B12CD0A3FB10" "830783869ACC88BA943ACD63ACDDFA8634FED8339626233614E" "FCE39D60DD2D8B1F6BC87799C4B7EBBB7D407C5621E56CB2E8D" "3952E07D5560544F810B2BBC56054DCFA0731A9B67067CD1C8C" "4951FB2AD6466098DA17C9547BC5831646AC73BBD06E596AEDC" "C57804B01EB817EDAF9D46E3728F003D286B95664317361EF0B" "5ADC00DCB1F6368295656DF2A41C950367BDD25BA8DB2B6B7AE" "EB1161FD089D02E35BB9188E7A91415DBA172F906264905BE8E" "E1E9DA5AF53B3ACFFB44437157DC275D26323402C07C77070D4" "79CC89AFBA181029FB97F9F0C9DF1B4BE0F0B000A218E380CB8" "4A40ABDD79E267578EE379C3B674A25A30E902400B0BFA6A69C" "B7AB96661781E7CF05A6F225F301065B59C033C5D873A5BE330" "7B6E59708599595FAB5D2A91C601FC75E97DAF27B9453BFE950" "29ED5B7F2B95C35377E5153DE2FE9AFC847A82888E9469E8DDC" "F4E7")); test_hash (&nettle_shake256, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("2DBE1B6F378F1C56AACB5F9A71A12EB3516942F2D45CD4628E2" "D6DBAAA4CA282D640806C927C93B3DC6D1C96D528FC2FBDC91D" "7773BDBC26B2E5429063889F0842640D4EB0A69F2C705A11FD4" "0484F16A0248077897C8039C575C1A1C7BCCA09952EBB491457" "6C9A9D35B2043C7A5ADE1EC97B6D46CD647815941164BCD8D11" "7E5C4892B6A5A5155B066BCA61A9293E705EDD00DED6402F12D" "0DAFCCF608391F24657283102C30E71777B7B9F39F069B90B44" "A6E84D87660D1BCF9587A25EB59F814CFFA8CBCE7D7EAC35B27" "E8707F65F5B78FB16BE7C17812857B8CB6A447BAFC1CDF793F8" "3B6D29824B3C355ECD204631EF1E176B53A6B82FDAF3D224851" "FC7BC0F6B83A6D05D0432FB34567A48BE56368272D2012C0F29" "6324BA45B7438F13759A4A1AF293C244C5B326D6C68D28A5A3F" "CEF1AE25CEEC38D866D747D62CB9B5F8CB38B047151192FF44F" "FE1B35B5D08E95344E09BD7194CAC4D66722C9E365F3C0B7B48" "FE0A2293E478B4E6C8E6B7C93F41637BB0FD15FDC24E6443595" "FAAC6C342E8DEF79F01DFD96E624A8954B0AE93591375B8FA6D" "7EDA21578A51AE0EB69D97DE7AFC1F4FA797FA6D11D5C2663A8" "B09665463770000249DB5A23233BF83D36C7A15D3E8673F52DC" "C06270B246086E5AD0648236C68EFBF04A311A9A090C72A6A79" "116EBBA4BACFE7F46B5630F27C99F257A3C563B864933B8FC36" "72A3")); test_hash (&nettle_shake256, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("59425FE5B259EAD7E04232543C65EB5ABD0C4DB6F9E03C18492" "8E877805B9E7EC156D8C1BD0EE27E4FA931832B41781DAD3C7D" "23BEA681C74251B1EC51A90077356D3C5CA2A2779BDE6F45BE6" "ADC20FE6DD0BC489B3D6E43DEC4FF6E33A24C62421A20B8740B" "A1E13BD6447E2D6CCEDACB692A4468C898F815DF88B8A3E0240" "BCD64D2277D8456642CB129F8627EBA5380A9329932977021DF" "D641498B40F8D75DB5A4F9F62ED2EFE831EBA92EA600BC95152" "B3E2FDA2873F54800C15C2256768099BA5ACAD759734533E8F4" "B5C729B42FCACCFEA0D6C7B5DEAD8A5A1D0D115836D63476EB3" "C90325F3FFC48C964F69B2957E121D9501405ECF5CDF5C78270" "19BF4A92417B1E44C444D8B714EE85154BAD6462317515CF1B6" "80AADCCAD3F3B69D70875020FA770A0F7A969E4B1672DCA70CC" "DB8D7122A7E8AE77CA7E0819D6CEE706D71F0732DD1AEF5106C" "65AD8C66FD350C13F2D02237D2B4B9AC3DDA52E3771FE5473C4" "7C77BF84DD90EF38104D8571AE25F6B7AE6B292708F0B967A99" "8A6D8F66429C1C81CE5C03843877AE4C56F14FE4F5A24C8F930" "72CE79E3A3BE409D902881B73D9BDD3AA0C8EDA88F0511E98EB" "93B271FF5F244B956B1DA8C7A8F377F39C803355F1D70D55775" "C7FBA96CC98C02999A47EEFD94E52811FAF30C099078C7C1C50" "772057FE65E954FBF28CC414CBD5C2EB12AE86A0912D3812A04" "ADFD")); test_hash (&nettle_shake256, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("48612B3A4374024BF509409FBC6B12E049F2F5065A0CC31C49E" "EDD57FFD19F1C1AF6263ADE73B4C29AA77E5C05BC0AAD40C904" "106A19A8FD55DB489AC77904569ACD0D62F18BAC28A287299EF" "6CACD0B342760ABAE5A35A2E67F85E854DF55C5BFE831408C14" "EA2B0A3C0FFDF29D8B9FEA747EDB856DF6591B3CC76D3F4BC77" "70E38FCF603F4455C9B5019B7D8A2C939340BEC5247E597CFCE" "386A458BDD4BA5007D03BC82BF310B4A8CD328A62E2FA1E8FAE" "543736C10633B3C70B21B98C769ADF07567C3F6D89A006BE4B2" "AD21643BEC00DE1EC9F7CA7CA733ECDBCE3C58B45119E5F593D" "CDC5C95BD07082CF5D9B9A1AA11530E302E1FC8D6D2FC3B0FA8" "34AE3B2E98B428853C8A1B9266AEB7B8436543BFFAF69467D7E" "ECE47F2DBC790FCF2EFE2791213482B641388D58B5045774308" "78EF15485E437A4A1F2FEBCD994C088283D92C90975C976331D" "051EA2C2EA887A20DF5C90E4FC77A9370306152FD2CA6C6410F" "BD529BF9CA22B4C8FFD4444EEF136EF0B61276E42B0D0424F26" "82F291C7A704ACA96B355AEDA4D382C16B3AD879BC6B6881972" "94203661F21E3E881BBF4265C6B71431B5DC29F614E090D723B" "A086B23051B00B7E81AE8D2315C41A90E1205CE8A1C5A744F82" "B7582A099D61FC5FA6B2E9A28920E503B32A84F4831201DAF2B" "AEA8CB98E034F7AB63655E670952EEA74E3DDBED01EA9DCA953" "3184")); test_hash (&nettle_shake256, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("775025E1E1E0A1C865E2B57B7B43ED67FF002DF27DE0A62AC17" "76F894E1DBDB2921029AFE631201298CD5D51B9A2A6E49717E6" "8A180EB27B9954A807667E4D24024DC3A60A60A819EDF287026" "0AEA535698F9B5D83B820013547E570847EF9F4563931138791" "B44AD298217000F039A9933FF02B99AB66A571D2D5E16507DCA" "9EEF54B1910E26EF361887512D646CBAD74F99DEB082F7AD971" "E2E9EE37AF77B80B2A763DE07D91229E8B5A0E9BF220B0C15DC" "939253BDF45CAF4A8172AFDA5D096B47793461654341D08599B" "FAEE496369D5D6E37562F9AAC399A413FF892F9DC07E624DDBA" "B1C72FA0F2D1AA98EC442BB1BBF7609074E61ED16D25367869A" "5F54E33B52DEE5020B9ACE4DFE5115ED049A6CE62227661BDDE" "DDBF77AC1D45114CB734D9CABC634908FF540C2AC162CBAAB65" "5CB35138CBDF81CF5318E92516EC9C4CF05E14547CADD180937" "55458621C0903FE6ABC29AD174187F0D5D6B314CAE5A4F95860" "12D396BBC69D81A66927352A9F4B926E1CAE962A73401587FFB" "C6D9FAFA35ECC1B678D0D050F790BD8CF4B6EA3C3B663CD77FC" "6004C257328256F26205EA41EF7A423CC757E81BD7BC408988D" "AB45E8D632B669DCAD4585DCF6348C8C5D2DC651A4AC1806F3A" "55DBE5FAE59D50E2B9F25F89200DD88BAAC59C14EA0798194B9" "0641642B425317BDE993AD1467200432B1EBF23440D0F789EA5" "A83D")); test_hash (&nettle_shake256, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("36DA0700FD13A62A128D5C87F69863A9EE8DFC65E5E1F97C495" "A675ED8253CADE4F79D45D9E34C8FCD3D5AF760344FA76B271A" "916A539D467F9FEA26DF0CB98DCA0409602910D7F298D6E9360" "0EAE6447CD2EDE4A76526014FB58ABD4A48ABB38DA5ACCA349F" "140CBB391A6705E4E153C87A80C93E912C912B9C97CB89B101E" "6BCD0B739CF89D18B522A1FFB858B837C643240DCC8F8553508" "596EDBA0282847EA724B5D25CE6704CD3DF3EF40E5410D0C674" "6F97F390DCD77F69E6C41CB009FFCC9EF3C6F9B2DAA646DD07F" "CE398A9603BC223AA22AF0676931D4FDD5D2C06C6F2F4D31D48" "54F72E44EA149ED172BF152CDD08D33AF58878B8E268CE44E82" "46360AD41076FC4E9BD9F460CF5AD24EA05F4E32EE2AF4B1F56" "B8813599F23DDDA7FBD9195A40C5683988D1A84FBFC951D3613" "AB6FF84D372AA4A0EB2B68FFF9B37AD1ABF88725A5479E77E55" "F320BD8BF69A2E174F715B10D8FF4E8CA72F2E29AB501F9A74C" "D4DDFFA99522D1C48C619B1669ACF555F5E5221D34C7B36C56C" "53C3EA3AC302C197D74735A1FB295A39AE38D87F451F86C327B" "67C16A1D1BE50C453F3CA5C9BBC5F78D7C46F5FBE1B44C36615" "9AF8797FBD29C6B025894B66266332078860D083A58873B8EDD" "E27300B4177F4B1A70EF2557610F19B2FD8DF4692FA548A018A" "014F55B90D77ED357987A033ED8E83E07A5D5D3648612854EB1" "0430")); test_hash (&nettle_shake256, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("4D2453D01B5B3FBF0FBC4E6F7D2F28914EFDE730877568F3DA9" "CA256C3252560DC9F9AC94AC203AB2A3829A3202E6F4D385D21" "5B843D64B52B3CC28B11E3876248B4CC692D4F7DDD46C36FB72" "92794875D8353D945438BFF037737E3E9133FB6559CF65E7129" "B98644141A1E5870B22751076F4AF9A14F2B0D198FF4772B91F" "4F5329B5BF9326FE39D5BEA9B6D4CD19BEEE8A6B8FE1CF3EA3E" "256C7E1A6A95C5B9336AC8CD2AF6D35C776B5563563CC59906A" "BF1ACFA707AE71E6E52D6A77CBA9E960BCE2D3C11E7A6AD2378" "74F6316D982207CD5CDEAAB3C5EAE28A3E5364626891555721F" "81068F60301B1DB9CC8D8FE00D9949EF2998273BCEDF012A982" "4B5942831AFD4922908624F4C2D3D218FD440652F59F536F8B3" "3EC88CC3E9DB8A4513EB8880B95F29876C4747A8F83D089879B" "29350DCB6CAB4497A8EB14AFA848432310C213D7439968D4942" "CDA32B5E6DF26D29F42BCD98FE7C67020804380D0D9E4A931EF" "9AA117F872C7C0AFF2E5F11451AF753C383144E60E661D6DB11" "FA78E542FD2C9DF493DA608CDEAD669E0AE4ACD76744CFA6808" "8420FA24A43B6E2C1706A10DB468D8A7B6E18CE68C4EAF1CB1B" "9D794AF9457292C2999DC18337531ADCA5BE1225BE1825B3142" "7EFA14BE2B500C0174333CBD3553E05AD1E4E27858BCA6F2BF2" "A966A8EAA6012F4ECF1F3387F3E3409D3986F2E2BF7DD239832" "C9FB")); test_hash (&nettle_shake256, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("2D46D78B2BD91664CF875974D2CFDB0AE27E00FAEDEC3370C5C" "B83129EBE05EC438A0A02232601C33AD623162B8BB160F5D8F5" "C892BBA4606D1937A1E4F90782205CF7EDEF07C0EDACEDD95F4" "86157A0C64E0303D30029CEF36894100E79693F3E794596CE99" "ADBAF2E3D4B4ADA5D43B9735DE4B24520EA9C8041CACEA8AC65" "9699DF823C7BE9AE82D52BCB294A43A751A71F6E0B939BF9F08" "31443026A292058B62817FC9EB139DD0637B7EFA73344858078" "AED6FE93A6F22E1E14B92E87CC3CB5C4FD7170413C4949E5D06" "DDD44FE90AC4EBEAE413A7BAAB1FD2B99BAFF442E155E94EB49" "D75EFDDD9C0BBB6C1EC6AC6496145C755788DFEB766CA0256DF" "9C658B7BC660808F875E9E38B3E297543D2C9032B454161F9CE" "E80B0A7F9F49039728D2F12142EA22C4708307B6593CFD0EF5F" "38A1E29FE43058A735BA02D4EDC010C02F4B625AAF832030949" "E81264B213AA8A16BFB10D35C5A369B86CBBF4EEE8DF699B302" "B052315AB495B9B287E9883B05C6273B4C32FCA1D186D2DF481" "F54355DA3AF3E7EAB49C1406857CB9F590E7B1B8EA5B7A0C5DB" "B7FD778A4FB570BE2CB735F21CA599AF8903596E80F8379B517" "D6A0F7F7D5125A7D4375BD90175EFCF5316F13C8B09219BC840" "52B7FD2BC1D55656FDB9CF1918997717C6E2AA0FDB46530C271" "14263E017FE5D91153FDDA221DD63F14C25E3439E05F5DDDB3A" "C966")); test_hash (&nettle_shake256, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("B3DC434BAD278ECE68C6DFBAC1416BF47FB37645AC6E6B7E4DF" "D79E4605EE32B9795ED18683FCB56F910E223704FF1200F015E" "AFB2EE06181E9EAB1BA17BC5D84BC22A2D5C134991C906A71D8" "B20F6ECD6BBC27FE715EDABDCF1C4E1A374B15AB4D76EA6AC58" "0904BC66010CD8352CAF365DA80094F461070CFFA34A86DF705" "B87CC277D80196C86C602326E8E3AACE1BE7F0136C0988FAA11" "A2FF91AE941799EC4DE96E9F167E4088C822BBACC46DFA327DF" "7210C9B31A9F7306AE753152A86F9E0ECB03FDEB7415C9ADBA6" "D61FCA7F4D3C776EE6FBE6901860292FCC6CB89FB45A68F6165" "E36885DD40671EE372283591BC90C2B4A542282B13BEE71EBBA" "4E12797DF59FE47649A27AF116DA9F41E0F0B6B962F7260DFA2" "F569A97BF47405A4EC4A6463680E3903CC7C3CA2F39E9366FCE" "CA8031DA89E447B37F3B80769FDC0449291FAF1BB8F9CECED3C" "175062DAE783F51637581E913104C7042BC328E1F2571CAA557" "2E75EE3F5A0F559B50191F3ECBC1FFC039BD3DBA90F7007AADE" "D690FF35D8D84FD0A9D427B2171072F1ED51A8EA9AA8A066FEF" "6B88915265D80CA283EAB1056B6BCA093D60BFE288E3B9029E5" "AA395C9F3E3913D4B22BADA270A282FF83C963E97F1F7543AA9" "2B5F419973671EE03A79D1392C40EE57265FDAF75977C9F0E98" "C2CEDDD7F7C52B4122A4E517280C9547DF99FFB30692ED39929" "FA16")); test_hash (&nettle_shake256, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("BF7A4FFF6C7B53893BFBA9505594DFFF317A09278C3A59221B8" "DFBDBAFD08EE237FCC272ECB1C7672B41B8DEC7D54B988B4CCA" "65CF297E1D54DA65A176350AC489947359E11E34AB3E4D6744E" "AD1775DF90BD5BE0712BD54EF46DC279587527976461D6B8F9D" "0C0FE14B10372550ECF74B3CB30C463F25090ABF7DB84D32F51" "E8AEE7298C49607E4D3DD79B9348E33F2E58A7D0D76394C0B1C" "79642CF2C3077CA0764F291FF48A8CD723C953276A829CC1E7B" "798BECA33E8B0FC0BD44224CAB89BA334E52D6943A1ECAC72CA" "3BC825BD61DC4CAEE1A12E053EF31115456DA434747AA8D6DEF" "E56E35FE67D5E761881D681AD8EFD3AD5C69430FF75794FAEA5" "553FD91A4ECF7730EE8205AAAA0DB99AEDE2C52591696514AED" "17F7B8942026AE16D67588A943E5D13BF47F15F1A458F06ED83" "A48641941DAB491594DD02C681950B84718CAEF0E6187F23C89" "FE46A40D5C22AE297A05E8B613B264D204334BE5922A6DEDFF5" "B978767233AC58925C672F4F4B0B77326A5B283CB1DF217BDDF" "DFBF12E4FEBA42E23C18675E0FBF0269E2D53A024B4286FA906" "85C2D8E67E3A60BE0D7072C3AD8BE9F4A389FBBAFE191CF06EF" "F95605A89C3C668BAAB7657A90F23B6B791421D214767736CB6" "17BF1481CE103768E5A8A3384978EAA8F56A6F2E729D6307973" "ED19B270247867E5861172467821A22872E52657BA2FFDDF605" "2025")); test_hash (&nettle_shake256, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("2EA40CA6662A79D253A43DB2845535098F8F4D791E45EF610B4" "7F90D0F28309EC047BF1C565F799253E32A3C538EC6AD842406" "D9BF127CC56AEBC442B4B8FBB5DA5C759E1BE0C201246B96032" "4A087B3A3093EF07CDF45D915C2A4B0FF70D64C1611C17C629B" "E9852CC408AFE212FC303C196F422A085A72684C10460E294FB" "60CE9F2D5E2A599E4F1E3FAB86740F61EE2DCDAF7E1C8D8BC29" "8F40B993CBD0A8EDBBE0EB8715B6A58D2CECD21FC637B02E05B" "AD75E3B8EF0C2BDB157288F763F0B190468016C186A94503257" "2E71952325D30D2DCDE2A915169C51D0C448644D785AC658B0F" "0132B3CC96884C41DDEAD9B57425FDC013D067697C0FDE6A2DD" "31AFE31CCCF9D85B46325D6CEDD80B70EC717278D70C4344757" "088906A577C2EB030F8AD2B18A1A196DE26648915560D228F70" "2956B27046ED63EA6BB863F797CDE111A02B19A6F49BDC7EAB2" "0E040938B9977D534BDD01D19B15781235C249A24EC832770A7" "6520F5C0E5F5ACC6E6DF757FDE79DE7AD8C43028515B82614D0" "DA808400C574E5A982D0CF9461BD25EB6521064152DC7BF3295" "595B7A16410012FB01AEF4ED6ECF22C209FCE011888E29B8C3F" "84CB29F42AE0EC1C4C6D4C02619F90BAAAF7219BE0F2129723E" "AD133ECA7E0D50478DE346F90089BAED5D1D04563F64E3A3D5E" "228988D71DA3DF85D906C9AFC972CA6314482BA62C557CE7CE8" "986E")); test_hash (&nettle_shake256, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("489A2DA0386AD9F87188CEF4BC2B22186F74B1561D79D8ADE98" "EC2190003B99795DAFEFE1851276ECF233EC9ACC0142DBAA3FF" "1D94692430F67C2B1D809A88A683B73E00BBD678D3728EA98DC" "1A751FD5839B8EFAD1F4CB45009411B8F9B9442AC797B55E182" "7B0B6FD2A4B1E9F078FD43D9553399B9A52E7567CDCE4A27647" "820D8483F16360104A7AC8F3594CD786F51A9ED172443BCAC49" "E1F4B32E4E915A3CBD7AC18FE691E4B9BF35F31D1E8FA401EA3" "7458EBBB1CB6C4E99C6B031C6C6981D95422EC1A9AF5E74C021" "8F403AB62D54E28AA116FF96CE0D6E8076420846DCCF95C9AAC" "FAB3A4864F93B5D3869A7DADA5BBF8197411966166B2F4F52E3" "150FE802C96C47AFD6A9F64F7554FE3D52B79BDACD6C95401C9" "A78F11594347E77F727ACD5E0131CF898C4F36DBB067EE05E43" "8B6FAA70D8B7720EB94728440147B159577CB5CFCCFE9A9EC32" "1081D429FF88C4ABE02C7BEA2B10B61E521889E5CCC29470DC1" "6132489FB43092B6C9EFC9517CCDC0B0824A95501D74B445606" "62141114F0EB6C7A0B469CCABD358546CF1DF37DEA67E3946AC" "D70A504A787ACF86B07298938882D0B67EE67D69A8CABD0B835" "152633BCA5A76C2E6DB958FDA265756669D1105A67889F83C01" "918398BD296ED801A0B5F0FC8AEFDD5205793ADB85A8D6EA15C" "FBB6A82153EE69C10C2C92CB38C90CE0E73E32489522994096F" "08D4")); test_hash (&nettle_shake256, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("578B2D3B14B19C349DCE30CAD612BC2FD7CE8D6F034FBF4D328" "E7A570EADEF3F9624B65251F992132D25E5363BD653122D5257" "002F806DCE93D0B15919FF9EF2C303C748D9782588C90E3B236" "D51B69B1EAA1301A703B8B6EAFB6C200745D5B08A07A69B6204" "BE3DB36CF6127E5F8399E5901318F9F0C18CEF9201CBD31324D" "87CE630A64518AA7042AB3E2C64F39231AC3DE7BBE859CD3A4D" "90109B2955FBE75A38F45C4B841C7E1E32F22EB69DB97F6AA4D" "45D12EC5180AFF7863C17FE1CB7DFF337DA46F7F5B0DBEF813B" "40DD67F985C978B9ECCC5685E059F55E503B5BE924769A11FE1" "873EA406AC79242FFD6D45334D7C51FD4D1D5EAA28E1388E3BC" "EB4D67320D9723D060EFF815766587FC11C13675DCC53F30EA1" "660DC8C20332A3FF05E2E70AC821E0CD250132A59DCC4F40ABB" "C8783690FAB8BD7693BF106E8F8C7A6D59495FB7301390819C8" "7C86BD94442185DE8B4CC784A690D742A439F73AE7E8252A3D5" "C0E4C0410FE919CD7A53F85F522C138A3D654D9B947963BCF29" "3BEC3D253DBAB8FD39A48A340F8AFD75C97519BFF4506550BE8" "F1C1C7C345C89EDAA8A56F128AF2DA8E86A19A6494BC33DAD41" "2E6DDDE813E3338D16C4C34D40C2E6E1CA61FAECB934D4ED0BB" "0A19D3AB88EA32F7E277BF8521AA733D7240394733A3A1FD762" "3463857E1633F0FACE8BB83437DCC308E4F6791D8790A54FF8E" "06F8")); test_hash (&nettle_shake256, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("ABED83F7273F3C7A73A700565F16AECBB0E03D278594A29FAC8" "3B38689AE49A72411CB6FCA5D636EBA8C560CC038B47DA87442" "9BE7C50A9215B5098F94110EF4E38F88D8DB1C483D3EA4728F4" "3B25D94E0C89BB50C66CFA25A62FBF536EBE3D8E7E71529EC53" "33A2823DE42C50F02414C99CFC61B1E7B4C767828748216BF6B" "14658C114C52B7A53C52A3F8BB35048343B19C5B19FA11FCF5D" "78769F1712E6F8FB5B31C017D3E23091B1E8184752ED0669AB3" "8E890D3D7880A71B0B22149038E81AF04C4CC7CCBA848702790" "8CF2F50EF3D6563141DBB9B898D06B7253B4057E9A69D026A27" "F5DF48BBF2FEE2B603240D44B9453FF485B2212828061CEB54C" "DDC17C8DE430D2E86045C790B23C84499C6BB04151BEA457C8A" "18DCF0094F969365AE1F25032AE0524C2A09B69F71BD3EF46E8" "871AAD3B58C92BC4B694BD5D47A8A80CA8DAEBA6584E5D5B4D6" "B5671C823E6F78D8B67A6745236BF675E28A17C2F8CACB4B5D1" "67991D27813C5500951A5E78086EB87C18D0E26863260F69199" "89F5EB180EA48DE6A3750B9E2C1F780230E0070E216D373D3E0" "ED3DAA0F668A8810DA759CFF1494E3BD17B369EA71DE73CF0E7" "EB3912515E454544BE78178DB41F9FBC4BE73D1EAC8C015496B" "08839344D963F070E5AEFDBF29BD056B77C2B98826AE397ECE0" "701DCA8AA45245F26D718D9F46C90F34AD8EF70972ACC600BF5" "EEA9")); test_hash (&nettle_shake256, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("A9D48CDDE90093FF80DC7846BAECF4C7D6F876703AA4404BE05" "0345BF7D2F9FF3F93CE132E38EBEA01AB691BAC9F8943CB33AA" "E7887E9783E0A11EBA2D139A615DF8A62EE4AB9E57BCE1F7FA1" "9C3B3F6AA88B547F0BD5AC0E2237B514145173AE8DEEB6F606C" "AF1545C9F442D84D36080BA514759E3C0D1D3688A3D8B7C28DD" "8404AA5E09AAC0AF3C14792D78434762169CAA935E2AED3264A" "1C0A005C359B3B58BB5F9B9A6E5ECE5186F9DC26C952A298B76" "C49138D20798BFCB843D06CF20AA1D540111BCD50C6D39DFC23" "EF7A8AA8E93526690C8608623A109B1554C840F15E670DC4C33" "E3BD81784287C3FE98FFCDE6AEF5DA5C0038E31D111C333F48A" "D6634ECB47C45213F23AC0C5787CB9665D3B31EC2A0FF9C597A" "4372DF2CE34D443A86B8091729049C4EE58E4ED17EC95033607" "39C966B1B3A005237C668A6258E67CF9B5B3611A91AB5779D62" "82ADCB74958B7D45C06819E78E904B4C557BEC431704FFC563F" "40321E64A7CC456211B5C981C6C987469FCE101A81076DDABE2" "2408E949E86457658E07F61F5BE6BFC68B968FFFE044BFD278B" "D91180A05A40FE65F26D907D205411B880D3EB4945652FC0C11" "2525E06C4795C01F4B67BE8868594E617BDA761465D7BEEBB2C" "564AB66FBF976D38521F83B8DF85A203197F0B6AEA473D3CF39" "46E4DC87739A418101AEF50D1A4355B1E8E5E1D638191DD815A" "5445")); test_hash (&nettle_shake256, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("41CD43AF243BE7F0580A9B406AA597E72958D24E45F52A2E1A5" "9BC535C207EFCBC9D8B65A567CA05DA450458C2FFD58CA8CA3B" "01617AB6DF19A4C384294AA174D728CB93D6D82BC135EC92F13" "870DCD556DB4421C1C6563803EEE5EBDBCF14B3AD79EDB4E062" "970BAFB3E801D5DE4ACAF052A6E07B0235B0CFA4CDDE1E54C3A" "0CEC7E8401A4D38E12193E7CBD66213B7C7B0B8046220FFAFE8" "68E31CE93FE8BB7EAD861D96CC5A3EDD4820BC2C62DD8A4D449" "FE9B938F1A55262E7CC25BDE92315E329D8F612DF71649EE0AA" "A3983FB4984B6E1127188EA9F3D40590D854F5BE570543ADDD8" "E330BBA204919D7911E56702EFBA881793087ECF5CEA975A88D" "B706FB08AA8A10BA5F72D2302DB1A01BF15FCC3B05C96937005" "0CAC51F54990D57D9A37790B5E26D08B56DE0AAFA61EB238687" "D4396B2899FF6D250F92B1DD2ACBEDBCC1C0A194BA00DA478D0" "BB659D901009FF593F6A4F66092F67238909056E1A0EE1C8D51" "CD39BA3794CA92786AAB18D03C13CFC41F08373D1275D75FC58" "A9314133E62C14E05467EC5829967856817E7AF85DC0A83AF3E" "87097210E71D7325748022E25194512E54B9B18697C3B70B96C" "A8D572861D25178CBA90E503B84930BF714AAFCE91CECC995B2" "623C63F15A1F0F50849F57F5037BEEC1056D4163D728C59BDE6" "F526F331DF17B5A34177D7B05103735461CD325EEC332FE02A8" "5B15")); test_hash (&nettle_shake256, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("A0B529DD351C0F7C539BFAC5A3302F5E88906A29E665DAF3057" "1447C3DCE7BCDEA802E364B65B3037903C5EDBDA2412E084CBC" "D4F51A4024CA6E154DA70C4781DCFC7836F06E5E4606D16D2E1" "BED0D60FB36B84F582EAFB152191CF804D121F0F69324156B73" "3DBC79E1355B9B4D1726E393C22C82BF1EE85372CF04A594018" "C63A02EDFBB2892221875F20DC73330EDCEE0E62CB57D2BA43F" "A1E8AF7ADF157A79861FB48ED49C97104C6D89D290061229D51" "BDFABA62CB77C498A8D71F627372244452549D4F7469ACE1E29" "EC39E60E8563D3FFBACA5804D6660C7C1559879FF1804CF864A" "E8D1C8EF258B41B21B48400ADF439A76C0BDD62FBBC2607D85F" "4295AA0875601FCC1C3BE531B526ED081188DA38B0E40F7FF4D" "7A41C4CBDBF8DB3F46C00D2DA9D7F8FA3459F60C7419AC6F691" "473136ECED7C342D3EB5A39F611EEDBB0DDB3EB12AD67F1BE69" "6795B951A7308DF5FDB83BE7BF1B650C1C9222C22677A4B37EF" "E0CCE03D7237699FCA345A31238067F83547C5442946FAB4E12" "9BDDD409F8A0176CE87A341BBC353CF8A3EB72E5C7AA696B12B" "16E12C13FCD597D864771C43777E8433899F157A0DD21117839" "D2BA21E85FF2E09FA0ED73C9AF26173B9C3B8AC5B1FC4BF7C87" "F06B5AF7626CA15EEF79D529454ACD23A7643F91811365146FB" "18CD0DDC3D46C72C7D1E97E4414225A76B55A19B226D5A77FB1" "B5D4")); test_hash (&nettle_shake256, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("5EB982A2754FE46D19D8CBF86B4D594D14B421C8AB3AE447624" "47E9F789271F5A1175CA9B6C604FE8046A9A8C11A9FF9354BDC" "91BDF051AB6FA1F6A44D0E42977897F5342958ADBCC1E612A49" "B46EE66420E34F2233E8AD857359EA92E3FBE3F84191127833D" "6BDFF88019BA5B6982F446326877B3D3662767C6E91B0A6F9D2" "888BEA239B25F1B6A248A6CDAC1775976958FA9624EDFA7DE30" "50CB73602D24D13763C2D67A016308BF4C53D9C7B4A95AB5425" "49944B74A2EB30F688B1FC9138B57FB76AB320AC7BD48727CF4" "CE4BD34FC3B0C2EC0E95BDDD0EF0F5F70FD34C6C89098297861" "3D2132FCCF37541042415FDDE4AF368A207D59251F50E14D7A5" "310BBBD378781DF611B425495FC69A2A6644FC6B29ACCFA9918" "EBE05436EE9E191946AF9CBF15011BB53CCED508C4CEC0BC4E1" "56D0884347AA46A902F216ED6577E56129B441EFE731CF6C0EE" "AF378F5A29586F5A62D10BAB2778F106FC6C3EFBF2452C75045" "D578C38222E14247DB42FA60FA6D909E0AEC09EDFFF90CC41B3" "2A9725714E41FFA9F350FF3C1008511534337DECE84A0F3D5DF" "085993BD3D5C755B95E6ED4B36FCEE70B68AF427C3C80386983" "920307878C1A01C5D782AF85C89C8BCBB0EDB2274BF7172DBF1" "6AE9BA1CDD7A97D6B2BC2D06F20BD0431618115097621A36C41" "C9788DC68B95955EA5E097177D66B0897C7BFDAED8487A79E14" "DCDA")); test_hash (&nettle_shake256, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("78C7D0D0FDB5FFBCFE55AC06F0E6E58C805FBF76FC2D13911B6" "B63888088CBED5F7E2071F7BBC12063DE085394A691DEE09DD1" "DAE2EEE0DD9491C23B0949C870102EAEE2F39E20A62D9AE95B0" "426C0FA05545C0F128FB53E0B8BE090C1C82F0B66DF4D7CD0F6" "3C9A85E17844988523296849AF7105F845E0F26200A26091212" "8FE7F2265C9E41D7FE587BECD50B8B729EC445C7CE9135C9591" "4C6C9686F43A56CF652A6DD275CA6A883651F78E8FCB8168E8D" "D8FD780735F087203EE1A30B5A13D5F6B7CEA34CCCA3BD336B2" "08DAC5878E85BF147B0B4E70D87F73DE0487BCAFB6ED9C3002E" "2DF56F215B78C7020A1BC9F433161BA7FC94B4CE3679EE955D8" "0363420768C9C7E3C6696E94ECCB0A748FC1F1F402EBEC06807" "8862F1E2DFC8CD6FC23FE1051E51DFE3D65B3779CDE8824BFBA" "8AB63FEF474D648FE4A8F9C083EE0E6CF8FF6768D1F54F31370" "5F4A3D7568192D91E9F0408E8EBB101CBE97AD9FF76A1F347FF" "152F45D9B20AEB7DE7CC2047E47635032953FC5CC5CE45D66AC" "D2E11C77FAD0DA8DCF15FF123365DC9F35DE92838173EBCBDA9" "DA15FA35D10B64E7BB71539708D8806145A1892FBD4176B2E99" "31514BEC17FDA5CDD82C8EF9F6EB4E2900D039115D5B1E940E8" "796FA8FD74127FA53990639F130732EB48CF50620A9DDCFB01F" "D69490A8B5105CFC7A3EA274006F51221C2356212581FB16963" "E7EA")); test_hash (&nettle_shake256, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("832BEFAECA90FEF41577649B6348182753EBEE32EA688306DBE" "EF8665D6FFC6C5A26EC69EC8C90A0FEA854893C0C4885A2DCA4" "AE77243F735048FF31B80D1A4C84F055DEB1C11F76BF45DAD95" "16899555AAFEA86A129C4EED1D4CFC7604045D22120C8E06F67" "793644533202A69B683B2ECB19AED3DB158397C922DC3A90B64" "A8825541BA5DD9AFD7F82DBC603F156B9F619A83C7132A0D8AD" "71205C83AA4A52B6223507493E0F9FAB9530762A190C9FC5968" "0C961B08CF36DEB67A9A472FF93698FDB84DCF3CFF84C6E9D48" "804ABEB6AA47AD62DC9463C131BFFDB127F9F63F8FF88D9EADE" "CC6B0E00C657CE54E7BF800B9A35173DFC6669BB54A069D9EE6" "2BAFE9B3C791DD51A21994CEE03FA37FAA5D56518A6B65572C1" "B3A17EF52F642C7B2CEE065282FE742E5F9C9BA5003BF1676AB" "07439CCCFFF7D7B76DF84E3D99FAA269F0475CB5EA7DB25D3BE" "BEE36B96634B58596AC788C5F31B8DABA35211D4708EB1F778C" "A38ADB4C15A831D8769AA16110DDFC406B05BCF25B456113196" "03C17A40A24CB2C38079E5684B473DBDFB98877FFE06298C333" "37326CC2AD1BAEEF678BDBFFD89BB1E35827CE296E20B0084EE" "AA0AB1FC647EFCC0231DF9B9B5ADED6DAB34C75E6CBE206DEE3" "E794AA42500FBD837B6F6AA015BB4C923F8F1F769B049888933" "773CD24B688B0F787A2B74AD15275AD6C4C336CDFB1BD929ACE" "58CE")); test_hash (&nettle_shake256, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("0CB8AB1E6149F41D29171DBB444B0F3C07FEFDE56D9CBD1150F" "C43E29009E0F5EDC50F89EA7CC0EA6C9E23236C6AAC72BB3321" "A51AFCB32F9AB5D1051ED244E2A8D417431863649699077079E" "1687B36F75C995D6A78B87A9E949A56A2CFBCC15CEFCAA6C2CB" "51F054072A05C12FBA86B10D303B3EFEAC18F8515BFCDDB1172" "D56B8C92C1AFD4AD5DE2476CF073B7FB4B7DDB8FB2C4BA8AB0C" "53474857F1FF47CD3B1060612F7C564988D2881189248CD13D5" "EA347F10E1F21E299294651342EBDBA1657862306844E274D7B" "2DC9DC6D92F395AF2F5BD01B13FC7C7AFF630E854DB63EC517F" "D3251D12C10B5F6C17DCB8990FB39CF1AD3B65F2F019B24591B" "813D56D661A904405DD814AAE4334A8EEF7CFA455C994C3E31B" "9507FC0E2DE00A1A0AF4DBCCBCDBF393391C5AEC9E3B4D3C8E5" "F879D8E75F63078E686A1BDD5E6358C5807A669F89F90D4EBB3" "1B7396C0152D5DBF665D28BC59327BBFEB466F1E7570462ED89" "8A31E386DE5538DB505FBD1B9020C984A49BC39968A69D5B3E2" "B9A9B61D6776D5349D4334C3042C0317A2A34234E8CB64B89D2" "9E3A8B6E8799822F57C3C6C739B3C263CB4B283EF0F859305C8" "4D11A9DD0DEE36CC8976E6EA1BCD04451B0E0EFE343634DFEC7" "868AD52EBC551D5CFC0277B15B854614FAD548337F20467D175" "EF3DBB135FC37367B916CA35E714B998C3553D5F494903A8B9A" "4B7E")); test_hash (&nettle_shake256, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("9FA49C101D9901053C789B01A505853C8370FDD00F7FEC13ABF" "FC91C7B06E1211DC293FC0D52911CC12AA9CED634B398284F38" "70E82B7F5AF9C3298D53BCFC3A3DE488985CD1047318C2319B9" "E2AC85752B3B0BA2C151FCD08C99E1176CA599557D3A63F4F1E" "BF2FA31CCF9AFB729713387A7CEFFB6F61FF8162B1CD943D915" "4ECB362E6ECC6E2669F746B1422904A3DCD93313E4031238B6E" "B117166B374FA8AE8440A358C1EA7B11B88FDDBDE5737083664" "4B72C0219747A0FE793A1D77F42E66D2D695BC1D9567CF1A1B7" "43C33EE309CB4956BFC426B06FE20FFCE98A72FCDAD31EC5DED" "9EA45D494C89AE577BCB79967CB532B97CCC1708EB2AE8E830C" "AC0953C34ED28BE988E89992C9F0C8FC58FD5E7346DB2F24BBB" "57606302B0520D7AAE54F3492DF6040916AF04B30F7F2480B22" "B93AC47FC5DE2CCDEB27A47C25045695AE9F3E54FB27052CB58" "141918105E0621156FF4BAD6A35DF5BCAA0FBA8D67A18130F11" "7A09FF90B8760A7027614BE569FB67659BF0DCD1F3B7D13222A" "338F9E5736D5DAD6032189E149D22D56861B72A561A9DA575D7" "20F56C365C5C8BD0455C18B7B73DFA4652C1D570A338A5B1D2A" "2D00A4387613D11BAA57160A513F4B64D91739E032ED72BB2DC" "FAFE6BA6136FB381857071250CF63051059F9BA3719305D33EF" "9DC8D33FD6D427402EE348324C78920278D6E5B2678C1C4FD40" "8760")); test_hash (&nettle_shake256, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("7818EC8E1A13963C319BD2199294E1459323556D3E1CA05EA11" "081FD706655C1CAD1A9270495E550DD34A71D6D6B2554C2CCE9" "776B30BF0CB151ED0A87CD09735CEBBB03A188EB8A1D62EC0FB" "614BB8D1D67418F91DF9E7FEF2EA9971CD46A1E6AD52D2433DF" "FE98DD59E0C9F32A4A493ACCE9E6B2D946A56DA432A43E45A79" "14959AF23F1D08F5CC55B3C06669308021C004F0AFB3DF5BC10" "A7F19A7ED2DCA14297281D49952D067B094A4068493E7DF9940" "3063AD007CE8CE76E2A7ED02F7023543E43E9CFECE94601379A" "048A73663A9B06B04704D59FDB6DEBA49799D3E8052C1AB3430" "2A2A2392B53A5FB9547628ED4F8F157DB8D795CDEA73F992122" "97512A04269B0D5F418E2795BFE76E939F8BC9F2137141DA25C" "F095F2B754F6D0CFD84B3901A903445B7A71612539F4F736DFC" "1D4DA1B9A8CFA87F15E34D4A813808CCFE2C9A9A710A1B97521" "66996EDE550E14B55DAD529C8A99BB9FE2688CF2CF294245707" "15C49EAF94C0EA0BFF227ED445435E3626F31CD5E887CF1490A" "9A2B7951AD42EBA5B24B02EE726F95E1E6862DC30636983C88D" "C915361F209DD5603672C9B4D4ADA1703F56955015B9128FF7C" "0547DFEDF772E63AD7EC847B946A66B6E4D3DC8A8EC3B50745F" "F7841318BD115BA649B662C99B973F4E7C26CB1604D407AE95C" "E967406E70396558CA27ABD91FA7190A5D0F4AC89A070F45B85" "8B86")); test_hash (&nettle_shake256, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("5F6539A11001926EF3E0DFFB0142588D4E48ED4A212753128C4" "C944CC6503E5FD4111583D67FBFD4B2ED2D82447E985DD03CB4" "DA9CCD8ECF25069E84B4741A4C5756D6295E55075601098D996" "A375DFC3156D5F56E28FD8F3BD4793601603BC999BF93659D63" "F3B95AD0AF1F5E1749DF5197C95AEB05C683DCF37E9F362DB1D" "D64578E8ED9C1CCF0A3AD93E69B82FAC004ABB2489B0734C4CA" "C5B1A9316CC30F44AC42914AE696698862938DD0DBB3D8FA6A5" "3D1F70D25A175CF810AD901D29DC3BE40E4F19A5308CCB795F4" "4F2EC364946D99F59D2DC1DC21C5DD162B7C8CD5BBE8F4CA8F6" "06A0EF5B4619EA93B278DCDC2E943455F178ED62FA747193215" "D76C8F76077F9209A9311F1F848009483C82A82BE1A9FA17EE6" "9D1DE59AA305DA992F709F2C9A1EFB33DBC8108A7D22AD38934" "D2995A3A5D58DCDB8E435D18099D9B3A5F9CAB18B940F9E1B2D" "B9BC9768B6D29C2098273BE3EB77D07DC6E48868CEED85484A4" "6D94A3807CED72C292FD699ACFB6B1DA030EABFF5456FCDFAAE" "70E851BA49142CA528D91D00CE148758B54F0293E6C53C7540B" "55288322B015B6067DD16C0CB711C63970CC16BAFA980A8C3D8" "DA5FF2236D8DAB951A2FAFE29FC72257AD99409F418E405858F" "BD1A9EAB6930977C034B3D020A86C25586F8524D6577557D732" "68D225CB8E38892D3E7F0095F68A98C1B7355B5E331D69BD487" "FE4F")); test_hash (&nettle_shake256, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("B3120C516E7A7039B7F8D2A886B4774FA9E14B80A7F7B1F33D1" "B4FAAAD74D549E2195E5B6345B19AFCDEBA3ACD5ADE7200500B" "CB9C94D6848357D6FA88CF9125E59D0CBCE876D681A68B6AE4E" "25DD5994D496B7C64F0B9124BEAC30348EA6B80803FF17C0846" "E19F9ACEE413E07E6FF849801C131DAF7A36F2EDE51CF9D21CC" "0ED6300EC5D6B64E6FB9F2A9B909DEB4069738D60D6F9F6CC50" "D749AA7EF264E2BBD6DC680823C45AA8D3A349255823EFBE4CA" "C62C0D38A4388B1FED31EFDC5BD3D6227106FE03B4A40F21F3F" "0411405A4A80E92F3CC045C7967CB7AF2F33879DCF9DA5E7ADF" "813091EB357EC9C0DD097B868FE2D715C124AD0A44E2B6DADF5" "B360FAF6A727448D5D7B76AB2C716543A09E2F75D570103A8E9" "589AE58D01904ACFA0DF54E6FFF01ED725266F7E52B992FB341" "44568173065E406A1E98D8DDE1889D0B7274011CA00357BCD07" "D4CF8323F103D682B272A98395A60A95237482F00DDD5220433" "2947D4708D9B8697F9CE529ADF3599C440E2B435F4F6D039B35" "1FBB198BF360D3A184616B86573E7E32113B1A5E1EB52A1D15B" "EBB3C49407AD6282EE2551859F9CF87D0D8F0AB362A439EC535" "40B4B024EB49B525ED29626DB292D1333F579B1896A6357F9D0" "B51BD283718D2A7ABD8F3786A7DF2B512070A2C9A1B53457F27" "C6B859A2C6956BFF50AA7906D546C67786B68EC1DF3E93CC60C" "6968")); test_hash (&nettle_shake256, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("F59933F9E9FC474342B7BCB8B4DD6BA7B02AF5EDD2C1824B227" "BBD2A56287267804534E943EA69B571990EAD3AD5DAD06CA9C0" "BF97FEA1F3878824782E244D77407E3E83D5F527A1F5BFD8C74" "7FC08C5170E4F6CB114A9CC34E96AC2758782344451BFDCB090" "2EC52A9FC82087195CD1019A8E5B03E496A42762FDCCBA6EC57" "3D5C0740391697D95934F983231ED9642A0C6A2F92198B49670" "AA7F76C1715F3C80648E606B97CF708596AB9D8DDC7D039DEA1" "F4DE4D22E6ED297790AD73D9EBC2B1BC55315BB60E90EC7A2FA" "9A7922FA5A4E824BE742EDF41693F595571CA33EEAFF4EFDF58" "FBC0B9B1CB610AB2E658CAF31FE6E0AE74064DB62CE339C1F43" "9A55FDA0F594635573C511D040CB59F2BEF552F38D87F31AF2E" "98B59E9F0E67BC57D59F51204663511865BFFE1CFC42B00AC0D" "69487AABCC648BDD8201362A43AE19A9570DEF75BCFFA6D0009" "62E931AD32E36A9118D74C777F9A6D853496E9638332C3E6D7B" "0A5F030B2B4198C9B31A82CE117412C144914E784D9B0DBCB8A" "3320FF22C4F4F4810D5885C7DF3D0FEF30B4F2272230278C600" "834133C4E11AE65BCAE2069FDC1C863CDD701DB750DAE4CDF37" "A2314E39DBA691ED7D4A0087B8057EE27B3F6AF14AC0A742826" "FEADA8C5B5D52557952DA2FFE45E7C328E04C3CD61A5D8F5E11" "B3ACB6667A08498AE0582FE0E06105101CCEC61C63FF3CDE8BD" "1798")); test_hash (&nettle_shake256, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("5DB567B895164625131B8049728A0A66BCDD2B27D37828AF413" "53DF5AFA10DF9FCCCCC110DDA3071A35319EF50821CF1796B5C" "319D4FAE433E8A2599325C511C3C03E6EBB7C10E3BE35451756" "75F7AB719E906640DFECCDADF77C345DD798AC7E2B7EE83C98D" "D194CA19BC1131200494A4B67428C23061CDC4000762C12565F" "A1C731A574530D282C2502356A75F03685A4FD08D1E938BCC2D" "6E7EEE748DD1391950A44AFD63B73ED549895F0CB38F7D29269" "7994520DE110F782B0CF47BFB07CFFBCCA6D476D468B227B340" "6F44CBF3C6EF6920B293FAC69927DCB2D153350C7C8BA2D84D4" "11E3CA70EDD9321CC0387A6DFB84221915094EEE0A272F267DC" "111F18E46C6D82CD6B98933261B5A880FEDFD23AB2F7B6CE349" "789EDE97CC034D0E0408E3E3B75D951D7DF039700629CE147BF" "B2E2772EA80C8681D6DB87667A63E3FF358E74AB45712F0BC1C" "747551DD96F72A6290C5E9679A45F37934E7E22378A2BB4A031" "52DFD450B98D76C233E107C57142B72389350072027BCDF9BD1" "82A304E8B255F28459D96687083765E46F9B4BB14DBC374BB40" "1EA0DA7557ACB2684A96F2791E1B8DB0919365820CD315B730E" "F8BB83124577E55A139DE4C9236182B885ADFF4CA2298F157FC" "460972D6BD67D538CBA7E32F9051AFCC00FCDF797FC8231360B" "A6B7ECD5C4D647338F23E1F578469E1558F49F87FEFE28CD761" "BDE6")); test_hash (&nettle_shake256, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("B3D7178BC88BD577C5D95A67B110545C8ACF8F6FB56B5DA15F5" "738785E6C950347905B928DCA2E70CD2A5E574811DDBC894EF7" "FA8EC3446C7897B2BB2D68A61763A892632A3C5C6A3764AA0F5" "76717ADA5CCDA30BACCDAF71740316910CC08E8272B67521292" "FE1749026FADDEA743358421EAB011087D10D4208FAE8D5D607" "EE0D89976BCD79A12F4ED8B1C5D0189B0E2ED5B0B396C85B277" "63BDBF52D56B92E015CF080DF4F2EC80398DFBD733519F3915D" "3F102D0066D425EF9FE1AA3AFC8584C8F4D594ABA86AD52E71F" "A77893266C4C606A63891C41A679964A5E3AEF1C277D6D35D41" "0ECA6156F8CFED13DADF8022AC9159F913C4838AE1AF73EC268" "F9D3BF085639D69F2CC51C39EA594948FCD238D093A799F266F" "BD90B07F4619E342E38AFD178864760AB109CB4949E518305B8" "2ADCD68FE6E922D1ABAB2D132D10E0AABDAF78F0CFB74DEEF78" "CBCB422BBDE5083E57F016F4C5679E9D5010D4091B3FE615458" "86A65AFA49716EF8CB5A6C0EBBA4A2386A6591BCEDB3563BDA7" "F0E792CF28D257BD066D44E3AEAE8478D093FA9482FC26C77D7" "3DD3150D53D9F1A030063122916FDA66BAC51C69CEAE533F7A1" "569A3B9536CD35067EB190D2812EB2CD089D3E1DB98F2DFE5A6" "839F5B04B6EDCA6732837D23F985E1CC9444AC04DF0B2BBDBB4" "4E24D39DF2F447D72FFB90B7E9C68A46329ED630CDAE9470770" "4428")); test_hash (&nettle_shake256, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("341AA5C875EB43F10E8DE28505858865870E62A9A4FF45BF977" "B947D0BE17B2DCB74D5880FB5316C5C0B5E1C7DA24D8C8C72E5" "CDA4A9405912D12EC5316611EB40AE84A903703F67D3817BB73" "AC7C2C449D4D6D737CBE06C144A20F99DFFC12A8F104DF9E448" "A96DE38DC6D7F83324FB3A2626BC91405EE5917F3765D9F2288" "7777226BE829584D6E0F6544B5E1C25F939FC9136BA2E0C0D6F" "6EE5F4EA97DE937352D9428222667D974F4840FEE0770657DAE" "58BBADB5F47EB9C88232FB7BCC6F1FEDA76600FA2659F7E8311" "29B3E3856ACA6D78E0D7C582852503A67876877DC6599C10D42" "DBB81E6AFD2919A18E4EC01EC7A032ACF2A8320C5AE348D28CA" "B36C85CD256DB5C30BA1F8891005E68F91D7B0CB0AC4476937D" "1748F2ACE0A1C512AD07514E31CB0CFD743E5C29633C2646AD1" "882176BA15E7CC8427FA20B2295100621A6E01F7FF4F27A6AC0" "766F9C25934E64546F16F61B5CEC865028BD0D7DCAFDB3D6912" "C5786372E1E4ADC6CC8DD3E0A0F299B65BEAC5FAE69E8219787" "A8EFFEFCB50E40C8BC1C3D033742D98FF30D64D72D089AEEE28" "489791F6099CE354385DB83256150A1F9B6CC7444665BB95614" "AE6E6F511CEE0C49288B3EB31F9C7D04B3D126A1535531505F0" "C2710CF6CE7A6DB31F043C7C535F89467CE1F6E85A10AAF5486" "A3A6953CD351D865F818FE959E6E74F2DE42C1FD6E219DEB606" "6C86")); test_hash (&nettle_shake256, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("BA270D4DAD10865DF673F0DBB9D72EF788689673116CDC469A8" "CB9C89E6D8D511DBFFF6FA38E29257C9A5820781094300C088C" "DDA2A17AFBF164D13E360EC04FA44AE98CBFB972A68D35E6FEE" "E3AE61CC217487D7461F7315449E201D707F8CD0E9FBC64D920" "12B22175E677A304D903E556A5D1FEFAF8177A8EC3E50635449" "6CD693531ADB22BE09BA71B4710549BCDD6D5EE1ED3975258C7" "7760725D1C4416EF3F3B45DD8210433BB44882667A2154D4179" "2A37F2B7C5C85DFF707BC2A89AFD652D83904EC084D1E03496A" "7F402FEBA9F77254772904580CFFB1E7A0A8D489B6CAD6D97C9" "A5824545FDA36FCFA2E0A6F7E11710A8BEC33767303FE884319" "5E9F17B1B75A4625C67E39FDADECADA6A7E7755DA7742548B79" "7662B6A24194E07CE2E0302FEFF4671E6CD972324173F14F5A6" "0D443F6162CF2D6A3E2E0A7F2A6BBADACEC5F4B43D4AAD80900" "3722982FC7AF821AE4143D123AEA6B7D8550541DA9D704D81D9" "E12820EC03E8443866EAA80A534A5983581F1DAFC7F124915D4" "2F9A24887207C2232B5EF9D8DED3A3ADCB4D493FA2FDD6061F3" "9F28CA3B489676CCE7E0600DFAE247A62E96BE8A63ABB977A4F" "35F8361B71C8578BDD63F35D17CEA1463AE0709353F4667367F" "0FA0B6B6B6EEBFA049BE6133350F71E9CC1B157ED18C9D90A1A" "4D134E553165549C18004279ABA0C4EAD5F342CC05039DAE1C9" "CFAF")); test_hash (&nettle_shake256, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("C2911768C4579E3876B6ABF0A4A30646D8271FCBF3DC682C48C" "10E41A878609301F10073F3EA87BFD934854147D129DEBA9124" "FC69B6E29C271062CC8B3A5785367FDEC382D365D4D60E7E63E" "946154F948B55E7E31A0CAB5D25BEA7CDCC82D8B6E200C28C7B" "4946B4CA30B46970EBB415FC18D9BB60C4F81A308BECFB2E40F" "796B8D6F914FA7F134664B8EEF9FFCA684B296D26BBA051BF45" "F3EDB68ACC5D0C79C08724BC7EACF702633C99C47DBF4E08AF4" "3A48A51A25620C1F16BBFE4CE1A52A60B4DD603524DE38ACC2B" "E65240F51E36C6533D85A7B0FB06FDAE420A7E84C4644B943E5" "CC4AC48505CF042ECE8FBB4AB90B16B7AF3ADE3E24F871DA2D8" "6813A100C82E62F949C3570FB117407AB71A660BB4284A114B1" "F6817621EEFE246CC0169CA7C09FE6684A9709BB5E7C5C09A35" "B4D5E109E133D23CEFFF9E438BE621577A98D9B49B0F30740E7" "E3038C8BCF07E88ACB767F9A43B60DA387B617D6FFF8A8D8784" "513D649EF3A142ABAC0BCD8159F4FB65DB24616225FB4FC636D" "6C1D94DB757E647934BA77C946BB7D010AE5C78E05157466590" "CBDA903630809649BEF7F0D27000A9156B2D05DB89AC90A91F4" "D1F295D296D7783E6872FACCB70CBCCD244BF620D5499382421" "C8CB3829E756E6B415AF3C26F952539D14BBBE56C034B58124A" "D973A726676B7F278E7D4111701D69681412BDF08731C4CB14E" "ABFB")); test_hash (&nettle_shake256, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("C2AFC53CC5DBE46697F64D5B6B37BF1DB7DDD06D54EE9DA7873" "C77D91DE47377DBC5D525BA8C14D5F24A2BDD473DE53FB1BCBA" "E0ADF93B4525C0A77D1952A21BA5E575AB9AA889A19D85A02A1" "AE4D420613BBEB7BD2A7032137F196E0566C284CD11822EF938" "C191763BEB392EAE3FD6FAD77EA7252EE72798E5B4318961EF6" "7E595BFE0BE036C478C88B80C50C3F7BD047066F4CBE031A867" "644529AFBBE607C6FA77602ACEF9A635DE3B1FBD6C967B61330" "40D1A6649F1FF5598CE0E76AF8ACE89406FC02F2818EF8C29FA" "FF1F46A551B534BCE2C30E6FCA6F62DF3BDDDE56FFD8550466F" "48C0D14BEBB386F5BADCA240D848EFB66AC2D339A54AA1ACCB5" "C753B081F0B6F782388E7B82C77304F30E03B5D3BFCE0F1B515" "8AEDECAB4749C17305DCF231A04EA2436F423F5A818C461E90D" "65EDA69DDC5D977B19F26E4C9DB874F2602A3F5BE5AB8C5C70C" "DBC57E5BF757037768E1962D0AC697645B598C46D639C7A0DD3" "1B7CCFB88E4745BF2776505308C28FDDB084F67618B84D0451A" "B2AA45437202474ABAA0780935EE78D47EBB4E07C6466D3F8E8" "3C1B27EFFC1064FE01880D2A7D571A955DCD4F55D631DFBB3CB" "550E3541254C0D4041479FBB331EC591F8AFE5B644F6DF9F430" "0375805BED126EB96893BCAB7FC5AC5CCAD3596D8C011258F3E" "D269A6B0A6C4736D467BEE9D495D414B475D9354174B36E9756" "55C8")); test_hash (&nettle_shake256, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("B9E75F5D4B74FFBD244CD9566DF861526B5DE9584D3280BA5A6" "84EAC9D44C91C0DCEC5827DA4EC0FA7F60D29286D348F576F4E" "2FA03AC5BE8F27E9F9912BF500D0CD549F5E5799697C61F0403" "C264C4B2D986DDBFFE72FD8CA6439FC01D1F7138A92947364D5" "86D67C300F27EC2E3E75F9088A5B787490494EBE0C42D00401A" "2ABA6374CB3E33BBD737ECFBF80EE24D4985F6D11FE24FEDBEF" "B387D4EDBF4AE1F409E67F10719F47397968E406A51B0DABB4E" "9391FEF03F9F7BC47193215205386914FADE37017EDFB0DFE8C" "51B4C35C0AEB6F8A8E6D4D69FB538ECDBF65CF92325A7F280E8" "069CF9FCFCDE610BD024CBA87827E92CAF22482413C694F9F1A" "DE65B67F8E1D32E4B5D51F038C2FA9D89FDB2BC1848E3E7B54C" "4CD4D021F4C8BAFF61875899B79EF4A1468B0443691981FABC9" "5D076070BBD5890EFAEE194A6484E584364BAC001FCB37C2285" "8F74E1A01EA8EEBD49D9A55A19F5967B898C5B71D5F2CE93F4E" "52CE4B4D00D7C42E58D71C174E9326C5AE1E40BFBD8BD37DBCE" "9369062124CB47D683DB245A4F289F052F89812440BE2ED28B4" "0049A9DBC75B3FB1003BE8A1B996BE44270A83DC20A38D62C59" "71D09D06FFDC3F89379A99923F2BE2FB6651407EE37F4BC8073" "E396887166AD4F0A4E156C72463A524EDBF462F62AAB251E321" "59CB3D79A2CB3A8FCBC196721642682646A83EE60425DD7207F" "7360")); test_hash (&nettle_shake256, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("EB24ECB6C9CCCDA1E8AB1CA26683B63A43CA864E23AA7681A49" "27AFFBD8ADEE82704B24B321D6C909A1CBFCB453AC084557FE8" "4AB25E044885ED8051A0EBBB457D9821E9C132230FF27C4F279" "51432DA415D90D59CF7148569CBA02AF32A8F4B774D5E4667AE" "594C2CC4776AEBA2CA7D5F678C522A03B426AB2325127E56A40" "57837CFEE2607207DEA5F913CD64BED09E7FA723148ACA13F52" "2B584AF9A36E74E86415F7C064C7575176488895F0EE6A6795B" "51729AC947BF09668A9ADEEC199592B77227D62205857B75E01" "E62E3D2757F02C4892A9E9C2A9187F7F3DDB16B7ADC28C33F58" "89F87F949EB0A61E5FE431A3C11191DA6D127BFC899CDA0787E" "B269D0296F31F3580D9F630E0693F292D2B9954444E56A82D6C" "81319CD99D5DDB2F042E9242244455D5D9F59CE9DADF0BE7804" "94FDCABC72AEE397F13CBD656D246B6240A1C21BAD6E0126CAE" "A1C93096A41CF648BC0ED7A051E03DCB51E2C48AE32C8818863" "4021A4B64ADC4B2CA9A5118D4B6698E87C1E3D4C2666996F875" "4242214F3B07806C8EAC8CB63AFCE0A03B64D63D46AD53F0345" "DC3A9FE550D43E9E569F8C2BABB2C025D843F7D568DEE6BC762" "D3B4DB80B8A3119DCB19A17CF5FE1639CA313FC74EACEAB5F9B" "AC2E546C36DD7C292B959A2C9CA98CD143C5822BC94179DEF33" "D146A16091688CE192BF03A7E334BD033DB66A3D544A8FE17D2" "F5CB")); test_hash (&nettle_shake256, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("75102A95654D885655B910E6778F8A72B263B0854442230F8D8" "923AFCC92C5BC98EE5F2E8D53EE1EB7F7A85A7562FB96535AF6" "C78F0491EB11B4BE2CC71CCAD0442DBA422B84FB16ED529278C" "57A543A3B8910D17232B2B7FC4B81BEA56A6E99F64A50DD73AC" "D26E506EDD60A788548DBA27AA66BF6D41C8CA0CC603D8CA515" "F3BC948AFEE2E7EC3F8CEBC56A01682E66A082846E8EDD0CED8" "5A6D5ADA77A9567424C73F049DBB2CDC180E6DD85AD73D624BF" "E10BA0CE3609771E50B51004BD62029259300E333D18697A3DD" "0408D37C5E275CC8A4C6C5AD85040365B3A427F21BFF9F1660D" "AD79D439C5DAD6855E75840577B6AA822F614B42CF57561A70E" "E8216F9CCDD8B10F36455A2677CF93756A3E30E2E177029C4E0" "A3860CC01619549AAB73B52E7E5340B42EBAE37478CD899B71F" "9FBAF7DDE36C57450CB5793E371C903EDE8143F9CA3C8EA2231" "BF5F3191A49681EE8F45374D81A774E9F8C6EE5465B567BCCE1" "C77E8289C72411A1C8F5402906046F42CAFE88B54A5E8C7FBC5" "311B1A7C43A1094047935A27B2D89E9470EA28569211F1E6D99" "E9FCD1AEA301A6271F90F51DDAB660E90A50D10003BF425858C" "FB0D67ED630F74D6FF46E57FFB7236D55703A55531F89D92EEA" "C17C6A050F56B46BD0466A0A918EC972E0947A991B024AF21D9" "F92B6147155A1EF08EBF620FBB65C309863A25F3BD1D9ECD818" "E354")); test_hash (&nettle_shake256, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("603CFB5E53D83CCDECB22C5C75E67F5DFA0DB7D874E6D280DE0" "14555B1300192D9B769482878950ACDB484E87C26F366D2DB04" "9FFE8C92799954FE31DDE56A061E2F80A5DA15B65A0C9382C77" "90EBEE8E676373405BC1BCFBE974797CBAA998A0315CD9051BF" "669E00611880AEDD88DC690192D8D485726B47879861A85349C" "2017D9892692DE8DF315EC3EB4E6C508B85002FC7E6D7812FC7" "E025FCA92F14EE57EC9F507EC05FB8D143DB2EF6B83B8785289" "C2FABA51E962B77754C0081CC1253DE4CF8C36D2150B263FA01" "E19E5157EAC5521E29414407FBCB604A442FDCE7DE9C99D46D7" "1F78D1B9931033AF38940D70651884B766762605EAE11457A60" "F44BF5CEED9C0E9A9C600DA70B87B57E4B5C280E3AA568BC6E3" "988B5481006298BCF9239583F39C5EF439E551B6166DAF31970" "DDF7BB6B7E068DAE50C15D7A1B3D4F3587A91BDEAA59DC66622" "0C2DFD238BEF11F99DD47B87DBA8C60598B531013468EA5F15E" "DB0E2F43D4F4EFA673E88AADF4572A50C25B3B7953C4FF0CA8F" "32D374FDC3C130CCF67E95ABDD315FE7390D5160F6B307F3A20" "497C76F69CCF18151E5995452F01ADF1D55BF3A678D0ACFF44C" "50852F940DA91AA3FA8A5BC8CC72DF7AF11AF0E19C167F6031D" "C780DF8583F290059F5ABEC6917F7EF54339538424234454004" "BE4398CD0CA6CD1E71D0372F2229591F7647142C13C5B089780" "6F30")); test_hash (&nettle_shake256, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("724E26AD36068E3825E1F997CFED8AD10194B96E76EF425BD34" "7254BF19BB862DD449E0182E9B8E20C8CB5440E34CB7391935B" "6F5D49F3319A984E313A9F4ED7107C43D737F016BD20D7F454A" "670199566CAB98C4D05F0D31B2811A48EBA4DF019936B0C6E98" "3C3557DCFFD42238885A7CBA1376CDAD15BC2FEF1E75013CD3A" "CA86FDE4B616F2BFE310131AA5EE826F5B0451D4DFC0F0EBDEA" "CB36A8B6AB96D7D81B2A21F7E09C5E908FCACFA763DED4361E2" "D9EC86559DF71A827662EF692D503C72987CC9F5A9FD69F9AAC" "4231BF27E8C64ADE3F9B51FF7DF4775B966A6C2FA6F913FD191" "F9B79DDDFC077363E1E62810F9D82C82A0CA9FD45B9267B1799" "8C2FB7E812195CAFB0A08831CA47857E00E329072037B3A96DC" "9780FDB52379E7180ED0E84866D42779D89F56F94A8D86C0600" "302A09255F838EFABBD08FA7B342EBCE887CBDE92743A36C14F" "61386BC9FA5662F7A2E39E0CD165E0E0F635478EB28217C1E97" "EE7DF96D6E6143918C7CFE29236E9911D10C756871E749E2CA7" "21DC4F1D0DAFB1715591F3708971409A54712588AF7CEA3FD2D" "0D06C036CAE4F76B885F50B3FE11A39F304C9702BF5F24DD5A2" "006E9FE6AD23AEC9598E34B4B043B092CAED032C3FA42306064" "805E73FE03560ACE3BD87D974C8FB95DA0C68E0EC4B245C849B" "BD06B94A319209514707BF5447113EE3B14AFCA06A6BF308DBE" "03A8")); test_hash (&nettle_shake256, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("D0F92C3953C2696FC132FA48BA36EB7576D34C5BACFA4E9D9F6" "DEA8F7B0B6B746F6F7914EE8B9C25EBCA91D601E781B29C99D0" "DA92A1C8670918927A45B2AF16E9BF00CE9A877E361E797F951" "1B9A116AB72209D7E8DBF0E299991B173E4C654021517A94F9F" "4CBFE6FC4BB3C3EB5171435219EC0D80BE57E3900BCE9327D10" "DFDCE70BCD32C129FD5D5BCC54C4BC972F67562796466F9BCC7" "399DB8444C2EE896ECDA88E0F9ED729985992F0BD707ED3ECE9" "7064480AA1D10D4BB176F65DB3327A0F34D3CC32140A95594DA" "7707F565849D1258435285C1B9828723EF42C475D30040AAFB3" "237A759141EDE73070E8995D2FF72C727B1F8A215AF3E511385" "2FEBC029413C2D2F21849CCFF5269B8D188C147D4FE3843D195" "0FC09409BA0E5FD2C5567F11F0DD098810924E56463CE5B6C74" "37163C6201A9252DC484800303FACF0D6B004CC856BC68AEDEC" "5496021B37A667B02F5F7E7234484B531F07ED78B6EB747CF59" "5367EC3EF33DF41D25424A858F50A63D5D503EFEB895334466F" "C3B01DA6246A5801B9D06071D765A65E64F2214F93B6F072115" "343D711697EF2E1463E021CF3ED9CFCBE5A81E54DAB729D52F2" "F309BECF754E3D420CF0CA060C7BE4589D748B84028517AF792" "3767833858A35B26B0AB5C5E3B14E68BBF50AC28A3129F6AE08" "6BF783612749DAF4CFE87E75A4C89DEF988064E32D616F1CCC1" "7D46")); test_hash (&nettle_shake256, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("F31DE8CAD77A334C3480D93E3B30844DF1EC344A8D44CDD277B" "0099F28001239EB0DA5B566FDC383F0E1577F67EDD2BC0F11DE" "67F3E7A4D97C56C9F3BB0FCB4D3E4D08F7F3D5C30FBD2D964CD" "45F36826F614668193554A33BF0170AC3E64C10E4E3570EEF84" "DF387944A6436A814DCC53645D01968C4EBD1BD0BDD76354580" "805BFADAC96470FD354BA2630F7FF8F7AB29282ABA946B1A9E0" "63C316A6D337A7CEC2FB4B562B899F626418BB61EB4F9E9BD7B" "294C7ECA75AB522D642CE495640E4BB1E2B14A10775704DCE5A" "DC7D7E3C091520B48DD18A291841CECE5EF56E1969915FB4979" "60D011A8F46A5B08EB39232283EF332F7AB0D8FDBD900BC2001" "83186BE31A6EFF7F5F4CD27C12BBEEDB0715A0E6E1F6E35753F" "E7F3996C75AE34D2E8E76E43F49EBDD505DEE66536E5F2332DA" "F4EE462B7B524F3BED1293BC45DF9511FC03D2734DA036EB3F8" "C62BB0E623031939E83745744F7DBE93E57ED65EAC1016E4147" "15B54AE83A15FAC6E76057D77C3811491F390C0B4EA0BCE2923" "72A8633E26C10C11E301E57983109903DBBF4D08434A6287B8D" "F665BDBFB03957CEA7AE4EEF506AB1F7AF1358EB48E7FFFC960" "6C266E6CD903C75772E2E88E954585DE90111A250EE62FC12D7" "5C5C58CB7C03C9C06C2AAC9EDBFEB02A1207AE5F9A92D32DCE6" "528A13725EDBE757F309449A40E93286388D8C09F9BFBF49E5F" "B826")); test_hash (&nettle_shake256, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("A3D9ECECA03A1016A8546AD75C7B35102D5ABB0021FB5F2B1F5" "3B591624EF0F6C199F64DBCF325E37F4A361368CF60F3BDA9F1" "1BCF5FF2EB1A4C0B0546B5E898204EA5E4117F519F72F2F5DE1" "017B2BAE0723D91A430B2B3C1987FDD24FF0D0F1CDE2483A22F" "C37F296CE16998C12994603CFAB4B496D3333B25ED48ADB1EC9" "26A44CD5DB14C2072588F15EA752A31A8A3AA559A35EBC900FC" "E948111AF7522AFBDF7C56065B196CDD00FDBAADE3A80D2DB10" "271BDF6418F0F817FE991EC055CCA474B61E1AF6BE6FF6396AB" "04716809433BC8AF75369049E605C1C0028A0D370E7CD0C1EB5" "71FB379B757E8BD21AA61C2E2F2B0D0DBD2D73ACB2DD0887923" "B840079BC74F6C69682118B2B3DFD3FE94D3A76EB8BD68CFA94" "034DF0B5419104675B9F5E56F8C6E0EFF12D9B20E27535A09E9" "FA103803B62C66D7AE09F8E39A5F505F3BF93D27EEE1B16546F" "97AF0616BD4923425A1F0FEA1655334A528C5DA469850A02574" "96C820A351D826EEDAB469A3871182B8435615E8CB1C8C81D34" "F8904DF7F81D48FFDE990B69F0608E6B05AC130709D3DFA9E8D" "9F343622991BC686E80B4F0877C03D9B1E0A190D4C33C11246A" "20CFB297E127FC359AFD037B1A90C040D9E10F77A3F6D9FC45A" "2877711559C8B09348B203FC49A1770730D1206DD03B9E64C39" "0A308BC27896309BE2EBCED1A7ADE8D7187E8F6F9A76523FC82" "0E30")); test_hash (&nettle_shake256, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("46F35DCE4FF3A34E944AC51B64AB60D314E30C2CA9C5B4675D7" "59E1E852835977B6E247C025A8FF0248C622C492A04B87C5A2C" "906B2C1CC8F9CF2E03DBBE046644ED26F37B2C4EB2D16B558D8" "2E2A3400EA2BEE9B4D0A3641B7065FCBC34ABD67EABDF5AB7B3" "F278C47D24EE127515A2C94BA955A01A098BEFB59261082F233" "83210FE82208574B95763FCA6132AFB3E644461B1D78F3C8E04" "D860FB0952F9A33A7E56C1AEC1CD3CA913CA62FD35FBCFF62B0" "032484ED07AB9C510C589F62965D676382EC7E55E359F5BFA71" "24A54B83C245725AD796987EF4E9186C74E8B1B53CF02753334" "1278B0A6B621D7FC68B556F0B3E1A95312F4FD3471EF1BF3C3C" "5ECE8269B29A51470ADE59A3F15F2600B858EAF8B6B109339CF" "1B15B0EDF36E0004992BED6E1B187BA60ED3E92A542A83753E1" "4E0CA85A0DF441E5B03A9709EB1AE714615C7C5F2F54C373BC5" "ABE342124BCA909BD4F6696950E0483BC798059A94CD8D852D6" "C5E596A6CE12FF053874F459E68062C5650ECC934EEDE1E7206" "BDE104CF33C95FE103D279108B60B4078DB9522F2CEB28B77DE" "F8E4E59C93552B8C09C0D74E8AECB3B6C50BE0C123E2EB39470" "908BB7288E451C51F6F7154143DC78D5F5C4ED402217A3B6146" "6CE80CCA2257D77DBB99B6069FDC6CDCA949BCF279B3E4DE579" "68DD0EF83C19C5E1A07B19B85FC60E593600470C3F4603178BA" "08CA")); test_hash (&nettle_shake256, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("77B7496ED08C3933BD75983C0C0494BDD8262493A4B55DDCCC6" "4167E67EAC0F6E6307ACC15C33F3963744E26CA6C504D393B3E" "E8165E4D49EB3B6E649207653048F8B822FF884DC74937443B1" "C4A888C7A768C63D5B5D29E7446873923B9D7A56FA5D9E90760" "AB86D5718E3464821B79EB46D169141FF16120BFB650C76D4B3" "E5B3F6CE61FEBDBE09AED7F4C91066D903AF6E56531E8FF7154" "9508B6E420CAC6BEDFE0CBEAE6BC228476BC8C00EAE43D40C82" "CBDF6B460C376D7C11648EB2815B6506ABD4339B25D58D45CDD" "0A0B9E35A88E251FDC34D4810D659D179F59EBD03717FD31A63" "94CE12CD5569066E138885CB2BDEBBA06367557CE849EB869F3" "CAC38800D51C22B666AE2701E580796394DFA02F4910BF5F86A" "AB53951233364EA20CDA35AFBAB445BE7F686643856F825394B" "E7B4B6D2C918D0151F46FB9AEE8A7BA2D706E48CB0BC429B064" "262C1A0EB3524FF14632F5184575C15F6F4A3446E93CB4E86B6" "A931BA268409CE30B4595FD2059A27183B3BA8D0ACE8E482866" "D5C7D5B03DB8DBD24B99D59EB6EEFFD209E124535D154B98F99" "91D84FE1AA763C5133D41ECC233930957DCEB7896AF70F735A2" "F5C1E79480AFD50943BC5014BCF0A7354AA7F713163B55A1E41" "BDD05FBBA9C1DB2C69043ED9EEA4FA45C990CCB4A8DC41AFAB1" "8164018E54C47AC5BD6980FD796ACF0DDB42C7042A4877E8BE3" "DE29")); test_hash (&nettle_shake256, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("8229BFC635A769D86656396B7723FB46BBA9868712F27C37792" "5CA6B358B8391E0AD8C30DA71FC8F0716BB95ACB0DA00C61F3A" "7BC8DF1315715E925F1EBFBFB5D72CB3E098F0C014A80E88A44" "231DDA194DFA8E35E359F60EA5D7A5E0D1E64A8FDE294F4ED2E" "3E98294DAB838B2C6B3FAFCB2995AC17AF67669A24FB7131823" "3A82DC8B934C8693B3DF784A5BB34CE9CB3FDE79AFCBFA66C07" "D1202C954E849DADC0C1D5BA79BFA74919C1C6FFFDBB834287C" "852522A65AE3D32E337C2BF16C3B5E22D4577F5B05F1B872185" "32041B9692B0EC561881479C924BA92E154B57A1AFBA6214F68" "FD067D109A92A9B0E127A0A6B78E85808268567CBD1A2653201" "233B4E80BE103EB951748A1D1F8A205856A650C58DF15E8E1C7" "6644E52614AB4DABF51A2320A98D259F8295412291464E1D918" "C9BB8F5282301BE5F91DCC507F140D8642B7A6FD37327CF38F5" "10679845853CFA039FF4CBF749D48032D6650BC7AC2BECAEFC5" "672CA7C61A8F6A1BD69D321D2AC1E6095B3AF7111F509BE0062" "707617C62DA3336C3086C39B2DCB9DA7F23BE732EF32F906243" "250CE4D38668ACC8CEEBEE87C43F077DF2DF1EA4F6345477490" "FE37725ECCB8D4F47B14A85B0D36FEEADD4A020DA3DDA4A4889" "5DDAA45B5EF8499E937D06BFE6DF88897A828DC19D9AD93C622" "E0263E74F818F921C4200856C9EC9D36CC99A6B0BD59FCCCE72" "CE3D")); test_hash (&nettle_shake256, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("66126E27DA8C1600B68D0ED65E9F47C4165FAA43DC4EB1B99FF" "EDDC33E61E20B01B160C84740B0F9FE29FDA1FB5EFF2819D98C" "047CDD0CF8A0D396864E54A34657BD0C0355C75C77E5C3D9AD2" "03E71FC2785A83D254B953277B262EE0A5BB7D0C24ED57FAED4" "FDB96D5FD7820E6EFEEB5A9E9DF48C619C4872CF3B2516DBB28" "073273E2693544E271D6F0F64BE8DC236ECD021C00039FD362A" "843DC3681B166CBC2407495E18903E469403807FE623F3648F7" "99F18FBD60FFF7705D07464E801E0AED4F2F0642B9A2C5CDD0C" "902B59B1DA19A09375C1C13175B618091B8882A0E7205EE63A9" "219ECBCFA943A10D2D9A50C8C0B5D43B003F67EF0D52ADBF9F6" "59BB62FA6E00678BB8D4449648872A99EECDBB3DC381B5199FD" "500912AFA93C63A6B23D00D0A416468FDAB93AEDD9115265BE3" "A4440DD4029FF7F88D9755623E77F9430B934DAE529BE9A6B30" "7B1B292AB5918EB24B14598554B4CC6269419C701494B7CBA5B" "3D69F6CDCD5181FD03E0748D08E1E0AA5C4EC62C47877C10858" "73C016EF24E7E45DA71D3DB9DB23B153CCEDA9A9AB5CCD8C546" "6CEF29810098E976E4867075601F83A2D2CDA1A476A1E990CE0" "4C4567FFB99AAC428922D9D8B25AF68C36463D3AA4F689CD778" "F79E743E0BB5F935E6D45F978DCB2AED12DFCDCA469556556E1" "9F25D4C959C98785FB471D4BD1675D3B84742766D5BA4BFF2A3" "F912")); test_hash (&nettle_shake256, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("EFAEE039C0412FCE8F55F6E7772889EC18D0604FB18040DC1E5" "783596CD820B421A0DCAA528C8A62B17A22164430672DA6D818" "E2E555AA8E79665A6F8F5721A4E17FE8FEDA551ACC9116F1F50" "E95839FFF2427DC1D988B0269838102547D4D46C11D2548BE3F" "885111D53F3061A74972C56579C681C20BD5D47A4C2A9523BCE" "154068FDF3813F5D45A8D446758C212614E3A6E80EBCFEF81E4" "4034E0F2D02FCD0AE5E6B10DC24EA09B94DBC47873768C0DC6C" "F2991B9477448540924CB57D3582D7B8E453E946C57129285B5" "48FCC831B3E311CFFFA3161941689E3CD649C3F47D96037804D" "0C6A4FA8C09B11A7D5A35F6C4AB89B64C735153422A3E529E19" "B9AD7F7CC346F904912E1A6C098CCED3BE9755137A26907CFD7" "F7AEB1A573A971C4A5760CA5399CBE642F0106497AA1D364DDC" "DABF375C547BDDB6011F26B564D0CCF4E055DC0869BC280391E" "5C0203005D92246E377DC560D16F3A9588068473B14FE7E39F9" "C25108EA279D98DF21902E60DD4EB03266E873D3B0C24DD3306" "6991386C4311E58197F24AF80FA150068407821C2327E900340" "550E7826B2F510AC65D4B21E9336610945A0E5A0EC8D132D694" "316F2B8A21CC24520C6204EF036116B2FE66A79CBB202F65E1D" "1782AE10CC71BE51DD44718E2FE9D229C705B94B9BA6B27A392" "5E55DA290875588C8EDB8A1866FAC9EFB7FB292F69A89ED772C" "C68D")); test_hash (&nettle_shake256, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("F64CB396701785B64767D4F17A768EE198297A74E5D1617FF74" "A3323C096579C0279E351C2407BB889CD4AE718B09ABA711FE3" "AC14AE7D7DE0072E8BB0B6A1F92A1C93DDB46DE891CFB1F3681" "4E585F672BA871601E817BCD6327F3A7FA7DE35AF6A0948DCF3" "DEDBC8A7154CE8529033F67FC656F95FD47B60E49681895EBE0" "824DF50F8EA0480B50EB3264243A88BEF29F5F4FBA012B86A5D" "FC98054AF4D15248CDADCB160193DE7068CE71EB76E32ACDD0D" "D94F6B27B5158D9E63EB25831219768454C8A951E9678F41EF6" "F654CAACB0F2AB5DD614BF0BBD932DE06FC31D7259309B23DF8" "B5864322EB2D8F39A07E5A3F324B64876612BE4A1C47B06F7C5" "BB814169D94B78CE22AEB7249C96A29C52BDB5550C7B292C96E" "A9ED6700F5D3032D2A81CD68ED3A6DE8FCAF9379ED0D95C94BC" "B0082915FF7DB5EA1BC25645EF3B546A728AFF4CA20C6F8288F" "F0FF4B7DBF838E1A3EC5463AB88CC827D03A748FBB924797A98" "D309BAC09E73215BF8BE798C151D322D6110C280D85B45785D8" "54DA39A80F64897918C169BD7E1FC52D003999C084BF69B696E" "6D747E859DD2D6EC6FA1339A395858477BC49241B302FC74E01" "88A2A8138507331923C357AB4EED3F64FFA908CDAD9116039A4" "69229F9A62070799026097EC7F5A71A7FB01B5473E8035D383B" "9F236F2FAA0E06DBB135A939EF9CB31AF1E312F47C6C9BE1F50" "DA36")); test_hash (&nettle_shake256, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("CD85DEB9DA581AF66C0B3125B697371F16EE34606A577AD6D8A" "C7E4E4A948B36C844EC9EA85EB168D7A5A1EB4B72A685AEB80A" "75075B420C9B53B963D960F7BC88DCED631C734114C28B2E20F" "0657D9256AB01B1AFEDDA9B9F85FD30D0DE3B98DB38AB90DE60" "045836CFB12C41E5BDAE57B937B637C11ED47F7DE242EB9F72D" "3253C5D883B22333F181FFAD60A541DA08601791FC0F8D9F44A" "94B551B1A879B76FC2B7931A2F4301D121A4E6861F5C84FFCB0" "139FC37268B5F8A4C3FD490809CF44F68BC1E665B369D4D74DD" "0BDEA71ED0514C37A47124CE146927274D95067C80036ED9F1A" "5B0A10AE71E837A09DBE4DC358DF4687392D99B2ACE8BEADA96" "56677518B1607C8E13B7F45100BFCEFA1D4E38B9BB29EB23D17" "B9CC66F70635A6C531BE9CB890AE833CD7CE35498CC9F81C576" "493913BAD87532B711F3F88873E9ED48A83B6B2C503E096A33F" "824FEB4CCC702E82CEF00FBD938FF9BEF6E3F80E149EB343381" "6A1D3FE7F005734192CCB5A8B0D7D43327B535547A9CC7F5FA2" "86F9EAC26E9E6A1CFB86DB35831F75A9902A3E78F6BF9B47288" "36C81B3C614923C3EA88D6C5F55449A83EBA0F5FF7B4F070842" "06D4590BF817C1FEB43595462037AFB6969A91EEB963BD244AD" "B1B654FC98A0B0BE99029B3D5BDD69D2158939D677B054CE55D" "ECF0F332851E0A74EAF2BF3EB672D4CB1F467D0E5391F98501F" "EC2E")); test_hash (&nettle_shake256, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("A90053A8F738A68C18CB87FBAA8370BD14270412D0014C5DE80" "08FBB74E619182A0442C121F7E2449A5B019DC0CE597BF1D7D3" "E64D1184946D45208A864723A73CC1E242F7187811C522F880A" "CF53056D835BD150FCB7DB61363D22074349FF54A3E5FF25712" "72910A7333959D8CC29F69B540E5ECCA50DF7799236338E2925" "5656930E22679A3A585E32B88C27452BE75BDE73789B45623E6" "95FB7408DC51891D50A3BF84C5088C5F6FBB1B740DEB7FE38BC" "A05F1A3BBB516E9AFED0A41F8FCE94411CB84D8BFD51EF91718" "4A66C56B31A190AE02B86F62CDA2FD7471EC030E94EDB56C144" "025A1BA9B792A515DBBF402D33BB6451825E52A87B7B82C44CE" "E32669F96F3D8DAAC5923127B51AB5C5ED43E5A9344B32C5A37" "05345EE98CCC5259C9D3342CC10D660274DD628F1C2C031FE9E" "D282500D5C3982C7976620FB46190C57856E519C6FC1760A306" "C3497F2E001C7113248F53EA1A4BF9DB370285EE441E4B43459" "B6F8690CF10BC1785138F8855DF859BCF1AA581DB4A6EFB576D" "938FC273E7D126CAAB7FBCBAD62DBED1FE2C33F24640AFA899D" "EF2825AC2C0FE928DF223B1043117C061F1C7EEC723C5CBFA83" "14E1B18EA6CB63C02B9D6FA3B27929B4D42F1D785813FEFE124" "9F65B725D4DE59AE071A4F6A40AAA26935F4DEFDFA3760C98CB" "E805A50DEBB3011E006015FBE8400CFB1B6B3D2162014D675DF" "4246")); test_hash (&nettle_shake256, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("27BF218A01125514BB1B78E582AAD16720267373BB27FF96A59" "4B7F10CC1D0A393FA753F50437C89301542D27C12C03F53FF77" "1CD0DF4B38F40B607B67CF419020D34C18F5BD3BD424D39F47D" "118C84A53A635E17365F84FA0340BE3212056C155FD227D3B52" "F9BE75538FC23287B5DEEC0E5737C8484ABBA0BE6CC43D956F1" "7A41CF81DCE5E78326633CF09326E0004B172763089A593DFBB" "C1A0960A16F207F464F9EA2AFFE732208E970E00AA0BF122863" "4E98031155B61F6EE509648D4B0BF58FC9CDDD0B470B95A0AED" "8A3A96DEB2F7FCF65CE08A826300D4E48A681019C5A8EED66E7" "FD5FF098308138B4E11886528AA9ED32617392B0F6E133A9968" "3DADDAC328838008BEFE9DC680720BF4231E88848660C8EF4A2" "973046D8E70D8EE8D8497AED8A748B3185A77B238B5650C9909" "5D8702209C0C31FE1770042FE3BDC2582F5FB841EB5A234CB4C" "9B637FB4C5DD9F90225DB4C62DA420F3D1895FB2EB05E3A3D67" "67F73FDBC8B94D48A555CE4CDE5045BF5325B782E0C242FB3CD" "27D963A9EF014DDBA4B0608F2627FCABB2EDF570A49AD5377B1" "BC7193D9CCCC23F5D35C2DB59D05DF8D4A8E5146298B6EBE1DE" "25BA1089DC746EFEF6BCE22B43FB99EEABDDAA76566452F544E" "AA85CE4559BA683A122CE76927242050FB236BDA091480AB1B9" "ADCA148B639F986A3E936BBA565B54F727A0D45F369DF25B9AE" "8528")); test_hash (&nettle_shake256, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("2FCE215362A523D7B76FB836EB458667099C58BC51D7EE6F6DE" "B9894B6A337576B0DAF9A806488C3D238762B7A2E7B12AACD1D" "696517EED142AA5DC5A0747F08E5E39A2486D75F497CBD6C489" "9D6F5BF2AAAC9189A6ABC6E787B0D9C5283C840E518C6AB0393" "CF60337369251DF935A02DE0463DBFA4DCDC1DE9034FC9C21FF" "B9DBD7C48384DFF31012BD5F5A9CDFDB7139C3C35F560913D64" "3DDB728910413F1267BF1BF1586C5EE69DAD26B53154934762D" "4C80C34D511BDD8A391F83D224F9F8F83B61DAA046C542BC78F" "153A3AED27E1268058F6952258D274F11C8D9634A5BDD4E69C6" "0DCF1F89DF2238EADFE783CBA652A554186D9E8307C7773722D" "1049C3815526F583612BBD8F6C587D058B80FBD38113957E602" "12777A9F67B612312583FEFB67533C065286CF371001440B1A7" "A43DE2405E5E92D633F12A63EE2EBC408164545DF22803FF239" "DEE66EAA20780D103D940880E8BF68B9D815EFCF16F59E0D858" "AF33FE4D287A2B8E61C6EBF26E16E354B3EF63774EE01A14691" "B149D81F010A655F308E966C990E1BEFCB6E4253FF43BF473AF" "A78AA88C36EBBE735B6B2F92BA9D07A738E000C9B42BF8A3A4D" "8FB6C38AA36B3329F909676183FBB520196D0DEDC80DC6BA0DB" "4D72AC6544551CC38B23AFE000A91F10A89956D2120494543E3" "FF5D7D1B2791207860A0B921DEBBAE769E55713A1D611F6B117" "5BD0")); test_hash (&nettle_shake256, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("992E831E9BF5FD994A73F17699CA0ACAEF65E8212E5C4A49556" "9654B5DB523BB04431B7910A343FF254F4432485B4A6A88701A" "FA889B11C45C53B4A1C4A1872FC685D644DEB5DE2340511F29D" "062F6CF0F39803BC333044CDE83103155A49F77FF8946A77FB0" "92D1CF1715F02297ED4F6B0A43254863641C4C244DB87FE486A" "3EB78DD3B57CCE06722CCBBF53ECCC862A8256625AB03563FE4" "730F74C8F78037BDE37D538DA822AE9141B8098A8B57D74FCEA" "A072746DBED8C4B23F91B3DE8B9B733D06CCFA2FC18747590C9" "AC01A9FA675D8CB51505098F8993C494592C2561F8F2FEE3B26" "7D8FB77A1AB853432850F90B8C52D08E23A19226A61E0589842" "ECEB48059F8F1B749D563E2C652B70C426B91B8B0E19EF2B319" "F2D7DFC25F0D712A76CA9332F92BB38CF89DED9802BB7AD5654" "B2357325CB1CF6F1C9FB364EF41EE8B0A8BAF5FF9E8878E56BA" "4BEEAE384BDF029E4911DF8E84F5B570704D53B67D6BB1AEF37" "976B38F405D9AEA67C6A6D77370E37BD78034645A9B64056723" "66DC061BF384EB0E9E73466FF5D018C9BA52DD262DC97970CB4" "B8AB467847C23DA0FB101F5A7B9EBA51ACE6C0119ED03C7A14A" "FCA676BED44922EDCBACBC79B6DB231C60DCD4ABBBFA0C13C0A" "B3D680AECA78EB9BF0F71CE6886AFF6C309594A9DF2D01692C5" "6265A6E9256C366C4C53B6C0FC38B6EF18ED8C571D94EE27E85" "0D4C")); test_hash (&nettle_shake256, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("47CB72FC64AEB3F76085626534EA346A2B4797B5D61839BD7A1" "5DF05D5E3552C2751C697BC2C532E2B3A8934B9ACD898567145" "0DB65D6F44D9B6E27972FBE050E6A76537EED3E9FB15849ED61" "C3B2F6E30A8523DF8E95BFAE3A93BB306343212F1C288113594" "42759C85C3E6829A179C03F86A442DBABF49940297DE3F29CA9" "F6EE25EEF49B9C7B37DC4499A9D16D3B32DA2AB391AC1E6BA6F" "3967532FA18E50B1E52D6D3EB2447EE20CE459ED970D71E33D8" "0A20E933F09E494A753D15590A29B15733FBC93217B47B36851" "00AA31D5029DB16FD7E293C51C55E54E15457F99009590EF8C7" "B7BE110453B73B4652B2F9C048BD7F2EA2590D33ECC5508BD62" "BE3A0918C174D99C5939FEE9C48592CFC220F59F28F57777DDD" "43AAACBD23A61A8473D4CCF01389E982877282E8694F03683EB" "B44406C798104B9F3223B0DF50EC964665492EEE586CBDED57A" "75F17762A2903604F8120FD1D981AFED7D6AEA59FE70DDCE738" "A41F53F611B927EC3DD3AB7E89A0B0B3943EAA2A74FA2C02098" "4DCEB577F6B3E7AE98CBB81F3CD9780E52D44BDEFFAF466FDAC" "7A4429BC89295204B0FBB9C8A22A5F202E8536542C244CBF300" "0C0CC1CBB0C4E18A29CC92697B0E58AB1AE77AE10B1D3EC92EB" "697364CA69279C4EEEF39D27C06E63DAC76028DF7A5A974F8C9" "7AF5C7AA31B5BB5F1F4DB2E63B3D4C9F6849129084C77ADE975" "62B6")); test_hash (&nettle_shake256, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("458FF16E716EE4C47F3B60B3E473D91157767621E9E3A200EA0" "BA18B511B00C9BA311C7D542289D03F07ADFA6110675DCB43D5" "D8EC69C0EEF6AAF4664F917E01FF8DC5F203E89540EB96640FF" "807ED60D761C4D3D92F55604EFA648C5CABA130731FC2BB5351" "46EF6EA4FF3A7CF388647EC25C3879671874BA259C6ABB31B4A" "8090BEA5AA7D6B05F5647CAEADA7BA35B45FEEEE744BC0E76D8" "EA6B84CC4103D358192BACB126800CB5A6E114709E7DA7766B7" "61B6FD0A83203B82B74E87D426E71AC1AFAE590F4F06008537E" "79E2025007CF2F5ECD0BC1A0E14C5CB8384B9DAEC501CD985C9" "858212CE2B9AB2422F6F7EE0E081FDA987AA90A6D51DDC1173C" "CBEE0592E970CD3DDA52431C57FA323758AC0A4E47D049EF3C5" "1211A4F9312614312B6DC119336D7BEBBF325C2C4D24727E290" "9058543BE4065C58F4E9E3F3F0ED88B8C392CBF610680123210" "D5214650EF8DE411B7F6EBBCF2DD95F7FEACD074A29516E42EF" "BE37C239E9AAAE6E0E1E1C61B418BFF50F0D7D56347579A75AC" "A891D51CB5299987734EE208F0D85512C846AED6DB2A2F453B1" "10FE2475852C92FF1BB3439D9D6F3EB76B49E239F72883D067B" "F9D1BFFBB1B668D677F940940B9D042C06EDFA9256B6AFAA37F" "918A99309E4E40CD3D374DB5A37BB43DA60682FFD1D01CD1EBF" "9E90971FE16176DFFDA5867150FB83F271E4402ED52C1DF78F2" "BF52")); test_hash (&nettle_shake256, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("021F06C7138F663522BCD444E597C2B78F4C8369C88747A1550" "80005E09A68C6A73C4F8D1C7C088D3CDA2B48F310D5371F336B" "C261697542028D48FF92523DD78C100CD858FC5FD1F49181424" "47E11281881D9C22680800DAC76D690444458D53E35D263B2E0" "81F470C9E8577565EF7F8C530F78AEF2039A0B253A28E29E6C3" "0FD26FFF9677E65121B5175822D0942D0DBBA9F764514FB9363" "69F74324E8F950BFCC192A30921F04552245EE79CBFA319063E" "4DEC133E10EC6B02002FA61EBC288B8404DE81D9A513FA7FE6D" "B2C61BC4ADA6DFDDB4B49B5CAEE1D7CCF5BA6F40A39AF92EA26" "222850D4F4FA9079F79365806440B89663C705A247629C8E28E" "77FD17D39ACB37BDA2DEF7847C12D7F180A67BC788795D6AE91" "87E6AEDF164E282C1E76322A8F38856C6D95460977FE8F6A760" "F49111400467E7E0EAA5AD7E9C5F9A17B462CC8B45F308CBA67" "71CAB434F407CA6CCA371A6C7313CAC055A13D5C79195DBD949" "A4FC9C176C26E6D5ECF343B199E478A25DDA55FEC4FD416E270" "8AF001BB8AC3773E7824BBAC1C0656953984B1109F1F95DB0AA" "DE0CB53BE77E88CA83A86563E1E87011E718FB3616BA3E54A2B" "F9DFF761A42EE1E809DD1A431C7A832442461DA90E7AD5FCD58" "1827BFB2C8FDB0A046F09D30773FBC1481DA0FBB92A6AFD073B" "A96811ACDEEEDAADAFCE7C70E4CE75421C85E9C1AFB270D120E" "186A")); test_hash (&nettle_shake256, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("DBC0350CCAAEE7F6E18576E435CAFC7CC65EBC81B27DA2F18A8" "88ADEE19418BF6F4D1B3088E5824BF663028A690354F4A953AE" "73CDCE6B095A835CD45ED5752D72E699ACF031529D73348218E" "AB5DD6F98D675E33880F6E79D0FB3A78E843F26E018F543872A" "313560F8024A6756013DB3AB13FB23661D33EF9520EA60A0467" "5454B5F3069230447000ED2A879A1B342F560A8AD2F37AFAA80" "668E90001D315BA266D03152E714434FB0F52E287A235EF5DC4" "252AABC8722B6920A069C98F69C64BFC31B1E13D01DD0052440" "1D4F8494111137EE283EFE82C2215FEA54304C3297E6A1A88E4" "6F000084AD090551A994308165AA2D0D96585DD4C826554CE80" "D3C00344140D4387322650F857350812C6C4E660D2E3EE5DEC7" "3D27A6455D6170569FB0F56313A561BC6FD1BB6FC11BC6A830F" "32847050EAC3451E153C00BDAB83D8CEF319894DB18DD80F111" "2E560E2353DE9C2DB6BFD428327AABA644C218FABF3D75CC42B" "3773DB2113D037588AF31F1B1F21D076F285F1F5CAFE5312E7C" "2FCA07AF2E6FE3651AEFA91BEA2740AFD1C2AC77EF03BBCCEA3" "6940AA9A7D733289F9575E9E14617AAE7402DD7847114C75EB4" "432FFC2D3D0BD56117F9286609DC91E9CA63E1E064F09F2653B" "A905CB12C8AB6D7772203B0AFE6332C4E9F73BA4B652FF16E97" "59FB70AD5F548540C7ECF6C6DD7D17C5D2A9B45C548B7EC8819" "E8A5")); test_hash (&nettle_shake256, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("7AC057C0DDA89D3A001AB997F2E405B4C1D1906191C3A50399A" "9A49B2E01CB2C3D20DB6618A7AEC42F8143C580505145E60D6E" "1D4559FE3F46F5AA1373502EB0661A608C31839BC4D7FA44AD6" "586FBB53FBAD598C05B9443D6CAD708C8664079FB276947C4EF" "022C1BC7267B41C1764B249C8E7B347BF006DF1498E31CC9EF2" "558F96F7F7AE323D6A633E1BF23312C1E9E2146676730954648" "727B61A5DB507F1959250D49A52F9804668AB3A56ECB6C49EA7" "819D093E85A0A1335CCD4F54360466F7C37DF0F65CE52F7B396" "B49D39A3AAAA0FE33F053EA711351BFEC78A1E05F55954D7056" "B7380430B45275E2CF57AC13F7FE332B760D8BD793CE4F88613" "0C3E4581A5995F865DF2C68CB2FC01B558997A54AB8A684F5BD" "67855972CB3BD54A9620F71CFD3C9F0FF260B80CB14CFE4FA9D" "61583CFABB12BE42C4C64C85D1F26D3B0645AC60065F9E85C70" "883BE7F06B9376737F83313DEBECAAC3F1146B050F8B360A614" "B6C72EC91A3E44B196713F5754F1249F6DCEEBAEA8049FF32F3" "08513F9C0C2353C9814C0E67CAD64A1F332624490A39DF8F9BC" "FA61C315CF2563031429567334038F1D086BE0B9A4BADCD9C4A" "0840348BD476C00A7CDFD8862E80EB9A833BD2BB56D88CB55D3" "D064326B8FA084F92F3DC2D8CDFBA3E3A0E3EB9E44B1EFE0563" "BC7A75F9A736A87A89A15A6812110FE92ABF5B8F77EA88C2207" "517F")); test_hash (&nettle_shake256, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("F0C453711D0CE1B3A120BFAF25570E3E949207F575782FFBEB8" "A6600D7CAA9938D28EC6872D1FC914BF8BB02331C40728D3BE5" "31197694CE644DDD148D0EF54C077D56B6506A4A941B087A61D" "3D57B8AE53824DA8D8CF069D1CF5DF46E309108D74F318D38FE" "1968F1550AD7921D976ED5ABC60953E4FD073A3AE7FA378A105" "E0FC3BCCB3CE3469A536EFA3F9E5C8590F19EC7E8708AF92A9C" "A35CAEC1743F2284DA30E613AFB371507EC61C5574771BD7436" "583415D8E4406EF39150E50CBE233A781E8867639DD491B1F53" "217FDE1FC5B93671C1B6931E07966DE705D162F14EF3C95E67C" "40AB1C0841380F9A9165C5222477FEB97E9A3C88104D7CEE9B3" "EC6876A0ECF0198D258B9E308083B826F32FEE17E2A59FC2004" "6CA815FE0955CA88A81FB56A7C90BC922136AB0B3F3E034B626" "34FC830837F2DFD86798A11B335D5FBA27398E5023CDE6F1340" "241509E92C6A4B298B3BD330ECB2012B8F95DEDF67B68D5309F" "A1AC9DB856561D6E81666A49AADE4DE719E1A4B519AECE0BD49" "41A36492E0B79CB7EFEFADF4EDC6A344C4B0640A17F0E7F70E9" "0E77DDE40A82457DCD58658316B4B9378BF058B05AE39D0C750" "692B92BB2D16B5F43200DEF81CCC61B2A26CCE991BF939534D6" "1592328BFBA68AA8C9F51F3A04466759D7D1B966789FCBA85EE" "120C66A8F3C308E6A1533220E4A38C21DDAA4B2FC51FB49F59C" "84B3")); test_hash (&nettle_shake256, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("23F75EDBCD5D5F329F01E45502B66995CFB9A5F0748E9E1BCB3" "44B639873BBA79D21EF36B8CC1BD8A2357D8DFBF3C32BA6C0C2" "E8936FB968389D8D1388C20B9F572BF9CEF93891C643D672C86" "55BD67ECC3D0EC9452C6D1A0789AD3C734B926188E4A1B3D684" "F14C0A5D9E72CD2A10C5CFA8BEDC0BA5F3AC6B5150A256F2B94" "5586981F8092E0827294FB846986D3885F38BC6F945B900EBB5" "46094E29FACDEAB1BDC1D7FE1C6C83E562D09E08319E2BCA1F3" "EBD4A82B9ECBD8E6B38906D861E2E0704EE4F55DED4E7A74F18" "8210EE439183E80DFA8795A1F75F0EFD49A4FCEFEB97F187360" "69BCA02273FF542ADBB6EEC13128F1D74C87D6C6B45726F62EA" "57ED49321BE6FA516B1AA2349B3C85A5F971C4E15715BADEAFD" "2E8A217D1188129CF49A54FD85803EBB361D73F0D8D0A7D557D" "0E17C8D83C27DDCE473908A1CF9ECF0F8085E77FDA3DC89C826" "09A647E25FFA8D2FC86194B2A793C7B32B4C893115EAB9A7040" "85047F9225A29236C6188F017AD4972661C796A3258ED494935" "33BEF9A59A27DCBCF614AEAAF20BEF156AD261BFA23FBEE2D84" "D76AF0E721739AF02DF710D020CB80E895BF20685D3AE61DECA" "82D34206351870AABBCE23CDA3567DC1AFFEF9319BB1A212D52" "BAAD92D069A332BD020420FD34E6FB6F97102C9AF3C877ABD9A" "790BDAB7E7940B1CC01702D2E4CEEA1A3A2F20E3B4027BDDC6E" "2FE0")); test_hash (&nettle_shake256, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("0AF273F2384078BF8BECF3731049A763753EDB89CA1AE2BA03B" "82EF5DDE8C5E23E692982C524035D406DBAD8FB897AF5D7DB96" "1652A0D6F5C18D71EF1F1A541D0A29085AAA1D26D2C4366DA7E" "41781C34FA40A3FC7E9132C3F0CFFFF267E2BC771DD29266E2C" "649A94F3F15FBC71A561968E0A755D4D0AC7540B9E674539AA4" "D15D2FE81AE969EE492CE89104F994C6201EAB2F6A726D9AB88" "479E324789BFD003EABC2944C43BC061C1E24B7DDFE1C980F65" "DD598C33942482475F4D717DEAE78BA3D8A7A887120D9A814D5" "81BE9D593422AB033A1776C3C7A6DA30D4D83E8E120AC733303" "C401B68D1CA76B2A20AF4FF0FE49780E25B43850D495BA91AA7" "27DBE6E28B677C8C7DDABFEBCFAAF67B8ECD8BE1B459BDD68B4" "29E7B25B6B0A02DD2BF0ACEFC5CBCFE5CD07C814E3266027EAE" "612C39077C810E766A872A79D68BC8FE8EDFA04CE2C80325C2F" "EB03B5C838425860B24A6BB2D91BFA5F67102A3F6ACD3DD6C93" "37BDE3E94699F3B3431D8293F793886238228BDDF4B38F229FE" "244ABE471B16A1BCC73BB7BAE6A93788DE0D349CB75729D422A" "FB32CAECCEFFC42B7BD0694B154286F4CDA4517534D0C2FA7B9" "8E72AEF0E2B8D8E0BB6A5FA82EB802C27511256C1352B20D2E5" "9D0D3D63FF5EC33670FA27CA69D2F586826D3A1EA098CD9CCA9" "231E74B91E999EFDA12F63FA8076A44894B40840FDBC4D25DFE" "1CF7")); test_hash (&nettle_shake256, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("7FC1F7FC27223766C8F4310087A3C54A5A8AA061EB20D367194" "243BB62C7D90099684BBF368CB6BB71802C62C9F3258992C0C9" "79557622A5FB15CA0E50A26891E73790EA3DF4859829B4F683C" "7F5C2DB0FE08ECF76B9D4E897AB80530D9F1D1242B42170C198" "C7852566DFADAC5740D61A52C4882F46E29AFE2C7335C5A1157" "E5B93610D0A8E4529D8473330547EFE22DD9757503C7A67ADA4" "E9B2CEAB8AC5B383F2D6170D6D6A17C03EA9F9B9399FD6C1CBA" "624E7911DEE9892B31D463B3A44946FBF246D773629EA484CD2" "0B03D8AC428BC8AE87CC8182D96F8D220A7312DDBF191F45849" "3769691E7585CCD740C30FE7D63101023867C9A3F02D999BC0A" "D653B71DC9A611BE56A44D4DF2DBDE402A0B7B6D7644B5754D5" "0DC81F59FB17F7C38E62427A844DB406846BC74DAE737E24FF8" "06505C5C4351A54AA920CAD01DDD8A5960AE143F476608A6DB6" "168FD5D72453EA010B1139417277E6C5116D1D32008A40CB300" "6FB65EE9D4F5F9AAB1648B3990F5B9DD338836460075B8BC504" "B4DD2FC04EC57DBC63D32CA39C07EC7C2348A459FDE1533B30F" "496F84502367BE809D0AB0C6E86474EB2D7A3A4CE29CC8D0ECF" "B87B4662FDD789A99034A64C5B40F763D098888FB32346EB644" "C28FD6BD6BB62E0D5AADAFFEF0BF0BDB801A809F76D79B84606" "183067B5056528CFFF3ABA4F0EC0DC926FFCFC2377035C8B5F1" "0D57")); test_hash (&nettle_shake256, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("1BDC443B8F1E6A47C575A1158C00EC9E69048BE22AC067CDC12" "33171A69E773B6319B0BFE0281F0CABB4DA1F75C583320A96A6" "2FE8DDF10D0C3F7871023562177E827FE0B58A02D38C5A4903B" "7CD8B0CA80012238372DC5DDA701A4287D071FA2B29771F7054" "8CE43ACB0F2E5A49313FC76EBAFE8B75E121F0294E417323EC9" "BCA9FAFFA81FED2AA775AA2D2C641D7BE624EA861BD5C24CCFD" "AC1FFDFAC4627C3985A41EE5EB57E229E1A1B9312C6FDA42916" "05D26BA4401EF106DFB5BEFA7DEB27500F11A09617E8CFFBD39" "AE95D9EEE736EBA41AE469988947A863FF6BFEEA212EEA29297" "025F96453DC3AD935E75F12C5A7F0E6C12213BD7BE910D70EB9" "78624843CA772959B5918E29AA377A7B4413946A97E546A9A05" "BF107C881C9499B9E907A667CCD1B3C64D674E3A5796EC33F6D" "6E4A2AE7D114D744BEE7729773A627C063133AEEEC4757F999E" "A7F01298A783C32934D29FEE45E2048322AA3FBAF20F9D70C1D" "8A0183A630E3E73CB2EB1C934DB4DC9101C949C46C1954D95A1" "7B7D362B87FC51BE9FE98FB76B19B7FE9D1D76104D3D49FA7F1" "CAFC252F2E4FF32C3CA43A23947EEDD4B88EA640E58DE625CB0" "A9E11212EC1FBB24BCCB39B06AC90973BBDD279578666E4D169" "290B0321C5B2197B6A5759FCCFD8CFA820ABA055F81F1030840" "F3BEF889E8ECFF87D0EE1C53DB99F67827710DD0CF59346F2CD" "53DB")); test_hash (&nettle_shake256, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("78FA82E4172CD8CF41CAD3D431E39EA0C6A88544402B5CAD9FF" "3D8CD6DC8890260D989AEE087DAB49C092A94975EE3D5B8706D" "0F1F522E5AC350306B01B4B19A81377667B20C201241315C3C0" "5A9F7484EBB70E79588EEAD5D9BEBE5ACC3E226B807B46192D6" "4A2CB886E4B811817CF7F219934C57D5DC2D00E3EE234B579B6" "B6E2D5346D3876CDB3752624E65434E88D55E1284297CAE6249" "95B1B37671B89C57E876FB361ED8AC6345693D82BDEBE00AC37" "DE6617239205AEF566C1619F406F4CB1C9777AF2C07F693E35E" "4289ACBD91C59F067C502446F21CA1602D10CB1D78D18DCB043" "C4B4E06972178BAB4C90062342FF3646CEC8120A5CD14E19715" "F66EC6F619DA0EDBF1C9D9BADA80F0BB210F09476085CDF3832" "06FCDEB987623CD69D591F301D8DB94018EA3F90B8F067C3E14" "7771F148A60B440CA6BE7A1943F544375D50D45DB2BAF339441" "90F19446F7A1F04F7E45D59B9548E01EAF6E4D6D525B37A6576" "9D280DB6DB391F27A9D84E4D97C7CE0AFCA3BCCA7A97636FF37" "56C6CBA855DD5C625574277ECA6A2195027705827C0E4FF945A" "A57E25EFBB65F5128D312145C5A8DA0A4D46D805C3F6ACFFB15" "1B0484EF811770BDD87935CDDE0444276CC8B64E84B877A31D8" "17E95963F3621AFE6FCE57D94D50771F91CD0AB1BC61DD97BCF" "03EBCBC2C2EC687B705A2BCC5D0DEB20CBE6459644D14633C65" "B256")); test_hash (&nettle_shake256, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("414EADC6832F91A04B7700E668AA487E63DB05151E29EF1718C" "7D9F4C6EDD1C88B05910F23D8A854B94C7156C421126272EDB7" "3A6E158350EC7A39980DA19316346D1F330C3FB987D7B4C46B6" "469B7A59EB6B1649BBB7BC0E074C00A152517624F22A4A58800" "447E7505D55F687F08FB939D1AA6DF8E73BAC6CE88467B30976" "150636146526031BAC9F6667AA71516F9C5F70E502D7D18868F" "6DD359D8D026A040AF3CAB533EA5A95DD7CB2006552796C5E1E" "B2C3B46DBD9F2481F1B428CFDD1287299E7C7129B377E3954AE" "0EE96F955B7F0354610B84652705A0594C045C3CDBD1B564BEC" "43FDB5928B905023B1BA41B448E39E649C0B65CABE745C1DABE" "9352D05F165BBED160DC2C52794C5D0F07D1E18F47CB94F2F97" "190944BE08C4BAE53755B30D062B3D697575AD56FD4C75ED40C" "F7C239941F7B052500EE5CA7CEDAA9190988F47A21216E907A6" "3C795D2292CE926D541F331CBFFA9F16516D54999DFC9911310" "CF564D8F1F00B92BD9FAC0AAC99A951EAE3175AD20558E8B934" "E05FF58351056466A61EC5CF4F11A01E3FE0CD6EA280E278388" "99BCAF7FBD8CD4308098E2EE71A4E9EC258D03118F0BC4619C6" "6E52F35F1AAD2378D82BDA8ADB750313705D41263CF2FDEBA1A" "D5E025FC76DC620CDC3B684ECDE0283F9A7D69A8463B58F4AC7" "F5B1E2F3F580CA7F4188F32706D722BE4543E8E0942B3169603" "49B3")); test_hash (&nettle_shake256, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("0CF9AA0F0478443DF90BEDFC2457009F3E58B06EFB22D1F282D" "A4A2320623A250D584F27E2D45F708DA667A9BCC26E35C19C55" "B16A993AE9D98948FF2366D8A0AA06915EE5712D137D46D48C5" "36DB9A25BDF88F99A941683E342B5541AE481B1BA6A889B7ACB" "E9A6593C53349C1B7D6FC8FC66627A2FAF7811C0F0A49D90424" "6B95E9B668E8BB25D521F0905841B7B2AC64B2E359FB48FF29D" "7A314B1D2E7E01B0D210986664C249DC711346449FC77BAEE4D" "F54344CC18A816AD9C980BD0D9D01C4AD4EF0C702CFD8780510" "3910E81CD3F6CF4D13D1398E755E5470E23ACCA6B510CA59FFA" "0B523A9D7FF7A5D85FBAEB3E5A9C11D947AC5FDAC04B0B77E4A" "E7943F696849DF0FF931E2300CB099F0DEF86D835A8AF4B53FC" "6C3D38BA33158A1F95690E8C5560C060B0E48783AF1E2001BB0" "4CB4399CD27280715AA0EDA7AE754B8A13F84916B003F87DCEE" "BAB5938FC4342167EFAA2A889C48CF92F6892BD9BA41B61CD1B" "3BF94D612C2ED603687DE8644613605FE9F066E4FCD8FF75DA8" "FBC9C63C37D1828C173BC4AC668AACD20AB1E3F449A7BC4F4EF" "0A6AB8D5B0A70CC2D706B6C6821771DEAD7CB29F2332F4292DF" "7E397BDEE393D57B06A1AAD3DA51CB8F1D11E43D2FDBE72F69F" "951D0FD9217F4462CBE5C701FFF1025515829CEBBAED488FC26" "798BEE9AD6CE88F33029061A588E177BC1CBB24EB393481F3B6" "1616")); test_hash (&nettle_shake256, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("2B8F5423A417D9B827D98AC1D21EB7C1CDF4348F28FF08B6F06" "389E4CC2311C5721509A5888DF03F7F4B94D42CB66F3B885EA8" "B130934A1025220769D1C352F72D378F3A63CEA1E762ACEA574" "66C3AF188772872C16D889F06BF0AA321170FC1AA842B413BFF" "9FA32FC1E060F868A370434C99FE586E8DF4C6DF1D167912F35" "E7BB983D668225DFE5A00241A1050702A5CEF8CB5EC957B779D" "6CA1C9F6858ACEB4E927E104A1DC59C5E90B31F4A6E27623B46" "D40D472D6D4B6EA6CE8BA4721A5A765DE104C4ED808B4EBD73D" "60A56363727CE0273710E63FB8A2D565C49823823F7B001E44C" "8571B885AAC4E14F8651CC95C11EDB3599BD85989C931F866B7" "C63F80EFF135DB2FE1B17D5DFF147959606FACA0FE22E5BFC88" "D43F6057DB91EB0AD0C5491B66B2EC9B20EA01E215F40922F41" "ED4ED64616960272617F32D62F28897BA03C5A8657B1DD4ADBF" "0F8E53492998922A47BB2D7897502F8687C465C8A7615089062" "108D70164677E11E1F63917A4F230E8C577346F880B7B8ECD06" "40D10622131731CF447662AFEBBB230C902B28D8445C5F3EA03" "1AE7AF04F5B22D3AE7CE58C6CB4EC4158DCA5266AF0C50F609B" "12C5F4527F836F8804777BD6C80F5D7D9B0F317CB5A663D3B7F" "3225361EA81415CD5AF56BF24629D511A80ECD169AAF9558AF4" "87D46A569495A70C76CFE83462733BF58B2A7C78A7EA1FD0561" "1DDF")); test_hash (&nettle_shake256, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("C52001EE31F26ADB120EAD7699EE35AC178D71FB5B073129955" "2B57DF2A4F521A021CC56D54F2B43D18D7726FA977FEC221F68" "19B5B7F933BEE2EC643B67E16BCC26A7DC1BB1DA3B40F2FE026" "45CF5BDF3140E89ABACE926E710ABF0F07205291A336187AAEC" "AD9371DA35867EE8D8845E09FB47269ED94D04B47A3B6C460BF" "419F13AD2F65D63824805ED264AFFCA9E7EC9774C4E36695806" "86C0A02ECCD98277365940F4CBEA5DD5B0BC84F981C16FA6CF2" "D6F1A292EC956C7D0714C6895E96A7C884173E662CE5DB1018F" "B512CE773ED4752CFABF9045269922D11718C572A94ACCA1EDC" "04CE16D533B064B416684D921D46A8F2859E7D09660F620DAFC" "C232029A20886A552D29CCC30509A3941847244609911CA6C59" "6E2FD915FA8BE37D7EB41D403043683AE9C74DC7D6F4770086C" "F8C6E101E989FD6A5C60E34183C4EF08EA869FE2AF0FE5EF701" "A6A64EE0D0F813A14E574D504E219292C103469F9A11DE75083" "2C2BDE0261475856D5C9FB4727CA49EA81908A1F7FAA20248C7" "39179CC09D93E4901ED63F14A57B20EF9190176A27BC07F912C" "C62DD1328B032B893642118EF3426B1A8B95A0E36FCB8A77570" "25606E9E485B56E84D0E691234E072AD64FB8E836118634074F" "D8362405DBEC4D8AA12E9E84068EE3B29B7F573CE1B52649CA0" "DC1F758C1D4F5E2B72A861D6326F01084B6B49E478FB4CD8EE9" "2750")); test_hash (&nettle_shake256, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("386C3B1A524F2EC39C33FB31CDD3981FDD57F1E33D04FAC5482" "8C54F42EF763856B72202799D4CDF4AECF073B8B9EAC39F0F69" "54545BF60DD55CE2FAB4558DECD7E1A5A40B87A293D35394DA6" "4A4F606956213326FF4D8849A3F19781AFA9DBC0AD0E0BED551" "164275D4FC11638AF3ACF95C86994C27AB72F0E5EE366CA8EF3" "9C000661BDDF23551AA368F347B4526474496CE14C30503C251" "3501404987446A193DAE20C4B384D0D9926814BAAA863320946" "B9759C7BF1BC890F88826DA59E028F641CFDF7223DB20B34B63" "89B048CBB85C4A0E4E84DC5C5241D2DAEAA82E9092ED266971F" "D185D3B661971160C05C4B42BA8E1E8E31FE588C0BAA81A2BF2" "017B1E0B99BC360FAF13315CE88CE653C20BBCFAAA8ED013EB8" "9FA5DA39FC49D99E3C050E622122B7E393BD933B72C5392B165" "E60538BB6E29DE30A5947053D4A23038AAEFB13DB8BA4FB3B1A" "65B474D94E4CF985B2402BF22CA7FB723DCDD83BA875DF3C603" "50886CAB6A1BD02FAB32F1DCA0CCD879B351196E1F8BCC3531A" "C653604932B69E7365B8B61E557585B7A836379D0229844F6B5" "D2C4F31A6BA2CF4A2585B7153C6005D10526DBC144189B0747C" "BE58EDF2F4FFCA80FF99A4BD7C8CCE3BCAC36AA5D0D7DC2B231" "A5B888198AD71042CDA93C5AEF246CF3FBE7A663FE60BC04CEC" "70480CC2D83C847371FF5347A93D54059926B6B8F52CE6AFD2E" "5630")); test_hash (&nettle_shake256, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("6BB18C45BE71508441EE815061ED782F4BB5ACF5393BC9BB825" "FC79CAD025C6D970D615F4285185696CE226969D5E06E1643F8" "BA93F5617AFB096ABF46DE2EE7D32BBAA335628C41F1FF30841" "8556C51E6DA30639BA5DA36A14976DFDC013551F632133723AA" "9555B8B11BF0594457A6B288B01185927A48412019E58621806" "FAA968CA26366B884C428607D2D6FE9E8924E6D8D769A7D2DE9" "0195AB6DEE4896ABAC3119FD15EE61251FCAB1D3858527E2E6E" "1B8EC05BF8659EA345E519CADEDD779E40D2508BC6EAC6FB531" "DE15CF7F3478A4288DF556D4B6C9DDC5F1B6071FEDF3C4F9A96" "0B18F8301064B4F83620F2402614C600EA80FB2B24BB9B8B777" "BBA3010AC1FBE61AE18BFFF9502F66111B8CA1E0DF671C311A6" "F11697DD8C245C4B946B8DB03D6C07EF14C45CFFC328E6C1294" "8D4137D6803469E996C1D84C3C1DBB8CFCE592217155DC8F9E1" "E558CB58693620F57F5F81578F060B23A1A75ABE8010FC53852" "4DC1B5543D84F5F28CDE4AA509B8A034522F2F61F8E3A683EAD" "34ECE04EE84663475D65D6DB75CD6FBE011D6F1994D76BE3566" "04D93311CD0410D3B022FC328CC850D7BCC1BB96AE45E8B4C9E" "53904FD8BB8B0FA1D8AAB9BBEBBA0724DBA6A2C71F28AD705FB" "E6BFD958FE493AC47D70A1C4B3BD738C519558DF9F66130C688" "31A7D748B7B382023810865CD9989735E25186690FA187E8E24" "B77B")); test_hash (&nettle_shake256, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("51F3DE30531335B02C0A8CDA5285FBEF9AF618E433142E9E971" "3388602B0486A99707BE420AEAB53DCFACA68CC6CC6A3133075" "A518D2EB1C500F0AC2E0B8A91D3303594BB38FFC45B80AFB8E2" "5C4304A85280E6124891E739FC9DF8E34ABD9262DCB4330C2C0" "F22E78447B3FA67677ACC1F3D8E836EEA94AEA4D616132650C9" "288804C3CCA5F1C0139624E198643D52C42960052FBBCF89AF0" "0D58600A9597BD12A39A33AECEEB161EE527398BD915ABF6427" "46E4C965A77E916E700CA905CB70222A3A8B8C5DE3ACF75A9A0" "065681497F27AEE6B1F4402EA711CE6B24592BC637F83BAF912" "D3E10E0A7E03CE9314FB264E5FFDC3564307362837C28AFBE2C" "94BD89AD3CD4A48C1A2EC38090C38E6CB4174149CF0D5841049" "C1D7DDA1E51DF8F3216CAA119A9E3229CAA062039EB165F4D5D" "E68FCB76ED32F1E191166BE83CB6384FEC4528588D8A3188A9D" "A7BC1F5DE68C42D9E2934CC1010DC535EC87804810C009982BE" "6646B3C50DCAB7EAF4DC7786503F29EB3F1558A7341E49348F7" "3479A2D3EE6B8AC076BF5AD17375D81F9E4DBB365B2489F17C4" "0B9A4CC10F6DE034B4B81A3D4F81475BABB9581C4BFEE62C562" "6FC436983570D5C6144FDD5A55E1898919A8BE4CE3780FB2548" "32CCA90F988004D12039A947502216651775160D987DF82F432" "75FC7B8A308C63DB7C28959AD9D8E6D27A5A551E685B6639744" "65D9")); test_hash (&nettle_shake256, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("41143CE195B170FC23ED53D7AE8CA61F397CDBB72F261750A7B" "D26CFF56212AC7BB1B18D002493F418185ACC703DF4417F44B9" "3F4A7684D3D68F8F042A73C3841B6B5FA0079163D4881C39BCE" "CAA548A50237E3F8DF20F986552978ADA9C4EB2E57062DB8D91" "564BA4EB96503B932B5FBE3D88EFABF452A03EECE5B3E78492D" "C555ECC95714A1C5C1B201CB42E10852C9A5FE101ECD53FC6AC" "D7E1D0D6EFECF81BA76582E6E9CF80E70E52C0384EE05978A31" "234DDD1C2D501DEC0BF1F26706F1C6AF4A6DCFE1E7245D7BFBB" "96DA619EF27B4CD67527BD6B5117E4E55297B9474A5BCD251F0" "F17B10F196CFA95ED3CE61458ACC55CC2BA83904796AADD71E9" "78D4615E6588954F7D48B1BC705B497E073DFE2ABD5224792EC" "A6C09D611C311C544BB332B2C9D144D24950F3A27857B9F9AD1" "DB4DFB9AEF65BCE2C224EE9FE9785593CC9CC74D076BB5DC575" "B4EA65FA59A6DFCE634EF83072CBBABC5AAA53AEF5CB4D2C19A" "613D0054EDA3954BE7E649C2C38CFA9F7746941E2B77DEB63E6" "2A9FFEC59D15329CD7D02FCE7006406F3119CF579E1F6F0A1F4" "FC74C7031894D240B5BCC9A7306754AF9B43DF80005C7B62F88" "5574AE9C44B90D5CFB93990CAB41FC3E9962CD0F8047CA1AEB1" "399FAAFC6D6FCCF66B2F02CFB9532899CCE1AA8E822EE9498A6" "7C3972407DFE98969F9DF9CE328A4B9A1DAE1651BAFB32AE29B" "F666")); test_hash (&nettle_shake256, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("1B0D344DE5A414960E67D684D301901D8E89C25EBDF7494DB9A" "1FFED44E5D688207F4533CADD09FC8BD428FDC3592959E90956" "13BD808797BFEF5130FBFCC1FC72B58D93BC4A291284115D5EB" "47911FBC0A4AA5875AA2B6EE1E1BCB296507183AA5399AE8192" "EC6AE579D9AD172F72F5A1957BA10B0FA4E9666FEE9611B0487" "30275A0F4D6D48F98D860939936C9B41D1AF5D729B11C930853" "46D8769C141B81FED9F17FD85C0197380482483C5F45B3D8BEA" "2C2E90EEF2EB489B6986A891BC0F29EE7E2943355E4223C2414" "27C49D7A897C956323ED10B074132449FB6371A9BFFDAB8D113" "282016AF1F7E8E26807A0B0B4809BC035BAE86F476F7FFE002B" "BE7E30B4C06B00E712F1D54E954D59AF083DA123034E73B9854" "B45E9BC2EFBBB7282743DC5942BF372D94432379EBEA4A65699" "7088004A5C2AEFD6A4CE6FE94C2A06C8A0446495DF224269E31" "0F1DC184DD37ECE4EE46038369C031FF90AD3787331AB6BB1CB" "AAB7A0194FBA947FC6485B371A684E7E1CCF4E9F4D272158A36" "B559451E48095B3C09328DBB52C7659C7E163504587962D87A5" "E60BB3C4868CEBC204238FA08B97AF71DE9ABE7F409AD0D2945" "5E1CE59433685EFEAAECCBE01462B1760FE25BACE44CFA6E1B5" "C28DCA00790D96D2B6FAE377CE4BAC7CE64A97AF68EE913C331" "07E4A62EFD4CC752DADB23877B54795A43A7AF8593E085480F9" "B43C")); test_hash (&nettle_shake256, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("69271E30637CE53639A9A80582F8E9D91E0A19AF1C25A4E316A" "4ACBFC4534D7B6DB55BBDEA37F2526E5CA0407D0A39D06E2AFB" "6538C125B3390A860E033378440419FF91634BCA42EEC9AD80E" "55E65D43147358146038C9BAEBAB808C1A9B2D796BF22BAAA54" "D92298212E7101E56D1A0A229CBCF9E08791C6BD464EB997164" "502445C2993B1D2A6AC4242D1F4108C2AE4DBF48FC403FB8F35" "3C5CA3EDC09C5D4993048962D1DDB474928BFEE27DF6AF8BEAE" "B264EDD09DB4950AC5E12561751BD3ABC41C9A81F6C5C339AA9" "F7266CB4A28EE26F29571A7F4C9B350974BEB0AAAD642D9934E" "9EFF77ED136BF825A845041B9C01F0559BB1987FD6FC951322E" "4A4B4EE50C7A7CC43324391603D689BD19ADA54982E03A2BD12" "610A09BD076C0C3F6D6E0CA348110D8DC5DAA5C842198AC5EC9" "2A79099ADEA1FDA0DF0B35E8871373B312D61554391DBC9E1C5" "F9007C9D3799C24DC4A0894E175706DF7D04EB2D69D90BAB571" "17E04B681FB24945F3BA3DD7F1912171556464500D4FBB90840" "08A79EAC50D8BF59163AFBA8E0F1E5F82E15255398F62890C95" "21A0571813210FCCB582818A6D1747A31822DB55C4B6BF15A19" "076B7D6349873C88E86BD87D08E0058A212780C86915CA559E5" "81EC3DC7D5BFAB9C5403661F09484F908DFB2D98B65F8543FB3" "F102C2C5D0B89B15E565E9B04E07F7141E35102BDB056801100" "B160")); test_hash (&nettle_shake256, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("2730675F5F4DB76D342EAE88CF856B370982277E24A1F95E071" "EB0C28D6655D9517CBA67DDE32BA6A4A322D37AD4A4EEF90A60" "E2FE3A568417BE75432F57964BB1DD7A5A165C24F38F4085CC4" "551C35BD0E2663198DF04EE86803D75EE5ECBB14D7BA6166934" "32B0FFC83F27E82016D7E3436C2384D1A7AB87E4CE758A5A83A" "4FD63831D6F88E4E80D1CD257ED4B418FE1BB498004D1CE8CDA" "CEDE429A53F06EB77D0A6AB47BEEAEE12FEBEB07D434E26A719" "57E55F4F3284BA0F8157DE3F1C8E0E4874DB4E65E5243982BFD" "57A9E70D18BE390834A9C3791E6AB6341739A963A946E1DA81A" "4D9B3722BAC231191EAA013E424C2B965967AE986D50426D983" "0E92499E0808FD6EA92A8A1054F93A0F84C11BF417DE01A7B0B" "A5890172BCAABB3D2CC23853822960E666558B2B4695F38A22B" "576757C0A1A84437E7B627989A4053B14954ECA09DF2221D6C6" "E88654EEA2A741DF3BBD6EF2A8C463D797222E72DE8E44C8C6F" "2FEB44E3D2310ECBB139AAF3FE2C4B2BC9D7142C0291BF9FC97" "71178A484417202DC721876800E010E53F1972E3630B5DCE021" "6351E687552AF2FABA699A4E3E0C5385D80DC367FD0D07258DD" "59A6BA5D2E0FFAE60A5E0C48243794913CACDFC14D20001CD9A" "097A9CC57D313006E0B8945ADE9791812B63E98A291CB009E89" "9DFCC7BDF9F58F3866F6C33AE77718081A517720C34DAEEFA52" "7641")); test_hash (&nettle_shake256, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("DF6FD8F4E768031B0CE25C199F02EC29053EA8200B7EB306E80" "2C8DF23CB213CFA06C37630A3B14570968948C5269A67706225" "27C87D432098F0CBCCB733A5D28B035CADA562BD0FCC032D2F4" "5DB8D2C948FB341AC2B0C5C699C62BAB551553099E8A21518AF" "F800C8ED42B44DE7C30F29E691C1435CE72CB67060307D1B1C3" "8192FE198AD3D20E9E12A8C9529F8A134A0CCAC8DE552AF3FC0" "5D48FE2E3ED1DE5ADFA0B7C324320E262232A14D3A7163A0498" "0CFBF087BEC24E356DFD8AE4DE9B0620BFFD1FF904E58B39085" "22AC13D1D541F662D95008B1F8C52DA67829B7CD208BC9B8A3B" "6927E575BFBF7E29F1CAD832D9D01ED41E5512ACE419B92F71F" "A0CF5F79E33016D5E19EEFF561C94827584623118EA367D768B" "C24927C92FC19999FEFF28E3A09D2F266B28433CDCD51589571" "1FC081F8B1D143323B680E8B7469EB0FDD467143C292C8D822C" "C16111E9AB2A0C9EAD40B2867303686FF4B9BB4DEC4C8B552E3" "796CD91443AF8C4542897769EADEAEA39A366E91D65E92F06CD" "6554A1F6CA905996F5F62CFD559D1B300D912E6FF9166853488" "0E6A8C414FAD3C107A180BE3E0BBF4F33CDA343032D01C98C63" "20F6DE582DAB7B15FDD6E75AC3AC7FD079B191233D872AB351A" "E1A56F0A4CCA8D0215CA1FD5F9C45EE171F4BC72D18E78ED6D9" "D651E40AA77522F6E3451995FBC3207FC0F30D1B39EE836F937" "1A36")); test_hash (&nettle_shake256, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("3C891240ED9F62F45658B5C1D3E4D77975E45CFB10C45513927" "EA9D911B3E41414DC0EEA38C8A6868A9E0AF20F96BAC833C1DA" "F71D0BFEABF41B8C26C011495F8DEC94D72ACB5C5C9ABB1C372" "F8B779BE741C860E722A0F85CAAC3D21C6C9EBE61C6489FF558" "1ADF5650B6416E0E88A889CA60CC641052D601D491057BEF36B" "4DC3B5B76BAF0DE4E7248A40D9BE6D55A7E8C26663828D08495" "DB33F94ACC7E7E49A7A61F352816D8C4C0E23F36540418AE6DC" "009FAB33C945C6E48ED60BC466478788002220DA9A5560425A6" "162AA03AFD5700CEBFAE439D20A85F2CB826CC8814940F2CF25" "E34754D8DF03DE448FD1D1AB38BBC2B1577BB1BC39DA7B91B7E" "63F78C5F43A875C427BB110E0D5FF07E004AC9D810D333300A2" "778A06369B7CD684AC86AEBC97D7B9C09442C35E66925BB0E4C" "04C5B3D11267F0F3812A5BEE8E18653D98B6B586D5735D4D3C9" "2E3B76DB5BE509AB32060E954D97FC8B6A428509EA98E4F8210" "F42DB3229E07E1EEDA684B47911556A8C34FB0DCC0998A781FB" "CA574FA891C24B35251C9D0D8429763468CBF0214B2D1EC94AB" "3FAE82E57C748122531C615BDBD4CDA56ABF319D6EAFF738BDA" "7683BA4CDD78737941DCAC4FC45E379BD6512EAB6D14C4F3D57" "48A3CF45713792D314F81F1D1F5ACED67A0A9AA026433F32053" "0632E5F72122B63ACF01F2BCCDA9BD4FC579E6DDC1371DFCBF7" "347B")); test_hash (&nettle_shake256, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("201561B1D68F1AFB93098777B7D95E56B790194F45057B3B50F" "08EA89436E54BAC9A5E945BD1CBB51ACFBB0D61E539D1B3E896" "A1BC1426C1FA408B5D16D706457C35E3D67377AB2817127A852" "DA463FE06D2EFDD25016521F19B8D5E54014A54E297014230C8" "1C917A983FE4429B47F6A460FCC4AA5A4E1E322CF74A9DAFD30" "D313D2C0F9EBD1A8468A300F12E6CDC0E971BB7BFF172593C7D" "B286F467899B9A23ED3E222BD6124CB9C4FE2AFAC157CF81FF0" "98F021B95F1069D7609963621C368AFD3EEAF84A17F1469AEED" "DAEC2DB5BFFFBCC39A73AA2A62578775100A92AD74DDCE3A0DC" "B27A740A6E7C0F4C3E36E4AE55B04F04CB7D9527176BCD94DF3" "B884FD4CC2EAD608CAA016EDA2E2232D0AF888A3ADD12CDE0D8" "488650EC6047199842056744B77FA806BBBB96A47ED253192D4" "6B47D828EEDB9DC0CB38D576735E870826F829D76F58CA7F3A8" "0FCAEA1CAC1BC38A6339C307F23DC25E3231094211FC867B0F0" "BD9D1584FBFF5A52EC3B5624DC814208E484B5D069B78A577EC" "CC017FEDBBD139C13B50B395AD16CC551430229B56B4D75A145" "88A765728774CC234D1DC46F0E64E7845CF237330C3D2422CDE" "F5CB1D741741DA30F39D99035D7F7C49D6A3149D02DD061F853" "23D6E0054DB7395AB8FC496418B7770355B854FD36FC1DE72CE" "F330976C2FA6FC73469B71B80F5D9B5CAD008C38746A54578C3" "D195")); test_hash (&nettle_shake256, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("42A5915CC1DBAC56FF74825DB482AFB8752991EDD5B8F5D040F" "E45B30161C75178D5D56F8A6FE9B11A71E19D0EE241A656171E" "BD9501AA4B5F2CF0344FBD23EA5035D9A2C42FCFACB5F13D921" "2805F353932169A0628D015644ED450E8F8717A1901D5A21FD9" "F8360054946A29CA31DEBE683956FCC9F862BB5AB04F07AB11F" "751FC8D7CDB0FA9C616DF691794C6D26CC1A18A45847FEA7601" "7D57D9BD6BFD1E5CEA4C92604ACC860252DD0F53886C48D0187" "054BDFE1939A2E6D5C570A82C300A6553BEE5E107EE319435F0" "AD18B92552ED9B4FFFD472CC482DF76B6DAAE5432D17C247544" "4BB76CD79313CD14620C1D2B3487D91C25A47ADE446E1DEFA7C" "6D2C2ECA3163106F10EDA5779EA6C21F8D778C29CA3601FE5F4" "56B74DD08C7ECDE8FF599B26540624BAB26314453247A945612" "4F680E68CB91B8247E0E5A06CD366E46055F31712DCBA81B590" "FBA34C8E619C8F3EFD39D2B69CCC6C3D184FD058A9BED65148C" "E65680F31715373526C509EFF8DDF378A0127E1482809CA13A8" "34FB3A1B00231F6B69A8523F72EF580150A4805981F9B1A7488" "AC880BC4018105545707B85F24569E4F864C30E66E750AE2065" "BFCEAA2DB440250568C6909590AFAC5C1DF88D3E6F02D2B4D60" "9460A6BF76FF7994EB5F64B00831C849F7851A3E743DAED3866" "8FD1548B333A01568140B1DCAA00E180429EC6BFEF620B06C98" "DDAD")); test_hash (&nettle_shake256, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("BDA93EAFDEDDE22B029F4618B2135E9F7AFA583C8BAFC3B62CC" "667C4704CBCDD4AC6620361A0690AB8E857335C150C2D70FAC2" "C2F2D60D6472AE760C082775D54C8EEC450421D536B1A94A5DA" "5D803D951709A7F5BFFE63454306D7B229CCD3A89DBF9436C9C" "91C01A1D0964D86DE868B4FEAE6E3B88592A85E2BDC82CD5C52" "968C85F429B08A2E61E1FAAC0945606EC462EA7B2AF859609EA" "AE3025E43B4489F7B1274922FA72619B9EADE2F6C04D5863B03" "EF76189A81B9BED9A47BCC53501E96C2367067012036D07B95A" "C0604FB0E6A793881CD81D9577BF495FF769B72DC8B0D554CE7" "0FED81FD3AED5426525241924423A4B11391D3AB16C02577ADE" "31301960A579833C3FF5F9DC0EC068C3C92234B9DE3051B5833" "0AD87D0BB6F704B210E1C5A167684025AF9791757CB0DA0517E" "4A271C89AEEEEBE529609529B69E9A53C1631AB89AFA3D0FDC5" "82E923E5F2293903B75A4C321117BBECF2E114BE505DE8CAC60" "8C1DEAC6FA33C658D72454FC5C3784989803A839D565DA08436" "E700F3BC8DF99BD3465CB4C1E8886FB20354E132A629FC964B1" "0714F006978121E9737D70A77DC73FF77830E2DFB3ADBAABC83" "657D8700206AF318714867A1BA3BDCB8354B91F4F1A8B09BF54" "805BA01BC303E5F9887210584913C5130B643F15AB603ADCA3D" "918C3D5F15E97EC27FDA51E4E6CB73402AFAD08678217E46B0E" "2283")); test_hash (&nettle_shake256, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("E4D90A392BAB78DD363C8747C586035358F051EE8909762C3D9" "AB4B2F1B7EB50B4738423C4A5087A5B12A9DEEFE186D0086F4D" "D0F9131ACCE891E43D131627316AE63C4E7D1250D809E78F94D" "276EF45C3C8EF4A37AC5910F1DD5F95989C938C98C55771B6DE" "1AE68F3A9015C1FBF2447F3F72C15847EB55E0296B711881E0C" "8518995BD7F75C3AA9C1193F3F7B47B9C133AF09CF53E1F55C1" "7CD96318C821DB4A6C7E79DD718684CD83D43E3EAAD165FE26F" "A204B797C59F33589E92C43E7E799E5A857ACEE310E66F1C99A" "2406CF4D2690DAEC060CC7E3019CC4A842881657E58818BA193" "E4C8B8113EA7B3BA930ABD58A7965F4A176CD5EA1447B417476" "94FB36775FA90999D1898949F8CB5943013A9CBE7654FC5D7BD" "7C915C1D251A22D6D8F7671D77417459366581C5587065C55AA" "EAEAC19488876ED0D5E5F2F3F0A07006500D03EF8CC151AB6B4" "6D587DFF8930AC8EDC3845BD2596387A56825A0036E1FEFE70E" "2A53A4C19B5E45AF6AD1C463042EEE139B244A7751DAACD4CA7" "C5CA075D2B639FB6AEE355DDD4FEC35F13C74E822E5F2C23A52" "EB2C2E209B62106195BDB80F19EF1636CA813E2FDD96425C971" "B6D0ED6B468A5E8F462D521E41586D7C848FE3103559D65B388" "A0D0F84FF6C4A48318BA3860CE5F2C419696931CD89F41733BA" "B732FCF8551B4ED28A3FD2F1DD14D2BD570048FABD6026C984E" "CBC8")); test_hash (&nettle_shake256, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("AB362A6667C3143E58DB5D5E18294445643F1FB212FAAFCEA65" "6B4C9C9DA509609E7B99AB0BC1C7F782CC8BDD2C2C49A029910" "9F842442A6433D9515BADCB9E961C0EAA0CD90906C2970171EF" "25193CD49FFBE6609BC0F5702CC3FF1CAA859B50E59ED6407D9" "DA7AD2D44EA36BCF8B3F48AAB75C1EAF0C2A8A41E33135358EA" "ED3C5005CDF6114D35E4EA2B14E2F8EE6B995CA73FD75E281C3" "A145309C620B66718E058E171740649DBF4786E8B83C19A5CD0" "FE67B68E3FE2509662D968F4212224B466D04E4878C70B47409" "E5FB56FF2A5F324A96E799CCFC6613B28DF7787A6D967056968" "7D8345FF1F187DEB2A909C66F5B890CBCDFE18594DD52328F5E" "1D3B15F6398F9C3B880AF4D314B1924CF2FC30F96B45869E40E" "4A147D94A4BD92E3CBF64CCCA69B3476477B79B571FC5F91152" "9E151C3DD2FAEA561E9FDDF7DE4C93E5CE3BF3B90D25642EF62" "740EEAFA53CB4356CD598E9CF40339CD8166FE3CBEFC35B5990" "E642D5E2578D893C0A46505AF49280D544CE6865733C1AB75BB" "F194A4B6AB0447EE0F33FDBE80A41E860D80026A2D0C3FC2274" "C9A1BE2C07C57482B3E3982CE5495BFA0F9B5A10D2BC46F5DC7" "8E78168B552CE4D6FC9EFFC0FAA5CBA0CFB66AE078E6DC8DB24" "59C127F970B379E87A267C3A0A5E1672B5A16C93E8E239C9C3E" "51A96EC777361D0583010D4A0773921DC48B63BA3155DA483C0" "3D5C")); test_hash (&nettle_shake256, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("D5D2074E7D45403D43D0FCE78C3AB81E2BD601A0337B163AB2E" "2E11CC4F0E73BC0E41ADEAECB5CE2B0422EE97DDD18869BCFDF" "9B4CFA9CDFF5DDFDE53B05D65B5ED250911B83BE8B9E5865568" "5A8D33C72826A1EBC1F244A433A9440B24DCFC691D9A78F3237" "9BD8BBDF4F8E2F8EDA7CA1CF74FC4E8C3C07349DE823980D9EC" "8229A3C43BEA5FEB0BB8F25610127ED1FA1741F90CF25DFE733" "15D440088C3523D9D5BE12431EB81E23EF5F5E9CB1571F08DD2" "4A7EB421CAA74C374F7CCDCDDEB4ED57297222210FA4930888C" "9AAEF06E36C78C43BF9196848CB07E1D941C719CBFB6AF8A501" "4EDA9DF9B205DC905B28EF6F29E2C29CF457317E01BB34ACD8E" "34C67F468CF41729BEE3532833D147CE4E5618855F28936D3A4" "EB6E0382049614A5DE0B05B317240A6E091CEF8A26C7E13280E" "02D19A6635033633EFB03FCD57AE2678C639B262F016647C61C" "E5DED0151951C7EB1FA1E3BBD1808210A3D22ABA98835A686DF" "3612AE6536D2180DE2DB5103E4BE1B2D74A8482450BF1B9F4FA" "91861505F5739F64D7C8CB8C5A3A2F864161F9B495445A1F668" "EB9A86E0C25D1BD0C50FA6431C4D4BEED9F53B6E918008B3DCE" "F98B484161A8DAC12C642DF9278601CCD80F789B770F05E8359" "495DDEF5D6FE54086827FFA8E7B2BDF03A33397CA2898214DE5" "A36D18AC33EE1CC0EE0FC4416A86815C7B98EA08C63D23CEEA1" "977D")); test_hash (&nettle_shake256, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("8A80E00C325A49D17ACBB96FD41E874EAF00A0D141CB59DD136" "3365DB060F20C1015929E88E0BA0589FB35CA348B3F02CB256C" "D5FAFC7B1D1A7445C238167F325A2611F7C5E2B7ED44395938A" "5CE501D6CF78C9B9560D8F84210ECA3AC12ED40954EA0C8EF36" "2DE08CF11FCF47C34A3D56F271453BD62F74578F06B1C3958BE" "6D87331D8128070C244900B6DDE1423B2561504156FBC045755" "E1B591234960E1A44FA54CACB1795AD8EEAAD38FAAAC0A4EB84" "6A18B42A526018EAC0A5041DD1200C4169124590ACF93F2F26D" "B5D173608FB0B6C3C83F5C0B01349C558ED0E5851C9DE615CEB" "684A3C9C663119444008DA4A12E9386C98E15CF23CFEEB2F863" "2EBF15381D17268A5F92FD15D464D9E1F6EF896828420C9367B" "14C2B7E886F42C439801E0F119D1086F2A99B5E402E786B8C5A" "3B7902D2274FF1B5CB706AE0B5DA9CE63EA943B8AD8743C0AF4" "CACFA6EC9A2BFB45EF680385568AACC518755B7A2C4ED40F276" "E25BE1447F1131D064A5C54F3BDB80D4E6E1338108251B8294C" "BE4D3F182F3F462B3983ABB7F25B4D9AC8A3E2F3CCA397148EB" "CC154DE7DBA5A4820C677FADDCB502B6A67AF0DC0602CDE5BA9" "83C7BE0235C8BEDF1916F51433D80AD87B4815C6C397A9906B2" "D075BFC0F72431DA10F04AAE61545A62364F336754248606AB0" "62799988E6B0D71C2DBF907E211C963A3823332D6ABF4450D31" "1080")); test_hash (&nettle_shake256, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("B645903F62E2A0394B7D98A526CE6C1725A03F4B35CAB927AD4" "FC2831F460CA6EB0959BDC5D90BB37E1D0E3DDC6CBDBB8F61D9" "21B7CC496D903A92166BAB4A436BBE6E9230DD0F91A6ED79188" "9B67727338EA636F54AFFE59D52CAD1B0D26ABA8A29C92874B5" "D6276369FC45769A3323C9788A7AB268081689614622BED3DFA" "207A0382680219D24B2854EEF3024A34DE3FD4ACC827D52FF2F" "1A4B40F1E957729609F8D3AFEF23A94D9E3EFBFA3E66BC1ED44" "C426D27ED4FDA0B4BBBAC6050DC71D064DE236DD800D0E24188" "EA0B1899AB6D0AC16986034BB1C8A21C7AD7F069E706730450F" "046D5F9B3C066C6CBF98C5151E5B45D6B0F3ECEF0377AEE19D8" "3941CAD4484AD07338E7DA24439EE38875498207CFD01349A3C" "B8BCAB058C70B48827C22278667026ACCE65A8F643BDA30A3A6" "FEBB5EB7B981963CF07F6FDF20AED8769C8EC35425C4366EEEA" "26AB28BF43E7FDC8B4F762A2CAC06D10E1A8C6EE35BDA64C6F7" "1CC02675EA4CD20B112B6E12D45DF6D37D83F04CE55DADB9F54" "C8A68E2C76AC55AAFB1A3231C277AE27BF2742D08FFEDF08DF3" "F098C5C60B59D2A89D2AF150B3FC73E399EF94B5002DC0AD109" "7767F47BA07F442D4DF4A4D72E5AECA7B2A37899F50FA3CDED9" "1474DA106FCC96B28D8418EA340BC983344BB58F244ED6755AC" "342B9E6B00CB19F9AFEEB3135E0374CE803CDA44E316EAA0B6E" "1E93")); test_hash (&nettle_shake256, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("B15D1DCC49B25B2ECD567E1D0F46732CAD3F9559EFCFBBD1793" "DA46A5D9BCFAD723E504B12B7C1B65EAFB9647DC35A48448534" "4B9DEC5C378DDE04227F7224CFE6F06A962F380AE104146DBC2" "425FEE1D7AE7305E2D2C4E2F91D9188BC88799B730ABF3647A4" "365562ACDA20CBCC7DFDC5C6DEA8DDDB20443B9253466E4E215" "360F4066D918D938FDD204CA826E4A3358D169FB34410D45F8E" "783E7FCBF97A9CF0168E8EE6402C8B627DE5BC4DFFD8AE2C880" "7F863D10EDD57503A99A46035173A20DC10DF3E6BDA62B518E5" "8E94E5624659890F1174B3B7D798206691D3FFA692494829382" "1616184E160F237C1241F11779CDEB4FDD858B73F3DF45F05F4" "3BC81E0EAD584999DA04F71EA4914F8D8AE17DE086CDF69C31F" "CCB48B528781FBF8DCFC710AC421D28E93EA95DB4A6D38C1D47" "C800FCB3F816E36C86D6B3E5D6BB31C325C7A0DCA4D395867F4" "36F077C6711BB96DCBA9A6DEC6318FB9BAB829AE40BF70C5514" "6B87D9FAD9A839CEF462249BDC49B8022926E3C664D66595231" "23A6EE980B69BEA87437322DA1DD6235A74163968C0994AC0C2" "1156476D83F2B8697A1B510795D936DBFC2CFE67ED401CE708C" "7531F1B4DE75E8506DB082FD9B3B24673938242FFF4F30BE97C" "AD8ECD2F88BB5F497A8F154465921C9469B70FBA1F45D76C9A4" "0228A93D67836CB7CFE2F25A5F56C216084521484A7224A7A97" "6323")); test_hash (&nettle_shake256, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("7AF1CD3572930B440F871CC3388678A1C612D6A590CD2B8692E" "0B96010AB4E122CF856925DC84AA0A87C7FB1661C5C74B08114" "88D3D486014E81B0D29B73450A0670A6F8223DF95B542590B3F" "6506CC18949FB6593F1A552E064B4E1576AD7A7CF202E0B8F90" "EAF90147D44EF16031D390940DA5D74C35A269B4ADF4A663584" "292007DA777B04C15C03F7635BEF56C1CA807D1CB3A8DAE8218" "821C44C7E6275CBF64D82453F764B458ACEB881816234494F71" "7F5240CFADDB3F11C1AF02B269F0F76B9DBC8ED643FB3B7C9F8" "A540A453C1EC85ABF9E8417B1E4DE9DC65181EE32802ABD6170" "A581AA2DD01188752C73D406461892D0D0909C5D3FE0ECBCA3D" "28F65B905A2DFF142E61CB088F9086D3C492E73C0EFF3AFBC37" "216EE98533B236406D80797933E54D3C21AE6B1B81F459FFD7B" "8BD1EB872FD62CC0B95F5384668A1BF91A474BFB97335DBD8C4" "761F3BB936E2032365256B534F98E9F4B3C50B4034478EFA268" "E9ED9EB9864044E90DCEDF4A2ECB9E8617C4E4ABE7CB4990511" "43C30BF73D397836E422A2CCD222A299603A3E4EAEA9BD2C3D6" "4A0ECB3CC7C0BC3D867C79231BBBC8C2ED4212EDC8B25C04C57" "E9A3EE8C103AEE4AD6AF025016C1A177288F4A17FE20A2E210B" "24A7AAB63D3FB4E687ED3BA2BC163F17C9067D07C18204D0AF9" "6A41CDF5BE9C6B89502D7CF1283E82410B11537CC931443076D" "60CD")); test_hash (&nettle_shake256, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("6B1B8AAC47F782208F50AF3F977EAF8F2D69FC02390EE17BF17" "61ECB73D1088D236A5345380B6297AD1FDCD5117D16A3C410AE" "EA092D9892AE95C7B977930655C75CF7834C101F69D2E33A1A1" "7A489E040C5DB3F83A5216ED5778D391630D17405EE0A96FD7B" "834448FE0BC61CEC5014A6AF9B0F85827832E7469869B087249" "7033822D3419D43379AEB6C31406AFD1199ABAECF3AC8E2546B" "9736F8C4E399C8698B674DF5CF6BE81C73E52DCA979D3281200" "B9DF8D99BB6C65A7B6F620E1E4E6538A918C99CDE6CB33150F0" "896BB75421B8265AABC241C02D93E63476C351396E5B86DC66A" "05C74AE2EC87EA1D175D15A12ADF18F9792970DE3B9E30890D8" "896309815D57AE238895AA7E76DD6A46019F005F193C737B452" "D32649A8F39B1ED00AB8961A6EB04F699EA62357B7A38C423BA" "9D421529266459EF292B324A16062538E8C6550F822C2C14081" "6340F907D5D10B563198BB1539B82E5BEDE700F7FAB66EB8DA0" "45B23035DECD3F8DF11DF98A297A49F5B896A3536BB5A3E17A9" "DA1B266EE18FF6D4A6E59AF619306BF30316FDCCB7FBF580091" "6C18832F4CD21659774411F105DED35DE8B0D4B0B54755440E2" "6230E519B66319696E6ABD180FF5314EE184D3B2781F338FDD3" "E3935855F4C8B4021154EAFE67497599D0AE393A516673A970C" "FB9B7058826D7F0FC29F3ED34ED31F45790A63E5AC7918A4C3C" "B494")); test_hash (&nettle_shake256, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("F76B436C25E0BF2D75A0DF0152D04117ED8DC0AE55B13A2CF83" "9E41A90C6070415EB8EF70A90BF205B0BB330435ABB41BB3329" "D015E9E56E86418BD671D0375E3AF8056EB882AE4191F82E062" "339D5505526AB42BF6CD54F0D36251A78EF274CBC797B89672C" "A224CB9B94E36648B362338D4981821B0B388E08CE97253B5E8" "C776E9B3AEA33DFC3815B5929A3800BB83543D42E0F331C264B" "1855AD3C002BD80D035932268DFE4CD6600F2B1F215F1670D7A" "4512E89C3D1509271ABB42E2608D7B4A900E00593E0509F7C88" "2AB0008AA83F5879F30D95A319A4058987804E5014212D415BA" "0E1C2407B9AA7B80945CF460E60609AC885BD7D639C9BCC961D" "6C32A96F041528B64747B5AB9557971EADA1EBEAC47F78B3992" "EEF2BF2806213952489934E7F5410602ED0987D8470AF3728A7" "F5BA326B77835694E32675E463C604C18DB4E4F5E1ABD056689" "66B8D102172E232B4EAEDB3C73E7A406C36DDC641469350D593" "336E9E5C8BA3C246154BD3CAC8E14CD60C9EA724FF059C931B7" "78B00A3C6E1016C1C41B3002F01D937499518A969D02AD08B5A" "B385A60CF5D018EF405DF9CAA63BC49015407B04AEBBE02F206" "DAB67E72388022D99D5BA4F6D57695186873276770452D60263" "5AEBBC988B7718F6EE99F9F05A6028E074BCE86FC134ABA4CB8" "2E1529ACC2E50E53F466B9B38FD3FC7181163D9A3B58F143AAB" "6297")); test_hash (&nettle_shake256, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("C870CCF74F9A979827E1D0FF8E1DAC93A2E0F10A0BA7A4DE041" "853915DB7D86C65010DB41421201025D3465FF1267EA5DFC8E9" "0CDB4D933FA58F5A5E830C646A74E5BF807495D973929CD2D47" "63A0615902B8DF2D04A9D2553BCA94696DB2A332EC56B5612DE" "10CBD2E117AB226769A0F5E12E380E890489C4CEE3156B4CF1D" "4FA2FE55E20DB06D84DBB0F9833A3364F64481567C74049517D" "B8D75F6607467EFED0D8976ADC7C7F265371A552767BF6DDF87" "F88DD1BD326C46CC7C9A895D1D88D4452A1D72E7ADBFF6C02C5" "114ED5799C4E75944294BFF16DC782D529341BD289DA6136E0A" "4223F27E886D8AD057446E6BD41AB8EFD676B5084084A313E0B" "BA30C1DBC3C461AFD8B5C0EE02AA0D1BFD0A1ACE35369F78D55" "31286FB268F94D4EF50BA6A502C2EB2B744651B71B59974202A" "8088780CDEBCAF18AB8CA8E5AE928309EFDB5D5A639D7C83BEF" "87E5AAB4D403F7A9D22EDD1CBCD409B822F33225F05AE21C2BB" "E9E7A0B116B502DA93D6547E3931763F4FBE1507DC031CBAFDB" "08F4492396D4D32FDF8936D0BD082D45E70B3CDF8B807D974A7" "0BF17FC54A4A034BCD7F5DDA8C1002B92A641DA7E717D8C742B" "7F22FAB4918B1B3929C2CF7533666121184383746FC5FBB06E2" "796EEE83E6387DC610717FE4C7FF316D87367F6236E36524CF5" "25691D656F77732B4989D87FBADCC67886E151F7A61FC9141AF" "81B4")); test_hash (&nettle_shake256, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("7AA373D1AD451F79A4B17BC9D3E2EC4D43457C6251E958E44F8" "D5EF360EB256CE5ED5082B938095DF2EC30DEAC299EEA526894" "6CC240AE0CFC0B8565235A77BED4B58560F111FA5630996AD51" "065A6A957979344C26C0FBC9843251B64C899ABA1DBE5124A21" "A604E706A50478DB8E93F239CD11D53B2F168A946E979AEF98D" "6A3CEAE032713C241B8176F1F32A7F132ECECE3FC57309F6F0D" "C9876B9327C4C03C42A74EC216E0DBE026DD167EE94FE8B0032" "F9BA033ED3E6BEF8DCDDCB288CE5F8D1B4DBC01A5BF51FD7252" "06283C7028D8013A170F0DC4AB107A442C95B0214A71D3BD7A2" "7CC48CABE6BDE4A5AA4698F56258E175BA1C6F7BE6D7EE60CB5" "BC4926CEC0D94A422554FECD2D7666462E125FA3C2FB84E98F2" "095B119AC492EF8EB3666A3BBE51A6E4CE3CFD1375A21D1570B" "E8A1CD22009E8261B3CD6F2E2085443A6AA76C91A349A7C49CF" "5F477FC017AD18439C580DBAFC94E96739732DDADF4829F9DA5" "FCFB6851AFA968E208D4090AD99F61F9657EE958698FDD1DD5E" "F21543D238D05C4C604E26D21DCCC8C878344EA888F12737221" "8A4511B803E3E6EA03CDDB2574E636EB40CA242FB31698290EB" "9C017D326A35D884A88C98B89C33E8656B717DD734223EE76B5" "EB147AF7521BF1F827827B37A6563E601AFDC3796D8DA4D1084" "FA462CD4AF969A800F522375E2C754BF20104F13A95FF2DADA5" "674F")); test_hash (&nettle_shake256, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("A1D00913CC206BE2D1C38C22B6C732A05368C8AAB30865BE534" "3BE3C73AA6B7E8AFF69A544257DB1E6B6677E6CCDB6EB358A0E" "D096BC9FFF0DBF89B1E5345037864132FA7B820DDDDD5A88B95" "3CE834F1AA89BF56FBB02670DFC9FA29892FFFE61DABA419585" "0CA669F6E4AE00687AE4AF3A15B27A4E489A4AA01AE62E23FA0" "12CFE38BB601B343095B5DA20CC2B48352CB245C5306A2FA9F6" "CFB324B6DEBDA6513221197B24EB1EC2564E2527491B539289E" "AF593912458D835E3F8F46E058CD6B3B85D0833DE691A1E08CD" "6742E7B2957DDCD0E04858FD64987C66B6BAFA7A082F32D5158" "52E931A382792AB4FFE17B39D8918CFF002CB01C0CB1E1FD32B" "B8B02DF964752523E64DF6C74B8442719C3D7DC75CE9DCE5474" "AD6F235280CBD1F0268F19E695549016E948A7141FF4602330A" "096C67699B29DDBBB8F6600770CBD0E398B013932B04526A055" "B51D92F0AE8535A7E91936BF21AE70368E09005B14F3FD9E363" "5F35960D89E134E9B1447971B0D1CACF554845AE74CD93F73FA" "FE94189BC22D1DB9815A65B414DDE694FD053AECCE3BBC3CE73" "62F353A9434A49FABCDFD7E3CBE73ECE064DECA30E4BE01B113" "5FF6303E45E8065EF415BEFEFA948ADF42DCEF4520C2772C8E8" "438B60113919975CA0DCD2798BB026D4B59D3904FBCA4998533" "ADED822B15CCC86457E8507AAADC7E3EE221543472A87B730F4" "E5C2")); test_hash (&nettle_shake256, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("E28D36BD926B9E8C105FE0099CFF1957ED7ACCB9618027421FE" "BF9DDD3129F4E6713376B3B7EE710430EF381CB12B831C80C7B" "1B93765F7693506733A75AC0E8FB5D3C30C6F4DC735C4C35991" "61ED02F4ABB5CDB174E53D93D91E1321EDFD79C0F63C92C7E5A" "253C1B8C4842F053CED0033405FAE5F16E2DC30024A6B1663A8" "6829ABFF72DE6F2A91C1CFE5955CFB584F8C65B9334590C9C46" "8A9B0FAC172792AA152F7DEDEAA4FA22FA7BA44131A1143F790" "53C7E2CB5AAF8ADCCB6AC72300892F792590BF5A1A9745FE593" "4C712CED382A316C487EFE0E6F146C8A562E6B40834FE20C362" "E495FE9E5CC871EDD2D61361492EE60CEF26ED38B4DA0480B4D" "FA66F5E71D44F10159016093841E02C34001800C5CDAAD0F9CD" "2A3144911031139CD6C54443A1D82405921B86DEB03E8F0C1EC" "D58F63B88944182F034BD07B0D021EBB7447F660E66BBC0A821" "C7852D183B806F0855AE194D80073280F3D07C2DC03571D5C6D" "0F0675AFD58ECFB211EA27733E870A6E86AE5108D8C1C3524B9" "9648541B61935746310FC6E99935E7C9A5D144E0735F2CC32B6" "DC42B34679052203A777AECF26D9461946699F834940BD34F8F" "CAC7C22E29B2B0CECC60183C44A5A63078127C10C1C14112226" "520CEBF9D47A7FBD4002AD482CDE289E7DAD3AA891BBA0B6B2B" "2FA378D26D629B4CE428F375BAE3FEA5E5C6B048928EC92099F" "3C3E")); test_hash (&nettle_shake256, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("E3E693B2585C32926882C97BEA160D46ACE5ABF0FA47A9084FC" "FDB22DE3C65F43717358C2C2CE680D6D132443D478478A30471" "1BE3C5795F3EB0A7BF043CAE06E84443EB599DC259B3CE1F418" "4ABF1E6794556E9F2ABA99E5363DBC7E9C2C802976C87FDD7E0" "E3884B971AB33DA6CAFB65CCABD6CE492A59D359BC17D221638" "1AD838989DE9FE82245CE07CCB1239FA5A3D664D5B8F2E3410C" "023066AA47E030FC73BE5EBA27D83D656106401BEA73E36CC09" "F8A78BC0F4FD7C4B2B4E7D36F4E3CC31867D1EE207A7936FB3D" "5FCF512669AF63B9F01E4188ED39B1142CAF6578F788B53C3D6" "303C25C545DCE3F0B037456E3E7870392F43051FB2E8FDE663C" "80350F94F7A52D511A56CC268335D1ED24C9948C6E0426AEDBE" "1E082C0F075863E3DC0269BE5C83ACE9A98AF1EE45C79BA263A" "A81902E11F880205B7BBCDBA54F766150E744BD1E2C97E64B4A" "50A179B940C01A7AEFEA23E22DC3443D655E31FFAFA67FC5557" "27C8D02C3FB3DE7D6C13438F6323B89B7C975FC5B90D80BE8EF" "D41BBCE90F636CA01FFBE3AB39AA0F43460F33DFA492718A411" "711E9E7D38EAB956655314F35D36120237BEA48EEEDC5492560" "90DDEE8AB4BF2669131CFB590C65BBCE018CEEA3CE349A8CB83" "E3518CE8F353EB07F9007600C206C7F6B6B1DA24F1A263F0397" "73EF5F99FAE6D9B2B3160199F17D49AD69D51BF66915451F43E" "CDF4")); test_hash (&nettle_shake256, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("A178F3B574A841C88EF21B6A20A100625334F4FEE5966AB2164" "686151AB9FED082CA4A9115A0B5F099C5DD4BE4EF1082D53321" "2BB862F084225655D8856E29F279418DE6FB723ED15C341CE31" "0B53E695C08689F776E4474FB6DBDB7DA46A9A2DFB7BC374AF8" "6984E1E10AD9D48B744A5FA98A0B161738468E06EE4E836BB71" "8BEFA381CABE18E9973FF07DCE1920B19DD797F84CDDC52DBD4" "9B4A462FD1A12ACD364804A290BEAB30AF0376CA098D44E5D14" "1D1636F6073569F2CE7213F6407EE376680E8D676942211A9EF" "B756EF9DCA40574AAD2084FAE0B617D727D7951C1321616F265" "69D96DE5ADA8EE101BCFD2C43C338F8957DEC234E23F5A1A0F6" "63EBECB98C35102DE1C101B99E8F42BD8EE7C528B1651099545" "F7BC9BC315C8861FD7EBF26B97A519931A63E0B06A73B14CD23" "65383B44A2107FE1AF0998F1574D9FA8818DC51D642240DBD0C" "104E89393B2C381944308D828720564763D3BFEE221BFA99D97" "6701717D4214CCE2FC25763C1B25EF67286BB7E497593B1A077" "912E3AF76993A4E20D4E8ADD7AEF4F715E5F1C8BD68E8913D9D" "8057447F273FC41F70A0290A5EBFDCE46209090032801F2CEF4" "4C8015E865D75759C7B2117C6E8EB6B57398B992B0E073C1FAC" "374C819B7AE16C464AB5019A45E7A6AD57B75380FF42D35339F" "23436A0D58497F7A12E4C3EB34816C4AAB9A2D3655079C12E05" "EA36")); test_hash (&nettle_shake256, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("11C57A7AF45809863E024835F2A86BCB81763412DBCEB53F311" "53730FDFDC32A8ADBE3A8BD6D4778EA33AFC063D9767BC9E3AF" "EEA3C78FFAF5FA3023093C798F39111A182516218F0BC78C030" "7C75EB212B0EDAD184500261E00823F423D84BC2DAD3FFC6C2A" "B675A24CCFDF0DE5F669D1EAF91973071D50EC7D2C0CC4B6E42" "552199CAC4B65938F7E704248CBFF272C647E953FB9719FA8AA" "9C319FCC45E4FAD0752E7416F9DF0063F1A8BF43E316533C046" "C4F2E7254A02FEEAEBDCD4DF19B01C18B8DFEC1D291FD670BA6" "D434B41EB6068A365973082107ABD6DFB62FD428B9B183E1FCF" "CB654A6C7A55B91E0615658529FA4F6178FA4F5CEF329376169" "AF143B137B9B81B273796CD26CFD8372AC3184600EBCB2DCE06" "AA7F22C055A7B622717DB8E15571ACC61D94D8DA250FB8E6354" "9528CB53050322520925FE7FCD065BDEF0EC79AA38F1F105348" "614A57605C94BCD50DF80E692D1117C13BA3563AFB44E91117C" "9F6E4E7FA35397DFC58FE7F2DAADCDFC756EDAF5BDA38D6E1EB" "819A1080CF354F2AB779F63E2BCC763C8AC73C6D811AE2B5252" "E6FDEC79E2E97D8971D1EF39E2A144E84EE8087C673AADF3C46" "C4E6C1D9832E68BCAFF8C1E4DF1A5454D3A677040413BA32BED" "431B2F7D3F356CB060431A7F5B1B6CFBD5709736A408EF6CEF1" "B455EA74191F09FEEF230A1A0296807E8AB33403A9E3EA1650C" "D2AF")); test_hash (&nettle_shake256, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("8E03C6B48B4E91BF5364CF9311172442253B6ED58B95D147A46" "74BCA639D75820FFE93509AB08FBE7EBA70544A9331C3BA3347" "B0B44E0FE36F9B799963212514AB2E673133EA5D9CF3181FFAC" "7F79475971369F7A0188F1A3687792258617C7521CF2EC97924" "1D8E9345B9205243A1CDA692418F8855BA61B57C75CE8A7B2D0" "19880D2C56C61DC0E3CACA0CD632E8819DCAFF9336498E1D573" "C16269D2D56509BECED579C80C3F09E4165081EA7910BB8D13F" "0373FA802F498AF190EBF8D7565A93A771AFCC8C417EA460E67" "F4AEA898C73ECCE5B17EBCF6EEF8A6E31D160038604499B3996" "5212588826D1F896915500497BF4F949E2CCC4C3439315E7AAC" "C2904A77AC0113A2AEFE64F6D625A7EF547E99FDCF9374300A1" "CC15373494BC1210B8DD5B5CE04B190A824566A9AE4A02DFC70" "FF8DF3191528A91E97DAD97057AAFB0357AE7F509FF7E464675" "124D0D23399AB6DB37B80397BCAAE48B8520860B79EFD72D955" "F53611E8D782A28C729F51D3174850E4FD61A4328709DE8170D" "1BB7B5A811BC3E0FD06F20F03CE1567CCDC5891673CD8E65947" "2015EE6A557D89B104E22E70315B40701B49C76BA0196F68A92" "55EEF2623E531D73D151A7F321409BDD8183CAAFFC18C6DD63C" "1EBA47F07B5B3D404C2203373EF356CD26D89DFD8F5BA2F7006" "46507AF3CF63DB907F9F70DDCB125259F28275CE8F41B63D140" "58C3")); test_hash (&nettle_shake256, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("845E0DD7FCEA5E19E5DBC6CD03D58C2BAC4B81CE809BA7D0C75" "CB867DA6ECDC9CEBCA177AB9C3273C8EAD7B8C9F571D6D1D14E" "D0CAF6FFAAE4F1B7EBE653443E9BF099DD54CE3A021E0944BB1" "F8B34CB8CF199ED9B23FFC94E2FCB6FBA03D50D0C84C2C943F1" "7C1BD9EEC662420EE42ACD5C5F18223B92AC269B320BC190355" "0C1D55B7AE5804EAEB6F67C57537161EF8460E45E34FAB823AC" "0EEFA232404C7907DB88E4B1D74AF7DA5A2E38F82F96A86A506" "DF1E717E636AF1FA85BCA3259C78FE7CDE8FF56CD2461997FF8" "D3B31BE985B73E4EB0DBF36D39923CBA9982870DDEB52ACC02A" "97CAE8688E230364D5637170C328175208F8D225E2B19289A29" "205A9568F426FDBDA7BB04224808B2F21E4E80E2F18F4E79065" "4E0D6E486340464B6FA48C95F99A4106E95A6A378458B863655" "6C700D79FC45697C09A84D2EC41BCFD560F0A147ECE64006071" "3A86516ECC642396E16A63203CCE11809E7DADB5BDE418348E9" "1E30DC65E66242E29B69B9CEC5548D4BEF3E15A6CD4937C492B" "2F0FF83DD3ACEF224EF66AA27726161A418820196738EBD9569" "B49D51D1583129AFAEE4F9128C55813151895A046E4D5B4E7D1" "695B0D47BC657EF7795107148B165D0484F346C9C49A8DEE187" "E3C1F28A6D57FC3B7DA49042B37250DD02BC9807FE1AF57D5A3" "1664C90D5371542B28965E805224651F96836147E0300C2A938" "639E")); test_hash (&nettle_shake256, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("EF1A40B1819AC20C49EE1F31E36B853619C8E960DA1A5BC8667" "4C5720C0F255E8099CD4572D09FA5B8F035ABEE5FCA1725F988" "954513E2E7FDCA92A55A757145B0E1A223A7CD4E0D18D3EC7C8" "BB33221B24AEDEA4A08F01B2130D58E19570272456697DF883A" "B29F4D4F86DDBFD1D97F1018277F84FFB615451190762B9B725" "56677591E6EBA3FE45F8769072E234602E222C77DFD8CC095B7" "3D1B231F3F09B89C2ECDCB741FED58085CD763E2B016623BF23" "92631984B6E4D2FE558B7F17973A8F58BE66D73AFAE5DE5C5B4" "6A6205E15F8A7F5B3ECCE65985EDBFE4C86D3830E642C99E44E" "F35AA55B834696DC519635240D6A693AC09CB3D567105420449" "664EB7B6BC367C482CB2682B1A34A9A051470EE3DAF8045B0DE" "FAE0EF10581830A1C21F75045D1297C9EF4B874E9004D4BF86F" "D770B820A9AA1FE967388215AAF00DDAC57F9B3B9CF0A67FC81" "E27565F1F3378A620C9A99B50AF301359E98D31EAD034DCB033" "4BF45D3CECAE0A95E4F0F0D60B0725F97AAF0EC1C4EA1D7D062" "D5B13A69B68CE5FB382FF7E25A219C7FE8CD1D78B47660319F6" "EA04418970EB3B5FA6778D84EBD4377C8B3DB2632CB616631DB" "82CF68CC4A03A44768B082F8A5FB606FBEDE8AC366B9D0813BB" "58017098A9B2D5BAF9C5313451F7FC5144F8A89EC34DA3CDDAC" "B079A963BAD7E08A4D68DE34612B116A0587731F4DF81355999" "40B3")); test_hash (&nettle_shake256, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("B9A11246D631A7C9F33911215F36281030AA4959E598F2E3660" "2AD66E236F4EADC9E87A662FBB5E30555F7F2048571DB711D9B" "28389525DC1BFF502C1766BF7EC7A26688CF30EAA16A23D00BD" "408E11756BF0E9DC3265ABED5B83643260DA0F7B58919078EDC" "C9F62B2D14029657426407CFE5B514E17410F3351C401EE163D" "1897525441D6738ECCB5976C16EBF309ABE15FC5B15B3623385" "16BB8FC50DC69EBFD5E3CFC7B79571C7DCA79D57970AE090454" "7677B30CDD7D09A0973AE65D6E00F3F9205BA0D806CF3DDB5AC" "BFB5AC1DEF3AA8766E4921B42DF7B9E3AD5299747300C9D2640" "6CF195DCA47A673E232454DC80031FDAA0E3DA4B66DA9DF72B0" "40893378AEDD6911D35D3E007828EB749BED4E16657E9D33867" "E0319E6D4BADA0F16C466F3B1B8502BDC2584BCBD7128A976C6" "C8BF2D553D38AB28B982802D1E626C47B5EE08530FF22A9852A" "C113C560DDEF6931F6E6145C3E525F5E6269E7DFCD4C0517C16" "884C681B1BD78D4A415039439BC5947C65CC35BD52E7E2D0FE0" "C88B2C92C903A0DB75D5BAC3D3D6A5A323CAEE0E55C61E8BBC1" "113A7D8AED0B031020CD7C50346B2C9EEFE61C20C14AB947CDB" "7B3D153172D5F32BD267B4D77A7606CFB5080058F56E51CE9F7" "3E7D75C94A46A4E917BF575827D37773F2F9EB5A552420AEAD9" "8DF822A7EED212538E2B27DF5EE2188561775BD862902F3DD19" "A9C6")); test_hash (&nettle_shake256, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("EA756978CE1BC77F9C84A151604F37CED854B00328DF4A486E9" "626C7DA6098F1A6380EFD8434FA59B037AB18C3488B404C03A4" "838A9E6C60B37C9348AA2CC3E09F016B1F07FED8D4A0B93BFD9" "121B4200A706887297A91AE12E1B385830536A88AFADDA80D4B" "14FC5CC9C49916CCCBB47F970378AEB5EA6F6F583D131E53AA7" "08196F749644DD153A3177F424921254A7FC92CA5CA241D54C6" "A1E565298D2BAFFCB173D22160241A535D34358FD0B54640CFF" "9E04890BDF23BDA5DC770240FEBB778D1D0B4B3C98CA7AFD251" "2596EBDF02F8E1EE5C74BA26A35E1482784F6284D0D5FA17CBC" "695508026CD49F30D82FE5819378DE13150805555406B8EBB6B" "BB8DEBF55A28B5F1350EF5AF18DAC71C9A02E76054EAF28E2D1" "259EE670492E75E1B3BE45492D6E3BC5096BA2952E7B1E97DBF" "5E18618EE7B197E6FC3B0A31B2F071376F6C55CEA08BBDFA37C" "F676A24DE82F23878566B48269141C17C7304D6252952158078" "B481FA4270C2DD631AFEE7D7518D1F1DF43B9841F10871D3B80" "E4680DBB89CE8C4CDAF4E16A4892A83F927AC7E4EA692C6EF1F" "E6A6B2FED3C8393A5100DDEF4B56FD158E45A95844E2195160C" "3D3E02FBF51A715C0117627C783D503CB241C636DDE3443ADFD" "AD82F5D9226D49921FF60788295A47B0D76AF43977FCAFEA4D6" "1DAD09E2318EA16E32C44B14AAAB6224193C3B9EEF105057A2B" "AE72")); test_hash (&nettle_shake256, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("609D7E2F634D0457E311972039E1645E66392CDBD1414D5A8C8" "39F8B22618AC73BE81A745B9E2B83814A527F78D588119F7464" "CFB235E56D9E2F794A5BD510008689ECE3EE818707BE101A3B8" "A5E1211E3116AC0E9746F79A01AB9DCD01783E961C316EF4EE9" "08CD69C7C2B0E3560FB6DD5649896403D07F021539F8ADF22CA" "4E3535A81EF643AC230A0C94913E9584FD8AF77926360D280FE" "CA2283F8097DD843D509C5E34A9FA8B02BBA9015753D3F728AE" "F7053407A90DC48F15EA272DF1F478B967DA4C02C8D4F2903F9" "A98F90CA1589BEE5590195E0F6B24913641C2FFB42DA043B454" "8D82F8F0F580356E9946022B06DDB0BDE4947D4A25767C65D1C" "A02148954D1F33F07ED0886552C23286696067FACDF37B5D468" "B1A5F29126A2805BCBA687F61D920C53B8346579EE0D312691D" "FDA9E53B3A0EBDA1CE213C78DE4CDAA3C5D9C6D5A4C66A5B532" "37A7E5D80E8C1DB49656E28B2DF50C02E9BC580A62EE5E6F72D" "9681435BAA70C0B51AFD2CCC109D0D45634072BD404964FB44D" "2107A68E1A9CD60E63B847EA9C75EF14D19101E391D8F80D05F" "6BF0966C949DA6D9C8E2C865C0468C825E29BFB9CA2070518AD" "838A6B1530723F6261277EC7D1291104049503198B6C3B95D1D" "0EFCE786D5982F6D0120D9AB2D1C0DD9EA89644103442A76E68" "04A57B54FCA199E6D714576D631422BDA28C2A7F8838CEFF879" "E0D3")); test_hash (&nettle_shake256, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("F5D0630D6BD21787A4101E2287550ADED2C2BAEB0CA91D24CB6" "1EACCF83B0D15700C6A95E643D8EA2383929D23DE5A1819EB75" "71F38CE173F378AB7275776A771380443B0CC1CFE1B9EFBAA85" "79FE6E002FE75B80FDC73AD20C727B003B6281A8BEFB7F7CB25" "45F42586AB879C9FF523D6ACF70F24994342EBADBDA27D3168A" "755C2DFC3C99360FE377C8A19F1465F6157CFF76A1D7C8A6FB9" "91058D582D5F2E19ED583136320C4DA569D9EBA4692E0BB19E6" "20C600260BFB0C95F7A8FA4560B1B715727CB04A8D37410DABE" "2ADC5CAB24465BBFB41AEC1E946BE1C50ECA676F47EA99D217D" "68F6B8F3536E879FDE16A355E71857143F7D07C9A207F4D61B8" "9B82354F0A0273AECA1361C3F949EFC2A45BEC3933E8A6E7A86" "E90E0EFE5D11F6A20ED9811A1CCA507E33CF47FEA26D7E67FA8" "8D374245B1A24D8F5C584DAE932BE1EE25ECC5EE61D31111A3D" "1EEBF220665EC401E28BB85B93D615B64EAD0FEF0E6AF725CA5" "EA8454B571A784EF95A020251FE236952D130692D81702B16F8" "DCF03CD82A809877B08774635A4859E1A516E9C4135FB415100" "359CA6DA69426D4139E90F00EFCADD155F85A4AB1CE154F8CBC" "84EFDFA7603FF48D5D1EE94A4D27DC9A450E35C60D9CF43594C" "9182B69FE9DF540F498C5C92DB68065F2ECDC52EE7D22736561" "FA617970375F6EA3D01FF39E2E22C979AB58DF80FFDB75B4258" "F49A")); test_hash (&nettle_shake256, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("F3B73032FBC450B21DB7C6C263ABA819ACCB297B724CD95C552" "80FB7F4E6A5100181FDD6E010964C62FC51C0FB540794CD3BAC" "D695A082B20016E1BE1F8FD89E77AADA0747AFAD6ACB2F963BB" "476F1B515CC0604CE5A7B18506BFEB875BF483189D268255146" "FAB7B7820A26DFFE97C737A7D5BEE677524C4B64539CE760CB4" "AB6D03FBA155D05130A50D5C1EA81873C8A45F1FB83C2EBC11A" "2A1BDDD45AABBCC572D9E93611C4A1429B802EAF44EE19A4172" "43C069C99825959093A9E0E5BFF186C757A7270E33D02B81768" "D94014F17EFFAA3B2D92FEF370E552C8A8EF2B3557C2F930B7C" "79E9F6C0573BFFD8585000954D9264611E3D6BB305B08973D05" "83C7C2C5B2B0B5AA1B0ED46877FB02646472672121A60424194" "81D4A0A5EE001E1E067F6A7EE1EA4B880D00F7815FA9658AD9D" "D643139A37B3FEBB46585A2A74BE0EC2B8BCEBFD8F63672F2C1" "F213511E611C677CD92B2D6C4E43792CE3709AE1CACA3103F7D" "267940A0CA5868AFE6296458811BA67205A5BD4B27F96573F8B" "88F8DF2733B83C420CB2015DBECC6E0146657CDAE3C7A2D2DE5" "EAF8BC9EBD0A7FAB0FA37B24206B6118CC56087B0F573FBEE9B" "D0C4B70512EA4784D85D8A89E75E08F86D204A4A03D4C247CBF" "9AF7C20FD532A65D0C89311246CB572C77A35CBC9C65BE40FD7" "EA2D41A3F5A4AEF0BE01C4DF6AEF0190171932B03EB960172A3" "8101")); test_hash (&nettle_shake256, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("FBBA34F9B8B88C9851E1B6A8613641A26E5E6944788449E7F78" "C66F32AAB088229599E67B048058A2BB6713C84033A2177B563" "407BF832D136FBA8A506B3E0C3AC8632F8C6DD058E1D242A247" "54D64D8A0E8DB424000561EA5298EDF2E5620237F4297CD4B2E" "48C87AF4ABB28167662B032F617D89C4CBBF064EF09AC2A1227" "85D55C411970A610ADE46475CC0E371ACE344B3BEE172D73E9F" "A4CFFD1806070E7CF48B722DCEC0756EB1EA059E8481DEF23BD" "F94A0050CE2848AF21B49B59320D5F4EDFBF2C1A653306BE31F" "3634E5871156C44D15F8C39C7F50FCEBB93C61DF9258F81941A" "EE98C0AAE76D92560FC4987C0CA8CBF07CDD9B96E1F24E83F59" "77A2C561870D6FD4752796900CC41AA4F2B256988403065A9C5" "06FA78C50E0B5B9592A4116FDE380EE9E6C7FC67FFCB5123FCE" "3B27A6D71EB875E88E0A8F20ACB50B3F2D46963913FCE830FB5" "E01BAF0F2FEDFA8E9717576B96F788FF8F8734C33C3CD9595EC" "2F6270BE920AA2A4FD56F83442141C1C1834820C1A41A51DA30" "8F5CB8457E6C835C4F075706051A7CDB3901413FB9B42DD9E0A" "2B8664BE7490CB4043ACAD67CC806886EA5C41BC8D81E00EA1C" "C7AFB5BC34E150EC26E4D6D8D5F0C5A362A28C98ED6B3915A09" "35D7A237BB24AA18D41DB5271BE154F4F51DC25AF823A978B8D" "41F46AE142470ADC4D008B260928F7382BB08C320F4802705AF" "6EED")); test_hash (&nettle_shake256, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("DD4FC79F3B1D5201767CE9A0F89D3AD0A3949BD75668744B955" "23562A5107CF45ADFB39B5999D79CD3CBDB1F622B2B250C8664" "7A45419A243ADF4E7FBCFE227FFA2995BA39FDBC5BAE183B786" "704D8631EFF1F88CCB8563F112440DC48D87B97BF8E8CD8B894" "CEED6B43C857627AD1EFA81045CE505FEE7F370CFA478BCB4A4" "174D133D9A7057702E7122229F53CE03D281771CFE58EBD825C" "4285B4D7AAC7CB00A835FA094683F503E92B690A4A35D0E4F5F" "01DEDE83FC829E4F3C5F783737A68DFC9EAA3CCE682E3D52786" "75D17A2469FB0A814BF71FC212D7162ED80707AAA514CD5B682" "B95B948A8A9D79EE3CE1B9AD44D3E6E6EB455CF198927072D8F" "28950AAE0B5FDB628ED5280695E7A83665C94A23EBD16353679" "7EE6733166AF631F21F6C1FF398D8D363D6F7ED518FEAC9EEA1" "F98E9E3976706F2EBB3430AF64CB788A2461B736D91876FD481" "F5F0135B458B57CC00959BCC1D145B2B776D7B5B1BD0ED154DF" "B602F78C8D567F30ACF34341C9356BE887DC85E9415602E19DB" "053E965601CE5DB866C1A9EDE8C12A81850F1A46CDC15411256" "0A1E38C40A014E1109195FF23054954F463AA825FFE1A377D3C" "B1DB279D2E5BC7FEA045CF3B2681170CF42D4C0518BC9E51C3F" "854052263D31C50867426552E6CAEFE37267A7725A4460FE2A7" "F2D951DDCF55A66AB59DE1A66A7FD15169BFEE7339428308C04" "77B0")); test_hash (&nettle_shake256, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("FE149A9560E60DD76DAC07CD65722403AC64637033653BD6005" "3F3958D0DF1EF1DAEB343FF6488587F49945A19479820A98DF8" "484CEC8E3608A8C7D15594F61FAF8547FB0BA643ABA3FE942E1" "91D61E2A84A548A4B76E0144B71E061D01E5B46629DC585EDA2" "1696B6F716ECD7D98E54FE49692B5FF7E74ED15183C4A4728A6" "A4FDC85FA56D49615E0141C65614DE51776C73A46D19E2EDA71" "226B5716FFD83C06813B631CDEF6BAC2B5F480CB59FB54DBD0E" "0FFF0539FF70FC1F5872D8B78B3E03335675925E2A6FB7FDC93" "78D3202F396F05DFCD0A2193FFA3DA954EB44486C054D7D8BC2" "2194612047F2F8C5FD5423504D6A06F0FCD4E611880C74BC84D" "7D5C3B66E017DCC79EF5EE41F9322F7DD863AA5428439D8E5ED" "3222F2346E305759B46826E039FFA8A2B0C7147C2AA44060262" "6FB79B0699ED15ED9CA54125603E9A9525DB238A518708E7870" "9D5CEE0F3A196B4CAB52198ED5A58C98775EECBDE3EC721214D" "B7A981C81D419F013F1DB230746BA5EBF30CE37882376DF8785" "ADCA0E04E9E18D0EC75778369F7516F5215AE92D67C4C475109" "0246A8F3A719BF83E3B310D61FADDB911B2080266D2B43F31FC" "9E3A5D9747EEBFC8816F63E398C9F506C00821D0F1097349FEC" "C2DC05FC420FE673F5398FFE828CB99B3EEEBE817EAB6208803" "339D8D905C845FC934487F51FFCDB4E83D8E337DACBCDC57F86" "7EBD")); test_hash (&nettle_shake256, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("E38785ED93686FA741FBB6E5BE64933963C3C872F7A4E8C8D54" "0EC3F82284605625D32A24BCE8B40264EB51B164DD86F318ACF" "D9867F3BF23998275042AAF23BDA01F602622448957B81E5147" "5F15CDB31A9297EE390F681E460EC01A024F183110C728BB09A" "12DDE89E6F5DE2B4F8C17D981E3E9C531E6D4C19448A4A6BE28" "853AFA2FBA216F7C8E2CE4E4DE31F6B0E129CB5DA118B4A5956" "9A439C1095EB50C51CD83105B1A12B3F7086947EA7381969A78" "308F8FDDAC8B2D87F4540A8E7CAC8932CA76201F86561ADD09D" "833361851CEB9759AD1EEED4E00ED19C642BC6D0AED034276B6" "6D818E8791A7C1F42F8604E8B026D4635E3BDB27CA0FB28E751" "7BF662BB99AE3A3C698AD0AA2F02408E76A5F93ABFC933B1691" "A89EE3EBCA2885EA633D0FEA4DBCD03B05B68E0F4D267144FDC" "0898DE46011832ADC872F4A7F0D8933CDD482CA54FFA81774BA" "083D3D9FE07DE94F8E03FF66D9F1BFE7504E8A497591BA8F527" "58F92E0A4CA6A93979CD1F55EE9DBA17BAC6C69E83DDED4CE2D" "BFFB0B48C0C6AED657405DE18E7891B3C854127459E89FE5442" "CA6D5C223B046147BFDEE435CF4EFAEFD705373DC87E20B7D31" "C7D37907D30B8B32054BB9ECA80D0AFABB5EC5053D94D517F15" "8EA958C7458CF71FCA85B607A352A9A3B8F4F161E3B8853F6BB" "61864BAD12DD9B57ECDA507A3CAA63A1DEC726B518CB4FDDEED" "6A34")); test_hash (&nettle_shake256, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("66FB94B62645F96FD55EA261E08A93AABE783F160AAFFE07253" "A1C3D45DC65F6AFDE9DF121A894A1A13CED4E5D492675BDA359" "26A1B147D5317D3CC09D4D34EBC1BB223663B349D3F66F05DDE" "7A66616E7F89B0BC6859A3EB8402B881890B21979BE6F60CFDB" "9F6C2FDE570D79CA9D24099820E433DD995E4C2271EB269937C" "BB96839A03BA7AF726ADF23B7FA2F86348C0489E09A559D0FEB" "FFCBF33D77CED28A439F09E2EFAA7D6334A783075B588134C69" "433AEF0F8665C05E97EC2AFE49336EE2CEC0724842A64123C7F" "43689D1EE88873F89AAAE9730B1A29768BE0E49A87B52C1F5AD" "08D700EF9B57A20F5DCC7C238A5E56CEA3A0EE1F9BDE550F279" "2741F607E81744855A5F109FE91887BC580199966DFE28A30FD" "1FBEA9AC4259E7BDF7135E4A9D83234F9D7ABE3BFB1F264E23A" "67F456096E27F540FBBD5DF0E8DDB5A6A455ECE063D4D528C25" "82BE8F111E1F7C7F204B82D40F60C2AF6099DBDFD64DF85899B" "A2A02A26870E3FECA6C07E99AD43F93D21DC275E1AFD1E136D2" "F49142B4D208EC865F91DDBA5822148C6884B7CB283DE5AACC4" "E8BB66BE3B08804246C808569B2DF0AEB08BD4C255AE1829AA6" "2AE9495A89D238DD93E2BDF5D14159E48510FC82B572402302C" "63956CD215341A1D367135623C644094CD845B08ABC7A8CBD4F" "3B66F48375DF7155BC5A781E69272EC1B3AE4E3CFA1D8D39BF0" "B4B1")); test_hash (&nettle_shake256, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("295E0FBF3C5B510D6B244381BEDF20F8BC3D915CFA4BF9FC42D" "BF6932F44DCA91744D812CB9F639A9C3D376C49CE3C7DA90D26" "7D794805A61D20D00C79F42C37BE018C67857B6A02E46B6D6A1" "47506210651E31B280043610584A1440A07BDC8540AC46E637F" "7D947792A65ADCE3B790636FE1794E90598CA6340982EC58F3B" "24AE1C703FBB91412F1AE7C23A3CAF78C4BBBF32C90C365726E" "D4832016C5A19E94685A7CCEE376184A10BEED6DA7E26D1A426" "0EFFB7E9F7A0A0C71D7F164CC967C7526A0F1EDF1FF54AEB114" "109F7B34361DB5AAEF9EAD31A4D4896CB86556D2619DE0ACE07" "C133B14006119BD4BC8CF4F8EC09CD2ED91B4E524012261EC95" "37B3BC4C67100102293836E22AB5524C979F1C1AF51FBAA2ABF" "3F0EFE6818BDAF37CEC4D6CDDC98A994BFF1AC458637D528BA5" "F701DE0BF4E4E9E691149A6CD4677BBD9821511DDFA6561C419" "B473D2BA019CF1B83B7AAA3BBEE141E2FA38F032635AA559CA6" "29068DD4639CCF579118496A903BA7DDE88FF54806AE89BA397" "4B9DC0AC520241BEE278E3EBA1B3DF1C026A8E5F0D5F28C35C5" "B04145B570D2F06D25F45BEBF4DE2785D75B0BC9F1E6F9AEBE2" "AE510D422180CEF13F6B0C8A0CAF76609A158FB6F3B17E7282E" "168DCBA19E76DB7841E384B54F3AB29D78C86861560CDD934CD" "B63742933253D7BB82B453CF829F33B99B8E56B906C86131BD6" "4F64")); test_hash (&nettle_shake256, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("9E8438CFFC23A52D75838690E7074D2C713B1188375D1A77F8F" "C8C24A4B89CA5979F58692D90DB14DFBFCAA5EF0AC0C2D16F3E" "84E6F771ADC26FA9081F3B10E02A3EE1A3DE40DB5DE17F7628B" "A3E20E5563BAD66BC32BBFB1CEBA7598AA4480C86A0C4ED1036" "08CCEB103AA13182F48D9FB363913000BA6559C855652B4EC29" "D06BC99148569B66C77F58A757B75C3BD5EF2FF832FAE020EC1" "C9E19C1117A107F0529EA66F0607A499DB0C32966A95D882699" "B96C4949912380150F951991AE7768E5A26267A8A43CA76AE9C" "5EDF31D7C52F2B09C9EB15E1CF47F85B20BD55CA47FEC048B8D" "F899A08DBE2E9C2F72BFDF3BB803AF10B5A1BBCD7B4E1915E09" "9C22307154012C67A39FA77720D7006B86A1ED4F095B6644AF9" "72CED451453B3DE57B1FAD8B4280AC62E1ED09E219873B92BFB" "50646343C46CD3C42E84E9C7F05F1AA5AFD583F685A20F996B7" "C0683002691CD28D454F71334C2387DFC43D32E633900699C8F" "C5E3A3F6494CA0BBA96EF10B7F367DD31623DDC14E9907F9FFC" "2C65DA666D06987DB1DF8ADCE1C74BDA7BC6C6D5263E3CD777A" "78B9020DB37D331A16C38D7419EC5036FD95B896373461E6B83" "84B2ACF96E46C7C9AB6D43C6EEEBF62B7BE5F95F8AB6B2AA5E0" "5D66BC4DF8A2FA1AD9C3CD9362CD183C10C8CCE216FE48AAB2B" "1C4F6FFA39CA9F8D7B14AC5BBD8C71F55776F6C0EA8583ACCD1" "956A")); test_hash (&nettle_shake256, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("07024716B8E95D104783A37F82E66D4F5B0BAE8897F1EF6C45D" "ABF3A59253261300371A4FD20601503F6D187CED1067AECB11B" "4A4B5A31FDBDF4A2B1BA9C0EEB0C2BE7730178FE435905C1B80" "AFD9CD27BCC631C57A10F3BF3F285BB80D9C4F1C70ED3099694" "1D1ED225386B7F4777C18A01EFB5F1086BE223EFDD082E01755" "ED517AD6A3E423E924147761C95B74F6BD338F1DC0E53715AA3" "1BAC84F7E5BEDDCAF56574626B23DC247D0AEE8ED77760F53E7" "FFE467564AA3159AA300AD159159259DC3252D95942215C81ED" "5FAFE0CB065758F72366E50DF7FE6F2B41E36371408503C5E23" "A4CA0C93460C0ED713872F35CC71D1B71A34A80210069B12CCA" "79CBBB04836E6D9A15E78A638B0879F74034339BB4FB39EED0C" "8D6684A67DD89B201B46010FA73CE5FBAEE87FD89D4B5C40F04" "D9CEC8510BDC3D07539C82031FE9734826CF36BB41B30426D32" "A10225209C24B631A071FEB2A9B834810E81B6F87A6128F6781" "5E4AF6A6582EA36D9BE5DCBB1D7FD0BDA2D583D1F6BC2AED7A5" "34C33A8D183D5EDF42F3080BD07CE9D78647DF008D417D0DED5" "021D7B6996D6B541DE75DD175E820728037B531521851C9743E" "D03F8DAF292846B2EC019238655256EE960E0981DB7B65A3692" "B50F62033FD79A29F4A36C27BBE7A3B7BD1E813F3A2EDA1CEBB" "29979D91720CCD125D0C43D708892BC38D0D297047637447A19" "CB09")); test_hash (&nettle_shake256, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("585F27AF67FEE2446767B05CE40627BB06D403430D94A62719D" "AE2864CD44E7A8EEA340B98DAD0520D8C16C1BB1AB562C0FDCF" "E6F1DE4F8A0601EB9A73FFDBAB82444E77487213D17BA31E2BC" "39FEC719979080A501C8E15932AD588000959A18447B98735C7" "3A2A8F4A949A8FF187520E6A9901647F47DB442BFB2772E8E8E" "22FD759F88722A98D24D01308B15A0BC715ABE9568A34201B86" "75204BF68AFEAE8CB063D6CC9EA68AF9E4CD692F9718FB5EAB2" "70A2B74AB623B521B4B085700CACE113168F56A994A639517F3" "6E3165029BF100A6F19162A8696B858A0B0716751430DB7BF07" "480427C2CDA01070F5E78E3DED7471874DDB05D2944BFB04487" "629A98E06CC4C984AE8C5F7695248D01CEE11D75A9C7F545CF8" "6BA745B8AD5564F33B0A8B72E78954A7FB253C07EC8FB3D3BDE" "29DDD91DBBD94D332FE9B7438937018E8243C2D2C30657959EA" "4D23A319854FB2CB994CED4286836E83324FEA54C58DB55A969" "165A1755D965C416E1D67468ABC701925F4A80BBD9AA9DA82D1" "48A26158712C2B9830804A4CD1CA14A2B246DFE8E8A12EAC9C1" "07E8CBBF34EF9517674350973E75799A251E72A352D2700291C" "C3F1AAD40ADC9050BEF9881170EACD3207AC0C573E238B65500" "B997DCEB347B94FCD5069CF43BF15AEEF15E4C135DD21B4046B" "201F411513AEA9629B9887D21CDC43768FC1C1B12EA4CA4595A" "D463")); test_hash (&nettle_shake256, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("E57DD7DF74504F52D00B8079631F542A532610D77DDB4BFF891" "5BDFBC9B8F25352AA3D9A2D00CA2E14C77FF661B3AA44E30BCD" "3D4B110A8CEB65E150DFD9109EE948FFF11CD01F6A98C0100D2" "323F52E323E32E9FE7BBA6D4411EEE3CCF70122DA5BFEC8B92E" "72119D4B1CB1A1626DC0CB79FB4E4C938A4A7CAA7962B04A112" "9B4A0A9C457FF38E8D3379044E4B65B82336709B95401CD0CA6" "4C10F5D22A226678A1EA4E2C54509085ABDC41AEEAD761C7946" "F33140AB775D61F7B001F141D00F5209081B11FC2ACE5D9143F" "BCB710176BCC8AEE25D0182461AC1A446F3A94788B3513B88DD" "DF5DB0BEEFCB331CD2553416A3606F44B5CF36318C72501FA20" "07F76BA506EC510508B27D692CFDDEBF075B39E531BA243F3E2" "71B5F70EA6B58AFEAA0B8264202BA2C430C33D1409693AC5251" "9F44B001ABFA9C5595C0726DD1ED36C8B7CD2F29FAA912E2613" "D1C51E2D0C6F8B27FBCDD6137307ABDFC54C0E6C6FCE0630386" "2A8EFECEE12EB87CBF8423BFEF01C6FB87225DC467CA7A0B024" "3CA9D531811A5E5090351313FA6F73D413755551F6E7187057F" "DF4CB58A1B3B3A63F28A17339A835A73BF21EC013EF4B2BF89C" "B3BF1369A87239A546A6816D8B06EC5B1D5A179E67A86665EEF" "CF439D667F5F9890DA8B9E1E7E1AD08F757CB0E3EC6D8CB8FD4" "A140846E3768076D342FDF0BE4CB135D68FAF5C93FAFBA48137" "86D1")); test_hash (&nettle_shake256, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("6C60955DCB8A663B6DC7F5EF7E069CA8FE3DA99A66DF6596925" "D557FED91F47091407D6FDE32023B57E2EE4C6AC97B077624FA" "C25F6E13F4191696B40A4DF75F61CD5521D982C6D09D8342C17" "A366EC6346E3528B26CFF915BE9442B9EBCC30FF2F6ADD0E82B" "A904C73700CC99ACFF480CAF0487CEE54CBA3753B6A5DD6F0DF" "E6571F0115E8737B071031023B6BB0D79864C3F33162E78269C" "EE23FCE47B91B4FDF91F98464A1D21E799D17F76C1BB807DEE6" "67B0B273054BE298299BD12B7A80FB354CE3E6D1ACF98443879" "A554ECA6B96DF061D04A117C98AEEC1CDE1AFA9CEF62DD686DA" "91BB2B1F12379BBDC9FA32A6B6998B77E8EB0B50507862AFA77" "99D018E272091F51CADD81ADB587EF67BA67618C45D1F3D559D" "BD299ABC26EC712DA8FA34BA33BFF400D1F0F8B6345CF57269B" "858578C0072A91A63EF85F9D378900CD1A55D2BD4630DB829EB" "484D89CE7A414ACA173C52534AD5F9355E80E395E79156D751A" "930F7F8B5D9F4D5A2C9A753723083C5E8EC6CB24D8EF93C8FEF" "2D1BE4ECA222C6E6C2ACFD684893CEA65CBF5B096B3D8660071" "36126A33EF496BF2310F293BFA4C93AB826821E2B93259C464E" "0AEB06D6DF8FFA30B1C1E7E384C7E427A2BA3D99FF8A666380C" "5C1B678F742C57B0C3B08849FD65300DF13499DD894EFC33116" "E7D0774064331FDD407487417D13BBA4285299AF650D3065D95" "1131")); test_hash (&nettle_shake256, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("CC2EAA04EEF8479CDAE8566EB8FFA1100A407995BF999AE97ED" "E526681DC3490616F28442D20DA92124CE081588B81491AEDF6" "5CAAF0D27E82A4B0E1D1CAB23833328F1B8DA430C8A08766A86" "370FA848A79B5998DB3CFFD057B96E1E2EE0EF229ECA133C155" "48F9839902043730E44BC52C39FADC1DDEEAD95F9939F220CA3" "00661540DF7EDD9AF378A5D4A19B2B93E6C78F49C353343A0B5" "F119132B5312D004831D01769A316D2F51BF64CCB20A21C2CF7" "AC8FB6F6E90706126BDAE0611DD13962E8B53D6EAE26C7B0D25" "51DAF6248E9D65817382B04D23392D108E4D3443DE5ADC7273C" "721A8F8320ECFE8177AC067CA8A50169A6E73000EBCDC1E4EE6" "339FC867C3D7AEAB84146398D7BADE121D1989FA457335564E9" "75770A3A00259CA08706108261AA2D34DE00F8CAC7D45D35E5A" "A63EA69E1D1A2F7DAB3900D51E0BC65348A25554007039A52C3" "C309980D17CAD20F1156310A39CD393760CFE58F6F8ADE42131" "288280A35E1DB8708183B91CFAF5827E96B0F774C45093B417A" "FF9DD6417E59964A01BD2A612FFCFBA18A0F193DB297B9A6CC1" "D270D97AAE8F8A3A6B26695AB66431C202E139D63DD3A247786" "76CEFE3E21B02EC4E8F5CFD66587A12B44078FCD39EEE44BBEF" "4A949A63C0DFD58CF2FB2CD5F002E2B0219266CFC031817486D" "E70B4285A8A70F3D38A61D3155D99AAF4C25390D73645AB3E8D" "80F0")); test_hash (&nettle_shake256, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("1279A95CB87B1CDF2F8A8A47CE55F0DA3766E35EC58CF921E07" "B43B176CFD6CE8508A208C9D6F5412515E0235C95397A47D2A4" "B13A357DB4882F69B9C910C985A5F82187BFCC46BD48CDDDA7F" "65C3E95481A37202EFF9C116BB3F784BD46574FBD49E19B45E5" "E2D18F57BE7DAC826A447ECA6E2A6BB44B0061930DF56864C37" "8E020A183DEEE8445648EC2F95EE5F09CFB196E3D8090535664" "46FCA6BC36896215BCE115B0AEE55737A4421316D2058F24C36" "D46279B458E901D3A8062300024068D99D8C1B8BFB6F3E5883B" "FEF3C1AED55989151C2CAD1EB940CC82398DEA1E5A92351F0D5" "AA7D47E16A949F396194EAE2EBEA1FB731BEC12D2734C2F1E74" "64CA2FE27F036BFB28A32A9657C75EAEE79F86F2CE5EFF1AADB" "68DA0B32A4BF88A37F1D66D13DF4ECE65059BD4ABF91A3EBF98" "2A1F5E9A6DA639623D0C8E5FC5C0C8071965221C4B79CDE7D44" "FC258F20CABE3C38862851952741FC9E9E87C06AB0CF8B8FED6" "C18666C5C70EA25973FED36D90429C54B157174A2583E142E26" "F2ED492A9FA74F1985FE52A421C2F97F94B73EC7D881F0D0B0F" "930461FB896B1806C704307CEF682834CB583B6E996BD31A6F1" "D8586D416FD8C91EBA59935FEB12A1E77D0F3E05F80842B14F3" "4F27ADD947EE3CA2E54BBE018FB8CA27FFD1C24227572CC277F" "723535CBA0133E359217D5522676485181ABBEFDBC31C8164F1" "7847")); test_hash (&nettle_shake256, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("7A2DFE06B3AFA54B49414379BB9C7A80EFBC8D0630B8CA170F6" "B22CF65BFF168F2BA6E32806E6E7D9D366D53A319BC2C8B8AAC" "7CF8158128617229D76AE594AD71C0E0541B86078A62D71E299" "2E555EE6FBEA906CCFE58FDC7101964EE8C3C05D0C2C7D8A01B" "7E1629BCF62233C0487E36E1C25474E129B72F1F9BAFD6E0F7C" "9FDE8DD44DDC1DD9668840294C5B39C408AA1BD1395D1F4A236" "8D9D1E5168093A63732545FE594B32EE91F89B297E3A33F53BE" "9A1A00642C17DA7061C10D1525F34180D04C78BABF6B1C866A8" "AC1D19FC17C24F13CA4032D650DDA748E2A09D3D97A2125D52E" "670C1DA4AFE56E60DD789608F50E914317EBDAF125BCCA849CE" "37F38EEFE8998BB2B1B10CC1B28AEAD1FC48FBF1C95B2A0F063" "7609CD569050BB5F3711024CDE92BBEFF1C73C9B6C8DBA71B2A" "A238AA26B4007978EFB346D3FE0031C391A70F362C4C5FE1DA2" "D3C73E4BC52A400E5998660D8C127C46CC7FD589DB2C952D2F0" "77E4001B2B6B46EE5E56A44578B4B8DC1AFA33C3994CE7CE49B" "4D8181195076B938BF605F61A74F9C505C64C2A75601E7EC3A9" "4B22157308BBD481553ABFD8ED5575B828CF247F6D321FF25FB" "AA245F9B30B39171E1CFF354B9F20D55196EF66D32C4693FDF2" "49F528C86EB82779B5FEA03F8A95F31DC0579B1CBF178B23B27" "6E5618941760B117AF65B83374C919D6D423B575C5C459B5AAD" "6A2D")); test_hash (&nettle_shake256, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("FBA46834A6995933AADDF85B59F60EB3B77B5AD38BC21A86207" "9D8D2227CB9B3CE3ECE89D90C70B990F7507D5C3A565974446B" "54D43288ADCCE2BFBA8914EB498DC6001BA169417AF6DA3ACF6" "85DCBE3CFA0C59963F0F0AB94D39F05A69D5DFD320EF409DE76" "FF85E01636F57DB9B2DF436D94EC2845F0C0D1959DB6308941E" "40C946F4C3B3277A065847C9E3CCDCF113DEC5DCBEF5AAA1C5B" "91C19E05EEB66F6E698178B7B02FE00B89DCC98526FA0E7B2C6" "247E1C175A21EA34F5260B0C0A625D7AEE1680B20B4667B44F7" "2F1353BC71DF6CCA4346EB54306DE3C380438A9B8E6CC47E6D1" "8D84FBECBF9A6132F63C191635999105967C2E171B74615F456" "D2E111E7FEE5DF00217B49BB49270BEFE5BDFCE1486C13C6A94" "E31A20C1D377C410324C08A17C2D04710CA267E85A2CC1E17AD" "A367C0F65AC3A70AA5FE14378371132026169657D1BC1B84C19" "08AB46689494C3E8A34835F4DC43D19E9328ED0A16341E5E9AB" "B80BDDEF1BF5FEB5DDEA560253532A6607E2E128480DEE2083A" "F54C67E971CC6B56383A564B0BBD2D802C6FAA7BC62629595B1" "7D04C3AE20F73B35A9AE4D356D401345E0A0D5174BC457256DB" "BD844F9A4BFCE0DD48F35C5F8A915E61A23899C40FA63A51F0D" "1160E16260BF4DA1902AF01C67E8997B2AAFE1989D013846CF9" "85164C03418930E61FD06F9D30F06897460DFA1987D4B5D73B6" "8CAF")); test_hash (&nettle_shake256, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("4B60950081987C82C2F1A1BB9EBAA9A72E125557E296BCE9895" "561C6A959371EB1AC9A13914F4419B4A0A1048B3D422B53261B" "0AC26EB9852E9933251E154996DEC6219A7063D87228A8D72F1" "3FE94A0E75485C8F23DB2341EE7439FAF87A1B359CEAFE42903" "19F4705B49CBA0ADC24DB4FE8800AE05664C544D53EE119CF4F" "1572DAA355E48DB605695BDAE5BF22CFFB60C019934F2AA9529" "18B388EDD9C53DC8FAC2186CA0F77AC6543AC379B1ACEE9913C" "D75CA8E0F9D89616383C9541603430AA548E9A9DD8F90F64263" "FE42A9B8F66991CB2B8B45AAF683F51D194A01098A10D4BA110" "7C56173825AFD79EE0A334CE739915D4F046C814412DF526ADF" "F4F23811BF1C6A254372E8E46F0008F6332637980417043BAB8" "FC21E3715B713AB4BD1DDB3D50FB9D5D6AEBF94FFDA51D3BD4E" "25C82B295BADC7F8F11CA787DCA045DE2B52A79226ABB945F69" "732A1D0DA3A3228D44D8F43828D8958E621851F4824590C0719" "982CDBB3602465C28A97CD4CFA33D6EBA65A3F6428ACD37D669" "67B8C996969D866A02FF6EFC1B6240AB557321260EB4C9D233F" "F4E1C293ECCA825DAC943DD1B9A624AC37ACD1A818D2F74AB99" "B2883F0837F77D4D00A52DE0924EF55C7536916677D2AB4FAA8" "F19E8DCE97C05690570FF0117C32A3F500C2FE817AD651DF2E3" "C28F5E867083F607E8D0509745588ADD19F1BB7482087A50821" "7DAA")); test_hash (&nettle_shake256, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("5CBBC93FED206474A11100E1973984D5BC5D06AD92996FC8928" "C1E6BFDCFAD5E32665F4743EAE8FD28289DD226A0136ABBD5ED" "BA5016E975381D4C3CC95065FA4CDAC2336B39342BE8070AB2B" "59DBABDC77B8742E4B3C86F1EE9ED0C2B5030FE1ADBE28F8271" "11FB137C180B9994FE150B1F5144081AD59131A6017CEB8FB07" "15DD2DE6B3BBECD2FDA4C3E9E8A652B5DAB4D0B39CAF6841383" "8CB1960241AF59A46C8B5FCA40552693CEDA564862DF42C5827" "EB371311FEF9231FE1B23ED07F72DB6410172597EAFB5D077AE" "D168197F20C3B01CC3C52A94546B722B4AB56211B48192F908E" "7E7A7B7020A8F6370A0B73E046E3211DF3352DEB1D59E4940E4" "5129A6667F160D2ED6EB703EF962683540E3A9C7C94A61875CA" "C09C4E22ECCED9E2CA6DC519698042F67AA518EAF3D338C5ACC" "D5C2DE5C3DF6B4A2273A0FB8880CF3F81D046AD8B24E73A8F3B" "D7CA65CD21AC2D950A7E36D0A25362788F1AA26B71CA434AD14" "EF3B002BAF6327D4A5293D91CB838E4212949675DF185B70D8B" "42C0C01F289478F0A9FF736E6838EEC5E54413CA6F7F22F51AA" "DA7F3E9C69B9009599BC437C0D806BAEDE6DC1B2FB9BBBA43FC" "3BFB5CFB408A9D8EC1C1DD1528CC2AAF144FBF9079F86577A4A" "042A085975BB1CB5DDBCD728DF6BA69CB23A8BDA0368924466A" "89DA791D4328DC55800FE8639987EFC172BB29836A901B3F4F3" "FE9F")); test_hash (&nettle_shake256, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("CA9CF74ADED61A4BC20BA078E8053702BC1A444CEF69AB058B9" "C0F586286C138CF02AA36CB69E0CBCC52F455623D27B9597C93" "68EA5DAEC4278E75AD5E3FBCD480DDF8EF39B3D10808D202470" "D18118A215838A0F6C547D324FAAB761F7C8CEF462BE150DD49" "A26DF4E453F997C31FCD27280E846B15F640FF8C39BE270DF9E" "44CE57CA82F6F6762777089276A3E67D8EAB0E4A0C2E1946FB0" "8B3FDD3FAE438CC2E9EC8BC1754275FCF4060E31428B9F08E95" "3F9FB4F80560F2040E4B6CC7BFD6C278FF01ABA41F43549DC0A" "A0407E5C8346543B1F1C24D1E05475327A48821C1C1058850C1" "80776EAD66996DD5A02865702E0E4705E8E2E7D4D25F058528A" "C980EB831D6B70E7CC06EDA314D80E1433B2A63EEC405BEE2AC" "B18CAC238ABDF254DDBBE72640C8C609F70D04C77D2BE9190F7" "8C8E448035A9206841C55CF9152AE5F7CACD798AC696299551A" "5D45ED113C94CD862197EE118CAD47B8C08BF4FA1C6270A61DE" "6D538D608E126C0FFBEBC7F44D418BB87E557E550CDDA20C2C4" "7F2CF635411189D30DEDDBB9075FA6F0521D2C4FF0E4D641006" "CF5EEA1231A87D020664366EBA5C5610B63EE5B5A50C2C8CA6D" "7EB8CDCBDDC34AED08ED7E0EE437E235449D4C1CF095514E581" "E3C8A15EAFDAEF19FDEB31DE6619BEE6B17B31A96140CDEBF75" "34E0C277EE33C54319B140AF0135D6F91F7D2166026C67C71A2" "1287")); test_hash (&nettle_shake256, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("9FB76F906CEF4A8C7A9CDDE3254E6D4581DCF745B26995FCBC1" "23E716F079E0A0B9F7C8CCD9DC5AF8894B2D9783395F7BC05D9" "5E20419C15D74EEAFB23B6F1BA427B4B20BAE38C2F6812B74A7" "A671384235DF3618A7531123412113D57B9C2924EE4AFDB9CC0" "55070485A2960E8E5CF1971171F604781865624B075C3C01FA2" "7F9B602C29E257821ED92B35F7941637C2BC6F0048A579E3845" "03182CA8498AE7493D398476727A2AD321785D2273F9F548F6A" "CA80FA7F1ACC1144EAE7C0AE58C3C4BCA20EEDC93C3742954F2" "E2963282084853AF5C8F30A1A4333374B4A66188DE73F773FF6" "A576A0A0DF3C690CC59521378CADB123BD673A04FAFB26DB9D6" "53D60A87F2834683D97F5D6E23FF2ACE2AD0A5FCAC71CB00320" "39EE01A2C3E37B3E1C14ACE44A5A6E43B1E1A0FBC8AFB0C811C" "911F2853C85F10D06253D29362D08523834273961E37C4BB0EA" "D4F79E33D77EBD0D843709B121F8B509C24396549D2187DF52C" "996EEA9805C4A3C4F7729003D7BD7FFAFD6384779D6B6163AD7" "C632A408922507188EA22D685E05C8851EA9C6E625D9461EF06" "AF864E93F9B4544F00244264DC57F4A91920FEC0120357B5430" "4ECD0A45DD8A6879EE01F66F222C6CBEBE8617FC06B28805F48" "0CBFE90D42A38D1981A4176985775CC92E3AA632CF4D5A49B20" "1EAE275628A3CA7BBD4992A39ED5737CE0B4C32ED4C4D84D9E1" "5A46")); test_hash (&nettle_shake256, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("D512EF86B19C0FAB408DF09A8CEFF07E8259CDCCBF0C060CFEF" "D8FCD3951BED94BCC30005DAD8002227AC4524A8E6270961266" "6F54866074F2272E6CCA23A88D5A05DD5B44DCF411E137F4464" "5187BF03D8CA19DB835974CE314ED8F3F1CB3407CC48650A61A" "8352FA34C4C307B8DC438634C292E91871A5DC55775BA740B8E" "1085C14BC779A0260288B48C80AB4B2CEFF645FC47751D6DFD3" "039246A5E7F8B1D66FAE0E2B71172C24D599CD5836FAF10B567" "CBB834804C16D111B56D8961EC67CE6DDC989B0AC0FB3975581" "D3BD70043725331685B959E22AF6509D4C9CBB8D4E10C9876DD" "F6460D62AB09A97A220038952F7025993F3F3C5EAAEDC9D9AB2" "AE948F56F956CCFA1DC670C47CE1946EBBC7F1F537CBDDD3938" "686E65E58F1573806EE42DB6E22E1D5070820787198F27B8424" "09B337BF0A5647C63DD0355838F52971616FD7318164CF33164" "1FAB6E3B2282547288A76BBA5B973E138E4182783FADB159CDB" "1141DC950B70EF4609055076E7EFB532C9A944C419BAEE914EB" "EEEF7E1890B292F27ECB8B7DA25B0C7DEBC52FA75F50247BB67" "1087A0DFC15FF3DFF6A3E57791F2471889F356D44A3A10228DB" "2C3CE778ECBAC53F127DE3F4621E6D83F8714C0D66763460A01" "1958101123E9CE31F5562B73EBD4F08947475E62C6D815BD02A" "3BCB12B8D058DEF7A9DE8B4A70A00D039381D61DC6C0317A0DE" "62AA")); test_hash (&nettle_shake256, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("FBE450F412E4DEA6DF16609A1C5513DDC550F7D7FBEFC4F5F9F" "193F3AC88351CCFB1C25955818DFFE5DF50AD08B3DFAFACFD7B" "FD484A628F6C9BB4E32F271F4846BFB90BE00B80572C12457AD" "35541C7FE0FCAF156AB66548A7D90458713F8E10E725C575908" "6D33685D43F3ED682B1F53453707FE17F0D389D0A8497E25856" "6E93062B31E3538ED95691CE730B1DF2F498F010A2C2DE04DC6" "98410A3D4669329E685827DEAE4BAF2C15DBBE975C9DAA13430" "C440543AD94624501AA63AC4D012EDAE314DF68D7D4954D4119" "C5B9505D566B8AB9B54007F4B8D92D9FEEC562B9E0E37FD8643" "907D8E7B6FDE785195650580373D3FC69619FDD039606064E84" "C6C6E44118E4921A2DBD185E7DE90508FFE7380ED1C9917E0E3" "8DE26D8941D6AB0D0B4FA213DB4B075A362B314BC7C3CF21A83" "41C611551057F9E07492C8D923D54336F3F0AA44422C423E2DB" "0D598216889753280B08103417F431658F1EBE267237802E1EB" "FCA862027A29AEBADF8ED9A603983E0BDBBE84B3D9A5F862ABB" "F5E18E5552C0D3E7577B96916123B4504AAF2107F643067B88A" "DE293F5B3FD3F6955CCD9AD7E134C9F5EE60F6DA78032AD1C85" "D710BC21939008111602147E0BF1D79F7F5302686729D44E44A" "7A6521B8270CC57CC8A6F16770BA66EDE8FA823FA088BB7DA7E" "EE980C6C947D7F510DEB93BF0B5F4380390408823AA8EB980CE" "0F04")); test_hash (&nettle_shake256, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("6658EB2FEB9A739FF1724FE1526089D0AE807945741C2C6CB63" "0E8F5B9C88F3455017BD81A5ED8F441AFD50414ED0B9C267E52" "7786041C4E3F8DACCF1DB60A0ADE7199F689C8F0C04CC846318" "F0B8C34B122BB98386F48B0E69317938DF76C9C6D502BFAE1FD" "A37DDBA108AF9E2D07CFEB50BB79D828FD5A67C9C3771FFAA07" "C7A47FA681A1358611BA76B079F4FE14DAB9A0D3A4E5D2AC41F" "4F1374319FF9B81D970511464F5DA9AE9D6312FA8BAF22FCECA" "2B4BEC1A8D887F47811F1E7ACC1884DEE4740AB2F6E2B4F8C11" "C81C7E40BE19F90F27FD1722AB95BAA214B4096B4B11A1A9B55" "3C4ECD789AED9F22FCE58AE1963A62E450D754CB048C68EEF0E" "7D2C2A146300A902C56ED8D149BB5C36566CB8A3DFA8582562A" "48927DDEC45BE750F639881CBC33D3B48C128D91108F2A55724" "BDC5162B652CC03D5F591E96F4BB40A571E1B22F504A6BB6D8D" "897A73884057E1D2EB15DE0D3585BC14CDDFAFCE3AD5D6A861D" "7CF82B5F1AF784637A99B79F91528C4976720F34A3A12BA0A4B" "C84975CEE3167D4E72292E9295629503D642A29196B934E71C6" "3425AD701820E79DDC9220DA7C7A2AAAFFB852793E822B69157" "34FEC8B93344BBBC66C5192B7F1AB6BCC63713B11CC23D54144" "1C04428ED11444BB2F7EA981603ED4103F86E6623014FF97CD3" "2DA3C6E1CCC22EA8BBF3B6853764A733E61397302A96434ABF2" "905F")); test_hash (&nettle_shake256, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("CF7D80DED88E700DED518B2F0049405AEA695691924B4EF0620" "5DD2849E7A0090647C3A23407CD4EBD5B582C32B6554C506E41" "6B9D13903A3AD69234826E36E3C5862BAEF9BD93EF345125678" "E32EBD5BAE0961935232D5BE54AC721FD75FE1165341A41FD88" "0D239DE12065471AEE6CF970CB6A0F02ADDEA861FEFFF91E6C2" "E482EA9BC255FB00CCE1FE8CE3DA479EB28768F356C2EF83F40" "0A0F0CE859606F3862A3579E609DE48F1CED3C86A9EA302462D" "E9A27B0F251798F9D0ACB22E6C71011F0DD45B11E8E33543A32" "75B24B6464980A5B6FFAB2E9C8055CDA16BE6C60FB616A8F3E8" "B759552A2DF2B05B846BEAE18A01DCAB1E92545B0B3CC2DC251" "34379021DD7DC294BD97A775C174A04F2F67591841E080308C5" "87E208D1B497E229220C38469944EF41F61A64C83E06A4390BC" "F318E53E4A6E9214F943D1EE957B71E8580E0A183C6B05924CF" "32809772CDBA700EA369448AB56F399385D4B8D851CC8D6E800" "3F1035C6E739C91E03F1FCD9662AC99E372B45FC08610265E53" "0F53FF726F599C33820AB468E6BC2C551204260271FE46C0A29" "75A18BCCFD87A53B2A7EEE2095A180B0A5BC7D64D57FF8EFA62" "8349E00C84B271DDFE13EB009387B1055F3B0E7B556CE6A738B" "9DC880B22E79666148A6C4D97B2CA581864FF4400749750BAB0" "3AF9232815BD21A1A6460483505C34F282D59863B9F491A39D0" "28D5")); test_hash (&nettle_shake256, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("FDB4CBEF885524710F96F1B489099A8E5F9F5EF2BCCCC23B6A6" "19BC81F9DBFF63B9AC609BD5DA0FA7AFAC0E67BB96A54A1A64B" "4B943E0A492A5BFFF399CC9A1FDDB5787434F5034A30CA767CD" "8A31B69276435C99C64F3C567EBAF3C69FBCEC540CB2FB671CA" "3835ECD228C7C7649410107D399EDD661BC8947D43D5BC441AB" "2EF39AFAC6788BCCDAC5462D5698F60616114A8346707606D15" "01C834447031CFEA921A85AC882194750FB8E4D22573A27F290" "1B75C6887D085A6B47E2BED5AF785C9B60DA38BC9F61750F16B" "2E06CAA1CC77CAD2B95C5D583D0E1BCD7E10B0D8FA8DA7E0975" "07D11873395166E3591BAB851EF4CD7E1F05CD8401AE4967378" "94EC50DA4EF475424485BE599A4E8387B0309629D5B634BD70C" "4C95BE723932EFC24CA8FF978CD31B08666F2F6DF9E94A6F8AF" "CDDE6C6A01AECB63950A4B4BCFB4ECBC1FEAF3B54454CBC7292" "A65282C9B0D7C6A053FFC11F6888DA2BBCD6496CA74CFAF0F49" "A6F5F56E14E51955B73994015313404D46BCF0CA0854407707C" "176F36C3AE5986F67984A33F252B86B2758CDB7D2FBD63606B2" "E43F7BF0919CBF97D2E38F01ACA8B3983421CA447A78BA415AD" "D0580FE56E391817783F11533C8D70E3B8FFC4A3CCDEC56297E" "D51F80215BE98C26B343736196F5C68A65B308835C869328006" "1865435383272A77397DD6FC3249B2CE17AB3417AC9DDA62EE7" "4C43")); test_hash (&nettle_shake256, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("748DE9C6E6A8886E9C34D67A5B2625315D8B0057766CE2853F8" "DD047A3B58A410B2327E56234572DB7EA886C90F6DF31B795E9" "3AF95A4C52632D7E03D255668255F54C0DC1264EE989E25DD0E" "A77A8855BC74EA1066F201C999C0BE63D1817DF33DB624F540E" "BF463C4B48569136E891C1082A37E6ADD6922C08FE512D92563" "9CC37536A324F3850932B474F313647E65FBF28CC1804D2EF15" "492CE09E84413A465C69FCA84014F15F2FF3FF5BFA6A9C38CB6" "9E75D66145BCBDC462E3A6FCDBD7835C44B9D95E1F6D72C1A7A" "F0E9E9730559499553715B0A7EDEB6E5C8C5A3536CABA0B67F6" "19AB317AA8F60A005860599BD1A1ED20FFD191CF7AD26B63264" "CE022E1CA0EEC821D6A4BFC1E97482CC33A14BE20D3F6EF96A4" "7DA800CE1A8FD6939069DF50C10145BEE28799F8A1C43D37CAA" "377AEAE5A2A19E6DA2F173124CED0AA5652AA34632BE11CFEB8" "FC3C9A0B4C45A7933B671432AA666FAFFE679562D727F786960" "609A91D0972C35B4B9AD27DADA6A24E00589CB1EB9E4706A476" "C5BF749091DF4370CF99FF6ADBE1B029505BBAD815AD50EBDCF" "22208937FBA80A453A99CA49004706A3CC3A95CFAB7F0C2FD2E" "03617F379FDFB8A91442754DE62805797ADB4CDAFDFB7A69F2B" "0CE9DC530A9EC8C741E892758512C4AAC208564935791713B49" "B95A9DF215FDD74F906F8EAA7B13A0EAA443D78A482364ABB88" "3813")); test_hash (&nettle_shake256, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("1060697962EA79B9519FE3AAEF385C997B2E8028D68DEB08AB3" "B76F71CE161EADE98C89D223EF0384232AB3AF3A6CB1D43EF5D" "20C1B3BB819423C026BEF0BF54F4800CBF8E9E2D40F9A4C6CBE" "7487600BF451783A378558BA27268A5074AF0630F5F2CB890BD" "A971A4AB65CDC37C0215DB1C09BA96240BE066F95F158CF863C" "C18346866522529503E615E4CFEF990F49583EDE896BEB63B14" "89B6A62BBAD9330D5C3DEB673D42151ED98A3854C1E80E0868E" "27D8CBCDB90DBF3505610FE170537919EC7C191579148E06D7D" "89BE3F5C88C430E38FD36D820DB5A941680E08B5D1859EA327C" "82EF50ADB1D8E6E5184652064CAE2C617337ED36CBD1ED42CDF" "3ED0C411CBE1A9E92E0F4ECD3CF84CB6C07093D51CD4D5E7C75" "43D385B9F420248749675CABE9FBB87F56C865325B826C4D32E" "28B1E4BF1889F2D00BA87EF01720D73EEFBC38828CA76027C65" "6E3758DDD1CE730E2AAAC0354EA71E79D53C0D3526ED8FC024B" "B8CD675AB290FEED6CEDA91A29A71F5C128473EC94EE59A29A3" "81E5046EFEFA8BE3AF7FF0858DD54065B41FDE35F618235D522" "1AABE2B4BE62C1E7FDE8BEAD94F7BDDBAFB8A471199B3BC099E" "77D8190029CC7508D576DB31F362B09E5C1131B0572D86D4A7D" "4B533737EB4D7E504DD0852E079F2A1B2B3A526175948227EA2" "511ECD4385F616B3BB086C54F191046BD1782EEE96257960104" "93B3")); test_hash (&nettle_shake256, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("F31639CA0F9455E11389937E9E58792E3D73B9CB950ADBE8066" "07B1AD53D80F2A199F577E278137035136AD2AFE7F8FAFFCF0E" "60F0B2A71E0BD9B938B28FCBA94A912F249FB9AE1779F87BB1A" "A714D1FCC57D4BFB899A233B99586F81F4885DE6693DCE78D9B" "6631957F1689E843C1463045CDA6B921173054E14BE9DBD0688" "90DF88932F68ECEFAB3AD3EECAC1B4C398292446B17E826AA8E" "35F6067C908AFCE46FD92899726677E2C0589F525AE021A22A6" "01839BEAFED00F6A8FF6223FC5A92EBCF6207341B63FA2E66E9" "DEE2FEF1217D9D39915924E522BB52FD29501247B1A7B9DBC06" "678C5F29AF7CEA3D8722374446992A4BFFB0E3E623E881EFA7F" "957DB1946496C2EAAE98F0929EF3DF633E67730D06483770197" "B9DD17C7C9838AA5003C5BDB4BC54E7389D453E769765879485" "ABB3D565749C8CD5E50DA9C4517F31ABBA38F1D7A0FAE0D2816" "CA0BA1DFFE569DF4215D215676DE0FCF55A75FA5F7E899F045A" "4B6051DD9355032DAC56FC56C4988A4C082FB85B74A4C8A407C" "E1A06C344B2E833281CA64C2F23FD8A9F996C563E9AF8742137" "617C0E46C5168E0B43877446E07563DEB3D7654D9EA3C8AE3DE" "C58C5753F34FDED605A49236336F0B355E95DEF3BEA7A367507" "F19F4E0A6DD03ED3090C285F761C48A3D3C5795CF277A87FCA6" "88495EFFDF5D10FBE07840C3F202D85044FA3BC41CDEC4D0AAF" "59BB")); test_hash (&nettle_shake256, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("F04B251F8F1A9FE87E9F8B0BD8A641566174CD2157ADFBA255A" "4DDB7A001ECD9B479B7877C38E487DFF1D830D01DAB9684F143" "8C4812BEF8DA03ECFE57E7EB68A68E4FEFD3E0A70D607EC7710" "2538D5535C293339532953138995CB4F23AF709F5C103E662E7" "EDC447995FE5BC716C7BC482CD0CD13F17AB48D33C8BFAA67AB" "6AD30482B6DB8BA5B1290656BE81E1B543793D47C1D0EE7BC95" "3C812E187535A0659B2CAE6BE47284419744C6AA66B9E53F76B" "9F90D4AEF8DFCB04A98C82FB434C0946E5B98F2C3BF25C128CE" "F77EFB9F6412EB11F36E484FAF2043A40CF44C6C3D28761F9CB" "7149C3DB4620D09B220720767AE41BB097C865720185C19A474" "E4C3D706A636E42050A23766C2FF3A21C4E9DD7AF62F47ECA67" "1F473E2B487A65ABBFCA74CED063E33F75955E9958240BC3907" "BB90EC6F49F384DF5E936AE14FCB308F8ACC1F7A406DA680E4E" "FDC2D2BB74B922C7B49E4972E388596B4F05FBA68ADF9A22FE1" "6737394DFDFFE2F0D32F1283EA81996B8309C2D10D4E32D4B7B" "C3D88484BAB364D0B7E35FF5647053CB34180E037A66349A254" "AE2AA8F81CC7FB5514E76D9A01F96394E3A0044039C452ECF0F" "DF5B8A57A2A5600AB31AFFD1E15D4642F1A37DECA0EC60EF753" "797AD668B7D9F2BC02DE248C719311E5696E11688DDDDF71F2F" "1994331CBCFBB9FF22438825620033734C27F9FE72766BD9C7F" "B021")); test_hash (&nettle_shake256, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("8728A95B55D97271B701B1BF2C2987AB3045D39FE0978C9467C" "41D44C006486CF3CA11B8C0D22C619A8E4652AEBE67FE9FD7D3" "5357633C8E11B865BD4C55571D764E6F92E29B5C93606273522" "A958EEE0CB2315E89A1B5C45E763B145B1166A4717784E993E4" "A7A699FAC6385957AA914BFC856E8CCC62DD39159F0FA5D2F4C" "74A4C9E1F3A1BF04F8D73BA5A3133243973562AFE874C403310" "86E7A9705AC76CE8482B7B029278CA61CF74B5AED280A6E7959" "06C4C3F525C5CB382E55AF0AC5C9EAFDC520B0AC74F14E0203F" "1209FE6641D1D971C76370204FC14BCD6A8223E30CA81B7D9E9" "4F35DC53634646A21C28E873BAF741705E4862AB6945653A312" "125F534A75B6F2D1CD4409D8F842DBDFF9FEA090F6677937DAF" "354F6130ED77C32711AA0C7CD448D92075909ED7CFED67BBD5C" "CEDFA34495624EE4373D66FC2F3B25B78AD6A1A9E9FA9A714EA" "24240161C8CD88F24FE72CC3160D5F68F2387347B580E945F40" "1B0B025A21E97FEEC0D4DCC412D2597504489B3CC20E3C883C0" "D88F26591AB840799B5E9B253FE02656CA6AE1A1EF1BE5F1961" "F29CDBE35A40BDAF2760C7BBF051ECB62322DD178753B3922AF" "4CEF0AFF4955C32F32AC28D3A44B7F1E8CF93FE6547E8C3DD35" "159E92A9F3C6E4CF2A75C97CACC0D732B984A8B7A6AF9B81898" "96FEC2DBBEA60C3B94904F154BDC8FC291E027ED03EEECFED06" "7969")); test_hash (&nettle_shake256, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("B0EE2D0215F195934D2937D523D38F1AF153FC142C04E5D6848" "34596F3B909241938A56209D414BD1AE0CB43EB2B46C314C1A0" "A0B155D432947C318642FE5C5B4FD6D0E4C21A9DC594DB20530" "7B41EFFD14141454EE55DAD5667CC7459D0283CA6652CD5092E" "F8BC35C908ADD07FD5DAED66AFC6740BAEC7FCD64B838368A8F" "F0DCFE25B0D46FEE0B842F9E9F59EEE18D73C2549CCE009C388" "B5A8EBBD54B35676B6140DEED07EFD4624D5A7F816189DFA779" "929C5F6B1B9489E27492AD0F1BD085EE890794529B75E10BA00" "6C1B66F3F662C30DF8B1295E1FFC301DC7060010862CAA14D7F" "A09817F0D91E928ECD89FD8E76E69B3EF4986A15DFFCEDC9AC2" "4E5E28783667731F07998F8A36DA512BB5BA0CE50640A1A5328" "FE037F5872A85288158CD5C66B6C03F1925C12258AC4B5E675A" "CD73716AEAC389F9C235B02FE363A98CB10D9A0B44FEED935AB" "067C2EEB499CA83FEDE967F576681A13C999FC7C1C0FDE2754D" "FBA713453545C6AE722F4FACA5F5F2647378BA9308DC27D91BD" "1538624F459D0769F303AE818CC52647AC15E2AF9BEC6476A23" "2C1AE81BA4B355C9DBCD37323D125228A53086E0AFDC98C95F5" "6E12A48843170E9CAE703F5001B52DA42C0AC9D285C8A13AD72" "0104244F19C30B38CCD620EF8453401CA0FEEBC8B58025BBC6E" "6C2C788899871D3A5A363D51D8991B5CB5085F8AD525A71E985" "B3DE")); test_hash (&nettle_shake256, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("19E39F7444A4A0E1C003631423A621C055D0E07F0E11EF5BE18" "36B71690CB0DE1565684C355EE9F2E6E65983B8101B5100F391" "57DDB8C8D92C736604693ABC56491C58CD66BD66498143554D0" "CE34D601072BF9D0E18EA1B018A7ED9A65EDBD0B81212EC13AB" "745728ED3A328EA157B9C4B3195F8CB8BAD94A977015B94FE80" "50F37A0BC14E58EEC7654B336A9E30BAAD27C441CF8AFE09313" "2234CE47CE3FB3722990F6C5916468B50A13C611B194D148A15" "1B9AC97A89539D1EFD2F9C6F72F56A8D22A557B23EC7D932A6E" "41B3F2C177CA9F2ECC2A1EAD4061DDFC04AB1198DB0E26C4B00" "301E35B18754DF79332A46190ECF89C0DA6834731CD19E2C8DA" "3A09ED16813D2A41F7A0A4ABE02C93F7307FEC1537ABA546865" "A3130D38ECC496E548A8EBD2858EC00A57E15E307C1A35D1355" "B8B97E9DECE5A63AD7CBC97B30F2C9DE69E4975DBACC31E04F1" "5A8C02E5D23ED01506AEFEE60A449DE20C5A50F1208097BDDED" "F6D2CB34036DA708BA53DFF7BD6A1E41057E05BB57B3F756197" "9EB69C40348DEF728BFA8382F5BC8DB63FBC08E6506AD80BCE0" "C71FC94036EEAB1C0C89A2C8AF4002BD15617834A901FFA42AA" "249F7EA700E6FF4B211F7B052ED5BDE9B242C9874ECF39B318A" "3713F1DC3066425ABE76C4AD47F43ECFEDC86A45E1E93544989" "CE7ADEA7E4CB3CF91047C4F9EAD7C98AE963F34E99874B4002E" "3FF1")); test_hash (&nettle_shake256, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("18AF27FE1B4AE8A470778480F2586A370C93640BCDDC33453E6" "F3EA1346B5A4ED3EA3E2EA43B143A22FC66501DD52DF724C0E8" "F222380B4BA8BC23F2967D0A56EC241A0574E2783A461098F26" "3533389D503B5D8550C8F60FD6FE953C5631635B6990434F8C6" "8F8E9AC3701B3600C2D80F5B12D14218481904D1F15A776CFE1" "FA745103B995F9CA8E8E2CA062C5A3F1FDC848BFB0DE4A47EEA" "DA11C51C743CD15C32BF921D07F242B83086660605B29FC36AE" "394C215251B49E9777A93AD91179CFB0551E113DC372F992674" "ADBCC2D90AEBC572B4C82B454CEB33910B60CF81B1BA558C2E0" "1EC1D837FEE34B86124E15D7BEB7155E5456DC94D2427F7D916" "B9C34D24312EB2610A48002415182037AFE89B29DDF5DD7E70B" "28BEC4A1F3FEBD72CCFEE8360E838FD787D0AA2AF3A502D6454" "33AEB1CFF47E8E6769834CF0A2A85BAFE9A89B43302BBC64C88" "AB6FE4712F3181A056921F6AC281C872E3EB21590C50B915F38" "172849CC8415BAD8161DFE0A39C2532A34551441D78825FE790" "4B3FEBD8F645BE5AA6F7DCC6EEF96431086781C17615141D415" "9D6DA40A3A5C22631BDDB7F00040F0D39107BB366D827478515" "48F3ED3DBD028E3261561C8D7FCC077D3905FF42BF3CAA9E351" "207137F7E8271EE970117E56D30B35294E8B91588DD9D990027" "4DBA4108BE1595833284047739DC4E90F9E20BA5EFB2B736DE6" "548C")); test_hash (&nettle_shake256, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("AE82057AC5EA69CC1B5EBAC395B0EFF26850C394AF8178B55AD" "808879AD634569BFD8D0C5F34F9A3B26821F63082C5D2C322F3" "47FA6976AA88ACFA9ED8393E126F7F47DFB523C0560DA535793" "7A74488B51FA67583C7A7E1230C015FB5F233E25B744F2FB683" "0278B123F7784C4F6070C8F905F96486B2D5FE137BE8D57150F" "47CC7DCC0011FD99F35DF4D9E15F0F937762C87153AC17645ED" "67581B38E2B34899A7D726A9ECC1CF2E5198ED5AFF13F2544AA" "A1A069CE8A30CB66E1B984002D20F769C0F94C95F99F914D324" "02741D5C4D631B9D6E561D32D1ADBD1F1DD692BB89F48C6BC4F" "88B669FE4BD2922CE6A3184605053322952E113C98B330385D6" "C4B6527303563DCDF099BC2102F915DDF3BE0989EC8BCEB029C" "E61974AC41A26D6DC7F53405A4F3A9130C5CCEAF71F828B3F7F" "58117EB476A46263423F68ECC3427D9A94C292EF7C4C1D67B32" "3FE15F69894DF362E54B441BA5C94D3E0B56B772AFB5FCBF8CE" "62647DFFD78BA7F48DEDD2E457AE9FEE60580084A05F318907D" "FB90FAAEB9F4D9C160259A6F8523AF77C8CD8AF344F41DD511E" "46C699A8F9A5A85EACA57780005AF313705820D8051D780506D" "02A09B04470398D0AD323ADBAA8B3DBF61AF68D9FD9DF29A76E" "0A37678C08C9D102BA960DB0B5D20B6BCDAD7750D3F8CDE6E99" "4267E190D7F3DA06C36CF7539B6B574034B43F55EF8DD370F72" "7B97")); test_hash (&nettle_shake256, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("39B12FE62B75D707C8E18FE1C8CD23D3C1E15B7F46FFCB24C70" "A1D86604FE6BBC36282595346A3374B0B2305F60CEBD77DE112" "5373F5230535AB0E4BA011C6154F65216CE58A65856C7EF6091" "2877E44ED2527C3038CA202B5445E97BF817BB6419725ABE41E" "A1529B6DDC64920DD8396A7FE3B26054C09E310465BF65AA7B5" "6B1877D949DDA06057B7373023EB09E4CA1790D66A773BF34F1" "B9D4011322E08BBB7139B1750278C2DCE88626AB16813803E32" "0515640DDD9D6A7C5B0DFF8FDB445CD65D6BB454EDF83D6BF4F" "3387CC98E381C65AD3811C8DC3B6A42C203FD2AD6BC464783B0" "73C1A9D37C1D29F85061E9C426DD195A98DF3EB0C2584219628" "57EF89D643F8BB18DB27F339BA178E85144040BBEFEEB116088" "2C3EF2A1C4950873AC4E5C853E48DD7788250DAB58A06BEEE19" "03C2E68FF0F8D7E8F55AEB58CB0D65F5E74FB5E301BAE225831" "4D5B82E3C0D7C7782AA1B34E80BEF2EB258E0BD322451097B0D" "F4532A717E2F0FC166817E2A9E24A318E6A4DB618B6A8382A1B" "D1A600918CA08EBBC224AE9A7C1CCC8978759F512D7A97E4D1F" "05173B33F670BF3C40E2807128F752FD2995EC3A60891575427" "5EBD215821A4F04AD21DD823341B15A484D0C12BB3D829BF99E" "182FE774D2EFC726EB37638CBBB521FF14E10D73C7FFBBD8B79" "EB86470DA14236C087EC3BDD336E8244E780454DA1A8E70524A" "19DA")); test_hash (&nettle_shake256, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("939D443F3AAF7809342B2EC600A9D1A47E0C4195C9E1D95CE22" "F95CB98AA970F4FDD29A7EC9DE471A1C342D4830D20DFC5ABFA" "98F8BFD4CDF752E00BFF151D7CA44D5BBE7AC18A9ECC1157354" "B2055AB08B1AE7B304623D643F6D471F23A82C2E1C67F11D527" "985208C5494138815C3CF6227A6A6FACC9E2A1E3D58B32E2964" "15E5889E58E1DC8657B0324BD1EAC60FF8DB83674B75683348D" "69978F04697A1D1D3E6D29D02094C277CF034D8203DC4D705DF" "8EAB7046C4811C18F2EC906B735BFD1C2AA3306FA0C9AA47E16" "0B6EAB89E0B390F37E53B92A1A160560E9A30EA3F005D100F05" "21AFF20A2DE0ADE53BCBEFC517647C81AB8684B2754FD62E5ED" "A0EBBF56AEED4F4992A0FD4D26AEC29BD186B2E254DA07E1C5A" "D03F8194AB350510998A3BC11F08EF33C61069D1CB7D271F7D7" "C799057E6C2ACC1D3FD8DD666E1B2C2E15CA2F99E55163BB01B" "CA7F9D53F6389704874B3E5DBE6E74D91F110CF8A4D5EACC7A5" "19F664C962B11A48E022CF65D4DB4E4E506951513D83669C786" "FDF84A79AEFDAD75414A6CC82EA84EB3A173E887D39230631B6" "CC2AD26C55C938C6C82181F57820FE88DEA96AEA2B20E330C29" "C09A645134472B1B1303B1F46DA40901A63C079689DB2C84E46" "FC548270FE88A4A2FB5EA27C58A4374F72849B9C5C7C18AE207" "5546868A05EEDC3D867F9601C5C8EE585F14A1E3A84E2FE9A1A" "99A0")); test_hash (&nettle_shake256, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("FE0E80E36E66E0610581835D69A73908F1D951A81DE93FD2BC5" "F10736DEF8A887EEFEDE8BB6074862EEA4BB0F131E48D2C3FDC" "8B8B8B93AEF4C06BF97214F4D0C9000940F81664E04D88316F3" "732B39E7F9685BE377B90FD7343947E7A79FEE7BDF5757C386D" "E6D02035FD4082735CE2FE898F18BDF00F3DF5BD160D792D3A1" "56584EEE92B273F9A52ED221831942EB0F148DFBBDBC2196006" "4D0E9E1CFE4E08C7927FDF1F0956288419B0372D3DFF7D1A252" "8062D31D97D17F7F8CB09ACE01187710E9DC2CD842CC8C09A0D" "1FE34424283FCE75E64446608CAE796C1F6385F989FC93B31F1" "EDC36BD2C3EF3B71D14F25048B2E30A5F279180FF3FD0B8308C" "A93F4D1E72F7F45C7313AB6315D1F0B198F8D5B47742E94EDBD" "33643397661391A82832744EF99CAB293F26C8E9B0F9D6C9C82" "BEEEE0A4B4E6ED3EF2E7395FEF4222F3DF7B032EA28430478C0" "38E45D36379DFD182877F827D86081647DB55B2A05067913DE6" "94F84EE85BCCB1F60902F787CE27407F14C445EB5159BBF643E" "F6195DF2F23B0BC41ED595665D47B91223740709DBC82A86E35" "F615897BCDE5F597FE05047A6CEFD2529394CB85C4945F4188A" "078693C56A6124E040070771A4E509036DF1C9B24E2185908A4" "3E4FF81ADC7D10D5578B00A6DB9FB56CEA6D51590B1CDA9BCEE" "86CBD8263557AAAFB7F81418FB9DCEB0DD67EE6EE7BC761920E" "F784")); test_hash (&nettle_shake256, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("083A1EBA0EE14492AF390762E0673F2B41C1179C8616870FA5A" "A69C40236A6CFF19F322A4FB8AEBDD659C5FFB5F1A953E65FC8" "8C42C12E37FBFFD6184035F0F31AD80F7E257FB2E898C9E5DAA" "5A20603A0EA41FAE59E7684646A826C4501F0A7A8C622CF5A27" "D37E998ED954F0DFDA36A86CE59C8A8DF3DA65DA575DF054192" "69438F0DC0F41FB34064E48BC4EFEEC93BBA805B5DC97F7AEDF" "F9E08E3D4B7E2AAF58747255F09A4B53658D7AE61D97EF42396" "161CBC2080DC7BB7392BFB348AEF7F4B2925CDF9F641F3BFFA3" "F140C0142D0E61CBE3D1DF06B016579A748B56C89D5BA88466D" "B79E891CFA7B70532A4D6649C4176FC21531F62F7BAF5D9EF29" "76227ED6EB614DC44CA99F9580C82418FF886E169506F8BBED5" "68FAEA7CE2551346EFCF70FD5C32B6A30572BB72C87C62B8992" "EDB3DB0B4C3EF8CA466B5144658BC4148909BD8D9E1AB5CE3A1" "801D15F93946217CE9D8C0ED536B3C2E75C17B7FEA2E99820C9" "01E80EFEB0FF7FB8226CAD685CD768A41B8CDE2C5CC8BC44B67" "3CE5C44F63840C99E557F3B45C9EC92981CFDB3E20EE040AF13" "A92DF41E8A0877D0559F6FF5D9DBCA2F53A4E2A8B47218CFAD9" "CA6AE3892F21A0D9C0FE91A4F027BC25985947AF0C906537E82" "7B3C79BBA1F37EE38F2897CBE9ABA9438CCE9D972EC262D358C" "33E2E6F2F814F0E28B4709C2ED119B50594BE98F594CCD2B7D5" "6F03")); test_hash (&nettle_shake256, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("AF0FF42EE50B300F202648FBE2DC08423944429568354570F78" "7B96531A0045C76189E453369381CB7B0A537B9EC05AA22679E" "96C7BD7CA55793DDC73B6C3FAA3A0D2B03D7561D321FCB377A1" "BA87C098D9FCD1C03D7B7BBA6262687D71B1B608BF148694673" "9A69DBE87B95F0E7010103AF17A6B0C50DB308DE00442641B51" "C5852E91E621133EB561C24655C9D59C22B6AEA470E4D235350" "46FB88105E7DDFC08339E99D8A750B641E81EAAB46A18CAE3EF" "AA493790A9E942EEB6990EB0E14BEB6FCDDAAA0BDC5D67BEE8F" "DDF1931201F18D0B0EA4227D1E89BCEE6C293EEAC60D3A724FA" "6FDDA3AF62D5C4C5200E14E2D40F3E031E71A8DE27CE3D3956C" "ABE9C6A5BCD67C0FE25DBBDEB5720B823777815EC277B594C91" "4F07C989824CF0B1060ED0D4B3ECE3FB65A5AE726412E6EB6FC" "F3047C6326922A0BD1BA7604830DC4D4981FF12B0364435544D" "4836505719EEF8BCD246A326CA1A756193FA0A94EBE98A632CE" "5A0D88E115A4CCD1B030EA7B1651F43F22D2D2A530E2821F238" "0857E916920FAB974AEB69FDD7C3AF313B46F2DBD14D5B4BEA5" "14041E015EC93A6A633BD6477DE78B51E592B3D87A708B831A3" "7B70AC70730C606A7C880CE3FBC11B727E25849F2BE6586D32C" "F7F31E20A739CCB25B62C03C1DB5AFA7B1C00B003DD9C5BFA49" "606830CD5A9B9204E1A51EFA571688496D5A49F4733DAAA295A" "EE26")); test_hash (&nettle_shake256, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("95D216D4FB11C900CB83674FCD99D4A0B0909B307A2020BB00D" "6D6A5590B6F82268D377E255BDDD9179249C3769AB3EA09D935" "7447E99F9C8E924FA8C39B378790CB629C46C914EC79BDB4AEF" "7C4D0ED5092B620A3CB3BF6D19DCB0ED4ECFDAFC9C049E7A8ED" "ACD6C91A3C15D7587C58669E0AC51E151B613503DB2AFCA0AE8" "1782CA58BEA22467B9FE7CF5F095B376BADFD9EBC0BDAEDBCC0" "832D80AECDD6919AB2D31646D9426CC46DA1E5398DD475E94FD" "FBA98129C8997AB4EDE6A204C17CAF9B1691160FA4362909B1C" "1BE81420092A8F5005A3FCD26FE0FCDEAD650665E4ED9CD22DB" "75382D898075BD2E68D240E13BC340C6E4A59AE944A626349A3" "E27F9C82F4DEE5B593CBBEBA0A2BA46A5C0FEBC5290675B2FB6" "36EE868AFEBE35F7BD08F1137ACB12C6D8376CC8E737827F199" "C899B3D8AAA937349CC04B3C64691931DC13F10EC5C57F4D5A1" "3A38E26614302C23E30F28AE09669C4A01F7FAC9FF0B2E10683" "43862364E799C63D74C7BFBC5F7CFFE79C24A58BC2CE1041045" "FB01653157C9945B626B3CD315D9D25CB0B694074AE8F29D372" "067C308F6BF0C44CECBE47E5528E0EF9E373DB63E554FDA5212" "E35898975D708652AD71C14A51C6E5E8A04CD9B7365ABD43F61" "FC7B3EFBE60715574C0AD0BCB0C1D53DBF51172E669E35B19F3" "33A3CAEDBC4E08617C47E51AB3863D61A13A8A2B2D5FB54190A" "0B80")); test_hash (&nettle_shake256, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("C2C5A2155AB4FBD3A3997BD00ED2EA8F049205A6E0668DA09E0" "DAAC49484B0168E6767AD78868347272E6D8C97EEF06AD0A3CB" "9FF91678DEC7385124AAC34817A6DD435A0A88DB8E19A4FC75E" "8F9EB34376E8C1CC7951623171DB22DB1CC5DF9D3D607E5FB17" "E450C15A20A748C340A56142289E0B1EC83CE82D7706DDBA124" "759E895CB7B91522BC46E011B4EB98927D860D09BA48EAF80D1" "FFDF9CCA026B5360AC8C2F04E9B0C30582611B8E8085B8E986D" "28C330BCFE80DCF11246D3544F4AE7C655E46654DC5151242CF" "A7B620C429757B1D527071FEE890C73EABF1BD1630DC5BB4621" "ED4C5C6FF7F41F4BCED4D31B215DD2BE6A5952BD06DADC42A35" "5F628616DB922DB19CEC424BFCB893F948F1364AE7BE1F79413" "A879FA372EFBD59F62FC3879FBA03622CF947D0FD2C02460D1D" "735E41ECE1A2AB970FA9784DC67F0F7C2A3A0A5460F1B31029F" "B65D1A9A6809B4F2AE29F3A68CC2C780D0000F0790998C0FEBF" "AA59A1A56CED99F752684AF6DFCE832901B998156C73E007C77" "BF401CFDAB4E6BC582B6CD477FCCBB1549C870FD6E62633B90E" "D103EDB47D749D04C39D2DCAA3DD4793957EFD12D78B73F58D4" "3087F456833432124E312D499779CDAE6332EE8D884F5719D07" "786A7C85A9642FEC61B66834F98C25E0A802B3F84DDE862D912" "7923E3A20E5A20E184984F8661058D53FFAA70C5ABBBCAB51CA" "8E0F")); test_hash (&nettle_shake256, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("B3CC34C482E9402EA5A209CCAF5D017BC118F61E52BEDEE634F" "D56C7616E6ADAED42D02F072AB4EE1D8BCCB8038B00FF3072DC" "D971616FD6A2B0012581638F835E5441842631D12FE303D6E53" "3D22EAB7CFCB702E4BDA509C832BBB5C24EC62A468CA885AB7E" "4E3B951C5380A30CB6F132408D31FADDEC570800B8EB58AAED9" "EBD8A0D6618D439B46F83116715568A5957D2DB94E0C2CDCF98" "21D86A71A96C622BA5C0F7C214375686E71F4AE74FCF5A75A6D" "B5F8EB274E6D93B52A2A5110C0B77A1E21E599ED0ABB78A93A5" "469747A6D1FC4E3E3BAECF8EF33580F00D55CDF9124E2BEEDB8" "814C8F5D5171CF6596DE35AFCE94CEC25FE5D6877F40DAC4B2D" "2FDAA0E98FC08DB03FDAFC3A4A2A98D0E865C99B766F55349B6" "88506D7B701BB01BB06F80D6BE98DD374BD84211C61112DD0B9" "A25EFA21F9804D724154881906A7BF815F206F4AA1175348212" "C54538BEE673B56582501A659061A157444DCE84C226936E99E" "51252418498DFEB02F2DC665B8CC4622C0326978FA7A7A8D171" "D445CEE519A32D81721F99DF529614BF09E4273B24A6809CFAB" "9A1E81E5280C84ED3CBA6D4B232080BDD034F1895F4010BAEF4" "62074898949A1CD5892AEF5DCB2B09D46201509847179505980" "A2846E58DDB22EA9FA0FCBE3AD9DFFAAA42F4FEF4A9DD839149" "5BA470A2EB80D5992DA78DCC8E893C1BA2C909CF8208A18C31E" "BACC")); test_hash (&nettle_shake256, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("1A2EB5A7E3266CDADC696D082DBAD5D9F73777F5B95DAD3E9C6" "A936271F12762FF3E8D1D959ABBAC6933BB19D2A0125AD59477" "611F9F912F935D662ADE6E1E40412BDE3E00A99C06A4906B908" "55AF6095DD7E6114EA48DDC1A76F3C8FFFFDE5AC246F5C0F854" "831EE7B48DF6A32CECEC0E4243A792CE3FCE40BD5AB22838DEC" "6155C817D272F3AD602F58EF870D0126EA18AFD1F1527931C32" "1A8D6DA1BF60665D077AD15EF615584A249ECF7D3728C0E9D3F" "C09BF8D3FBB9D260FA4FF13BBD4DBA6835590D67EABFAFB92CB" "3B0435F26E7EC265F7E2077446E1580FD1747E871D7AD1E992C" "1A909E068CA3F8B8A927053CF31EF7E071D5C7B4044F2CF61DD" "D48E7B7115AE0CC2861DB7E26302DF02CAD460358D06ACB7E2D" "07615C0F3786BA02000893FEBD088584ACA9FBE9F14F85C8894" "3671D24E9CD0B8FA46601C2E40D3177EEB500E8AA2931473DC3" "BC46F71C749C281E02B67D8F0B3D012DE4942B1B3C60A2595E8" "45CA454028489417842D9A6C4706424C5C0A073BFD080E5F820" "CCCEE99CC4FD372B0BBC447C5F3F54D87755C0A59C986D98E31" "6F8F1899821CFAE312B9416A4622786B2910910B86D19692C8A" "7ED50D63E252A3A5655D6E49AF3082BDBBD07690DC6D4EA42F8" "A7BC57DB816929B9FF8375C4596F57D9359F9FCDF8A3FAB33AE" "27624265296A093DBCBDEA292450D345B8116B86FC54A0B4B55" "F12F")); test_hash (&nettle_shake256, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("1E67E9FBB0568660EBA48D1C701D75653D97D9A94E770C355E2" "F3F6DD9B7C3CDC771FE82EC87BEFE4AAB21BA7C689FACF51593" "CB278F7A8A4D81B9CE798CC2FBA50145EEB0DE079F016362FDE" "491620CB0A3C26CB5D5FB09980E783774C8FD2C9D8900EBB103" "D73F0BAB02D0A8E2827D2471DB29F3D6EE5D9D620D4D13D8925" "F1933B1C66869BF74EF967204238E095927961ED5925D1A271B" "9277AB9DD7A30DE1FECD4C6BD9615618BF79850EE7E247121C9" "28AC9BE6F81D2B41378E984F4BA494180D7E45CB7ABB6DE308D" "B53804BCF43DACC10AB3A98157285FBAC9B183AA49EC18E98E9" "B40D12B022F40B213641CB2E18E3303E4C9078DA836466DB8E2" "E85962E5520E9FF66CF99F96E7699212816124313E5BA6347F9" "9DA7109940081419B4EED3F4ED2763D655A00EC6D183CA87907" "4F237BBC49D40D598FF2BD8F47D0D69F2E41397042B4398D4FE" "449CF553F6096BA25C1A2185A13BCE5545FD0DEFE4D11168BD8" "1B85CA5B0502233C43B6E863447578EB6F074EE2EEFBBE6C52D" "0E8B1046F304DE2CAF6484AC24783DD77774F0FAFEBAC731E42" "9DBACB0D95BE662ED9C71FDD6C0E6595CA063C748ECFF992064" "41F8E96C96063EF61D741B4D622B6EF6A6D547B738AB27B50FA" "D2EC5C479EA8069B9D67654C2F12D8232AB8A97C83AF190B8F0" "9E2B8F62B7DAA334DC8F26A3EA62A999433FBA70A27B9CF7FCB" "61A2")); test_hash (&nettle_shake256, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("7204F8652F37D125BF692544B8BA0C8859BEAE66E4B04ADA568" "5C6B4C3C1B8A3825B2AD6BCB2F5443B4C28ADF57388FCFF481C" "A629934CABF872354E4A33942B738CCD4E1941621524E895188" "D2ACC9EFC69DE7A170BC974C430B9830E25DF96097B3785A2F6" "B86F39E59574E1D9C2B91EED2231D4D1AEFBD5DCEE3E5FAA424" "72949D0D19DA8980BFC6276E41DDD600DDF78E82393EEE5A9AE" "0C87578071D667B886EABBE6757A52AF9826F65E7CA80529825" "23F61184B5892465B3F82BAE68FE2FEC1577EB935309EDE8041" "63DEE46EFBF5C93E7A9DC3BA79CD9A866966BA1FC0A721CA4AD" "17364C3A4033E805616FAA6075672DD6FAE31A67D891646B74D" "D8AA916E078BA7736A9B00F73DF90B09732A42E38FE3EC9F8FC" "907A5868CA170C669ABAF99571D14771B91F46C68F57DC6215B" "94DC0BB03F890BDE02DD41CE5D0F8F48E4FDAEAD1F0A05DA9A4" "56DA80B82F44EFA53DB9899F42BA31CECD9D7CE6A5DE33B70DD" "6427D3A9B31C83ADEE1EE073E06EC4238FEE4EA0029876FE6EC" "A5DE76E4D32B65564EFCAA326AF3519EDA46EB3E443A85E78A8" "E26D21B158328A56AF40B07AD19734E341A45A5F43D1EC2C9EF" "FBC7C5DD92ACEF61607F3CFDA8BC72D33C045A6B883972CF4FD" "1282A0ADE3978D1803EE78BC6F6FD297EC9E3052460483DBF79" "E6C35AFDBC10FA87D769AE6A4E2849AD112EDDEC1135CDEC2EC" "FB6C")); test_hash (&nettle_shake256, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("A3D5CFCDCC03334632027FA1B1ADB97C740F9C5D33F0B6D8468" "B4AA9B37A5EAE697D6DE7717B6F7C3E872DCC4A62682DDD76D8" "7657096D143DEDF97F2B9BA36734B9FF5816E247243B1F32F5C" "A122AB49647FDA690B83AE0FEE45625B4A2606C8E366CD5031A" "0C938407CC9421414CE4631477C3D4494570916BB41C60FC05A" "C125A3E81346759DCA0CEBDD763B61493997B774A582475D226" "1F6F8500D2C51C70DE11123756EB6B958EE5F20FB4A49429358" "D743E4B62D76904D23FD5DAC9ECBFF14854BF27DDA819B3F524" "21329B0576CC399EAC734D73FD9BB8729168E35E2A3490D7BFA" "A39E53E54340457AEC4C5C8F4C0FEE9339053646E4D74EF1A14" "06EBA208822B8E66DE410CFCD49A464D9FF545604C26CAA4FE8" "4B018C69BE18112B5C3D7325481078C712979DC88842E2842DF" "19F39025D28FDF45A5DD6E8FD2D12BF27D227E79210F6266B86" "CDC7BC6F81DB57AF57AA252C5BB95A235746B9C869BA7F8C90E" "0AD3F5DED409947173D071DE216ED1B137846752653CC6CFA3C" "52A32AD6CA0BCE29A5B12475C049488F0A79ADF5ADC4510E646" "8E714BBA37C0005A9CFA3DDB24363290A04BAFBBA92BBB2C2E1" "6CDD9D40707C56F49C05C5276C89BEAC3B239DE284867611CA3" "DD8250E8C7FDF522E0E84EA47A3A06554DFFF6B7DA13349A5F3" "6CA447499C45DA4C491DFC113892672B036507FF3A1E7E07B43" "FB95")); test_hash (&nettle_shake256, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("23397CF5C6041FCA9F1503B12A47F1389C4C35301F1747D574B" "48DEB270CC2FD79DA5718D0D5ACB78A7F30782617AA2E03B9F4" "6736620E512A6AA4E55E2B94537A74357E5C1E6216BDA724677" "BFC4CCAC3E3DCF4AE21D7E56D55ED2EFE6FB50A2222E98139DF" "C739FC759BE57963D8427D0B5D2093CF5F42347A6D9832E1FEB" "B4576935FA18E93DDB20E8CEF2F2EBA33C66F1E5741171BB64C" "49F128A7B0A9F095A35F5A20A996A3F9D7A68AB3B0D0F84E8F4" "FD43078A80266377D0D7020DE67E18DE20656BD59B86726C99B" "1DC8FA25B83A1FC8B7C256DDAFCC67540C1287CC377AC10D392" "88CE00839AF31A1C078B403A863171CC669DD72ABF4D48CC72A" "F222FE939A2D75CD7F195D3BD8CF8069F6557F1FB37BC8F9B67" "7865E0D23BDD29C9B240CD2993874FBDD5FD3B8CC57B6226C40" "890057994A2E13129F4613D3ED31EA5804006F5753047F1128F" "9B8C0A7ABA719A1449B3A2D02ACFA0877E81306179F9AB717AC" "84819029006D73D48EE55CA13A3D39ED293AD0AFC8EAC8F8D41" "971242877788EC1286ED35F06330683FE33042A6255835CD54A" "A07C0166350B851F98F2AD2A06FDA56B180F11B9616BB51ED98" "A2FED5BC2F9EEF7046A38754B91543EBE97B8375A81B7FE9CE5" "8DE4DCAFCDF8183541E44CC96F855CAD024C24EA87313DC05EA" "A1D933D6E238E9B3A0B9628239344E8E81B5341D615B63D881F" "FE45")); test_hash (&nettle_shake256, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("3753866FC2D045059FA925412D3FF0FD1254724DEC38E00F109" "6AF36D0A7603903089900F95CF9BCFECEC4CEA14B7D80CB324C" "56E60569AAD9E0F45D3A726F87E6F18559701EE6AE0E7A8622B" "45DCC6991A1FF15DE6B78BBCB96F976089F26A38EF190EE0C60" "9DB54F443F5F1014762F336F62EB5F7CB7B102E99FABD87F36A" "ED3359EB0DBF739DF4EEC4AAC458546C00D16D412841142ACD2" "E08CAADBDDE86843ADD14E3D28426295762E564E1F4854E7C61" "7F48EB6F2FAC79FFA8CDDB09FA09A8DD73EC389285036A52440" "41DBD60AB71F8FB59EB73629BB4A827A7584B20C12B96FB1F0B" "950BD3C87117DA69C7EDA0C1645B6C8C81DA8A6397DD821A983" "DE84390B1CA902F135160DB58F9F7B7AC9D010CE8D6BF713627" "0FAE0D3994F80612BB12916993AA73F22FAE642784D75E1CB5A" "CDBCC20A3AB148D6F3F171402391121BB404F8F576EEFC9ACD1" "903BF9AD2CD4EB1208F143DC84643E52570D406BA31F8DC9F32" "83B2691F826C4ADBAF431EB2F1DE1E860F9B4C0153C9F002C80" "9822875F915F7131EF63262ABBD8BF4A5D9D1699D893435C731" "DE48756C8D03C94D11D1D484DDDBC5C35660B3318468FEFD827" "78CF907FF52D652BCDF68C20349F64006C640E7A544DEC1FE17" "09056FFD9EA7D41590F84F653AD4F7474D008765BFAEFFBA015" "DE99D523A56A6C989BA11AFAE097F4D5FA63F04AE0917212E4E" "AF48")); test_hash (&nettle_shake256, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("2381AA1E335043C1F7360D64C703FCF6190747A616C550F787C" "33A573B2F9E83DE427AD8EE50610A2FBB07AC92E4F912B3E5C1" "0001044FA2CC3FF1C2182C672BC03183AF502D6530443D890AF" "4571611DF65A2FC50879D08E9D664D78D5F81D74957D38726CA" "EE5451AB88DF8853CC4A034065C532346A4F0D548D65745AB64" "9683CFE185C649CEEA12D79E0904E2C059549F895DCB1ED12D1" "CDF00D530D4653B56EF9FCF8D3BCC70FA91397B87F34FF839D3" "C0DEB053D46FDFF9262219004961AF9D03F50E1016E737605F3" "5EDED16ED51F4AA8FFE0A253AA21011DC002C5C0E0B1AC706E5" "3DBFDDCB1B02C0148C3AFA9D69B6CF7A72B1F793EDAC9A99ACC" "99F988EBEE210EE108093CE8EED146FBD98436299B159760EDF" "3D07BFEC6A9C1D844E98DD632B1E773D93B9604CB635457E33C" "063991D2A6D4DD8AA72883FDD742E34ECA12975AFDBFA2EB997" "609F91CB4BD53CA40BA4793B9849ABD509A2B6C01094400526C" "493FF33E0F8F1908BBF783E0DFD92105830947338537C9F7B6B" "2D193CB2923F95CAF113C9248C601EB39147661F7C639FB0528" "1E0728B916C59D98F36DAEC1F61FAD84E7292B6A5821009FCC3" "0EE7267969243B36134675F3C8F1F18E9C341AFEB5377426BB0" "4517D1498FA7A271029936FFBBB4248A786EAB072387B991222" "017025BB84EB4DC084781F21251CD8D8CCEA15EA2C37C89632B" "B67E")); test_hash (&nettle_shake256, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("325A6883E6918057ACC4D7E6863D245ED59957957AF4E8E59EC" "6ECA35EB380641BD39550268A68EBAD703A51F9B47DD05CA256" "81BDC853EF0897CBD4A0DA6BE9E911C26E801DA8F5360140FEA" "2EE9276747E1AD0879FD741E52A7DC8F0EE3CB199826F9C1D39" "7E150641E8EC348300BA4F7EA7746ED0E94520577FDD253E04C" "47223521661A308D1C996A90DF8A9AD18418193D590E75F0F17" "FE0443B5B130C1AABE9F60E538E6193A19690368A2C17516D7F" "EBC3DF95DED8445ECC260BA46156C88B5218E582FEE9EBC4F28" "CC4171936F7C5BEF008D7AD76A70BE3CD3F0701791702A23716" "0798223EEFBFEED7BC108E9C793CC42F93381BB9D5F97103499" "BDA63610303A55088FEF10FEE330C4F35D0A4D0F36C1CA06CD0" "8496DB0D06553BD612848212539DE0D698A530DC287F2FBADDE" "DBAAEF0195E050E3968850FE8E1C72F8E3F11F24BCAC475593A" "A28AB2CC69C3FE6F3ED03A38D8B278FD678697A3F6DFED6CD52" "AFA4E9947CA56D1CDF10ECEF90BA6EF87D9C2765F2777C14323" "25C464C685557129808CE3B91310C301547B673D498A4105833" "4562074A3BD3C64FC8B02BEE8EA642B12783ED71E990CA90B95" "B7020D5458FFAC57BD93F882F3EADD4707C98591CAA667BB0DA" "EE9880C3549FE9DDF7C9314387A85D308516C64FF98CCE50E25" "3CDC710927DDA784DEEC547C4442A0818045696F4D4BA4E0D72" "9D13")); test_hash (&nettle_shake256, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("0E479E6C1C78B597DE67FF30F0BE1D251DC86FF0AB0F4D5C6F6" "4BDEFDCD6A77DAF29B772FCAB3EED9344D32BC3ED616C10F69C" "F4AB3B34709F3941F3951FCA1A173CA2CD707FA41B8E4586343" "77596865BEF5CC8A3CF52C0ECDA7CCC0DFD8AA8CE0CD7CC1917" "A7BB9A3BC9084AFE456E5DC02569B3FA4D9B9DA03B8E4B223F7" "CF033C1A8BBD6002B3A457C0DE35A222A30A0E86F3EF9C9F255" "D449CE4EF5AFB51577391574F8271E07EA98820E0308EE56B1E" "EA91B35058030AB6AFDE356CC83D526BDAE2E55B1AD4E4D8016" "FEF14247BC7D95C34F06DAB7D9FFD1A9FEF761AE01F8DEE1D46" "75172C1F0CA15361CBA994EF062596BB767C52A275792F48B19" "1B1078968C1793A9D274166DB592267E1822585FCB1A9734D4B" "503F5E1CB0754A7D9F47359CC91E0646C4A2E754A29584363ED" "4C8C806797FD102D6220DE1814E665409104D32BE7A346D3B12" "6FCD51F55E5625A6BCAAB74F0E69BA1F75A4D5C4625E2F5AE12" "4CEC4EA6A702858A3B03CBCB0B014D3D841CD7A87D02C622F96" "AAF3AAD96A62939602A2AA1F9D88DC555038560217BAAB657EE" "87367E05345E1612532F9B6D83043DB59837E1F75D82B8149B9" "3F1105BE13BF51E20F18CECD5DF87067A0716D3F860DE8C998A" "487C8A197149E7C8AF4B414217B8579C314F698FD6A3B612B2D" "D67FF6E3471856FD9F66799FCEE14627293EA94D1C32D915CB8" "1C5C")); test_hash (&nettle_shake256, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("0A5995025C3DD9437884196FF09C0B92B5B0B51B59D0C3C9041" "AB172A1685DDCB3B0324186F11E2D7DCB6851F888ADE6805249" "7BD16C4F1D98DC468D833E4AFDD2A9E3DADCFD188C9B1E35BA9" "FB9549F88C8C7C74352A7B420C1019D2E7CDF02601E5609635E" "AD96CC57FE29A5AD98B2FFF301B3640BA441CBBED877477C0DC" "1D6143454456C0EFEA8C4038281E97C02774A7ED709A446941A" "2819F3372E18BC1A6C119EB24CD16A623CBF91816CF2921D2FC" "65DEAC91F3E0EF24F97CA518D167F295454AF8208AB25540228" "A9AB1BFD0ED0C8D09AE579B7116389B9BAA6EE388612F323D1E" "1627D1667F4E524C562B0993A807BAA0E81D02241049A4C0BC8" "EC95701E9CB045A91C4340D8C3067686347867D4FD94D48C566" "672DA8C89468D71B488F7D5E1409B3F1AA17B019C57D5A94C01" "53A887EA366253DAD36E9ECBB20DE67E5F09F4516DAF9376170" "0BB4E094B88ED56CF935F9D0E5454D2168FE5F5CE0682838386" "AD55B4C664526B48138EC270BE30135ED84A63FE04CFB99DBCE" "6B70CBDB32110F954491044970D3AAFB62B5123F2B43F3B8275" "CD2D1034068864A94A1B63532F31D2E65B9C197E13199F86638" "808D17DC9E3D914AC6E078CDE60A1EF9DB9F94E56C29F385418" "AAB5F5D5CC324F0B1E2B9F9CC9259971FC57A2BD18686045E04" "A3A74C3606B8EDE2E2E49E2B3F01CEB4B4516E695388AE331CE" "C186")); test_hash (&nettle_shake256, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("9FF0E63D6E1BD2C9B671298EF08FB86024EECF3A41662D465D8" "011E44C55E4312A2F4680A92984471B885FD730A3C3AAA6329C" "CC06E9684350543475D8CFE2F18079DAFAB03B9AA1368AAFD26" "5C5ED3D0D160EF317BF5CA211642F7C86D4C59504C8E6D8EF5D" "52C7770659C91AE1121EABCE4318D58F2644DF56D18909EC977" "D75D27D25D291EC706A39A3EB13E49691F6C3188C300B827E3A" "D1F6F8088318DA476D07666AE4192C08D4AB797E53445239CEA" "485704F0266C49ACD7ED67D24DA7333AF799B40B301AAD88837" "03F03869628F8F1513629FF0888656782C23D43D435962A022B" "D19FD7E4AF8BE40CF34ABDB1D0DBAC698079312CDFD5B01D166" "E6933DE574914A62472C5B2954740A5A26217E9A67329CF4720" "5701D8BAF5E660E231E16BB87EFDFCCA4E982F44CAD53B2893A" "83DFE251ACE8C49B225C3E929221D4FBE452CBBEE2F6E59F786" "8F876E20AF55F8B1DCB4AD5CCE9F0B8966D51128D08698AD8FB" "267D3164023985F5F5E48A237F4B638437E074FA4CF83030DA5" "846E64E03A23ED2EE12EE42646D1075B8F91B861D6DAA8BBDB0" "7FBD56AC72FE8675031C1CD0622AFFDFC9227F4DCBB642146F8" "7D2930B859181CF5AD7D6AFCC87BB905AD387AC8B8A7DA70CE6" "26CBE3E13E115572780D38DCE4F3AA6A95641842109B9750AD3" "FB5F711E1F1363119BEA84B4589D0B7287BB4CD094564DB6325" "1CFD")); test_hash (&nettle_shake256, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("9EC7D516BB276EE7BE68912E86FCD71EE08EA4BCB5A44B9520E" "84F7433811160E5A742BF8E444329F4FBE22D72F002F82459DD" "538D7C26401399B8882463CBCBF2457A7080F8ECC02A05F357B" "AF6BF8DE31984ABBFF66AD082CB995A180D7455BDFBAFAA83B7" "4CD95488CD8F5CFCE16EBB2D9F08E54BA341345648D0FC55700" "2487FE6F0D0418858698CAA9FD4171CCF3880FC0A9E751BFB56" "6BA907E13BB78A19E7D0CC543F9B7303C74BD957149BC505530" "B246A8D41638023B83B84BEEC79A91CD21D3982B7E57582780C" "92BE8CA813218B287C280A42E73DEB3A84F1027010F79EA2CE9" "D4EE57DE696DD1D4A13F099E4E1CF4BC7CCEAE2C7A454775628" "D09FDCDC55C6B38F545566682D3546A6F6AA8B57D44EDC36B0C" "4B9C1B92CC2465B6BC7091EB78CA0030DB7D7E31805AB459040" "494DF1120307A2DE8315C3CE802491EBB0FF3F83FCF2F99D9F5" "69D3E3F32F0CAF2D7D6057FFB6183D274919B9D4B4CBEB125C9" "002A816A83941ABB5120AD9AF40A76398D31B07E464482FAAC7" "67BFEC63CC221DB2A54860BED4D5E9405821CB176B47838249C" "689FF1D9990CB3CEC4EF1A0D9280F35E8F23246537313B77F26" "D517221F0A21E7E6D4D28D88632B44D7F1C381F8E7442A71C0B" "0473F7BC702326364489A943B6A0CD0A8B868F21D7F26A1AA3B" "8C7A4C7CEB574FC2B266CD8067D83A53AD469DFFCA9088ECE43" "9207")); test_hash (&nettle_shake256, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("045E2BEF203B8E72121FC29E68F01176B8AD2E0F24352FE555C" "9F0B70FFB38AAFDDAE1B2FA04C3BC2DABAF4BF3BACDF7658A62" "3446FD6840536572EFF9393F5AB66C080A68D2341AF34AA2A13" "B6EB57D8DC6CAACCABAEA593970B4D91A3B861AEE0B6E53F326" "3DA68DDF75CDE76E5BD94AFB4AC78ABED89788BA89804D6F199" "7684CFFED40B3761A782E3EC1F1A1FF12F8151E91A935A088D2" "AA2311C43FD731CEF31503C775781EF5724508B910976DD89EC" "BFE79B17F1813B01B82B6DCCEAADD6615CFB8D2EEA27EC7377F" "8911A39E9A15E622F3A91F88333811CDA86007E57EE652797BF" "9177C898CD8951B8C123B8188BDB2E60D32493F4E94C34B9FF3" "A00893795AE0028061050E9C03A53AC787787A332DD4C75FECC" "1B7AC1E6DA30E69A46DC94C87368C2150EEB3717582D5E5851B" "B5695CCB416E4D8462F0448E0D711B42F1B6FA0DBAD40E96C6B" "69E67BB1907B460DC319B8F01591867C73655F8A28F594EA245" "8E163EF0D562B36580AABC8E9FCCE61D09CD83BC4DEC826C8F7" "DBD76028588BC905777AB6B5A5DBE81665971B23C94DBAE8B51" "3AFD7DF0B6C83469ACD22CBEF596359BA0203C6F320983A5527" "4812B49E7663A6F48B420748AB10062EBCA4DCE4440D1EF9B72" "BF4E121B76075D209EB82DE30C074CFFF86CC28E464A6959691" "C66DB995C279BF50CE2ABECB94CBC850A33315E4ECF650FFC27" "1DAD")); test_hash (&nettle_shake256, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("7FD29D970989B8F0DAD5286CD8CE7F5E793B80EF8F62506F75A" "119FB3ACB39D726CDBE6F4914F8A5930D30A0AC1E36E285AED4" "90CD30FE63A2713AB0DD473A7A764A19A70BBD9AD5BCB2B2A0A" "D63A84FAD80466D1C9F513D4336E3D6C7F93645C3FA30AC5A54" "B46205322265D3EDBE4C8C58B5D8AEA1856D2FA81C81E12F27E" "ADE6958F014ED3FA3C844A65321EAF484A2E7543D362627F2CB" "C4A83415FA3CA616B9CD7EA8CD1724F426C0161AE41CE8175F0" "598FE4AAE91A3F12D6C8659B063FF5C64FED548C206329F0C5D" "A4AEFBAD704D16A1B67A38D807E64F03A3A9DAE4B464C78462B" "842B0DAE0036EB466AC7CBDA234F2DE626D14764F6F49A8AFEB" "062402CC9DBA983268333225A6678D2FD9E506ECE66135E6AFE" "7A9DC3A16295F71440ED04E8E391EDC134E91C1699F0D31F81F" "CA6105F485566C13A93A2DB218DBE8D64F4B2E242462A67FE3A" "98A785BF276E510ADA824E88C5ADBD9889EF2857D5347544E43" "1603E717EC7A7D17C98A7C326C0A4A83955C7EE31379B241C2F" "2ABE038B2357D3A9D940D875F2A5634CB47255DC92FF11AB7DA" "C4D675E13134C24FF7B058C2F99C985840287CB3009B6CC3D75" "AA5E79C29C68DFFD9D95E37592B6036A4CEEC5E34EEC8DE7EBC" "A4B80F0E103CF07D46E73734C831C0CC2B6E31C14F304D88D77" "D433699FFEA902058F8F4ED0FC7AFBC4874CD6786E6D82A9689" "3A68")); test_hash (&nettle_shake256, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("EFA2939B59DC8F3527C78E384B1CF12C7E184687A0C3A1FD9FF" "B9797D72F13DF8E199B2916A6BA82FD7A914703687EE707C6F8" "7845442DECA59F08E1D5DEF48BCC43BB1A64744D4DD020C8666" "27AE212E5FF4EF9F63C14D2D1CFBB404E03573F9D110001ABD1" "56754EF41A4C48E664E31B5922A27BBA26D2B3AC79F57720A41" "90AE55A5634AF6E43CDFB87450EE8CC690749A45367250A44B0" "7E54FC1CA8EC1CACCC979751544568F0117AEBBE6F5415A3524" "4A9255FB023E7C30B013D6C47DE992141929F25B3A43DA91CF8" "853EC88BA42DA3B17CF27351785BB16849E6BA680745F0294A8" "5601D5A08CC924BB962CD8B67EE0667AF1E118E2E5144169DA0" "FBF03C974ECB202FFC473315185723B57521737CDFBCE99DDB8" "1F88D81C71C5F02AC5DB801437D46DAF31BB9308074A21DA98F" "6899F6280E449C1B55CEB3E04522D038307AABE964B720AB331" "A172A53CCEF174A82F046F42820D11947D1B316EDF390C86EAB" "E22408E0008F396A0E7F3D51B9988CD2FFBC49869FE0EC03A33" "8A1A8E0A663246A37DEA111DE5249196114996102223D628AB7" "0FB7F53B842B60F375DD6779D9426AEBAEE547662B6962E3610" "09C83CDCEF6D8BC6311CC1760E784CB3CF6241257EBE14FD955" "0EC8316D95508390909BCD23EF9F78CDCB485E4C403671E5F20" "E7EAF4E0C06344D54E157791FC1B581AAC0C4EF947ACCB642E7" "8CFB")); test_hash (&nettle_shake256, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("97922E827163B8869D9A7654AE4532EA26F9895625152012F14" "7BE1E818DF802689D96B469C8B0E9010D0423DA90AB6EED2C83" "5A01CA4C386C630A22D885B511F12799EACEA96D157A4432A32" "0F3EC1CBBB6B8EFEDE3E92D99B1E79389B93AF7ACB27D7DC97C" "F88485DE6C85400A2DD88ACA540B3C921180002847B34A45446" "5D014F4742815EC64F5FBFED6229294BA5EA89211E35327CDBA" "C7CE85565EB8F23C4154AFEC0DEE188E9D854ED56BCA174E14F" "EFCD0ED039B8DDAC3A3242CEB72D9116482F8B750A126505397" "ED261D7CDFE88F8E2F4E4A80628D66A7676E28D4E68C3E97A47" "C3844FB06692E5F4664B8A583A1836ADA9AEC095D011F12B3AD" "6688B0039B1B74D016F1BD477C932DDC1944B5F301F4D5690E2" "12E45D26908BA09C52D6CA22098B7A080B0056F0CB891411D0B" "041CEA27030A2F9066AAF58CA5357344DD9AEA0B0D80932E98E" "205EE315312D19413240B2EC4B854C21BC2DC16040718D25095" "15BD45B6557083677C1882D48F687EA0EA86B05CC3F5E330DD4" "BCC17E5B4F2CC4F2C64773EDF3045FA48C53081929ECF31E84A" "905586D3AFB3120031FF75ABD8CDAD7CEE66386A7A718A90B98" "EE970864A167FA48BB7A3F78ADCC2105E0FEB27414B1B6C59C7" "BE5F7509E55D561C32523FC8C1C12628EE642D9A69F7D300B49" "A5B6551B487655B21FDC690F865196A35F138BB8E69571280FE" "F496")); test_hash (&nettle_shake256, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("289C52C39044BCE5CE8D320E2AC43DDF8DBB4A5E6698D536E30" "4424CDDC251F7B181F58AD4948360972835CFA265E9B658F6F7" "D4B7BD92D68E75F0DA84F47C969C7F12CF5170117B7EEED8B77" "E3AEF06E52ADBF8F0EE6AD01DE3EC5E726BAE631A68F6FF364B" "AA1754D928386496010F0EE59390E041CC0A6EB8F3864087BF7" "BA5A57A116808BD496632081400B89CCB2A8A8EC795BF07C609" "51B46815E6BA72DB555B9CC03CAAC4BB8D60BAD5EC6C5E48D66" "F4C5B2D1669115E0F0BC80106EF06D48BA29E2899C0EF4D5C5F" "4E29CB29C8F578A824CD462A4018E889B67DA31A90BC58178D9" "04C43296E4D3F4977F0CC1009FE51F37B2F8979C97DACC92C8D" "0E0FC45A004928F96260FE2A6F27DA15307AF55EFFBAC4814C9" "F4446253064897FA1E1747FE65E4C406A3879F8E2EBE5CFDE37" "65F2D7A2065A6E0D38B6B6A5F9FC3EC3CB1B35D33386EA75EDC" "E250D5917A17A6CB9D1517684472FCDF27D61BD03F4BB43C3A6" "359286E73B67D1A618A75EFC9AE2212BB507DD1BCB12D0B11FE" "2030BAC84DEC40D04324C8354C3F3C6ED79D7257B8A189C565A" "41F72AE3585A9BD91C9FD43184814BD64F7303607CD02B6613B" "E736BD13B3AA8C668F91F398A8F5AA6BF8EF4D9058637FAA3F0" "F0710ED60C2FA0F6DCE8EF0675EFA719EB03FEA27ABDE60C5B3" "81EF4026FCEF49AC245483DA8B9B50DADCC310CD15C61E7A0AE" "AA6F")); test_hash (&nettle_shake256, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("03E492E2E4C353A74245745981AEE10CB10ECD72015FC37621D" "2E07411AAB55DAAEAE78EC376CB20F268FE40392876A29B4163" "C3F1732FB58FBE26379F88C4388513C9E65DFB7A4B76DBA139B" "28673EA6691096EC526DE0084FBC516360B07ADC853A690264E" "C8C6E7F200D71B593FAAE6723C0A08B7CAC263D7F7DC5376B51" "A2C7C640359721FA93A950A7A1F07F366B0FCD5C79471EE237D" "11936B763840173710FB8CFE41DA287F61D13FBB174B451F30D" "A1A1FB0F02C2B34689A725B1F86A96247E6F48897E524E84D91" "BCC9F08DEAF189EFA84AF2A32DA7480ADA982E579A832FC3CB1" "FED55E8D0D4AA710EA5B0B779CF0667ECBE9F5827FD0ADF6FA6" "D98DEFDC0A3F3E84D5AE28D676CE703E1F060E4BAE4C0D931F8" "4A76C2777D71B02F0DFD3DD00604C6EBB32642A9EBE9D34601F" "B78AE60145E32B6AD2A362BFF609CB2EFCDC66781B5AE2976F0" "249FDA97DCC06A8F7CEBDB32A2849B61142A7E55CD15FF51A82" "1D233B3C35D9F69D47ABB6D2B55169AEA211A67475FD48D39B6" "863EF6E4ADAE89530B0A84F6D6AA9B0475289C084AE2E607878" "5289E03C6440DBEE352B9D39D11C9300730E4D224FE008696B8" "F27F6A9261C30C577B48401B2E90ED5830BD38C13416D19F9B6" "EC96F235F7A0571961F18C0F3A977740E9F5CC9CE62F695F9A9" "F797A33A2FB247A62BC635449E4FFEB2F24298BDB152E777226" "0F9E")); test_hash (&nettle_shake256, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("6C937D60095B762B69A69116DDE17251B6FC76117D2173E0702" "408BFD8A215A057F25D720FAB9410BF39EC033D68CC87572C7F" "C8B3C920C720C0A34FF468711F32753E8E6813D9D8ABC30AC3A" "5EA3F6509A22E01A389399FA09052465316BE70501B70CEBC21" "B5CE57FD935F7A265FB101232E95289E4234B43AC0BB45BFB8A" "29489E7C3410F4A64028CA7BDEB97B327193A30FCC54F1A9835" "E5BF497E0BBDE269E3F01BAD497AC3E09425B7E4D5D5A345B9C" "DC256683C3D73722B6B33F525DFDF21106574ED3A1B38990C0A" "18AEAA51621C6D603D58AAE2B1D89F57E802E66F8A7122BF4C4" "C1DF38FF9B147BBD4D084E119298C9C4AF1BC6390AAC20BD1DB" "5E68EAA7361601A40119A51EF26E2328F6CD52874E6F24B3460" "A7D531DBC5DE94B0D62C35C6F56D4E8984B20BE06A248E59754" "3E29C314D67DB0B112E158321E6BC9494E14C9E33705E678AF9" "A6DC44BB567146E6D03AE590CF76C76398A4D5BFB9F0F12CB70" "7EC79BB52B5488DBCF1A19623C9777F30F153C3E71E5F9A4841" "E1F53E88421947903C9DBB58CDF75CAD297755B704E6919F25E" "BF43520CEF6D71FD41AAD277AAB2BBC86B997B6A35C4C1A8B8C" "04E6C7741E88CE198A650841997287E53CF24A2FD939F1AEF79" "AC90DC787789AE0B344B658BF493F6DA6EF59112EF76FD39A8E" "0CF7973E002FC7AC455CC4FD98C0030C7C76178D1EDD1AB12E3" "493E")); test_hash (&nettle_shake256, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("176C854006AC910006248F1CEFFCF0BCA14015B7939B0065E59" "A838F213B9ED46C68A377AC3110DD08AE358D4C3C926D262A49" "06C196822D2D2031990D1F02B472B635EBD7B48AD7469671EA8" "5683328A949C4B01E9AFDD0E780EC10F2A6EECD0524B77E6C98" "93416EB73C53286CD52DCE11550E96B70154F0A06521195B7BF" "6B260AD67D85FD2D3BA79D96B3C84D2EAF96350342FB33CBF5E" "4DC12D7F7B6C5AA0F82AE2864A38026B6392DEB539637D323C5" "A246EBB7A87EC7048DFCEC1DCA98D3239FF560598AC31D0E722" "9EE0A36BD7500B991BADC5F7275BD650DE740DAE8421E1A7230" "13C9E52AF448E21919EC70FCF5D4C5FD888B96676E65B6C52D2" "353FE5D3D1423A73410234A2FF632CB09E922656FC233BE050F" "BAB499D3B0864439F79B56DF983CC67FC460B027AD14B8E112F" "898771545061DDF52652DD14AA034137764DEE5F896E3FCCA26" "F70B63B37CD8D8DF7106876F4EAECF211875D4A3392E09B8E42" "19326BA939DF7500183C3F039D1586D00BD36FBB97835FC4C73" "845DAB9639A0231C27E3C3815B4478780CD646F1157BBDA4725" "77FAA829F8B13E2C8DA1F7685719F8B979E895996DD05D1BC5F" "0ED8F8F302E38E44A0F5174FCEB3253EE9CEA73315A1DD655E9" "A6BB59A3B67F5F15F41A8E483D8C98733916638D5E8EFBEA8C5" "BBA2000D2DDF330EAF3DB1E9A6072E5BBFDD5FD201F8A13800E" "7719")); test_hash (&nettle_shake256, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("F59CA6ABC514DF7EE5AF9B918A5355CAE65ADDCA95C80866EDE" "16594F5147DED549BB9187E4F51535D3EEFC20F59703E1EF74B" "86ADC45F8DE3265207B5A3B4223C3B70E9A9B24F08C2B1F15F8" "58763381C89F2AB14AEC657E7E4CCADB9EAE9348B26450E9CAB" "F9B54A56893796B2D4C04AA2B3B741D6F85E9A8CB6FBB0DD91F" "FB91E9B179D5692F9C689C4315ACE33C2E7934D49183A5305B8" "F50051242D73A225C557D787BAC8894D5987C8B4C91502C295F" "DEBB492285561286262DA7A78A87F068E07B4CBF82344E6FBA3" "C8B70A7CAE9023BB004C18A446DF8432C895A531DCAAB8D910C" "5623651A362C4E2034A314F00154A421DA604CBAAB56B40F9F3" "242E8F61CC9A9AB4C91304588AF9805180C8ADBFCD727C20D38" "F2DFDC24CC1A84FFFF83CDE8F94359AC5D1848D3385B419EAFA" "F09EF0317F99409F732EBAF75A7FCC74A4F0B7D038626078C8A" "775B1EE75591C6CF99EE2754EEEEA7DC9FB382F25F55D030293" "D53ED2F9D9DDAECB41172387FB19731639B37E3A26AF58B033E" "850880FFCA4EBACB945F7D445983042FD3EBF4F70DC2BF0E95A" "7CA9DA3C8F094BC937568A03486EBC127ABF44D150AC6DC0B70" "80A41884102172D6E6B6D819AB088CA55287D6912018B5D7F4C" "0C2A6973E532B40F9D0402C1525B2E7E11A948A5C833EFD7788" "B3CDA4501DD7884AEACD53B503313500C3D4ADAFFFFC69A2EAA" "EEDC")); test_hash (&nettle_shake256, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("A8C3DD2CB2C0B8CD01C2550A1C20308B3A4280AAF80447484DC" "DFC69B5C2C2FBA310272E606D1CFB61D078E2D860F1A056A3E0" "86AF9D7485611D64D1CE5F850B91920E778010A23390033DC15" "E372AF077611C9B5A945981CD27801C9B701D892143DA0F882C" "5D8F7F06B72B7107FBD22A4D890D1B00857FDE7E9B188088CCC" "9A67BC12B0A496F3FAC72789E7E52ED7CBF36BC7B846F0B4D3A" "221A8297A4BE76A1658A1547B32F534FD13C466BF1803C13005" "93F8C53CB5530632DABC03ACB369D7E87CDD61EA7DB6D5980C6" "8F00AD5D28F50B5B499A373DAE132811C5DAFBBEDCA231E7461" "0271BCD0E733A59D5ED6A6EE77AB4EE0D64CB00AC7EC586AD30" "F1F3BF5066268519209A9EE408B0DBB1E6E7CAFB63BCA7742A5" "A7C78D7933B30CDCE0F8B502E3666FBA0C2CAAB6CB0826641A7" "4C02E5F9DF0616C001273487487C2EB693E8818A281CB58D10E" "0F911FA8EDA5DEF3CEA2136197E79A17F58E56C4262F3BDDD87" "D9BD40AA21762C43F7091659693D2BF5D8BC03632EAD0C680B6" "EBE53EADFED63727143FE47684188ADA6391EFEDB6A59770DA4" "06B00905C124680B3B23D54C0255967C3BA8722DDF064F10F32" "53972C0A4FF5B1BA17F8B9247E2D81FA1E4F7E3BD064E71A3F4" "F18858D040027B45CBFBAE7CC6F04C125B867CCF3513C40F008" "C2C961020B597F864BFF2347B8ECDCBF4AE460B1915A5A5EB98" "AD31")); test_hash (&nettle_shake256, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("066F28311FEED21D06D61EEF566DEEC1F88E8D99DA9F6AE33E5" "0321FBF7C1C458DB1E0C85C2685E806C583336F5620F44FF355" "96A725D37B1A7F149B30EEE6EDF2C46EE8F7FF1B51D5ABBC09E" "AD9AEF74188FBA0EFEB82DF86C304BF505FB02FF05B1797A7EB" "3549EB9E74BF685B15FE615BC7FAB569A2E8EAC5136F97E3939" "7E091F97D7C11D8E6B6390961C0A1A08D2A75D00CB679C87087" "9C24A4AD0FB4EEF187E60297668634F06B7F2D98B85CDCEEC84" "2DB321CC7B7823D8F332FF5AB7C44D9F862B61D3423ACA66392" "9EEA2B47C9C78F890D50A4FD04079D4F77A9B303FBCA8A852D5" "CBE0B09DF7DCD2178C8450370F60CE76AFECCFD3B4B346C7963" "1439D879109357FAB4ADE37832D42D70B6390176FD864251FC6" "5B695DB788F535B76077E3F69B1B2BB2BD26BBC0D1273109F71" "199A58053A8AB6D33C9A75B8C7D4423A330D03C5BF6A2B2CE43" "F27536AAC58D9D7CA8397BAE7C6C96D7279C19ACE6F7487412C" "7370992FAFCE97342E145795D7CD22F2135D627F5BD528FA351" "1B3EFCAA28ADA12B8F229BB594E802615A213D21CFDA091B736" "DAA0B18D9E77E9AD98441F23926F6C06DECA62BB91F6430352E" "857AA1488B82820F3624BE30E7ABD2785E8E9D6A3CBA0A926AE" "425253E1417AD70F80C1CFE49C730E1B287EF47FE65255AAEF1" "408C66F622CD1B6484FEC1675F1A74AFCC349EF4746B4468DAB" "F577")); test_hash (&nettle_shake256, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("DC2A3560C3644C4ED659240CC9B275B7163F5C88B28839FA74F" "CA4A055B265E8E8DE186EC35097511D12F125B9EDAC4665EFE2" "E41DEFFFD4FECA65386D9A5B06DDE6B1AD1F70772ECC871C445" "29D413C603D7D8BF2CFDDC72C11D3B9684CDF4696EBEE1A88F9" "39A997802AEE46BBE7ABE0915C4DF68C43EB06A1412C690EDEF" "8FD21F94D16EC47D42168C30B8A3C2A87E348352200040CEC76" "97835DD66A8E0596DB943ACD2BA8424A7D031C5AD0322C913AA" "9B11C4C1E09ACCF8B941FDA2CEFFAC3F38BD43FEB3E67D002E8" "D45D9C091D287A5F6C4B70A58129867C46FF1E98D402202C27E" "088DA5063157E0BE4A7C82638EB623947A59D15B1FBC965A734" "49711FEEEF521B61C4F94B7AFB015185BC7C696200F10C2657E" "233F643C0B20A72EE57E7E17EC806B0B4A128F9F0F6BAF129CC" "D82B19FCC72F62FA10456CBE37317BDE49BA0EE9FD83559E322" "04387CBB5D26064127448D2F2702CB37C3CA5B49989C7B90385" "4907E1A748FD9E589A01EEDA6FB374178CE57C6027334399A78" "96C91FBA3F8C2EC917F2FDE3942D60FD37BEFDA64909A34F5D8" "BDEEEC6DEDAD93894E9C6A894637B8193895973C5DD8424326B" "592723C06583F683281AA90C3FB3A754AC8AEF614DC30DC608A" "D26EAAB42B4899137F4D42E4142F93706F88C8C98BB6B15E099" "2834785A27FFCC9FC2037A3A3B4B3C262ADE59E3A6718C79A8C" "0C82")); test_hash (&nettle_shake256, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("5D5AE597772925F37C5D78176E15392BD53FB65B2925BF589DD" "F97D92EE412F2847ACE1B5A4A22515C910A0A7479AD4CFF5948" "C4A736EF021F062850383EA778389BF5F33C5357CE1D11D11DE" "27BDD076720692737E5887B0FC6B8FA46F2675650072848E26D" "94D596B921280649389A9C1621037AE9D91D460BDA8FEBDA762" "7C181F8EBB77F43DE66F9D64EF1D7CB66622E13FACEEBC7AB34" "6C0C71A1FAA0DF2659D980AE4ACF04317379B81DBF8E9206F66" "7EBCD2A8D736766D2FC64EA442A4BA0E331E7D3EC0AB1618BD9" "0A9B97A4AB6556EB09DA3C551AC3F2714BE4CB094AC454F0DEB" "D1964ECF15118F677464C60108A87E8895046269DB21168E35E" "C4DFF11487E93B49A8FAEE8EE6C3FF05394D1D0C9030123CBFB" "9576C9015C30F9DA04331C995101F4589D27CE664D2D6928C80" "3EE6ED655B661F286F12499427B0B3D4C19A870CC6065528D0D" "482FAE121766275ACD12731B127C454D17BBD32F779BDFD59D2" "221CC923764A023D48A109F259C2C4D9213E35411A7E4F03C18" "78E576F9AF4B84A983F64ED1255EE7CA9A4696762701950C97F" "374F207ACF4023C0E42651C650C330EBA2A7773AF833A9A7B1C" "9360BEC7FD788DB63AF83B699E1BAC014A86AE976F15809E4DF" "C8EB8225DE57C97CCCD0683ED0BEB67B752A6BD5EF128D9BC6A" "D343B04AEAE8C76D7A24E3025D436ECD9F03432991A19D1B164" "2AF5")); test_hash (&nettle_shake256, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("B34E968BDD16E68C71ED69202A38C554F8362FA382F1DECCF89" "536B0D2FFA7CF8725CEC1D2D7AF57665496B643E8206566F8CB" "E4CBC42DB65481750319BBF37D9DEF13D050B2DAC53E163AC36" "5E81AAE03BDB40B67D0786EDEFC2B339FEE7176DEDC90C92B16" "A726E61A3E4AB5B29741869A4E8FF254D335C62053EE9FCB5BA" "D309B11B916EDE9BA5D1594B0ABBCF73A7A231B4104037D10C3" "2433F99DC35A356088F90298BB9BD150FC8252017BECF06111D" "AEEAC705BCCF25E8098995A8F7EFCBB10FD2C443223325FAC91" "72BE8B5FEF5FBCCC8D9361DEB61B361FBEA3D5CF13F4731E8AD" "4F567BBEF2655A79213193131020123E5FADC2782E8224208EB" "98C736FA9AF25EA3D00CAFDA04EB8F0544B58B29DA5D438A969" "14CA1D47F2A729128F60E56F5634A73133C1A0435A40FB7FF6F" "88105BA307B4B6479D0DCBB80A5F1A71954EE049E99B944E41E" "E89DE4B78A78786660A1516A3BF64779DF724BD82045245413C" "D82890340D29D07879C000934FBE4B4FEDA2EB4CD795C528E83" "BA11A92C9476E3273DD5D4553798489B8FFE76104EF154FECE0" "5E4BE9775256F278DEB61552266745FC21DFD699DB5A34F4DAE" "4FB3E23146DB6767561F15EA776B67240C92C695EC83EE10978" "FCDAB7A57C692861F15E5E6AE0E3DC2C58489445DEF81F884A5" "0DF8E78CE67C23967B27B419F36B905DC2D9EF1D27BFC94B456" "836A")); test_hash (&nettle_shake256, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("2D48CAA033F0273CEE712401A35D143C7E91216139682A77CA7" "75F08BA77620DD02EA885667355740363D95DA3CEFD3E9F8D05" "75A41213C1E7F2A6C4B7212DD617C9B0A41D48674B6A19C63C1" "AB3F2CE7F1A0FA694CA8401A0121077F281CD5D6A5424AC1D3A" "11AA97F88783722E68ABDD3684907F63EE045D7F3E10545F33B" "84C30200DE3B135B4BE5033B854084E5912F17B14F2AC16D027" "FD02FCFF1AE096C983F0F4FCE7D6B641D2280DFB90D8A066D8C" "F53E2A5A1620DC50008CA375743C416C379FDC5AED3DE23244D" "E23AADC33BFD9609702DA4776881A1F588EE1FD98602FB831C8" "D857CB73DA50C99ACB34DC79D0F32FABE25FEFB54DBD494014A" "24EC55B4D4ECEF9D4B7A98A8BDE06E324E6B2BDBE7BEEE6A45E" "4FE8948D331561090B737CE14D302C9CB1D7EE3E78D0B7CDA6F" "D12CF038F8B92E35F7BD6E1664A5F4F75EE569F67C41A434330" "DFC06F8C6C7156208A11BD6708B22F3115E5D4D99F54451D967" "BB7935FC937AB2EE21C3DA93B1A3DF94DDD600D6AE8F43A35F8" "5794E3BDABD82D4ECC923B0BC91EA85C3A2599F492495E8AAE9" "70E1605FB642B6B93E3947B45D78ED6A563FA9D10CDFF934C61" "D78B46AEB754CFFECF00AED06839365D1A4B7D9CC5852A4F755" "F01723C8E3961C92F320A43EC23D8292C4F44336E78424A4E65" "0D74BC47EC05EA8D692560206B9DC2310C893598370E5DF5D93" "ACB6")); test_hash (&nettle_shake256, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("6F7549D58E91D97F0C1243C519EB6AD2CD72AE27E3C5DA2C6B9" "2407823D1275210ED93B95692880015BBC14E72892A36D4D492" "4A48DBDD2E774ED36B739F587D200D9A789FF56542061AB4DE0" "06B08749C31BAC057DDAFA581C6F756BC3FF23BBC43C1048BD2" "848204588C89E6C3199EC38DC9F4BB10BCEC5A5D236AB28113E" "4E43D529DE8424F118CB14A5FB02BA721BA4650CFFA35663820" "148E00A2A8C0B8F4C20DBBE20C146E4B5294A17C99C2DF7EA62" "F9107ACD5FEEB01ECDC064F2911A466BC1024B1AFE10F3DD784" "3BDEB8682339A95F7A0E615A216C89AE7E8A688926884F82BC2" "A487CB2695C658DB670EC286E63AFB5B244950497BE33081CCA" "0FD14A4958AE4EC94B642E3A9BFECA9481FEEDCEE34B6C13F30" "1CFAF882105C14F20679B5E7E4263C29397F62B094490BDE56C" "BB1CFFEC550819E0ADD12DA85935AF2A9C08537ED3034D39933" "B80471D98B1562BA12C9B98A462093E79D247BFE4EE59CDF9F6" "533DAE9C2ABB66437B90D845B16C5318D0D12EC5CE30AA63B8A" "754CA93F04A3E3013A197A34DD8AF463A7AAE48D51C7EEEDC45" "B5BD4F9E5BE06D47C7991956E7BD828DEE21A4C4A69C3BCBEB9" "14FB93832BE8A986A077FC3A990301532CEDB59CC03A0EFBE5F" "F88413F0DB07481D134B77200E05341C21C43A7FC0EF20F254A" "4438F9F49C28136EB7FF5D64E8812D4137CB3410B2482D3289A" "CC07")); test_hash (&nettle_shake256, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("2D534DC9501C6B18F9662128E227E3C7D8BC7F6773945B8CA65" "3BF93F9B07BFBAD84F195CCFEAF35FFE97E1109212DDAF5701B" "F2F81A72B51A66FC1590534823172927BC3EA342A96DF9B0CF5" "952690804C37814BAD3A41849D71AACE71304183A4477D31365" "4C731CB0A9AF39CAC8A8E4B6883AF7C4F94720A5919C2371C1A" "E472724F7062E47754066976B583CDFF98CB41796664C9B0C76" "3C4530FB62DC22AE7B3C6B4DB593942F6144DA79AAC3F3CD53F" "90B7B634CAB679ED27341C83A3F9DE8763A0D083C4EA4EB3B8C" "189967E6970178CE26A3F2D43D1A62E4D26D61636257DB145A8" "9EEEFB8C38AA9D69F0630B99B4FFAF9395A6AED9C63E78A7F8C" "EAF4884E4663E7C9E39F737703F5D1C73B2E846FA5AF03528C7" "F1D1378C9AC7CE02599278455FA6E1B7BEDF453ECD680A89A8C" "77FB727A688AC573A5ECB545218F5DDAB304DFB786219451467" "4A52F2F0EB2151BD936974FB5B677F621FF9E92A10C76E3B6A3" "4E4279BF2E395743EC8FEEE4F4BB1D951AF744F9BB923A13C1D" "6F159F96B90D0371B135A8F64351DC8C9DFC0AF38098D3A8583" "DDA8978103B25495BFAB2B144E4D82774C06C4CCEBE085A5B90" "2DC391B60035F4EA929DE8A56DB1EFECFB928BE97C23E6DACC7" "9EF2C05D5C08F2CB3ECA5CF7626F13A95F29239AC8F457DCE85" "815BA83F099B1DCE79A32C6E04280B8CEFE8EC213E2375553D2" "214D")); test_hash (&nettle_shake256, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("4D0E55472FAEDA7E9F092EC4A561E835E261935BA5E6D115E9D" "4C4021725E7831C5B7F102F2D1494B019FFE9BF5525822C4978" "83F0E5194B0B0989DBDAC834CBFCFDD31294DAE5752ADB56C23" "D45668F370963219D3A9BE504D8E93721242DB7D4D1CCD22F84" "687E3945E2037BA24670649913712FE6B5D99BB6C8492C3B853" "E481CA9C32B3E601D31C60D6B5F43A240B0711FDFCFC0AAC6A6" "E5F881B2AE1123F7568663D8415DB5ECB3000AAB268256888DD" "47C0FBB5C95AAA9450947244EE4CBCFABD76326D2D079C9F1BC" "4F3D43AE1D01028FC1705F74CD16132C79D3A43539D2A842DF2" "B69243CD37491CDAB57AC7E4E00350F8C08737B6CCB8A7C48DD" "50365A85C07A525C15AF65EC3B2AC1C73AA6B3433483D5EC77E" "D832B73A30C672E9DBF0778DBC20BA5A3513EC93B4165A60E68" "717AAABED5041D9EE445611EBDDC8597FDA3BA05245228D7C56" "7BE1CE5D2BA75A256361E8259F43F3402E09B96A14014389B8C" "E19461A6512A4DD7F866E73ED26B1C454E014F901DD313D5E72" "14CE7A62C476DD28E4152EEEE89F309161C8F494F0BEE613B72" "696F496BB41659A3804683729B40682DE5D0F17AFC0FA9C27B2" "C96B55A05C536D283957783BB93C8F3E021A30D6051C9839DC4" "8A70C127611449823B06F0DD460CA1DD990AEBCF3FCA9732D01" "2E9650907BFC44729DF2827AE4055FCCA246ED3D75DC3B69DDB" "3666")); test_hash (&nettle_shake256, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("C7EAAAE0CA10AA1CB0225920A8F2288EEC0E5889ABEB096A983" "10782D918AF4CB8C0A41384D8E0C408950EEA95DE8CA6EB87F5" "E86780FB91293C5D14A798DAD9B77EA8A5B50E17C19EF37ACC5" "166A74A1B37712290CFCF98AE6349DBD4842D8ABEC6735ECD39" "2D59591824963D403B2804135BD46D17E26D5C498FD7111BF27" "82F758802A20AE6A169AA65CB0D6640396E982E30126C37F68E" "19CAE5FF9AE3743E38F902D306D8FEC8042DD914003F960625E" "8F2104C369CEC0CB8D3847C28D050802EEB53C5AF08D70EC029" "79019700E182B7127661DF869807C16F309EB08F376C5C30B01" "89F1B4B32423BE060402C1EC9B1E7AF2432FAFC09E4EFF7DC6F" "55A52108C5599BBD5A07F433B3EB4D439D43EA79407FA711132" "CA9A5E2F528E18821F38B894F624EE42400832F8C85AAAD0FEA" "54261E2B55647D9FF5F31AC212E7C38CC96689C72A4F543A256" "7D8EA79913727DAC3172F69CB16694E5D4EED7C16494A297C87" "6C73256F6B30F88B6E180E8E62DB68458F2CA416C4A0317F70A" "3E2465BC543FB07AE518B6571664FE9C2E49E2AAD57AD933869" "C04A1CAB60903F9AB1C14E4FB3B6502F387B30693AE4A85A172" "FE6813C42026DE57291B3D854A191F553893B3D4A79C84B08C3" "7E80C1ABDF03FAB58966410C2B8B950A275F68852F006B2B38A" "49E09165AAE5BA74B934A6B7133E431F01099F930B5FAD2790F" "126E")); test_hash (&nettle_shake256, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("CF55585AD2CF64217E5CA23319EBA00C4EC74B7B9A453D1D7C1" "44E8B68FA8EAA16B853344ABC905EEC90B35B681FD8A4A52460" "999BEE62489C467151EA5C0D7C8EF2B9959FD44D171D530AD4A" "576A0C76B147127921817B167FB43050D7F2F552F8E77ED5161" "AB00907599AB80FC546C859DBDC04F2CA3E38A7593DCD22EC89" "E73C4924152C7D1B5281699154A3325196E97E73DA29251F60B" "C68706885462002C126517E00D02DA6A23B0CA9410EB916C19F" "EC76DE9A907447A8DC1F8304EEBB6E38D0694821EE03865A5BE" "DE036E01AD74AB397AFBEF6C62C5DC211A47BCDCDDECB48B17B" "F5336FF831DB7EF9CE7643B285504D495161D4E864B6FEE67D0" "EFAD2888C04A8992F019E52A6632F72539FD65271E81537AFBE" "9E7795C658AA0C3B2C64EB34BDD0E5F19EA217B6EC9520FCDE4" "46C2207C9AEE94A6AAFF4F1F39A91927DAFDC37BCA8173034A5" "4FD535BF03212995975240F3002446DA1D111C0F97C92E395D9" "6E120B958F643CB4EC52C6D2C148E6A0A497323565500AB1174" "21C4A0CF0A055DC8B4D287F66FCF7EDAF931B614589EF6C6F46" "84A80A9DBFBAAAD85059B9399CE2617B55E04C2112B32A210D7" "530A3C58678B1D48EF24E2FB6B6F90D4FC605805B903085198B" "2C50432D9A99454B68AEF0C9D0D81931123D7D14C0DCFF84A54" "F3D4DCDC9E232BED26E2EF3334220F7B39EFADAB2CB9E247EE4" "E880")); test_hash (&nettle_shake256, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("85225E389DF45458881A78277858D3B12EC5527BEE0D03F41EF" "BA24671F1C245EF33BC8CECF3CFB7EA82263EF8F5F4E2C0D033" "D1DF6AD35F1ECAEB2E40F22ED9F4CD0D1B9FB1FF5AFC3ED6054" "9F1836E325AD6641E4444913A9AEACF36067A7E6EAFAE4F5D17" "38F4B42F5185AF334FEEE2838FAEA6203032F3C5C3D22863C02" "783D1562E12B0C73DF3098CEC208BC855BF84A9C231021AD5F1" "FBBE51A21E2BB66BC555612500822F43DB5594D0D60532B726E" "3A430C26D9E5BCCD57F83CD1CE3A5A31DDCC21DFD8A76D03A10" "6FC77EB55EDF19A46023B5D70835C865952C463475769067FAB" "2BA2A11FBF7F29D6400D10A34B1DB497B5B1D8D8A30A5C4DFC4" "0EBDD1BDC992380074ACCAC904DC24F22547A99E7F5ACC53BB8" "3BF94A522E595D9AB54C4E7EE052ABF95FC5FF52967CA2FBB92" "7ACF7127349BA7FD26AC820C380107B0E341866A9F57852DF4C" "E28C2989F04A40FF14033B3D36AE7D24A8E377AA40BABFB8502" "B0B9B12DF9B42C2A9982AA29697A2ED522E344814E59D91132F" "39AA537A521BB4B781CBCB5E1503354FE6A25072A52C54D248E" "13F8253FCAF93E849597C23F6952D0F7F38D1A4E7D08FAFAEF3" "ACBFC4371779C6795D1CAC6BF86C34FB227AAEF0AB51C480C45" "10C9F1F463CE311CF931E8219D71BCD3FB55D3A8E9A6C86710D" "18F9FEF6A00D1FB878069AD4A4E32653B0EE15866268D5772BD" "4990")); test_hash (&nettle_shake256, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("561A3E8D8D57E0E32D7E9EA8AB6F58AEEA509CCE8740FE54E8D" "B9AABBB14AD782BA33C7F9A5007796CA2BA9089F525BCF80BCE" "DF4C09E24E8D14F1766AA97A82B807FB1ADF65430BBF5F87AF0" "A7FF26578C97AB50148B6B15711311FEE962A8B9C3D1ABAF624" "41CEB100DF3A8E588DFE3F6A356B348E312CA017C94143B3DF1" "7F255DFAD5A7341B163C0562D24897FE9E4B99262FE5BF6920B" "79ABBAF856CE38AFC756A77F2BFD5C3A039C08480BAC81D641F" "8B955B22B66B455BC0637DD49A1218C4E8CA73BDB68B8849D21" "48C021C75BF8470D36167AC32FC88128C4E0568724BB2D631E7" "FEDFABB91F0343D267BF3A57BBCA57C21D56E339CB13DFA5E56" "F3A90F0241DBC0D0D73F40BA282ABD5E031364ABAF427713463" "EC5072B7AECCA62E074097BD0CB3169DDC06243F08B62527921" "F5FDC9332E99B2E6903D65BF809DCA706C5C0F93AF85B9BFEEA" "40504A3DBB390C6A417203979687A7C86CFE5AD3F0737DA1B90" "7F8F941EDF44F8367B65EA8BB92B5285A3ED8E1F7EB0FC00536" "C15005E4F6D9F2969AD96721BFE7A6A4824A37159EF08B0FC60" "C68518FD4CE54E4033C41ADE6CB218CD7DAEE76622B711A1609" "168BC115AD4F6219EAFBC492E35BDC446E866433C7446506692" "94E8D1827A2500F3E30893C14820DC24E36B3B451E9459BFDCA" "E62168706228BCD9C3EA22C4F1D0286367C7939DF31E28E7A2B" "28CF")); test_hash (&nettle_shake256, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("3340B37AEDD2F0C66F2483ABDC66C97B45055275231F1C7A925" "687B946C9135BB75AAB2D11E6463073A1A8CED0EA83A42736AE" "85D1B99D1D2EE9AAFB6FB9F4E7ABACB39BC9F6D59883A9D1B0D" "F86C259394A05842684E8A4573F1A3CEB46ECE59DF77259A0B0" "25B831C2CC0DAE259551C86DB7DE0C434FCBC35328810201903" "B92802CD5DACF9A6F4ADCB05EC5E0629A3FA99BDF2A5CBDA2AF" "81CBD1438821A319408D67E5995342BF9BB4DA85BDCF43C5A2E" "AD9CB4FA26542EAC044DC70857FF1B1CF95026B6464B96A46F3" "A138FCB26B525E6A09F71ED05E57ADF4A3FAB611CD8069E016F" "ED7B9F2F14C38102612D66803EF0854B2C7678E870AE7BE6CE4" "3EDF447E476C0AD407F0D1AEAE1265521F43AD6CCF1F2E0C82E" "5395ABFC41E08AAB436A806083E246CAC452513BF8E9C9E47DE" "645055AE184D988D0D3CC1E5DFF6AA98B3EED26E788EA342C6B" "1914269113248B15D0B79A6BD71EEA6C0BF9D89698A2B943AE2" "4F843B00B34620DEE9DE5AE1FA1E00677D8FD9716CF43EA1EBD" "BBFC2984FB1B27D444AF3B2D01A86412A32090A45385A912F39" "4373F0610AF7D3C06D8564FAFAAD3B88C70196A1DEDF247AB51" "5E5FCC8490A889F974E12D8DD5FDDDF8DE55500CDAF60FF2B70" "E7D26B481389C2232FDEE43AE99B221893FB7CDB688C0648657" "1A09B9A9B5D2DAC509BA166D0C5F5D8EAC363324234C657678A" "0CD7")); test_hash (&nettle_shake256, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("FC9C58940908E1F78AA90E888879C9EF903CD450DB94E5BEE0D" "8ACF6A4E453A32A610C6209D9F5A44ECABD634D45D04F5D946B" "CD388E2943D00AD8A6C4682D985F45D796ABEA85F419D3990BB" "DC5A21294970FD42B6D06363E18EF7C00250E96AA96FF730DE2" "D92E69BD19C2EC40BA78F94B7D120CECE0B0A44890CC17529A0" "54EDC97C25BF7AB6BC3C955466F656FE450BB25C34997DA9425" "8A4473128DDBBF6EFBA41C1843F69AC2B86A5F13EA652EC19CA" "A10FD0D605B4F31CE170F9FF1D6C7DC064EB4106C6F4F54C88A" "463EA9B97206E567B370DCE4DCA5B998831362DE38D8DCBC0FE" "04E87BA9EC6CA571E6A3BDC246D316A55FAB5CE8AB0B71E0E8E" "DD9790B26E3482A95C732A304C1DD48A3955ED995DDB86AA7B4" "E6406D08E189596BC8C5A5F61A2AD336E39D94F6188DA5A1E4F" "2CC9593E92B0D89E12CB4E6FDF89C5C24ED83D66F5AC6BB0A6A" "3C88B151C35123DE2F3D2D18D8D302FB10299F68F65C9EA2E55" "21AED6CB9FF5E357DDC1B9D4D5BD7B13DC9B4FF63941BEC300C" "C787FA6DD0BC617F5389EB6058D05BFCAA16F08393F4F1DC5FD" "4226542F49F771E5E93D87E06C4E663ACFB2CC365F3F7901635" "6656F92EE52DC6DDE14482E2CC8A9EDA71189E3C5A431EFE0A8" "768D014F05D45685E472BF22E359B8A6C8429D8F048314BFEF4" "9AF2637108E774D5E41D6B38FDA700FA2145B0235E1DBA03BC8" "DBF3")); test_hash (&nettle_shake256, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("F723334037CE684CDEBEEE3F14B0D109B075EDE85C489EDF798" "1B3BF88B946E2851C9453B0E891349080405BC3B16A99879FD6" "3AD7314FB7D26C050061D3A2F971E2A79C4B23338FC92E21466" "C27BEABB1FE045A0A10F33516BD77E7D87C49003F1CC173B61D" "4ABAE5151D5A723C2E6571B0B7039FCFDA72C149744512D5FA2" "0DB8C736A70FC009211FDBE0D7245C5C26DD878CE52DA760AA9" "0D45A5501EFA74677B85A736B2860876B23424D1CC47660040E" "919DDEE1F67314FD902A1D5C1DC69B70BAEA890B5691322C81B" "210DDCAA3CAABCC770E68B1BBA5B08C3D7676771608924A853F" "D770B2AEDD8D42B1E7CA6CC0499E22646732EDAEFB94761405B" "76C3A58D5CDD1439ED1BB06CEDEC79DCDF38E373ED17798A51B" "80665C026DC2BBA3EEAB43CB9024FF6F04B371C07423CE2D0B2" "E2A800B213D9FE193403FE868180569EBD002591959B8687E09" "F81C9B2B8DE7672D173F8EBD0794ACD309A2629ED0AA7E14B58" "635115A58CEAD5BE08D3105E2E65429D1F7823BD8DAB99084E1" "D63BBC637EE37AD4627E57E15DE35CA52FB8407760BD2AED167" "B6EA65B0C72B9B53C58A16D030A227CD92F19F14BA5AD6BB00A" "5775E4A091D7844AD2DE44CB9D866154127CA1B1A2422483A14" "6C729AEB85E67D597EC6F700C9DC615F2BDFA6A1C9AB038B81A" "D0307DAEEFF021EBE7ABBA47BA002C27C2A07611027FC69C9B6" "3992")); test_hash (&nettle_shake256, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("37A534CC68DE78F87B85212464858780E143A5E0DC7D46419EB" "17E45E1872186DF8051353A6AF703C167B9233612ED68E95352" "44DD99A613FB43F277C833588F7A2ADF2EAD15ADA2D6ED7CCA6" "AC786741B7453EED605C7F8EA3A8E2AA8D5688D72EDF964C085" "42422DE589D402DA18E10E7ECBBD132A10FE382A7EA0A94C9E5" "C7F31C7BDF018F44BB6693EC64B266E1AEF1A3A941E336E479E" "FBE2BC897C93576F5F1BC9C6D4F6E948A14464287D1E82DFDD1" "E0CF0A68E9FF696B5D5392F4C46845DF19AD5BBF2B158659E85" "6BBF6732A9AC0ED722BB5EB2C25D35FF83B892DD30BB01FE20F" "49A28C52B6F28550FE56D176790AE2D96648C66E389569BC2D4" "7D0A5775E0F6F1B7AB8F999415B3EEE8AAE8A3B663F13E0EDE5" "C81CD001307FFB5AEA2801CAFCD1B09D31182220F52D39855E1" "DF732F1CF2671538AE37726B3B47760830B391EDBBAE70B52F1" "F2116762C685FB8523742D90A427C991F80DB823E3496994566" "10720744BD2E4FB9C40D1371DEBDC7D01B2F5BE45C0231D297D" "E09D66616509BBDB854D84A2D7C140E8489884794D3679FF8E2" "4F7F04CD72058EC305EC21823AB5A47AE9AF8D10EFDBE2642A9" "7DADD44F174622597E4BD88698FA75F24314E82ACA60B42F66F" "84602C831FB9FA73E95955151F931841F1B9DE7C3F95DD78689" "3B45DDF66045AAE6533AAA59060B415FE392BC585EB4C39115C" "C163")); test_hash (&nettle_shake256, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("60C681E527396D6C9DC1E5FD71842F760F9873621A9BF2B9B98" "C5DF450DC7194379991D7A94397A206913AE1821259D308A5DC" "4D53E552DBF2287B8694F0B6184B737D5E32E1258CD7FF58E5A" "A9B5F37571413395B833CCC5620E37B0A64112968D4D7ACFFA3" "A66E044C36E23363F1A09EEE48EB6713FBACEA29ED63AF0DB94" "ED2BB22CC01B89D05391C1BC8844BE8BF105448925AD2373D46" "D3417F920046E8E4AFA0C11A8057B4A42FA4CAFEC592F8C2F8F" "1E2D603612FA38DFC3D3FD768EF7317802342E76E70D30745FB" "AFC0BD007EFF874CB32761D700C88E27DBEDB57CBFEEA688E0F" "06801847C1046CBF47E2C12EC0A4016D5E8238916DA887DEAB8" "25F965F936C79A7316465B48A2B8BD5889BD04580FF7DC91C50" "DE8EB60AF74E74BB4F896FF73CD3D1C55948C19DC0ABC841D7B" "C3384AE4D60BD855F24BD2E402FAF5E47D66DDD2F0533F9A73F" "D483E3965E967C979382F643CDA535C4AE3AECBBDAA51CD7A89" "C8B2D9EBC0B7F9CC1C1EA355F9FECCB62345BE39A7D1073CBA7" "C5C46F2163DBC1E9A6190EF620D6053B88586E73B18E816206A" "72F297EF946C8B302A6E3FC92A3E7A9AA87E26C1466251CE1BB" "D204BBA7D08FEB28F99CF27BDB3E8479C9C57FAB8F00797938D" "471D53A1666156B66853C067E64695978D2E9AD5250FFF6CD14" "91F7BAC09B77ABF42249FBBD63DEB5919A1FC96A4E26DB9D789" "320A")); test_hash (&nettle_shake256, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("D8EF59E48FE97B07649929B9194BCC57EAD8E0EF010FD65031C" "18B4CFCC0933152054AE17841D06C36BC375CB1F98D83E2F9C3" "DFD54B88312AE71D7A00590A759E4B8D524124CF480BCEC6816" "FCEECABC9E13356F99ADA2319C3EB0CC9E3BB504EDDCF7D3839" "511BA0B412A72C3A8C49F7964A4F2EED7B814722A487E3EA6E3" "47CDC2585090130B4DC535C3FA98E085F107FA43222B167EBDF" "2BBD65ACE691D8C23D64DE52F966983A3D4479CEAC8AAB17794" "7079656A454B7BA4548BCD5762974264C7BEB17DCB4FDAE572B" "D67067F304990611E7C7F4D50BBD2B29D19C02D51918D5BE6E8" "56BFD8DCECEAB2EA9F82F5BE53E57D4B00AC371436EFF3898E9" "30193DD1A21C5B54506C6C91EA665D0D9992BE999F1DC434BA5" "87DA4EF05BB296087314C4408CE0C5851660D0B5D1746232E03" "1934284F85B7AA38420FA6EB469171FAABE88F85CE64A7FEF84" "20ADA1F9BAAA4BC93D779C5A268A3F1F8A57CD2FD3B19CDD4E6" "48E622552C1F16455F32631A3D91EC2F7A882DFD0EB13C4B85B" "0A23E2477B53E0FE5E174F058268F6A24BA3CFA38D090AE6088" "339957863733E1DA245432AB0394EAC05ED82428C4418DDEA00" "C45E57A1719C7D2D04A781F8D0187C7C33117A3FF5473BD5C12" "11476FB4EB64AEDE5A9E2DBFEE00671E7A9CCFEF7624E1F688B" "77CBC755B95B6EC391D8E9DD0B65CFF4E1FC22F566F0B598BF7" "ED6E")); test_hash (&nettle_shake256, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("984570A811CB6B53213280F8C06C69FF1D17E767B163F8AFD76" "674AC018A1CAFDA4D94B69BCF58F3AE8A53B107976ABEA6C616" "D85AEB98BC10F29177A3590BFE943F53D2512323E5E79D64F9F" "1319D47D6BA84C7EA37392BD15224D94BB16D99E0E1E7062FBC" "3EDD7C81418D816E875FBC9D7434249D89A6002BB777E367F79" "219BC7FACA03E1B9488307DEA98F304258FBCC53C58A483A6FC" "C78D9D9B28D99DB3709E32C1EE91FE305F72B041933C8CAE6F6" "8C6229658D591CE9B1100D6974706BC21A45224778D12DFBA63" "CBE9A1A3FE9680A34771D9BAE39B4DC9C191C0A4E092F8EE92A" "F2A02C95242CBB24580E04774AB41B07FCB6F61ECC6ACB2E48A" "77E544AD9F25EC0ED7F440C26B8C9D25C7CF4494AF0802C4B48" "2DA80251F7D1572DAE337725B9A976F70BB70B5037F333D53BC" "3C252AD9AA13EAA7C9DE1AE4B24F6C91D17A489AC9D392038B8" "0EF7679E75CA6994821F153C62D6CD7EF58927636EDF95EF6F0" "5520025C4BBBA23685A862F244AB3802AE1D842184A5F5F344D" "1193E1239990C331488C1A8B98F1707C389C05AFA919F5C17EA" "C158064350ADFB9532EB0AC9111E256251B11D082DB28206AF2" "AC514707D956A35E26495EDE4E98C2578427B48BC99B9AEB29B" "0FCBE44A0E51CE9BB37864DEDC30BBB5FF9A055423D8BBD453A" "65AB54E65CDF773CA695303FFD4767193D65F26706FED1CF35E" "740C")); test_hash (&nettle_shake256, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("2C2E6AFFFDC10D54F74AFAAD553CCA0DDA3AE5A5EDE3BEB611E" "4C1441AD4E51B67EAA2306ABBB39115457FDF15FCE9607EBCF0" "537E4F9AA2703D222A2B5FE602F87F6B54CC7A9427807A10E56" "BE5B29BC3DD91FED0322F291D87F563BAF5B705534AE8BAC35D" "4AF68A23963C040F4A1AED9B3E51124303DFEBBAEDBAB35D7CC" "BD38D482EE45E261BCEFC53D0A25DFCA5DFB60CB2672D34CD41" "54873F92B33FAFB8068A95458BC1166B36C3977643BA159B655" "654D1755FD5E396AB9690718266EF6AE670452FBE332BE84750" "BF7A26778E555FDB59AE0F48D6EC3FF4A1FEABF2FF7F1CE4DBF" "3269DCD91E3CA9962D88DB9C527874DF15F7A6DB9682B1F0D90" "4AA875D29A8885AE63E90461C69B688046FC771321FD6A61A6F" "1A93FC95FAC72BF86ED76EEBDFF0CD6960D72FC460753ABA032" "4F2D7CD7372F413D4A49E761CADE4F5911D18F7C712F61CE1A5" "C9F07ED2B042D5C86B4DB97E1B7ABA57E2F2DB98CCB4041A16E" "E21E08ACE213412C6D61CD3C42BB5D8DABD7B5A945FE512F2E6" "4C3B1817D9BC5840D6E16F7E5E2AC36585BF8107ADDD0C269B8" "510DFE11222DE1BE13CCC2A5BA8536887A11A0A733EB81D9372" "9D487481655F531BF4AAE624918401097EC0951F7FC535CBD85" "691E0E0EEEAC4A5848A61AE8D6D6121D3FBCBA345AB755C4E84" "41ED7853FF46CAA48090728A7AC39496C3002BAA99DC90F049E" "FE4C")); test_hash (&nettle_shake256, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("E36806AC60D67682D34D80AD11A1415901FCCC216D7548DE3F2" "428B1963023A9394BC0E1766E279AE3509AE85D773D11DC8F11" "AE65C5C0D6401575CB33835081492C2B657F34514ED6B0DFCC2" "639FB758B5FDDF638576A64BD34759D629FF133112CC5200267" "D8C9997E1538D602CA356E821F06EF84C3125D8466673312C69" "03CE166FB97FCB3EAC9D30D61E13A1DEABB922DA6E5675DC897" "6CD4426EDF7A7A797DED8936E0A3E721DE5C4D956E8287C4B05" "D1210BBD36CE0E36B7F2A31945FCA6BAC1CAAB3C46D4C8245E3" "E589DBDDBD00A3B99D8DFE33783235026C1A990F1C383CF71C7" "55446D8F5DF4A114B9004541065BDB81AB81B98ED47A1D05595" "AD5E168159EC620B1DA439C6CCB6C4D57A2ADB33A0E113FD0D8" "ACBFF5C759BFFA29B36E8416EBA1B8F45285EF3F496F6946EE1" "DDE798CF8F5BB78900E59785597101DAC9EC5E5F5CE0F0D6B17" "3B6418A75BE30A84140FAC4899C4EB8DDCF87A0F78F22E23780" "6E0871CDA9976DA0E7E42C4AD73FA49D3F9C257ED1CC6C38980" "6BB2C32B1F7744DDCA53BA515237F1588F5FA7C636360B6B8D9" "8DAFA7175DB320A1A3FD1B3A092D9E8A4466971B87E5B051898" "29AD8D3B407F3C5E4265026C8B801C391BE0F9C9DBAB2F56362" "F820384D859EAE1ED9B291F5F03F14F12D0FF8ADDAC128988A5" "9707FACBE23814873246C99DB793099E6DC79712C612D41302F" "8B59")); test_hash (&nettle_shake256, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("939F4A4B5E37B675450782B0E8554BD6A2821EC805CE07FD4F5" "A3BC3816A2305F2353FFAF15883E760A3DEA064DF1583CFF5ED" "83A97A62DF9D174AA80958E7649460FB4880DFA21DD7C00F373" "AA9F010EBD1DE7E1AA73F51F84DF36BD2DCE6B37D7A1112C6C6" "9EFB734CCE2AB12517FAE38F0F3592A4693251CB4F41AF7E820" "F1E6F432CB9F88B82FCF579B2A5FD0E9A5B3C28542ABDAA9C65" "1EF1A05A385051682B3238262475AEEB53894B8274EF37B223F" "66A32C0D3DF45F3F191414FC0E8878E3D58852B4CDBD826D236" "A7010CA49C43095786CDE671070EDE3F5BB74F34DFFACEEE281" "042EAF3D2B39E53C25A61F3B0B2D79E4305B9A17C47787747D3" "CCA46E88BE79464BDFD16BB44EC7D862503077D3E4E3C55BA1A" "1FCDA217D53F5C22A35F883FBD0E786AF38276B341733F82BEE" "BC4118D486C32A3E7A460E24951BFBE760556E36981805B40B8" "37B514FAC3E8213937ECB018449319AD3FE1C0EC19B502E8E03" "99398F3F8C74601F61A9BA3021F153ED45A99BC150AA886BF09" "0B0134DA25B2740EE5156CFE28151EDA24A2C758303F505E465" "F9D6A409651D4705A80B3FF660B2D66AD061960A3C6B81FA8D8" "31659830C5243AAE26334917660FFFF3B977FBDA3730313753F" "ACF7E319CDFEFC064F2072AF7195A70EA74DB24E5FBD36D6FA7" "8C0D0D1085D05E81A62D3449F16007D3CCA29E4403DCE5DE01D" "579B")); test_hash (&nettle_shake256, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("3C78C3BD49493560231A71A867BBB666536B22562F150224599" "1E3FF28E6F058264B382BBD61F9A16D4DDA0B3A72F84606F97E" "7CE53F4A57C132A920FE738F818E987095C1292D9873A772E12" "F74BF42EE1281F408DC2ED7BCEEB2FA6FD856B7A01A95535058" "2C111B2CFBB65E26B745939E1DD4781A0265EC5AD4BDAFDE1EA" "40AD504EFB0E9F34E15E1526B1873F251D33C280F9CAD71BCA1" "7C4925AF9C3DBD4C6798BD393625017C5D3B03666FBC3AEE276" "AE669AF2E9E10AE2D608247F3DCE876A8EA3BEE6EE001C3D5F8" "47FC92A2A9CD0FDDEAD45C1F92414B23722005AAF8A7A0159D9" "1B77F4A0E44DEBB9A0967977B04072633B4588DF0D699C8F990" "D60FF5A2E09690A624DBE88B998424620B5634ACDC02C75DED6" "DBA9431AA7A0FEBC01CC5DAA3094CDC818B2A6CA4D808901134" "08565A714558B6BDC3E1735BD1FC9FE84210D7D78E0C50E8961" "C39725F68F083094277B7B7ED3300A1FBF42F72AC9A79FF927E" "4F76ABF0BA233A9E82E535C32D7054078A6A4A63F1EA454C6AA" "33C5A2299DF7BECB5F911C25BD74532EDC882FF4312D2AE0ADD" "4D0F67958A520011851988F9D3846C0100B4C119EA818062A3C" "69401344CF94F49AB995C286F441D8241F60A73863628AD8AE1" "CC780EA99CEFF0DC18A3D85E16CA00756627F6A1B7546359451" "20890313EE136438E01A41593B6EFD26926F48309122CF1DD80" "6C8C")); test_hash (&nettle_shake256, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("1A73A838FBE2AEAC592433B7CAABFD17068510B165896F00217" "A1F9E2093591A77330E656FC53D1223BC9446C11D329673B418" "6A85DC6091140C070843760EFFA56918F414A9C6F2D198E7D0C" "19F44AD19D1E89E25365CEF40890987D255A616524AD68574C3" "C284825A48C3BCB0B48D41EE284B53BE97127DECF90402E8FE1" "317263D179814177B79DF92B9C71EFE9C3C2F3CBF8329BD9711" "E6393457F076C8BCF16A70E854DAF7BCE58C31F55B4D0E9681B" "39FDC19D0703A795C234016C5879857F25A64EAF0700C681E59" "0B6D29605311F1BDBEA47762BBFB012BF103D34C2CAB53D53E1" "962BA6850B779B8673BA280B0FB79CC387E2559105DDBA2884F" "E493B85EE0F0747436013CED0ACE7280854E9BED8A42FC98DCF" "1AE5F845B677F4B802D01AEF9529FFFB6ACFBA047429D4DE318" "1FA959A3B74AEB5934E3F25498CCC850BFAED46738736DB5E5B" "DA73AC03162923D310A1F91658D15CFC5268FD5BCD9AE6F9D56" "52558F74C1DD85696233AB9EFEF5CEEE75F0A3489F46867B0BB" "1344CE24E5BE88ABB706CB49A07FEE3DD5911DCC0486B58FF2B" "024F844C3773A1C03CE35F02256157A6A2E6616569FB751ECC3" "E4CF01EF99BB0EA61E4AEFEBCC65450EF2999505427B23C7CB9" "278E27AB58C5FA2D5B0A432A6172CB1C23DAC420C92631495DC" "30DBE0AF3B6944F1E101D1566F0A1F4BA06B82C36A7CD068864" "FD3B")); test_hash (&nettle_shake256, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("674343644B198DA1CB0709F842239CA1559AB643E48F8EEDB37" "3671473CA24A99A74E20AC6368B661BA1824AF92985B3E7F957" "F9C935C715531703A6B8B5113A364F52C7DF7C5488997A3FF71" "873FDACB1A6F4AC3B631A3341BC36CB742F8100B28029ED6C44" "FCB41E93B6F171A064B0F13B2F83B1790330DEF22A387C52CEF" "7F16D1E398123CA0231B76494D708CC694A28E281B34ED163B7" "931312DAA56752080C4966F8638134680CB96C4F815AC678106" "FB243ED3B9C9A5599D3851BF3D89CB7BA463C71A868F74D07F0" "C6F9C6F940F53D88E18892EE6CFE5FE9C17B92569E5C1222FEE" "87792987663757459C35630CB355F445630826807909BB5CBC4" "F5C8E0BC669BE6C705C12BCB2B39552D4AF42204D237FAC5BEC" "56EF9AE6F60BA836AD865983DF2F25A1F8C3F5DF93F87EB7647" "2DBEBDB20FDF894C0167287EF1A6355040C4D4A6949F4886974" "98529217E4532A445CDED47687CFAA14DB98260DE9321A16FE8" "4E4D82D2B1B0C2EE639B2ABA48D85E4D06A369CDD9B03A0A846" "EBF83ECD5ED257876BD5E3E7838108FB3B86B6558F8BB454F1E" "76FABE18F3B66CA1448C1B02DAB1BCD485E709CA800D5271952" "602E9B1BD585F61936D8DD678C900407892756A08730B891C15" "4B33D83BCD1B2F441F1DFA79AF235316BE9A3E20ECEB4EB23AB" "76D9E9564C367BC27424DAE397E35BA16A8CD4BA15CFB7D9EEE" "2B82")); test_hash (&nettle_shake256, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("791BE2551F426CD350322EB1AC0E6902996546D446C229E03D7" "4E25CDFCAD06CD99BDD3658026EDBE8708AD18DB91305770245" "0BAA457EE767B7F6085B0F1D35A86D8C5C62A35E5A11B81D409" "C12C8AD5777E245ACC369ABB5EA9D8D9517AE7FB4033EFBBBCB" "B70FD6CC1E55187AA8A27C75E5116EBA46DE2C8378997504A82" "390E6B085A45C5FAE52FC314E876DA7A7F90226CEDD3C4E9858" "87F162513BDDAC323E85737F3954DC58D12E986BB1840D0EB04" "6102C01381DB2915981B23DECE4987661B41B56D30C35A13DA2" "1C6D2AB0BB7951F04804986DC2127F7F33C4937D27427C7B706" "2EF7EDE944EFD0015681C2FA0C115B67652A7EF1AAD03C0FC45" "42BADE7CDA11F0AFC57D8E2C6DF0E5BB5440C2B3ED2807C2798" "CADC6F371A2D6F2D647936B82936BA4B19A16F599689814AC4D" "E20CC7CD05A3452D9286B345037ABD23850F22A56BBA707B1D9" "CF299ED3EA21943882669735F69D25F240F87F3B34CD794B0C6" "353681006AAC5AD75CF46BC6464579BF5B715AC741CD1CC06CD" "CA6E8D579F2FF839E263C94588CCD268B1D375E5DF5BFC8B7A8" "9FD72CFBF9BF5400EFEF53186B50497D942963EEDCD6A742678" "4F38F8808C50F867D22C10FA4D7DEDB4F5354FE1EB1484C9F64" "5397582838F1C78076891C5E1E44959B5C74E28D7BCC3F6ACEE" "4E5393A5CE24E97CDBE1B22AE853C567068ACEE03CDB3157A3E" "F657")); test_hash (&nettle_shake256, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("7C0247B191C924335D843B81614C0F1A6A9AB1ADB6C28692239" "7D8C1B26220A35C13C7151E35FF9B3653A086DA339EA1F05881" "F414E7A16C61B1453287F924C48EA933995000A9C9B0EBD5E8B" "EF2C92820CCF9BB6CB0F465AAC124B5E794FDBCC60584B05CC3" "BAD06D41CF9DD5D3D3B7FE1CEF634DE558B6642E591BC2F69AB" "EAE61EF5DA27BEDF291D2A4106B3DA946FB57328E827C8D4EE1" "C3665AF79F96CC290F924348C30205D75B01BB05AA9DFC317CF" "DDEEB7E3764589C003E2AA1DDF60A3C98ADDE4517E40D08CF80" "646205EC9FC6E9A3E1B64B2EAD561957C3E2710DFF720BD7E58" "41481D9E1A048D1C76A3E1A08BF010428C8FD2A6F2DCA4FDE7C" "8CF59C826E6DF246CDE77D5823DD1E0C0759AF8356E89ED4C03" "276A37EBBA73DC196E7915B57BAADE13A7A276AAA4456E23E44" "54D44260D9EADD748D4E7E1857B6D2D9C301AF6118270859ACC" "43603C79A2F6D698871FD5384DAF43B16FEE4ECE1146ED54E1C" "A28EAAF2D94306383609BFB26D6634DF00198E0D19500215E17" "8D77329F7504AF80DC6B727EA7791305FB38FDDB1CEF7F626A4" "9AC6E34C3A6ED630F9310F890392704A2CDE00CC850FF7CE9F0" "E1F0CB4B1D0C161CA3B812309CB3C9E9D071024D61E5265A71E" "7ADC58A3D47A567F5B19F9E13FDCDCD34F3DEB12DA3151FE817" "E5844F5FCE12805B064895671F0C3767AF5A3D203D095BE306D" "4A26")); test_hash (&nettle_shake256, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("73F5EDF85CBE959CDFBEABBE2A96A1812134EC9D3CCB72D6039" "D4FCDEF0B57BB72A782B76963C97AE0C2713CA657B9424851DC" "903CC0488A169538A0DB3EC58E67C4EEA1C18ABDB2036C79381" "E76F5C9F6CF1F830E0DAD77D2EB90F120EFBA42B20B15B8C8CE" "8532C5B668464AD4986A281E75E4FB2CBC59ABF886A8540622C" "2458FEFD190908A09FCD7F16B6E5BCC7E950917794FED485C82" "CEEF7FE0FE4665E0922406AE1F8D34E5F77BFC0AF8B4C881BF9" "F76C78A233898D120981BE96F67D135723407ED252432928C7F" "2580FB80000CB51E3EE8DB02D4EF4FCDBABB704DB0CDB9E31FB" "E76930D285702D91A74DB806DACCC01A15C0129A7F7D4712668" "ED633462A6A036A9EC2C4A7E4AACD4D62DF9DA1FE959DB9ACD0" "FB6F01A75F95CD9768F408AAB1760EDAD70E936EEC344E9506A" "586B9D42DB99EF828E58D281128FB0EAC1185BE704CC9D16E35" "9EE3BC1361A776DE4803132822F99F7E477764C9408B0457451" "50AB8A7481D266995C91EACA7A9497F4CA1848828FB5ED127B7" "A4A5FA0F23614165A8E4DE1E619A40D4E55AC28075AB2FF1BD4" "2BEE19F2F9D63630CAC85EECA329A0A1877E848FB2A64176411" "A7FCC2DD63D6CA19452780BBE4EAB208B0FA7B25F21F17BE1CF" "7C5415A04FCAB687B7D4BA2F657E39D5EFC17F36A1A0E3DE461" "0788ECC43CBE70BA2DDC33ABF4C335940DD53891FB6DCE20DD0" "39AC")); test_hash (&nettle_shake256, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("9F303DECCEA9369400C533CE2E162818957E18F65C05A675404" "CF8637FDB57F3251FDC2844CA194ED97CD021416E764E072598" "106E9D97D420087087DCF5F8ACF1047A7B4518E683E5AC6DF1E" "F1BA7EC7A418F12E386DFB7A4A5EDD9898CAE54D645AB319398" "2F4363DA670F1FBC7AAA1194A03BB76391A78DAE7E4FFF733A6" "F19393E9C4CC5EB3F5503D8B1CEFEEB7038B0565F29D6CD4460" "090FC63E3C4DBC7D5D3D107F8E905B21CC9B9EF3C535AA0D8EB" "CF787631744F80A05CACA3E50968A05F85E9CB0D775DAFCC714" "FD6D93C8B110E58F9AD1F8077CC80427515FC5C0CF081DE5FD4" "CFE6EA6DD2F33A2DF212918A3F86BBB8ABA45D808BBC2CAD8DD" "09E7B9AF1C33B0E58B988268DB39118B2B2090EABADEC0B84FD" "836DB6944E8E27B5F4F3B2876077D52B4648885EF55DFFF266C" "7264C46EF5A3CB63588D1A86C82D19449E0C93D968619CA4D33" "BCADCB21E6787A5E41F0D4E95E2B47E422FCFE5BD7EBC65A302" "3479330E989B3EDC8320EDC868FB122DF078470B0373732E187" "110D3964B6E7757E84F177106C2BFAC5BCC43A13DC40BA8AD5C" "1E772C58DF0F32FF0F10348686CF0662F2F30D41BA48B121E1A" "146C70E6131E13080CD8B63AB79869AF74E64B9899855C81D20" "F753F22C67F1E4DE2450740944CDF4FDEDED59927F92A9568DB" "95E5B8515C07BF4E9ADF952D4AD498F3DC19A2205640A8378A0" "FD5F")); test_hash (&nettle_shake256, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("1CC30597732904C49C0F6EAF777F82B1C33B4CF00FA720C7DB8" "473139266E7304D81999F322AE6803736D242E7408DBB8955D8" "F1C0B14C6F7678CACDF2F3CC2A17208033E8C70BC5141A072F4" "1E759AD8EEDFF745DF0162C2EA877A7D673BC63D80C0F1DB765" "F9F5CDEB2EFF214411F95AD7C3C41F6AFEC798E001D31AE2243" "2A54BADC751F7F713B4A3693267BE3CDD3A1DDE1A5E638143A2" "FAE59A2A359E197CF4E5E1D933DAD9F99773F164173E3E81898" "7F19D122AAB725AF24497CA116EC201B2482F0539EC454292DF" "4D018E286247F8C857B53816E9623D580D69FAEF60009FE72F2" "5B4609E8DAD73A06C006280EDB0137A25D5462368B18B8F3752" "5C2C74FFEB4A7942683B86ACA6FB1D773E9C92311C4E197C546" "6CE90CF01C661EC2D928EE0D35A2FCF0EF1A87FA7D298747E44" "DBAA4C90C655348B8C2771F378FBAF0702EF9CB4B42CD5B2601" "6D8F5FAC1B79A49F8022A180F04F8988B5895822404D346A036" "22A5DF8AD2E3F6841AB14644F6074A72DCDA253D7C9423DF9FC" "15D98F49E3B2A1DF2011CEAA61BB7DCEB3860B9B66DF3926A1E" "79E73EF6C4429AA9F344ADCE7D9A7451AD97D0C9653B916B029" "C4971E6756FBA775F191751416C3B0587C2FC5043F38D2B6205" "804C47DA3E85A99B47F1AAF42D9C709F21BEA94B8CA7340FBB8" "B262DE6C47B79DE5222AFEE7B1C994ED526AD4D5641136F5227" "A5BB")); test_hash (&nettle_shake256, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("6D96D224006DFBE8EEC28892FD2BF888FF543501F2F8AE5B6BE" "B67713173C88671E4B3804D695730FDD0CB04FFD873B0E40110" "3DFAE8F014FFB0EA382333E33985D1037403029F0C642323183" "AC8668907DE791BDB0BF7112FD2C8BA5D3B933273B51082810C" "7515C78173DAB93C7AFC48B0A76D5488B76CA0E5DA2226B669A" "2EFA56F0A2041CC4A60212B2B4F4B02749B211856839868CCC0" "A935DB1F7305EF356024FC78795690B69CBEA01EC0B5AA8B3C4" "AC2D1815176B57062DC4742DEFA68081F21384FC875339F4098" "5E85DEBF3AE9EF80CFCA746375492614FE5E76A96E506403FE2" "CF5BCB43AE6E4E697E86237E825BDB16087EB32D3DBCCF2AF2B" "624ACB4A960E0781E7C686B0B3A8A0E4BEB1F904E0D84B00038" "788A02CE66BAA59EF185E2678598013C60208E5CEB50B701BDD" "2694A24837F786931027AC0D64A229400B5783BF29AB39DF9AE" "CED0CC8B9D6FEA52DE3E9220575B4F3AF6E2DF155A20D87FF3F" "5ECDC0437CF7A8A648A0BE9C81F0EC3457BBA5D5948149C3FF2" "411053549AC24DFFC65B54BB89B227499E35226FD9E1A85EBF5" "DD534852921BEB63BF850EDB495F9DC1876C6A481E9B774E6D4" "368974BD5A7BA7A16E90D078BD651F128CA7AC160EEC05CB8F3" "AE3CEE4BF998579B84418D7A70DA95E65E4DA9933EF8E399359" "D6D1993E5D9753CFD1B10737F6930FF0CBA3510D3BD9CF78F5F" "79DD")); test_hash (&nettle_shake256, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("E0335CBFA877DA0DDD79072BD7F46EA6313144E633BA2C207CB" "D6948237CC32A39DB06F951A1A4B9B0B91011158D38938ADC1E" "42408A2D8A95C3EAC579C922943155624F6318E12BE7EB6A836" "79508E0910FB6E85A84998F0FBE06B087EFC6EC91EEE277B48D" "289DD6E12C820D0909E206750C82995DB86031E71B0D005CE89" "8F1CF7C782F10B8CED5370CF27B74C6822910B653BBDD328AE5" "A4921478A4072B8C7C89B446E057F6DC4692186CAC39CF08E3C" "3F0C9457FF44DA73B88CE131A1E2B4C6A235DD464E4777B069D" "39A9EE2A5877E07E8669B0D610513102B00F8E2A7EC210C403F" "2E398EFF22E193A66376D0D08AB3013AEA4D508EE88EDD361FD" "A5AA4E17BA899632CB7222EDDD5B320AF686C80F2777D94FA2A" "3428A47AE7340054D2DEC1C42569A5EEE01759846FD10AF9D2A" "D2AE9F6FADFF825D184EAF7E8AB9D7C7C64AE07CD5A95F2B24C" "C3857BB239F5C0824EA7CA0C84CCCD9601580EA7A4C89370086" "17468B9122B466624D51AF29AE1B66D14C332F2535BD7C3603D" "E07A0B25C6A260E9E70EBD2DA622ACBCA660D425DE2E44B7E62" "42A83077BD24025ABD5F0F2F21743F80D9A6F1552C3957B2200" "88D861F3E25823548BDCB448D19B3CFA14FC8F11CEAC5BB2623" "64F100655D5099D564041F113503AEC817BB03CCB9A6E021967" "06FBB836C28421AFE0AB276772150FD0677ACE7655EA6214F61" "D2A6")); test_hash (&nettle_shake256, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("74B8E6A2245E18432DB073B046FA0D6F63C85A05B9FB3B3098C" "8F2AAAD938CEC8A8232AC2CC4CD7EA85A29BBB4A2D03311CFA7" "F1ED8107DA574E659358408C60B1CDAE6A4BA6F3091574DFF99" "8C97CA31E410B4132013AFAE543076BACA1989E7B5DA17E654E" "664C856A00D7DE43EB3A2C5B8E347EA3B18A94D534C0448671F" "E2C360034550F145F911ACB7C245A99FE37CA167EB8AE0FF5E9" "D0B65F255D24DE4239BA87C2E8B757192020B3A28D53861D29C" "845D4E4A21604ED2D5DC8E4C107CD47501847B50CE2452A3168" "5012C5949E0CB630088178AAA5C9B0EAA6394E00096CDAFDC78" "1833F37C64EE2955DB09F1C3B3767A0F0928863567513D5B02A" "3D24E66A79EA590D5DBEF5E8B5D9953ED9F72610C0D4F5EAD67" "B3421E90710138E09BB15959DFE9AE408AFA9ACFFCA19DD083B" "DF508D8FBA9F75A18F6229A9850DE36653A0A39987781EAE3F7" "40E2CE387C004D47811E3F8B5F8DA9ECAFE90C5AF4ACE449FF7" "AF57B271B0C3059AE42180A1746EB3AABA944DBA5BF3946907A" "18B1D94DF4819872A24DEEDDA3AF7A3787AB6B3D5F128D0C3CC" "AB6AD0C34371BB76DAA321E36F6FF935FD58B590858F894B54B" "F9997DF8B73939919AF342D6593F31F76C3251AB3812E27F00F" "3AAE0C0535A8CBF9C6A9D20E26E619D6899ECA8A46526D7205A" "3F2F3971C60E432CE438F40C2CBEF0F2AD7253B18AD53C3BD8F" "108B")); test_hash (&nettle_shake256, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("10B27D45E1E91C3568B990F306D4D0338380C4A24C543DB7905" "AD8C20B9C469A79E50F7FE705C03D2D1CFF9E2C35FCE1E6E203" "5D3F464B6D2861EED223C32E960BB223F21193CD4734F36422C" "1DE6F0F81791D6A5E9DB7BA8C2CA1F2B7FEF2F94C5392869591" "3471B5E1B02B75FB9B0DA1FEB46520F3E8558E03427BF371180" "EBACC91F3989F849B4EAB233C529006EE02050D85B548344C09" "CC7A6C6C40FCE5C55348E1BEB801482BA70D6CC5A24B3B0C9A3" "258B0934C3A41FBF07EF50460E2BDA507711954C83FFB91CF2B" "2827D5FCC6DAE70DF5882689C573F159A9B45694458D0FB8A50" "00B109BEA868160FCA781F50DB7B5EE56AE55BAE1FBEABDC155" "EC46C0EB16314851FE0446AC2BF171D99FBCFBE2ADFBAE4A638" "7B42FE41C5EE8E2AD1819D7F80BB1B4EC2DAFCD1D06C2C9750A" "600EE6627F62089B2EE59EA461E0DCF47188D1A8DC80B029447" "9C7EB03953C425D6EB3CAC6FFC34E484A35127B605CABFA5971" "2141C4FA0840FB520A1D0A8DB4B298D24DE2A7246F28E036B51" "1DB91794E35B75DAEBCB3B8833794B764F936200E7784348AE5" "0B95363C027F3AF85762F3B8E6F31B7C2D8BD18814A723C0DE5" "17F7B3937AF574A3FB5F52DE8A10A2055E8EB4281D383797DF4" "B8D5DD5266C5D438A10DE4BAD00E4C0B252110CF368707AA2FE" "785F518CC2F3DA5221634B52118348F231AAE0712DE096D70A4" "3929")); test_hash (&nettle_shake256, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("69304677315720D586605521E24D32745DFAB082D2BC23A3165" "C419831C19468A088D972AC672D7BAAB907005A0AE3910D4F06" "F0BC5ADF6AAF9E1D8CD7CB85DD166D0FB9703CDC7D45DAFAC48" "05612137D4720FB3FCE90D69864403E6C456FBD87677312ED7C" "AD9A28F7A98753265294F4820FA50868CFEA157EBA50DC5763E" "223238FB2032DBC6DC00C3710B6976F16034A9D851CD1BADDEC" "6071CADF10C8F9FA123FC0EB81ECAF4C16B8D52A6C1FFE330D1" "14D71CEADE28BB0422855AA1E7E838A93523315BD0F8384361A" "58529A2264D66D65806659C49B7F80D95474A7965A0733D3DA4" "FE317C5AE6180746BD8DC70589F97B15E0FEF29D34D6BE4416A" "CB3F9EBA2F3E34F8E636A6B111DFD4ACEB2C9DE051B942EF021" "C78E0671F771058C4B59D34991DD2EFC6943C6E0156CC0E3FEA" "D10968F77BF4DA82B9FD3AB73B43E2890BC8AEB02D7178FAEB2" "FE1A0A194B1581F6322D817AFF2DE7DAA96F4A725EBBD8C9FC9" "C815D0A8E9FAC425F278F121084AD98AF9BB119235FFFDF1751" "AB6A805FA80F43A5682C2FD5BF9241FCA866DE6B5EFD36E6923" "13F51FA8DD64B52DC2FC33C56687417C942680676143A459068" "401690DF9213E18604058E74011B111F1410531FBED32567AF7" "A0319B5A4A717F580D16D9E9341E78F717E27258A84A2CDBBB9" "CA118FD0F81568639F40176A1754C743B4B5E377DBB0175D160" "B414")); test_hash (&nettle_shake256, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("B32E9585694532B1018B05B9DFDB23B8924025786F5733769B4" "913B73B0FC35513D4C0FA1A1A5019DB5FC807ABADCD4589B4C5" "658A854FC919105A5F08799F7CBA3B8DFE72DE84027B341CB19" "46D6A4A907D6FFBC15B6A00805ABE25047476B99D53A6AABE9C" "758B3BF4476DFEFEF2E366617A1407853B0D0278DF42FB7003B" "B1610DA2AD52422A0ECCC74818EBB4DF264D0ADB9623B9EE0C5" "371E9F0E73D7FD31A2B41F9DA8C9955310166FCAE6BE9AA75D3" "F7C532F1502BEACFCD81A034B5D4A87647A5B9E2C49B7BF055A" "0F4BC3F555FEF5147BB7B9BD75772878FDDCFFD58FF2B09A61D" "6067C0F3498EFBB5FCB736813F798E213102E47A3DD61A6BF99" "DB2834DB63BEFDA6E290EA953A8B96FA37650DF510082294891" "C86892215850A34AF1EE0659694431DA636C9BDC854AB98FC79" "6C28BD6272C9C5DF1D199CE9F55BB575786EBCD6851DAC97924" "AAFB102491BF4B80351AFD26EF027C745F98607C19ACF96B66E" "CFACD4C512BCC9A8E609DE5FFCDE0DF0E77760D8D44F1230133" "6247F53CBED8894831765D12221C902127B65DD549E6C32124E" "0CA555586FCA8043097B9AE3D9BCF899FA06EE5D0A17EC0A2E6" "57E37CF5D4A55CF4C99E9F10691602412D27F9B8DB5C4C2644F" "C822E11833B32168AC89F2D591748D12B527FD5EAB2291F2015" "79A48AA9C370979DC2265B873AD65266E98FF668579B0F4274C" "73F9")); test_hash (&nettle_shake256, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("E6BBDDC5B154ABAB888F4E00C2BFC18A200DB6DED8EBAD70ECE" "03D10D123C52D4B5124CDFDE2D5A803B8BE98C646E29F64F2BD" "D55492531B2741C6040FC51F7DF18106D9AAE62F1930BAB26FD" "5167D516C4E4AFD3035D6AFDDD06DAA59B56BE3F188CBC11529" "909F6CA0618C321349B1B918C1CEE491C8D7996F10B02E0A085" "CE790648C586710D4916A528398FAC1E1FA71971EC85B203B83" "721AA006D7026C2647CEC53296E80EE3FBB6B880BD296D6B9DF" "FDF40C5537551EB0DDE86E85A72FD280888C08D67A9839EA618" "49B47FB010540BAA15530495CC8BF941F82B4B3114F6AE055C8" "52B0978ECAA67108AECEB12E78C339071CA058FA4A534558899" "D71ED36C2164DE0C92612F07CF465F92C0A1987F7462AD303DE" "358DC9C9929AC205F366FE564C0B32B1E4D65EF4E0B45B2AAEA" "6A93C5626ED40C597B54A2074F255FC6C33F7DE535B5041F320" "85274EBDE9D7ACE9B458E7E7CC47193428A8873560C561230B0" "3A72D993100B73FDC24231A39C227B05630B328645349E0025E" "F02002C34E6A7EF07AC5F7E299CFE0ECCCF01E1DFBDAC9BBC95" "B09B2EA505D8E74C85B9BC8E939363F3F062260711C44C132E1" "F3663123EC0B0A253DE7DB1DC2A08481571F64BAC3FCD9EAC73" "7BDB42AA4D392DDF9547126191DDCB2F88A5705BEC9BE7C8D88" "E9521EF7BF9753155F6F3A75ACD4C9C913785CBFF81761DA8DD" "73B8")); test_hash (&nettle_shake256, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("F40B4A6A7D88482C5BA65D17038D68184E1AAD676D340300301" "7A4348A7E3ABFE89804EF65D96EA5A467CAA938702071918452" "8944AAD358960B66A0E78F2E4C19F244C82CB0D10BD1DF49CFB" "89C24FBCE8AF1DC6B13DC61F40116ED3D1B51B80ACF08A7A9BA" "DC6318DA75EB4CABBF4798923D639C2C3C24778660089384DE3" "3F0EE7F957C78D4BF8D74EE1E3EA5E330C350584C319298166C" "DAFFE0C7ACE6A50D1551B30FA386A0ED5C20DA31DC35FE2DDB7" "FF030AEF1C0F2ECB0C1915554722DDD5A38DF758E321048FC46" "43FDFAF54AE558F9B40EB38DBE516256E8D97701022B68E1F09" "83A14D7DBEFB59DAC5073062DE8698BEB9C94DAE0A49FD51A66" "1FA6AA84FE1088EB4E0F964953625A898B03993ECB248EFD5E6" "6380667C2ED185FC568AE58E15B5A57ABFD84966094EE5C8528" "4F3248C92E1300DB80CD6AE08662412D01503D598A1FCDB0EF8" "CA773EADACE543B867BADE24EFB25518E59E27FC921D8DB6D3A" "C286BD1ABA53D48983DF63D493F95B88610CBCF6DE2130AD63F" "B9860A839C3F98F5532B90225D1ADAD79B478F5C9D836435A9C" "9C0EBE229FA494B5F4253DA92C7382AB388C4F052911E9FF28C" "C43415C8A82065433D8CDAB9152CC13191F1729EA95693B4BBE" "BC3B03F298EF6B3739A0F34A545198FF5D2B4292AA8D6A04271" "463DF95145C99EC769167761690C97361984A665B0D5C2169AD" "DED2")); test_hash (&nettle_shake256, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("92951EAA72195331ACDD63572FE112E0DF4B43CA1B67BA5C918" "4DA5667A8439E3AFD8784461010EB80178B07F278C0BD52582C" "EF5B4D869D77E764342651ACE52F1F5DBB5316A36CBE2D6FA45" "5403A8FF0480A5DF002396B8E444B9005A9A97D301529F5FAEF" "77C0FC04C3B01C7C4907F197927904BC56DA2F850A0767E91C5" "B77D8A41CAFCBDD5CC768E220E844786093CE425BCB3BF6CF3F" "E9CCCBF6A5CB84D46AED8BEB079AC0F12F68836A71D8C9D738F" "9BE5A8311299EEC2AE86AB774D0D8345C6FA7A341223A43DBB8" "5AD5274806B23A3BBE312723BED548F4C64353EE2875A44A8A3" "7153DAFBE98E96EFAA402E7A68BCA09EDA8A744C3BB8FCDAEDD" "7EC54CA4066B69B4828AFE6285B6909BC2AE96CD62F3A523898" "7279F206C2593FD2BF4D5A643484A5155FFF290253650387C7B" "DC0B3FD749EB1A84F7A11790AFCDD3FC72FAE3BBB1C55596584" "B7246E77D0712562AEAFF1C5316A698DB9AA3524DC4AF4AA461" "9C5F9CBBE41AA1FF2A0BAD12F17ECF7C90E6FBC20EBF374D633" "5EF245BF449E3EE5870651587727D35BBED64885A8D375E43CC" "350E398C3D5DE83CE92354C08E16A6AC69AF10EFAEC2F0268CB" "7F998CEB45DB988B193C8D35E89A387DE6C212A2D2D5A9FFEC3" "D4DFF92D66992563C85E4E707730BDB669783357E5ED038ACEA" "7D8214313FC027733D51B2D21F47666DAB6C6F3E50A335E83C7" "2ABD")); test_hash (&nettle_shake256, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("9107BC54F9AE29BD282C37CF4BE15D2EDC4B5A20FCD8C131620" "CEE6C9326AF25896BD25550CC3B46C19BB58D825A7156A4AAC0" "AE72E38601AA6AAEDC4DDC578D145AE8A0AF4E630914B49FCD3" "9C41924A19ED6E52EC150D1BDFBFE2717B9B46D6BE9BD637876" "1F167C1133EE31981F9B681D674E267B3A01B0F455F9A0C86B7" "E6BB3EDEDC2DD86C8EF6F6BF736BA9CFC4A20E602779F0CC626" "E0F3513807C8BC71546DD1E0E5210A6ABDBDB284F90EAEBFAE9" "70CEE9EB8C58A5F0F197FEB3292AA8EE814DF5D86D6B1F43AD7" "87E82AB6D1C01CF44F3B32522609CC51967FA9D2417A8B91461" "B41A5390BDAEE3763E152A2DB2E8B7842A73F1E05A05F7A7D19" "FC88F576B049F87E85835EA4DBED141AC1321B47AEDBFD285B6" "488B7613206E483559A8B0725D3091A04F10736EA1920FE2346" "58AEC2A5FD0F85F50BED9EEA3E5513EE3B45F0CAEE09A1CA3DD" "8E96EBB408EC6A31F07ACEC024097C20038A6DB8B5A10396C6F" "3532D8B356BD664A9C3C153D2248F9D8587D21AD3ADB20D06C0" "20F5AEA40E96C776202A17740F59BAC12195B49E19ABB87F693" "BA0B1B414C4C83DD7474FB212F0F8015D0019D33250BB890079" "278E027F0191B1A92FC40004050C4E88D1CD3469B656A2F6D1A" "B9E49118B18701FA85A5B1497F1FD0D3C999567F99D05CD8F20" "DBC05333F547598615FEE2452861AF0CDE27ACC4D763074DE84" "0004")); test_hash (&nettle_shake256, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("02D21B8FEE4BB59B4D39D88DF91B675762640994D3A300BD725" "9A3E97DED831112D27339FC4F59C7F17DABEED310EE901D829A" "2193421C4D828DF1248A68F6AB928EE87AFD727DDC2766DE071" "103B144040F9EF22592599A0FA6CEDC2FCD9A774BEF862D2D51" "C8E2538D1DECE789A6756A1F9034C0949C3FF13190A141F3DD4" "F015A89DE643D65E5EC4AB25300739892A81911E3C48D8A5823" "9203C7E828E8867230E46BB8BEFD018E9ACE92061E2BAA09B0F" "B8C0CFA7FD5024CC65826AA96BDDA6E21ECB7D0D77FE651CC25" "EC260C1C41F4D0DFA82963A2EEEF0AC0C6123D9726A02396A06" "12E8BA6CD4988C132E7CAB1B5097174B6BCA798C7B04E5F7175" "A3A5BFAA9D23DFCF5E531557BE9BA6F4B5D806287BCDF1CB503" "4FF94F709544E81D856CD8A1380774C5361710460D52CDFEAE9" "AF4AF3E9DAF7E6B679A6B881A378A1254DE7105396DB2449737" "3430C36D24BD49425E7613FAF651747217EFC4E24A761CB4694" "A2AB3E0B43A8A4CDA5EBC9D7299B27EB600122C7EF54703E48F" "51DB2A5A8F3EB59A2C174DF966AD728DF0BC2E94418775E0186" "D3A527F86547980C8998B32F0365D9E430D33A92CF081A15258" "92FCCF3D8FB4DB1E0A728A856F2E2CC8EC4A08FEFF53DB85C66" "20CC8B57106097A96B668F97C3BDE8CFDC9600419B46EA24839" "D27A574BF63147A97B2B48CEE1C6FDA32F3B945E36FC03EAB48" "5B4B")); test_hash (&nettle_shake256, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("76919B60D28A57717EC190FC9990E32020E6436828D90D8A2F4" "A7AD21F18A4F5F1CA753ADCB0AA010D40334D1E58B8BD165B01" "51E631925055F4800DC01D466D11E88AE945545365B7F6072B3" "6E11CB6F15DA6BA3B53E12473BEED09C5AA275CAD795E03838A" "EBF74A6B1A3371344C1E3104CDE3C768026963DE2ACC8935F51" "62D1D09C966B5FE2943CC723E8007559C0537126400F1A4C3D9" "004DF88126A23F9051630DE9FCAC524BF4A109CCCF5CD7F7972" "B64FCB5A8E5A78A85EE82FE553AB90754CD12EC77E2E3CC09AA" "1F172963DA44D29FC7F95F0C7C1207BDC858FE8B9785EAB55B6" "EE33612863FCFD1668A2FB13715F7910968708F22A9A88D97F8" "4EF4212551D8FCB05992670AAFC9EF5CC34F0843246241C9EE0" "11470131E0E6B56C9EF6A0E38423943BA502EC9D08C39F70797" "BD85F6D9207684022CADC282EED833B43CE450445075013F1B3" "270492AA6E412CCE8E9D9534C0A380B45CAD9328610EF3FACEA" "7FF5199F1E4D0342163B16961B0F98E46E8615AE2CD74D92E2D" "F30A3DF00BBBA2AE43A67F51EC52CDB37E00D979ACE6AF3AFA3" "4A58B8CFC07DDC3C98FBE4A5E18539D03ACFA18152F4CD32CBD" "84AC30A99C325EBD57EF2870F36C711900CC23539BE7C19DC94" "F75457BDFF28B9B5DF876B5576CC37FB30B291DBF44904B36C3" "D96747DCD92A1550CF9323F358D15471FDFD35C2F4C4B104CC9" "1FBA")); test_hash (&nettle_shake256, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("72A343DF2C1854005653E1EC9C8F9492AF9EF7FACF46DF729AD" "910FA3A8B830971D22D5E017ECD515C0E972197C87968FD05D5" "9C570634A3864DFEA159229746A967A2847F0F4E3C48DBDB21E" "BFA400E18BF289A2B146758EAEE64AA200287F7F55E57817ECE" "0470C35531D35BE824AD7E825E7A1FCA07CE5325DE6E27D6C6B" "F1602EC1069117E230ED9A0873D6538881992FDBCE93A4E1201" "3A56F4D22F5846B4E04BD15E9AE9590C703EE7AE346B860D1B4" "B181A963C1DCD36AD485AA484CE534138789C2874AB5888B70E" "278E30534ACDF0D9798A44E1701D9447B5D6FD212344603A269" "A9D2E0437304F5153FBEB7BB5A1E437B63014ED6F01D4F6135E" "F189EE290E30C25DC2F63B7D8CF19E9D7959EB2F61703842E0C" "89EA487441B9C17FA6800A63C411F1D3FF4C35F1E89BB820D60" "B25CB1AD71E6583390E753934759A5467680405B1C9B6E391D6" "DDC4510FF24496559FE2604C038A5DF6638FD7F7880E0847B88" "0C1628F47BEF49689D0C31C4867BAF6FCA08FEA898056DCB171" "6C95341ACA367BCD9BB372A93D2FCE947B5CAB707E744F15FBB" "85230FE7F86A9EF7C36069CA79D781D1CC76193D423229E51CE" "0612A2D61680D35CFD5AA482739442F94D205D72080BEC7A259" "B23B8D9B4F76F2A75235CC3BBD6738FD870905FA21BFE1315B0" "C678D7DB5F4DF36F5D43D04C11F3BCE3FB71B3B7AE410AD51CD" "E033")); test_hash (&nettle_shake256, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("AD4DD99AA71DBDEABF22FC7C82BB839F910A22E4CEBF8317899" "D0AF87279EBB321C442DFB9083C4676C16506C4006F18E8BF84" "EA9024B1DEEE4ABE6F90DBE0EFFCEBF4CB7B94D8A8B107C5BC3" "198277BEF87C9760AE2BEA86AC50C39A666AB09F276F2FA4C1E" "B5B8C37ADC3B4C9DE4BDC28074FF4B997518B44FE49B0D4E4F8" "3CFE9E12EF7389625766A54BEA82DB3FB57276F47C418BDD5F2" "0C8146C792DCB8E42C7ABF09331F599318265776CBB19C65BAC" "6DC4A683956C052AE5CEA02F1E4EA690F9E5D3BF3A06A726F0E" "FB6DAB5350753FFA7ADC477E9AE454C5E18F9D64EDEF0157D1F" "01FA78BF281468F14D79C39405D2B5B604C0EE116731C52C243" "2488C45A3E56D3F999855631381B5EF3C99A0352C16B92812A4" "889C1B8A72C84273A90ABF29C7EAD82F2E7C6DE67E7369DC02F" "B0F1D62BB8D245030A6D26E930476171547F33B9C9DBCD542F0" "4C97B0A278D24E2BFEEA0209FA83D634AFE65EC9E7A5550774E" "DEDFFA36250DC5A400AE5FD6696F20E5FC6AFB15F54C7240A24" "CF11BF16730B8E676F948304D3EABF315E95B723FFBDE6D931E" "CF3BE6C69D8CC82F31D1F499BBAD8ADA9654630E7185BF6C1D8" "82DD700F7F1B1ABBF384F58994D55C9E831ACA847B8F654B070" "F424267685103BB339A4CD43DF94894E912B64ACB15AAC65FD4" "96424FDF02BE7A96E161CB6A0034997DDC918F6FB604D6DD55B" "4D92")); test_hash (&nettle_shake256, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("7623AEA16ED0AC8AF23A7911BE015D44F93F3329AD1C0023BB9" "A6E486477D9CF5307B358527BF479FDAA473FE60CDCE59C33C4" "D1DB930057438CACB4006D2E6C327B3FB033BE384FF07EB40A4" "4AE4D39EA9794C29C9F3A91F679EF4690C41422B193929654D0" "0D44D06FCE9B35E5FEEA5C20CC02FD104A74764F3BBFF273086" "023AF4AFB3A29F9F9836C17C5A883BFA0FC4D8FCC9808FEBD82" "DF88F7DFC3F715C8B07DB1F2B61403CB6F4F7B18F898FEF9741" "E016CA0CB3A4B8F54F57DB2F2BB63289AA38A7A9FEBDE32089E" "4B479D9CF184F7D1C418B648CFE7E6079F7DC1CC35F22E31E62" "0704736B44FE1E3A677CAFF61FD956883E6F6CB278284A05BF2" "B4CD9B832DE2058FAB356052C55B03D245BAAD53B8641444101" "0767ABEA201E26F270649EA35B0479A66ADB9439C57A77E84B7" "54A7E328E4AED0618742CD49AEF0AF116462F3A5B24343E141F" "C51F6B9FF376A30989B17BF4CA9DC2ACEBD4F22D8EAB082E62F" "FF99CFC55CA5E7C4B86613356F1CF05A9A3E8FD79123FB19627" "A75810D3AF44213DFDA590245FB22B48E8EC5F58EE1D51BEEE4" "D6BE0BDF7E8D18AEB37995D602E1EA1FC25D0D47D64D8A88B27" "3FA8CC649C017A63F34C140A1D801F2558C8639FBEAACD1D961" "893E111450B85ECA907CB3B66027587FE9B39D635D01C4C3695" "89B9D8907D54A9B73FDE7FFCED9FD443B18892F29FDEFD7B3E7" "17B5")); test_hash (&nettle_shake256, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("A2CD7AE2955E2C2CFDCC374AD99E46F29FCE072E2C085E0F022" "81A4A85A822A2424546410466299CCA501BA5A86C12085320D2" "D0116196CD31E67E175BFAB909E279846C8FA2CDA475B0C9D60" "4942D6332F3ED46E81D3DCA880527DEBABE55BCAE22C98EC428" "22BD1874561E7F8E8CC8092DC461577F2AE548580FAAB59AFDF" "EBF359847DEE5271C2E972C12D13424A50A9B3DC3DE5FA6F5B1" "90F3DC060481118A595A8859ECDAC8C57FB16FD4DB9802C7BF3" "44A68A0A91CA8629DD0A8FBB26FBA0E21C4D953626F66C0B33D" "30C2569D73BBEF7ED708212B2F66DDB9AEAC459A11C9862CB56" "74885619D240BABE380BBF23564F6D946D03AA544E348943A48" "8C0FD223B36DB5B0EFBBE5C4E1253C3FF6C058AA95A80925523" "749BD228D89BF99F5CC681237FDCC8C872F652DAE6306A20D94" "22818A8DE2FA68C5A334EFE828A20A48CBC49EB6D7ED779B00D" "F50751446D0C850FF1F096FC50A03A8C407B8362CE03690D2D5" "699C70313B4F2D39E18ABE998EE73DE38308DCBACA27B8F6CBB" "3305B35C98B620A811C94AAE44B5DFA2F8664FB678FB1D73DDD" "F9FC27CF693DB9D5CF3B46C185B72C33E3BD0F6FFC01108C8A6" "5772ACFC13DEFAF21596F2C9B9512F369588F6F8767FF61436A" "C67ECA3DE25D6C5A9746AFB3B3464A49F3A583740C432ED806B" "FD16EAB27D59A12975D7D09F7ECCD67C2527333FA95509F7209" "DFCC")); test_hash (&nettle_shake256, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("A74B8704CCA1F4234742A5C8AD6B138E58D56281C98D95F76BF" "C0A0AE309D3DC227543F9AEE711C85021B89F259D002188F4E7" "53DDDC4340DCA27B84445AFA007A1E502A1903A857583796BB1" "24DDFD64B5C91B69CD9B230F27DFA5D22A09B07FCA1D860DCF3" "16C22E57DA3589FB0F07ECF671DCB150913CE8606DA9CE39A58" "57B8382853056A5930F25E3647015B77B2DF4954314F1F8B1C7" "74DE0BCD1842CAD3BFCAF5DAE8AB9D77290DDD2112AB060F5B0" "17630C318A1A3DF5C15E6F8AA348EE3F3C171C4E8B98CB4A295" "6FA240EB289561E7CA30EEAA9CF79683DB7A2B0F28B3B1BF30B" "D5A62C96ECC8BD74D1F2D131295597C668838A8D3B20CE1A4EE" "4D1103DE547AC21F6442DF2CA10181319C76AE5827FD60EABA7" "C788CB369591E429B5DBBCD95049BFEE2A5829FFA0417772DB1" "BBFAC2EAF112B9712A02C1ECE830E17B22696AA6688E08BC705" "EA7F7010684D7006BC0A017BBAAB1D6119B1B589B326F1936C8" "2C470245298F2167D884398ED408814323D369BD1126031DFEB" "56A160F90359054400DB3B3D267D42FFDA5BB710643721871DD" "4DE52446004AF00BA55706C93BEAF01F8D77664AF27AAD65C6D" "61FAE24E65FEB4310AFE6CA5322EE4DD2A55CA5FD7E651AC8D3" "118C0FDDAE4B2E42862AACCD8CD2134340DDD760BC7918A461B" "16ECABB601861B58EDEE6E78AC3FF75055997ABA8C0C57878AB" "A5A7")); test_hash (&nettle_shake256, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("4E12A03995768C80408869A5C45B174783EA2FB5E4C153A2C01" "4A3FB8AB968D74C9B835D9C4C5FC304B5E68CF9AA72C2ADFC2D" "E961CC9A90E1D515A3234BB79DA1D5FA330C03DEFF46D304F0F" "0378324BE4FEC285758B2DE3788E71EDCD05754366C71B783A2" "6D105A48BBF51C4F4E769BDD19CA477D80FA55695A04B06A097" "0B98BE48EF1E861F17B9540E63F54B6156FC2996B2D2CA69326" "E0CB7A4A5761B39FE089017322BF23B7B5DDBA1490541843BF7" "03508F5512117370253248F23F30DCCF27061B8F81C1090CC8E" "D866263FB50AD6F3A027EFBDAAD7760EAFCEC0928BA40173A50" "C61596B75AA4D72986A8BACBA61DADDA139374D17843735136C" "8DC0E14C2EBCBC9EB110A682CB77A72E790C68E11848431441F" "F70CBBC513A9D389D349A63AAD6A948A42DD798F1A576DF57ED" "0613FFF5F569CE5D24061A386B2A5B4B1FDE6E3359CE4125241" "628B9A882CCFD34F266BD8B7806392D52DC8CCED80C52ECB632" "1CF3B3C911D206809FAF8FDA3F918F93FF507089CA4BD647AD4" "B5498F0FFCC7563FE5DB7BCD613B84EDF4A95A4F8D29E3ABE0C" "39C8A76B6FB5DB51DB09A21A48D3E2C0786B6A13351715F8DCA" "25EF288C46631B25D55A7473E5059D6A16661F948D8A7C1B4D7" "A21B531F915FC5A18305B6FDAADBC1F201C9A09DE221ADA6DE8" "BAEDFA4614E578156137FBF43896CB61CE38EF386FB68D55311" "C63C")); test_hash (&nettle_shake256, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("8BB1E121FC89EA0F3D79EA823D876EAA74B6CCFAB369E7E4783" "CBCD3701875F1BE59B0F8B48C2587E7001B6E7ED1821E264906" "9E84201583B2562E5945AF5CF734E2F0C6090DC8281969CC95C" "861ECAEECB1CDA78E8FE119B60B05C54484BAC951B7784ED025" "FB878E29215916C5886B85B24BB2521FEEBEC3B8766BA14FE47" "EE0E81DAD68B238905377AFDBD55E41364A12181D46D2E272BB" "F1FBF41A83C29ED88361435396614A23730D84684D3F5A622A2" "33FF1AD5583FA707DB008E3EED5A9716219EBF3571FB1CE9842" "D4A37B519767B7392F008193DE676F0CD192CD6D0CF651EE5F8" "331B0982F150A7DCC264C1465177AB98CC590BCA81E981AD2E9" "8E47D2D855C0A74895970A96994700A5D55CBBAEA2472C4160D" "A0EF3AEDE987A99065948ADC558E7CB9A952495F70CEDE70CE0" "E3DECCB798EB58941F38C4B13C28B2E5CA4FE3A7CF3C973EB33" "91B705B9E9E7689E264F878396F438C393EB49E70D6A2BB0A6A" "92F80FDC2C2F70AFBB2A1DF1EC4634BC0CFDC9D1239182DFCFF" "D30096E11FC4A32BB44CF510A44D35EC3CBFC354E088E0B5393" "2D0DE4DF83A963D902971392B74D95C475D26184559F6F9F5F9" "1502A07011B9070F8E9BE5F5D1E599634E3BCED756A49AC7CB2" "73396F7ACDFFB3BE1E441E8D8ED0588D0931353736DC1D9E889" "650B503A4FDBF5DF7B5708D4218404306B0E11AA08067B7DBE6" "3E8C")); test_hash (&nettle_shake256, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("1887576149594F7FCD27145B5F535219BBC4313E62E7ABB6393" "D6015E8E45B48A211300F8303FB9BF370FE0A117D268624BB74" "1E0BC343487015872E14F84B1EC1E2FAEB828F521ECE9E7E5EF" "B281DFEF05D86BD8EB0B51CF4C46D94EE0AFC72DA29C3D77EAE" "E07E24035A68792E8EAB1E0B96282E1D95B1B9D36B09D6A2E0E" "DD37227B0D29F9E490F1D6156DFCE1554E69A49B7660D288CCB" "6FAEF9A40F656A90A825A07C5EE0730926CEE14FF2694A3BD10" "5D889C88A8CA1D271727DD0FCC0DDD1CA2EE955D02CF8CDA7F9" "E3A00B4362C69AC631523345DABD396354AD862458736D1BEFC" "4BC35EF4775F02F017BA2EB9FFF9229292432AB5603BA20342E" "627D380824050FF61C23B5E789DF2E835FD56C65FEBD001EE69" "60C782B627F90A7087EE24D32A85D0D780A8911945F3719C5CE" "EB9C7024DCB112C0FCDD72237040C5E964CA57EE504849E3015" "C200C44CA3A0EEC097BF718F6959C4D3E39455976F98DB5FD84" "F01EACBC1B2B57B6483C9E3D58EF76E18F8FBFA341E6399A3D9" "86834E315A2762D239DBB6D1EFBD60BA4EE974523D2EC7A9F0A" "171484D3F09D59019FCBB6A480ABEBFC06A21DC5AF8FBF1B538" "8278CF84311E56329A6FC3A9426517C3CC581C8C8EADA1C656E" "568BF108F66287FB66A405EB307EDA530C18DB2CDEE78D8DE9D" "CB8E93F195F54086F875935F7736C7C85EAAC106F00D28D6753" "843C")); test_hash (&nettle_shake256, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("EA520B7CEA0750C8F1AE4D7E5C80E95140D5A980D68F48807E0" "408A0D17DD084575191EC17A8D5B3D7A458774C453124509AEE" "866183DFCA7636D743B6B5798C4D62951D7DB5640D1F4467D87" "03E08411270F3493241AEF38FB757F00F0EE6A66C732F138294" "076DE25F0811E8E1BAF602E9F38CF92E96ACF630EBECCD62C28" "37DC0F361C014698B3CCF586D372BB0591AAFE68D138E1FBF05" "D205A6124B0AE5F483BBB429EB1BD517C799FBD2B9A154FDB7F" "687DD320106793D95D2ACECFCB4811C627B3287490116C5F5A3" "082B0C2BB3B703FB2BD92B65E1CC07C61E1AD67C0F5B45C33C9" "81E56CEBD6C12D00D9D33C5DAC18A41C1025AD24798DE28518E" "5FAA6CECA295CD13254367F04CAC72FE0A0FE87214103FBDCD9" "AF3FDE362D6B7C0997B86CDDAB824210D1896DEB7C75A3EB92B" "E415F450CD62CAA1FE4D7A9DA2E8B57F2C31999F81CA8A22936" "684133DDDE9FBEC522C92B928191220E75F8FD20C29A1DA6624" "55FE7B94A2292006052B354DB4F03375ACB65044C2FDAEB977C" "A8E81318D2EA95C3981CE76DD9292678BC5F05351D2B4A4A410" "DEC6790DCFA90AB7D9F8D7FE71B1A1E22BFC3EF06F21C7C99F0" "1E11060ABD9122DD3FFA6F0C2B402D15C6D4E8F8524A5AE6F12" "48B6878170F8B4A7D95C85B04587066E340156D80B20E708F54" "70801F4A5F46A74DEE3332FB0ADF0472CCD592B2462EAE969AC" "5140")); test_hash (&nettle_shake256, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("AA38A2AA24D83C0055C05A4D8E5FD6E538DDECDDBC6876D8169" "00F4329A5E6D00A25B14CA626F3C9185590A151E438CEC7164B" "D7135BF60AFB78AA0C4148FEBB606C50A0449360952C1BD6C46" "54804102521315E457AFDFA185565D96B6B230A4B36E0DBF215" "B19FB9B0BB3CFD6A8CC2E4ABD6A1A50D978EBB5D351F7A65D39" "855E9AE57D7343E8FF7EB6FE7974791EDF14861F30A428CFA9F" "A08E3EC4C4F1C6C5CF29A06D777459AECC379BF17E89A54B753" "FCBF3846835CEE9FA834CB294AE3699893ADC7DE63D96F1F7CB" "60739E7D672A9D70078F9903F6617EAD83EC5847424EBDB89B9" "A07762887F3A4CE8B7A839F0FFDEE21822DDF92A73E85F112D2" "A6E023C620056E97E3435CCC172E768A195BA50F0238AD3A474" "FDDAD6ECD5B90262170DD026826F69CC2ACE1D7D9AABA9F14C7" "3C6F114ED5E5F75679679B7A2ECC81432BCBA993C4E1CAAD6DB" "7D9908B56E1404EE5080641A4D261D488457A1DA7D5E1F09BFE" "9DB23E3CD4BE23B8FA84C93011958D57588A06D8DF433428AA1" "3CEFD6EC348A52E0076564F0DC849058A601137835F90478B41" "BD58D24ED9B5E4EE5940A0963BB4FD7A2F5817BE1903AB7D960" "F58EF88A310675AC0452AC6D1EE0CD65E2114865C4ADF78B983" "EB7E894F28A716ABBC766A1BAB1858641C8CBA3A18BA55584A1" "FDC2F80A61C36A9A56CD0289257CA0402ED99BC680AADCB2928" "7119")); test_hash (&nettle_shake256, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("42DB17A940111F1A93B0D583F6173991252286BC5098E136D27" "196697AE45B878767E17AA8E826DCDE186CD76F2024E6772A0D" "EC4C4A8DB71959D75CFEF0F20CBCCD85F15AB5960C0CCDA5F14" "BA0F02958752A0494D4B50E2CC67C554196BFC061F651440C68" "12CF5319639F93DF1FE51D1511DF6A3A6AA6538F46EA2D00A3A" "0F64B25CC9EE8AD05E321649987C36387E2D31DA77EDC1AFA96" "32D77EE2D4ED54992BD51490A34DD743DCEC567DE957D55505D" "1D8DD43BE3309F25AE61275203BD9743F3027B9F34B34DB7504" "C2D7FD1AA99B936E7284F9E252DF2E3359D868C0C83AB140E14" "C01B4B650D99AC6DC54AB35DD825116EA96C5FE88822B2D7182" "FBE9B3F3CFBEDEE129EF0814C171A207FC9793E1EB72EDCD605" "C3E3B1534106093AA550BC8CFF8DE3C5D7152F18C87E161DA0F" "C90594161F03B0FF9F9EDD41F360DB7347B067D8FE1E901D78A" "77F1EC44E33ED7AADD463C7D676E50B03A92B5417628CF986D5" "F93197333BFEB5D7B6A7C7863707B7EC032E3F5C62CA6A02938" "313140E62479842F4CF68A54A14AE0AB35538025920F3170391" "69636F35F02A8E05C344E15492EA02164C62392B0795D4889F7" "AB68AC969B3B096C21CFE179833BA5FB857751C4713FC928B46" "23DB593C9458AA36BA3B3693E07C3C5C84470F77E5CBDFD9770" "877A0999DCF8FF1AE27F51B65AAEF9754E8A71739AC00BE0F94" "58E0")); test_hash (&nettle_shake256, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("82F8C16B8487E008284598FED9C5670C86FE35C8DEA51AC59D3" "8722829C94094BB2766AA4CDA3139A15DD2AC0309253EC1A15B" "2969F84899637D3E2A5D55ED1E87561A546A2A7C190008BCF3B" "EC233EBD1DD55242D7FAC3A522C6016E62670F66EDB6290AFE8" "01630E2BCCABB450E4D44A9BD8F63D4B04E9F280A2A0972AB22" "9351906F5F32DE714867E8F04D276488F2AA5E62DB8B6342874" "04A73723ABB7E152107A6DA60F0C7EFAA953DB706398A09835E" "5EDD99393DB5A162FE3E564298395FCDAAE8FA7E7A9081B8E14" "FA0E99E433E0D44326DC2E9E33378EA719EF780D303589F0A63" "841B5D5D74EC6E2BB073B55287A6419BC6AF759D13F8C8875C3" "72C12D392D7F80608412EB9A92A786048BF9A6F03D11C48F48B" "96FBE8BBA329268242A5463C49B112AD71B8EC42A9A7F272F25" "819509E5C7A10D9C9F1A386E034BE2A89AE28917CF014156211" "C795D9D6EFB267D8F2BC48B5AA767CF8269A6E349701E77EF69" "F03FBB56C8E2A0C90905F1FDA649B75D716C67894E932C63B13" "911C80339A1DF4B7AE2035C7572BBB599E66E7CD9CF447F4F1F" "1DEB63F64508EBE19485DB3EB98607F3C87DEA60FAA331310FB" "4BA5730CE4024E07B4B134286472BC7B6C816C3F680618941F9" "6539B81DF82CD15EDD426206F363A9E487C9FADBBB9DB90DA8F" "2D73E940C515A7B4FFA07443D35CAA0C89EE9E511D66C2C8FE2" "F0FF")); test_hash (&nettle_shake256, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("706CA15167517D46C47844D044D0FC94CAC5D23B90BDB64CE0A" "2DF052AB37C967E57A476FA23C4D3C160C47371CBADC07A48D6" "A7C0E0B8CE8B337CAC62E74E10B68C6FBB109B03547CE998780" "B605429D6E3061334C702B218C1D6686E3E8C7FCC2C4DEC034B" "9FE68572B45E58DE9661216D6A232D13A0EDDDA45892A4ABAB6" "66CB528694DE50A50D1368BE99D257BC8C245429FE55000D3C9" "CC861FE9228E6EBFB7DDC53148B530E2FFE153B8F40007ED321" "B4464C0BD5DE00C9791073B199AD57F6C242F7CB772FF05A06D" "010D156AD35DD0ED74C9593855576B1C7A4360770AA88BBF56B" "65395B163471E4057D27B59B554EECCD9AB8F24F457E400150C" "5F83B55D703620D68ECD7A01A9B3FEC468B75C0F8BBBB083883" "18D50D38BECDCD30F8644A2EBD11FD8E1D103AF5F9B64D92BEC" "64FDDEFFC73D9932871CCD1DC62515F0EFA438393109C638F5C" "11405FD923D784B217F3417BEC855A7CA290253CDD902802EBF" "400015CC2AF646AEF63684ABB39BB98AA598AB767AC4DF96CDF" "631D0500BC61DC822F2C54D761F0C926E023310AC11F3748E8A" "75564FBDB7039CDD3A42B601339BE64BBDA4B3F70899700FBDA" "55D1337F5E33F5B00DF97E6CA218D212EB771ECFE27B265A8EE" "8AC9D9F34BAF279C49B318EBFBA497CE77233CAC4A9146EF5DF" "7B93672A553A3EC46DAFE8B7F93F233161FB91F5BCA89DB4D5F" "2C42")); test_hash (&nettle_shake256, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("A90A149C4B7BA649888F90721E9FF91CC3589E2094B07909959" "C9A15FF010C610824F7A49AD3CA2864089E93AD7075C1966033" "AB55E9263871DDD56943D568FE0867221034994B74A3F855544" "E77E313A29EFBA367F309243DB8A3027EB4DA5371439CF39C21" "EB57823E1E6C73C0707356B68828AAC6C8FD05F222F4C58B33C" "EA1AA6344DC33FA88D9A5BECC263B7CBF00045378910814C77C" "2224E56D913D2CBDC48EA6700DE0E0306B499A3888F53527406" "9E7ED493C12D46D23B7344CDC11B3433E39ED9CFAEA6787704F" "FD63BEE0072BA60F526FB52DADDB41EC7E8216AC2A79BBE27E3" "15A2E2824E1DD0BC2943F92393550AA6DC75F1C9755E5D8F811" "CEDBC2139805D5599C1E1F6D4F56AAD38E91FFB529A4820F260" "D752A93D7BE57BC2F75234FA615AC72AFEC7619E0F26071D8A3" "C90F1FB486497D5AF0EE45FD9D0B4AA0E07201B9E5F277E73D4" "8EDFBF75DF8C3F1A635A733591615C392CE37738851D2AE847C" "6EB9AB5D91DCDA7E953041CC6CF02F0E6604E8AE5756DE52864" "5FEAA0E8F1C5F6F0C53ABB72F84D0397A39A7FA3C7E8BC72B23" "7E0D8B81C91ED18E09273CA20B763D34B779BB79D95C3749AAA" "703DE53FD7FCFB361E2D3E13068FA076021C1373CE99DDA0DDF" "931D2BEDD095A3F95E41A0B09C56D01253F29558348D6F84190" "8984E3096A7A0DA6DE77A5DB124AA442EDC394126C2F67B1B4A" "0DEE")); test_hash (&nettle_shake256, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("FCD5FEF0DE750C6BE7615BCB850676E9E83299C522BDC14FBAC" "162F927B0AA4EA6DD76E43B1500C72BE0D569566B57054B9340" "216904D518ECDB25EF39A62891290A1034F262A5E2C0FB37333" "BBD24323730CFD40FC161EDC37EEB7C69769D3AB1F1454560CA" "78FB96CF133689EF8E75F57C2442E2CBAE4F5C648666BFC7FA5" "DA87E7C0DD4816292DFD56B2BCB383B3FF971185B724430F959" "6F3509C767E159873614B1D4EC45FA8586EC2321B791560785E" "5E3CE13AD5E8E1550A3290175ACF2D78CDD17C0EA205ED7C139" "6BF9DC0844168BA3A66B4CB01C22629C80577DE68D72EDB44B4" "19B13A2DB6D67877D9CC0A0201C14DAD69F25C88C3418AC45EA" "0D7ADA58A02BB7DD0C276DFAB29164E1844BAD901ACB6374AB7" "5E21BFE2F3591B2C8F111A4606C8C52D85B4C073FDBBF25FC81" "758214CA172FBFE1C6B14476532F35F981C312739CE435F7AD3" "D0785DCD648E2A5391B64525A8785F3E06446C6BC1E09BFA19C" "7CE52651BFE1A2E355CD7C1C9CED6540D33194A2212B2A8768E" "7347042B560F68B4E22E42ED8F51C38375F9FA45C133A90D4F6" "F17CD5BF19DC9E1035DF78F7E0077411BFD0FDA23E6759388AF" "C45485BF271C8FDB316A32B898C3D6DCC0738B3AA043ACD1848" "FB7C6FE86A844FC764953D392569520E78FA11BCD6B0AF3BE8E" "7BCB0006F56881889CDDE27870FE7C9E703F57B6CBE0D6372F2" "322B")); test_hash (&nettle_shake256, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("D4C1F39098D123B0DD88504FF6AB424E31F5D3726EFBF86500C" "E730BAE87EC671C97F768F9593C8411B57E306B0CB394F33B86" "6493BBFC3F089FA4E875858FBCE814DEBB905FA7249F7DBE737" "F5F6725CF76D2A50B319D96BFCD55E03A6E923B01003E6D5976" "A66AA5250C337C9C4C402B9733C8F626789FB23FF1043494A73" "960297CA9110D23DEF1D72B601F6C42CF83938003B3A386CDDE" "D4A70B24975C958597894FD6E2C412CDC6E32EA7F398242F84D" "4F4BD469DEE9AD10B717EBAA26F2481224F47135219231279C3" "6867751A476AF60AC4AF8F151F301CACF5D7890D62A135B4414" "9CC7405208212B7547EC0617ABF96A7741EB2E08D18AAA17357" "B4F2DDAB92257E893CFCB91BDD73DFF3F8E6C28FDF38DC89094" "C719E69508AF7ABEE4D1403E0F139348632A45708AAB27D4403" "F5D5B85A81AC72EDE9E2448F1FB87571CCA3631BDA9F9D0DC06" "0000B03450FBC7D98AF74F0B0A8A1BBDEED01C4C8300B05E05C" "F7AF7824B246666EB53119FCFAAD3C7AAEEFE0274A55ABC01AB" "F0A38189E46CD3CE56F0A4DB8E9B498EEC68E03DB7FDC917723" "0DFC72F45A41A7064F42F3C527A5E5473B2F68D1C8BA960BD3B" "458BE2BEF2C3623B38A66266EACEA3CC93C09F4CF566327E78E" "C39CE5541E48142FEF380AF5161ED9C63724FA16384F574B1D1" "CBC3F1C852028CB9A8D1F411D6AC119E11E6202E566B49341D4" "0D19")); test_hash (&nettle_shake256, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("D6FC1E61D2BC27CA5DD5ACD290C2831070E66C38F03D2DC9118" "4AA9EAEAF03A28E009A1AE1C775F4274B3AE6B5491C9B0C838C" "F90D185FE94C49EF46ABABA62D6ED1F550D83466EFC6B97789C" "A36AD1A6A3E6703A5DA9764E47F29C8096E3D317FC7AFF0B79B" "1C278610AFE3F5E7FA7FD52FD36CC9E7000DA809346281EEBA1" "EE9BB06AAD61F3E02CF4A5BB7B211E2437ED21437FAE78378F2" "8B14184B7DE7E80E845837A483C0C6DF8E233687F71F0F9745D" "585411F103356A0C474F9238403E40960F63A3418199325EA6E" "8EADA31C94F78CFF1B83A2EFA4E49045E0CE34A5C6102539932" "8CD7F79A1E4CC792D8AE9F1AA954235B515158BE5F4064B889C" "14A3A83AB59CF26945DBBF70F3A5F3BDBE8674546D6DF384C40" "D56B286D309A114871BC18E144D2334C88C32F141F6DFA70859" "A9FF7D4996BD3FABA0299794E861DB8BE8A324822C4B1DFBFA7" "0F8D9149C3DC01E0E556DC744C98FC2F92C8600C856BD174759" "AF467D6618C4347366CE04D06A0EE4FEB9A27B79BED01BEB7DE" "E41859C1306939D55B0E319DD2E0E001F6174361CB804CD3AC3" "332B8D8A1D8204D5255F81FAA0BDC29AE71693586C987E35C81" "E314A3848B03CF7B37EAEE2AD6ED4736E1F20A098DDAEC612AE" "E17294313DA16453D7901CF80FC729962206AD4820B00E8EF0D" "999857832256E5B784E8A89DFDDD38F6E15DE081A82E19A2A05" "D417")); test_hash (&nettle_shake256, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("F61115AE2FD5442877D08E39A57DF8D4A5F117D57C2688617A8" "DA64F9482F5A817E0D3DFE41A9CFF331F4D5E3240DA38E43B7B" "87925FE378512CD83172FC3CC2396A8ACDBF5010CA576603581" "BF7DF6D7529423709B30DB81620B9F660B5AA82EA6C98656DA2" "7B4709DA85D364EC015C2EAAF2AADEDA2C040BADFAB16F7C2AE" "39DA6A1691057301B7C3252884CD9EE079E68857D6D3B7F4F85" "556140DB03421F09E98B80A8422500A349B5C0D8FFB25433A41" "21B7682F8517500930E5F2766C687846553C9F76DE38A0EE41F" "76D3A22696B95774BD5EB747F6445D8044147EE38B127892F4B" "0B1932470B454F8F1BB697A2F6659AB13F3E2003C97D292A787" "8E12CE47AA9619FCFE2135D8890710B2733DF40FC75DAD57B99" "042E4F54AEA9332ED52CAB8FFDE5195EDA05368B09E9FD55731" "DA20012A7D255AAA33D74E22917E58BD546EE90947A16044B14" "DFFFAB05916C382D1F038B63D2F20DC09C117C8724A4DB3970B" "7CB143B1522D010881FE6663410DB3400DB33B62A6E70DFD48C" "2FE773054E1494944B60FC5D3BC803027C4B12E6A230FE41CA4" "D072F3628D20782CD7DE4E98A29DF083FEF503E46EEFA787F8B" "0E9B1E7C884B9122977532BD71FB63120C1069156516D265FE3" "559B18965E968B9BBD653484866847E76262D0CCBEE8FB0314A" "8C40B8C35725337CA4A241592E47D5B8981D3212C62AE7E25F2" "7495")); test_hash (&nettle_shake256, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("3BBF30FAF9241C9E3E27EC2C17AB24AA3673799371528CB98A6" "D9B91E553553680505D7CD6590377AB54E5DC7D7C72035300AF" "651AB0EA52ABA9FE1D490EE5C95B146138F61F957C5CEC8D463" "3175C99A00590DDB987D2E032547D99C691B32C12D7392742A5" "AE47D03B5A08A544548BBEC45B9580DE1CECB7B9F06A88614DA" "A116D7200DC8E81EF3C7C5A716044133D2A66FFBFA35E1668FE" "D9C1045DA77DF92564F60087D173F71B75F040BC6CC14923465" "9C1213BEEF18C53CDEFEF2FF466A2F16823D7659E04AD61F6B2" "3DDCA8BF35AF892BFB8A952DF4ED254FFAC52CF71F4C872EF15" "EF11FAE9967FC8F1C218E7CABA5382936F4CBBDF7F41AA2A239" "BCF36FE158B7D771BECF8981DDAAAC31F744D949396623CB3BB" "754189FB5E78DD94171C1BD6AD3953DDA6D4DACD3B57D37B1B7" "3FAB0D2CAA0B5B3F6A2C9F324F4B93C912991E50F8872BC2764" "51969FF379AAEFC3C710DE16128136AE0D1268D106BBCE2AA4D" "2DB0C5EDB171DFF104DF4F7D49FE017C82083DD1E9F7DEE489B" "B38CE091C222C3A0898F17A0DA1D4B2830C7B7C3C372FDF2A4E" "9CD7B468107513D6E3ADCC91F662218A7364A7340966A4D692C" "F394443203DCE8B33503AEE6C1259BBCF36351AF93EF01764BE" "4863759ED0ABCA9E59CA6004F2E5738AF7EFC7BE8F9A1E10655" "1B77AEFBFF9DBE99ED5ABB12207CF38F7FB9BA77D776FA0DF3B" "FAAC")); test_hash (&nettle_shake256, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("32FFBC063291BD2C957DCDC76632DD1BCE0DBFCAC549228D277" "D81B6ABBA904D43330EF8081E164D8FCAF520E12B388C401682" "95A63D365B57A7694D4C50812B99C86E036116A07F0164B7088" "537688D4BAF1E0FCDC84C6DA8D92789466A606F1EE25CE7461F" "A65DF04BDEBC24A3A4BAC3B02B469C8E85F53D9481DBE244DC6" "7B8BCE84CC7175113D4D7B2413601E9140B7802D9FB712938E9" "C5034CEEA753B7C77C08BC1C03D511ED0B4D5007BBAC38EE76B" "675B73AEF8623CA9CCD579E28BAE7D695BE25FBDB673F3401A7" "5D5A57D142034A7BEE554ED30CC7F03CBB363C10A54F818937A" "E468F5845ADA4F9A2A1BF6887105879DA745AAE64D87F26F489" "A622370405ADA3D3688697DB8F04557736C51725ACA02E4B76F" "6A9E88DC6D52D5A63806BBA1BD687FAAC522D7B5B0A8D607328" "3659056E784320822EAF70666180ADFDBA2675B4EAD6F6B2EF8" "26E7598BBD8C1956A15C1864D249368900D82498297C3E77A19" "EBE20A111D13FC03CA88D9332F919EA4AD15BE8E397ABA0A4E2" "BA85F3FA5999EB553780F0D2F35D76A63B0106406FC3B455047" "6572E1464C986870027849ADA0F164B48B839ECD3CA9AFEADEE" "3F63AA6CA06C635990922995DB0BB99A4AC4B7F3AAC52069F31" "30660AE0F074FBAA1D103A086B59AEE4DA3188CCA3227670FD4" "3597ABFC1A2F6CFA67FA24EF0B20B4AADE9CE8E68CAB34111D1" "0464")); test_hash (&nettle_shake256, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("BA2B1CEC1BBB46EA19AF7A869FDC73CB3791708DEFDF530DC99" "99E9510FCB02AEF571B3C5E7258D86DC80EDB53B71644110B9E" "82C239FF17EF523840E6AF4D597D814D4E5EC2EA98E451C0531" "8402D5BFF6E6E573565AB640E00BF6F8C3646B3F6656047C60E" "D43393AF7F2D8DF8915A0F6F44D69FE193DD5617FE39BDA638E" "4DDDA771B0E771318A53ADECBDBFF07D6CFEAA04A837034C6EA" "0E70C8FC244304804E0E890F31F951007A2F897BF3F00221B63" "EA3DD8D9D1DD3608596EF7817190D56D36EB99266F83B7F1A20" "80F7A5405CDE86017948BF977C6CC78565B3EEC570B36FC0656" "6909951F31CAD6094F296F759E858BF7AA9298B2F4F7F5C3167" "C145EC126C40F6E5DCCD87C82489400FF8B9B79B19E47259661" "8EED3FBC6FE5545BB3276ED710CA128A3C2FA9B831FA6FA3B12" "6380C4BAED23D9186FAC830891F98C81D401A6513E139F6546F" "065E8AF6E1A9595218A025D8292176F8ACC4ACAEE6308C08DB5" "215FC0064D7279FF6165033E0946FB7C10BF5DEC2D26950B2AB" "DF71AE2B5BAB856386A25117214D5830B7D5E250FDF200CC5EE" "A0085648FA2AAB6EEC363DA41AFD82E14EDA957EA3AB7C65100" "F4A8071ACA6F1891B5465B7C46CAA9612CCB0875369CEC4BCF9" "D99BE35E03AE57C83FC80903AFE25ECF23D016CF6989EDA5B90" "0EFCF59C529FD299CF155A1310B239CD364301F520D16C74E27" "0D0D")); test_hash (&nettle_shake256, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("481CF76E2ED1A1EB74050E9632A3BCE4913D2D516E251816A2D" "55706314D6483B955B87B0A6EE013F248E2AB4517B800E23C8A" "D85926C36EABAB1F2C36625D0492C7F001760E3715EBA80AA91" "2F5E3E1A7918D1EDE2FA7FDCBBAE23FF75ADB2BD88527BCE6F0" "2FEF73175487781F26C7C7DBFD04143B70D636217ABF7EF6936" "4B8B7C493C64434DD1CCB523E5CBCC81211A64FEFA9F41FFDB3" "8D9D8D5E0A9E51BE38DCCE5225652CAB5A0EF8D8EE7DD175B92" "9ABA19480299176D7122CE1A763345A091AEB8C5DF8AB37CD4D" "96C3230E8EA847C1D28986D3398DEA80F2C48C3B4406524BCD4" "850DC02621B470AC7DF27372D95822795E8A2D81AACCD72F535" "110FA01FDF0CABD7D848960603B80758406FFA78FB6C68DB4FD" "F40C146318C2D296CD1A5BD7C1E11EA967B72792A3A7FBAC908" "9588D3FB555F122F7AFB499AA3B3C43E07BD3D8F9FE980213C1" "74D37DB9FBC8ECD318CC207689766A327614ED6B01BB0A5A2CF" "04F5B54EDD97BE72E5F894328EE86A1C9D2FFB65C9FD0FEA4BA" "865D0EA4F16DEF67CE1D6D42095C1C8488376A4326396FE3448" "484754153B2D4A94C442BDE7CF67E8B9994E958D3CC17D5B0FD" "7A4F203024EC29CEBF40B549F2936CC6C196AB83EC8C4585D28" "E31D3ECF5BB59AB24B2CC6908E51A9BCD5BBCFA92C02E61B08C" "A7E3AAAED73C450909C8B9BDB422CCAB0A86C5A5C3C10A634B1" "7332")); test_hash (&nettle_shake256, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("47929C7D0C4DB7F9EBAEF5EA93BBC7B255C8E249EDF893257C7" "AEB996CC8EEAB1A6CA4520F4D4257144CD5A9A850A372BD00DC" "CA339C4781479E976B7508688DC63783CA9EC7A9FB8196721C8" "C24AFF5BF9385453E9B85A1F7FC75A029E09D45910DC24F1304" "D1E51EC702E79DC731B6120596BF3DF30DC0F756834AC0BB94F" "99243EAC8910015D10DC618252A77D8B900C4141CFF2461C408" "C19B978D1B58E690815C0C07B901137A45F045ABBD85428ACF5" "1410135EB27128EC6725062665D1E6A6B8EBAD3B81D36770B0C" "D14303B9264D25DFEE14B27798E22B46A77ADF456FDAFEB6D59" "7F7E3152AAD40E29AB7E7808A4E46F43E18856518CE6D716062" "029024AFE0EF0A7F3783F755977F8B10EEC658AABC20B2EE0E8" "D3ADE73E2A7E78E4CEC3C09ADA3089247C678238580891ADA46" "0D60DA297A4EB7DDBA67D117E21E7461BCE7CFC7573352696B4" "643D6D9C9EC97EB431F6159AC438479BC6547BA04552748171F" "4AEAAA2EF0DD7ECCB4ABDB2E07AB536F0183516B1DCBF0E12FD" "134F9AD85B854AFDCCE14C1C52D0BF1EE1E52A12FDD63632D9D" "F1B78E7899B03527DA8597124AE3C8797E6832138508AB89069" "BF692A9E5D102CA20807A4BD5033D7BF7C918998D3D52B240B8" "449D12B402EE7F50B211F597F1BD39B69A4DFF9A0E6DBE347AC" "1137B3631DD15F97217A5BFE2C6579BC3C44F8789DED23EFEC5" "1A64")); test_hash (&nettle_shake256, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("401A2897FCA682A6949D88F939ECF943140ECA42F90D86D2DC3" "01EFEA2DBD4C03998D686DCEC124334F0C5BA7674F25CDBF36F" "B9480E8DB2111BA4E78221D1855893A526F97535936AAC3D88D" "8908786BF5A9334EEE1A4D9B346A95573993DB7C9C7A75CE692" "DF5118963083B778865396501845E12E4DDDE82035B03A6C436" "97CDB2B1C5C4EB24D0D484ACB105549290B9FCD5C8B4EE31D4E" "B542A2C9637D8E34687B18AB2DCF92A826877F9F1766ECBC43E" "3879E481C4B6AD994586F110818A20B6F93C8CED8C1FBC0B545" "72714EF722E83046A93CE23D118E494969D5BD1A9E9C744C5A5" "6D193D2BC7054A4A0BB22987AA2CA672E69C2B733C860F292C4" "F218557B7B921C4367B611E1D7FE30CF454EEBF09990C5ACD7B" "43A174A92E0B8D8180DFD409261274FF09F55013A7F58242D29" "330426BD4D8EF8365E4DE86469C436FC0FDC3B858EEE3E29C2E" "D6F650266A7B34D2A0E5ED438E60891DF92FE6B950D95BB99F9" "0344FC5EF5B210692059E9F859A476A3AFF4BB478F5DDA80629" "E236AFD3742E35F46046BDF1522590562C8337C39FD38B8F57C" "EDD49198F8242D951330FC4D0BDF5413345BB7315EEB67E4B1D" "561D185FADF23C0979B036D885391643D7514B3FABCD16382CC" "C49E6B7C0707B90AC0F86176DCF9D7F1DCD270374D2AB8E1E9F" "AFB7DEC0F952FBD4456C9E7FCDA80CF0A46CE98AF6E9B588A37" "0741")); test_hash (&nettle_shake256, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("8E756B09EE1679DFB957AEBC5B55CCCA4414AEAD58229106040" "A1A58F4768D241A0869A3A7D682DD937FB13352F635EC3D5783" "8469BA6AB93A9DC86EF3598F53E044FEA98301971A2182A1725" "C32BF5529FCE04665C9F2C1275D484543E038E964D855E1D919" "83EA34F7D66E19E27B6F59B23E9690C291432793167A5E8A9B4" "4AEB9ECBAA500E2616AC32AF6B6ACFB6C2B4A485BE4FE5072BD" "1F0E08AE343BF0C5CB241111F894BFD4BE6A26DBC7ED352D717" "44BD9A4D51F149AC4EA5AD323B063D93E56AE12B81D88EB0830" "24D3D164C0FD7B4BCE8A800F69CB7C66594D7AB20818DC79F01" "853FEE81B345210CDF2964C3A25A0934ECE6B13029B5FDC3B78" "0CD85A46E54495328F0BAA63078B3948172443B57D8571A82C7" "17A4D93A6FD9ADA3A1EFC41F3697600D02FCB555EEF1D5162B3" "46D892EABC60251B048979F49E3855FD5A49520A60D099ED2F5" "A5C8764875A4EA242407856B5DC393BA1E71FD04C53181572AD" "90E0184934D7B65E0EA56A8521A284E6A5B98BC704AD92E658A" "8B4C64CF67157AC0673159B9E2A9EA9D94C6FB3E5BD963DFCAA" "D484CF06BE75E3F23A11287B82BC6618B6EDA760D29D1D8400C" "41EC3B42A24EC1E070BCE0EEC7DC6C6F19E2A6BA7FAAB72DD81" "F31814A18CE984C7AAE6D9CAAA800318418F56871C8CFD8778F" "AA7DAD3426849E10B041D6190EB445410F5F5E476068579FEDC" "5869")); test_hash (&nettle_shake256, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("8A5199B4A7E133E264A86202720655894D48CFF344A928CF834" "7F48379CEF347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA" "03B9EDB02B9635470AB9F1038985D55F9CA774572DD006470EA" "65145469609F9FA0831BF1FFD842DC24ACADE27BD9816E3B5BF" "2876CB112232A0EB4475F1DFF9F5C713D9FFD4CCB89AE5607FE" "35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B6096E2B3" "FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F3" "9F99B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB" "5663727AAC34A401247FBAA7499E7D5EE5B69D31025E63D04C3" "5C798BCA1262D5673A9CF0930B5AD89BD485599DC184528DA47" "90F088EBD170B635D9581632D2FF90DB79665CED430089AF13C" "9F21F6D443A818064F17AEC9E9C5457001FA8DC6AFBADBE3138" "F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F189B5" "34E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73" "FB1775B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA" "77114A16C15355B42877A1DB2A7DF0E155AE1D8670ABCEC3450" "F4E2EEC9838F895423EF63D261138BAAF5D9F104CB5A957AEA0" "6C0B9B8C78B0D441796DC0350DDEABB78A33B6F1F9E68EDE3D1" "805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9096F2EDB2" "21DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39" "73D4")); /* Test incremental API */ msg = SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"); digest = SHEX("8A5199B4A7E133E264A86202720655894D48CFF344A928CF834" "7F48379CEF347DFC5BCFFAB99B27B1F89AA2735E23D30088FFA" "03B9EDB02B9635470AB9F1038985D55F9CA774572DD006470EA" "65145469609F9FA0831BF1FFD842DC24ACADE27BD9816E3B5BF" "2876CB112232A0EB4475F1DFF9F5C713D9FFD4CCB89AE5607FE" "35731DF06317949EEF646E9591CF3BE53ADD6B7DD2B6096E2B3" "FB06E662EC8B2D77422DAAD9463CD155204ACDBD38E319613F3" "9F99B6DFB35CA9365160066DB19835888C2241FF9A731A4ACBB" "5663727AAC34A401247FBAA7499E7D5EE5B69D31025E63D04C3" "5C798BCA1262D5673A9CF0930B5AD89BD485599DC184528DA47" "90F088EBD170B635D9581632D2FF90DB79665CED430089AF13C" "9F21F6D443A818064F17AEC9E9C5457001FA8DC6AFBADBE3138" "F388D89D0E6F22F66671255B210754ED63D81DCE75CE8F189B5" "34E6D6B3539AA51E837C42DF9DF59C71E6171CD4902FE1BDC73" "FB1775B5C754A1ED4EA7F3105FC543EE0418DAD256F3F6118EA" "77114A16C15355B42877A1DB2A7DF0E155AE1D8670ABCEC3450" "F4E2EEC9838F895423EF63D261138BAAF5D9F104CB5A957AEA0" "6C0B9B8C78B0D441796DC0350DDEABB78A33B6F1F9E68EDE3D1" "805C7B7E2CFD54E0FAD62F0D8CA67A775DC4546AF9096F2EDB2" "21DB42843D65327861282DC946A0BA01A11863AB2D1DFD16E39" "73D4"); test_incremental (msg, digest, 16); test_incremental (msg, digest, SHA3_256_BLOCK_SIZE - 1); test_incremental (msg, digest, SHA3_256_BLOCK_SIZE); test_incremental (msg, digest, SHA3_256_BLOCK_SIZE + 1); } nettle-3.10/testsuite/gostdsa-keygen-test.c0000644000175000017500000000443214633602172020061 0ustar nissenisse#include "testutils.h" #include "gostdsa.h" #include "knuth-lfib.h" void test_main (void) { unsigned i; struct knuth_lfib_ctx rctx; struct dsa_signature signature; struct tstring *digest; knuth_lfib_init (&rctx, 4711); dsa_signature_init (&signature); digest = SHEX (/* sha256("abc") */ "BA7816BF 8F01CFEA 414140DE 5DAE2223" "B00361A3 96177A9C B410FF61 F20015AD"); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; struct ecc_point pub; struct ecc_scalar key; if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* Exclude curve25519 and curve448, not supported with GOSTDSA. */ continue; if (verbose) fprintf (stderr, "Curve %d\n", ecc->p.bit_size); ecc_point_init (&pub, ecc); ecc_scalar_init (&key, ecc); ecdsa_generate_keypair (&pub, &key, &rctx, (nettle_random_func *) knuth_lfib_random); if (verbose) { fprintf (stderr, "Public key:\nx = "); write_mpn (stderr, 16, pub.p, ecc->p.size); fprintf (stderr, "\ny = "); write_mpn (stderr, 16, pub.p + ecc->p.size, ecc->p.size); fprintf (stderr, "\nPrivate key: "); write_mpn (stderr, 16, key.p, ecc->p.size); fprintf (stderr, "\n"); } if (!test_ecc_point_valid_p (&pub)) die ("gostdsa_generate_keypair produced an invalid point.\n"); gostdsa_sign (&key, &rctx, (nettle_random_func *) knuth_lfib_random, digest->length, digest->data, &signature); if (!gostdsa_verify (&pub, digest->length, digest->data, &signature)) die ("gostdsa_verify failed.\n"); digest->data[3] ^= 17; if (gostdsa_verify (&pub, digest->length, digest->data, &signature)) die ("gostdsa_verify returned success with invalid digest.\n"); digest->data[3] ^= 17; mpz_combit (signature.r, 117); if (gostdsa_verify (&pub, digest->length, digest->data, &signature)) die ("gostdsa_verify returned success with invalid signature.r.\n"); mpz_combit (signature.r, 117); mpz_combit (signature.s, 93); if (gostdsa_verify (&pub, digest->length, digest->data, &signature)) die ("gostdsa_verify returned success with invalid signature.s.\n"); ecc_point_clear (&pub); ecc_scalar_clear (&key); } dsa_signature_clear (&signature); } nettle-3.10/testsuite/testutils.h0000644000175000017500000002060314633602172016223 0ustar nissenisse#ifndef NETTLE_TESTUTILS_H_INCLUDED #define NETTLE_TESTUTILS_H_INCLUDED /* config.h should usually be first in each .c file. This is an exception, include it here to reduce clutter in the test cases. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-types.h" #include "version.h" #if WITH_HOGWEED # include "rsa.h" # include "dsa-compat.h" # include "ecc-curve.h" # include "ecc.h" # include "ecc-internal.h" # include "ecdsa.h" # include "gmp-glue.h" # if NETTLE_USE_MINI_GMP # include "knuth-lfib.h" # endif /* Undo dsa-compat name mangling */ #undef dsa_generate_keypair #define dsa_generate_keypair nettle_dsa_generate_keypair #else /* !WITH_HOGWEED */ /* Make sure either gmp or mini-gmp is available for tests. */ #include "mini-gmp.h" #endif /* !WITH_HOGWEED */ #include "nettle-meta.h" #ifdef __cplusplus extern "C" { #endif void die(const char *format, ...) PRINTF_STYLE (1, 2) NORETURN; void * xalloc(size_t size); struct tstring { struct tstring *next; size_t length; uint8_t data[1]; }; struct tstring * tstring_alloc (size_t length); void tstring_clear(void); struct tstring * tstring_data(size_t length, const uint8_t *data); struct tstring * tstring_hex(const char *hex); void tstring_print_hex(const struct tstring *s); /* Decodes a NUL-terminated hex string. */ void print_hex(size_t length, const uint8_t *data); /* If side-channel tests are requested, attach valgrind annotations on given memory area. */ void mark_bytes_undefined (size_t size, const void *p); void mark_bytes_defined (size_t size, const void *p); /* The main program */ void test_main(void); extern int verbose; extern int test_side_channel; typedef void nettle_encrypt_message_func(void *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src); typedef int nettle_decrypt_message_func(void *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src); struct nettle_aead_message { const char *name; unsigned context_size; unsigned key_size; unsigned digest_size; int supports_inplace; nettle_set_key_func *set_encrypt_key; nettle_set_key_func *set_decrypt_key; nettle_encrypt_message_func *encrypt; nettle_decrypt_message_func *decrypt; }; void test_cipher(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext); void test_cipher_cbc(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_cfb(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_cfb8(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iv); void test_cipher_stream(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext); void test_aead(const struct nettle_aead *aead, nettle_hash_update_func *set_nonce, const struct tstring *key, const struct tstring *authtext, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *nonce, const struct tstring *digest); void test_aead_message(const struct nettle_aead_message *aead, const struct tstring *key, const struct tstring *adata, const struct tstring *nonce, const struct tstring *clear, const struct tstring *cipher); void test_hash(const struct nettle_hash *hash, const struct tstring *msg, const struct tstring *digest); void test_hash_large(const struct nettle_hash *hash, size_t count, size_t length, uint8_t c, const struct tstring *digest); void test_mac(const struct nettle_mac *mac, const struct tstring *key, const struct tstring *msg, const struct tstring *digest); void test_armor(const struct nettle_armor *armor, size_t data_length, const uint8_t *data, const char *ascii); #if WITH_HOGWEED #if NETTLE_USE_MINI_GMP typedef struct knuth_lfib_ctx gmp_randstate_t[1]; void gmp_randinit_default (struct knuth_lfib_ctx *ctx); #define gmp_randclear(state) void mpz_urandomb (mpz_t r, struct knuth_lfib_ctx *ctx, mp_bitcnt_t bits); void mpz_urandomm (mpz_t r, struct knuth_lfib_ctx *ctx, const mpz_t n); /* This is cheating */ #define mpz_rrandomb mpz_urandomb #define mpz_rrandomm mpz_urandomm static inline int test_randomize (gmp_randstate_t rands UNUSED) { return 0; } #else /* !NETTLE_USE_MINI_GMP */ int test_randomize (gmp_randstate_t rands); #endif /* !NETTLE_USE_MINI_GMP */ void mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn); mp_limb_t * xalloc_limbs (mp_size_t n); void write_mpn (FILE *f, int base, const mp_limb_t *xp, mp_size_t n); void test_rsa_set_key_1(struct rsa_public_key *pub, struct rsa_private_key *key); void test_rsa_set_key_2(struct rsa_public_key *pub, struct rsa_private_key *key); void test_rsa_md5(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_sha1(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_sha256(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_sha512(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected); void test_rsa_key(struct rsa_public_key *pub, struct rsa_private_key *key); void test_dsa160(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct dsa_signature *expected); void test_dsa256(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct dsa_signature *expected); #if 0 void test_dsa_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct nettle_hash *hash, const struct dsa_signature *expected); #endif void test_dsa_verify(const struct dsa_params *params, const mpz_t pub, const struct nettle_hash *hash, struct tstring *msg, const struct dsa_signature *ref); void test_dsa_key(const struct dsa_params *params, const mpz_t pub, const mpz_t key, unsigned q_size); extern const struct ecc_curve * const ecc_curves[]; /* Check that given point satisfyes curve equation. */ int test_ecc_point_valid_p (struct ecc_point *pub); struct ecc_ref_point { const char *x; const char *y; }; void test_ecc_point (const struct ecc_curve *ecc, const struct ecc_ref_point *ref, const mp_limb_t *p); void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p); void test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p); /* Checks that p == g (affine coordinates) */ void test_ecc_ga (unsigned curve, const mp_limb_t *p); /* Gets the curve generator, with coordinates in redc form, if appropriate, and with an appended z = 1 coordinate. */ void test_ecc_get_g (unsigned curve, mp_limb_t *rp); /* Variant with only two coordinates, and no redc. */ void test_ecc_get_ga (unsigned curve, mp_limb_t *rp); #endif /* WITH_HOGWEED */ /* String literal of type unsigned char. The GNUC version is safer. */ #if __GNUC__ #define US(s) ({ static const unsigned char us_s[] = s; us_s; }) #else #define US(s) ((const uint8_t *) (s)) #endif /* LDATA needs to handle NUL characters. */ #define LLENGTH(x) (sizeof(x) - 1) #define LDATA(x) LLENGTH(x), US(x) #define LDUP(x) strlen(x), strdup(x) #define SHEX(x) (tstring_hex(x)) #define SDATA(x) ((const struct tstring *)tstring_data(LLENGTH(x), US(x))) #define H(x) (SHEX(x)->data) #define MEMEQ(length, a, b) (!memcmp((a), (b), (length))) #define FAIL() abort() #define SKIP() exit(77) #define ASSERT(x) do { \ if (!(x)) \ { \ fprintf(stderr, "Assert failed: %s:%d: %s\n", \ __FILE__, __LINE__, #x); \ FAIL(); \ } \ } while(0) #ifdef __cplusplus } #endif #endif /* NETTLE_TESTUTILS_H_INCLUDED */ nettle-3.10/testsuite/sha384-test.c0000644000175000017500000000365214633602172016152 0ustar nissenisse#include "testutils.h" void test_main(void) { test_hash(&nettle_sha384, SDATA("abc"), SHEX("cb00753f45a35e8b b5a03d699ac65007" "272c32ab0eded163 1a8b605a43ff5bed" "8086072ba1e7cc23 58baeca134c825a7")); test_hash(&nettle_sha384, SDATA("abcdefghbcdefghicdefghijdefg" "hijkefghijklfghijklmghijklmn" "hijklmnoijklmnopjklmnopqklmn" "opqrlmnopqrsmnopqrstnopqrstu"), SHEX("09330c33f71147e8 3d192fc782cd1b47" "53111b173b3b05d2 2fa08086e3b0f712" "fcc7c71a557e2db9 66c3e9fa91746039")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha384, SDATA(""), SHEX("38b060a751ac9638 4cd9327eb1b1e36a" "21fdb71114be0743 4c0cc7bf63f6e1da" "274edebfe76f65fb d51ad2f14898b95b")); test_hash(&nettle_sha384, SDATA("a"), SHEX("54a59b9f22b0b808 80d8427e548b7c23" "abd873486e1f035d ce9cd697e8517503" "3caa88e6d57bc35e fae0b5afd3145f31")); test_hash(&nettle_sha384, SDATA("38"), SHEX("c071d202ad950b6a 04a5f15c24596a99" "3af8b212467958d5 70a3ffd478006063" "8e3a3d06637691d3 012bd31122071b2c")); test_hash(&nettle_sha384, SDATA("message digest"), SHEX("473ed35167ec1f5d 8e550368a3db39be" "54639f828868e945 4c239fc8b52e3c61" "dbd0d8b4de1390c2 56dcbb5d5fd99cd5")); test_hash(&nettle_sha384, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("feb67349df3db6f5 924815d6c3dc133f" "091809213731fe5c 7b5f4999e463479f" "f2877f5f2936fa63 bb43784b12f3ebb4")); test_hash(&nettle_sha384, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("1761336e3f7cbfe5 1deb137f026f89e0" "1a448e3b1fafa640 39c1464ee8732f11" "a5341a6f41e0c202 294736ed64db1a84")); test_hash(&nettle_sha384, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("b12932b0627d1c06 0942f54477641556" "55bd4da0c9afa6dd 9b9ef53129af1b8f" "b0195996d2de9ca0 df9d821ffee67026")); } nettle-3.10/testsuite/cxx-test.cxx0000644000175000017500000000610514633602172016316 0ustar nissenisse/* For FILE, used by gmp.h */ #include #include "testutils.h" #include "md5.h" /* Test C++ linkage */ void test_main(void) { struct md5_ctx md5; uint8_t digest[MD5_DIGEST_SIZE]; md5_init (&md5); md5_update (&md5, 14, reinterpret_cast ("message digest")); md5_digest (&md5, MD5_DIGEST_SIZE, digest); ASSERT (MEMEQ (MD5_DIGEST_SIZE, digest, H("F96B697D7CB7938D 525A2F31AAF161D0"))); #if WITH_PUBLIC_KEY struct rsa_public_key pub; struct rsa_private_key key; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_set_str(pub.n, "69abd505285af665" "36ddc7c8f027e6f0" "ed435d6748b16088" "4fd60842b3a8d7fb" "bd8a3c98f0cc50ae" "4f6a9f7dd73122cc" "ec8afa3f77134406" "f53721973115fc2d" "8cfbba23b145f28d" "84f81d3b6ae8ce1e" "2850580c026e809b" "cfbb52566ea3a3b3" "df7edf52971872a7" "e35c1451b8636d22" "279a8fb299368238" "e545fbb4cf", 16); mpz_set_str(pub.e, "0db2ad57", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0a66399919be4b4d" "e5a78c5ea5c85bf9" "aba8c013cb4a8732" "14557a12bd67711e" "bb4073fd39ad9a86" "f4e80253ad809e5b" "f2fad3bc37f6f013" "273c9552c9f489", 16); mpz_set_str(key.q, "0a294f069f118625" "f5eae2538db9338c" "776a298eae953329" "9fd1eed4eba04e82" "b2593bc98ba8db27" "de034da7daaea795" "2d55b07b5f9a5875" "d1ca5f6dcab897", 16); mpz_set_str(key.a, "011b6c48eb592eee" "e85d1bb35cfb6e07" "344ea0b5e5f03a28" "5b405396cbc78c5c" "868e961db160ba8d" "4b984250930cf79a" "1bf8a9f28963de53" "128aa7d690eb87", 16); mpz_set_str(key.b, "0409ecf3d2557c88" "214f1af5e1f17853" "d8b2d63782fa5628" "60cf579b0833b7ff" "5c0529f2a97c6452" "2fa1a8878a9635ab" "ce56debf431bdec2" "70b308fa5bf387", 16); mpz_set_str(key.c, "04e103ee925cb5e6" "6653949fa5e1a462" "c9e65e1adcd60058" "e2df9607cee95fa8" "daec7a389a7d9afc" "8dd21fef9d83805a" "40d46f49676a2f6b" "2926f70c572c00", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); mpz_set_str(expected, "53bf517009fa956e" "3daa6adc95e8663d" "3759002f488bbbad" "e49f62792d85dbcc" "293f68e2b68ef89a" "c5bd42d98f845325" "3e6c1b76fc337db5" "e0053f255c55faf3" "eb6cc568ad7f5013" "5b269a64acb9eaa7" "b7f09d9bd90310e6" "4c58f6dbe673ada2" "67c97a9d99e19f9d" "87960d9ce3f0d5ce" "84f401fe7e10fa24" "28b9bffcf9", 16); mpz_t signature; mpz_init(signature); /* Create signature */ md5_update (&md5, 39, reinterpret_cast ("The magic words are squeamish ossifrage")); ASSERT (rsa_md5_sign (&key, &md5, signature)); /* Verify it */ md5_update (&md5, 39, reinterpret_cast ("The magic words are squeamish ossifrage")); ASSERT (rsa_md5_verify (&pub, &md5, signature)); /* Try bad data */ md5_update (&md5, 39, reinterpret_cast ("The magik words are squeamish ossifrage")); ASSERT (!rsa_md5_verify (&pub, &md5, signature)); #endif /* WITH_PUBLIC_KEY */ } nettle-3.10/testsuite/memeql-test.c0000644000175000017500000000176214633602172016420 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" #include "memops.h" static int memeql_sec_for_test(const void *a, const void *b, size_t n) { int res; /* Makes valgrind trigger on any branches depending on the input data. */ mark_bytes_undefined (n, a); mark_bytes_undefined (n, b); res = memeql_sec (a, b, n); mark_bytes_defined (sizeof(res), &res); return res; } #define MAX_SIZE 50 void test_main(void) { uint8_t orig[MAX_SIZE]; uint8_t a[MAX_SIZE]; uint8_t b[MAX_SIZE]; struct knuth_lfib_ctx random_ctx; knuth_lfib_init (&random_ctx, 11); size_t size; for (size = 0; size < 50; size++) { size_t i; uint8_t bit; knuth_lfib_random (&random_ctx, size, orig); memcpy (a, orig, size); memcpy (b, orig, size); ASSERT (memeql_sec_for_test (a, b, size)); for (i = 0; i < size; i++) for (bit = 0x80; bit; bit >>= 1) { b[i] = orig[i] ^ bit; ASSERT (!memeql_sec_for_test (a, b, size)); b[i] = orig[i]; } } } nettle-3.10/testsuite/drbg-ctr-aes256-test.c0000644000175000017500000000435514633602172017650 0ustar nissenisse/* drbg-ctr-aes256-test.c Copyright (C) 2023 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "drbg-ctr.h" void test_main (void) { struct drbg_ctr_aes256_ctx rng; uint8_t seed_material[DRBG_CTR_AES256_SEED_SIZE]; uint8_t tmp[DRBG_CTR_AES256_SEED_SIZE]; size_t i; /* https://ntruprime.cr.yp.to/nist/ntruprime-20201007/Reference_Implementation/kem/sntrup761/nist/kat_kem.c.html https://ntruprime.cr.yp.to/nist/ntruprime-20201007/KAT/kem/sntrup761/kat_kem.req.html */ for (i = 0; i < DRBG_CTR_AES256_SEED_SIZE; i++) seed_material[i] = i; drbg_ctr_aes256_init (&rng, seed_material); drbg_ctr_aes256_random (&rng, DRBG_CTR_AES256_SEED_SIZE, tmp); if (!MEMEQ (DRBG_CTR_AES256_SEED_SIZE, tmp, H ("061550234D158C5EC95595FE04EF7A25767F2E24CC2BC479" "D09D86DC9ABCFDE7056A8C266F9EF97ED08541DBD2E1FFA1"))) { printf ("drbg_ctr_aes256 = "); print_hex (DRBG_CTR_AES256_SEED_SIZE, tmp); abort (); } drbg_ctr_aes256_random (&rng, DRBG_CTR_AES256_SEED_SIZE, tmp); if (!MEMEQ (DRBG_CTR_AES256_SEED_SIZE, tmp, H ("D81C4D8D734FCBFBEADE3D3F8A039FAA2A2C9957E835AD55" "B22E75BF57BB556AC81ADDE6AEEB4A5A875C3BFCADFA958F"))) { printf ("drbg_ctr_aes256 = "); print_hex (DRBG_CTR_AES256_SEED_SIZE, tmp); abort (); } } nettle-3.10/testsuite/meta-armor-test.c0000644000175000017500000000106514633602172017200 0ustar nissenisse#include "testutils.h" #include "nettle-meta.h" const char* armors[] = { "base16", "base64", "base64url", }; void test_main(void) { int i,j; int count = sizeof(armors)/sizeof(*armors); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_armors[j]; j++) { if (0 == strcmp(armors[i], nettle_armors[j]->name)) break; } ASSERT(NULL != nettle_armors[j]); /* make sure we found a matching armor */ } j = 0; while (NULL != nettle_armors[j]) j++; ASSERT(j == count); /* we are not missing testing any armors */ } nettle-3.10/testsuite/sc-cnd-memcpy-test0000755000175000017500000000013614633602172017353 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./cnd-memcpy-test nettle-3.10/testsuite/ecc-mul-a-test.c0000644000175000017500000000461414633602172016702 0ustar nissenisse#include "testutils.h" void test_main (void) { gmp_randstate_t rands; mpz_t r; unsigned i; gmp_randinit_default (rands); test_randomize (rands); mpz_init (r); for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_size_t size = ecc_size (ecc); mp_limb_t *g = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *q = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *n = xalloc_limbs (size); mp_limb_t *scratch = xalloc_limbs (ecc->mul_itch); unsigned j; test_ecc_get_ga (i, g); mpn_zero (n, size); for (n[0] = 1; n[0] <= 4; n[0]++) { ecc->mul (ecc, p, n, g, scratch); test_ecc_mul_h (i, n[0], p); } /* (order - 1) * g = - g */ mpn_sub_1 (n, ecc->q.m, size, 1); ecc->mul (ecc, p, n, g, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) /* For edwards curves, - (x,y ) == (-x, y). FIXME: Swap x and y, to get identical negation? */ mpn_sub_n (p, ecc->p.m, p, size); else mpn_sub_n (p + size, ecc->p.m, p + size, size); test_ecc_ga (i, p); mpn_zero (n, size); for (j = 0; j < 30; j++) { if (j & 1) mpz_rrandomb (r, rands, size * GMP_NUMB_BITS); else mpz_urandomb (r, rands, size * GMP_NUMB_BITS); /* Reduce so that (almost surely) n < q */ mpz_limbs_copy (n, r, size); n[size - 1] %= ecc->q.m[size - 1]; ecc->mul (ecc, p, n, g, scratch); ecc->h_to_a (ecc, 0, p, p, scratch); ecc->mul_g (ecc, q, n, scratch); ecc->h_to_a (ecc, 0, q, q, scratch); if (mpn_cmp (p, q, 2*size)) { fprintf (stderr, "Different results from ecc->mul and ecc->mul_g.\n" " bits = %u\n", ecc->p.bit_size); fprintf (stderr, " n = "); mpn_out_str (stderr, 16, n, size); fprintf (stderr, "\np = "); mpn_out_str (stderr, 16, p, size); fprintf (stderr, ",\n "); mpn_out_str (stderr, 16, p + size, size); fprintf (stderr, "\nq = "); mpn_out_str (stderr, 16, q, size); fprintf (stderr, ",\n "); mpn_out_str (stderr, 16, q + size, size); fprintf (stderr, "\n"); abort (); } } free (g); free (n); free (p); free (q); free (scratch); } mpz_clear (r); gmp_randclear (rands); } nettle-3.10/testsuite/yarrow-test.c0000644000175000017500000001060714633602172016461 0ustar nissenisse#include "testutils.h" #include "yarrow.h" #include "knuth-lfib.h" #include "macros.h" #include #include #include #include #include /* Lagged fibonacci sequence as described in Knuth 3.6 */ struct knuth_lfib_ctx lfib; static int get_event(FILE *f, struct sha256_ctx *hash, unsigned *key, unsigned *time) { static int t = 0; uint8_t buf[1]; int c = getc(f); if (c == EOF) return 0; buf[0] = c; sha256_update(hash, sizeof(buf), buf); *key = c; t += (knuth_lfib_get(&lfib) % 10000); *time = t; return 1; } static FILE * open_file(const char *name) { /* Tries opening the file in $srcdir, if set, otherwise the current * working directory */ const char *srcdir = getenv("srcdir"); if (srcdir && srcdir[0]) { FILE *f; char *buf = xalloc(strlen(name) + strlen(srcdir) + 10); sprintf(buf, "%s/%s", srcdir, name); f = fopen(buf, "r"); free(buf); return f; } /* Opens the file in text mode. */ return fopen(name, "r"); } void test_main(void) { FILE *input; struct yarrow256_ctx yarrow; struct yarrow_key_event_ctx estimator; struct yarrow_source sources[2]; struct sha256_ctx output_hash; struct sha256_ctx input_hash; uint8_t digest[SHA256_DIGEST_SIZE]; uint8_t seed_file[YARROW256_SEED_FILE_SIZE]; const uint8_t *expected_output = H("dd304aacac3dc95e 70d684a642967c89" "58501f7c8eb88b79 43b2ffccde6f0f79"); const uint8_t *expected_input = H("e0596cf006025506 65d1195f32a87e4a" "5c354910dfbd0a31 e2105b262f5ce3d8"); const uint8_t *expected_seed_file = H("b03518f32b1084dd 983e6a445d47bb6f" "13bb7b998740d570 503d6aaa62e28901"); unsigned c; unsigned t; unsigned processed = 0; unsigned output = 0; unsigned i; static const char unsigned zeroes[100]; yarrow256_init(&yarrow, 2, sources); yarrow_key_event_init(&estimator); sha256_init(&input_hash); sha256_init(&output_hash); knuth_lfib_init(&lfib, 31416); /* Fake input to source 0 */ yarrow256_update(&yarrow, 0, 200, sizeof(zeroes), zeroes); if (verbose) printf("source 0 entropy: %d\n", sources[0].estimate[YARROW_SLOW]); ASSERT(!yarrow256_is_seeded(&yarrow)); input = open_file("gold-bug.txt"); if (!input) { fprintf(stderr, "Couldn't open `gold-bug.txt', errno = %d\n", errno); FAIL(); } while (get_event(input, &input_hash, &c, &t)) { uint8_t buf[8]; processed++; WRITE_UINT32(buf, c); WRITE_UINT32(buf + 4, t); yarrow256_update(&yarrow, 1, yarrow_key_event_estimate(&estimator, c, t), sizeof(buf), buf); if (yarrow256_is_seeded(&yarrow)) { static const unsigned sizes[4] = { 1, 16, 500, 37 }; unsigned size = sizes[processed % 4]; uint8_t buf[500]; if (verbose && !output) printf("Generator was seeded after %d events\n", processed); yarrow256_random(&yarrow, size, buf); sha256_update(&output_hash, size, buf); if (verbose) { printf("%02x ", buf[0]); if (! (processed % 16)) printf("\n"); } output += size; } } fclose(input); if (verbose) { printf("\n"); for (i = 0; i<2; i++) printf("source %d, (fast, slow) entropy: (%d, %d)\n", i, sources[i].estimate[YARROW_FAST], sources[i].estimate[YARROW_SLOW]); printf("Processed input: %d octets\n", processed); printf(" sha256:"); } sha256_digest(&input_hash, sizeof(digest), digest); if (verbose) { print_hex(sizeof(digest), digest); printf("\n"); } ASSERT (memcmp(digest, expected_input, sizeof(digest)) == 0); yarrow256_random(&yarrow, sizeof(seed_file), seed_file); if (verbose) { printf("New seed file: "); print_hex(sizeof(seed_file), seed_file); printf("\n"); } ASSERT (memcmp(seed_file, expected_seed_file, sizeof(seed_file)) == 0); if (verbose) { printf("Generated output: %d octets\n", output); printf(" sha256:"); } sha256_digest(&output_hash, sizeof(digest), digest); if (verbose) { print_hex(sizeof(digest), digest); printf("\n"); } ASSERT (memcmp(digest, expected_output, sizeof(digest)) == 0); } nettle-3.10/testsuite/md5-test.c0000644000175000017500000001046014633602172015620 0ustar nissenisse#include "testutils.h" #include "md5.h" void test_main(void) { test_hash(&nettle_md5, SDATA(""), SHEX("D41D8CD98F00B204 E9800998ECF8427E")); test_hash(&nettle_md5, SDATA("a"), SHEX("0CC175B9C0F1B6A8 31C399E269772661")); test_hash(&nettle_md5, SDATA("abc"), SHEX("900150983cd24fb0 D6963F7D28E17F72")); test_hash(&nettle_md5, SDATA("message digest"), SHEX("F96B697D7CB7938D 525A2F31AAF161D0")); test_hash(&nettle_md5, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("C3FCD3D76192E400 7DFB496CCA67E13B")); test_hash(&nettle_md5, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("D174AB98D277D9F5 A5611C2C9F419D9F")); test_hash(&nettle_md5, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("57EDF4A22BE3C955 AC49DA2E2107B67A")); /* Additional test vector, from Daniel Kahn Gillmor */ test_hash(&nettle_md5, SDATA("38"), SHEX("a5771bce93e200c3 6f7cd9dfd0e5deaa")); /* Collisions, reported by Xiaoyun Wang1, Dengguo Feng2, Xuejia Lai3, Hongbo Yu1, http://eprint.iacr.org/2004/199. */ #define M0 \ /* vv */ \ "d131dd02 c5e6eec4 693d9a06 98aff95c 2fcab5 87 12467eab 4004583e b8fb7f89" \ "55ad3406 09f4b302 83e48883 25 71 415a 085125e8 f7cdc99f d91dbd f2 80373c5b" \ /* ^^ ^^ */ #define M1 \ /* vv */ \ "d131dd02 c5e6eec4 693d9a06 98aff95c 2fcab5 07 12467eab 4004583e b8fb7f89" \ "55ad3406 09f4b302 83e48883 25 f1 415a 085125e8 f7cdc99f d91dbd 72 80373c5b" \ /* ^^ ^^ */ #define N0 \ /* vv */ \ "960b1dd1 dc417b9c e4d897f4 5a6555d5 35739a c7 f0ebfd0c 3029f166 d109b18f" \ "75277f79 30d55ceb 22e8adba 79 cc 155c ed74cbdd 5fc5d36d b19b0a d8 35cca7e3" \ /* ^^ ^^ */ #define N1 \ /* vv */ \ "960b1dd1 dc417b9c e4d897f4 5a6555d5 35739a 47 f0ebfd0c 3029f166 d109b18f" \ "75277f79 30d55ceb 22e8adba 79 4c 155c ed74cbdd 5fc5d36d b19b0a 58 35cca7e3" \ /* ^^ ^^ */ /* Note: The checksum in the paper, 1f160396 efc71ff4 bcff659f bf9d0fa3, is incorrect. */ #define H0 "a4c0d35c 95a63a80 5915367d cfe6b751" #define N2 \ /* vv */ \ "d8823e31 56348f5b ae6dacd4 36c919c6 dd53e2 b4 87da03fd 02396306 d248cda0" \ "e99f3342 0f577ee8 ce54b670 80 a8 0d1e c69821bc b6a88393 96f965 2b 6ff72a70" \ /* ^^ ^^ */ #define N3 \ /* vv */ \ "d8823e31 56348f5b ae6dacd4 36c919c6 dd53e2 34 87da03fd 02396306 d248cda0" \ "e99f3342 0f577ee8 ce54b670 80 28 0d1e c69821bc b6a88393 96f965 ab 6ff72a70" \ /* ^^ ^^ */ /* Note: Also different from the checksum in the paper */ #define H1 "79054025 255fb1a2 6e4bc422 aef54eb4" test_hash(&nettle_md5, SHEX(M0 N0), SHEX(H0)); test_hash(&nettle_md5, SHEX(M1 N1), SHEX(H0)); test_hash(&nettle_md5, SHEX(M0 N2), SHEX(H1)); test_hash(&nettle_md5, SHEX(M1 N3), SHEX(H1)); } /* Intermediate values for the single _nettle_md5_compress call for the first test case. Each row gives the values for a, b, c, d after the i:th round. The row i = -1 gives the initial values, and i = 99 gives the output values. i a b c d -1: 67452301 efcdab89 98badcfe 10325476 0: a5202774 efcdab89 98badcfe 10325476 1: a5202774 efcdab89 98badcfe f59592dd 15: f56c7cf1 d6819c6a 5aa53f75 374943a7 16: 1c7d7513 d6819c6a 5aa53f75 374943a7 17: 1c7d7513 d6819c6a 5aa53f75 7bd57a3a 31: 13707036 a2205f1f 1c31c384 ae7813db 32: df63eaa1 a2205f1f 1c31c384 ae7813db 33: df63eaa1 a2205f1f 1c31c384 c3689f5b 47: 3f55edfd ca7d2dbd 68d84ea2 22a31f54 48: 93aa2577 ca7d2dbd 68d84ea2 22a31f54 49: 93aa2577 ca7d2dbd 68d84ea2 1688dc85 63: 7246fad3 14e45506 ff4ea3eb 6e10a476 99: d98c1dd4 4b2008f 980980e9 7e42f8ec */ nettle-3.10/testsuite/md5-compat-test.c0000644000175000017500000000265414633602172017107 0ustar nissenisse#include "testutils.h" #include "md5-compat.h" void test_main(void) { MD5_CTX ctx; unsigned char digest[MD5_DIGEST_SIZE]; MD5Init(&ctx); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("D41D8CD98F00B204 E9800998ECF8427E"))); MD5Init(&ctx); MD5Update(&ctx, US("a"), 1); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("0CC175B9C0F1B6A8 31C399E269772661"))); MD5Init(&ctx); MD5Update(&ctx, US("abc"), 3); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("900150983cd24fb0 D6963F7D28E17F72"))); MD5Init(&ctx); MD5Update(&ctx, US("message digest"), 14); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("F96B697D7CB7938D 525A2F31AAF161D0"))); MD5Init(&ctx); MD5Update(&ctx, US("abcdefghijklmnopqrstuvwxyz"), 26); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("C3FCD3D76192E400 7DFB496CCA67E13B"))); MD5Init(&ctx); MD5Update(&ctx, US("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"), 62); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("D174AB98D277D9F5 A5611C2C9F419D9F"))); MD5Init(&ctx); MD5Update(&ctx, US("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), 80); MD5Final(digest, &ctx); ASSERT(MEMEQ(MD5_DIGEST_SIZE, digest, H("57EDF4A22BE3C955 AC49DA2E2107B67A"))); } nettle-3.10/testsuite/pss-mgf1-test.c0000644000175000017500000000247414633602172016576 0ustar nissenisse#include "testutils.h" #include "pss-mgf1.h" void test_main(void) { struct sha1_ctx sha1ctx; struct sha256_ctx sha256ctx; const struct tstring *seed, *expected; uint8_t mask[120]; /* From ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1d2-vec.zip */ seed = SHEX("df1a896f9d8bc816d97cd7a2c43bad54" "6fbe8cfe"); expected = SHEX("66e4672e836ad121ba244bed6576b867d9a447c28a6e66a5b87dee" "7fbc7e65af5057f86fae8984d9ba7f969ad6fe02a4d75f7445fefd" "d85b6d3a477c28d24ba1e3756f792dd1dce8ca94440ecb5279ecd3" "183a311fc89739a96643136e8b0f465e87a4535cd4c59b10028d"); sha1_init(&sha1ctx); sha1_update(&sha1ctx, seed->length, seed->data); pss_mgf1(&sha1ctx, &nettle_sha1, expected->length, mask); ASSERT(MEMEQ (expected->length, mask, expected->data)); /* Test with our own data. */ seed = SDATA("abc"); expected = SHEX("cf2db1ac9867debdf8ce91f99f141e5544bf26ca36b3fd4f8e4035" "eec42cab0d46c386ebccef82ba0bb0b095aaa5548b03cdff695187" "1c6fb505af68af688332f885d324a47d2145a3d8392c37978d7dc9" "84c95728950c4cf3de6becc59e60ea506951bd40e6de3863095064" "3ab2edbb47dc66cb54beb2d1"); sha256_init(&sha256ctx); sha256_update(&sha256ctx, seed->length, seed->data); pss_mgf1(&sha256ctx, &nettle_sha256, expected->length, mask); ASSERT(MEMEQ (expected->length, mask, expected->data)); } nettle-3.10/testsuite/pkcs1-test.c0000644000175000017500000000056614633602172016162 0ustar nissenisse#include "testutils.h" #include "pkcs1.h" #include "hogweed-internal.h" void test_main(void) { uint8_t buffer[16]; uint8_t expected[16] = { 0, 1, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0, 'a', 'b', 'c' }; _pkcs1_signature_prefix(sizeof(buffer), buffer, LDATA("abc"), 0); ASSERT(MEMEQ(sizeof(buffer), buffer, expected)); } nettle-3.10/testsuite/sc-curve448-dh-test0000755000175000017500000000013714633602172017275 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./curve448-dh-test nettle-3.10/testsuite/meta-cipher-test.c0000644000175000017500000000174614633602172017340 0ustar nissenisse#include "testutils.h" #include "nettle-meta.h" #include "nettle-internal.h" const char* ciphers[] = { "aes128", "aes192", "aes256", "arctwo40", "arctwo64", "arctwo128", "arctwo_gutmann128", "camellia128", "camellia192", "camellia256", "cast128", "serpent128", "serpent192", "serpent256", "twofish128", "twofish192", "twofish256", "sm4" }; void test_main(void) { int i,j; int count = sizeof(ciphers)/sizeof(*ciphers); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_ciphers[j]; j++) { if (0 == strcmp(ciphers[i], nettle_ciphers[j]->name)) break; } ASSERT(NULL != nettle_ciphers[j]); /* make sure we found a matching cipher */ } j = 0; for (j = 0; NULL != nettle_ciphers[j]; j++) { ASSERT(nettle_ciphers[j]->block_size <= NETTLE_MAX_CIPHER_BLOCK_SIZE); ASSERT(nettle_ciphers[j]->key_size <= NETTLE_MAX_CIPHER_KEY_SIZE); } ASSERT(j == count); /* we are not missing testing any ciphers */ } nettle-3.10/testsuite/sha256-test.c0000644000175000017500000002015214633602172016142 0ustar nissenisse#include "testutils.h" #include "nettle-write.h" #include "sha2.h" /* Test compression only. */ static void test_sha256_compress(const struct tstring *input, const struct tstring *expected) { size_t split; ASSERT (input->length % SHA256_BLOCK_SIZE == 0); ASSERT (expected->length == SHA256_DIGEST_SIZE); for (split = 0; split <= input->length; split += SHA256_BLOCK_SIZE) { struct sha256_ctx ctx; uint8_t digest[SHA256_DIGEST_SIZE]; sha256_init (&ctx); sha256_update (&ctx, split, input->data); sha256_update (&ctx, input->length - split, input->data + split); _nettle_write_be32 (SHA256_DIGEST_SIZE, digest, ctx.state); if (!MEMEQ (SHA256_DIGEST_SIZE, digest, expected->data)) { fprintf (stderr, "sha256_compress failed: length %u, split %u\nInput:", (unsigned) input->length, (unsigned) split); tstring_print_hex (input); fprintf (stderr, "\nOutput: "); print_hex (SHA256_DIGEST_SIZE, digest); fprintf(stdout, "\nExpected:\n"); tstring_print_hex (expected); fprintf (stderr, "\n"); abort (); } } } void test_main(void) { /* Initial state */ test_sha256_compress (SDATA(""), SHEX("6a09e667 bb67ae85 3c6ef372 a54ff53a" "510e527f 9b05688c 1f83d9ab 5be0cd19")); /* Single block compressed */ test_sha256_compress (SDATA("0123456789abcdefghijklmnopqrstuv" "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZZY"), SHEX("932558b453a68273 4daf0008efb6b5e5" "32808baaf92bc749 2ac377107618ac67")); /* Two blocks compressed */ test_sha256_compress (SDATA("0123456789abcdefghijklmnopqrstuv" "wxyzABCDEFGHIJKLMNOPQRSTUVWXYZZY" "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345" "6789abcdefghijklmnopqrstuvwxyzzy"), SHEX("d82038b1732bbe97 94b879b41f98e9fc" "2777fd8ab76737f5 60919c4fe1366c8e")); /* From FIPS180-2 */ test_hash(&nettle_sha256, SDATA("abc"), SHEX("ba7816bf8f01cfea 414140de5dae2223" "b00361a396177a9c b410ff61f20015ad")); test_hash(&nettle_sha256, SDATA("abcdbcdecdefdefgefghfghighij" "hijkijkljklmklmnlmnomnopnopq"), SHEX("248d6a61d20638b8 e5c026930c3e6039" "a33ce45964ff2167 f6ecedd419db06c1")); test_hash(&nettle_sha256, SDATA("abcdefghbcdefghicdefghijdefg" "hijkefghijklfghijklmghijklmn" "hijklmnoijklmnopjklmnopqklmn" "opqrlmnopqrsmnopqrstnopqrstu"), SHEX("cf5b16a778af8380 036ce59e7b049237" "0b249b11e8f07a51 afac45037afee9d1")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha256, SDATA(""), SHEX("e3b0c44298fc1c14 9afbf4c8996fb924" "27ae41e4649b934c a495991b7852b855")); test_hash(&nettle_sha256, SDATA("a"), SHEX("ca978112ca1bbdca fac231b39a23dc4d" "a786eff8147c4e72 b9807785afee48bb")); test_hash(&nettle_sha256, SDATA("38"), SHEX("aea92132c4cbeb26 3e6ac2bf6c183b5d" "81737f179f21efdc 5863739672f0f470")); test_hash(&nettle_sha256, SDATA("message digest"), SHEX("f7846f55cf23e14e ebeab5b4e1550cad" "5b509e3348fbc4ef a3a1413d393cb650")); test_hash(&nettle_sha256, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("71c480df93d6ae2f 1efad1447c66c952" "5e316218cf51fc8d 9ed832f2daf18b73")); test_hash(&nettle_sha256, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("db4bfcbd4da0cd85 a60c3c37d3fbd880" "5c77f15fc6b1fdfe 614ee0a7c8fdb4c0")); test_hash(&nettle_sha256, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("f371bc4a311f2b00 9eef952dd83ca80e" "2b60026c8e935592 d0f9c308453c813e")); } /* These are intermediate values for the single sha1_compress call that results from the first testcase, SHA256("abc"). Each row are the values for A, B, C, D, E, F, G, H after the i:th round. The row i = -1 gives the initial values, and i = 99 gives the output values. -1: 6a09e667 bb67ae85 3c6ef372 a54ff53a 510e527f 9b05688c 1f83d9ab 5be0cd19 0: 6a09e667 bb67ae85 3c6ef372 fa2a4622 510e527f 9b05688c 1f83d9ab 5d6aebcd 1: 6a09e667 bb67ae85 78ce7989 fa2a4622 510e527f 9b05688c 5a6ad9ad 5d6aebcd 6: 24e00850 e5030380 2b4209f5 4409a6a d550f666 9b27a401 714260ad 43ada245 7: 85a07b5f e5030380 2b4209f5 4409a6a c657a79 9b27a401 714260ad 43ada245 8: 85a07b5f e5030380 2b4209f5 32ca2d8c c657a79 9b27a401 714260ad 8e04ecb9 9: 85a07b5f e5030380 1cc92596 32ca2d8c c657a79 9b27a401 8c87346b 8e04ecb9 14: 816fd6e9 c0645fde d932eb16 87912990 f71fc5a9 b92f20c 745a48de 1e578218 15: b0fa238e c0645fde d932eb16 87912990 7590dcd b92f20c 745a48de 1e578218 16: b0fa238e c0645fde d932eb16 8034229c 7590dcd b92f20c 745a48de 21da9a9b 17: b0fa238e c0645fde 846ee454 8034229c 7590dcd b92f20c c2fbd9d1 21da9a9b 18: b0fa238e cc899961 846ee454 8034229c 7590dcd fe777bbf c2fbd9d1 21da9a9b 19: b0638179 cc899961 846ee454 8034229c e1f20c33 fe777bbf c2fbd9d1 21da9a9b 20: b0638179 cc899961 846ee454 9dc68b63 e1f20c33 fe777bbf c2fbd9d1 8ada8930 21: b0638179 cc899961 c2606d6d 9dc68b63 e1f20c33 fe777bbf e1257970 8ada8930 22: b0638179 a7a3623f c2606d6d 9dc68b63 e1f20c33 49f5114a e1257970 8ada8930 23: c5d53d8d a7a3623f c2606d6d 9dc68b63 aa47c347 49f5114a e1257970 8ada8930 24: c5d53d8d a7a3623f c2606d6d 2823ef91 aa47c347 49f5114a e1257970 1c2c2838 25: c5d53d8d a7a3623f 14383d8e 2823ef91 aa47c347 49f5114a cde8037d 1c2c2838 26: c5d53d8d c74c6516 14383d8e 2823ef91 aa47c347 b62ec4bc cde8037d 1c2c2838 27: edffbff8 c74c6516 14383d8e 2823ef91 77d37528 b62ec4bc cde8037d 1c2c2838 28: edffbff8 c74c6516 14383d8e 363482c9 77d37528 b62ec4bc cde8037d 6112a3b7 29: edffbff8 c74c6516 a0060b30 363482c9 77d37528 b62ec4bc ade79437 6112a3b7 30: edffbff8 ea992a22 a0060b30 363482c9 77d37528 109ab3a ade79437 6112a3b7 31: 73b33bf5 ea992a22 a0060b30 363482c9 ba591112 109ab3a ade79437 6112a3b7 32: 73b33bf5 ea992a22 a0060b30 9cd9f5f6 ba591112 109ab3a ade79437 98e12507 33: 73b33bf5 ea992a22 59249dd3 9cd9f5f6 ba591112 109ab3a fe604df5 98e12507 34: 73b33bf5 85f3833 59249dd3 9cd9f5f6 ba591112 a9a7738c fe604df5 98e12507 35: f4b002d6 85f3833 59249dd3 9cd9f5f6 65a0cfe4 a9a7738c fe604df5 98e12507 36: f4b002d6 85f3833 59249dd3 41a65cb1 65a0cfe4 a9a7738c fe604df5 772a26b 37: f4b002d6 85f3833 34df1604 41a65cb1 65a0cfe4 a9a7738c a507a53d 772a26b 38: f4b002d6 6dc57a8a 34df1604 41a65cb1 65a0cfe4 f0781bc8 a507a53d 772a26b 39: 79ea687a 6dc57a8a 34df1604 41a65cb1 1efbc0a0 f0781bc8 a507a53d 772a26b 40: 79ea687a 6dc57a8a 34df1604 26352d63 1efbc0a0 f0781bc8 a507a53d d6670766 41: 79ea687a 6dc57a8a 838b2711 26352d63 1efbc0a0 f0781bc8 df46652f d6670766 42: 79ea687a decd4715 838b2711 26352d63 1efbc0a0 17aa0dfe df46652f d6670766 43: fda24c2e decd4715 838b2711 26352d63 9d4baf93 17aa0dfe df46652f d6670766 44: fda24c2e decd4715 838b2711 26628815 9d4baf93 17aa0dfe df46652f a80f11f0 45: fda24c2e decd4715 72ab4b91 26628815 9d4baf93 17aa0dfe b7755da1 a80f11f0 46: fda24c2e a14c14b0 72ab4b91 26628815 9d4baf93 d57b94a9 b7755da1 a80f11f0 47: 4172328d a14c14b0 72ab4b91 26628815 fecf0bc6 d57b94a9 b7755da1 a80f11f0 48: 4172328d a14c14b0 72ab4b91 bd714038 fecf0bc6 d57b94a9 b7755da1 5757ceb 49: 4172328d a14c14b0 6e5c390c bd714038 fecf0bc6 d57b94a9 f11bfaa8 5757ceb 50: 4172328d 52f1ccf7 6e5c390c bd714038 fecf0bc6 7a0508a1 f11bfaa8 5757ceb 51: 49231c1e 52f1ccf7 6e5c390c bd714038 886e7a22 7a0508a1 f11bfaa8 5757ceb 52: 49231c1e 52f1ccf7 6e5c390c 101fd28f 886e7a22 7a0508a1 f11bfaa8 529e7d00 53: 49231c1e 52f1ccf7 f5702fdb 101fd28f 886e7a22 7a0508a1 9f4787c3 529e7d00 54: 49231c1e 3ec45cdb f5702fdb 101fd28f 886e7a22 e50e1b4f 9f4787c3 529e7d00 55: 38cc9913 3ec45cdb f5702fdb 101fd28f 54cb266b e50e1b4f 9f4787c3 529e7d00 56: 38cc9913 3ec45cdb f5702fdb 9b5e906c 54cb266b e50e1b4f 9f4787c3 fcd1887b 57: 38cc9913 3ec45cdb 7e44008e 9b5e906c 54cb266b e50e1b4f c062d46f fcd1887b 58: 38cc9913 6d83bfc6 7e44008e 9b5e906c 54cb266b ffb70472 c062d46f fcd1887b 59: b21bad3d 6d83bfc6 7e44008e 9b5e906c b6ae8fff ffb70472 c062d46f fcd1887b 60: b21bad3d 6d83bfc6 7e44008e b85e2ce9 b6ae8fff ffb70472 c062d46f 961f4894 61: b21bad3d 6d83bfc6 4d24d6c b85e2ce9 b6ae8fff ffb70472 948d25b6 961f4894 62: b21bad3d d39a2165 4d24d6c b85e2ce9 b6ae8fff fb121210 948d25b6 961f4894 63: 506e3058 d39a2165 4d24d6c b85e2ce9 5ef50f24 fb121210 948d25b6 961f4894 99: ba7816bf 8f01cfea 414140de 5dae2223 b00361a3 96177a9c b410ff61 f20015ad */ nettle-3.10/testsuite/chacha-test.c0000644000175000017500000006446114633602172016354 0ustar nissenisse/* chacha-test.c Test program for the ChaCha stream cipher implementation. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "chacha.h" #include "chacha-internal.h" static int memzero_p (const uint8_t *p, size_t n) { size_t i; for (i = 0; i < n; i++) if (p[i]) return 0; return 1; } /* Test with simple structure of the salsa20 input, to aid debugging. */ static void test_chacha_core(void) { const uint32_t input[16] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, /* Second block will have carry from first counter word propagate to next word. */ 0xffffffff, 13, 14, 15, }; const struct tstring *expected = SHEX("32f216b0eddeee3b bade2bf5a4c0b3b3" "0aab2d67b09b2a63 6127fc965d831b2c" "ddc9e25ca7841f3e 938e3566a7702a0b" "7f80559e639ef6da 6d39627abc7da6b1" "0090a54241e68b6b d870f3b60adcaf89" "09d3c7b8a8c76aa3 941d726c649636db" "d6c3f0490fd38a46 070b77a757972126" "6323aa95eef9d68c 7eac86e913caa80c" "17dd18ae19b0b72e 0ef6e66a58c0791e" "e574e44162c99484 68085365916e0fee" "e3d0a5d3d2b93b4a ff245cb557af3ead" "2395f5cc7a00e25a 4f69a17969360781"); const struct tstring *expected_32 /* For 32-bit counter */ = SHEX("32f216b0eddeee3b bade2bf5a4c0b3b3" "0aab2d67b09b2a63 6127fc965d831b2c" "ddc9e25ca7841f3e 938e3566a7702a0b" "7f80559e639ef6da 6d39627abc7da6b1" "ea56196ace461eeb f898ade2f51c425f" "ff0452d728f13505 e23a1d017b40becd" "6482114a4586f48a 85c5cb9f92333de6" "9c248f2a809275fa 4786d5d6854fd7d7" "77dd6b03073f9dbf 294eabd6affa3104" "fccb19c3182a330c af2fdf0c43ebfa52" "7f845ffc0a897bea 2cf27a3dfc6f31af" "7db66563de442b71 f6d51f96930587ef"); struct chacha_ctx ctx; uint8_t output[192]; ASSERT (expected->length == 192); ASSERT (expected_32->length == 192); /* Three blocks, to exercises _chacha_3core, if available. */ memcpy (&ctx, input, sizeof(ctx)); chacha_crypt (&ctx, 192, output, expected->data); if (!memzero_p (output, 192)) { fprintf(stderr, "chacha_crypt failed:\n"); fprintf(stderr, "\nOutput: "); print_hex(192, output); fprintf(stderr, "\n"); FAIL(); } memcpy (&ctx, input, sizeof(ctx)); chacha_crypt32 (&ctx, 192, output, expected_32->data); if (!memzero_p (output, 192)) { fprintf(stderr, "chacha_crypt32 failed:\n"); fprintf(stderr, "\nOutput: "); print_hex(192, output); fprintf(stderr, "\n"); FAIL(); } } /* For tests with non-standard number of rounds, calling _nettle_chacha_core directly. */ static void test_chacha_rounds(const struct tstring *key, const struct tstring *nonce, const struct tstring *expected, unsigned rounds) { struct chacha_ctx ctx; uint32_t out[_CHACHA_STATE_LENGTH]; ASSERT (expected->length == CHACHA_BLOCK_SIZE); ASSERT (key->length == CHACHA_KEY_SIZE); chacha_set_key (&ctx, key->data); ASSERT (nonce->length == CHACHA_NONCE_SIZE); chacha_set_nonce(&ctx, nonce->data); _nettle_chacha_core (out, ctx.state, rounds); if (!MEMEQ(CHACHA_BLOCK_SIZE, out, expected->data)) { printf("Error, expected:\n"); tstring_print_hex (expected); printf("Got:\n"); print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); FAIL (); } if (verbose) { printf("Result after encryption:\n"); print_hex(CHACHA_BLOCK_SIZE, (uint8_t *) out); } } static void _test_chacha(const struct tstring *key, const struct tstring *nonce, const struct tstring *expected, const struct tstring *counter) { struct chacha_ctx ctx; nettle_set_key_func *set_nonce; nettle_set_key_func *set_counter; nettle_crypt_func *crypt; uint8_t *data = xalloc (expected->length + 2); size_t length; data++; ASSERT (key->length == CHACHA_KEY_SIZE); chacha_set_key (&ctx, key->data); switch (nonce->length) { case CHACHA_NONCE_SIZE: set_nonce = (nettle_set_key_func *) chacha_set_nonce; set_counter = (nettle_set_key_func *) chacha_set_counter; crypt = (nettle_crypt_func *) chacha_crypt; if (counter) ASSERT (counter->length == CHACHA_COUNTER_SIZE); break; case CHACHA_NONCE96_SIZE: set_nonce = (nettle_set_key_func *) chacha_set_nonce96; set_counter = (nettle_set_key_func *) chacha_set_counter32; crypt = (nettle_crypt_func *) chacha_crypt32; if (counter) ASSERT (counter->length == CHACHA_COUNTER32_SIZE); break; default: die ("Bad nonce size %u.\n", (unsigned) nonce->length); } for (length = 1; length <= expected->length; length++) { size_t offset; data[-1] = 17; memset (data, 0, length); data[length] = 17; set_nonce (&ctx, nonce->data); if (counter) set_counter (&ctx, counter->data); crypt (&ctx, length, data, data); ASSERT (data[-1] == 17); ASSERT (data[length] == 17); if (!MEMEQ(length, data, expected->data)) { printf("Error, length %u, expected:\n", (unsigned) length); print_hex (length, expected->data); printf("Got:\n"); print_hex(length, data); FAIL (); } /* Round up to next block boundary. */ offset = (length + CHACHA_BLOCK_SIZE - 1) & -CHACHA_BLOCK_SIZE; if (offset < expected->length) { memset(data, 0, expected->length - offset); data[expected->length - offset] = 17; crypt (&ctx, expected->length - offset, data, data); if (!MEMEQ(expected->length - offset, data, expected->data + offset)) { printf("Error, length %u, offset %u, remaining %u, expected:\n", (unsigned) length, (unsigned) offset, (unsigned) (expected->length - offset)); print_hex (expected->length - offset, expected->data + offset); printf("Got:\n"); print_hex(expected->length - offset, data); FAIL (); } } } if (verbose) { printf("Result after encryption:\n"); print_hex(expected->length, data); } free (data - 1); } static void test_chacha(const struct tstring *key, const struct tstring *nonce, const struct tstring *expected) { _test_chacha(key, nonce, expected, NULL); } static void test_chacha_with_counter(const struct tstring *key, const struct tstring *nonce, const struct tstring *expected, const struct tstring *counter) { _test_chacha(key, nonce, expected, counter); } void test_main(void) { test_chacha_core(); /* Test vectors from draft-strombergson-chacha-test-vectors */ test_chacha_rounds (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("3e00ef2f895f40d6 7f5bb8e81f09a5a1" "2c840ec3ce9a7f3b 181be188ef711a1e" "984ce172b9216f41 9f445367456d5619" "314a42a3da86b001 387bfdb80e0cfe42" /* "d2aefa0deaa5c151 bf0adb6c01f2a5ad" "c0fd581259f9a2aa dcf20f8fd566a26b" "5032ec38bbc5da98 ee0c6f568b872a65" "a08abf251deb21bb 4b56e5d8821e68aa" */), 8); test_chacha_rounds (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("9bf49a6a0755f953 811fce125f2683d5" "0429c3bb49e07414 7e0089a52eae155f" "0564f879d27ae3c0 2ce82834acfa8c79" "3a629f2ca0de6919 610be82f411326be" /* "0bd58841203e74fe 86fc71338ce0173d" "c628ebb719bdcbcc 151585214cc089b4" "42258dcda14cf111 c602b8971b8cc843" "e91e46ca905151c0 2744a6b017e69316" */), 12); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("76b8e0ada0f13d90 405d6ae55386bd28" "bdd219b8a08ded1a a836efcc8b770dc7" "da41597c5157488d 7724e03fb8d84a37" "6a43b8f41518a11c c387b669b2ee6586" "9f07e7be5551387a 98ba977c732d080d" "cb0f29a048e36569 12c6533e32ee7aed" "29b721769ce64e43 d57133b074d839d5" "31ed1f28510afb45 ace10a1f4b794d6f")); /* TC2: Single bit in key set. All zero IV */ test_chacha_rounds (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("cf5ee9a0494aa961 3e05d5ed725b804b" "12f4a465ee635acc 3a311de8740489ea" "289d04f43c7518db 56eb4433e498a123" "8cd8464d3763ddbb 9222ee3bd8fae3c8"), 8); test_chacha_rounds (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("12056e595d56b0f6 eef090f0cd25a209" "49248c2790525d0f 930218ff0b4ddd10" "a6002239d9a454e2 9e107a7d06fefdfe" "f0210feba044f9f2 9b1772c960dc29c0"), 12); test_chacha (SHEX("0100000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("c5d30a7ce1ec1193 78c84f487d775a85" "42f13ece238a9455 e8229e888de85bbd" "29eb63d0a17a5b99 9b52da22be4023eb" "07620a54f6fa6ad8 737b71eb0464dac0" "10f656e6d1fd5505 3e50c4875c9930a3" "3f6d0263bd14dfd6 ab8c70521c19338b" "2308b95cf8d0bb7d 202d2102780ea352" "8f1cb48560f76b20 f382b942500fceac")); /* TC3: Single bit in IV set. All zero key */ test_chacha_rounds (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("2b8f4bb3798306ca 5130d47c4f8d4ed1" "3aa0edccc1be6942 090faeeca0d7599b" "7ff0fe616bb25aa0 153ad6fdc88b9549" "03c22426d478b97b 22b8f9b1db00cf06"), 8); test_chacha_rounds (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("64b8bdf87b828c4b 6dbaf7ef698de03d" "f8b33f635714418f 9836ade59be12969" "46c953a0f38ecffc 9ecb98e81d5d99a5" "edfc8f9a0a45b9e4 1ef3b31f028f1d0f"), 12); test_chacha (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0100000000000000"), SHEX("ef3fdfd6c61578fb f5cf35bd3dd33b80" "09631634d21e42ac 33960bd138e50d32" "111e4caf237ee53c a8ad6426194a8854" "5ddc497a0b466e7d 6bbdb0041b2f586b" "5305e5e44aff19b2 35936144675efbe4" "409eb7e8e5f1430f 5f5836aeb49bb532" "8b017c4b9dc11f8a 03863fa803dc71d5" "726b2b6b31aa3270 8afe5af1d6b69058")); /* TC4: All bits in key and IV are set. */ test_chacha_rounds (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("e163bbf8c9a739d1 8925ee8362dad2cd" "c973df05225afb2a a26396f2a9849a4a" "445e0547d31c1623 c537df4ba85c70a9" "884a35bcbf3dfab0 77e98b0f68135f54"), 8); test_chacha_rounds (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("04bf88dae8e47a22 8fa47b7e6379434b" "a664a7d28f4dab84 e5f8b464add20c3a" "caa69c5ab221a23a 57eb5f345c96f4d1" "322d0a2ff7a9cd43 401cd536639a615a"), 12); test_chacha (SHEX("ffffffffffffffff ffffffffffffffff" "ffffffffffffffff ffffffffffffffff"), SHEX("ffffffffffffffff"), SHEX("d9bf3f6bce6ed0b5 4254557767fb5744" "3dd4778911b60605 5c39cc25e674b836" "3feabc57fde54f79 0c52c8ae43240b79" "d49042b777bfd6cb 80e931270b7f50eb" "5bac2acd86a836c5 dc98c116c1217ec3" "1d3a63a9451319f0 97f3b4d6dab07787" "19477d24d24b403a 12241d7cca064f79" "0f1d51ccaff6b166 7d4bbca1958c4306")); /* TC5: Every even bit set in key and IV. */ test_chacha_rounds (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("7cb78214e4d3465b 6dc62cf7a1538c88" "996952b4fb72cb61 05f1243ce3442e29" "75a59ebcd2b2a598 290d7538491fe65b" "dbfefd060d887981 20a70d049dc2677d"), 8); test_chacha_rounds (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("a600f07727ff93f3 da00dd74cc3e8bfb" "5ca7302f6a0a2944 953de00450eecd40" "b860f66049f2eaed 63b2ef39cc310d2c" "488f5d9a241b615d c0ab70f921b91b95"), 12); test_chacha (SHEX("5555555555555555 5555555555555555" "5555555555555555 5555555555555555"), SHEX("5555555555555555"), SHEX("bea9411aa453c543 4a5ae8c92862f564" "396855a9ea6e22d6 d3b50ae1b3663311" "a4a3606c671d605c e16c3aece8e61ea1" "45c59775017bee2f a6f88afc758069f7" "e0b8f676e644216f 4d2a3422d7fa36c6" "c4931aca950e9da4 2788e6d0b6d1cd83" "8ef652e97b145b14 871eae6c6804c700" "4db5ac2fce4c68c7 26d004b10fcaba86")); /* TC6: Every odd bit set in key and IV. */ test_chacha_rounds (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("40f9ab86c8f9a1a0 cdc05a75e5531b61" "2d71ef7f0cf9e387 df6ed6972f0aae21" "311aa581f816c90e 8a99de990b6b95aa" "c92450f4e1127126 67b804c99e9c6eda"), 8); test_chacha_rounds (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("856505b01d3b47aa e03d6a97aa0f033a" "9adcc94377babd86 08864fb3f625b6e3" "14f086158f9f725d 811eeb953b7f7470" "76e4c3f639fa841f ad6c9a709e621397"), 12); test_chacha (SHEX("aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaa"), SHEX("aaaaaaaaaaaaaaaa"), SHEX("9aa2a9f656efde5a a7591c5fed4b35ae" "a2895dec7cb4543b 9e9f21f5e7bcbcf3" "c43c748a970888f8 248393a09d43e0b7" "e164bc4d0b0fb240 a2d72115c4808906" "72184489440545d0 21d97ef6b693dfe5" "b2c132d47e6f041c 9063651f96b623e6" "2a11999a23b6f7c4 61b2153026ad5e86" "6a2e597ed07b8401 dec63a0934c6b2a9")); /* TC7: Sequence patterns in key and IV. */ test_chacha_rounds (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), SHEX("0f1e2d3c4b5a6978"), SHEX("db43ad9d1e842d12 72e4530e276b3f56" "8f8859b3f7cf6d9d 2c74fa53808cb515" "7a8ebf46ad3dcc4b 6c7dadde131784b0" "120e0e22f6d5f9ff a7407d4a21b695d9"), 8); test_chacha_rounds (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), SHEX("0f1e2d3c4b5a6978"), SHEX("7ed12a3a63912ae9 41ba6d4c0d5e862e" "568b0e5589346935 505f064b8c2698db" "f7d850667d8e67be 639f3b4f6a16f92e" "65ea80f6c7429445 da1fc2c1b9365040"), 12); test_chacha (SHEX("0011223344556677 8899aabbccddeeff" "ffeeddccbbaa9988 7766554433221100"), SHEX("0f1e2d3c4b5a6978"), SHEX("9fadf409c00811d0 0431d67efbd88fba" "59218d5d6708b1d6 85863fabbb0e961e" "ea480fd6fb532bfd 494b215101505742" "3ab60a63fe4f55f7 a212e2167ccab931" "fbfd29cf7bc1d279 eddf25dd316bb884" "3d6edee0bd1ef121 d12fa17cbc2c574c" "ccab5e275167b08b d686f8a09df87ec3" "ffb35361b94ebfa1 3fec0e4889d18da5")); /* TC8: hashed string patterns */ test_chacha_rounds (SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), SHEX("1ada31d5cf688221"), SHEX("838751b42d8ddd8a 3d77f48825a2ba75" "2cf4047cb308a597 8ef274973be374c9" "6ad848065871417b 08f034e681fe46a9" "3f7d5c61d1306614 d4aaf257a7cff08b"), 8); test_chacha_rounds (SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), SHEX("1ada31d5cf688221"), SHEX("1482072784bc6d06 b4e73bdc118bc010" "3c7976786ca918e0 6986aa251f7e9cc1" "b2749a0a16ee83b4 242d2e99b08d7c20" "092b80bc466c8728 3b61b1b39d0ffbab"), 12); test_chacha(SHEX("c46ec1b18ce8a878 725a37e780dfb735" "1f68ed2e194c79fb c6aebee1a667975d"), SHEX("1ada31d5cf688221"), SHEX("f63a89b75c2271f9 368816542ba52f06" "ed49241792302b00 b5e8f80ae9a473af" "c25b218f519af0fd d406362e8d69de7f" "54c604a6e00f353f 110f771bdca8ab92" "e5fbc34e60a1d9a9 db17345b0a402736" "853bf910b060bdf1 f897b6290f01d138" "ae2c4c90225ba9ea 14d518f55929dea0" "98ca7a6ccfe61227 053c84e49a4a3332")); /* From draft-irtf-cfrg-chacha20-poly1305-08, with 96-bit nonce. Manually sets the 32-bit counter value to 1. */ test_chacha_with_counter(SHEX("0001020304050607 08090a0b0c0d0e0f" "1011121314151617 18191a1b1c1d1e1f"), SHEX("000000090000004a 00000000"), SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" "c7d1f4c733c06803 0422aa9ac3d46c4e" "d2826446079faa09 14c2d705d98b02a2" "b5129cd1de164eb9 cbd083e8a2503c4e"), SHEX("01000000")); /* This is identical to the above 96-bit nonce test, but it manually sets the 64-bit counter value */ test_chacha_with_counter(SHEX("0001020304050607 08090a0b0c0d0e0f" "1011121314151617 18191a1b1c1d1e1f"), SHEX("0000004a00000000"), SHEX("10f1e7e4d13b5915 500fdd1fa32071c4" "c7d1f4c733c06803 0422aa9ac3d46c4e" "d2826446079faa09 14c2d705d98b02a2" "b5129cd1de164eb9 cbd083e8a2503c4e"), SHEX("0100000000000009")); /* Tests with long message, 16 blocks. */ test_chacha (SHEX("8c34799cd41aaece 303d33eeaac74e6b" "09742e5a6858def1 c1413425719ba204"), SHEX("f9a864f273cc10fe baf531d7"), SHEX("3bed2adca04c96c8 d74e08aff4d5d9e0" "836209a15db7ea25 87c61d61a3472c4f" "b09ec92d020a25fd 183eb31870bf01c2" "9a87c2280ca12718 2af7a0b626ba4906" "51268430b180c7f9 5bb680bacf4a84e7" "dadd67bb6e2aa32d 22fb99ae4dfac283" "acb0f596f75518f9 3227448d63048f1a" "20108699cc0504e5 524e11e71f05d3f9" "b37725c68260448d dd61b690f614571b" "a57a848f6f2b0e10 5c044986d9d2f7ca" "10177a27c5ccbb94 ffefcb87d836b02a" "e6c312ebd5862520 c67d05259326a1d5" "645a6f4cdda94de2 8d5d8069d95263e7" "037c4fbe1322fcb5 cf5ab14237039b76" "f76134345777d647 799f248b7f8c9a94" "713e5678bfdef4f2 7285a34be8800146" "1f9cffbf24228377 d583f34ddb9c6010" "8c035f7e5285953c 74b56e1508531705" "f49398b409d94276 435814ee76232b57" "0b461913fa88381f 238a241afa7042f0" "35e796cb4a058dfc 4098b614464ad230" "9c6e7719d940e26b 8d77472d357230f5" "cb35cfa86bf46324 eafb305ae2d50509" "0e635ebe9e4a090a 41c8e9e931d7bf5f" "22a59d75130c62e3 a4829fc38d07d458" "072956a6282b9a90 f9a491e064dcc689" "28e47fd1c7131e97 6f755027fbf190cf" "977de188faa80a7c 83921745bb14f534" "3cbc9d86d01379f3 d59fa5b454ed8855" "46f34b9e419dfe08 9879cae4b297a3d8" "28367da777756aaa 9de2005e0ad1af6f" "af6daf9c14aedc39 fcbf95863a128816" "93f22a580c96ca98 da6c13166cd17b22" "2c468df637bf2961 e6b7692c6ed3463b" "84a1837108de1ea4 20c0a890c92768b8" "ac6732645a1a609c 28345d5e69f9475c" "21401fe2b7504230 ce4866d09484ffdc" "0bdd08f193993b26 083808e88f109d3b" "753d61a4391b1461 fe3a9bc07e2fee7b" "b37c9997c8f3d081 d6d145fb060da3f2" "28a31a2be1a35c6c 4c6181bac0f1119e" "e87bc230512e0fb4 38040e89e8af7452" "71530ae0e34bca8e 0cfbe5bbad577bea" "bc1c9c673d197185 7033822cd0ea21ed" "ccfdf4788f62c26b bd2718e576db61f5" "4ebef978884c7fe7 b4934918cb89e3a2" "df3b5c664ab9ff09 0c016ba84ebbbd73" "8cf905fc8ca95dee 757a901ea27a33d2" "813f0a17692c5646 6f9690cddb3e15f7" "1020f9321bd45ccb 49c41deb49103a7d" "b8535b705e4d3389 f4495ee49f96dc5d" "c7eab39129652078 8b3876576f5dadb0" "a674bdad75a9f581 d48fbc2e6de734f0" "73f78ed77b041a09 760ef6eb754cc60e" "8fabd6e1b3ce02bb b302f8a73be42ddf" "1dae4d8b251320d2 184adaf92eb76b12" "37d169621de761fb cb6942a7b9972cca" "9d35d58b2779523b ad584c27bb991acd" "a0be4174dcd85ffe fe16abf2235829c5" "0ac49897e2b2a7ef b1c5c07e80d7fce1" "c4f5596231ad3436 0c75cd60b5088281" "83c74ffc805177f7 c687454582a3cbc3" "79180c9a90680eda 68499e0ee435c7c6" "e028d305299b43dd eb68c387ae694a53")); test_chacha (SHEX("8c34799cd41aaece 303d33eeaac74e6b" "09742e5a6858def1 c1413425719ba204"), SHEX("f9a864f273cc10fe"), SHEX("bd11678b8300a275 60dadbde311b1660" "edf6ec14eff4b553 418c7a99c8a0512b" "f79cfbf853f0df4f daa806dd6ac12aea" "bc92f8d4964f4d86 e12934589e46b6f3" "cb00ac786355852a f066f1ca2485f7bb" "232096e5a6042498 149600c6d438598a" "8b89bf6b3adcbbd8 010e91148c01c06d" "4f5b651333f32292 0e149f6fe2dcc8a4" "98744655d32732f8 69a88b5cf80761a8" "218888d5ba5788c8 7eef9340e2f03b0c" "b1caf7cfe0d9cde6 434d615a7f1c603e" "1302e311cadb7c69 95ca53981ae58aac" "40718e7dc61eabe3 35c253988217fc10" "1a1633b9bce6fbc9 b9fd9c9a2ab319a5" "9ba134ef7505e64c c35cccbb320bec09" "4dc950849b49d86d 572f795c1a24dbe3" "2d51e61a7291375a 85b150f0530f53c1" "3c987c0beedb2107 49c847c774523858" "dbeb997609cf89ad cf7433e668a460bc" "52cfa00951daac95 e5edc8baf32a867e" "81c3d7de7f34ea28 f74339985f2643cc" "9b5d30d76872d20e fb18d914a58f0083" "d5d322f5cdd5a3dd 63148988bb79e97a" "1e8a9595e1f4cccd 8910a043f1b07cd1" "bcb8e7c4c8018de9 8ff65b2787304751" "333b94ae56dbbb36 4e9ed750dc77d9ce" "c9c5a440663b78a6 0dba2ac3b5e7fcf1" "c1f14cd1a9794c49 ff082df137a4a35d" "bee8409979b49275 3a4a32825b6c9903" "28440e2c7d2c2cae 4bdd5769dc0cc31f" "4bd5b8d090ec6cbe d743b44bf62531c5" "f12e1bbb68cca686 36953a259c9d4b9b" "c1ec206c8a506f49 9a13a2e60c026f53" "61bd34428f9d6fa7 207c63589d1efd5f" "161cc957275a7f00 992c7e1dfda6f913" "9d35ae670cff55da 1dba6a2f13424b3f" "61c68580885eba6a f2aecb29d138b209" "1c7227902aceddfb d4761f7cbae75d89" "aaca5808a4704410 448a6eb13cf4b4f6" "cd7c37341ae80b23 6affef543aef78aa" "15a4581380cb19b8 e684ddd3efaea4e6" "bb88c07aa9325398 cb67e241a59732d0" "dfe999532b53d255 fb34a937aa55ae4d" "02b7850831b7b669 1e4ee269c5d38a9d" "80133265072ab3f3 af627298a265d7c0" "1fe95f895b08d4c8 7dd4f6f7a6ce1393" "de4225fedd1bf3c1 fe76a171f99d5e3f" "975e31ca21d58fa6 daf580dcb46379a6" "8a6a65e72b4df392 d3f94697f352286e" "0f00ce97f2656011 4ccf17bdcedc9589" "a9c8041e9f3daf9c f5c222d6ddbd2cfc" "b26065a9f85592d5 e6f85a46e0e9fd79" "f25197451c8d18d3 ed15cac7ba27870f" "8f0cbe7c17409a4e 66e95adde633d2d6" "270e0d17ca774efa 1ce9908e03baf208" "cfee33add11dcd9e 032db6fbb7b209a6" "30ac76c88e695413 a3c75d885a2fe9c4" "50236bf7a59110d5 62c77bc046afeb0d" "a8210a75a79e6732 9e49a225bee17b84" "bf24bdd32f77fdf4 05fd06955b0802d9" "7a4f115b8b052184 1a80620b2d66e572" "41d137cbcb2131c5 c8cbabe8a1b0ca25" "d760f988e68843ef ddc7449daf2b18ce" "5825cc4f79aaf7ac 659c77a1ad294b51")); /* From https://github.com/weidai11/cryptopp/blob/master/TestVectors/chacha.txt */ test_chacha_with_counter (SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), SHEX("0000000000000000"), SHEX("032CC123482C3171 1F94C941AF5AB1F4" "155784332ED5348F E79AEC5EAD4C06C3" "F13C280D8CC49925 E4A6A5922EC80E13" "A4CDFA840C70A142 7A3CB699166991A5" "ACE4CD09E294D191 2D4AD205D06F95D9" "C2F2BFCF453E8753 F128765B62215F4D" "92C74F2F626C6A64 0C0B1284D839EC81" "F1696281DAFC3E68 4593937023B58B1D" "3DB41D3AA0D32928 5DE6F225E6E24BD5" "9C9A17006943D5C9 B680E3873BDC683A" "5819469899989690 C281CD17C96159AF" "0682B5B903468A61 F50228CF09622B5A" "46F0F6EFEE15C8F1 B198CB49D92B9908" "67905159440CC723 916DC00128269810" "39CE1766AA2542B0 5DB3BD809AB14248" "9D5DBFE1273E7399 637B4B3213768AAA" "89B1889375E99FE2 442C4F68ADF54158" "F4B8135713D00999 B92B38E3AAFE5FF4" "959B1834BE3DC54F C36AA9D32EB121E0" "F688B90E7C7E2649 F4AAEF407BDD2B94" "09EFEC03114CB5D4 FFD1788E0FE1897B" "D176C1311E368368 C657A5EE55C9CA03" "CC71744F030822D5 3A0486A97B9D9824" "0274FADEAF262BD8 1B58BCE3DFA98414" "C24B5BC517FD9199 3A6B2E6232B05021" "25C6F48A6921E2DD A8EB6B3C4ECF2AAE" "889602AD90B5D253 7FF45DF525C67B98" "3B51DBD23E1280AA 656EAE85B63CC42D" "E8C70E7C19C1D66E 3F902BEA9D1ACFD3" "326B5985AD7C8CAB D431ACBC62976CE5" "23C938EA447D4AF0 F560DC52B0AB1D7D" "66A42AB8272E2C40 BD66470FE6F68846" "12A11D899A0B7EB5 4907BBEDD6483EFC" "ED1F15621D4673FF 928C5AAB5F465257" "123679EF17C39648 C537E150108E0F66" "08732E9F5B240689 EEB5402FA04CCB89" "B7CA9649A361C526 B41ED110402D9497" "715B03441118BC49 53FCBEF395267570" "BD43EC0EEF7B6167 F14FED205EB81290" "7D0C134DC49FA5B1 8F5A3A3A9BD0A71B" "2FFE445EE4FABEB4 054CC922BA360E45" "89B681F01E2A43B5 A0C0F0C39A5ADB94" "B3BC2D20FF7F287F DF17F53B7CB5E3A1" "ABD46FC0819A3559 C03C6B4106603066" "359A4A09B468B6DF EF8A363C7B31D9E8" "8ABB85914F4A27C3 0E9915C66AAC3576" "9E481C87AEE4C313 8CF40F288ED3C172" "FFC17D3D78F8D32C 3C756C13CFBFB95F" "3ECCE6D8B54344D7 8998F58148C4B43B" "1A6201ABFF3D4FB4 B76E3BBA104CFAA5" "5D8DA4319A9E0606 644B07DC204E9635" "502186C1EF9E4332 2EFD69F86D4DA1F6" "A98BF0B800BA04BD 9FBA5C5BE8EC49D4" "8D9EECBADEE669EF 69C9522C730110BB" "8339AF0E45185262 C9183307C5EEA59D" "E5095CAC26E8428D 4CA9E44DCF8FC7B4" "1F9624A2DBA36F44 415BAC489BF46CB6" "BB1BD2B70D719772 FDABB3B166EA615A" "BDF208C39BA8A708 D933CBC8A3236D4A" "15629FCAA35E00C2 B361527326E7AB51" "409A7DE42C909334 6E41D3A3C4529D95" "57BBC01EEFF927F1 052B5E02F74542B0" "4E78F1E933C67DBC 2C9187527C86DA77" "F045D4B07CF646BA 9547646905F1F117"), SHEX("feffffff00000000")); /* 32-bit overflow */ } nettle-3.10/testsuite/sc-valgrind.sh0000644000175000017500000000040714633602172016557 0ustar nissenisse# To setup a test to check for branches or memory accesses depending on secret data, # using valgrind. with_valgrind () { type valgrind >/dev/null 2>&1 || exit 77 NETTLE_TEST_SIDE_CHANNEL=1 valgrind -q --exit-on-first-error=yes --error-exitcode=1 "$@" } nettle-3.10/testsuite/version-test.c0000644000175000017500000000247614633602172016630 0ustar nissenisse/* version-test.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "version.h" void test_main (void) { /* This also checks that we don't by accident link with a different version of nettle which is installed on the system. */ ASSERT (nettle_version_major () == NETTLE_VERSION_MAJOR); ASSERT (nettle_version_minor () == NETTLE_VERSION_MINOR); } nettle-3.10/testsuite/sexp-format-test.c0000644000175000017500000001013614633602172017400 0ustar nissenisse#include "testutils.h" #include "sexp.h" #include "buffer.h" #if WITH_HOGWEED # include "bignum.h" #endif void test_main(void) { struct nettle_buffer buffer; { const char e[] = "(3:foo(3:bar17:xxxxxxxxxxxxxxxxx))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(sexp_format(NULL, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "{KDM6Zm9vKDM6YmFyMTc6eHh4eHh4eHh4eHh4eHh4eHgpKQ==}"; nettle_buffer_init(&buffer); ASSERT(sexp_transport_format(&buffer, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(sexp_transport_format(NULL, "(%0s(%0s%0s))", "foo", "bar", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "1:\0""1:a2:bc3:def4:ghij5:\x00\xDE\xAD\xBE\xEF"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "%i%i%i%i%i%i", 0, 0x61, 0x6263, 0x646566, 0x6768696a, 0xDEADBEEF) == LLENGTH(e)); ASSERT(buffer.size == LLENGTH(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "(3:foo(4:bar))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s%l)", "foo", (size_t) 7, "(4:bar)") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "([1:t]3:foo3:bar[6:gazonk]3:baz1:q)"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0t%0s%0s%0t%0s%0t%0s)", "t", "foo", "bar", "gazonk", "baz", NULL, "q") == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } /* Try literals */ { const char e[] = "(3:foo(3:bar17:xxxxxxxxxxxxxxxxx))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(bar%0s))", "foo", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(sexp_format(NULL, "(%0s(bar %0s))", "foo", "xxxxxxxxxxxxxxxxx") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } { const char e[] = "(3:foo(3:bar17:xxxxxxxxxxxxxxxxx))"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(bar xxxxxxxxxxxxxxxxx))", "foo") == strlen(e)); ASSERT(sexp_format(NULL, "(%0s(bar xxxxxxxxxxxxxxxxx))", "foo") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } /* Literal parenthesis */ { const char e[] = ")3:foo(3:bar"; nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "%)foo%(%s", (size_t) 3, "bar") == strlen(e)); ASSERT(sexp_format(NULL, "%)foo%(%s", (size_t) 3, "bar") == strlen(e)); ASSERT(buffer.size == strlen(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); } #if WITH_HOGWEED { mpz_t x; mpz_t y; mpz_t z; const char e[] = "(3:foo(3:bar1:\xff""11:abcdefghijk13:\0\x81""abcdefghijk))"; mpz_init_set_si(x, -1); nettle_mpz_init_set_str_256_u(y, 11, US("abcdefghijk")); nettle_mpz_init_set_str_256_u(z, 12, US("\x81""abcdefghijk")); nettle_buffer_init(&buffer); ASSERT(sexp_format(&buffer, "(%0s(%0s%b%b%b))", "foo", "bar", x, y, z) == LLENGTH(e)); ASSERT(sexp_format(NULL, "(%0s(%0s%b%b%b))", "foo", "bar", x, y, z) == LLENGTH(e)); ASSERT(buffer.size == LLENGTH(e)); ASSERT(MEMEQ(buffer.size, buffer.contents, e)); nettle_buffer_clear(&buffer); mpz_clear(x); mpz_clear(y); mpz_clear(z); } #endif /* WITH_HOGWEED */ } nettle-3.10/testsuite/sha3-384-test.c0000644000175000017500000032637614633602172016325 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_384.txt using sha3.awk. */ test_hash(&nettle_sha3_384, /* 0 octets */ SHEX(""), SHEX("0C63A75B845E4F7D01107D852E4C2485C51A50AAAA94FC61995E71BBEE983A2AC3713831264ADB47FB6BD1E058D5F004")); test_hash(&nettle_sha3_384, /* 1 octets */ SHEX("CC"), SHEX("5EE7F374973CD4BB3DC41E3081346798497FF6E36CB9352281DFE07D07FC530CA9AD8EF7AAD56EF5D41BE83D5E543807")); test_hash(&nettle_sha3_384, /* 2 octets */ SHEX("41FB"), SHEX("1DD81609DCC290EFFD7AC0A95D4A20821580E56BD50DBD843920650BE7A80A1719577DA337CFDF86E51C764CAA2E10BD")); test_hash(&nettle_sha3_384, /* 3 octets */ SHEX("1F877C"), SHEX("14F6F486FB98ED46A4A198040DA8079E79E448DAACEBE905FB4CF0DF86EF2A7151F62FE095BF8516EB0677FE607734E2")); test_hash(&nettle_sha3_384, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("D92BBD604BDD24B9889508F8558B13E96595AC90BC8A441DAF9B51D6ABC14FFD0835FB9366E3912504264CE87E421CB8")); test_hash(&nettle_sha3_384, /* 5 octets */ SHEX("21F134AC57"), SHEX("E248D6FF342D35A30EC230BA51CDB161025D6F1C251ACA6AE3531F0682C164A1FC0725B1BEFF808A200C131557A22809")); test_hash(&nettle_sha3_384, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("D6DD2ED08C1F644857A15DAFAF80538BEE597278C9ABE047BFBABFB8B1FCB7543E80AE9F7143D00F4DAAF39B138AB3FF")); test_hash(&nettle_sha3_384, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("49CA1EB8D71D1FDC7A72DAA320C8F9CA543671C2CB8FE9B2638A8416DF50A790A50D0BB6B88741D7816D6061F46AEA89")); test_hash(&nettle_sha3_384, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("89DBF4C39B8FB46FDF0A6926CEC0355A4BDBF9C6A446E140B7C8BD08FF6F489F205DAF8EFFE160F437F67491EF897C23")); test_hash(&nettle_sha3_384, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("D6154641D7D9DF62F0CEDC2BD64EE82412B3A80F6EACE7C45F9703373379007EABF592D2D2116E093DC33DCBBA4649E9")); test_hash(&nettle_sha3_384, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("2EE5DF2591CFC4CB1E1D0BD8B28727F0FA5359A75F7819A92A3CB80DDB5708E4705177B981396B4818D11E3CA615EC93")); test_hash(&nettle_sha3_384, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("786C3F73FB092BE184FC2B19F5920F3D94F25D4523165AE82F9B39B2C724FD62DC9A3263091A239D5EF1AD562DD4FD26")); test_hash(&nettle_sha3_384, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("79188139EC2CAD8D197D308B806CF383782C29A8C27EE29C5E31425B2DD18B2F5F491FBFB38D7078F58510125C064A0A")); test_hash(&nettle_sha3_384, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("0C82B8C75C5D540E7D624928281FBA8B8D0B1583D74F3F0EA4F200F1CE5475149C282E05DB695DC67BAF42DEFFDC3F55")); test_hash(&nettle_sha3_384, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("830D2325C001623EDFEA97EA1D0E65982D4ED7ABB8E64EA61C85E9BC1882D11FC4153C30BE63FC66F5FBCE74BB394596")); test_hash(&nettle_sha3_384, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("1DBE1BC60A9C6FBE10A727E2A6D397930D547AD2C390286948C3167EE77FF6E275EC8431C5AD4B4E4E5AE67A4BC88D05")); test_hash(&nettle_sha3_384, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("FEEE2EF332515284E0BA247C62F264199044D03877C58E54B51A62E39E91C27AAAE384837EB9D479B4C0308CFC6B779B")); test_hash(&nettle_sha3_384, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("1888E953727CB837DE40C69869560C20729C50638E4561B385937BFC4C297E789EA6C03EFCF2DF3290B1FD36BE268C32")); test_hash(&nettle_sha3_384, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("30DE7B544265422CE689E667F48498F455E8BF1055653F21294EAD7D2E898B05FA75EECA46DC2575C475C480AA49CA62")); test_hash(&nettle_sha3_384, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("041B7C89BD4B582A7D20E579C6FDB18BA0C1251DABACC687AF448EB49151BBC04ADCB81D797D4BC51F03BFFF230FFCC6")); test_hash(&nettle_sha3_384, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("EAF751EE6E75AA2C56453F316C019BDA7D7AE1FDA03B79AC413BB1F2840D58AAAAC77F2DC106D22F1A71157F9F841C4B")); test_hash(&nettle_sha3_384, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("16C4A7F7E8BA7EA13C59576BE602F885E21BE7C34B3AC05CAC4262BAAD8AA3F95BD9260F13F08550CE331EC773BA758C")); test_hash(&nettle_sha3_384, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("5119A4FC11DAF2EF5DEB7AEB35549162D9AFC827392A8868E7F8594A5C194D9C8F6A430CB386B8D825CC6DAB4EDB742A")); test_hash(&nettle_sha3_384, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("A91F0170457E78B3BB15B0BDC0FF4EFE8D7313D2725D8E8DB875BCAFBC11314126559F45E86E78136EB214FF02764CAB")); test_hash(&nettle_sha3_384, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("98FE81746CCF7CFE5571D6D8B09943ECAE44F606444F9DABF1A57FE4E871F6962266D18652FD4EEBDBE492CFC5B2B21F")); test_hash(&nettle_sha3_384, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("3DD9054C105C40798DF45CFB5880F97A9536FA7BD13F1D816B8EE887FCBAFC102A7D4BDE9FE6E265538EEC2525B50D89")); test_hash(&nettle_sha3_384, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("DECD778B89B4295072DBF98689E2EB6066E406356EA4B7CAD550019F4A2ABB25163E9571D0ADB9ADC6A802B7E03C152C")); test_hash(&nettle_sha3_384, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("37F14B317D46BDB3E5DD6F68986A08A098C46B9D85D1F254A17878C008F97926C8A13C3838721CFE3A58076F3992F26C")); test_hash(&nettle_sha3_384, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("641A7AF13B889D1A0F1AA3E4E4FF8CC5903C47E1A52BDEA257D80E37E596564AB33EEAD06717CDB6B706CB6986293D4F")); test_hash(&nettle_sha3_384, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("122B8B86103FE3C18FF28178A256ACB0CAB8518338D2CBA697E3F560ECFEE09B024B97D8D1F69632AD1F2C5F5628D3EF")); test_hash(&nettle_sha3_384, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("F35A292E197007E28CE652A067173F3659C51B70438AA9E433081D3DF71B4A11E3F3BE5AF32E2C08D23A0B44E30B0BDF")); test_hash(&nettle_sha3_384, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("2EA596B446D5CCD8F0927A2E3790911E00F1F52CFBFC41F12290CBACD1C903C74DEEF840FD1398E12EE863ACD92BAEBF")); test_hash(&nettle_sha3_384, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("BAAE7AAED4FBF42F9316C7E8F722EEB06A598B509F184B22FBD5A81C93D95FFF711F5DE90847B3248B6DF76CABCE07EE")); test_hash(&nettle_sha3_384, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("32CFC8A18A7116D4B9029051941808C3B332EFDB132C515F9110E19B8354355D94616C9965BC2D1F2489F8452AF7FB2F")); test_hash(&nettle_sha3_384, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("73443EA38A8801395C044E3CBECD45DD62D6E304C5440FA9FE9651A438C010A76712759BE20681F1416661E746E5EB77")); test_hash(&nettle_sha3_384, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("6E82F460660F3D2CC33AA59A37F325EED0133FE29A9CB428A3C22572B6BF6C5DA2D0D4645C49135653A049795D4E2AD0")); test_hash(&nettle_sha3_384, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("229160A61CF2842B37EA85788BB1CE8294DED9EAD266359D61DF3D6DF98EE155ED03AB1A51D6291B41680A00553298EB")); test_hash(&nettle_sha3_384, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("F5D838DEDF07AC3A5646221ADC6CA59045976DF9C33367FDAA0BE3AFC57EEF0D434EE92CD618B3FA26C7EABD18D78772")); test_hash(&nettle_sha3_384, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("D41A324A1739BBCFC983A2B250750A1117E57BD26512CC5DCA7066D8B972AD9EB0BB3C7E36B9B84FC0E8129B69CD3847")); test_hash(&nettle_sha3_384, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("170D73BAF77EAE7A852A1BB19BA6665F9EF425A66F2649E959B5CAA82D01FDB89C8C7FA6F40702F7C3391B146F6FA33E")); test_hash(&nettle_sha3_384, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("A8F4A60A8FF5B3EBB4EADB9C46F1F403AB7FF632C7A11F80FC9153858B484291B3936713076955207D0C7E1964DC1346")); test_hash(&nettle_sha3_384, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("5815D78ACA9600632239B7CE8385D7E837F883857601EFB78F9C2DAC9A96AE0BFD107526F268D06FB4227D4774A9E727")); test_hash(&nettle_sha3_384, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("A5D91B01650D24B4753F41871FA700E997D5F1EF9C06D8F9B3A9B2D318716408E1566BB04B49B84E77F5F73D8F640541")); test_hash(&nettle_sha3_384, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("C7BA066881DB931E9C674D74CE2309B3002C6D5BC22056C454261CDBC5D93FE310EADD755E41FB1D789FDB9A73FDA28F")); test_hash(&nettle_sha3_384, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("A52CA3413BB83934B1EAD4686F639B90C5EE3CB5BE7E29A1A5293C868441D79BE2EF246B427FFCF0568D4D01BE54FF0D")); test_hash(&nettle_sha3_384, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("13E60554FA18CEF87CEABE147541886D97C2FB5F40F163D953306D2A26B013B33CB202D78AEF49FD47E7EC1C745920CD")); test_hash(&nettle_sha3_384, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("E4E03CCBA92BBD28182D005F69DE4E71C61C62CD323DECFB2ADDBEEFF7EE74933AA7A167E4E1DBB3DF7E5C91184F2D88")); test_hash(&nettle_sha3_384, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("9B26E9BF13B6FC33FD335DF976C8E1B781C800895EBD72E34F96EB875B41F04AAEE825CD8F0EB6C43D803F4E6EF688A9")); test_hash(&nettle_sha3_384, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("A127FEFCDD240F762CCE3F5F1551FC7E1CDEBC7950D1CD94C6888F490CB2285A10FD0EE797B168C5CA4761FA232AAF05")); test_hash(&nettle_sha3_384, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("FEB5A24EDB05BEF846B0A1F3F48DA212DFC2D0BAC746890D4AD72FBE3A7B4FF8E2B542B827779467122271B1E0DF2BD2")); test_hash(&nettle_sha3_384, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("8DA4F3D1A13197171B02E1CCB07BF51CDBABD833FDC3C3797A113CFA5C71795782C47CE36C389FBAD461D0D5B59CA684")); test_hash(&nettle_sha3_384, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("D19FE4A5F93BCD483DAA7AF8CB636807962D40AF9A507DC4FA4E1FD480A6E8FA3C25FA30EB6B74979EE456C1644A5C1D")); test_hash(&nettle_sha3_384, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("63FF3053ACE687FB91070CA7FC6A51C259E13DA8AC0DD741AB36D1FA930E3BB9AC6A1FAD654F7238CFC4485C5F9F8252")); test_hash(&nettle_sha3_384, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("39DDE02A319B5E869F4C51A1D30FF4D4D88EBE504C54F155AA5FAD3316404FDBD1918074D35D14BAC88D6F359108A1DC")); test_hash(&nettle_sha3_384, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("1959378F32117E58C0141160E16FACFE336590196BE805D149EB5AEEA641F9BB119B3EDDFEFD817701C82D2F528B823E")); test_hash(&nettle_sha3_384, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("7B172A9BB311B1375E15ECE1C1E8F092BECFAFEC9F3144E93F596EB7E6ABFB34FCEDB08EDA7883EBBF40038B7A754F9F")); test_hash(&nettle_sha3_384, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("6BA32ECAAA0AA9C59E72173F2A7816AC51F313C467A017190DB9832C6311EC23B8D56B7B220FA09A9081962EFED5183E")); test_hash(&nettle_sha3_384, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("55FDF2EC27D334B5B59EFB9B6D518E25BE0F5FF6379F7B97945F3E1235EC70295B39EBEABF70FCAF1E61EDB1C21A4C06")); test_hash(&nettle_sha3_384, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("D51A3F33919FE5DA0EFEA6EDAD201F01FA8416C385A89D96DF743D243A6AABA5B7690D187B95CAFFDACD1E85F56B813B")); test_hash(&nettle_sha3_384, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("F1D6E8F95C497D5BEAFB4215E07CDB59E0E3709CF561618F67E301931D204C6CE477E0F750099584B645E2F718650813")); test_hash(&nettle_sha3_384, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("B1D347D057CCD72867B12BF00BF511F87DEFCD0FA6ADADAF4BB1AD790F06ECBB1F4488A0319B05C46A7874857370CE76")); test_hash(&nettle_sha3_384, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("4F192EDFA54FECE64AC0B3EC9E120B291ADE99948805A87BBB04947E928BB5EBA87E2EE599960C436EA7C7884187E78C")); test_hash(&nettle_sha3_384, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("75E23FED3B59DB6B1D3378B7E8772642CBBFF7710D8A91B249BB6C68E384CD416F19AC1E8ED92B71D0CA303D247EE9BD")); test_hash(&nettle_sha3_384, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("C8D1E6BE5485FC13BF433F11A580ABBE89B12A66D0E5CB141E1D62CDC6A367725793FB25840B36CB7003F2E7DF3E5F2F")); test_hash(&nettle_sha3_384, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("423BA134D3BCB5E440AC83372C7EDDBA3AE3BDDF1222F505C19CDE246AD76A2B0D07239A54E1D0934C9B3D29D49E5FBD")); test_hash(&nettle_sha3_384, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("662C4851D311A786DE4CDA7E9EA1EFF0BFA462761FF6CF804E591ED9A15B0DC93A2BB6A6CFFDC8D7D23A233A52C86EAD")); test_hash(&nettle_sha3_384, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("5F54B1DAFA67ED9B498125E064F0B07F54E754E3F30720DD4A471E9BB6E307F05FB69BC81D391F503C95C3BB671E6973")); test_hash(&nettle_sha3_384, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("A21B55DED8FE41FB2B193FA490420A8B62FCAE9A185DA85E253DAEFE85270B6904BA4ECC76BB5128926FFF9D79F728AD")); test_hash(&nettle_sha3_384, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("341BE5677A05EED816A219669D680BBF185B31CF3EB0D289F90210FB1A7940D9BFF4909320AE4E3B7274E5BE479C46F1")); test_hash(&nettle_sha3_384, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("D70F78894E292B075A0FE56FB952B2CE87A94CA029347159FBB12B22103DD4DC4C265B7AE88950CCA89C40B531437AA4")); test_hash(&nettle_sha3_384, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("89BD6B7CC9ADDDFFE46BF85C56B8CE66E1B1B46969B197ADBF2E34B7059D8BB05F9F53BD1A58A7E0A66E5EF208BF5695")); test_hash(&nettle_sha3_384, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("AE651EF50A20B0F496F104F56F845206ED544B28D0374CBB779146DFF2EA5894EB29301FE33872F9B299A79C0C0F28C4")); test_hash(&nettle_sha3_384, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("A842918DFBBF3BFFCCC527B6DD2C0DF4EB3F100F0692727DA77DAF44A654876013B37031C493AC18950003EEBD107A29")); test_hash(&nettle_sha3_384, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("20D16CC6AF5B4D5AECCEAD09F300B1DC1DA93A608370EE0B2CF15C316508B5EF8C9BE27D0F7288617B1E529FC2932038")); test_hash(&nettle_sha3_384, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("69A3BB36F52EB650C6E8242DB05659573AF811A1A5DB908F773D65E74D327F5B65303DD0DD9BD07FF100D050E46FE97D")); test_hash(&nettle_sha3_384, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("D239F2FA1675A1A031E2F6E8A53D6E2F37D081CDB029727B3ACBDD7CBFC7D3581BDE8D3068AA9A300AE12B7245124508")); test_hash(&nettle_sha3_384, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("2F8D747DDF64320297B44F8547EF42FCE78A48F0A59A18DB1CFB9F43C049628F97C0BB93ADAAB9617155272424F74027")); test_hash(&nettle_sha3_384, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("714BE6F2F934E0B6FD69E392D99ACC98592B015E48A1637262F99286502B06774783BB9F371C760C3EB78AEADFBD0DF0")); test_hash(&nettle_sha3_384, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("22A41B117464F7F49682E8139A0D5BD23FE00D1190B1B419F27B490B729B56BBA9DE649DD7C988B6B308038661E1C362")); test_hash(&nettle_sha3_384, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("77780F3646D288291790F2A5F4AA9C98A64A1115306994CD65C7620DDE06D35117CE4B79DAE08B5B4E798459010941BB")); test_hash(&nettle_sha3_384, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("5CED3B7368582DD6DEBFE41D6AFFD82B72894B51FF4C4ACCBA09C595B36E23E347AB4BAAB0E5191D86E26E6596D62E23")); test_hash(&nettle_sha3_384, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("1410EF9ABB8D98B1C65E113A61915B0E6933BC59DA31C8FCC39B7165E715919184375D822A07C778F63431BE2AEECD99")); test_hash(&nettle_sha3_384, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("330ED51B045471DEA8CFF26510D68494611ECFD614D49E5A9CC8846A132519BBCF49907691AC5ACCFC0528DA0C14D49E")); test_hash(&nettle_sha3_384, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("387111A206FC6488F78D41786886A9E5EC9F73E1131D92F290F68512320A408D5F63EAA5ABA32D9853EB11B5B0887E62")); test_hash(&nettle_sha3_384, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("78573F5D075200D3823194A71E55880F4FE78489234DBF3DF3E3734CBCAE8DC1D8C1AE95F9EFA9903DC4C4581B59DDDE")); test_hash(&nettle_sha3_384, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("FDFE4F1B034733C2C94A7B36E2B52774A95C2BDE22FCDDFCEF52F7FEF7C67F08E2F7B9B8967E447F76EF91960DA76288")); test_hash(&nettle_sha3_384, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("48D66A4165AA54528ECE89BD9AA00EAB196F32DFDC4D76F236655835527AAA1642E6BF4EDF24F030F5EEEF07FA40F5D2")); test_hash(&nettle_sha3_384, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("3C2575372CE1F380A6E66BB075FBAE98FC2E6D3D267A20FF0313ABC3DE252E03FD5BDFA8BC2B79FC874CCDA4ABDBB4A6")); test_hash(&nettle_sha3_384, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("0EE6AECA8DD80B74225AC4882E2BC1E6819C9B94F0D0BC0A1E21AABF4B11CB74DB4734BC8D1179D7DCEF535BE9F3DA28")); test_hash(&nettle_sha3_384, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("8027E5044923F8EEE1DF184865CD97B635A78DA199FD80AD3D343A5AE03D1B165E58D1B0BD093EF916A16D6641BDA17C")); test_hash(&nettle_sha3_384, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("796818E047913D5AFB4AE4C5B7C5D5EF699A3A9EBEFB44462EE8FE603CA5628973369E4A9D8E10115FDD75C89707A8F9")); test_hash(&nettle_sha3_384, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("1E96EFF62E9F464B4802972FDAC77C3EA1131B2822619D2C5D863E357D0945C17F93EDE66AF05D46E63C2857A54F67F4")); test_hash(&nettle_sha3_384, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("4CC41C2FB7D71DA1AD36D18029F755DAF342E732EC31F0C06E27091307718ACB53FA113AE508DF38B8C96834DE33F9F1")); test_hash(&nettle_sha3_384, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("9A8D4B560421C82991BDFCA0898A29A59BDB09D20F8A5B279096723BAB382789F081EAD50D273ECA436C526ABA6D5CFC")); test_hash(&nettle_sha3_384, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("367CB3FE03A3CBB50FAE1FE7EA883A0AE53CBE772F709DC5505F3C907564C08FC49707CFF9639B25C746B6039FF48AE9")); test_hash(&nettle_sha3_384, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("BBBD05D69D7A082FCDA8ED535D7E4E5DE1377BD91E72D42DC95295C9DB780169E2F9620EC7A5AFF959FF2D946FD20A72")); test_hash(&nettle_sha3_384, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("BE8BEC0C2EC721E0C326037CE86A1518FB395C3A9802DE01C3E234268EBB9AC9A39A6E404F25FB7FEBDCF1F7F25DC083")); test_hash(&nettle_sha3_384, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("2AEEAF292AD625221BA79A621217FD1B3F8978BA83FE7FF13B38574FCFAFFBD207298854B6F9C27D6677494204221FDA")); test_hash(&nettle_sha3_384, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("9A1761C5759CE67C9C093EC5C831C1FF7CAB64AC7C8002066EDCAED044DEF57CEA3EF6BE98578363D2CE3D1F5BA448F8")); test_hash(&nettle_sha3_384, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("4A24A1AF68DB65C3977431EE81092C776F7CB33D6F08940100EA240A2D1F8623A41D07CE9937BCBEC8CA1072A1A78E8B")); test_hash(&nettle_sha3_384, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("928E94D19FC60065A5EF7E48018387C80F2D350F306D0F610173719D5C874D4A8ACC340FEAD4BE357E1F78124198AD77")); test_hash(&nettle_sha3_384, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("78A18D62F8A7EFF5C6DD75B8CB073FD30EE68C878C2EC58AAD1C5DD0EB0AE43698A617BB0C670FCE2AA098E0ADF425B2")); test_hash(&nettle_sha3_384, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("EEEB56C3E54FA833B985EFA5923C3F0225F419664CEDD898C79F64D72D2AD4B125A38BE0201846C442EAF0051D516DC9")); test_hash(&nettle_sha3_384, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("0A834E111B4E840E787C19748465A47D88B3F0F3DAAF15DB25536BDC6078FA9C05E6C953830274223968847DA8BFD20D")); test_hash(&nettle_sha3_384, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("D1C0FA85C8D183BEFF99AD9D752B263E286B477F79F0710B010317017397813344B99DAF3BB7B1BC5E8D722BAC85943A")); test_hash(&nettle_sha3_384, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("6AEDCF4426B2483C0D0D04695BCC052BEDD04FA4D17A1BBB2797F6272FA476BFC138E4091409FEB1AC0E8BFF350A6663")); test_hash(&nettle_sha3_384, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("ACB7013CE75124388187DC0E7430CB74A314D601B6C8D7A7DE5CF03197A84F7874FF058808575CB2F10185F561BB06B1")); test_hash(&nettle_sha3_384, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("F947469DB712EA26F25F709FF7879136EA2A79E0A2D0ED5EE4ADF0E167F106BC410C93AE1D986EC211E0FD9A40741857")); test_hash(&nettle_sha3_384, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("65989BF4EBBF4C21B3DD34551D3F6167910236671BB7F348DC552ADB8028A468FA40EF4A8C1227A1A41C28105E64AC20")); test_hash(&nettle_sha3_384, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("B77A69E373AF0F733CDAD399C9B12642A046E1A7893D3382943A8367D37740DF53916F6DAF90517B39621C14343754A2")); test_hash(&nettle_sha3_384, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("3D14B6FAE6156E7876367897A49269181EA58CC3CA9621C0F81D6A5FB6F615680D909B29F6AF7E62FAD04D70046BE997")); test_hash(&nettle_sha3_384, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("456AD01908E187CA2CE9E7A4DAED8788C909E9BC974EFD1C9A44AC36DB9B6DA985C947C7E0A47AB27BF10CD760FA48AF")); test_hash(&nettle_sha3_384, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("C26BDAC454E1ADC0D090D0C5254A29966611B6673014CBACA24D26B6F63EC7E8F993BA3DF7DF89770E902D5F6574F6A8")); test_hash(&nettle_sha3_384, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("1D85BF9AA2B6DCC3105E7D7F91069F01E4C998D6F03B77650D75839D65A7A049196FD935AFEFFDEB657BC8F96B7C17B5")); test_hash(&nettle_sha3_384, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("085CFA581CF3F4F19416BEE3ED5AC2544662AA51BDF1D2E348D9BCC27343487DF20B18D9F6FB64565868504A6805D176")); test_hash(&nettle_sha3_384, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("376088F09039CAA40BF19FF5E5F193FC9ECB6116A0ACB3237AAAB6CD807BD7AF45D804D837A18D2BD9A8C3DAA3A1D153")); test_hash(&nettle_sha3_384, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("CD40B35FBD90B04D0641F71088F7C6159D8EB16DE8AAE09F355877A0333B53150B81D36C5C2446BF5AC462EF84D4E572")); test_hash(&nettle_sha3_384, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("DB14442400597871FA56D10F53BE7BB4002C44624C44E89C99B95122676A76FF28840285239E2E4FBFB751E4179577D8")); test_hash(&nettle_sha3_384, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("4509ADB6177BC6DEBCA7E36948F07001159A57EC8CCA2B76C770735C5BCCC679DA6AB4E64D915D0E1A754C3FDA11B524")); test_hash(&nettle_sha3_384, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("193AF71BDD228AB3E8AE50E1B1CBF1984B0AF92AAC5A71CBE618AFD4187DED6B461411A39E72EA4E213FE0A5231C498D")); test_hash(&nettle_sha3_384, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("3E419569A4197BB71BAF416B38772EEDD9C1D5A3252111609F0FF8A18A749D5A56143A14925A82CD35C44400A49AFDFB")); test_hash(&nettle_sha3_384, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("6215C070D0CB388A134766035C4BA95143E608D15CAF742796304FFA1A62E55660AB9AB1F6538B4AF1F3EA89BE7D51FF")); test_hash(&nettle_sha3_384, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("0E27ABAD85255A66217722B7D4E032BF29F638BAE965B99F8EAF309071FF8C107F5B6BBB6AB1985228E697DE60595DF6")); test_hash(&nettle_sha3_384, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("AB9FD51B3AA4CD944ABB6CDB063708B2D1203D65A1A2EBB48E0C19722A18B9EF54D7A11F7684462B995B6D38CDDC0463")); test_hash(&nettle_sha3_384, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("03945325AC50E56BC8B515576529ABAA9A22BC2A7CED9142A75CE939A388AF0022A4E75A33964BBB3580564E0AF809D3")); test_hash(&nettle_sha3_384, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("59126910A3462E3B7AC22892F637D87D90686BC0A9BBD4A32E2C4C71A168BA685F2184560E125DB3DC23D90B9E820F1A")); test_hash(&nettle_sha3_384, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("D3239A33BAA55B0F21169E0FDE6114B08106BAF3F4BA0CA19D7B5CF44030057AC672CE529EB0F3BDA36819967819AAFA")); test_hash(&nettle_sha3_384, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("38A11581D874A574929C51F8DCC9E501900743864AEC3AC0889E62C1071CA5F8B6CCF9C0BDB3BB365916EB4340973DC7")); test_hash(&nettle_sha3_384, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("8FD01909381EB713803419361D8E82E92476A08EDCC225BB8A135D215CB48D07B074624FCF2E73E666DBA59334719839")); test_hash(&nettle_sha3_384, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("5D7DC5FC9DE88B1C0C46AA6D49273505FF7A76A179E31AB5D976A69D89B83DFA6DEAE9E1B93440EC055DE1CC824D6B15")); test_hash(&nettle_sha3_384, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("3D6BBA145D7E69DBBB0F099D47A1F2138D4A00F26B07C62CF38471F0FB9CA022C61F7A769013A9BD8D5D87D8E01D9B4D")); test_hash(&nettle_sha3_384, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("FBCEF80DD06E7E0B3B7A5485CA5BC2B388CB91A2890F181C857B3E0ABEFD6065499D82DD55F3FCD17E351C0A3636B859")); test_hash(&nettle_sha3_384, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("338AACBAC8AC5BCC13FAFC0EC6D2ECF4A871F9B09D7B1BC5BD6F8D7C9DD1354B8E28C68158A36551DDDAB8B684579EE1")); test_hash(&nettle_sha3_384, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("FFC98D84C268BD09CAD09CD7B4BF9D35EDE97EC55885E839E557D21ECC0E28A855000386E68FAAE3E64A19B443B2587D")); test_hash(&nettle_sha3_384, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("471465890C3B9C03EDFBF0F6883D565740BADA3B7628AD6A27F729C35C1A8666953E8B99D2C89EDE0BD2D5D70FDEF11B")); test_hash(&nettle_sha3_384, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("0F8BA7214DE0E3A9E13C282BFA09CEA782C31C052F516D0AAA403D97716E0D08B1F7F9BB4085B555740C813C4ECE1B90")); test_hash(&nettle_sha3_384, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("CAD2D28FBDCC3A5D71FB3ADCEEC52313AD41D4FF1F915CAA34EE127839DBF2E9A7B06E1C4ECD6255926C16C06E51EFD0")); test_hash(&nettle_sha3_384, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("5B192EBAB47215A8E9FB8E4D561B220B1DC36707A3F085F7BB0175335C393251E3467F945570420C743365D0F09B9E09")); test_hash(&nettle_sha3_384, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("DF6F80B6D56CFFA8545A27A245A50E6C2D117FC3598F465B6CD78560F4B3C7D2123F28F67CA9E65BFE0B7F566C57B9EF")); test_hash(&nettle_sha3_384, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("CE97E9DF08789D84151A95C8134F0DB74E5D4E076E0C15966825C371B79B3192FD7C9C6BDAE86B775804B5363D1152C7")); test_hash(&nettle_sha3_384, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("89BF889FBD7A384290D3B1D52709DBA686351E53937630B7C7F01BCDDA19B1517D317D65E799E686C71A0AB4D65B60B8")); test_hash(&nettle_sha3_384, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("5D40E392C2E5B29C80C2D760A93AA1E193472D7EE59E203DD478FE24C5A6264E2873AF31ABDE81827862901AE59571BB")); test_hash(&nettle_sha3_384, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("7C63A0DC1C39CF4FAB2D22F62C1B00757AA4B89ED0D7128DA243D9082AD0C78784AC24DF34F5AB30375F1D581E7420BD")); test_hash(&nettle_sha3_384, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("ED085D830AFD2D8F79627281C2A8163C391FEC2C58268F66F74CFF9751BB29E0D071EA8FD2FCF943020D0AD758281BFD")); test_hash(&nettle_sha3_384, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("29124752CCD4AC724A9C3D53B0B352AF2DBD76729F8C5C648B1E9D77819F32E2A7DE0E15286478A24DF9BB370F855C1C")); test_hash(&nettle_sha3_384, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("FAEAB5687F39EC9894C5CCFFB57E82A84BBB7D493CC6AFC03D07AC7B4F181E61639B9A4771C99985ED7FA1773E1CA3F4")); test_hash(&nettle_sha3_384, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("E4E352B1D2D987A37C831629FE0C6AB9EAB2C35E401D1B5F443ADC54A96EF3C91D0876CCF46ADEF819C460369136DA87")); test_hash(&nettle_sha3_384, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("6C288FE4A74F0ED1B36D12F2DB697FBC44017BB57D38C9EBD45F5A8B4FEB59148060AE4BA1FFA162E10E6916CEA1A794")); test_hash(&nettle_sha3_384, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("E1B6DAC3F138B5F336F1F75894F825FFC197836C92BF359B55BB2A78239F24F9C4AA1E063C9C2B273B9CFA766FBFBAE5")); test_hash(&nettle_sha3_384, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("6E07B59E93B22475633B5BA1AA6891119CFF690697AC679E9349E8694C654074D965F0C32FF517B10EE8F6993F6E4646")); test_hash(&nettle_sha3_384, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("19EB2E15262A839538846F7252676971207913279B9AE9B6BA3650D8F3A8E558B13C35B31F1AB7429E376255338C4AA2")); test_hash(&nettle_sha3_384, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("F4DA80B26FB5E6F7E5DFE47128EEE095D46D9ACEFBE76F74EFBC8A1AD68E8456634E9376025648EF7A3350299F366E29")); test_hash(&nettle_sha3_384, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("BDBA7838A1E7A601D559F49EC1323B7C5FABE1E109FDCAFF3F7865F9AF4196ABBF60AC123097A7B860FE438684355EB0")); test_hash(&nettle_sha3_384, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("96DFE9996BFFA5E5D83C39B11F47F12D11210F7D4300B7180D1891EAAA7FE4809F9489B1E2407FF87FB2628DDF1FC020")); test_hash(&nettle_sha3_384, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("79CF2A3017F82693C0A531A367186D055FCE63081EDF980C6A0B967B6ECCE75D635B98485E9B6B285B08336FF34E61C9")); test_hash(&nettle_sha3_384, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("0ED3CA1620CE3A923A22E9D13BBF7543ACEE05F66B67E6D6F435BC513F4698949C27528068F892F0871916FE2D0433C3")); test_hash(&nettle_sha3_384, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("69A27BBF080E015592893D3B55D1957D267784569923A466165A6FB129613D8EA6F610F3760E349D46B09277CB854546")); test_hash(&nettle_sha3_384, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("E9C8830140629669A1DC5C8EE27BE669B7122F4DC88224635CDE334AD99615F3FDC4869E56263E3C7F4420736F714E26")); test_hash(&nettle_sha3_384, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("4DF060276105BF002F8E9F3F08D5B51F7C2ADFE5AAB9A1A683C053E045C89A883028B1093461368262EA85F5239AC7B1")); test_hash(&nettle_sha3_384, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("816AA6DB9B663288E5F932F0FEAFF0EE7875C3B3E6FBAC0CDDC458BD646371969CF50D2D0942FCC7403573B01B05B455")); test_hash(&nettle_sha3_384, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("125B51C253391677C59C0332C6A13D07DE55EAB80857593F0839A56FA678C5E2F7CB2F934ABE5E5887804AAB5D8F13E1")); test_hash(&nettle_sha3_384, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("130C4B06A55F11C80C41608ADFD7B4CE8795871BCF16900F20D2751E123B41D3B2048FD05267C2F9653ECE3630BDD330")); test_hash(&nettle_sha3_384, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("3EA0FA3FC035EA40CBBE9A3C1C6F7E5A437BA20F26736F2895F81D53BEC92A186E74762910C4AA62565373D38B28D5FD")); test_hash(&nettle_sha3_384, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("7C1F1A46E409046B5A314767E8B7E7B1D9A92931443C5D02A581371B380AFA1867E554C3F7DF2E4557ACFD9F8E230C44")); test_hash(&nettle_sha3_384, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("2AD23817002C8F0089D423760F5569EB67CBEED2F0F2AA12F8EDE7856EE22AA6EB684F86AE91741A4AA3C80AC97C4A0B")); test_hash(&nettle_sha3_384, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("D34974759C6A4AA9D1A4ED3DE341A2BA022DF127BE92EB0BBC1900EB5AC7B8AFE909B52DA5714668C3C4B7DB939F2436")); test_hash(&nettle_sha3_384, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("0FB38AE233520D4F57469463E1E68D5518EA4E965755C03AD458DD285AFB2DF518C3D389BD361CBDCE46B654631A18C2")); test_hash(&nettle_sha3_384, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("CB8F1CC9EB72465176B97B6226A87E69D77C65190114CCE1F830A3DFEFA5A8A278D5CF594B173AC58C06EC74958FF8C6")); test_hash(&nettle_sha3_384, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("87776D7022DC18592B578C534E2FCF57946E0F74C47DF85612F89C6593FD50A9E445C048D6CDA9A1D1D10EA3B3C973D0")); test_hash(&nettle_sha3_384, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("83F4442147FEFC8E5BAD3E9EE4C6661A771AE8C87458AB67153DECD35DAF6756EEF28E4AE72E65EBFAE08886A6E773E0")); test_hash(&nettle_sha3_384, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("51358159074D960C0B9D73D5F12AFDAFB8F5D7905BDA62379A6E0D6727D03EFD26EEA51B434368E2E566CB4747D0BA35")); test_hash(&nettle_sha3_384, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("3ECEA8CAF0D8EFA42D54AC5EF36E624237D9F5508ED6FCB6434D67F3FB788C538C635798F52B2F073A4A7376FD31C4A3")); test_hash(&nettle_sha3_384, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("A8876FE4652ACF72DCC8FD5133E5D4CA4E3766AB987CF66EAE5E3770E252D2FD2A890525016623EE69064690828C727B")); test_hash(&nettle_sha3_384, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("6A09735736780F199D75C60903AA24D7F8AA17516690854F7522EF0BBF47D41CBDC8BDB2CB2F3C5596510539677607E9")); test_hash(&nettle_sha3_384, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("83FC2B91AB81D4B15363F15E53BF639063BAC55502B4421CF9A53BCAB9FF47FD77DE5AC6934F67A412EA1910FAD67768")); test_hash(&nettle_sha3_384, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("77C0480B91F32EF809D8C23AB236581F0BCA8B9447A4D36228052B3ABB6AB69C61D19D720486A3FF497A4673B84CB951")); test_hash(&nettle_sha3_384, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("781466E257D2FA594E39DC220A260C7478D2158BB70E426F9E9587F5A51A7C29FDC7AF23E7AB9C774E33C08AB38CEDB7")); test_hash(&nettle_sha3_384, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("51BEBFB5AAFE777F390E2851B7EB9AA3809194FE3BA1689ABEE7E43D44A5874E0C252793DFD42C1270C63C407AEF6780")); test_hash(&nettle_sha3_384, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("FCDF0032F34BA6C42D679B182D07B10F4DFF2189B0A5EF6642FBB71B16F910E3240ED9B502B1C6B395BEE74AD0FB4191")); test_hash(&nettle_sha3_384, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("92AADC02BB9795A48B031034EE6AB873DF481D232932FB5FD6C3762E50E58DA46D1F5E5E874597F15C83127F0A3042B1")); test_hash(&nettle_sha3_384, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("0D0CCDBFEB0A933F211EAA94EB452900324340505CCF8DB7AD93E976271F812FB8907805F6313D0B0931F5C9203BDBA5")); test_hash(&nettle_sha3_384, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("FEF6B1F27B0CEBC4568588E627D28DD569A58A8F9A51A1D2887B40F5547B2C67C71917BE998D1987AC78E9077CC790AB")); test_hash(&nettle_sha3_384, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("E9957732E7DAB64550F003EE6D0353AE89BDC6D69D05766024CFF189E4FC8FAA41DB72954E8E5AC0B29265C8F785E737")); test_hash(&nettle_sha3_384, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("98D73B3555F003058F7B5A145D89FAEC46C17099A354EF3834A20142DBD50A0E8054598CE7941BF5DD4DF7CCF218F02F")); test_hash(&nettle_sha3_384, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("3795DE490F43B9899947C1C305C30E26331BA0E611DCE7961172B2E4299932147BC9E241C32E61FA964D4F436ECCFD37")); test_hash(&nettle_sha3_384, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("E9F289E671541FEC4599915A0D9935BF5C20A12C203BCDE88A46EAF5CAB2D437F9FCDEF67B98768BB80C9A874B3F46C7")); test_hash(&nettle_sha3_384, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("88C23BE040BE64D23AEE8D7EE962228A6F07831B0E05FBE2F25F07729F00C2C617EB6975F57B3F17DD540E8EBCA654A9")); test_hash(&nettle_sha3_384, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("6C42DEE61CD97C50F5340CF4DC4F7E319FB5FAC7A26B41DEE66D789804BD1FEF1EF2911643C9C1E2C0485C979B36D927")); test_hash(&nettle_sha3_384, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("720150FD5A1CF94A42F922EFCBB723FF948F74CA6D0A3F399AC54DA8B3BC07F39E6E2979C16C875866CF2F584CA7F2DB")); test_hash(&nettle_sha3_384, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("FA6F90935843D4F58E77CABE4BA662B4FABC1732725FAF952EEED70FA0AAD6A98FE67F3B6736A1C8F7C5BED4D9B017E0")); test_hash(&nettle_sha3_384, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("4E2832FEE290D1917C15B31893F6578C1299445B99BC48708E13348A11EB2F27FE217A63F532583793D18CDECCAA78B9")); test_hash(&nettle_sha3_384, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("1FB97D6F42480E9F13C934C4A874877A808F1D73314C544D8570C0749F20FA35F53A0C0BDA1F10D1A10A029ABBB50BC7")); test_hash(&nettle_sha3_384, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("86B3C81AA398C8819AFC4F282DFBCE24F4192B2530C267A78373D253C35C1DCC4F40835529563FD42A33FD2CBD680515")); test_hash(&nettle_sha3_384, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("A6BF548AB19FF60D6A8729FA62FDC9B59237843739AFFF877233ED374BCF70A017126974C2D1A3222D8D906BE850A25D")); test_hash(&nettle_sha3_384, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("BA7D3B6AF5966C8C2723B1318820505D040DA810126ABC3E65088DC421E46D3E54DD31777C539AE083B7B8A4E2303836")); test_hash(&nettle_sha3_384, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("48CA5912C111DB667A77BE7C77F841E8B37130248377A19CD2FA3CD2EEC48B337CFE07C290F2690AD49E79CE3A9F9E53")); test_hash(&nettle_sha3_384, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("4B3849B0916DD445B1856E1B908C414C752D280DE2183DD1F0193E73FD1BC02198599502391E8CA48D65E610D6EDCD8E")); test_hash(&nettle_sha3_384, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("02C90820D5FA9A91072991E87BFEEC7F18315F8CA1908EDBF19886C4CA5BD54AB9EC96A6AB7B815B58538F088867030F")); test_hash(&nettle_sha3_384, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("75967501FF781EFC3C9D597179C8CCAEE4373D9BF6AA6A5BED5118303EDC8B7478A47F2CEAF0A6B5B7224E53D5F1CDB3")); test_hash(&nettle_sha3_384, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("298387BA8A3EB88EE36B4206E54193BC5857F2A303CE41DFF7C3BD53EF7EE3D34AE7E0C714311A7BD8D25502CAB414B7")); test_hash(&nettle_sha3_384, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("27CEF65D1AECB7051BAD55DA0D601BC9D7A16D938A5715374A43109DD41B5C27D26C91CB44E4B47002D9B90ABA0584D1")); test_hash(&nettle_sha3_384, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("4AC9BDFD9F717D01598908BA457627D3AF7C8123F7110DD7FDB40E91EE6CAC201A8B728A384E663890847DFD4DE7FA76")); test_hash(&nettle_sha3_384, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("F03FA03E4CF9C23443D7DBDBB66D9ABBAFEFB6500143FF0BFB5D7D6CA2BF1D7CD043A7BA7EFB48F15EBC68D1F94598E7")); test_hash(&nettle_sha3_384, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("9C779D981F9B7E491FF868BE22B37FA9DF72DE55672A0226A821B29C045DF4FF788FA7271D557EF6025EEA255809F241")); test_hash(&nettle_sha3_384, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("2C0BC54A67B00AD703FC595751074C4E447EFDE00CAAF8C8FCADF5768C330B6C7F1918F044F5C5C55810D078534A7BB3")); test_hash(&nettle_sha3_384, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("2DB19CA557723CD3C17E7D8140CA301A5A2CB77E3F1F595F5B850A78943C7F36FC37056DCF2BADB90DDA77BFA969C0AA")); test_hash(&nettle_sha3_384, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("71E5DD0755CF8B82BC79AED6FB61C9E4FF8361C9AFC5AD980808A8BC480E09D59B234074472851080714E0275CE72DC5")); test_hash(&nettle_sha3_384, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("51F951B8F1013BA9BCED90478E248CD89D4DEBC6A19CEB6EF81BA1A5D8D3339D426D50A94C7CE3D143C45DECCEF94965")); test_hash(&nettle_sha3_384, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("210EBC1556E31A27EAF60A5FE3E181135C5EA117E3FF21AF2D04BEAB9A243FFFF632E3D7778F9A6D0304C1ACF3659A3C")); test_hash(&nettle_sha3_384, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("F5F659F6999BAD8CDC77C42901A8D64C1FA827F7848985136140BF5D4B3BBB3D964D2D8156F9FD02B6D382BC8410A88E")); test_hash(&nettle_sha3_384, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("B151BF98C52F63F294A4B1E990C86CB73C4BDD476B25C138CA66B2BA08447540B0A787DFDDAA3D38AF44CA8EBBED74D8")); test_hash(&nettle_sha3_384, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("47D74FDD9A19A5389313610643FA859FF0BD7B583B099FDDB9C980DCC000AFEB639DD99071EA31976DA35B7BC949BD4E")); test_hash(&nettle_sha3_384, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("9B809198DCCE24175E33098331D3A402A821AE9326E72775AAE34D1A9BB53D2B57863905CFD60543BBC42B454007C315")); test_hash(&nettle_sha3_384, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("93C9834501FC728508A15EB9205E678983F3BDB0BA447EE739AE5082DB37F2F2D485088130E0B1CBF0039D18BDF429F7")); test_hash(&nettle_sha3_384, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("C0AD8C3E7EA595104D4BC0A08DCBC85042ED50DD8D9B01AB47C9F066F91AD3BFFEDE4107F1EB1F5B61CA7D4091D68327")); test_hash(&nettle_sha3_384, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("AA8DAA02ABCBC5A4B3003BFF5CBC2C84594C5A0F84BD449A1A56BE59566E13EC6803010D422A4C244B99812F4537C93D")); test_hash(&nettle_sha3_384, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("CAEB4F829A925679416F7CB177ED4C99721B851AB59D52979BFEC6D2AAA1E602F4310B15624F9D7BF2D351DB73BFB5EA")); test_hash(&nettle_sha3_384, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("FC1FC7F19F6C9D0AD1462B24C121C89B01B4E083EDAD02A8DBDEB990D98CAFE0AFE01E2EBA646872CD816B5203EE8A87")); test_hash(&nettle_sha3_384, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("84803E50DEC901FF930C8A76EBC1F98EC72874DEEF0D249020B1DBEB4EA7D8C7DA4761EDE077158460E054A7F71D1994")); test_hash(&nettle_sha3_384, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("05586BCB8077E19F3F43015216D623B1439C49ECDD3C53255553E9133FD1A9008891520D2EEBE5684C546028CA2CDDFE")); test_hash(&nettle_sha3_384, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("A200D8EF3D120B917561EDC8420BDE022B3ACE792925C8FABF25AD9B0FA676D2260ABD8098F383C0F93043D5D3F56C47")); test_hash(&nettle_sha3_384, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("A8905D1E9F4FC96F2D769D31C9A120DE43A0B20115C8D17BF0313206EB9CD87AE41DF2D444C9D75F9366998263D61C07")); test_hash(&nettle_sha3_384, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("88249AF84A7F1E49D144869A3D4FE8AA6E1A4874EE467BC99E9C33E2105AF2D097417D6B78537925392DB2C5CB1E0B92")); test_hash(&nettle_sha3_384, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("C46122D00B61E79DF025A4D525B8A602C7AC004304A993872E3A8AA37FC0E8EAAE5FAD9A220C5C6AFBD5A4783680013A")); test_hash(&nettle_sha3_384, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("ABA0EE3C16D3DC753F6E466C33A998A73282C0DBEAF51324979A58437636886E5521B567C9A62D405EE558FFEBAE91BC")); test_hash(&nettle_sha3_384, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("28B37125F233BA8D527E5284A16E6EFE9AE84D3EBC6EE4C88AEE0AB165C111A32FF2CDCC4213AC3267B0546DC0D74C84")); test_hash(&nettle_sha3_384, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("258988E54D66E0C53B263BA68D9E3AA47D278DF87C51219CCE6F2547281EA6581540E28C1D7E069254791F0D385EA694")); test_hash(&nettle_sha3_384, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("F6A9399B482A3A5EA6FE79A2DB7BAE7E588C9B7DA03DD85C120112FDBC234350529A1F37ABBEBEB770299E141EEA7BA3")); test_hash(&nettle_sha3_384, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("C0F957E52E40F9B8EA945D40779286F7257AD463A934B049DF40C31D3547AEF41AEA2DD981FD2579327229B54EE04E66")); test_hash(&nettle_sha3_384, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("779EECF39311318051BF73C441FB799708912049E28DF3FADDE449E4CD820CC4CA1BD0F8513927D9A64F5D34FAABA039")); test_hash(&nettle_sha3_384, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("3D6495EB3DA4E81D3470A050F416E2C8ABF657A26D4FD64AF35735B5782B611FB798A72FE7A61CE79D0496F69654CC80")); test_hash(&nettle_sha3_384, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("F8188EAFD0E2F9C7F44E70B38DB1FE3E12B1469739CA6A13ED5A8661673A318296FFAF8D37F6FCEC22A2D00EEE2ABEBA")); test_hash(&nettle_sha3_384, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("7D83C3F2265C90FEF4BC6BD0D17A218F0E196489CB2D8455BBEE80AB989FFEA46DE753346EDBD5C88448FEDB0D4AAD4D")); test_hash(&nettle_sha3_384, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("FCC5FCFEF5BA874A317B73C9B1B4CF6877373D41F0B8080A5D4F021E0D67F3B9F8CCAACFD4244FC10BA58B3A470DB48B")); test_hash(&nettle_sha3_384, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("9B336B4C2B530F65C01AF3F0A46CF1B626D5DBF1B2E50F790B9F34CCA367315FDFBF7D9619CDA4DA22E39F9315303816")); test_hash(&nettle_sha3_384, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("CAC442227F10C4935D42C2914043167890C3EE1F4556D38D20767E8402AEC4D70111F2034276E90F28102DE634E26AFD")); test_hash(&nettle_sha3_384, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("05E3FB83EE8D609874D5935283702F29E5E896BB090C48033489295989C45DD2C06F5BD558B6BC786AB1251F75664B06")); test_hash(&nettle_sha3_384, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("6E463C7FB5CF436B1444921AFE76D2FA4E7A23EDFC9D496AF1DC7E78A0173D797EFF80F2BB32CFD34DAF5633C4E6BCD6")); test_hash(&nettle_sha3_384, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("90457E3D33FCE103420056A1C712441E04856B17CF37A4E133841E6D9A944B5EBEF98CB1C1CCD575632CD3B5C177669E")); test_hash(&nettle_sha3_384, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("E5FC73C70028D1B82A9AA976D34F5FC72916839027038E79DF2E29149E861F09A41A8203CE922203F710964B4F5BEC2E")); test_hash(&nettle_sha3_384, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("B0A1BBA912DAA6D80EDC6519B501B629456394D7BDA24D46AFC9FC1D93A0B5962FA4F95214273290D32B3EAEFF6F9DFE")); test_hash(&nettle_sha3_384, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("FCE4637898BA0CBD9D7B636FEBDDC02A435901CBBEF8BF76D3E866D97D55354B71FC12E67A09E793D749316D714FE08C")); test_hash(&nettle_sha3_384, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("2B5471FAE3805852F4CF39541F8A0A3774818F79FE50476E225D89B62E43BE3255E96D19CBC334AEF04192840F075C7D")); test_hash(&nettle_sha3_384, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("D4D3B49878AEC72E2E7FAFB687DA7EFE242CB60ADF5C65C577C444CFC95A2A2EC670000C8A78898A07400E3502D73F27")); test_hash(&nettle_sha3_384, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("FE1C2143F2957819DF9C9DD05D004BE0E557EED8C5A2B7CE457D5856132B1C43EECEC36AD704A930A85485A34C3860FE")); test_hash(&nettle_sha3_384, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("4D1F626688E6899B5FCCD47FAAB45E96C61E169869CABEF40283B2418DFB2888FB80CC9F2C526497C50C5244784F195C")); test_hash(&nettle_sha3_384, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("A063D778B0A2A11D3A9CBA425EE5938FCAA6E2BF1F30A665FA811601444D5749AFA18766DB5F0426C5B8392238B7862E")); test_hash(&nettle_sha3_384, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("470EE6D35157846890A01B3809EB923CC45DFFF2FCA2826F458325466C983B1C64BEA38BCAECA921C90DD00432ECCF89")); test_hash(&nettle_sha3_384, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("A8F0A3C89CF7E56ACC18ACE1638BCF133094FD9F75F05677C3CD0ED3614A593CBCEB09C78C86E350FD07FF4429A6A165")); test_hash(&nettle_sha3_384, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("C8A9A24464F21B133EBE20BA421A81EE34DCEACD5F04DCFB66D219F7F4145633692C572B63007834A406ECFB938A14F6")); test_hash(&nettle_sha3_384, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("91BADA31B57A4BF3D2EB19A34FF921DB10BD6406191486D25D5CA4DE5E00B5E2815DAE741064E5B877AC57511B949F91")); test_hash(&nettle_sha3_384, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("F310E80951C7BB6395CA168AAE7EC42DEFF6C4CD3F5BE9C8B49B85B405F731911AE8267FFEBD543DBDF409EC20A858D2")); test_hash(&nettle_sha3_384, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("CFD05E080994FC6D7AEF2D8C6E44D8A5E90F5A231676E0FAE0D2B8CE162CA9D06712580C99997A7709A06180DD42FB91")); test_hash(&nettle_sha3_384, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("8FA26DD5A54BF94A037A165EC5CE3ED86147A08DCFE3B48818B0C0BEEEFA33B145323B598F761DE2B639D05127F1CF3E")); test_hash(&nettle_sha3_384, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("283FD61D1E50572EF403BF9C554D76D694A54F902C49795D1CF506F0EE263E7BA994F72BDC4732531FA7194257F2DFDA")); test_hash(&nettle_sha3_384, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("128DC611762BE9B135B3739484CFAADCA7481D68514F3DFD6F5D78BB1863AE68130835CDC7061A7ED964B32F1DB75EE1")); } nettle-3.10/testsuite/meta-mac-test.c0000644000175000017500000000132114633602172016613 0ustar nissenisse#include "testutils.h" #include "nettle-meta.h" const char* macs[] = { "cmac_aes128", "cmac_aes256", "cmac_des3", "hmac_md5", "hmac_ripemd160", "hmac_sha1", "hmac_sha224", "hmac_sha256", "hmac_sha384", "hmac_sha512", "hmac_streebog256", "hmac_streebog512", "hmac_sm3", }; void test_main(void) { int i, j; int count = sizeof(macs)/sizeof(*macs); for (i = 0; i < count; i++) { for (j = 0; NULL != nettle_macs[j]; j++) { if (0 == strcmp(macs[i], nettle_macs[j]->name)) break; } ASSERT(NULL != nettle_macs[j]); /* make sure we found a matching mac */ } i = 0; while (NULL != nettle_macs[i]) i++; ASSERT(i == count); /* we are not missing testing any macs */ } nettle-3.10/testsuite/sexp-test.c0000644000175000017500000000610214633602172016110 0ustar nissenisse#include "testutils.h" #include "sexp.h" void test_main(void) { struct sexp_iterator i; uint32_t x; ASSERT(sexp_iterator_first(&i, LDATA(""))); ASSERT(i.type == SEXP_END); ASSERT(sexp_iterator_first(&i, LDATA("()"))); ASSERT(i.type == SEXP_LIST && sexp_iterator_enter_list(&i) && i.type == SEXP_END && sexp_iterator_exit_list(&i) && i.type == SEXP_END); ASSERT(sexp_iterator_first(&i, LDATA("("))); ASSERT(i.type == SEXP_LIST && !sexp_iterator_enter_list(&i)); /* Check integers. */ ASSERT(sexp_iterator_first(&i, LDATA("1:\0" "1:\x11" "2:\x00\x11" "2:\x00\x80" "5:\x00\xaa\xbb\xcc\xdd"))); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0x11); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0x11); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0x80); ASSERT(sexp_iterator_get_uint32(&i, &x) && x == 0xaabbccdd); ASSERT(sexp_iterator_first(&i, LDATA("3:foo0:[3:bar]12:xxxxxxxxxxxx"))); ASSERT(i.type == SEXP_ATOM && !i.display_length && !i.display && i.atom_length == 3 && MEMEQ(3, "foo", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_ATOM && !i.display_length && !i.display && !i.atom_length && i.atom && sexp_iterator_next(&i) && i.type == SEXP_ATOM && i.display_length == 3 && MEMEQ(3, "bar", i.display) && i.atom_length == 12 && MEMEQ(12, "xxxxxxxxxxxx", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_END); /* Same data, transport encoded. */ { struct tstring *s = tstring_data(LDATA("{Mzpmb28=} {MDo=} {WzM6YmFyXTEyOnh4eHh4eHh4eHh4eA==}")); ASSERT(sexp_transport_iterator_first (&i, s->length, s->data)); ASSERT(i.type == SEXP_ATOM && !i.display_length && !i.display && i.atom_length == 3 && MEMEQ(3, "foo", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_ATOM && !i.display_length && !i.display && !i.atom_length && i.atom && sexp_iterator_next(&i) && i.type == SEXP_ATOM && i.display_length == 3 && MEMEQ(3, "bar", i.display) && i.atom_length == 12 && MEMEQ(12, "xxxxxxxxxxxx", i.atom) && sexp_iterator_next(&i) && i.type == SEXP_END); } { static const char * const keys[2] = { "n", "e" }; struct sexp_iterator v[2]; ASSERT(sexp_iterator_first(&i, LDATA("((1:n2:xx3:foo)0:(1:y)(1:e))"))); ASSERT(sexp_iterator_enter_list(&i) && sexp_iterator_assoc(&i, 2, keys, v)); ASSERT(v[0].type == SEXP_ATOM && !v[0].display_length && !v[0].display && v[0].atom_length == 2 && MEMEQ(2, "xx", v[0].atom) && sexp_iterator_next(&v[0]) && v[0].type == SEXP_ATOM && !v[0].display_length && !v[0].display && v[0].atom_length == 3 && MEMEQ(3, "foo", v[0].atom) && sexp_iterator_next(&v[0]) && v[0].type == SEXP_END); ASSERT(v[1].type == SEXP_END); ASSERT(sexp_iterator_first(&i, LDATA("((1:n))"))); ASSERT(sexp_iterator_enter_list(&i) && !sexp_iterator_assoc(&i, 2, keys, v)); ASSERT(sexp_iterator_first(&i, LDATA("((1:n)(1:n3:foo))"))); ASSERT(sexp_iterator_enter_list(&i) && !sexp_iterator_assoc(&i, 2, keys, v)); } } nettle-3.10/testsuite/cmac-test.c0000644000175000017500000000702014633602172016034 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "cmac.h" #define test_cmac_aes128(key, msg, ref) \ test_mac(&nettle_cmac_aes128, key, msg, ref) #define test_cmac_aes256(key, msg, ref) \ test_mac(&nettle_cmac_aes256, key, msg, ref) #define test_cmac_des3(key, msg, ref) \ test_mac(&nettle_cmac_des3, key, msg, ref) void test_main(void) { /* * CMAC-AES Test Vectors from RFC4493. */ test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SDATA(""), SHEX("bb1d6929e95937287fa37d129b756746")); test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a"), SHEX("070a16b46b4d4144f79bdd9dd04a287c")); test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411"), SHEX("dfa66747de9ae63030ca32611497c827")); test_cmac_aes128 (SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("51f0bebf7e3b9d92fc49741779363cfe")); /* Additional tests with different keys (same plaintext) * to check all variants of set_key() */ test_cmac_aes128 (SHEX("2b7e151628aed2a8abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411"), SHEX("87dd33c2945a4e228028690ae8954945")); test_cmac_aes128 (SHEX("2b7e1ab628aed2a8abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411"), SHEX("f0dc613a88886c7ed76eeb51f1c5e8d3")); test_cmac_aes128 (SHEX("2b7e1ab628aed2a8abf7158809cf4f3d"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411"), SHEX("b9d092dc387a9e42cdfeb9f9930cf567")); /* CMAC-AES256 vectors taken from phplib */ test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), SDATA(""), SHEX("028962f61b7bf89efc6b551f4667d983")); test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a"), SHEX("28a7023f452e8f82bd4bf28d8c37c35c")); test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411"), SHEX("aaf3d8f1de5640c232f5b169b9c911e6")); test_cmac_aes256 (SHEX("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411e5fbc1191a0a52eff69f2445df4f9b17ad2b417be66c3710"), SHEX("e1992190549f6ed5696a2c056c315410")); /* CMAC-3DES vectors from NIST SP800-38B examples */ test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), SDATA(""), SHEX("7db0d37df936c550")); test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), SHEX("6bc1bee22e409f96e93d7e117393172a"), SHEX("30239cf1f52e6609")); test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a57"), SHEX("6c9f3ee4923f6be2")); test_cmac_des3 (SHEX("0123456789abcdef23456789abcdef01456789abcdef0123"), SHEX("6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e51"), SHEX("99429bd0bf7904e5")); } nettle-3.10/testsuite/arctwo-test.c0000644000175000017500000000672414633602172016442 0ustar nissenisse/* arctwo-test.c Copyright (C) 2004 Simon Josefsson Copyright (C) 2004 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #include "testutils.h" #include "arctwo.h" /* For tests with obscure values of ebk. */ static void test_arctwo(unsigned ekb, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct arctwo_ctx ctx; uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length); arctwo_set_key_ekb(&ctx, key->length, key->data, ekb); arctwo_encrypt(&ctx, length, data, cleartext->data); ASSERT(MEMEQ(length, data, ciphertext->data)); arctwo_decrypt(&ctx, length, data, data); ASSERT(MEMEQ(length, data, cleartext->data)); free(data); } void test_main(void) { /* Test vectors from Peter Gutmann's paper. */ test_cipher(&nettle_arctwo_gutmann128, SHEX("00000000 00000000 00000000 00000000"), SHEX("00000000 00000000"), SHEX("1c198a83 8df028b7")); test_cipher(&nettle_arctwo_gutmann128, SHEX("00010203 04050607 08090a0b 0c0d0e0f"), SHEX("00000000 00000000"), SHEX("50dc0162 bd757f31")); /* This one was checked against libmcrypt's RFC2268. */ test_cipher(&nettle_arctwo_gutmann128, SHEX("30000000 00000000 00000000 00000000"), SHEX("10000000 00000000"), SHEX("8fd10389 336bf95e")); /* Test vectors from RFC 2268. */ test_cipher(&nettle_arctwo64, SHEX("ffffffff ffffffff"), SHEX("ffffffff ffffffff"), SHEX("278b27e4 2e2f0d49")); test_cipher(&nettle_arctwo64, SHEX("30000000 00000000"), SHEX("10000000 00000001"), SHEX("30649edf 9be7d2c2")); test_cipher(&nettle_arctwo128, SHEX("88bca90e 90875a7f 0f79c384 627bafb2"), SHEX("00000000 00000000"), SHEX("2269552a b0f85ca6")); /* More obscure tests from RFC 2286 */ test_arctwo(63, SHEX("00000000 00000000"), SHEX("00000000 00000000"), SHEX("ebb773f9 93278eff")); test_arctwo(64, SHEX("88"), SHEX("00000000 00000000"), SHEX("61a8a244 adacccf0")); test_arctwo(64, SHEX("88bca90e 90875a"), SHEX("00000000 00000000"), SHEX("6ccf4308 974c267f")); test_arctwo(64, SHEX("88bca90e 90875a7f 0f79c384 627bafb2"), SHEX("00000000 00000000"), SHEX("1a807d27 2bbe5db1")); test_arctwo(129, SHEX("88bca90e 90875a7f 0f79c384 627bafb2" "16f80a6f 85920584 c42fceb0 be255daf 1e"), SHEX("00000000 00000000"), SHEX("5b78d3a4 3dfff1f1")); } nettle-3.10/testsuite/sha224-test.c0000644000175000017500000000306714633602172016143 0ustar nissenisse#include "testutils.h" void test_main(void) { /* From FIPS180-2 addendum (http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf) */ test_hash(&nettle_sha224, SDATA("abc"), SHEX("23097d22 3405d822 8642a477 bda255b3" "2aadbce4 bda0b3f7 e36c9da7")); test_hash(&nettle_sha224, SDATA("abcdbcdecdefdefgefghfghighij" "hijkijkljklmklmnlmnomnopnopq"), SHEX("75388b16 512776cc 5dba5da1 fd890150" "b0c6455c b4f58b19 52522525")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha224, SDATA(""), SHEX("d14a028c2a3a2bc9 476102bb288234c4" "15a2b01f828ea62a c5b3e42f")); test_hash(&nettle_sha224, SDATA("a"), SHEX("abd37534c7d9a2ef b9465de931cd7055" "ffdb8879563ae980 78d6d6d5")); test_hash(&nettle_sha224, SDATA("38"), SHEX("4cfca6da32da6471 98225460722b7ea1" "284f98c4b179e8db ae3f93d5")); test_hash(&nettle_sha224, SDATA("message digest"), SHEX("2cb21c83ae2f004d e7e81c3c7019cbcb" "65b71ab656b22d6d 0c39b8eb")); test_hash(&nettle_sha224, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("45a5f72c39c5cff2 522eb3429799e49e" "5f44b356ef926bcf 390dccc2")); test_hash(&nettle_sha224, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("bff72b4fcb7d75e5 632900ac5f90d219" "e05e97a7bde72e74 0db393d9")); test_hash(&nettle_sha224, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("b50aecbe4e9bb0b5 7bc5f3ae760a8e01" "db24f203fb3cdcd1 3148046e")); } nettle-3.10/testsuite/sc-rsa-sec-decrypt-test0000755000175000017500000000014314633602172020322 0ustar nissenisse#! /bin/sh srcdir=`dirname $0` . "${srcdir}/sc-valgrind.sh" with_valgrind ./rsa-sec-decrypt-test nettle-3.10/testsuite/meta-hash-test.c0000644000175000017500000000172514633602172017006 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" #include "nettle-meta.h" /* For NETTLE_MAX_HASH_CONTEXT_SIZE */ #include "sha3.h" const char* hashes[] = { "gosthash94", "gosthash94cp", "md2", "md4", "md5", "ripemd160", "sha1", "sha224", "sha256", "sha384", "sha512", "sha512_224", "sha512_256", "sha3_224", "sha3_256", "sha3_384", "sha3_512", "streebog256", "streebog512", "sm3", }; void test_main(void) { int i; int count = sizeof(hashes)/sizeof(*hashes); for (i = 0; i < count; i++) { /* make sure we found a matching hash */ ASSERT(nettle_lookup_hash(hashes[i]) != NULL); } for (i = 0; NULL != nettle_hashes[i]; i++) { ASSERT(nettle_hashes[i]->block_size <= NETTLE_MAX_HASH_BLOCK_SIZE); ASSERT(nettle_hashes[i]->digest_size <= NETTLE_MAX_HASH_DIGEST_SIZE); ASSERT(nettle_hashes[i]->context_size <= NETTLE_MAX_HASH_CONTEXT_SIZE); } ASSERT(i == count); /* we are not missing testing any hashes */ } nettle-3.10/testsuite/ecc-add-test.c0000644000175000017500000000421514633602172016414 0ustar nissenisse#include "testutils.h" #include void test_main (void) { unsigned i; for (i = 0; ecc_curves[i]; i++) { const struct ecc_curve *ecc = ecc_curves[i]; mp_limb_t *g = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *g2 = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *g3 = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *p = xalloc_limbs (ecc_size_j (ecc)); mp_limb_t *scratch = xalloc_limbs (ecc->add_hhh_itch); ASSERT (ecc->dup_itch <= ecc->add_hhh_itch); test_ecc_get_g (i, g); ecc->dup (ecc, g2, g, scratch); test_ecc_mul_h (i, 2, g2); ecc->add_hhh (ecc, g3, g, g2, scratch); test_ecc_mul_h (i, 3, g3); ecc->add_hhh (ecc, g3, g2, g, scratch); test_ecc_mul_h (i, 3, g3); ecc->add_hhh (ecc, p, g, g3, scratch); test_ecc_mul_h (i, 4, p); ecc->add_hhh (ecc, p, g3, g, scratch); test_ecc_mul_h (i, 4, p); ecc->dup (ecc, p, g2, scratch); test_ecc_mul_h (i, 4, p); if (ecc->p.bit_size == 255 || ecc->p.bit_size == 448) { mp_limb_t *z = xalloc_limbs (ecc_size_j (ecc)); ASSERT (ecc->add_hh_itch <= ecc->add_hhh_itch); /* Zero point has x = 0, y = 1, z = 1 */ mpn_zero (z, 3*ecc->p.size); z[ecc->p.size] = z[2*ecc->p.size] = 1; ecc->add_hhh (ecc, p, z, z, scratch); test_ecc_mul_h (i, 0, p); ecc->add_hh (ecc, p, z, z, scratch); test_ecc_mul_h (i, 0, p); ecc->add_hhh (ecc, p, p, g, scratch); test_ecc_mul_h (i, 1, p); ecc->add_hh (ecc, p, z, g, scratch); test_ecc_mul_h (i, 1, p); ecc->add_hhh (ecc, g2, g, p, scratch); test_ecc_mul_h (i, 2, g2); ecc->add_hh (ecc, g2, g, g, scratch); test_ecc_mul_h (i, 2, g2); free (z); } else { ASSERT (ecc_nonsec_add_jjj (ecc, g2, g, g, scratch)); test_ecc_mul_h (i, 2, g2); ASSERT (ecc_nonsec_add_jjj (ecc, g3, g2, g, scratch)); test_ecc_mul_h (i, 3, g3); ASSERT (ecc_nonsec_add_jjj (ecc, p, g, g3, scratch)); test_ecc_mul_h (i, 4, p); ASSERT (ecc_nonsec_add_jjj (ecc, p, g2, g2, scratch)); test_ecc_mul_h (i, 4, p); } free (g); free (g2); free (g3); free (p); free (scratch); } } nettle-3.10/testsuite/sha3-256-test.c0000644000175000017500000030637614633602172016321 0ustar nissenisse#include "testutils.h" void test_main(void) { /* Extracted from ShortMsgKAT_256.txt using sha3.awk. */ test_hash(&nettle_sha3_256, /* 0 octets */ SHEX(""), SHEX("A7FFC6F8BF1ED76651C14756A061D662F580FF4DE43B49FA82D80A4B80F8434A")); test_hash(&nettle_sha3_256, /* 1 octets */ SHEX("CC"), SHEX("677035391CD3701293D385F037BA32796252BB7CE180B00B582DD9B20AAAD7F0")); test_hash(&nettle_sha3_256, /* 2 octets */ SHEX("41FB"), SHEX("39F31B6E653DFCD9CAED2602FD87F61B6254F581312FB6EEEC4D7148FA2E72AA")); test_hash(&nettle_sha3_256, /* 3 octets */ SHEX("1F877C"), SHEX("BC22345E4BD3F792A341CF18AC0789F1C9C966712A501B19D1B6632CCD408EC5")); test_hash(&nettle_sha3_256, /* 4 octets */ SHEX("C1ECFDFC"), SHEX("C5859BE82560CC8789133F7C834A6EE628E351E504E601E8059A0667FF62C124")); test_hash(&nettle_sha3_256, /* 5 octets */ SHEX("21F134AC57"), SHEX("55BD9224AF4EED0D121149E37FF4D7DD5BE24BD9FBE56E0171E87DB7A6F4E06D")); test_hash(&nettle_sha3_256, /* 6 octets */ SHEX("C6F50BB74E29"), SHEX("AE0CBC757D4AB088E172ABFD8746289950F92D38A25295658DBF744B5635AF04")); test_hash(&nettle_sha3_256, /* 7 octets */ SHEX("119713CC83EEEF"), SHEX("E340C9A44373EFCC212F3CB66A047AC34C87FF1C58C4A14B16A2BFC34698BB1D")); test_hash(&nettle_sha3_256, /* 8 octets */ SHEX("4A4F202484512526"), SHEX("BA4FB009D57A5CEB85FC64D54E5C55A55854B41CC47AD15294BC41F32165DFBA")); test_hash(&nettle_sha3_256, /* 9 octets */ SHEX("1F66AB4185ED9B6375"), SHEX("B9886EF905C8BDD272EDA8298865E0769869F1C964460D1AA9D7A0C687707CCD")); test_hash(&nettle_sha3_256, /* 10 octets */ SHEX("EED7422227613B6F53C9"), SHEX("FAB8F88D3191E21A725B21C63A02CAD3FA7C450EF8584B94CFA382F393422455")); test_hash(&nettle_sha3_256, /* 11 octets */ SHEX("EAEED5CDFFD89DECE455F1"), SHEX("9363ACD3F48BB91A8998AA0E8DF75C971770A16A71E7D2334409734CD7D0A9EE")); test_hash(&nettle_sha3_256, /* 12 octets */ SHEX("5BE43C90F22902E4FE8ED2D3"), SHEX("16932F6F65DEAAD5780E25AB410C66B0E4198EBA9F4ED1A25EE24F7879FAEFE2")); test_hash(&nettle_sha3_256, /* 13 octets */ SHEX("A746273228122F381C3B46E4F1"), SHEX("1C28100E0EF50671C7EA3E024FA3BA9DA2EBDDB4DE264C3A2426C36AD3F91C61")); test_hash(&nettle_sha3_256, /* 14 octets */ SHEX("3C5871CD619C69A63B540EB5A625"), SHEX("8183BE4875FAB7EC5F99ED94F5F900CF1D6B953D8F71E1E7CC008687980E613A")); test_hash(&nettle_sha3_256, /* 15 octets */ SHEX("FA22874BCC068879E8EF11A69F0722"), SHEX("3B1A6D21FE44691DAC4EB7C593A6D8523CB606E63CF00E94D711A574248DACA5")); test_hash(&nettle_sha3_256, /* 16 octets */ SHEX("52A608AB21CCDD8A4457A57EDE782176"), SHEX("2C7E7CB356FDC68EC8927E499D2A6BAE2B781817919C829EBBE8225BAED46967")); test_hash(&nettle_sha3_256, /* 17 octets */ SHEX("82E192E4043DDCD12ECF52969D0F807EED"), SHEX("C7B12EFF692D842110CC39AC60616707ACB3F9B0F1CB361B94577EFC529CA26C")); test_hash(&nettle_sha3_256, /* 18 octets */ SHEX("75683DCB556140C522543BB6E9098B21A21E"), SHEX("493EBAEBC04776F4E067555AFA09B58C850FDF1B0E22D4BF006CE41C091DC762")); test_hash(&nettle_sha3_256, /* 19 octets */ SHEX("06E4EFE45035E61FAAF4287B4D8D1F12CA97E5"), SHEX("1D01F3120ECFBDD28DCE44317666CF864F52391B9ECA3843DB45667C2E0A98AD")); test_hash(&nettle_sha3_256, /* 20 octets */ SHEX("E26193989D06568FE688E75540AEA06747D9F851"), SHEX("2C1E61E5D45203F27B86F1293A80BAB34192DAF42B8623B12005B2FB1C18ACB1")); test_hash(&nettle_sha3_256, /* 21 octets */ SHEX("D8DC8FDEFBDCE9D44E4CBAFE78447BAE3B5436102A"), SHEX("AD0E3F29767067E929D1CECD95582DF8F2A9BEB92EAA27EEB315F620365A9244")); test_hash(&nettle_sha3_256, /* 22 octets */ SHEX("57085FD7E14216AB102D8317B0CB338A786D5FC32D8F"), SHEX("2B4EB5DE20E86074CABB55BFA63A5C8C6AE15679302061845B9CF233E17C906B")); test_hash(&nettle_sha3_256, /* 23 octets */ SHEX("A05404DF5DBB57697E2C16FA29DEFAC8AB3560D6126FA0"), SHEX("6AE04C6C6F3651F1F64C0AD69733990B41747C93F87ACB813BB25BB1FC0EFF07")); test_hash(&nettle_sha3_256, /* 24 octets */ SHEX("AECBB02759F7433D6FCB06963C74061CD83B5B3FFA6F13C6"), SHEX("40F9F55BC55DA466BC3DC1F89835A64094572DE73D64ED6646A1D3B667BE70A9")); test_hash(&nettle_sha3_256, /* 25 octets */ SHEX("AAFDC9243D3D4A096558A360CC27C8D862F0BE73DB5E88AA55"), SHEX("C64BECF7B75FC885D5853924F2B7D37ABCEFD3DA126BB817697E1A09152B1EBE")); test_hash(&nettle_sha3_256, /* 26 octets */ SHEX("7BC84867F6F9E9FDC3E1046CAE3A52C77ED485860EE260E30B15"), SHEX("57D46A6BC8FAB33601538DAD27F98C66443032CC3912434C28EB88D0AF44C52C")); test_hash(&nettle_sha3_256, /* 27 octets */ SHEX("FAC523575A99EC48279A7A459E98FF901918A475034327EFB55843"), SHEX("7C956503D5B4DBB764FF8E66FA74CE0F9132DA90EA3543F669C9DD08E413E33C")); test_hash(&nettle_sha3_256, /* 28 octets */ SHEX("0F8B2D8FCFD9D68CFFC17CCFB117709B53D26462A3F346FB7C79B85E"), SHEX("6DE164A9626D5A4F54D854AC158994F35A8E362ECC753F55182790934A2E0D06")); test_hash(&nettle_sha3_256, /* 29 octets */ SHEX("A963C3E895FF5A0BE4824400518D81412F875FA50521E26E85EAC90C04"), SHEX("B760312BD1B279FC672479D21C5ED349E5FE96F08940237B4515452721C49A16")); test_hash(&nettle_sha3_256, /* 30 octets */ SHEX("03A18688B10CC0EDF83ADF0A84808A9718383C4070C6C4F295098699AC2C"), SHEX("94FC255DE4EF19C0DA4B09B2E2FAC21F20048B46F17C30685ABE40D5C743F375")); test_hash(&nettle_sha3_256, /* 31 octets */ SHEX("84FB51B517DF6C5ACCB5D022F8F28DA09B10232D42320FFC32DBECC3835B29"), SHEX("39A4A0FFC4603698AE0A4F3D24B1BC42AC7A2D7D923E7A5D602453E82D5323C5")); test_hash(&nettle_sha3_256, /* 32 octets */ SHEX("9F2FCC7C90DE090D6B87CD7E9718C1EA6CB21118FC2D5DE9F97E5DB6AC1E9C10"), SHEX("2F1A5F7159E34EA19CDDC70EBF9B81F1A66DB40615D7EAD3CC1F1B954D82A3AF")); test_hash(&nettle_sha3_256, /* 33 octets */ SHEX("DE8F1B3FAA4B7040ED4563C3B8E598253178E87E4D0DF75E4FF2F2DEDD5A0BE046"), SHEX("1C57FE0E38CD3A124EAA6CD87F70A079BCCC073A341E8C0EB1976FB3A3F7B774")); test_hash(&nettle_sha3_256, /* 34 octets */ SHEX("62F154EC394D0BC757D045C798C8B87A00E0655D0481A7D2D9FB58D93AEDC676B5A0"), SHEX("A905603B186EF4F2D5B2D1BCFDA504C68ED5EB9B0C7B7EA2A001575F5AA69E68")); test_hash(&nettle_sha3_256, /* 35 octets */ SHEX("B2DCFE9FF19E2B23CE7DA2A4207D3E5EC7C6112A8A22AEC9675A886378E14E5BFBAD4E"), SHEX("FFFD39F7C451788EB0316F429EA0A7C0AC8091657ACA28F1560ED5775E8C4C12")); test_hash(&nettle_sha3_256, /* 36 octets */ SHEX("47F5697AC8C31409C0868827347A613A3562041C633CF1F1F86865A576E02835ED2C2492"), SHEX("6F55BECD168E0939BA2FA090257B1727FC66491A44493279A5BEACB9E3435324")); test_hash(&nettle_sha3_256, /* 37 octets */ SHEX("512A6D292E67ECB2FE486BFE92660953A75484FF4C4F2ECA2B0AF0EDCDD4339C6B2EE4E542"), SHEX("84649BFFCD48527B9288E8DA5F52FBAB2604DC5A91C4B0B87D477DBD7B40B6AE")); test_hash(&nettle_sha3_256, /* 38 octets */ SHEX("973CF2B4DCF0BFA872B41194CB05BB4E16760A1840D8343301802576197EC19E2A1493D8F4FB"), SHEX("D4055B4E3E2AEA1C67CC99FD409D574E53E1E296CF9EEF73C472AB92A6CB6609")); test_hash(&nettle_sha3_256, /* 39 octets */ SHEX("80BEEBCD2E3F8A9451D4499961C9731AE667CDC24EA020CE3B9AA4BBC0A7F79E30A934467DA4B0"), SHEX("5694CA2F3B9962226A87163AB38325BCDC898A732DFEB2C36DB4EB88616B8741")); test_hash(&nettle_sha3_256, /* 40 octets */ SHEX("7ABAA12EC2A7347674E444140AE0FB659D08E1C66DECD8D6EAE925FA451D65F3C0308E29446B8ED3"), SHEX("8CF287AD03AB4A74086620CFA4CCE74F48FA5CDB15EC02B1F721736A4F849E60")); test_hash(&nettle_sha3_256, /* 41 octets */ SHEX("C88DEE9927679B8AF422ABCBACF283B904FF31E1CAC58C7819809F65D5807D46723B20F67BA610C2B7"), SHEX("C5D5AF22A4DF9ACD0C056FA30D8E240B679A20D4D2630260F779FF815CA82D7D")); test_hash(&nettle_sha3_256, /* 42 octets */ SHEX("01E43FE350FCEC450EC9B102053E6B5D56E09896E0DDD9074FE138E6038210270C834CE6EADC2BB86BF6"), SHEX("0AC75279ADFF65660464550A283FECD4E0610D88F35574C3D7AC5D22262A2FE8")); test_hash(&nettle_sha3_256, /* 43 octets */ SHEX("337023370A48B62EE43546F17C4EF2BF8D7ECD1D49F90BAB604B839C2E6E5BD21540D29BA27AB8E309A4B7"), SHEX("81917AE290DBBA17289A8A67E5C2E8B12D3DDE0EFE9F990198A1763FF4F3DDA7")); test_hash(&nettle_sha3_256, /* 44 octets */ SHEX("6892540F964C8C74BD2DB02C0AD884510CB38AFD4438AF31FC912756F3EFEC6B32B58EBC38FC2A6B913596A8"), SHEX("138E75E72FDDD927E591315AF8D3ABA280EFA36230A3309A97BCDE5A78C31589")); test_hash(&nettle_sha3_256, /* 45 octets */ SHEX("F5961DFD2B1FFFFDA4FFBF30560C165BFEDAB8CE0BE525845DEB8DC61004B7DB38467205F5DCFB34A2ACFE96C0"), SHEX("21BCDAD3FEF3E5B859CB0912A2991EFA661BAD812747292EF0F79A8FCC6B4E98")); test_hash(&nettle_sha3_256, /* 46 octets */ SHEX("CA061A2EB6CEED8881CE2057172D869D73A1951E63D57261384B80CEB5451E77B06CF0F5A0EA15CA907EE1C27EBA"), SHEX("8D6FD9C559B0B4948F91337916084C0082A16A0755B0A00811096E973E48B3C8")); test_hash(&nettle_sha3_256, /* 47 octets */ SHEX("1743A77251D69242750C4F1140532CD3C33F9B5CCDF7514E8584D4A5F9FBD730BCF84D0D4726364B9BF95AB251D9BB"), SHEX("1DD23AE7AADD61E712BDD82BD60A70DD9D66C9FD79DBFD8669E3EAABF7901CDC")); test_hash(&nettle_sha3_256, /* 48 octets */ SHEX("D8FABA1F5194C4DB5F176FABFFF856924EF627A37CD08CF55608BBA8F1E324D7C7F157298EABC4DCE7D89CE5162499F9"), SHEX("34F8607EC10C092C1BA0B6565CE6197062C4E1A35A8E8C723E48A2D2416C3790")); test_hash(&nettle_sha3_256, /* 49 octets */ SHEX("BE9684BE70340860373C9C482BA517E899FC81BAAA12E5C6D7727975D1D41BA8BEF788CDB5CF4606C9C1C7F61AED59F97D"), SHEX("19A8577FC90FAE5D6A6B2E0C1FF155515502CFA1757029C09BEBBFA263D9A363")); test_hash(&nettle_sha3_256, /* 50 octets */ SHEX("7E15D2B9EA74CA60F66C8DFAB377D9198B7B16DEB6A1BA0EA3C7EE2042F89D3786E779CF053C77785AA9E692F821F14A7F51"), SHEX("9D9DBB4CE7D01D009E72A66051ACC16805E49F598CBE430C5D4C22A881A64B3F")); test_hash(&nettle_sha3_256, /* 51 octets */ SHEX("9A219BE43713BD578015E9FDA66C0F2D83CAC563B776AB9F38F3E4F7EF229CB443304FBA401EFB2BDBD7ECE939102298651C86"), SHEX("13F0D951B64481135466CFCCBE52418CC1D03FB16B5B696C35D724F6F55CBB6D")); test_hash(&nettle_sha3_256, /* 52 octets */ SHEX("C8F2B693BD0D75EF99CAEBDC22ADF4088A95A3542F637203E283BBC3268780E787D68D28CC3897452F6A22AA8573CCEBF245972A"), SHEX("FB2FE7B00B75C42305CF31DE14D98F904E8C46DC57BB6F94C282CA8C13DC45DB")); test_hash(&nettle_sha3_256, /* 53 octets */ SHEX("EC0F99711016C6A2A07AD80D16427506CE6F441059FD269442BAAA28C6CA037B22EEAC49D5D894C0BF66219F2C08E9D0E8AB21DE52"), SHEX("D54CBF7D5C80AE11A0D0BAD4E95AB18B5F07C970621F3936447A48EEF818D06E")); test_hash(&nettle_sha3_256, /* 54 octets */ SHEX("0DC45181337CA32A8222FE7A3BF42FC9F89744259CFF653504D6051FE84B1A7FFD20CB47D4696CE212A686BB9BE9A8AB1C697B6D6A33"), SHEX("FF050A45ADEEF4CFC7D964102BA877C80320A37794893E6865965EC2547CD4C9")); test_hash(&nettle_sha3_256, /* 55 octets */ SHEX("DE286BA4206E8B005714F80FB1CDFAEBDE91D29F84603E4A3EBC04686F99A46C9E880B96C574825582E8812A26E5A857FFC6579F63742F"), SHEX("1BC1BCC70F638958DB1006AF37B02EBD8954EC59B3ACBAD12EACEDBC5B21E908")); test_hash(&nettle_sha3_256, /* 56 octets */ SHEX("EEBCC18057252CBF3F9C070F1A73213356D5D4BC19AC2A411EC8CDEEE7A571E2E20EAF61FD0C33A0FFEB297DDB77A97F0A415347DB66BCAF"), SHEX("F7BDE239AD087AA7DABE42CC4D3C49380A026CD239A7FAAF34A2233469A44A4D")); test_hash(&nettle_sha3_256, /* 57 octets */ SHEX("416B5CDC9FE951BD361BD7ABFC120A5054758EBA88FDD68FD84E39D3B09AC25497D36B43CBE7B85A6A3CEBDA8DB4E5549C3EE51BB6FCB6AC1E"), SHEX("EF845AAC2AAF0A793108204FF380E0A30F2558E7ACDE4531AB22F8EC79E26A69")); test_hash(&nettle_sha3_256, /* 58 octets */ SHEX("5C5FAF66F32E0F8311C32E8DA8284A4ED60891A5A7E50FB2956B3CBAA79FC66CA376460E100415401FC2B8518C64502F187EA14BFC9503759705"), SHEX("26DB514E01E034C678B636D40BA367DA2F37F67078BB576FF2B8559B3517484D")); test_hash(&nettle_sha3_256, /* 59 octets */ SHEX("7167E1E02BE1A7CA69D788666F823AE4EEF39271F3C26A5CF7CEE05BCA83161066DC2E217B330DF821103799DF6D74810EED363ADC4AB99F36046A"), SHEX("5DBD4B558463196211465C1FC32401FC2D8E41EBC5E6BADD1D8F7C4F090F728F")); test_hash(&nettle_sha3_256, /* 60 octets */ SHEX("2FDA311DBBA27321C5329510FAE6948F03210B76D43E7448D1689A063877B6D14C4F6D0EAA96C150051371F7DD8A4119F7DA5C483CC3E6723C01FB7D"), SHEX("355C79FD6E6FA88ED402B6979FDE1ED805498ABEB101F4231B5D64D1439D552D")); test_hash(&nettle_sha3_256, /* 61 octets */ SHEX("95D1474A5AAB5D2422ACA6E481187833A6212BD2D0F91451A67DD786DFC91DFED51B35F47E1DEB8A8AB4B9CB67B70179CC26F553AE7B569969CE151B8D"), SHEX("3D9C9BF09D88211C7E0056112D073EE85D00ACAA4DA7A668FA017B3273CD4D4B")); test_hash(&nettle_sha3_256, /* 62 octets */ SHEX("C71BD7941F41DF044A2927A8FF55B4B467C33D089F0988AA253D294ADDBDB32530C0D4208B10D9959823F0C0F0734684006DF79F7099870F6BF53211A88D"), SHEX("67980D28E2E658E7A24A2593A28167A13D907D06F47729D47CA4FE1772F8B3DF")); test_hash(&nettle_sha3_256, /* 63 octets */ SHEX("F57C64006D9EA761892E145C99DF1B24640883DA79D9ED5262859DCDA8C3C32E05B03D984F1AB4A230242AB6B78D368DC5AAA1E6D3498D53371E84B0C1D4BA"), SHEX("A8DF6B76DF41994F7593F1A81967E77EE180E31183D1C4A569DB854E61E99B05")); test_hash(&nettle_sha3_256, /* 64 octets */ SHEX("E926AE8B0AF6E53176DBFFCC2A6B88C6BD765F939D3D178A9BDE9EF3AA131C61E31C1E42CDFAF4B4DCDE579A37E150EFBEF5555B4C1CB40439D835A724E2FAE7"), SHEX("27A6441EE939B46E2C378D7AFEB0E891C47A28120E488EFF0AB71AF08788CEB3")); test_hash(&nettle_sha3_256, /* 65 octets */ SHEX("16E8B3D8F988E9BB04DE9C96F2627811C973CE4A5296B4772CA3EEFEB80A652BDF21F50DF79F32DB23F9F73D393B2D57D9A0297F7A2F2E79CFDA39FA393DF1AC00"), SHEX("C4BB067383002DB44CA773918BB74104B604A583E12B06BE56C270F8B43512F2")); test_hash(&nettle_sha3_256, /* 66 octets */ SHEX("FC424EEB27C18A11C01F39C555D8B78A805B88DBA1DC2A42ED5E2C0EC737FF68B2456D80EB85E11714FA3F8EABFB906D3C17964CB4F5E76B29C1765DB03D91BE37FC"), SHEX("AE773915CA642D80413330C9E0EE9BD06653C0023C5C0277100F3B1526EAA51D")); test_hash(&nettle_sha3_256, /* 67 octets */ SHEX("ABE3472B54E72734BDBA7D9158736464251C4F21B33FBBC92D7FAC9A35C4E3322FF01D2380CBAA4EF8FB07D21A2128B7B9F5B6D9F34E13F39C7FFC2E72E47888599BA5"), SHEX("1CF9D6CE9CB658556B76CD7EBA3E51393699AD500B1AB3F56172748DB7F59667")); test_hash(&nettle_sha3_256, /* 68 octets */ SHEX("36F9F0A65F2CA498D739B944D6EFF3DA5EBBA57E7D9C41598A2B0E4380F3CF4B479EC2348D015FFE6256273511154AFCF3B4B4BF09D6C4744FDD0F62D75079D440706B05"), SHEX("8D60E889E2B1020DAD4B523301F5F6BBAB6C781AF276085AF6765546FCFB95AC")); test_hash(&nettle_sha3_256, /* 69 octets */ SHEX("ABC87763CAE1CA98BD8C5B82CABA54AC83286F87E9610128AE4DE68AC95DF5E329C360717BD349F26B872528492CA7C94C2C1E1EF56B74DBB65C2AC351981FDB31D06C77A4"), SHEX("DD4FF4B530552F48AF9A7530A6464819ED1A5B733084F709E41DAF1ACB35ECFD")); test_hash(&nettle_sha3_256, /* 70 octets */ SHEX("94F7CA8E1A54234C6D53CC734BB3D3150C8BA8C5F880EAB8D25FED13793A9701EBE320509286FD8E422E931D99C98DA4DF7E70AE447BAB8CFFD92382D8A77760A259FC4FBD72"), SHEX("7AC8D4BB53FC434DD8712DAEFEB474668F541418E6F617DBA523D8392EB0766E")); test_hash(&nettle_sha3_256, /* 71 octets */ SHEX("13BD2811F6ED2B6F04FF3895ACEED7BEF8DCD45EB121791BC194A0F806206BFFC3B9281C2B308B1A729CE008119DD3066E9378ACDCC50A98A82E20738800B6CDDBE5FE9694AD6D"), SHEX("F7B0E15A63232A2B800B23B311D357617DDFD1293E1FFE3F772692ADE3427152")); test_hash(&nettle_sha3_256, /* 72 octets */ SHEX("1EED9CBA179A009EC2EC5508773DD305477CA117E6D569E66B5F64C6BC64801CE25A8424CE4A26D575B8A6FB10EAD3FD1992EDDDEEC2EBE7150DC98F63ADC3237EF57B91397AA8A7"), SHEX("B3D05AF7E8C406A7C2709223791D3F5F4B3129329993220053A36293AC2B0E06")); test_hash(&nettle_sha3_256, /* 73 octets */ SHEX("BA5B67B5EC3A3FFAE2C19DD8176A2EF75C0CD903725D45C9CB7009A900C0B0CA7A2967A95AE68269A6DBF8466C7B6844A1D608AC661F7EFF00538E323DB5F2C644B78B2D48DE1A08AA"), SHEX("6C47E2EA4BA29E17792DEFC4B707754C4664BDE15168A5100BF881EC7C02B258")); test_hash(&nettle_sha3_256, /* 74 octets */ SHEX("0EFA26AC5673167DCACAB860932ED612F65FF49B80FA9AE65465E5542CB62075DF1C5AE54FBA4DB807BE25B070033EFA223BDD5B1D3C94C6E1909C02B620D4B1B3A6C9FED24D70749604"), SHEX("82A66BED668DCC14AF12C14C976CE650049E9D1D9969B83D1DD3B6F1C07D252B")); test_hash(&nettle_sha3_256, /* 75 octets */ SHEX("BBFD933D1FD7BF594AC7F435277DC17D8D5A5B8E4D13D96D2F64E771ABBD51A5A8AEA741BECCBDDB177BCEA05243EBD003CFDEAE877CCA4DA94605B67691919D8B033F77D384CA01593C1B"), SHEX("2F21D07D7B10683B9AC7A63E9FCC70CF9F887CB905F9BFF5332551288B288524")); test_hash(&nettle_sha3_256, /* 76 octets */ SHEX("90078999FD3C35B8AFBF4066CBDE335891365F0FC75C1286CDD88FA51FAB94F9B8DEF7C9AC582A5DBCD95817AFB7D1B48F63704E19C2BAA4DF347F48D4A6D603013C23F1E9611D595EBAC37C"), SHEX("80202F01E7140DB4FEE490DCC50AFAFDF6A48CA33D362C7875B8E8DB9C9D0655")); test_hash(&nettle_sha3_256, /* 77 octets */ SHEX("64105ECA863515C20E7CFBAA0A0B8809046164F374D691CDBD6508AAABC1819F9AC84B52BAFC1B0FE7CDDBC554B608C01C8904C669D8DB316A0953A4C68ECE324EC5A49FFDB59A1BD6A292AA0E"), SHEX("B2330A189047E3117479A2F20B3407A7D119E4AD431FE06FF1FF2A106F2AB3A2")); test_hash(&nettle_sha3_256, /* 78 octets */ SHEX("D4654BE288B9F3B711C2D02015978A8CC57471D5680A092AA534F7372C71CEAAB725A383C4FCF4D8DEAA57FCA3CE056F312961ECCF9B86F14981BA5BED6AB5B4498E1F6C82C6CAE6FC14845B3C8A"), SHEX("BB9B9BB685C241F8D63FDBF0DBAABCEF7075ADD7BA405A2FFFE7AD5B23E021C7")); test_hash(&nettle_sha3_256, /* 79 octets */ SHEX("12D9394888305AC96E65F2BF0E1B18C29C90FE9D714DD59F651F52B88B3008C588435548066EA2FC4C101118C91F32556224A540DE6EFDDBCA296EF1FB00341F5B01FECFC146BDB251B3BDAD556CD2"), SHEX("F8316A367AA0316DA3562F319D522E81F4A8BD2E2108D2532126F4A903704BA3")); test_hash(&nettle_sha3_256, /* 80 octets */ SHEX("871A0D7A5F36C3DA1DFCE57ACD8AB8487C274FAD336BC137EBD6FF4658B547C1DCFAB65F037AA58F35EF16AFF4ABE77BA61F65826F7BE681B5B6D5A1EA8085E2AE9CD5CF0991878A311B549A6D6AF230"), SHEX("89E3EBD02B229CD759612A5521D867AB2A1594BC0B1FE6A78B7954CCC84CAF03")); test_hash(&nettle_sha3_256, /* 81 octets */ SHEX("E90B4FFEF4D457BC7711FF4AA72231CA25AF6B2E206F8BF859D8758B89A7CD36105DB2538D06DA83BAD5F663BA11A5F6F61F236FD5F8D53C5E89F183A3CEC615B50C7C681E773D109FF7491B5CC22296C5"), SHEX("2E7CC875305EA6BB9C2FC770B9D84FD93B96405DF9B93307F6B5DE26E135724C")); test_hash(&nettle_sha3_256, /* 82 octets */ SHEX("E728DE62D75856500C4C77A428612CD804F30C3F10D36FB219C5CA0AA30726AB190E5F3F279E0733D77E7267C17BE27D21650A9A4D1E32F649627638DBADA9702C7CA303269ED14014B2F3CF8B894EAC8554"), SHEX("ECAB75F28A728429CB433EC13310D1B850CCF522C38D2FA6DFA489963D6D6CA7")); test_hash(&nettle_sha3_256, /* 83 octets */ SHEX("6348F229E7B1DF3B770C77544E5166E081850FA1C6C88169DB74C76E42EB983FACB276AD6A0D1FA7B50D3E3B6FCD799EC97470920A7ABED47D288FF883E24CA21C7F8016B93BB9B9E078BDB9703D2B781B616E"), SHEX("021C9459D1451F3DA4C07C029A8681945C87C5BEBC6C30DA1D95C5C49D8AB95C")); test_hash(&nettle_sha3_256, /* 84 octets */ SHEX("4B127FDE5DE733A1680C2790363627E63AC8A3F1B4707D982CAEA258655D9BF18F89AFE54127482BA01E08845594B671306A025C9A5C5B6F93B0A39522DC877437BE5C2436CBF300CE7AB6747934FCFC30AEAAF6"), SHEX("4642E21622F15B09B9413659680116BF2F96CAC2384B8C79F1328D5DD36D7A01")); test_hash(&nettle_sha3_256, /* 85 octets */ SHEX("08461F006CFF4CC64B752C957287E5A0FAABC05C9BFF89D23FD902D324C79903B48FCB8F8F4B01F3E4DDB483593D25F000386698F5ADE7FAADE9615FDC50D32785EA51D49894E45BAA3DC707E224688C6408B68B11"), SHEX("8DAA47C3572157266AD0276D5926AFF2872F06B0CD7B974A80D7A6827D41D782")); test_hash(&nettle_sha3_256, /* 86 octets */ SHEX("68C8F8849B120E6E0C9969A5866AF591A829B92F33CD9A4A3196957A148C49138E1E2F5C7619A6D5EDEBE995ACD81EC8BB9C7B9CFCA678D081EA9E25A75D39DB04E18D475920CE828B94E72241F24DB72546B352A0E4"), SHEX("345365232CE9AFC655DCE4BAC23F43C8ACBDF9016D4BC2344BE8D396A4919C34")); test_hash(&nettle_sha3_256, /* 87 octets */ SHEX("B8D56472954E31FB54E28FCA743F84D8DC34891CB564C64B08F7B71636DEBD64CA1EDBDBA7FC5C3E40049CE982BBA8C7E0703034E331384695E9DE76B5104F2FBC4535ECBEEBC33BC27F29F18F6F27E8023B0FBB6F563C"), SHEX("F52E102E57293878C28F29DEB47792324FE455A62FA7441AABCC16A9CFC40FFA")); test_hash(&nettle_sha3_256, /* 88 octets */ SHEX("0D58AC665FA84342E60CEFEE31B1A4EACDB092F122DFC68309077AED1F3E528F578859EE9E4CEFB4A728E946324927B675CD4F4AC84F64DB3DACFE850C1DD18744C74CECCD9FE4DC214085108F404EAB6D8F452B5442A47D"), SHEX("2B89AA88B1B7F9F8EA461C4C5CAE4829125F45F5697DEADB8DB2E964524C0D91")); test_hash(&nettle_sha3_256, /* 89 octets */ SHEX("1755E2D2E5D1C1B0156456B539753FF416651D44698E87002DCF61DCFA2B4E72F264D9AD591DF1FDEE7B41B2EB00283C5AEBB3411323B672EAA145C5125185104F20F335804B02325B6DEA65603F349F4D5D8B782DD3469CCD"), SHEX("3F3092365982C0B4278055BEEE9032FF9D1060E03C3B087E1A6197DEFC707E1A")); test_hash(&nettle_sha3_256, /* 90 octets */ SHEX("B180DE1A611111EE7584BA2C4B020598CD574AC77E404E853D15A101C6F5A2E5C801D7D85DC95286A1804C870BB9F00FD4DCB03AA8328275158819DCAD7253F3E3D237AEAA7979268A5DB1C6CE08A9EC7C2579783C8AFC1F91A7"), SHEX("3C74AAE2F340A24178CBAB51004CBA1AAC3D91133C300715EA82C177269C0556")); test_hash(&nettle_sha3_256, /* 91 octets */ SHEX("CF3583CBDFD4CBC17063B1E7D90B02F0E6E2EE05F99D77E24E560392535E47E05077157F96813544A17046914F9EFB64762A23CF7A49FE52A0A4C01C630CFE8727B81FB99A89FF7CC11DCA5173057E0417B8FE7A9EFBA6D95C555F"), SHEX("0157C4BA44618DED11E9800AFA07A0D5B6C711FC16A576C5EDB71C4CC6894F82")); test_hash(&nettle_sha3_256, /* 92 octets */ SHEX("072FC02340EF99115BAD72F92C01E4C093B9599F6CFC45CB380EE686CB5EB019E806AB9BD55E634AB10AA62A9510CC0672CD3EDDB589C7DF2B67FCD3329F61B1A4441ECA87A33C8F55DA4FBBAD5CF2B2527B8E983BB31A2FADEC7523"), SHEX("8D53DBA107AAACB8422D6667F6778839F8965F8E4C8F4A851284CC91168A9030")); test_hash(&nettle_sha3_256, /* 93 octets */ SHEX("76EECF956A52649F877528146DE33DF249CD800E21830F65E90F0F25CA9D6540FDE40603230ECA6760F1139C7F268DEBA2060631EEA92B1FFF05F93FD5572FBE29579ECD48BC3A8D6C2EB4A6B26E38D6C5FBF2C08044AEEA470A8F2F26"), SHEX("5163F02233E332AD9BE32C2346C9FCFE39AFA5FBE9BC1CFEB92F4920155B20EC")); test_hash(&nettle_sha3_256, /* 94 octets */ SHEX("7ADC0B6693E61C269F278E6944A5A2D8300981E40022F839AC644387BFAC9086650085C2CDC585FEA47B9D2E52D65A2B29A7DC370401EF5D60DD0D21F9E2B90FAE919319B14B8C5565B0423CEFB827D5F1203302A9D01523498A4DB10374"), SHEX("FAAF0E95217CA4B1568751EF2E4CD341D9EC33E16600BF09B92C6F1A6DF84D2E")); test_hash(&nettle_sha3_256, /* 95 octets */ SHEX("E1FFFA9826CCE8B86BCCEFB8794E48C46CDF372013F782ECED1E378269B7BE2B7BF51374092261AE120E822BE685F2E7A83664BCFBE38FE8633F24E633FFE1988E1BC5ACF59A587079A57A910BDA60060E85B5F5B6F776F0529639D9CCE4BD"), SHEX("B2C175D9D92AAA9EE72672F995B8DFD2DAAF6555A0327A508218A9B447F00BE8")); test_hash(&nettle_sha3_256, /* 96 octets */ SHEX("69F9ABBA65592EE01DB4DCE52DBAB90B08FC04193602792EE4DAA263033D59081587B09BBE49D0B49C9825D22840B2FF5D9C5155F975F8F2C2E7A90C75D2E4A8040FE39F63BBAFB403D9E28CC3B86E04E394A9C9E8065BD3C85FA9F0C7891600"), SHEX("FB5388122306D37CEE790CAD1D3CDDBA8E9A93D5F9D78288B052482739C883FD")); test_hash(&nettle_sha3_256, /* 97 octets */ SHEX("38A10A352CA5AEDFA8E19C64787D8E9C3A75DBF3B8674BFAB29B5DBFC15A63D10FAE66CD1A6E6D2452D557967EAAD89A4C98449787B0B3164CA5B717A93F24EB0B506CEB70CBBCB8D72B2A72993F909AAD92F044E0B5A2C9AC9CB16A0CA2F81F49"), SHEX("1C2F8D418FF6718B18DD4C756DCC8ED0F4755E8C22497A6CC19F8D7AE7FD2DA7")); test_hash(&nettle_sha3_256, /* 98 octets */ SHEX("6D8C6E449BC13634F115749C248C17CD148B72157A2C37BF8969EA83B4D6BA8C0EE2711C28EE11495F43049596520CE436004B026B6C1F7292B9C436B055CBB72D530D860D1276A1502A5140E3C3F54A93663E4D20EDEC32D284E25564F624955B52"), SHEX("7EA8116E6434C1CAA049069DBBD9B6F0E9DC6CDFD6A889343D3B2652803078FC")); test_hash(&nettle_sha3_256, /* 99 octets */ SHEX("6EFCBCAF451C129DBE00B9CEF0C3749D3EE9D41C7BD500ADE40CDC65DEDBBBADB885A5B14B32A0C0D087825201E303288A733842FA7E599C0C514E078F05C821C7A4498B01C40032E9F1872A1C925FA17CE253E8935E4C3C71282242CB716B2089CCC1"), SHEX("736D888751FAAC4D8E78B45B95ABB15D40D98D8038C7225BE0F523D5439EA5B6")); test_hash(&nettle_sha3_256, /* 100 octets */ SHEX("433C5303131624C0021D868A30825475E8D0BD3052A022180398F4CA4423B98214B6BEAAC21C8807A2C33F8C93BD42B092CC1B06CEDF3224D5ED1EC29784444F22E08A55AA58542B524B02CD3D5D5F6907AFE71C5D7462224A3F9D9E53E7E0846DCBB4CE"), SHEX("90E10B1CA8D352794D7DBD7BAE410BEF25F0EC7D080E053F48674237E33EA45F")); test_hash(&nettle_sha3_256, /* 101 octets */ SHEX("A873E0C67CA639026B6683008F7AA6324D4979550E9BCE064CA1E1FB97A30B147A24F3F666C0A72D71348EDE701CF2D17E2253C34D1EC3B647DBCEF2F879F4EB881C4830B791378C901EB725EA5C172316C6D606E0AF7DF4DF7F76E490CD30B2BADF45685F"), SHEX("8A0A8D6D55CCCBE05EC74DC273B16D66C9B9006665EECB5B6023D2EA39C64554")); test_hash(&nettle_sha3_256, /* 102 octets */ SHEX("006917B64F9DCDF1D2D87C8A6173B64F6587168E80FAA80F82D84F60301E561E312D9FBCE62F39A6FB476E01E925F26BCC91DE621449BE6504C504830AAE394096C8FC7694651051365D4EE9070101EC9B68086F2EA8F8AB7B811EA8AD934D5C9B62C60A4771"), SHEX("122895D63AA6030FC8F23940C528E7A5D9C7FB170A79FE7BC42360CE50E25B7A")); test_hash(&nettle_sha3_256, /* 103 octets */ SHEX("F13C972C52CB3CC4A4DF28C97F2DF11CE089B815466BE88863243EB318C2ADB1A417CB1041308598541720197B9B1CB5BA2318BD5574D1DF2174AF14884149BA9B2F446D609DF240CE335599957B8EC80876D9A085AE084907BC5961B20BF5F6CA58D5DAB38ADB"), SHEX("3E04EE539505C52D814CAB3C5CDD7DF2D6EEE627EA44188153EA6B8C8BE5F6C2")); test_hash(&nettle_sha3_256, /* 104 octets */ SHEX("E35780EB9799AD4C77535D4DDB683CF33EF367715327CF4C4A58ED9CBDCDD486F669F80189D549A9364FA82A51A52654EC721BB3AAB95DCEB4A86A6AFA93826DB923517E928F33E3FBA850D45660EF83B9876ACCAFA2A9987A254B137C6E140A21691E1069413848"), SHEX("E360B424A5C06704D148352E04F4651F8D3B385C01F24FDA09D266D4ED7FF662")); test_hash(&nettle_sha3_256, /* 105 octets */ SHEX("64EC021C9585E01FFE6D31BB50D44C79B6993D72678163DB474947A053674619D158016ADB243F5C8D50AA92F50AB36E579FF2DABB780A2B529370DAA299207CFBCDD3A9A25006D19C4F1FE33E4B1EAEC315D8C6EE1E730623FD1941875B924EB57D6D0C2EDC4E78D6"), SHEX("0D3BECB9E1B4AE1F15C9EE98732B4796E99FD799F76ED7332A68AB36C77A1EF9")); test_hash(&nettle_sha3_256, /* 106 octets */ SHEX("5954BAB512CF327D66B5D9F296180080402624AD7628506B555EEA8382562324CF452FBA4A2130DE3E165D11831A270D9CB97CE8C2D32A96F50D71600BB4CA268CF98E90D6496B0A6619A5A8C63DB6D8A0634DFC6C7EC8EA9C006B6C456F1B20CD19E781AF20454AC880"), SHEX("3AADD7E2086D383832489AA3088E903F5C6FA8E38DF2CF876E0B4DCDDCA5C923")); test_hash(&nettle_sha3_256, /* 107 octets */ SHEX("03D9F92B2C565709A568724A0AFF90F8F347F43B02338F94A03ED32E6F33666FF5802DA4C81BDCE0D0E86C04AFD4EDC2FC8B4141C2975B6F07639B1994C973D9A9AFCE3D9D365862003498513BFA166D2629E314D97441667B007414E739D7FEBF0FE3C32C17AA188A8683"), SHEX("715CED5776A802EB8EE02C9D46543FF46FE7A9CD192FA7D4FFB6E81427FE1B71")); test_hash(&nettle_sha3_256, /* 108 octets */ SHEX("F31E8B4F9E0621D531D22A380BE5D9ABD56FAEC53CBD39B1FAB230EA67184440E5B1D15457BD25F56204FA917FA48E669016CB48C1FFC1E1E45274B3B47379E00A43843CF8601A5551411EC12503E5AAC43D8676A1B2297EC7A0800DBFEE04292E937F21C005F17411473041"), SHEX("DDE61F8BE25B8B23E1212C1C0B8A85A0D02D8548BB17D377133E3C06DDB58CA2")); test_hash(&nettle_sha3_256, /* 109 octets */ SHEX("758EA3FEA738973DB0B8BE7E599BBEF4519373D6E6DCD7195EA885FC991D896762992759C2A09002912FB08E0CB5B76F49162AEB8CF87B172CF3AD190253DF612F77B1F0C532E3B5FC99C2D31F8F65011695A087A35EE4EEE5E334C369D8EE5D29F695815D866DA99DF3F79403"), SHEX("059F2BEDF4A6EEFB95FC5C0AE17556CE8BDDC5E1880FAB2F688A03A46BB28C5F")); test_hash(&nettle_sha3_256, /* 110 octets */ SHEX("47C6E0C2B74948465921868804F0F7BD50DD323583DC784F998A93CD1CA4C6EF84D41DC81C2C40F34B5BEE6A93867B3BDBA0052C5F59E6F3657918C382E771D33109122CC8BB0E1E53C4E3D13B43CE44970F5E0C079D2AD7D7A3549CD75760C21BB15B447589E86E8D76B1E9CED2"), SHEX("125B0EE7870A6F7EB4FD965D9E0B90D79FFFBC54A2018F4C68224682F3603F3F")); test_hash(&nettle_sha3_256, /* 111 octets */ SHEX("F690A132AB46B28EDFA6479283D6444E371C6459108AFD9C35DBD235E0B6B6FF4C4EA58E7554BD002460433B2164CA51E868F7947D7D7A0D792E4ABF0BE5F450853CC40D85485B2B8857EA31B5EA6E4CCFA2F3A7EF3380066D7D8979FDAC618AAD3D7E886DEA4F005AE4AD05E5065F"), SHEX("9A78E0B5A34CBF1716F14CF7B67EFDC4540A75CC646538A11A8EFD9D7CD7529F")); test_hash(&nettle_sha3_256, /* 112 octets */ SHEX("58D6A99BC6458824B256916770A8417040721CCCFD4B79EACD8B65A3767CE5BA7E74104C985AC56B8CC9AEBD16FEBD4CDA5ADB130B0FF2329CC8D611EB14DAC268A2F9E633C99DE33997FEA41C52A7C5E1317D5B5DAED35EBA7D5A60E45D1FA7EAABC35F5C2B0A0F2379231953322C4E"), SHEX("42305A251A8009EDFD62C7D91910B96B9B5DD8FDA5B1326FE41EF6EEF978D1BE")); test_hash(&nettle_sha3_256, /* 113 octets */ SHEX("BEFAB574396D7F8B6705E2D5B58B2C1C820BB24E3F4BAE3E8FBCD36DBF734EE14E5D6AB972AEDD3540235466E825850EE4C512EA9795ABFD33F330D9FD7F79E62BBB63A6EA85DE15BEAEEA6F8D204A28956059E2632D11861DFB0E65BC07AC8A159388D5C3277E227286F65FF5E5B5AEC1"), SHEX("6B9E8F3E82EA174EBC88A53C5DED06271D38F79E9CEC571A9D195EF549102EB8")); test_hash(&nettle_sha3_256, /* 114 octets */ SHEX("8E58144FA9179D686478622CE450C748260C95D1BA43B8F9B59ABECA8D93488DA73463EF40198B4D16FB0B0707201347E0506FF19D01BEA0F42B8AF9E71A1F1BD168781069D4D338FDEF00BF419FBB003031DF671F4A37979564F69282DE9C65407847DD0DA505AB1641C02DEA4F0D834986"), SHEX("358DE4C1ED30F48B084F961F653FEBC69318F93883612D5A04B9139A14EC702E")); test_hash(&nettle_sha3_256, /* 115 octets */ SHEX("B55C10EAE0EC684C16D13463F29291BF26C82E2FA0422A99C71DB4AF14DD9C7F33EDA52FD73D017CC0F2DBE734D831F0D820D06D5F89DACC485739144F8CFD4799223B1AFF9031A105CB6A029BA71E6E5867D85A554991C38DF3C9EF8C1E1E9A7630BE61CAABCA69280C399C1FB7A12D12AEFC"), SHEX("4A7BD18AE10EB9458924AA5CA00D3F634AB9753628107F15FF2BF24CCD3B94F4")); test_hash(&nettle_sha3_256, /* 116 octets */ SHEX("2EEEA693F585F4ED6F6F8865BBAE47A6908AECD7C429E4BEC4F0DE1D0CA0183FA201A0CB14A529B7D7AC0E6FF6607A3243EE9FB11BCF3E2304FE75FFCDDD6C5C2E2A4CD45F63C962D010645058D36571404A6D2B4F44755434D76998E83409C3205AA1615DB44057DB991231D2CB42624574F545"), SHEX("9889E4B3B1294A01556FA9DE6A6A508A9A763D5133FDCD4937B6BB23CA3E1901")); test_hash(&nettle_sha3_256, /* 117 octets */ SHEX("DAB11DC0B047DB0420A585F56C42D93175562852428499F66A0DB811FCDDDAB2F7CDFFED1543E5FB72110B64686BC7B6887A538AD44C050F1E42631BC4EC8A9F2A047163D822A38989EE4AAB01B4C1F161B062D873B1CFA388FD301514F62224157B9BEF423C7783B7AAC8D30D65CD1BBA8D689C2D"), SHEX("3D02B41985BDD1835CB474FB364C25C2CCA9DA0ED2FBBAB75524B410903815B9")); test_hash(&nettle_sha3_256, /* 118 octets */ SHEX("42E99A2F80AEE0E001279A2434F731E01D34A44B1A8101726921C0590C30F3120EB83059F325E894A5AC959DCA71CE2214799916424E859D27D789437B9D27240BF8C35ADBAFCECC322B48AA205B293962D858652ABACBD588BCF6CBC388D0993BD622F96ED54614C25B6A9AA527589EAAFFCF17DDF7"), SHEX("1CD92039BE4580C686796D5900EED431EBAD6EA566E9244E76BA6873EFCB49AB")); test_hash(&nettle_sha3_256, /* 119 octets */ SHEX("3C9B46450C0F2CAE8E3823F8BDB4277F31B744CE2EB17054BDDC6DFF36AF7F49FB8A2320CC3BDF8E0A2EA29AD3A55DE1165D219ADEDDB5175253E2D1489E9B6FDD02E2C3D3A4B54D60E3A47334C37913C5695378A669E9B72DEC32AF5434F93F46176EBF044C4784467C700470D0C0B40C8A088C815816"), SHEX("680C70B243163BE6E58ED3B8E2D85E6894E5E89501C444C8C0A2D776ACAD8599")); test_hash(&nettle_sha3_256, /* 120 octets */ SHEX("D1E654B77CB155F5C77971A64DF9E5D34C26A3CAD6C7F6B300D39DEB1910094691ADAA095BE4BA5D86690A976428635D5526F3E946F7DC3BD4DBC78999E653441187A81F9ADCD5A3C5F254BC8256B0158F54673DCC1232F6E918EBFC6C51CE67EAEB042D9F57EEC4BFE910E169AF78B3DE48D137DF4F2840"), SHEX("D65E823D2CE4EFFB9B27DBBF6EFCDA738AD152FBB12D2108D2EC6D050A3FB295")); test_hash(&nettle_sha3_256, /* 121 octets */ SHEX("626F68C18A69A6590159A9C46BE03D5965698F2DAC3DE779B878B3D9C421E0F21B955A16C715C1EC1E22CE3EB645B8B4F263F60660EA3028981EEBD6C8C3A367285B691C8EE56944A7CD1217997E1D9C21620B536BDBD5DE8925FF71DEC6FBC06624AB6B21E329813DE90D1E572DFB89A18120C3F606355D25"), SHEX("CE6D2DD8D5441FC15B888FED72061E129125431BEDEA32E00EE0A7655C06C358")); test_hash(&nettle_sha3_256, /* 122 octets */ SHEX("651A6FB3C4B80C7C68C6011675E6094EB56ABF5FC3057324EBC6477825061F9F27E7A94633ABD1FA598A746E4A577CAF524C52EC1788471F92B8C37F23795CA19D559D446CAB16CBCDCE90B79FA1026CEE77BF4AB1B503C5B94C2256AD75B3EAC6FD5DCB96ACA4B03A834BFB4E9AF988CECBF2AE597CB9097940"), SHEX("280713C0FA7160289FBFEE5AA580AD82512839153DAE47DE0D154384A4D8B3ED")); test_hash(&nettle_sha3_256, /* 123 octets */ SHEX("8AAF072FCE8A2D96BC10B3C91C809EE93072FB205CA7F10ABD82ECD82CF040B1BC49EA13D1857815C0E99781DE3ADBB5443CE1C897E55188CEAF221AA9681638DE05AE1B322938F46BCE51543B57ECDB4C266272259D1798DE13BE90E10EFEC2D07484D9B21A3870E2AA9E06C21AA2D0C9CF420080A80A91DEE16F"), SHEX("721FD872696F21DEAA9595C0CEE7BC07249601927C96A65826B4887CDBA1AE96")); test_hash(&nettle_sha3_256, /* 124 octets */ SHEX("53F918FD00B1701BD504F8CDEA803ACCA21AC18C564AB90C2A17DA592C7D69688F6580575395551E8CD33E0FEF08CA6ED4588D4D140B3E44C032355DF1C531564D7F4835753344345A6781E11CD5E095B73DF5F82C8AE3AD00877936896671E947CC52E2B29DCD463D90A0C9929128DA222B5A211450BBC0E02448E2"), SHEX("B53AF8620B39CAD2D698A176A070AEAA9FB67BD0335C3485A3B6C73A71DC5C5C")); test_hash(&nettle_sha3_256, /* 125 octets */ SHEX("A64599B8A61B5CCEC9E67AED69447459C8DA3D1EC6C7C7C82A7428B9B584FA67E90F68E2C00FBBED4613666E5168DA4A16F395F7A3C3832B3B134BFC9CBAA95D2A0FE252F44AC6681EB6D40AB91C1D0282FED6701C57463D3C5F2BB8C6A7301FB4576AA3B5F15510DB8956FF77478C26A7C09BEA7B398CFC83503F538E"), SHEX("78A18BF0A52E6F77F15F7FFE4CA3C999E57E1C3F6BF10950581F403450EDB797")); test_hash(&nettle_sha3_256, /* 126 octets */ SHEX("0E3AB0E054739B00CDB6A87BD12CAE024B54CB5E550E6C425360C2E87E59401F5EC24EF0314855F0F56C47695D56A7FB1417693AF2A1ED5291F2FEE95F75EED54A1B1C2E81226FBFF6F63ADE584911C71967A8EB70933BC3F5D15BC91B5C2644D9516D3C3A8C154EE48E118BD1442C043C7A0DBA5AC5B1D5360AAE5B9065"), SHEX("A7F0151EEE6B21FE827E69256D560E1EA8D939B80962FC7FA8610AC189402AD2")); test_hash(&nettle_sha3_256, /* 127 octets */ SHEX("A62FC595B4096E6336E53FCDFC8D1CC175D71DAC9D750A6133D23199EAAC288207944CEA6B16D27631915B4619F743DA2E30A0C00BBDB1BBB35AB852EF3B9AEC6B0A8DCC6E9E1ABAA3AD62AC0A6C5DE765DE2C3711B769E3FDE44A74016FFF82AC46FA8F1797D3B2A726B696E3DEA5530439ACEE3A45C2A51BC32DD055650B"), SHEX("0A09C4B18F5117F0E45D43E235BB14E55B162E99EB3744165196D04A854229F9")); test_hash(&nettle_sha3_256, /* 128 octets */ SHEX("2B6DB7CED8665EBE9DEB080295218426BDAA7C6DA9ADD2088932CDFFBAA1C14129BCCDD70F369EFB149285858D2B1D155D14DE2FDB680A8B027284055182A0CAE275234CC9C92863C1B4AB66F304CF0621CD54565F5BFF461D3B461BD40DF28198E3732501B4860EADD503D26D6E69338F4E0456E9E9BAF3D827AE685FB1D817"), SHEX("B7D031AA69B7B4D26A35B896D761314F1D61EB12DCC1E72AAF61B9CD48003AF9")); test_hash(&nettle_sha3_256, /* 129 octets */ SHEX("10DB509B2CDCABA6C062AE33BE48116A29EB18E390E1BBADA5CA0A2718AFBCD23431440106594893043CC7F2625281BF7DE2655880966A23705F0C5155C2F5CCA9F2C2142E96D0A2E763B70686CD421B5DB812DACED0C6D65035FDE558E94F26B3E6DDE5BD13980CC80292B723013BD033284584BFF27657871B0CF07A849F4AE2"), SHEX("EC0858C9D017A2D3727CAADE7E4872684F17B822CAFECDA445A15CF30FAC8CF0")); test_hash(&nettle_sha3_256, /* 130 octets */ SHEX("9334DE60C997BDA6086101A6314F64E4458F5FF9450C509DF006E8C547983C651CA97879175AABA0C539E82D05C1E02C480975CBB30118121061B1EBAC4F8D9A3781E2DB6B18042E01ECF9017A64A0E57447EC7FCBE6A7F82585F7403EE2223D52D37B4BF426428613D6B4257980972A0ACAB508A7620C1CB28EB4E9D30FC41361EC"), SHEX("71E1D610B576063F2B12F691220BEADF506BEC0A3A086BBE5864FB54F93DB556")); test_hash(&nettle_sha3_256, /* 131 octets */ SHEX("E88AB086891693AA535CEB20E64C7AB97C7DD3548F3786339897A5F0C39031549CA870166E477743CCFBE016B4428D89738E426F5FFE81626137F17AECFF61B72DBEE2DC20961880CFE281DFAB5EE38B1921881450E16032DE5E4D55AD8D4FCA609721B0692BAC79BE5A06E177FE8C80C0C83519FB3347DE9F43D5561CB8107B9B5EDC"), SHEX("72A8A7493309080ACCCA2A2A21D641F2B9685B7362BE496DC7BC330659F8CFE1")); test_hash(&nettle_sha3_256, /* 132 octets */ SHEX("FD19E01A83EB6EC810B94582CB8FBFA2FCB992B53684FB748D2264F020D3B960CB1D6B8C348C2B54A9FCEA72330C2AAA9A24ECDB00C436ABC702361A82BB8828B85369B8C72ECE0082FE06557163899C2A0EFA466C33C04343A839417057399A63A3929BE1EE4805D6CE3E5D0D0967FE9004696A5663F4CAC9179006A2CEB75542D75D68"), SHEX("AF19E988D37E2577DA4F43463789B73625D354FCCCBD10CD2C61FBDC8BB01827")); test_hash(&nettle_sha3_256, /* 133 octets */ SHEX("59AE20B6F7E0B3C7A989AFB28324A40FCA25D8651CF1F46AE383EF6D8441587AA1C04C3E3BF88E8131CE6145CFB8973D961E8432B202FA5AF3E09D625FAAD825BC19DA9B5C6C20D02ABDA2FCC58B5BD3FE507BF201263F30543819510C12BC23E2DDB4F711D087A86EDB1B355313363A2DE996B891025E147036087401CCF3CA7815BF3C49"), SHEX("F1E9B9CEF2B37E4EC3A0FCD5EFF5BF7E3D49100AEBF018DC92FB6A40E4297704")); test_hash(&nettle_sha3_256, /* 134 octets */ SHEX("77EE804B9F3295AB2362798B72B0A1B2D3291DCEB8139896355830F34B3B328561531F8079B79A6E9980705150866402FDC176C05897E359A6CB1A7AB067383EB497182A7E5AEF7038E4C96D133B2782917417E391535B5E1B51F47D8ED7E4D4025FE98DC87B9C1622614BFF3D1029E68E372DE719803857CA52067CDDAAD958951CB2068CC6"), SHEX("DD3EBE0CCA0CAD3AF72AF73FB49D40DBDCC4B1F1FF465CCAEFE672F77992ACA0")); test_hash(&nettle_sha3_256, /* 135 octets */ SHEX("B771D5CEF5D1A41A93D15643D7181D2A2EF0A8E84D91812F20ED21F147BEF732BF3A60EF4067C3734B85BC8CD471780F10DC9E8291B58339A677B960218F71E793F2797AEA349406512829065D37BB55EA796FA4F56FD8896B49B2CD19B43215AD967C712B24E5032D065232E02C127409D2ED4146B9D75D763D52DB98D949D3B0FED6A8052FBB"), SHEX("A19EEE92BB2097B64E823D597798AA18BE9B7C736B8059ABFD6779AC35AC81B5")); test_hash(&nettle_sha3_256, /* 136 octets */ SHEX("B32D95B0B9AAD2A8816DE6D06D1F86008505BD8C14124F6E9A163B5A2ADE55F835D0EC3880EF50700D3B25E42CC0AF050CCD1BE5E555B23087E04D7BF9813622780C7313A1954F8740B6EE2D3F71F768DD417F520482BD3A08D4F222B4EE9DBD015447B33507DD50F3AB4247C5DE9A8ABD62A8DECEA01E3B87C8B927F5B08BEB37674C6F8E380C04"), SHEX("DF673F4105379FF6B755EEAB20CEB0DC77B5286364FE16C59CC8A907AFF07732")); test_hash(&nettle_sha3_256, /* 137 octets */ SHEX("04410E31082A47584B406F051398A6ABE74E4DA59BB6F85E6B49E8A1F7F2CA00DFBA5462C2CD2BFDE8B64FB21D70C083F11318B56A52D03B81CAC5EEC29EB31BD0078B6156786DA3D6D8C33098C5C47BB67AC64DB14165AF65B44544D806DDE5F487D5373C7F9792C299E9686B7E5821E7C8E2458315B996B5677D926DAC57B3F22DA873C601016A0D"), SHEX("D52432CF3B6B4B949AA848E058DCD62D735E0177279222E7AC0AF8504762FAA0")); test_hash(&nettle_sha3_256, /* 138 octets */ SHEX("8B81E9BADDE026F14D95C019977024C9E13DB7A5CD21F9E9FC491D716164BBACDC7060D882615D411438AEA056C340CDF977788F6E17D118DE55026855F93270472D1FD18B9E7E812BAE107E0DFDE7063301B71F6CFE4E225CAB3B232905A56E994F08EE2891BA922D49C3DAFEB75F7C69750CB67D822C96176C46BD8A29F1701373FB09A1A6E3C7158F"), SHEX("07E65754D62E01B9A049D15DEC0D09C02F479CA2AEB4B18E37070B20F85A1B26")); test_hash(&nettle_sha3_256, /* 139 octets */ SHEX("FA6EED24DA6666A22208146B19A532C2EC9BA94F09F1DEF1E7FC13C399A48E41ACC2A589D099276296348F396253B57CB0E40291BD282773656B6E0D8BEA1CDA084A3738816A840485FCF3FB307F777FA5FEAC48695C2AF4769720258C77943FB4556C362D9CBA8BF103AEB9034BAA8EA8BFB9C4F8E6742CE0D52C49EA8E974F339612E830E9E7A9C29065"), SHEX("17A461B8EE507ABCFED51A50EF14891309FE402C569D94394CA7A3031BEFCD50")); test_hash(&nettle_sha3_256, /* 140 octets */ SHEX("9BB4AF1B4F09C071CE3CAFA92E4EB73CE8A6F5D82A85733440368DEE4EB1CBC7B55AC150773B6FE47DBE036C45582ED67E23F4C74585DAB509DF1B83610564545642B2B1EC463E18048FC23477C6B2AA035594ECD33791AF6AF4CBC2A1166ABA8D628C57E707F0B0E8707CAF91CD44BDB915E0296E0190D56D33D8DDE10B5B60377838973C1D943C22ED335E"), SHEX("A03C6B5B51AE4AA00912AF1CFB6C7B960EF58036156497CC567B1369149A5949")); test_hash(&nettle_sha3_256, /* 141 octets */ SHEX("2167F02118CC62043E9091A647CADBED95611A521FE0D64E8518F16C808AB297725598AE296880A773607A798F7C3CFCE80D251EBEC6885015F9ABF7EAABAE46798F82CB5926DE5C23F44A3F9F9534B3C6F405B5364C2F8A8BDC5CA49C749BED8CE4BA48897062AE8424CA6DDE5F55C0E42A95D1E292CA54FB46A84FBC9CD87F2D0C9E7448DE3043AE22FDD229"), SHEX("14C69C5EABDEFC9E3A1461A379EC92C32BC6B69071029CB3655159DB1A5251A7")); test_hash(&nettle_sha3_256, /* 142 octets */ SHEX("94B7FA0BC1C44E949B1D7617D31B4720CBE7CA57C6FA4F4094D4761567E389ECC64F6968E4064DF70DF836A47D0C713336B5028B35930D29EB7A7F9A5AF9AD5CF441745BAEC9BB014CEEFF5A41BA5C1CE085FEB980BAB9CF79F2158E03EF7E63E29C38D7816A84D4F71E0F548B7FC316085AE38A060FF9B8DEC36F91AD9EBC0A5B6C338CBB8F6659D342A24368CF"), SHEX("3CBE06887C8AE360E957EB08CA577834C457FADF418D0CB73967FA827A22A4D7")); test_hash(&nettle_sha3_256, /* 143 octets */ SHEX("EA40E83CB18B3A242C1ECC6CCD0B7853A439DAB2C569CFC6DC38A19F5C90ACBF76AEF9EA3742FF3B54EF7D36EB7CE4FF1C9AB3BC119CFF6BE93C03E208783335C0AB8137BE5B10CDC66FF3F89A1BDDC6A1EED74F504CBE7290690BB295A872B9E3FE2CEE9E6C67C41DB8EFD7D863CF10F840FE618E7936DA3DCA5CA6DF933F24F6954BA0801A1294CD8D7E66DFAFEC"), SHEX("E58A947E98D6DD7E932D2FE02D9992E6118C0C2C606BDCDA06E7943D2C95E0E5")); test_hash(&nettle_sha3_256, /* 144 octets */ SHEX("157D5B7E4507F66D9A267476D33831E7BB768D4D04CC3438DA12F9010263EA5FCAFBDE2579DB2F6B58F911D593D5F79FB05FE3596E3FA80FF2F761D1B0E57080055C118C53E53CDB63055261D7C9B2B39BD90ACC32520CBBDBDA2C4FD8856DBCEE173132A2679198DAF83007A9B5C51511AE49766C792A29520388444EBEFE28256FB33D4260439CBA73A9479EE00C63"), SHEX("A936FB9AF87FB67857B3EAD5C76226AD84DA47678F3C2FFE5A39FDB5F7E63FFB")); test_hash(&nettle_sha3_256, /* 145 octets */ SHEX("836B34B515476F613FE447A4E0C3F3B8F20910AC89A3977055C960D2D5D2B72BD8ACC715A9035321B86703A411DDE0466D58A59769672AA60AD587B8481DE4BBA552A1645779789501EC53D540B904821F32B0BD1855B04E4848F9F8CFE9EBD8911BE95781A759D7AD9724A7102DBE576776B7C632BC39B9B5E19057E226552A5994C1DBB3B5C7871A11F5537011044C53"), SHEX("3A654B88F88086C2751EDAE6D39248143CF6235C6B0B7969342C45A35194B67E")); test_hash(&nettle_sha3_256, /* 146 octets */ SHEX("CC7784A4912A7AB5AD3620AAB29BA87077CD3CB83636ADC9F3DC94F51EDF521B2161EF108F21A0A298557981C0E53CE6CED45BDF782C1EF200D29BAB81DD6460586964EDAB7CEBDBBEC75FD7925060F7DA2B853B2B089588FA0F8C16EC6498B14C55DCEE335CB3A91D698E4D393AB8E8EAC0825F8ADEBEEE196DF41205C011674E53426CAA453F8DE1CBB57932B0B741D4C6"), SHEX("19A3CB3E8551F08FBBA5DB614E268F63D1F6A0C3689BBE973D59D35BB4F455D0")); test_hash(&nettle_sha3_256, /* 147 octets */ SHEX("7639B461FFF270B2455AC1D1AFCE782944AEA5E9087EB4A39EB96BB5C3BAAF0E868C8526D3404F9405E79E77BFAC5FFB89BF1957B523E17D341D7323C302EA7083872DD5E8705694ACDDA36D5A1B895AAA16ECA6104C82688532C8BFE1790B5DC9F4EC5FE95BAED37E1D287BE710431F1E5E8EE105BC42ED37D74B1E55984BF1C09FE6A1FA13EF3B96FAEAED6A2A1950A12153"), SHEX("CA8CFB13973FF8597D6AAA806BD32E82F4EA68BAC3FB543F26687DE4B9CBE8BD")); test_hash(&nettle_sha3_256, /* 148 octets */ SHEX("EB6513FC61B30CFBA58D4D7E80F94D14589090CF1D80B1DF2E68088DC6104959BA0D583D585E9578AB0AEC0CF36C48435EB52ED9AB4BBCE7A5ABE679C97AE2DBE35E8CC1D45B06DDA3CF418665C57CBEE4BBB47FA4CAF78F4EE656FEC237FE4EEBBAFA206E1EF2BD0EE4AE71BD0E9B2F54F91DAADF1FEBFD7032381D636B733DCB3BF76FB14E23AFF1F68ED3DBCF75C9B99C6F26"), SHEX("9AE670FA85AB5C6B3BC76797CF24CD385110708137B6F8EFD8D1A21C39881C18")); test_hash(&nettle_sha3_256, /* 149 octets */ SHEX("1594D74BF5DDE444265D4C04DAD9721FF3E34CBF622DAF341FE16B96431F6C4DF1F760D34F296EB97D98D560AD5286FEC4DCE1724F20B54FD7DF51D4BF137ADD656C80546FB1BF516D62EE82BAA992910EF4CC18B70F3F8698276FCFB44E0EC546C2C39CFD8EE91034FF9303058B4252462F86C823EB15BF481E6B79CC3A02218595B3658E8B37382BD5048EAED5FD02C37944E73B"), SHEX("E32DF6218BA75FD4788A7E5727A7D68C5829C49346683FC213E433AF3DBA5AB5")); test_hash(&nettle_sha3_256, /* 150 octets */ SHEX("4CFA1278903026F66FEDD41374558BE1B585D03C5C55DAC94361DF286D4BD39C7CB8037ED3B267B07C346626449D0CC5B0DD2CF221F7E4C3449A4BE99985D2D5E67BFF2923357DDEAB5ABCB4619F3A3A57B2CF928A022EB27676C6CF805689004FCA4D41EA6C2D0A4789C7605F7BB838DD883B3AD3E6027E775BCF262881428099C7FFF95B14C095EA130E0B9938A5E22FC52650F591"), SHEX("028173E3C6C392E5D13AF748F3788D43449BC5DD5953124EA5EDF3930275F665")); test_hash(&nettle_sha3_256, /* 151 octets */ SHEX("D3E65CB92CFA79662F6AF493D696A07CCF32AAADCCEFF06E73E8D9F6F909209E66715D6E978788C49EFB9087B170ECF3AA86D2D4D1A065AE0EFC8924F365D676B3CB9E2BEC918FD96D0B43DEE83727C9A93BF56CA2B2E59ADBA85696546A815067FC7A78039629D4948D157E7B0D826D1BF8E81237BAB7321312FDAA4D521744F988DB6FDF04549D0FDCA393D639C729AF716E9C8BBA48"), SHEX("97450FC46F2E5DF8F81623B1CCA43FA50F51EA735E4421D7DFF66314D8E211BC")); test_hash(&nettle_sha3_256, /* 152 octets */ SHEX("842CC583504539622D7F71E7E31863A2B885C56A0BA62DB4C2A3F2FD12E79660DC7205CA29A0DC0A87DB4DC62EE47A41DB36B9DDB3293B9AC4BAAE7DF5C6E7201E17F717AB56E12CAD476BE49608AD2D50309E7D48D2D8DE4FA58AC3CFEAFEEE48C0A9EEC88498E3EFC51F54D300D828DDDCCB9D0B06DD021A29CF5CB5B2506915BEB8A11998B8B886E0F9B7A80E97D91A7D01270F9A7717"), SHEX("AB4E5A70390577F8AE260D53CB0E70914F8B9398ABAA841F7807F1476046C64F")); test_hash(&nettle_sha3_256, /* 153 octets */ SHEX("6C4B0A0719573E57248661E98FEBE326571F9A1CA813D3638531AE28B4860F23C3A3A8AC1C250034A660E2D71E16D3ACC4BF9CE215C6F15B1C0FC7E77D3D27157E66DA9CEEC9258F8F2BF9E02B4AC93793DD6E29E307EDE3695A0DF63CBDC0FC66FB770813EB149CA2A916911BEE4902C47C7802E69E405FE3C04CEB5522792A5503FA829F707272226621F7C488A7698C0D69AA561BE9F378"), SHEX("8118F2C157DF1250DB43B31183F442F89B322E496918838C5B668F9647AC6D6B")); test_hash(&nettle_sha3_256, /* 154 octets */ SHEX("51B7DBB7CE2FFEB427A91CCFE5218FD40F9E0B7E24756D4C47CD55606008BDC27D16400933906FD9F30EFFDD4880022D081155342AF3FB6CD53672AB7FB5B3A3BCBE47BE1FD3A2278CAE8A5FD61C1433F7D350675DD21803746CADCA574130F01200024C6340AB0CC2CF74F2234669F34E9009EF2EB94823D62B31407F4BA46F1A1EEC41641E84D77727B59E746B8A671BEF936F05BE820759FA"), SHEX("736E30ACCC5559188412C797A1A5BE61D1F90F149401F631597944155A85FAF7")); test_hash(&nettle_sha3_256, /* 155 octets */ SHEX("83599D93F5561E821BD01A472386BC2FF4EFBD4AED60D5821E84AAE74D8071029810F5E286F8F17651CD27DA07B1EB4382F754CD1C95268783AD09220F5502840370D494BEB17124220F6AFCE91EC8A0F55231F9652433E5CE3489B727716CF4AEBA7DCDA20CD29AA9A859201253F948DD94395ABA9E3852BD1D60DDA7AE5DC045B283DA006E1CBAD83CC13292A315DB5553305C628DD091146597"), SHEX("9599DEECCC698A24A461A7419E91939C741613F4CE887DBA89DC7E327C51F5BF")); test_hash(&nettle_sha3_256, /* 156 octets */ SHEX("2BE9BF526C9D5A75D565DD11EF63B979D068659C7F026C08BEA4AF161D85A462D80E45040E91F4165C074C43AC661380311A8CBED59CC8E4C4518E80CD2C78AB1CABF66BFF83EAB3A80148550307310950D034A6286C93A1ECE8929E6385C5E3BB6EA8A7C0FB6D6332E320E71CC4EB462A2A62E2BFE08F0CCAD93E61BEDB5DD0B786A728AB666F07E0576D189C92BF9FB20DCA49AC2D3956D47385E2"), SHEX("BE0D871606A4C129CEF616F438600D5CBC0E9F49D2ADC8A86571C192361C3F4F")); test_hash(&nettle_sha3_256, /* 157 octets */ SHEX("CA76D3A12595A817682617006848675547D3E8F50C2210F9AF906C0E7CE50B4460186FE70457A9E879E79FD4D1A688C70A347361C847BA0DD6AA52936EAF8E58A1BE2F5C1C704E20146D366AEB3853BED9DE9BEFE9569AC8AAEA37A9FB7139A1A1A7D5C748605A8DEFB297869EBEDD71D615A5DA23496D11E11ABBB126B206FA0A7797EE7DE117986012D0362DCEF775C2FE145ADA6BDA1CCB326BF644"), SHEX("4D30600C60ED94A0D2BCC17571A19BD0170CDACAC78D0421E0BBAE2A36A48B6D")); test_hash(&nettle_sha3_256, /* 158 octets */ SHEX("F76B85DC67421025D64E93096D1D712B7BAF7FB001716F02D33B2160C2C882C310EF13A576B1C2D30EF8F78EF8D2F465007109AAD93F74CB9E7D7BEF7C9590E8AF3B267C89C15DB238138C45833C98CC4A471A7802723EF4C744A853CF80A0C2568DD4ED58A2C9644806F42104CEE53628E5BDF7B63B0B338E931E31B87C24B146C6D040605567CEEF5960DF9E022CB469D4C787F4CBA3C544A1AC91F95F"), SHEX("3BD6FB72764F7AD4391B7B40AEA424ABD5F5561AC56F9E072C753D6090FA4BFB")); test_hash(&nettle_sha3_256, /* 159 octets */ SHEX("25B8C9C032EA6BCD733FFC8718FBB2A503A4EA8F71DEA1176189F694304F0FF68E862A8197B839957549EF243A5279FC2646BD4C009B6D1EDEBF24738197ABB4C992F6B1DC9BA891F570879ACCD5A6B18691A93C7D0A8D38F95B639C1DAEB48C4C2F15CCF5B9D508F8333C32DE78781B41850F261B855C4BEBCC125A380C54D501C5D3BD07E6B52102116088E53D76583B0161E2A58D0778F091206AABD5A1"), SHEX("6689BB25BAEE0C582F8F1B0C87073BE366644DA859313BECF446435D2F6E899E")); test_hash(&nettle_sha3_256, /* 160 octets */ SHEX("21CFDC2A7CCB7F331B3D2EEFFF37E48AD9FA9C788C3F3C200E0173D99963E1CBCA93623B264E920394AE48BB4C3A5BB96FFBC8F0E53F30E22956ADABC2765F57FB761E147ECBF8567533DB6E50C8A1F894310A94EDF806DD8CA6A0E141C0FA7C9FAE6C6AE65F18C93A8529E6E5B553BF55F25BE2E80A9882BD37F145FECBEB3D447A3C4E46C21524CC55CDD62F521AB92A8BA72B897996C49BB273198B7B1C9E"), SHEX("2628DDC7758208AA9F1E49497224EB268C6D2BCDAAB4820DE9C16A65C6F6017A")); test_hash(&nettle_sha3_256, /* 161 octets */ SHEX("4E452BA42127DCC956EF4F8F35DD68CB225FB73B5BC7E1EC5A898BBA2931563E74FAFF3B67314F241EC49F4A7061E3BD0213AE826BAB380F1F14FAAB8B0EFDDD5FD1BB49373853A08F30553D5A55CCBBB8153DE4704F29CA2BDEEF0419468E05DD51557CCC80C0A96190BBCC4D77ECFF21C66BDF486459D427F986410F883A80A5BCC32C20F0478BB9A97A126FC5F95451E40F292A4614930D054C851ACD019CCF"), SHEX("DF448936EE72D9FE6CCFB37D183AAFDDC7908E016271AFA81EC083A10A144F5D")); test_hash(&nettle_sha3_256, /* 162 octets */ SHEX("FA85671DF7DADF99A6FFEE97A3AB9991671F5629195049880497487867A6C446B60087FAC9A0F2FCC8E3B24E97E42345B93B5F7D3691829D3F8CCD4BB36411B85FC2328EB0C51CB3151F70860AD3246CE0623A8DC8B3C49F958F8690F8E3860E71EB2B1479A5CEA0B3F8BEFD87ACAF5362435EAECCB52F38617BC6C5C2C6E269EAD1FBD69E941D4AD2012DA2C5B21BCFBF98E4A77AB2AF1F3FDA3233F046D38F1DC8"), SHEX("2BB4CEC22A4FECD83FBBBAD1E3835343E36C6CB66C26964A432EC4C70F3E17B4")); test_hash(&nettle_sha3_256, /* 163 octets */ SHEX("E90847AE6797FBC0B6B36D6E588C0A743D725788CA50B6D792352EA8294F5BA654A15366B8E1B288D84F5178240827975A763BC45C7B0430E8A559DF4488505E009C63DA994F1403F407958203CEBB6E37D89C94A5EACF6039A327F6C4DBBC7A2A307D976AA39E41AF6537243FC218DFA6AB4DD817B6A397DF5CA69107A9198799ED248641B63B42CB4C29BFDD7975AC96EDFC274AC562D0474C60347A078CE4C25E88"), SHEX("1462F2EA1C3580C0A2E8C0B30C27A608D82CD707F6D1A0AAD5CC7C3D1B8D6C30")); test_hash(&nettle_sha3_256, /* 164 octets */ SHEX("F6D5C2B6C93954FC627602C00C4CA9A7D3ED12B27173F0B2C9B0E4A5939398A665E67E69D0B12FB7E4CEB253E8083D1CEB724AC07F009F094E42F2D6F2129489E846EAFF0700A8D4453EF453A3EDDC18F408C77A83275617FABC4EA3A2833AA73406C0E966276079D38E8E38539A70E194CC5513AAA457C699383FD1900B1E72BDFB835D1FD321B37BA80549B078A49EA08152869A918CA57F5B54ED71E4FD3AC5C06729"), SHEX("617B412ED64F56D6DB36B7E52EAD618D95A091D65052C3F376A532D8BBDAF7C7")); test_hash(&nettle_sha3_256, /* 165 octets */ SHEX("CF8562B1BED89892D67DDAAF3DEEB28246456E972326DBCDB5CF3FB289ACA01E68DA5D59896E3A6165358B071B304D6AB3D018944BE5049D5E0E2BB819ACF67A6006111089E6767132D72DD85BEDDCBB2D64496DB0CC92955AB4C6234F1EEA24F2D51483F2E209E4589BF9519FAC51B4D061E801125E605F8093BB6997BC163D551596FE4AB7CFAE8FB9A90F6980480CE0C229FD1675409BD788354DAF316240CFE0AF93EB"), SHEX("82C541EA5CB15D1A4125F536825938C2358EEC2BDDC5D1CC4042DE3AF036CA55")); test_hash(&nettle_sha3_256, /* 166 octets */ SHEX("2ACE31ABB0A2E3267944D2F75E1559985DB7354C6E605F18DC8470423FCA30B7331D9B33C4A4326783D1CAAE1B4F07060EFF978E4746BF0C7E30CD61040BD5EC2746B29863EB7F103EBDA614C4291A805B6A4C8214230564A0557BC7102E0BD3ED23719252F7435D64D210EE2AAFC585BE903FA41E1968C50FD5D5367926DF7A05E3A42CF07E656FF92DE73B036CF8B19898C0CB34557C0C12C2D8B84E91181AF467BC75A9D1"), SHEX("684BB7932433218C616F0590B039CEFAC972828470647D1591CEAC889C893272")); test_hash(&nettle_sha3_256, /* 167 octets */ SHEX("0D8D09AED19F1013969CE5E7EB92F83A209AE76BE31C754844EA9116CEB39A22EBB6003017BBCF26555FA6624185187DB8F0CB3564B8B1C06BF685D47F3286EDA20B83358F599D2044BBF0583FAB8D78F854FE0A596183230C5EF8E54426750EAF2CC4E29D3BDD037E734D863C2BD9789B4C243096138F7672C232314EFFDFC6513427E2DA76916B5248933BE312EB5DDE4CF70804FB258AC5FB82D58D08177AC6F4756017FFF5"), SHEX("508B2AF376BA6467CF982C767C848D2BDA8D068A53416F074A0C98C473D02F6B")); test_hash(&nettle_sha3_256, /* 168 octets */ SHEX("C3236B73DEB7662BF3F3DAA58F137B358BA610560EF7455785A9BEFDB035A066E90704F929BD9689CEF0CE3BDA5ACF4480BCEB8D09D10B098AD8500D9B6071DFC3A14AF6C77511D81E3AA8844986C3BEA6F469F9E02194C92868CD5F51646256798FF0424954C1434BDFED9FACB390B07D342E992936E0F88BFD0E884A0DDB679D0547CCDEC6384285A45429D115AC7D235A717242021D1DC35641F5F0A48E8445DBA58E6CB2C8EA"), SHEX("55E228BCBDA7061642D004373D4E6407B72A37381D1BEFFCBFBF9F5F6EA093EA")); test_hash(&nettle_sha3_256, /* 169 octets */ SHEX("B39FEB8283EADC63E8184B51DF5AE3FD41AAC8A963BB0BE1CD08AA5867D8D910C669221E73243360646F6553D1CA05A84E8DC0DE05B6419EC349CA994480193D01C92525F3FB3DCEFB08AFC6D26947BDBBFD85193F53B50609C6140905C53A6686B58E53A319A57B962331EDE98149AF3DE3118A819DA4D76706A0424B4E1D2910B0ED26AF61D150EBCB46595D4266A0BD7F651BA47D0C7F179CA28545007D92E8419D48FDFBD744CE"), SHEX("0523C09BBCFFE418D3FCD22C6ABF95ABFB38F94CE5562B8BFCD2EEA9FB729041")); test_hash(&nettle_sha3_256, /* 170 octets */ SHEX("A983D54F503803E8C7999F4EDBBE82E9084F422143A932DDDDC47A17B0B7564A7F37A99D0786E99476428D29E29D3C197A72BFAB1342C12A0FC4787FD7017D7A6174049EA43B5779169EF7472BDBBD941DCB82FC73AAC45A8A94C9F2BD3477F61FD3B796F02A1B8264A214C6FEA74B7051B226C722099EC7883A462B83B6AFDD4009248B8A237F605FE5A08FE7D8B45321421EBBA67BD70A0B00DDBF94BAAB7F359D5D1EEA105F28DCFB"), SHEX("DCBC258241ADED3799996C2AD6ED0E3D74CFCC67749D3480B2A9A78E5F8AFF82")); test_hash(&nettle_sha3_256, /* 171 octets */ SHEX("E4D1C1897A0A866CE564635B74222F9696BF2C7F640DD78D7E2ACA66E1B61C642BB03EA7536AAE597811E9BF4A7B453EDE31F97B46A5F0EF51A071A2B3918DF16B152519AE3776F9F1EDAB4C2A377C3292E96408359D3613844D5EB393000283D5AD3401A318B12FD1474B8612F2BB50FB6A8B9E023A54D7DDE28C43D6D8854C8D9D1155935C199811DBFC87E9E0072E90EB88681CC7529714F8FB8A2C9D88567ADFB974EE205A9BF7B848"), SHEX("CBE8318E7B2FE72BFCD2530CCCECEA4018B1587F483B73F50CE5E84CED65E093")); test_hash(&nettle_sha3_256, /* 172 octets */ SHEX("B10C59723E3DCADD6D75DF87D0A1580E73133A9B7D00CB95EC19F5547027323BE75158B11F80B6E142C6A78531886D9047B08E551E75E6261E79785366D7024BD7CD9CF322D9BE7D57FB661069F2481C7BB759CD71B4B36CA2BC2DF6D3A328FAEBDB995A9794A8D72155ED551A1F87C80BF6059B43FC764900B18A1C2441F7487743CF84E565F61F8DD2ECE6B6CCC9444049197AAAF53E926FBEE3BFCA8BE588EC77F29D211BE89DE18B15F6"), SHEX("8CEA2960087048E6E6D47E31554F305FCC81E03E90BA8F8332DD86C6B6B38E03")); test_hash(&nettle_sha3_256, /* 173 octets */ SHEX("DB11F609BABA7B0CA634926B1DD539C8CBADA24967D7ADD4D9876F77C2D80C0F4DCEFBD7121548373582705CCA2495BD2A43716FE64ED26D059CFB566B3364BD49EE0717BDD9810DD14D8FAD80DBBDC4CAFB37CC60FB0FE2A80FB4541B8CA9D59DCE457738A9D3D8F641AF8C3FD6DA162DC16FC01AAC527A4A0255B4D231C0BE50F44F0DB0B713AF03D968FE7F0F61ED0824C55C4B5265548FEBD6AAD5C5EEDF63EFE793489C39B8FD29D104CE"), SHEX("44E276991E5382BD7EB5ADCF1F79362804D346BEDFC6916F4DCA4B57240E9C99")); test_hash(&nettle_sha3_256, /* 174 octets */ SHEX("BEBD4F1A84FC8B15E4452A54BD02D69E304B7F32616AADD90537937106AE4E28DE9D8AAB02D19BC3E2FDE1D651559E296453E4DBA94370A14DBBB2D1D4E2022302EE90E208321EFCD8528AD89E46DC839EA9DF618EA8394A6BFF308E7726BAE0C19BCD4BE52DA6258E2EF4E96AA21244429F49EF5CB486D7FF35CAC1BACB7E95711944BCCB2AB34700D42D1EB38B5D536B947348A458EDE3DC6BD6EC547B1B0CAE5B257BE36A7124E1060C170FFA"), SHEX("80891A086AF385025068799F192411C689CC4E0D9A59F3F41DBB02A343F1A759")); test_hash(&nettle_sha3_256, /* 175 octets */ SHEX("5ACA56A03A13784BDC3289D9364F79E2A85C12276B49B92DB0ADAA4F206D5028F213F678C3510E111F9DC4C1C1F8B6ACB17A6413AA227607C515C62A733817BA5E762CC6748E7E0D6872C984D723C9BB3B117EB8963185300A80BFA65CDE495D70A46C44858605FCCBED086C2B45CEF963D33294DBE9706B13AF22F1B7C4CD5A001CFEC251FBA18E722C6E1C4B1166918B4F6F48A98B64B3C07FC86A6B17A6D0480AB79D4E6415B520F1C484D675B1"), SHEX("77DDF034B7DFD6B292AA3B0C1E552F47B1D8C23078042CC58BB3DD4720B9EE4D")); test_hash(&nettle_sha3_256, /* 176 octets */ SHEX("A5AAD0E4646A32C85CFCAC73F02FC5300F1982FABB2F2179E28303E447854094CDFC854310E5C0F60993CEFF54D84D6B46323D930ADB07C17599B35B505F09E784BCA5985E0172257797FB53649E2E9723EFD16865C31B5C3D5113B58BB0BFC8920FABDDA086D7537E66D709D050BD14D0C960873F156FAD5B3D3840CDFCDC9BE6AF519DB262A27F40896AB25CC39F96984D650611C0D5A3080D5B3A1BF186ABD42956588B3B58CD948970D298776060"), SHEX("23D2688D867A18040E82F7876ACF04DC3A9C0140FEDD93EBE7ADF920B2F83DA4")); test_hash(&nettle_sha3_256, /* 177 octets */ SHEX("06CBBE67E94A978203EAD6C057A1A5B098478B4B4CBEF5A97E93C8E42F5572713575FC2A884531D7622F8F879387A859A80F10EF02708CD8F7413AB385AFC357678B9578C0EBF641EF076A1A30F1F75379E9DCB2A885BDD295905EE80C0168A62A9597D10CF12DD2D8CEE46645C7E5A141F6E0E23AA482ABE5661C16E69EF1E28371E2E236C359BA4E92C25626A7B7FF13F6EA4AE906E1CFE163E91719B1F750A96CBDE5FBC953D9E576CD216AFC90323A"), SHEX("2DF666FC5D4EAD1C3B10B9F8D4BB81AEA4F93D3873D5CE5CFBAC4B69435E1B7C")); test_hash(&nettle_sha3_256, /* 178 octets */ SHEX("F1C528CF7739874707D4D8AD5B98F7C77169DE0B57188DF233B2DC8A5B31EDA5DB4291DD9F68E6BAD37B8D7F6C9C0044B3BF74BBC3D7D1798E138709B0D75E7C593D3CCCDC1B20C7174B4E692ADD820ACE262D45CCFAE2077E878796347168060A162ECCA8C38C1A88350BD63BB539134F700FD4ADDD5959E255337DAA06BC86358FABCBEFDFB5BC889783D843C08AADC6C4F6C36F65F156E851C9A0F917E4A367B5AD93D874812A1DE6A7B93CD53AD97232"), SHEX("AF0C5474528032E2629B8FBB0E34405F7F251D41E73B5667BE3C07CCB2C1C953")); test_hash(&nettle_sha3_256, /* 179 octets */ SHEX("9D9F3A7ECD51B41F6572FD0D0881E30390DFB780991DAE7DB3B47619134718E6F987810E542619DFAA7B505C76B7350C6432D8BF1CFEBDF1069B90A35F0D04CBDF130B0DFC7875F4A4E62CDB8E525AADD7CE842520A482AC18F09442D78305FE85A74E39E760A4837482ED2F437DD13B2EC1042AFCF9DECDC3E877E50FF4106AD10A525230D11920324A81094DA31DEAB6476AA42F20C84843CFC1C58545EE80352BDD3740DD6A16792AE2D86F11641BB717C2"), SHEX("9BBEF7A75391354A388AAA7CA035DC62D3231B80091BB7748F76E52D8E9F20F0")); test_hash(&nettle_sha3_256, /* 180 octets */ SHEX("5179888724819FBAD3AFA927D3577796660E6A81C52D98E9303261D5A4A83232F6F758934D50AA83FF9E20A5926DFEBAAC49529D006EB923C5AE5048ED544EC471ED7191EDF46363383824F915769B3E688094C682B02151E5EE01E510B431C8865AFF8B6B6F2F59CB6D129DA79E97C6D2B8FA6C6DA3F603199D2D1BCAB547682A81CD6CF65F6551121391D78BCC23B5BD0E922EC6D8BF97C952E84DD28AEF909ABA31EDB903B28FBFC33B7703CD996215A11238"), SHEX("B108457A6BD331BE43C9FE1E2A02E8C744C2BCC927A9C3C486F110DCCF907F6B")); test_hash(&nettle_sha3_256, /* 181 octets */ SHEX("576EF3520D30B7A4899B8C0D5E359E45C5189ADD100E43BE429A02FB3DE5FF4F8FD0E79D9663ACCA72CD29C94582B19292A557C5B1315297D168FBB54E9E2ECD13809C2B5FCE998EDC6570545E1499DBE7FB74D47CD7F35823B212B05BF3F5A79CAA34224FDD670D335FCB106F5D92C3946F44D3AFCBAE2E41AC554D8E6759F332B76BE89A0324AA12C5482D1EA3EE89DED4936F3E3C080436F539FA137E74C6D3389BDF5A45074C47BC7B20B0948407A66D855E2F"), SHEX("A61109838DFA5B146DF4E6C3BDBC7A477BE36B6228EBD91025012AF4CC0EB409")); test_hash(&nettle_sha3_256, /* 182 octets */ SHEX("0DF2152FA4F4357C8741529DD77E783925D3D76E95BAFA2B542A2C33F3D1D117D159CF473F82310356FEE4C90A9E505E70F8F24859656368BA09381FA245EB6C3D763F3093F0C89B972E66B53D59406D9F01AEA07F8B3B615CAC4EE4D05F542E7D0DAB45D67CCCCD3A606CCBEB31EA1FA7005BA07176E60DAB7D78F6810EF086F42F08E595F0EC217372B98970CC6321576D92CE38F7C397A403BADA1548D205C343AC09DECA86325373C3B76D9F32028FEA8EB32515"), SHEX("4F0F30C890B0AB404961158573538FE9A2B234B94A0991F26D5EA04FDDC9C565")); test_hash(&nettle_sha3_256, /* 183 octets */ SHEX("3E15350D87D6EBB5C8AD99D42515CFE17980933C7A8F6B8BBBF0A63728CEFAAD2052623C0BD5931839112A48633FB3C2004E0749C87A41B26A8B48945539D1FF41A4B269462FD199BFECD45374756F55A9116E92093AC99451AEFB2AF9FD32D6D7F5FBC7F7A540D5097C096EBC3B3A721541DE073A1CC02F7FB0FB1B9327FB0B1218CA49C9487AB5396622A13AE546C97ABDEF6B56380DDA7012A8384091B6656D0AB272D363CEA78163FF765CDD13AB1738B940D16CAE"), SHEX("85459CFB0289599CDD67C473A0BA6DA616C608E367F58C50A03562424DCF1D06")); test_hash(&nettle_sha3_256, /* 184 octets */ SHEX("C38D6B0B757CB552BE40940ECE0009EF3B0B59307C1451686F1A22702922800D58BCE7A636C1727EE547C01B214779E898FC0E560F8AE7F61BEF4D75EAA696B921FD6B735D171535E9EDD267C192B99880C87997711002009095D8A7A437E258104A41A505E5EF71E5613DDD2008195F0C574E6BA3FE40099CFA116E5F1A2FA8A6DA04BADCB4E2D5D0DE31FDC4800891C45781A0AAC7C907B56D631FCA5CE8B2CDE620D11D1777ED9FA603541DE794DDC5758FCD5FAD78C0"), SHEX("5539D2E52A5A1BB3C246B0158356E2B2782FC13C10248937A0C4A40B091F6247")); test_hash(&nettle_sha3_256, /* 185 octets */ SHEX("8D2DE3F0B37A6385C90739805B170057F091CD0C7A0BC951540F26A5A75B3E694631BB64C7635EED316F51318E9D8DE13C70A2ABA04A14836855F35E480528B776D0A1E8A23B547C8B8D6A0D09B241D3BE9377160CCA4E6793D00A515DC2992CB7FC741DACA171431DA99CCE6F7789F129E2AC5CF65B40D703035CD2185BB936C82002DAF8CBC27A7A9E554B06196630446A6F0A14BA155ED26D95BD627B7205C072D02B60DB0FD7E49EA058C2E0BA202DAFF0DE91E845CF79"), SHEX("6D63419207B99D4DB1ADD795D852A8DAAC11B789AF0C7D6353036CB23F6428B4")); test_hash(&nettle_sha3_256, /* 186 octets */ SHEX("C464BBDAD275C50DCD983B65AD1019B9FF85A1E71C807F3204BB2C921DC31FBCD8C5FC45868AE9EF85B6C9B83BBA2A5A822201ED68586EC5EC27FB2857A5D1A2D09D09115F22DCC39FE61F5E1BA0FF6E8B4ACB4C6DA748BE7F3F0839739394FF7FA8E39F7F7E84A33C3866875C01BCB1263C9405D91908E9E0B50E7459FABB63D8C6BBB73D8E3483C099B55BC30FF092FF68B6ADEDFD477D63570C9F5515847F36E24BA0B705557130CEC57EBAD1D0B31A378E91894EE26E3A04"), SHEX("D2090DAE0FC201B2B9C03DD482A8EB1FFD3CF70C55F98D6F39A41B8BDAC27A17")); test_hash(&nettle_sha3_256, /* 187 octets */ SHEX("8B8D68BB8A75732FE272815A68A1C9C5AA31B41DEDC8493E76525D1D013D33CEBD9E21A5BB95DB2616976A8C07FCF411F5F6BC6F7E0B57ACA78CC2790A6F9B898858AC9C79B165FF24E66677531E39F572BE5D81EB3264524181115F32780257BFB9AEEC6AF12AF28E587CAC068A1A2953B59AD680F4C245B2E3EC36F59940D37E1D3DB38E13EDB29B5C0F404F6FF87F80FC8BE7A225FF22FBB9C8B6B1D7330C57840D24BC75B06B80D30DAD6806544D510AF6C4785E823AC3E0B8"), SHEX("C9E8F96BA75EAF371DCA35DC69138ECA8CB3F2823F3BE551D9DC8AA6A4ED4169")); test_hash(&nettle_sha3_256, /* 188 octets */ SHEX("6B018710446F368E7421F1BC0CCF562D9C1843846BC8D98D1C9BF7D9D6FCB48BFC3BF83B36D44C4FA93430AF75CD190BDE36A7F92F867F58A803900DF8018150384D85D82132F123006AC2AEBA58E02A037FE6AFBD65ECA7C44977DD3DC74F48B6E7A1BFD5CC4DCF24E4D52E92BD4455848E4928B0EAC8B7476FE3CC03E862AA4DFF4470DBFED6DE48E410F25096487ECFC32A27277F3F5023B2725ADE461B1355889554A8836C9CF53BD767F5737D55184EEA1AB3F53EDD0976C485"), SHEX("233B0BC28143C32A668B0AB5D76BE5712C0387056FB0E79F2C2F7F1C31E4A86A")); test_hash(&nettle_sha3_256, /* 189 octets */ SHEX("C9534A24714BD4BE37C88A3DA1082EDA7CABD154C309D7BD670DCCD95AA535594463058A29F79031D6ECAA9F675D1211E9359BE82669A79C855EA8D89DD38C2C761DDD0EC0CE9E97597432E9A1BEAE062CDD71EDFDFD464119BE9E69D18A7A7FD7CE0E2106F0C8B0ABF4715E2CA48EF9F454DC203C96656653B727083513F8EFB86E49C513BB758B3B052FE21F1C05BB33C37129D6CC81F1AEF6ADC45B0E8827A830FE545CF57D0955802C117D23CCB55EA28F95C0D8C2F9C5A242B33F"), SHEX("B79B5F8182D3FB4ABAB63E7CB26A8E0865AE8D79BD4C514AD8917D5ECB7FED8F")); test_hash(&nettle_sha3_256, /* 190 octets */ SHEX("07906C87297B867ABF4576E9F3CC7F82F22B154AFCBF293B9319F1B0584DA6A40C27B32E0B1B7F412C4F1B82480E70A9235B12EC27090A5A33175A2BB28D8ADC475CEFE33F7803F8CE27967217381F02E67A3B4F84A71F1C5228E0C2AD971373F6F672624FCEA8D1A9F85170FAD30FA0BBD25035C3B41A6175D467998BD1215F6F3866F53847F9CF68EF3E2FBB54BC994DE2302B829C5EEA68EC441FCBAFD7D16AE4FE9FFF98BF00E5BC2AD54DD91FF9FDA4DD77B6C754A91955D1FBAAD0"), SHEX("F680198DE2943D20E9D809FD8312D674C9A250DA22BA6E920E408F6F2C0E0739")); test_hash(&nettle_sha3_256, /* 191 octets */ SHEX("588E94B9054ABC2189DF69B8BA34341B77CDD528E7860E5DEFCAA79B0C9A452AD4B82AA306BE84536EB7CEDCBE058D7B84A6AEF826B028B8A0271B69AC3605A9635EA9F5EA0AA700F3EB7835BC54611B922964300C953EFE7491E3677C2CEBE0822E956CD16433B02C68C4A23252C3F9E151A416B4963257B783E038F6B4D5C9F110F871652C7A649A7BCEDCBCCC6F2D0725BB903CC196BA76C76AA9F10A190B1D1168993BAA9FFC96A1655216773458BEC72B0E39C9F2C121378FEAB4E76A"), SHEX("A190DD73556086EA70BC31022D6A4F95D89DC099E2030C19311CC8988281278F")); test_hash(&nettle_sha3_256, /* 192 octets */ SHEX("08959A7E4BAAE874928813364071194E2939772F20DB7C3157078987C557C2A6D5ABE68D520EEF3DC491692E1E21BCD880ADEBF63BB4213B50897FA005256ED41B5690F78F52855C8D9168A4B666FCE2DA2B456D7A7E7C17AB5F2FB1EE90B79E698712E963715983FD07641AE4B4E9DC73203FAC1AE11FA1F8C7941FCC82EAB247ADDB56E2638447E9D609E610B60CE086656AAEBF1DA3C8A231D7D94E2FD0AFE46B391FF14A72EAEB3F44AD4DF85866DEF43D4781A0B3578BC996C87970B132"), SHEX("21166064C52B588C1EC7EA6DF1905A2B59BAD499B470F308A26B6E354DDFE58F")); test_hash(&nettle_sha3_256, /* 193 octets */ SHEX("CB2A234F45E2ECD5863895A451D389A369AAB99CFEF0D5C9FFCA1E6E63F763B5C14FB9B478313C8E8C0EFEB3AC9500CF5FD93791B789E67EAC12FD038E2547CC8E0FC9DB591F33A1E4907C64A922DDA23EC9827310B306098554A4A78F050262DB5B545B159E1FF1DCA6EB734B872343B842C57EAFCFDA8405EEDBB48EF32E99696D135979235C3A05364E371C2D76F1902F1D83146DF9495C0A6C57D7BF9EE77E80F9787AEE27BE1FE126CDC9EF893A4A7DCBBC367E40FE4E1EE90B42EA25AF01"), SHEX("051E19906464EC7FDC3D37EE3BCEF63438EC5EDBEA5AA202A24B7F7190B689E0")); test_hash(&nettle_sha3_256, /* 194 octets */ SHEX("D16BEADF02AB1D4DC6F88B8C4554C51E866DF830B89C06E786A5F8757E8909310AF51C840EFE8D20B35331F4355D80F73295974653DDD620CDDE4730FB6C8D0D2DCB2B45D92D4FBDB567C0A3E86BD1A8A795AF26FBF29FC6C65941CDDB090FF7CD230AC5268AB4606FCCBA9EDED0A2B5D014EE0C34F0B2881AC036E24E151BE89EEB6CD9A7A790AFCCFF234D7CB11B99EBF58CD0C589F20BDAC4F9F0E28F75E3E04E5B3DEBCE607A496D848D67FA7B49132C71B878FD5557E082A18ECA1FBDA94D4B"), SHEX("18FE66C0CD095C9CC811F5410B5CFDC1B152AE3CAB0C3328974E7D4BBEB40053")); test_hash(&nettle_sha3_256, /* 195 octets */ SHEX("8F65F6BC59A85705016E2BAE7FE57980DE3127E5AB275F573D334F73F8603106EC3553016608EF2DD6E69B24BE0B7113BF6A760BA6E9CE1C48F9E186012CF96A1D4849D75DF5BB8315387FD78E9E153E76F8BA7EC6C8849810F59FB4BB9B004318210B37F1299526866F44059E017E22E96CBE418699D014C6EA01C9F0038B10299884DBEC3199BB05ADC94E955A1533219C1115FED0E5F21228B071F40DD57C4240D98D37B73E412FE0FA4703120D7C0C67972ED233E5DEB300A22605472FA3A3BA86"), SHEX("BDB42638921199D604294B5578CEBACCDF132E1D7AF7675B7768E50553FCB604")); test_hash(&nettle_sha3_256, /* 196 octets */ SHEX("84891E52E0D451813210C3FD635B39A03A6B7A7317B221A7ABC270DFA946C42669AACBBBDF801E1584F330E28C729847EA14152BD637B3D0F2B38B4BD5BF9C791C58806281103A3EABBAEDE5E711E539E6A8B2CF297CF351C078B4FA8F7F35CF61BEBF8814BF248A01D41E86C5715EA40C63F7375379A7EB1D78F27622FB468AB784AAABA4E534A6DFD1DF6FA15511341E725ED2E87F98737CCB7B6A6DFAE416477472B046BF1811187D151BFA9F7B2BF9ACDB23A3BE507CDF14CFDF517D2CB5FB9E4AB6"), SHEX("CBD88209B530018A856C5C2321D7E485511CA1513661F1FDE1FA06F4603DE117")); test_hash(&nettle_sha3_256, /* 197 octets */ SHEX("FDD7A9433A3B4AFABD7A3A5E3457E56DEBF78E84B7A0B0CA0E8C6D53BD0C2DAE31B2700C6128334F43981BE3B213B1D7A118D59C7E6B6493A86F866A1635C12859CFB9AD17460A77B4522A5C1883C3D6ACC86E6162667EC414E9A104AA892053A2B1D72165A855BACD8FAF8034A5DD9B716F47A0818C09BB6BAF22AA503C06B4CA261F557761989D2AFBD88B6A678AD128AF68672107D0F1FC73C5CA740459297B3292B281E93BCEB761BDE7221C3A55708E5EC84472CDDCAA84ECF23723CC0991355C6280"), SHEX("F0C4C1374F33A91DC657F8A3FA51763CBD0FBA1CAFDD2C595ED302AAB1AB75A9")); test_hash(&nettle_sha3_256, /* 198 octets */ SHEX("70A40BFBEF92277A1AAD72F6B79D0177197C4EBD432668CFEC05D099ACCB651062B5DFF156C0B27336687A94B26679CFDD9DAF7AD204338DD9C4D14114033A5C225BD11F217B5F4732DA167EE3F939262D4043FC9CBA92303B7B5E96AEA12ADDA64859DF4B86E9EE0B58E39091E6B188B408AC94E1294A8911245EE361E60E601EFF58D1D37639F3753BEC80EBB4EFDE25817436076623FC65415FE51D1B0280366D12C554D86743F3C3B6572E400361A60726131441BA493A83FBE9AFDA90F7AF1AE717238D"), SHEX("F2157C165EEBDFD04451E9E6CF0B112BB148EB9C40E8B2427EE8EA57E60D5DD6")); test_hash(&nettle_sha3_256, /* 199 octets */ SHEX("74356E449F4BF8644F77B14F4D67CB6BD9C1F5AE357621D5B8147E562B65C66585CAF2E491B48529A01A34D226D436959153815380D5689E30B35357CDAC6E08D3F2B0E88E200600D62BD9F5EAF488DF86A4470EA227006182E44809009868C4C280C43D7D64A5268FA719074960087B3A6ABC837882F882C837834535929389A12B2C78187E2EA07EF8B8EEF27DC85002C3AE35F1A50BEE6A1C48BA7E175F3316670B27983472AA6A61EED0A683A39EE323080620EA44A9F74411AE5CE99030528F9AB49C79F2"), SHEX("0836ABBF77EF78E162DE8FB664B9996D5A03919B741EB4A3F02E7B97826569FA")); test_hash(&nettle_sha3_256, /* 200 octets */ SHEX("8C3798E51BC68482D7337D3ABB75DC9FFE860714A9AD73551E120059860DDE24AB87327222B64CF774415A70F724CDF270DE3FE47DDA07B61C9EF2A3551F45A5584860248FABDE676E1CD75F6355AA3EAEABE3B51DC813D9FB2EAA4F0F1D9F834D7CAD9C7C695AE84B329385BC0BEF895B9F1EDF44A03D4B410CC23A79A6B62E4F346A5E8DD851C2857995DDBF5B2D717AEB847310E1F6A46AC3D26A7F9B44985AF656D2B7C9406E8A9E8F47DCB4EF6B83CAACF9AEFB6118BFCFF7E44BEF6937EBDDC89186839B77"), SHEX("84970C79316E89B70E2B186A69DB1A4C3E33C7A376B45C1B79BD346DD33EF4CE")); test_hash(&nettle_sha3_256, /* 201 octets */ SHEX("FA56BF730C4F8395875189C10C4FB251605757A8FECC31F9737E3C2503B02608E6731E85D7A38393C67DE516B85304824BFB135E33BF22B3A23B913BF6ACD2B7AB85198B8187B2BCD454D5E3318CACB32FD6261C31AE7F6C54EF6A7A2A4C9F3ECB81CE3555D4F0AD466DD4C108A90399D70041997C3B25345A9653F3C9A6711AB1B91D6A9D2216442DA2C973CBD685EE7643BFD77327A2F7AE9CB283620A08716DFB462E5C1D65432CA9D56A90E811443CD1ECB8F0DE179C9CB48BA4F6FEC360C66F252F6E64EDC96B"), SHEX("06ED2EBC419D053949E88CC9C040B1EBCE74375AD0CE09C0CD4D562C62F8497D")); test_hash(&nettle_sha3_256, /* 202 octets */ SHEX("B6134F9C3E91DD8000740D009DD806240811D51AB1546A974BCB18D344642BAA5CD5903AF84D58EC5BA17301D5EC0F10CCD0509CBB3FD3FFF9172D193AF0F782252FD1338C7244D40E0E42362275B22D01C4C3389F19DD69BDF958EBE28E31A4FFE2B5F18A87831CFB7095F58A87C9FA21DB72BA269379B2DC2384B3DA953C7925761FED324620ACEA435E52B424A7723F6A2357374157A34CD8252351C25A1B232826CEFE1BD3E70FFC15A31E7C0598219D7F00436294D11891B82497BC78AA5363892A2495DF8C1EEF"), SHEX("CF9060AF3E4ED47316ACF51E5B92123CDC4827BD4AEF991588DCD8078B9EEA40")); test_hash(&nettle_sha3_256, /* 203 octets */ SHEX("C941CDB9C28AB0A791F2E5C8E8BB52850626AA89205BEC3A7E22682313D198B1FA33FC7295381354858758AE6C8EC6FAC3245C6E454D16FA2F51C4166FAB51DF272858F2D603770C40987F64442D487AF49CD5C3991CE858EA2A60DAB6A65A34414965933973AC2457089E359160B7CDEDC42F29E10A91921785F6B7224EE0B349393CDCFF6151B50B377D609559923D0984CDA6000829B916AB6896693EF6A2199B3C22F7DC5500A15B8258420E314C222BC000BC4E5413E6DD82C993F8330F5C6D1BE4BC79F08A1A0A46"), SHEX("63E407300F99FF2360F02AAE0ADA35F6C1A90AED2C63282B23A7990BAE307254")); test_hash(&nettle_sha3_256, /* 204 octets */ SHEX("4499EFFFAC4BCEA52747EFD1E4F20B73E48758BE915C88A1FFE5299B0B005837A46B2F20A9CB3C6E64A9E3C564A27C0F1C6AD1960373036EC5BFE1A8FC6A435C2185ED0F114C50E8B3E4C7ED96B06A036819C9463E864A58D6286F785E32A804443A56AF0B4DF6ABC57ED5C2B185DDEE8489EA080DEEEE66AA33C2E6DAB36251C402682B6824821F998C32163164298E1FAFD31BABBCFFB594C91888C6219079D907FDB438ED89529D6D96212FD55ABE20399DBEFD342248507436931CDEAD496EB6E4A80358ACC78647D043"), SHEX("427741570D5E21590E5045A8450216365BA95C2E72455A3DBD694F13155DE1B7")); test_hash(&nettle_sha3_256, /* 205 octets */ SHEX("EECBB8FDFA4DA62170FD06727F697D81F83F601FF61E478105D3CB7502F2C89BF3E8F56EDD469D049807A38882A7EEFBC85FC9A950952E9FA84B8AFEBD3CE782D4DA598002827B1EB98882EA1F0A8F7AA9CE013A6E9BC462FB66C8D4A18DA21401E1B93356EB12F3725B6DB1684F2300A98B9A119E5D27FF704AFFB618E12708E77E6E5F34139A5A41131FD1D6336C272A8FC37080F041C71341BEE6AB550CB4A20A6DDB6A8E0299F2B14BC730C54B8B1C1C487B494BDCCFD3A53535AB2F231590BF2C4062FD2AD58F906A2D0D"), SHEX("B5E60A019E8414D470AE702738BC358F1C80BB6FF7BDE4F2DBB56C299C764B16")); test_hash(&nettle_sha3_256, /* 206 octets */ SHEX("E64F3E4ACE5C8418D65FEC2BC5D2A303DD458034736E3B0DF719098BE7A206DEAF52D6BA82316CAF330EF852375188CDE2B39CC94AA449578A7E2A8E3F5A9D68E816B8D16889FBC0EBF0939D04F63033AE9AE2BDAB73B88C26D6BD25EE460EE1EF58FB0AFA92CC539F8C76D3D097E7A6A63EBB9B5887EDF3CF076028C5BBD5B9DB3211371AD3FE121D4E9BF44229F4E1ECF5A0F9F0EBA4D5CEB72878AB22C3F0EB5A625323AC66F7061F4A81FAC834471E0C59553F108475FE290D43E6A055AE3EE46FB67422F814A68C4BE3E8C9"), SHEX("C986BDAE9B13FBC92793619E4970ABC33398F2B5A57A6CBB40A622592E2695DF")); test_hash(&nettle_sha3_256, /* 207 octets */ SHEX("D2CB2D733033F9E91395312808383CC4F0CA974E87EC68400D52E96B3FA6984AC58D9AD0938DDE5A973008D818C49607D9DE2284E7618F1B8AED8372FBD52ED54557AF4220FAC09DFA8443011699B97D743F8F2B1AEF3537EBB45DCC9E13DFB438428EE190A4EFDB3CAEB7F3933117BF63ABDC7E57BEB4171C7E1AD260AB0587806C4D137B6316B50ABC9CCE0DFF3ACADA47BBB86BE777E617BBE578FF4519844DB360E0A96C6701290E76BB95D26F0F804C8A4F2717EAC4E7DE9F2CFF3BBC55A17E776C0D02856032A6CD10AD2838"), SHEX("224C7FC8A0EC3895E8969CE7C7F7ECAA54FE2EEC9AB3120726106F22AA297541")); test_hash(&nettle_sha3_256, /* 208 octets */ SHEX("F2998955613DD414CC111DF5CE30A995BB792E260B0E37A5B1D942FE90171A4AC2F66D4928D7AD377F4D0554CBF4C523D21F6E5F379D6F4B028CDCB9B1758D3B39663242FF3CB6EDE6A36A6F05DB3BC41E0D861B384B6DEC58BB096D0A422FD542DF175E1BE1571FB52AE66F2D86A2F6824A8CFAACBAC4A7492AD0433EEB15454AF8F312B3B2A577750E3EFBD370E8A8CAC1582581971FBA3BA4BD0D76E718DACF8433D33A59D287F8CC92234E7A271041B526E389EFB0E40B6A18B3AAF658E82ED1C78631FD23B4C3EB27C3FAEC8685"), SHEX("FAF5E3B7A64629FFEEE07A67ED77A3A4F67F18C9381FE9B19F6EE601F5FB99AF")); test_hash(&nettle_sha3_256, /* 209 octets */ SHEX("447797E2899B72A356BA55BF4DF3ACCA6CDB1041EB477BD1834A9F9ACBC340A294D729F2F97DF3A610BE0FF15EDB9C6D5DB41644B9874360140FC64F52AA03F0286C8A640670067A84E017926A70438DB1BB361DEFEE7317021425F8821DEF26D1EFD77FC853B818545D055ADC9284796E583C76E6FE74C9AC2587AA46AA8F8804F2FEB5836CC4B3ABABAB8429A5783E17D5999F32242EB59EF30CD7ADABC16D72DBDB097623047C98989F88D14EAF02A7212BE16EC2D07981AAA99949DDF89ECD90333A77BC4E1988A82ABF7C7CAF3291"), SHEX("A8A98E6B3A005FCB319FEE58C5457D04B69D59F53873F6FCC6065D68F880833F")); test_hash(&nettle_sha3_256, /* 210 octets */ SHEX("9F2C18ADE9B380C784E170FB763E9AA205F64303067EB1BCEA93DF5DAC4BF5A2E00B78195F808DF24FC76E26CB7BE31DC35F0844CDED1567BBA29858CFFC97FB29010331B01D6A3FB3159CC1B973D255DA9843E34A0A4061CABDB9ED37F241BFABB3C20D32743F4026B59A4CCC385A2301F83C0B0A190B0F2D01ACB8F0D41111E10F2F4E149379275599A52DC089B35FDD5234B0CFB7B6D8AEBD563CA1FA653C5C021DFD6F5920E6F18BFAFDBECBF0AB00281333ED50B9A999549C1C8F8C63D7626C48322E9791D5FF72294049BDE91E73F8"), SHEX("C89F2B346127EAB9E28095DC44918C1A1AAEAE04861C1DD0144A1EE07F823C18")); test_hash(&nettle_sha3_256, /* 211 octets */ SHEX("AE159F3FA33619002AE6BCCE8CBBDD7D28E5ED9D61534595C4C9F43C402A9BB31F3B301CBFD4A43CE4C24CD5C9849CC6259ECA90E2A79E01FFBAC07BA0E147FA42676A1D668570E0396387B5BCD599E8E66AAED1B8A191C5A47547F61373021FA6DEADCB55363D233C24440F2C73DBB519F7C9FA5A8962EFD5F6252C0407F190DFEFAD707F3C7007D69FF36B8489A5B6B7C557E79DD4F50C06511F599F56C896B35C917B63BA35C6FF8092BAF7D1658E77FC95D8A6A43EEB4C01F33F03877F92774BE89C1114DD531C011E53A34DC248A2F0E6"), SHEX("E7A81ACBEF35D7B24B706549B41ABD82628CCFF9ACF41F2C8ADD28743688AE01")); test_hash(&nettle_sha3_256, /* 212 octets */ SHEX("3B8E97C5FFC2D6A40FA7DE7FCEFC90F3B12C940E7AB415321E29EE692DFAC799B009C99DCDDB708FCE5A178C5C35EE2B8617143EDC4C40B4D313661F49ABDD93CEA79D117518805496FE6ACF292C4C2A1F76B403A97D7C399DAF85B46AD84E16246C67D6836757BDE336C290D5D401E6C1386AB32797AF6BB251E9B2D8FE754C47482B72E0B394EAB76916126FD68EA7D65EB93D59F5B4C5AC40F7C3B37E7F3694F29424C24AF8C8F0EF59CD9DBF1D28E0E10F799A6F78CAD1D45B9DB3D7DEE4A7059ABE99182714983B9C9D44D7F5643596D4F3"), SHEX("D81249143A69EA1C9DC168B55FFE06D46D0FBC007065110353D76C6CCE4FFE66")); test_hash(&nettle_sha3_256, /* 213 octets */ SHEX("3434EC31B10FAFDBFEEC0DD6BD94E80F7BA9DCA19EF075F7EB017512AF66D6A4BCF7D16BA0819A1892A6372F9B35BCC7CA8155EE19E8428BC22D214856ED5FA9374C3C09BDE169602CC219679F65A1566FC7316F4CC3B631A18FB4449FA6AFA16A3DB2BC4212EFF539C67CF184680826535589C7111D73BFFCE431B4C40492E763D9279560AAA38EB2DC14A212D723F994A1FE656FF4DD14551CE4E7C621B2AA5604A10001B2878A897A28A08095C325E10A26D2FB1A75BFD64C250309BB55A44F23BBAC0D5516A1C687D3B41EF2FBBF9CC56D4739"), SHEX("AA8BBD4812142211212763BF8EE4D6E0AADAFE5E528AEA1FB1BE118806E49F66")); test_hash(&nettle_sha3_256, /* 214 octets */ SHEX("7C7953D81C8D208FD1C97681D48F49DD003456DE60475B84070EF4847C333B74575B1FC8D2A186964485A3B8634FEAA3595AAA1A2F4595A7D6B6153563DEE31BBAC443C8A33EED6D5D956A980A68366C2527B550EE950250DFB691EACBD5D56AE14B970668BE174C89DF2FEA43AE52F13142639C884FD62A3683C0C3792F0F24AB1318BCB27E21F4737FAB62C77EA38BC8FD1CF41F7DAB64C13FEBE7152BF5BB7AB5A78F5346D43CC741CB6F72B7B8980F268B68BF62ABDFB1577A52438FE14B591498CC95F071228460C7C5D5CEB4A7BDE588E7F21C"), SHEX("4089B181DF5ECA5F14DAB1057AAAEECABA15F200FDDA0DE49357D6196FAAB44B")); test_hash(&nettle_sha3_256, /* 215 octets */ SHEX("7A6A4F4FDC59A1D223381AE5AF498D74B7252ECF59E389E49130C7EAEE626E7BD9897EFFD92017F4CCDE66B0440462CDEDFD352D8153E6A4C8D7A0812F701CC737B5178C2556F07111200EB627DBC299CAA792DFA58F35935299FA3A3519E9B03166DFFA159103FFA35E8577F7C0A86C6B46FE13DB8E2CDD9DCFBA85BDDDCCE0A7A8E155F81F712D8E9FE646153D3D22C811BD39F830433B2213DD46301941B59293FD0A33E2B63ADBD95239BC01315C46FDB678875B3C81E053A40F581CFBEC24A1404B1671A1B88A6D06120229518FB13A74CA0AC5AE"), SHEX("DEBF59BB233D05549853804FC67840821BD5802F87FC8A915B710D3E82070950")); test_hash(&nettle_sha3_256, /* 216 octets */ SHEX("D9FAA14CEBE9B7DE551B6C0765409A33938562013B5E8E0E1E0A6418DF7399D0A6A771FB81C3CA9BD3BB8E2951B0BC792525A294EBD1083688806FE5E7F1E17FD4E3A41D00C89E8FCF4A363CAEDB1ACB558E3D562F1302B3D83BB886ED27B76033798131DAB05B4217381EAAA7BA15EC820BB5C13B516DD640EAEC5A27D05FDFCA0F35B3A5312146806B4C0275BCD0AAA3B2017F346975DB566F9B4D137F4EE10644C2A2DA66DEECA5342E236495C3C6280528BFD32E90AF4CD9BB908F34012B52B4BC56D48CC8A6B59BAB014988EABD12E1A0A1C2E170E7"), SHEX("0FDBA1C79F55F233A1217F522D6C81F777F330FADB565E1171F39E1788913342")); test_hash(&nettle_sha3_256, /* 217 octets */ SHEX("2D8427433D0C61F2D96CFE80CF1E932265A191365C3B61AAA3D6DCC039F6BA2AD52A6A8CC30FC10F705E6B7705105977FA496C1C708A277A124304F1FC40911E7441D1B5E77B951AAD7B01FD5DB1B377D165B05BBF898042E39660CAF8B279FE5229D1A8DB86C0999ED65E53D01CCBC4B43173CCF992B3A14586F6BA42F5FE30AFA8AE40C5DF29966F9346DA5F8B35F16A1DE3AB6DE0F477D8D8660918060E88B9B9E9CA6A4207033B87A812DBF5544D39E4882010F82B6CE005F8E8FF6FE3C3806BC2B73C2B83AFB704345629304F9F86358712E9FAE3CA3E"), SHEX("ED45A06E95A6539270B02290D71005F01C55BA077414C3BCDB379537E6DBEFC9")); test_hash(&nettle_sha3_256, /* 218 octets */ SHEX("5E19D97887FCAAC0387E22C6F803C34A3DACD2604172433F7A8A7A526CA4A2A1271ECFC5D5D7BE5AC0D85D921095350DFC65997D443C21C8094E0A3FEFD2961BCB94AED03291AE310CCDA75D8ACE4BC7D89E7D3E5D1650BDA5D668B8B50BFC8E608E184F4D3A9A2BADC4FF5F07E0C0BC8A9F2E0B2A26FD6D8C550008FAAAB75FD71AF2A424BEC9A7CD9D83FAD4C8E9319115656A8717D3B523A68FF8004258B9990ED362308461804BA3E3A7E92D8F2FFAE5C2FBA55BA5A3C27C0A2F71BD711D2FE1799C2ADB31B200035481E9EE5C4ADF2AB9C0FA50B23975CF"), SHEX("37E7CF6A9A31B0982B2479432B7838657741B0EE79ADDA1B287550EB325C78CC")); test_hash(&nettle_sha3_256, /* 219 octets */ SHEX("C8E976AB4638909387CE3B8D4E510C3230E5690E02C45093B1D297910ABC481E56EEA0F296F98379DFC9080AF69E73B2399D1C143BEE80AE1328162CE1BA7F6A8374679B20AACD380EB4E61382C99998704D62701AFA914F9A2705CDB065885F50D086C3EB5753700C387118BB142F3E6DA1E988DFB31AC75D7368931E45D1391A274B22F83CEB072F9BCABC0B216685BFD789F5023971024B1878A205442522F9EA7D8797A4102A3DF41703768251FD5E017C85D1200A464118AA35654E7CA39F3C375B8EF8CBE7534DBC64BC20BEFB417CF60EC92F63D9EE7397"), SHEX("373704F641FAF2B918E22E9142ABF6B4AC71B6883AC4D7A075F626E947837D3F")); test_hash(&nettle_sha3_256, /* 220 octets */ SHEX("7145FA124B7429A1FC2231237A949BA7201BCC1822D3272DE005B682398196C25F7E5CC2F289FBF44415F699CB7FE6757791B1443410234AE061EDF623359E2B4E32C19BF88450432DD01CAA5EB16A1DC378F391CA5E3C4E5F356728BDDD4975DB7C890DA8BBC84CC73FF244394D0D48954978765E4A00B593F70F2CA082673A261ED88DBCEF1127728D8CD89BC2C597E9102CED6010F65FA75A14EBE467FA57CE3BD4948B6867D74A9DF5C0EC6F530CBF2EE61CE6F06BC8F2864DFF5583776B31DF8C7FFCB61428A56BF7BD37188B4A5123BBF338393AF46EDA85E6"), SHEX("EE5994B3D32BDAE58E72566FC24B886461217FDD7273E1608F0B2926B7923546")); test_hash(&nettle_sha3_256, /* 221 octets */ SHEX("7FDFADCC9D29BAD23AE038C6C65CDA1AEF757221B8872ED3D75FF8DF7DA0627D266E224E812C39F7983E4558BFD0A1F2BEF3FEB56BA09120EF762917B9C093867948547AEE98600D10D87B20106878A8D22C64378BF634F7F75900C03986B077B0BF8B740A82447B61B99FEE5376C5EB6680EC9E3088F0BDD0C56883413D60C1357D3C811950E5890E7600103C916341B80C743C6A852B7B4FB60C3BA21F3BC15B8382437A68454779CF3CD7F9F90CCC8EF28D0B706535B1E4108EB5627BB45D719CB046839AEE311CA1ABDC8319E050D67972CB35A6B1601B25DBF487"), SHEX("6A584F9F4ACD8FC8E15DACD326291FE9311C20987225C51CF4251E52B47FA223")); test_hash(&nettle_sha3_256, /* 222 octets */ SHEX("988638219FD3095421F826F56E4F09E356296B628C3CE6930C9F2E758FD1A80C8273F2F61E4DAAE65C4F110D3E7CA0965AC7D24E34C0DC4BA2D6FF0BF5BBE93B3585F354D7543CB542A1AA54674D375077F2D360A8F4D42F3DB131C3B7AB7306267BA107659864A90C8C909460A73621D1F5D9D3FD95BEB19B23DB1CB6C0D0FBA91D36891529B8BD8263CAA1BAB56A4AFFAED44962DF096D8D5B1EB845EF31188B3E10F1AF811A13F156BEB7A288AAE593EBD1471B624AA1A7C6ADF01E2200B3D72D88A3AED3100C88231E41EFC376906F0B580DC895F080FDA5741DB1CB"), SHEX("4F92839CDDB0DF31D16A0DB53BBE07698A7C1912D5590D21155D45DB1B48CAB4")); test_hash(&nettle_sha3_256, /* 223 octets */ SHEX("5AAB62756D307A669D146ABA988D9074C5A159B3DE85151A819B117CA1FF6597F6156E80FDD28C9C3176835164D37DA7DA11D94E09ADD770B68A6E081CD22CA0C004BFE7CD283BF43A588DA91F509B27A6584C474A4A2F3EE0F1F56447379240A5AB1FB77FDCA49B305F07BA86B62756FB9EFB4FC225C86845F026EA542076B91A0BC2CDD136E122C659BE259D98E5841DF4C2F60330D4D8CDEE7BF1A0A244524EECC68FF2AEF5BF0069C9E87A11C6E519DE1A4062A10C83837388F7EF58598A3846F49D499682B683C4A062B421594FAFBC1383C943BA83BDEF515EFCF10D"), SHEX("EAFD661F343AE834C621E074AC6903A2E3E6324F365B3432DFFA732F477AC129")); test_hash(&nettle_sha3_256, /* 224 octets */ SHEX("47B8216AA0FBB5D67966F2E82C17C07AA2D6327E96FCD83E3DE7333689F3EE79994A1BF45082C4D725ED8D41205CB5BCDF5C341F77FACB1DA46A5B9B2CBC49EADF786BCD881F371A95FA17DF73F606519AEA0FF79D5A11427B98EE7F13A5C00637E2854134691059839121FEA9ABE2CD1BCBBBF27C74CAF3678E05BFB1C949897EA01F56FFA4DAFBE8644611685C617A3206C7A7036E4AC816799F693DAFE7F19F303CE4EBA09D21E03610201BFC665B72400A547A1E00FA9B7AD8D84F84B34AEF118515E74DEF11B9188BD1E1F97D9A12C30132EC2806339BDADACDA2FD8B78"), SHEX("3DCEC669C5D0176B1BDC002728D242C587DDA03B3ABFA6074523D3FAEF4820BE")); test_hash(&nettle_sha3_256, /* 225 octets */ SHEX("8CFF1F67FE53C098896D9136389BD8881816CCAB34862BB67A656E3D98896F3CE6FFD4DA73975809FCDF9666760D6E561C55238B205D8049C1CEDEEF374D1735DAA533147BFA960B2CCE4A4F254176BB4D1BD1E89654432B8DBE1A135C42115B394B024856A2A83DC85D6782BE4B444239567CCEC4B184D4548EAE3FF6A192F343292BA2E32A0F267F31CC26719EB85245D415FB897AC2DA433EE91A99424C9D7F1766A44171D1651001C38FC79294ACCC68CEB5665D36218454D3BA169AE058A831338C17743603F81EE173BFC0927464F9BD728DEE94C6AEAB7AAE6EE3A627E8"), SHEX("4BDF731BBB3D0E2AB0EB3D972123A7A0A085E8A98AC6AF8ADBD335B37275DDFF")); test_hash(&nettle_sha3_256, /* 226 octets */ SHEX("EACD07971CFF9B9939903F8C1D8CBB5D4DB1B548A85D04E037514A583604E787F32992BF2111B97AC5E8A938233552731321522AB5E8583561260B7D13EBEEF785B23A41FD8576A6DA764A8ED6D822D4957A545D5244756C18AA80E1AAD4D1F9C20D259DEE1711E2CC8FD013169FB7CC4CE38B362F8E0936AE9198B7E838DCEA4F7A5B9429BB3F6BBCF2DC92565E3676C1C5E6EB3DD2A0F86AA23EDD3D0891F197447692794B3DFA269611AD97F72B795602B4FDB198F3FD3EB41B415064256E345E8D8C51C555DC8A21904A9B0F1AD0EFFAB7786AAC2DA3B196507E9F33CA356427"), SHEX("47F904FEEA607225CAB2E3C52748878964BFEDCFE068727DE610F63421367BCF")); test_hash(&nettle_sha3_256, /* 227 octets */ SHEX("23AC4E9A42C6EF45C3336CE6DFC2FF7DE8884CD23DC912FEF0F7756C09D335C189F3AD3A23697ABDA851A81881A0C8CCAFC980AB2C702564C2BE15FE4C4B9F10DFB2248D0D0CB2E2887FD4598A1D4ACDA897944A2FFC580FF92719C95CF2AA42DC584674CB5A9BC5765B9D6DDF5789791D15F8DD925AA12BFFAFBCE60827B490BB7DF3DDA6F2A143C8BF96ABC903D83D59A791E2D62814A89B8080A28060568CF24A80AE61179FE84E0FFAD00388178CB6A617D37EFD54CC01970A4A41D1A8D3DDCE46EDBBA4AB7C90AD565398D376F431189CE8C1C33E132FEAE6A8CD17A61C630012"), SHEX("324937607D9F16AF815701749F0377B3281AF9C5BB565D6F2B9611532B6BF044")); test_hash(&nettle_sha3_256, /* 228 octets */ SHEX("0172DF732282C9D488669C358E3492260CBE91C95CFBC1E3FEA6C4B0EC129B45F242ACE09F152FC6234E1BEE8AAB8CD56E8B486E1DCBA9C05407C2F95DA8D8F1C0AF78EE2ED82A3A79EC0CB0709396EE62AADB84F8A4EE8A7CCCA3C1EE84E302A09EA802204AFECF04097E67D0F8E8A9D2651126C0A598A37081E42D168B0AE8A71951C524259E4E2054E535B779679BDADE566FE55700858618E626B4A0FAF895BCCE9011504A49E05FD56127EAE3D1F8917AFB548ECADABDA1020111FEC9314C413498A360B08640549A22CB23C731ACE743252A8227A0D2689D4C6001606678DFB921"), SHEX("B984C2D6B6FDC28574AAD551FC16B68F85BF6CC480A15C128AE5616561D46721")); test_hash(&nettle_sha3_256, /* 229 octets */ SHEX("3875B9240CF3E0A8B59C658540F26A701CF188496E2C2174788B126FD29402D6A75453BA0635284D08835F40051A2A9683DC92AFB9383719191231170379BA6F4ADC816FECBB0F9C446B785BF520796841E58878B73C58D3EBB097CE4761FDEABE15DE2F319DFBAF1742CDEB389559C788131A6793E193856661376C81CE9568DA19AA6925B47FFD77A43C7A0E758C37D69254909FF0FBD415EF8EB937BCD49F91468B49974C07DC819ABD67395DB0E05874FF83DDDAB895344ABD0E7111B2DF9E58D76D85AD98106B36295826BE04D435615595605E4B4BB824B33C4AFEB5E7BB0D19F909"), SHEX("91A5B9FC2DCC5FAEDA57D2E7A41E922DC32D572AEBDF6D54CB8C3AE4245E8565")); test_hash(&nettle_sha3_256, /* 230 octets */ SHEX("747CC1A59FEFBA94A9C75BA866C30DC5C1CB0C0F8E9361D98484956DD5D1A40F6184AFBE3DAC9F76028D1CAECCFBF69199C6CE2B4C092A3F4D2A56FE5A33A00757F4D7DEE5DFB0524311A97AE0668A47971B95766E2F6DD48C3F57841F91F04A00AD5EA70F2D479A2620DC5CD78EAAB3A3B011719B7E78D19DDF70D9423798AF77517EBC55392FCD01FC600D8D466B9E7A7A85BF33F9CC5419E9BD874DDFD60981150DDAF8D7FEBAA4374F0872A5628D318000311E2F5655365AD4D407C20E5C04DF17A222E7DEEC79C5AB1116D8572F91CD06E1CCC7CED53736FC867FD49ECEBE6BF8082E8A"), SHEX("97DCA1050A465B60E91EBE26E29ADB5A286A0582EEE2E89B8B901954293F6146")); test_hash(&nettle_sha3_256, /* 231 octets */ SHEX("57AF971FCCAEC97435DC2EC9EF0429BCEDC6B647729EA168858A6E49AC1071E706F4A5A645CA14E8C7746D65511620682C906C8B86EC901F3DDED4167B3F00B06CBFAC6AEE3728051B3E5FF10B4F9ED8BD0B8DA94303C833755B3CA3AEDDF0B54BC8D6632138B5D25BAB03D17B3458A9D782108006F5BB7DE75B5C0BA854B423D8BB801E701E99DC4FEAAD59BC1C7112453B04D33EA3635639FB802C73C2B71D58A56BBD671B18FE34ED2E3DCA38827D63FDB1D4FB3285405004B2B3E26081A8FF08CD6D2B08F8E7B7E90A2AB1ED7A41B1D0128522C2F8BFF56A7FE67969422CE839A9D4608F03"), SHEX("6D033D85DAED3366D5F7D5E4F03B3D05B65778EEEA074B0C683CFFCD6F51D5BD")); test_hash(&nettle_sha3_256, /* 232 octets */ SHEX("04E16DEDC1227902BAAF332D3D08923601BDD64F573FAA1BB7201918CFE16B1E10151DAE875DA0C0D63C59C3DD050C4C6A874011B018421AFC4623AB0381831B2DA2A8BA42C96E4F70864AC44E106F94311051E74C77C1291BF5DB9539E69567BF6A11CF6932BBBAD33F8946BF5814C066D851633D1A513510039B349939BFD42B858C21827C8FF05F1D09B1B0765DC78A135B5CA4DFBA0801BCADDFA175623C8B647EACFB4444B85A44F73890607D06D507A4F8393658788669F6EF4DEB58D08C50CA0756D5E2F49D1A7AD73E0F0B3D3B5F090ACF622B1878C59133E4A848E05153592EA81C6FBF"), SHEX("01EBBB73410EEBAC665C3B40063D001F43DBE9D1722EB323FE08763D7FF0616C")); test_hash(&nettle_sha3_256, /* 233 octets */ SHEX("7C815C384EEE0F288ECE27CCED52A01603127B079C007378BC5D1E6C5E9E6D1C735723ACBBD5801AC49854B2B569D4472D33F40BBB8882956245C366DC3582D71696A97A4E19557E41E54DEE482A14229005F93AFD2C4A7D8614D10A97A9DFA07F7CD946FA45263063DDD29DB8F9E34DB60DAA32684F0072EA2A9426ECEBFA5239FB67F29C18CBAA2AF6ED4BF4283936823AC1790164FEC5457A9CBA7C767CA59392D94CAB7448F50EB34E9A93A80027471CE59736F099C886DEA1AB4CBA4D89F5FC7AE2F21CCD27F611ECA4626B2D08DC22382E92C1EFB2F6AFDC8FDC3D2172604F5035C46B8197D3"), SHEX("8D3A49CB572AB99C9BF0231366BB017C9ADF25479D35443A971E45787E738CE5")); test_hash(&nettle_sha3_256, /* 234 octets */ SHEX("E29D505158DBDD937D9E3D2145658EE6F5992A2FC790F4F608D9CDB44A091D5B94B88E81FAC4FDF5C49442F13B911C55886469629551189EAFF62488F1A479B7DB11A1560E198DDCCCCF50159093425FF7F1CB8D1D1246D0978764087D6BAC257026B090EFAE8CEC5F22B6F21C59ACE1AC7386F5B8837CA6A12B6FBF5534DD0560EF05CA78104D3B943DDB220FEAEC89AA5E692A00F822A2AB9A2FE60350D75E7BE16FF2526DC643872502D01F42F188ABED0A6E9A6F5FD0D1CE7D5755C9FFA66B0AF0B20BD806F08E06156690D81AC811778CA3DAC2C249B96002017FCE93E507E3B953ACF99964B847"), SHEX("FBB5A0AB1A3B4C4FA56ADB1C9531EB9979C554903053013C20FEFD3F57B5CCDB")); test_hash(&nettle_sha3_256, /* 235 octets */ SHEX("D85588696F576E65ECA0155F395F0CFACD83F36A99111ED5768DF2D116D2121E32357BA4F54EDE927F189F297D3A97FAD4E9A0F5B41D8D89DD7FE20156799C2B7B6BF9C957BA0D6763F5C3BC5129747BBB53652B49290CFF1C87E2CDF2C4B95D8AAEE09BC8FBFA6883E62D237885810491BFC101F1D8C636E3D0EDE838AD05C207A3DF4FAD76452979EB99F29AFAECEDD1C63B8D36CF378454A1BB67A741C77AC6B6B3F95F4F02B64DABC15438613EA49750DF42EE90101F115AA9ABB9FF64324DDE9DABBB01054E1BD6B4BCDC7930A44C2300D87CA78C06924D0323AD7887E46C90E8C4D100ACD9EED21E"), SHEX("6B3DCC7AC6A5CB85B67FC71B4055D3798134DEEF26FD3EB03A042E0DAA35CC85")); test_hash(&nettle_sha3_256, /* 236 octets */ SHEX("3A12F8508B40C32C74492B66323375DCFE49184C78F73179F3314B79E63376B8AC683F5A51F1534BD729B02B04D002F55CBD8E8FC9B5EC1EA6BBE6A0D0E7431518E6BA45D124035F9D3DCE0A8BB7BF1430A9F657E0B4EA9F20EB20C786A58181A1E20A96F1628F8728A13BDF7A4B4B32FC8AA7054CC4881AE7FA19AFA65C6C3EE1B3ADE3192AF42054A8A911B8EC1826865D46D93F1E7C5E2B7813C92A506E53886F3D4701BB93D2A681AD109C845904BB861AF8AF0646B6E399B38B614051D34F6842563A0F37EC00CB3D865FC5D746C4987DE2A65071100883A2A9C7A2BFE1E2DD603D9EA24DC7C5FD06BE"), SHEX("5D1DBA8F1584AC3F36B3AC925EC13AC284013B9664965AB6265B942466B5D8EC")); test_hash(&nettle_sha3_256, /* 237 octets */ SHEX("1861EDCE46FA5AD17E1FF1DEAE084DEC580F97D0A67885DFE834B9DFAC1AE076742CE9E267512CA51F6DF5A455AF0C5FD6ABF94ACEA103A3370C354485A7846FB84F3AC7C2904B5B2FBF227002CE512133BB7E1C4E50057BFD1E44DB33C7CDB969A99E284B184F50A14B068A1FC5009D9B298DBE92239572A7627AAC02ABE8F3E3B473417F36D4D2505D16B7577F4526C9D94A270A2DFE450D06DA8F6FA956879A0A55CFE99E742EA555EA477BA3E9B44CCD508C375423611AF92E55345DC215779B2D5119EBA49C71D49B9FE3F1569FA24E5CA3E332D042422A8B8158D3EC66A80012976F31FFDF305F0C9C5E"), SHEX("89C6C86DB0A889AA67D8CB085F9F4312645972D977C5B952D9F6243D7D3BE4D5")); test_hash(&nettle_sha3_256, /* 238 octets */ SHEX("08D0FFDE3A6E4EF65608EA672E4830C12943D7187CCFF08F4941CFC13E545F3B9C7AD5EEBBE2B01642B486CAF855C2C73F58C1E4E3391DA8E2D63D96E15FD84953AE5C231911B00AD6050CD7AAFDAAC9B0F663AE6AAB45519D0F5391A541707D479034E73A6AD805AE3598096AF078F1393301493D663DD71F83869CA27BA508B7E91E81E128C1716DC3ACFE3084B2201E04CF8006617EECF1B640474A5D45CFDE9F4D3EF92D6D055B909892194D8A8218DB6D8203A84261D200D71473D7488F3427416B6896C137D455F231071CACBC86E0415AB88AEC841D96B7B8AF41E05BB461A40645BF176601F1E760DE5F"), SHEX("AC02432A5541C26238C6F99FADB2B23B5FFCAD8F04BD4C3B9A6620CAB1266E6B")); test_hash(&nettle_sha3_256, /* 239 octets */ SHEX("D782ABB72A5BE3392757BE02D3E45BE6E2099D6F000D042C8A543F50ED6EBC055A7F133B0DD8E9BC348536EDCAAE2E12EC18E8837DF7A1B3C87EC46D50C241DEE820FD586197552DC20BEEA50F445A07A38F1768A39E2B2FF05DDDEDF751F1DEF612D2E4D810DAA3A0CC904516F9A43AF660315385178A529E51F8AAE141808C8BC5D7B60CAC26BB984AC1890D0436EF780426C547E94A7B08F01ACBFC4A3825EAE04F520A9016F2FB8BF5165ED12736FC71E36A49A73614739EAA3EC834069B1B40F1350C2B3AB885C02C640B9F7686ED5F99527E41CFCD796FE4C256C9173186C226169FF257954EBDA81C0E5F99"), SHEX("F55AA01DEAB12148E35759DB818F1059351165E9E6F93D342F0ABFCA102E0801")); test_hash(&nettle_sha3_256, /* 240 octets */ SHEX("5FCE8109A358570E40983E1184E541833BB9091E280F258CFB144387B05D190E431CB19BAA67273BA0C58ABE91308E1844DCD0B3678BAA42F335F2FA05267A0240B3C718A5942B3B3E3BFA98A55C25A1466E8D7A603722CB2BBF03AFA54CD769A99F310735EE5A05DAE2C22D397BD95635F58C48A67F90E1B73AAFCD3F82117F0166657838691005B18DA6F341D6E90FC1CDB352B30FAE45D348294E501B63252DE14740F2B85AE5299DDEC3172DE8B6D0BA219A20A23BB5E10FF434D39DB3F583305E9F5C039D98569E377B75A70AB837D1DF269B8A4B566F40BB91B577455FD3C356C914FA06B9A7CE24C7317A172D"), SHEX("7C0BDA7CB42DADBD037F50A5F27E3AB5DA258D4670F1BEA90154C87C98136BA1")); test_hash(&nettle_sha3_256, /* 241 octets */ SHEX("6172F1971A6E1E4E6170AFBAD95D5FEC99BF69B24B674BC17DD78011615E502DE6F56B86B1A71D3F4348087218AC7B7D09302993BE272E4A591968AEF18A1262D665610D1070EE91CC8DA36E1F841A69A7A682C580E836941D21D909A3AFC1F0B963E1CA5AB193E124A1A53DF1C587470E5881FB54DAE1B0D840F0C8F9D1B04C645BA1041C7D8DBF22030A623AA15638B3D99A2C400FF76F3252079AF88D2B37F35EE66C1AD7801A28D3D388AC450B97D5F0F79E4541755356B3B1A5696B023F39AB7AB5F28DF4202936BC97393B93BC915CB159EA1BD7A0A414CB4B7A1AC3AF68F50D79F0C9C7314E750F7D02FAA58BFA"), SHEX("F60C53BA2132293B881F0513E7AB47FE9746ED4A6AC9CADE61E6D802D5872372")); test_hash(&nettle_sha3_256, /* 242 octets */ SHEX("5668ECD99DFBE215C4118398AC9C9EAF1A1433FAB4CCDD3968064752B625EA944731F75D48A27D047D67547F14DD0FFAA55FA5E29F7AF0D161D85EAFC4F2029B717C918EAB9D304543290BDBA7158B68020C0BA4E079BC95B5BC0FC044A992B94B4CCD3BD66D0EABB5DBBAB904D62E00752C4E3B0091D773BCF4C14B4377DA3EFFF824B1CB2FA01B32D1E46C909E626ED2DAE920F4C7DBEB635BC754FACBD8D49BEBA3F23C1C41CCBFCD0EE0C114E69737F5597C0BF1D859F0C767E18002AE8E39C26261FFDE2920D3D0BAF0E906138696CFE5B7E32B600F45DF3AAA39932F3A7DF95B60FA8712A2271FCAF3911CE7B511B1"), SHEX("1C66B9A7C50ED77D179A0C437D5890C9835A13F90A73A01332AB0731A41A115E")); test_hash(&nettle_sha3_256, /* 243 octets */ SHEX("03D625488354DF30E3F875A68EDFCF340E8366A8E1AB67F9D5C5486A96829DFAC0578289082B2A62117E1CF418B43B90E0ADC881FC6AE8105C888E9ECD21AEA1C9AE1A4038DFD17378FED71D02AE492087D7CDCD98F746855227967CB1AB4714261EE3BEAD3F4DB118329D3EBEF4BC48A875C19BA763966DA0EBEA800E01B2F50B00E9DD4CACA6DCB314D00184EF71EA2391D760C950710DB4A70F9212FFC54861F9DC752CE18867B8AD0C48DF8466EF7231E7AC567F0EB55099E622EBB86CB237520190A61C66AD34F1F4E289CB3282AE3EAAC6152ED24D2C92BAE5A7658252A53C49B7B02DFE54FDB2E90074B6CF310AC661"), SHEX("48A00BA224AC5558F41A79F52137DB9182A93F1045D43789E5913D7BE40408C2")); test_hash(&nettle_sha3_256, /* 244 octets */ SHEX("2EDC282FFB90B97118DD03AAA03B145F363905E3CBD2D50ECD692B37BF000185C651D3E9726C690D3773EC1E48510E42B17742B0B0377E7DE6B8F55E00A8A4DB4740CEE6DB0830529DD19617501DC1E9359AA3BCF147E0A76B3AB70C4984C13E339E6806BB35E683AF8527093670859F3D8A0FC7D493BCBA6BB12B5F65E71E705CA5D6C948D66ED3D730B26DB395B3447737C26FAD089AA0AD0E306CB28BF0ACF106F89AF3745F0EC72D534968CCA543CD2CA50C94B1456743254E358C1317C07A07BF2B0ECA438A709367FAFC89A57239028FC5FECFD53B8EF958EF10EE0608B7F5CB9923AD97058EC067700CC746C127A61EE3"), SHEX("240A85EAF7F3016C192AD5E17E5F93B643FE3EDBA719F423693A34DA3784827A")); test_hash(&nettle_sha3_256, /* 245 octets */ SHEX("90B28A6AA1FE533915BCB8E81ED6CACDC10962B7FF82474F845EEB86977600CF70B07BA8E3796141EE340E3FCE842A38A50AFBE90301A3BDCC591F2E7D9DE53E495525560B908C892439990A2CA2679C5539FFDF636777AD9C1CDEF809CDA9E8DCDB451ABB9E9C17EFA4379ABD24B182BD981CAFC792640A183B61694301D04C5B3EAAD694A6BD4CC06EF5DA8FA23B4FA2A64559C5A68397930079D250C51BCF00E2B16A6C49171433B0AADFD80231276560B80458DD77089B7A1BBCC9E7E4B9F881EACD6C92C4318348A13F4914EB27115A1CFC5D16D7FD94954C3532EFACA2CAB025103B2D02C6FD71DA3A77F417D7932685888A"), SHEX("2AA9D0A1D9B9B691B4B8641E68D454D2D9C34CE43A5B55DD57590716B8A46CF7")); test_hash(&nettle_sha3_256, /* 246 octets */ SHEX("2969447D175490F2AA9BB055014DBEF2E6854C95F8D60950BFE8C0BE8DE254C26B2D31B9E4DE9C68C9ADF49E4EE9B1C2850967F29F5D08738483B417BB96B2A56F0C8ACA632B552059C59AAC3F61F7B45C966B75F1D9931FF4E596406378CEE91AAA726A3A84C33F37E9CDBE626B5745A0B06064A8A8D56E53AAF102D23DD9DF0A3FDF7A638509A6761A33FA42FA8DDBD8E16159C93008B53765019C3F0E9F10B144CE2AC57F5D7297F9C9949E4FF68B70D339F87501CE8550B772F32C6DA8AD2CE2100A895D8B08FA1EEAD7C376B407709703C510B50F87E73E43F8E7348F87C3832A547EF2BBE5799ABEDCF5E1F372EA809233F006"), SHEX("58C469E1A76835CC1A897B885B1B2A33B0AABCE4CFBB65523D2E0D08D6D1A413")); test_hash(&nettle_sha3_256, /* 247 octets */ SHEX("721645633A44A2C78B19024EAECF58575AB23C27190833C26875DC0F0D50B46AEA9C343D82EA7D5B3E50EC700545C615DAEAEA64726A0F05607576DCD396D812B03FB6551C641087856D050B10E6A4D5577B82A98AFB89CEE8594C9DC19E79FEFF0382FCFD127F1B803A4B9946F4AC9A4378E1E6E041B1389A53E3450CD32D9D2941B0CBABDB50DA8EA2513145164C3AB6BCBD251C448D2D4B087AC57A59C2285D564F16DA4ED5E607ED979592146FFB0EF3F3DB308FB342DF5EB5924A48256FC763141A278814C82D6D6348577545870AE3A83C7230AC02A1540FE1798F7EF09E335A865A2AE0949B21E4F748FB8A51F44750E213A8FB"), SHEX("6C8DF81B1E1ED70A5413368018DB9628B0E0B4563423C051A54D000AADDE0C06")); test_hash(&nettle_sha3_256, /* 248 octets */ SHEX("6B860D39725A14B498BB714574B4D37CA787404768F64C648B1751B353AC92BAC2C3A28EA909FDF0423336401A02E63EC24325300D823B6864BB701F9D7C7A1F8EC9D0AE3584AA6DD62EA1997CD831B4BABD9A4DA50932D4EFDA745C61E4130890E156AEE6113716DAF95764222A91187DB2EFFEA49D5D0596102D619BD26A616BBFDA8335505FBB0D90B4C180D1A2335B91538E1668F9F9642790B4E55F9CAB0FE2BDD2935D001EE6419ABAB5457880D0DBFF20ED8758F4C20FE759EFB33141CF0E892587FE8187E5FBC57786B7E8B089612C936DFC03D27EFBBE7C8673F1606BD51D5FF386F4A7AB68EDF59F385EB1291F117BFE717399"), SHEX("108FFF41D5BCF654071B4414E666FDEBBE878C309D6DDC90AFAF5C61DF8559F0")); test_hash(&nettle_sha3_256, /* 249 octets */ SHEX("6A01830AF3889A25183244DECB508BD01253D5B508AB490D3124AFBF42626B2E70894E9B562B288D0A2450CFACF14A0DDAE5C04716E5A0082C33981F6037D23D5E045EE1EF2283FB8B6378A914C5D9441627A722C282FF452E25A7EA608D69CEE4393A0725D17963D0342684F255496D8A18C2961145315130549311FC07F0312FB78E6077334F87EAA873BEE8AA95698996EB21375EB2B4EF53C14401207DEB4568398E5DD9A7CF97E8C9663E23334B46912F8344C19EFCF8C2BA6F04325F1A27E062B62A58D0766FC6DB4D2C6A1928604B0175D872D16B7908EBC041761187CC785526C2A3873FEAC3A642BB39F5351550AF9770C328AF7B"), SHEX("751EAAAFA4AEC8ACD26606D6439C55B5C66EC7DB807579EDC68994B300F7A077")); test_hash(&nettle_sha3_256, /* 250 octets */ SHEX("B3C5E74B69933C2533106C563B4CA20238F2B6E675E8681E34A389894785BDADE59652D4A73D80A5C85BD454FD1E9FFDAD1C3815F5038E9EF432AAC5C3C4FE840CC370CF86580A6011778BBEDAF511A51B56D1A2EB68394AA299E26DA9ADA6A2F39B9FAFF7FBA457689B9C1A577B2A1E505FDF75C7A0A64B1DF81B3A356001BF0DF4E02A1FC59F651C9D585EC6224BB279C6BEBA2966E8882D68376081B987468E7AED1EF90EBD090AE825795CDCA1B4F09A979C8DFC21A48D8A53CDBB26C4DB547FC06EFE2F9850EDD2685A4661CB4911F165D4B63EF25B87D0A96D3DFF6AB0758999AAD214D07BD4F133A6734FDE445FE474711B69A98F7E2B"), SHEX("90C2D5F8E26B0BDDEA719064BB02A6242F2CC5A42936B14FE17F861B47B7E186")); test_hash(&nettle_sha3_256, /* 251 octets */ SHEX("83AF34279CCB5430FEBEC07A81950D30F4B66F484826AFEE7456F0071A51E1BBC55570B5CC7EC6F9309C17BF5BEFDD7C6BA6E968CF218A2B34BD5CF927AB846E38A40BBD81759E9E33381016A755F699DF35D660007B5EADF292FEEFB735207EBF70B5BD17834F7BFA0E16CB219AD4AF524AB1EA37334AA66435E5D397FC0A065C411EBBCE32C240B90476D307CE802EC82C1C49BC1BEC48C0675EC2A6C6F3ED3E5B741D13437095707C565E10D8A20B8C20468FF9514FCF31B4249CD82DCEE58C0A2AF538B291A87E3390D737191A07484A5D3F3FB8C8F15CE056E5E5F8FEBE5E1FB59D6740980AA06CA8A0C20F5712B4CDE5D032E92AB89F0AE1"), SHEX("3298A95CFE59B9D6CAB99C36DC1324194C09F97F08944A02D9574BBCA3186B41")); test_hash(&nettle_sha3_256, /* 252 octets */ SHEX("A7ED84749CCC56BB1DFBA57119D279D412B8A986886D810F067AF349E8749E9EA746A60B03742636C464FC1EE233ACC52C1983914692B64309EDFDF29F1AB912EC3E8DA074D3F1D231511F5756F0B6EEAD3E89A6A88FE330A10FACE267BFFBFC3E3090C7FD9A850561F363AD75EA881E7244F80FF55802D5EF7A1A4E7B89FCFA80F16DF54D1B056EE637E6964B9E0FFD15B6196BDD7DB270C56B47251485348E49813B4EB9ED122A01B3EA45AD5E1A929DF61D5C0F3E77E1FDC356B63883A60E9CBB9FC3E00C2F32DBD469659883F690C6772E335F617BC33F161D6F6984252EE12E62B6000AC5231E0C9BC65BE223D8DFD94C5004A101AF9FD6C0FB"), SHEX("1C4172928CB10E16AB3CDB33F815103B000A6C7D62376CAD29AF03F4B2B0E103")); test_hash(&nettle_sha3_256, /* 253 octets */ SHEX("A6FE30DCFCDA1A329E82AB50E32B5F50EB25C873C5D2305860A835AECEE6264AA36A47429922C4B8B3AFD00DA16035830EDB897831C4E7B00F2C23FC0B15FDC30D85FB70C30C431C638E1A25B51CAF1D7E8B050B7F89BFB30F59F0F20FECFF3D639ABC4255B3868FC45DD81E47EB12AB40F2AAC735DF5D1DC1AD997CEFC4D836B854CEE9AC02900036F3867FE0D84AFFF37BDE3308C2206C62C4743375094108877C73B87B2546FE05EA137BEDFC06A2796274099A0D554DA8F7D7223A48CBF31B7DECAA1EBC8B145763E3673168C1B1B715C1CD99ECD3DDB238B06049885ECAD9347C2436DFF32C771F34A38587A44A82C5D3D137A03CAA27E66C8FF6"), SHEX("F5CFB4DF3F7C5A778F38A3B43B26479A0E8A49030C59AC19FB0CFA806081CA4A")); test_hash(&nettle_sha3_256, /* 254 octets */ SHEX("83167FF53704C3AA19E9FB3303539759C46DD4091A52DDAE9AD86408B69335989E61414BC20AB4D01220E35241EFF5C9522B079FBA597674C8D716FE441E566110B6211531CECCF8FD06BC8E511D00785E57788ED9A1C5C73524F01830D2E1148C92D0EDC97113E3B7B5CD3049627ABDB8B39DD4D6890E0EE91993F92B03354A88F52251C546E64434D9C3D74544F23FB93E5A2D2F1FB15545B4E1367C97335B0291944C8B730AD3D4789273FA44FB98D78A36C3C3764ABEEAC7C569C1E43A352E5B770C3504F87090DEE075A1C4C85C0C39CF421BDCC615F9EFF6CB4FE6468004AECE5F30E1ECC6DB22AD9939BB2B0CCC96521DFBF4AE008B5B46BC006E"), SHEX("06AB8FDBE4DCE935E42003C17FF60BA236F43A843995B7FEF3A29DFE0C82F1D4")); test_hash(&nettle_sha3_256, /* 255 octets */ SHEX("3A3A819C48EFDE2AD914FBF00E18AB6BC4F14513AB27D0C178A188B61431E7F5623CB66B23346775D386B50E982C493ADBBFC54B9A3CD383382336A1A0B2150A15358F336D03AE18F666C7573D55C4FD181C29E6CCFDE63EA35F0ADF5885CFC0A3D84A2B2E4DD24496DB789E663170CEF74798AA1BBCD4574EA0BBA40489D764B2F83AADC66B148B4A0CD95246C127D5871C4F11418690A5DDF01246A0C80A43C70088B6183639DCFDA4125BD113A8F49EE23ED306FAAC576C3FB0C1E256671D817FC2534A52F5B439F72E424DE376F4C565CCA82307DD9EF76DA5B7C4EB7E085172E328807C02D011FFBF33785378D79DC266F6A5BE6BB0E4A92ECEEBAEB1"), SHEX("C11F3522A8FB7B3532D80B6D40023A92B489ADDAD93BF5D64B23F35E9663521C")); } nettle-3.10/testsuite/dlopen-test.c0000644000175000017500000000142214633602172016412 0ustar nissenisse#include "testutils.h" #include "version.h" #if HAVE_DLFCN_H #include #endif #ifdef __APPLE__ #define SO_EXT "dylib" #else #define SO_EXT "so" #endif int main (int argc UNUSED, char **argv UNUSED) { #if HAVE_LIBDL void *handle = dlopen ("../libnettle." SO_EXT, RTLD_NOW); int (*get_version)(void); if (!handle) { fprintf (stderr, "dlopen failed: %s\n", dlerror()); FAIL (); } get_version = (int(*)(void)) dlsym (handle, "nettle_version_minor"); if (!get_version) { fprintf (stderr, "dlsym failed: %s\n", dlerror()); FAIL (); } if (get_version() != NETTLE_VERSION_MINOR) { fprintf (stderr, "unexpected nettle version\n"); FAIL (); } dlclose (handle); return EXIT_SUCCESS; #else SKIP(); #endif } nettle-3.10/testsuite/eax-test.c0000644000175000017500000000603714633602172015715 0ustar nissenisse#include "testutils.h" #include "nettle-internal.h" void test_main(void) { /* From the EAX specification, http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf */ test_aead(&nettle_eax_aes128, NULL, SHEX("233952DEE4D5ED5F9B9C6D6FF80FF478"), /* key */ SHEX("6BFB914FD07EAE6B"), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("62EC67F9C3A4A407FCB2A8C49031A8B3"), /* nonce */ SHEX("E037830E8389F27B025A2D6527E79D01")); /* tag */ test_aead(&nettle_eax_aes128, NULL, SHEX("91945D3F4DCBEE0BF45EF52255F095A4"), SHEX("FA3BFD4806EB53FA"), SHEX("F7FB"), SHEX("19DD"), SHEX("BECAF043B0A23D843194BA972C66DEBD"), SHEX("5C4C9331049D0BDAB0277408F67967E5")); test_aead(&nettle_eax_aes128, NULL, SHEX("01F74AD64077F2E704C0F60ADA3DD523"), SHEX("234A3463C1264AC6"), SHEX("1A47CB4933"), SHEX("D851D5BAE0"), SHEX("70C3DB4F0D26368400A10ED05D2BFF5E"), SHEX("3A59F238A23E39199DC9266626C40F80")); test_aead(&nettle_eax_aes128, NULL, SHEX("D07CF6CBB7F313BDDE66B727AFD3C5E8"), SHEX("33CCE2EABFF5A79D"), SHEX("481C9E39B1"), SHEX("632A9D131A"), SHEX("8408DFFF3C1A2B1292DC199E46B7D617"), SHEX("D4C168A4225D8E1FF755939974A7BEDE")); test_aead(&nettle_eax_aes128, NULL, SHEX("35B6D0580005BBC12B0587124557D2C2"), SHEX("AEB96EAEBE2970E9"), SHEX("40D0C07DA5E4"), SHEX("071DFE16C675"), SHEX("FDB6B06676EEDC5C61D74276E1F8E816"), SHEX("CB0677E536F73AFE6A14B74EE49844DD")); test_aead(&nettle_eax_aes128, NULL, SHEX("BD8E6E11475E60B268784C38C62FEB22"), SHEX("D4482D1CA78DCE0F"), SHEX("4DE3B35C3FC039245BD1FB7D"), SHEX("835BB4F15D743E350E728414"), SHEX("6EAC5C93072D8E8513F750935E46DA1B"), SHEX("ABB8644FD6CCB86947C5E10590210A4F")); test_aead(&nettle_eax_aes128, NULL, SHEX("7C77D6E813BED5AC98BAA417477A2E7D"), SHEX("65D2017990D62528"), SHEX("8B0A79306C9CE7ED99DAE4F87F8DD61636"), SHEX("02083E3979DA014812F59F11D52630DA30"), SHEX("1A8C98DCD73D38393B2BF1569DEEFC19"), SHEX("137327D10649B0AA6E1C181DB617D7F2")); test_aead(&nettle_eax_aes128, NULL, SHEX("5FFF20CAFAB119CA2FC73549E20F5B0D"), SHEX("54B9F04E6A09189A"), SHEX("1BDA122BCE8A8DBAF1877D962B8592DD2D56"), SHEX("2EC47B2C4954A489AFC7BA4897EDCDAE8CC3"), SHEX("DDE59B97D722156D4D9AFF2BC7559826"), SHEX("3B60450599BD02C96382902AEF7F832A")); test_aead(&nettle_eax_aes128, NULL, SHEX("A4A4782BCFFD3EC5E7EF6D8C34A56123"), SHEX("899A175897561D7E"), SHEX("6CF36720872B8513F6EAB1A8A44438D5EF11"), SHEX("0DE18FD0FDD91E7AF19F1D8EE8733938B1E8"), SHEX("B781FCF2F75FA5A8DE97A9CA48E522EC"), SHEX("E7F6D2231618102FDB7FE55FF1991700")); test_aead(&nettle_eax_aes128, NULL, SHEX("8395FCF1E95BEBD697BD010BC766AAC3"), SHEX("126735FCC320D25A"), SHEX("CA40D7446E545FFAED3BD12A740A659FFBBB3CEAB7"), SHEX("CB8920F87A6C75CFF39627B56E3ED197C552D295A7"), SHEX("22E7ADD93CFC6393C57EC0B3C17D6B44"), SHEX("CFC46AFC253B4652B1AF3795B124AB6E")); } nettle-3.10/testsuite/rsa-sec-decrypt-test.c0000644000175000017500000001050014633602172020133 0ustar nissenisse#include "testutils.h" #include "rsa.h" #include "knuth-lfib.h" #define MARK_MPZ_LIMBS_UNDEFINED(x) \ mark_bytes_undefined (mpz_size (x) * sizeof (mp_limb_t), mpz_limbs_read (x)) #define MARK_MPZ_LIMBS_DEFINED(x) \ mark_bytes_defined (mpz_size (x) * sizeof (mp_limb_t), mpz_limbs_read (x)) static int rsa_decrypt_for_test(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t length, uint8_t *message, const mpz_t gibberish) { int ret; /* Makes valgrind trigger on any branches depending on the input data. Except that (i) we have to allow rsa_sec_compute_root_tr to check that p and q are odd, (ii) mpn_sec_div_r may leak information about the most significant bits of p and q, due to normalization check and table lookup in invert_limb, and (iii) mpn_sec_powm may leak information about the least significant bits of p and q, due to table lookup in binvert_limb. */ mark_bytes_undefined (length, message); MARK_MPZ_LIMBS_UNDEFINED(key->a); MARK_MPZ_LIMBS_UNDEFINED(key->b); MARK_MPZ_LIMBS_UNDEFINED(key->c); mark_bytes_undefined ((mpz_size (key->p) - 3) * sizeof(mp_limb_t), mpz_limbs_read (key->p) + 1); mark_bytes_undefined((mpz_size (key->q) - 3) * sizeof(mp_limb_t), mpz_limbs_read (key->q) + 1); ret = rsa_sec_decrypt (pub, key, random_ctx, random, length, message, gibberish); mark_bytes_defined (length, message); mark_bytes_defined (sizeof(ret), &ret); MARK_MPZ_LIMBS_DEFINED(key->a); MARK_MPZ_LIMBS_DEFINED(key->b); MARK_MPZ_LIMBS_DEFINED(key->c); MARK_MPZ_LIMBS_DEFINED(key->p); MARK_MPZ_LIMBS_DEFINED(key->q); return ret; } #define PAYLOAD_SIZE 50 #define DECRYPTED_SIZE 256 void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; struct knuth_lfib_ctx random_ctx; uint8_t plaintext[PAYLOAD_SIZE]; uint8_t decrypted[DECRYPTED_SIZE]; uint8_t verifybad[PAYLOAD_SIZE]; unsigned n_size = 1024; mpz_t gibberish; mpz_t garbage; unsigned count; #if NETTLE_USE_MINI_GMP if (test_side_channel) SKIP(); #endif rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init(gibberish); mpz_init(garbage); knuth_lfib_init (&random_ctx, 19); memset(verifybad, 'A', PAYLOAD_SIZE); for (count = 1; count < 20; count++) { ASSERT (rsa_generate_keypair(&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, NULL, NULL, n_size, 17)); /* the next key will be 19 bits larger */ n_size += 19; knuth_lfib_random (&random_ctx, PAYLOAD_SIZE, plaintext); ASSERT(rsa_encrypt(&pub, &random_ctx, (nettle_random_func *) knuth_lfib_random, PAYLOAD_SIZE, plaintext, gibberish)); /* good decryption */ ASSERT (rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, PAYLOAD_SIZE, decrypted, gibberish) == 1); ASSERT (MEMEQ (PAYLOAD_SIZE, plaintext, decrypted)); ASSERT (pub.size > 10); ASSERT (pub.size <= DECRYPTED_SIZE); /* Check that too large message length is rejected, largest valid size is pub.size - 11. */ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, pub.size - 10, decrypted, gibberish)); /* This case used to result in arithmetic underflow and a crash. */ ASSERT (!rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, pub.size, decrypted, gibberish)); /* bad one */ memcpy(decrypted, verifybad, PAYLOAD_SIZE); nettle_mpz_random_size(garbage, &random_ctx, (nettle_random_func *) knuth_lfib_random, mpz_sizeinbase(gibberish, 2)); ASSERT (rsa_decrypt_for_test (&pub, &key, &random_ctx, (nettle_random_func *) knuth_lfib_random, PAYLOAD_SIZE, decrypted, garbage) == 0); ASSERT (MEMEQ (PAYLOAD_SIZE, verifybad, decrypted)); } rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(gibberish); mpz_clear(garbage); } nettle-3.10/testsuite/rsa-sign-tr-test.c0000644000175000017500000001410214633602172017276 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" #define MSG1 "None so blind as those who will not see" #define MSG2 "Fortune knocks once at every man's door" static void test_rsa_sign_tr(struct rsa_public_key *pub, struct rsa_private_key *key, unsigned di_length, const uint8_t *di, mpz_t expected) { mpz_t signature; struct knuth_lfib_ctx lfib; knuth_lfib_init(&lfib, 1111); mpz_init(signature); mpz_set_ui (signature, 17); /* Try bad private key */ mpz_add_ui(key->p, key->p, 2); ASSERT(!rsa_pkcs1_sign_tr(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, di_length, di, signature)); mpz_sub_ui(key->p, key->p, 2); ASSERT(!mpz_cmp_ui(signature, 17)); /* Try the good private key */ ASSERT(rsa_pkcs1_sign_tr(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, di_length, di, signature)); if (verbose) { fprintf(stderr, "rsa-pkcs1-tr signature: "); mpz_out_str(stderr, 16, signature); fprintf(stderr, "\nrsa-pkcs1-tr expected: "); mpz_out_str(stderr, 16, expected); fprintf(stderr, "\n"); } ASSERT (mpz_cmp(signature, expected) == 0); /* Try bad data */ ASSERT (!rsa_pkcs1_verify(pub, 16, (void*)"The magick words", signature)); /* Try correct data */ ASSERT (rsa_pkcs1_verify(pub, di_length, di, signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!rsa_pkcs1_verify(pub, di_length, di, signature)); mpz_clear(signature); } void test_main(void) { struct rsa_public_key pub; struct rsa_private_key key; mpz_t expected; mpz_init(expected); rsa_private_key_init(&key); rsa_public_key_init(&pub); test_rsa_set_key_1(&pub, &key); /* Test signatures */ mpz_set_str(expected, "23bd361a622bc35450a30ae332d8dad050c6bad5cae0b61c5bee29" "db876d7fe098472fc7933f2cc1121c0fc8a414c71a98189c66077b" "fe3d58d08dc242bbcfdf2c905b91de0e479a8b4b159a45fe1789db" "abdaf88aa704e7558f24f5a0be382619758061cde89e9c730ac6db" "ef005bfad5a936633e3dfccc37b2214e2", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG1), expected); mpz_set_str(expected, "15bd817f53501f8eb6693283004546ba14f19dd4da742b1e30a7b2" "1db309cd3f36f821f565d31c1ed2df8b6648dd8bdb218f841f5506" "a437825999aaf3ef77dff9a1fc7631ce0e99f851f4166ae67caed9" "820a764e44274a898ddd72f4c7115ba49d332f4fa929ee6dce4d61" "39fef8d8d25d4c9ff857689846e5cac26d", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG2), expected); /* 777-bit key, generated by * * lsh-keygen -a rsa -l 777 -f advanced-hex * * Interesting because the size of n doesn't equal the sum of the * sizes of p and q. * * (private-key (rsa-pkcs1 * (n #013b04440e3eef25 d51c738d508a7fa8 b3445180c342af0f * 4cb5a789047300e2 cfc5c5450974cfc2 448aeaaa7f43c374 * c9a3b038b181f2d1 0f1a2327fd2c087b a49bf1086969fd2c * d1df3fd69f81fa4b 162cc8bbb363fc95 b7b24b9c53d0c67e * f52b#) * (e #3f1a012d#) * (d #f9bae89dacca6cca c21e0412b4df8355 6fe7c5322bbae8ad * 3f11494fd12bc076 d4a7da3050fe109d 2074db09cc6a93b4 * 745479522558379e a0ddfa74f86c9e9e a22c3b0e93d51447 * 0feb38105dd35395 63b91ee32776f40c 67b2a175690f7abb * 25#) * (p #0b73c990eeda0a2a 2c26416052c85560 0c5c0f5ce86a8326 * 166acea91786237a 7ff884e66dbfdd3a ab9d9801414c1506 * 8b#) * (q #1b81c19a62802a41 9c99283331b0badb 08eb0c25ffce0fbf * 50017850036f32f3 2132a845b91a5236 61f7b451d587383f * e1#) * (a #0a912fc93a6cca6b 3521725a3065b3be 3c9745e29c93303d * 7d29316c6cafa4a2 89945f964fcdea59 1f9d248b0b6734be * c9#) * (b #1658eca933251813 1eb19c77aba13d73 e0b8f4ce986d7615 * 764c6b0b03c18146 46b7f332c43e05c5 351e09006979ca5b * 05#) * (c #0114720dace7b27f 2bf2850c1804869f 79a0aad0ec02e6b4 * 05e1831619db2f10 bb9b6a8fd5c95df2 eb78f303ea0c0cc8 * 06#))) */ mpz_set_str(pub.n, "013b04440e3eef25" "d51c738d508a7fa8" "b3445180c342af0f" "4cb5a789047300e2" "cfc5c5450974cfc2" "448aeaaa7f43c374" "c9a3b038b181f2d1" "0f1a2327fd2c087b" "a49bf1086969fd2c" "d1df3fd69f81fa4b" "162cc8bbb363fc95" "b7b24b9c53d0c67e" "f52b", 16); mpz_set_str(pub.e, "3f1a012d", 16); ASSERT (rsa_public_key_prepare(&pub)); mpz_set_str(key.p, "0b73c990eeda0a2a" "2c26416052c85560" "0c5c0f5ce86a8326" "166acea91786237a" "7ff884e66dbfdd3a" "ab9d9801414c1506" "8b", 16); mpz_set_str(key.q, "1b81c19a62802a41" "9c99283331b0badb" "08eb0c25ffce0fbf" "50017850036f32f3" "2132a845b91a5236" "61f7b451d587383f" "e1", 16); mpz_set_str(key.a, "0a912fc93a6cca6b" "3521725a3065b3be" "3c9745e29c93303d" "7d29316c6cafa4a2" "89945f964fcdea59" "1f9d248b0b6734be" "c9", 16); mpz_set_str(key.b, "1658eca933251813" "1eb19c77aba13d73" "e0b8f4ce986d7615" "764c6b0b03c18146" "46b7f332c43e05c5" "351e09006979ca5b" "05", 16); mpz_set_str(key.c, "0114720dace7b27f" "2bf2850c1804869f" "79a0aad0ec02e6b4" "05e1831619db2f10" "bb9b6a8fd5c95df2" "eb78f303ea0c0cc8" "06", 16); ASSERT (rsa_private_key_prepare(&key)); ASSERT (pub.size == key.size); /* Test signatures */ mpz_set_str(expected, "5493d4d774d03f54de2e9bef6818b74a8e22bbe9628b6dec3f178d" "cc0090dab933a0f24bc9ac8aec949558868ea4f8e29d0248e70717" "6c113e8fbd9f1428c45a120378e32febffd4e9aca8102081bb5b90" "0f2914395a220823b700dbd7bd32646e", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG1), expected); /* Test sha1 signature */ mpz_set_str(expected, "126bbd3d9e8649187069d8b6f0f43bd234a53249f765f616647049" "ca49b2c4cc8049440d5a9f1d10fcdf162b40afd9b761bcd30e2c60" "133b2c6f0504fe447038422b835d35448acb0881e894144e4ccaea" "59ce8dd16d3540fcbb84ebd1c5fb37510", 16); test_rsa_sign_tr(&pub, &key, LDATA(MSG2), expected); rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); } nettle-3.10/testsuite/rsa-compute-root-test.c0000644000175000017500000001050414633602172020352 0ustar nissenisse#include "testutils.h" #include #include "rsa.h" #define KEY_COUNT 10 #define COUNT 50 static void random_fn (void *ctx, size_t n, uint8_t *dst) { gmp_randstate_t *rands = (gmp_randstate_t *)ctx; mpz_t r; mpz_init (r); mpz_urandomb (r, *rands, n*8); nettle_mpz_get_str_256 (n, dst, r); mpz_clear (r); } static void test_one (gmp_randstate_t *rands, struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t plaintext) { mpz_t ciphertext; mpz_t decrypted; mpz_init (ciphertext); mpz_init (decrypted); mpz_powm (ciphertext, plaintext, pub->e, pub->n); rsa_compute_root_tr (pub, key, rands, random_fn, decrypted, ciphertext); if (mpz_cmp (plaintext, decrypted)) { fprintf (stderr, "rsa_compute_root_tr failed\n"); fprintf(stderr, "Public key: size=%u\n n:", (unsigned) pub->size); mpz_out_str (stderr, 10, pub->n); fprintf(stderr, "\n e:"); mpz_out_str (stderr, 10, pub->e); fprintf(stderr, "\nPrivate key: size=%u\n p:", (unsigned) key->size); mpz_out_str (stderr, 10, key->p); fprintf(stderr, "\n q:"); mpz_out_str (stderr, 10, key->q); fprintf(stderr, "\n a:"); mpz_out_str (stderr, 10, key->a); fprintf(stderr, "\n b:"); mpz_out_str (stderr, 10, key->b); fprintf(stderr, "\n c:"); mpz_out_str (stderr, 10, key->c); fprintf(stderr, "\n d:"); mpz_out_str (stderr, 10, key->d); fprintf(stderr, "\n"); fprintf (stderr, "plaintext(%u) = ", (unsigned) mpz_sizeinbase (plaintext, 2)); mpz_out_str (stderr, 10, plaintext); fprintf (stderr, "\n"); fprintf (stderr, "ciphertext(%u) = ", (unsigned) mpz_sizeinbase (ciphertext, 2)); mpz_out_str (stderr, 10, ciphertext); fprintf (stderr, "\n"); fprintf (stderr, "decrypted(%u) = ", (unsigned) mpz_sizeinbase (decrypted, 2)); mpz_out_str (stderr, 10, decrypted); fprintf (stderr, "\n"); abort(); } mpz_clear (ciphertext); mpz_clear (decrypted); } #if !NETTLE_USE_MINI_GMP /* We want to generate keypairs that are not "standard" but have more size * variance between q and p. */ static void generate_keypair (gmp_randstate_t rands, struct rsa_public_key *pub, struct rsa_private_key *key) { unsigned long int psize; unsigned long int qsize; mpz_t p1; mpz_t q1; mpz_t phi; mpz_t tmp; int res; mpz_init (p1); mpz_init (q1); mpz_init (phi); mpz_init (tmp); psize = 100 + gmp_urandomm_ui (rands, 400); qsize = 100 + gmp_urandomm_ui (rands, 400); mpz_set_ui (pub->e, 65537); for (;;) { for (;;) { mpz_rrandomb (key->p, rands, psize); mpz_nextprime (key->p, key->p); mpz_sub_ui (p1, key->p, 1); mpz_gcd (tmp, pub->e, p1); if (mpz_cmp_ui (tmp, 1) == 0) break; } for (;;) { mpz_rrandomb (key->q, rands, qsize); mpz_nextprime (key->q, key->q); mpz_sub_ui (q1, key->q, 1); mpz_gcd (tmp, pub->e, q1); if (mpz_cmp_ui (tmp, 1) == 0) break; } if (mpz_invert (key->c, key->q, key->p)) break; } mpz_mul(phi, p1, q1); res = mpz_invert(key->d, pub->e, phi); assert (res); mpz_fdiv_r (key->a, key->d, p1); mpz_fdiv_r (key->b, key->d, q1); mpz_mul (pub->n, key->p, key->q); pub->size = key->size = mpz_size(pub->n) * sizeof(mp_limb_t); mpz_clear (tmp); mpz_clear (phi); mpz_clear (q1); mpz_clear (p1); } #endif void test_main (void) { gmp_randstate_t rands; struct rsa_public_key pub; struct rsa_private_key key; mpz_t plaintext; unsigned i, j; rsa_private_key_init(&key); rsa_public_key_init(&pub); mpz_init (plaintext); gmp_randinit_default (rands); test_randomize(rands); for (j = 0; j < KEY_COUNT; j++) { #if !NETTLE_USE_MINI_GMP generate_keypair(rands, &pub, &key); #else rsa_generate_keypair(&pub, &key, &rands, random_fn, NULL, NULL, 512, 16); #endif /* !NETTLE_USE_MINI_GMP */ for (i = 0; i < COUNT; i++) { mpz_urandomb(plaintext, rands, mpz_sizeinbase(pub.n, 2) - 1); test_one(&rands, &pub, &key, plaintext); } for (i = 0; i < COUNT; i++) { mpz_rrandomb(plaintext, rands, mpz_sizeinbase(pub.n, 2) - 1); test_one(&rands, &pub, &key, plaintext); } } mpz_clear (plaintext); rsa_public_key_clear (&pub); rsa_private_key_clear (&key); gmp_randclear (rands); } nettle-3.10/testsuite/aes-test.c0000644000175000017500000001760614633602172015714 0ustar nissenisse/* This file tests deprecated functions */ #define _NETTLE_ATTRIBUTE_DEPRECATED #include "testutils.h" #include "aes.h" #include "nettle-internal.h" static void test_invert(const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { struct aes_ctx encrypt; struct aes_ctx decrypt; uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; aes_set_encrypt_key (&encrypt, key->length, key->data); aes_encrypt (&encrypt, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "test_invert: Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } aes_invert_key (&decrypt, &encrypt); aes_decrypt (&decrypt, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "test_invert: Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free (data); } /* Old, unified, interface */ static nettle_set_key_func unified_aes128_set_encrypt_key; static nettle_set_key_func unified_aes128_set_encrypt_key; static nettle_set_key_func unified_aes192_set_encrypt_key; static nettle_set_key_func unified_aes192_set_encrypt_key; static nettle_set_key_func unified_aes256_set_encrypt_key; static nettle_set_key_func unified_aes256_set_encrypt_key; static void unified_aes128_set_encrypt_key (void *ctx, const uint8_t *key) { aes_set_encrypt_key (ctx, AES128_KEY_SIZE, key); } static void unified_aes128_set_decrypt_key (void *ctx, const uint8_t *key) { aes_set_decrypt_key (ctx, AES128_KEY_SIZE, key); } static void unified_aes192_set_encrypt_key (void *ctx, const uint8_t *key) { aes_set_encrypt_key (ctx, AES192_KEY_SIZE, key); } static void unified_aes192_set_decrypt_key (void *ctx, const uint8_t *key) { aes_set_decrypt_key (ctx, AES192_KEY_SIZE, key); } static void unified_aes256_set_encrypt_key (void *ctx, const uint8_t *key) { aes_set_encrypt_key (ctx, AES256_KEY_SIZE, key); } static void unified_aes256_set_decrypt_key (void *ctx, const uint8_t *key) { aes_set_decrypt_key (ctx, AES256_KEY_SIZE, key); } #define UNIFIED_AES(bits) { \ "unified-aes" #bits, sizeof(struct aes_ctx), \ AES_BLOCK_SIZE, AES ## bits ## _KEY_SIZE, \ unified_aes ## bits ##_set_encrypt_key, \ unified_aes ## bits ##_set_decrypt_key, \ (nettle_cipher_func *) aes_encrypt, \ (nettle_cipher_func *) aes_decrypt, \ } const struct nettle_cipher nettle_unified_aes128 = UNIFIED_AES(128); const struct nettle_cipher nettle_unified_aes192 = UNIFIED_AES(192); const struct nettle_cipher nettle_unified_aes256 = UNIFIED_AES(256); static void test_cipher2(const struct nettle_cipher *c1, const struct nettle_cipher *c2, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { test_cipher (c1, key, cleartext, ciphertext); test_cipher (c2, key, cleartext, ciphertext); } void test_main(void) { /* Test both the new interface and the older unified interface. */ /* 128 bit keys */ test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("0001020305060708 0A0B0C0D0F101112"), SHEX("506812A45F08C889 B97F5980038B8359"), SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("14151617191A1B1C 1E1F202123242526"), SHEX("5C6D71CA30DE8B8B 00549984D2EC7D4B"), SHEX("59AB30F4D4EE6E4F F9907EF65B1FB68C")); test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("28292A2B2D2E2F30 323334353738393A"), SHEX("53F3F4C64F8616E4 E7C56199F48F21F6"), SHEX("BF1ED2FCB2AF3FD4 1443B56D85025CB1")); test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("A0A1A2A3A5A6A7A8 AAABACADAFB0B1B2"), SHEX("F5F4F7F684878689 A6A7A0A1D2CDCCCF"), SHEX("CE52AF650D088CA5 59425223F4D32694")); /* 192 bit keys */ test_cipher2(&nettle_aes192, &nettle_unified_aes192, SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C"), SHEX("2D33EEF2C0430A8A 9EBF45E809C40BB6"), SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); /* 256 bit keys */ test_cipher2(&nettle_aes256, &nettle_unified_aes256, SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C 1E1F202123242526"), SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); /* This test case has been problematic with the CBC test case */ test_cipher2(&nettle_aes256, &nettle_unified_aes256, SHEX("8d ae 93 ff fc 78 c9 44" "2a bd 0c 1e 68 bc a6 c7" "05 c7 84 e3 5a a9 11 8b" "d3 16 aa 54 9b 44 08 9e"), SHEX("a5 ce 55 d4 21 15 a1 c6 4a a4 0c b2 ca a6 d1 37"), /* In the cbc test, I once got the bad value * "b2 a0 6c d2 2f df 7d 2c 26 d2 42 88 8f 20 74 a2" */ SHEX("1f 94 fc 85 f2 36 21 06" "4a ea e3 c9 cc 38 01 0e")); /* From draft NIST spec on AES modes. * * F.1 ECB Example Vectors * F.1.1 ECB-AES128-Encrypt */ test_cipher2(&nettle_aes128, &nettle_unified_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("3ad77bb40d7a3660a89ecaf32466ef97" "f5d3d58503b9699de785895a96fdbaaf" "43b1cd7f598ece23881b00e3ed030688" "7b0c785e27e8ad3f8223207104725dd4")); /* F.1.3 ECB-AES192-Encrypt */ test_cipher2(&nettle_aes192, &nettle_unified_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e5 62f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("bd334f1d6e45f25ff712a214571fa5cc" "974104846d0ad3ad7734ecb3ecee4eef" "ef7afd2270e2e60adce0ba2face6444e" "9a4b41ba738d6c72fb16691603c18e0e")); /* F.1.5 ECB-AES256-Encrypt */ test_cipher2(&nettle_aes256, &nettle_unified_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("f3eed1bdb5d2a03c064b5a7e3db181f8" "591ccb10d410ed26dc5ba74a31362870" "b6ed21b99ca6f4f9f153e7b1beafed1d" "23304b7a39f9f3ff067d8d8f9e24ecc7")); /* Test aes_invert_key with src != dst */ test_invert(SHEX("0001020305060708 0A0B0C0D0F101112"), SHEX("506812A45F08C889 B97F5980038B8359"), SHEX("D8F532538289EF7D 06B506A4FD5BE9C9")); test_invert(SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C"), SHEX("2D33EEF2C0430A8A 9EBF45E809C40BB6"), SHEX("DFF4945E0336DF4C 1C56BC700EFF837F")); test_invert(SHEX("0001020305060708 0A0B0C0D0F101112" "14151617191A1B1C 1E1F202123242526"), SHEX("834EADFCCAC7E1B30664B1ABA44815AB"), SHEX("1946DABF6A03A2A2 C3D0B05080AED6FC")); } /* Internal state for the first test case: 0: a7106950 81cf0e5a 8d5574b3 4b929b0c 1: aa1e31c4 c19a8917 12282e4 b23e51eb 2: 14be6dac fede8fdc 8fb98878 a27dfb5c 3: e80a6f32 431515bb 72e8a651 7daf188b 4: c50438c0 d464b2b6 76b875e9 b2b5f574 5: d81ab740 746b4d89 ff033aac 44d5ffa2 6: 52e6bb4a edadc170 24867df4 6e2ad5d5 7: ab1c7365 64d09f00 7718d521 46a3df32 8: f1eaad16 1aefdfb 7ba5724d d8499631 9: 1020300 2030001 3000102 10203 99: 5332f5d8 7def8982 a406b506 c9e95bfd */ nettle-3.10/testsuite/gcm-test.c0000644000175000017500000010553714633602172015713 0ustar nissenisse/* This file tests deprecated functions */ #define _NETTLE_ATTRIBUTE_DEPRECATED #include "testutils.h" #include "nettle-internal.h" #include "gcm.h" #include "ghash-internal.h" static void test_gcm_hash (const struct tstring *msg, const struct tstring *ref) { struct gcm_aes128_ctx ctx; const uint8_t z16[16] = { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }; uint8_t digest[16]; ASSERT (ref->length == sizeof(digest)); gcm_aes128_set_key (&ctx, z16); gcm_aes128_set_iv (&ctx, 16, z16); gcm_aes128_update (&ctx, msg->length, msg->data); gcm_aes128_digest (&ctx, sizeof(digest), digest); if (!MEMEQ (ref->length, ref->data, digest)) { fprintf (stderr, "gcm_hash failed, msg: %s\nOutput: ", msg->data); print_hex (16, digest); fprintf(stderr, "Expected:"); tstring_print_hex(ref); fprintf(stderr, "\n"); FAIL(); } } static void test_ghash_internal (const struct tstring *key, const struct tstring *iv, const struct tstring *message, const struct tstring *digest) { ASSERT (key->length == GCM_BLOCK_SIZE); ASSERT (iv->length == GCM_BLOCK_SIZE); ASSERT (digest->length == GCM_BLOCK_SIZE); ASSERT (message->length % GCM_BLOCK_SIZE == 0); struct gcm_key gcm_key; union nettle_block16 state; /* Mark inputs as "undefined" to valgrind, to get warnings about any branches or memory accesses depending on secret data. */ memcpy (state.b, key->data, GCM_BLOCK_SIZE); mark_bytes_undefined (sizeof(state), &state); _ghash_set_key (&gcm_key, &state); memcpy (state.b, iv->data, GCM_BLOCK_SIZE); mark_bytes_undefined (sizeof(state), &state); mark_bytes_undefined (message->length, message->data); _ghash_update (&gcm_key, &state, message->length / GCM_BLOCK_SIZE, message->data); mark_bytes_defined (sizeof(state), &state); mark_bytes_defined (message->length, message->data); if (!MEMEQ(GCM_BLOCK_SIZE, state.b, digest->data)) { fprintf (stderr, "gcm_hash (internal) failed\n"); fprintf(stderr, "Key: "); tstring_print_hex(key); fprintf(stderr, "\nIV: "); tstring_print_hex(iv); fprintf(stderr, "\nMessage: "); tstring_print_hex(message); fprintf(stderr, "\nOutput: "); print_hex(GCM_BLOCK_SIZE, state.b); fprintf(stderr, "\nExpected:"); tstring_print_hex(digest); fprintf(stderr, "\n"); FAIL(); } } static nettle_set_key_func gcm_unified_aes128_set_key; static nettle_set_key_func gcm_unified_aes128_set_iv; static void gcm_unified_aes128_set_key (void *ctx, const uint8_t *key) { gcm_aes_set_key (ctx, AES128_KEY_SIZE, key); } static void gcm_unified_aes128_set_iv (void *ctx, const uint8_t *iv) { gcm_aes_set_iv (ctx, GCM_IV_SIZE, iv); } static const struct nettle_aead nettle_gcm_unified_aes128 = { "gcm-aes128", sizeof (struct gcm_aes_ctx), GCM_BLOCK_SIZE, AES128_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_unified_aes128_set_key, (nettle_set_key_func *) gcm_unified_aes128_set_key, (nettle_set_key_func *) gcm_unified_aes128_set_iv, (nettle_hash_update_func *) gcm_aes_update, (nettle_crypt_func *) gcm_aes_encrypt, (nettle_crypt_func *) gcm_aes_decrypt, (nettle_hash_digest_func *) gcm_aes_digest }; /* Hack that uses a 16-byte nonce, a 12-byte standard GCM nonce and an explicit initial value for the counter. */ static void gcm_aes128_set_iv_hack (struct gcm_aes128_ctx *ctx, size_t size, const uint8_t *iv) { assert (size == 16); gcm_aes128_set_iv (ctx, 12, iv); memcpy (ctx->gcm.ctr.b + 12, iv + 12, 4); } void test_main(void) { /* * GCM-AES Test Vectors from * http://www.cryptobarn.com/papers/gcm-spec.pdf */ /* Test case 1 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("00000000000000000000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext*/ SHEX("000000000000000000000000"), /* IV */ SHEX("58e2fccefa7e3061367f1d57a4e7455a")); /* tag */ /* Test case 2 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("00000000000000000000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), SHEX("0388dace60b6a392f328c2b971b2fe78"), SHEX("000000000000000000000000"), SHEX("ab6e47d42cec13bdf53a67b21257bddf")); /* Test case 3 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091473f5985"), SHEX("cafebabefacedbaddecaf888"), SHEX("4d5c2af327cd64a62cf35abd2ba6fab4")); /* Test case 4 */ test_aead(&nettle_gcm_aes128, NULL, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091"), SHEX("cafebabefacedbaddecaf888"), SHEX("5bc94fbc3221a5db94fae95ae7121a47")); /* Regression test, same inputs but explicitly setting the counter value. */ test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv_hack, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091"), SHEX("cafebabefacedbaddecaf88800000002"), /* ctr == 2, same as the spec */ SHEX("5bc94fbc3221a5db94fae95ae7121a47")); test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv_hack, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("77ffd1ba63b141ba fb2efb329c9c25ee" "99e5e06e603dd5c6 8efe1cb2cefc0677" "2e7b14dea92760f7 6273dc0cce1d013d" "2ad8c11273fe9496 5448534b"), SHEX("cafebabefacedbaddecaf888ffffffff"), /* ctr == 2^31-1 */ SHEX("83cf46eb0407be56 72f756a4caebcda7")); /* Test case 5 */ test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("61353b4c2806934a777ff51fa22a4755" "699b2a714fcdc6f83766e5f97b6c7423" "73806900e49f24b22b097544d4896b42" "4989b5e1ebac0f07c23f4598"), SHEX("cafebabefacedbad"), SHEX("3612d2e79e3b0785561be14aaca2fccb")); /* Test case 6 */ test_aead(&nettle_gcm_aes128, (nettle_hash_update_func *) gcm_aes128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("8ce24998625615b603a033aca13fb894" "be9112a5c3a211a8ba262a3cca7e2ca7" "01e4a9a4fba43c90ccdcb281d48c7c6f" "d62875d2aca417034c34aee5"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("619cc5aefffe0bfa462af43c1699d050")); /* Same test, but with old gcm_aes interface */ test_aead(&nettle_gcm_unified_aes128, (nettle_hash_update_func *) gcm_aes_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("8ce24998625615b603a033aca13fb894" "be9112a5c3a211a8ba262a3cca7e2ca7" "01e4a9a4fba43c90ccdcb281d48c7c6f" "d62875d2aca417034c34aee5"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("619cc5aefffe0bfa462af43c1699d050")); /* Test 128 bytes */ test_aead(&nettle_gcm_aes128, NULL, SHEX("feffe9928665731c6d6a8f9467308308"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255" "5ae376bc5e9f6a1b08e34db7a6ee0736" "9ba662ea12f6f197e6bc3ed69d2480f3" "ea5691347f2ba69113eb37910ebc18c8" "0f697234582016fa956ca8f63ae6b473"), SHEX("42831ec2217774244b7221b784d0d49c" "e3aa212f2c02a4e035c17e2329aca12e" "21d514b25466931c7d8f6a5aac84aa05" "1ba30b396a0aac973d58e091473f5985" "874b1178906ddbeab04ab2fe6cce8c57" "8d7e961bd13fd6a8c56b66ca5e576492" "1a48cd8bda04e66343e73055118b69b9" "ced486813846958a11e602c03cfc232b"), SHEX("cafebabefacedbaddecaf888"), SHEX("796836f1246c9d735c5e1be0a715ccc3")); /* Test 719 bytes */ test_aead(&nettle_gcm_aes256, NULL, SHEX("6235f895fca5ebf60e921204d3a13f2e" "8b32cfe744ed1359043877b0b9adb438"), SHEX(""), SHEX("42c1cc08486f413f2f11668b2a16f0e0" "5883f0c37014c05b3fec1d253c51d203" "cf59741fb285b407c66a63398a5bdecb" "af0844bd6f9115e1f57a6e18bddd6150" "59a997abbb0e745c00a4435404549b3b" "77ecfd5ca6e87b08aee6103f3265d1fc" "a41d2c31fb337ab33523f42041d4ad82" "8ba4ad961c2053be0ea6f4dc78493e72" "b1a9b583cb0854b7ad493aae98cea666" "1030908c5583d77c8be653ded26e1821" "0152d19f9dbb9c7357cc8909759b7870" "ed26974db4e40ca5fa700470c6961c7d" "544177a8e3b07e9682d9eca2876855f9" "8f9e7343476a08369367a82ddeac41a9" "5c4d73970f7068fa564d00c23b1fc8b9" "781f5107e39a134eed2b2ea3f744b2e7" "ab1937d9ba765ed2f25315174c6b169f" "026649ca7c9105f245361ef577ad1f46" "a813fb63b608996382a2edb3acdf4319" "45ea7873d9b73911a3137cf83ff7ad81" "482fa95c5fa0f079a4477d802026fd63" "0ac77e6d7547ff76662e8a6c8135af0b" "2e6a4960c110e1e15403a4090c377a15" "23275b8b4ba56497ae4a50731f661c5c" "03253c8d485871340eec4e551a036ae5" "b6192b842a20d1ea806f960e0562c778" "8779603846b425576e1663f8ad6ed742" "69e188ef6ed5b49a3c786c3be5a01d22" "865c743aeb2426c709fc919647874f1a" "d66b2c1847c0b824a85a4a9ecb03e72a" "09e64d9c6d8660f52f4869379ff2d2cb" "0e5add6e8afb6afe0b63de8742798a68" "51289b7aebafb82f9dd1c7459008c983" "e98384cb28690969ce99460054cbd838" "f9534abf31ce571533fa96043342e3c0" "b7544a657a7c02e61995d00e820763f9" "e12b2afc559252c9b59f232860e72051" "10d3ed6d9babb8e25d9a34b3be9c64cb" "78c69122409180bed7785c0e0adc08e9" "6710a483987923e792daa92216b1e778" "a31c6c8f357c4d372f6e0b505c34b9f9" "e63d910d3295aa3d481106bb2df26388" "3f7309e245563151fa5e4e62f790f9a9" "7d7b1bb1c8266e66f6909a7ff257cc23" "59fafaaa440401a7a478db743d8bb5"), SHEX("840bdbd5b7a8fe20bbb1127f41eab3c0" "a2b437191158b60b4c1d380554d11673" "8e1c2090a29ab77447e6d8fc183ab4ea" "d5165a2c530146b31833746c50f2e8c0" "73da6022ebe3e59b20936c4b3799b823" "3b4eace85be80fb7c38ffb4a37d93995" "34f1db8f71d9c70b02f163fc9bfcc5ab" "b9141321dfceaa8844301ece260192f8" "9f004b0c4bf75fe089ca9466112197ca" "3e83742ddb4d11eb97c214ff9e1ea06b" "08b4312b85c6856c90ec39c0ecb3b54e" "f39ce7833a770af456fece18336d0b2d" "33dac8055cb4092ade6b529801ef363d" "bdf98fa83eaacdd1012d4249c3b684bb" "4896e090936c4864d4fa7f932ca621c8" "7a237baa205612ae169d940f54a1ecca" "514ef239f4f85f045a0dbff583a115e1" "f53cd862a3ed4789854ce5dbac9e171d" "0c09e33e395b4d740ef534ee70114cfd" "db34b1b5103f73b7f5faedb01fa5cd3c" "8d3583d411446e6c5be00e69a539e5bb" "a9572437e61fddcf162a13f96a2d90a0" "03607aed69d5008b7e4fcbb9fa91b937" "c126ce9097226464c172431bf6acc154" "8a109cdd8dd58eb2e485dae0205ff4b4" "15b5a08d127449233adf4ad3f03b89eb" "f8cc627bfb9307416126945870a63ce4" "ff58c4133dcb366b32e5b26d03746f76" "9377de48c4fa304ada4980770f1cbe11" "c848b1e5bbf28ae1962f9fd18e8a5ce2" "f7d7d854f33fc491b8fb86dc46249160" "6c2fc94137514954098121f3039f2be3" "1f3963aff4d75360a7c754f9eeb1b17d" "75546593feb1686b5702f9bb0ef9f8bf" "011227b4fee4797a405b514bdf38ecb1" "6a56ff354d4233aa6f1be4dce0db8535" "6210d4ecebc57e451c6f17ca3b8e2d66" "4f4b3656cd1b59aad29b17b958df7b64" "8aff3b9ca6b5489eaae25d0971325fb6" "29bee7c7527e91826b6d33e134063621" "5ebe1e2f3ec1fbea492cb5caf7b037ea" "1fed1004d9480d1a1cfbe7840e835374" "c765e25ce5ba734c0ee1b51145614346" "aa258fbd8508fa4c15c1c0d8f5dc16bb" "7b1de38757a72a1d38589e8a43dc57"), SHEX("00ffffffff0000ffffff00ff"), SHEX("d1817d2be9ff993a4b24525855e14914")); /* Same input, but different initial counter value, to trigger wraparound. */ test_aead(&nettle_gcm_aes256, (nettle_hash_update_func *) gcm_aes128_set_iv_hack, SHEX("6235f895fca5ebf60e921204d3a13f2e" "8b32cfe744ed1359043877b0b9adb438"), SHEX(""), SHEX("42c1cc08486f413f2f11668b2a16f0e0" "5883f0c37014c05b3fec1d253c51d203" "cf59741fb285b407c66a63398a5bdecb" "af0844bd6f9115e1f57a6e18bddd6150" "59a997abbb0e745c00a4435404549b3b" "77ecfd5ca6e87b08aee6103f3265d1fc" "a41d2c31fb337ab33523f42041d4ad82" "8ba4ad961c2053be0ea6f4dc78493e72" "b1a9b583cb0854b7ad493aae98cea666" "1030908c5583d77c8be653ded26e1821" "0152d19f9dbb9c7357cc8909759b7870" "ed26974db4e40ca5fa700470c6961c7d" "544177a8e3b07e9682d9eca2876855f9" "8f9e7343476a08369367a82ddeac41a9" "5c4d73970f7068fa564d00c23b1fc8b9" "781f5107e39a134eed2b2ea3f744b2e7" "ab1937d9ba765ed2f25315174c6b169f" "026649ca7c9105f245361ef577ad1f46" "a813fb63b608996382a2edb3acdf4319" "45ea7873d9b73911a3137cf83ff7ad81" "482fa95c5fa0f079a4477d802026fd63" "0ac77e6d7547ff76662e8a6c8135af0b" "2e6a4960c110e1e15403a4090c377a15" "23275b8b4ba56497ae4a50731f661c5c" "03253c8d485871340eec4e551a036ae5" "b6192b842a20d1ea806f960e0562c778" "8779603846b425576e1663f8ad6ed742" "69e188ef6ed5b49a3c786c3be5a01d22" "865c743aeb2426c709fc919647874f1a" "d66b2c1847c0b824a85a4a9ecb03e72a" "09e64d9c6d8660f52f4869379ff2d2cb" "0e5add6e8afb6afe0b63de8742798a68" "51289b7aebafb82f9dd1c7459008c983" "e98384cb28690969ce99460054cbd838" "f9534abf31ce571533fa96043342e3c0" "b7544a657a7c02e61995d00e820763f9" "e12b2afc559252c9b59f232860e72051" "10d3ed6d9babb8e25d9a34b3be9c64cb" "78c69122409180bed7785c0e0adc08e9" "6710a483987923e792daa92216b1e778" "a31c6c8f357c4d372f6e0b505c34b9f9" "e63d910d3295aa3d481106bb2df26388" "3f7309e245563151fa5e4e62f790f9a9" "7d7b1bb1c8266e66f6909a7ff257cc23" "59fafaaa440401a7a478db743d8bb5"), SHEX("abdf2d43d5acea0e 037296441e544e8f" "d9b2fdfc434b3966 be04e88b226b9bbd" "ed6c798834bf5283 30d5a386d49b5a45" "2076bc49acf3d854 c15b52b15ab0008f" "b28069951f2baf3a d845ead585168f25" "b126ea81592fc417 3a4664cb599992dc" "5e2aebeb9a7f0ce3 46d2d100295469f2" "cae1f9190c3f50cd 8f2a4f19ea285453" "cbb7ab12f79807e5 400020da75e12ff6" "3a436705056e46bb abd17cc1e1a33b39" "4df0802b60bbe8cc 3aa5627c70279019" "7dca60f33e0eb11d cda293ac1cbe7454" "66f1c91f205e87a0 c84f06b0d920f973" "a1378dccc7950361 b7e406e557437005" "72fe973681beae6d 4a6947e3776f70f3" "71f9b1b3fbe70a51 2a0b9e6a6e6c7fd9" "b5a3471734e55883 5edddf7fb99001cf" "65fdf667c395724e 1984a0cff12a7c82" "9a740788cfc85c84 10e807d7b1c5860b" "5131eb7445ab198f 21a403a9284e44f0" "4a1383f19c6cf199 5ff1c72c83c3a34e" "f090bb8d3bc9fea0 ce70208e4effac75" "d930d8c81e6ca39a 94795f27d704724e" "873d43d6c4f6b080 221d892ec3a813b8" "9dfbf54b81d03b92 5805df1d3a510a58" "7303010c64c44fff 7fc8e5e7807ddfa0" "24e93a62d5ec07ee 1e12fa6d4676e8e9" "44ebbb62c61055f0 1634038b1306de00" "645de12137a32634 66c482feae4d9212" "5f5e8c48824d47a2 4233de2bf15f797b" "aa4ac69555d2f83c 95f8b5ea6aab9c58" "71efdf2d37dc48e8 045329279fb161ce" "c791d786b8b13ade 934c191376dcbbd7" "fca82eb907b71fe4 1d2c57e11c502933" "e770d742cdfc65d0 0d8f434b76cb5808" "4965dfade4c5a682 8e263fe55bd12052" "835e3ed3e8387163 b77ddc5c210181da" "5ec215b884d353ad 678ca70fc0251c35" "e411707a9649e1bc 4ee3e3b550ee286e" "9f51c98857530d88 e17b6e6dfacbe809" "7e1ed9df02427c7b 59e03f823ee85f35" "65066f1d8cc286b1 e1e13259769b6ebf" "60ebd2d913e6d019 755f6d6811d3e606" "8f42b10f2e02a646 8b0a9b7889b99b7c" "1754b9ee8e03b3c2 5dcf41b71f3c64"), SHEX("00ffffffff0000ff ffff00fffffffffd"), /* ctr == 2^31-3 */ SHEX("d64dd27c678a2827 859bd29e7ea4ae07")); /* Test case 7 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("00000000000000000000000000000000" "0000000000000000"), SHEX(""), SHEX(""), SHEX(""), SHEX("000000000000000000000000"), SHEX("cd33b28ac773f74ba00ed1f312572435")); /* Test case 8 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("00000000000000000000000000000000" "0000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), SHEX("98e7247c07f0fe411c267e4384b0f600"), SHEX("000000000000000000000000"), SHEX("2ff58d80033927ab8ef4d4587514f0fb")); /* Test case 9 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255"), SHEX("3980ca0b3c00e841eb06fac4872a2757" "859e1ceaa6efd984628593b40ca1e19c" "7d773d00c144c525ac619d18c84a3f47" "18e2448b2fe324d9ccda2710acade256"), SHEX("cafebabefacedbaddecaf888"), SHEX("9924a7c8587336bfb118024db8674a14")); /* Test case 10 */ test_aead(&nettle_gcm_aes192, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("3980ca0b3c00e841eb06fac4872a2757" "859e1ceaa6efd984628593b40ca1e19c" "7d773d00c144c525ac619d18c84a3f47" "18e2448b2fe324d9ccda2710"), SHEX("cafebabefacedbaddecaf888"), SHEX("2519498e80f1478f37ba55bd6d27618c")); /* Test case 11 */ test_aead(&nettle_gcm_aes192, (nettle_hash_update_func *) gcm_aes192_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("0f10f599ae14a154ed24b36e25324db8" "c566632ef2bbb34f8347280fc4507057" "fddc29df9a471f75c66541d4d4dad1c9" "e93a19a58e8b473fa0f062f7"), SHEX("cafebabefacedbad"), SHEX("65dcc57fcf623a24094fcca40d3533f8")); /* Test case 12 */ test_aead(&nettle_gcm_aes192, (nettle_hash_update_func *) gcm_aes192_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("d27e88681ce3243c4830165a8fdcf9ff" "1de9a1d8e6b447ef6ef7b79828666e45" "81e79012af34ddd9e2f037589b292db3" "e67c036745fa22e7e9b7373b"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("dcf566ff291c25bbb8568fc3d376a6d9")); /* Test case 13 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX(""), SHEX(""), SHEX(""), SHEX("000000000000000000000000"), SHEX("530f8afbc74536b9a963b4f1c4cb738b")); /* Test case 14 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("00000000000000000000000000000000" "00000000000000000000000000000000"), SHEX(""), SHEX("00000000000000000000000000000000"), SHEX("cea7403d4d606b6e074ec5d3baf39d18"), SHEX("000000000000000000000000"), SHEX("d0d1c8a799996bf0265b98b5d48ab919")); /* Test case 15 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX(""), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b391aafd255"), SHEX("522dc1f099567d07f47f37a32a84427d" "643a8cdcbfe5c0c97598a2bd2555d1aa" "8cb08e48590dbb3da7b08b1056828838" "c5f61e6393ba7a0abcc9f662898015ad"), SHEX("cafebabefacedbaddecaf888"), SHEX("b094dac5d93471bdec1a502270e3cc6c")); /* Test case 16 */ test_aead(&nettle_gcm_aes256, NULL, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("522dc1f099567d07f47f37a32a84427d" "643a8cdcbfe5c0c97598a2bd2555d1aa" "8cb08e48590dbb3da7b08b1056828838" "c5f61e6393ba7a0abcc9f662"), SHEX("cafebabefacedbaddecaf888"), SHEX("76fc6ece0f4e1768cddf8853bb2d551b")); /* Test case 17 */ test_aead(&nettle_gcm_aes256, (nettle_hash_update_func *) gcm_aes256_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("c3762df1ca787d32ae47c13bf19844cb" "af1ae14d0b976afac52ff7d79bba9de0" "feb582d33934a4f0954cc2363bc73f78" "62ac430e64abe499f47c9b1f"), SHEX("cafebabefacedbad"), SHEX("3a337dbf46a792c45e454913fe2ea8f2")); /* Test case 18 */ test_aead(&nettle_gcm_aes256, (nettle_hash_update_func *) gcm_aes256_set_iv, SHEX("feffe9928665731c6d6a8f9467308308" "feffe9928665731c6d6a8f9467308308"), SHEX("feedfacedeadbeeffeedfacedeadbeef" "abaddad2"), SHEX("d9313225f88406e5a55909c5aff5269a" "86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525" "b16aedf5aa0de657ba637b39"), SHEX("5a8def2f0c9e53f1f75d7853659e2a20" "eeb2b22aafde6419a058ab4f6f746bf4" "0fc0c3b780f244452da3ebf1c5d82cde" "a2418997200ef82e44ae7e3f"), SHEX("9313225df88406e555909c5aff5269aa" "6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b5254" "16aedbf5a0de6a57a637b39b"), SHEX("a44a8266ee1c8eb0c8b5d4cf5ae9f19a")); /* * GCM-Camellia Test Vectors obtained from the authors */ /* Test case 1 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("00000000000000000000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext*/ SHEX("000000000000000000000000"), /* IV */ SHEX("f5574acc3148dfcb9015200631024df9")); /* tag */ /* Test case 3 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX(""), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255"), /* plaintext */ SHEX("d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6" "cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f8260614bab815"), /* ciphertext*/ SHEX("cafebabefacedbaddecaf888"), /* IV */ SHEX("86e318012dd8329dc9dae6a170f61b24")); /* tag */ /* Test case 4 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ SHEX("d0d94a13b632f337a0cc9955b94fa020c815f903aab12f1efaf2fe9d90f729a6" "cccbfa986ef2ff2c33de418d9a2529091cf18fe652c1cfde13f82606"), /* ciphertext*/ SHEX("cafebabefacedbaddecaf888"), /* IV */ SHEX("9f458869431576ea6a095456ec6b8101")); /* tag */ /* Test case 5 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ SHEX("28fd7434d5cd424a5353818fc21a982460d20cf632eb1e6c4fbfca17d5abcf6a" "52111086162fe9570e7774c7a912aca3dfa10067ddaad40688645bdd"), /* ciphertext*/ SHEX("cafebabefacedbad"), /* IV */ SHEX("e86f8f2e730c49d536f00fb5225d28b1")); /* tag */ /* Test case 6 */ test_aead(&nettle_gcm_camellia128, (nettle_hash_update_func *) gcm_camellia128_set_iv, SHEX("feffe9928665731c6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeeffeedfacedeadbeefabaddad2"), /* auth data */ SHEX("d9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a72" "1c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b39"), /* plaintext */ SHEX("2e582b8417c93f2ff4f6f7ee3c361e4496e710ee12433baa964987d02f42953e" "402e6f4af407fe08cd2f35123696014c34db19128df4056faebcd647"), /* ciphertext*/ SHEX("9313225df88406e555909c5aff5269aa6a7a9538534f7da1e4c303d2a318a728" "c3c0c95156809539fcf0e2429a6b525416aedbf5a0de6a57a637b39b"), /* IV */ SHEX("ceae5569b2af8641572622731aed3e53")); /* tag */ /* gcm-camellia256 */ /* Test case 13 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX(""), /* plaintext */ SHEX(""), /* ciphertext */ SHEX("000000000000000000000000"), /* iv */ SHEX("9cdb269b5d293bc5db9c55b057d9b591")); /* tag */ /* Test case 14 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("0000000000000000 0000000000000000" "0000000000000000 0000000000000000"), /* key */ SHEX(""), /* auth data */ SHEX("0000000000000000 0000000000000000"), /* plaintext */ SHEX("3d4b2cde666761ba 5dfb305178e667fb"), /* ciphertext */ SHEX("000000000000000000000000"), /* iv */ SHEX("284b63bb143c40ce100fb4dea6bb617b")); /* tag */ /* Test case 15 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX(""), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b391aafd255"), /* plaintext */ SHEX("ad142c11579dd95e 41f3c1f324dabc25" "5864d920f1b65759 d8f560d4948d4477" "58dfdcf77aa9f625 81c7ff572a037f81" "0cb1a9c4b3ca6ed6 38179b776549e092"), /* ciphertext */ SHEX("cafebabefacedbaddecaf888"), /* iv */ SHEX("c912686270a2b9966415fca3be75c468")); /* tag */ /* Test case 16 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeef feedfacedeadbeef" "abaddad2"), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b39"), /* plaintext */ SHEX("ad142c11579dd95e 41f3c1f324dabc25" "5864d920f1b65759 d8f560d4948d4477" "58dfdcf77aa9f625 81c7ff572a037f81" "0cb1a9c4b3ca6ed6 38179b77"), /* ciphertext */ SHEX("cafebabefacedbaddecaf888"), /* iv */ SHEX("4e4b178d8fe26fdc95e2e7246dd94bec")); /* tag */ /* Test case 17 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeef feedfacedeadbeef" "abaddad2"), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b39"), /* plaintext */ SHEX("6ca95fbb7d16577a 9ef2fded94dc85b5" "d40c629f6bef2c64 9888e3cbb0ededc7" "810c04b12c2983bb bbc482e16e45c921" "5ae12c15c55f2f48 09d06652"), /* ciphertext */ SHEX("cafebabefacedbad"), /* iv */ SHEX("e6472b8ebd331bfcc7c0fa63ce094461")); /* tag */ /* Test case 18 */ test_aead(&nettle_gcm_camellia256, (nettle_hash_update_func *) gcm_camellia256_set_iv, SHEX("feffe9928665731c 6d6a8f9467308308" "feffe9928665731c 6d6a8f9467308308"), /* key */ SHEX("feedfacedeadbeef feedfacedeadbeef" "abaddad2"), /* auth data */ SHEX("d9313225f88406e5 a55909c5aff5269a" "86a7a9531534f7da 2e4c303d8a318a72" "1c3c0c9595680953 2fcf0e2449a6b525" "b16aedf5aa0de657 ba637b39"), /* plaintext */ SHEX("e0cddd7564d09c4d c522dd65949262bb" "f9dcdb07421cf67f 3032becb7253c284" "a16e5bf0f556a308 043f53fab9eebb52" "6be7f7ad33d697ac 77c67862"), /* ciphertext */ SHEX("9313225df88406e5 55909c5aff5269aa" "6a7a9538534f7da1 e4c303d2a318a728" "c3c0c95156809539 fcf0e2429a6b5254" "16aedbf5a0de6a57 a637b39b"), /* iv */ SHEX("5791883f822013f8bd136fc36fb9946b")); /* tag */ /* * GCM-SM4 Test Vectors from * https://datatracker.ietf.org/doc/html/rfc8998 */ test_aead(&nettle_gcm_sm4, NULL, SHEX("0123456789ABCDEFFEDCBA9876543210"), SHEX("FEEDFACEDEADBEEFFEEDFACEDEADBEEFABADDAD2"), SHEX("AAAAAAAAAAAAAAAABBBBBBBBBBBBBBBB" "CCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDD" "EEEEEEEEEEEEEEEEFFFFFFFFFFFFFFFF" "EEEEEEEEEEEEEEEEAAAAAAAAAAAAAAAA"), SHEX("17F399F08C67D5EE19D0DC9969C4BB7D" "5FD46FD3756489069157B282BB200735" "D82710CA5C22F0CCFA7CBF93D496AC15" "A56834CBCF98C397B4024A2691233B8D"), SHEX("00001234567800000000ABCD"), SHEX("83DE3541E4C2B58177E065A9BF7B62EC")); /* Test gcm_hash, with varying message size, keys and iv all zero. Not compared to any other implementation. */ test_gcm_hash (SDATA("a"), SHEX("1521c9a442bbf63b 2293a21d4874a5fd")); test_gcm_hash (SDATA("ab"), SHEX("afb4592d2c7c1687 37f27271ee30412a")); test_gcm_hash (SDATA("abc"), SHEX("9543ca3e1662ba03 9a921ec2a20769be")); test_gcm_hash (SDATA("abcd"), SHEX("8f041cc12bcb7e1b 0257a6da22ee1185")); test_gcm_hash (SDATA("abcde"), SHEX("0b2376e5fed58ffb 717b520c27cd5c35")); test_gcm_hash (SDATA("abcdef"), SHEX("9679497a1eafa161 4942963380c1a76f")); test_gcm_hash (SDATA("abcdefg"), SHEX("83862e40339536bc 723d9817f7df8282")); test_gcm_hash (SDATA("abcdefgh"), SHEX("b73bcc4d6815c4dc d7424a04e61b87c5")); test_gcm_hash (SDATA("abcdefghi"), SHEX("8e7846a383f0b3b2 07b01160a5ef993d")); test_gcm_hash (SDATA("abcdefghij"), SHEX("37651643b6f8ecac 4ea1b320e6ea308c")); test_gcm_hash (SDATA("abcdefghijk"), SHEX("c1ce10106ee23286 f00513f55e2226b0")); test_gcm_hash (SDATA("abcdefghijkl"), SHEX("c6a3e32a90196cdf b2c7a415d637e6ca")); test_gcm_hash (SDATA("abcdefghijklm"), SHEX("6cca29389d4444fa 3d20e65497088fd8")); test_gcm_hash (SDATA("abcdefghijklmn"), SHEX("19476a997ec0a824 2022db0f0e8455ce")); test_gcm_hash (SDATA("abcdefghijklmno"), SHEX("f66931cee7eadcbb d42753c3ac3c4c16")); test_gcm_hash (SDATA("abcdefghijklmnop"), SHEX("a79699ce8bed61f9 b8b1b4c5abb1712e")); test_gcm_hash (SDATA("abcdefghijklmnopq"), SHEX("65f8245330febf15 6fd95e324304c258")); test_gcm_hash (SDATA("abcdefghijklmnopqr"), SHEX("d07259e85d4fc998 5a662eed41c8ed1d")); /* Test internal ghash function. */ test_ghash_internal(SHEX("0000000000000000 0000000000000000"), SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("0000000000000000 0000000000000000")); test_ghash_internal(SHEX("8000000000000000 0000000000000000"), /* 1 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("0011223344556677 89abcdef01234567")); test_ghash_internal(SHEX("8000000000000000 0000000000000000"), SHEX("0123456789abcdef fedcba9876543210"), /* XOR:ed to the message */ SHEX("0011223344556677 89abcdef01234567"), SHEX("01326754cdfeab98 7777777777777777")); test_ghash_internal(SHEX("4000000000000000 0000000000000000"), /* x polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("e1089119a22ab33b c4d5e6f78091a2b3")); test_ghash_internal(SHEX("0800000000000000 0000000000000000"), /* x^4 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("54e1122334455667 789abcdef0123456")); test_ghash_internal(SHEX("0000000080000000 0000000000000000"), /* x^32 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("01f870078e112233 4455667789abcdef")); test_ghash_internal(SHEX("0000000000000001 0000000000000000"), /* x^63 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("1e0f1ff13ff0e00f 1c22446688aaccef")); test_ghash_internal(SHEX("0000000000000000 8000000000000000"), /* x^64 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("ee078ff89ff87007 8e11223344556677")); test_ghash_internal(SHEX("0000000000000000 0000000100000000"), /* x^95 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("efc44c3a800f1ff1 3ff0e00f1c224466")); test_ghash_internal(SHEX("0000000000000000 0000000080000000"), /* x^96 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("77e2261d40078ff8 9ff870078e112233")); test_ghash_internal(SHEX("0000000000000000 0000000000000001"), /* x^127 polynomial */ SHEX("0000000000000000 0000000000000000"), SHEX("0011223344556677 89abcdef01234567"), SHEX("1503b3c4a3c44c3a 800f1ff13ff0e00f")); } nettle-3.10/testsuite/des3-test.c0000644000175000017500000000067414633602172015777 0ustar nissenisse#include "testutils.h" #include "non-nettle.h" #include "des.h" void test_main(void) { /* Intermediate values: * After first DES encryption: "cd ea 2a 20 c2 e0 9e 48" * After second DES decryption: "69 52 6e 95 8b ea 49 bd" */ test_cipher(&nettle_des3, SHEX("3e 0b 10 b0 5d 49 c2 54" "6b 46 e0 75 8a 91 61 85" "cb 04 07 d3 20 16 cb a2"), SDATA("Now is t"), SHEX("0a 5d b5 2d 85 74 d1 c9")); } nettle-3.10/testsuite/ctr-test.c0000644000175000017500000002677414633602172015742 0ustar nissenisse#include "testutils.h" #include "non-nettle.h" void test_main(void) { /* From NIST spec 800-38a on AES modes, * * http://csrc.nist.gov/CryptoToolkit/modes/800-38_Series_Publications/SP800-38A.pdf * * F.5 CTR Example Vectors */ /* Zero-length data. Exposes bug reported by Tim Kosse, where ctr_crypt increment the ctr when it shouldn't. */ test_cipher_ctr(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX(""), SHEX(""), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* F.5.1 CTR-AES128.Encrypt */ test_cipher_ctr(&nettle_aes128, SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("874d6191b620e3261bef6864990db6ce" "9806f66b7970fdff8617187bb9fffdff" "5ae4df3edbd5d35e5b4f09020db03eab" "1e031dda2fbe03d1792170a0f3009cee"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* F.5.3 CTR-AES192.Encrypt */ test_cipher_ctr(&nettle_aes192, SHEX("8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("1abc932417521ca24f2b0459fe7e6e0b" "090339ec0aa6faefd5ccc2c6f4ce8e94" "1e36b26bd1ebc670d1bd1d665620abf7" "4f78a7f6d29809585a97daec58c6b050"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* F.5.5 CTR-AES256.Encrypt */ test_cipher_ctr(&nettle_aes256, SHEX("603deb1015ca71be2b73aef0857d7781" "1f352c073b6108d72d9810a30914dff4"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("601ec313775789a5b7a7f504bbf3d228" "f443e3ca4d62b59aca84e990cacaf5c5" "2b0930daa23de94ce87017ba2d84988d" "dfc9c58db67aada613c2dd08457941a6"), SHEX("f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff")); /* Test carry propagation in the counter. Unofficial test vectors. */ test_cipher_ctr(&nettle_aes128, /* 2 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("fc5a51074aa08a8a 8fce0373557c8de7" "b2ddc0e45c6e15d3 7d7e2b238a7d200c" "d108ffc93fd4e2ef 0ee447dd77a891f4" "a12bf17ea1f0be04 75908308a585d9bd"), SHEX("0102030405060708090a0b0c0d0efffe")); test_cipher_ctr(&nettle_aes128, /* 7 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("afaf63875aae5fb4 49e39377c8b972ed" "f55c5da552429ba8 b30fa1b1edd18269" "d6cc0ca8a964504c 9519f11ab462985b" "16e3c7c12cf4a556 d28433500e07ab7b"), SHEX("010203040506070809fffffffffffffe")); test_cipher_ctr(&nettle_aes128, /* 8 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("b34ceeb036a0a71f eabd6bf64e2f70f8" "35eb1751c4989fa9 71d747e18a45c0c6" "2379e536ccfbdecd 0a26af9640a73e10" "19626834910ff917 eb05a8f1a33b6d4a"), SHEX("0102030405060708fffffffffffffffe")); test_cipher_ctr(&nettle_aes128, /* 9 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("3891a1de2c0f71b9 b90a1f84a1d712bf" "0ca6339a5839385f 170784fb612f15a5" "6593433e1c21191c e042c7a695a7f65a" "f4334fafdb372b64 0862ebb1b6bbcc7a"), SHEX("01020304050607fffffffffffffffffe")); test_cipher_ctr(&nettle_aes128, /* 15 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("91e64f693763258a aae861412d4250e2" "963b5b8d4ccea79e ac2558295268de85" "2f78de7d71554880 fb186a93378fb922" "8c05c84f8d4f3edd a40a43bcc1c474db"), SHEX("01fffffffffffffffffffffffffffffe")); test_cipher_ctr(&nettle_aes128, /* 16 */ SHEX("2b7e151628aed2a6abf7158809cf4f3c"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("ba76aa54d5b56067 c1a7903b3fddfa89" "24df0c565cf42a68 978713b67ad124fd" "4d3f774ab9e47da2 dbb9315ea3110680" "a18d5905ebfe25a8 03df27c2211e58d6"), SHEX("fffffffffffffffffffffffffffffffe")); /* Unofficial test vector for CTR mode with triple-des, to exercise block size different from 16. */ test_cipher_ctr(&nettle_des3, SHEX("3e 0b 10 b0 5d 49 c2 54" "6b 46 e0 75 8a 91 61 85" "cb 04 07 d3 20 16 cb a2"), SHEX("6bc1bee22e409f96e93d7e117393172a" "ae2d8a571e03ac9c9eb76fac45af8e51" "30c81c46a35ce411e5fbc1191a0a52ef" "f69f2445df4f9b17ad2b417be66c3710"), SHEX("bb41303df94d0bca b881fb57e7132271" "820f70c0d53b3f5a 686943680303b37d" "5bbcfbd4fb283ef3 8078d0660c60121f" "41e0f1e4c2a4fe12 a676ec05b7fc4d8f"), SHEX("f8f9fafbfcfdfeff")); } /* F.5.1 CTR-AES128.Encrypt Key 2b7e151628aed2a6abf7158809cf4f3c Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block ec8cdf7398607cb0f2d21675ea9ea1e4 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 874d6191b620e3261bef6864990db6ce Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 362b7c3c6773516318a077d7fc5073ae Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 9806f66b7970fdff8617187bb9fffdff Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 6a2cc3787889374fbeb4c81b17ba6c44 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 5ae4df3edbd5d35e5b4f09020db03eab Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block e89c399ff0f198c6d40a31db156cabfe Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext 1e031dda2fbe03d1792170a0f3009cee F.5.2 CTR-AES128.Decrypt Key 2b7e151628aed2a6abf7158809cf4f3c Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block ec8cdf7398607cb0f2d21675ea9ea1e4 Ciphertext 874d6191b620e3261bef6864990db6ce Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 362b7c3c6773516318a077d7fc5073ae Ciphertext 9806f66b7970fdff8617187bb9fffdff Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 6a2cc3787889374fbeb4c81b17ba6c44 Ciphertext 5ae4df3edbd5d35e5b4f09020db03eab Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block e89c399ff0f198c6d40a31db156cabfe Ciphertext 1e031dda2fbe03d1792170a0f3009cee Plaintext f69f2445df4f9b17ad2b417be66c3710 F.5.3 CTR-AES192.Encrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 717d2dc639128334a6167a488ded7921 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 1abc932417521ca24f2b0459fe7e6e0b Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block a72eb3bb14a556734b7bad6ab16100c5 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext 090339ec0aa6faefd5ccc2c6f4ce8e94 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 2efeae2d72b722613446dc7f4c2af918 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 1e36b26bd1ebc670d1bd1d665620abf7 Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block b9e783b30dd7924ff7bc9b97beaa8740 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext 4f78a7f6d29809585a97daec58c6b050 F.5.4 CTR-AES192.Decrypt Key 8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 717d2dc639128334a6167a488ded7921 Ciphertext 1abc932417521ca24f2b0459fe7e6e0b Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block a72eb3bb14a556734b7bad6ab16100c5 Ciphertext 090339ec0aa6faefd5ccc2c6f4ce8e94 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 2efeae2d72b722613446dc7f4c2af918 Ciphertext 1e36b26bd1ebc670d1bd1d665620abf7 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block b9e783b30dd7924ff7bc9b97beaa8740 Ciphertext 4f78a7f6d29809585a97daec58c6b050 Plaintext f69f2445df4f9b17ad2b417be66c3710 F.5.5 CTR-AES256.Encrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 0bdf7df1591716335e9a8b15c860c502 Plaintext 6bc1bee22e409f96e93d7e117393172a Ciphertext 601ec313775789a5b7a7f504bbf3d228 Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 5a6e699d536119065433863c8f657b94 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Ciphertext f443e3ca4d62b59aca84e990cacaf5c5 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 1bc12c9c01610d5d0d8bd6a3378eca62 Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Ciphertext 2b0930daa23de94ce87017ba2d84988d Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block 2956e1c8693536b1bee99c73a31576b6 Plaintext f69f2445df4f9b17ad2b417be66c3710 Ciphertext dfc9c58db67aada613c2dd08457941a6 F.5.6 CTR-AES256.Decrypt Key 603deb1015ca71be2b73aef0857d7781 1f352c073b6108d72d9810a30914dff4 Init. Counter f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Block #1 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff Output Block 0bdf7df1591716335e9a8b15c860c502 Ciphertext 601ec313775789a5b7a7f504bbf3d228 Plaintext 6bc1bee22e409f96e93d7e117393172a Block #2 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff00 Output Block 5a6e699d536119065433863c8f657b94 Ciphertext f443e3ca4d62b59aca84e990cacaf5c5 Plaintext ae2d8a571e03ac9c9eb76fac45af8e51 Block #3 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff01 Output Block 1bc12c9c01610d5d0d8bd6a3378eca62 Ciphertext 2b0930daa23de94ce87017ba2d84988d Plaintext 30c81c46a35ce411e5fbc1191a0a52ef Block #4 Input Block f0f1f2f3f4f5f6f7f8f9fafbfcfdff02 Output Block 2956e1c8693536b1bee99c73a31576b6 Ciphertext dfc9c58db67aada613c2dd08457941a6 Plaintext f69f2445df4f9b17ad2b417be66c3710 */ nettle-3.10/testsuite/random-prime-test.c0000644000175000017500000000102014633602172017515 0ustar nissenisse#include "testutils.h" #include "knuth-lfib.h" void test_main(void) { struct knuth_lfib_ctx lfib; mpz_t p; unsigned bits; knuth_lfib_init(&lfib, 17); mpz_init(p); for (bits = 6; bits < 1000; bits = bits + 1 + bits/10) { if (verbose) fprintf(stderr, "bits = %d\n", bits); nettle_random_prime(p, bits, 0, &lfib, (nettle_random_func *) knuth_lfib_random, NULL, NULL); ASSERT (mpz_sizeinbase (p, 2) == bits); ASSERT (mpz_probab_prime_p(p, 25)); } mpz_clear(p); } nettle-3.10/testsuite/sha512-224-test.c0000644000175000017500000000103314633602172016437 0ustar nissenisse#include "testutils.h" void test_main(void) { /* From http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/SHA_All.pdf */ test_hash(&nettle_sha512_224, SDATA("abc"), SHEX("4634270F 707B6A54 DAAE7530 460842E2" "0E37ED26 5CEEE9A4 3E8924AA")); test_hash(&nettle_sha512_224, SDATA("abcdefghbcdefghicdefghijdefghijk" "efghijklfghijklmghijklmnhijklmno" "ijklmnopjklmnopqklmnopqrlmnopqrs" "mnopqrstnopqrstu"), SHEX("23FEC5BB 94D60B23 30819264 0B0C4533" "35D66473 4FE40E72 68674AF9")); } nettle-3.10/testsuite/sha512-test.c0000644000175000017500000002022314633602172016134 0ustar nissenisse#include "testutils.h" void test_main(void) { test_hash(&nettle_sha512, SDATA("abc"), SHEX("ddaf35a193617aba cc417349ae204131" "12e6fa4e89a97ea2 0a9eeee64b55d39a" "2192992a274fc1a8 36ba3c23a3feebbd" "454d4423643ce80e 2a9ac94fa54ca49f")); test_hash(&nettle_sha512, SDATA("abcdefghbcdefghicdefghijdefg" "hijkefghijklfghijklmghijklmn" "hijklmnoijklmnopjklmnopqklmn" "opqrlmnopqrsmnopqrstnopqrstu"), SHEX("8e959b75dae313da 8cf4f72814fc143f" "8f7779c6eb9f7fa1 7299aeadb6889018" "501d289e4900f7e4 331b99dec4b5433a" "c7d329eeb6dd2654 5e96e55b874be909")); /* NESSIE, Set 1, vector #6 */ test_hash(&nettle_sha512, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("1E07BE23C26A86EA37EA810C8EC78093" "52515A970E9253C26F536CFC7A9996C4" "5C8370583E0A78FA4A90041D71A4CEAB" "7423F19C71B9D5A3E01249F0BEBD5894")); /* NESSIE, Set 1, vector #7 */ test_hash(&nettle_sha512, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890"), SHEX("72EC1EF1124A45B047E8B7C75A932195" "135BB61DE24EC0D1914042246E0AEC3A" "2354E093D76F3048B456764346900CB1" "30D2A4FD5DD16ABB5E30BCB850DEE843")); /* Variants longer than one block (128 bytes), to test varying alignment. */ test_hash(&nettle_sha512, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"), SHEX("5338370f5655f4da14572d4fb471539b" "201485ecfb3d3204048dc6b83e61fab5" "05bcbbd73e644a1a5d159a32a0889cf3" "c9591b69b26d31be56c68838ce3cd63d")); test_hash(&nettle_sha512, SDATA("1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890" "1234567890123456789012345678901234567890") , SHEX("33f8901b053e4cc677d3cb4122d96ad9" "b96b13bf76194cf962488bb4de4998a7" "1455cb31582db527adf77a485b81cf5b" "722a5e8638eb6be487400f3aec006e7c")); /* Additional test vectors, from Daniel Kahn Gillmor */ test_hash(&nettle_sha512, SDATA(""), SHEX("cf83e1357eefb8bd f1542850d66d8007" "d620e4050b5715dc 83f4a921d36ce9ce" "47d0d13c5d85f2b0 ff8318d2877eec2f" "63b931bd47417a81 a538327af927da3e")); test_hash(&nettle_sha512, SDATA("a"), SHEX("1f40fc92da241694 750979ee6cf582f2" "d5d7d28e18335de0 5abc54d0560e0f53" "02860c652bf08d56 0252aa5e74210546" "f369fbbbce8c12cf c7957b2652fe9a75")); test_hash(&nettle_sha512, SDATA("38"), SHEX("caae34a5e8103126 8bcdaf6f1d8c04d3" "7b7f2c349afb705b 575966f63e2ebf0f" "d910c3b05160ba08 7ab7af35d40b7c71" "9c53cd8b947c9611 1f64105fd45cc1b2")); test_hash(&nettle_sha512, SDATA("message digest"), SHEX("107dbf389d9e9f71 a3a95f6c055b9251" "bc5268c2be16d6c1 3492ea45b0199f33" "09e16455ab1e9611 8e8a905d5597b720" "38ddb372a8982604 6de66687bb420e7c")); test_hash(&nettle_sha512, SDATA("abcdefghijklmnopqrstuvwxyz"), SHEX("4dbff86cc2ca1bae 1e16468a05cb9881" "c97f1753bce36190 34898faa1aabe429" "955a1bf8ec483d74 21fe3c1646613a59" "ed5441fb0f321389 f77f48a879c7b1f1")); test_hash(&nettle_sha512, SDATA("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef" "ghijklmnopqrstuvwxyz0123456789"), SHEX("1e07be23c26a86ea 37ea810c8ec78093" "52515a970e9253c2 6f536cfc7a9996c4" "5c8370583e0a78fa 4a90041d71a4ceab" "7423f19c71b9d5a3 e01249f0bebd5894")); test_hash(&nettle_sha512, SDATA("12345678901234567890123456789012" "34567890123456789012345678901234" "5678901234567890"), SHEX("72ec1ef1124a45b0 47e8b7c75a932195" "135bb61de24ec0d1 914042246e0aec3a" "2354e093d76f3048 b456764346900cb1" "30d2a4fd5dd16abb 5e30bcb850dee843")); } /* For first test case. -1: 6a09e667f3bcc908 bb67ae8584caa73b 3c6ef372fe94f82b a54ff53a5f1d36f1 510e527fade682d1 9b05688c2b3e6c1f 1f83d9abfb41bd6b 5be0cd19137e2179 0: 6a09e667f3bcc908 bb67ae8584caa73b 3c6ef372fe94f82b 58cb02347ab51f91 510e527fade682d1 9b05688c2b3e6c1f 1f83d9abfb41bd6b f6afceb8bcfcddf5 1: 6a09e667f3bcc908 bb67ae8584caa73b c3d4ebfd48650ffa 58cb02347ab51f91 510e527fade682d1 9b05688c2b3e6c1f 1320f8c9fb872cc0 f6afceb8bcfcddf5 6: b47b4bb1928990e c4875b0c7abc076b af573b02403e89cd b680953951604860 5a83cb3e80050e82 5a6c781f54dcc00c 96f60209b6dc35ba 745aca4a342ed2e2 7: 8093d195e0054fa3 c4875b0c7abc076b af573b02403e89cd b680953951604860 86f67263a0f0ec0a 5a6c781f54dcc00c 96f60209b6dc35ba 745aca4a342ed2e2 8: 8093d195e0054fa3 c4875b0c7abc076b af573b02403e89cd d0403c398fc40002 86f67263a0f0ec0a 5a6c781f54dcc00c 96f60209b6dc35ba f1eca5544cb89225 9: 8093d195e0054fa3 c4875b0c7abc076b 91f460be46c52 d0403c398fc40002 86f67263a0f0ec0a 5a6c781f54dcc00c 81782d4a5db48f03 f1eca5544cb89225 14: 475975b91a7a462c fa967eed85a08028 44249631255d2ca0 5e41214388186c14 db0a9963f80c2eaa 874bfe5f6aae9f2f 860acf9effba6f61 cdf3bff2883fc9d9 15: ae07c86b1181c75 fa967eed85a08028 44249631255d2ca0 5e41214388186c14 a77b7c035dd4c161 874bfe5f6aae9f2f 860acf9effba6f61 cdf3bff2883fc9d9 16: ae07c86b1181c75 fa967eed85a08028 44249631255d2ca0 2deecc6b39d64d78 a77b7c035dd4c161 874bfe5f6aae9f2f 860acf9effba6f61 caf81a425d800537 17: ae07c86b1181c75 fa967eed85a08028 f47e8353f8047455 2deecc6b39d64d78 a77b7c035dd4c161 874bfe5f6aae9f2f 4725be249ad19e6b caf81a425d800537 18: ae07c86b1181c75 29695fd88d81dbd0 f47e8353f8047455 2deecc6b39d64d78 a77b7c035dd4c161 3c4b4104168e3edb 4725be249ad19e6b caf81a425d800537 30: 9068a4e255a0dac 4c4fbbb75f1873a6 74bf40f869094c63 e62349090f47d30a eab4a9e5771b8d09 73e025d91b9efea3 f0aec2fe1437f085 fcdf99710f21584 31: ff4d3f1f0d46a736 4c4fbbb75f1873a6 74bf40f869094c63 e62349090f47d30a 3cd388e119e8162e 73e025d91b9efea3 f0aec2fe1437f085 fcdf99710f21584 32: ff4d3f1f0d46a736 4c4fbbb75f1873a6 74bf40f869094c63 e1034573654a106f 3cd388e119e8162e 73e025d91b9efea3 f0aec2fe1437f085 a0509015ca08c8d4 33: ff4d3f1f0d46a736 4c4fbbb75f1873a6 efabbd8bf47c041a e1034573654a106f 3cd388e119e8162e 73e025d91b9efea3 60d4e6995ed91fe6 a0509015ca08c8d4 34: ff4d3f1f0d46a736 fbae670fa780fd3 efabbd8bf47c041a e1034573654a106f 3cd388e119e8162e 2c59ec7743632621 60d4e6995ed91fe6 a0509015ca08c8d4 46: cc5100997f5710f2 f61e672694de2d67 21fbadbabab5ac6 c47c9d5c7ea8a234 35d7e7f41defcbd5 c6bc35740d8daa9a e95c2a57572d64d9 858d832ae0e8911c 47: 6b69fc1bb482feac f61e672694de2d67 21fbadbabab5ac6 c47c9d5c7ea8a234 35264334c03ac8ad c6bc35740d8daa9a e95c2a57572d64d9 858d832ae0e8911c 48: 6b69fc1bb482feac f61e672694de2d67 21fbadbabab5ac6 271580ed6c3e5650 35264334c03ac8ad c6bc35740d8daa9a e95c2a57572d64d9 571f323d96b3a047 49: 6b69fc1bb482feac f61e672694de2d67 dfe091dab182e645 271580ed6c3e5650 35264334c03ac8ad c6bc35740d8daa9a ca9bd862c5050918 571f323d96b3a047 50: 6b69fc1bb482feac 7a0d8ef821c5e1a dfe091dab182e645 271580ed6c3e5650 35264334c03ac8ad 813a43dd2c502043 ca9bd862c5050918 571f323d96b3a047 62: 4797cde4ed370692 a81dedbb9f19e643 cfcd928c5424e2b6 3857dfd2fc37d3ba 2c074484ef1eac8c 84058865d60a05fa 9aee5bda1644de5 a6af4e9c9f807e51 63: ab44e86276478d85 a81dedbb9f19e643 cfcd928c5424e2b6 3857dfd2fc37d3ba cd881ee59ca6bc53 84058865d60a05fa 9aee5bda1644de5 a6af4e9c9f807e51 64: ab44e86276478d85 a81dedbb9f19e643 cfcd928c5424e2b6 aa84b086688a5c45 cd881ee59ca6bc53 84058865d60a05fa 9aee5bda1644de5 5a806d7e9821a501 65: ab44e86276478d85 a81dedbb9f19e643 3b5fed0d6a1f96e1 aa84b086688a5c45 cd881ee59ca6bc53 84058865d60a05fa eeb9c21bb0102598 5a806d7e9821a501 66: ab44e86276478d85 29fab5a7bff53366 3b5fed0d6a1f96e1 aa84b086688a5c45 cd881ee59ca6bc53 46c4210ab2cc155d eeb9c21bb0102598 5a806d7e9821a501 78: 995019a6ff3ba3de 10d9c4c4295599f6 d67806db8b148677 654ef9abec389ca9 c8960e6be864b916 9bb4d39778c07f9e 25c96a7768fb2aa3 ceb9fc3691ce8326 79: 73a54f399fa4b1b2 10d9c4c4295599f6 d67806db8b148677 654ef9abec389ca9 d08446aa79693ed7 9bb4d39778c07f9e 25c96a7768fb2aa3 ceb9fc3691ce8326 99: ddaf35a193617aba cc417349ae204131 12e6fa4e89a97ea2 a9eeee64b55d39a 2192992a274fc1a8 36ba3c23a3feebbd 454d4423643ce80e 2a9ac94fa54ca49f */ nettle-3.10/testsuite/testutils.c0000644000175000017500000021626714633602172016233 0ustar nissenisse/* testutils.c */ #include "testutils.h" #include "base16.h" #include "cbc.h" #include "cfb.h" #include "ctr.h" #include "knuth-lfib.h" #include "macros.h" #include "nettle-internal.h" #include #include #include #include #if HAVE_VALGRIND_MEMCHECK_H # include # include #endif void die(const char *format, ...) { va_list args; va_start(args, format); vfprintf(stderr, format, args); va_end(args); abort (); } void * xalloc(size_t size) { void *p = malloc(size); if (size && !p) { fprintf(stderr, "Virtual memory exhausted.\n"); abort(); } return p; } static struct tstring *tstring_first = NULL; struct tstring * tstring_alloc (size_t length) { struct tstring *s = xalloc(sizeof(struct tstring) + length); s->length = length; s->next = tstring_first; /* NUL-terminate, for convenience. */ s->data[length] = '\0'; tstring_first = s; return s; } void tstring_clear(void) { while (tstring_first) { struct tstring *s = tstring_first; tstring_first = s->next; free(s); } } struct tstring * tstring_data(size_t length, const uint8_t *data) { struct tstring *s = tstring_alloc (length); memcpy (s->data, data, length); return s; } struct tstring * tstring_hex(const char *hex) { struct base16_decode_ctx ctx; struct tstring *s; size_t length = strlen(hex); s = tstring_alloc(BASE16_DECODE_LENGTH (length)); base16_decode_init (&ctx); ASSERT (base16_decode_update (&ctx, &s->length, s->data, length, hex)); ASSERT (base16_decode_final (&ctx)); return s; } void tstring_print_hex(const struct tstring *s) { print_hex (s->length, s->data); } void print_hex(size_t length, const uint8_t *data) { size_t i; for (i = 0; i < length; i++) { switch (i % 16) { default: break; case 0: printf("\n"); break; case 8: printf(" "); break; } printf("%02x", data[i]); } printf("\n"); } int verbose = 0; int test_side_channel = 0; #if HAVE_VALGRIND_MEMCHECK_H void mark_bytes_undefined (size_t size, const void *p) { if (test_side_channel) VALGRIND_MAKE_MEM_UNDEFINED(p, size); } void mark_bytes_defined (size_t size, const void *p) { if (test_side_channel) VALGRIND_MAKE_MEM_DEFINED(p, size); } #else void mark_bytes_undefined (size_t size, const void *p) {} void mark_bytes_defined (size_t size, const void *p) {} #endif int main(int argc, char **argv) { if (argc > 1) { if (argc == 2 && !strcmp(argv[1], "-v")) verbose = 1; else { fprintf(stderr, "Invalid argument `%s', only accepted option is `-v'.\n", argv[1]); return 1; } } if (getenv("NETTLE_TEST_SIDE_CHANNEL")) { #if HAVE_VALGRIND_MEMCHECK_H if (RUNNING_ON_VALGRIND) test_side_channel = 1; else #endif SKIP(); } test_main(); tstring_clear(); return EXIT_SUCCESS; } void test_cipher(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { void *ctx = xalloc(cipher->context_size); uint8_t *data = xalloc(cleartext->length); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); cipher->set_encrypt_key(ctx, key->data); cipher->encrypt(ctx, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_decrypt_key(ctx, key->data); cipher->decrypt(ctx, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); } void test_cipher_cbc(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iiv) { void *ctx = xalloc(cipher->context_size); uint8_t *data; uint8_t *iv = xalloc(cipher->block_size); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (iiv->length == cipher->block_size); data = xalloc(length); cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cbc_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CBC encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_decrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cbc_decrypt(ctx, cipher->decrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CBC decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); free(iv); } void test_cipher_cfb(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iiv) { void *ctx = xalloc(cipher->context_size); uint8_t *data, *data2; uint8_t *iv = xalloc(cipher->block_size); size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (iiv->length == cipher->block_size); data = xalloc(length); data2 = xalloc(length); cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data2, data); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB inplace encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB inplace decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } /* Repeat all tests with incomplete last block */ length -= 1; cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data2, data); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB inplace encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB inplace decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); free(data2); free(iv); } void test_cipher_cfb8(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *iiv) { void *ctx = xalloc(cipher->context_size); uint8_t *data, *data2; uint8_t *iv = xalloc(cipher->block_size); size_t length; size_t block; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (iiv->length == cipher->block_size); data = xalloc(length + 1); data2 = xalloc(length + 1); for (block = 1; block <= length; block++) { size_t i; cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memset(data, 0x17, length + 1); for (i = 0; i + block <= length; i += block) { cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, block, data + i, cleartext->data + i); } cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length - i, data + i, cleartext->data + i); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB8 encrypt failed, block size %lu:\nInput:", (unsigned long) block); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } ASSERT (data[length] == 0x17); cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memset(data2, 0x17, length + 1); for (i = 0; i + block <= length; i += block) { cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, block, data2 + i, data + i); } cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length - i, data2 + i, data + i); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB8 decrypt failed, block size %lu:\nInput:", (unsigned long) block); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } ASSERT (data[length] == 0x17); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } /* Repeat all tests with incomplete last block */ length -= 1; cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, cleartext->data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB8 encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data2, data); if (!MEMEQ(length, data2, cleartext->data)) { fprintf(stderr, "CFB8 decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data2); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); memcpy(data, cleartext->data, length); cfb8_encrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "CFB8 inplace encrypt failed:\nInput:"); print_hex(length, cleartext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, ciphertext->data); fprintf(stderr, "\n"); FAIL(); } cipher->set_encrypt_key(ctx, key->data); memcpy(iv, iiv->data, cipher->block_size); cfb8_decrypt(ctx, cipher->encrypt, cipher->block_size, iv, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CFB8 inplace decrypt failed:\nInput:"); print_hex(length, ciphertext->data); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); print_hex(length, cleartext->data); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); free(data2); free(iv); } void test_cipher_ctr(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *ictr) { void *ctx = xalloc(cipher->context_size); uint8_t *data; uint8_t *ctr = xalloc(cipher->block_size); uint8_t *octr = xalloc(cipher->block_size); size_t length, nblocks; unsigned low; size_t i; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; ASSERT (key->length == cipher->key_size); ASSERT (ictr->length == cipher->block_size); /* Compute expected counter value after the operation. */ nblocks = (length + cipher->block_size - 1) / cipher->block_size; ASSERT (nblocks < 0x100); memcpy (octr, ictr->data, cipher->block_size - 1); low = ictr->data[cipher->block_size - 1] + nblocks; octr[cipher->block_size - 1] = low; if (low >= 0x100) INCREMENT (cipher->block_size - 1, octr); data = xalloc(length); cipher->set_encrypt_key(ctx, key->data); for (i = 0; i <= length; i++) { memcpy(ctr, ictr->data, cipher->block_size); memset(data, 17, length); ctr_crypt(ctx, cipher->encrypt, cipher->block_size, ctr, i, data, cleartext->data); if (!MEMEQ(i, data, ciphertext->data) || (i < length && data[i] != 17)) { fprintf(stderr, "CTR encrypt failed (length %d of %d):\nInput:", (int) i, (int) length); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } } ASSERT (MEMEQ (cipher->block_size, ctr, octr)); memcpy(ctr, ictr->data, cipher->block_size); ctr_crypt(ctx, cipher->encrypt, cipher->block_size, ctr, length, data, data); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "CTR decrypt failed:\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } ASSERT (MEMEQ (cipher->block_size, ctr, octr)); free(ctx); free(data); free(octr); free(ctr); } #if 0 void test_cipher_stream(const struct nettle_cipher *cipher, const struct tstring *key, const struct tstring *cleartext, const struct tstring *ciphertext) { size_t block; void *ctx = xalloc(cipher->context_size); uint8_t *data; size_t length; ASSERT (cleartext->length == ciphertext->length); length = cleartext->length; data = xalloc(length + 1); for (block = 1; block <= length; block++) { size_t i; memset(data, 0x17, length + 1); cipher->set_encrypt_key(ctx, key->length, key->data); for (i = 0; i + block < length; i += block) { cipher->encrypt(ctx, block, data + i, cleartext->data + i); ASSERT (data[i + block] == 0x17); } cipher->encrypt(ctx, length - i, data + i, cleartext->data + i); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, ciphertext->data)) { fprintf(stderr, "Encrypt failed, block size %lu\nInput:", (unsigned long) block); tstring_print_hex(cleartext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(ciphertext); fprintf(stderr, "\n"); FAIL(); } } cipher->set_decrypt_key(ctx, key->length, key->data); cipher->decrypt(ctx, length, data, data); ASSERT (data[length] == 0x17); if (!MEMEQ(length, data, cleartext->data)) { fprintf(stderr, "Decrypt failed\nInput:"); tstring_print_hex(ciphertext); fprintf(stderr, "\nOutput: "); print_hex(length, data); fprintf(stderr, "\nExpected:"); tstring_print_hex(cleartext); fprintf(stderr, "\n"); FAIL(); } free(ctx); free(data); } #endif void test_aead(const struct nettle_aead *aead, nettle_hash_update_func *set_nonce, const struct tstring *key, const struct tstring *authtext, const struct tstring *cleartext, const struct tstring *ciphertext, const struct tstring *nonce, const struct tstring *digest) { void *ctx = xalloc(aead->context_size); uint8_t *in, *out; uint8_t *buffer; unsigned in_align; ASSERT (cleartext->length == ciphertext->length); ASSERT (key->length == aead->key_size); ASSERT(aead->block_size > 0); buffer = xalloc(aead->digest_size); in = xalloc(cleartext->length + aead->block_size - 1); out = xalloc(cleartext->length + aead->block_size - 1); for (in_align = 0; in_align < aead->block_size; in_align++) { /* Different alignment, but don't try all combinations. */ unsigned out_align = 3*in_align % aead->block_size; size_t offset; memcpy (in + in_align, cleartext->data, cleartext->length); for (offset = 0; offset <= cleartext->length; offset += aead->block_size) { /* encryption */ aead->set_encrypt_key(ctx, key->data); if (set_nonce) set_nonce (ctx, nonce->length, nonce->data); else { assert (nonce->length == aead->nonce_size); aead->set_nonce(ctx, nonce->data); } if (aead->update) { size_t a_offset = (offset <= authtext->length) ? offset : 0; aead->update(ctx, a_offset, authtext->data); aead->update(ctx, 0, NULL); aead->update(ctx, authtext->length - a_offset, authtext->data + a_offset); } aead->encrypt(ctx, offset, out + out_align, in + in_align); aead->encrypt(ctx, 0, out + out_align, NULL); aead->encrypt(ctx, cleartext->length - offset, out + out_align + offset, in + in_align + offset); if (!MEMEQ(cleartext->length, out + out_align, ciphertext->data)) { fprintf(stderr, "aead->encrypt failed (offset = %u):\nclear: ", (unsigned) offset); tstring_print_hex(cleartext); fprintf(stderr, " got: "); print_hex(cleartext->length, out + out_align); fprintf(stderr, " exp: "); tstring_print_hex(ciphertext); FAIL(); } if (digest) { ASSERT (digest->length <= aead->digest_size); memset(buffer, 0, aead->digest_size); aead->digest(ctx, digest->length, buffer); if (!MEMEQ(digest->length, buffer, digest->data)) { fprintf(stderr, "aead->digest failed (offset = %u):\n got: ", (unsigned) offset); print_hex(digest->length, buffer); fprintf(stderr, " exp: "); tstring_print_hex(digest); FAIL(); } } else ASSERT(!aead->digest); /* decryption */ if (aead->set_decrypt_key) { aead->set_decrypt_key(ctx, key->data); if (set_nonce) set_nonce (ctx, nonce->length, nonce->data); else { assert (nonce->length == aead->nonce_size); aead->set_nonce(ctx, nonce->data); } if (aead->update && authtext->length) aead->update(ctx, authtext->length, authtext->data); aead->decrypt(ctx, offset, out + out_align, out + out_align); aead->decrypt(ctx, 0, out + out_align, NULL); aead->decrypt(ctx, cleartext->length - offset, out + out_align + offset, out + out_align + offset); ASSERT(MEMEQ(cleartext->length, out + out_align, cleartext->data)); if (digest) { memset(buffer, 0, aead->digest_size); aead->digest(ctx, digest->length, buffer); ASSERT(MEMEQ(digest->length, buffer, digest->data)); } } } } free(ctx); free(in); free(out); free(buffer); } void test_aead_message (const struct nettle_aead_message *aead, const struct tstring *key, const struct tstring *nonce, const struct tstring *adata, const struct tstring *clear, const struct tstring *cipher) { void *ctx = xalloc (aead->context_size); uint8_t *buf = xalloc (cipher->length + 1); uint8_t *copy = xalloc (cipher->length); static const uint8_t nul = 0; int res; ASSERT (key->length == aead->key_size); ASSERT (cipher->length > clear->length); ASSERT (cipher->length - clear->length == aead->digest_size); aead->set_encrypt_key (ctx, key->data); buf[cipher->length] = 0xae; aead->encrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, cipher->length, buf, clear->data); if (!MEMEQ (cipher->length, cipher->data, buf)) { fprintf(stderr, "aead->encrypt (message) failed:\n got: "); print_hex (cipher->length, buf); fprintf (stderr, " exp: "); tstring_print_hex (cipher); FAIL(); } if (buf[cipher->length] != 0xae) { fprintf (stderr, "aead->encrypt (message) wrote too much.\n "); FAIL(); } aead->set_decrypt_key (ctx, key->data); memset (buf, 0xae, clear->length + 1); res = aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length, buf, cipher->data); if (!res) { fprintf (stderr, "decrypting valid ciphertext failed:\n "); tstring_print_hex (cipher); } if (!MEMEQ (clear->length, clear->data, buf)) { fprintf(stderr, "aead->decrypt (message) failed:\n got: "); print_hex (clear->length, buf); fprintf (stderr, " exp: "); tstring_print_hex (clear); FAIL(); } /* Invalid messages */ if (clear->length > 0 && aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length - 1, buf, cipher->data)) { fprintf (stderr, "Invalid message (truncated) not rejected\n"); FAIL(); } memcpy (copy, cipher->data, cipher->length); copy[0] ^= 4; if (aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length, buf, copy)) { fprintf (stderr, "Invalid message (first byte modified) not rejected\n"); FAIL(); } memcpy (copy, cipher->data, cipher->length); copy[cipher->length - 1] ^= 4; if (aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length, buf, copy)) { fprintf (stderr, "Invalid message (last byte modified) not rejected\n"); FAIL(); } if (aead->decrypt (ctx, nonce->length, nonce->data, adata->length > 0 ? adata->length - 1 : 1, adata->length > 0 ? adata->data : &nul, clear->length, buf, cipher->data)) { fprintf (stderr, "Invalid adata not rejected\n"); FAIL(); } /* Test in-place operation. NOTE: Not supported for SIV-CMAC. */ if (aead->supports_inplace) { aead->set_encrypt_key (ctx, key->data); buf[cipher->length] = 0xae; memcpy (buf, clear->data, clear->length); aead->encrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, cipher->length, buf, buf); if (!MEMEQ (cipher->length, cipher->data, buf)) { fprintf(stderr, "aead->encrypt (in-place message) failed:\n got: "); print_hex (cipher->length, buf); fprintf (stderr, " exp: "); tstring_print_hex (cipher); FAIL(); } if (buf[cipher->length] != 0xae) { fprintf (stderr, "aead->encrypt (in-place message) wrote too much.\n "); FAIL(); } res = aead->decrypt (ctx, nonce->length, nonce->data, adata->length, adata->data, clear->length, buf, buf); if (!res) { fprintf (stderr, "in-place decrypting valid ciphertext failed:\n "); tstring_print_hex (cipher); } if (!MEMEQ (clear->length, clear->data, buf)) { fprintf(stderr, "aead->decrypt (in-place message) failed:\n got: "); print_hex (clear->length, buf); fprintf (stderr, " exp: "); tstring_print_hex (clear); FAIL(); } } free (ctx); free (buf); free (copy); } void test_hash(const struct nettle_hash *hash, const struct tstring *msg, const struct tstring *digest) { void *ctx = xalloc(hash->context_size); uint8_t *buffer = xalloc(digest->length); uint8_t *input; unsigned offset; /* Here, hash->digest_size zero means arbitrary size. */ if (hash->digest_size) ASSERT (digest->length == hash->digest_size); hash->init(ctx); for (offset = 0; offset <= msg->length && offset < 40; offset++) { hash->update(ctx, offset, msg->data); hash->update(ctx, 0, NULL); hash->update(ctx, msg->length - offset, msg->data + offset); hash->digest(ctx, digest->length, buffer); if (MEMEQ(digest->length, digest->data, buffer) == 0) { fprintf(stdout, "Offset %u\nGot:\n", offset); print_hex(digest->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(digest->length, digest->data); abort(); } } memset(buffer, 0, digest->length); hash->update(ctx, msg->length, msg->data); ASSERT(digest->length > 0); hash->digest(ctx, digest->length - 1, buffer); ASSERT(MEMEQ(digest->length - 1, digest->data, buffer)); ASSERT(buffer[digest->length - 1] == 0); input = xalloc (msg->length + 16); for (offset = 0; offset < 16; offset++) { memset (input, 0, msg->length + 16); memcpy (input + offset, msg->data, msg->length); hash->update (ctx, msg->length, input + offset); hash->digest (ctx, digest->length, buffer); if (MEMEQ(digest->length, digest->data, buffer) == 0) { fprintf(stdout, "hash input address: %p\nGot:\n", input + offset); print_hex(digest->length, buffer); fprintf(stdout, "\nExpected:\n"); print_hex(digest->length, digest->data); abort(); } } free(ctx); free(buffer); free(input); } void test_hash_large(const struct nettle_hash *hash, size_t count, size_t length, uint8_t c, const struct tstring *digest) { void *ctx = xalloc(hash->context_size); uint8_t *buffer = xalloc(hash->digest_size); uint8_t *data = xalloc(length); size_t i; ASSERT (digest->length == hash->digest_size); memset(data, c, length); hash->init(ctx); for (i = 0; i < count; i++) { hash->update(ctx, length, data); if (i % (count / 50) == 0) fprintf (stderr, "."); } fprintf (stderr, "\n"); hash->digest(ctx, hash->digest_size, buffer); print_hex(hash->digest_size, buffer); ASSERT (MEMEQ(hash->digest_size, digest->data, buffer)); free(ctx); free(buffer); free(data); } void test_mac(const struct nettle_mac *mac, const struct tstring *key, const struct tstring *msg, const struct tstring *digest) { void *ctx = xalloc(mac->context_size); uint8_t *hash = xalloc(mac->digest_size); unsigned i; ASSERT (digest->length <= mac->digest_size); ASSERT (key->length == mac->key_size); mac->set_key (ctx, key->data); mac->update (ctx, msg->length, msg->data); mac->digest (ctx, digest->length, hash); if (!MEMEQ (digest->length, digest->data, hash)) { fprintf (stderr, "test_mac failed, msg: "); print_hex (msg->length, msg->data); fprintf(stderr, "Output:"); print_hex (mac->digest_size, hash); fprintf(stderr, "Expected:"); tstring_print_hex(digest); fprintf(stderr, "\n"); FAIL(); } /* attempt to re-use the structure */ mac->update (ctx, msg->length, msg->data); mac->digest (ctx, digest->length, hash); if (!MEMEQ (digest->length, digest->data, hash)) { fprintf (stderr, "test_mac: failed on re-use, msg: "); print_hex (msg->length, msg->data); fprintf(stderr, "Output:"); print_hex (mac->digest_size, hash); fprintf(stderr, "Expected:"); tstring_print_hex(digest); fprintf(stderr, "\n"); FAIL(); } /* attempt byte-by-byte hashing */ mac->set_key (ctx, key->data); for (i=0;ilength;i++) mac->update (ctx, 1, msg->data+i); mac->digest (ctx, digest->length, hash); if (!MEMEQ (digest->length, digest->data, hash)) { fprintf (stderr, "cmac_hash failed on byte-by-byte, msg: "); print_hex (msg->length, msg->data); fprintf(stderr, "Output:"); print_hex (16, hash); fprintf(stderr, "Expected:"); tstring_print_hex(digest); fprintf(stderr, "\n"); FAIL(); } free (ctx); free (hash); } void test_armor(const struct nettle_armor *armor, size_t data_length, const uint8_t *data, const char *ascii) { size_t ascii_length = strlen(ascii); char *buffer = xalloc(1 + ascii_length); uint8_t *check = xalloc(1 + armor->decode_length(ascii_length)); void *encode = xalloc(armor->encode_context_size); void *decode = xalloc(armor->decode_context_size); size_t done; ASSERT(ascii_length <= (armor->encode_length(data_length) + armor->encode_final_length)); ASSERT(data_length <= armor->decode_length(ascii_length)); memset(buffer, 0x33, 1 + ascii_length); memset(check, 0x55, 1 + data_length); armor->encode_init(encode); done = armor->encode_update(encode, buffer, data_length, data); done += armor->encode_final(encode, buffer + done); ASSERT(done == ascii_length); ASSERT (MEMEQ(ascii_length, buffer, ascii)); ASSERT (0x33 == buffer[strlen(ascii)]); armor->decode_init(decode); done = armor->decode_length(ascii_length); ASSERT(armor->decode_update(decode, &done, check, ascii_length, buffer)); ASSERT(done == data_length); ASSERT(armor->decode_final(decode)); ASSERT (MEMEQ(data_length, check, data)); ASSERT (0x55 == check[data_length]); free(buffer); free(check); free(encode); free(decode); } #if WITH_HOGWEED void mpn_out_str (FILE *f, int base, const mp_limb_t *xp, mp_size_t xn) { mpz_t x; mpz_out_str (f, base, mpz_roinit_n (x, xp, xn)); } #if NETTLE_USE_MINI_GMP void gmp_randinit_default (struct knuth_lfib_ctx *ctx) { knuth_lfib_init (ctx, 17); } void mpz_urandomb (mpz_t r, struct knuth_lfib_ctx *ctx, mp_bitcnt_t bits) { size_t bytes = (bits+7)/8; uint8_t *buf = xalloc (bytes); knuth_lfib_random (ctx, bytes, buf); buf[0] &= 0xff >> (8*bytes - bits); nettle_mpz_set_str_256_u (r, bytes, buf); free (buf); } void mpz_urandomm (mpz_t r, struct knuth_lfib_ctx *ctx, const mpz_t n) { /* Add some extra bits, to make result almost unbiased. */ mpz_urandomb(r, ctx, mpz_sizeinbase(n, 2) + 30); mpz_mod(r, r, n); } #else /* !NETTLE_USE_MINI_GMP */ static void get_random_seed(mpz_t seed) { struct timeval tv; FILE *f; f = fopen ("/dev/urandom", "rb"); if (f) { uint8_t buf[8]; size_t res; setbuf (f, NULL); res = fread (&buf, sizeof(buf), 1, f); fclose(f); if (res == 1) { nettle_mpz_set_str_256_u (seed, sizeof(buf), buf); return; } fprintf (stderr, "Read of /dev/urandom failed: %s\n", strerror (errno)); } gettimeofday(&tv, NULL); mpz_set_ui (seed, tv.tv_sec); mpz_mul_ui (seed, seed, 1000000UL); mpz_add_ui (seed, seed, tv.tv_usec); } int test_randomize(gmp_randstate_t rands) { const char *nettle_test_seed; nettle_test_seed = getenv ("NETTLE_TEST_SEED"); if (nettle_test_seed && *nettle_test_seed) { mpz_t seed; mpz_init (seed); if (mpz_set_str (seed, nettle_test_seed, 0) < 0 || mpz_sgn (seed) < 0) die ("Invalid NETTLE_TEST_SEED: %s\n", nettle_test_seed); if (mpz_sgn (seed) == 0) get_random_seed (seed); fprintf (stderr, "Using NETTLE_TEST_SEED="); mpz_out_str (stderr, 10, seed); fprintf (stderr, "\n"); gmp_randseed (rands, seed); mpz_clear (seed); return 1; } else return 0; } #endif /* !NETTLE_USE_MINI_GMP */ mp_limb_t * xalloc_limbs (mp_size_t n) { return xalloc (n * sizeof (mp_limb_t)); } /* Expects local variables pub, key, rstate, digest, signature */ #define SIGN(hash, msg, expected) do { \ hash##_update(&hash, LDATA(msg)); \ ASSERT(rsa_##hash##_sign(key, &hash, signature)); \ if (verbose) \ { \ fprintf(stderr, "rsa-%s signature: ", #hash); \ mpz_out_str(stderr, 16, signature); \ fprintf(stderr, "\n"); \ } \ ASSERT(mpz_cmp (signature, expected) == 0); \ \ hash##_update(&hash, LDATA(msg)); \ ASSERT(rsa_##hash##_sign_tr(pub, key, &rstate, \ (nettle_random_func *) knuth_lfib_random, \ &hash, signature)); \ ASSERT(mpz_cmp (signature, expected) == 0); \ \ hash##_update(&hash, LDATA(msg)); \ hash##_digest(&hash, sizeof(digest), digest); \ ASSERT(rsa_##hash##_sign_digest(key, digest, signature)); \ ASSERT(mpz_cmp (signature, expected) == 0); \ \ ASSERT(rsa_##hash##_sign_digest_tr(pub, key, &rstate, \ (nettle_random_func *)knuth_lfib_random, \ digest, signature)); \ ASSERT(mpz_cmp (signature, expected) == 0); \ } while(0) #define VERIFY(key, hash, msg, signature) ( \ hash##_update(&hash, LDATA(msg)), \ rsa_##hash##_verify(key, &hash, signature) \ ) void test_rsa_set_key_1(struct rsa_public_key *pub, struct rsa_private_key *key) { /* Initialize key pair for test programs */ /* 1000-bit key, generated by * * lsh-keygen -a rsa -l 1000 -f advanced-hex * * (private-key (rsa-pkcs1 * (n #69abd505285af665 36ddc7c8f027e6f0 ed435d6748b16088 * 4fd60842b3a8d7fb bd8a3c98f0cc50ae 4f6a9f7dd73122cc * ec8afa3f77134406 f53721973115fc2d 8cfbba23b145f28d * 84f81d3b6ae8ce1e 2850580c026e809b cfbb52566ea3a3b3 * df7edf52971872a7 e35c1451b8636d22 279a8fb299368238 * e545fbb4cf#) * (e #0db2ad57#) * (d #3240a56f4cd0dcc2 4a413eb4ea545259 5c83d771a1c2ba7b * ec47c5b43eb4b374 09bd2aa1e236dd86 481eb1768811412f * f8d91be3545912af b55c014cb55ceac6 54216af3b85d5c4f * 4a32894e3b5dfcde 5b2875aa4dc8d9a8 6afd0ca92ef50d35 * bd09f1c47efb4c8d c631e07698d362aa 4a83fd304e66d6c5 * 468863c307#) * (p #0a66399919be4b4d e5a78c5ea5c85bf9 aba8c013cb4a8732 * 14557a12bd67711e bb4073fd39ad9a86 f4e80253ad809e5b * f2fad3bc37f6f013 273c9552c9f489#) * (q #0a294f069f118625 f5eae2538db9338c 776a298eae953329 * 9fd1eed4eba04e82 b2593bc98ba8db27 de034da7daaea795 * 2d55b07b5f9a5875 d1ca5f6dcab897#) * (a #011b6c48eb592eee e85d1bb35cfb6e07 344ea0b5e5f03a28 * 5b405396cbc78c5c 868e961db160ba8d 4b984250930cf79a * 1bf8a9f28963de53 128aa7d690eb87#) * (b #0409ecf3d2557c88 214f1af5e1f17853 d8b2d63782fa5628 * 60cf579b0833b7ff 5c0529f2a97c6452 2fa1a8878a9635ab * ce56debf431bdec2 70b308fa5bf387#) * (c #04e103ee925cb5e6 6653949fa5e1a462 c9e65e1adcd60058 * e2df9607cee95fa8 daec7a389a7d9afc 8dd21fef9d83805a * 40d46f49676a2f6b 2926f70c572c00#))) */ mpz_set_str(pub->n, "69abd505285af665" "36ddc7c8f027e6f0" "ed435d6748b16088" "4fd60842b3a8d7fb" "bd8a3c98f0cc50ae" "4f6a9f7dd73122cc" "ec8afa3f77134406" "f53721973115fc2d" "8cfbba23b145f28d" "84f81d3b6ae8ce1e" "2850580c026e809b" "cfbb52566ea3a3b3" "df7edf52971872a7" "e35c1451b8636d22" "279a8fb299368238" "e545fbb4cf", 16); mpz_set_str(pub->e, "0db2ad57", 16); ASSERT (rsa_public_key_prepare(pub)); /* d is not used */ #if 0 mpz_set_str(key->d, "3240a56f4cd0dcc2" "4a413eb4ea545259" "5c83d771a1c2ba7b" "ec47c5b43eb4b374" "09bd2aa1e236dd86" "481eb1768811412f" "f8d91be3545912af" "b55c014cb55ceac6" "54216af3b85d5c4f" "4a32894e3b5dfcde" "5b2875aa4dc8d9a8" "6afd0ca92ef50d35" "bd09f1c47efb4c8d" "c631e07698d362aa" "4a83fd304e66d6c5" "468863c307", 16); #endif mpz_set_str(key->p, "0a66399919be4b4d" "e5a78c5ea5c85bf9" "aba8c013cb4a8732" "14557a12bd67711e" "bb4073fd39ad9a86" "f4e80253ad809e5b" "f2fad3bc37f6f013" "273c9552c9f489", 16); mpz_set_str(key->q, "0a294f069f118625" "f5eae2538db9338c" "776a298eae953329" "9fd1eed4eba04e82" "b2593bc98ba8db27" "de034da7daaea795" "2d55b07b5f9a5875" "d1ca5f6dcab897", 16); mpz_set_str(key->a, "011b6c48eb592eee" "e85d1bb35cfb6e07" "344ea0b5e5f03a28" "5b405396cbc78c5c" "868e961db160ba8d" "4b984250930cf79a" "1bf8a9f28963de53" "128aa7d690eb87", 16); mpz_set_str(key->b, "0409ecf3d2557c88" "214f1af5e1f17853" "d8b2d63782fa5628" "60cf579b0833b7ff" "5c0529f2a97c6452" "2fa1a8878a9635ab" "ce56debf431bdec2" "70b308fa5bf387", 16); mpz_set_str(key->c, "04e103ee925cb5e6" "6653949fa5e1a462" "c9e65e1adcd60058" "e2df9607cee95fa8" "daec7a389a7d9afc" "8dd21fef9d83805a" "40d46f49676a2f6b" "2926f70c572c00", 16); ASSERT (rsa_private_key_prepare(key)); ASSERT (pub->size == key->size); } void test_rsa_set_key_2(struct rsa_public_key *pub, struct rsa_private_key *key) { /* Initialize key pair for test programs */ /* 2048-bit key, generated by * * certtool --generate-privkey --key-type=rsa --bits=2048 --outfile - * * Public Key Info: * Public Key Algorithm: RSA * Key Security Level: Medium (2048 bits) * * modulus: * 00:dd:ef:1d:66:d5:f0:b3:56:9b:da:2a:59:c7:96:e6 * 7a:c9:c8:13:61:89:da:f1:5a:01:65:61:ac:fb:53:1a * 09:49:41:dd:fd:db:6e:68:c4:3a:8a:61:46:c3:ea:8b * 34:5f:e1:f6:60:91:9b:09:ae:8e:8c:ad:fa:99:ef:2a * b5:7d:32:ad:cc:2d:4f:3f:df:21:42:b7:ce:6e:ab:ca * eb:a4:93:97:8f:55:c4:8f:19:de:dd:ea:0a:83:10:3c * 8c:5f:f5:ce:01:7f:32:3d:d6:f8:82:f2:2d:3f:8f:20 * 6a:02:68:a9:8b:0d:12:99:93:67:f9:1c:23:ae:5f:0d * df:ec:2b:5d:78:c8:14:ac:6b:e9:2a:f7:aa:3e:cd:a1 * c8:c8:3e:11:24:50:eb:68:34:4c:0c:c1:2a:be:13:95 * ee:a0:73:dd:09:f2:38:5c:58:a7:dc:60:30:90:c9:a4 * 1b:19:ed:51:5c:15:51:54:cd:8a:92:10:76:d4:19:88 * f8:93:ff:8d:08:a2:46:0f:59:af:c1:3d:4e:24:b5:e5 * 8a:8e:44:10:85:74:8d:06:64:72:b2:f7:c5:6c:75:09 * fa:bc:9d:73:5d:14:c5:a6:81:f5:2e:8a:2d:a9:aa:c1 * 43:b9:07:cf:77:90:7a:28:c5:41:53:51:d1:b3:6a:e2 * 7b: * * public exponent: * 01:00:01: * * private exponent: * 73:2e:6f:66:f8:af:d4:93:a5:8d:63:9f:76:cb:a5:50 * a2:ba:b8:fc:4d:4c:99:28:2a:43:50:9f:33:4c:9c:dd * a6:ec:8d:66:fb:e4:60:71:3f:24:a4:79:d2:a2:3e:9e * ef:08:5a:13:22:5e:81:76:db:ba:bd:6c:ab:49:8a:33 * e9:07:4d:56:03:49:f7:0f:39:b6:e3:a8:3a:9d:e4:51 * c9:f7:63:98:5b:5e:09:1a:d7:24:fb:1b:7b:8c:08:b0 * 9d:f8:f7:72:a5:6e:10:d4:29:e3:e4:06:81:cf:29:76 * 7b:4b:90:7a:7f:4d:60:f1:34:eb:ff:a3:b1:12:da:22 * 9e:87:c0:77:22:38:03:4b:80:ab:0c:8a:07:14:c3:c0 * 08:9e:2c:13:9f:74:f4:19:86:51:61:67:b0:ce:bc:7b * 8f:81:18:8e:3c:8e:e7:e5:d4:e9:ed:49:b8:0b:21:b1 * 2a:82:0f:7b:4d:8d:e4:f7:bc:8a:6c:c9:20:8c:4b:ba * 1e:67:43:9e:58:a4:e4:20:c6:4b:22:05:9d:33:d3:11 * 92:f2:94:88:d8:fb:c9:53:8f:9c:52:4e:d3:66:f3:2b * 8c:3b:56:a7:4c:25:10:44:a0:62:79:4d:44:fb:9d:0e * 35:8b:92:b0:49:af:5d:a4:00:36:44:3c:e7:31:9d:f9 * * * prime1: * 00:ed:6b:29:25:c1:4f:9c:df:08:4b:c1:43:e3:e6:f3 * d6:6e:1e:2d:46:d6:eb:97:aa:c7:c9:32:5e:0a:6b:39 * ac:be:2a:49:98:f6:c3:c8:d0:08:33:5b:75:62:f7:d9 * 7e:87:d6:90:2d:9d:ce:94:be:2b:ed:8e:aa:85:29:86 * d9:bc:c0:10:2e:95:30:cc:3f:72:75:81:d1:60:f6:89 * 86:f7:42:dc:29:8f:dc:d7:15:e8:99:1a:1d:12:92:89 * 88:95:47:3e:25:c5:f4:e5:c4:82:87:32:d3:d7:a8:ce * d9:77:2c:fc:87:bb:d9:f9:e6:a4:ec:1e:c8:a9:7b:0b * 35: * * prime2: * 00:ef:4d:b5:f6:53:12:9a:4e:3c:3f:56:ff:25:86:44 * 0e:b1:b7:81:c4:0e:31:40:90:e7:91:d7:e7:80:8e:8a * cc:99:1a:1b:0b:5d:9b:9b:00:81:fa:36:95:02:6a:44 * 16:6e:67:64:db:ba:35:9b:5b:1c:e7:96:ac:2a:e3:c8 * 7a:a9:de:1d:e4:75:54:cf:73:c9:76:92:2f:03:8b:ef * a4:dc:5c:4d:54:2a:cc:f6:c3:cd:a7:0e:84:ce:33:96 * 9b:99:68:e5:a9:cf:80:5b:df:2b:5a:a4:02:b2:d5:65 * a7:b8:d0:33:c8:23:ed:89:d1:44:7b:d1:94:99:9f:3c * ef: * * coefficient: * 5c:ba:5a:d7:98:43:ab:ac:a0:d2:9c:1f:ab:3d:5e:a0 * 54:c9:6e:54:19:9b:ff:9c:dc:05:75:93:97:3a:88:e9 * bb:1f:79:05:03:79:9b:b7:ac:07:71:bf:b0:a7:12:fc * 22:6c:38:04:40:2f:b9:0d:2d:0a:f3:b8:2e:88:3e:ab * d8:ee:30:5c:fb:dc:59:0e:d9:9f:96:cd:4a:4a:12:88 * aa:c9:f0:03:e2:01:df:5d:0e:ec:e6:ac:0b:f1:81:b8 * 85:9b:f7:69:b6:c8:e4:54:d8:02:5b:58:b4:c2:45:02 * b7:65:d4:5c:dc:aa:b6:47:6e:dd:1f:72:46:6c:27:22 * * * exp1: * 41:78:03:68:bd:dd:ce:4c:52:65:51:6d:ff:32:78:9a * f0:d2:b1:79:8f:5a:78:00:48:07:5b:34:43:7b:3d:f4 * 3c:9c:3c:9f:49:ac:c3:7b:5a:47:8f:38:d7:89:b1:18 * 0b:2d:47:a4:cc:97:62:bc:ee:30:1b:df:39:c9:31:be * 69:26:2d:50:2b:23:c1:ae:dd:49:39:fb:1a:d9:e1:22 * ae:9c:69:49:ac:ba:21:35:91:66:66:a5:0d:b2:0a:ea * f6:ff:26:4c:14:42:6b:f9:bc:64:bb:c7:5e:f8:d5:d1 * 71:e3:9d:df:70:15:b3:ab:be:5e:be:3e:67:3d:de:e1 * * * exp2: * 63:00:4a:5c:5a:e7:e2:50:a5:9a:2a:ba:a9:e2:8f:3b * 69:08:9b:35:ea:0d:34:41:fe:9b:96:af:de:be:99:eb * a5:17:68:c2:dd:fa:27:39:21:8c:cb:92:00:0a:c8:9a * 63:18:81:60:69:fc:0d:86:b7:41:94:53:2b:f7:4a:94 * 7c:bc:38:af:b0:5e:e2:e8:6b:1b:93:c4:c1:79:de:2d * dd:40:8e:79:58:af:ad:13:3a:7c:77:84:37:ee:9d:cb * 47:bf:5e:ec:4e:bd:32:c4:f4:21:ae:a2:b3:2b:97:bf * b8:b4:e2:07:55:dd:ca:db:79:b2:a3:f5:0f:4d:12:9f */ mpz_set_str(pub->n, "00ddef1d66d5f0b3" "569bda2a59c796e6" "7ac9c8136189daf1" "5a016561acfb531a" "094941ddfddb6e68" "c43a8a6146c3ea8b" "345fe1f660919b09" "ae8e8cadfa99ef2a" "b57d32adcc2d4f3f" "df2142b7ce6eabca" "eba493978f55c48f" "19deddea0a83103c" "8c5ff5ce017f323d" "d6f882f22d3f8f20" "6a0268a98b0d1299" "9367f91c23ae5f0d" "dfec2b5d78c814ac" "6be92af7aa3ecda1" "c8c83e112450eb68" "344c0cc12abe1395" "eea073dd09f2385c" "58a7dc603090c9a4" "1b19ed515c155154" "cd8a921076d41988" "f893ff8d08a2460f" "59afc13d4e24b5e5" "8a8e441085748d06" "6472b2f7c56c7509" "fabc9d735d14c5a6" "81f52e8a2da9aac1" "43b907cf77907a28" "c5415351d1b36ae2" "7b", 16); mpz_set_str(pub->e, "010001", 16); ASSERT (rsa_public_key_prepare(pub)); /* d is not used */ #if 0 mpz_set_str(key->d, "732e6f66f8afd493" "a58d639f76cba550" "a2bab8fc4d4c9928" "2a43509f334c9cdd" "a6ec8d66fbe46071" "3f24a479d2a23e9e" "ef085a13225e8176" "dbbabd6cab498a33" "e9074d560349f70f" "39b6e3a83a9de451" "c9f763985b5e091a" "d724fb1b7b8c08b0" "9df8f772a56e10d4" "29e3e40681cf2976" "7b4b907a7f4d60f1" "34ebffa3b112da22" "9e87c0772238034b" "80ab0c8a0714c3c0" "089e2c139f74f419" "86516167b0cebc7b" "8f81188e3c8ee7e5" "d4e9ed49b80b21b1" "2a820f7b4d8de4f7" "bc8a6cc9208c4bba" "1e67439e58a4e420" "c64b22059d33d311" "92f29488d8fbc953" "8f9c524ed366f32b" "8c3b56a74c251044" "a062794d44fb9d0e" "358b92b049af5da4" "0036443ce7319df9" , 16); #endif mpz_set_str(key->p, "00ed6b2925c14f9c" "df084bc143e3e6f3" "d66e1e2d46d6eb97" "aac7c9325e0a6b39" "acbe2a4998f6c3c8" "d008335b7562f7d9" "7e87d6902d9dce94" "be2bed8eaa852986" "d9bcc0102e9530cc" "3f727581d160f689" "86f742dc298fdcd7" "15e8991a1d129289" "8895473e25c5f4e5" "c4828732d3d7a8ce" "d9772cfc87bbd9f9" "e6a4ec1ec8a97b0b" "35", 16); mpz_set_str(key->q, "00ef4db5f653129a" "4e3c3f56ff258644" "0eb1b781c40e3140" "90e791d7e7808e8a" "cc991a1b0b5d9b9b" "0081fa3695026a44" "166e6764dbba359b" "5b1ce796ac2ae3c8" "7aa9de1de47554cf" "73c976922f038bef" "a4dc5c4d542accf6" "c3cda70e84ce3396" "9b9968e5a9cf805b" "df2b5aa402b2d565" "a7b8d033c823ed89" "d1447bd194999f3c" "ef", 16); mpz_set_str(key->a, "41780368bdddce4c" "5265516dff32789a" "f0d2b1798f5a7800" "48075b34437b3df4" "3c9c3c9f49acc37b" "5a478f38d789b118" "0b2d47a4cc9762bc" "ee301bdf39c931be" "69262d502b23c1ae" "dd4939fb1ad9e122" "ae9c6949acba2135" "916666a50db20aea" "f6ff264c14426bf9" "bc64bbc75ef8d5d1" "71e39ddf7015b3ab" "be5ebe3e673ddee1", 16); mpz_set_str(key->b, "63004a5c5ae7e250" "a59a2abaa9e28f3b" "69089b35ea0d3441" "fe9b96afdebe99eb" "a51768c2ddfa2739" "218ccb92000ac89a" "6318816069fc0d86" "b74194532bf74a94" "7cbc38afb05ee2e8" "6b1b93c4c179de2d" "dd408e7958afad13" "3a7c778437ee9dcb" "47bf5eec4ebd32c4" "f421aea2b32b97bf" "b8b4e20755ddcadb" "79b2a3f50f4d129f", 16); mpz_set_str(key->c, "5cba5ad79843abac" "a0d29c1fab3d5ea0" "54c96e54199bff9c" "dc057593973a88e9" "bb1f790503799bb7" "ac0771bfb0a712fc" "226c3804402fb90d" "2d0af3b82e883eab" "d8ee305cfbdc590e" "d99f96cd4a4a1288" "aac9f003e201df5d" "0eece6ac0bf181b8" "859bf769b6c8e454" "d8025b58b4c24502" "b765d45cdcaab647" "6edd1f72466c2722", 16); ASSERT (rsa_private_key_prepare(key)); ASSERT (pub->size == key->size); } void test_rsa_md5(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct md5_ctx md5; struct knuth_lfib_ctx rstate; uint8_t digest[MD5_DIGEST_SIZE]; mpz_t signature; md5_init(&md5); mpz_init(signature); knuth_lfib_init (&rstate, 15); SIGN(md5, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, md5, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, md5, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, md5, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } void test_rsa_sha1(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct sha1_ctx sha1; struct knuth_lfib_ctx rstate; uint8_t digest[SHA1_DIGEST_SIZE]; mpz_t signature; sha1_init(&sha1); mpz_init(signature); knuth_lfib_init (&rstate, 16); SIGN(sha1, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, sha1, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, sha1, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, sha1, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } void test_rsa_sha256(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct sha256_ctx sha256; struct knuth_lfib_ctx rstate; uint8_t digest[SHA256_DIGEST_SIZE]; mpz_t signature; sha256_init(&sha256); mpz_init(signature); knuth_lfib_init (&rstate, 17); SIGN(sha256, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, sha256, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, sha256, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, sha256, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } void test_rsa_sha512(struct rsa_public_key *pub, struct rsa_private_key *key, mpz_t expected) { struct sha512_ctx sha512; struct knuth_lfib_ctx rstate; uint8_t digest[SHA512_DIGEST_SIZE]; mpz_t signature; sha512_init(&sha512); mpz_init(signature); knuth_lfib_init (&rstate, 18); SIGN(sha512, "The magic words are squeamish ossifrage", expected); /* Try bad data */ ASSERT (!VERIFY(pub, sha512, "The magick words are squeamish ossifrage", signature)); /* Try correct data */ ASSERT (VERIFY(pub, sha512, "The magic words are squeamish ossifrage", signature)); /* Try bad signature */ mpz_combit(signature, 17); ASSERT (!VERIFY(pub, sha512, "The magic words are squeamish ossifrage", signature)); mpz_clear(signature); } #undef SIGN #undef VERIFY void test_rsa_key(struct rsa_public_key *pub, struct rsa_private_key *key) { mpz_t tmp; mpz_t phi; mpz_init(tmp); mpz_init(phi); if (verbose) { fprintf(stderr, "Public key: n="); mpz_out_str(stderr, 16, pub->n); fprintf(stderr, "\n e="); mpz_out_str(stderr, 16, pub->e); fprintf(stderr, "\n\nPrivate key: d="); mpz_out_str(stderr, 16, key->d); fprintf(stderr, "\n p="); mpz_out_str(stderr, 16, key->p); fprintf(stderr, "\n q="); mpz_out_str(stderr, 16, key->q); fprintf(stderr, "\n a="); mpz_out_str(stderr, 16, key->a); fprintf(stderr, "\n b="); mpz_out_str(stderr, 16, key->b); fprintf(stderr, "\n c="); mpz_out_str(stderr, 16, key->c); fprintf(stderr, "\n\n"); } /* Check n = p q */ mpz_mul(tmp, key->p, key->q); ASSERT (mpz_cmp(tmp, pub->n)== 0); /* Check c q = 1 mod p */ mpz_mul(tmp, key->c, key->q); mpz_fdiv_r(tmp, tmp, key->p); ASSERT (mpz_cmp_ui(tmp, 1) == 0); /* Check ed = 1 (mod phi) */ mpz_sub_ui(phi, key->p, 1); mpz_sub_ui(tmp, key->q, 1); mpz_mul(phi, phi, tmp); mpz_mul(tmp, pub->e, key->d); mpz_fdiv_r(tmp, tmp, phi); ASSERT (mpz_cmp_ui(tmp, 1) == 0); /* Check a e = 1 (mod (p-1) ) */ mpz_sub_ui(phi, key->p, 1); mpz_mul(tmp, pub->e, key->a); mpz_fdiv_r(tmp, tmp, phi); ASSERT (mpz_cmp_ui(tmp, 1) == 0); /* Check b e = 1 (mod (q-1) ) */ mpz_sub_ui(phi, key->q, 1); mpz_mul(tmp, pub->e, key->b); mpz_fdiv_r(tmp, tmp, phi); ASSERT (mpz_cmp_ui(tmp, 1) == 0); mpz_clear(tmp); mpz_clear(phi); } /* Requires that the context is named like the hash algorithm. */ #define DSA_VERIFY(key, hash, msg, signature) \ (hash##_update(&hash, LDATA(msg)), \ dsa_##hash##_verify(key, &hash, signature)) void test_dsa160(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct dsa_signature *expected) { struct sha1_ctx sha1; struct dsa_signature signature; struct knuth_lfib_ctx lfib; sha1_init(&sha1); dsa_signature_init(&signature); knuth_lfib_init(&lfib, 1111); sha1_update(&sha1, LDATA("The magic words are squeamish ossifrage")); ASSERT (dsa_sha1_sign(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, &sha1, &signature)); if (verbose) { fprintf(stderr, "dsa160 signature: "); mpz_out_str(stderr, 16, signature.r); fprintf(stderr, ", "); mpz_out_str(stderr, 16, signature.s); fprintf(stderr, "\n"); } if (expected) ASSERT (mpz_cmp (signature.r, expected->r) == 0 && mpz_cmp (signature.s, expected->s) == 0); /* Try bad data */ ASSERT (!DSA_VERIFY(pub, sha1, "The magick words are squeamish ossifrage", &signature)); /* Try correct data */ ASSERT (DSA_VERIFY(pub, sha1, "The magic words are squeamish ossifrage", &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!DSA_VERIFY(pub, sha1, "The magic words are squeamish ossifrage", &signature)); dsa_signature_clear(&signature); } void test_dsa256(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct dsa_signature *expected) { struct sha256_ctx sha256; struct dsa_signature signature; struct knuth_lfib_ctx lfib; sha256_init(&sha256); dsa_signature_init(&signature); knuth_lfib_init(&lfib, 1111); sha256_update(&sha256, LDATA("The magic words are squeamish ossifrage")); ASSERT (dsa_sha256_sign(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, &sha256, &signature)); if (verbose) { fprintf(stderr, "dsa256 signature: "); mpz_out_str(stderr, 16, signature.r); fprintf(stderr, ", "); mpz_out_str(stderr, 16, signature.s); fprintf(stderr, "\n"); } if (expected) ASSERT (mpz_cmp (signature.r, expected->r) == 0 && mpz_cmp (signature.s, expected->s) == 0); /* Try bad data */ ASSERT (!DSA_VERIFY(pub, sha256, "The magick words are squeamish ossifrage", &signature)); /* Try correct data */ ASSERT (DSA_VERIFY(pub, sha256, "The magic words are squeamish ossifrage", &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!DSA_VERIFY(pub, sha256, "The magic words are squeamish ossifrage", &signature)); dsa_signature_clear(&signature); } #if 0 void test_dsa_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, const struct nettle_hash *hash, const struct dsa_signature *expected) { void *ctx = xalloc (hash->context_size); uint8_t *digest = xalloc (hash->digest_size); uint8_t *bad_digest = xalloc (hash->digest_size); struct dsa_signature signature; struct knuth_lfib_ctx lfib; dsa_signature_init(&signature); knuth_lfib_init(&lfib, 1111); hash->init(ctx); hash->update(ctx, LDATA("The magic words are squeamish ossifrage")); hash->digest(ctx, hash->digest_size, digest); ASSERT (dsa_sign(pub, key, &lfib, (nettle_random_func *) knuth_lfib_random, hash->digest_size, digest, &signature)); if (verbose) { fprintf(stderr, "dsa-%s signature: ", hash->name); mpz_out_str(stderr, 16, signature.r); fprintf(stderr, ", "); mpz_out_str(stderr, 16, signature.s); fprintf(stderr, "\n"); } if (expected) ASSERT (mpz_cmp (signature.r, expected->r) == 0 && mpz_cmp (signature.s, expected->s) == 0); /* Try correct data */ ASSERT (dsa_verify(pub, hash->digest_size, digest, &signature)); /* Try bad data */ hash->update(ctx, LDATA("The magick words are squeamish ossifrage")); hash->digest(ctx, hash->digest_size, bad_digest); ASSERT (!dsa_verify(pub, hash->digest_size, bad_digest, &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!dsa_verify(pub, hash->digest_size, digest, &signature)); free (ctx); free (digest); free (bad_digest); dsa_signature_clear(&signature); } #endif void test_dsa_verify(const struct dsa_params *params, const mpz_t pub, const struct nettle_hash *hash, struct tstring *msg, const struct dsa_signature *ref) { void *ctx = xalloc (hash->context_size); uint8_t *digest = xalloc (hash->digest_size); struct dsa_signature signature; dsa_signature_init (&signature); hash->init(ctx); hash->update (ctx, msg->length, msg->data); hash->digest (ctx, hash->digest_size, digest); mpz_set (signature.r, ref->r); mpz_set (signature.s, ref->s); ASSERT (dsa_verify (params, pub, hash->digest_size, digest, &signature)); /* Try bad signature */ mpz_combit(signature.r, 17); ASSERT (!dsa_verify (params, pub, hash->digest_size, digest, &signature)); /* Try bad data */ digest[hash->digest_size / 2-1] ^= 8; ASSERT (!dsa_verify (params, pub, hash->digest_size, digest, ref)); free (ctx); free (digest); dsa_signature_clear(&signature); } void test_dsa_key(const struct dsa_params *params, const mpz_t pub, const mpz_t key, unsigned q_size) { mpz_t t; mpz_init(t); ASSERT(mpz_sizeinbase(params->q, 2) == q_size); ASSERT(mpz_sizeinbase(params->p, 2) >= DSA_SHA1_MIN_P_BITS); ASSERT(mpz_probab_prime_p(params->p, 10)); ASSERT(mpz_probab_prime_p(params->q, 10)); mpz_fdiv_r(t, params->p, params->q); ASSERT(0 == mpz_cmp_ui(t, 1)); ASSERT(mpz_cmp_ui(params->g, 1) > 0); mpz_powm(t, params->g, params->q, params->p); ASSERT(0 == mpz_cmp_ui(t, 1)); mpz_powm(t, params->g, key, params->p); ASSERT(0 == mpz_cmp(t, pub)); mpz_clear(t); } const struct ecc_curve * const ecc_curves[] = { &_nettle_secp_192r1, &_nettle_secp_224r1, &_nettle_secp_256r1, &_nettle_secp_384r1, &_nettle_secp_521r1, &_nettle_curve25519, &_nettle_curve448, &_nettle_gost_gc256b, &_nettle_gost_gc512a, NULL }; int test_ecc_point_valid_p (struct ecc_point *pub) { mpz_t t, x, y; mpz_t lhs, rhs; int res; mp_size_t size; size = pub->ecc->p.size; /* First check range */ if (mpn_cmp (pub->p, pub->ecc->p.m, size) >= 0 || mpn_cmp (pub->p + size, pub->ecc->p.m, size) >= 0) return 0; mpz_init (lhs); mpz_init (rhs); mpz_roinit_n (x, pub->p, size); mpz_roinit_n (y, pub->p + size, size); mpz_mul (lhs, y, y); if (pub->ecc->p.bit_size == 255) { /* Check that 121666 (1 + x^2 - y^2) = 121665 x^2 y^2 */ mpz_t x2; mpz_init (x2); mpz_mul (x2, x, x); /* x^2 */ mpz_mul (rhs, x2, lhs); /* x^2 y^2 */ mpz_sub (lhs, x2, lhs); /* x^2 - y^2 */ mpz_add_ui (lhs, lhs, 1); /* 1 + x^2 - y^2 */ mpz_mul_ui (lhs, lhs, 121666); mpz_mul_ui (rhs, rhs, 121665); mpz_clear (x2); } else if (pub->ecc->p.bit_size == 448) { /* Check that x^2 + y^2 = 1 - 39081 x^2 y^2 */ mpz_t x2, d; mpz_init (x2); mpz_init_set_ui (d, 39081); mpz_mul (x2, x, x); /* x^2 */ mpz_mul (d, d, x2); /* 39081 x^2 */ mpz_set_ui (rhs, 1); mpz_submul (rhs, d, lhs); /* 1 - 39081 x^2 y^2 */ mpz_add (lhs, x2, lhs); /* x^2 + y^2 */ mpz_clear (d); mpz_clear (x2); } else { /* Check y^2 = x^3 - 3 x + b */ mpz_mul (rhs, x, x); mpz_sub_ui (rhs, rhs, 3); mpz_mul (rhs, rhs, x); mpz_add (rhs, rhs, mpz_roinit_n (t, pub->ecc->b, size)); } res = mpz_congruent_p (lhs, rhs, mpz_roinit_n (t, pub->ecc->p.m, size)); mpz_clear (lhs); mpz_clear (rhs); return res; } static int test_mpn (const char *ref, const mp_limb_t *xp, mp_size_t n) { mpz_t r, x; int res; mpz_init_set_str (r, ref, 16); res = (mpz_cmp (r, mpz_roinit_n (x, xp, n)) == 0); mpz_clear (r); return res; } void write_mpn (FILE *f, int base, const mp_limb_t *xp, mp_size_t n) { mpz_t t; mpz_out_str (f, base, mpz_roinit_n (t,xp, n)); } void test_ecc_point (const struct ecc_curve *ecc, const struct ecc_ref_point *ref, const mp_limb_t *p) { if (! (test_mpn (ref->x, p, ecc->p.size) && test_mpn (ref->y, p + ecc->p.size, ecc->p.size) )) { fprintf (stderr, "Incorrect point, curve bits %d!\n" "got: x = ", ecc->p.bit_size); write_mpn (stderr, 16, p, ecc->p.size); fprintf (stderr, "\n" " y = "); write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); fprintf (stderr, "\n" "ref: x = %s\n" " y = %s\n", ref->x, ref->y); abort(); } } /* For each curve, the points g, 2 g, 3 g and 4 g */ static const struct ecc_ref_point ecc_ref[9][4] = { { { "188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012", "07192b95ffc8da78631011ed6b24cdd573f977a11e794811" }, { "dafebf5828783f2ad35534631588a3f629a70fb16982a888", "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab" }, { "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd" }, { "35433907297cc378b0015703374729d7a4fe46647084e4ba", "a2649984f2135c301ea3acb0776cd4f125389b311db3be32" } }, { { "b70e0cbd6bb4bf7f321390b94a03c1d356c21122343280d6115c1d21", "bd376388b5f723fb4c22dfe6cd4375a05a07476444d5819985007e34" }, { "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6", "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb" }, { "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04", "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925" }, { "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9" }, }, { { "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5" }, { "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978", "7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1" }, { "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", "8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032" }, { "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6" }, }, { { "aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a38" "5502f25dbf55296c3a545e3872760ab7", "3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c0" "0a60b1ce1d7e819d7a431d7c90ea0e5f" }, { "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e" "4fe0e86ebe0e64f85b96a9c75295df61", "8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab425" "5ffd43e94d39e22d61501e700a940e80" }, { "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6" "b408bbae5026580d02d7e5c70500c831", "c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eac" "c24abd6be4b5d298b65f28600a2f1df1" }, { "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d" "1589a1597e3a5120e1efd631c63e1835", "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dc" "ed7387be37bba569549f1c02b270ed67" }, }, { { "c6" "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba" "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", "118" "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c" "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650" }, { "43" "3c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97" "b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d", "f4" "bb8cc7f86db26700a7f3eceeeed3f0b5c6b5107c4da97740ab21a29906c42dbb" "b3e377de9f251f6b93937fa99a3248f4eafcbe95edc0f4f71be356d661f41b02" }, { "1a7" "3d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1" "ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d", "13e" "9b03b97dfa62ddd9979f86c6cab814f2f1557fa82a9d0317d2f8ab1fa355ceec" "2e2dd4cf8dc575b02d5aced1dec3c70cf105c9bc93a590425f588ca1ee86c0e5" }, { "35" "b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac" "8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3", "82" "096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f2" "79f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d" }, }, { { "216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a", "6666666666666666666666666666666666666666666666666666666666666658" }, { "36ab384c9f5a046c3d043b7d1833e7ac080d8e4515d7a45f83c5a14e2843ce0e", "2260cdf3092329c21da25ee8c9a21f5697390f51643851560e5f46ae6af8a3c9" }, { "67ae9c4a22928f491ff4ae743edac83a6343981981624886ac62485fd3f8e25c", "1267b1d177ee69aba126a18e60269ef79f16ec176724030402c3684878f5b4d4" }, { "203da8db56cff1468325d4b87a3520f91a739ec193ce1547493aa657c4c9f870", "47d0e827cb1595e1470eb88580d5716c4cf22832ea2f0ff0df38ab61ca32112f" }, }, { { "4f1970c66bed0ded221d15a622bf36da9e146570470f1767ea6de324a3d3a46412ae1af72ab66511433b80e18b00938e2626a82bc70cc05e", "693f46716eb6bc248876203756c9c7624bea73736ca3984087789c1e05a0c2d73ad3ff1ce67c39c4fdbd132c4ed7c8ad9808795bf230fa14" }, { "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa955555555555555555555555555555555555555555555555555555555", "ae05e9634ad7048db359d6205086c2b0036ed7a035884dd7b7e36d728ad8c4b80d6565833a2a3098bbbcb2bed1cda06bdaeafbcdea9386ed" }, { "865886b9108af6455bd64316cb6943332241b8b8cda82c7e2ba077a4a3fcfe8daa9cbf7f6271fd6e862b769465da8575728173286ff2f8f", "e005a8dbd5125cf706cbda7ad43aa6449a4a8d952356c3b9fce43c82ec4e1d58bb3a331bdb6767f0bffa9a68fed02dafb822ac13588ed6fc" }, { "49dcbc5c6c0cce2c1419a17226f929ea255a09cf4e0891c693fda4be70c74cc301b7bdf1515dd8ba21aee1798949e120e2ce42ac48ba7f30", "d49077e4accde527164b33a5de021b979cb7c02f0457d845c90dc3227b8a5bc1c0d8f97ea1ca9472b5d444285d0d4f5b32e236f86de51839" }, }, { { "0000000000000000000000000000000000000000000000000000000000000001", "8d91e471e0989cda27df505a453f2b7635294f2ddf23e3b122acc99c9e9f1e14" }, { "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd95", "726e1b8e1f676325d820afa5bac0d489cad6b0d220dc1c4edd5336636160df83" }, { "8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38d2c", "76bcd1ca9a23b041d4d9baf507a6cd821267a94c838768e8486117796b788a51" }, { "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741" }, }, { { "0000000000000000000000000000000000000000000000000000000000000000" "0000000000000000000000000000000000000000000000000000000000000003", "7503cfe87a836ae3a61b8816e25450e6ce5e1c93acf1abc1778064fdcbefa921" "df1626be4fd036e93d75e6a50e3a41e98028fe5fc235f5b889a589cb5215f2a4" }, { "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f" "4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c", "c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92" "ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051" }, { "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba5" "43d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3", "3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb3" "11d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6" }, { "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef25" "7452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16", "3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850" "da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929" }, } }; void test_ecc_ga (unsigned curve, const mp_limb_t *p) { return test_ecc_point (ecc_curves[curve], &ecc_ref[curve][0], p); } void test_ecc_mul_a (unsigned curve, unsigned n, const mp_limb_t *p) { assert (curve < 9); assert (n <= 4); if (n == 0) { /* Makes sense for curve25519 only */ const struct ecc_curve *ecc = ecc_curves[curve]; assert (ecc->p.bit_size == 255 || ecc->p.bit_size == 448); if (!mpn_zero_p (p, ecc->p.size) || mpn_cmp (p + ecc->p.size, ecc->unit, ecc->p.size) != 0) { fprintf (stderr, "Incorrect point (expected (0, 1))!\n" "got: x = "); write_mpn (stderr, 16, p, ecc->p.size); fprintf (stderr, "\n" " y = "); write_mpn (stderr, 16, p + ecc->p.size, ecc->p.size); fprintf (stderr, "\n"); abort(); } } else test_ecc_point (ecc_curves[curve], &ecc_ref[curve][n-1], p); } void test_ecc_mul_h (unsigned curve, unsigned n, const mp_limb_t *p) { const struct ecc_curve *ecc = ecc_curves[curve]; mp_limb_t *np = xalloc_limbs (ecc_size_a (ecc)); mp_limb_t *scratch = xalloc_limbs (ecc->h_to_a_itch); ecc->h_to_a (ecc, 0, np, p, scratch); test_ecc_mul_a (curve, n, np); free (np); free (scratch); } void test_ecc_get_g (unsigned curve, mp_limb_t *rp) { const struct ecc_curve *ecc = ecc_curves[curve]; mpz_t x; mpz_t y; mpz_init_set_str (x, ecc_ref[curve][0].x, 16); mpz_init_set_str (y, ecc_ref[curve][0].y, 16); if (ecc->use_redc) { mpz_t t; mpz_mul_2exp (x, x, ecc->p.size * GMP_NUMB_BITS); mpz_mod (x, x, mpz_roinit_n (t, ecc->p.m, ecc->p.size)); mpz_mul_2exp (y, y, ecc->p.size * GMP_NUMB_BITS); mpz_mod (y, y, mpz_roinit_n (t, ecc->p.m, ecc->p.size)); } mpz_limbs_copy (rp, x, ecc->p.size); mpz_limbs_copy (rp + ecc->p.size, y, ecc->p.size); mpn_copyi (rp + 2*ecc->p.size, ecc->unit, ecc->p.size); mpz_clear (x); mpz_clear (y); } void test_ecc_get_ga (unsigned curve, mp_limb_t *rp) { const struct ecc_curve *ecc = ecc_curves[curve]; mpz_t x; mpz_t y; mpz_init_set_str (x, ecc_ref[curve][0].x, 16); mpz_init_set_str (y, ecc_ref[curve][0].y, 16); mpz_limbs_copy (rp, x, ecc->p.size); mpz_limbs_copy (rp + ecc->p.size, y, ecc->p.size); mpz_clear (x); mpz_clear (y); } #else /* !WITH_HOGWEED */ /* Make sure either gmp or mini-gmp is available for tests. */ #include "mini-gmp.c" #endif /* !WITH_HOGWEED */ nettle-3.10/testsuite/aes-keywrap-test.c0000644000175000017500000004005214633602172017363 0ustar nissenisse#include "testutils.h" #include "nist-keywrap.h" typedef void nettle_nist_keywrap_func(const void *ctx, const uint8_t * iv, size_t cleartext_length, uint8_t * cleartext, const uint8_t * ciphertext); typedef int nettle_nist_keyunwrap_func(const void *ctx, const uint8_t * iv, size_t cleartext_length, uint8_t * cleartext, const uint8_t * ciphertext); struct nettle_wrap { void *ctx; nettle_set_key_func *set_encrypt_key; nettle_cipher_func *encrypt; nettle_set_key_func *set_decrypt_key; nettle_cipher_func *decrypt; }; struct nettle_specific_wrap { void *ctx; nettle_set_key_func *set_encrypt_key; nettle_nist_keywrap_func *keywrap_func; nettle_set_key_func *set_decrypt_key; nettle_nist_keyunwrap_func *keyunwrap_func; }; static void test_wrap (struct nettle_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *cleartext, const struct tstring *ciphertext) { uint8_t data[40]; w->set_encrypt_key (w->ctx, key->data); nist_keywrap16 (w->ctx, w->encrypt, iv->data, cleartext->length + 8, data, cleartext->data); if (!MEMEQ (ciphertext->length, data, ciphertext->data)) { fprintf (stderr, "test_wrap: Wrap failed:"); fprintf (stderr, "\nOutput: "); print_hex (ciphertext->length, data); fprintf (stderr, "\nExpected:"); tstring_print_hex (ciphertext); fprintf (stderr, "\n"); FAIL (); } } static void test_unwrap (struct nettle_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext, const struct tstring *cleartext) { uint8_t data[32]; w->set_decrypt_key (w->ctx, key->data); nist_keyunwrap16 (w->ctx, w->decrypt, iv->data, cleartext->length, data, ciphertext->data); if (!MEMEQ (cleartext->length, data, cleartext->data)) { fprintf (stderr, "test_unwrap: Wrap failed:"); fprintf (stderr, "\nOutput: "); print_hex (cleartext->length, data); fprintf (stderr, "\nExpected:"); tstring_print_hex (cleartext); fprintf (stderr, "\n"); FAIL (); } } static void test_unwrap_fail (struct nettle_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext) { uint8_t data[32]; w->set_decrypt_key (w->ctx, key->data); if (nist_keyunwrap16 (w->ctx, w->decrypt, iv->data, ciphertext->length-8, data, ciphertext->data)) { FAIL (); } } static void test_specific_wrap (struct nettle_specific_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *cleartext, const struct tstring *ciphertext) { uint8_t data[40]; w->set_encrypt_key (w->ctx, key->data); w->keywrap_func (w->ctx, iv->data, cleartext->length + 8, data, cleartext->data); if (!MEMEQ (ciphertext->length, data, ciphertext->data)) { fprintf (stderr, "test_specific_wrap: Wrap failed:"); fprintf (stderr, "\nOutput: "); print_hex (ciphertext->length, data); fprintf (stderr, "\nExpected:"); tstring_print_hex (ciphertext); fprintf (stderr, "\n"); FAIL (); } } static void test_specific_unwrap (struct nettle_specific_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext, const struct tstring *cleartext) { uint8_t data[32]; w->set_decrypt_key (w->ctx, key->data); w->keyunwrap_func (w->ctx, iv->data, cleartext->length, data, ciphertext->data); if (!MEMEQ (cleartext->length, data, cleartext->data)) { fprintf (stderr, "test_unwrap: Wrap failed:"); fprintf (stderr, "\nOutput: "); print_hex (cleartext->length, data); fprintf (stderr, "\nExpected:"); tstring_print_hex (cleartext); fprintf (stderr, "\n"); FAIL (); } } static void test_specific_unwrap_fail (struct nettle_specific_wrap *w, const struct tstring *key, const struct tstring *iv, const struct tstring *ciphertext) { uint8_t data[32]; w->set_decrypt_key (w->ctx, key->data); if (w->keyunwrap_func (w->ctx, iv->data, ciphertext->length-8, data, ciphertext->data)) { FAIL (); } } void test_main (void) { struct aes128_ctx ctx_128; struct aes192_ctx ctx_192; struct aes256_ctx ctx_256; struct nettle_wrap wrap128, wrap192, wrap256; struct nettle_wrap unwrap128, unwrap192, unwrap256; struct nettle_specific_wrap swrap128, swrap192, swrap256; struct nettle_specific_wrap sunwrap128, sunwrap192, sunwrap256; wrap128.ctx = &ctx_128; wrap128.set_encrypt_key = (nettle_set_key_func *) & aes128_set_encrypt_key; wrap128.encrypt = (nettle_cipher_func *) & aes128_encrypt; unwrap128.ctx = &ctx_128; unwrap128.set_decrypt_key = (nettle_set_key_func *) & aes128_set_decrypt_key; unwrap128.decrypt = (nettle_cipher_func *) & aes128_decrypt; wrap192.ctx = &ctx_192; wrap192.set_encrypt_key = (nettle_set_key_func *) & aes192_set_encrypt_key; wrap192.encrypt = (nettle_cipher_func *) & aes192_encrypt; unwrap192.ctx = &ctx_192; unwrap192.set_decrypt_key = (nettle_set_key_func *) & aes192_set_decrypt_key; unwrap192.decrypt = (nettle_cipher_func *) & aes192_decrypt; wrap256.ctx = &ctx_256; wrap256.set_encrypt_key = (nettle_set_key_func *) & aes256_set_encrypt_key; wrap256.encrypt = (nettle_cipher_func *) & aes256_encrypt; unwrap256.ctx = &ctx_256; unwrap256.set_decrypt_key = (nettle_set_key_func *) & aes256_set_decrypt_key; unwrap256.decrypt = (nettle_cipher_func *) & aes256_decrypt; swrap128.ctx = &ctx_128; swrap128.set_encrypt_key = (nettle_set_key_func *) & aes128_set_encrypt_key; swrap128.keywrap_func = (nettle_nist_keywrap_func *) & aes128_keywrap; swrap192.ctx = &ctx_192; swrap192.set_encrypt_key = (nettle_set_key_func *) & aes192_set_encrypt_key; swrap192.keywrap_func = (nettle_nist_keywrap_func *) & aes192_keywrap; swrap256.ctx = &ctx_256; swrap256.set_encrypt_key = (nettle_set_key_func *) & aes256_set_encrypt_key; swrap256.keywrap_func = (nettle_nist_keywrap_func *) & aes256_keywrap; sunwrap128.ctx = &ctx_128; sunwrap128.set_decrypt_key = (nettle_set_key_func *) & aes128_set_decrypt_key; sunwrap128.keyunwrap_func = (nettle_nist_keyunwrap_func *) & aes128_keyunwrap; sunwrap192.ctx = &ctx_192; sunwrap192.set_decrypt_key = (nettle_set_key_func *) & aes192_set_decrypt_key; sunwrap192.keyunwrap_func = (nettle_nist_keyunwrap_func *) & aes192_keyunwrap; sunwrap256.ctx = &ctx_256; sunwrap256.set_decrypt_key = (nettle_set_key_func *) & aes256_set_decrypt_key; sunwrap256.keyunwrap_func = (nettle_nist_keyunwrap_func *) & aes256_keyunwrap; test_wrap (&wrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("1FA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5")); test_unwrap (&unwrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("1FA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_unwrap_fail (&unwrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("1EA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5")); test_wrap (&wrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5D")); test_unwrap (&unwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5D"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_unwrap_fail (&unwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5E")); test_wrap (&wrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE7")); test_unwrap (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE7"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_unwrap_fail (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE6")); test_wrap (&wrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725A93 6BA814915C6762D2")); test_unwrap (&unwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725A93 6BA814915C6762D2"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607")); test_unwrap_fail (&unwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725B93 6BA814915C6762D2")); test_wrap (&wrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1")); test_unwrap (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607")); test_unwrap_fail (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E5 769C8B80A32CB895 8CD5D17D6B254DA1")); test_wrap (&wrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607 08090A0B0C0D0E0F"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21")); test_unwrap (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607 08090A0B0C0D0E0F")); test_unwrap_fail (&unwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F816 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21")); test_specific_wrap (&swrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("1FA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5")); test_specific_unwrap (&sunwrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("1FA68B0A8112B447 AEF34BD8FB5A7B82 9D3E862371D2CFE5"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_specific_unwrap_fail (&sunwrap128, SHEX ("0001020304050607 08090A0B0C0D0E0F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("1FA68B0A8112B446 AEF34BD8FB5A7B82 9D3E862371D2CFE5")); test_specific_wrap (&swrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5D")); test_specific_unwrap (&sunwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 468AB8A17AD84E5D"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_specific_unwrap_fail (&sunwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("96778B25AE6CA435 F92B5B97C050AED2 478AB8A17AD84E5D")); test_specific_wrap (&swrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE7")); test_specific_unwrap (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8191E7D6E8AE7"), SHEX ("0011223344556677 8899AABBCCDDEEFF")); test_specific_unwrap_fail (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("64E8C3F9CE0F5BA2 63E9777905818A2A 93C8101E7D6E8AE7")); test_specific_wrap (&swrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725A93 6BA814915C6762D2")); test_specific_unwrap (&sunwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEE725A93 6BA814915C6762D2"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607")); test_specific_unwrap_fail (&sunwrap192, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("031D33264E15D332 68F24EC260743EDC E1C6C7DDEF725A93 6BA814915C6762D2")); test_specific_wrap (&swrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1")); test_specific_unwrap (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("A8F9BC1612C68B3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607")); test_specific_unwrap_fail (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("A8F9BC1612C68C3F F6E6F4FBE30E71E4 769C8B80A32CB895 8CD5D17D6B254DA1")); test_specific_wrap (&swrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607 08090A0B0C0D0E0F"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21")); test_specific_unwrap (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED326 CBC7F0E71A99F43B FB988B9B7A02DD21"), SHEX ("0011223344556677 8899AABBCCDDEEFF 0001020304050607 08090A0B0C0D0E0F")); test_specific_unwrap_fail (&sunwrap256, SHEX ("0001020304050607 08090A0B0C0D0E0F 1011121314151617 18191A1B1C1D1E1F"), SHEX ("A6A6A6A6A6A6A6A6"), SHEX ("28C9F404C4B810F4 CBCCB35CFB87F826 3F5786E2D80ED426 CBC7F0E71A99F43B FB988B9B7A02DD21")); } nettle-3.10/bignum.h0000644000175000017500000000640314633602172013415 0ustar nissenisse/* bignum.h Bignum operations that are missing from gmp. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BIGNUM_H_INCLUDED #define NETTLE_BIGNUM_H_INCLUDED #include "nettle-types.h" /* For NETTLE_USE_MINI_GMP */ #include "version.h" #if NETTLE_USE_MINI_GMP # include "mini-gmp.h" # define GMP_NUMB_MASK (~(mp_limb_t) 0) /* Side-channel silent powm not available in mini-gmp. */ # define mpz_powm_sec mpz_powm #else # include #endif #ifdef __cplusplus extern "C" { #endif /* Size needed for signed encoding, including extra sign byte if * necessary. */ size_t nettle_mpz_sizeinbase_256_s(const mpz_t x); /* Size needed for unsigned encoding */ size_t nettle_mpz_sizeinbase_256_u(const mpz_t x); /* Writes an integer as length octets, using big endian byte order, * and two's complement for negative numbers. */ void nettle_mpz_get_str_256(size_t length, uint8_t *s, const mpz_t x); /* Reads a big endian, two's complement, integer. */ void nettle_mpz_set_str_256_s(mpz_t x, size_t length, const uint8_t *s); void nettle_mpz_init_set_str_256_s(mpz_t x, size_t length, const uint8_t *s); /* Similar, but for unsigned format. These function don't interpret * the most significant bit as the sign. */ void nettle_mpz_set_str_256_u(mpz_t x, size_t length, const uint8_t *s); void nettle_mpz_init_set_str_256_u(mpz_t x, size_t length, const uint8_t *s); /* Returns a uniformly distributed random number 0 <= x < 2^n */ void nettle_mpz_random_size(mpz_t x, void *ctx, nettle_random_func *random, unsigned bits); /* Returns a number x, almost uniformly random in the range * 0 <= x < n. */ void nettle_mpz_random(mpz_t x, void *ctx, nettle_random_func *random, const mpz_t n); void nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress); /* sexp parsing */ struct sexp_iterator; /* If LIMIT is non-zero, the number must be at most LIMIT bits. * Implies sexp_iterator_next. */ int nettle_mpz_set_sexp(mpz_t x, unsigned limit, struct sexp_iterator *i); /* der parsing */ struct asn1_der_iterator; int nettle_asn1_der_get_bignum(struct asn1_der_iterator *iterator, mpz_t x, unsigned max_bits); #ifdef __cplusplus } #endif #endif /* NETTLE_BIGNUM_H_INCLUDED */ nettle-3.10/hkdf.c0000644000175000017500000000411614633602171013041 0ustar nissenisse/* hkdf.c Copyright (C) 2017 Red Hat, Inc. Author: Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Functions for the HKDF handling. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hkdf.h" /* hkdf_extract: Outputs a PRK of digest_size */ void hkdf_extract(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t secret_size, const uint8_t *secret, uint8_t *dst) { update(mac_ctx, secret_size, secret); digest(mac_ctx, digest_size, dst); } /* hkdf_expand: Outputs an arbitrary key of size specified by length */ void hkdf_expand(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst) { uint8_t i = 1; if (!length) return; for (;; dst += digest_size, length -= digest_size, i++) { update(mac_ctx, info_size, info); update(mac_ctx, 1, &i); if (length <= digest_size) break; digest(mac_ctx, digest_size, dst); update(mac_ctx, digest_size, dst); } digest(mac_ctx, length, dst); } nettle-3.10/sm3.c0000644000175000017500000002071714633602171012634 0ustar nissenisse/* sm3.c The SM3 hash function. Copyright (C) 2017 Jia Zhang Copyright (C) 2021 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sm3.h" #include "macros.h" #include "nettle-write.h" static const uint32_t K[64] = { 0x79cc4519UL, 0xf3988a32UL, 0xe7311465UL, 0xce6228cbUL, 0x9cc45197UL, 0x3988a32fUL, 0x7311465eUL, 0xe6228cbcUL, 0xcc451979UL, 0x988a32f3UL, 0x311465e7UL, 0x6228cbceUL, 0xc451979cUL, 0x88a32f39UL, 0x11465e73UL, 0x228cbce6UL, 0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL, 0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL, 0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL, 0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL, 0x7a879d8aUL, 0xf50f3b14UL, 0xea1e7629UL, 0xd43cec53UL, 0xa879d8a7UL, 0x50f3b14fUL, 0xa1e7629eUL, 0x43cec53dUL, 0x879d8a7aUL, 0x0f3b14f5UL, 0x1e7629eaUL, 0x3cec53d4UL, 0x79d8a7a8UL, 0xf3b14f50UL, 0xe7629ea1UL, 0xcec53d43UL, 0x9d8a7a87UL, 0x3b14f50fUL, 0x7629ea1eUL, 0xec53d43cUL, 0xd8a7a879UL, 0xb14f50f3UL, 0x629ea1e7UL, 0xc53d43ceUL, 0x8a7a879dUL, 0x14f50f3bUL, 0x29ea1e76UL, 0x53d43cecUL, 0xa7a879d8UL, 0x4f50f3b1UL, 0x9ea1e762UL, 0x3d43cec5UL }; /* Transform the message X which consists of 16 32-bit-words. See GM/T 004-2012 for details. */ #define R(i, a, b, c, d, e, f, g, h, t, w1, w2) \ do { \ ss1 = ROTL32(7, (ROTL32(12, (a)) + (e) + (t))); \ ss2 = ss1 ^ ROTL32(12, (a)); \ d += FF ## i(a, b, c) + ss2 + ((w1) ^ (w2)); \ h += GG ## i(e, f, g) + ss1 + (w1); \ b = ROTL32(9, (b)); \ f = ROTL32(19, (f)); \ h = P0((h)); \ } while (0) #define R1(a,b,c,d,e,f,g,h,t,w1,w2) R(1,a,b,c,d,e,f,g,h,t,w1,w2) #define R2(a,b,c,d,e,f,g,h,t,w1,w2) R(2,a,b,c,d,e,f,g,h,t,w1,w2) #define FF1(x, y, z) (x ^ y ^ z) #define FF2(x, y, z) ((x & y) | (x & z) | (y & z)) #define GG1(x, y, z) (x ^ y ^ z) #define GG2(x, y, z) ((x & y) | ( ~x & z)) /* Message expansion */ #define P0(x) ((x) ^ ROTL32(9, (x)) ^ ROTL32(17, (x))) #define P1(x) ((x) ^ ROTL32(15, (x)) ^ ROTL32(23, (x))) #define I(i) (w[i] = READ_UINT32(input + i * 4)) #define W1(i) (w[i & 0x0f]) #define W2(i) (w[i & 0x0f] = \ P1(w[i & 0x0f] ^ w[(i-9) & 0x0f] ^ ROTL32(15, w[(i-3) & 0x0f])) \ ^ ROTL32(7, w[(i-13) & 0x0f]) \ ^ w[(i-6) & 0x0f]) static void sm3_compress(uint32_t *state, const uint8_t *input) { uint32_t a, b, c, d, e, f, g, h, ss1, ss2; uint32_t w[16]; a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; f = state[5]; g = state[6]; h = state[7]; R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4)); R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5)); R1(c, d, a, b, g, h, e, f, K[2], I(2), I(6)); R1(b, c, d, a, f, g, h, e, K[3], I(3), I(7)); R1(a, b, c, d, e, f, g, h, K[4], W1(4), I(8)); R1(d, a, b, c, h, e, f, g, K[5], W1(5), I(9)); R1(c, d, a, b, g, h, e, f, K[6], W1(6), I(10)); R1(b, c, d, a, f, g, h, e, K[7], W1(7), I(11)); R1(a, b, c, d, e, f, g, h, K[8], W1(8), I(12)); R1(d, a, b, c, h, e, f, g, K[9], W1(9), I(13)); R1(c, d, a, b, g, h, e, f, K[10], W1(10), I(14)); R1(b, c, d, a, f, g, h, e, K[11], W1(11), I(15)); R1(a, b, c, d, e, f, g, h, K[12], W1(12), W2(16)); R1(d, a, b, c, h, e, f, g, K[13], W1(13), W2(17)); R1(c, d, a, b, g, h, e, f, K[14], W1(14), W2(18)); R1(b, c, d, a, f, g, h, e, K[15], W1(15), W2(19)); R2(a, b, c, d, e, f, g, h, K[16], W1(16), W2(20)); R2(d, a, b, c, h, e, f, g, K[17], W1(17), W2(21)); R2(c, d, a, b, g, h, e, f, K[18], W1(18), W2(22)); R2(b, c, d, a, f, g, h, e, K[19], W1(19), W2(23)); R2(a, b, c, d, e, f, g, h, K[20], W1(20), W2(24)); R2(d, a, b, c, h, e, f, g, K[21], W1(21), W2(25)); R2(c, d, a, b, g, h, e, f, K[22], W1(22), W2(26)); R2(b, c, d, a, f, g, h, e, K[23], W1(23), W2(27)); R2(a, b, c, d, e, f, g, h, K[24], W1(24), W2(28)); R2(d, a, b, c, h, e, f, g, K[25], W1(25), W2(29)); R2(c, d, a, b, g, h, e, f, K[26], W1(26), W2(30)); R2(b, c, d, a, f, g, h, e, K[27], W1(27), W2(31)); R2(a, b, c, d, e, f, g, h, K[28], W1(28), W2(32)); R2(d, a, b, c, h, e, f, g, K[29], W1(29), W2(33)); R2(c, d, a, b, g, h, e, f, K[30], W1(30), W2(34)); R2(b, c, d, a, f, g, h, e, K[31], W1(31), W2(35)); R2(a, b, c, d, e, f, g, h, K[32], W1(32), W2(36)); R2(d, a, b, c, h, e, f, g, K[33], W1(33), W2(37)); R2(c, d, a, b, g, h, e, f, K[34], W1(34), W2(38)); R2(b, c, d, a, f, g, h, e, K[35], W1(35), W2(39)); R2(a, b, c, d, e, f, g, h, K[36], W1(36), W2(40)); R2(d, a, b, c, h, e, f, g, K[37], W1(37), W2(41)); R2(c, d, a, b, g, h, e, f, K[38], W1(38), W2(42)); R2(b, c, d, a, f, g, h, e, K[39], W1(39), W2(43)); R2(a, b, c, d, e, f, g, h, K[40], W1(40), W2(44)); R2(d, a, b, c, h, e, f, g, K[41], W1(41), W2(45)); R2(c, d, a, b, g, h, e, f, K[42], W1(42), W2(46)); R2(b, c, d, a, f, g, h, e, K[43], W1(43), W2(47)); R2(a, b, c, d, e, f, g, h, K[44], W1(44), W2(48)); R2(d, a, b, c, h, e, f, g, K[45], W1(45), W2(49)); R2(c, d, a, b, g, h, e, f, K[46], W1(46), W2(50)); R2(b, c, d, a, f, g, h, e, K[47], W1(47), W2(51)); R2(a, b, c, d, e, f, g, h, K[48], W1(48), W2(52)); R2(d, a, b, c, h, e, f, g, K[49], W1(49), W2(53)); R2(c, d, a, b, g, h, e, f, K[50], W1(50), W2(54)); R2(b, c, d, a, f, g, h, e, K[51], W1(51), W2(55)); R2(a, b, c, d, e, f, g, h, K[52], W1(52), W2(56)); R2(d, a, b, c, h, e, f, g, K[53], W1(53), W2(57)); R2(c, d, a, b, g, h, e, f, K[54], W1(54), W2(58)); R2(b, c, d, a, f, g, h, e, K[55], W1(55), W2(59)); R2(a, b, c, d, e, f, g, h, K[56], W1(56), W2(60)); R2(d, a, b, c, h, e, f, g, K[57], W1(57), W2(61)); R2(c, d, a, b, g, h, e, f, K[58], W1(58), W2(62)); R2(b, c, d, a, f, g, h, e, K[59], W1(59), W2(63)); R2(a, b, c, d, e, f, g, h, K[60], W1(60), W2(64)); R2(d, a, b, c, h, e, f, g, K[61], W1(61), W2(65)); R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66)); R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67)); state[0] ^= a; state[1] ^= b; state[2] ^= c; state[3] ^= d; state[4] ^= e; state[5] ^= f; state[6] ^= g; state[7] ^= h; } void sm3_init(struct sm3_ctx *ctx) { static const uint32_t H0[_SM3_DIGEST_LENGTH] = { 0x7380166fUL, 0x4914b2b9UL, 0x172442d7UL, 0xda8a0600UL, 0xa96f30bcUL, 0x163138aaUL, 0xe38dee4dUL, 0xb0fb0e4eUL }; memcpy(ctx->state, H0, sizeof(H0)); /* Initialize bit count */ ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } #define COMPRESS(ctx, data) (sm3_compress((ctx)->state, (data))) void sm3_update(struct sm3_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); } static void sm3_write_digest(struct sm3_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= SM3_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); /* This is slightly inefficient, as the numbers are converted to big-endian format, and will be converted back by the compression function. It's probably not worth the effort to fix this. */ WRITE_UINT64(ctx->block + (SM3_BLOCK_SIZE - 8), bit_count); COMPRESS(ctx, ctx->block); _nettle_write_be32(length, digest, ctx->state); } void sm3_digest(struct sm3_ctx *ctx, size_t length, uint8_t *digest) { sm3_write_digest(ctx, length, digest); sm3_init(ctx); } nettle-3.10/md4-meta.c0000644000175000017500000000222214633602171013531 0ustar nissenisse/* md4-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "md4.h" const struct nettle_hash nettle_md4 = _NETTLE_HASH(md4, MD4); nettle-3.10/aes256-set-decrypt-key.c0000644000175000017500000000351514633602171016163 0ustar nissenisse/* aes256-set-decrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes256_invert_key void _nettle_aes256_invert_key_c(struct aes256_ctx *dst, const struct aes256_ctx *src); # define nettle_aes256_invert_key _nettle_aes256_invert_key_c #endif #if HAVE_NATIVE_aes256_set_decrypt_key void _nettle_aes256_set_decrypt_key_c(struct aes256_ctx *ctx, const uint8_t *key); # define nettle_aes256_set_decrypt_key _nettle_aes256_set_decrypt_key_c #endif void nettle_aes256_invert_key (struct aes256_ctx *dst, const struct aes256_ctx *src) { _nettle_aes_invert (_AES256_ROUNDS, dst->keys, src->keys); } void nettle_aes256_set_decrypt_key(struct aes256_ctx *ctx, const uint8_t *key) { aes256_set_encrypt_key (ctx, key); aes256_invert_key (ctx, ctx); } nettle-3.10/sexp2rsa.c0000644000175000017500000000542714633602171013702 0ustar nissenisse/* sexp2rsa.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "bignum.h" #include "sexp.h" #define GET(x, l, v) \ do { \ if (!nettle_mpz_set_sexp((x), (l), (v)) \ || mpz_sgn(x) <= 0) \ return 0; \ } while(0) /* Iterator should point past the algorithm tag, e.g. * * (public-key (rsa (n |xxxx|) (e |xxxx|)) * ^ here */ int rsa_keypair_from_sexp_alist(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, struct sexp_iterator *i) { static const char * const names[8] = { "n", "e", "d", "p", "q", "a", "b", "c" }; struct sexp_iterator values[8]; unsigned nvalues = priv ? 8 : 2; if (!sexp_iterator_assoc(i, nvalues, names, values)) return 0; if (priv) { GET(priv->d, limit, &values[2]); GET(priv->p, limit, &values[3]); GET(priv->q, limit, &values[4]); GET(priv->a, limit, &values[5]); GET(priv->b, limit, &values[6]); GET(priv->c, limit, &values[7]); if (!rsa_private_key_prepare(priv)) return 0; } if (pub) { GET(pub->n, limit, &values[0]); GET(pub->e, limit, &values[1]); if (!rsa_public_key_prepare(pub)) return 0; } return 1; } int rsa_keypair_from_sexp(struct rsa_public_key *pub, struct rsa_private_key *priv, unsigned limit, size_t length, const uint8_t *expr) { struct sexp_iterator i; static const char * const names[3] = { "rsa", "rsa-pkcs1", "rsa-pkcs1-sha1" }; if (!sexp_iterator_first(&i, length, expr)) return 0; if (!sexp_iterator_check_type(&i, priv ? "private-key" : "public-key")) return 0; if (!sexp_iterator_check_types(&i, 3, names)) return 0; return rsa_keypair_from_sexp_alist(pub, priv, limit, &i); } nettle-3.10/yarrow256.c0000644000175000017500000002170714633602171013712 0ustar nissenisse/* yarrow256.c The yarrow pseudo-randomness generator. Copyright (C) 2001, 2008, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "yarrow.h" #include "macros.h" #ifndef YARROW_DEBUG #define YARROW_DEBUG 0 #endif #if YARROW_DEBUG #include #endif /* Parameters */ /* An upper limit on the entropy (in bits) in one octet of sample * data. */ #define YARROW_MULTIPLIER 4 /* Entropy threshold for reseeding from the fast pool */ #define YARROW_FAST_THRESHOLD 100 /* Entropy threshold for reseeding from the fast pool */ #define YARROW_SLOW_THRESHOLD 160 /* Number of sources that must exceed the threshold for slow reseed */ #define YARROW_SLOW_K 2 /* The number of iterations when reseeding, P_t in the yarrow paper. * Should be chosen so that reseeding takes on the order of 0.1-1 * seconds. */ #define YARROW_RESEED_ITERATIONS 1500 /* Entropy estimates sticks to this value, it is treated as infinity * in calculations. It should fit comfortably in an uint32_t, to avoid * overflows. */ #define YARROW_MAX_ENTROPY 0x100000 /* Forward declarations */ static void yarrow_gate(struct yarrow256_ctx *ctx); void yarrow256_init(struct yarrow256_ctx *ctx, unsigned n, struct yarrow_source *s) { unsigned i; sha256_init(&ctx->pools[0]); sha256_init(&ctx->pools[1]); ctx->seeded = 0; /* Not strictly necessary, but it makes it easier to see if the * values are sane. */ memset(ctx->counter, 0, sizeof(ctx->counter)); ctx->nsources = n; ctx->sources = s; for (i = 0; isources[i].estimate[YARROW_FAST] = 0; ctx->sources[i].estimate[YARROW_SLOW] = 0; ctx->sources[i].next = YARROW_FAST; } } void yarrow256_seed(struct yarrow256_ctx *ctx, size_t length, const uint8_t *seed_file) { assert(length > 0); sha256_update(&ctx->pools[YARROW_FAST], length, seed_file); yarrow256_fast_reseed(ctx); } /* FIXME: Generalize so that it generates a few more blocks at a * time. */ static void yarrow_generate_block(struct yarrow256_ctx *ctx, uint8_t *block) { unsigned i; aes256_encrypt(&ctx->key, sizeof(ctx->counter), block, ctx->counter); /* Increment counter, treating it as a big-endian number. This is * machine independent, and follows appendix B of the NIST * specification of cipher modes of operation. * * We could keep a representation of the counter as 4 32-bit values, * and write entire words (in big-endian byteorder) into the counter * block, whenever they change. */ for (i = sizeof(ctx->counter); i--; ) { if (++ctx->counter[i]) break; } } static void yarrow_iterate(uint8_t *digest) { uint8_t v0[SHA256_DIGEST_SIZE]; unsigned i; memcpy(v0, digest, SHA256_DIGEST_SIZE); /* When hashed inside the loop, i should run from 1 to * YARROW_RESEED_ITERATIONS */ for (i = 0; ++i < YARROW_RESEED_ITERATIONS; ) { uint8_t count[4]; struct sha256_ctx hash; sha256_init(&hash); /* Hash v_i | v_0 | i */ WRITE_UINT32(count, i); sha256_update(&hash, SHA256_DIGEST_SIZE, digest); sha256_update(&hash, sizeof(v0), v0); sha256_update(&hash, sizeof(count), count); sha256_digest(&hash, SHA256_DIGEST_SIZE, digest); } } /* NOTE: The SHA-256 digest size equals the AES key size, so we need * no "size adaptor". */ void yarrow256_fast_reseed(struct yarrow256_ctx *ctx) { uint8_t digest[SHA256_DIGEST_SIZE]; unsigned i; #if YARROW_DEBUG fprintf(stderr, "yarrow256_fast_reseed\n"); #endif /* We feed two block of output using the current key into the pool * before emptying it. */ if (ctx->seeded) { uint8_t blocks[AES_BLOCK_SIZE * 2]; yarrow_generate_block(ctx, blocks); yarrow_generate_block(ctx, blocks + AES_BLOCK_SIZE); sha256_update(&ctx->pools[YARROW_FAST], sizeof(blocks), blocks); } sha256_digest(&ctx->pools[YARROW_FAST], sizeof(digest), digest); /* Iterate */ yarrow_iterate(digest); aes256_set_encrypt_key(&ctx->key, digest); ctx->seeded = 1; /* Derive new counter value */ memset(ctx->counter, 0, sizeof(ctx->counter)); aes256_encrypt(&ctx->key, sizeof(ctx->counter), ctx->counter, ctx->counter); /* Reset estimates. */ for (i = 0; insources; i++) ctx->sources[i].estimate[YARROW_FAST] = 0; } void yarrow256_slow_reseed(struct yarrow256_ctx *ctx) { uint8_t digest[SHA256_DIGEST_SIZE]; unsigned i; #if YARROW_DEBUG fprintf(stderr, "yarrow256_slow_reseed\n"); #endif /* Get digest of the slow pool*/ sha256_digest(&ctx->pools[YARROW_SLOW], sizeof(digest), digest); /* Feed it into the fast pool */ sha256_update(&ctx->pools[YARROW_FAST], sizeof(digest), digest); yarrow256_fast_reseed(ctx); /* Reset estimates. */ for (i = 0; insources; i++) ctx->sources[i].estimate[YARROW_SLOW] = 0; } int yarrow256_update(struct yarrow256_ctx *ctx, unsigned source_index, unsigned entropy, size_t length, const uint8_t *data) { enum yarrow_pool_id current; struct yarrow_source *source; assert(source_index < ctx->nsources); if (!length) /* Nothing happens */ return 0; source = &ctx->sources[source_index]; if (!ctx->seeded) /* While seeding, use the slow pool */ current = YARROW_SLOW; else { current = source->next; source->next = !source->next; } sha256_update(&ctx->pools[current], length, data); /* NOTE: We should be careful to avoid overflows in the estimates. */ if (source->estimate[current] < YARROW_MAX_ENTROPY) { if (entropy > YARROW_MAX_ENTROPY) entropy = YARROW_MAX_ENTROPY; if ( (length < (YARROW_MAX_ENTROPY / YARROW_MULTIPLIER)) && (entropy > YARROW_MULTIPLIER * length) ) entropy = YARROW_MULTIPLIER * length; entropy += source->estimate[current]; if (entropy > YARROW_MAX_ENTROPY) entropy = YARROW_MAX_ENTROPY; source->estimate[current] = entropy; } /* Check for seed/reseed */ switch(current) { case YARROW_FAST: #if YARROW_DEBUG fprintf(stderr, "yarrow256_update: source_index = %d,\n" " fast pool estimate = %d\n", source_index, source->estimate[YARROW_FAST]); #endif if (source->estimate[YARROW_FAST] >= YARROW_FAST_THRESHOLD) { yarrow256_fast_reseed(ctx); return 1; } else return 0; case YARROW_SLOW: { if (!yarrow256_needed_sources(ctx)) { yarrow256_slow_reseed(ctx); return 1; } else return 0; } default: abort(); } } static void yarrow_gate(struct yarrow256_ctx *ctx) { uint8_t key[AES256_KEY_SIZE]; unsigned i; for (i = 0; i < sizeof(key); i+= AES_BLOCK_SIZE) yarrow_generate_block(ctx, key + i); aes256_set_encrypt_key(&ctx->key, key); } void yarrow256_random(struct yarrow256_ctx *ctx, size_t length, uint8_t *dst) { assert(ctx->seeded); while (length >= AES_BLOCK_SIZE) { yarrow_generate_block(ctx, dst); dst += AES_BLOCK_SIZE; length -= AES_BLOCK_SIZE; } if (length) { uint8_t buffer[AES_BLOCK_SIZE]; assert(length < AES_BLOCK_SIZE); yarrow_generate_block(ctx, buffer); memcpy(dst, buffer, length); } yarrow_gate(ctx); } int yarrow256_is_seeded(struct yarrow256_ctx *ctx) { return ctx->seeded; } unsigned yarrow256_needed_sources(struct yarrow256_ctx *ctx) { /* FIXME: This is somewhat inefficient. It would be better to * either maintain the count, or do this loop only if the * current source just crossed the threshold. */ unsigned k, i; for (i = k = 0; i < ctx->nsources; i++) if (ctx->sources[i].estimate[YARROW_SLOW] >= YARROW_SLOW_THRESHOLD) k++; #if YARROW_DEBUG fprintf(stderr, "yarrow256_needed_sources: source_index = %d,\n" " slow pool estimate = %d,\n" " number of sources above threshold = %d\n", source_index, source->estimate[YARROW_SLOW], k); #endif return (k < YARROW_SLOW_K) ? (YARROW_SLOW_K - k) : 0; } nettle-3.10/desdata.stamp0000644000175000017500000000000614633602172014427 0ustar nissenissestamp nettle-3.10/aesdata.c0000644000175000017500000001434614633602172013536 0ustar nissenisse#include #include #include #include #if 1 # define BYTE_FORMAT "0x%02x" # define BYTE_COLUMNS 8 #else # define BYTE_FORMAT "%3d" # define BYTE_COLUMNS 0x10 #endif #define WORD_FORMAT "0x%08lx" #define WORD_COLUMNS 4 unsigned char sbox[0x100]; unsigned char isbox[0x100]; unsigned char gf2_log[0x100]; unsigned char gf2_exp[0x100]; unsigned long dtable[4][0x100]; unsigned long itable[4][0x100]; unsigned long mtable[4][0x100]; static unsigned xtime(unsigned x) { assert (x < 0x100); x <<= 1; if (x & 0x100) x ^= 0x11b; assert (x < 0x100); return x; } /* Computes the exponentiatiom and logarithm tables for GF_2, to the * base x+1 (0x03). The unit element is 1 (0x01).*/ static void compute_log(void) { unsigned i = 0; unsigned x = 1; memset(gf2_log, 0, 0x100); for (i = 0; i < 0x100; i++, x = x ^ xtime(x)) { gf2_exp[i] = x; gf2_log[x] = i; } /* Invalid. */ gf2_log[0] = 0; /* The loop above sets gf2_log[1] = 0xff, which is correct, * but gf2_log[1] = 0 is nicer. */ gf2_log[1] = 0; } static unsigned mult(unsigned a, unsigned b) { return (a && b) ? gf2_exp[ (gf2_log[a] + gf2_log[b]) % 255] : 0; } static unsigned invert(unsigned x) { return x ? gf2_exp[0xff - gf2_log[x]] : 0; } static unsigned affine(unsigned x) { return 0xff & (0x63^x^(x>>4)^(x<<4)^(x>>5)^(x<<3)^(x>>6)^(x<<2)^(x>>7)^(x<<1)); } static void compute_sbox(void) { unsigned i; for (i = 0; i<0x100; i++) { sbox[i] = affine(invert(i)); isbox[sbox[i]] = i; } } /* Generate little endian tables, i.e. the first row of the AES state * arrays occupies the least significant byte of the words. * * The sbox values are multiplied with the column of GF2 coefficients * of the polynomial 03 x^3 + x^2 + x + 02. */ static void compute_dtable(void) { unsigned i; for (i = 0; i<0x100; i++) { unsigned s = sbox[i]; unsigned j; unsigned long t =( ( (s ^ xtime(s)) << 24) | (s << 16) | (s << 8) | xtime(s) ); for (j = 0; j<4; j++, t = (t << 8) | (t >> 24)) dtable[j][i] = t; } } /* The inverse sbox values are multiplied with the column of GF2 coefficients * of the polynomial inverse 0b x^3 + 0d x^2 + 09 x + 0e. */ static void compute_itable(void) { unsigned i; for (i = 0; i<0x100; i++) { unsigned s = isbox[i]; unsigned j; unsigned long t = ( (mult(s, 0xb) << 24) | (mult(s, 0xd) << 16) | (mult(s, 0x9) << 8) | (mult(s, 0xe) )); for (j = 0; j<4; j++, t = (t << 8) | (t >> 24)) itable[j][i] = t; } } /* Used for key inversion, inverse mix column. No sbox. */ static void compute_mtable(void) { unsigned i; for (i = 0; i<0x100; i++) { unsigned j; unsigned long t = ( (mult(i, 0xb) << 24) | (mult(i, 0xd) << 16) | (mult(i, 0x9) << 8) | (mult(i, 0xe) )); for (j = 0; j<4; j++, t = (t << 8) | (t >> 24)) mtable[j][i] = t; } } static void display_byte_table(const char *name, unsigned char *table) { unsigned i, j; printf("uint8_t %s[0x100] =\n{", name); for (i = 0; i<0x100; i+= BYTE_COLUMNS) { printf("\n "); for (j = 0; j #include #include #include #include "nettle-types.h" #include "aes-internal.h" #include "ghash-internal.h" #include "memxor.h" #include "fat-setup.h" void _nettle_cpuid (uint32_t input, uint32_t regs[4]); struct x86_features { enum x86_vendor { X86_OTHER, X86_INTEL, X86_AMD } vendor; int have_aesni; int have_sha_ni; int have_pclmul; }; #define SKIP(s, slen, literal, llen) \ (((slen) >= (llen) && memcmp ((s), (literal), llen) == 0) \ ? ((slen) -= (llen), (s) += (llen), 1) : 0) #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_x86_features (struct x86_features *features) { const char *s; features->vendor = X86_OTHER; features->have_aesni = 0; features->have_sha_ni = 0; features->have_pclmul = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (SKIP (s, length, "vendor:", 7)) { if (MATCH(s, length, "intel", 5)) features->vendor = X86_INTEL; else if (MATCH(s, length, "amd", 3)) features->vendor = X86_AMD; } else if (MATCH (s, length, "aesni", 5)) features->have_aesni = 1; else if (MATCH (s, length, "sha_ni", 6)) features->have_sha_ni = 1; else if (MATCH (s, length, "pclmul", 6)) features->have_pclmul = 1; if (!sep) break; s = sep + 1; } else { uint32_t cpuid_data[4]; _nettle_cpuid (0, cpuid_data); if (memcmp (cpuid_data + 1, "Genu" "ntel" "ineI", 12) == 0) features->vendor = X86_INTEL; else if (memcmp (cpuid_data + 1, "Auth" "cAMD" "enti", 12) == 0) features->vendor = X86_AMD; _nettle_cpuid (1, cpuid_data); if (cpuid_data[2] & 0x2) features->have_pclmul = 1; if (cpuid_data[2] & 0x02000000) features->have_aesni = 1; _nettle_cpuid (7, cpuid_data); if (cpuid_data[1] & 0x20000000) features->have_sha_ni = 1; } } DECLARE_FAT_FUNC(nettle_aes128_encrypt, aes128_crypt_func) DECLARE_FAT_FUNC(nettle_aes128_decrypt, aes128_crypt_func) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_encrypt, aes128_crypt_func, aesni) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes128_decrypt, aes128_crypt_func, aesni) DECLARE_FAT_FUNC(nettle_aes192_encrypt, aes192_crypt_func) DECLARE_FAT_FUNC(nettle_aes192_decrypt, aes192_crypt_func) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_encrypt, aes192_crypt_func, aesni) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes192_decrypt, aes192_crypt_func, aesni) DECLARE_FAT_FUNC(nettle_aes256_encrypt, aes256_crypt_func) DECLARE_FAT_FUNC(nettle_aes256_decrypt, aes256_crypt_func) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_encrypt, aes256_crypt_func, aesni) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, c) DECLARE_FAT_FUNC_VAR(aes256_decrypt, aes256_crypt_func, aesni) DECLARE_FAT_FUNC(nettle_cbc_aes128_encrypt, cbc_aes128_encrypt_func); DECLARE_FAT_FUNC_VAR(cbc_aes128_encrypt, cbc_aes128_encrypt_func, c); DECLARE_FAT_FUNC_VAR(cbc_aes128_encrypt, cbc_aes128_encrypt_func, aesni); DECLARE_FAT_FUNC(nettle_cbc_aes192_encrypt, cbc_aes192_encrypt_func); DECLARE_FAT_FUNC_VAR(cbc_aes192_encrypt, cbc_aes192_encrypt_func, c); DECLARE_FAT_FUNC_VAR(cbc_aes192_encrypt, cbc_aes192_encrypt_func, aesni); DECLARE_FAT_FUNC(nettle_cbc_aes256_encrypt, cbc_aes256_encrypt_func); DECLARE_FAT_FUNC_VAR(cbc_aes256_encrypt, cbc_aes256_encrypt_func, c); DECLARE_FAT_FUNC_VAR(cbc_aes256_encrypt, cbc_aes256_encrypt_func, aesni); DECLARE_FAT_FUNC(nettle_memxor, memxor_func) DECLARE_FAT_FUNC_VAR(memxor, memxor_func, x86_64) DECLARE_FAT_FUNC_VAR(memxor, memxor_func, sse2) DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, x86_64) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, sha_ni) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, x86_64) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, sha_ni) DECLARE_FAT_FUNC(_nettle_ghash_set_key, ghash_set_key_func) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, c) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, pclmul) DECLARE_FAT_FUNC(_nettle_ghash_update, ghash_update_func) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, table) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, pclmul) /* This function should usually be called only once, at startup. But it is idempotent, and on x86, pointer updates are atomic, so there's no danger if it is called simultaneously from multiple threads. */ static void CONSTRUCTOR fat_init (void) { struct x86_features features; int verbose; /* FIXME: Replace all getenv calls by getenv_secure? */ verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: fat library initialization.\n"); get_x86_features (&features); if (verbose) { const char * const vendor_names[3] = { "other", "intel", "amd" }; fprintf (stderr, "libnettle: cpu features: vendor:%s%s%s%s\n", vendor_names[features.vendor], features.have_aesni ? ",aesni" : "", features.have_sha_ni ? ",sha_ni" : "", features.have_pclmul ? ",pclmul" : ""); } if (features.have_aesni) { if (verbose) fprintf (stderr, "libnettle: using aes instructions.\n"); nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_aesni; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_aesni; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_aesni; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_aesni; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_aesni; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_aesni; nettle_cbc_aes128_encrypt_vec = _nettle_cbc_aes128_encrypt_aesni; nettle_cbc_aes192_encrypt_vec = _nettle_cbc_aes192_encrypt_aesni; nettle_cbc_aes256_encrypt_vec = _nettle_cbc_aes256_encrypt_aesni; } else { if (verbose) fprintf (stderr, "libnettle: not using aes instructions.\n"); nettle_aes128_encrypt_vec = _nettle_aes128_encrypt_c; nettle_aes128_decrypt_vec = _nettle_aes128_decrypt_c; nettle_aes192_encrypt_vec = _nettle_aes192_encrypt_c; nettle_aes192_decrypt_vec = _nettle_aes192_decrypt_c; nettle_aes256_encrypt_vec = _nettle_aes256_encrypt_c; nettle_aes256_decrypt_vec = _nettle_aes256_decrypt_c; nettle_cbc_aes128_encrypt_vec = _nettle_cbc_aes128_encrypt_c; nettle_cbc_aes192_encrypt_vec = _nettle_cbc_aes192_encrypt_c; nettle_cbc_aes256_encrypt_vec = _nettle_cbc_aes256_encrypt_c; } if (features.have_sha_ni) { if (verbose) fprintf (stderr, "libnettle: using sha_ni instructions.\n"); nettle_sha1_compress_vec = _nettle_sha1_compress_sha_ni; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_sha_ni; } else { if (verbose) fprintf (stderr, "libnettle: not using sha_ni instructions.\n"); nettle_sha1_compress_vec = _nettle_sha1_compress_x86_64; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_x86_64; } if (features.have_pclmul) { if (verbose) fprintf (stderr, "libnettle: using pclmulqdq instructions.\n"); _nettle_ghash_set_key_vec = _nettle_ghash_set_key_pclmul; _nettle_ghash_update_vec = _nettle_ghash_update_pclmul; } else { if (verbose) fprintf (stderr, "libnettle: not using pclmulqdq instructions.\n"); _nettle_ghash_set_key_vec = _nettle_ghash_set_key_c; _nettle_ghash_update_vec = _nettle_ghash_update_table; } if (features.vendor == X86_INTEL) { if (verbose) fprintf (stderr, "libnettle: intel SSE2 will be used for memxor.\n"); nettle_memxor_vec = _nettle_memxor_sse2; } else { if (verbose) fprintf (stderr, "libnettle: intel SSE2 will not be used for memxor.\n"); nettle_memxor_vec = _nettle_memxor_x86_64; } } DEFINE_FAT_FUNC(nettle_aes128_encrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes128_decrypt, void, (const struct aes128_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_encrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes192_decrypt, void, (const struct aes192_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_encrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_aes256_decrypt, void, (const struct aes256_ctx *ctx, size_t length, uint8_t *dst,const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_cbc_aes128_encrypt, void, (const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src), (ctx, iv, length, dst, src)) DEFINE_FAT_FUNC(nettle_cbc_aes192_encrypt, void, (const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src), (ctx, iv, length, dst, src)) DEFINE_FAT_FUNC(nettle_cbc_aes256_encrypt, void, (const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src), (ctx, iv, length, dst, src)) DEFINE_FAT_FUNC(nettle_memxor, void *, (void *dst, const void *src, size_t n), (dst, src, n)) DEFINE_FAT_FUNC(nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) DEFINE_FAT_FUNC(_nettle_ghash_set_key, void, (struct gcm_key *ctx, const union nettle_block16 *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_ghash_update, const uint8_t *, (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data), (ctx, state, blocks, data)) nettle-3.10/sha3.c0000644000175000017500000000510414633602171012761 0ustar nissenisse/* sha3.c The sha3 hash function. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "sha3-internal.h" #include "macros.h" #include "md-internal.h" #include "memxor.h" #if WORDS_BIGENDIAN static void sha3_xor_block (struct sha3_state *state, unsigned length, const uint8_t *data) { assert ( (length & 7) == 0); { uint64_t *p; for (p = state->a; length > 0; p++, length -= 8, data += 8) *p ^= LE_READ_UINT64 (data); } } #else /* !WORDS_BIGENDIAN */ #define sha3_xor_block(state, length, data) memxor (state->a, data, length) #endif static void sha3_absorb (struct sha3_state *state, unsigned length, const uint8_t *data) { sha3_xor_block (state, length, data); sha3_permute (state); } unsigned _nettle_sha3_update (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos, size_t length, const uint8_t *data) { assert (pos < block_size); if (!length) return pos; if (pos > 0) { MD_FILL_OR_RETURN_INDEX (block_size, block, pos, length, data); sha3_absorb (state, block_size, block); } for (; length >= block_size; length -= block_size, data += block_size) sha3_absorb (state, block_size, data); memcpy (block, data, length); return length; } void _nettle_sha3_pad (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos, uint8_t magic) { assert (pos < block_size); block[pos++] = magic; memset (block + pos, 0, block_size - pos); block[block_size - 1] |= 0x80; sha3_xor_block (state, block_size, block); } nettle-3.10/curve448-eh-to-x.c0000644000175000017500000000360614633602172014774 0ustar nissenisse/* curve448-eh-to-x.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve448.h" #include "ecc.h" #include "ecc-internal.h" /* Transform a point on the edwards448 Edwards curve to the curve448 Montgomery curve, and return the x coordinate. */ void curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) { #define up p #define vp (p + ecc->p.size) #define t0 scratch #define tp (scratch + ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve448; /* If u = U/W and v = V/W are the coordinates of the point on edwards448 we get the curve448 x coordinate as x = v^2 / u^2 = (V/W)^2 / (U/W)^2 = (V/U)^2 */ /* Needs a total of 5*size storage. */ ecc->p.invert (&ecc->p, t0, up, tp); ecc_mod_mul (&ecc->p, t0, t0, vp, tp); ecc_mod_sqr_canonical (&ecc->p, xp, t0, tp); #undef up #undef vp #undef t0 #undef tp } nettle-3.10/blowfish-internal.h0000644000175000017500000000302714633602172015562 0ustar nissenisse/* blowfish-internal.h Blowfish block cipher. Copyright (C) 2014 Niels Möller Copyright (C) 1998, 2001 FSF, Ray Dassen, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BLOWFISH_INTERNAL_H_INCLUDED #define NETTLE_BLOWFISH_INTERNAL_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif extern const struct blowfish_ctx _nettle_blowfish_initial_ctx; extern void _nettle_blowfish_encround (const struct blowfish_ctx *ctx, uint32_t * ret_xl, uint32_t * ret_xr); #ifdef __cplusplus } #endif #endif /* NETTLE_BLOWFISH_INTERNAL_H_INCLUDED */ nettle-3.10/bignum-random.c0000644000175000017500000000537714633602171014676 0ustar nissenisse/* bignum-random.c Generating big random numbers Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "bignum.h" #include "gmp-glue.h" void nettle_mpz_random_size(mpz_t x, void *ctx, nettle_random_func *random, unsigned bits) { unsigned length = (bits + 7) / 8; TMP_GMP_DECL(data, uint8_t); TMP_GMP_ALLOC(data, length); random(ctx, length, data); nettle_mpz_set_str_256_u(x, length, data); if (bits % 8) mpz_fdiv_r_2exp(x, x, bits); TMP_GMP_FREE(data); } /* Returns a random number x, 0 <= x < n */ void nettle_mpz_random(mpz_t x, void *ctx, nettle_random_func *random, const mpz_t n) { /* NOTE: This leaves some bias, which may be bad for DSA. A better * way might be to generate a random number of mpz_sizeinbase(n, 2) * bits, and loop until one smaller than n is found. */ /* From Daniel Bleichenbacher (via coderpunks): * * There is still a theoretical attack possible with 8 extra bits. * But, the attack would need about 2^66 signatures 2^66 memory and * 2^66 time (if I remember that correctly). Compare that to DSA, * where the attack requires 2^22 signatures 2^40 memory and 2^64 * time. And of course, the numbers above are not a real threat for * PGP. Using 16 extra bits (i.e. generating a 176 bit random number * and reducing it modulo q) will defeat even this theoretical * attack. * * More generally log_2(q)/8 extra bits are enough to defeat my * attack. NIST also plans to update the standard. */ /* Add a few bits extra, to decrease the bias from the final modulo * operation. NIST FIPS 186-3 specifies 64 extra bits, for use with * DSA. */ nettle_mpz_random_size(x, ctx, random, mpz_sizeinbase(n, 2) + 64); mpz_fdiv_r(x, x, n); } nettle-3.10/rsa-pkcs1-sign.c0000644000175000017500000000272214633602171014670 0ustar nissenisse/* rsa-pkcs1-sign.c PKCS#1 version 1.5 signatures. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "pkcs1.h" int rsa_pkcs1_sign(const struct rsa_private_key *key, size_t length, const uint8_t *digest_info, mpz_t s) { if (pkcs1_rsa_digest_encode (s, key->size, length, digest_info)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.10/aes192-meta.c0000644000175000017500000000265514633602171014063 0ustar nissenisse/* aes192-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "aes.h" const struct nettle_cipher nettle_aes192 = { "aes192", sizeof(struct aes192_ctx), AES_BLOCK_SIZE, AES192_KEY_SIZE, (nettle_set_key_func *) aes192_set_encrypt_key, (nettle_set_key_func *) aes192_set_decrypt_key, (nettle_cipher_func *) aes192_encrypt, (nettle_cipher_func *) aes192_decrypt }; nettle-3.10/eddsa-expand.c0000644000175000017500000000374614633602172014473 0ustar nissenisse/* eddsa-expand.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" /* Expands a private key, generating the secret scalar K2 and leaving the key K1 for nonce generation, at the end of the digest. */ void _eddsa_expand_key (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *key, uint8_t *digest, mp_limb_t *k2) { size_t nbytes = 1 + ecc->p.bit_size / 8; eddsa->update (ctx, nbytes, key); eddsa->digest (ctx, 2*nbytes, digest); /* For ed448, ignores the most significant byte. */ mpn_set_base256_le (k2, ecc->p.size, digest, (ecc->p.bit_size + 7) / 8); /* Clear low c bits */ k2[0] &= eddsa->low_mask; /* Clear higher bits. */ k2[ecc->p.size - 1] &= eddsa->high_bit - 1; /* Set bit number bit_size - 1 (bit 254 for curve25519, bit 447 for curve448) */ k2[ecc->p.size - 1] |= eddsa->high_bit; } nettle-3.10/chacha-core-internal.c0000644000175000017500000000604414633602171016076 0ustar nissenisse/* chacha-core-internal.c Core functionality of the ChaCha stream cipher. Heavily based on the Salsa20 implementation in Nettle. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: chacha-ref.c version 2008.01.20. D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "chacha.h" #include "chacha-internal.h" #include "bswap-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_chacha_core void _nettle_chacha_core_c(uint32_t *dst, const uint32_t *src, unsigned rounds); #define _nettle_chacha_core _nettle_chacha_core_c #endif #ifndef CHACHA_DEBUG # define CHACHA_DEBUG 0 #endif #if CHACHA_DEBUG # include # define DEBUG(i) do { \ unsigned debug_j; \ for (debug_j = 0; debug_j < 16; debug_j++) \ { \ if (debug_j == 0) \ fprintf(stderr, "%2d:", (i)); \ else if (debug_j % 4 == 0) \ fprintf(stderr, "\n "); \ fprintf(stderr, " %8x", x[debug_j]); \ } \ fprintf(stderr, "\n"); \ } while (0) #else # define DEBUG(i) #endif #define QROUND(x0, x1, x2, x3) do { \ x0 = x0 + x1; x3 = ROTL32(16, (x0 ^ x3)); \ x2 = x2 + x3; x1 = ROTL32(12, (x1 ^ x2)); \ x0 = x0 + x1; x3 = ROTL32(8, (x0 ^ x3)); \ x2 = x2 + x3; x1 = ROTL32(7, (x1 ^ x2)); \ } while(0) void _nettle_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds) { uint32_t x[_CHACHA_STATE_LENGTH]; unsigned i; assert ( (rounds & 1) == 0); memcpy (x, src, sizeof(x)); for (i = 0; i < rounds;i += 2) { DEBUG (i); QROUND(x[0], x[4], x[8], x[12]); QROUND(x[1], x[5], x[9], x[13]); QROUND(x[2], x[6], x[10], x[14]); QROUND(x[3], x[7], x[11], x[15]); DEBUG (i+1); QROUND(x[0], x[5], x[10], x[15]); QROUND(x[1], x[6], x[11], x[12]); QROUND(x[2], x[7], x[8], x[13]); QROUND(x[3], x[4], x[9], x[14]); } DEBUG (i); for (i = 0; i < _CHACHA_STATE_LENGTH; i++) { uint32_t t = x[i] + src[i]; dst[i] = bswap32_if_be (t); } } nettle-3.10/salsa20-128-set-key.c0000644000175000017500000000335714633602171015267 0ustar nissenisse/* salsa20-128-set-key.c The Salsa20 stream cipher. Key setup for 256-bit keys. Copyright (C) 2012 Simon Josefsson Copyright (C) 2012-2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "salsa20.h" #include "macros.h" void salsa20_128_set_key(struct salsa20_ctx *ctx, const uint8_t *key) { ctx->input[11] = ctx->input[1] = LE_READ_UINT32(key + 0); ctx->input[12] = ctx->input[2] = LE_READ_UINT32(key + 4); ctx->input[13] = ctx->input[3] = LE_READ_UINT32(key + 8); ctx->input[14] = ctx->input[4] = LE_READ_UINT32(key + 12); /* "expand 16-byte k" */ ctx->input[0] = 0x61707865; ctx->input[5] = 0x3120646e; ctx->input[10] = 0x79622d36; ctx->input[15] = 0x6b206574; } nettle-3.10/base16-meta.c0000644000175000017500000000417714633602171014141 0ustar nissenisse/* base16-meta.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "base16.h" /* Same as the macros with the same name */ static nettle_armor_length_func base16_encode_length; static size_t base16_encode_length(size_t length) { return BASE16_ENCODE_LENGTH(length); } static nettle_armor_length_func base16_decode_length; static size_t base16_decode_length(size_t length) { return BASE16_DECODE_LENGTH(length); } static nettle_armor_init_func base16_encode_init; static void base16_encode_init(void *ctx UNUSED) { } static nettle_armor_encode_update_func base16_encode_update_wrapper; static size_t base16_encode_update_wrapper(void *ctx UNUSED, char *dst, size_t length, const uint8_t *src) { base16_encode_update(dst, length, src); return BASE16_ENCODE_LENGTH(length); } #undef base16_encode_update #define base16_encode_update base16_encode_update_wrapper static nettle_armor_encode_final_func base16_encode_final; static size_t base16_encode_final(void *ctx UNUSED, char *dst UNUSED) { return 0; } #define BASE16_ENCODE_FINAL_LENGTH 0 const struct nettle_armor nettle_base16 = _NETTLE_ARMOR_0(base16, BASE16); nettle-3.10/gosthash94.h0000644000175000017500000000747114633602172014137 0ustar nissenisse/* gosthash94.h The GOST R 34.11-94 hash function, described in RFC 5831. Copyright (C) 2012 Nikos Mavrogiannopoulos, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on rhash gost.h. */ /* Copyright: 2009-2012 Aleksey Kravchenko * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ /* * Ported to nettle by Nikos Mavrogiannopoulos. */ #ifndef NETTLE_GOSTHASH94_H_INCLUDED #define NETTLE_GOSTHASH94_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif #define gosthash94_init nettle_gosthash94_init #define gosthash94_update nettle_gosthash94_update #define gosthash94_digest nettle_gosthash94_digest #define gosthash94cp_update nettle_gosthash94cp_update #define gosthash94cp_digest nettle_gosthash94cp_digest #define GOSTHASH94_BLOCK_SIZE 32 #define GOSTHASH94_DIGEST_SIZE 32 /* For backwards compatibility */ #define GOSTHASH94_DATA_SIZE GOSTHASH94_BLOCK_SIZE #define GOSTHASH94CP_BLOCK_SIZE GOSTHASH94_BLOCK_SIZE #define GOSTHASH94CP_DIGEST_SIZE GOSTHASH94_DIGEST_SIZE struct gosthash94_ctx { uint32_t hash[8]; /* algorithm 256-bit state */ uint32_t sum[8]; /* sum of processed message blocks */ uint64_t count; /* Block count */ unsigned index; /* Into buffer */ uint8_t block[GOSTHASH94_BLOCK_SIZE]; /* 256-bit buffer for leftovers */ }; #define gosthash94cp_ctx gosthash94_ctx void gosthash94_init(struct gosthash94_ctx *ctx); void gosthash94_update(struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg); void gosthash94_digest(struct gosthash94_ctx *ctx, size_t length, uint8_t *result); #define gosthash94cp_init gosthash94_init void gosthash94cp_update(struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg); void gosthash94cp_digest(struct gosthash94_ctx *ctx, size_t length, uint8_t *result); #ifdef __cplusplus } #endif #endif /* NETTLE_GOSTHASH94_H_INCLUDED */ nettle-3.10/camellia-internal.h0000644000175000017500000000765614633602172015530 0ustar nissenisse/* camellia-internal.h The camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #ifndef NETTLE_CAMELLIA_INTERNAL_H_INCLUDED #define NETTLE_CAMELLIA_INTERNAL_H_INCLUDED #include "camellia.h" /* * macros */ /* Destructive rotation of 128 bit values. */ #define ROTL128(bits, xl, xr) do { \ uint64_t __rol128_t = (xl); \ (xl) = ((xl) << (bits)) | ((xr) >> (64 - (bits))); \ (xr) = ((xr) << (bits)) | (__rol128_t >> (64 - (bits))); \ } while (0) struct camellia_table { uint32_t sp1110[256]; uint32_t sp0222[256]; uint32_t sp3033[256]; uint32_t sp4404[256]; }; /* key constants */ #define SIGMA1 0xA09E667F3BCC908BULL #define SIGMA2 0xB67AE8584CAA73B2ULL #define SIGMA3 0xC6EF372FE94F82BEULL #define SIGMA4 0x54FF53A5F1D36F1CULL #define SIGMA5 0x10E527FADE682D1DULL #define SIGMA6 0xB05688C2B3E6C1FDULL #define CAMELLIA_SP1110(INDEX) (_nettle_camellia_table.sp1110[(int)(INDEX)]) #define CAMELLIA_SP0222(INDEX) (_nettle_camellia_table.sp0222[(int)(INDEX)]) #define CAMELLIA_SP3033(INDEX) (_nettle_camellia_table.sp3033[(int)(INDEX)]) #define CAMELLIA_SP4404(INDEX) (_nettle_camellia_table.sp4404[(int)(INDEX)]) #define CAMELLIA_F(x, k, y) do { \ uint32_t __yl, __yr; \ uint64_t __i = (x) ^ (k); \ __yl \ = CAMELLIA_SP1110( __i & 0xff) \ ^ CAMELLIA_SP0222((__i >> 24) & 0xff) \ ^ CAMELLIA_SP3033((__i >> 16) & 0xff) \ ^ CAMELLIA_SP4404((__i >> 8) & 0xff); \ __yr \ = CAMELLIA_SP1110( __i >> 56) \ ^ CAMELLIA_SP0222((__i >> 48) & 0xff) \ ^ CAMELLIA_SP3033((__i >> 40) & 0xff) \ ^ CAMELLIA_SP4404((__i >> 32) & 0xff); \ __yl ^= __yr; \ __yr = ROTL32(24, __yr); \ __yr ^= __yl; \ (y) = ((uint64_t) __yl << 32) | __yr; \ } while (0) #if ! HAVE_NATIVE_64_BIT #define CAMELLIA_F_HALF_INV(x) do { \ uint32_t __t, __w; \ __t = (x) >> 32; \ __w = __t ^(x); \ __w = ROTL32(8, __w); \ (x) = ((uint64_t) __w << 32) | (__t ^ __w); \ } while (0) #endif void _nettle_camellia_crypt(unsigned nkeys, const uint64_t *keys, const struct camellia_table *T, size_t length, uint8_t *dst, const uint8_t *src); /* The initial NKEYS + 2 subkeys in SUBKEY are reduced to the final NKEYS subkeys stored in DST. SUBKEY data is modified in the process. */ void _nettle_camellia_absorb(unsigned nkeys, uint64_t *dst, uint64_t *subkey); void _nettle_camellia_invert_key(unsigned nkeys, uint64_t *dst, const uint64_t *src); extern const struct camellia_table _nettle_camellia_table; #endif /* NETTLE_CAMELLIA_INTERNAL_H_INCLUDED */ nettle-3.10/cmac64.c0000644000175000017500000000705514633602171013207 0ustar nissenisse/* CMAC-64, NIST SP 800-38B Copyright (C) Stefan Metzmacher 2012 Copyright (C) Jeremy Allison 2012 Copyright (C) Michael Adam 2012 Copyright (C) 2017, Red Hat Inc. Copyright (C) 2019, Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cmac.h" #include "nettle-internal.h" #include "block-internal.h" #include "macros.h" void cmac64_set_key(struct cmac64_key *key, const void *cipher, nettle_cipher_func *encrypt) { static const union nettle_block8 zero_block; union nettle_block8 L; /* step 1 - generate subkeys k1 and k2 */ encrypt(cipher, 8, L.b, zero_block.b); block8_mulx_be(&key->K1, &L); block8_mulx_be(&key->K2, &key->K1); } void cmac64_init(struct cmac64_ctx *ctx) { memset(&ctx->X, 0, sizeof(ctx->X)); ctx->index = 0; } #define MIN(x,y) ((x)<(y)?(x):(y)) void cmac64_update(struct cmac64_ctx *ctx, const void *cipher, nettle_cipher_func *encrypt, size_t msg_len, const uint8_t *msg) { union nettle_block8 Y; /* * check if we expand the block */ if (ctx->index < 8) { size_t len = MIN(8 - ctx->index, msg_len); memcpy(&ctx->block.b[ctx->index], msg, len); msg += len; msg_len -= len; ctx->index += len; } if (msg_len == 0) { /* if it is still the last block, we are done */ return; } /* * now checksum everything but the last block */ block8_xor3(&Y, &ctx->X, &ctx->block); encrypt(cipher, 8, ctx->X.b, Y.b); while (msg_len > 8) { block8_xor_bytes(&Y, &ctx->X, msg); encrypt(cipher, 8, ctx->X.b, Y.b); msg += 8; msg_len -= 8; } /* * copy the last block, it will be processed in * cmac64_digest(). */ memcpy(ctx->block.b, msg, msg_len); ctx->index = msg_len; } void cmac64_digest(struct cmac64_ctx *ctx, const struct cmac64_key *key, const void *cipher, nettle_cipher_func *encrypt, unsigned length, uint8_t *dst) { union nettle_block8 Y; memset(ctx->block.b+ctx->index, 0, sizeof(ctx->block.b)-ctx->index); /* re-use ctx->block for memxor output */ if (ctx->index < 8) { ctx->block.b[ctx->index] = 0x80; block8_xor(&ctx->block, &key->K2); } else { block8_xor(&ctx->block, &key->K1); } block8_xor3(&Y, &ctx->block, &ctx->X); assert(length <= 8); if (length == 8) { encrypt(cipher, 8, dst, Y.b); } else { encrypt(cipher, 8, ctx->block.b, Y.b); memcpy(dst, ctx->block.b, length); } /* reset state for re-use */ memset(&ctx->X, 0, sizeof(ctx->X)); ctx->index = 0; } nettle-3.10/aes192-encrypt.c0000644000175000017500000000323614633602171014615 0ustar nissenisse/* aes192-encrypt.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes192_encrypt void _nettle_aes192_encrypt_c(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes192_encrypt _nettle_aes192_encrypt_c #endif void nettle_aes192_encrypt(const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_encrypt(_AES192_ROUNDS, ctx->keys, &_nettle_aes_encrypt_table, length, dst, src); } nettle-3.10/aes-decrypt.c0000644000175000017500000000313314633602171014343 0ustar nissenisse/* aes-decrypt.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" void aes_decrypt(const struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { switch (ctx->key_size) { default: abort(); case AES128_KEY_SIZE: aes128_decrypt(&ctx->u.ctx128, length, dst, src); break; case AES192_KEY_SIZE: aes192_decrypt(&ctx->u.ctx192, length, dst, src); break; case AES256_KEY_SIZE: aes256_decrypt(&ctx->u.ctx256, length, dst, src); break; } } nettle-3.10/aes128-decrypt.c0000644000175000017500000000325514633602171014603 0ustar nissenisse/* aes128-decrypt.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes128_decrypt void _nettle_aes128_decrypt_c(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes128_decrypt _nettle_aes128_decrypt_c #endif void nettle_aes128_decrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_decrypt(_AES128_ROUNDS, ctx->keys + 4*_AES128_ROUNDS, &_nettle_aes_decrypt_table, length, dst, src); } nettle-3.10/arm/0000755000175000017500000000000014633602172012537 5ustar nissenissenettle-3.10/arm/aes-decrypt-internal.asm0000644000175000017500000001034214633602172017273 0ustar nissenisseC arm/aes-decrypt-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`arm/aes.m4') define(`PARAM_ROUNDS', `r0') define(`PARAM_KEYS', `r1') define(`TABLE', `r2') define(`PARAM_LENGTH', `r3') C On stack: DST, SRC define(`W0', `r4') define(`W1', `r5') define(`W2', `r6') define(`W3', `r7') define(`T0', `r8') define(`COUNT', `r10') define(`KEY', `r11') define(`MASK', `r0') C Overlaps inputs, except TABLE define(`X0', `r1') define(`X1', `r3') define(`X2', `r12') define(`X3', `r14') C lr define(`FRAME_ROUNDS', `[sp]') define(`FRAME_KEYS', `[sp, #+4]') define(`FRAME_LENGTH', `[sp, #+8]') C 8 saved registers define(`FRAME_DST', `[sp, #+44]') define(`FRAME_SRC', `[sp, #+48]') define(`AES_DECRYPT_ROUND', ` and T0, MASK, $1, lsl #2 ldr $5, [TABLE, T0] and T0, MASK, $2, lsl #2 ldr $6, [TABLE, T0] and T0, MASK, $3, lsl #2 ldr $7, [TABLE, T0] and T0, MASK, $4, lsl #2 ldr $8, [TABLE, T0] and T0, MASK, $4, ror #6 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $1, ror #6 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $2, ror #6 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $3, ror #6 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $3, ror #14 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $4, ror #14 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $1, ror #14 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $2, ror #14 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $2, ror #22 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $3, ror #22 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $4, ror #22 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $1, ror #22 ldr T0, [TABLE, T0] ldm $9, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 sub $9, $9, #16 eor $7, $7, $3 eor $8, $8, $4 ') .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_decrypt) teq PARAM_LENGTH, #0 beq .Lend push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} mov MASK, #0x3fc ALIGN(16) .Lblock_loop: ldr X0, FRAME_SRC C Use X0 as SRC pointer ldm sp, {COUNT, KEY} AES_LOAD(X0,KEY,W0) AES_LOAD(X0,KEY,W1) AES_LOAD(X0,KEY,W2) AES_LOAD_INCR(X0,KEY,W3, -28) str X0, FRAME_SRC add TABLE, TABLE, #AES_TABLE0 b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register sub TABLE, TABLE, #AES_TABLE0 C Final round AES_FINAL_ROUND_V5(X0, X3, X2, X1, KEY, W0, COUNT) AES_FINAL_ROUND_V5(X1, X0, X3, X2, KEY, W1, COUNT) AES_FINAL_ROUND_V5(X2, X1, X0, X3, KEY, W2, COUNT) AES_FINAL_ROUND_V5(X3, X2, X1, X0, KEY, W3, COUNT) ldr X0, FRAME_DST ldr X1, FRAME_LENGTH AES_STORE(X0,W0) AES_STORE(X0,W1) AES_STORE(X0,W2) AES_STORE(X0,W3) subs X1, X1, #16 str X0, FRAME_DST str X1, FRAME_LENGTH bhi .Lblock_loop add sp, sp, #12 C Drop saved r0, r1, r3 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_decrypt) nettle-3.10/arm/neon/0000755000175000017500000000000014633602172013476 5ustar nissenissenettle-3.10/arm/neon/salsa20-2core.asm0000644000175000017500000001226314633602172016461 0ustar nissenisseC arm/neon/salsa20-2core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "salsa20-2core.asm" .fpu neon define(`DST', `r0') define(`SRC', `r1') define(`ROUNDS', `r2') define(`SRCp32', `r3') C State, even elements in X, odd elements in Y define(`X0', `q0') define(`X1', `q1') define(`X2', `q2') define(`X3', `q3') define(`Y0', `q8') define(`Y1', `q9') define(`Y2', `q10') define(`Y3', `q11') define(`T0', `q12') define(`T1', `q13') define(`T2', `q14') define(`T3', `q15') .text .align 4 .Lcount1: .int 1,0,0,0 C _salsa20_2core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_salsa20_2core) C loads using vld1.32 to be endianness-neutral wrt consecutive 32-bit words add SRCp32, SRC, #32 vld1.32 {X0,X1}, [SRC] vld1.32 {X2,X3}, [SRCp32] adr r12, .Lcount1 vmov Y3, X0 vld1.32 {Y1}, [r12] vmov Y0, X1 vadd.i64 Y1, Y1, X2 C Increment counter vmov Y2, X3 vtrn.32 X0, Y3 C X0: 0 0 2 2 Y3: 1 1 3 3 vtrn.32 X1, Y0 C X1: 4 4 6 6 Y0: 5 5 7 7 vtrn.32 X2, Y1 C X2: 8 8 10 10 Y1: 9 9 11 11 vtrn.32 X3, Y2 C X3: 12 12 14 14 Y2: 13 13 15 15 C Swap, to get C X0: 0 10 Y0: 5 15 C X1: 4 14 Y1: 9 3 C X2: 8 2 Y2: 13 7 C X3: 12 6 Y3: 1 11 vswp D1REG(X0), D1REG(X2) vswp D1REG(X1), D1REG(X3) vswp D1REG(Y0), D1REG(Y2) vswp D1REG(Y1), D1REG(Y3) .Loop: C Register layout (A is first block, B is second block) C C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 C X1: A4 B4 A14 B14 Y1: A9 B9 A3 B3 C X2: A8 B8 A2 B2 Y2: A13 B13 A7 B7 C X3: A12 B12 A6 B6 Y3: A1 B1 A11 B11 vadd.i32 T0, X0, X3 vshl.i32 T1, T0, #7 vadd.i32 T2, Y0, Y3 vsri.u32 T1, T0, #25 vshl.i32 T3, T2, #7 veor X1, X1, T1 vsri.u32 T3, T2, #25 vadd.i32 T0, X1, X0 veor Y1, Y1, T3 vshl.i32 T1, T0, #9 vadd.i32 T2, Y1, Y0 vsri.u32 T1, T0, #23 vshl.i32 T3, T2, #9 veor X2, X2, T1 vsri.u32 T3, T2, #23 vadd.i32 T0, X2, X1 veor Y2, Y2, T3 vshl.i32 T1, T0, #13 vadd.i32 T2, Y2, Y1 vsri.u32 T1, T0, #19 vshl.i32 T3, T2, #13 veor X3, X3, T1 vsri.u32 T3, T2, #19 vadd.i32 T0, X3, X2 veor Y3, Y3, T3 vshl.i32 T1, T0, #18 vadd.i32 T2, Y3, Y2 vext.32 Y1, Y1, Y1, #2 vsri.u32 T1, T0, #14 vshl.i32 T3, T2, #18 vext.32 Y2, Y2, Y2, #2 veor X0, X0, T1 vsri.u32 T3, T2, #14 vext.32 X3, X3, X3, #2 veor Y0, Y0, T3 C Register layout: C X0: A0 B0 A10 B10 Y0: A5 A5 A15 B15 C Y1: A3 B3 A9 B9 X1: A4 B4 A14 B14 (Y1 swapped) C X2: A2 B2 A8 B8 Y2: A7 B7 A13 B13 (X2, Y2 swapped) C Y3: A1 B1 A11 B11 X3: A6 B6 A12 B12 (X3 swapped) vadd.i32 T0, X0, Y1 vext.32 X2, X2, X2, #2 vshl.i32 T1, T0, #7 vadd.i32 T2, Y0, X1 vsri.u32 T1, T0, #25 vshl.i32 T3, T2, #7 veor Y3, Y3, T1 vsri.u32 T3, T2, #25 vadd.i32 T0, Y3, X0 veor X3, X3, T3 vshl.i32 T1, T0, #9 vadd.i32 T2, X3, Y0 vsri.u32 T1, T0, #23 vshl.i32 T3, T2, #9 veor X2, X2, T1 vsri.u32 T3, T2, #23 vadd.i32 T0, X2, Y3 veor Y2, Y2, T3 vshl.i32 T1, T0, #13 vadd.i32 T2, Y2, X3 vsri.u32 T1, T0, #19 vshl.i32 T3, T2, #13 veor Y1, Y1, T1 vsri.u32 T3, T2, #19 vadd.i32 T0, Y1, X2 veor X1, X1, T3 vext.32 X2, X2, X2, #2 vshl.i32 T1, T0, #18 vadd.i32 T2, X1, Y2 vext.32 Y1, Y1, Y1, #2 vsri.u32 T1, T0, #14 subs ROUNDS, ROUNDS, #2 vshl.i32 T3, T2, #18 vext.32 X3, X3, X3, #2 veor X0, X0, T1 vsri.u32 T3, T2, #14 vext.32 Y2, Y2, Y2, #2 veor Y0, Y0, T3 bhi .Loop C Inverse swaps and transpositions vswp D1REG(X0), D1REG(X2) vswp D1REG(X1), D1REG(X3) vswp D1REG(Y0), D1REG(Y2) vswp D1REG(Y1), D1REG(Y3) vld1.32 {T0,T1}, [SRC] vld1.32 {T2,T3}, [SRCp32] vtrn.32 X0, Y3 vtrn.32 X1, Y0 vtrn.32 X2, Y1 vtrn.32 X3, Y2 C Add in the original context vadd.i32 X0, X0, T0 vadd.i32 X1, X1, T1 C vst1.8 because caller expects results little-endian C interleave loads, calculations and stores to save cycles on stores C use vstm when little-endian for some additional speedup IF_BE(` vst1.8 {X0,X1}, [DST]!') vadd.i32 X2, X2, T2 vadd.i32 X3, X3, T3 IF_BE(` vst1.8 {X2,X3}, [DST]!') IF_LE(` vstmia DST!, {X0,X1,X2,X3}') vld1.32 {X0}, [r12] vadd.i32 T0, T0, Y3 vadd.i64 T2, T2, X0 vadd.i32 T1, T1, Y0 IF_BE(` vst1.8 {T0,T1}, [DST]!') vadd.i32 T2, T2, Y1 vadd.i32 T3, T3, Y2 IF_BE(` vst1.8 {T2,T3}, [DST]') IF_LE(` vstm DST, {T0,T1,T2,T3}') bx lr EPILOGUE(_nettle_salsa20_2core) nettle-3.10/arm/neon/umac-nh-n.asm0000644000175000017500000002067214633602172015772 0ustar nissenisseC arm/neon/umac-nh-n.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "umac-nh.asm" .fpu neon define(`OUT', `r0') define(`ITERS', `r1') define(`KEY', `r2') define(`LENGTH', `r3') define(`MSG', `r12') define(`SHIFT', `r14') define(`QA', `q0') define(`QB', `q1') define(`QY0', `q3') C Accumulates for the first two operations. define(`DM', `d4') define(`QY1', `q4') C Used for 3 and 4 iterations. define(`QC', `q5') define(`QD', `q6') define(`QLEFT', `q8') define(`QRIGHT', `q9') define(`QT0', `q10') define(`QT1', `q11') define(`QT2', `q12') define(`QK0', `q13') define(`QK1', `q14') define(`QK2', `q15') C FIXME: Try permuting subkeys using vld4, vzip or similar. .text .align 3 PROLOGUE(_nettle_umac_nh_n) ldr MSG, [sp] str lr, [sp, #-4]! C Setup for 64-bit aligned reads ands SHIFT, MSG, #7 and MSG, MSG, #-8 vld1.8 {DM}, [MSG :64] addne MSG, MSG, #8 addeq SHIFT, SHIFT, #8 C FIXME: Combine as rsb ? lsl SHIFT, SHIFT, #3 neg SHIFT, SHIFT C Right shift in QRIGHT (both halves) vmov.i32 D0REG(QRIGHT)[0], SHIFT vmov.32 D1REG(QRIGHT), D0REG(QRIGHT) add SHIFT, SHIFT, #64 vmov.i32 D0REG(QLEFT)[0], SHIFT vmov.32 D1REG(QLEFT), D0REG(QLEFT) cmp r1, #3 vmov.i64 QY0, #0 vshl.u64 DM, DM, D0REG(QRIGHT) bcc .Lnh2 beq .Lnh3 .Lnh4: C Permute key words, so we in each iteration have them in order C C P0: [0, 4,1, 5] P1: [ 2, 6, 3, 7] P2: [ 4, 8, 5, 9] P3: [ 6,10, 7,11] C P4: [8,12,9,13] P5: [10,14,11,15] P6: [12,16,13,17] P7: [14,18,15,19] C C Also arrange the message words, so we get them as C M0: [0,0,1,1] M1: [ 2, 2, 3, 3] M2: [ 4, 4, 5, 5] M3: [ 6, 6, 7, 7] C M4: [8,8,9,9] M5: [10,10,11,11] M6: [12,12,13,13] M7: [14,14,15,15] C C Then, accumulate Y0 (first two "iters") using C C Y0 += (M0+P0) * (M2+P2) + (M1+P1) * (M3+P3) C Y1 += (M0+P4) * (M2+P6) + (M1+P5) * (M3+P7) C C Next iteration is then C C Y0 += (M4+P4) * (M6+P6) + (M5+P5) * (M7 + P7) C Y1 += (M4+P6) * (M6+P8) + (M5+P7) * (M7 + P11) C C So we can reuse P4, P5, P6, P7 from the previous iteration. C How to for in registers? We need 4 Q regs for P0-P3, and one C more for the last read key. We need at least two regiters C for the message (QA and QB, more if we want to expand only C once). For the Y0 update, we can let the factors overwrite C P0-P3, and for the Y1 update, we can overwrite M0-M3. vpush {q4,q5,q6} vld1.32 {QK0,QK1}, [KEY]! vld1.32 {QK2}, [KEY]! vmov QT0, QK1 vmov QT1, QK2 C Permute keys. QK2 us untouched, permuted subkeys put in QK0,QK1,QT0,QT1 vtrn.32 QK0, QK1 C Gives us [0, 4, 2, 6] and [1, 5, 3, 7] vswp D1REG(QK0), D0REG(QK1) C Gives us [0, 4, 1, 5] and [2, 6, 3, 7] vtrn.32 QT0, QT1 C Gives us [4,8,6,10] and [5 ,9,7,11] vswp D1REG(QT0), D0REG(QT1) C Gives us [4,8,5, 9] and [6,10,7,11] vmov.i64 QY1, #0 .Loop4: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QC, QA, QRIGHT vshl.u64 QD, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QC) veor D0REG(QB), D0REG(QB), D1REG(QC) veor D1REG(QB), D1REG(QB), D0REG(QD) vmov DM, D1REG(QD) C Explode message (too bad there's no vadd with scalar) vdup.32 D1REG(QD), D1REG(QB)[1] vdup.32 D0REG(QD), D1REG(QB)[0] vdup.32 D1REG(QC), D0REG(QB)[1] vdup.32 D0REG(QC), D0REG(QB)[0] vdup.32 D1REG(QB), D1REG(QA)[1] vdup.32 D0REG(QB), D1REG(QA)[0] vdup.32 D1REG(QA), D0REG(QA)[1] vdup.32 D0REG(QA), D0REG(QA)[0] vadd.i32 QK0, QK0, QA vadd.i32 QK1, QK1, QB vadd.i32 QT0, QT0, QC vadd.i32 QT1, QT1, QD vmlal.u32 QY0, D0REG(QK0), D0REG(QT0) vmlal.u32 QY0, D1REG(QK0), D1REG(QT0) vmlal.u32 QY0, D0REG(QK1), D0REG(QT1) vmlal.u32 QY0, D1REG(QK1), D1REG(QT1) C Next 4 subkeys vld1.32 {QT0,QT1}, [KEY]! vmov QK0, QK2 vmov QK1, QT0 vmov QK2, QT1 C Save vtrn.32 QK0, QK1 C Gives us [8,12,10,14] and [9,13,11,15] vswp D1REG(QK0), D0REG(QK1) C Gives us [8,12,9,13] and [10,14,11,15] vtrn.32 QT0, QT1 C Gives us [12,16,14,18] and [13,17,15,19] vswp D1REG(QT0), D0REG(QT1) C Gives us [12,16,13,17] and [14,18,15,19] vadd.i32 QA, QA, QK0 vadd.i32 QB, QB, QK1 vadd.i32 QC, QC, QT0 vadd.i32 QD, QD, QT1 subs LENGTH, LENGTH, #32 vmlal.u32 QY1, D0REG(QA), D0REG(QC) vmlal.u32 QY1, D1REG(QA), D1REG(QC) vmlal.u32 QY1, D0REG(QB), D0REG(QD) vmlal.u32 QY1, D1REG(QB), D1REG(QD) bhi .Loop4 vst1.64 {QY0, QY1}, [OUT] vpop {q4,q5,q6} ldr pc, [sp], #+4 .Lnh3: vpush {q4} vld1.32 {QK0,QK1}, [KEY]! vmov.i64 QY1, #0 .Loop3: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QT0, QA, QRIGHT vshl.u64 QT1, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QT0) veor D0REG(QB), D0REG(QB), D1REG(QT0) veor D1REG(QB), D1REG(QB), D0REG(QT1) vmov DM, D1REG(QT1) vld1.32 {QK2}, [KEY]! C Construct factors, with low half corresponding to first iteration, C and high half corresponding to the second iteration. vmov QT0, QK1 vtrn.32 QK0, QT0 C Gives us [0, 4, 2, 6] and [1, 5, 3, 7] vswp D1REG(QK0), D0REG(QT0) C Gives us [0, 4, 1, 5] and [2, 6, 3, 7] vdup.32 D0REG(QT1), D0REG(QA)[0] vdup.32 D1REG(QT1), D0REG(QA)[1] vadd.i32 QT1, QT1, QK0 vmov QK0, QK2 C Save for next iteration vtrn.32 QK1, QK2 C Gives us [4, 8, 2, 1] and [1, 5, 3, 7] vswp D1REG(QK1), D0REG(QK2) C Gives us [4, 8, 1, 5] and [2, 1, 3, 7] vdup.32 D0REG(QT2), D0REG(QB)[0] vdup.32 D1REG(QT2), D0REG(QB)[1] vadd.i32 QK1, QK1, QT2 vmlal.u32 QY0, D0REG(QT1), D0REG(QK1) vmlal.u32 QY0, D1REG(QT1), D1REG(QK1) vdup.32 D0REG(QT1), D1REG(QA)[0] vdup.32 D1REG(QT1), D1REG(QA)[1] vadd.i32 QT0, QT0, QT1 vdup.32 D0REG(QT1), D1REG(QB)[0] vdup.32 D1REG(QT1), D1REG(QB)[1] vadd.i32 QK2, QK2, QT1 vmlal.u32 QY0, D0REG(QT0), D0REG(QK2) vmlal.u32 QY0, D1REG(QT0), D1REG(QK2) vld1.32 {QK1}, [KEY]! vadd.i32 QA, QA, QK0 vadd.i32 QB, QB, QK1 subs LENGTH, LENGTH, #32 vmlal.u32 QY1, D0REG(QA), D0REG(QB) vmlal.u32 QY1, D1REG(QA), D1REG(QB) bhi .Loop3 vadd.i64 D0REG(QY1), D0REG(QY1), D1REG(QY1) vst1.64 {D0REG(QY0), D1REG(QY0), D0REG(QY1)}, [OUT] vpop {q4} ldr pc, [sp], #+4 .Lnh2: vld1.32 {QK0}, [KEY]! .Loop2: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QT0, QA, QRIGHT vshl.u64 QT1, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QT0) veor D0REG(QB), D0REG(QB), D1REG(QT0) veor D1REG(QB), D1REG(QB), D0REG(QT1) vmov DM, D1REG(QT1) vld1.32 {QK1,QK2}, [KEY]! C Construct factors, with low half corresponding to first iteration, C and high half corresponding to the second iteration. vmov QT0, QK1 vtrn.32 QK0, QT0 C Gives us [0, 4, 2, 6] and [1, 5, 3, 7] vswp D1REG(QK0), D0REG(QT0) C Gives us [0, 4, 1, 5] and [2, 6, 3, 7] vdup.32 D0REG(QT1), D0REG(QA)[0] vdup.32 D1REG(QT1), D0REG(QA)[1] vadd.i32 QT1, QT1, QK0 vmov QK0, QK2 C Save for next iteration vtrn.32 QK1, QK2 C Gives us [4, 8, 6, 10] and [5, 9, 7, 11] vswp D1REG(QK1), D0REG(QK2) C Gives us [4, 8, 5, 9] and [6, 10, 7, 11] vdup.32 D0REG(QT2), D0REG(QB)[0] vdup.32 D1REG(QT2), D0REG(QB)[1] vadd.i32 QK1, QK1, QT2 vmlal.u32 QY0, D0REG(QT1), D0REG(QK1) vmlal.u32 QY0, D1REG(QT1), D1REG(QK1) vdup.32 D0REG(QT1), D1REG(QA)[0] vdup.32 D1REG(QT1), D1REG(QA)[1] vadd.i32 QT0, QT0, QT1 vdup.32 D0REG(QT1), D1REG(QB)[0] vdup.32 D1REG(QT1), D1REG(QB)[1] vadd.i32 QK2, QK2, QT1 subs LENGTH, LENGTH, #32 vmlal.u32 QY0, D0REG(QT0), D0REG(QK2) vmlal.u32 QY0, D1REG(QT0), D1REG(QK2) bhi .Loop2 vst1.64 {QY0}, [OUT] .Lend: ldr pc, [sp], #+4 EPILOGUE(_nettle_umac_nh_n) nettle-3.10/arm/neon/sha3-permute.asm0000644000175000017500000001354414633602172016524 0ustar nissenisseC arm/neon/sha3-permute.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha3-permute.asm" .fpu neon define(`CTX', `r0') define(`COUNT', `r1') define(`RC', `r2') C First column define(`A0', `d0') define(`A5', `d2') define(`A10', `d3') define(`A15', `d4') define(`A20', `d5') define(`A1', `d6') define(`A2', `d7') define(`A3', `d8') define(`A4', `d9') define(`A6', `d16') define(`A7', `d17') define(`A8', `d18') define(`A9', `d19') define(`A11', `d20') define(`A12', `d21') define(`A13', `d22') define(`A14', `d23') define(`A16', `d24') define(`A17', `d25') define(`A18', `d26') define(`A19', `d27') define(`A21', `d28') define(`A22', `d29') define(`A23', `d30') define(`A24', `d31') define(`T0', `d10') define(`T1', `d11') define(`C0', `d1') define(`C1', `d12') define(`C2', `d13') define(`C3', `d14') define(`C4', `d15') C ROL(DST, SRC, COUNT) C Must have SRC != DST define(`ROL', ` vshr.u64 $1, $2, #eval(64-$3) vsli.i64 $1, $2, #$3 ') C sha3_permute(struct sha3_ctx *ctx) .text .align 3 .Lrc: .quad 0x0000000000000001 .quad 0x0000000000008082 .quad 0x800000000000808A .quad 0x8000000080008000 .quad 0x000000000000808B .quad 0x0000000080000001 .quad 0x8000000080008081 .quad 0x8000000000008009 .quad 0x000000000000008A .quad 0x0000000000000088 .quad 0x0000000080008009 .quad 0x000000008000000A .quad 0x000000008000808B .quad 0x800000000000008B .quad 0x8000000000008089 .quad 0x8000000000008003 .quad 0x8000000000008002 .quad 0x8000000000000080 .quad 0x000000000000800A .quad 0x800000008000000A .quad 0x8000000080008081 .quad 0x8000000000008080 .quad 0x0000000080000001 .quad 0x8000000080008008 PROLOGUE(nettle_sha3_permute) vpush {d8-d15} vld1.64 {A0}, [CTX]! vldm CTX!, {A1,A2,A3,A4} vld1.64 {A5}, [CTX]! vldm CTX!, {A6,A7,A8,A9} vld1.64 {A10}, [CTX]! vldm CTX!, {A11,A12,A13,A14} vld1.64 {A15}, [CTX]! vldm CTX!, {A16,A17,A18,A19} vld1.64 {A20}, [CTX]! vldm CTX, {A21,A22,A23,A24} sub CTX, CTX, #168 mov COUNT, #24 adr RC, .Lrc .align 3 .Loop: veor QREG(T0), QREG(A5), QREG(A15) veor C0, A0, T0 veor C0, C0, T1 veor QREG(C1), QREG(A1), QREG(A6) veor QREG(C1), QREG(C1), QREG(A11) veor QREG(C1), QREG(C1), QREG(A16) veor QREG(C1), QREG(C1), QREG(A21) veor QREG(C3), QREG(A3), QREG(A8) veor QREG(C3), QREG(C3), QREG(A13) veor QREG(C3), QREG(C3), QREG(A18) veor QREG(C3), QREG(C3), QREG(A23) C D0 = C4 ^ (C1 <<< 1) C NOTE: Using ROL macro (and vsli) is slightly slower. vshl.i64 T0, C1, #1 vshr.u64 T1, C1, #63 veor T0, T0, C4 veor T0, T0, T1 vmov T1, T0 veor A0, A0, T0 veor QREG(A5), QREG(A5), QREG(T0) veor QREG(A15), QREG(A15), QREG(T0) C D1 = C0 ^ (C2 <<< 1) C D2 = C1 ^ (C3 <<< 1) ROL(T0, C2, 1) ROL(T1, C3, 1) veor T0, T0, C0 veor T1, T1, C1 veor QREG(A1), QREG(A1), QREG(T0) veor QREG(A6), QREG(A6), QREG(T0) veor QREG(A11), QREG(A11), QREG(T0) veor QREG(A16), QREG(A16), QREG(T0) veor QREG(A21), QREG(A21), QREG(T0) C D3 = C2 ^ (C4 <<< 1) C D4 = C3 ^ (C0 <<< 1) ROL(T0, C4, 1) ROL(T1, C0, 1) veor T0, T0, C2 veor T1, T1, C3 veor QREG(A3), QREG(A3), QREG(T0) veor QREG(A8), QREG(A8), QREG(T0) veor QREG(A13), QREG(A13), QREG(T0) veor QREG(A18), QREG(A18), QREG(T0) veor QREG(A23), QREG(A23), QREG(T0) ROL( T0, A1, 1) ROL( A1, A6, 44) ROL( A6, A9, 20) ROL( A9, A22, 61) ROL(A22, A14, 39) ROL(A14, A20, 18) ROL(A20, A2, 62) ROL( A2, A12, 43) ROL(A12, A13, 25) ROL(A13, A19, 8) ROL(A19, A23, 56) ROL(A23, A15, 41) ROL(A15, A4, 27) ROL( A4, A24, 14) ROL(A24, A21, 2) ROL(A21, A8, 55) ROL( A8, A16, 45) ROL(A16, A5, 36) ROL( A5, A3, 28) ROL( A3, A18, 21) ROL(A18, A17, 15) ROL(A17, A11, 10) ROL(A11, A7, 6) ROL( A7, A10, 3) C New A10 value left in T0 vbic C0, A2, A1 vbic C1, A3, A2 vbic C2, A4, A3 vbic C3, A0, A4 vbic C4, A1, A0 veor A0, A0, C0 vld1.64 {C0}, [RC :64]! veor QREG(A1), QREG(A1), QREG(C1) veor QREG(A3), QREG(A3), QREG(C3) veor A0, A0, C0 vbic C0, A7, A6 vbic C1, A8, A7 vbic C2, A9, A8 vbic C3, A5, A9 vbic C4, A6, A5 veor A5, A5, C0 veor QREG(A6), QREG(A6), QREG(C1) veor QREG(A8), QREG(A8), QREG(C3) vbic C0, A12, A11 vbic C1, A13, A12 vbic C2, A14, A13 vbic C3, T0, A14 vbic C4, A11, T0 veor A10, T0, C0 veor QREG(A11), QREG(A11), QREG(C1) veor QREG(A13), QREG(A13), QREG(C3) vbic C0, A17, A16 vbic C1, A18, A17 vbic C2, A19, A18 vbic C3, A15, A19 vbic C4, A16, A15 veor A15, A15, C0 veor QREG(A16), QREG(A16), QREG(C1) veor QREG(A18), QREG(A18), QREG(C3) vbic C0, A22, A21 vbic C1, A23, A22 vbic C2, A24, A23 vbic C3, A20, A24 vbic C4, A21, A20 subs COUNT, COUNT, #1 veor A20, A20, C0 veor QREG(A21), QREG(A21), QREG(C1) veor QREG(A23), QREG(A23), QREG(C3) bne .Loop vst1.64 {A0}, [CTX]! vstm CTX!, {A1,A2,A3,A4} vst1.64 {A5}, [CTX]! vstm CTX!, {A6,A7,A8,A9} vst1.64 {A10}, [CTX]! vstm CTX!, {A11,A12,A13,A14} vst1.64 {A15}, [CTX]! vstm CTX!, {A16,A17,A18,A19} vst1.64 {A20}, [CTX]! vstm CTX, {A21,A22,A23,A24} vpop {d8-d15} bx lr EPILOGUE(nettle_sha3_permute) nettle-3.10/arm/neon/sha512-compress.asm0000644000175000017500000002005614633602172017037 0ustar nissenisseC arm/neon/sha512-compress.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha512-compress.asm" .fpu neon define(`STATE', `r0') define(`INPUT', `r1') define(`K', `r2') define(`COUNT', `r3') define(`SHIFT', `r12') define(`SA', `d0') define(`SB', `d1') define(`SC', `d2') define(`SD', `d3') define(`SE', `d4') define(`SF', `d5') define(`SG', `d6') define(`SH', `d7') define(`QSAB', `q0') define(`QSCD', `q1') define(`QSEF', `q2') define(`QSGH', `q3') C d8-d15 are callee-save define(`DT0', `d8') define(`DT1', `d9') define(`QT01', `q4') define(`DT2', `d10') define(`DT3', `d11') define(`QT23', `q5') define(`DT4', `d12') define(`DT5', `d13') define(`QT45', `q6') C Used only when reading the input, can overlap with state define(`DT6', `d0') define(`DT7', `d1') define(`QT67', `q0') define(`DW0', `d16') define(`DW1', `d17') define(`DW2', `d18') define(`DW3', `d19') define(`DW4', `d20') define(`DW5', `d21') define(`DW6', `d22') define(`DW7', `d23') define(`DW8', `d24') define(`DW9', `d25') define(`DW10', `d26') define(`DW11', `d27') define(`DW12', `d28') define(`DW13', `d29') define(`DW14', `d30') define(`DW15', `d31') define(`QW0001', `q8') define(`QW0203', `q9') define(`QW0405', `q10') define(`QW0607', `q11') define(`QW0809', `q12') define(`QW1011', `q13') define(`QW1213', `q14') define(`QW1415', `q15') define(`EXPAND_ME', `$1') define(`W', `EXPAND_ME(`DW'eval(($1) % 16))') C If x = W(i+14), y = w(i+1), we xor in parallel C C x << 45 y << 63 C x >> 19 y >> 1 C x << 3 y << 56 C x >> 61 y >> 8 C xor x >> 6 y >> 7 C ----------------------------- C DT0 DT1 define(`EXPN', ` vshl.i64 DT0, W($1+14), #45 vshl.i64 DT1, W($1 + 1), #63 vshr.u64 DT2, W($1+14), #19 vshr.u64 DT3, W($1 + 1), #1 vshl.i64 DT4, W($1+14), #3 vshl.i64 DT5, W($1 + 1), #56 veor.i64 QT01, QT01, QT23 vshr.u64 DT2, W($1+14), #61 vshr.u64 DT3, W($1 + 1), #8 veor.i64 QT01, QT01, QT45 vshr.u64 DT4, W($1+14), #6 vshr.u64 DT5, W($1 + 1), #7 veor.i64 QT01, QT01, QT23 vadd.i64 W($1), W($1), W($1 + 9) veor.i64 QT01, QT01, QT45 vadd.i64 W($1), W($1), DT0 vadd.i64 W($1), W($1), DT1 ') C ROUND(A,B,C,D,E,F,G,H,i) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<50 ^ E<<<46 ^ E<<<23 C S0(A) = A<<<36 ^ A<<<30 ^ A<<<25 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) C Do S1 and S0 in parallel C C e << 50 a << 36 C e >> 14 a >> 28 C e << 46 a << 30 C e >> 18 a >> 34 C e << 23 a << 25 C xor e >> 41 a >> 39 C ---------------------------- C DT0 DT1 define(`ROUND', ` vshl.i64 DT0, $5, #50 vshl.i64 DT1, $1, #36 vshr.u64 DT2, $5, #14 vshr.u64 DT3, $1, #28 vshl.i64 DT4, $5, #46 vshl.i64 DT5, $1, #30 veor QT01, QT01, QT23 vshr.u64 DT2, $5, #18 vshr.u64 DT3, $1, #34 veor QT01, QT01, QT45 vshl.i64 DT4, $5, #23 vshl.i64 DT5, $1, #25 veor QT01, QT01, QT23 vshr.u64 DT2, $5, #41 vshr.u64 DT3, $1, #39 veor QT01, QT01, QT45 veor DT4, $6, $7 veor DT5, $1, $2 vand DT4, DT4, $5 vand DT5, DT5, $3 veor DT4, DT4, $7 veor QT01, QT01, QT23 vand DT2, $1, $2 vldr DT3, [K,#eval(8*$9)] vadd.i64 $8, $8, W($9) vadd.i64 QT01, QT01, QT45 vadd.i64 $8, $8, DT3 vadd.i64 $8, $8, DT0 vadd.i64 DT1, DT1, DT2 vadd.i64 $4, $4, $8 vadd.i64 $8, $8, DT1 ') C void C _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) .text .align 2 PROLOGUE(_nettle_sha512_compress) vpush {d8,d9,d10,d11,d12,d13} ands SHIFT, INPUT, #7 and INPUT, INPUT, #-8 vld1.8 {DT5}, [INPUT :64] addne INPUT, INPUT, #8 addeq SHIFT, SHIFT, #8 lsl SHIFT, SHIFT, #3 C Put right shift in DT0 and DT1, aka QT01 neg SHIFT, SHIFT vmov.i32 DT0, #0 vmov.32 DT0[0], SHIFT vmov DT1, DT0 C Put left shift in DT2 and DT3, aka QT23 add SHIFT, SHIFT, #64 vmov.i32 DT2, #0 vmov.32 DT2[0], SHIFT vmov DT3, DT2 vshl.u64 DT5, DT5, DT0 C Set w[i] <-- w[i-1] >> RSHIFT + w[i] << LSHIFT vld1.8 {W(0),W(1),W(2),W(3)}, [INPUT :64]! vshl.u64 QT67, QW0001, QT01 C Right shift vshl.u64 QW0001, QW0001, QT23 C Left shift veor W(0), W(0), DT5 veor W(1), W(1), DT6 vrev64.8 QW0001, QW0001 vshl.u64 QT45, QW0203, QT01 C Right shift vshl.u64 QW0203, QW0203, QT23 C Left shift veor W(2), W(2), DT7 veor W(3), W(3), DT4 vrev64.8 QW0203, QW0203 vld1.8 {W(4),W(5),W(6),W(7)}, [INPUT :64]! vshl.u64 QT67, QW0405, QT01 C Right shift vshl.u64 QW0405, QW0405, QT23 C Left shift veor W(4), W(4), DT5 veor W(5), W(5), DT6 vrev64.8 QW0405, QW0405 vshl.u64 QT45, QW0607, QT01 C Right shift vshl.u64 QW0607, QW0607, QT23 C Left shift veor W(6), W(6), DT7 veor W(7), W(7), DT4 vrev64.8 QW0607, QW0607 vld1.8 {W(8),W(9),W(10),W(11)}, [INPUT :64]! vshl.u64 QT67, QW0809, QT01 C Right shift vshl.u64 QW0809, QW0809, QT23 C Left shift veor W(8), W(8), DT5 veor W(9), W(9), DT6 vrev64.8 QW0809, QW0809 vshl.u64 QT45, QW1011, QT01 C Right shift vshl.u64 QW1011, QW1011, QT23 C Left shift veor W(10), W(10), DT7 veor W(11), W(11), DT4 vrev64.8 QW1011, QW1011 vld1.8 {W(12),W(13),W(14),W(15)}, [INPUT :64]! vshl.u64 QT67, QW1213, QT01 C Right shift vshl.u64 QW1213, QW1213, QT23 C Left shift veor W(12), W(12), DT5 veor W(13), W(13), DT6 vrev64.8 QW1213, QW1213 vshl.u64 QT45, QW1415, QT01 C Right shift vshl.u64 QW1415, QW1415, QT23 C Left shift veor W(14), W(14), DT7 veor W(15), W(15), DT4 vrev64.8 QW1415, QW1415 vldm STATE, {SA,SB,SC,SD,SE,SF,SG,SH} ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 0) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 1) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 2) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 3) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 4) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 5) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 6) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 7) ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 8) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 9) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 10) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 11) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 12) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 13) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 14) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 15) add K, K, #128 mov COUNT, #4 .Loop: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 0) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 1) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 2) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 3) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 4) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 5) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 6) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 7) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH, 8) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG, 9) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF, 10) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE, 11) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD, 12) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC, 13) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB, 14) subs COUNT, COUNT, #1 EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA, 15) add K, K, #128 bne .Loop vld1.64 {DW0, DW1, DW2, DW3}, [STATE] vadd.i64 QSAB, QSAB, QW0001 vadd.i64 QSCD, QSCD, QW0203 vst1.64 {SA,SB,SC,SD}, [STATE]! vld1.64 {DW0, DW1, DW2, DW3}, [STATE] vadd.i64 QSEF, QSEF, QW0001 vadd.i64 QSGH, QSGH, QW0203 vst1.64 {SE,SF,SG,SH}, [STATE]! vpop {d8,d9,d10,d11,d12,d13} bx lr EPILOGUE(_nettle_sha512_compress) divert(-1) define shastate p/x $d0.u64 p/x $d1.u64 p/x $d2.u64 p/x $d3.u64 p/x $d4.u64 p/x $d5.u64 p/x $d6.u64 p/x $d7.u64 end nettle-3.10/arm/neon/chacha-3core.asm0000644000175000017500000001350214633602172016421 0ustar nissenisseC arm/neon/chacha-3core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "chacha-3core.asm" .fpu neon define(`DST', `r0') define(`SRC', `r1') define(`ROUNDS', `r2') define(`SRCp32', `r3') C State, X, Y and Z representing consecutive blocks define(`X0', `q0') define(`X1', `q1') define(`X2', `q2') define(`X3', `q3') define(`Y0', `q8') define(`Y1', `q9') define(`Y2', `q10') define(`Y3', `q11') define(`Z0', `q12') define(`Z1', `q13') define(`Z2', `q14') define(`Z3', `q15') define(`T0', `q4') define(`T1', `q5') define(`T2', `q6') define(`T3', `q7') .text .align 4 .Lcount1: .int 1,0,0,0 C _chacha_3core(uint32_t *dst, const uint32_t *src, unsigned rounds) PROLOGUE(_nettle_chacha_3core) C loads using vld1.32 to be endianness-neutral wrt consecutive 32-bit words add SRCp32, SRC, #32 vld1.32 {X0,X1}, [SRC] vld1.32 {X2,X3}, [SRCp32] vpush {q4,q5,q6,q7} adr r12, .Lcount1 vld1.32 {Z3}, [r12] vadd.i64 Y3, X3, Z3 C Increment 64-bit counter vadd.i64 Z3, Y3, Z3 .Lshared_entry: vmov Y0, X0 vmov Z0, X0 vmov Y1, X1 vmov Z1, X1 vmov Y2, X2 vmov Z2, X2 C Save initial values for the words including the counters. vmov T2, Y3 vmov T3, Z3 .Loop: C Interleave three blocks. Note that with this scheduling, C only two temporaries, T0 and T1, are needed. vadd.i32 X0, X0, X1 veor X3, X3, X0 vadd.i32 Y0, Y0, Y1 vrev32.16 X3, X3 C lrot 16 veor Y3, Y3, Y0 vadd.i32 Z0, Z0, Z1 vadd.i32 X2, X2, X3 vrev32.16 Y3, Y3 C lrot 16 veor Z3, Z3, Z0 veor T0, X1, X2 vadd.i32 Y2, Y2, Y3 vrev32.16 Z3, Z3 C lrot 16 vshl.i32 X1, T0, #12 veor T1, Y1, Y2 vadd.i32 Z2, Z2, Z3 vsri.u32 X1, T0, #20 vshl.i32 Y1, T1, #12 veor T0, Z1, Z2 vadd.i32 X0, X0, X1 vsri.u32 Y1, T1, #20 vshl.i32 Z1, T0, #12 veor T1, X3, X0 vadd.i32 Y0, Y0, Y1 vsri.u32 Z1, T0, #20 vshl.i32 X3, T1, #8 veor T0, Y3, Y0 vadd.i32 Z0, Z0, Z1 vsri.u32 X3, T1, #24 vshl.i32 Y3, T0, #8 veor T1, Z3, Z0 vadd.i32 X2, X2, X3 vsri.u32 Y3, T0, #24 vext.32 X3, X3, X3, #3 vshl.i32 Z3, T1, #8 veor T0, X1, X2 vadd.i32 Y2, Y2, Y3 vsri.u32 Z3, T1, #24 vext.32 Y3, Y3, Y3, #3 vshl.i32 X1, T0, #7 veor T1, Y1, Y2 vadd.i32 Z2, Z2, Z3 vsri.u32 X1, T0, #25 vshl.i32 Y1, T1, #7 veor T0, Z1, Z2 vext.32 X1, X1, X1, #1 vsri.u32 Y1, T1, #25 vshl.i32 Z1, T0, #7 vext.32 Y2, Y2, Y2, #2 vext.32 Y1, Y1, Y1, #1 vsri.u32 Z1, T0, #25 vext.32 X2, X2, X2, #2 C Second QROUND vadd.i32 X0, X0, X1 vext.32 Z2, Z2, Z2, #2 vext.32 Z1, Z1, Z1, #1 veor X3, X3, X0 vadd.i32 Y0, Y0, Y1 vext.32 Z3, Z3, Z3, #3 vrev32.16 X3, X3 C lrot 16 veor Y3, Y3, Y0 vadd.i32 Z0, Z0, Z1 vadd.i32 X2, X2, X3 vrev32.16 Y3, Y3 C lrot 16 veor Z3, Z3, Z0 veor T0, X1, X2 vadd.i32 Y2, Y2, Y3 vrev32.16 Z3, Z3 C lrot 16 vshl.i32 X1, T0, #12 veor T1, Y1, Y2 vadd.i32 Z2, Z2, Z3 vsri.u32 X1, T0, #20 vshl.i32 Y1, T1, #12 veor T0, Z1, Z2 vadd.i32 X0, X0, X1 vsri.u32 Y1, T1, #20 vshl.i32 Z1, T0, #12 veor T1, X3, X0 vadd.i32 Y0, Y0, Y1 vsri.u32 Z1, T0, #20 vshl.i32 X3, T1, #8 veor T0, Y3, Y0 vadd.i32 Z0, Z0, Z1 vsri.u32 X3, T1, #24 vshl.i32 Y3, T0, #8 veor T1, Z3, Z0 vadd.i32 X2, X2, X3 vsri.u32 Y3, T0, #24 vext.32 X3, X3, X3, #1 vshl.i32 Z3, T1, #8 veor T0, X1, X2 vext.32 X2, X2, X2, #2 vadd.i32 Y2, Y2, Y3 vext.32 Y3, Y3, Y3, #1 vsri.u32 Z3, T1, #24 vshl.i32 X1, T0, #7 veor T1, Y1, Y2 vext.32 Y2, Y2, Y2, #2 vadd.i32 Z2, Z2, Z3 vext.32 Z3, Z3, Z3, #1 vsri.u32 X1, T0, #25 vshl.i32 Y1, T1, #7 veor T0, Z1, Z2 vext.32 Z2, Z2, Z2, #2 vext.32 X1, X1, X1, #3 vsri.u32 Y1, T1, #25 vshl.i32 Z1, T0, #7 vext.32 Y1, Y1, Y1, #3 vsri.u32 Z1, T0, #25 subs ROUNDS, ROUNDS, #2 vext.32 Z1, Z1, Z1, #3 bhi .Loop C Add updated counters vadd.i32 Y3, Y3, T2 vadd.i32 Z3, Z3, T3 vld1.32 {T0,T1}, [SRC] vadd.i32 X0, X0, T0 vadd.i32 X1, X1, T1 C vst1.8 because caller expects results little-endian C interleave loads, calculations and stores to save cycles on stores C use vstm when little-endian for some additional speedup IF_BE(` vst1.8 {X0,X1}, [DST]!') vld1.32 {T2,T3}, [SRCp32] vadd.i32 X2, X2, T2 vadd.i32 X3, X3, T3 IF_BE(` vst1.8 {X2,X3}, [DST]!') IF_LE(` vstmia DST!, {X0,X1,X2,X3}') vadd.i32 Y0, Y0, T0 vadd.i32 Y1, Y1, T1 IF_BE(` vst1.8 {Y0,Y1}, [DST]!') vadd.i32 Y2, Y2, T2 IF_BE(` vst1.8 {Y2,Y3}, [DST]!') IF_LE(` vstmia DST!, {Y0,Y1,Y2,Y3}') vadd.i32 Z0, Z0, T0 vadd.i32 Z1, Z1, T1 IF_BE(` vst1.8 {Z0,Z1}, [DST]!') vadd.i32 Z2, Z2, T2 vpop {q4,q5,q6,q7} IF_BE(` vst1.8 {Z2,Z3}, [DST]') IF_LE(` vstm DST, {Z0,Z1,Z2,Z3}') bx lr EPILOGUE(_nettle_chacha_3core) PROLOGUE(_nettle_chacha_3core32) add SRCp32, SRC, #32 vld1.32 {X0,X1}, [SRC] vld1.32 {X2,X3}, [SRCp32] vpush {q4,q5,q6,q7} adr r12, .Lcount1 vld1.32 {Z3}, [r12] vadd.i32 Y3, X3, Z3 C Increment 32-bit counter vadd.i32 Z3, Y3, Z3 b .Lshared_entry EPILOGUE(_nettle_chacha_3core32) nettle-3.10/arm/neon/umac-nh.asm0000644000175000017500000000507314633602172015535 0ustar nissenisseC arm/neon/umac-nh.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "umac-nh.asm" .fpu neon define(`KEY', `r0') define(`LENGTH', `r1') define(`MSG', `r2') define(`SHIFT', `r3') define(`QA', `q0') define(`QB', `q1') define(`DM', `d16') define(`QLEFT', `q9') define(`QRIGHT', `q10') define(`QY', `q11') define(`QT0', `q12') define(`QT1', `q13') define(`QK0', `q14') define(`QK1', `q15') .text .align 3 PROLOGUE(_nettle_umac_nh) C Setup for 64-bit aligned reads ands SHIFT, MSG, #7 and MSG, MSG, #-8 vld1.8 {DM}, [MSG :64] addne MSG, MSG, #8 addeq SHIFT, SHIFT, #8 C FIXME: Combine as rsb ? lsl SHIFT, SHIFT, #3 neg SHIFT, SHIFT C Right shift in QRIGHT (both halves) vmov.i32 D0REG(QRIGHT)[0], SHIFT vmov.32 D1REG(QRIGHT), D0REG(QRIGHT) add SHIFT, SHIFT, #64 vmov.i32 D0REG(QLEFT)[0], SHIFT vmov.32 D1REG(QLEFT), D0REG(QLEFT) vmov.i64 QY, #0 vshl.u64 DM, DM, D0REG(QRIGHT) .Loop: C Set m[i] <-- m[i-1] >> RSHIFT + m[i] << LSHIFT vld1.8 {QA, QB}, [MSG :64]! vshl.u64 QT0, QA, QRIGHT vshl.u64 QT1, QB, QRIGHT vshl.u64 QA, QA, QLEFT vshl.u64 QB, QB, QLEFT veor D0REG(QA), D0REG(QA), DM veor D1REG(QA), D1REG(QA), D0REG(QT0) veor D0REG(QB), D0REG(QB), D1REG(QT0) veor D1REG(QB), D1REG(QB), D0REG(QT1) vmov DM, D1REG(QT1) vld1.i32 {QK0, QK1}, [KEY]! vadd.i32 QA, QA, QK0 vadd.i32 QB, QB, QK1 subs LENGTH, LENGTH, #32 vmlal.u32 QY, D0REG(QA), D0REG(QB) vmlal.u32 QY, D1REG(QA), D1REG(QB) bhi .Loop vadd.i64 D0REG(QY), D0REG(QY), D1REG(QY) C return value needs to respect word order mandated by AAPCS IF_LE(` vmov r0, r1, D0REG(QY)') IF_BE(` vmov r1, r0, D0REG(QY)') bx lr EPILOGUE(_nettle_umac_nh) nettle-3.10/arm/aes.m40000644000175000017500000000260114633602172013550 0ustar nissenisseC Loads one word, and adds it to the subkey. Uses T0 C AES_LOAD(SRC, KEY, REG, INCR) define(`AES_LOAD_INCR', ` ldrb $3, [$1], #+1 ldrb T0, [$1], #+1 orr $3, T0, lsl #8 ldrb T0, [$1], #+1 orr $3, T0, lsl #16 ldrb T0, [$1], #+1 orr $3, T0, lsl #24 ldr T0, [$2], #$4 eor $3, T0 ') C Loads one word, and adds it to the subkey. Uses T0 C AES_LOAD(SRC, KEY, REG) define(`AES_LOAD', `AES_LOAD_INCR($1, $2, $3, +4)') C Stores one word. Destroys input. C AES_STORE(DST, X) define(`AES_STORE', ` strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 ror $2, $2, #8 strb $2, [$1], #+1 ') C AES_FINAL_ROUND_V6(a,b,c,d,key,res) define(`AES_FINAL_ROUND_V6', ` uxtb T0, $1 ldrb $6, [TABLE, T0] uxtb T0, $2, ror #8 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #8 uxtb T0, $3, ror #16 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #16 ldrb T0, [TABLE, $4, lsr #24] eor $6, $6, T0, lsl #24 ldr T0, [$5], #+4 eor $6, $6, T0 ') C AES_FINAL_ROUND_V5(a,b,c,d,key,res,mask) C Avoids the uxtb instruction, introduced in ARMv6. C The mask argument should hold the constant 0xff define(`AES_FINAL_ROUND_V5', ` and T0, $7, $1 ldrb $6, [TABLE, T0] and T0, $7, $2, ror #8 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #8 and T0, $7, $3, ror #16 ldrb T0, [TABLE, T0] eor $6, $6, T0, lsl #16 ldrb T0, [TABLE, $4, lsr #24] eor $6, $6, T0, lsl #24 ldr T0, [$5], #+4 eor $6, T0 ') nettle-3.10/arm/ecc-secp224r1-modp.asm0000644000175000017500000000563614633602172016365 0ustar nissenisseC arm/ecc-secp224r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp224r1-modp.asm" .arm define(`RP', `r1') C Overlaps T0 define(`XP', `r2') define(`H', `r0') C Overlaps unused modulo argument define(`T0', `r1') define(`T1', `r3') define(`T2', `r4') define(`T3', `r5') define(`T4', `r6') define(`T5', `r7') define(`T6', `r8') define(`N3', `r10') define(`L0', `r11') define(`L1', `r12') define(`L2', `lr') C ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(_nettle_ecc_secp224r1_modp) C Pushes RP last push {r1,r4,r5,r6,r7,r8,r10,r11,lr} add L2, XP, #28 ldm L2, {T0,T1,T2,T3,T4,T5,T6} mov H, #0 adds T0, T0, T4 adcs T1, T1, T5 adcs T2, T2, T6 adc H, H, #0 C This switch from adcs to sbcs takes carry into account with C correct sign, but it always subtracts 1 too much. We arrange C to also add B^7 + 1 below, so the effect is adding p. This C addition of p also ensures that the result never is C negative. sbcs N3, T3, T0 sbcs T4, T4, T1 sbcs T5, T5, T2 sbcs T6, T6, H mov H, #1 C This is the B^7 sbc H, #0 subs T6, T6, T3 sbc H, #0 C Now subtract from low half ldm XP!, {L0,L1,L2} C Clear carry, with the sbcs, this is the 1. adds XP, #0 sbcs T0, L0, T0 sbcs T1, L1, T1 sbcs T2, L2, T2 ldm XP!, {T3,L0,L1,L2} sbcs T3, T3, N3 sbcs T4, L0, T4 sbcs T5, L1, T5 sbcs T6, L2, T6 rsc H, H, #0 C Now -2 <= H <= 0 is the borrow, so subtract (B^3 - 1) |H| C Use (B^3 - 1) H = if -1 <=H <= 0, and C (B^3 - 1) H = <1,B-1, B-1, B-2> if H = -2 subs T0, T0, H asr L1, H, #1 sbcs T1, T1, L1 eor H, H, L1 sbcs T2, T2, L1 sbcs T3, T3, H sbcs T4, T4, #0 sbcs T5, T5, #0 sbcs T6, T6, #0 sbcs H, H, H pop {XP} C Original RP C Final borrow, subtract (B^3 - 1) |H| subs T0, T0, H sbcs T1, T1, H sbcs T2, T2, H sbcs T3, T3, #0 sbcs T4, T4, #0 sbcs T5, T5, #0 sbcs T6, T6, #0 stm XP, {T0,T1,T2,T3,T4,T5,T6} pop {r4,r5,r6,r7,r8,r10,r11,pc} EPILOGUE(_nettle_ecc_secp224r1_modp) nettle-3.10/arm/machine.m40000644000175000017500000000145614633602172014413 0ustar nissenissedefine(`QREG', `ifelse( $1, d0, q0, $1, d2, q1, $1, d4, q2, $1, d6, q3, $1, d8, q4, $1, d10, q5, $1, d12, q6, $1, d14, q7, $1, d16, q8, $1, d18, q9, $1, d20, q10, $1, d22, q11, $1, d24, q12, $1, d26, q13, $1, d28, q14, $1, d30, q15, `NO REGISTER')')dnl define(`D0REG', `ifelse( $1, q0, d0, $1, q1, d2, $1, q2, d4, $1, q3, d6, $1, q4, d8, $1, q5, d10, $1, q6, d12, $1, q7, d14, $1, q8, d16, $1, q9, d18, $1, q10, d20, $1, q11, d22, $1, q12, d24, $1, q13, d26, $1, q14, d28, $1, q15, d30, `NO REGISTER')')dnl define(`D1REG', `ifelse( $1, q0, d1, $1, q1, d3, $1, q2, d5, $1, q3, d7, $1, q4, d9, $1, q5, d11, $1, q6, d13, $1, q7, d15, $1, q8, d17, $1, q9, d19, $1, q10, d21, $1, q11, d23, $1, q12, d25, $1, q13, d27, $1, q14, d29, $1, q15, d31, `NO REGISTER')')dnl nettle-3.10/arm/README0000644000175000017500000001044314633602172013421 0ustar nissenisseCurrently, code in this directory is written for arm cortex-a9. For efficient loads and stores, use ldmia, stmia and friends. Can do two loads or stores per cycle with 8-byte aligned addresses, or three loads or stores in two cycles, regardless of alignment. 12 usable registers (if we exclude r9). ABI gnueabi(hf) (not depending on the floating point conventions) Registers May be Argument clobbered number r0 Y 1 r1 Y 2 r2 Y 3 r3 Y 4 r4 N r5 N r6 N r7 N r8 N r9 (sl) r10 N r11 N r12 (ip) Y r13 (sp) r14 (lr) N r15 (pc) q0 (d0, d1) Y 1 (for "hf" abi) q1 (d2, d3) Y 2 q2 (d4, d5) Y 3 q3 (d6, d7) Y 4 q4 (d8, d9) N q5 (d10, d11) N q6 (d12, d13) N q7 (d14, d15) N q8 (d16, d17) Y q9 (d18, d19) Y q10 (d20, d21) Y q11 (d22, d23) Y q12 (d24, d25) Y q13 (d26, d27) Y q14 (d28, d29) Y q15 (d30, d31) Y Endianness ARM supports big- and little-endian memory access modes. Representation in registers stays the same but loads and stores switch bytes. This has to be taken into account in various cases. Two m4 macros are provided to handle these special cases in assembly source: IF_LE(,) IF_BE(,) respectively expand to if the target system's endianness is little-endian or big-endian. Otherwise they expand to . 1. ldr/str Loading and storing 32-bit words will reverse the words' bytes in little-endian mode. If the handled data is actually a byte sequence or data in network byte order (big-endian), the loaded word needs to be reversed after load to get it back into correct sequence. See v6/sha1-compress.asm LOAD macro for example. 2. shifts If data is to be processed with bit operations only, endianness can be ignored because byte-swapping on load and store will cancel each other out. Shifts however have to be inverted. See arm/memxor.asm for an example. 3. v{ld,st}1.{8,32} NEON's vld instruction can be used to produce endianness-neutral code. vld1.8 will load a byte sequence into a register regardless of memory endianness. This can be used to process byte sequences. See arm/neon/umac-nh.asm for example. In the same fashion, vst1.8 can be used do a little-endian store. See arm/neon/salsa and chacha routines for examples. NOTE: vst1.x (at least on the Allwinner A20 Cortex-A7 implementation) seems to interfer with itself on subsequent calls, slowing it down. This can be avoided by putting calculcations or loads inbetween two vld1.x stores. Similarly, vld1.32 is used in chacha and salsa routines where 32-bit operands are stored in host-endianness in RAM but need to be loaded sequentially without the distortion introduced by vldm/vstm. Consecutive vld1.x instructions do not seem to suffer from slowdown similar to vst1.x. 4. vldm/vstm Care has to be taken when using vldm/vstm because they have two non-obvious characteristics: a. vldm/vstm do normal byte-swapping on each value they load. When loading into d (doubleword) registers, this means that bytes, halfwords and words of the doubleword get swapped. When the data loaded actually represents e.g. vectors of 32-bit words this will swap columns. a. vldm/vstm on q (quadword) registers get translated into lvdm/vstm on the equivalent number of d (doubleword) registers. Instead of a 128-bit load it does two 64-bit loads. When again handling vectors of 32-bit words this will still swap adjacent columns but will not reverse all four columns. memory adr0: w0 w1 w2 w3 register q0: w1 w0 w3 w2 See arm/neon/chacha-core-internal.asm for an example. 5. simple byte store Sometimes it is necessary to store remaining single bytes to memory. A simple logic will store the lowest byte from a register, then do a right shift and start over until all bytes are stored. Since this constitutes a least-significant-byte-first store, the data to be stored needs to be reversed first on a big-endian system. See arm/memxor.asm Lmemxor_leftover for an example. 6. Function parameters/return values AAPCS requires 64-bit parameters to be passed to and returned from functions "in two consecutive registers [...] as if the value had been loaded from memory representation with a single LDM instruction." Since loading a big-endian doubleword using ldm transposes its words, the same has to be done when e.g. returning a 64-bit value from an assembler routine. See arm/neon/umac-nh.asm for an example. nettle-3.10/arm/ecc-secp192r1-modp.asm0000644000175000017500000000457514633602172016372 0ustar nissenisseC arm/ecc-secp192r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp192r1-modp.asm" .arm define(`HP', `r0') C Overlaps unused modulo argument define(`RP', `r1') define(`XP', `r2') define(`T0', `r3') define(`T1', `r4') define(`T2', `r5') define(`T3', `r6') define(`T4', `r7') define(`T5', `r8') define(`T6', `r10') define(`T7', `r11') define(`H0', `T0') C Overlaps T0 and T1 define(`H1', `T1') define(`C2', `HP') define(`C4', `r12') C ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(_nettle_ecc_secp192r1_modp) push {r4,r5,r6,r7,r8,r10,r11} C Reduce two words at a time add HP, XP, #48 add XP, XP, #8 ldmdb HP!, {H0,H1} ldm XP, {T2,T3,T4,T5,T6,T7} mov C4, #0 adds T4, T4, H0 adcs T5, T5, H1 adcs T6, T6, H0 adcs T7, T7, H1 C Need to add carry to T2 and T4, do T4 later. adc C4, C4, #0 ldmdb HP!, {H0,H1} mov C2, #0 adcs T2, T2, H0 adcs T3, T3, H1 adcs T4, T4, H0 adcs T5, T5, H1 C Need to add carry to T0 and T2, do T2 later adc C2, C2, #0 ldmdb XP!, {T0, T1} adcs T0, T0, T6 adcs T1, T1, T7 adcs T2, T2, T6 adcs T3, T3, T7 adc C4, C4, #0 adds T2, T2, C2 adcs T3, T3, #0 adcs T4, T4, C4 adcs T5, T5, #0 mov C2, #0 adc C2, C2, #0 C Add in final carry adcs T0, T0, #0 adcs T1, T1, #0 adcs T2, T2, C2 adcs T3, T3, #0 adcs T4, T4, #0 adc T5, T5, #0 stm RP, {T0,T1,T2,T3,T4,T5} pop {r4,r5,r6,r7,r8,r10,r11} bx lr EPILOGUE(_nettle_ecc_secp192r1_modp) nettle-3.10/arm/memxor3.asm0000644000175000017500000001562414633602172014643 0ustar nissenisseC arm/memxor3.asm ifelse(` Copyright (C) 2013, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Possible speedups: C C The ldm instruction can do load two registers per cycle, C if the address is two-word aligned. Or three registers in two C cycles, regardless of alignment. C Register usage: define(`DST', `r0') define(`AP', `r1') define(`BP', `r2') define(`N', `r3') C Temporaries r4-r7 define(`ACNT', `r8') define(`ATNC', `r10') define(`BCNT', `r11') define(`BTNC', `r12') C little-endian and big-endian need to shift in different directions for C alignment correction define(`S0ADJ', IF_LE(`lsr', `lsl')) define(`S1ADJ', IF_LE(`lsl', `lsr')) .syntax unified .file "memxor3.asm" .text .arm C memxor3(void *dst, const void *a, const void *b, size_t n) .align 2 PROLOGUE(nettle_memxor3) cmp N, #0 beq .Lmemxor3_ret push {r4,r5,r6,r7,r8,r10,r11} cmp N, #7 add AP, N add BP, N add DST, N bcs .Lmemxor3_large C Simple byte loop .Lmemxor3_bytes: ldrb r4, [AP, #-1]! ldrb r5, [BP, #-1]! eor r4, r5 strb r4, [DST, #-1]! subs N, #1 bne .Lmemxor3_bytes .Lmemxor3_done: pop {r4,r5,r6,r7,r8,r10,r11} .Lmemxor3_ret: bx lr .Lmemxor3_align_loop: ldrb r4, [AP, #-1]! ldrb r5, [BP, #-1]! eor r5, r4 strb r5, [DST, #-1]! sub N, #1 .Lmemxor3_large: tst DST, #3 bne .Lmemxor3_align_loop C We have at least 4 bytes left to do here. sub N, #4 ands ACNT, AP, #3 lsl ACNT, #3 beq .Lmemxor3_a_aligned ands BCNT, BP, #3 lsl BCNT, #3 bne .Lmemxor3_uu C Swap mov r4, AP mov AP, BP mov BP, r4 .Lmemxor3_au: C NOTE: We have the relevant shift count in ACNT, not BCNT C AP is aligned, BP is not C v original SRC C +-------+------+ C |SRC-4 |SRC | C +---+---+------+ C |DST-4 | C +-------+ C C With little-endian, we need to do C DST[i-i] ^= (SRC[i-i] >> CNT) ^ (SRC[i] << TNC) C With big-endian, we need to do C DST[i-i] ^= (SRC[i-i] << CNT) ^ (SRC[i] >> TNC) rsb ATNC, ACNT, #32 bic BP, #3 ldr r4, [BP] tst N, #4 itet eq moveq r5, r4 subne N, #4 beq .Lmemxor3_au_odd .Lmemxor3_au_loop: ldr r5, [BP, #-4]! ldr r6, [AP, #-4]! eor r6, r6, r4, S1ADJ ATNC eor r6, r6, r5, S0ADJ ACNT str r6, [DST, #-4]! .Lmemxor3_au_odd: ldr r4, [BP, #-4]! ldr r6, [AP, #-4]! eor r6, r6, r5, S1ADJ ATNC eor r6, r6, r4, S0ADJ ACNT str r6, [DST, #-4]! subs N, #8 bcs .Lmemxor3_au_loop adds N, #8 beq .Lmemxor3_done C Leftover bytes in r4, low end on LE and high end on BE before C preparatory alignment correction ldr r5, [AP, #-4] eor r4, r5, r4, S1ADJ ATNC C now byte-aligned in high end on LE and low end on BE because we're C working downwards in saving the very first bytes of the buffer .Lmemxor3_au_leftover: C Store a byte at a time C bring uppermost byte down for saving while preserving lower ones IF_LE(` ror r4, #24') strb r4, [DST, #-1]! subs N, #1 beq .Lmemxor3_done subs ACNT, #8 C bring down next byte, no need to preserve IF_BE(` lsr r4, #8') sub AP, #1 bne .Lmemxor3_au_leftover b .Lmemxor3_bytes .Lmemxor3_a_aligned: ands ACNT, BP, #3 lsl ACNT, #3 bne .Lmemxor3_au ; C a, b and dst all have the same alignment. subs N, #8 bcc .Lmemxor3_aligned_word_end C This loop runs at 8 cycles per iteration. It has been C observed running at only 7 cycles, for this speed, the loop C started at offset 0x2ac in the object file. C FIXME: consider software pipelining, similarly to the memxor C loop. .Lmemxor3_aligned_word_loop: ldmdb AP!, {r4,r5,r6} ldmdb BP!, {r7,r8,r10} subs N, #12 eor r4, r7 eor r5, r8 eor r6, r10 stmdb DST!, {r4, r5,r6} bcs .Lmemxor3_aligned_word_loop .Lmemxor3_aligned_word_end: C We have 0-11 bytes left to do, and N holds number of bytes -12. adds N, #4 bcc .Lmemxor3_aligned_lt_8 C Do 8 bytes more, leftover is in N ldmdb AP!, {r4, r5} ldmdb BP!, {r6, r7} eor r4, r6 eor r5, r7 stmdb DST!, {r4,r5} beq .Lmemxor3_done b .Lmemxor3_bytes .Lmemxor3_aligned_lt_8: adds N, #4 bcc .Lmemxor3_aligned_lt_4 ldr r4, [AP,#-4]! ldr r5, [BP,#-4]! eor r4, r5 str r4, [DST,#-4]! beq .Lmemxor3_done b .Lmemxor3_bytes .Lmemxor3_aligned_lt_4: adds N, #4 beq .Lmemxor3_done b .Lmemxor3_bytes .Lmemxor3_uu: cmp ACNT, BCNT bic AP, #3 bic BP, #3 rsb ATNC, ACNT, #32 bne .Lmemxor3_uud C AP and BP are unaligned in the same way ldr r4, [AP] ldr r6, [BP] eor r4, r6 tst N, #4 itet eq moveq r5, r4 subne N, #4 beq .Lmemxor3_uu_odd .Lmemxor3_uu_loop: ldr r5, [AP, #-4]! ldr r6, [BP, #-4]! eor r5, r6 S1ADJ r4, ATNC eor r4, r4, r5, S0ADJ ACNT str r4, [DST, #-4]! .Lmemxor3_uu_odd: ldr r4, [AP, #-4]! ldr r6, [BP, #-4]! eor r4, r6 S1ADJ r5, ATNC eor r5, r5, r4, S0ADJ ACNT str r5, [DST, #-4]! subs N, #8 bcs .Lmemxor3_uu_loop adds N, #8 beq .Lmemxor3_done C Leftover bytes in r4, low end on LE and high end on BE before C preparatory alignment correction IF_LE(` ror r4, ACNT') IF_BE(` ror r4, ATNC') C now byte-aligned in high end on LE and low end on BE because we're C working downwards in saving the very first bytes of the buffer .Lmemxor3_uu_leftover: C bring uppermost byte down for saving while preserving lower ones IF_LE(` ror r4, #24') strb r4, [DST, #-1]! subs N, #1 beq .Lmemxor3_done subs ACNT, #8 C bring down next byte, no need to preserve IF_BE(` lsr r4, #8') bne .Lmemxor3_uu_leftover b .Lmemxor3_bytes .Lmemxor3_uud: C Both AP and BP unaligned, and in different ways rsb BTNC, BCNT, #32 ldr r4, [AP] ldr r6, [BP] tst N, #4 ittet eq moveq r5, r4 moveq r7, r6 subne N, #4 beq .Lmemxor3_uud_odd .Lmemxor3_uud_loop: ldr r5, [AP, #-4]! ldr r7, [BP, #-4]! S1ADJ r4, ATNC eor r4, r4, r6, S1ADJ BTNC eor r4, r4, r5, S0ADJ ACNT eor r4, r4, r7, S0ADJ BCNT str r4, [DST, #-4]! .Lmemxor3_uud_odd: ldr r4, [AP, #-4]! ldr r6, [BP, #-4]! S1ADJ r5, ATNC eor r5, r5, r7, S1ADJ BTNC eor r5, r5, r4, S0ADJ ACNT eor r5, r5, r6, S0ADJ BCNT str r5, [DST, #-4]! subs N, #8 bcs .Lmemxor3_uud_loop adds N, #8 beq .Lmemxor3_done C FIXME: More clever left-over handling? For now, just adjust pointers. add AP, AP, ACNT, lsr #3 add BP, BP, BCNT, lsr #3 b .Lmemxor3_bytes EPILOGUE(nettle_memxor3) nettle-3.10/arm/fat/0000755000175000017500000000000014633602172013311 5ustar nissenissenettle-3.10/arm/fat/aes-encrypt-internal-2.asm0000644000175000017500000000215514633602172020221 0ustar nissenisseC arm/fat/aes-encrypt-internal-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_armv6') include_src(`arm/v6/aes-encrypt-internal.asm') nettle-3.10/arm/fat/aes-decrypt-internal.asm0000644000175000017500000000214614633602172020050 0ustar nissenisseC arm/fat/aes-decrypt-internal.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_arm') include_src(`arm/aes-decrypt-internal.asm') nettle-3.10/arm/fat/sha256-compress-n-2.asm0000644000175000017500000000224714633602172017253 0ustar nissenisseC arm/fat/sha256-compress-n-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha256_compress_n) picked up by configure define(`fat_transform', `$1_armv6') include_src(`arm/v6/sha256-compress-n.asm') nettle-3.10/arm/fat/aes-decrypt-internal-2.asm0000644000175000017500000000215514633602172020207 0ustar nissenisseC arm/fat/aes-decrypt-internal-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_armv6') include_src(`arm/v6/aes-decrypt-internal.asm') nettle-3.10/arm/fat/umac-nh-n-2.asm0000644000175000017500000000222014633602172015731 0ustar nissenisseC arm/fat/umac-nh-n-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_umac_nh_n) picked up by configure define(`fat_transform', `$1_neon') include_src(`arm/neon/umac-nh-n.asm') nettle-3.10/arm/fat/umac-nh-2.asm0000644000175000017500000000221214633602172015477 0ustar nissenisseC arm/fat/umac-nh-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_umac_nh) picked up by configure define(`fat_transform', `$1_neon') include_src(`arm/neon/umac-nh.asm') nettle-3.10/arm/fat/salsa20-2core.asm0000644000175000017500000000217314633602172016273 0ustar nissenisseC arm/fat/salsa20-2core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_salsa20_2core) picked up by configure include_src(`arm/neon/salsa20-2core.asm') nettle-3.10/arm/fat/aes-encrypt-internal.asm0000644000175000017500000000214614633602172020062 0ustar nissenisseC arm/fat/aes-encrypt-internal.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') define(`fat_transform', `$1_arm') include_src(`arm/aes-encrypt-internal.asm') nettle-3.10/arm/fat/sha512-compress-2.asm0000644000175000017500000000224014633602172017004 0ustar nissenisseC arm/fat/sha3-compress-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha512_compress) picked up by configure define(`fat_transform', `$1_neon') include_src(`arm/neon/sha512-compress.asm') nettle-3.10/arm/fat/sha3-permute-2.asm0000644000175000017500000000223214633602172016466 0ustar nissenisseC arm/fat/sha3-permute-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_sha3_permute) picked up by configure define(`fat_transform', `_$1_neon') include_src(`arm/neon/sha3-permute.asm') nettle-3.10/arm/fat/chacha-3core.asm0000644000175000017500000000217014633602172016233 0ustar nissenisseC arm/fat/chacha-3core.asm ifelse(` Copyright (C) 2020 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(_nettle_fat_chacha_3core) picked up by configure include_src(`arm/neon/chacha-3core.asm') nettle-3.10/arm/fat/sha1-compress-2.asm0000644000175000017500000000223314633602172016637 0ustar nissenisseC arm/fat/sha1-compress-2.asm ifelse(` Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') dnl PROLOGUE(nettle_sha1_compress) picked up by configure define(`fat_transform', `_$1_armv6') include_src(`arm/v6/sha1-compress.asm') nettle-3.10/arm/aes-encrypt-internal.asm0000644000175000017500000001075114633602172017311 0ustar nissenisseC arm/aes-encrypt-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') include_src(`arm/aes.m4') C Benchmarked at at 725, 815, 990 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. define(`PARAM_ROUNDS', `r0') define(`PARAM_KEYS', `r1') define(`TABLE', `r2') define(`PARAM_LENGTH', `r3') C On stack: DST, SRC define(`W0', `r4') define(`W1', `r5') define(`W2', `r6') define(`W3', `r7') define(`T0', `r8') define(`COUNT', `r10') define(`KEY', `r11') define(`MASK', `r0') C Overlaps inputs, except TABLE define(`X0', `r1') define(`X1', `r3') define(`X2', `r12') define(`X3', `r14') C lr define(`FRAME_ROUNDS', `[sp]') define(`FRAME_KEYS', `[sp, #+4]') define(`FRAME_LENGTH', `[sp, #+8]') C 8 saved registers define(`FRAME_DST', `[sp, #+44]') define(`FRAME_SRC', `[sp, #+48]') C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) C MASK should hold the constant 0x3fc. define(`AES_ENCRYPT_ROUND', ` and T0, MASK, $1, lsl #2 ldr $5, [TABLE, T0] and T0, MASK, $2, lsl #2 ldr $6, [TABLE, T0] and T0, MASK, $3, lsl #2 ldr $7, [TABLE, T0] and T0, MASK, $4, lsl #2 ldr $8, [TABLE, T0] and T0, MASK, $2, ror #6 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $3, ror #6 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $4, ror #6 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $1, ror #6 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $3, ror #14 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $4, ror #14 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $1, ror #14 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $2, ror #14 ldr T0, [TABLE, T0] eor $8, $8, T0 and T0, MASK, $4, ror #22 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0] eor $5, $5, T0 and T0, MASK, $1, ror #22 ldr T0, [TABLE, T0] eor $6, $6, T0 and T0, MASK, $2, ror #22 ldr T0, [TABLE, T0] eor $7, $7, T0 and T0, MASK, $3, ror #22 ldr T0, [TABLE, T0] ldm $9!, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 ') .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_encrypt) teq PARAM_LENGTH, #0 beq .Lend push {r0,r1,r3, r4,r5,r6,r7,r8,r10,r11,lr} mov MASK, #0x3fc ALIGN(16) .Lblock_loop: ldr X0, FRAME_SRC C Use X0 as SRC pointer ldm sp, {COUNT, KEY} AES_LOAD(X0,KEY,W0) AES_LOAD(X0,KEY,W1) AES_LOAD(X0,KEY,W2) AES_LOAD(X0,KEY,W3) str X0, FRAME_SRC add TABLE, TABLE, #AES_TABLE0 b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop lsr COUNT, MASK, #2 C Put the needed mask in the unused COUNT register sub TABLE, TABLE, #AES_TABLE0 C Final round AES_FINAL_ROUND_V5(X0, X1, X2, X3, KEY, W0, COUNT) AES_FINAL_ROUND_V5(X1, X2, X3, X0, KEY, W1, COUNT) AES_FINAL_ROUND_V5(X2, X3, X0, X1, KEY, W2, COUNT) AES_FINAL_ROUND_V5(X3, X0, X1, X2, KEY, W3, COUNT) ldr X0, FRAME_DST ldr X1, FRAME_LENGTH AES_STORE(X0,W0) AES_STORE(X0,W1) AES_STORE(X0,W2) AES_STORE(X0,W3) subs X1, X1, #16 str X0, FRAME_DST str X1, FRAME_LENGTH bhi .Lblock_loop add sp, sp, #12 C Drop saved r0, r1, r3 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_encrypt) nettle-3.10/arm/v6/0000755000175000017500000000000014633602172013072 5ustar nissenissenettle-3.10/arm/v6/aes-decrypt-internal.asm0000644000175000017500000001026114633602172017626 0ustar nissenisseC arm/v6/aes-decrypt-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .arch armv6 include_src(`arm/aes.m4') define(`PARAM_ROUNDS', `r0') define(`PARAM_KEYS', `r1') define(`TABLE', `r2') define(`LENGTH', `r3') C On stack: DST, SRC define(`W0', `r4') define(`W1', `r5') define(`W2', `r6') define(`W3', `r7') define(`T0', `r8') define(`COUNT', `r10') define(`KEY', `r11') define(`X0', `r0') C Overlaps PARAM_ROUNDS and PARAM_KEYS define(`X1', `r1') define(`X2', `r12') define(`X3', `r14') C lr define(`FRAME_ROUNDS', `[sp]') define(`FRAME_KEYS', `[sp, #+4]') C 8 saved registers define(`FRAME_DST', `[sp, #+40]') define(`FRAME_SRC', `[sp, #+44]') define(`SRC', `r12') C Overlap registers used in inner loop. define(`DST', `COUNT') C AES_DECRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) define(`AES_DECRYPT_ROUND', ` uxtb T0, $1 ldr $5, [TABLE, T0, lsl #2] uxtb T0, $2 ldr $6, [TABLE, T0, lsl #2] uxtb T0, $3 ldr $7, [TABLE, T0, lsl #2] uxtb T0, $4 ldr $8, [TABLE, T0, lsl #2] uxtb T0, $4, ror #8 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $1, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $2, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $3, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $3, ror #16 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $4, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $1, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $2, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $2, ror #24 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $3, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $4, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $1, ror #24 ldr T0, [TABLE, T0, lsl #2] ldm $9, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 sub $9, $9, #16 eor $7, $7, $3 eor $8, $8, $4 ') .file "aes-decrypt-internal.asm" C _aes_decrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_decrypt) teq LENGTH, #0 beq .Lend ldr SRC, [sp, #+4] push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} ALIGN(16) .Lblock_loop: ldm sp, {COUNT, KEY} add TABLE, TABLE, #AES_TABLE0 AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD_INCR(SRC,KEY,W3, -28) str SRC, FRAME_SRC b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_DECRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_DECRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 C Final round ldr DST, FRAME_DST AES_FINAL_ROUND_V6(X0, X3, X2, X1, KEY, W0) AES_FINAL_ROUND_V6(X1, X0, X3, X2, KEY, W1) AES_FINAL_ROUND_V6(X2, X1, X0, X3, KEY, W2) AES_FINAL_ROUND_V6(X3, X2, X1, X0, KEY, W3) ldr SRC, FRAME_SRC AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_decrypt) nettle-3.10/arm/v6/sha1-compress.asm0000644000175000017500000001452214633602172016265 0ustar nissenisseC arm/v6/sha1-compress.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha1-compress.asm" .arch armv6 define(`STATE', `r0') define(`INPUT', `r1') define(`SA', `r2') define(`SB', `r3') define(`SC', `r4') define(`SD', `r5') define(`SE', `r6') define(`T0', `r7') define(`SHIFT', `r8') define(`WPREV', `r10') define(`W', `r12') define(`K', `lr') C FIXME: Could avoid a mov with even and odd variants. define(`LOAD', ` ldr T0, [INPUT], #+4 sel W, WPREV, T0 ror W, W, SHIFT mov WPREV, T0 IF_LE(` rev W, W') str W, [SP,#eval(4*$1)] ') define(`EXPN', ` ldr W, [sp, #+eval(4*$1)] ldr T0, [sp, #+eval(4*(($1 + 2) % 16))] eor W, W, T0 ldr T0, [sp, #+eval(4*(($1 + 8) % 16))] eor W, W, T0 ldr T0, [sp, #+eval(4*(($1 + 13) % 16))] eor W, W, T0 ror W, W, #31 str W, [sp, #+eval(4*$1)] ') C F1(B,C,D) = D^(B&(C^D)) C ROUND1(A,B,C,D,E) define(`ROUND1', ` eor T0, $3, $4 add $5, $5, K and T0, T0, $2 add $5, $5, $1, ror #27 eor T0, T0, $4 add $5, $5, W ror $2, $2, #2 add $5, $5, T0 ') C F2(B,C,D) = B^C^D define(`ROUND2', ` eor T0, $2, $4 add $5, $5, K eor T0, T0, $3 add $5, $5, $1, ror #27 add $5, $5, W ror $2, $2, #2 add $5, $5, T0 ') C F3(B,C,D) = (B&C) | (D & (B|C)) = (B & (C ^ D)) + (C & D) define(`ROUND3', ` eor T0, $3, $4 add $5, $5, K and T0, T0, $2 add $5, $5, $1, ror #27 add $5, $5, T0 add $5, $5, W and T0, $3, $4 ror $2, $2, #2 add $5, $5, T0 ') C void nettle_sha1_compress(uint32_t *state, const uint8_t *input) .text .align 2 .LK1: .int 0x5A827999 .LK2: .int 0x6ED9EBA1 .LK3: .int 0x8F1BBCDC PROLOGUE(nettle_sha1_compress) push {r4,r5,r6,r7,r8,r10,lr} sub sp, sp, #64 C Sets SHIFT to 8*low bits of input pointer. Sets up GE flags C as follows, corresponding to bytes to be used from WPREV C SHIFT 0 8 16 24 C CPSR.GE 0000 1110 1100 1000 ands SHIFT, INPUT, #3 and INPUT, INPUT, $-4 ldr WPREV, [INPUT] addne INPUT, INPUT, #4 C Unaligned input lsl SHIFT, SHIFT, #3 mov T0, #0 movne T0, #-1 IF_LE(` lsl W, T0, SHIFT') IF_BE(` lsr W, T0, SHIFT') uadd8 T0, T0, W C Sets APSR.GE bits C on BE rotate right by 32-SHIFT bits C because there is no rotate left IF_BE(` rsb SHIFT, SHIFT, #32') ldr K, .LK1 ldm STATE, {SA,SB,SC,SD,SE} LOAD( 0) ROUND1(SA, SB, SC, SD, SE) LOAD( 1) ROUND1(SE, SA, SB, SC, SD) LOAD( 2) ROUND1(SD, SE, SA, SB, SC) LOAD( 3) ROUND1(SC, SD, SE, SA, SB) LOAD( 4) ROUND1(SB, SC, SD, SE, SA) LOAD( 5) ROUND1(SA, SB, SC, SD, SE) LOAD( 6) ROUND1(SE, SA, SB, SC, SD) LOAD( 7) ROUND1(SD, SE, SA, SB, SC) LOAD( 8) ROUND1(SC, SD, SE, SA, SB) LOAD( 9) ROUND1(SB, SC, SD, SE, SA) LOAD(10) ROUND1(SA, SB, SC, SD, SE) LOAD(11) ROUND1(SE, SA, SB, SC, SD) LOAD(12) ROUND1(SD, SE, SA, SB, SC) LOAD(13) ROUND1(SC, SD, SE, SA, SB) LOAD(14) ROUND1(SB, SC, SD, SE, SA) LOAD(15) ROUND1(SA, SB, SC, SD, SE) EXPN( 0) ROUND1(SE, SA, SB, SC, SD) EXPN( 1) ROUND1(SD, SE, SA, SB, SC) EXPN( 2) ROUND1(SC, SD, SE, SA, SB) EXPN( 3) ROUND1(SB, SC, SD, SE, SA) ldr K, .LK2 EXPN( 4) ROUND2(SA, SB, SC, SD, SE) EXPN( 5) ROUND2(SE, SA, SB, SC, SD) EXPN( 6) ROUND2(SD, SE, SA, SB, SC) EXPN( 7) ROUND2(SC, SD, SE, SA, SB) EXPN( 8) ROUND2(SB, SC, SD, SE, SA) EXPN( 9) ROUND2(SA, SB, SC, SD, SE) EXPN(10) ROUND2(SE, SA, SB, SC, SD) EXPN(11) ROUND2(SD, SE, SA, SB, SC) EXPN(12) ROUND2(SC, SD, SE, SA, SB) EXPN(13) ROUND2(SB, SC, SD, SE, SA) EXPN(14) ROUND2(SA, SB, SC, SD, SE) EXPN(15) ROUND2(SE, SA, SB, SC, SD) EXPN( 0) ROUND2(SD, SE, SA, SB, SC) EXPN( 1) ROUND2(SC, SD, SE, SA, SB) EXPN( 2) ROUND2(SB, SC, SD, SE, SA) EXPN( 3) ROUND2(SA, SB, SC, SD, SE) EXPN( 4) ROUND2(SE, SA, SB, SC, SD) EXPN( 5) ROUND2(SD, SE, SA, SB, SC) EXPN( 6) ROUND2(SC, SD, SE, SA, SB) EXPN( 7) ROUND2(SB, SC, SD, SE, SA) ldr K, .LK3 EXPN( 8) ROUND3(SA, SB, SC, SD, SE) EXPN( 9) ROUND3(SE, SA, SB, SC, SD) EXPN(10) ROUND3(SD, SE, SA, SB, SC) EXPN(11) ROUND3(SC, SD, SE, SA, SB) EXPN(12) ROUND3(SB, SC, SD, SE, SA) EXPN(13) ROUND3(SA, SB, SC, SD, SE) EXPN(14) ROUND3(SE, SA, SB, SC, SD) EXPN(15) ROUND3(SD, SE, SA, SB, SC) EXPN( 0) ROUND3(SC, SD, SE, SA, SB) EXPN( 1) ROUND3(SB, SC, SD, SE, SA) EXPN( 2) ROUND3(SA, SB, SC, SD, SE) EXPN( 3) ROUND3(SE, SA, SB, SC, SD) EXPN( 4) ROUND3(SD, SE, SA, SB, SC) EXPN( 5) ROUND3(SC, SD, SE, SA, SB) EXPN( 6) ROUND3(SB, SC, SD, SE, SA) EXPN( 7) ROUND3(SA, SB, SC, SD, SE) EXPN( 8) ROUND3(SE, SA, SB, SC, SD) EXPN( 9) ROUND3(SD, SE, SA, SB, SC) EXPN(10) ROUND3(SC, SD, SE, SA, SB) EXPN(11) ROUND3(SB, SC, SD, SE, SA) ldr K, .LK4 EXPN(12) ROUND2(SA, SB, SC, SD, SE) EXPN(13) ROUND2(SE, SA, SB, SC, SD) EXPN(14) ROUND2(SD, SE, SA, SB, SC) EXPN(15) ROUND2(SC, SD, SE, SA, SB) EXPN( 0) ROUND2(SB, SC, SD, SE, SA) EXPN( 1) ROUND2(SA, SB, SC, SD, SE) EXPN( 2) ROUND2(SE, SA, SB, SC, SD) EXPN( 3) ROUND2(SD, SE, SA, SB, SC) EXPN( 4) ROUND2(SC, SD, SE, SA, SB) EXPN( 5) ROUND2(SB, SC, SD, SE, SA) EXPN( 6) ROUND2(SA, SB, SC, SD, SE) EXPN( 7) ROUND2(SE, SA, SB, SC, SD) EXPN( 8) ROUND2(SD, SE, SA, SB, SC) EXPN( 9) ROUND2(SC, SD, SE, SA, SB) EXPN(10) ROUND2(SB, SC, SD, SE, SA) EXPN(11) ROUND2(SA, SB, SC, SD, SE) EXPN(12) ROUND2(SE, SA, SB, SC, SD) EXPN(13) ROUND2(SD, SE, SA, SB, SC) EXPN(14) ROUND2(SC, SD, SE, SA, SB) EXPN(15) ROUND2(SB, SC, SD, SE, SA) C Use registers we no longer need. ldm STATE, {INPUT,T0,SHIFT,W,K} add SA, SA, INPUT add SB, SB, T0 add SC, SC, SHIFT add SD, SD, W add SE, SE, K add sp, sp, #64 stm STATE, {SA,SB,SC,SD,SE} pop {r4,r5,r6,r7,r8,r10,pc} EPILOGUE(nettle_sha1_compress) .LK4: .int 0xCA62C1D6 nettle-3.10/arm/v6/aes-encrypt-internal.asm0000644000175000017500000001065114633602172017643 0ustar nissenisseC arm/v6/aes-encrypt-internal.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .arch armv6 include_src(`arm/aes.m4') C Benchmarked at at 706, 870, 963 cycles/block on cortex A9, C for 128, 192 and 256 bit key sizes. C Possible improvements: More efficient load and store with C aligned accesses. Better scheduling. define(`PARAM_ROUNDS', `r0') define(`PARAM_KEYS', `r1') define(`TABLE', `r2') define(`LENGTH', `r3') C On stack: DST, SRC define(`W0', `r4') define(`W1', `r5') define(`W2', `r6') define(`W3', `r7') define(`T0', `r8') define(`COUNT', `r10') define(`KEY', `r11') define(`X0', `r0') C Overlaps PARAM_ROUNDS and PARAM_KEYS define(`X1', `r1') define(`X2', `r12') define(`X3', `r14') C lr define(`FRAME_ROUNDS', `[sp]') define(`FRAME_KEYS', `[sp, #+4]') C 8 saved registers define(`FRAME_DST', `[sp, #+40]') define(`FRAME_SRC', `[sp, #+44]') define(`SRC', `r12') C Overlap registers used in inner loop. define(`DST', `COUNT') C 53 instr. C It's tempting to use eor with rotation, but that's slower. C AES_ENCRYPT_ROUND(x0,x1,x2,x3,w0,w1,w2,w3,key) define(`AES_ENCRYPT_ROUND', ` uxtb T0, $1 ldr $5, [TABLE, T0, lsl #2] uxtb T0, $2 ldr $6, [TABLE, T0, lsl #2] uxtb T0, $3 ldr $7, [TABLE, T0, lsl #2] uxtb T0, $4 ldr $8, [TABLE, T0, lsl #2] uxtb T0, $2, ror #8 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $3, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $4, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $1, ror #8 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $3, ror #16 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $4, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $1, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $2, ror #16 ldr T0, [TABLE, T0, lsl #2] eor $8, $8, T0 uxtb T0, $4, ror #24 add TABLE, TABLE, #1024 ldr T0, [TABLE, T0, lsl #2] eor $5, $5, T0 uxtb T0, $1, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $6, $6, T0 uxtb T0, $2, ror #24 ldr T0, [TABLE, T0, lsl #2] eor $7, $7, T0 uxtb T0, $3, ror #24 ldr T0, [TABLE, T0, lsl #2] ldm $9!, {$1,$2,$3,$4} eor $8, $8, T0 sub TABLE, TABLE, #3072 eor $5, $5, $1 eor $6, $6, $2 eor $7, $7, $3 eor $8, $8, $4 ') .file "aes-encrypt-internal.asm" C _aes_encrypt(unsigned rounds, const uint32_t *keys, C const struct aes_table *T, C size_t length, uint8_t *dst, C uint8_t *src) .text ALIGN(4) PROLOGUE(_nettle_aes_encrypt) teq LENGTH, #0 beq .Lend ldr SRC, [sp, #+4] push {r0,r1, r4,r5,r6,r7,r8,r10,r11,lr} ALIGN(16) .Lblock_loop: ldm sp, {COUNT, KEY} add TABLE, TABLE, #AES_TABLE0 AES_LOAD(SRC,KEY,W0) AES_LOAD(SRC,KEY,W1) AES_LOAD(SRC,KEY,W2) AES_LOAD(SRC,KEY,W3) str SRC, FRAME_SRC b .Lentry ALIGN(16) .Lround_loop: C Transform X -> W AES_ENCRYPT_ROUND(X0, X1, X2, X3, W0, W1, W2, W3, KEY) .Lentry: subs COUNT, COUNT,#2 C Transform W -> X AES_ENCRYPT_ROUND(W0, W1, W2, W3, X0, X1, X2, X3, KEY) bne .Lround_loop sub TABLE, TABLE, #AES_TABLE0 C Final round ldr DST, FRAME_DST AES_FINAL_ROUND_V6(X0, X1, X2, X3, KEY, W0) AES_FINAL_ROUND_V6(X1, X2, X3, X0, KEY, W1) AES_FINAL_ROUND_V6(X2, X3, X0, X1, KEY, W2) AES_FINAL_ROUND_V6(X3, X0, X1, X2, KEY, W3) ldr SRC, FRAME_SRC AES_STORE(DST,W0) AES_STORE(DST,W1) AES_STORE(DST,W2) AES_STORE(DST,W3) str DST, FRAME_DST subs LENGTH, LENGTH, #16 bhi .Lblock_loop add sp, sp, #8 C Drop saved r0, r1 pop {r4,r5,r6,r7,r8,r10,r11,pc} .Lend: bx lr EPILOGUE(_nettle_aes_encrypt) nettle-3.10/arm/v6/sha256-compress-n.asm0000644000175000017500000001422014633602172016667 0ustar nissenisseC arm/v6/sha256-compress-n.asm ifelse(` Copyright (C) 2013, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "sha256-compress-n.asm" .arch armv6 define(`STATE', `r0') define(`K', `r1') define(`BLOCKS', `r2') define(`INPUT', `r3') define(`SA', `r2') C Overlap BLOCKS define(`SB', `r4') define(`SC', `r5') define(`SD', `r6') define(`SE', `r7') define(`SF', `r8') define(`SG', `r10') define(`SH', `r11') define(`T0', `r12') define(`T1', `r3') C Overlap INPUT define(`COUNT', `r0') C Overlap STATE define(`W', `r14') C Used for data load. Must not clobber STATE (r0), K (r1) or INPUT (r3) define(`I0', `r2') define(`I1', `r4') define(`I2', `r5') define(`I3', `r6') define(`I4', `r7') define(`DST', `r8') define(`SHIFT', `r10') define(`ILEFT', `r11') define(`EXPN', ` ldr W, [sp, #+eval(4*$1)] ldr T0, [sp, #+eval(4*(($1 + 14) % 16))] ror T1, T0, #17 eor T1, T1, T0, ror #19 eor T1, T1, T0, lsr #10 add W, W, T1 ldr T0, [sp, #+eval(4*(($1 + 9) % 16))] add W, W, T0 ldr T0, [sp, #+eval(4*(($1 + 1) % 16))] ror T1, T0, #7 eor T1, T1, T0, ror #18 eor T1, T1, T0, lsr #3 add W, W, T1 str W, [sp, #+eval(4*$1)] ') C ROUND(A,B,C,D,E,F,G,H) C C H += S1(E) + Choice(E,F,G) + K + W C D += H C H += S0(A) + Majority(A,B,C) C C Where C C S1(E) = E<<<26 ^ E<<<21 ^ E<<<7 C S0(A) = A<<<30 ^ A<<<19 ^ A<<<10 C Choice (E, F, G) = G^(E&(F^G)) C Majority (A,B,C) = (A&B) + (C&(A^B)) define(`ROUND', ` ror T0, $5, #6 eor T0, T0, $5, ror #11 eor T0, T0, $5, ror #25 add $8, $8, T0 eor T0, $6, $7 and T0, T0, $5 eor T0, T0, $7 add $8,$8, T0 ldr T0, [K], #+4 add $8, $8, W add $8, $8, T0 add $4, $4, $8 ror T0, $1, #2 eor T0, T0, $1, ror #13 eor T0, T0, $1, ror #22 add $8, $8, T0 and T0, $1, $2 add $8, $8, T0 eor T0, $1, $2 and T0, T0, $3 add $8, $8, T0 ') define(`NOEXPN', ` ldr W, [sp, + $1] add $1, $1, #4 ') .text .align 2 define(`SHIFT_OFFSET', 64) define(`INPUT_OFFSET', 68) define(`I0_OFFSET', 72) define(`STATE_OFFSET', 76) define(`K_OFFSET', 80) define(`BLOCKS_OFFSET', 84) C const uint8_t * C _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, C size_t blocks, const uint8_t *input) PROLOGUE(_nettle_sha256_compress_n) cmp BLOCKS, #0 bne .Lwork mov r0, INPUT bx lr .Lwork: C Also save STATE (r0), K (r1) and BLOCKS (r2) push {r0,r1,r2,r4,r5,r6,r7,r8,r10,r11,r12,r14} sub sp, sp, #STATE_OFFSET C Load data up front, since we don't have enough registers C to load and shift on-the-fly ands SHIFT, INPUT, #3 and INPUT, INPUT, $-4 ldr I0, [INPUT] addne INPUT, INPUT, #4 lsl SHIFT, SHIFT, #3 mov T0, #0 movne T0, #-1 IF_LE(` lsl I1, T0, SHIFT') IF_BE(` lsr I1, T0, SHIFT') uadd8 T0, T0, I1 C Sets APSR.GE bits C on BE rotate right by 32-SHIFT bits C because there is no rotate left IF_BE(` rsb SHIFT, SHIFT, #32') str SHIFT, [sp, #SHIFT_OFFSET] .Loop_block: mov DST, sp mov ILEFT, #4 .Lcopy: ldm INPUT!, {I1,I2,I3,I4} sel I0, I0, I1 ror I0, I0, SHIFT IF_LE(` rev I0, I0') sel I1, I1, I2 ror I1, I1, SHIFT IF_LE(` rev I1, I1') sel I2, I2, I3 ror I2, I2, SHIFT IF_LE(` rev I2, I2') sel I3, I3, I4 ror I3, I3, SHIFT IF_LE(` rev I3, I3') subs ILEFT, ILEFT, #1 stm DST!, {I0,I1,I2,I3} mov I0, I4 bne .Lcopy str INPUT, [sp, #INPUT_OFFSET] str I0, [sp, #I0_OFFSET] C Process block, with input at sp, expanded on the fly ldm STATE, {SA,SB,SC,SD,SE,SF,SG,SH} mov COUNT,#0 .Loop1: NOEXPN(COUNT) ROUND(SA,SB,SC,SD,SE,SF,SG,SH) NOEXPN(COUNT) ROUND(SH,SA,SB,SC,SD,SE,SF,SG) NOEXPN(COUNT) ROUND(SG,SH,SA,SB,SC,SD,SE,SF) NOEXPN(COUNT) ROUND(SF,SG,SH,SA,SB,SC,SD,SE) NOEXPN(COUNT) ROUND(SE,SF,SG,SH,SA,SB,SC,SD) NOEXPN(COUNT) ROUND(SD,SE,SF,SG,SH,SA,SB,SC) NOEXPN(COUNT) ROUND(SC,SD,SE,SF,SG,SH,SA,SB) NOEXPN(COUNT) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) cmp COUNT,#64 bne .Loop1 mov COUNT, #3 .Loop2: EXPN( 0) ROUND(SA,SB,SC,SD,SE,SF,SG,SH) EXPN( 1) ROUND(SH,SA,SB,SC,SD,SE,SF,SG) EXPN( 2) ROUND(SG,SH,SA,SB,SC,SD,SE,SF) EXPN( 3) ROUND(SF,SG,SH,SA,SB,SC,SD,SE) EXPN( 4) ROUND(SE,SF,SG,SH,SA,SB,SC,SD) EXPN( 5) ROUND(SD,SE,SF,SG,SH,SA,SB,SC) EXPN( 6) ROUND(SC,SD,SE,SF,SG,SH,SA,SB) EXPN( 7) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) EXPN( 8) ROUND(SA,SB,SC,SD,SE,SF,SG,SH) EXPN( 9) ROUND(SH,SA,SB,SC,SD,SE,SF,SG) EXPN(10) ROUND(SG,SH,SA,SB,SC,SD,SE,SF) EXPN(11) ROUND(SF,SG,SH,SA,SB,SC,SD,SE) EXPN(12) ROUND(SE,SF,SG,SH,SA,SB,SC,SD) EXPN(13) ROUND(SD,SE,SF,SG,SH,SA,SB,SC) EXPN(14) ROUND(SC,SD,SE,SF,SG,SH,SA,SB) subs COUNT, COUNT, #1 EXPN(15) ROUND(SB,SC,SD,SE,SF,SG,SH,SA) bne .Loop2 ldr STATE, [sp, #STATE_OFFSET] C No longer needed registers ldm STATE, {K, T1, T0, W} add SA, SA, K add SB, SB, T1 add SC, SC, T0 add SD, SD, W stm STATE!, {SA,SB,SC,SD} ldm STATE, {K, T1, T0, W} add SE, SE, K add SF, SF, T1 add SG, SG, T0 add SH, SH, W stm STATE, {SE,SF,SG,SH} sub STATE, STATE, #16 ldr BLOCKS, [sp, #BLOCKS_OFFSET] subs BLOCKS, BLOCKS, #1 str BLOCKS, [sp, #BLOCKS_OFFSET] ldr SHIFT, [sp, #SHIFT_OFFSET] ldr K, [sp, #K_OFFSET] ldr INPUT, [sp, #INPUT_OFFSET] ldr I0, [sp, #I0_OFFSET] bne .Loop_block C Restore input pointer adjustment IF_BE(` rsbs SHIFT, SHIFT, #32') IF_LE(` cmp SHIFT, #0') subne INPUT, INPUT, #4 orr r0, INPUT, SHIFT, lsr #3 C Discard saved STATE, K and BLOCKS. add sp, sp, #STATE_OFFSET + 12 pop {r4,r5,r6,r7,r8,r10,r11,r12,pc} EPILOGUE(_nettle_sha256_compress_n) nettle-3.10/arm/memxor.asm0000644000175000017500000001200414633602172014545 0ustar nissenisseC arm/memxor.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') C Possible speedups: C C The ldm instruction can do load two registers per cycle, C if the address is two-word aligned. Or three registers in two C cycles, regardless of alignment. C Register usage: define(`DST', `r0') define(`SRC', `r1') define(`N', `r2') define(`CNT', `r6') define(`TNC', `r12') C little-endian and big-endian need to shift in different directions for C alignment correction define(`S0ADJ', IF_LE(`lsr', `lsl')) define(`S1ADJ', IF_LE(`lsl', `lsr')) .syntax unified .file "memxor.asm" .text .arm C memxor(void *dst, const void *src, size_t n) .align 4 PROLOGUE(nettle_memxor) cmp N, #0 beq .Lmemxor_done cmp N, #7 bcs .Lmemxor_large C Simple byte loop .Lmemxor_bytes: ldrb r3, [SRC], #+1 ldrb r12, [DST] eor r3, r12 strb r3, [DST], #+1 subs N, #1 bne .Lmemxor_bytes .Lmemxor_done: bx lr .Lmemxor_align_loop: ldrb r3, [SRC], #+1 ldrb r12, [DST] eor r3, r12 strb r3, [DST], #+1 sub N, #1 .Lmemxor_large: tst DST, #3 bne .Lmemxor_align_loop C We have at least 4 bytes left to do here. sub N, #4 ands r3, SRC, #3 beq .Lmemxor_same C Different alignment case. C v original SRC C +-------+------+ C |SRC |SRC+4 | C +---+---+------+ C |DST | C +-------+ C C With little-endian, we need to do C DST[i] ^= (SRC[i] >> CNT) ^ (SRC[i+1] << TNC) C With big-endian, we need to do C DST[i] ^= (SRC[i] << CNT) ^ (SRC[i+1] >> TNC) push {r4,r5,r6} lsl CNT, r3, #3 bic SRC, #3 rsb TNC, CNT, #32 ldr r4, [SRC], #+4 tst N, #4 itet eq moveq r5, r4 subne N, #4 beq .Lmemxor_odd .Lmemxor_word_loop: ldr r5, [SRC], #+4 ldr r3, [DST] eor r3, r3, r4, S0ADJ CNT eor r3, r3, r5, S1ADJ TNC str r3, [DST], #+4 .Lmemxor_odd: ldr r4, [SRC], #+4 ldr r3, [DST] eor r3, r3, r5, S0ADJ CNT eor r3, r3, r4, S1ADJ TNC str r3, [DST], #+4 subs N, #8 bcs .Lmemxor_word_loop adds N, #8 beq .Lmemxor_odd_done C We have TNC/8 left-over bytes in r4, high end on LE and low end on C BE, excess bits to be discarded by alignment adjustment at the other S0ADJ r4, CNT C now byte-aligned at low end on LE and high end on BE ldr r3, [DST] eor r3, r4 pop {r4,r5,r6} C Store bytes, one by one. .Lmemxor_leftover: C bring uppermost byte down for saving while preserving lower ones IF_BE(` ror r3, #24') strb r3, [DST], #+1 subs N, #1 beq .Lmemxor_done subs TNC, #8 C bring down next byte, no need to preserve IF_LE(` lsr r3, #8') bne .Lmemxor_leftover b .Lmemxor_bytes .Lmemxor_odd_done: pop {r4,r5,r6} bx lr .Lmemxor_same: push {r4,r5,r6,r7,r8,r10,r11,r14} C lr is the link register subs N, #8 bcc .Lmemxor_same_end ldmia SRC!, {r3, r4, r5} C Keep address for loads in r14 mov r14, DST ldmia r14!, {r6, r7, r8} subs N, #12 eor r10, r3, r6 eor r11, r4, r7 eor r12, r5, r8 bcc .Lmemxor_same_final_store subs N, #12 ldmia r14!, {r6, r7, r8} bcc .Lmemxor_same_wind_down C 6 cycles per iteration, 0.50 cycles/byte. For this speed, C loop starts at offset 0x11c in the object file. .Lmemxor_same_loop: C r10-r12 contains values to be stored at DST C r6-r8 contains values read from r14, in advance ldmia SRC!, {r3, r4, r5} subs N, #12 stmia DST!, {r10, r11, r12} eor r10, r3, r6 eor r11, r4, r7 eor r12, r5, r8 ldmia r14!, {r6, r7, r8} bcs .Lmemxor_same_loop .Lmemxor_same_wind_down: C Wind down code ldmia SRC!, {r3, r4, r5} stmia DST!, {r10, r11, r12} eor r10, r3, r6 eor r11, r4, r7 eor r12, r5, r8 .Lmemxor_same_final_store: stmia DST!, {r10, r11, r12} .Lmemxor_same_end: C We have 0-11 bytes left to do, and N holds number of bytes -12. adds N, #4 bcc .Lmemxor_same_lt_8 C Do 8 bytes more, leftover is in N ldmia SRC!, {r3, r4} ldmia DST, {r6, r7} eor r3, r6 eor r4, r7 stmia DST!, {r3, r4} pop {r4,r5,r6,r7,r8,r10,r11,r14} beq .Lmemxor_done b .Lmemxor_bytes .Lmemxor_same_lt_8: pop {r4,r5,r6,r7,r8,r10,r11,r14} adds N, #4 bcc .Lmemxor_same_lt_4 ldr r3, [SRC], #+4 ldr r12, [DST] eor r3, r12 str r3, [DST], #+4 beq .Lmemxor_done b .Lmemxor_bytes .Lmemxor_same_lt_4: adds N, #4 beq .Lmemxor_done b .Lmemxor_bytes EPILOGUE(nettle_memxor) nettle-3.10/arm/ecc-secp384r1-modp.asm0000644000175000017500000001201014633602172016354 0ustar nissenisseC arm/ecc-secp384r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp384r1-modp.asm" .arm define(`RP', `r1') define(`XP', `r2') define(`T0', `r0') define(`T1', `r3') define(`T2', `r4') define(`T3', `r5') define(`F0', `r6') define(`F1', `r7') define(`F2', `r8') define(`F3', `r10') define(`F4', `r11') define(`N', `r12') define(`H', `lr') C ecc_secp384r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(_nettle_ecc_secp384r1_modp) push {r4,r5,r6,r7,r8,r10,r11,lr} add XP, XP, #80 ldm XP, {T0, T1, T2, T3} C 20-23 C First get top 4 limbs, which need folding twice, as C C T3 T2 T1 T0 C T3 T2 T1 C -T3 C ---------------- C F4 F3 F2 F1 F0 C C Start with C C T3 T1 T0 C T1 C -T3 C ----------- C F2 F1 F0 Always fits adds F0, T0, T1 adcs F1, T1, #0 adcs F2, T3, #0 subs F0, F0, T3 sbcs F1, F1, #0 sbcs F2, F2, #0 C T3 T2 T2 0 C F2 F1 F0 C ---------------- C F4 F3 F2 F1 F0 mov F4, #0 adds F1, F1, T2 adcs F2, F2, T2 adcs F3, T3, #0 adcs F4, F4, #0 C Add in to high part sub XP, XP, #32 ldm XP, {T0, T1, T2, T3} C 12-15 mov H, #0 adds F0, T0, F0 adcs F1, T1, F1 adcs F2, T2, F2 adcs F3, T3, F3 adcs F4, F4, #0 C Do F4 later C Add to low part, keeping carry (positive or negative) in H sub XP, XP, #48 ldm XP, {T0, T1, T2, T3} C 0-3 mov H, #0 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, #0 subs T1, T1, F0 sbcs T2, T2, F1 sbcs T3, T3, F2 sbc H, H, #0 adds T3, T3, F0 adc H, H, #0 stm XP!, {T0,T1,T2,T3} C 0-3 mov N, #2 .Loop: ldm XP, {T0,T1,T2,T3} C 4-7 C First, propagate carry adds T0, T0, H asr H, #31 C Sign extend adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H adc H, H, #0 C +B^4 term adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, #0 C +B^3 terms ldr F0, [XP, #+48] C 16 adds T0, T0, F1 adcs T1, T1, F2 adcs T2, T2, F3 adcs T3, T3, F0 adc H, H, #0 C -B ldr F1, [XP, #+52] C 17-18 ldr F2, [XP, #+56] subs T0, T0, F3 sbcs T1, T1, F0 sbcs T2, T2, F1 sbcs T3, T3, F2 sbcs H, H, #0 C +1 ldr F3, [XP, #+60] C 19 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, #0 subs N, N, #1 stm XP!, {T0,T1,T2,T3} bne .Loop C Fold high limbs, we need to add in C C F4 F4 0 -F4 F4 H H 0 -H H C C We always have F4 >= 0, but we can have H < 0. C Sign extension gets tricky when F4 = 0 and H < 0. sub XP, XP, #48 ldm XP, {T0,T1,T2,T3} C 0-3 C H H 0 -H H C ---------------- C S H F3 F2 F1 F0 C C Define S = H >> 31 (asr), we then have C C F0 = H C F1 = S - H C F2 = - [H > 0] C F3 = H - [H > 0] C H = H + S C C And we get underflow in S - H iff H > 0 C H = 0 H > 0 H = -1 mov F0, H C 0 H -1 asr H, #31 subs F1, H, F0 C 0,C=1 -H,C=0 0,C=1 sbc F2, F2, F2 C 0 -1 0 sbc F3, F0, #0 C 0 H-1 -1 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 adc H, H, F0 C 0+cy H+cy -2+cy stm XP!, {T0,T1,T2,T3} C 0-3 ldm XP, {T0,T1,T2,T3} C 4-7 C F4 0 -F4 C --------- C F3 F2 F1 rsbs F1, F4, #0 sbc F2, F2, F2 sbc F3, F4, #0 C Sign extend H adds F0, F4, H asr H, H, #31 adcs F1, F1, H adcs F2, F2, H adcs F3, F3, H adcs F4, F4, H adc H, H, #0 adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 stm XP!, {T0,T1,T2,T3} C 4-7 ldm XP, {T0,T1,T2,T3} C 8-11 adcs T0, T0, F4 adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H adc H, H, #0 stm XP, {T0,T1,T2,T3} C 8-11 C Final (unlikely) carry sub XP, XP, #32 ldm XP!, {T0,T1,T2,T3} C 0-3 C Fold H into F0-F4 mov F0, H asr H, #31 subs F1, H, F0 sbc F2, F2, F2 sbc F3, F0, #0 add F4, F0, H adds T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 adcs T3, T3, F3 stm RP!, {T0,T1,T2,T3} C 0-3 ldm XP!, {T0,T1,T2,T3} C 4-7 adcs T0, T0, F4 adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H stm RP!, {T0,T1,T2,T3} C 4-7 ldm XP, {T0,T1,T2,T3} C 8-11 adcs T0, T0, H adcs T1, T1, H adcs T2, T2, H adcs T3, T3, H stm RP, {T0,T1,T2,T3} C 8-11 pop {r4,r5,r6,r7,r8,r10,r11,pc} EPILOGUE(_nettle_ecc_secp384r1_modp) nettle-3.10/arm/ecc-secp521r1-modp.asm0000644000175000017500000000570114633602172016356 0ustar nissenisseC arm/ecc-secp521r1-modp.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp521r1-modp.asm" .arm define(`HP', `r0') define(`RP', `r1') define(`XP', `r2') define(`T0', `r3') define(`T1', `r4') define(`T2', `r5') define(`F0', `r6') define(`F1', `r7') define(`F2', `r8') define(`F3', `r10') define(`H', `r12') define(`N', `lr') C ecc_secp521r1_modp (const struct ecc_modulo *m, mp_limb_t *rp) .text .Lc511: .int 511 .align 2 PROLOGUE(_nettle_ecc_secp521r1_modp) push {r4,r5,r6,r7,r8,r10,lr} C Use that B^17 = 2^23 (mod p) ldr F3, [XP, #+68] C 17 add HP, XP, #72 C 18 ldr T0, [XP] C 0 adds T0, T0, F3, lsl #23 str T0, [XP], #+4 mov N, #5 C 5 iterations, reading limbs 18-20, 21-23, 24-26, 27-29, 30-32 C and adding to limbs 1-3, 4-6, 7-9, 19-12, 13-15 .Loop: ldm XP, {T0,T1,T2} C 1+3*k -- 3+3*k lsr F0, F3, #9 ldm HP!, {F1,F2,F3} C 18+3*k -- 20+3*k orr F0, F0, F1, lsl #23 lsr F1, F1, #9 orr F1, F1, F2, lsl #23 lsr F2, F2, #9 orr F2, F2, F3, lsl #23 adcs T0, T0, F0 adcs T1, T1, F1 adcs T2, T2, F2 sub N, N, #1 stm XP!,{T0,T1,T2} teq N, #0 bne .Loop ldr F0, [XP], #-64 C 16 ldr F1, [HP] C 33 ldr T0, .Lc511 C Handling of high limbs C F0 = rp[16] + carry in + F3 >> 9 adcs F0, F0, F3, lsr #9 C Copy low 9 bits to H, then shift right including carry and H, F0, T0 mov F0, F0, rrx lsr F0, F0, #8 C Add in F1 = rp[33], with weight 2^1056 = 2^14 adds F0, F0, F1, lsl #14 lsr F1, F1, #18 adc F1, F1, #0 ldm XP!, {T0, T1} C 0-1 adds T0, T0, F0 adcs T1, T1, F1 stm RP!, {T0, T1} ldm XP!, {T0,T1,T2,F0,F1,F2,F3} C 2-8 adcs T0, T0, #0 adcs T1, T1, #0 adcs T2, T2, #0 adcs F0, F0, #0 adcs F1, F1, #0 adcs F2, F2, #0 adcs F3, F3, #0 stm RP!, {T0,T1,T2,F0,F1,F2,F3} C 2-8 ldm XP, {T0,T1,T2,F0,F1,F2,F3} C 9-15 adcs T0, T0, #0 adcs T1, T1, #0 adcs T2, T2, #0 adcs F0, F0, #0 adcs F1, F1, #0 adcs F2, F2, #0 adcs F3, F3, #0 adcs H, H, #0 stm RP, {T0,T1,T2,F0,F1,F2,F3,H} C 9-16 pop {r4,r5,r6,r7,r8,r10,pc} EPILOGUE(_nettle_ecc_secp521r1_modp) nettle-3.10/arm/ecc-secp256r1-redc.asm0000644000175000017500000000720314633602172016340 0ustar nissenisseC arm/ecc-secp256r1-redc.asm ifelse(` Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. ') .file "ecc-secp256r1-redc.asm" .arm define(`RP', `r1') C Overlaps T1 below define(`XP', `r2') define(`T0', `r0') C Overlaps unused modulo argument define(`T1', `r1') define(`T2', `r3') define(`T3', `r4') define(`T4', `r5') define(`T5', `r6') define(`T6', `r7') define(`T7', `r8') define(`F0', `r10') define(`F1', `r11') define(`F2', `r12') define(`F3', `lr') C ecc_secp256r1_redc (const struct ecc_modulo *m, mp_limb_t *rp) .text .align 2 PROLOGUE(_nettle_ecc_secp256r1_redc) C Pushes RP last push {r1, r4,r5,r6,r7,r8,r10,r11,lr} ldm XP!, {T0,T1,T2,T3,T4,T5,T6,T7} C Set to the high 4 limbs of (B^2-B+1) C T2 T1 C T2 T1 T0 C - T2 T1 T0 C ------------- C F3 F2 F1 F0 adds F1, T0, T2 adcs F2, T1, #0 adc F3, T2, #0 subs F0, T1, T0 sbcs F1, F1, T1 C Could also be rsc ? sbcs F2, F2, T2 sbc F3, F3, #0 C Add: C T10 T9 T8 T7 T6 T5 T4 T3 C + F3 F2 F1 F0 T0 T2 T1 T0 C -------------------------- C T7 T6 T5 T4 T3 T2 T1 T0 adds T3, T3, T0 adcs T1, T4, T1 adcs T2, T5, T2 adcs T6, T6, T0 mov T0, T3 C FIXME: Be more clever? mov T3, T6 adcs T4, T7, F0 ldm XP!, {T5,T6,T7} adcs T5, T5, F1 adcs T6, T6, F2 adcs T7, T7, F3 C New F3, F2, F1, F0, also adding in carry adcs F1, T0, T2 adcs F2, T1, #0 adc F3, T2, #0 subs F0, T1, T0 sbcs F1, F1, T1 C Could also be rsc ? sbcs F2, F2, T2 sbc F3, F3, #0 C Start adding adds T3, T3, T0 adcs T1, T4, T1 adcs T2, T5, T2 adcs T6, T6, T0 mov T0, T3 C FIXME: Be more clever? mov T3, T6 adcs T4, T7, F0 ldm XP!, {T5,T6,T7} adcs T5, T5, F1 adcs T6, T6, F2 adcs T7, T7, F3 C Final iteration, eliminate only T0, T1 C Set to the high 3 limbs of (B^2-B+1) C T1 T0 T1 C - T1 T0 C ------------- C F2 F1 F0 C First add in carry adcs F1, T0, #0 adcs F2, T1, #0 subs F0, T1, T0 sbcs F1, F1, T1 sbc F2, F2, #0 C Add: C T9 T8 T7 T6 T5 T4 T3 T2 C + F2 F1 F0 T0 0 T1 T0 0 C -------------------------- C F2 F1 T7 T6 T5 T4 T3 T2 adds T3, T3, T0 adcs T4, T4, T1 adcs T5, T5, #0 adcs T6, T6, T0 adcs T7, T7, F0 ldm XP!, {T0, T1} mov F3, #0 adcs F1, F1, T0 adcs F2, F2, T1 C Sum is < B^8 + p, so it's enough to fold carry once, C If carry, add in C B^7 - B^6 - B^3 + 1 = <0, B-2, B-1, B-1, B-1, 0, 0, 1> C Mask from carry flag, leaving carry intact adc F3, F3, #0 rsb F3, F3, #0 pop {XP} C Original RP adcs T0, T2, #0 adcs T1, T3, #0 adcs T2, T4, #0 adcs T3, T5, F3 adcs T4, T6, F3 adcs T5, T7, F3 and F3, F3, #-2 adcs T6, F1, F3 adcs T7, F2, #0 stm XP, {T0,T1,T2,T3,T4,T5,T6,T7} pop {r4,r5,r6,r7,r8,r10,r11,pc} EPILOGUE(_nettle_ecc_secp256r1_redc) nettle-3.10/getopt_int.h0000644000175000017500000001116314633602172014307 0ustar nissenisse/* Internal declarations for getopt. Copyright (C) 1989-2014 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifndef _GETOPT_INT_H #define _GETOPT_INT_H 1 extern int _getopt_internal (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind, int __long_only, int posixly_correct); /* Reentrant versions which can handle parsing multiple argument vectors at the same time. */ /* Data type for reentrant functions. */ struct _getopt_data { /* These have exactly the same meaning as the corresponding global variables, except that they are used for the reentrant versions of getopt. */ int optind; int opterr; int optopt; char *optarg; /* Internal members. */ /* True if the internal members have been initialized. */ int __initialized; /* The next char to be scanned in the option-element in which the last option character we returned was found. This allows us to pick up the scan where we left off. If this is zero, or a null string, it means resume the scan by advancing to the next ARGV-element. */ char *__nextchar; /* Describe how to deal with options that follow non-option ARGV-elements. If the caller did not specify anything, the default is REQUIRE_ORDER if the environment variable POSIXLY_CORRECT is defined, PERMUTE otherwise. REQUIRE_ORDER means don't recognize them as options; stop option processing when the first non-option is seen. This is what Unix does. This mode of operation is selected by either setting the environment variable POSIXLY_CORRECT, or using `+' as the first character of the list of option characters. PERMUTE is the default. We permute the contents of ARGV as we scan, so that eventually all the non-options are at the end. This allows options to be given in any order, even with programs that were not written to expect this. RETURN_IN_ORDER is an option available to programs that were written to expect options and other ARGV-elements in any order and that care about the ordering of the two. We describe each non-option ARGV-element as if it were the argument of an option with character code 1. Using `-' as the first character of the list of option characters selects this mode of operation. The special argument `--' forces an end of option-scanning regardless of the value of `ordering'. In the case of RETURN_IN_ORDER, only `--' can cause `getopt' to return -1 with `optind' != ARGC. */ enum { REQUIRE_ORDER, PERMUTE, RETURN_IN_ORDER } __ordering; /* If the POSIXLY_CORRECT environment variable is set. */ int __posixly_correct; /* Handle permutation of arguments. */ /* Describe the part of ARGV that contains non-options that have been skipped. `first_nonopt' is the index in ARGV of the first of them; `last_nonopt' is the index after the last of them. */ int __first_nonopt; int __last_nonopt; #if defined _LIBC && defined USE_NONOPTION_FLAGS int __nonoption_flags_max_len; int __nonoption_flags_len; # endif }; /* The initializer is necessary to set OPTIND and OPTERR to their default values and to clear the initialization flag. */ #define _GETOPT_DATA_INITIALIZER { 1, 1 } extern int _getopt_internal_r (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind, int __long_only, struct _getopt_data *__data, int posixly_correct); extern int _getopt_long_r (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind, struct _getopt_data *__data); extern int _getopt_long_only_r (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind, struct _getopt_data *__data); #endif /* getopt_int.h */ nettle-3.10/ecc-mul-a-eh.c0000644000175000017500000001053414633602171014263 0ustar nissenisse/* ecc-mul-a-eh.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" /* Binary algorithm needs 6*ecc->p.size + scratch for ecc_add_ehh, total 10 ecc->p.size Window algorithm needs (3<p.size for the table, 3*ecc->p.size for a temporary point, and scratch for ecc_add_ehh. */ #if ECC_MUL_A_EH_WBITS == 0 void ecc_mul_a_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define pe scratch #define tp (scratch + 3*ecc->p.size) #define scratch_out (scratch + 6*ecc->p.size) unsigned i; ecc_a_to_j (ecc, pe, p); /* x = 0, y = 1, z = 1 */ mpn_zero (r, 3*ecc->p.size); r[ecc->p.size] = r[2*ecc->p.size] = 1; for (i = ecc->p.size; i-- > 0; ) { mp_limb_t w = np[i] << (GMP_LIMB_BITS - GMP_NUMB_BITS); unsigned j; for (j = 0; j < GMP_NUMB_BITS; j++, w <<= 1) { int bit; ecc->dup (ecc, r, r, scratch_out); ecc->add_hh (ecc, tp, r, pe, scratch_out); bit = w >> (GMP_LIMB_BITS - 1); /* If we had a one-bit, use the sum. */ cnd_copy (bit, r, tp, 3*ecc->p.size); } } } #else /* ECC_MUL_A_EH_WBITS > 1 */ #define TABLE_SIZE (1U << ECC_MUL_A_EH_WBITS) #define TABLE_MASK (TABLE_SIZE - 1) #define TABLE(j) (table + (j) * 3*ecc->p.size) static void table_init (const struct ecc_curve *ecc, mp_limb_t *table, unsigned bits, const mp_limb_t *p, mp_limb_t *scratch) { unsigned size = 1 << bits; unsigned j; mpn_zero (TABLE(0), 3*ecc->p.size); TABLE(0)[ecc->p.size] = TABLE(0)[2*ecc->p.size] = 1; ecc_a_to_j (ecc, TABLE(1), p); for (j = 2; j < size; j += 2) { ecc->dup (ecc, TABLE(j), TABLE(j/2), scratch); ecc->add_hh (ecc, TABLE(j+1), TABLE(j), TABLE(1), scratch); } } void ecc_mul_a_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch) { #define tp scratch #define table (scratch + 3*ecc->p.size) mp_limb_t *scratch_out = table + (3*ecc->p.size << ECC_MUL_A_EH_WBITS); /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned blocks = (ecc->p.bit_size + ECC_MUL_A_EH_WBITS - 1) / ECC_MUL_A_EH_WBITS; unsigned bit_index = (blocks-1) * ECC_MUL_A_EH_WBITS; mp_size_t limb_index = bit_index / GMP_NUMB_BITS; unsigned shift = bit_index % GMP_NUMB_BITS; mp_limb_t w, bits; table_init (ecc, table, ECC_MUL_A_EH_WBITS, p, scratch_out); w = np[limb_index]; bits = w >> shift; if (limb_index < ecc->p.size - 1) bits |= np[limb_index + 1] << (GMP_NUMB_BITS - shift); assert (bits < TABLE_SIZE); mpn_sec_tabselect (r, table, 3*ecc->p.size, TABLE_SIZE, bits); for (;;) { unsigned j; if (shift >= ECC_MUL_A_EH_WBITS) { shift -= ECC_MUL_A_EH_WBITS; bits = w >> shift; } else { if (limb_index == 0) { assert (shift == 0); break; } bits = w << (ECC_MUL_A_EH_WBITS - shift); w = np[--limb_index]; shift = shift + GMP_NUMB_BITS - ECC_MUL_A_EH_WBITS; bits |= w >> shift; } for (j = 0; j < ECC_MUL_A_EH_WBITS; j++) ecc->dup (ecc, r, r, scratch_out); bits &= TABLE_MASK; mpn_sec_tabselect (tp, table, 3*ecc->p.size, TABLE_SIZE, bits); ecc->add_hhh (ecc, r, r, tp, scratch_out); } #undef table #undef tp } #endif /* ECC_MUL_A_EH_WBITS > 1 */ nettle-3.10/salsa20-set-key.c0000644000175000017500000000305414633602171014751 0ustar nissenisse/* salsa20-set-key.c The Salsa20 stream cipher. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "salsa20.h" #include "macros.h" void salsa20_set_key(struct salsa20_ctx *ctx, size_t length, const uint8_t *key) { switch (length) { case SALSA20_128_KEY_SIZE: salsa20_128_set_key (ctx, key); break; case SALSA20_256_KEY_SIZE: salsa20_256_set_key (ctx, key); break; default: abort(); } } nettle-3.10/hmac-sm3-meta.c0000644000175000017500000000247514633602171014467 0ustar nissenisse/* hmac-sm3-meta.c Copyright (C) 2021 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sm3_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sm3_set_key (ctx, SM3_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sm3 = _NETTLE_HMAC(hmac_sm3, SM3); nettle-3.10/base64url-decode.c0000644000175000017500000000470414633602171015160 0ustar nissenisse/* base64url-decode.c Copyright (C) 2015 Amos Jeffries, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "base64.h" void base64url_decode_init(struct base64_decode_ctx *ctx) { static const signed char base64url_decode_table[0x100] = { /* White space is HT, VT, FF, CR, LF and SPC */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -3, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, 63, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; ctx->word = ctx->bits = ctx->padding = 0; ctx->table = base64url_decode_table; } nettle-3.10/hmac-sha384.c0000644000175000017500000000264114633602171014046 0ustar nissenisse/* hmac-sha384.c HMAC-SHA384 message authentication code. Copyright (C) 2003, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha384_set_key(struct hmac_sha512_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha384, key_length, key); } void hmac_sha384_digest(struct hmac_sha512_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha384, length, digest); } nettle-3.10/pkcs1-sec-decrypt.c0000644000175000017500000001157014633602171015370 0ustar nissenisse/* pkcs1-sec-decrypt.c The RSA publickey algorithm. Side channel resistant PKCS#1 decryption. Copyright (C) 2001, 2012 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "memops.h" #include "gmp-glue.h" #include "pkcs1-internal.h" #include "nettle-internal.h" /* Inputs are always cast to uint32_t values. But all values used in this * function should never exceed the maximum value of a uint32_t anyway. * these macros returns 1 on success, 0 on failure */ #define NOT_EQUAL(a, b) \ ((0U - ((uint32_t)(a) ^ (uint32_t)(b))) >> 31) #define EQUAL(a, b) (IS_ZERO_SMALL ((a) ^ (b))) #define GREATER_OR_EQUAL(a, b) \ (1U - (((uint32_t)(a) - (uint32_t)(b)) >> 31)) int _pkcs1_sec_decrypt (size_t length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message) { volatile int ok; size_t i, t; /* Message independent branch */ if (length + 11 > padded_message_length) return 0; t = padded_message_length - length - 1; /* Check format, padding, message_size */ ok = EQUAL(padded_message[0], 0); /* ok if padded_message[0] == 0 */ ok &= EQUAL(padded_message[1], 2); /* ok if padded_message[1] == 2 */ for (i = 2; i < t; i++) /* check padding has no zeros */ { ok &= NOT_EQUAL(padded_message[i], 0); } ok &= EQUAL(padded_message[t], 0); /* ok if terminator == 0 */ /* fill destination buffer regardless of outcome */ cnd_memcpy(ok, message, padded_message + t + 1, length); return ok; } int _pkcs1_sec_decrypt_variable(size_t *length, uint8_t *message, size_t padded_message_length, const volatile uint8_t *padded_message) { volatile int not_found = 1; volatile int ok; volatile size_t offset; size_t buflen, msglen; size_t shift, i; /* Check format, padding, message_size */ ok = EQUAL(padded_message[0], 0); ok &= EQUAL(padded_message[1], 2); /* length is discovered in a side-channel silent way. * not_found goes to 0 when the terminator is found. * offset starts at 3 as it includes the terminator and * the format bytes already */ offset = 3; for (i = 2; i < padded_message_length; i++) { not_found &= NOT_EQUAL(padded_message[i], 0); offset += not_found; } /* check if we ran out of buffer */ ok &= NOT_EQUAL(not_found, 1); /* padding must be >= 11 (2 format bytes + 8 pad bytes min. + terminator) */ ok &= GREATER_OR_EQUAL(offset, 11); /* offset can vary between 3 and padded_message_length, due to the loop * above, therefore msglen can't underflow */ msglen = padded_message_length - offset; /* we always fill the whole buffer but only up to * padded_message_length length */ buflen = *length; if (buflen > padded_message_length) { /* input independent branch */ buflen = padded_message_length; } /* if the message length is larger than the buffer we must fail */ ok &= GREATER_OR_EQUAL(buflen, msglen); /* fill destination buffer fully regardless of outcome. Copies the message * in a memory access independent way. The destination message buffer will * be clobbered past the message length. */ shift = padded_message_length - buflen; cnd_memcpy(ok, message, padded_message + shift, buflen); offset -= shift; /* In this loop, the bits of the 'offset' variable are used as shifting * conditions, starting from the least significant bit. The end result is * that the buffer is shifted left exactly 'offset' bytes. */ for (shift = 1; shift < buflen; shift <<= 1, offset >>= 1) { /* 'ok' is both a least significant bit mask and a condition */ cnd_memcpy(offset & ok, message, message + shift, buflen - shift); } /* update length only if we succeeded, otherwise leave unchanged */ *length = (msglen & (-(size_t) ok)) + (*length & ((size_t) ok - 1)); return ok; } nettle-3.10/umac-nh-n.c0000644000175000017500000000444014633602171013710 0ustar nissenisse/* umac-nh-n.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_umac_nh_n void _nettle_umac_nh_n_c (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); #define _nettle_umac_nh_n _nettle_umac_nh_n_c #endif void _nettle_umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg) { assert (length > 0); assert (length <= 1024); assert (length % 32 == 0); memset(out, 0, n*sizeof(*out)); for (;length > 0; length -= 32, msg += 32, key += 8) { uint32_t a0, a1, b0, b1; unsigned i; a0 = LE_READ_UINT32 (msg); a1 = LE_READ_UINT32 (msg + 4); b0 = LE_READ_UINT32 (msg + 16); b1 = LE_READ_UINT32 (msg + 20); for (i = 0; i < n; i++) out[i] += (uint64_t) (a0 + key[0+4*i]) * (b0 + key[4+4*i]) + (uint64_t) (a1 + key[1+4*i]) * (b1 + key[5+4*i]); a0 = LE_READ_UINT32 (msg + 8); a1 = LE_READ_UINT32 (msg + 12); b0 = LE_READ_UINT32 (msg + 24); b1 = LE_READ_UINT32 (msg + 28); for (i = 0; i < n; i++) out[i] += (uint64_t) (a0 + key[2+4*i]) * (b0 + key[6+4*i]) + (uint64_t) (a1 + key[3+4*i]) * (b1 + key[7+4*i]); } } nettle-3.10/hogweed.pc.in0000644000175000017500000000111614633602172014332 0ustar nissenisseprefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ # Uses Requires.private and Libs.private, under the assumption that # when using shared libraries, the ELF dependencies from libhogweed.so # to nettle and gmp work. Name: Hogweed Description: Nettle low-level cryptographic library (public-key algorithms) URL: http://www.lysator.liu.se/~nisse/nettle Version: @PACKAGE_VERSION@ Requires: @IF_NOT_SHARED@ nettle Requires.private: @IF_SHARED@ nettle Libs: -L${libdir} -lhogweed @IF_NOT_SHARED@ @LIBS@ Libs.private: @IF_SHARED@ @LIBS@ Cflags: -I${includedir} nettle-3.10/siv-ghash-update.c0000644000175000017500000000340414633602171015275 0ustar nissenisse/* siv-ghash-update.c POLYVAL implementation for AES-GCM-SIV, based on GHASH Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018, 2022 Niels Möller Copyright (C) 2018, 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ghash-internal.h" #include "block-internal.h" #include "macros.h" const uint8_t * _siv_ghash_update (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data) { for (; blocks-- > 0; data += GCM_BLOCK_SIZE) { union nettle_block16 b; #if WORDS_BIGENDIAN b.u64[1] = LE_READ_UINT64(data); b.u64[0] = LE_READ_UINT64(data + 8); #else b.u64[1] = READ_UINT64(data); b.u64[0] = READ_UINT64(data + 8); #endif _ghash_update (ctx, state, 1, b.b); } return data; } nettle-3.10/sec-add-1.c0000644000175000017500000000255114633602171013564 0ustar nissenisse/* sec-add-1.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" mp_limb_t sec_add_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b) { mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t r = ap[i] + b; b = (r < b); rp[i] = r; } return b; } nettle-3.10/poly1305-aes.c0000644000175000017500000000451314633602171014170 0ustar nissenisse/* poly1305-aes.c Copyright (C) 2013 Nikos Mavrogiannopoulos Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "poly1305.h" #include "poly1305-internal.h" #include "macros.h" void poly1305_aes_set_key (struct poly1305_aes_ctx *ctx, const uint8_t * key) { aes128_set_encrypt_key(&ctx->aes, (key)); _nettle_poly1305_set_key(&ctx->pctx, (key+16)); ctx->index = 0; } void poly1305_aes_set_nonce (struct poly1305_aes_ctx *ctx, const uint8_t * nonce) { memcpy (ctx->nonce, nonce, POLY1305_AES_NONCE_SIZE); } void poly1305_aes_update (struct poly1305_aes_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _nettle_poly1305_update (&(ctx)->pctx, ctx->block, ctx->index, length, data); } void poly1305_aes_digest (struct poly1305_aes_ctx *ctx, size_t length, uint8_t *digest) { union nettle_block16 s; /* final bytes */ if (ctx->index > 0) { assert (ctx->index < POLY1305_BLOCK_SIZE); ctx->block[ctx->index] = 1; memset (ctx->block + ctx->index + 1, 0, POLY1305_BLOCK_SIZE - 1 - ctx->index); _nettle_poly1305_block (&ctx->pctx, ctx->block, 0); } aes128_encrypt(&ctx->aes, POLY1305_BLOCK_SIZE, s.b, ctx->nonce); _nettle_poly1305_digest (&ctx->pctx, &s); memcpy (digest, s.b, length); INCREMENT (16, ctx->nonce); ctx->index = 0; } nettle-3.10/base64.h0000644000175000017500000001233614633602172013222 0ustar nissenisse/* base64.h Base-64 encoding and decoding. Copyright (C) 2002 Niels Möller, Dan Egnor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BASE64_H_INCLUDED #define NETTLE_BASE64_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define base64_encode_init nettle_base64_encode_init #define base64url_encode_init nettle_base64url_encode_init #define base64_encode_single nettle_base64_encode_single #define base64_encode_update nettle_base64_encode_update #define base64_encode_final nettle_base64_encode_final #define base64_encode_raw nettle_base64_encode_raw #define base64_encode_group nettle_base64_encode_group #define base64_decode_init nettle_base64_decode_init #define base64url_decode_init nettle_base64url_decode_init #define base64_decode_single nettle_base64_decode_single #define base64_decode_update nettle_base64_decode_update #define base64_decode_final nettle_base64_decode_final #define BASE64_BINARY_BLOCK_SIZE 3 #define BASE64_TEXT_BLOCK_SIZE 4 /* Base64 encoding */ /* Maximum length of output for base64_encode_update. NOTE: Doesn't * include any padding that base64_encode_final may add. */ /* We have at most 4 buffered bits, and a total of (4 + length * 8) bits. */ #define BASE64_ENCODE_LENGTH(length) (((length) * 8 + 4)/6) /* Maximum length of output generated by base64_encode_final. */ #define BASE64_ENCODE_FINAL_LENGTH 3 /* Exact length of output generated by base64_encode_raw, including * padding. */ #define BASE64_ENCODE_RAW_LENGTH(length) ((((length) + 2)/3)*4) struct base64_encode_ctx { const char *alphabet; /* Alphabet to use for encoding */ unsigned short word; /* Leftover bits */ unsigned char bits; /* Number of bits, always 0, 2, or 4. */ }; /* Initialize encoding context for base-64 */ void base64_encode_init(struct base64_encode_ctx *ctx); /* Initialize encoding context for URL safe alphabet, RFC 4648. */ void base64url_encode_init(struct base64_encode_ctx *ctx); /* Encodes a single byte. Returns amount of output (always 1 or 2). */ size_t base64_encode_single(struct base64_encode_ctx *ctx, char *dst, uint8_t src); /* Returns the number of output characters. DST should point to an * area of size at least BASE64_ENCODE_LENGTH(length). */ size_t base64_encode_update(struct base64_encode_ctx *ctx, char *dst, size_t length, const uint8_t *src); /* DST should point to an area of size at least * BASE64_ENCODE_FINAL_LENGTH */ size_t base64_encode_final(struct base64_encode_ctx *ctx, char *dst); /* Lower level functions */ /* Encodes a string in one go, including any padding at the end. * Generates exactly BASE64_ENCODE_RAW_LENGTH(length) bytes of output. * Supports overlapped operation, if src <= dst. FIXME: Use of overlap * is deprecated, if needed there should be a separate public fucntion * to do that.*/ void base64_encode_raw(char *dst, size_t length, const uint8_t *src); void base64_encode_group(char *dst, uint32_t group); /* Base64 decoding */ /* Maximum length of output for base64_decode_update. */ /* We have at most 6 buffered bits, and a total of (length + 1) * 6 bits. */ #define BASE64_DECODE_LENGTH(length) ((((length) + 1) * 6) / 8) struct base64_decode_ctx { const signed char *table; /* Decoding table */ unsigned short word; /* Leftover bits */ unsigned char bits; /* Number buffered bits */ /* Number of padding characters encountered */ unsigned char padding; }; /* Initialize decoding context for base-64 */ void base64_decode_init(struct base64_decode_ctx *ctx); /* Initialize encoding context for URL safe alphabet, RFC 4648. */ void base64url_decode_init(struct base64_decode_ctx *ctx); /* Decodes a single byte. Returns amount of output (0 or 1), or -1 on * errors. */ int base64_decode_single(struct base64_decode_ctx *ctx, uint8_t *dst, char src); /* Returns 1 on success, 0 on error. DST should point to an area of * size at least BASE64_DECODE_LENGTH(length). The amount of data * generated is returned in *DST_LENGTH. */ int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src); /* Returns 1 on success. */ int base64_decode_final(struct base64_decode_ctx *ctx); #ifdef __cplusplus } #endif #endif /* NETTLE_BASE64_H_INCLUDED */ nettle-3.10/balloon-sha1.c0000644000175000017500000000317614633602171014412 0ustar nissenisse/* balloon-sha1.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "balloon.h" #include "sha1.h" void balloon_sha1(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { struct sha1_ctx ctx; sha1_init(&ctx); balloon(&ctx, (nettle_hash_update_func*)sha1_update, (nettle_hash_digest_func*)sha1_digest, SHA1_DIGEST_SIZE, s_cost, t_cost, passwd_length, passwd, salt_length, salt, scratch, dst); } nettle-3.10/curve25519.h0000644000175000017500000000304114633602172013661 0ustar nissenisse/* curve25519.h Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CURVE25519_H #define NETTLE_CURVE25519_H #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define curve25519_mul_g nettle_curve25519_mul_g #define curve25519_mul nettle_curve25519_mul #define CURVE25519_SIZE 32 /* Indicates that curve25519_mul conforms to RFC 7748. */ #define NETTLE_CURVE25519_RFC7748 1 void curve25519_mul_g (uint8_t *q, const uint8_t *n); void curve25519_mul (uint8_t *q, const uint8_t *n, const uint8_t *p); #ifdef __cplusplus } #endif #endif /* NETTLE_CURVE25519_H */ nettle-3.10/arctwo-meta.c0000644000175000017500000000372414633602171014354 0ustar nissenisse/* arctwo-meta.c Copyright (C) 2004 Simon Josefsson Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "arctwo.h" #define ARCTWO(bits) { \ "arctwo" #bits, sizeof (struct arctwo_ctx), \ ARCTWO_BLOCK_SIZE, bits/8, \ (nettle_set_key_func *) arctwo ## bits ## _set_key, \ (nettle_set_key_func *) arctwo ## bits ## _set_key, \ (nettle_cipher_func *) arctwo_encrypt, \ (nettle_cipher_func *) arctwo_decrypt, \ } const struct nettle_cipher nettle_arctwo40 = ARCTWO(40); const struct nettle_cipher nettle_arctwo64 = ARCTWO(64); const struct nettle_cipher nettle_arctwo128 = ARCTWO(128); /* Gutmann variant. */ const struct nettle_cipher nettle_arctwo_gutmann128 = { "arctwo_gutmann128", sizeof (struct arctwo_ctx), ARCTWO_BLOCK_SIZE, 16, (nettle_set_key_func *) arctwo128_set_key_gutmann, (nettle_set_key_func *) arctwo128_set_key_gutmann, (nettle_cipher_func *) arctwo_encrypt, (nettle_cipher_func *) arctwo_decrypt, }; nettle-3.10/camellia128-set-decrypt-key.c0000644000175000017500000000276414633602171017165 0ustar nissenisse/* camellia128-set-decrypt-key.c Inverse key setup for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" void camellia128_invert_key(struct camellia128_ctx *dst, const struct camellia128_ctx *src) { _nettle_camellia_invert_key (_CAMELLIA128_NKEYS, dst->keys, src->keys); } void camellia128_set_decrypt_key(struct camellia128_ctx *ctx, const uint8_t *key) { camellia128_set_encrypt_key(ctx, key); camellia128_invert_key(ctx, ctx); } nettle-3.10/aes128-set-decrypt-key.c0000644000175000017500000000357614633602171016170 0ustar nissenisse/* aes128-set-decrypt-key.c Key setup for the aes/rijndael block cipher. Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes128_invert_key void _nettle_aes128_invert_key_c(struct aes128_ctx *dst, const struct aes128_ctx *src); # define nettle_aes128_invert_key _nettle_aes128_invert_key_c #endif #if HAVE_NATIVE_aes128_set_decrypt_key void _nettle_aes128_set_decrypt_key_c(struct aes128_ctx *ctx, const uint8_t *key); # define nettle_aes128_set_decrypt_key _nettle_aes128_set_decrypt_key_c #endif void nettle_aes128_invert_key (struct aes128_ctx *dst, const struct aes128_ctx *src) { _nettle_aes_invert (_AES128_ROUNDS, dst->keys, src->keys); } void nettle_aes128_set_decrypt_key(struct aes128_ctx *ctx, const uint8_t *key) { aes128_set_encrypt_key (ctx, key); aes128_invert_key (ctx, ctx); } nettle-3.10/bignum-random-prime.c0000644000175000017500000003553614633602171016010 0ustar nissenisse/* bignum-random-prime.c Generation of random provable primes. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef RANDOM_PRIME_VERBOSE #define RANDOM_PRIME_VERBOSE 0 #endif #include #include #if RANDOM_PRIME_VERBOSE #include #define VERBOSE(x) (fputs((x), stderr)) #else #define VERBOSE(x) #endif #include "bignum.h" #include "hogweed-internal.h" #include "macros.h" /* Use a table of p_2 = 3 to p_{172} = 1021, used for sieving numbers of up to 20 bits. */ #define NPRIMES 171 #define TRIAL_DIV_BITS 20 #define TRIAL_DIV_MASK ((1 << TRIAL_DIV_BITS) - 1) /* A 20-bit number x is divisible by p iff ((x * inverse) & TRIAL_DIV_MASK) <= limit */ struct trial_div_info { uint32_t inverse; /* p^{-1} (mod 2^20) */ uint32_t limit; /* floor( (2^20 - 1) / p) */ }; static const uint16_t primes[NPRIMES] = { 3,5,7,11,13,17,19,23, 29,31,37,41,43,47,53,59, 61,67,71,73,79,83,89,97, 101,103,107,109,113,127,131,137, 139,149,151,157,163,167,173,179, 181,191,193,197,199,211,223,227, 229,233,239,241,251,257,263,269, 271,277,281,283,293,307,311,313, 317,331,337,347,349,353,359,367, 373,379,383,389,397,401,409,419, 421,431,433,439,443,449,457,461, 463,467,479,487,491,499,503,509, 521,523,541,547,557,563,569,571, 577,587,593,599,601,607,613,617, 619,631,641,643,647,653,659,661, 673,677,683,691,701,709,719,727, 733,739,743,751,757,761,769,773, 787,797,809,811,821,823,827,829, 839,853,857,859,863,877,881,883, 887,907,911,919,929,937,941,947, 953,967,971,977,983,991,997,1009, 1013,1019,1021, }; static const uint32_t prime_square[NPRIMES+1] = { 9,25,49,121,169,289,361,529, 841,961,1369,1681,1849,2209,2809,3481, 3721,4489,5041,5329,6241,6889,7921,9409, 10201,10609,11449,11881,12769,16129,17161,18769, 19321,22201,22801,24649,26569,27889,29929,32041, 32761,36481,37249,38809,39601,44521,49729,51529, 52441,54289,57121,58081,63001,66049,69169,72361, 73441,76729,78961,80089,85849,94249,96721,97969, 100489,109561,113569,120409,121801,124609,128881,134689, 139129,143641,146689,151321,157609,160801,167281,175561, 177241,185761,187489,192721,196249,201601,208849,212521, 214369,218089,229441,237169,241081,249001,253009,259081, 271441,273529,292681,299209,310249,316969,323761,326041, 332929,344569,351649,358801,361201,368449,375769,380689, 383161,398161,410881,413449,418609,426409,434281,436921, 452929,458329,466489,477481,491401,502681,516961,528529, 537289,546121,552049,564001,573049,579121,591361,597529, 619369,635209,654481,657721,674041,677329,683929,687241, 703921,727609,734449,737881,744769,769129,776161,779689, 786769,822649,829921,844561,863041,877969,885481,896809, 908209,935089,942841,954529,966289,982081,994009,1018081, 1026169,1038361,1042441,1L<<20 }; static const struct trial_div_info trial_div_table[NPRIMES] = { {699051,349525},{838861,209715},{748983,149796},{953251,95325}, {806597,80659},{61681,61680},{772635,55188},{866215,45590}, {180789,36157},{1014751,33825},{793517,28339},{1023001,25575}, {48771,24385},{870095,22310},{217629,19784},{710899,17772}, {825109,17189},{281707,15650},{502135,14768},{258553,14364}, {464559,13273},{934875,12633},{1001449,11781},{172961,10810}, {176493,10381},{203607,10180},{568387,9799},{788837,9619}, {770193,9279},{1032063,8256},{544299,8004},{619961,7653}, {550691,7543},{182973,7037},{229159,6944},{427445,6678}, {701195,6432},{370455,6278},{90917,6061},{175739,5857}, {585117,5793},{225087,5489},{298817,5433},{228877,5322}, {442615,5269},{546651,4969},{244511,4702},{83147,4619}, {769261,4578},{841561,4500},{732687,4387},{978961,4350}, {133683,4177},{65281,4080},{629943,3986},{374213,3898}, {708079,3869},{280125,3785},{641833,3731},{618771,3705}, {930477,3578},{778747,3415},{623751,3371},{40201,3350}, {122389,3307},{950371,3167},{1042353,3111},{18131,3021}, {285429,3004},{549537,2970},{166487,2920},{294287,2857}, {919261,2811},{636339,2766},{900735,2737},{118605,2695}, {10565,2641},{188273,2614},{115369,2563},{735755,2502}, {458285,2490},{914767,2432},{370513,2421},{1027079,2388}, {629619,2366},{462401,2335},{649337,2294},{316165,2274}, {484655,2264},{65115,2245},{326175,2189},{1016279,2153}, {990915,2135},{556859,2101},{462791,2084},{844629,2060}, {404537,2012},{457123,2004},{577589,1938},{638347,1916}, {892325,1882},{182523,1862},{1002505,1842},{624371,1836}, {69057,1817},{210787,1786},{558769,1768},{395623,1750}, {992745,1744},{317855,1727},{384877,1710},{372185,1699}, {105027,1693},{423751,1661},{408961,1635},{908331,1630}, {74551,1620},{36933,1605},{617371,1591},{506045,1586}, {24929,1558},{529709,1548},{1042435,1535},{31867,1517}, {166037,1495},{928781,1478},{508975,1458},{4327,1442}, {779637,1430},{742091,1418},{258263,1411},{879631,1396}, {72029,1385},{728905,1377},{589057,1363},{348621,1356}, {671515,1332},{710453,1315},{84249,1296},{959363,1292}, {685853,1277},{467591,1274},{646643,1267},{683029,1264}, {439927,1249},{254461,1229},{660713,1223},{554195,1220}, {202911,1215},{753253,1195},{941457,1190},{776635,1187}, {509511,1182},{986147,1156},{768879,1151},{699431,1140}, {696417,1128},{86169,1119},{808997,1114},{25467,1107}, {201353,1100},{708087,1084},{1018339,1079},{341297,1073}, {434151,1066},{96287,1058},{950765,1051},{298257,1039}, {675933,1035},{167731,1029},{815445,1027}, }; /* Element j gives the index of the first prime of size 3+j bits */ static uint8_t prime_by_size[9] = { 1,3,5,10,17,30,53,96,171 }; /* Combined Miller-Rabin test to the base a, and checking the conditions from Pocklington's theorem, nm1dq holds (n-1)/q, with q prime. */ static int miller_rabin_pocklington(mpz_t n, mpz_t nm1, mpz_t nm1dq, mpz_t a) { mpz_t r; mpz_t y; int is_prime = 0; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned k; unsigned j; VERBOSE("."); if (mpz_even_p(n) || mpz_cmp_ui(n, 3) < 0) return 0; mpz_init(r); mpz_init(y); k = mpz_scan1(nm1, 0); assert(k > 0); mpz_fdiv_q_2exp (r, nm1, k); mpz_powm(y, a, r, n); if (mpz_cmp_ui(y, 1) == 0 || mpz_cmp(y, nm1) == 0) goto passed_miller_rabin; for (j = 1; j < k; j++) { mpz_powm_ui (y, y, 2, n); if (mpz_cmp_ui (y, 1) == 0) break; if (mpz_cmp (y, nm1) == 0) { passed_miller_rabin: /* We know that a^{n-1} = 1 (mod n) Remains to check that gcd(a^{(n-1)/q} - 1, n) == 1 */ VERBOSE("x"); mpz_powm(y, a, nm1dq, n); mpz_sub_ui(y, y, 1); mpz_gcd(y, y, n); is_prime = mpz_cmp_ui (y, 1) == 0; VERBOSE(is_prime ? "\n" : ""); break; } } mpz_clear(r); mpz_clear(y); return is_prime; } /* The most basic variant of Pocklingtons theorem: Assume that q^e | (n-1), with q prime. If we can find an a such that a^{n-1} = 1 (mod n) gcd(a^{(n-1)/q} - 1, n) = 1 then any prime divisor p of n satisfies p = 1 (mod q^e). Proof (Cohen, 8.3.2): Assume p is a prime factor of n. The central idea of the proof is to consider the order, modulo p, of a. Denote this by d. a^{n-1} = 1 (mod n) implies a^{n-1} = 1 (mod p), hence d | (n-1). Next, the condition gcd(a^{(n-1)/q} - 1, n) = 1 implies that a^{(n-1)/q} != 1, hence d does not divide (n-1)/q. Since q is prime, this means that q^e | d. Finally, we have a^{p-1} = 1 (mod p), hence d | (p-1). So q^e | d | (p-1), which gives the desired result: p = 1 (mod q^e). * Variant, slightly stronger than Fact 4.59, HAC: Assume n = 1 + 2rq, q an odd prime, r <= 2q, and a^{n-1} = 1 (mod n) gcd(a^{(n-1)/q} - 1, n) = 1 Then n is prime. Proof: By Pocklington's theorem, any prime factor p satisfies p = 1 (mod q). Neither 1 or q+1 are primes, hence p >= 1 + 2q. If n is composite, we have n >= (1+2q)^2. But the assumption r <= 2q implies n <= 1 + 4q^2, a contradiction. In bits, the requirement is that #n <= 2 #q, then r = (n-1)/2q < 2^{#n - #q} <= 2^#q = 2 2^{#q-1}< 2 q * Another variant with an extra test (Variant of Fact 4.42, HAC): Assume n = 1 + 2rq, n odd, q an odd prime, 8 q^3 >= n a^{n-1} = 1 (mod n) gcd(a^{(n-1)/q} - 1, n) = 1 Also let x = floor(r / 2q), y = r mod 2q, If y^2 - 4x is not a square, then n is prime. Proof (adapted from Maurer, Journal of Cryptology, 8 (1995)): Assume n is composite. There are at most two factors, both odd, n = (1+2m_1 q)(1+2m_2 q) = 1 + 4 m_1 m_2 q^2 + 2 (m_1 + m_2) q where we can assume m_1 >= m_2. Then the bound n <= 8 q^3 implies m_1 m_2 < 2q, restricting (m_1, m_2) to the domain 0 < m_2 < sqrt(2q), 0 < m_1 < 2q / m_2. We have the bound m_1 + m_2 < 2q / m_2 + m_2 <= 2q + 1 (maximum value for m_2 = 1) And the case m_1 = 2q, m_2 = 1 can be excluded, because it gives n > 8q^3. So in fact, m_1 + m_2 < 2q. Next, write r = (n-1)/2q = 2 m_1 m_2 q + m_1 + m_2. If follows that m_1 + m_2 = y and m_1 m_2 = x. m_1 and m_2 are thus the roots of the equation m^2 - y m + x = 0 which has integer roots iff y^2 - 4 x is the square of an integer. In bits, the requirement is that #n <= 3 #q, then n < 2^#n <= 2^{3 #q} = 8 2^{3 (#q-1)} < 8 q^3 */ /* Generate a prime number p of size bits with 2 p0q dividing (p-1). p0 must be of size >= ceil(bits/3). The extra factor q can be omitted (then p0 and p0q should be equal). If top_bits_set is one, the topmost two bits are set to one, suitable for RSA primes. Also returns r = (p-1)/p0q. */ void _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, const mpz_t p0, const mpz_t q, const mpz_t p0q) { mpz_t r_min, r_range, pm1, a, e; int need_square_test; unsigned p0_bits; mpz_t x, y, p04; p0_bits = mpz_sizeinbase (p0, 2); assert (bits <= 3*p0_bits); assert (bits > p0_bits); need_square_test = (bits > 2 * p0_bits); mpz_init (r_min); mpz_init (r_range); mpz_init (pm1); mpz_init (a); if (need_square_test) { mpz_init (x); mpz_init (y); mpz_init (p04); mpz_mul_2exp (p04, p0, 2); } if (q) mpz_init (e); if (top_bits_set) { /* i = floor (2^{bits-3} / p0q), then 3I + 3 <= r <= 4I, with I - 2 possible values. */ mpz_set_ui (r_min, 1); mpz_mul_2exp (r_min, r_min, bits-3); mpz_fdiv_q (r_min, r_min, p0q); mpz_sub_ui (r_range, r_min, 2); mpz_mul_ui (r_min, r_min, 3); mpz_add_ui (r_min, r_min, 3); } else { /* i = floor (2^{bits-2} / p0q), I + 1 <= r <= 2I */ mpz_set_ui (r_range, 1); mpz_mul_2exp (r_range, r_range, bits-2); mpz_fdiv_q (r_range, r_range, p0q); mpz_add_ui (r_min, r_range, 1); } for (;;) { uint8_t buf[1]; nettle_mpz_random (r, ctx, random, r_range); mpz_add (r, r, r_min); /* Set p = 2*r*p0q + 1 */ mpz_mul_2exp(r, r, 1); mpz_mul (pm1, r, p0q); mpz_add_ui (p, pm1, 1); assert(mpz_sizeinbase(p, 2) == bits); /* Should use GMP trial division interface when that materializes, we don't need any testing beyond trial division. */ if (!mpz_probab_prime_p (p, 1)) continue; random(ctx, sizeof(buf), buf); mpz_set_ui (a, buf[0] + 2); if (q) { mpz_mul (e, r, q); if (!miller_rabin_pocklington(p, pm1, e, a)) continue; if (need_square_test) { /* Our e corresponds to 2r in the theorem */ mpz_tdiv_qr (x, y, e, p04); goto square_test; } } else { if (!miller_rabin_pocklington(p, pm1, r, a)) continue; if (need_square_test) { mpz_tdiv_qr (x, y, r, p04); square_test: /* We have r' = 2r, x = floor (r/2q) = floor(r'/2q), and y' = r' - x 4q = 2 (r - x 2q) = 2y. Then y^2 - 4x is a square iff y'^2 - 16 x is a square. */ mpz_mul (y, y, y); mpz_submul_ui (y, x, 16); if (mpz_perfect_square_p (y)) continue; } } /* If we passed all the tests, we have found a prime. */ break; } mpz_clear (r_min); mpz_clear (r_range); mpz_clear (pm1); mpz_clear (a); if (need_square_test) { mpz_clear (x); mpz_clear (y); mpz_clear (p04); } if (q) mpz_clear (e); } /* Generate random prime of a given size. Maurer's algorithm (Alg. 6.42 Handbook of applied cryptography), but with ratio = 1/2 (like the variant in fips186-3). */ void nettle_random_prime(mpz_t p, unsigned bits, int top_bits_set, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress) { assert (bits >= 3); if (bits <= 10) { unsigned first; unsigned choices; uint8_t buf; assert (!top_bits_set); random (random_ctx, sizeof(buf), &buf); first = prime_by_size[bits-3]; choices = prime_by_size[bits-2] - first; mpz_set_ui (p, primes[first + buf % choices]); } else if (bits <= 20) { unsigned long highbit; uint8_t buf[3]; unsigned long x; unsigned j; assert (!top_bits_set); highbit = 1L << (bits - 1); again: random (random_ctx, sizeof(buf), buf); x = READ_UINT24(buf); x &= (highbit - 1); x |= highbit | 1; for (j = 0; prime_square[j] <= x; j++) { unsigned q = x * trial_div_table[j].inverse & TRIAL_DIV_MASK; if (q <= trial_div_table[j].limit) goto again; } mpz_set_ui (p, x); } else { mpz_t q, r; mpz_init (q); mpz_init (r); /* Bit size ceil(k/2) + 1, slightly larger than used in Alg. 4.62 in Handbook of Applied Cryptography (which seems to be incorrect for odd k). */ nettle_random_prime (q, (bits+3)/2, 0, random_ctx, random, progress_ctx, progress); _nettle_generate_pocklington_prime (p, r, bits, top_bits_set, random_ctx, random, q, NULL, q); if (progress) progress (progress_ctx, 'x'); mpz_clear (q); mpz_clear (r); } } nettle-3.10/hmac-ripemd160-meta.c0000644000175000017500000000250214633602171015463 0ustar nissenisse/* hmac-ripemd160-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_ripemd160_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_ripemd160_set_key (ctx, RIPEMD160_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_ripemd160 = _NETTLE_HMAC(hmac_ripemd160, RIPEMD160); nettle-3.10/nettle-types.h0000644000175000017500000000706314633602172014574 0ustar nissenisse/* nettle-types.h Copyright (C) 2005, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_TYPES_H #define NETTLE_TYPES_H /* For size_t */ #include #include /* Attributes we want to use in installed header files, and hence can't rely on config.h. */ #ifdef __GNUC__ #define _NETTLE_ATTRIBUTE_PURE __attribute__((pure)) #ifndef _NETTLE_ATTRIBUTE_DEPRECATED /* Variant without message is supported since gcc-3.1 or so. */ #define _NETTLE_ATTRIBUTE_DEPRECATED __attribute__((deprecated)) #endif #else /* !__GNUC__ */ #define _NETTLE_ATTRIBUTE_PURE #define _NETTLE_ATTRIBUTE_DEPRECATED #endif /* !__GNUC__ */ #ifdef __cplusplus extern "C" { #endif /* An aligned 16-byte block. */ union nettle_block16 { uint8_t b[16]; unsigned long w[16 / sizeof(unsigned long)] _NETTLE_ATTRIBUTE_DEPRECATED; uint64_t u64[2]; }; union nettle_block8 { uint8_t b[8]; uint64_t u64; }; /* Randomness. Used by key generation and dsa signature creation. */ typedef void nettle_random_func(void *ctx, size_t length, uint8_t *dst); /* Progress report function, mainly for key generation. */ typedef void nettle_progress_func(void *ctx, int c); /* Realloc function, used by struct nettle_buffer. */ typedef void *nettle_realloc_func(void *ctx, void *p, size_t length); /* Ciphers */ typedef void nettle_set_key_func(void *ctx, const uint8_t *key); /* For block ciphers, const context. */ typedef void nettle_cipher_func(const void *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* Uses a void * for cipher contexts. Used for crypt operations where the internal state changes during the encryption. */ typedef void nettle_crypt_func(void *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* Hash algorithms */ typedef void nettle_hash_init_func(void *ctx); typedef void nettle_hash_update_func(void *ctx, size_t length, const uint8_t *src); typedef void nettle_hash_digest_func(void *ctx, size_t length, uint8_t *dst); /* ASCII armor codecs. NOTE: Experimental and subject to change. */ typedef size_t nettle_armor_length_func(size_t length); typedef void nettle_armor_init_func(void *ctx); typedef size_t nettle_armor_encode_update_func(void *ctx, char *dst, size_t src_length, const uint8_t *src); typedef size_t nettle_armor_encode_final_func(void *ctx, char *dst); typedef int nettle_armor_decode_update_func(void *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src); typedef int nettle_armor_decode_final_func(void *ctx); #ifdef __cplusplus } #endif #endif /* NETTLE_TYPES_H */ nettle-3.10/pbkdf2.c0000644000175000017500000000451114633602171013274 0ustar nissenisse/* pbkdf2.c PKCS #5 password-based key derivation function PBKDF2, see RFC 2898. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "pbkdf2.h" #include "macros.h" #include "memxor.h" #include "nettle-internal.h" void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { TMP_DECL(U, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL(T, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); unsigned i; assert (iterations > 0); if (length == 0) return; TMP_ALLOC (U, digest_size); TMP_ALLOC (T, digest_size); for (i = 1;; i++, dst += digest_size, length -= digest_size) { uint8_t tmp[4]; uint8_t *prev; unsigned u; WRITE_UINT32 (tmp, i); update (mac_ctx, salt_length, salt); update (mac_ctx, sizeof(tmp), tmp); digest (mac_ctx, digest_size, T); prev = T; for (u = 1; u < iterations; u++, prev = U) { update (mac_ctx, digest_size, prev); digest (mac_ctx, digest_size, U); memxor (T, U, digest_size); } if (length <= digest_size) { memcpy (dst, T, length); return; } memcpy (dst, T, digest_size); } } nettle-3.10/write-be32.c0000644000175000017500000000330214633602171014004 0ustar nissenisse/* write-be32.c Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-write.h" #include "macros.h" void _nettle_write_be32(size_t length, uint8_t *dst, const uint32_t *src) { size_t i; size_t words; unsigned leftover; words = length / 4; leftover = length % 4; for (i = 0; i < words; i++, dst += 4) WRITE_UINT32(dst, src[i]); if (leftover) { uint32_t word; unsigned j = leftover; word = src[i]; switch (leftover) { default: abort(); case 3: dst[--j] = (word >> 8) & 0xff; /* Fall through */ case 2: dst[--j] = (word >> 16) & 0xff; /* Fall through */ case 1: dst[--j] = (word >> 24) & 0xff; } } } nettle-3.10/memeql-sec.c0000644000175000017500000000264314633602171014160 0ustar nissenisse/* memeql-sec.c Copyright (C) 2016 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "memops.h" #include "nettle-internal.h" int memeql_sec (const void *a, const void *b, size_t n) { volatile const unsigned char *ap = (const unsigned char *) a; volatile const unsigned char *bp = (const unsigned char *) b; volatile unsigned char diff; size_t i; for (i = diff = 0; i < n; i++) diff |= (ap[i] ^ bp[i]); return IS_ZERO_SMALL (diff); } nettle-3.10/CONTRIBUTING.md0000644000175000017500000000114114633602172014206 0ustar nissenisse# nettle -- Information about our contribution rules # Test suite: New functionality should be accompanied by a test case which verifies its correctness, on successful use of the new functionality, as well as on failure cases. The nettle test suite is run on "make check". # Continuous Integration (CI) We utilize a continuous integration systems, using gitlab-ci. This is run on a repository mirror at: https://gitlab.com/gnutls/nettle # Sending patches Please do not utilize the gitlab web interfaces. They are not being followed on. Please send your patches to nettle-bugs@lists.lysator.liu.se nettle-3.10/siv-ghash-set-key.c0000644000175000017500000000273314633602171015400 0ustar nissenisse/* siv-ghash-set-key.c POLYVAL implementation for AES-GCM-SIV, based on GHASH Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018, 2022 Niels Möller Copyright (C) 2018, 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ghash-internal.h" #include "block-internal.h" void _siv_ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) { union nettle_block16 h; block16_bswap (&h, key); block16_mulx_ghash (&h, &h); _ghash_set_key (ctx, &h); } nettle-3.10/ghash-set-key.c0000644000175000017500000000601314633602171014574 0ustar nissenisse/* ghash-set-key.c Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf See also the gcm paper at http://www.cryptobarn.com/papers/gcm-spec.pdf. Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018, 2022 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ghash-internal.h" #include "block-internal.h" /* For fat builds */ #if HAVE_NATIVE_ghash_set_key void _nettle_ghash_set_key_c (struct gcm_key *ctx, const union nettle_block16 *key); #define _nettle_ghash_set_key _nettle_ghash_set_key_c #endif #if GCM_TABLE_BITS < 7 # error Unsupported table size. #endif /* Implements a lookup table for processors without carryless-mul instruction. */ void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key) { /* Table elements hold the key, premultiplied by all needed powers of x. Element ordering follows the order bits are processed in _ghash_update, alternating u64[0] and u64[1] bits, starting from the least significant end. In the gcm bit order, bits (left to right) correspond to x powers (the numbers) like |0...7|8...15|...|56...63|64...71|72...79|...|120...127| where | indicates the byte boundaries. On little endian, these bits are in u64 like u64[0]: | 56...63 48...55 40...47 32...39 24...31 16...23 8...15 0...7| u64[1]: |120...127 112...129 104...111 96...103 88...95 80...87 72...79 64...71| With big-endian, we instead get u64[0]: |0...63| u64[1]: |64...127| */ #if WORDS_BIGENDIAN # define INDEX_PERMUTE 63 #else # define INDEX_PERMUTE 7 #endif unsigned i; block16_set (&ctx->h[2*INDEX_PERMUTE], key); for (i = 1; i < 64; i++) block16_mulx_ghash(&ctx->h[2*(i ^ INDEX_PERMUTE)], &ctx->h[2*((i-1) ^ INDEX_PERMUTE)]); block16_mulx_ghash(&ctx->h[2*INDEX_PERMUTE + 1], &ctx->h[2*(63^INDEX_PERMUTE)]); for (i = 1; i < 64; i++) block16_mulx_ghash(&ctx->h[2*(i ^ INDEX_PERMUTE)+1], &ctx->h[2*((i-1) ^ INDEX_PERMUTE)+1]); } nettle-3.10/serpent-encrypt.c0000644000175000017500000003476714633602171015306 0ustar nissenisse/* serpent-encrypt.c The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "serpent.h" #include "macros.h" #include "serpent-internal.h" /* These are the S-Boxes of Serpent. They are copied from Serpents reference implementation (the optimized one, contained in `floppy2') and are therefore: Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen. To quote the Serpent homepage (http://www.cl.cam.ac.uk/~rja14/serpent.html): "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the GNU PUBLIC LICENSE (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application." */ /* S0: 3 8 15 1 10 6 5 11 14 13 4 2 7 0 9 12 */ /* Could easily let y0, y1 overlap with x0, x1, and possibly also x2 and y2 */ #define SBOX0(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x1 ^ x2; \ y0 = x0 | x3; \ y1 = x0 ^ x1; \ y3 ^= y0; \ y2 = x2 | y3; \ x0 ^= x3; \ y2 &= x3; \ x3 ^= x2; \ x2 |= x1; \ y0 = y1 & x2; \ y2 ^= y0; \ y0 &= y2; \ y0 ^= x2; \ x1 &= x0; \ y0 ^= x0; \ y0 = ~ y0; \ y1 = y0 ^ x1; \ y1 ^= x3; \ } while (0) /* FIXME: Arrange for some overlap between inputs and outputs? */ /* S1: 15 12 2 7 9 0 5 10 1 11 14 8 6 13 3 4 */ /* Original single-assignment form: t01 = x0 | x3; t02 = x2 ^ x3; t03 = ~ x1; t04 = x0 ^ x2; t05 = x0 | t03; t06 = x3 & t04; t07 = t01 & t02; t08 = x1 | t06; y2 = t02 ^ t05; t10 = t07 ^ t08; t11 = t01 ^ t10; t12 = y2 ^ t11; t13 = x1 & x3; y3 = ~ t10; y1 = t13 ^ t12; t16 = t10 | y1; t17 = t05 & t16; y0 = x2 ^ t17; */ #define SBOX1(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x0 | x3; \ y2 = x2 ^ x3; \ y0 = ~ x1; \ y3 = x0 ^ x2; \ y0 |= x0; \ y3 &= x3; \ x0 = y1 & y2; \ y3 |= x1; \ y2 ^= y0; \ y3 ^= x0; \ x0 = y1 ^ y3; \ x0 ^= y2; \ y1 = x1 & x3; \ y1 ^= x0; \ x3 = y1 | y3; \ y3 = ~ y3; \ y0 &= x3; \ y0 ^= x2; \ } while (0) /* FIXME: Arrange for some overlap between inputs and outputs? */ /* S2: 8 6 7 9 3 12 10 15 13 1 14 4 0 11 5 2 */ #define SBOX2(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y2 = x0 | x2; \ y1 = x0 ^ x1; \ y3 = x3 ^ y2; \ y0 = y1 ^ y3; \ x3 |= x0; \ x2 ^= y0; \ x0 = x1 ^ x2; \ x2 |= x1; \ x0 &= y2; \ y3 ^= x2; \ y1 |= y3; \ y1 ^= x0; \ y2 = y3 ^ y1; \ y2 ^= x1; \ y3 = ~ y3; \ y2 ^= x3; \ } while (0) /* S3: 0 15 11 8 12 9 6 3 13 1 2 4 10 7 5 14 */ /* Original single-assignment form: t01 = x0 ^ x2; t02 = x0 | x3; t03 = x0 & x3; t04 = t01 & t02; t05 = x1 | t03; t06 = x0 & x1; t07 = x3 ^ t04; t08 = x2 | t06; t09 = x1 ^ t07; t10 = x3 & t05; t11 = t02 ^ t10; y3 = t08 ^ t09; t13 = x3 | y3; t14 = x0 | t07; t15 = x1 & t13; y2 = t08 ^ t11; y0 = t14 ^ t15; y1 = t05 ^ t04; */ #define SBOX3(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x0 ^ x2; \ y0 = x0 | x3; \ y3 = x0 & x3; \ y1 &= y0; \ y3 |= x1; \ y2 = x0 & x1; \ y2 |= x2; \ x2 = x3 ^ y1; \ y1 ^= y3; \ x0 |= x2; \ x2 ^= x1; \ y3 &= x3; \ y0 ^= y3; \ y3 = y2 ^ x2; \ y2 ^= y0; \ x3 |= y3; \ x1 &= x3; \ y0 = x0 ^ x1; \ } while (0) /* S4: 1 15 8 3 12 0 11 6 2 5 4 10 9 14 7 13 */ /* Original single-assignment form: t01 = x0 | x1; t02 = x1 | x2; t03 = x0 ^ t02; t04 = x1 ^ x3; t05 = x3 | t03; t06 = x3 & t01; y3 = t03 ^ t06; t08 = y3 & t04; t09 = t04 & t05; t10 = x2 ^ t06; t11 = x1 & x2; t12 = t04 ^ t08; t13 = t11 | t03; t14 = t10 ^ t09; t15 = x0 & t05; t16 = t11 | t12; y2 = t13 ^ t08; y1 = t15 ^ t16; y0 = ~ t14; */ #define SBOX4(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x0 | x1; \ y2 = x1 | x2; \ y2 ^= x0; \ y3 &= x3; \ y0 = x1 ^ x3; \ x3 |= y2; \ x0 &= x3; \ x1 &= x2; \ x2 ^= y3; \ y3 ^= y2; \ y2 |= x1; \ y1 = y3 & y0; \ y2 ^= y1; \ y1 ^= y0; \ y1 |= x1; \ y1 ^= x0; \ y0 &= x3; \ y0 ^= x2; \ y0 = ~y0; \ } while (0) /* S5: 15 5 2 11 4 10 9 12 0 3 14 8 13 6 7 1 */ /* Original single-assignment form: t01 = x1 ^ x3; t02 = x1 | x3; t03 = x0 & t01; t04 = x2 ^ t02; t05 = t03 ^ t04; y0 = ~ t05; t07 = x0 ^ t01; t08 = x3 | y0; t09 = x1 | t05; t10 = x3 ^ t08; t11 = x1 | t07; t12 = t03 | y0; t13 = t07 | t10; t14 = t01 ^ t11; y2 = t09 ^ t13; y1 = t07 ^ t08; y3 = t12 ^ t14; */ #define SBOX5(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x1 | x3; \ y0 ^= x2; \ x2 = x1 ^ x3; \ y2 = x0 ^ x2; \ x0 &= x2; \ y0 ^= x0; \ y3 = x1 | y2; \ x1 |= y0; \ y0 = ~y0; \ x0 |= y0; \ y3 ^= x2; \ y3 ^= x0; \ y1 = x3 | y0; \ x3 ^= y1; \ y1 ^= y2; \ y2 |= x3; \ y2 ^= x1; \ } while (0) /* S6: 7 2 12 5 8 4 6 11 14 9 1 15 13 3 10 0 */ /* Original single-assignment form: t01 = x0 & x3; t02 = x1 ^ x2; t03 = x0 ^ x3; t04 = t01 ^ t02; t05 = x1 | x2; y1 = ~ t04; t07 = t03 & t05; t08 = x1 & y1; t09 = x0 | x2; t10 = t07 ^ t08; t11 = x1 | x3; t12 = x2 ^ t11; t13 = t09 ^ t10; y2 = ~ t13; t15 = y1 & t03; y3 = t12 ^ t07; t17 = x0 ^ x1; t18 = y2 ^ t15; y0 = t17 ^ t18; */ #define SBOX6(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 ^ x3; \ y1 = x0 & x3; \ y2 = x0 | x2; \ x3 |= x1; \ x3 ^= x2; \ x0 ^= x1; \ y3 = x1 | x2; \ x2 ^= x1; \ y3 &= y0; \ y1 ^= x2; \ y1 = ~y1; \ y0 &= y1; \ x1 &= y1; \ x1 ^= y3; \ y3 ^= x3; \ y2 ^= x1; \ y2 = ~y2; \ y0 ^= y2; \ y0 ^= x0; \ } while (0) /* S7: 1 13 15 0 14 8 2 11 7 4 12 10 9 3 5 6 */ /* Original single-assignment form: t01 = x0 & x2; t02 = ~ x3; t03 = x0 & t02; t04 = x1 | t01; t05 = x0 & x1; t06 = x2 ^ t04; y3 = t03 ^ t06; t08 = x2 | y3; t09 = x3 | t05; t10 = x0 ^ t08; t11 = t04 & y3; y1 = t09 ^ t10; t13 = x1 ^ y1; t14 = t01 ^ y1; t15 = x2 ^ t05; t16 = t11 | t13; t17 = t02 | t14; y0 = t15 ^ t17; y2 = x0 ^ t16; */ /* It appears impossible to do this with only 8 registers. We recompute t02, and t04 (if we have spare registers, hopefully the compiler can recognize them as common subexpressions). */ #define SBOX7(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 & x2; \ y3 = x1 | y0; /* t04 */ \ y3 ^= x2; \ y1 = ~x3; /* t02 */ \ y1 &= x0; \ y3 ^= y1; \ y1 = x2 | y3; \ y1 ^= x0; \ y2 = x0 & x1; \ x2 ^= y2; \ y2 |= x3; \ y1 ^= y2; \ y2 = x1 | y0; /* t04 */ \ y2 &= y3; \ x1 ^= y1; \ y2 |= x1; \ y2 ^= x0; \ y0 ^= y1; \ x3 = ~x3; /* t02 */ \ y0 |= x3; \ y0 ^= x2; \ } while (0) /* In-place linear transformation. */ #define LINEAR_TRANSFORMATION(x0,x1,x2,x3) \ do { \ x0 = ROTL32 (13, x0); \ x2 = ROTL32 (3, x2); \ x1 = x1 ^ x0 ^ x2; \ x3 = x3 ^ x2 ^ (x0 << 3); \ x1 = ROTL32 (1, x1); \ x3 = ROTL32 (7, x3); \ x0 = x0 ^ x1 ^ x3; \ x2 = x2 ^ x3 ^ (x1 << 7); \ x0 = ROTL32 (5, x0); \ x2 = ROTL32 (22, x2); \ } while (0) /* Round inputs are x0,x1,x2,x3 (destroyed), and round outputs are y0,y1,y2,y3. */ #define ROUND(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ KEYXOR(x0,x1,x2,x3, subkey); \ SBOX##which(x0,x1,x2,x3, y0,y1,y2,y3); \ LINEAR_TRANSFORMATION(y0,y1,y2,y3); \ } while (0) #if HAVE_NATIVE_64_BIT #define LINEAR_TRANSFORMATION64(x0,x1,x2,x3) \ do { \ x0 = DROTL32 (13, x0); \ x2 = DROTL32 (3, x2); \ x1 = x1 ^ x0 ^ x2; \ x3 = x3 ^ x2 ^ DRSHIFT32(3, x0); \ x1 = DROTL32 (1, x1); \ x3 = DROTL32 (7, x3); \ x0 = x0 ^ x1 ^ x3; \ x2 = x2 ^ x3 ^ DRSHIFT32(7, x1); \ x0 = DROTL32 (5, x0); \ x2 = DROTL32 (22, x2); \ } while (0) #define ROUND64(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ KEYXOR64(x0,x1,x2,x3, subkey); \ SBOX##which(x0,x1,x2,x3, y0,y1,y2,y3); \ LINEAR_TRANSFORMATION64(y0,y1,y2,y3); \ } while (0) #endif /* HAVE_NATIVE_64_BIT */ void serpent_encrypt (const struct serpent_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { assert( !(length % SERPENT_BLOCK_SIZE)); #if HAVE_NATIVE_64_BIT if (length & SERPENT_BLOCK_SIZE) #else while (length >= SERPENT_BLOCK_SIZE) #endif { uint32_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); for (k = 0; ; k += 8) { ROUND (0, ctx->keys[k+0], x0,x1,x2,x3, y0,y1,y2,y3); ROUND (1, ctx->keys[k+1], y0,y1,y2,y3, x0,x1,x2,x3); ROUND (2, ctx->keys[k+2], x0,x1,x2,x3, y0,y1,y2,y3); ROUND (3, ctx->keys[k+3], y0,y1,y2,y3, x0,x1,x2,x3); ROUND (4, ctx->keys[k+4], x0,x1,x2,x3, y0,y1,y2,y3); ROUND (5, ctx->keys[k+5], y0,y1,y2,y3, x0,x1,x2,x3); ROUND (6, ctx->keys[k+6], x0,x1,x2,x3, y0,y1,y2,y3); if (k == 24) break; ROUND (7, ctx->keys[k+7], y0,y1,y2,y3, x0,x1,x2,x3); } /* Special final round, using two subkeys. */ KEYXOR (y0,y1,y2,y3, ctx->keys[31]); SBOX7 (y0,y1,y2,y3, x0,x1,x2,x3); KEYXOR (x0,x1,x2,x3, ctx->keys[32]); LE_WRITE_UINT32 (dst, x0); LE_WRITE_UINT32 (dst + 4, x1); LE_WRITE_UINT32 (dst + 8, x2); LE_WRITE_UINT32 (dst + 12, x3); src += SERPENT_BLOCK_SIZE; dst += SERPENT_BLOCK_SIZE; length -= SERPENT_BLOCK_SIZE; } #if HAVE_NATIVE_64_BIT FOR_BLOCKS(length, dst, src, 2*SERPENT_BLOCK_SIZE) { uint64_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); x0 <<= 32; x0 |= LE_READ_UINT32 (src + 16); x1 <<= 32; x1 |= LE_READ_UINT32 (src + 20); x2 <<= 32; x2 |= LE_READ_UINT32 (src + 24); x3 <<= 32; x3 |= LE_READ_UINT32 (src + 28); for (k = 0; ; k += 8) { ROUND64 (0, ctx->keys[k+0], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64 (1, ctx->keys[k+1], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64 (2, ctx->keys[k+2], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64 (3, ctx->keys[k+3], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64 (4, ctx->keys[k+4], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64 (5, ctx->keys[k+5], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64 (6, ctx->keys[k+6], x0,x1,x2,x3, y0,y1,y2,y3); if (k == 24) break; ROUND64 (7, ctx->keys[k+7], y0,y1,y2,y3, x0,x1,x2,x3); } /* Special final round, using two subkeys. */ KEYXOR64 (y0,y1,y2,y3, ctx->keys[31]); SBOX7 (y0,y1,y2,y3, x0,x1,x2,x3); KEYXOR64 (x0,x1,x2,x3, ctx->keys[32]); LE_WRITE_UINT32 (dst + 16, x0); LE_WRITE_UINT32 (dst + 20, x1); LE_WRITE_UINT32 (dst + 24, x2); LE_WRITE_UINT32 (dst + 28, x3); x0 >>= 32; LE_WRITE_UINT32 (dst, x0); x1 >>= 32; LE_WRITE_UINT32 (dst + 4, x1); x2 >>= 32; LE_WRITE_UINT32 (dst + 8, x2); x3 >>= 32; LE_WRITE_UINT32 (dst + 12, x3); } #endif /* HAVE_NATIVE_64_BIT */ } nettle-3.10/balloon-sha384.c0000644000175000017500000000322214633602171014560 0ustar nissenisse/* balloon-sha384.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "balloon.h" #include "sha2.h" void balloon_sha384(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { struct sha384_ctx ctx; sha384_init(&ctx); balloon(&ctx, (nettle_hash_update_func*)sha384_update, (nettle_hash_digest_func*)sha384_digest, SHA384_DIGEST_SIZE, s_cost, t_cost, passwd_length, passwd, salt_length, salt, scratch, dst); } nettle-3.10/hmac-sha224.c0000644000175000017500000000264114633602171014037 0ustar nissenisse/* hmac-sha224.c HMAC-SHA224 message authentication code. Copyright (C) 2003, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha224_set_key(struct hmac_sha224_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha224, key_length, key); } void hmac_sha224_digest(struct hmac_sha224_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha224, length, digest); } nettle-3.10/nettle-meta-hashes.c0000644000175000017500000000320214633602171015610 0ustar nissenisse/* nettle-meta-hashes.c Copyright (C) 2011 Daniel Kahn Gillmor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" const struct nettle_hash * const _nettle_hashes[] = { &nettle_gosthash94, &nettle_gosthash94cp, &nettle_md2, &nettle_md4, &nettle_md5, &nettle_ripemd160, &nettle_sha1, &nettle_sha224, &nettle_sha256, &nettle_sha384, &nettle_sha512, &nettle_sha512_224, &nettle_sha512_256, &nettle_sha3_224, &nettle_sha3_256, &nettle_sha3_384, &nettle_sha3_512, &nettle_streebog256, &nettle_streebog512, &nettle_sm3, NULL }; const struct nettle_hash * const * nettle_get_hashes (void) { return _nettle_hashes; } nettle-3.10/ecc-dup-eh.c0000644000175000017500000000507614633602171014045 0ustar nissenisse/* ecc-dup-eh.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Double a point on an Edwards curve, in homogeneous coordinates */ void ecc_dup_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 r #define y2 (r + ecc->p.size) #define z2 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-edwards-projective.html#doubling-dbl-2007-bl): Computation Operation Live variables b = (x+y)^2 sqr b c = x^2 sqr b, c d = y^2 sqr b, c, d e = c+d b, c, d, e h = z^2 sqr b, c, d, e, h j = e-2*h b, c, d, e, j x' = (b-e)*j mul c, d, e, j y' = e*(c-d) mul e, j z' = e*j mul */ #define C scratch #define D (scratch + 1*ecc->p.size) #define B (scratch + 2*ecc->p.size) #define E C ecc_mod_sqr (&ecc->p, C, x1, C); /* C */ ecc_mod_sqr (&ecc->p, D, y1, D); /* C, D */ ecc_mod_add (&ecc->p, B, x1, y1); ecc_mod_sqr (&ecc->p, B, B, x2); /* C, D, B */ /* c-d stored at y' */ ecc_mod_sub (&ecc->p, y2, C, D); ecc_mod_add (&ecc->p, E, C, D); /* B, E */ /* b-e stored at x' */ ecc_mod_sub (&ecc->p, x2, B, E); /* E */ /* Use D as scratch for the following multiplies. */ ecc_mod_mul (&ecc->p, y2, y2, E, D); /* h and j stored at z' */ ecc_mod_sqr (&ecc->p, z2, z1, D); ecc_mod_add (&ecc->p, z2, z2, z2); ecc_mod_sub (&ecc->p, z2, E, z2); ecc_mod_mul (&ecc->p, x2, x2, z2, D); ecc_mod_mul (&ecc->p, z2, z2, E, D); } nettle-3.10/nettle-meta-macs.c0000644000175000017500000000303414633602171015263 0ustar nissenisse/* nettle-meta-macs.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" const struct nettle_mac * const _nettle_macs[] = { &nettle_cmac_aes128, &nettle_cmac_aes256, &nettle_cmac_des3, &nettle_hmac_md5, &nettle_hmac_ripemd160, &nettle_hmac_sha1, &nettle_hmac_sha224, &nettle_hmac_sha256, &nettle_hmac_sha384, &nettle_hmac_sha512, &nettle_hmac_streebog256, &nettle_hmac_streebog512, &nettle_hmac_sm3, NULL }; const struct nettle_mac * const * nettle_get_macs (void) { return _nettle_macs; } nettle-3.10/aes-set-key-internal.c0000644000175000017500000000366214633602171016073 0ustar nissenisse/* aes-set-key-internal.c Key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Originally written by Rafael R. Sevilla */ #if HAVE_CONFIG_H # include "config.h" #endif #include "aes-internal.h" #include #include "macros.h" void _nettle_aes_set_key(unsigned nr, unsigned nk, uint32_t *subkeys, const uint8_t *key) { static const uint8_t rcon[10] = { 0x01,0x02,0x04,0x08,0x10,0x20,0x40,0x80,0x1b,0x36, }; const uint8_t *rp; unsigned lastkey, i; uint32_t t; assert(nk != 0); lastkey = (AES_BLOCK_SIZE/4) * (nr + 1); for (i=0, rp = rcon; i 6 && (i%nk) == 4) t = SUBBYTE(t, aes_sbox); subkeys[i] = subkeys[i-nk] ^ t; } } nettle-3.10/hmac-sha1-meta.c0000644000175000017500000000243714633602171014617 0ustar nissenisse/* hmac-sha1-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha1_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha1_set_key (ctx, SHA1_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha1 = _NETTLE_HMAC(hmac_sha1, SHA1); nettle-3.10/dsa2sexp.c0000644000175000017500000000327414633602171013662 0ustar nissenisse/* dsa2sexp.c Copyright (C) 2002, 2009, 2014 Niels Möller, Magnus Holmgren This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "sexp.h" int dsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, const struct dsa_params *params, const mpz_t pub, const mpz_t priv) { if (!algorithm_name) algorithm_name = "dsa"; if (priv) return sexp_format(buffer, "(private-key(%0s(p%b)(q%b)" "(g%b)(y%b)(x%b)))", algorithm_name, params->p, params->q, params->g, pub, priv); else return sexp_format(buffer, "(public-key(%0s(p%b)(q%b)" "(g%b)(y%b)))", algorithm_name, params->p, params->q, params->g, pub); } nettle-3.10/sha3-384.c0000644000175000017500000000337714633602171013307 0ustar nissenisse/* sha3-384.c The sha3 hash function, 384 bit output. Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "sha3-internal.h" #include "nettle-write.h" void sha3_384_init (struct sha3_384_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_384_ctx, block)); } void sha3_384_update (struct sha3_384_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _nettle_sha3_update (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index, length, data); } void sha3_384_digest(struct sha3_384_ctx *ctx, size_t length, uint8_t *digest) { _sha3_pad_hash (&ctx->state, SHA3_384_BLOCK_SIZE, ctx->block, ctx->index); _nettle_write_le64 (length, digest, ctx->state.a); sha3_384_init (ctx); } nettle-3.10/rsa-md5-verify.c0000644000175000017500000000337414633602171014704 0ustar nissenisse/* rsa-md5-verify.c Verifying signatures created with RSA and MD5. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_md5_verify(const struct rsa_public_key *key, struct md5_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_md5_encode(m, key->size, hash) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_md5_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_md5_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-3.10/sha3-shake.c0000644000175000017500000000561514633602171014061 0ustar nissenisse/* sha3-shake.c Copyright (C) 2017, 2024 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. Copyright (C) 2024 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sha3.h" #include "sha3-internal.h" #include "nettle-write.h" void _nettle_sha3_shake (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned index, size_t length, uint8_t *dst) { _sha3_pad_shake (state, block_size, block, index); while (length > block_size) { sha3_permute (state); _nettle_write_le64 (block_size, dst, state->a); length -= block_size; dst += block_size; } sha3_permute (state); _nettle_write_le64 (length, dst, state->a); } unsigned _nettle_sha3_shake_output (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned index, size_t length, uint8_t *dst) { unsigned left; /* We use one's complement of the index value to indicate SHAKE is initialized. */ if (index < block_size) { /* This is the first call of _shake_output. */ _sha3_pad_shake (state, block_size, block, index); /* Point at the end of block to trigger fill in of the buffer. */ index = block_size; } else index = ~index; assert (index <= block_size); /* Write remaining data from the buffer. */ left = block_size - index; if (length <= left) { memcpy (dst, block + index, length); return ~(index + length); } else { memcpy (dst, block + index, left); length -= left; dst += left; } /* Write full blocks. */ while (length > block_size) { sha3_permute (state); _nettle_write_le64 (block_size, dst, state->a); length -= block_size; dst += block_size; } sha3_permute (state); /* Fill in the buffer for next call. */ _nettle_write_le64 (block_size, block, state->a); memcpy (dst, block, length); return ~length; } nettle-3.10/INSTALL0000644000175000017500000002231014633602172013007 0ustar nissenisseInstallation Instructions ************************* Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005, 2006 Free Software Foundation, Inc. This file is free documentation; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. Basic Installation ================== Briefly, the shell commands `./configure; make; make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. It may also create one or more `.h' files containing system-dependent definitions. Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, and a file `config.log' containing compiler output (useful mainly for debugging `configure'). It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves the results of its tests to speed up reconfiguring. Caching is disabled by default to prevent problems with accidental use of stale cache files. If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If you are using the cache, and at some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.ac' (or `configure.in') is used to create `configure' by a program called `autoconf'. You need `configure.ac' if you want to change it or regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for. 2. Type `make' to compile the package. 3. Optionally, type `make check' to run any self-tests that come with the package. 4. Type `make install' to install the programs and any data files and documentation. 5. You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. Compilers and Options ===================== Some systems require unusual options for compilation or linking that the `configure' script does not know about. Run `./configure --help' for details on some of the pertinent environment variables. You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example: ./configure CC=c99 CFLAGS=-g LIBS=-lposix *Note Defining Variables::, for more details. Compiling For Multiple Architectures ==================================== You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. To do this, you can use GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. With a non-GNU `make', it is safer to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture. Installation Names ================== By default, `make install' installs the package's commands under `/usr/local/bin', include files under `/usr/local/include', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PREFIX'. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. If you pass the option `--exec-prefix=PREFIX' to `configure', the package uses PREFIX as the prefix for installing programs and libraries. Documentation and other data files still use the regular prefix. In addition, if you use an unusual directory layout you can give options like `--bindir=DIR' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them. If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Optional Features ================= Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes. For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations. Specifying the System Type ========================== There may be some features `configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the _same_ architectures, `configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form: CPU-COMPANY-SYSTEM where SYSTEM can have one of these forms: OS KERNEL-OS See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should use the option `--target=TYPE' to select the type of system they will produce code for. If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will eventually be run) with `--host=TYPE'. Sharing Defaults ================ If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. A warning: not all `configure' scripts look for a site script. Defining Variables ================== Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set them in the `configure' command line, using `VAR=value'. For example: ./configure CC=/usr/local2/bin/gcc causes the specified `gcc' to be used as the C compiler (unless it is overridden in the site shell script). Unfortunately, this technique does not work for `CONFIG_SHELL' due to an Autoconf bug. Until the bug is fixed you can use this workaround: CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash `configure' Invocation ====================== `configure' recognizes the following options to control how it operates. `--help' `-h' Print a summary of the options to `configure', and exit. `--version' `-V' Print the version of Autoconf used to generate the `configure' script, and exit. `--cache-file=FILE' Enable the cache: use and save the results of the tests in FILE, traditionally `config.cache'. FILE defaults to `/dev/null' to disable caching. `--config-cache' `-C' Alias for `--cache-file=config.cache'. `--quiet' `--silent' `-q' Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown). `--srcdir=DIR' Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically. `configure' also accepts some other, not widely useful, options. Run `configure --help' for more details. nettle-3.10/ecc-secp192r1.c0000644000175000017500000002077414633602171014316 0ustar nissenisse/* ecc-secp192r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014, 2019, 2021 Niels Möller Copyright (C) 2019 Wim Lewis This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-secp192r1.h" #if HAVE_NATIVE_ecc_secp192r1_modp #define ecc_secp192r1_modp _nettle_ecc_secp192r1_modp void ecc_secp192r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); /* Use that p = 2^{192} - 2^64 - 1, to eliminate 128 bits at a time. */ #elif GMP_NUMB_BITS == 32 /* p is 6 limbs, p = B^6 - B^2 - 1 */ static void ecc_secp192r1_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t cy; /* Reduce from 12 to 9 limbs (top limb small)*/ cy = mpn_add_n (xp + 2, xp + 2, xp + 8, 4); cy = sec_add_1 (xp + 6, xp + 6, 2, cy); cy += mpn_add_n (xp + 4, xp + 4, xp + 8, 4); assert (cy <= 2); xp[8] = cy; /* Reduce from 9 to 6 limbs */ cy = mpn_add_n (xp, xp, xp + 6, 3); cy = sec_add_1 (xp + 3, xp + 3, 2, cy); cy += mpn_add_n (xp + 2, xp + 2, xp + 6, 3); cy = sec_add_1 (xp + 5, xp + 5, 1, cy); assert (cy <= 1); cy = mpn_cnd_add_n (cy, rp, xp, ecc_Bmodp, 6); assert (cy == 0); } #elif GMP_NUMB_BITS == 64 /* p is 3 limbs, p = B^3 - B - 1 */ static void ecc_secp192r1_modp (const struct ecc_modulo *m UNUSED, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t cy; /* Reduce from 6 to 5 limbs (top limb small)*/ cy = mpn_add_n (xp + 1, xp + 1, xp + 4, 2); cy = sec_add_1 (xp + 3, xp + 3, 1, cy); cy += mpn_add_n (xp + 2, xp + 2, xp + 4, 2); assert_maybe (cy <= 2); xp[4] = cy; /* Reduce from 5 to 4 limbs (high limb small) */ cy = mpn_add_n (xp, xp, xp + 3, 2); cy = sec_add_1 (xp + 2, xp + 2, 1, cy); cy += mpn_add_n (xp + 1, xp + 1, xp + 3, 2); assert_maybe (cy <= 1); cy = mpn_cnd_add_n (cy, rp, xp, ecc_Bmodp, 3); assert_maybe (cy == 0); } #else #define ecc_secp192r1_modp ecc_mod #endif #define ECC_SECP192R1_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_secp192r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define a62m1 scratch #define t0 (scratch + ECC_LIMB_SIZE) #define tp (scratch + 2*ECC_LIMB_SIZE) /* Addition chain p - 2 = 2^{192} - 2^{64} - 3 = 1 + 2^{192} - 2^{64} - 4 = 1 + 2^2 (2^{190} - 2^{62} - 1) = 1 + 2^2 (2^{62} - 1 + 2^{190} - 2^63) = 1 + 2^2 (2^{62} - 1 + 2^{63}(2^{127} - 1)) = 1 + 2^2 (2^{62} - 1 + 2^{63}(1 + 2 (2^{126} - 1))) = 1 + 2^2 (2^{62} - 1 + 2^{63}(1 + 2 (2^{63} + 1)(2^{63} - 1))) = 1 + 2^2 (2^{62} - 1 + 2^{63}(1 + 2 (2^{63} + 1)(1 + 2(2^{62} - 1)))) 2^{62} - 1 = (2^{31}+1)(2^{31}-1) = (2^{31}+1)(1 + 2(2^{30} - 1)) = (2^{31}+1)(1 + 2(2^{15}+1)(2^15-1)) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^{14}-1)))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(2^7-1)))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(1+2(2^3+1)(2^3-1))))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(1+2(2^3+1)(1 + 2 (2+1)))))) This addition chain needs 191 squarings and 14 multiplies. Could be improved sligthly as: a^7 = 1 + 2 * (2 + 1) 2^{62} - 1 = (2^{31}+1)(2^{31}-1) = (2^{31}+1)(1 + 2(2^{30} - 1)) = (2^{31}+1)(1 + 2(2^{15}+1)(2^15-1)) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^{14}-1)))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(2^7-1)))) = (2^{31}+1)(1 + 2(2^{15}+1)(1 + 2(1 + (2^7+1)(1+2(2^3+1)(2^3-1))))) 2^{65} - 1 = 2^3 (2^{62} - 1) + 2^3 - 1 2^{127} - 1 = 2^{62} (2^{65} - 1) + 2^{62} - 1 p - 2 = 1 + 2^2 (2^{62} - 1 + 2^{63}(2^{127} - 1)) This needs 191 squarings and 13 multiplies, i.e., saving one multiply, at the cost of additional temporary storage for a^7. */ ecc_mod_sqr (p, rp, ap, tp); /* a^2 */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^3 */ ecc_mod_sqr (p, rp, rp, tp); /* a^6 */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^3-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 3, tp); /* a^{2^6-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^7-2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^7-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 7, tp); /* a^{2^14-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^15-2} */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^15-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 15, tp); /* a^{2^30-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^31-2} */ ecc_mod_mul (p, rp, ap, rp, tp); /* a^{2^31-1} */ ecc_mod_pow_2kp1 (p, a62m1, rp, 31, tp); /* a^{2^62-1} Overlaps t0 */ ecc_mod_sqr (p, rp, a62m1, tp); /* a^{2^63-2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^63-1} */ ecc_mod_pow_2kp1 (p, t0, rp, 63, tp); /* a^{2^126-1} */ ecc_mod_sqr (p, rp, t0, tp); /* a^{2^127-2} */ ecc_mod_mul (p, rp, rp, ap, tp); /* a^{2^127-1} Clobbers t1 */ ecc_mod_pow_2k_mul (p, rp, rp, 63, a62m1, tp); /* a^{2^190 - 2^62 - 1} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^191 - 2^63 - 2} */ ecc_mod_sqr (p, rp, rp, tp); /* a^{2^192 - 2^64 - 4} */ ecc_mod_mul (p, rp, rp, ap, tp); #undef a62m1 #undef t0 #undef tp } /* To guarantee that inputs to ecc_mod_zero_p are in the required range. */ #if ECC_LIMB_SIZE * GMP_NUMB_BITS != 192 #error Unsupported limb size #endif #define ECC_SECP192R1_SQRT_ITCH (3*ECC_LIMB_SIZE) static int ecc_secp192r1_sqrt (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *cp, mp_limb_t *scratch) { /* This computes the square root modulo p192 using the identity: sqrt(c) = c^(2^190 - 2^62) (mod P-192) which can be seen as a special case of Tonelli-Shanks with e=1. */ /* We need one t0 (and use clobbering rp) and scratch space for mul and sqr. */ #define t0 scratch #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_sqr(p, rp, cp, tp); /* c^2 */ ecc_mod_mul(p, rp, rp, cp, tp); /* c^3 */ ecc_mod_pow_2kp1(p, t0, rp, 2, tp); /* c^(2^4 - 1) */ ecc_mod_pow_2kp1(p, rp, t0, 4, tp); /* c^(2^8 - 1) */ ecc_mod_pow_2kp1(p, t0, rp, 8, tp); /* c^(2^16 - 1) */ ecc_mod_pow_2kp1(p, rp, t0, 16, tp); /* c^(2^32 - 1) */ ecc_mod_pow_2kp1(p, t0, rp, 32, tp); /* c^(2^64 - 1) */ ecc_mod_pow_2kp1(p, rp, t0, 64, tp); /* c^(2^128 - 1) */ ecc_mod_pow_2k (p, rp, rp, 62, tp); /* c^(2^190 - 2^62) */ /* Check that input was a square, R^2 = C, for non-squares we'd get R^2 = -C. */ ecc_mod_sqr(p, t0, rp, tp); ecc_mod_sub(p, t0, t0, cp); return ecc_mod_zero_p (p, t0); #undef t0 #undef tp } const struct ecc_curve _nettle_secp_192r1 = { { 192, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_SECP192R1_INV_ITCH, ECC_SECP192R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp192r1_modp, ecc_secp192r1_modp, ecc_secp192r1_inv, ecc_secp192r1_sqrt, NULL, }, { 192, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP192R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_192r1(void) { return &_nettle_secp_192r1; } nettle-3.10/gcm-camellia256.c0000644000175000017500000000402014633602171014667 0ustar nissenisse/* gcm-camellia256.c Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, camellia256_set_encrypt_key, camellia256_crypt, key); } void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_camellia256_update (struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, camellia256_crypt, length, dst, src); } void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, camellia256_crypt, length, dst, src); } void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, camellia256_crypt, length, digest); } nettle-3.10/md5.h0000644000175000017500000000442514633602172012623 0ustar nissenisse/* md5.h The MD5 hash function, described in RFC 1321. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD5_H_INCLUDED #define NETTLE_MD5_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define md5_init nettle_md5_init #define md5_update nettle_md5_update #define md5_digest nettle_md5_digest #define md5_compress nettle_md5_compress #define MD5_DIGEST_SIZE 16 #define MD5_BLOCK_SIZE 64 /* For backwards compatibility */ #define MD5_DATA_SIZE MD5_BLOCK_SIZE /* Digest is kept internally as 4 32-bit words. */ #define _MD5_DIGEST_LENGTH 4 struct md5_ctx { uint32_t state[_MD5_DIGEST_LENGTH]; uint64_t count; /* Block count */ unsigned index; /* Into buffer */ uint8_t block[MD5_BLOCK_SIZE]; /* Block buffer */ }; void md5_init(struct md5_ctx *ctx); void md5_update(struct md5_ctx *ctx, size_t length, const uint8_t *data); void md5_digest(struct md5_ctx *ctx, size_t length, uint8_t *digest); /* MD5 compression function. STATE points to 4 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void md5_compress(uint32_t *state, const uint8_t *data); /* Old name, for backwards compatibility. */ #define _nettle_md5_compress nettle_md5_compress #ifdef __cplusplus } #endif #endif /* NETTLE_MD5_H_INCLUDED */ nettle-3.10/umac-poly64.c0000644000175000017500000000365614633602171014215 0ustar nissenisse/* umac-poly64.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "umac-internal.h" static uint64_t poly64_mul (uint32_t kh, uint32_t kl, uint64_t y) { uint64_t yl, yh, pl, ph, ml, mh; yl = y & 0xffffffff; yh = y >> 32; pl = yl * kl; ph = yh * kh; ml = yh * kl + yl * kh; /* No overflow, thanks to special form */ mh = ml >> 32; ml <<= 32; pl += ml; ph += mh + (pl < ml); /* Reduce, using 2^64 = UMAC_P64_OFFSET (mod p) */ assert (ph < ((uint64_t) 1 << 57)); ph *= UMAC_P64_OFFSET; pl += ph; if (pl < ph) pl += UMAC_P64_OFFSET; return pl; } uint64_t _nettle_umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m) { if ( (m >> 32) == 0xffffffff) { y = poly64_mul (kh, kl, y); if (y == 0) y = UMAC_P64 - 1; else y--; m -= UMAC_P64_OFFSET; } y = poly64_mul (kh, kl, y); y += m; if (y < m) y += UMAC_P64_OFFSET; return y; } nettle-3.10/serpent-meta.c0000644000175000017500000000320214633602171014524 0ustar nissenisse/* serpent-meta.c Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "serpent.h" #define SERPENT(bits) { \ "serpent" #bits, \ sizeof(struct serpent_ctx), \ SERPENT_BLOCK_SIZE, \ SERPENT ## bits ##_KEY_SIZE, \ (nettle_set_key_func *) serpent ## bits ## _set_key, \ (nettle_set_key_func *) serpent ## bits ## _set_key, \ (nettle_cipher_func *) serpent_encrypt, \ (nettle_cipher_func *) serpent_decrypt \ } const struct nettle_cipher nettle_serpent128 = SERPENT(128); const struct nettle_cipher nettle_serpent192 = SERPENT(192); const struct nettle_cipher nettle_serpent256 = SERPENT(256); nettle-3.10/configure0000755000175000017500000103612614633602172013700 0ustar nissenisse#! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.71 for nettle 3.10. # # Report bugs to . # # # Copyright (C) 1992-1996, 1998-2017, 2020-2021 Free Software Foundation, # Inc. # # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh as_nop=: if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else $as_nop case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi # Reset variables that may have inherited troublesome values from # the environment. # IFS needs to be set, to space, tab, and newline, in precisely that order. # (If _AS_PATH_WALK were called with IFS unset, it would have the # side effect of setting IFS to empty, thus disabling word splitting.) # Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl IFS=" "" $as_nl" PS1='$ ' PS2='> ' PS4='+ ' # Ensure predictable behavior from utilities with locale-dependent output. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # We cannot yet rely on "unset" to work, but we need these variables # to be unset--not just set to an empty or harmless value--now, to # avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct # also avoids known problems related to "unset" and subshell syntax # in other old shells (e.g. bash 2.01 and pdksh 5.2.14). for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH do eval test \${$as_var+y} \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done # Ensure that fds 0, 1, and 2 are open. if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi if (exec 3>&2) ; then :; else exec 2>/dev/null; fi # The user is always right. if ${PATH_SEPARATOR+false} :; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac test -r "$as_dir$0" && as_myself=$as_dir$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Use a proper internal environment variable to ensure we don't fall # into an infinite loop, continuously re-executing ourselves. if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then _as_can_reexec=no; export _as_can_reexec; # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi # We don't want this to propagate to other subprocesses. { _as_can_reexec=; unset _as_can_reexec;} if test "x$CONFIG_SHELL" = x; then as_bourne_compatible="as_nop=: if test \${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which # is contrary to our usage. Disable this feature. alias -g '\${1+\"\$@\"}'='\"\$@\"' setopt NO_GLOB_SUBST else \$as_nop case \`(set -o) 2>/dev/null\` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi " as_required="as_fn_return () { (exit \$1); } as_fn_success () { as_fn_return 0; } as_fn_failure () { as_fn_return 1; } as_fn_ret_success () { return 0; } as_fn_ret_failure () { return 1; } exitcode=0 as_fn_success || { exitcode=1; echo as_fn_success failed.; } as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } if ( set x; as_fn_ret_success y && test x = \"\$1\" ) then : else \$as_nop exitcode=1; echo positional parameters were not saved. fi test x\$exitcode = x0 || exit 1 blah=\$(echo \$(echo blah)) test x\"\$blah\" = xblah || exit 1 test -x / || exit 1" as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 test \$(( 1 + 1 )) = 2 || exit 1" if (eval "$as_required") 2>/dev/null then : as_have_required=yes else $as_nop as_have_required=no fi if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null then : else $as_nop as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac as_found=: case $as_dir in #( /*) for as_base in sh bash ksh sh5; do # Try only shells that exist, to save several forks. as_shell=$as_dir$as_base if { test -f "$as_shell" || test -f "$as_shell.exe"; } && as_run=a "$as_shell" -c "$as_bourne_compatible""$as_required" 2>/dev/null then : CONFIG_SHELL=$as_shell as_have_required=yes if as_run=a "$as_shell" -c "$as_bourne_compatible""$as_suggested" 2>/dev/null then : break 2 fi fi done;; esac as_found=false done IFS=$as_save_IFS if $as_found then : else $as_nop if { test -f "$SHELL" || test -f "$SHELL.exe"; } && as_run=a "$SHELL" -c "$as_bourne_compatible""$as_required" 2>/dev/null then : CONFIG_SHELL=$SHELL as_have_required=yes fi fi if test "x$CONFIG_SHELL" != x then : export CONFIG_SHELL # We cannot yet assume a decent shell, so we have to provide a # neutralization value for shells without unset; and this also # works around shells that cannot unset nonexistent variables. # Preserve -v and -x to the replacement shell. BASH_ENV=/dev/null ENV=/dev/null (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV case $- in # (((( *v*x* | *x*v* ) as_opts=-vx ;; *v* ) as_opts=-v ;; *x* ) as_opts=-x ;; * ) as_opts= ;; esac exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} # Admittedly, this is quite paranoid, since all the known shells bail # out after a failed `exec'. printf "%s\n" "$0: could not re-execute with $CONFIG_SHELL" >&2 exit 255 fi if test x$as_have_required = xno then : printf "%s\n" "$0: This script requires a shell more modern than all" printf "%s\n" "$0: the shells that I found on your system." if test ${ZSH_VERSION+y} ; then printf "%s\n" "$0: In particular, zsh $ZSH_VERSION has bugs and should" printf "%s\n" "$0: be upgraded to zsh 4.3.4 or later." else printf "%s\n" "$0: Please tell bug-autoconf@gnu.org and $0: nettle-bugs@lists.lysator.liu.se about your system, $0: including any error possibly output before this $0: message. Then install a modern shell, or manually run $0: the script under such a shell if you do have one." fi exit 1 fi fi fi SHELL=${CONFIG_SHELL-/bin/sh} export SHELL # Unset more variables known to interfere with behavior of common tools. CLICOLOR_FORCE= GREP_OPTIONS= unset CLICOLOR_FORCE GREP_OPTIONS ## --------------------- ## ## M4sh Shell Functions. ## ## --------------------- ## # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_nop # --------- # Do nothing but, unlike ":", preserve the value of $?. as_fn_nop () { return $? } as_nop=as_fn_nop # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null then : eval 'as_fn_append () { eval $1+=\$2 }' else $as_nop as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null then : eval 'as_fn_arith () { as_val=$(( $* )) }' else $as_nop as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith # as_fn_nop # --------- # Do nothing but, unlike ":", preserve the value of $?. as_fn_nop () { return $? } as_nop=as_fn_nop # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi printf "%s\n" "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits as_lineno_1=$LINENO as_lineno_1a=$LINENO as_lineno_2=$LINENO as_lineno_2a=$LINENO eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) sed -n ' p /[$]LINENO/= ' <$as_myself | sed ' s/[$]LINENO.*/&-/ t lineno b :lineno N :loop s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ t loop s/-\n.*// ' >$as_me.lineno && chmod +x "$as_me.lineno" || { printf "%s\n" "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } # If we had to re-execute with $CONFIG_SHELL, we're ensured to have # already done that, so ensure we don't try to do so again and fall # in an infinite loop. This has already happened in practice. _as_can_reexec=no; export _as_can_reexec # Don't try to exec as it changes $[0], causing all sort of problems # (the dirname of $[0] is not the place where we might find the # original and so on. Autoconf is especially sensitive to this). . "./$as_me.lineno" # Exit status is that of the last command. exit } # Determine whether it's possible to make 'echo' print without a newline. # These variables are no longer used directly by Autoconf, but are AC_SUBSTed # for compatibility with existing Makefiles. ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac # For backward compatibility with old third-party macros, we provide # the shell variables $as_echo and $as_echo_n. New code should use # AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively. as_echo='printf %s\n' as_echo_n='printf %s' rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, # so uname gets run too. ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` # # Initializations. # ac_default_prefix=/usr/local ac_clean_files= ac_config_libobj_dir=. LIBOBJS= cross_compiling=no subdirs= MFLAGS= MAKEFLAGS= # Identity of this package. PACKAGE_NAME='nettle' PACKAGE_TARNAME='nettle' PACKAGE_VERSION='3.10' PACKAGE_STRING='nettle 3.10' PACKAGE_BUGREPORT='nettle-bugs@lists.lysator.liu.se' PACKAGE_URL='' ac_unique_file="nettle-types.h" # Factoring default headers for most tests. ac_includes_default="\ #include #ifdef HAVE_STDIO_H # include #endif #ifdef HAVE_STDLIB_H # include #endif #ifdef HAVE_STRING_H # include #endif #ifdef HAVE_INTTYPES_H # include #endif #ifdef HAVE_STDINT_H # include #endif #ifdef HAVE_STRINGS_H # include #endif #ifdef HAVE_SYS_TYPES_H # include #endif #ifdef HAVE_SYS_STAT_H # include #endif #ifdef HAVE_UNISTD_H # include #endif" ac_header_c_list= ac_subst_vars='LTLIBOBJS LIBOBJS BENCH_LIBS OPENSSL_LIBFLAGS IF_MINI_GMP IF_DLL IF_DOCUMENTATION IF_DLOPEN_TEST IF_NOT_SHARED IF_SHARED IF_STATIC IF_HOGWEED MAKEINFO M4 LIBHOGWEED_LIBS LIBHOGWEED_LINK LIBHOGWEED_FILE_SRC LIBHOGWEED_FILE LIBHOGWEED_SONAME LIBHOGWEED_FORLINK LIBHOGWEED_MINOR LIBHOGWEED_MAJOR LIBNETTLE_LIBS LIBNETTLE_LINK LIBNETTLE_FILE_SRC LIBNETTLE_FILE LIBNETTLE_SONAME LIBNETTLE_FORLINK LIBNETTLE_MINOR LIBNETTLE_MAJOR ASM_X86_MARK_CET_ALIGN ASM_X86_MARK_CET ASM_X86_ENDBR EMULATOR ASM_WORDS_BIGENDIAN W64_ABI ELFV2_ABI ASM_ALIGN_LOG ASM_MARK_NOEXEC_STACK ASM_TYPE_PROGBITS ASM_TYPE_FUNCTION ASM_COFF_STYLE ASM_ELF_STYLE ASM_SYMBOL_PREFIX CCPIC ASM_PPC_WANT_R_REGISTERS IF_ASM ASM_RODATA FAT_TEST_LIST OPT_NETTLE_SOURCES OPT_HOGWEED_OBJS OPT_NETTLE_OBJS GMP_NUMB_BITS NUMB_BITS ALLOCA EGREP GREP CPP DEP_PROCESS DEP_FLAGS IF_VALGRIND EXEEXT_FOR_BUILD CC_FOR_BUILD LN_S MKDIR_P INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM AR OBJDUMP NM RANLIB SET_MAKE EXTRA_HOGWEED_LINKER_FLAGS EXTRA_LINKER_FLAGS IF_CXX ac_ct_CXX CXXFLAGS CXX OBJEXT EXEEXT ac_ct_CC CPPFLAGS LDFLAGS CFLAGS CC HOGWEED_EXTRA_SYMBOLS NETTLE_USE_MINI_GMP ASM_FLAGS host_os host_vendor host_cpu host build_os build_vendor build_cpu build MINOR_VERSION MAJOR_VERSION target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir runstatedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL' ac_subst_files='' ac_user_opts=' enable_option_checking with_include_path with_lib_path enable_public_key enable_assembler enable_static enable_shared enable_pic enable_openssl enable_gcov enable_documentation enable_fat enable_arm_neon enable_arm64_crypto enable_x86_aesni enable_x86_sha_ni enable_x86_pclmul enable_power_crypto_ext enable_power_altivec enable_power9 enable_s390x_vf enable_s390x_msa enable_extra_asserts enable_mini_gmp enable_ld_version_script enable_dependency_tracking ' ac_precious_vars='build_alias host_alias target_alias ASM_FLAGS CC CFLAGS LDFLAGS LIBS CPPFLAGS CXX CXXFLAGS CCC CC_FOR_BUILD CPP' # Initialize some variables set by options. ac_init_help= ac_init_version=false ac_unrecognized_opts= ac_unrecognized_sep= # The variables have the same names as the options, with # dashes changed to underlines. cache_file=/dev/null exec_prefix=NONE no_create= no_recursion= prefix=NONE program_prefix=NONE program_suffix=NONE program_transform_name=s,x,x, silent= site= srcdir= verbose= x_includes=NONE x_libraries=NONE # Installation directory options. # These are left unexpanded so users can "make install exec_prefix=/foo" # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. # (The list follows the same order as the GNU Coding Standards.) bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' runstatedir='${localstatedir}/run' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: \`$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: \`$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | --program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -runstatedir | --runstatedir | --runstatedi | --runstated \ | --runstate | --runstat | --runsta | --runst | --runs \ | --run | --ru | --r) ac_prev=runstatedir ;; -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ | --run=* | --ru=* | --r=*) runstatedir=$ac_optarg ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | --targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: \`$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: \`$ac_useropt'" ac_useropt_orig=$ac_useropt ac_useropt=`printf "%s\n" "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: \`$ac_option' Try \`$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. printf "%s\n" "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && printf "%s\n" "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir runstatedir do eval ac_val=\$$ac_var # Remove trailing slashes. case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: `$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! -r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF \`configure' configures nettle 3.10 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print \`checking ...' messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for \`--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or \`..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, \`make install' will install all the files in \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify an installation prefix other than \`$ac_default_prefix' using \`--prefix', for instance \`--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/nettle] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF System types: --build=BUILD configure for building on BUILD [guessed] --host=HOST cross-compile to build programs to run on HOST [BUILD] _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of nettle 3.10:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-public-key Disable public key algorithms --disable-assembler Disable assembler code --disable-static Do not build any static library --disable-shared Do not build any shared library --disable-pic Do not try to compile library files as position independent code --disable-openssl Do not include openssl glue in the benchmark program --enable-gcov Instrument for gcov (requires a modern gcc) --disable-documentation Omit building and installing the documentation. (default=auto) --disable-fat Disable fat library build --enable-arm-neon Enable ARM Neon assembly. (default=auto) --enable-arm64-crypto Enable Arm64 crypto extension. (default=no) --enable-x86-aesni Enable x86_64 aes instructions. (default=no) --enable-x86-sha-ni Enable x86_64 sha_ni instructions. (default=no) --enable-x86-pclmul Enable x86_64 pclmulqdq instructions. (default=no) --enable-power-crypto-ext Enable POWER crypto extensions. (default=no) --enable-power-altivec Enable POWER altivec and vsx extensions. (default=no) --enable-power9 Enable POWER ISA v3.0. (default=no) --enable-s390x-vf Enable vector facility on z/Architecture. (default=no) --enable-s390x-msa Enable message-security assist extensions on z/Architecture. (default=no) --enable-extra-asserts Enable additional asserts in ECC code (incompatible side-channel tests) --enable-mini-gmp Enable mini-gmp, used instead of libgmp. --enable-ld-version-script enable linker version script (default is enabled when possible) --disable-dependency-tracking Disable dependency tracking. Dependency tracking doesn't work with BSD make Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --with-include-path A colon-separated list of directories to search for include files --with-lib-path A colon-separated list of directories to search for libraries Some influential environment variables: ASM_FLAGS Extra flags for processing assembly source files CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory CXX C++ compiler command CXXFLAGS C++ compiler flags CC_FOR_BUILD build system C compiler CPP C preprocessor Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to . _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for configure.gnu first; this name is used for a wrapper for # Metaconfig's "Configure" on case-insensitive file systems. if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else printf "%s\n" "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF nettle configure 3.10 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. ## ## ------------------------ ## # ac_fn_c_try_compile LINENO # -------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest.beam if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext then : ac_retval=0 else $as_nop printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_compile # ac_fn_c_try_link LINENO # ----------------------- # Try to link conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_link () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest.beam conftest$ac_exeext if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_c_werror_flag" || test ! -s conftest.err } && test -s conftest$ac_exeext && { test "$cross_compiling" = yes || test -x conftest$ac_exeext } then : ac_retval=0 else $as_nop printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would # interfere with the next link command; also delete a directory that is # left behind by Apple's compiler. We do this before executing the actions. rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_link # ac_fn_cxx_try_compile LINENO # ---------------------------- # Try to compile conftest.$ac_ext, and return whether this succeeded. ac_fn_cxx_try_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack rm -f conftest.$ac_objext conftest.beam if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { test -z "$ac_cxx_werror_flag" || test ! -s conftest.err } && test -s conftest.$ac_objext then : ac_retval=0 else $as_nop printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_cxx_try_compile # ac_fn_c_try_cpp LINENO # ---------------------- # Try to preprocess conftest.$ac_ext, and return whether this succeeded. ac_fn_c_try_cpp () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_cpp conftest.$ac_ext" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err ac_status=$? if test -s conftest.err; then grep -v '^ *+' conftest.err >conftest.er1 cat conftest.er1 >&5 mv -f conftest.er1 conftest.err fi printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } > conftest.i && { test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || test ! -s conftest.err } then : ac_retval=0 else $as_nop printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_cpp # ac_fn_c_check_type LINENO TYPE VAR INCLUDES # ------------------------------------------- # Tests whether TYPE exists after having included INCLUDES, setting cache # variable VAR accordingly. ac_fn_c_check_type () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else $as_nop eval "$3=no" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { if (sizeof ($2)) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { if (sizeof (($2))) return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else $as_nop eval "$3=yes" fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_type # ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES # ------------------------------------------------------- # Tests whether HEADER exists and can be compiled using the include files in # INCLUDES, setting the cache variable VAR accordingly. ac_fn_c_check_header_compile () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 #include <$2> _ACEOF if ac_fn_c_try_compile "$LINENO" then : eval "$3=yes" else $as_nop eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_header_compile # ac_fn_c_try_run LINENO # ---------------------- # Try to run conftest.$ac_ext, and return whether this succeeded. Assumes that # executables *can* be run. ac_fn_c_try_run () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; } then : ac_retval=0 else $as_nop printf "%s\n" "$as_me: program exited with status $ac_status" >&5 printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=$ac_status fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno as_fn_set_status $ac_retval } # ac_fn_c_try_run # ac_fn_c_compute_int LINENO EXPR VAR INCLUDES # -------------------------------------------- # Tries to find the compile-time value of EXPR in a program that includes # INCLUDES, setting VAR accordingly. Returns whether the value could be # computed ac_fn_c_compute_int () { as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) >= 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_lo=0 ac_mid=0 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_hi=$ac_mid; break else $as_nop as_fn_arith $ac_mid + 1 && ac_lo=$as_val if test $ac_lo -le $ac_mid; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid + 1 && ac_mid=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext done else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) < 0)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_hi=-1 ac_mid=-1 while :; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) >= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_lo=$ac_mid; break else $as_nop as_fn_arith '(' $ac_mid ')' - 1 && ac_hi=$as_val if test $ac_mid -le $ac_hi; then ac_lo= ac_hi= break fi as_fn_arith 2 '*' $ac_mid && ac_mid=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext done else $as_nop ac_lo= ac_hi= fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext # Binary search between lo and hi bounds. while test "x$ac_lo" != "x$ac_hi"; do as_fn_arith '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo && ac_mid=$as_val cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 int main (void) { static int test_array [1 - 2 * !(($2) <= $ac_mid)]; test_array [0] = 0; return test_array [0]; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_hi=$ac_mid else $as_nop as_fn_arith '(' $ac_mid ')' + 1 && ac_lo=$as_val fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext done case $ac_lo in #(( ?*) eval "$3=\$ac_lo"; ac_retval=0 ;; '') ac_retval=1 ;; esac else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $4 static long int longval (void) { return $2; } static unsigned long int ulongval (void) { return $2; } #include #include int main (void) { FILE *f = fopen ("conftest.val", "w"); if (! f) return 1; if (($2) < 0) { long int i = longval (); if (i != ($2)) return 1; fprintf (f, "%ld", i); } else { unsigned long int i = ulongval (); if (i != ($2)) return 1; fprintf (f, "%lu", i); } /* Do not output a trailing newline, as this causes \r\n confusion on some platforms. */ return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : echo >>conftest.val; read $3 &5 printf %s "checking for $2... " >&6; } if eval test \${$3+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Define $2 to an innocuous variant, in case declares $2. For example, HP-UX 11i declares gettimeofday. */ #define $2 innocuous_$2 /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $2 (); below. */ #include #undef $2 /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ #ifdef __cplusplus extern "C" #endif char $2 (); /* The GNU C library defines this for functions which it implements to always fail with ENOSYS. Some functions are actually named something starting with __ and the normal name is an alias. */ #if defined __stub_$2 || defined __stub___$2 choke me #endif int main (void) { return $2 (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : eval "$3=yes" else $as_nop eval "$3=no" fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext fi eval ac_res=\$$3 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 printf "%s\n" "$ac_res" >&6; } eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno } # ac_fn_c_check_func ac_configure_args_raw= for ac_arg do case $ac_arg in *\'*) ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append ac_configure_args_raw " '$ac_arg'" done case $ac_configure_args_raw in *$as_nl*) ac_safe_unquote= ;; *) ac_unsafe_z='|&;<>()$`\\"*?[ '' ' # This string ends in space, tab. ac_unsafe_a="$ac_unsafe_z#~" ac_safe_unquote="s/ '\\([^$ac_unsafe_a][^$ac_unsafe_z]*\\)'/ \\1/g" ac_configure_args_raw=` printf "%s\n" "$ac_configure_args_raw" | sed "$ac_safe_unquote"`;; esac cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by nettle $as_me 3.10, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform. ## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac printf "%s\n" "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. ac_configure_args= ac_configure_args0= ac_configure_args1= ac_must_keep_next=false for ac_pass in 1 2 do for ac_arg do case $ac_arg in -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) ac_arg=`printf "%s\n" "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else case $ac_arg in *=* | --config-cache | -C | -disable-* | --disable-* \ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | -with-* | --with-* | -without-* | --without-* | --x) case "$ac_configure_args0 " in "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; esac ;; -* ) ac_must_keep_next=true ;; esac fi as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done { ac_configure_args0=; unset ac_configure_args0;} { ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. # WARNING: Use '\'' to represent an apostrophe within the trap. # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Sanitize IFS. IFS=" "" $as_nl" # Save into config.log some information that might help in debugging. { echo printf "%s\n" "## ---------------- ## ## Cache variables. ## ## ---------------- ##" echo # The following way of writing the cache mishandles newlines in values, ( for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( *${as_nl}ac_space=\ *) sed -n \ "s/'\''/'\''\\\\'\'''\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" ;; #( *) sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) echo printf "%s\n" "## ----------------- ## ## Output variables. ## ## ----------------- ##" echo for ac_var in $ac_subst_vars do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac printf "%s\n" "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then printf "%s\n" "## ------------------- ## ## File substitutions. ## ## ------------------- ##" echo for ac_var in $ac_subst_files do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`printf "%s\n" "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac printf "%s\n" "$ac_var='\''$ac_val'\''" done | sort echo fi if test -s confdefs.h; then printf "%s\n" "## ----------- ## ## confdefs.h. ## ## ----------- ##" echo cat confdefs.h echo fi test "$ac_signal" != 0 && printf "%s\n" "$as_me: caught signal $ac_signal" printf "%s\n" "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status ' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h printf "%s\n" "/* confdefs.h */" > confdefs.h # Predefined preprocessor variables. printf "%s\n" "#define PACKAGE_NAME \"$PACKAGE_NAME\"" >>confdefs.h printf "%s\n" "#define PACKAGE_TARNAME \"$PACKAGE_TARNAME\"" >>confdefs.h printf "%s\n" "#define PACKAGE_VERSION \"$PACKAGE_VERSION\"" >>confdefs.h printf "%s\n" "#define PACKAGE_STRING \"$PACKAGE_STRING\"" >>confdefs.h printf "%s\n" "#define PACKAGE_BUGREPORT \"$PACKAGE_BUGREPORT\"" >>confdefs.h printf "%s\n" "#define PACKAGE_URL \"$PACKAGE_URL\"" >>confdefs.h # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. if test -n "$CONFIG_SITE"; then ac_site_files="$CONFIG_SITE" elif test "x$prefix" != xNONE; then ac_site_files="$prefix/share/config.site $prefix/etc/config.site" else ac_site_files="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" fi for ac_site_file in $ac_site_files do case $ac_site_file in #( */*) : ;; #( *) : ac_site_file=./$ac_site_file ;; esac if test -f "$ac_site_file" && test -r "$ac_site_file"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 printf "%s\n" "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . "$ac_site_file" \ || { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file See \`config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files # actually), so we avoid doing that. DJGPP emulates it as a regular file. if test /dev/null != "$cache_file" && test -f "$cache_file"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 printf "%s\n" "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 printf "%s\n" "$as_me: creating cache $cache_file" >&6;} >$cache_file fi # Test code for whether the C compiler supports C89 (global declarations) ac_c_conftest_c89_globals=' /* Does the compiler advertise C89 conformance? Do not test the value of __STDC__, because some compilers set it to 0 while being otherwise adequately conformant. */ #if !defined __STDC__ # error "Compiler does not advertise C89 conformance" #endif #include #include struct stat; /* Most of the following tests are stolen from RCS 5.7 src/conf.sh. */ struct buf { int x; }; struct buf * (*rcsopen) (struct buf *, struct stat *, int); static char *e (p, i) char **p; int i; { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not \xHH hex character constants. These do not provoke an error unfortunately, instead are silently treated as an "x". The following induces an error, until -std is added to get proper ANSI mode. Curiously \x00 != x always comes out true, for an array size at least. It is necessary to write \x00 == 0 to get something that is true only with -std. */ int osf4_cc_array ['\''\x00'\'' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) '\''x'\'' int xlc6_cc_array[FOO(a) == '\''x'\'' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, int *(*)(struct buf *, struct stat *, int), int, int);' # Test code for whether the C compiler supports C89 (body of main). ac_c_conftest_c89_main=' ok |= (argc == 0 || f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]); ' # Test code for whether the C compiler supports C99 (global declarations) ac_c_conftest_c99_globals=' // Does the compiler advertise C99 conformance? #if !defined __STDC_VERSION__ || __STDC_VERSION__ < 199901L # error "Compiler does not advertise C99 conformance" #endif #include extern int puts (const char *); extern int printf (const char *, ...); extern int dprintf (int, const char *, ...); extern void *malloc (size_t); // Check varargs macros. These examples are taken from C99 6.10.3.5. // dprintf is used instead of fprintf to avoid needing to declare // FILE and stderr. #define debug(...) dprintf (2, __VA_ARGS__) #define showlist(...) puts (#__VA_ARGS__) #define report(test,...) ((test) ? puts (#test) : printf (__VA_ARGS__)) static void test_varargs_macros (void) { int x = 1234; int y = 5678; debug ("Flag"); debug ("X = %d\n", x); showlist (The first, second, and third items.); report (x>y, "x is %d but y is %d", x, y); } // Check long long types. #define BIG64 18446744073709551615ull #define BIG32 4294967295ul #define BIG_OK (BIG64 / BIG32 == 4294967297ull && BIG64 % BIG32 == 0) #if !BIG_OK #error "your preprocessor is broken" #endif #if BIG_OK #else #error "your preprocessor is broken" #endif static long long int bignum = -9223372036854775807LL; static unsigned long long int ubignum = BIG64; struct incomplete_array { int datasize; double data[]; }; struct named_init { int number; const wchar_t *name; double average; }; typedef const char *ccp; static inline int test_restrict (ccp restrict text) { // See if C++-style comments work. // Iterate through items via the restricted pointer. // Also check for declarations in for loops. for (unsigned int i = 0; *(text+i) != '\''\0'\''; ++i) continue; return 0; } // Check varargs and va_copy. static bool test_varargs (const char *format, ...) { va_list args; va_start (args, format); va_list args_copy; va_copy (args_copy, args); const char *str = ""; int number = 0; float fnumber = 0; while (*format) { switch (*format++) { case '\''s'\'': // string str = va_arg (args_copy, const char *); break; case '\''d'\'': // int number = va_arg (args_copy, int); break; case '\''f'\'': // float fnumber = va_arg (args_copy, double); break; default: break; } } va_end (args_copy); va_end (args); return *str && number && fnumber; } ' # Test code for whether the C compiler supports C99 (body of main). ac_c_conftest_c99_main=' // Check bool. _Bool success = false; success |= (argc != 0); // Check restrict. if (test_restrict ("String literal") == 0) success = true; char *restrict newvar = "Another string"; // Check varargs. success &= test_varargs ("s, d'\'' f .", "string", 65, 34.234); test_varargs_macros (); // Check flexible array members. struct incomplete_array *ia = malloc (sizeof (struct incomplete_array) + (sizeof (double) * 10)); ia->datasize = 10; for (int i = 0; i < ia->datasize; ++i) ia->data[i] = i * 1.234; // Check named initializers. struct named_init ni = { .number = 34, .name = L"Test wide string", .average = 543.34343, }; ni.number = 58; int dynamic_array[ni.number]; dynamic_array[0] = argv[0][0]; dynamic_array[ni.number - 1] = 543; // work around unused variable warnings ok |= (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == '\''x'\'' || dynamic_array[ni.number - 1] != 543); ' # Test code for whether the C compiler supports C11 (global declarations) ac_c_conftest_c11_globals=' // Does the compiler advertise C11 conformance? #if !defined __STDC_VERSION__ || __STDC_VERSION__ < 201112L # error "Compiler does not advertise C11 conformance" #endif // Check _Alignas. char _Alignas (double) aligned_as_double; char _Alignas (0) no_special_alignment; extern char aligned_as_int; char _Alignas (0) _Alignas (int) aligned_as_int; // Check _Alignof. enum { int_alignment = _Alignof (int), int_array_alignment = _Alignof (int[100]), char_alignment = _Alignof (char) }; _Static_assert (0 < -_Alignof (int), "_Alignof is signed"); // Check _Noreturn. int _Noreturn does_not_return (void) { for (;;) continue; } // Check _Static_assert. struct test_static_assert { int x; _Static_assert (sizeof (int) <= sizeof (long int), "_Static_assert does not work in struct"); long int y; }; // Check UTF-8 literals. #define u8 syntax error! char const utf8_literal[] = u8"happens to be ASCII" "another string"; // Check duplicate typedefs. typedef long *long_ptr; typedef long int *long_ptr; typedef long_ptr long_ptr; // Anonymous structures and unions -- taken from C11 6.7.2.1 Example 1. struct anonymous { union { struct { int i; int j; }; struct { int k; long int l; } w; }; int m; } v1; ' # Test code for whether the C compiler supports C11 (body of main). ac_c_conftest_c11_main=' _Static_assert ((offsetof (struct anonymous, i) == offsetof (struct anonymous, w.k)), "Anonymous union alignment botch"); v1.i = 2; v1.w.k = 5; ok |= v1.i != 5; ' # Test code for whether the C compiler supports C11 (complete). ac_c_conftest_c11_program="${ac_c_conftest_c89_globals} ${ac_c_conftest_c99_globals} ${ac_c_conftest_c11_globals} int main (int argc, char **argv) { int ok = 0; ${ac_c_conftest_c89_main} ${ac_c_conftest_c99_main} ${ac_c_conftest_c11_main} return ok; } " # Test code for whether the C compiler supports C99 (complete). ac_c_conftest_c99_program="${ac_c_conftest_c89_globals} ${ac_c_conftest_c99_globals} int main (int argc, char **argv) { int ok = 0; ${ac_c_conftest_c89_main} ${ac_c_conftest_c99_main} return ok; } " # Test code for whether the C compiler supports C89 (complete). ac_c_conftest_c89_program="${ac_c_conftest_c89_globals} int main (int argc, char **argv) { int ok = 0; ${ac_c_conftest_c89_main} return ok; } " # Test code for whether the C++ compiler supports C++98 (global declarations) ac_cxx_conftest_cxx98_globals=' // Does the compiler advertise C++98 conformance? #if !defined __cplusplus || __cplusplus < 199711L # error "Compiler does not advertise C++98 conformance" #endif // These inclusions are to reject old compilers that // lack the unsuffixed header files. #include #include // and are *not* freestanding headers in C++98. extern void assert (int); namespace std { extern int strcmp (const char *, const char *); } // Namespaces, exceptions, and templates were all added after "C++ 2.0". using std::exception; using std::strcmp; namespace { void test_exception_syntax() { try { throw "test"; } catch (const char *s) { // Extra parentheses suppress a warning when building autoconf itself, // due to lint rules shared with more typical C programs. assert (!(strcmp) (s, "test")); } } template struct test_template { T const val; explicit test_template(T t) : val(t) {} template T add(U u) { return static_cast(u) + val; } }; } // anonymous namespace ' # Test code for whether the C++ compiler supports C++98 (body of main) ac_cxx_conftest_cxx98_main=' assert (argc); assert (! argv[0]); { test_exception_syntax (); test_template tt (2.0); assert (tt.add (4) == 6.0); assert (true && !false); } ' # Test code for whether the C++ compiler supports C++11 (global declarations) ac_cxx_conftest_cxx11_globals=' // Does the compiler advertise C++ 2011 conformance? #if !defined __cplusplus || __cplusplus < 201103L # error "Compiler does not advertise C++11 conformance" #endif namespace cxx11test { constexpr int get_val() { return 20; } struct testinit { int i; double d; }; class delegate { public: delegate(int n) : n(n) {} delegate(): delegate(2354) {} virtual int getval() { return this->n; }; protected: int n; }; class overridden : public delegate { public: overridden(int n): delegate(n) {} virtual int getval() override final { return this->n * 2; } }; class nocopy { public: nocopy(int i): i(i) {} nocopy() = default; nocopy(const nocopy&) = delete; nocopy & operator=(const nocopy&) = delete; private: int i; }; // for testing lambda expressions template Ret eval(Fn f, Ret v) { return f(v); } // for testing variadic templates and trailing return types template auto sum(V first) -> V { return first; } template auto sum(V first, Args... rest) -> V { return first + sum(rest...); } } ' # Test code for whether the C++ compiler supports C++11 (body of main) ac_cxx_conftest_cxx11_main=' { // Test auto and decltype auto a1 = 6538; auto a2 = 48573953.4; auto a3 = "String literal"; int total = 0; for (auto i = a3; *i; ++i) { total += *i; } decltype(a2) a4 = 34895.034; } { // Test constexpr short sa[cxx11test::get_val()] = { 0 }; } { // Test initializer lists cxx11test::testinit il = { 4323, 435234.23544 }; } { // Test range-based for int array[] = {9, 7, 13, 15, 4, 18, 12, 10, 5, 3, 14, 19, 17, 8, 6, 20, 16, 2, 11, 1}; for (auto &x : array) { x += 23; } } { // Test lambda expressions using cxx11test::eval; assert (eval ([](int x) { return x*2; }, 21) == 42); double d = 2.0; assert (eval ([&](double x) { return d += x; }, 3.0) == 5.0); assert (d == 5.0); assert (eval ([=](double x) mutable { return d += x; }, 4.0) == 9.0); assert (d == 5.0); } { // Test use of variadic templates using cxx11test::sum; auto a = sum(1); auto b = sum(1, 2); auto c = sum(1.0, 2.0, 3.0); } { // Test constructor delegation cxx11test::delegate d1; cxx11test::delegate d2(); cxx11test::delegate d3(45); } { // Test override and final cxx11test::overridden o1(55464); } { // Test nullptr char *c = nullptr; } { // Test template brackets test_template<::test_template> v(test_template(12)); } { // Unicode literals char const *utf8 = u8"UTF-8 string \u2500"; char16_t const *utf16 = u"UTF-8 string \u2500"; char32_t const *utf32 = U"UTF-32 string \u2500"; } ' # Test code for whether the C compiler supports C++11 (complete). ac_cxx_conftest_cxx11_program="${ac_cxx_conftest_cxx98_globals} ${ac_cxx_conftest_cxx11_globals} int main (int argc, char **argv) { int ok = 0; ${ac_cxx_conftest_cxx98_main} ${ac_cxx_conftest_cxx11_main} return ok; } " # Test code for whether the C compiler supports C++98 (complete). ac_cxx_conftest_cxx98_program="${ac_cxx_conftest_cxx98_globals} int main (int argc, char **argv) { int ok = 0; ${ac_cxx_conftest_cxx98_main} return ok; } " as_fn_append ac_header_c_list " stdio.h stdio_h HAVE_STDIO_H" as_fn_append ac_header_c_list " stdlib.h stdlib_h HAVE_STDLIB_H" as_fn_append ac_header_c_list " string.h string_h HAVE_STRING_H" as_fn_append ac_header_c_list " inttypes.h inttypes_h HAVE_INTTYPES_H" as_fn_append ac_header_c_list " stdint.h stdint_h HAVE_STDINT_H" as_fn_append ac_header_c_list " strings.h strings_h HAVE_STRINGS_H" as_fn_append ac_header_c_list " sys/stat.h sys_stat_h HAVE_SYS_STAT_H" as_fn_append ac_header_c_list " sys/types.h sys_types_h HAVE_SYS_TYPES_H" as_fn_append ac_header_c_list " unistd.h unistd_h HAVE_UNISTD_H" # Auxiliary files required by this configure script. ac_aux_files="install-sh config.guess config.sub" # Locations in which to look for auxiliary files. ac_aux_dir_candidates="${srcdir}/." # Search for a directory containing all of the required auxiliary files, # $ac_aux_files, from the $PATH-style list $ac_aux_dir_candidates. # If we don't find one directory that contains all the files we need, # we report the set of missing files from the *first* directory in # $ac_aux_dir_candidates and give up. ac_missing_aux_files="" ac_first_candidate=: printf "%s\n" "$as_me:${as_lineno-$LINENO}: looking for aux files: $ac_aux_files" >&5 as_save_IFS=$IFS; IFS=$PATH_SEPARATOR as_found=false for as_dir in $ac_aux_dir_candidates do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac as_found=: printf "%s\n" "$as_me:${as_lineno-$LINENO}: trying $as_dir" >&5 ac_aux_dir_found=yes ac_install_sh= for ac_aux in $ac_aux_files do # As a special case, if "install-sh" is required, that requirement # can be satisfied by any of "install-sh", "install.sh", or "shtool", # and $ac_install_sh is set appropriately for whichever one is found. if test x"$ac_aux" = x"install-sh" then if test -f "${as_dir}install-sh"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}install-sh found" >&5 ac_install_sh="${as_dir}install-sh -c" elif test -f "${as_dir}install.sh"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}install.sh found" >&5 ac_install_sh="${as_dir}install.sh -c" elif test -f "${as_dir}shtool"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}shtool found" >&5 ac_install_sh="${as_dir}shtool install -c" else ac_aux_dir_found=no if $ac_first_candidate; then ac_missing_aux_files="${ac_missing_aux_files} install-sh" else break fi fi else if test -f "${as_dir}${ac_aux}"; then printf "%s\n" "$as_me:${as_lineno-$LINENO}: ${as_dir}${ac_aux} found" >&5 else ac_aux_dir_found=no if $ac_first_candidate; then ac_missing_aux_files="${ac_missing_aux_files} ${ac_aux}" else break fi fi fi done if test "$ac_aux_dir_found" = yes; then ac_aux_dir="$as_dir" break fi ac_first_candidate=false as_found=false done IFS=$as_save_IFS if $as_found then : else $as_nop as_fn_error $? "cannot find required auxiliary files:$ac_missing_aux_files" "$LINENO" 5 fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. if test -f "${ac_aux_dir}config.guess"; then ac_config_guess="$SHELL ${ac_aux_dir}config.guess" fi if test -f "${ac_aux_dir}config.sub"; then ac_config_sub="$SHELL ${ac_aux_dir}config.sub" fi if test -f "$ac_aux_dir/configure"; then ac_configure="$SHELL ${ac_aux_dir}configure" fi # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 printf "%s\n" "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 printf "%s\n" "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 printf "%s\n" "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 printf "%s\n" "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 printf "%s\n" "$as_me: former value: \`$ac_old_val'" >&2;} { printf "%s\n" "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 printf "%s\n" "$as_me: current value: \`$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in *\'*) ac_arg=$ac_var=`printf "%s\n" "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 printf "%s\n" "$as_me: error: changes in the environment can compromise the build" >&2;} as_fn_error $? "run \`${MAKE-make} distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu # Needed to stop autoconf from looking for files in parent directories. ac_config_headers="$ac_config_headers config.h" LIBNETTLE_MAJOR=8 LIBNETTLE_MINOR=9 LIBHOGWEED_MAJOR=6 LIBHOGWEED_MINOR=9 MAJOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^\([^.]*\)\..*/\1/'` MINOR_VERSION=`echo $PACKAGE_VERSION | sed 's/^[^.]*\.\([0-9]*\).*/\1/'` # Make sure we can run config.sub. $SHELL "${ac_aux_dir}config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL ${ac_aux_dir}config.sub" "$LINENO" 5 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 printf %s "checking build system type... " >&6; } if test ${ac_cv_build+y} then : printf %s "(cached) " >&6 else $as_nop ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "${ac_aux_dir}config.guess"` test "x$ac_build_alias" = x && as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 ac_cv_build=`$SHELL "${ac_aux_dir}config.sub" $ac_build_alias` || as_fn_error $? "$SHELL ${ac_aux_dir}config.sub $ac_build_alias failed" "$LINENO" 5 fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 printf "%s\n" "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; *) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' set x $ac_cv_build shift build_cpu=$1 build_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: build_os=$* IFS=$ac_save_IFS case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 printf %s "checking host system type... " >&6; } if test ${ac_cv_host+y} then : printf %s "(cached) " >&6 else $as_nop if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "${ac_aux_dir}config.sub" $host_alias` || as_fn_error $? "$SHELL ${ac_aux_dir}config.sub $host_alias failed" "$LINENO" 5 fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 printf "%s\n" "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; *) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' set x $ac_cv_host shift host_cpu=$1 host_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: host_os=$* IFS=$ac_save_IFS case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac # Command line options # Check whether --with-include-path was given. if test ${with_include_path+y} then : withval=$with_include_path; else $as_nop with_include_path='' fi if test x$with_include_path != x ; then CPPFLAGS="$CPPFLAGS -I`echo $with_include_path | sed 's/:/ -I/g'`" fi # Check whether --with-lib-path was given. if test ${with_lib_path+y} then : withval=$with_lib_path; else $as_nop with_lib_path='' fi if test x$with_lib_path != x ; then LDFLAGS="$LDFLAGS -L`echo $with_lib_path | sed 's/:/ -L/g'`" fi # Check whether --enable-public-key was given. if test ${enable_public_key+y} then : enableval=$enable_public_key; else $as_nop enable_public_key=yes fi # Check whether --enable-assembler was given. if test ${enable_assembler+y} then : enableval=$enable_assembler; else $as_nop enable_assembler=yes fi # Check whether --enable-static was given. if test ${enable_static+y} then : enableval=$enable_static; else $as_nop enable_static=yes fi # Check whether --enable-shared was given. if test ${enable_shared+y} then : enableval=$enable_shared; else $as_nop enable_shared=yes fi # Check whether --enable-pic was given. if test ${enable_pic+y} then : enableval=$enable_pic; else $as_nop enable_pic=yes fi # Check whether --enable-openssl was given. if test ${enable_openssl+y} then : enableval=$enable_openssl; else $as_nop enable_openssl=yes fi # Check whether --enable-gcov was given. if test ${enable_gcov+y} then : enableval=$enable_gcov; else $as_nop enable_gcov=no fi # Check whether --enable-documentation was given. if test ${enable_documentation+y} then : enableval=$enable_documentation; else $as_nop enable_documentation=auto fi # Check whether --enable-fat was given. if test ${enable_fat+y} then : enableval=$enable_fat; else $as_nop enable_fat=yes fi # Check whether --enable-arm-neon was given. if test ${enable_arm_neon+y} then : enableval=$enable_arm_neon; else $as_nop enable_arm_neon=auto fi # Check whether --enable-arm64-crypto was given. if test ${enable_arm64_crypto+y} then : enableval=$enable_arm64_crypto; else $as_nop enable_arm64_crypto=no fi # Check whether --enable-x86-aesni was given. if test ${enable_x86_aesni+y} then : enableval=$enable_x86_aesni; else $as_nop enable_x86_aesni=no fi # Check whether --enable-x86-sha-ni was given. if test ${enable_x86_sha_ni+y} then : enableval=$enable_x86_sha_ni; else $as_nop enable_x86_sha_ni=no fi # Check whether --enable-x86-pclmul was given. if test ${enable_x86_pclmul+y} then : enableval=$enable_x86_pclmul; else $as_nop enable_x86_pclmul=no fi # Check whether --enable-power-crypto-ext was given. if test ${enable_power_crypto_ext+y} then : enableval=$enable_power_crypto_ext; else $as_nop enable_power_crypto_ext=no fi # Check whether --enable-power-altivec was given. if test ${enable_power_altivec+y} then : enableval=$enable_power_altivec; else $as_nop enable_altivec=no fi # Check whether --enable-power9 was given. if test ${enable_power9+y} then : enableval=$enable_power9; else $as_nop enable_power9=no fi # Check whether --enable-s390x-vf was given. if test ${enable_s390x_vf+y} then : enableval=$enable_s390x_vf; else $as_nop enable_s390x_vf=no fi # Check whether --enable-s390x-msa was given. if test ${enable_s390x_msa+y} then : enableval=$enable_s390x_msa; else $as_nop enable_s390x_msa=no fi # Check whether --enable-extra-asserts was given. if test ${enable_extra_asserts+y} then : enableval=$enable_extra_asserts; else $as_nop enable_extra_asserts=no fi # Check whether --enable-mini-gmp was given. if test ${enable_mini_gmp+y} then : enableval=$enable_mini_gmp; else $as_nop enable_mini_gmp=no fi if test "x$enable_mini_gmp" = xyes ; then NETTLE_USE_MINI_GMP=1 HOGWEED_EXTRA_SYMBOLS="mpz_*;gmp_*;mpn_*;mp_*;" else NETTLE_USE_MINI_GMP=0 HOGWEED_EXTRA_SYMBOLS="" fi if test "$enable_extra_asserts" = yes ; then printf "%s\n" "#define WITH_EXTRA_ASSERTS 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for -R flag" >&5 printf %s "checking for -R flag... " >&6; } RPATHFLAG='' case "$host_os" in osf1*) RPATHFLAG="-rpath " ;; irix6.*|irix5.*) RPATHFLAG="-rpath " ;; solaris*) if test "$TCC" = "yes"; then # tcc doesn't know about -R RPATHFLAG="-Wl,-R," else RPATHFLAG=-R fi ;; linux*|freebsd*) RPATHFLAG="-Wl,-rpath," ;; *) RPATHFLAG="" ;; esac if test x$RPATHFLAG = x ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none" >&5 printf "%s\n" "none" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: using $RPATHFLAG" >&5 printf "%s\n" "using $RPATHFLAG" >&6; } fi RPATH_CANDIDATE_REAL_DIRS='' RPATH_CANDIDATE_DIRS='' { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: Searching for libraries" >&5 printf "%s\n" "Searching for libraries" >&6; } for d in `echo $with_lib_path | sed 's/:/ /g'` \ `echo $exec_prefix | sed "s@^NONE@$prefix/lib@g" | sed "s@^NONE@$ac_default_prefix/lib@g"` \ /usr/local/lib /sw/local/lib /sw/lib \ /usr/gnu/lib /opt/gnu/lib /sw/gnu/lib /usr/freeware/lib /usr/pkg/lib ; do { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking $d" >&5 printf %s "checking $d... " >&6; } ac_exists=no if test -d "$d/." ; then ac_real_dir=`cd $d && pwd` if test -n "$ac_real_dir" ; then ac_exists=yes for old in RPATH_CANDIDATE_REAL_DIRS ; do ac_found=no if test x$ac_real_dir = x$old ; then ac_found=yes; break; fi done if test $ac_found = yes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: already added" >&5 printf "%s\n" "already added" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: added" >&5 printf "%s\n" "added" >&6; } # LDFLAGS="$LDFLAGS -L $d" RPATH_CANDIDATE_REAL_DIRS="$ac_real_dir $RPATH_CANDIDATE_REAL_DIRS" RPATH_CANDIDATE_DIRS="$d $RPATH_CANDIDATE_DIRS" fi fi fi if test $ac_exists = no ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: not found" >&5 printf "%s\n" "not found" >&6; } fi done # Checks for programs. ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}gcc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="gcc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}cc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then if test "$as_dir$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. shift ac_cv_prog_CC="$as_dir$ac_word${1+' '}$@" fi fi fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}clang", so it can be a program name with args. set dummy ${ac_tool_prefix}clang; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CC+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CC="${ac_tool_prefix}clang" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 printf "%s\n" "$CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "clang", so it can be a program name with args. set dummy clang; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CC+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CC="clang" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 printf "%s\n" "$ac_ct_CC" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi fi test -z "$CC" && { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion -version; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 printf %s "checking whether the C compiler works... " >&6; } ac_link_default=`printf "%s\n" "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" ac_rmfiles= for ac_file in $ac_files do case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done rm -f $ac_rmfiles if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. break;; *.* ) if test ${ac_cv_exeext+y} && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not # safe: cross compilers may not add the suffix if given an `-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= else $as_nop ac_file='' fi if test -z "$ac_file" then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables See \`config.log' for more details" "$LINENO" 5; } else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 printf %s "checking for C compiler default output file name... " >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 printf "%s\n" "$ac_file" >&6; } ac_exeext=$ac_cv_exeext rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 printf %s "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will # work properly (i.e., refer to `conftest.exe'), while it won't with # `rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else $as_nop { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest conftest$ac_cv_exeext { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 printf "%s\n" "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { FILE *f = fopen ("conftest.out", "w"); return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files="$ac_clean_files conftest.out" # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 printf %s "checking whether we are cross compiling... " >&6; } if test "$cross_compiling" != yes; then { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } if { ac_try='./conftest$ac_cv_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot run C compiled programs. If you meant to cross compile, use \`--host'. See \`config.log' for more details" "$LINENO" 5; } fi fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 printf "%s\n" "$cross_compiling" >&6; } rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out ac_clean_files=$ac_clean_files_save { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 printf %s "checking for suffix of object files... " >&6; } if test ${ac_cv_objext+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF rm -f conftest.o conftest.obj if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else $as_nop printf "%s\n" "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 printf "%s\n" "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the compiler supports GNU C" >&5 printf %s "checking whether the compiler supports GNU C... " >&6; } if test ${ac_cv_c_compiler_gnu+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_compiler_gnu=yes else $as_nop ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 printf "%s\n" "$ac_cv_c_compiler_gnu" >&6; } ac_compiler_gnu=$ac_cv_c_compiler_gnu if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+y} ac_save_CFLAGS=$CFLAGS { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 printf %s "checking whether $CC accepts -g... " >&6; } if test ${ac_cv_prog_cc_g+y} then : printf %s "(cached) " >&6 else $as_nop ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes else $as_nop CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else $as_nop ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 printf "%s\n" "$ac_cv_prog_cc_g" >&6; } if test $ac_test_CFLAGS; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi ac_prog_cc_stdc=no if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C11 features" >&5 printf %s "checking for $CC option to enable C11 features... " >&6; } if test ${ac_cv_prog_cc_c11+y} then : printf %s "(cached) " >&6 else $as_nop ac_cv_prog_cc_c11=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c11_program _ACEOF for ac_arg in '' -std=gnu11 do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_c11=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c11" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi if test "x$ac_cv_prog_cc_c11" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else $as_nop if test "x$ac_cv_prog_cc_c11" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c11" >&5 printf "%s\n" "$ac_cv_prog_cc_c11" >&6; } CC="$CC $ac_cv_prog_cc_c11" fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c11 ac_prog_cc_stdc=c11 fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C99 features" >&5 printf %s "checking for $CC option to enable C99 features... " >&6; } if test ${ac_cv_prog_cc_c99+y} then : printf %s "(cached) " >&6 else $as_nop ac_cv_prog_cc_c99=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c99_program _ACEOF for ac_arg in '' -std=gnu99 -std=c99 -c99 -qlanglvl=extc1x -qlanglvl=extc99 -AC99 -D_STDC_C99= do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_c99=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c99" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi if test "x$ac_cv_prog_cc_c99" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else $as_nop if test "x$ac_cv_prog_cc_c99" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c99" >&5 printf "%s\n" "$ac_cv_prog_cc_c99" >&6; } CC="$CC $ac_cv_prog_cc_c99" fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c99 ac_prog_cc_stdc=c99 fi fi if test x$ac_prog_cc_stdc = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CC option to enable C89 features" >&5 printf %s "checking for $CC option to enable C89 features... " >&6; } if test ${ac_cv_prog_cc_c89+y} then : printf %s "(cached) " >&6 else $as_nop ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_c_conftest_c89_program _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO" then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi if test "x$ac_cv_prog_cc_c89" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else $as_nop if test "x$ac_cv_prog_cc_c89" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 printf "%s\n" "$ac_cv_prog_cc_c89" >&6; } CC="$CC $ac_cv_prog_cc_c89" fi ac_cv_prog_cc_stdc=$ac_cv_prog_cc_c89 ac_prog_cc_stdc=c89 fi fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ifunc support" >&5 printf %s "checking for ifunc support... " >&6; } if test ${nettle_cv_link_ifunc+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ static int foo_imp(int x) { return 1; } typedef void void_func (void); static void_func * foo_resolv(void) { return (void_func *) foo_imp; } int foo (int x) __attribute__ ((ifunc("foo_resolv"))); int main (void) { return foo(0); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : nettle_cv_link_ifunc=yes else $as_nop nettle_cv_link_ifunc=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_link_ifunc" >&5 printf "%s\n" "$nettle_cv_link_ifunc" >&6; } if test "x$nettle_cv_link_ifunc" = xyes ; then printf "%s\n" "#define HAVE_LINK_IFUNC 1" >>confdefs.h fi # Used by the testsuite only ac_ext=cpp ac_cpp='$CXXCPP $CPPFLAGS' ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_cxx_compiler_gnu if test -z "$CXX"; then if test -n "$CCC"; then CXX=$CCC else if test -n "$ac_tool_prefix"; then for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC clang++ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_CXX+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$CXX"; then ac_cv_prog_CXX="$CXX" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_CXX="$ac_tool_prefix$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CXX=$ac_cv_prog_CXX if test -n "$CXX"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CXX" >&5 printf "%s\n" "$CXX" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$CXX" && break done fi if test -z "$CXX"; then ac_ct_CXX=$CXX for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC clang++ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_CXX+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$ac_ct_CXX"; then ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_CXX="$ac_prog" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CXX=$ac_cv_prog_ac_ct_CXX if test -n "$ac_ct_CXX"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CXX" >&5 printf "%s\n" "$ac_ct_CXX" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi test -n "$ac_ct_CXX" && break done if test "x$ac_ct_CXX" = x; then CXX="g++" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CXX=$ac_ct_CXX fi fi fi fi # Provide some information about the compiler. printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for C++ compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" printf "%s\n" "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether the compiler supports GNU C++" >&5 printf %s "checking whether the compiler supports GNU C++... " >&6; } if test ${ac_cv_cxx_compiler_gnu+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : ac_compiler_gnu=yes else $as_nop ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_cv_cxx_compiler_gnu=$ac_compiler_gnu fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cxx_compiler_gnu" >&5 printf "%s\n" "$ac_cv_cxx_compiler_gnu" >&6; } ac_compiler_gnu=$ac_cv_cxx_compiler_gnu if test $ac_compiler_gnu = yes; then GXX=yes else GXX= fi ac_test_CXXFLAGS=${CXXFLAGS+y} ac_save_CXXFLAGS=$CXXFLAGS { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether $CXX accepts -g" >&5 printf %s "checking whether $CXX accepts -g... " >&6; } if test ${ac_cv_prog_cxx_g+y} then : printf %s "(cached) " >&6 else $as_nop ac_save_cxx_werror_flag=$ac_cxx_werror_flag ac_cxx_werror_flag=yes ac_cv_prog_cxx_g=no CXXFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : ac_cv_prog_cxx_g=yes else $as_nop CXXFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : else $as_nop ac_cxx_werror_flag=$ac_save_cxx_werror_flag CXXFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : ac_cv_prog_cxx_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_cxx_werror_flag=$ac_save_cxx_werror_flag fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cxx_g" >&5 printf "%s\n" "$ac_cv_prog_cxx_g" >&6; } if test $ac_test_CXXFLAGS; then CXXFLAGS=$ac_save_CXXFLAGS elif test $ac_cv_prog_cxx_g = yes; then if test "$GXX" = yes; then CXXFLAGS="-g -O2" else CXXFLAGS="-g" fi else if test "$GXX" = yes; then CXXFLAGS="-O2" else CXXFLAGS= fi fi ac_prog_cxx_stdcxx=no if test x$ac_prog_cxx_stdcxx = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CXX option to enable C++11 features" >&5 printf %s "checking for $CXX option to enable C++11 features... " >&6; } if test ${ac_cv_prog_cxx_cxx11+y} then : printf %s "(cached) " >&6 else $as_nop ac_cv_prog_cxx_cxx11=no ac_save_CXX=$CXX cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_cxx_conftest_cxx11_program _ACEOF for ac_arg in '' -std=gnu++11 -std=gnu++0x -std=c++11 -std=c++0x -qlanglvl=extended0x -AA do CXX="$ac_save_CXX $ac_arg" if ac_fn_cxx_try_compile "$LINENO" then : ac_cv_prog_cxx_cxx11=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cxx_cxx11" != "xno" && break done rm -f conftest.$ac_ext CXX=$ac_save_CXX fi if test "x$ac_cv_prog_cxx_cxx11" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else $as_nop if test "x$ac_cv_prog_cxx_cxx11" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cxx_cxx11" >&5 printf "%s\n" "$ac_cv_prog_cxx_cxx11" >&6; } CXX="$CXX $ac_cv_prog_cxx_cxx11" fi ac_cv_prog_cxx_stdcxx=$ac_cv_prog_cxx_cxx11 ac_prog_cxx_stdcxx=cxx11 fi fi if test x$ac_prog_cxx_stdcxx = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $CXX option to enable C++98 features" >&5 printf %s "checking for $CXX option to enable C++98 features... " >&6; } if test ${ac_cv_prog_cxx_cxx98+y} then : printf %s "(cached) " >&6 else $as_nop ac_cv_prog_cxx_cxx98=no ac_save_CXX=$CXX cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_cxx_conftest_cxx98_program _ACEOF for ac_arg in '' -std=gnu++98 -std=c++98 -qlanglvl=extended -AA do CXX="$ac_save_CXX $ac_arg" if ac_fn_cxx_try_compile "$LINENO" then : ac_cv_prog_cxx_cxx98=$ac_arg fi rm -f core conftest.err conftest.$ac_objext conftest.beam test "x$ac_cv_prog_cxx_cxx98" != "xno" && break done rm -f conftest.$ac_ext CXX=$ac_save_CXX fi if test "x$ac_cv_prog_cxx_cxx98" = xno then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 printf "%s\n" "unsupported" >&6; } else $as_nop if test "x$ac_cv_prog_cxx_cxx98" = x then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 printf "%s\n" "none needed" >&6; } else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cxx_cxx98" >&5 printf "%s\n" "$ac_cv_prog_cxx_cxx98" >&6; } CXX="$CXX $ac_cv_prog_cxx_cxx98" fi ac_cv_prog_cxx_stdcxx=$ac_cv_prog_cxx_cxx98 ac_prog_cxx_stdcxx=cxx98 fi fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_ext=cpp ac_cpp='$CXXCPP $CPPFLAGS' ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_cxx_compiler_gnu cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { return 0; ; return 0; } _ACEOF if ac_fn_cxx_try_compile "$LINENO" then : IF_CXX='' else $as_nop IF_CXX='#' fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu # Check whether --enable-ld-version-script was given. if test ${enable_ld_version_script+y} then : enableval=$enable_ld_version_script; have_ld_version_script=$enableval fi if test -z "$have_ld_version_script"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if LD -Wl,--version-script works" >&5 printf %s "checking if LD -Wl,--version-script works... " >&6; } save_LDFLAGS="$LDFLAGS" LDFLAGS="$LDFLAGS -Wl,--version-script=conftest.map" cat > conftest.map <conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : accepts_syntax_errors=yes else $as_nop accepts_syntax_errors=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext if test "$accepts_syntax_errors" = no; then cat > conftest.map <conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : have_ld_version_script=yes else $as_nop have_ld_version_script=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext else have_ld_version_script=no fi rm -f conftest.map LDFLAGS="$save_LDFLAGS" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $have_ld_version_script" >&5 printf "%s\n" "$have_ld_version_script" >&6; } fi if test "$have_ld_version_script" = "yes";then EXTRA_LINKER_FLAGS="-Wl,--version-script=libnettle.map" EXTRA_HOGWEED_LINKER_FLAGS="-Wl,--version-script=libhogweed.map" fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 printf %s "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`printf "%s\n" "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval test \${ac_cv_prog_make_${ac_make}_set+y} then : printf %s "(cached) " >&6 else $as_nop cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } SET_MAKE= else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_RANLIB+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$RANLIB"; then ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 printf "%s\n" "$RANLIB" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_RANLIB"; then ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_RANLIB+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$ac_ct_RANLIB"; then ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_RANLIB="ranlib" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 printf "%s\n" "$ac_ct_RANLIB" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_RANLIB" = x; then RANLIB=":" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac RANLIB=$ac_ct_RANLIB fi else RANLIB="$ac_cv_prog_RANLIB" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}nm", so it can be a program name with args. set dummy ${ac_tool_prefix}nm; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_NM+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$NM"; then ac_cv_prog_NM="$NM" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_NM="${ac_tool_prefix}nm" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi NM=$ac_cv_prog_NM if test -n "$NM"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $NM" >&5 printf "%s\n" "$NM" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_NM"; then ac_ct_NM=$NM # Extract the first word of "nm", so it can be a program name with args. set dummy nm; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_NM+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$ac_ct_NM"; then ac_cv_prog_ac_ct_NM="$ac_ct_NM" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_NM="nm" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_NM=$ac_cv_prog_ac_ct_NM if test -n "$ac_ct_NM"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_NM" >&5 printf "%s\n" "$ac_ct_NM" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_NM" = x; then NM="strings" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac NM=$ac_ct_NM fi else NM="$ac_cv_prog_NM" fi # Used only for the GNU-stack configure test. if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}objdump", so it can be a program name with args. set dummy ${ac_tool_prefix}objdump; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_OBJDUMP+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$OBJDUMP"; then ac_cv_prog_OBJDUMP="$OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_OBJDUMP="${ac_tool_prefix}objdump" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi OBJDUMP=$ac_cv_prog_OBJDUMP if test -n "$OBJDUMP"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $OBJDUMP" >&5 printf "%s\n" "$OBJDUMP" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_OBJDUMP"; then ac_ct_OBJDUMP=$OBJDUMP # Extract the first word of "objdump", so it can be a program name with args. set dummy objdump; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_OBJDUMP+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$ac_ct_OBJDUMP"; then ac_cv_prog_ac_ct_OBJDUMP="$ac_ct_OBJDUMP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_OBJDUMP="objdump" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_OBJDUMP=$ac_cv_prog_ac_ct_OBJDUMP if test -n "$ac_ct_OBJDUMP"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_OBJDUMP" >&5 printf "%s\n" "$ac_ct_OBJDUMP" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_OBJDUMP" = x; then OBJDUMP="false" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac OBJDUMP=$ac_ct_OBJDUMP fi else OBJDUMP="$ac_cv_prog_OBJDUMP" fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ar", so it can be a program name with args. set dummy ${ac_tool_prefix}ar; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_AR+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$AR"; then ac_cv_prog_AR="$AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_AR="${ac_tool_prefix}ar" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi AR=$ac_cv_prog_AR if test -n "$AR"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 printf "%s\n" "$AR" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi fi if test -z "$ac_cv_prog_AR"; then ac_ct_AR=$AR # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_prog_ac_ct_AR+y} then : printf %s "(cached) " >&6 else $as_nop if test -n "$ac_ct_AR"; then ac_cv_prog_ac_ct_AR="$ac_ct_AR" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_prog_ac_ct_AR="ar" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_AR=$ac_cv_prog_ac_ct_AR if test -n "$ac_ct_AR"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_ct_AR" >&5 printf "%s\n" "$ac_ct_AR" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$ac_ct_AR" = x; then AR="false" else case $cross_compiling:$ac_tool_warned in yes:) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 printf "%s\n" "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac AR=$ac_ct_AR fi else AR="$ac_cv_prog_AR" fi # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 printf %s "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if test ${ac_cv_path_install+y} then : printf %s "(cached) " >&6 else $as_nop as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac # Account for fact that we put trailing slashes in our PATH walk. case $as_dir in #(( ./ | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. # Don't use installbsd from OSF since it installs stuff as root # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_prog$ac_exec_ext"; then if test $ac_prog = install && grep dspmsg "$as_dir$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. : elif test $ac_prog = install && grep pwplus "$as_dir$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # program-specific install script used by HP pwplus--don't use. : else rm -rf conftest.one conftest.two conftest.dir echo one > conftest.one echo two > conftest.two mkdir conftest.dir if "$as_dir$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir/" && test -s conftest.one && test -s conftest.two && test -s conftest.dir/conftest.one && test -s conftest.dir/conftest.two then ac_cv_path_install="$as_dir$ac_prog$ac_exec_ext -c" break 3 fi fi fi done done ;; esac done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir fi if test ${ac_cv_path_install+y}; then INSTALL=$ac_cv_path_install else # As a last resort, use the slow shell script. Don't cache a # value for INSTALL within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. INSTALL=$ac_install_sh fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 printf "%s\n" "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' # According to the autoconf manual, needs install-sh from # autoconf-2.60 or automake-1.10 to avoid races. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for a race-free mkdir -p" >&5 printf %s "checking for a race-free mkdir -p... " >&6; } if test -z "$MKDIR_P"; then if test ${ac_cv_path_mkdir+y} then : printf %s "(cached) " >&6 else $as_nop as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_prog in mkdir gmkdir; do for ac_exec_ext in '' $ac_executable_extensions; do as_fn_executable_p "$as_dir$ac_prog$ac_exec_ext" || continue case `"$as_dir$ac_prog$ac_exec_ext" --version 2>&1` in #( 'mkdir ('*'coreutils) '* | \ 'BusyBox '* | \ 'mkdir (fileutils) '4.1*) ac_cv_path_mkdir=$as_dir$ac_prog$ac_exec_ext break 3;; esac done done done IFS=$as_save_IFS fi test -d ./--version && rmdir ./--version if test ${ac_cv_path_mkdir+y}; then MKDIR_P="$ac_cv_path_mkdir -p" else # As a last resort, use the slow shell script. Don't cache a # value for MKDIR_P within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. MKDIR_P="$ac_install_sh -d" fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 printf "%s\n" "$MKDIR_P" >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 printf %s "checking whether ln -s works... " >&6; } LN_S=$as_ln_s if test "$LN_S" = "ln -s"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 printf "%s\n" "no, using $LN_S" >&6; } fi # Compiler tests for the build system if test -n "$CC_FOR_BUILD"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking build system compiler $CC_FOR_BUILD" >&5 printf %s "checking build system compiler $CC_FOR_BUILD... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./a.out || ./b.out || ./a.exe || ./a_out.exe || ./conftest) >&5 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cc_for_build_works" >&5 printf "%s\n" "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then : else as_fn_error $? "Specified CC_FOR_BUILD doesn't seem to work" "$LINENO" 5 fi elif test -n "$HOST_CC"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking build system compiler $HOST_CC" >&5 printf %s "checking build system compiler $HOST_CC... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./a.out || ./b.out || ./a.exe || ./a_out.exe || ./conftest) >&5 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cc_for_build_works" >&5 printf "%s\n" "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then CC_FOR_BUILD=$HOST_CC else as_fn_error $? "Specified HOST_CC doesn't seem to work" "$LINENO" 5 fi else if test $cross_compiling = no ; then CC_FOR_BUILD="$CC" else for i in gcc cc c89 c99; do { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking build system compiler $i" >&5 printf %s "checking build system compiler $i... " >&6; } # remove anything that might look like compiler output to our "||" expression rm -f conftest* a.out b.out a.exe a_out.exe cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./a.out || ./b.out || ./a.exe || ./a_out.exe || ./conftest) >&5 2>&1; then cc_for_build_works=yes fi fi rm -f conftest* a.out b.out a.exe a_out.exe { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $cc_for_build_works" >&5 printf "%s\n" "$cc_for_build_works" >&6; } if test "$cc_for_build_works" = yes; then CC_FOR_BUILD=$i break else : fi done if test -z "$CC_FOR_BUILD"; then as_fn_error $? "Cannot find a build system compiler" "$LINENO" 5 fi fi if test "$CC_FOR_BUILD" = gcc ; then CC_FOR_BUILD="$CC_FOR_BUILD -O -g" fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for build system executable suffix" >&5 printf %s "checking for build system executable suffix... " >&6; } if test ${gmp_cv_prog_exeext_for_build+y} then : printf %s "(cached) " >&6 else $as_nop if test $cross_compiling = no ; then gmp_cv_prog_exeext_for_build="$EXEEXT" else cat >conftest.c <&5 (eval $gmp_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then if (./conftest) 2>&5; then gmp_cv_prog_exeext_for_build=$i break fi fi done rm -f conftest* if test "${gmp_cv_prog_exeext_for_build+set}" != set; then as_fn_error $? "Cannot determine executable suffix" "$LINENO" 5 fi fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $gmp_cv_prog_exeext_for_build" >&5 printf "%s\n" "$gmp_cv_prog_exeext_for_build" >&6; } EXEEXT_FOR_BUILD=$gmp_cv_prog_exeext_for_build # Check if valgrind is working; expected to fail in cross builds. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if valgrind is working" >&5 printf %s "checking if valgrind is working... " >&6; } if test ${nettle_cv_prog_valgrind+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : if valgrind -q ./conftest$EXEEXT 2>&5; then nettle_cv_prog_valgrind=yes else nettle_cv_prog_valgrind=no fi else $as_nop nettle_cv_prog_valgrind=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_prog_valgrind" >&5 printf "%s\n" "$nettle_cv_prog_valgrind" >&6; } if test "$nettle_cv_prog_valgrind" = yes ; then IF_VALGRIND='' else IF_VALGRIND='#' fi # Check whether --enable-dependency_tracking was given. if test ${enable_dependency_tracking+y} then : enableval=$enable_dependency_tracking; else $as_nop enable_dependency_tracking=yes fi DEP_FLAGS='' DEP_PROCESS='true' if test x$enable_dependency_tracking = xyes ; then if test x$GCC = xyes ; then gcc_version=`gcc --version | head -1` case "$gcc_version" in 2.*|*[!0-9.]2.*) enable_dependency_tracking=no { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Dependency tracking disabled, gcc-3.x is needed" >&5 printf "%s\n" "$as_me: WARNING: Dependency tracking disabled, gcc-3.x is needed" >&2;} ;; *) DEP_FLAGS='-MT $@ -MD -MP -MF $@.d' DEP_PROCESS='true' ;; esac else enable_dependency_tracking=no { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Dependency tracking disabled" >&5 printf "%s\n" "$as_me: WARNING: Dependency tracking disabled" >&2;} fi fi if test "x$enable_gcov" = "xyes"; then CFLAGS="$CFLAGS -ftest-coverage -fprofile-arcs" fi # Checks for typedefs, structures, and compiler characteristics. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 printf %s "checking for an ANSI C-conforming const... " >&6; } if test ${ac_cv_c_const+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { #ifndef __cplusplus /* Ultrix mips cc rejects this sort of thing. */ typedef int charset[2]; const charset cs = { 0, 0 }; /* SunOS 4.1.1 cc rejects this. */ char const *const *pcpcc; char **ppc; /* NEC SVR4.0.2 mips cc rejects this. */ struct point {int x, y;}; static struct point const zero = {0,0}; /* IBM XL C 1.02.0.0 rejects this. It does not let you subtract one const X* pointer from another in an arm of an if-expression whose if-part is not a constant expression */ const char *g = "string"; pcpcc = &g + (g ? g-g : 0); /* HPUX 7.0 cc rejects these. */ ++pcpcc; ppc = (char**) pcpcc; pcpcc = (char const *const *) ppc; { /* SCO 3.2v4 cc rejects this sort of thing. */ char tx; char *t = &tx; char const *s = 0 ? (char *) 0 : (char const *) 0; *t++ = 0; if (s) return 0; } { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ int x[] = {25, 17}; const int *foo = &x[0]; ++foo; } { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ typedef const int *iptr; iptr p = 0; ++p; } { /* IBM XL C 1.02.0.0 rejects this sort of thing, saying "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ struct s { int j; const int *ap[3]; } bx; struct s *b = &bx; b->j = 5; } { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ const int foo = 10; if (!foo) return 0; } return !cs[0] && !zero.x; #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_const=yes else $as_nop ac_cv_c_const=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 printf "%s\n" "$ac_cv_c_const" >&6; } if test $ac_cv_c_const = no; then printf "%s\n" "#define const /**/" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 printf %s "checking for inline... " >&6; } if test ${ac_cv_c_inline+y} then : printf %s "(cached) " >&6 else $as_nop ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __cplusplus typedef int foo_t; static $ac_kw foo_t static_foo (void) {return 0; } $ac_kw foo_t foo (void) {return 0; } #endif _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_inline=$ac_kw fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext test "$ac_cv_c_inline" != no && break done fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 printf "%s\n" "$ac_cv_c_inline" >&6; } case $ac_cv_c_inline in inline | yes) ;; *) case $ac_cv_c_inline in no) ac_val=;; *) ac_val=$ac_cv_c_inline;; esac cat >>confdefs.h <<_ACEOF #ifndef __cplusplus #define inline $ac_val #endif _ACEOF ;; esac ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 printf %s "checking how to run the C preprocessor... " >&6; } # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then CPP= fi if test -z "$CPP"; then if test ${ac_cv_prog_CPP+y} then : printf %s "(cached) " >&6 else $as_nop # Double quotes because $CC needs to be expanded for CPP in "$CC -E" "$CC -E -traditional-cpp" cpp /lib/cpp do ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO" then : else $as_nop # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO" then : # Broken: success on invalid input. continue else $as_nop # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok then : break fi done ac_cv_prog_CPP=$CPP fi CPP=$ac_cv_prog_CPP else ac_cv_prog_CPP=$CPP fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 printf "%s\n" "$CPP" >&6; } ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes do # Use a header file that comes with gcc, so configuring glibc # with a fresh cross-compiler works. # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include Syntax error _ACEOF if ac_fn_c_try_cpp "$LINENO" then : else $as_nop # Broken: fails on valid input. continue fi rm -f conftest.err conftest.i conftest.$ac_ext # OK, works on sane cases. Now check whether nonexistent headers # can be detected and how. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if ac_fn_c_try_cpp "$LINENO" then : # Broken: success on invalid input. continue else $as_nop # Passes both tests. ac_preproc_ok=: break fi rm -f conftest.err conftest.i conftest.$ac_ext done # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. rm -f conftest.i conftest.err conftest.$ac_ext if $ac_preproc_ok then : else $as_nop { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "C preprocessor \"$CPP\" fails sanity check See \`config.log' for more details" "$LINENO" 5; } fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 printf %s "checking for grep that handles long lines and -e... " >&6; } if test ${ac_cv_path_GREP+y} then : printf %s "(cached) " >&6 else $as_nop if test -z "$GREP"; then ac_path_GREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_prog in grep ggrep do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_GREP="$as_dir$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_GREP" || continue # Check for GNU ac_path_GREP and select it if it is found. # Check for GNU $ac_path_GREP case `"$ac_path_GREP" --version 2>&1` in *GNU*) ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; *) ac_count=0 printf %s 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" printf "%s\n" 'GREP' >> "conftest.nl" "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_GREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_GREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_GREP"; then as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_GREP=$GREP fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 printf "%s\n" "$ac_cv_path_GREP" >&6; } GREP="$ac_cv_path_GREP" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 printf %s "checking for egrep... " >&6; } if test ${ac_cv_path_EGREP+y} then : printf %s "(cached) " >&6 else $as_nop if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 then ac_cv_path_EGREP="$GREP -E" else if test -z "$EGREP"; then ac_path_EGREP_found=false # Loop through the user's path and test for each of PROGNAME-LIST as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_prog in egrep do for ac_exec_ext in '' $ac_executable_extensions; do ac_path_EGREP="$as_dir$ac_prog$ac_exec_ext" as_fn_executable_p "$ac_path_EGREP" || continue # Check for GNU ac_path_EGREP and select it if it is found. # Check for GNU $ac_path_EGREP case `"$ac_path_EGREP" --version 2>&1` in *GNU*) ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; *) ac_count=0 printf %s 0123456789 >"conftest.in" while : do cat "conftest.in" "conftest.in" >"conftest.tmp" mv "conftest.tmp" "conftest.in" cp "conftest.in" "conftest.nl" printf "%s\n" 'EGREP' >> "conftest.nl" "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break as_fn_arith $ac_count + 1 && ac_count=$as_val if test $ac_count -gt ${ac_path_EGREP_max-0}; then # Best one so far, save it but keep looking for a better one ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_max=$ac_count fi # 10*(2^10) chars as input seems more than enough test $ac_count -gt 10 && break done rm -f conftest.in conftest.tmp conftest.nl conftest.out;; esac $ac_path_EGREP_found && break 3 done done done IFS=$as_save_IFS if test -z "$ac_cv_path_EGREP"; then as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 fi else ac_cv_path_EGREP=$EGREP fi fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 printf "%s\n" "$ac_cv_path_EGREP" >&6; } EGREP="$ac_cv_path_EGREP" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5 printf %s "checking for uid_t in sys/types.h... " >&6; } if test ${ac_cv_type_uid_t+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include _ACEOF if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | $EGREP "uid_t" >/dev/null 2>&1 then : ac_cv_type_uid_t=yes else $as_nop ac_cv_type_uid_t=no fi rm -rf conftest* fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5 printf "%s\n" "$ac_cv_type_uid_t" >&6; } if test $ac_cv_type_uid_t = no; then printf "%s\n" "#define uid_t int" >>confdefs.h printf "%s\n" "#define gid_t int" >>confdefs.h fi ac_header= ac_cache= for ac_item in $ac_header_c_list do if test $ac_cache; then ac_fn_c_check_header_compile "$LINENO" $ac_header ac_cv_header_$ac_cache "$ac_includes_default" if eval test \"x\$ac_cv_header_$ac_cache\" = xyes; then printf "%s\n" "#define $ac_item 1" >> confdefs.h fi ac_header= ac_cache= elif test $ac_header; then ac_cache=$ac_item else ac_header=$ac_item fi done if test $ac_cv_header_stdlib_h = yes && test $ac_cv_header_string_h = yes then : printf "%s\n" "#define STDC_HEADERS 1" >>confdefs.h fi ac_fn_c_check_type "$LINENO" "size_t" "ac_cv_type_size_t" "$ac_includes_default" if test "x$ac_cv_type_size_t" = xyes then : else $as_nop printf "%s\n" "#define size_t unsigned int" >>confdefs.h fi # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking size of long" >&5 printf %s "checking size of long... " >&6; } if test ${ac_cv_sizeof_long+y} then : printf %s "(cached) " >&6 else $as_nop if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (long))" "ac_cv_sizeof_long" "$ac_includes_default" then : else $as_nop if test "$ac_cv_type_long" = yes; then { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (long) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_long=0 fi fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_long" >&5 printf "%s\n" "$ac_cv_sizeof_long" >&6; } printf "%s\n" "#define SIZEOF_LONG $ac_cv_sizeof_long" >>confdefs.h # The cast to long int works around a bug in the HP C Compiler # version HP92453-01 B.11.11.23709.GP, which incorrectly rejects # declarations like `int a3[[(sizeof (unsigned char)) >= 0]];'. # This bug is HP SR number 8606223364. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking size of size_t" >&5 printf %s "checking size of size_t... " >&6; } if test ${ac_cv_sizeof_size_t+y} then : printf %s "(cached) " >&6 else $as_nop if ac_fn_c_compute_int "$LINENO" "(long int) (sizeof (size_t))" "ac_cv_sizeof_size_t" "$ac_includes_default" then : else $as_nop if test "$ac_cv_type_size_t" = yes; then { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "cannot compute sizeof (size_t) See \`config.log' for more details" "$LINENO" 5; } else ac_cv_sizeof_size_t=0 fi fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_sizeof_size_t" >&5 printf "%s\n" "$ac_cv_sizeof_size_t" >&6; } printf "%s\n" "#define SIZEOF_SIZE_T $ac_cv_sizeof_size_t" >>confdefs.h for ac_header in openssl/evp.h openssl/ec.h openssl/rsa.h do : as_ac_Header=`printf "%s\n" "ac_cv_header_$ac_header" | $as_tr_sh` ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" if eval test \"x\$"$as_ac_Header"\" = x"yes" then : cat >>confdefs.h <<_ACEOF #define `printf "%s\n" "HAVE_$ac_header" | $as_tr_cpp` 1 _ACEOF else $as_nop enable_openssl=no break fi done # For use by the testsuite ac_fn_c_check_header_compile "$LINENO" "valgrind/memcheck.h" "ac_cv_header_valgrind_memcheck_h" "$ac_includes_default" if test "x$ac_cv_header_valgrind_memcheck_h" = xyes then : printf "%s\n" "#define HAVE_VALGRIND_MEMCHECK_H 1" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "dlfcn.h" "ac_cv_header_dlfcn_h" "$ac_includes_default" if test "x$ac_cv_header_dlfcn_h" = xyes then : printf "%s\n" "#define HAVE_DLFCN_H 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for dlopen in -ldl" >&5 printf %s "checking for dlopen in -ldl... " >&6; } if test ${ac_cv_lib_dl_dlopen+y} then : printf %s "(cached) " >&6 else $as_nop ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ char dlopen (); int main (void) { return dlopen (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_dl_dlopen=yes else $as_nop ac_cv_lib_dl_dlopen=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_dl_dlopen" >&5 printf "%s\n" "$ac_cv_lib_dl_dlopen" >&6; } if test "x$ac_cv_lib_dl_dlopen" = xyes then : printf "%s\n" "#define HAVE_LIBDL 1" >>confdefs.h fi # The Ultrix 4.2 mips builtin alloca declared by alloca.h only works # for constant arguments. Useless! { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for working alloca.h" >&5 printf %s "checking for working alloca.h... " >&6; } if test ${ac_cv_working_alloca_h+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { char *p = (char *) alloca (2 * sizeof (int)); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_working_alloca_h=yes else $as_nop ac_cv_working_alloca_h=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_working_alloca_h" >&5 printf "%s\n" "$ac_cv_working_alloca_h" >&6; } if test $ac_cv_working_alloca_h = yes; then printf "%s\n" "#define HAVE_ALLOCA_H 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for alloca" >&5 printf %s "checking for alloca... " >&6; } if test ${ac_cv_func_alloca_works+y} then : printf %s "(cached) " >&6 else $as_nop if test $ac_cv_working_alloca_h = yes; then ac_cv_func_alloca_works=yes else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #ifndef alloca # ifdef __GNUC__ # define alloca __builtin_alloca # elif defined _MSC_VER # include # define alloca _alloca # else # ifdef __cplusplus extern "C" # endif void *alloca (size_t); # endif #endif int main (void) { char *p = (char *) alloca (1); if (p) return 0; ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_func_alloca_works=yes else $as_nop ac_cv_func_alloca_works=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_alloca_works" >&5 printf "%s\n" "$ac_cv_func_alloca_works" >&6; } fi if test $ac_cv_func_alloca_works = yes; then printf "%s\n" "#define HAVE_ALLOCA 1" >>confdefs.h else # The SVR3 libPW and SVR4 libucb both contain incompatible functions # that cause trouble. Some versions do not even contain alloca or # contain a buggy version. If you still want to use their alloca, # use ar to extract alloca.o from them instead of compiling alloca.c. ALLOCA=\${LIBOBJDIR}alloca.$ac_objext printf "%s\n" "#define C_ALLOCA 1" >>confdefs.h { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking stack direction for C alloca" >&5 printf %s "checking stack direction for C alloca... " >&6; } if test ${ac_cv_c_stack_direction+y} then : printf %s "(cached) " >&6 else $as_nop if test "$cross_compiling" = yes then : ac_cv_c_stack_direction=0 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int find_stack_direction (int *addr, int depth) { int dir, dummy = 0; if (! addr) addr = &dummy; *addr = addr < &dummy ? 1 : addr == &dummy ? 0 : -1; dir = depth ? find_stack_direction (addr, depth - 1) : 0; return dir + dummy; } int main (int argc, char **argv) { return find_stack_direction (0, argc + !argv + 20) < 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_c_stack_direction=1 else $as_nop ac_cv_c_stack_direction=-1 fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_stack_direction" >&5 printf "%s\n" "$ac_cv_c_stack_direction" >&6; } printf "%s\n" "#define STACK_DIRECTION $ac_cv_c_stack_direction" >>confdefs.h fi ac_fn_c_check_header_compile "$LINENO" "malloc.h" "ac_cv_header_malloc_h" "$ac_includes_default" if test "x$ac_cv_header_malloc_h" = xyes then : printf "%s\n" "#define HAVE_MALLOC_H 1" >>confdefs.h fi # getenv_secure is used for fat overrides, # getline is used in the testsuite ac_fn_c_check_func "$LINENO" "secure_getenv" "ac_cv_func_secure_getenv" if test "x$ac_cv_func_secure_getenv" = xyes then : printf "%s\n" "#define HAVE_SECURE_GETENV 1" >>confdefs.h fi ac_fn_c_check_func "$LINENO" "getline" "ac_cv_func_getline" if test "x$ac_cv_func_getline" = xyes then : printf "%s\n" "#define HAVE_GETLINE 1" >>confdefs.h fi ASM_WORDS_BIGENDIAN=unknown { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 printf %s "checking whether byte ordering is bigendian... " >&6; } if test ${ac_cv_c_bigendian+y} then : printf %s "(cached) " >&6 else $as_nop ac_cv_c_bigendian=unknown # See if we're dealing with a universal compiler. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __APPLE_CC__ not a universal capable compiler #endif typedef int dummy; _ACEOF if ac_fn_c_try_compile "$LINENO" then : # Check for potential -arch flags. It is not universal unless # there are at least two -arch flags with different values. ac_arch= ac_prev= for ac_word in $CC $CFLAGS $CPPFLAGS $LDFLAGS; do if test -n "$ac_prev"; then case $ac_word in i?86 | x86_64 | ppc | ppc64) if test -z "$ac_arch" || test "$ac_arch" = "$ac_word"; then ac_arch=$ac_word else ac_cv_c_bigendian=universal break fi ;; esac ac_prev= elif test "x$ac_word" = "x-arch"; then ac_prev=arch fi done fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext if test $ac_cv_c_bigendian = unknown; then # See if sys/param.h defines the BYTE_ORDER macro. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main (void) { #if ! (defined BYTE_ORDER && defined BIG_ENDIAN \ && defined LITTLE_ENDIAN && BYTE_ORDER && BIG_ENDIAN \ && LITTLE_ENDIAN) bogus endian macros #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : # It does; now see whether it defined to BIG_ENDIAN or not. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include int main (void) { #if BYTE_ORDER != BIG_ENDIAN not big endian #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_bigendian=yes else $as_nop ac_cv_c_bigendian=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi if test $ac_cv_c_bigendian = unknown; then # See if defines _LITTLE_ENDIAN or _BIG_ENDIAN (e.g., Solaris). cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { #if ! (defined _LITTLE_ENDIAN || defined _BIG_ENDIAN) bogus endian macros #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : # It does; now see whether it defined to _BIG_ENDIAN or not. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { #ifndef _BIG_ENDIAN not big endian #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ac_cv_c_bigendian=yes else $as_nop ac_cv_c_bigendian=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi if test $ac_cv_c_bigendian = unknown; then # Compile a test program. if test "$cross_compiling" = yes then : # Try to guess by grepping values from an object file. cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ unsigned short int ascii_mm[] = { 0x4249, 0x4765, 0x6E44, 0x6961, 0x6E53, 0x7953, 0 }; unsigned short int ascii_ii[] = { 0x694C, 0x5454, 0x656C, 0x6E45, 0x6944, 0x6E61, 0 }; int use_ascii (int i) { return ascii_mm[i] + ascii_ii[i]; } unsigned short int ebcdic_ii[] = { 0x89D3, 0xE3E3, 0x8593, 0x95C5, 0x89C4, 0x9581, 0 }; unsigned short int ebcdic_mm[] = { 0xC2C9, 0xC785, 0x95C4, 0x8981, 0x95E2, 0xA8E2, 0 }; int use_ebcdic (int i) { return ebcdic_mm[i] + ebcdic_ii[i]; } extern int foo; int main (void) { return use_ascii (foo) == use_ebcdic (foo); ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : if grep BIGenDianSyS conftest.$ac_objext >/dev/null; then ac_cv_c_bigendian=yes fi if grep LiTTleEnDian conftest.$ac_objext >/dev/null ; then if test "$ac_cv_c_bigendian" = unknown; then ac_cv_c_bigendian=no else # finding both strings is unlikely to happen, but who knows? ac_cv_c_bigendian=unknown fi fi fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ $ac_includes_default int main (void) { /* Are we little or big endian? From Harbison&Steele. */ union { long int l; char c[sizeof (long int)]; } u; u.l = 1; return u.c[sizeof (long int) - 1] == 1; ; return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_cv_c_bigendian=no else $as_nop ac_cv_c_bigendian=yes fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_bigendian" >&5 printf "%s\n" "$ac_cv_c_bigendian" >&6; } case $ac_cv_c_bigendian in #( yes) printf "%s\n" "#define WORDS_BIGENDIAN 1" >>confdefs.h ASM_WORDS_BIGENDIAN=yes;; #( no) ASM_WORDS_BIGENDIAN=no ;; #( universal) printf "%s\n" "#define AC_APPLE_UNIVERSAL_BUILD 1" >>confdefs.h ;; #( *) as_fn_error $? "unknown endianness presetting ac_cv_c_bigendian=no (or yes) will help" "$LINENO" 5 ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for __builtin_bswap64" >&5 printf %s "checking for __builtin_bswap64... " >&6; } if test ${nettle_cv_c_builtin_bswap64+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main (void) { uint64_t x = 17; uint64_t y = __builtin_bswap64(x); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : nettle_cv_c_builtin_bswap64=yes else $as_nop nettle_cv_c_builtin_bswap64=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_c_builtin_bswap64" >&5 printf "%s\n" "$nettle_cv_c_builtin_bswap64" >&6; } if test "x$nettle_cv_c_builtin_bswap64" = "xyes" ; then printf "%s\n" "#define HAVE_BUILTIN_BSWAP64 1" >>confdefs.h fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for __attribute__" >&5 printf %s "checking for __attribute__... " >&6; } if test ${lsh_cv_c_attribute+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include static void foo(void) __attribute__ ((noreturn)); static void __attribute__ ((noreturn)) foo(void) { exit(1); } int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : lsh_cv_c_attribute=yes else $as_nop lsh_cv_c_attribute=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $lsh_cv_c_attribute" >&5 printf "%s\n" "$lsh_cv_c_attribute" >&6; } if test "x$lsh_cv_c_attribute" = "xyes"; then printf "%s\n" "#define HAVE_GCC_ATTRIBUTE 1" >>confdefs.h fi # Check for file locking. We (AC_PROG_CC?) have already checked for # sys/types.h and unistd.h. { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for fcntl file locking" >&5 printf %s "checking for fcntl file locking... " >&6; } if test ${nettle_cv_fcntl_locking+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if HAVE_SYS_TYPES_H # include #endif #if HAVE_UNISTD_H # include #endif #include int main (void) { int op = F_SETLKW; struct flock fl; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : nettle_cv_fcntl_locking=yes else $as_nop nettle_cv_fcntl_locking=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_fcntl_locking" >&5 printf "%s\n" "$nettle_cv_fcntl_locking" >&6; } if test "x$nettle_cv_fcntl_locking" = "xyes" ; then printf "%s\n" "#define HAVE_FCNTL_LOCKING 1" >>confdefs.h fi # Checks for libraries if test "x$enable_public_key" = "xyes" ; then if test "x$enable_mini_gmp" = "xno" ; then # mpn_zero_p was added in GMP-6.1.0 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for __gmpn_zero_p in -lgmp" >&5 printf %s "checking for __gmpn_zero_p in -lgmp... " >&6; } if test ${ac_cv_lib_gmp___gmpn_zero_p+y} then : printf %s "(cached) " >&6 else $as_nop ac_check_lib_save_LIBS=$LIBS LIBS="-lgmp $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ char __gmpn_zero_p (); int main (void) { return __gmpn_zero_p (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_gmp___gmpn_zero_p=yes else $as_nop ac_cv_lib_gmp___gmpn_zero_p=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp___gmpn_zero_p" >&5 printf "%s\n" "$ac_cv_lib_gmp___gmpn_zero_p" >&6; } if test "x$ac_cv_lib_gmp___gmpn_zero_p" = xyes then : printf "%s\n" "#define HAVE_LIBGMP 1" >>confdefs.h LIBS="-lgmp $LIBS" else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: GNU MP not found, or too old. GMP-6.1.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable." >&5 printf "%s\n" "$as_me: WARNING: GNU MP not found, or too old. GMP-6.1.0 or later is needed, see https://gmplib.org/. Support for public key algorithms will be unavailable." >&2;} enable_public_key=no fi # Add -R flags needed to run programs linked with gmp if test $cross_compiling = no -a "x$RPATHFLAG" != x ; then ac_success=no if test "$cross_compiling" = yes then : : else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main(int argc, char **argv) { return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_success=yes else $as_nop ac_success=no fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi if test $ac_success = no ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking Running simple test program failed. Trying -R flags" >&5 printf %s "checking Running simple test program failed. Trying -R flags... " >&6; } ac_remaining_dirs='' ac_rpath_save_LDFLAGS="$LDFLAGS" for d in $RPATH_CANDIDATE_DIRS ; do if test $ac_success = yes ; then ac_remaining_dirs="$ac_remaining_dirs $d" else LDFLAGS="$RPATHFLAG$d $LDFLAGS" if test "$cross_compiling" = yes then : : else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main(int argc, char **argv) { return 0; } _ACEOF if ac_fn_c_try_run "$LINENO" then : ac_success=yes ac_rpath_save_LDFLAGS="$LDFLAGS" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: adding $RPATHFLAG$d" >&5 printf "%s\n" "adding $RPATHFLAG$d" >&6; } else $as_nop ac_remaining_dirs="$ac_remaining_dirs $d" fi rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ conftest.$ac_objext conftest.beam conftest.$ac_ext fi LDFLAGS="$ac_rpath_save_LDFLAGS" fi done RPATH_CANDIDATE_DIRS=$ac_remaining_dirs fi if test $ac_success = no ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: failed" >&5 printf "%s\n" "failed" >&6; } fi fi fi fi nettle_cv_gmp_numb_bits=0 if test "x$enable_public_key" = "xyes" ; then # Check for gmp limb size if test "x$enable_mini_gmp" = "xyes" ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for mini-gmp limb size" >&5 printf %s "checking for mini-gmp limb size... " >&6; } # With mini-gmp, mp_limb_t is always unsigned long. if ac_fn_c_compute_int "$LINENO" "(sizeof(unsigned long) * CHAR_BIT)" "nettle_cv_gmp_numb_bits" "#include " then : else $as_nop { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot find value of GMP_NUMB_BITS See \`config.log' for more details" "$LINENO" 5; } fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 printf "%s\n" "$nettle_cv_gmp_numb_bits bits" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for GMP limb size" >&5 printf %s "checking for GMP limb size... " >&6; } if ac_fn_c_compute_int "$LINENO" "GMP_NUMB_BITS" "nettle_cv_gmp_numb_bits" "#include " then : else $as_nop { { printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 printf "%s\n" "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot find value of GMP_NUMB_BITS See \`config.log' for more details" "$LINENO" 5; } fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_gmp_numb_bits bits" >&5 printf "%s\n" "$nettle_cv_gmp_numb_bits bits" >&6; } fi fi # Substituted in Makefile, passed on to the eccdata command. NUMB_BITS="$nettle_cv_gmp_numb_bits" # Substituted in version.h, used only with mini-gmp. if test "x$enable_mini_gmp" = "xyes" ; then GMP_NUMB_BITS="$NUMB_BITS" else GMP_NUMB_BITS="n/a" fi # Figure out ABI. Currently, configurable only by setting CFLAGS. ABI=standard ELFV2_ABI=no # For powerpc64 W64_ABI=no # For x86_64 windows case "$host_cpu" in x86_64 | amd64) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__x86_64__) || defined(__arch64__) #error 64-bit x86 #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else $as_nop ABI=64 fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; *sparc*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__sparcv9) || defined(__arch64__) #error 64-bit sparc #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else $as_nop ABI=64 fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; *mips64*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__mips64) || defined(__mips64__) || (defined(__sgi) && defined(__LP64__)) #error 64-bit mips #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else $as_nop ABI=64 fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; *powerpc64*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__PPC64__) #error 64-bit powerpc #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else $as_nop ABI=64 fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext if test "$ABI" = 64 ; then cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if _CALL_ELF == 2 #error ELFv2 ABI #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : else $as_nop ELFV2_ABI=yes fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi ;; aarch64*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__aarch64__) #error 64-bit arm #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else $as_nop ABI=64 fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; *s390x*) cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if defined(__s390x__) #error 64-bit s390x #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : ABI=32 else $as_nop ABI=64 fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext ;; esac if test "x$ABI" != xstandard ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: Compiler uses $ABI-bit ABI. To change, set CC." >&5 printf "%s\n" "$as_me: Compiler uses $ABI-bit ABI. To change, set CC." >&6;} if test "$libdir" = '${exec_prefix}/lib' ; then # Try setting a better default case "$host_cpu:$host_os:$ABI" in *:solaris*:32|*:sunos*:32) libdir='${exec_prefix}/lib' ;; *:solaris*:64|*:sunos*:64) libdir='${exec_prefix}/lib/64' ;; # Linux conventions are a mess... According to the Linux File # Hierarchy Standard, all architectures except IA64 puts 32-bit # libraries in lib, and 64-bit in lib64. Some distributions, # e.g., Fedora and Gentoo, adhere to this standard, while at # least Debian has decided to put 64-bit libraries in lib and # 32-bit libraries in lib32. # We try to figure out the convention, except if we're cross # compiling. We use lib${ABI} if /usr/lib${ABI} exists and # appears to not be a symlink to a different name. *:linux*:32|*:linux*:64) if test "$cross_compiling" = yes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib." >&5 printf "%s\n" "$as_me: WARNING: Cross compiling for linux. Can't guess if libraries go in lib${ABI} or lib." >&2;}; else # The dash builtin pwd tries to be "helpful" and remember # symlink names. Use -P option, and hope it's portable enough. test -d /usr/lib${ABI} \ && (cd /usr/lib${ABI} && pwd -P | grep >/dev/null "/lib${ABI}"'$') \ && libdir='${exec_prefix}/'"lib${ABI}" fi ;; # On freebsd, it seems 32-bit libraries are in lib32, # and 64-bit in lib. Don't know about "kfreebsd", does # it follow the Linux fhs conventions? *:freebsd*:32) libdir='${exec_prefix}/lib32' ;; *:freebsd*:64) libdir='${exec_prefix}/lib' ;; *:irix*:32) libdir='${exec_prefix}/lib32' ;; *:irix*:64) libdir='${exec_prefix}/lib64' ;; *) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: Don't know where to install $ABI-bit libraries on this system." >&5 printf "%s\n" "$as_me: WARNING: Don't know where to install $ABI-bit libraries on this system." >&2;}; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: Libraries to be installed in $libdir." >&5 printf "%s\n" "$as_me: Libraries to be installed in $libdir." >&6;} fi fi OPT_NETTLE_SOURCES="" FAT_TEST_LIST="" ASM_PPC_WANT_R_REGISTERS="n/a" # Select assembler code asm_path= if test "x$enable_assembler" = xyes ; then case "$host_cpu" in x86 | i?86* | k[5-8]* | pentium* | athlon) asm_path=x86 ;; x86_64 | amd64) if test "$ABI" = 64 ; then asm_path=x86_64 if test "x$enable_fat" = xyes ; then asm_path="x86_64/fat $asm_path" OPT_NETTLE_SOURCES="fat-x86_64.c $OPT_NETTLE_SOURCES" # For now, not enabling aesni or sha_ni, since at least # the latter appears unavailable on the gitlab test machines. FAT_TEST_LIST="vendor:intel vendor:amd" else if test "x$enable_x86_aesni" = xyes ; then asm_path="x86_64/aesni $asm_path" fi if test "x$enable_x86_sha_ni" = xyes ; then asm_path="x86_64/sha_ni $asm_path" fi if test "x$enable_x86_pclmul" = xyes ; then asm_path="x86_64/pclmul $asm_path" fi fi else asm_path=x86 fi ;; *sparc*) if test "$ABI" = 64 ; then asm_path=sparc64 fi ;; arm*) asm_path=arm if test "x$enable_fat" = xyes ; then asm_path="arm/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm.c $OPT_NETTLE_SOURCES" FAT_TEST_LIST="arch:5 arch:6,neon" else case "$host_cpu" in armv6* | armv7*) if test "$enable_arm_neon" = auto ; then if test "$cross_compiling" = yes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if assembler accepts Neon instructions" >&5 printf %s "checking if assembler accepts Neon instructions... " >&6; } if test ${nettle_cv_asm_arm_neon+y} then : printf %s "(cached) " >&6 else $as_nop cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_arm_neon=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_arm_neon=no fi rm -f conftest* fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_arm_neon" >&5 printf "%s\n" "$nettle_cv_asm_arm_neon" >&6; } enable_arm_neon="$nettle_cv_asm_arm_neon" else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if /proc/cpuinfo claims neon support" >&5 printf %s "checking if /proc/cpuinfo claims neon support... " >&6; } if grep '^Features.*:.* neon' /proc/cpuinfo >/dev/null ; then enable_arm_neon=yes else enable_arm_neon=no fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_arm_neon" >&5 printf "%s\n" "$enable_arm_neon" >&6; } fi fi asm_path="arm/v6 arm" ;; esac if test "x$enable_arm_neon" = xyes ; then asm_path="arm/neon $asm_path" fi fi ;; aarch64*) if test "$ABI" = 64 ; then asm_path=arm64 if test "x$enable_fat" = xyes ; then asm_path="arm64/fat $asm_path" OPT_NETTLE_SOURCES="fat-arm64.c $OPT_NETTLE_SOURCES" FAT_TEST_LIST="none aes pmull sha1 sha2" else if test "$enable_arm64_crypto" = yes ; then asm_path="arm64/crypto $asm_path" fi fi else # As far as I understand, Neon instructions are unlikely to be # missing. It may be omitted "only for implementations # targeting specialized markets", to quote the Armv8 reference # manual. asm_path="arm/neon arm/v6 arm" fi ;; *powerpc64*) if test "$ABI" = 64 ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if the assembler needs r on registers" >&5 printf %s "checking if the assembler needs r on registers... " >&6; } if test ${gmp_cv_asm_powerpc_r_registers+y} then : printf %s "(cached) " >&6 else $as_nop cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 gmp_cv_asm_powerpc_r_registers=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 gmp_cv_asm_powerpc_r_registers=no else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 as_fn_error $? "neither \"mtctr 6\" nor \"mtctr r6\" works" "$LINENO" 5 fi rm -f conftest* fi rm -f conftest* fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $gmp_cv_asm_powerpc_r_registers" >&5 printf "%s\n" "$gmp_cv_asm_powerpc_r_registers" >&6; } ASM_PPC_WANT_R_REGISTERS="$gmp_cv_asm_powerpc_r_registers" asm_path="powerpc64" if test "x$enable_fat" = xyes ; then asm_path="powerpc64/fat $asm_path" OPT_NETTLE_SOURCES="fat-ppc.c $OPT_NETTLE_SOURCES" FAT_TEST_LIST="none crypto_ext altivec power9" else if test "$enable_power9" = yes ; then asm_path="powerpc64/p9 $asm_path" fi if test "$enable_power_crypto_ext" = yes ; then asm_path="powerpc64/p8 $asm_path" fi if test "$enable_power_altivec" = yes ; then asm_path="powerpc64/p7 $asm_path" fi fi fi ;; *s390x*) if test "$ABI" = 64 ; then asm_path="s390x" if test "x$enable_fat" = xyes ; then asm_path="s390x/fat $asm_path" OPT_NETTLE_SOURCES="fat-s390x.c $OPT_NETTLE_SOURCES" FAT_TEST_LIST="none vf msa msa_x1 msa_x2 msa_x4" else if test "$enable_s390x_vf" = yes ; then asm_path="s390x/vf $asm_path" fi if test "$enable_s390x_msa" = yes ; then asm_path="s390x/msa s390x/msa_x1 s390x/msa_x2 s390x/msa_x4 $asm_path" fi fi fi ;; *) enable_assembler=no ;; esac fi # Files which replace a C source file (or otherwise don't correspond # to a new object file). asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \ aes-invert-internal.asm \ aes128-set-encrypt-key.asm aes128-set-decrypt-key.asm \ aes128-encrypt.asm aes128-decrypt.asm \ aes192-set-encrypt-key.asm aes192-set-decrypt-key.asm \ aes192-encrypt.asm aes192-decrypt.asm \ aes256-set-encrypt-key.asm aes256-set-decrypt-key.asm \ aes256-encrypt.asm aes256-decrypt.asm \ cbc-aes128-encrypt.asm cbc-aes192-encrypt.asm \ cbc-aes256-encrypt.asm \ camellia-crypt-internal.asm \ memxor.asm memxor3.asm \ ghash-set-key.asm ghash-update.asm \ poly1305-internal.asm \ chacha-core-internal.asm \ salsa20-crypt.asm salsa20-core-internal.asm \ serpent-encrypt.asm serpent-decrypt.asm \ sha1-compress.asm sha256-compress-n.asm sha512-compress.asm \ sha3-permute.asm umac-nh.asm umac-nh-n.asm machine.m4" # Assembler files which generate additional object files if they are used. asm_nettle_optional_list="cpuid.asm cpu-facility.asm \ memxor-2.asm memxor3-2.asm \ aes-encrypt-internal-2.asm aes-decrypt-internal-2.asm aes-invert-internal-2.asm \ aes128-set-encrypt-key-2.asm aes128-set-decrypt-key-2.asm \ aes128-encrypt-2.asm aes128-decrypt-2.asm \ aes192-set-encrypt-key-2.asm aes192-set-decrypt-key-2.asm \ aes192-encrypt-2.asm aes192-decrypt-2.asm \ aes256-set-encrypt-key-2.asm aes256-set-decrypt-key-2.asm \ aes256-encrypt-2.asm aes256-decrypt-2.asm \ cbc-aes128-encrypt-2.asm cbc-aes192-encrypt-2.asm cbc-aes256-encrypt-2.asm \ chacha-2core.asm chacha-3core.asm chacha-4core.asm chacha-core-internal-2.asm \ poly1305-blocks.asm poly1305-internal-2.asm \ ghash-set-key-2.asm ghash-update-2.asm \ gcm-aes-encrypt.asm gcm-aes-encrypt-2.asm \ gcm-aes-decrypt.asm gcm-aes-decrypt-2.asm\ salsa20-2core.asm salsa20-core-internal-2.asm \ sha1-compress-2.asm sha256-compress-n-2.asm \ sha3-permute-2.asm sha512-compress-2.asm \ umac-nh-n-2.asm umac-nh-2.asm" asm_hogweed_optional_list="" if test "x$enable_public_key" = "xyes" ; then asm_hogweed_optional_list="ecc-secp192r1-modp.asm ecc-secp224r1-modp.asm \ ecc-secp256r1-redc.asm ecc-secp384r1-modp.asm ecc-secp521r1-modp.asm \ ecc-curve25519-modp.asm ecc-curve448-modp.asm" fi OPT_NETTLE_OBJS="" OPT_HOGWEED_OBJS="" asm_file_list="" if test "x$enable_assembler" = xyes ; then if test -n "$asm_path"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: Looking for assembler files in $asm_path." >&5 printf "%s\n" "$as_me: Looking for assembler files in $asm_path." >&6;} for tmp_f in $asm_replace_list ; do for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_f"; then asm_file_list="$asm_file_list $tmp_f" ac_config_links="$ac_config_links $tmp_f:$asm_dir/$tmp_f" break fi done done for tmp_n in $asm_nettle_optional_list ; do tmp_b=`echo "$tmp_n" | sed 's/\.[^.]*$//'` for asm_dir in $asm_path ; do if test -f "$srcdir/$asm_dir/$tmp_n"; then asm_file_list="$asm_file_list $tmp_n" ac_config_links="$ac_config_links $tmp_n:$asm_dir/$tmp_n" while read tmp_func ; do printf "%s\n" "#define HAVE_NATIVE_$tmp_func 1" >>confdefs.h eval HAVE_NATIVE_$tmp_func=yes done <&5 printf "%s\n" "$as_me: WARNING: skipping $tmp_h, because GMP_NUMB_BITS != $tmp_bits" >&2;} continue fi asm_file_list="$asm_file_list $tmp_h" ac_config_links="$ac_config_links $tmp_h:$asm_dir/$tmp_h" while read tmp_func ; do printf "%s\n" "#define HAVE_NATIVE_$tmp_func 1" >>confdefs.h eval HAVE_NATIVE_$tmp_func=yes done <&5 printf "%s\n" "$as_me: WARNING: No assembler files found." >&2;} fi fi case "$host_os" in darwin*) ASM_RODATA='.section __TEXT,__const' ;; *) ASM_RODATA='.section .rodata' ;; esac fi if test "x$enable_assembler" = xyes ; then IF_ASM='' else IF_ASM='#' fi if test "x$enable_pic" = xyes; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking CCPIC" >&5 printf %s "checking CCPIC... " >&6; } if test ${lsh_cv_sys_ccpic+y} then : printf %s "(cached) " >&6 else $as_nop if test -z "$CCPIC" ; then if test "$GCC" = yes ; then case "$host_os" in bsdi4.*) CCPIC="-fPIC" ;; bsdi*) CCPIC="" ;; darwin*) CCPIC="-fPIC" ;; freebsd*|netbsd*|openbsd*) CCPIC="-fPIC" ;; # Could also use -fpic, depending on the number of symbol references solaris*) CCPIC="-fPIC" ;; cygwin*) CCPIC="" ;; mingw32*) CCPIC="" ;; *) CCPIC="-fpic" ;; esac else case "$host_os" in darwin*) CCPIC="-fPIC" ;; irix*) CCPIC="-share" ;; hpux*) CCPIC="+z"; ;; freebsd*|netbsd*|openbsd*) CCPIC="-fPIC" ;; sco*|sysv4.*) CCPIC="-KPIC -dy -Bdynamic" ;; solaris*) CCPIC="-KPIC -Bdynamic" ;; winnt*) CCPIC="-shared" ;; *) CCPIC="" ;; esac fi fi OLD_CFLAGS="$CFLAGS" CFLAGS="$CFLAGS $CCPIC" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main (void) { return 0; ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : lsh_cv_sys_ccpic="$CCPIC" else $as_nop lsh_cv_sys_ccpic='' fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext CFLAGS="$OLD_CFLAGS" fi CCPIC="$lsh_cv_sys_ccpic" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $CCPIC" >&5 printf "%s\n" "$CCPIC" >&6; } else CCPIC='' fi IF_DLL='#' LIBNETTLE_FILE_SRC='$(LIBNETTLE_FORLINK)' LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FORLINK)' EMULATOR='' case "$host_os" in mingw32*|cygwin*) # The actual DLLs, e.g. libnettle-$major-$minor.dll, are normally # installed into the bin dir (or more exactly $libdir/../bin, for # automake), while libnettle.dll.a, which is a stub file for # linking to the DLL, is installed into the lib dir. case "$host_os" in mingw32*) LIBNETTLE_FORLINK='libnettle-$(LIBNETTLE_MAJOR).dll' LIBHOGWEED_FORLINK='libhogweed-$(LIBHOGWEED_MAJOR).dll' ;; cygwin*) LIBNETTLE_FORLINK='cygnettle-$(LIBNETTLE_MAJOR).dll' LIBHOGWEED_FORLINK='cyghogweed-$(LIBHOGWEED_MAJOR).dll' ;; esac if test "x$cross_compiling" = xyes ; then EMULATOR=wine fi if test "x$ABI" = x64 ; then W64_ABI=yes fi LIBNETTLE_SONAME='' LIBNETTLE_FILE='libnettle.dll.a' LIBNETTLE_FILE_SRC='$(LIBNETTLE_FILE)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-implib=$(LIBNETTLE_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' LIBNETTLE_LIBS='-Wl,--no-whole-archive $(LIBS)' LIBHOGWEED_SONAME='' LIBHOGWEED_FILE='libhogweed.dll.a' LIBHOGWEED_FILE_SRC='$(LIBHOGWEED_FILE)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-implib=$(LIBHOGWEED_FILE) -Wl,--export-all-symbols -Wl,--enable-auto-import -Wl,--whole-archive' LIBHOGWEED_LIBS='-Wl,--no-whole-archive $(LIBS) libnettle.dll.a' IF_DLL='' ;; midipix*) if test "x$ABI" = x64 ; then W64_ABI=yes fi LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-dsolib=libnettle.lib.a -Wl,-soname=$(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,--out-dsolib=libhogweed.lib.a -Wl,-soname=$(LIBHOGWEED_SONAME)' LIBHOGWEED_LIBS='$(LIBS) .lib/libnettle.so.8' ;; darwin*) LIBNETTLE_FORLINK=libnettle.dylib LIBNETTLE_SONAME='libnettle.$(LIBNETTLE_MAJOR).dylib' LIBNETTLE_FILE='libnettle.$(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR).dylib' LIBNETTLE_LINK='$(CC) $(CFLAGS) -dynamiclib $(LDFLAGS) -install_name ${libdir}/$(LIBNETTLE_SONAME) -compatibility_version $(LIBNETTLE_MAJOR) -current_version $(LIBNETTLE_MAJOR).$(LIBNETTLE_MINOR)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.dylib LIBHOGWEED_SONAME='libhogweed.$(LIBHOGWEED_MAJOR).dylib' LIBHOGWEED_FILE='libhogweed.$(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR).dylib' LIBHOGWEED_LINK='$(CC) $(CFLAGS) -dynamiclib -L. $(LDFLAGS) -install_name ${libdir}/$(LIBHOGWEED_SONAME) -compatibility_version $(LIBHOGWEED_MAJOR) -current_version $(LIBHOGWEED_MAJOR).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LIBS='-lnettle $(LIBS)' ;; solaris*) # Sun's ld uses -h to set the soname, and this option is passed # through by both Sun's compiler and gcc. Might not work with GNU # ld, but it's unusual to use GNU ld on Solaris. LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -h $(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) --shared -h $(LIBHOGWEED_SONAME)' LIBHOGWEED_LIBS='libnettle.so $(LIBS)' ;; *) LIBNETTLE_FORLINK=libnettle.so LIBNETTLE_SONAME='$(LIBNETTLE_FORLINK).$(LIBNETTLE_MAJOR)' LIBNETTLE_FILE='$(LIBNETTLE_SONAME).$(LIBNETTLE_MINOR)' LIBNETTLE_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBNETTLE_SONAME)' LIBNETTLE_LIBS='' LIBHOGWEED_FORLINK=libhogweed.so LIBHOGWEED_SONAME='$(LIBHOGWEED_FORLINK).$(LIBHOGWEED_MAJOR)' LIBHOGWEED_FILE='$(LIBHOGWEED_SONAME).$(LIBHOGWEED_MINOR)' LIBHOGWEED_LINK='$(CC) $(CFLAGS) $(LDFLAGS) -shared -Wl,-soname=$(LIBHOGWEED_SONAME)' # Requested by debian, to make linking with only -lhogweed work # (does not work in general, e.g., with static linking all of # -lhogweed -lgmp -lnettle are still required). Also makes dlopen # of libhogweed.so work, without having to use RTLD_GLOBAL. LIBHOGWEED_LIBS='libnettle.so $(LIBS)' ;; esac ASM_SYMBOL_PREFIX='' ASM_ELF_STYLE='no' ASM_COFF_STYLE='no' # GNU as default is to use @ ASM_TYPE_FUNCTION='@function' ASM_TYPE_PROGBITS='@progbits' ASM_MARK_NOEXEC_STACK='' ASM_ALIGN_LOG='' if test x$enable_assembler = xyes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if globals are prefixed by underscore" >&5 printf %s "checking if globals are prefixed by underscore... " >&6; } if test ${nettle_cv_asm_underscore+y} then : printf %s "(cached) " >&6 else $as_nop # Default is no underscore nettle_cv_asm_underscore=no cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int a_global_symbol; _ACEOF if ac_fn_c_try_compile "$LINENO" then : $NM conftest.$OBJEXT >conftest.out if grep _a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=yes elif grep a_global_symbol conftest.out >/dev/null ; then nettle_cv_asm_underscore=no else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: nm does not list a_global_symbol at all" >&5 printf "%s\n" "$as_me: WARNING: nm does not list a_global_symbol at all" >&2;} fi else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: test program with a single global could not be compiled!?" >&5 printf "%s\n" "$as_me: WARNING: test program with a single global could not be compiled!?" >&2;} fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_underscore" >&5 printf "%s\n" "$nettle_cv_asm_underscore" >&6; } if test x$nettle_cv_asm_underscore = xyes ; then ASM_SYMBOL_PREFIX='_' fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,%function pseudo-ops" >&5 printf %s "checking for ELF-style .type,%function pseudo-ops... " >&6; } if test ${nettle_cv_asm_type_percent_function+y} then : printf %s "(cached) " >&6 else $as_nop cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_type_percent_function=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_type_percent_function=no fi rm -f conftest* fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_percent_function" >&5 printf "%s\n" "$nettle_cv_asm_type_percent_function" >&6; } { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for ELF-style .type,#function pseudo-ops" >&5 printf %s "checking for ELF-style .type,#function pseudo-ops... " >&6; } if test ${nettle_cv_asm_type_hash_function+y} then : printf %s "(cached) " >&6 else $as_nop cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_type_hash_function=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_type_hash_function=no fi rm -f conftest* fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_type_hash_function" >&5 printf "%s\n" "$nettle_cv_asm_type_hash_function" >&6; } if test x$nettle_cv_asm_type_percent_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='%function' ASM_TYPE_PROGBITS='%progbits' else if test x$nettle_cv_asm_type_hash_function = xyes ; then ASM_ELF_STYLE='yes' ASM_TYPE_FUNCTION='#function' ASM_TYPE_PROGBITS='#progbits' fi fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for COFF-style .type directive" >&5 printf %s "checking for COFF-style .type directive... " >&6; } if test ${nettle_cv_asm_coff_type+y} then : printf %s "(cached) " >&6 else $as_nop cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_coff_type=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_coff_type=no fi rm -f conftest* fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_coff_type" >&5 printf "%s\n" "$nettle_cv_asm_coff_type" >&6; } if test "x$nettle_cv_asm_coff_type" = "xyes" ; then ASM_COFF_STYLE=yes fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if we should use a .note.GNU-stack section" >&5 printf %s "checking if we should use a .note.GNU-stack section... " >&6; } if test ${nettle_cv_asm_gnu_stack+y} then : printf %s "(cached) " >&6 else $as_nop # Default nettle_cv_asm_gnu_stack=no cat >conftest.c <&5 (eval $nettle_compile) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 $OBJDUMP -x conftest.o | grep '\.note\.GNU-stack' > /dev/null \ && nettle_cv_asm_gnu_stack=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 fi rm -f conftest.* fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_gnu_stack" >&5 printf "%s\n" "$nettle_cv_asm_gnu_stack" >&6; } if test x$nettle_cv_asm_gnu_stack = xyes ; then ASM_MARK_NOEXEC_STACK='.section .note.GNU-stack,"",TYPE_PROGBITS' fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if .align assembly directive is logarithmic" >&5 printf %s "checking if .align assembly directive is logarithmic... " >&6; } if test ${nettle_cv_asm_align_log+y} then : printf %s "(cached) " >&6 else $as_nop cat >conftest.s <&5 (eval $gmp_assemble) 2>&5 ac_status=$? printf "%s\n" "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then cat conftest.out >&5 nettle_cv_asm_align_log=yes else cat conftest.out >&5 echo "configure: failed program was:" >&5 cat conftest.s >&5 nettle_cv_asm_align_log=no fi rm -f conftest* fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_align_log" >&5 printf "%s\n" "$nettle_cv_asm_align_log" >&6; } ASM_ALIGN_LOG="$nettle_cv_asm_align_log" fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if Intel CET is enabled" >&5 printf %s "checking if Intel CET is enabled... " >&6; } if test ${nettle_cv_asm_x86_intel_cet+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #ifndef __CET__ #error Intel CET is not enabled #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : nettle_cv_asm_x86_intel_cet=yes else $as_nop nettle_cv_asm_x86_intel_cet=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_x86_intel_cet" >&5 printf "%s\n" "$nettle_cv_asm_x86_intel_cet" >&6; } if test "$nettle_cv_asm_x86_intel_cet" = yes; then case $ABI in 32|standard) ASM_X86_ENDBR=endbr32 ASM_X86_MARK_CET_ALIGN=2 ;; 64) ASM_X86_ENDBR=endbr64 ASM_X86_MARK_CET_ALIGN=3 ;; x32) ASM_X86_ENDBR=endbr64 ASM_X86_MARK_CET_ALIGN=2 ;; esac { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if .note.gnu.property section is needed" >&5 printf %s "checking if .note.gnu.property section is needed... " >&6; } if test ${nettle_cv_asm_x86_gnu_property+y} then : printf %s "(cached) " >&6 else $as_nop cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #if !defined __ELF__ || !defined __CET__ #error GNU property is not needed #endif int main (void) { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO" then : nettle_cv_asm_x86_gnu_property=yes else $as_nop nettle_cv_asm_x86_gnu_property=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $nettle_cv_asm_x86_gnu_property" >&5 printf "%s\n" "$nettle_cv_asm_x86_gnu_property" >&6; } else nettle_cv_asm_x86_gnu_property=no fi if test "$nettle_cv_asm_x86_gnu_property" = yes; then ASM_X86_MARK_CET=' .pushsection ".note.gnu.property", "a" .p2align ASM_X86_MARK_CET_ALIGN .long 1f - 0f .long 4f - 1f .long 5 0: .asciz "GNU" 1: .p2align ASM_X86_MARK_CET_ALIGN .long 0xc0000002 .long 3f - 2f 2: .long 3 3: .p2align ASM_X86_MARK_CET_ALIGN 4: .popsection' fi # Extract the first word of "m4", so it can be a program name with args. set dummy m4; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_path_M4+y} then : printf %s "(cached) " >&6 else $as_nop case $M4 in [\\/]* | ?:[\\/]*) ac_cv_path_M4="$M4" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_path_M4="$as_dir$ac_word$ac_exec_ext" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_path_M4" && ac_cv_path_M4="m4" ;; esac fi M4=$ac_cv_path_M4 if test -n "$M4"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $M4" >&5 printf "%s\n" "$M4" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$enable_public_key" = xyes ; then printf "%s\n" "#define WITH_HOGWEED 1" >>confdefs.h IF_HOGWEED='' else IF_HOGWEED='#' fi if test "x$enable_static" = xyes ; then IF_STATIC='' else IF_STATIC='#' fi IF_DLOPEN_TEST='#' if test "x$enable_shared" = xyes ; then IF_SHARED='' IF_NOT_SHARED='#' if test "x$ac_cv_lib_dl_dlopen" = xyes ; then IF_DLOPEN_TEST='' fi else IF_SHARED='#' IF_NOT_SHARED='' fi # Documentation tools if test "x$enable_documentation" != "xno"; then # Extract the first word of "makeinfo", so it can be a program name with args. set dummy makeinfo; ac_word=$2 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 printf %s "checking for $ac_word... " >&6; } if test ${ac_cv_path_MAKEINFO+y} then : printf %s "(cached) " >&6 else $as_nop case $MAKEINFO in [\\/]* | ?:[\\/]*) ac_cv_path_MAKEINFO="$MAKEINFO" # Let the user override the test with a path. ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac for ac_exec_ext in '' $ac_executable_extensions; do if as_fn_executable_p "$as_dir$ac_word$ac_exec_ext"; then ac_cv_path_MAKEINFO="$as_dir$ac_word$ac_exec_ext" printf "%s\n" "$as_me:${as_lineno-$LINENO}: found $as_dir$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS test -z "$ac_cv_path_MAKEINFO" && ac_cv_path_MAKEINFO="not-found" ;; esac fi MAKEINFO=$ac_cv_path_MAKEINFO if test -n "$MAKEINFO"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $MAKEINFO" >&5 printf "%s\n" "$MAKEINFO" >&6; } else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } fi if test "x$MAKEINFO" != "xnot-found"; then enable_documentation=yes else if test "x$enable_documentation" == "xauto" ; then enable_documentation=no else as_fn_error $? "Cannot find 'makeinfo', required for documentation." "$LINENO" 5 fi fi fi if test "x$enable_documentation" = "xyes" ; then IF_DOCUMENTATION='' else IF_DOCUMENTATION='#' fi if test "x$enable_mini_gmp" = "xyes" ; then IF_MINI_GMP='' else IF_MINI_GMP='#' fi OPENSSL_LIBFLAGS='' # Check for openssl's libcrypto (used only for benchmarking) if test x$enable_openssl = xyes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto" >&5 printf %s "checking for EVP_CIPHER_CTX_new in -lcrypto... " >&6; } if test ${ac_cv_lib_crypto_EVP_CIPHER_CTX_new+y} then : printf %s "(cached) " >&6 else $as_nop ac_check_lib_save_LIBS=$LIBS LIBS="-lcrypto $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ char EVP_CIPHER_CTX_new (); int main (void) { return EVP_CIPHER_CTX_new (); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : ac_cv_lib_crypto_EVP_CIPHER_CTX_new=yes else $as_nop ac_cv_lib_crypto_EVP_CIPHER_CTX_new=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_EVP_CIPHER_CTX_new" >&5 printf "%s\n" "$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" >&6; } if test "x$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" = xyes then : OPENSSL_LIBFLAGS='-lcrypto' else $as_nop enable_openssl=no fi fi if test x$enable_openssl = xyes ; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking if openssl supports the functions used by nettle benchmark programs" >&5 printf %s "checking if openssl supports the functions used by nettle benchmark programs... " >&6; } save_LIBS="$LIBS" LIBS="$LIBS $OPENSSL_LIBFLAGS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include int main (void) { EVP_MD_CTX *cipher_ctx = EVP_CIPHER_CTX_new(); EVP_MD_CTX *md_ctx = EVP_MD_CTX_new(); EVP_PKEY *rsa_key = EVP_RSA_gen(2048); EVP_PKEY *ec_key = EVP_EC_gen("P-256"); int res = EVP_DigestSignFinal (md_ctx, NULL, NULL); ; return 0; } _ACEOF if ac_fn_c_try_link "$LINENO" then : { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: yes" >&5 printf "%s\n" "yes" >&6; } printf "%s\n" "#define WITH_OPENSSL 1" >>confdefs.h else $as_nop { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: no" >&5 printf "%s\n" "no" >&6; } enable_openssl=no fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext conftest.$ac_ext LIBS=$save_LIBS fi # clock_gettime is in librt on *-*-osf5.1 and on glibc, so add -lrt to # BENCH_LIBS if needed. On linux (tested on x86_32, 2.6.26), # clock_getres reports ns accuracy, while in a quick test on osf # clock_getres said only 1 millisecond. old_LIBS="$LIBS" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for library containing clock_gettime" >&5 printf %s "checking for library containing clock_gettime... " >&6; } if test ${ac_cv_search_clock_gettime+y} then : printf %s "(cached) " >&6 else $as_nop ac_func_search_save_LIBS=$LIBS cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ /* Override any GCC internal prototype to avoid an error. Use char because int might match the return type of a GCC builtin and then its argument prototype would still apply. */ char clock_gettime (); int main (void) { return clock_gettime (); ; return 0; } _ACEOF for ac_lib in '' rt do if test -z "$ac_lib"; then ac_res="none required" else ac_res=-l$ac_lib LIBS="-l$ac_lib $ac_func_search_save_LIBS" fi if ac_fn_c_try_link "$LINENO" then : ac_cv_search_clock_gettime=$ac_res fi rm -f core conftest.err conftest.$ac_objext conftest.beam \ conftest$ac_exeext if test ${ac_cv_search_clock_gettime+y} then : break fi done if test ${ac_cv_search_clock_gettime+y} then : else $as_nop ac_cv_search_clock_gettime=no fi rm conftest.$ac_ext LIBS=$ac_func_search_save_LIBS fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_clock_gettime" >&5 printf "%s\n" "$ac_cv_search_clock_gettime" >&6; } ac_res=$ac_cv_search_clock_gettime if test "$ac_res" != no then : test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" printf "%s\n" "#define HAVE_CLOCK_GETTIME 1" >>confdefs.h fi BENCH_LIBS="$LIBS" LIBS="$old_LIBS" # Set these flags *last*, or else the test programs won't compile if test x$GCC = xyes ; then CFLAGS="$CFLAGS -ggdb3 -Wall -W -Wno-sign-compare \ -Wmissing-prototypes -Wmissing-declarations -Wstrict-prototypes \ -Wpointer-arith -Wbad-function-cast -Wnested-externs" # Don't enable -Wcast-align as it results in tons of warnings in the # DES code. And when using stdio. # Don't enable -Waggregate-return, as that causes warnings for glibc # inttypes.h. fi ac_config_files="$ac_config_files config.make config.m4 Makefile version.h" ac_config_files="$ac_config_files tools/Makefile testsuite/Makefile examples/Makefile" ac_config_files="$ac_config_files nettle.pc hogweed.pc libnettle.map libhogweed.map" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure # tests run on this system so they can be shared between configure # scripts and configure runs, see configure's option --config-cache. # It is not useful on other systems. If it contains results you don't # want to keep, you may remove or edit it. # # config.status only pays attention to the cache file if you give it # the --recheck option to rerun configure. # # `ac_cv_env_foo' variables (set or unset) will be overridden when # loading this file, other *unset* `ac_cv_foo' will be assigned the # following values. _ACEOF # The following way of writing the cache mishandles newlines in values, # but we know of no workaround that is simple, portable, and efficient. # So, we kill variables containing newlines. # Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 printf "%s\n" "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # `set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # `set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test ${\1+y} || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 printf "%s\n" "$as_me: updating cache $cache_file" >&6;} if test ! -f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { printf "%s\n" "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 printf "%s\n" "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' DEFS=-DHAVE_CONFIG_H ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`printf "%s\n" "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 printf "%s\n" "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh as_nop=: if test ${ZSH_VERSION+y} && (emulate sh) >/dev/null 2>&1 then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else $as_nop case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi # Reset variables that may have inherited troublesome values from # the environment. # IFS needs to be set, to space, tab, and newline, in precisely that order. # (If _AS_PATH_WALK were called with IFS unset, it would have the # side effect of setting IFS to empty, thus disabling word splitting.) # Quoting is to prevent editors from complaining about space-tab. as_nl=' ' export as_nl IFS=" "" $as_nl" PS1='$ ' PS2='> ' PS4='+ ' # Ensure predictable behavior from utilities with locale-dependent output. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # We cannot yet rely on "unset" to work, but we need these variables # to be unset--not just set to an empty or harmless value--now, to # avoid bugs in old shells (e.g. pre-3.0 UWIN ksh). This construct # also avoids known problems related to "unset" and subshell syntax # in other old shells (e.g. bash 2.01 and pdksh 5.2.14). for as_var in BASH_ENV ENV MAIL MAILPATH CDPATH do eval test \${$as_var+y} \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done # Ensure that fds 0, 1, and 2 are open. if (exec 3>&0) 2>/dev/null; then :; else exec 0&1) 2>/dev/null; then :; else exec 1>/dev/null; fi if (exec 3>&2) ; then :; else exec 2>/dev/null; fi # The user is always right. if ${PATH_SEPARATOR+false} :; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS case $as_dir in #((( '') as_dir=./ ;; */) ;; *) as_dir=$as_dir/ ;; esac test -r "$as_dir$0" && as_myself=$as_dir$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then printf "%s\n" "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack printf "%s\n" "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi printf "%s\n" "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null then : eval 'as_fn_append () { eval $1+=\$2 }' else $as_nop as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null then : eval 'as_fn_arith () { as_val=$(( $* )) }' else $as_nop as_fn_arith () { as_val=`expr "$@" || test $? -eq 1` } fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits # Determine whether it's possible to make 'echo' print without a newline. # These variables are no longer used directly by Autoconf, but are AC_SUBSTed # for compatibility with existing Makefiles. ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac # For backward compatibility with old third-party macros, we provide # the shell variables $as_echo and $as_echo_n. New code should use # AS_ECHO(["message"]) and AS_ECHO_N(["message"]), respectively. as_echo='printf %s\n' as_echo_n='printf %s' rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -pR'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -pR' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -pR' fi else as_ln_s='cp -pR' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`printf "%s\n" "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi # as_fn_executable_p FILE # ----------------------- # Test if FILE is an executable regular file. as_fn_executable_p () { test -f "$1" && test -x "$1" } # as_fn_executable_p as_test_x='test -x' as_executable_p=as_fn_executable_p # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" This file was extended by nettle $as_me 3.10, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac case $ac_config_headers in *" "*) set x $ac_config_headers; shift; ac_config_headers=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" config_headers="$ac_config_headers" config_links="$ac_config_links" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ \`$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE --header=FILE[:TEMPLATE] instantiate the configuration header FILE Configuration files: $config_files Configuration headers: $config_headers Configuration links: $config_links Report bugs to ." _ACEOF ac_cs_config=`printf "%s\n" "$ac_configure_args" | sed "$ac_safe_unquote"` ac_cs_config_escaped=`printf "%s\n" "$ac_cs_config" | sed "s/^ //; s/'/'\\\\\\\\''/g"` cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ nettle config.status 3.10 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" Copyright (C) 2021 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' MKDIR_P='$MKDIR_P' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) printf "%s\n" "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) printf "%s\n" "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`printf "%s\n" "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --header | --heade | --head | --hea ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`printf "%s\n" "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; esac as_fn_append CONFIG_HEADERS " '$ac_optarg'" ac_need_defaults=false;; --he | --h) # Conflict between --help and --header as_fn_error $? "ambiguous option: \`$1' Try \`$0 --help' for more information.";; --help | --hel | -h ) printf "%s\n" "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: \`$1' Try \`$0 --help' for more information." ;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \printf "%s\n" "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX printf "%s\n" "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; "$tmp_f") CONFIG_LINKS="$CONFIG_LINKS $tmp_f:$asm_dir/$tmp_f" ;; "$tmp_n") CONFIG_LINKS="$CONFIG_LINKS $tmp_n:$asm_dir/$tmp_n" ;; "$tmp_h") CONFIG_LINKS="$CONFIG_LINKS $tmp_h:$asm_dir/$tmp_h" ;; "config.make") CONFIG_FILES="$CONFIG_FILES config.make" ;; "config.m4") CONFIG_FILES="$CONFIG_FILES config.m4" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "version.h") CONFIG_FILES="$CONFIG_FILES version.h" ;; "tools/Makefile") CONFIG_FILES="$CONFIG_FILES tools/Makefile" ;; "testsuite/Makefile") CONFIG_FILES="$CONFIG_FILES testsuite/Makefile" ;; "examples/Makefile") CONFIG_FILES="$CONFIG_FILES examples/Makefile" ;; "nettle.pc") CONFIG_FILES="$CONFIG_FILES nettle.pc" ;; "hogweed.pc") CONFIG_FILES="$CONFIG_FILES hogweed.pc" ;; "libnettle.map") CONFIG_FILES="$CONFIG_FILES libnettle.map" ;; "libhogweed.map") CONFIG_FILES="$CONFIG_FILES libhogweed.map" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test ${CONFIG_FILES+y} || CONFIG_FILES=$config_files test ${CONFIG_HEADERS+y} || CONFIG_HEADERS=$config_headers test ${CONFIG_LINKS+y} || CONFIG_LINKS=$config_links fi # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. # Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to `$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with `./config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" # Set up the scripts for CONFIG_HEADERS section. # No need to generate them if there are no CONFIG_HEADERS. # This happens for instance with `./config.status Makefile'. if test -n "$CONFIG_HEADERS"; then cat >"$ac_tmp/defines.awk" <<\_ACAWK || BEGIN { _ACEOF # Transform confdefs.h into an awk script `defines.awk', embedded as # here-document in config.status, that substitutes the proper values into # config.h.in to produce config.h. # Create a delimiter string that does not exist in confdefs.h, to ease # handling of long lines. ac_delim='%!_!# ' for ac_last_try in false false :; do ac_tt=`sed -n "/$ac_delim/p" confdefs.h` if test -z "$ac_tt"; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! " fi done # For the awk script, D is an array of macro values keyed by name, # likewise P contains macro parameters if any. Preserve backslash # newline sequences. ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* sed -n ' s/.\{148\}/&'"$ac_delim"'/g t rset :rset s/^[ ]*#[ ]*define[ ][ ]*/ / t def d :def s/\\$// t bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3"/p s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p d :bsnl s/["\\]/\\&/g s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ D["\1"]=" \3\\\\\\n"\\/p t cont s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p t cont d :cont n s/.\{148\}/&'"$ac_delim"'/g t clear :clear s/\\$// t bsnlc s/["\\]/\\&/g; s/^/"/; s/$/"/p d :bsnlc s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p b cont ' >$CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 for (key in D) D_is_set[key] = 1 FS = "" } /^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { line = \$ 0 split(line, arg, " ") if (arg[1] == "#") { defundef = arg[2] mac1 = arg[3] } else { defundef = substr(arg[1], 2) mac1 = arg[2] } split(mac1, mac2, "(") #) macro = mac2[1] prefix = substr(line, 1, index(line, defundef) - 1) if (D_is_set[macro]) { # Preserve the white space surrounding the "#". print prefix "define", macro P[macro] D[macro] next } else { # Replace #undef with comments. This is necessary, for example, # in the case of _POSIX_SOURCE, which is predefined and required # on some systems where configure will not decide to define it. if (defundef == "undef") { print "/*", prefix defundef, macro, "*/" next } } } { print } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 fi # test -n "$CONFIG_HEADERS" eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :L $CONFIG_LINKS " shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain `:'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`printf "%s\n" "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` printf "%s\n" "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 printf "%s\n" "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`printf "%s\n" "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || printf "%s\n" X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`printf "%s\n" "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`printf "%s\n" "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac ac_MKDIR_P=$MKDIR_P case $MKDIR_P in [\\/$]* | ?:[\\/]* ) ;; */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 printf "%s\n" "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when `$srcdir' = `.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t s&@MKDIR_P@&$ac_MKDIR_P&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&5 printf "%s\n" "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; :H) # # CONFIG_HEADER # if test x"$ac_file" != x-; then { printf "%s\n" "/* $configure_input */" >&1 \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" } >"$ac_tmp/config.h" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 printf "%s\n" "$as_me: $ac_file is unchanged" >&6;} else rm -f "$ac_file" mv "$ac_tmp/config.h" "$ac_file" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 fi else printf "%s\n" "/* $configure_input */" >&1 \ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ || as_fn_error $? "could not create -" "$LINENO" 5 fi ;; :L) # # CONFIG_LINK # if test "$ac_source" = "$ac_file" && test "$srcdir" = '.'; then : else # Prefer the file from the source tree if names are identical. if test "$ac_source" = "$ac_file" || test ! -r "$ac_source"; then ac_source=$srcdir/$ac_source fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: linking $ac_source to $ac_file" >&5 printf "%s\n" "$as_me: linking $ac_source to $ac_file" >&6;} if test ! -r "$ac_source"; then as_fn_error $? "$ac_source: file not found" "$LINENO" 5 fi rm -f "$ac_file" # Try a relative symlink, then a hard link, then a copy. case $ac_source in [\\/$]* | ?:[\\/]* ) ac_rel_source=$ac_source ;; *) ac_rel_source=$ac_top_build_prefix$ac_source ;; esac ln -s "$ac_rel_source" "$ac_file" 2>/dev/null || ln "$ac_source" "$ac_file" 2>/dev/null || cp -p "$ac_source" "$ac_file" || as_fn_error $? "cannot link or copy $ac_source to $ac_file" "$LINENO" 5 fi ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. # Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { printf "%s\n" "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 printf "%s\n" "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi { printf "%s\n" "$as_me:${as_lineno-$LINENO}: summary of build options: Version: ${PACKAGE_STRING} Host type: ${host} ABI: ${ABI} Assembly files: ${asm_path:-none} Install prefix: ${prefix} Library directory: ${libdir} Compiler: ${CC} Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} " >&5 printf "%s\n" "$as_me: summary of build options: Version: ${PACKAGE_STRING} Host type: ${host} ABI: ${ABI} Assembly files: ${asm_path:-none} Install prefix: ${prefix} Library directory: ${libdir} Compiler: ${CC} Static libraries: ${enable_static} Shared libraries: ${enable_shared} Public key crypto: ${enable_public_key} Using mini-gmp: ${enable_mini_gmp} Documentation: ${enable_documentation} " >&6;} nettle-3.10/config.m4.in0000644000175000017500000000131114633602172014070 0ustar nissenissedefine(`srcdir', ``@srcdir@'')dnl define(`SYMBOL_PREFIX', `@ASM_SYMBOL_PREFIX@'`$1')dnl define(`ELF_STYLE', `@ASM_ELF_STYLE@')dnl define(`COFF_STYLE', `@ASM_COFF_STYLE@')dnl define(`TYPE_FUNCTION', `@ASM_TYPE_FUNCTION@')dnl define(`TYPE_PROGBITS', `@ASM_TYPE_PROGBITS@')dnl define(`ALIGN_LOG', `@ASM_ALIGN_LOG@')dnl define(`ELFV2_ABI', `@ELFV2_ABI@')dnl define(`W64_ABI', `@W64_ABI@')dnl define(`RODATA', `@ASM_RODATA@')dnl define(`WORDS_BIGENDIAN', `@ASM_WORDS_BIGENDIAN@')dnl define(`ASM_X86_ENDBR',`@ASM_X86_ENDBR@')dnl define(`ASM_X86_MARK_CET_ALIGN',`@ASM_X86_MARK_CET_ALIGN@')dnl define(`ASM_PPC_WANT_R_REGISTERS',`@ASM_PPC_WANT_R_REGISTERS@')dnl divert(1) @ASM_X86_MARK_CET@ @ASM_MARK_NOEXEC_STACK@ divert nettle-3.10/ecc-nonsec-add-jjj.c0000644000175000017500000001152614633602171015446 0ustar nissenisse/* ecc-non-sec-add-jjj.c Copyright (C) 2013, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Similar to ecc_add_jjj, but checks if x coordinates are equal (H = 0) below, and if so, performs doubling if also y coordinates are equal, or returns 0 (failure) indicating that the result is the infinity point. */ int ecc_nonsec_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define z2 (q + 2*ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl: Computation Operation Live variables Z1Z1 = Z1^2 sqr Z1Z1 Z2Z2 = Z2^2 sqr Z1Z1, Z2Z2 U1 = X1*Z2Z2 mul Z1Z1, Z2Z2, U1 U2 = X2*Z1Z1 mul Z1Z1, Z2Z2, U1, U2 H = U2-U1 Z1Z1, Z2Z2, U1, H Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H sqr, mul Z1Z1, Z2Z2, U1, H S1 = Y1*Z2*Z2Z2 mul, mul Z1Z1, U1, H, S1 S2 = Y2*Z1*Z1Z1 mul, mul U1, H, S1, S2 W = 2*(S2-S1) (djb: r) U1, H, S1, W I = (2*H)^2 sqr U1, H, S1, W, I J = H*I mul U1, S1, W, J, V V = U1*I mul S1, W, J, V X3 = W^2-J-2*V sqr S1, W, J, V Y3 = W*(V-X3)-2*S1*J mul, mul */ #define h scratch #define z1z1 (scratch + ecc->p.size) #define z2z2 z1z1 #define z1z2 (scratch + 2*ecc->p.size) #define w (scratch + ecc->p.size) #define i (scratch + 2*ecc->p.size) #define j h #define v i #define tp (scratch + 3*ecc->p.size) ecc_mod_sqr (&ecc->p, z2z2, z2, tp); /* z2z2 */ /* Store u1 at x3 */ ecc_mod_mul (&ecc->p, x3, x1, z2z2, tp); /* z2z2 */ ecc_mod_add (&ecc->p, z1z2, z1, z2); /* z2z2, z1z2 */ ecc_mod_sqr (&ecc->p, z1z2, z1z2, tp); ecc_mod_sub (&ecc->p, z1z2, z1z2, z2z2); /* z2z2, z1z2 */ /* Do s1 early, store at y3 */ ecc_mod_mul (&ecc->p, z2z2, z2z2, z2, tp); /* z2z2, z1z2 */ ecc_mod_mul (&ecc->p, y3, z2z2, y1, tp); /* z1z2 */ ecc_mod_sqr (&ecc->p, z1z1, z1, tp); /* z1z1, z1z2 */ ecc_mod_sub (&ecc->p, z1z2, z1z2, z1z1); ecc_mod_mul (&ecc->p, h, x2, z1z1, tp); /* z1z1, z1z2, h */ ecc_mod_sub (&ecc->p, h, h, x3); /* z1^3 */ ecc_mod_mul (&ecc->p, z1z1, z1z1, z1, tp); /* z3 <-- h z1 z2 delayed until now, since that may clobber z1. */ ecc_mod_mul (&ecc->p, z3, z1z2, h, tp); /* z1z1, h */ /* w = 2 (s2 - s1) */ ecc_mod_mul (&ecc->p, w, z1z1, y2, tp); /* h, w */ ecc_mod_sub (&ecc->p, w, w, y3); /* Note that use of ecc_mod_zero_p depends 0 <= h,w < 2p. */ if (ecc_mod_zero_p (&ecc->p, h)) { /* X1 == X2 */ if (ecc_mod_zero_p (&ecc->p, w)) { /* Y1 == Y2. Do point duplication. Note that q input is unclobbered, and that scratch need is smaller. Implies some unnecessary recomputation, but performance it not so important for this very unlikely corner case. */ ecc_dup_jj (ecc, r, q, scratch); return 1; } /* We must have Y1 == -Y2, and then the result is the infinity point, */ mpn_zero (r, 3*ecc->p.size); return 0; } ecc_mod_add (&ecc->p, w, w, w); /* i = (2h)^2 */ ecc_mod_add (&ecc->p, i, h, h); /* h, w, i */ ecc_mod_sqr (&ecc->p, i, i, tp); /* j and h can overlap */ ecc_mod_mul (&ecc->p, j, h, i, tp); /* j, w, i */ /* v and i can overlap */ ecc_mod_mul (&ecc->p, v, x3, i, tp); /* j, w, v */ /* x3 <-- w^2 - j - 2v */ ecc_mod_sqr (&ecc->p, x3, w, tp); ecc_mod_sub (&ecc->p, x3, x3, j); ecc_mod_submul_1 (&ecc->p, x3, v, 2); /* y3 <-- w (v - x3) - 2 s1 j */ ecc_mod_mul (&ecc->p, j, j, y3, tp); ecc_mod_sub (&ecc->p, v, v, x3); ecc_mod_mul (&ecc->p, y3, v, w, tp); ecc_mod_submul_1 (&ecc->p, y3, j, 2); return 1; } nettle-3.10/pkcs1.c0000644000175000017500000000344414633602171013151 0ustar nissenisse/* pkcs1.c PKCS1 embedding. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "pkcs1.h" #include "hogweed-internal.h" /* Formats the PKCS#1 padding, of the form * * 0x00 0x01 0xff ... 0xff 0x00 id ...digest... * * where the 0xff ... 0xff part consists of at least 8 octets. The * total size equals the octet size of n. */ uint8_t * _pkcs1_signature_prefix(unsigned key_size, uint8_t *buffer, unsigned id_size, const uint8_t *id, unsigned digest_size) { unsigned j; if (key_size < 11 + id_size + digest_size) return NULL; j = key_size - digest_size - id_size; memcpy (buffer + j, id, id_size); buffer[0] = 0; buffer[1] = 1; buffer[j-1] = 0; assert(j >= 11); memset(buffer + 2, 0xff, j - 3); return buffer + j + id_size; } nettle-3.10/ed448-shake256.c0000644000175000017500000000311114633602172014276 0ustar nissenisse/* ed448-shake256.c Copyright (C) 2019 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa-internal.h" #include "nettle-types.h" #include "sha3.h" #define DOM_SIZE 10 static nettle_eddsa_dom_func ed448_dom; static void ed448_dom(void *ctx) { static const uint8_t dom[DOM_SIZE] = { 'S', 'i', 'g', 'E', 'd', '4', '4', '8', 0, 0}; sha3_256_update (ctx, DOM_SIZE, dom); } const struct ecc_eddsa _nettle_ed448_shake256 = { (nettle_hash_update_func *) sha3_256_update, (nettle_hash_digest_func *) sha3_256_shake, ed448_dom, ~(mp_limb_t) 3, (mp_limb_t) 1 << (447 % GMP_NUMB_BITS), }; nettle-3.10/memxor-internal.h0000644000175000017500000000422714633602172015257 0ustar nissenisse/* memxor-internal.h Copyright (C) 2010, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MEMXOR_INTERNAL_H_INCLUDED #define NETTLE_MEMXOR_INTERNAL_H_INCLUDED #include "nettle-types.h" /* The word_t type is intended to be the native word size. */ #if defined(__x86_64__) || defined(__arch64__) /* Including on M$ windows, where unsigned long is only 32 bits */ typedef uint64_t word_t; #else typedef unsigned long int word_t; #endif #define ALIGN_OFFSET(p) ((uintptr_t) (p) % sizeof(word_t)) #ifndef WORDS_BIGENDIAN #define MERGE(w0, sh_1, w1, sh_2) \ (((w0) >> (sh_1)) | ((w1) << (sh_2))) #else #define MERGE(w0, sh_1, w1, sh_2) \ (((w0) << (sh_1)) | ((w1) >> (sh_2))) #endif #ifndef WORDS_BIGENDIAN #define READ_PARTIAL(r,p,n) do { \ word_t _rp_x; \ unsigned _rp_i; \ for (_rp_i = (n), _rp_x = (p)[--_rp_i]; _rp_i > 0;) \ _rp_x = (_rp_x << CHAR_BIT) | (p)[--_rp_i]; \ (r) = _rp_x; \ } while (0) #else #define READ_PARTIAL(r,p,n) do { \ word_t _rp_x; \ unsigned _rp_i; \ for (_rp_x = (p)[0], _rp_i = 1; _rp_i < (n); _rp_i++) \ _rp_x = (_rp_x << CHAR_BIT) | (p)[_rp_i]; \ (r) = _rp_x; \ } while (0) #endif #endif /* NETTLE_MEMXOR_INTERNAL_H_INCLUDED */ nettle-3.10/eddsa-pubkey.c0000644000175000017500000000314414633602172014503 0ustar nissenisse/* eddsa-pubkey.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" mp_size_t _eddsa_public_key_itch (const struct ecc_curve *ecc) { assert (ecc->mul_g_itch <= _eddsa_compress_itch (ecc)); return 3*ecc->p.size + _eddsa_compress_itch (ecc); } void _eddsa_public_key (const struct ecc_curve *ecc, const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch) { #define P scratch #define scratch_out (scratch + 3*ecc->p.size) ecc->mul_g (ecc, P, k, scratch_out); _eddsa_compress (ecc, pub, P, scratch_out); #undef P #undef scratch_out } nettle-3.10/rsa-sha512-sign.c0000644000175000017500000000341414633602171014651 0ustar nissenisse/* rsa-sha512-sign.c Signatures using RSA and SHA512. Copyright (C) 2001, 2003, 2006, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha512_sign(const struct rsa_private_key *key, struct sha512_ctx *hash, mpz_t s) { if (pkcs1_rsa_sha512_encode(s, key->size, hash)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } int rsa_sha512_sign_digest(const struct rsa_private_key *key, const uint8_t *digest, mpz_t s) { if (pkcs1_rsa_sha512_encode_digest(s, key->size, digest)) { rsa_compute_root(key, s, s); return 1; } else { mpz_set_ui(s, 0); return 0; } } nettle-3.10/umac32.c0000644000175000017500000000712414633602171013221 0ustar nissenisse/* umac32.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key) { _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 1); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_low = 0; ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac32_set_nonce (struct umac32_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_low = ctx->nonce[nonce_length - 1] & 3; ctx->nonce[nonce_length - 1] &= ~3; ctx->nonce_length = nonce_length; } #define UMAC32_BLOCK(ctx, block) do { \ uint64_t __umac32_y \ = _nettle_umac_nh (ctx->l1_key, UMAC_BLOCK_SIZE, block) \ + 8*UMAC_BLOCK_SIZE ; \ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &__umac32_y); \ } while (0) void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC32_BLOCK, (void)0); } void umac32_digest (struct umac32_ctx *ctx, size_t length, uint8_t *digest) { uint32_t pad; assert (length > 0); assert (length <= 4); if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); y = _nettle_umac_nh (ctx->l1_key, ctx->index + pad, ctx->block) + 8 * ctx->index; _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 1, ctx->count++, &y); } assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } pad = ctx->pad_cache[ctx->nonce_low & 3]; /* Increment nonce */ ctx->nonce_low++; if ( !(ctx->nonce_low & 3)) { unsigned i = ctx->nonce_length - 1; ctx->nonce_low = 0; ctx->nonce[i] += 4; if (ctx->nonce[i] == 0 && i > 0) INCREMENT (i, ctx->nonce); } _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 1, ctx->count); pad ^= ctx->l3_key2[0] ^ _nettle_umac_l3 (ctx->l3_key1, ctx->l2_state); memcpy (digest, &pad, length); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-3.10/balloon.c0000644000175000017500000001015414633602171013552 0ustar nissenisse/* balloon.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* For a description of the algorithm, see: * Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: * A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. * Retrieved Sep 1, 2022, from https://eprint.iacr.org/2016/027.pdf */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "balloon.h" #include "macros.h" #define DELTA 3 static void hash(void *ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, uint64_t cnt, size_t a_len, const uint8_t *a, size_t b_len, const uint8_t *b, uint8_t *dst) { uint8_t tmp[8]; LE_WRITE_UINT64(tmp, cnt); update(ctx, sizeof(tmp), tmp); if (a && a_len) update(ctx, a_len, a); if (b && b_len) update(ctx, b_len, b); digest(ctx, digest_size, dst); } static void hash_ints(void *ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, uint64_t i, uint64_t j, uint64_t k, uint8_t *dst) { uint8_t tmp[24]; LE_WRITE_UINT64(tmp, i); LE_WRITE_UINT64(tmp + 8, j); LE_WRITE_UINT64(tmp + 16, k); update(ctx, sizeof(tmp), tmp); digest(ctx, digest_size, dst); } /* Takes length bytes long big number stored * in little endian format and computes modulus */ static size_t block_to_int(size_t length, const uint8_t *block, size_t mod) { size_t i = length, r = 0; while (i--) { r = (r << 8) + block[i]; r %= mod; } return r; } void balloon(void *hash_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { const size_t BS = digest_size; uint8_t *block = scratch; uint8_t *buf = scratch + BS; size_t i, j, k, cnt = 0; hash(hash_ctx, update, digest, digest_size, cnt++, passwd_length, passwd, salt_length, salt, buf); for (i = 1; i < s_cost; ++i) hash(hash_ctx, update, digest, digest_size, cnt++, BS, buf + (i - 1) * BS, 0, NULL, buf + i * BS); for (i = 0; i < t_cost; ++i) { for (j = 0; j < s_cost; ++j) { hash(hash_ctx, update, digest, digest_size, cnt++, BS, buf + (j ? j - 1 : s_cost - 1) * BS, BS, buf + j * BS, buf + j * BS); for (k = 0; k < DELTA; ++k) { hash_ints(hash_ctx, update, digest, digest_size, i, j, k, block); hash(hash_ctx, update, digest, digest_size, cnt++, salt_length, salt, BS, block, block); hash(hash_ctx, update, digest, digest_size, cnt++, BS, buf + j * BS, BS, buf + block_to_int(BS, block, s_cost) * BS, buf + j * BS); } } } memcpy(dst, buf + (s_cost - 1) * BS, BS); } size_t balloon_itch(size_t digest_size, size_t s_cost) { return (s_cost + 1) * digest_size; } nettle-3.10/getopt.h0000644000175000017500000001476414633602172013447 0ustar nissenisse/* Declarations for getopt. Copyright (C) 1989-2014 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ #ifndef _GETOPT_H #ifndef __need_getopt # define _GETOPT_H 1 #endif /* If __GNU_LIBRARY__ is not already defined, either we are being used standalone, or this is the first header included in the source file. If we are being used with glibc, we need to include , but that does not exist if we are standalone. So: if __GNU_LIBRARY__ is not defined, include , which will pull in for us if it's from glibc. (Why ctype.h? It's guaranteed to exist and it doesn't flood the namespace with stuff the way some other headers do.) */ #if !defined __GNU_LIBRARY__ # include #endif #ifndef __THROW # ifndef __GNUC_PREREQ # define __GNUC_PREREQ(maj, min) (0) # endif # if defined __cplusplus && __GNUC_PREREQ (2,8) # define __THROW throw () # else # define __THROW # endif #endif #ifdef __cplusplus extern "C" { #endif /* For communication from `getopt' to the caller. When `getopt' finds an option that takes an argument, the argument value is returned here. Also, when `ordering' is RETURN_IN_ORDER, each non-option ARGV-element is returned here. */ extern char *optarg; /* Index in ARGV of the next element to be scanned. This is used for communication to and from the caller and for communication between successive calls to `getopt'. On entry to `getopt', zero means this is the first call; initialize. When `getopt' returns -1, this is the index of the first of the non-option elements that the caller should itself scan. Otherwise, `optind' communicates from one call to the next how much of ARGV has been scanned so far. */ extern int optind; /* Callers store zero here to inhibit the error message `getopt' prints for unrecognized options. */ extern int opterr; /* Set to an option character which was unrecognized. */ extern int optopt; #ifndef __need_getopt /* Describe the long-named options requested by the application. The LONG_OPTIONS argument to getopt_long or getopt_long_only is a vector of `struct option' terminated by an element containing a name which is zero. The field `has_arg' is: no_argument (or 0) if the option does not take an argument, required_argument (or 1) if the option requires an argument, optional_argument (or 2) if the option takes an optional argument. If the field `flag' is not NULL, it points to a variable that is set to the value given in the field `val' when the option is found, but left unchanged if the option is not found. To have a long-named option do something other than set an `int' to a compiled-in constant, such as set a value from `optarg', set the option's `flag' field to zero and its `val' field to a nonzero value (the equivalent single-letter option character, if there is one). For long options that have a zero `flag' field, `getopt' returns the contents of the `val' field. */ struct option { const char *name; /* has_arg can't be an enum because some compilers complain about type mismatches in all the code that assumes it is an int. */ int has_arg; int *flag; int val; }; /* Names for the values of the `has_arg' field of `struct option'. */ # define no_argument 0 # define required_argument 1 # define optional_argument 2 #endif /* need getopt */ /* Get definitions and prototypes for functions to process the arguments in ARGV (ARGC of them, minus the program name) for options given in OPTS. Return the option character from OPTS just read. Return -1 when there are no more options. For unrecognized options, or options missing arguments, `optopt' is set to the option letter, and '?' is returned. The OPTS string is a list of characters which are recognized option letters, optionally followed by colons, specifying that that letter takes an argument, to be placed in `optarg'. If a letter in OPTS is followed by two colons, its argument is optional. This behavior is specific to the GNU `getopt'. The argument `--' causes premature termination of argument scanning, explicitly telling `getopt' that there are no more options. If OPTS begins with `--', then non-option arguments are treated as arguments to the option '\0'. This behavior is specific to the GNU `getopt'. */ #ifdef __GNU_LIBRARY__ /* Many other libraries have conflicting prototypes for getopt, with differences in the consts, in stdlib.h. To avoid compilation errors, only prototype getopt for the GNU C library. */ extern int getopt (int ___argc, char *const *___argv, const char *__shortopts) __THROW; # if defined __need_getopt && defined __USE_POSIX2 \ && !defined __USE_POSIX_IMPLICITLY && !defined __USE_GNU /* The GNU getopt has more functionality than the standard version. The additional functionality can be disable at runtime. This redirection helps to also do this at runtime. */ # ifdef __REDIRECT extern int __REDIRECT_NTH (getopt, (int ___argc, char *const *___argv, const char *__shortopts), __posix_getopt); # else extern int __posix_getopt (int ___argc, char *const *___argv, const char *__shortopts) __THROW; # define getopt __posix_getopt # endif # endif #else /* not __GNU_LIBRARY__ */ extern int getopt (); #endif /* __GNU_LIBRARY__ */ #ifndef __need_getopt extern int getopt_long (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind) __THROW; extern int getopt_long_only (int ___argc, char *const *___argv, const char *__shortopts, const struct option *__longopts, int *__longind) __THROW; #endif #ifdef __cplusplus } #endif /* Make sure we later can get all the definitions and declarations. */ #undef __need_getopt #endif /* getopt.h */ nettle-3.10/aes-decrypt-table.c0000644000175000017500000003462114633602171015436 0ustar nissenisse/* aes-decrypt-table.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" const struct aes_table _nettle_aes_decrypt_table = { /* isbox */ { 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38, 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb, 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87, 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb, 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d, 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e, 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2, 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25, 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16, 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92, 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda, 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84, 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a, 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06, 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02, 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b, 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea, 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73, 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85, 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e, 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89, 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b, 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20, 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4, 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31, 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f, 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d, 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef, 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0, 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61, 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26, 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d, }, { /* itable */ { 0x50a7f451,0x5365417e,0xc3a4171a,0x965e273a, 0xcb6bab3b,0xf1459d1f,0xab58faac,0x9303e34b, 0x55fa3020,0xf66d76ad,0x9176cc88,0x254c02f5, 0xfcd7e54f,0xd7cb2ac5,0x80443526,0x8fa362b5, 0x495ab1de,0x671bba25,0x980eea45,0xe1c0fe5d, 0x02752fc3,0x12f04c81,0xa397468d,0xc6f9d36b, 0xe75f8f03,0x959c9215,0xeb7a6dbf,0xda595295, 0x2d83bed4,0xd3217458,0x2969e049,0x44c8c98e, 0x6a89c275,0x78798ef4,0x6b3e5899,0xdd71b927, 0xb64fe1be,0x17ad88f0,0x66ac20c9,0xb43ace7d, 0x184adf63,0x82311ae5,0x60335197,0x457f5362, 0xe07764b1,0x84ae6bbb,0x1ca081fe,0x942b08f9, 0x58684870,0x19fd458f,0x876cde94,0xb7f87b52, 0x23d373ab,0xe2024b72,0x578f1fe3,0x2aab5566, 0x0728ebb2,0x03c2b52f,0x9a7bc586,0xa50837d3, 0xf2872830,0xb2a5bf23,0xba6a0302,0x5c8216ed, 0x2b1ccf8a,0x92b479a7,0xf0f207f3,0xa1e2694e, 0xcdf4da65,0xd5be0506,0x1f6234d1,0x8afea6c4, 0x9d532e34,0xa055f3a2,0x32e18a05,0x75ebf6a4, 0x39ec830b,0xaaef6040,0x069f715e,0x51106ebd, 0xf98a213e,0x3d06dd96,0xae053edd,0x46bde64d, 0xb58d5491,0x055dc471,0x6fd40604,0xff155060, 0x24fb9819,0x97e9bdd6,0xcc434089,0x779ed967, 0xbd42e8b0,0x888b8907,0x385b19e7,0xdbeec879, 0x470a7ca1,0xe90f427c,0xc91e84f8,0x00000000, 0x83868009,0x48ed2b32,0xac70111e,0x4e725a6c, 0xfbff0efd,0x5638850f,0x1ed5ae3d,0x27392d36, 0x64d90f0a,0x21a65c68,0xd1545b9b,0x3a2e3624, 0xb1670a0c,0x0fe75793,0xd296eeb4,0x9e919b1b, 0x4fc5c080,0xa220dc61,0x694b775a,0x161a121c, 0x0aba93e2,0xe52aa0c0,0x43e0223c,0x1d171b12, 0x0b0d090e,0xadc78bf2,0xb9a8b62d,0xc8a91e14, 0x8519f157,0x4c0775af,0xbbdd99ee,0xfd607fa3, 0x9f2601f7,0xbcf5725c,0xc53b6644,0x347efb5b, 0x7629438b,0xdcc623cb,0x68fcedb6,0x63f1e4b8, 0xcadc31d7,0x10856342,0x40229713,0x2011c684, 0x7d244a85,0xf83dbbd2,0x1132f9ae,0x6da129c7, 0x4b2f9e1d,0xf330b2dc,0xec52860d,0xd0e3c177, 0x6c16b32b,0x99b970a9,0xfa489411,0x2264e947, 0xc48cfca8,0x1a3ff0a0,0xd82c7d56,0xef903322, 0xc74e4987,0xc1d138d9,0xfea2ca8c,0x360bd498, 0xcf81f5a6,0x28de7aa5,0x268eb7da,0xa4bfad3f, 0xe49d3a2c,0x0d927850,0x9bcc5f6a,0x62467e54, 0xc2138df6,0xe8b8d890,0x5ef7392e,0xf5afc382, 0xbe805d9f,0x7c93d069,0xa92dd56f,0xb31225cf, 0x3b99acc8,0xa77d1810,0x6e639ce8,0x7bbb3bdb, 0x097826cd,0xf418596e,0x01b79aec,0xa89a4f83, 0x656e95e6,0x7ee6ffaa,0x08cfbc21,0xe6e815ef, 0xd99be7ba,0xce366f4a,0xd4099fea,0xd67cb029, 0xafb2a431,0x31233f2a,0x3094a5c6,0xc066a235, 0x37bc4e74,0xa6ca82fc,0xb0d090e0,0x15d8a733, 0x4a9804f1,0xf7daec41,0x0e50cd7f,0x2ff69117, 0x8dd64d76,0x4db0ef43,0x544daacc,0xdf0496e4, 0xe3b5d19e,0x1b886a4c,0xb81f2cc1,0x7f516546, 0x04ea5e9d,0x5d358c01,0x737487fa,0x2e410bfb, 0x5a1d67b3,0x52d2db92,0x335610e9,0x1347d66d, 0x8c61d79a,0x7a0ca137,0x8e14f859,0x893c13eb, 0xee27a9ce,0x35c961b7,0xede51ce1,0x3cb1477a, 0x59dfd29c,0x3f73f255,0x79ce1418,0xbf37c773, 0xeacdf753,0x5baafd5f,0x146f3ddf,0x86db4478, 0x81f3afca,0x3ec468b9,0x2c342438,0x5f40a3c2, 0x72c31d16,0x0c25e2bc,0x8b493c28,0x41950dff, 0x7101a839,0xdeb30c08,0x9ce4b4d8,0x90c15664, 0x6184cb7b,0x70b632d5,0x745c6c48,0x4257b8d0, }, #if !AES_SMALL { /* Before: itable[1] */ 0xa7f45150,0x65417e53,0xa4171ac3,0x5e273a96, 0x6bab3bcb,0x459d1ff1,0x58faacab,0x03e34b93, 0xfa302055,0x6d76adf6,0x76cc8891,0x4c02f525, 0xd7e54ffc,0xcb2ac5d7,0x44352680,0xa362b58f, 0x5ab1de49,0x1bba2567,0x0eea4598,0xc0fe5de1, 0x752fc302,0xf04c8112,0x97468da3,0xf9d36bc6, 0x5f8f03e7,0x9c921595,0x7a6dbfeb,0x595295da, 0x83bed42d,0x217458d3,0x69e04929,0xc8c98e44, 0x89c2756a,0x798ef478,0x3e58996b,0x71b927dd, 0x4fe1beb6,0xad88f017,0xac20c966,0x3ace7db4, 0x4adf6318,0x311ae582,0x33519760,0x7f536245, 0x7764b1e0,0xae6bbb84,0xa081fe1c,0x2b08f994, 0x68487058,0xfd458f19,0x6cde9487,0xf87b52b7, 0xd373ab23,0x024b72e2,0x8f1fe357,0xab55662a, 0x28ebb207,0xc2b52f03,0x7bc5869a,0x0837d3a5, 0x872830f2,0xa5bf23b2,0x6a0302ba,0x8216ed5c, 0x1ccf8a2b,0xb479a792,0xf207f3f0,0xe2694ea1, 0xf4da65cd,0xbe0506d5,0x6234d11f,0xfea6c48a, 0x532e349d,0x55f3a2a0,0xe18a0532,0xebf6a475, 0xec830b39,0xef6040aa,0x9f715e06,0x106ebd51, 0x8a213ef9,0x06dd963d,0x053eddae,0xbde64d46, 0x8d5491b5,0x5dc47105,0xd406046f,0x155060ff, 0xfb981924,0xe9bdd697,0x434089cc,0x9ed96777, 0x42e8b0bd,0x8b890788,0x5b19e738,0xeec879db, 0x0a7ca147,0x0f427ce9,0x1e84f8c9,0x00000000, 0x86800983,0xed2b3248,0x70111eac,0x725a6c4e, 0xff0efdfb,0x38850f56,0xd5ae3d1e,0x392d3627, 0xd90f0a64,0xa65c6821,0x545b9bd1,0x2e36243a, 0x670a0cb1,0xe757930f,0x96eeb4d2,0x919b1b9e, 0xc5c0804f,0x20dc61a2,0x4b775a69,0x1a121c16, 0xba93e20a,0x2aa0c0e5,0xe0223c43,0x171b121d, 0x0d090e0b,0xc78bf2ad,0xa8b62db9,0xa91e14c8, 0x19f15785,0x0775af4c,0xdd99eebb,0x607fa3fd, 0x2601f79f,0xf5725cbc,0x3b6644c5,0x7efb5b34, 0x29438b76,0xc623cbdc,0xfcedb668,0xf1e4b863, 0xdc31d7ca,0x85634210,0x22971340,0x11c68420, 0x244a857d,0x3dbbd2f8,0x32f9ae11,0xa129c76d, 0x2f9e1d4b,0x30b2dcf3,0x52860dec,0xe3c177d0, 0x16b32b6c,0xb970a999,0x489411fa,0x64e94722, 0x8cfca8c4,0x3ff0a01a,0x2c7d56d8,0x903322ef, 0x4e4987c7,0xd138d9c1,0xa2ca8cfe,0x0bd49836, 0x81f5a6cf,0xde7aa528,0x8eb7da26,0xbfad3fa4, 0x9d3a2ce4,0x9278500d,0xcc5f6a9b,0x467e5462, 0x138df6c2,0xb8d890e8,0xf7392e5e,0xafc382f5, 0x805d9fbe,0x93d0697c,0x2dd56fa9,0x1225cfb3, 0x99acc83b,0x7d1810a7,0x639ce86e,0xbb3bdb7b, 0x7826cd09,0x18596ef4,0xb79aec01,0x9a4f83a8, 0x6e95e665,0xe6ffaa7e,0xcfbc2108,0xe815efe6, 0x9be7bad9,0x366f4ace,0x099fead4,0x7cb029d6, 0xb2a431af,0x233f2a31,0x94a5c630,0x66a235c0, 0xbc4e7437,0xca82fca6,0xd090e0b0,0xd8a73315, 0x9804f14a,0xdaec41f7,0x50cd7f0e,0xf691172f, 0xd64d768d,0xb0ef434d,0x4daacc54,0x0496e4df, 0xb5d19ee3,0x886a4c1b,0x1f2cc1b8,0x5165467f, 0xea5e9d04,0x358c015d,0x7487fa73,0x410bfb2e, 0x1d67b35a,0xd2db9252,0x5610e933,0x47d66d13, 0x61d79a8c,0x0ca1377a,0x14f8598e,0x3c13eb89, 0x27a9ceee,0xc961b735,0xe51ce1ed,0xb1477a3c, 0xdfd29c59,0x73f2553f,0xce141879,0x37c773bf, 0xcdf753ea,0xaafd5f5b,0x6f3ddf14,0xdb447886, 0xf3afca81,0xc468b93e,0x3424382c,0x40a3c25f, 0xc31d1672,0x25e2bc0c,0x493c288b,0x950dff41, 0x01a83971,0xb30c08de,0xe4b4d89c,0xc1566490, 0x84cb7b61,0xb632d570,0x5c6c4874,0x57b8d042, },{ /* Before: itable[2] */ 0xf45150a7,0x417e5365,0x171ac3a4,0x273a965e, 0xab3bcb6b,0x9d1ff145,0xfaacab58,0xe34b9303, 0x302055fa,0x76adf66d,0xcc889176,0x02f5254c, 0xe54ffcd7,0x2ac5d7cb,0x35268044,0x62b58fa3, 0xb1de495a,0xba25671b,0xea45980e,0xfe5de1c0, 0x2fc30275,0x4c8112f0,0x468da397,0xd36bc6f9, 0x8f03e75f,0x9215959c,0x6dbfeb7a,0x5295da59, 0xbed42d83,0x7458d321,0xe0492969,0xc98e44c8, 0xc2756a89,0x8ef47879,0x58996b3e,0xb927dd71, 0xe1beb64f,0x88f017ad,0x20c966ac,0xce7db43a, 0xdf63184a,0x1ae58231,0x51976033,0x5362457f, 0x64b1e077,0x6bbb84ae,0x81fe1ca0,0x08f9942b, 0x48705868,0x458f19fd,0xde94876c,0x7b52b7f8, 0x73ab23d3,0x4b72e202,0x1fe3578f,0x55662aab, 0xebb20728,0xb52f03c2,0xc5869a7b,0x37d3a508, 0x2830f287,0xbf23b2a5,0x0302ba6a,0x16ed5c82, 0xcf8a2b1c,0x79a792b4,0x07f3f0f2,0x694ea1e2, 0xda65cdf4,0x0506d5be,0x34d11f62,0xa6c48afe, 0x2e349d53,0xf3a2a055,0x8a0532e1,0xf6a475eb, 0x830b39ec,0x6040aaef,0x715e069f,0x6ebd5110, 0x213ef98a,0xdd963d06,0x3eddae05,0xe64d46bd, 0x5491b58d,0xc471055d,0x06046fd4,0x5060ff15, 0x981924fb,0xbdd697e9,0x4089cc43,0xd967779e, 0xe8b0bd42,0x8907888b,0x19e7385b,0xc879dbee, 0x7ca1470a,0x427ce90f,0x84f8c91e,0x00000000, 0x80098386,0x2b3248ed,0x111eac70,0x5a6c4e72, 0x0efdfbff,0x850f5638,0xae3d1ed5,0x2d362739, 0x0f0a64d9,0x5c6821a6,0x5b9bd154,0x36243a2e, 0x0a0cb167,0x57930fe7,0xeeb4d296,0x9b1b9e91, 0xc0804fc5,0xdc61a220,0x775a694b,0x121c161a, 0x93e20aba,0xa0c0e52a,0x223c43e0,0x1b121d17, 0x090e0b0d,0x8bf2adc7,0xb62db9a8,0x1e14c8a9, 0xf1578519,0x75af4c07,0x99eebbdd,0x7fa3fd60, 0x01f79f26,0x725cbcf5,0x6644c53b,0xfb5b347e, 0x438b7629,0x23cbdcc6,0xedb668fc,0xe4b863f1, 0x31d7cadc,0x63421085,0x97134022,0xc6842011, 0x4a857d24,0xbbd2f83d,0xf9ae1132,0x29c76da1, 0x9e1d4b2f,0xb2dcf330,0x860dec52,0xc177d0e3, 0xb32b6c16,0x70a999b9,0x9411fa48,0xe9472264, 0xfca8c48c,0xf0a01a3f,0x7d56d82c,0x3322ef90, 0x4987c74e,0x38d9c1d1,0xca8cfea2,0xd498360b, 0xf5a6cf81,0x7aa528de,0xb7da268e,0xad3fa4bf, 0x3a2ce49d,0x78500d92,0x5f6a9bcc,0x7e546246, 0x8df6c213,0xd890e8b8,0x392e5ef7,0xc382f5af, 0x5d9fbe80,0xd0697c93,0xd56fa92d,0x25cfb312, 0xacc83b99,0x1810a77d,0x9ce86e63,0x3bdb7bbb, 0x26cd0978,0x596ef418,0x9aec01b7,0x4f83a89a, 0x95e6656e,0xffaa7ee6,0xbc2108cf,0x15efe6e8, 0xe7bad99b,0x6f4ace36,0x9fead409,0xb029d67c, 0xa431afb2,0x3f2a3123,0xa5c63094,0xa235c066, 0x4e7437bc,0x82fca6ca,0x90e0b0d0,0xa73315d8, 0x04f14a98,0xec41f7da,0xcd7f0e50,0x91172ff6, 0x4d768dd6,0xef434db0,0xaacc544d,0x96e4df04, 0xd19ee3b5,0x6a4c1b88,0x2cc1b81f,0x65467f51, 0x5e9d04ea,0x8c015d35,0x87fa7374,0x0bfb2e41, 0x67b35a1d,0xdb9252d2,0x10e93356,0xd66d1347, 0xd79a8c61,0xa1377a0c,0xf8598e14,0x13eb893c, 0xa9ceee27,0x61b735c9,0x1ce1ede5,0x477a3cb1, 0xd29c59df,0xf2553f73,0x141879ce,0xc773bf37, 0xf753eacd,0xfd5f5baa,0x3ddf146f,0x447886db, 0xafca81f3,0x68b93ec4,0x24382c34,0xa3c25f40, 0x1d1672c3,0xe2bc0c25,0x3c288b49,0x0dff4195, 0xa8397101,0x0c08deb3,0xb4d89ce4,0x566490c1, 0xcb7b6184,0x32d570b6,0x6c48745c,0xb8d04257, },{ /* Before: itable[3] */ 0x5150a7f4,0x7e536541,0x1ac3a417,0x3a965e27, 0x3bcb6bab,0x1ff1459d,0xacab58fa,0x4b9303e3, 0x2055fa30,0xadf66d76,0x889176cc,0xf5254c02, 0x4ffcd7e5,0xc5d7cb2a,0x26804435,0xb58fa362, 0xde495ab1,0x25671bba,0x45980eea,0x5de1c0fe, 0xc302752f,0x8112f04c,0x8da39746,0x6bc6f9d3, 0x03e75f8f,0x15959c92,0xbfeb7a6d,0x95da5952, 0xd42d83be,0x58d32174,0x492969e0,0x8e44c8c9, 0x756a89c2,0xf478798e,0x996b3e58,0x27dd71b9, 0xbeb64fe1,0xf017ad88,0xc966ac20,0x7db43ace, 0x63184adf,0xe582311a,0x97603351,0x62457f53, 0xb1e07764,0xbb84ae6b,0xfe1ca081,0xf9942b08, 0x70586848,0x8f19fd45,0x94876cde,0x52b7f87b, 0xab23d373,0x72e2024b,0xe3578f1f,0x662aab55, 0xb20728eb,0x2f03c2b5,0x869a7bc5,0xd3a50837, 0x30f28728,0x23b2a5bf,0x02ba6a03,0xed5c8216, 0x8a2b1ccf,0xa792b479,0xf3f0f207,0x4ea1e269, 0x65cdf4da,0x06d5be05,0xd11f6234,0xc48afea6, 0x349d532e,0xa2a055f3,0x0532e18a,0xa475ebf6, 0x0b39ec83,0x40aaef60,0x5e069f71,0xbd51106e, 0x3ef98a21,0x963d06dd,0xddae053e,0x4d46bde6, 0x91b58d54,0x71055dc4,0x046fd406,0x60ff1550, 0x1924fb98,0xd697e9bd,0x89cc4340,0x67779ed9, 0xb0bd42e8,0x07888b89,0xe7385b19,0x79dbeec8, 0xa1470a7c,0x7ce90f42,0xf8c91e84,0x00000000, 0x09838680,0x3248ed2b,0x1eac7011,0x6c4e725a, 0xfdfbff0e,0x0f563885,0x3d1ed5ae,0x3627392d, 0x0a64d90f,0x6821a65c,0x9bd1545b,0x243a2e36, 0x0cb1670a,0x930fe757,0xb4d296ee,0x1b9e919b, 0x804fc5c0,0x61a220dc,0x5a694b77,0x1c161a12, 0xe20aba93,0xc0e52aa0,0x3c43e022,0x121d171b, 0x0e0b0d09,0xf2adc78b,0x2db9a8b6,0x14c8a91e, 0x578519f1,0xaf4c0775,0xeebbdd99,0xa3fd607f, 0xf79f2601,0x5cbcf572,0x44c53b66,0x5b347efb, 0x8b762943,0xcbdcc623,0xb668fced,0xb863f1e4, 0xd7cadc31,0x42108563,0x13402297,0x842011c6, 0x857d244a,0xd2f83dbb,0xae1132f9,0xc76da129, 0x1d4b2f9e,0xdcf330b2,0x0dec5286,0x77d0e3c1, 0x2b6c16b3,0xa999b970,0x11fa4894,0x472264e9, 0xa8c48cfc,0xa01a3ff0,0x56d82c7d,0x22ef9033, 0x87c74e49,0xd9c1d138,0x8cfea2ca,0x98360bd4, 0xa6cf81f5,0xa528de7a,0xda268eb7,0x3fa4bfad, 0x2ce49d3a,0x500d9278,0x6a9bcc5f,0x5462467e, 0xf6c2138d,0x90e8b8d8,0x2e5ef739,0x82f5afc3, 0x9fbe805d,0x697c93d0,0x6fa92dd5,0xcfb31225, 0xc83b99ac,0x10a77d18,0xe86e639c,0xdb7bbb3b, 0xcd097826,0x6ef41859,0xec01b79a,0x83a89a4f, 0xe6656e95,0xaa7ee6ff,0x2108cfbc,0xefe6e815, 0xbad99be7,0x4ace366f,0xead4099f,0x29d67cb0, 0x31afb2a4,0x2a31233f,0xc63094a5,0x35c066a2, 0x7437bc4e,0xfca6ca82,0xe0b0d090,0x3315d8a7, 0xf14a9804,0x41f7daec,0x7f0e50cd,0x172ff691, 0x768dd64d,0x434db0ef,0xcc544daa,0xe4df0496, 0x9ee3b5d1,0x4c1b886a,0xc1b81f2c,0x467f5165, 0x9d04ea5e,0x015d358c,0xfa737487,0xfb2e410b, 0xb35a1d67,0x9252d2db,0xe9335610,0x6d1347d6, 0x9a8c61d7,0x377a0ca1,0x598e14f8,0xeb893c13, 0xceee27a9,0xb735c961,0xe1ede51c,0x7a3cb147, 0x9c59dfd2,0x553f73f2,0x1879ce14,0x73bf37c7, 0x53eacdf7,0x5f5baafd,0xdf146f3d,0x7886db44, 0xca81f3af,0xb93ec468,0x382c3424,0xc25f40a3, 0x1672c31d,0xbc0c25e2,0x288b493c,0xff41950d, 0x397101a8,0x08deb30c,0xd89ce4b4,0x6490c156, 0x7b6184cb,0xd570b632,0x48745c6c,0xd04257b8, }, #endif /* !AES_SMALL */ } }; nettle-3.10/ctr16.c0000644000175000017500000000561214633602171013066 0ustar nissenisse/* ctr16.c Cipher counter mode, optimized for 16-byte blocks. Copyright (C) 2005-2018 Niels Möller Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ctr.h" #include "ctr-internal.h" #include "memxor.h" #include "nettle-internal.h" #define MIN(a,b) (((a) < (b)) ? (a) : (b)) void _nettle_ctr_crypt16(const void *ctx, nettle_cipher_func *f, nettle_fill16_func *fill, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src) { if (dst != src && !((uintptr_t) dst % sizeof(uint64_t))) { size_t blocks = length / 16u; size_t done; fill (ctr, blocks, (union nettle_block16 *) dst); done = blocks * 16; f(ctx, done, dst, dst); memxor (dst, src, done); length -= done; if (length > 0) { /* Left-over partial block */ union nettle_block16 block; dst += done; src += done; assert (length < 16); /* Use fill, to update ctr value in the same way in all cases. */ fill (ctr, 1, &block); f (ctx, 16, block.b, block.b); memxor3 (dst, src, block.b, length); } } else { /* Construct an aligned buffer of consecutive counter values, of size at most CTR_BUFFER_LIMIT. */ TMP_DECL(buffer, union nettle_block16, CTR_BUFFER_LIMIT / 16); size_t blocks = (length + 15) / 16u; size_t i; TMP_ALLOC(buffer, MIN(blocks, CTR_BUFFER_LIMIT / 16)); for (i = 0; blocks >= CTR_BUFFER_LIMIT / 16; i += CTR_BUFFER_LIMIT, blocks -= CTR_BUFFER_LIMIT / 16) { fill (ctr, CTR_BUFFER_LIMIT / 16, buffer); f(ctx, CTR_BUFFER_LIMIT, buffer->b, buffer->b); if (length - i < CTR_BUFFER_LIMIT) goto done; memxor3 (dst + i, src + i, buffer->b, CTR_BUFFER_LIMIT); } if (blocks > 0) { assert (length - i < CTR_BUFFER_LIMIT); fill (ctr, blocks, buffer); f(ctx, blocks * 16, buffer->b, buffer->b); done: memxor3 (dst + i, src + i, buffer->b, length - i); } } } nettle-3.10/chacha-set-key.c0000644000175000017500000000331714633602171014715 0ustar nissenisse/* chacha-set-key.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "chacha.h" #include "macros.h" void chacha_set_key(struct chacha_ctx *ctx, const uint8_t *key) { static const uint32_t sigma[4] = { /* "expand 32-byte k" */ 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 }; ctx->state[4] = LE_READ_UINT32(key + 0); ctx->state[5] = LE_READ_UINT32(key + 4); ctx->state[6] = LE_READ_UINT32(key + 8); ctx->state[7] = LE_READ_UINT32(key + 12); ctx->state[8] = LE_READ_UINT32(key + 16); ctx->state[9] = LE_READ_UINT32(key + 20); ctx->state[10] = LE_READ_UINT32(key + 24); ctx->state[11] = LE_READ_UINT32(key + 28); memcpy (ctx->state, sigma, sizeof(sigma)); } nettle-3.10/gcm-aes192-meta.c0000644000175000017500000000342614633602171014624 0ustar nissenisse/* gcm-aes192-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_aes192_set_nonce_wrapper; static void gcm_aes192_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_aes192_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_aes192 = { "gcm_aes192", sizeof(struct gcm_aes192_ctx), GCM_BLOCK_SIZE, AES192_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_aes192_set_key, (nettle_set_key_func *) gcm_aes192_set_key, gcm_aes192_set_nonce_wrapper, (nettle_hash_update_func *) gcm_aes192_update, (nettle_crypt_func *) gcm_aes192_encrypt, (nettle_crypt_func *) gcm_aes192_decrypt, (nettle_hash_digest_func *) gcm_aes192_digest, }; nettle-3.10/nettle.pc.in0000644000175000017500000000044614633602172014210 0ustar nissenisseprefix=@prefix@ exec_prefix=@exec_prefix@ libdir=@libdir@ includedir=@includedir@ Name: Nettle Description: Nettle low-level cryptographic library (symmetric algorithms) URL: http://www.lysator.liu.se/~nisse/nettle Version: @PACKAGE_VERSION@ Libs: -L${libdir} -lnettle Cflags: -I${includedir} nettle-3.10/rsa-pss-sha256-sign-tr.c0000644000175000017500000000331014633602171016077 0ustar nissenisse/* rsa-pss-sha256-sign-tr.c Signatures using RSA and SHA-256, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, size_t salt_length, const uint8_t *salt, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pss_encode_mgf1(m, mpz_sizeinbase(pub->n, 2) - 1, &nettle_sha256, salt_length, salt, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.10/aes-encrypt-internal.c0000644000175000017500000000660314633602171016174 0ustar nissenisse/* aes-encrypt-internal.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_aes_encrypt void _nettle_aes_encrypt_c(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); #define _nettle_aes_encrypt _nettle_aes_encrypt_c #endif void _nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, AES_BLOCK_SIZE) { uint32_t w0, w1, w2, w3; /* working ciphertext */ uint32_t t0, t1, t2, t3; unsigned i; /* Get clear text, using little-endian byte order. * Also XOR with the first subkey. */ w0 = LE_READ_UINT32(src) ^ keys[0]; w1 = LE_READ_UINT32(src + 4) ^ keys[1]; w2 = LE_READ_UINT32(src + 8) ^ keys[2]; w3 = LE_READ_UINT32(src + 12) ^ keys[3]; for (i = 1; i < rounds; i++) { t0 = AES_ROUND(T, w0, w1, w2, w3, keys[4*i]); t1 = AES_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); t2 = AES_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); t3 = AES_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); /* We could unroll the loop twice, to avoid these assignments. If all eight variables fit in registers, that should give a slight speedup. */ w0 = t0; w1 = t1; w2 = t2; w3 = t3; } /* Final round */ t0 = AES_FINAL_ROUND(T, w0, w1, w2, w3, keys[4*i]); t1 = AES_FINAL_ROUND(T, w1, w2, w3, w0, keys[4*i + 1]); t2 = AES_FINAL_ROUND(T, w2, w3, w0, w1, keys[4*i + 2]); t3 = AES_FINAL_ROUND(T, w3, w0, w1, w2, keys[4*i + 3]); LE_WRITE_UINT32(dst, t0); LE_WRITE_UINT32(dst + 4, t1); LE_WRITE_UINT32(dst + 8, t2); LE_WRITE_UINT32(dst + 12, t3); } } /* Some stats, all for AES 128: A. Table-driven indexing (the approach of the old unified _aes_crypt function). B. Unrolling the j-loop. C. Eliminated the use of IDXk(j) in the main loop. D. Put wtxt in four scalar variables. E. Also put t in four scalar variables. P4 2.2 GHz AMD Duron 1.4GHz MB/s code size A 35.9 0x202 17 MB/s B 37.3 0x334 C 33.0 0x2a7 D 40.7 0x3f9 E 42.9 0x44a 26 MB/s */ nettle-3.10/non-nettle.c0000644000175000017500000002020714633602172014210 0ustar nissenisse/* non-nettle.c Things that are used only by the testsuite and benchmark, and not included in the library. Copyright (C) 2002, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "non-nettle.h" #include "arcfour.h" #include "blowfish.h" #include "cbc.h" #include "chacha.h" #include "des.h" #include "salsa20.h" /* Wrapper functions discarding the return value. Needed for the ciphers with weak keys. */ static void des_set_key_wrapper (void *ctx, const uint8_t *key) { des_set_key (ctx, key); } static void des3_set_key_wrapper (void *ctx, const uint8_t *key) { des3_set_key (ctx, key); } static void blowfish128_set_key_wrapper (void *ctx, const uint8_t *key) { blowfish128_set_key (ctx, key); } const struct nettle_cipher nettle_des = { "des", sizeof(struct des_ctx), DES_BLOCK_SIZE, DES_KEY_SIZE, des_set_key_wrapper, des_set_key_wrapper, (nettle_cipher_func *) des_encrypt, (nettle_cipher_func *) des_decrypt }; const struct nettle_cipher nettle_des3 = { "des3", sizeof(struct des3_ctx), DES3_BLOCK_SIZE, DES3_KEY_SIZE, des3_set_key_wrapper, des3_set_key_wrapper, (nettle_cipher_func *) des3_encrypt, (nettle_cipher_func *) des3_decrypt }; const struct nettle_cipher nettle_blowfish128 = { "blowfish128", sizeof(struct blowfish_ctx), BLOWFISH_BLOCK_SIZE, BLOWFISH128_KEY_SIZE, blowfish128_set_key_wrapper, blowfish128_set_key_wrapper, (nettle_cipher_func *) blowfish_encrypt, (nettle_cipher_func *) blowfish_decrypt }; const struct nettle_aead nettle_arcfour128 = { "arcfour128", sizeof(struct arcfour_ctx), 1, ARCFOUR128_KEY_SIZE, 0, 0, (nettle_set_key_func *) arcfour128_set_key, (nettle_set_key_func *) arcfour128_set_key, NULL, NULL, (nettle_crypt_func *) arcfour_crypt, (nettle_crypt_func *) arcfour_crypt, NULL, }; const struct nettle_aead nettle_chacha = { "chacha", sizeof(struct chacha_ctx), CHACHA_BLOCK_SIZE, CHACHA_KEY_SIZE, CHACHA_NONCE_SIZE, 0, (nettle_set_key_func *) chacha_set_key, (nettle_set_key_func *) chacha_set_key, (nettle_set_key_func *) chacha_set_nonce, NULL, (nettle_crypt_func *) chacha_crypt, (nettle_crypt_func *) chacha_crypt, NULL, }; const struct nettle_aead nettle_salsa20 = { "salsa20", sizeof(struct salsa20_ctx), SALSA20_BLOCK_SIZE, SALSA20_256_KEY_SIZE, SALSA20_NONCE_SIZE, 0, (nettle_set_key_func *) salsa20_256_set_key, (nettle_set_key_func *) salsa20_256_set_key, (nettle_set_key_func *) salsa20_set_nonce, NULL, (nettle_crypt_func *) salsa20_crypt, (nettle_crypt_func *) salsa20_crypt, NULL, }; const struct nettle_aead nettle_salsa20r12 = { "salsa20r12", sizeof(struct salsa20_ctx), SALSA20_BLOCK_SIZE, SALSA20_256_KEY_SIZE, SALSA20_NONCE_SIZE, 0, (nettle_set_key_func*) salsa20_256_set_key, (nettle_set_key_func*) salsa20_256_set_key, (nettle_set_key_func*) salsa20_set_nonce, NULL, (nettle_crypt_func *) salsa20r12_crypt, (nettle_crypt_func *) salsa20r12_crypt, NULL, }; struct cbc_aes128_ctx CBC_CTX(struct aes128_ctx, AES_BLOCK_SIZE); static void cbc_aes128_set_encrypt_key(struct cbc_aes128_ctx *ctx, const uint8_t *key) { aes128_set_encrypt_key(&ctx->ctx, key); } static void cbc_aes128_set_iv(struct cbc_aes128_ctx *ctx, const uint8_t *iv) { CBC_SET_IV(ctx, iv); } static void cbc_aes128_encrypt_wrapper(struct cbc_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { cbc_aes128_encrypt(&ctx->ctx, ctx->iv, length, dst, src); } const struct nettle_aead nettle_cbc_aes128 = { "cbc_aes128", sizeof(struct cbc_aes128_ctx), AES_BLOCK_SIZE, AES128_KEY_SIZE, AES_BLOCK_SIZE, 0, (nettle_set_key_func*) cbc_aes128_set_encrypt_key, NULL, (nettle_set_key_func*) cbc_aes128_set_iv, NULL, (nettle_crypt_func *) cbc_aes128_encrypt_wrapper, NULL, NULL, }; struct cbc_aes192_ctx CBC_CTX(struct aes192_ctx, AES_BLOCK_SIZE); static void cbc_aes192_set_encrypt_key(struct cbc_aes192_ctx *ctx, const uint8_t *key) { aes192_set_encrypt_key(&ctx->ctx, key); } static void cbc_aes192_set_iv(struct cbc_aes192_ctx *ctx, const uint8_t *iv) { CBC_SET_IV(ctx, iv); } static void cbc_aes192_encrypt_wrapper(struct cbc_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { cbc_aes192_encrypt(&ctx->ctx, ctx->iv, length, dst, src); } const struct nettle_aead nettle_cbc_aes192 = { "cbc_aes192", sizeof(struct cbc_aes192_ctx), AES_BLOCK_SIZE, AES192_KEY_SIZE, AES_BLOCK_SIZE, 0, (nettle_set_key_func*) cbc_aes192_set_encrypt_key, NULL, (nettle_set_key_func*) cbc_aes192_set_iv, NULL, (nettle_crypt_func *) cbc_aes192_encrypt_wrapper, NULL, NULL, }; struct cbc_aes256_ctx CBC_CTX(struct aes256_ctx, AES_BLOCK_SIZE); static void cbc_aes256_set_encrypt_key(struct cbc_aes256_ctx *ctx, const uint8_t *key) { aes256_set_encrypt_key(&ctx->ctx, key); } static void cbc_aes256_set_iv(struct cbc_aes256_ctx *ctx, const uint8_t *iv) { CBC_SET_IV(ctx, iv); } static void cbc_aes256_encrypt_wrapper(struct cbc_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { cbc_aes256_encrypt(&ctx->ctx, ctx->iv, length, dst, src); } const struct nettle_aead nettle_cbc_aes256 = { "cbc_aes256", sizeof(struct cbc_aes256_ctx), AES_BLOCK_SIZE, AES256_KEY_SIZE, AES_BLOCK_SIZE, 0, (nettle_set_key_func*) cbc_aes256_set_encrypt_key, NULL, (nettle_set_key_func*) cbc_aes256_set_iv, NULL, (nettle_crypt_func *) cbc_aes256_encrypt_wrapper, NULL, NULL, }; static void ocb_aes128_set_encrypt_key_wrapper (struct ocb_aes128_ctx *ctx, const uint8_t *key) { ocb_aes128_set_encrypt_key(&ctx->key, key); } static void ocb_aes128_set_decrypt_key_wrapper (struct ocb_aes128_ctx *ctx, const uint8_t *key) { ocb_aes128_set_decrypt_key(&ctx->key, &ctx->decrypt, key); } static void ocb_aes128_set_nonce_wrapper (struct ocb_aes128_ctx *ctx, const uint8_t *nonce) { ocb_aes128_set_nonce (&ctx->ocb, &ctx->key, OCB_DIGEST_SIZE, OCB_NONCE_SIZE, nonce); } static void ocb_aes128_update_wrapper (struct ocb_aes128_ctx *ctx, size_t length, const uint8_t *data) { ocb_aes128_update (&ctx->ocb, &ctx->key, length, data); } static void ocb_aes128_encrypt_wrapper (struct ocb_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ocb_aes128_encrypt (&ctx->ocb, &ctx->key, length, dst, src); } static void ocb_aes128_decrypt_wrapper (struct ocb_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ocb_aes128_decrypt (&ctx->ocb, &ctx->key, &ctx->decrypt, length, dst, src); } static void ocb_aes128_digest_wrapper (struct ocb_aes128_ctx *ctx, size_t length, uint8_t *digest) { ocb_aes128_digest (&ctx->ocb, &ctx->key, length, digest); } const struct nettle_aead nettle_ocb_aes128 = { "ocb_aes128", sizeof(struct ocb_aes128_ctx), OCB_BLOCK_SIZE, AES128_KEY_SIZE, OCB_NONCE_SIZE, OCB_DIGEST_SIZE, (nettle_set_key_func *) ocb_aes128_set_encrypt_key_wrapper, (nettle_set_key_func *) ocb_aes128_set_decrypt_key_wrapper, (nettle_set_key_func *) ocb_aes128_set_nonce_wrapper, (nettle_hash_update_func *) ocb_aes128_update_wrapper, (nettle_crypt_func *) ocb_aes128_encrypt_wrapper, (nettle_crypt_func *) ocb_aes128_decrypt_wrapper, (nettle_hash_digest_func *) ocb_aes128_digest_wrapper }; nettle-3.10/camellia.h0000644000175000017500000001023414633602172013700 0ustar nissenisse/* camellia.h Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CAMELLIA_H_INCLUDED #define NETTLE_CAMELLIA_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define camellia128_set_encrypt_key nettle_camellia128_set_encrypt_key #define camellia128_set_decrypt_key nettle_camellia_set_decrypt_key #define camellia128_invert_key nettle_camellia128_invert_key #define camellia128_crypt nettle_camellia128_crypt #define camellia192_set_encrypt_key nettle_camellia192_set_encrypt_key #define camellia192_set_decrypt_key nettle_camellia192_set_decrypt_key #define camellia256_set_encrypt_key nettle_camellia256_set_encrypt_key #define camellia256_set_decrypt_key nettle_camellia256_set_decrypt_key #define camellia256_invert_key nettle_camellia256_invert_key #define camellia256_crypt nettle_camellia256_crypt #define CAMELLIA_BLOCK_SIZE 16 /* Valid key sizes are 128, 192 or 256 bits (16, 24 or 32 bytes) */ #define CAMELLIA128_KEY_SIZE 16 #define CAMELLIA192_KEY_SIZE 24 #define CAMELLIA256_KEY_SIZE 32 /* For 128-bit keys, there are 18 regular rounds, pre- and post-whitening, and two FL and FLINV rounds, using a total of 26 subkeys, each of 64 bit. For 192- and 256-bit keys, there are 6 additional regular rounds and one additional FL and FLINV, using a total of 34 subkeys. */ /* The clever combination of subkeys imply one of the pre- and post-whitening keys is folded with the round keys, so that subkey #1 and the last one (#25 or #33) is not used. The result is that we have only 24 or 32 subkeys at the end of key setup. */ #define _CAMELLIA128_NKEYS 24 #define _CAMELLIA256_NKEYS 32 struct camellia128_ctx { uint64_t keys[_CAMELLIA128_NKEYS]; }; void camellia128_set_encrypt_key(struct camellia128_ctx *ctx, const uint8_t *key); void camellia128_set_decrypt_key(struct camellia128_ctx *ctx, const uint8_t *key); void camellia128_invert_key(struct camellia128_ctx *dst, const struct camellia128_ctx *src); void camellia128_crypt(const struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct camellia256_ctx { uint64_t keys[_CAMELLIA256_NKEYS]; }; void camellia256_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); void camellia256_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); void camellia256_invert_key(struct camellia256_ctx *dst, const struct camellia256_ctx *src); void camellia256_crypt(const struct camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); /* camellia192 is the same as camellia256, except for the key schedule. */ /* Slightly ugly with a #define on a struct tag, since it might cause surprises if also used as a name of a variable. */ #define camellia192_ctx camellia256_ctx void camellia192_set_encrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); void camellia192_set_decrypt_key(struct camellia256_ctx *ctx, const uint8_t *key); #define camellia192_invert_key camellia256_invert_key #define camellia192_crypt camellia256_crypt #ifdef __cplusplus } #endif #endif /* NETTLE_CAMELLIA_H_INCLUDED */ nettle-3.10/eddsa-internal.h0000644000175000017500000000721114633602172015024 0ustar nissenisse/* eddsa.h Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EDDSA_INTERNAL_H #define NETTLE_EDDSA_INTERNAL_H #include "nettle-types.h" #include "bignum.h" #define _eddsa_compress _nettle_eddsa_compress #define _eddsa_compress_itch _nettle_eddsa_compress_itch #define _eddsa_decompress _nettle_eddsa_decompress #define _eddsa_decompress_itch _nettle_eddsa_decompress_itch #define _eddsa_hash _nettle_eddsa_hash #define _eddsa_expand_key _nettle_eddsa_expand_key #define _eddsa_sign _nettle_eddsa_sign #define _eddsa_sign_itch _nettle_eddsa_sign_itch #define _eddsa_verify _nettle_eddsa_verify #define _eddsa_verify_itch _nettle_eddsa_verify_itch #define _eddsa_public_key_itch _nettle_eddsa_public_key_itch #define _eddsa_public_key _nettle_eddsa_public_key /* Low-level internal functions */ struct ecc_curve; struct ecc_modulo; typedef void nettle_eddsa_dom_func(void *ctx); struct ecc_eddsa { /* Hash function to use */ nettle_hash_update_func *update; nettle_hash_digest_func *digest; nettle_eddsa_dom_func *dom; /* For generating the secret scalar */ mp_limb_t low_mask; mp_limb_t high_bit; }; extern const struct ecc_eddsa _nettle_ed25519_sha512; extern const struct ecc_eddsa _nettle_ed448_shake256; mp_size_t _eddsa_compress_itch (const struct ecc_curve *ecc); void _eddsa_compress (const struct ecc_curve *ecc, uint8_t *r, mp_limb_t *p, mp_limb_t *scratch); mp_size_t _eddsa_decompress_itch (const struct ecc_curve *ecc); int _eddsa_decompress (const struct ecc_curve *ecc, mp_limb_t *p, const uint8_t *cp, mp_limb_t *scratch); void _eddsa_hash (const struct ecc_modulo *m, mp_limb_t *rp, size_t digest_size, const uint8_t *digest); mp_size_t _eddsa_sign_itch (const struct ecc_curve *ecc); void _eddsa_sign (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *pub, const uint8_t *k1, const mp_limb_t *k2, size_t length, const uint8_t *msg, uint8_t *signature, mp_limb_t *scratch); mp_size_t _eddsa_verify_itch (const struct ecc_curve *ecc); int _eddsa_verify (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, const uint8_t *pub, const mp_limb_t *A, void *ctx, size_t length, const uint8_t *msg, const uint8_t *signature, mp_limb_t *scratch); void _eddsa_expand_key (const struct ecc_curve *ecc, const struct ecc_eddsa *eddsa, void *ctx, const uint8_t *key, uint8_t *digest, mp_limb_t *k2); mp_size_t _eddsa_public_key_itch (const struct ecc_curve *ecc); void _eddsa_public_key (const struct ecc_curve *ecc, const mp_limb_t *k, uint8_t *pub, mp_limb_t *scratch); #endif /* NETTLE_EDDSA_INTERNAL_H */ nettle-3.10/sm4.c0000644000175000017500000001402714633602171012632 0ustar nissenisse/* sm4.c Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "sm4.h" #include "macros.h" static const uint32_t fk[4] = { 0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc }; static const uint32_t ck[32] = { 0x00070e15, 0x1c232a31, 0x383f464d, 0x545b6269, 0x70777e85, 0x8c939aa1, 0xa8afb6bd, 0xc4cbd2d9, 0xe0e7eef5, 0xfc030a11, 0x181f262d, 0x343b4249, 0x50575e65, 0x6c737a81, 0x888f969d, 0xa4abb2b9, 0xc0c7ced5, 0xdce3eaf1, 0xf8ff060d, 0x141b2229, 0x30373e45, 0x4c535a61, 0x686f767d, 0x848b9299, 0xa0a7aeb5, 0xbcc3cad1, 0xd8dfe6ed, 0xf4fb0209, 0x10171e25, 0x2c333a41, 0x484f565d, 0x646b7279 }; static const uint8_t sbox[256] = { 0xd6, 0x90, 0xe9, 0xfe, 0xcc, 0xe1, 0x3d, 0xb7, 0x16, 0xb6, 0x14, 0xc2, 0x28, 0xfb, 0x2c, 0x05, 0x2b, 0x67, 0x9a, 0x76, 0x2a, 0xbe, 0x04, 0xc3, 0xaa, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99, 0x9c, 0x42, 0x50, 0xf4, 0x91, 0xef, 0x98, 0x7a, 0x33, 0x54, 0x0b, 0x43, 0xed, 0xcf, 0xac, 0x62, 0xe4, 0xb3, 0x1c, 0xa9, 0xc9, 0x08, 0xe8, 0x95, 0x80, 0xdf, 0x94, 0xfa, 0x75, 0x8f, 0x3f, 0xa6, 0x47, 0x07, 0xa7, 0xfc, 0xf3, 0x73, 0x17, 0xba, 0x83, 0x59, 0x3c, 0x19, 0xe6, 0x85, 0x4f, 0xa8, 0x68, 0x6b, 0x81, 0xb2, 0x71, 0x64, 0xda, 0x8b, 0xf8, 0xeb, 0x0f, 0x4b, 0x70, 0x56, 0x9d, 0x35, 0x1e, 0x24, 0x0e, 0x5e, 0x63, 0x58, 0xd1, 0xa2, 0x25, 0x22, 0x7c, 0x3b, 0x01, 0x21, 0x78, 0x87, 0xd4, 0x00, 0x46, 0x57, 0x9f, 0xd3, 0x27, 0x52, 0x4c, 0x36, 0x02, 0xe7, 0xa0, 0xc4, 0xc8, 0x9e, 0xea, 0xbf, 0x8a, 0xd2, 0x40, 0xc7, 0x38, 0xb5, 0xa3, 0xf7, 0xf2, 0xce, 0xf9, 0x61, 0x15, 0xa1, 0xe0, 0xae, 0x5d, 0xa4, 0x9b, 0x34, 0x1a, 0x55, 0xad, 0x93, 0x32, 0x30, 0xf5, 0x8c, 0xb1, 0xe3, 0x1d, 0xf6, 0xe2, 0x2e, 0x82, 0x66, 0xca, 0x60, 0xc0, 0x29, 0x23, 0xab, 0x0d, 0x53, 0x4e, 0x6f, 0xd5, 0xdb, 0x37, 0x45, 0xde, 0xfd, 0x8e, 0x2f, 0x03, 0xff, 0x6a, 0x72, 0x6d, 0x6c, 0x5b, 0x51, 0x8d, 0x1b, 0xaf, 0x92, 0xbb, 0xdd, 0xbc, 0x7f, 0x11, 0xd9, 0x5c, 0x41, 0x1f, 0x10, 0x5a, 0xd8, 0x0a, 0xc1, 0x31, 0x88, 0xa5, 0xcd, 0x7b, 0xbd, 0x2d, 0x74, 0xd0, 0x12, 0xb8, 0xe5, 0xb4, 0xb0, 0x89, 0x69, 0x97, 0x4a, 0x0c, 0x96, 0x77, 0x7e, 0x65, 0xb9, 0xf1, 0x09, 0xc5, 0x6e, 0xc6, 0x84, 0x18, 0xf0, 0x7d, 0xec, 0x3a, 0xdc, 0x4d, 0x20, 0x79, 0xee, 0x5f, 0x3e, 0xd7, 0xcb, 0x39, 0x48 }; static uint32_t sm4_t_non_lin_sub(uint32_t x) { uint32_t out; out = (uint32_t)sbox[x & 0xff]; out |= (uint32_t)sbox[(x >> 8) & 0xff] << 8; out |= (uint32_t)sbox[(x >> 16) & 0xff] << 16; out |= (uint32_t)sbox[(x >> 24) & 0xff] << 24; return out; } static uint32_t sm4_key_lin_sub(uint32_t x) { return x ^ ROTL32(13, x) ^ ROTL32(23, x); } static uint32_t sm4_enc_lin_sub(uint32_t x) { return x ^ ROTL32(2, x) ^ ROTL32(10, x) ^ ROTL32(18, x) ^ ROTL32(24, x); } static uint32_t sm4_key_sub(uint32_t x) { return sm4_key_lin_sub(sm4_t_non_lin_sub(x)); } static uint32_t sm4_enc_sub(uint32_t x) { return sm4_enc_lin_sub(sm4_t_non_lin_sub(x)); } static uint32_t sm4_round(uint32_t x0, uint32_t x1, uint32_t x2, uint32_t x3, uint32_t rk) { return x0 ^ sm4_enc_sub(x1 ^ x2 ^ x3 ^ rk); } static void sm4_set_key(struct sm4_ctx *ctx, const uint8_t *key, int encrypt) { uint32_t rk0, rk1, rk2, rk3; unsigned i; rk0 = READ_UINT32(key + 0) ^ fk[0]; rk1 = READ_UINT32(key + 4) ^ fk[1]; rk2 = READ_UINT32(key + 8) ^ fk[2]; rk3 = READ_UINT32(key + 12) ^ fk[3]; for (i = 0; i < 32; i += 4) { rk0 ^= sm4_key_sub(rk1 ^ rk2 ^ rk3 ^ ck[i + 0]); rk1 ^= sm4_key_sub(rk2 ^ rk3 ^ rk0 ^ ck[i + 1]); rk2 ^= sm4_key_sub(rk3 ^ rk0 ^ rk1 ^ ck[i + 2]); rk3 ^= sm4_key_sub(rk0 ^ rk1 ^ rk2 ^ ck[i + 3]); if (encrypt) { ctx->rkey[i + 0] = rk0; ctx->rkey[i + 1] = rk1; ctx->rkey[i + 2] = rk2; ctx->rkey[i + 3] = rk3; } else { ctx->rkey[31 - 0 - i] = rk0; ctx->rkey[31 - 1 - i] = rk1; ctx->rkey[31 - 2 - i] = rk2; ctx->rkey[31 - 3 - i] = rk3; } } } void sm4_set_encrypt_key(struct sm4_ctx *ctx, const uint8_t *key) { sm4_set_key(ctx, key, 1); } void sm4_set_decrypt_key(struct sm4_ctx *ctx, const uint8_t *key) { sm4_set_key(ctx, key, 0); } void sm4_crypt(const struct sm4_ctx *context, size_t length, uint8_t *dst, const uint8_t *src) { const uint32_t *rk = context->rkey; assert( !(length % SM4_BLOCK_SIZE) ); for ( ; length; length -= SM4_BLOCK_SIZE) { uint32_t x0, x1, x2, x3; unsigned i; x0 = READ_UINT32(src + 0 * 4); x1 = READ_UINT32(src + 1 * 4); x2 = READ_UINT32(src + 2 * 4); x3 = READ_UINT32(src + 3 * 4); for (i = 0; i < 32; i += 4) { x0 = sm4_round(x0, x1, x2, x3, rk[i + 0]); x1 = sm4_round(x1, x2, x3, x0, rk[i + 1]); x2 = sm4_round(x2, x3, x0, x1, rk[i + 2]); x3 = sm4_round(x3, x0, x1, x2, rk[i + 3]); } WRITE_UINT32(dst + 0 * 4, x3); WRITE_UINT32(dst + 1 * 4, x2); WRITE_UINT32(dst + 2 * 4, x1); WRITE_UINT32(dst + 3 * 4, x0); src += SM4_BLOCK_SIZE; dst += SM4_BLOCK_SIZE; } } nettle-3.10/eax-aes128.c0000644000175000017500000000373114633602171013705 0ustar nissenisse/* eax-aes128.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eax.h" void eax_aes128_set_key(struct eax_aes128_ctx *ctx, const uint8_t *key) { EAX_SET_KEY(ctx, aes128_set_encrypt_key, aes128_encrypt, key); } void eax_aes128_set_nonce(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv) { EAX_SET_NONCE(ctx, aes128_encrypt, length, iv); } void eax_aes128_update(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data) { EAX_UPDATE(ctx, aes128_encrypt, length, data); } void eax_aes128_encrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { EAX_ENCRYPT(ctx, aes128_encrypt, length, dst, src); } void eax_aes128_decrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { EAX_DECRYPT(ctx, aes128_encrypt, length, dst, src); } void eax_aes128_digest(struct eax_aes128_ctx *ctx, size_t length, uint8_t *digest) { EAX_DIGEST(ctx, aes128_encrypt, length, digest); } nettle-3.10/umac-set-key.c0000644000175000017500000000504214633602171014430 0ustar nissenisse/* umac-set-key.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "umac-internal.h" #include "macros.h" #include "bswap-internal.h" static void umac_kdf (struct aes128_ctx *aes, unsigned index, unsigned length, uint8_t *dst) { uint8_t block[AES_BLOCK_SIZE]; uint64_t count; WRITE_UINT64 (block, (uint64_t) index); for (count = 1; length >= AES_BLOCK_SIZE; length -= AES_BLOCK_SIZE, dst += AES_BLOCK_SIZE, count++) { WRITE_UINT64 (block + 8, count); aes128_encrypt (aes, AES_BLOCK_SIZE, dst, block); } if (length > 0) { WRITE_UINT64 (block + 8, count); aes128_encrypt (aes, AES_BLOCK_SIZE, block, block); memcpy (dst, block, length); } } void _nettle_umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, struct aes128_ctx *aes, const uint8_t *key, unsigned n) { unsigned size; uint8_t buffer[UMAC_KEY_SIZE]; aes128_set_encrypt_key (aes, key); size = UMAC_BLOCK_SIZE / 4 + 4*(n-1); umac_kdf (aes, 1, size * sizeof(uint32_t), (uint8_t *) l1_key); bswap32_n_if_le (size, l1_key); size = 6*n; umac_kdf (aes, 2, size * sizeof(uint32_t), (uint8_t *) l2_key); _nettle_umac_l2_init (size, l2_key); size = 8*n; umac_kdf (aes, 3, size * sizeof(uint64_t), (uint8_t *) l3_key1); _nettle_umac_l3_init (size, l3_key1); /* No need to byteswap these subkeys. */ umac_kdf (aes, 4, n * sizeof(uint32_t), (uint8_t *) l3_key2); umac_kdf (aes, 0, UMAC_KEY_SIZE, buffer); aes128_set_encrypt_key (aes, buffer); } nettle-3.10/chacha-internal.h0000644000175000017500000000523314633602172015155 0ustar nissenisse/* chacha-internal.h The ChaCha stream cipher. Copyright (C) 2013 Joachim Strömbergson Copyright (C) 2012 Simon Josefsson Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CHACHA_INTERNAL_H_INCLUDED #define NETTLE_CHACHA_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "chacha.h" void _nettle_chacha_core(uint32_t *dst, const uint32_t *src, unsigned rounds); /* Functions available only in some configurations */ void _nettle_chacha_2core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_2core32(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_3core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_3core32(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_4core(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_4core32(uint32_t *dst, const uint32_t *src, unsigned rounds); void _nettle_chacha_crypt_1core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt_3core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt_4core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt32_1core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt32_3core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void _nettle_chacha_crypt32_4core(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #endif /* NETTLE_CHACHA_INTERNAL_H_INCLUDED */ nettle-3.10/dsa-compat.c0000644000175000017500000000302214633602171014150 0ustar nissenisse/* dsa-compat.c The DSA publickey algorithm, old interface. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" void dsa_public_key_init(struct dsa_public_key *key) { dsa_params_init ((struct dsa_params *) key); mpz_init(key->y); } void dsa_public_key_clear(struct dsa_public_key *key) { dsa_params_clear ((struct dsa_params *) key); mpz_clear(key->y); } void dsa_private_key_init(struct dsa_private_key *key) { mpz_init(key->x); } void dsa_private_key_clear(struct dsa_private_key *key) { mpz_clear(key->x); } nettle-3.10/salsa20-core-internal.c0000644000175000017500000000562014633602171016133 0ustar nissenisse/* salsa20-core-internal.c Internal interface to the Salsa20 core function. Copyright (C) 2012 Simon Josefsson, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on: salsa20-ref.c version 20051118 D. J. Bernstein Public domain. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "salsa20.h" #include "salsa20-internal.h" #include "bswap-internal.h" #include "macros.h" /* For fat builds */ #if HAVE_NATIVE_salsa20_core void _nettle_salsa20_core_c(uint32_t *dst, const uint32_t *src, unsigned rounds); #define _nettle_salsa20_core _nettle_salsa20_core_c #endif #ifndef SALSA20_DEBUG # define SALSA20_DEBUG 0 #endif #if SALSA20_DEBUG # include # define DEBUG(i) do { \ unsigned debug_j; \ for (debug_j = 0; debug_j < 16; debug_j++) \ { \ if (debug_j == 0) \ fprintf(stderr, "%2d:", (i)); \ else if (debug_j % 4 == 0) \ fprintf(stderr, "\n "); \ fprintf(stderr, " %8x", x[debug_j]); \ } \ fprintf(stderr, "\n"); \ } while (0) #else # define DEBUG(i) #endif #define QROUND(x0, x1, x2, x3) do { \ x1 ^= ROTL32(7, x0 + x3); \ x2 ^= ROTL32(9, x1 + x0); \ x3 ^= ROTL32(13, x2 + x1); \ x0 ^= ROTL32(18, x3 + x2); \ } while(0) void _nettle_salsa20_core(uint32_t *dst, const uint32_t *src, unsigned rounds) { uint32_t x[_SALSA20_INPUT_LENGTH]; unsigned i; assert ( (rounds & 1) == 0); memcpy (x, src, sizeof(x)); for (i = 0; i < rounds;i += 2) { DEBUG (i); QROUND(x[0], x[4], x[8], x[12]); QROUND(x[5], x[9], x[13], x[1]); QROUND(x[10], x[14], x[2], x[6]); QROUND(x[15], x[3], x[7], x[11]); DEBUG (i+1); QROUND(x[0], x[1], x[2], x[3]); QROUND(x[5], x[6], x[7], x[4]); QROUND(x[10], x[11], x[8], x[9]); QROUND(x[15], x[12], x[13], x[14]); } DEBUG (i); for (i = 0; i < _SALSA20_INPUT_LENGTH; i++) { uint32_t t = x[i] + src[i]; dst[i] = bswap32_if_be (t); } } nettle-3.10/hmac-sha256.c0000644000175000017500000000305214633602171014041 0ustar nissenisse/* hmac-sha256.c HMAC-SHA256 message authentication code. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha256_set_key(struct hmac_sha256_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha256, key_length, key); } void hmac_sha256_update(struct hmac_sha256_ctx *ctx, size_t length, const uint8_t *data) { sha256_update(&ctx->state, length, data); } void hmac_sha256_digest(struct hmac_sha256_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha256, length, digest); } nettle-3.10/COPYING.LESSERv30000644000175000017500000001672714633602172014275 0ustar nissenisse GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below. 0. Additional Definitions. As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License. "The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below. An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library. A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version". The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version. The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work. 1. Exception to Section 3 of the GNU GPL. You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL. 2. Conveying Modified Versions. If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version: a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy. 3. Object Code Incorporating Material from Library Header Files. The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following: a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the object code with a copy of the GNU GPL and this license document. 4. Combined Works. You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following: a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the Combined Work with a copy of the GNU GPL and this license document. c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document. d) Do one of the following: 0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source. 1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version. e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.) 5. Combined Libraries. You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following: a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License. b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 6. Revised Versions of the GNU Lesser General Public License. The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation. If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library. nettle-3.10/hmac-sha1.c0000644000175000017500000000301614633602171013665 0ustar nissenisse/* hmac-sha1.c HMAC-SHA1 message authentication code. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "hmac.h" void hmac_sha1_set_key(struct hmac_sha1_ctx *ctx, size_t key_length, const uint8_t *key) { HMAC_SET_KEY(ctx, &nettle_sha1, key_length, key); } void hmac_sha1_update(struct hmac_sha1_ctx *ctx, size_t length, const uint8_t *data) { sha1_update(&ctx->state, length, data); } void hmac_sha1_digest(struct hmac_sha1_ctx *ctx, size_t length, uint8_t *digest) { HMAC_DIGEST(ctx, &nettle_sha1, length, digest); } nettle-3.10/ccm-aes192.c0000644000175000017500000000623414633602171013674 0ustar nissenisse/* ccm-aes192.c Counter with CBC-MAC mode using AES192 as the underlying cipher. Copyright (C) 2014 Exegin Technologies Limited Copyright (C) 2014 Owen Kirby This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "ccm.h" void ccm_aes192_set_key(struct ccm_aes192_ctx *ctx, const uint8_t *key) { aes192_set_encrypt_key(&ctx->cipher, key); } void ccm_aes192_set_nonce(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *nonce, size_t authlen, size_t msglen, size_t taglen) { ccm_set_nonce(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, nonce, authlen, msglen, taglen); } void ccm_aes192_update(struct ccm_aes192_ctx *ctx, size_t length, const uint8_t *data) { ccm_update(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, data); } void ccm_aes192_encrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_encrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, dst, src); } void ccm_aes192_decrypt(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { ccm_decrypt(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, dst, src); } void ccm_aes192_digest(struct ccm_aes192_ctx *ctx, size_t length, uint8_t *digest) { ccm_digest(&ctx->ccm, &ctx->cipher, (nettle_cipher_func *) aes192_encrypt, length, digest); } void ccm_aes192_encrypt_message(struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ccm_encrypt_message(&ctx->cipher, (nettle_cipher_func *) aes192_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ccm_aes192_decrypt_message(struct ccm_aes192_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ccm_decrypt_message(&ctx->cipher, (nettle_cipher_func *) aes192_encrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-3.10/sexp-transport-format.c0000644000175000017500000000426514633602171016431 0ustar nissenisse/* sexp-transport-format.c Writing s-expressions in transport format. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sexp.h" #include "base64.h" #include "buffer.h" static inline void base64_encode_in_place (size_t length, uint8_t *data) { base64_encode_raw ((char *) data, length, data); } size_t sexp_transport_vformat(struct nettle_buffer *buffer, const char *format, va_list args) { size_t start = 0; size_t length; size_t base64_length; if (buffer) { if (!NETTLE_BUFFER_PUTC(buffer, '{')) return 0; start = buffer->size; } length = sexp_vformat(buffer, format, args); if (!length) return 0; base64_length = BASE64_ENCODE_RAW_LENGTH(length); if (buffer) { if (!nettle_buffer_space(buffer, base64_length - length)) return 0; base64_encode_in_place(length, buffer->contents + start); if (!NETTLE_BUFFER_PUTC(buffer, '}')) return 0; } return base64_length + 2; } size_t sexp_transport_format(struct nettle_buffer *buffer, const char *format, ...) { size_t done; va_list args; va_start(args, format); done = sexp_transport_vformat(buffer, format, args); va_end(args); return done; } nettle-3.10/umac64.c0000644000175000017500000000754514633602171013235 0ustar nissenisse/* umac64.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key) { _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 2); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_low = 0; ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac64_set_nonce (struct umac64_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_low = ctx->nonce[nonce_length - 1] & 1; ctx->nonce[nonce_length - 1] &= ~1; ctx->nonce_length = nonce_length; } #define UMAC64_BLOCK(ctx, block) do { \ uint64_t __umac64_y[2]; \ _nettle_umac_nh_n (__umac64_y, 2, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ __umac64_y[0] += 8*UMAC_BLOCK_SIZE; \ __umac64_y[1] += 8*UMAC_BLOCK_SIZE; \ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, __umac64_y); \ } while (0) void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC64_BLOCK, (void)0); } void umac64_digest (struct umac64_ctx *ctx, size_t length, uint8_t *digest) { uint32_t tag[2]; uint32_t *pad; assert (length > 0); assert (length <= 8); if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y[2]; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); _nettle_umac_nh_n (y, 2, ctx->l1_key, ctx->index + pad, ctx->block); y[0] += 8 * ctx->index; y[1] += 8 * ctx->index; _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 2, ctx->count++, y); } assert (ctx->count > 0); if ( !(ctx->nonce_low & _UMAC_NONCE_CACHED)) { aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) ctx->pad_cache, ctx->nonce); ctx->nonce_low |= _UMAC_NONCE_CACHED; } pad = ctx->pad_cache + 2*(ctx->nonce_low & 1); /* Increment nonce */ ctx->nonce_low++; if ( !(ctx->nonce_low & 1)) { unsigned i = ctx->nonce_length - 1; ctx->nonce_low = 0; ctx->nonce[i] += 2; if (ctx->nonce[i] == 0 && i > 0) INCREMENT (i, ctx->nonce); } _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 2, ctx->count); tag[0] = pad[0] ^ ctx->l3_key2[0] ^ _nettle_umac_l3 (ctx->l3_key1, ctx->l2_state); tag[1] = pad[1] ^ ctx->l3_key2[1] ^ _nettle_umac_l3 (ctx->l3_key1 + 8, ctx->l2_state + 2); memcpy (digest, tag, length); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-3.10/write-le64.c0000644000175000017500000000300714633602171014025 0ustar nissenisse/* write-le64.c Copyright (C) 2001, 2011, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-write.h" #include "macros.h" void _nettle_write_le64(size_t length, uint8_t *dst, const uint64_t *src) { size_t i; size_t words; unsigned leftover; words = length / 8; leftover = length % 8; for (i = 0; i < words; i++, dst += 8) LE_WRITE_UINT64(dst, src[i]); if (leftover) { uint64_t word; word = src[i]; do { *dst++ = word & 0xff; word >>= 8; } while (--leftover); } } nettle-3.10/cnd-memcpy.c0000644000175000017500000000265314633602171014165 0ustar nissenisse/* cnd-memcpy.c Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "memops.h" void cnd_memcpy(int cnd, volatile void *dst, const volatile void *src, size_t n) { const volatile unsigned char *sp = src; volatile unsigned char *dp = dst; volatile unsigned char c; volatile unsigned char m; size_t i; m = -(unsigned char) cnd; for (i = 0; i < n; i++) { c = (sp[i] & m); c |= (dp[i] & ~m); dp[i] = c; } } nettle-3.10/eddsa-hash.c0000644000175000017500000000447414633602172014136 0ustar nissenisse/* eddsa-hash.c Copyright (C) 2014, 2019 Niels Möller Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "eddsa.h" #include "eddsa-internal.h" #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" /* Convert hash digest to integer, and reduce canonically modulo q. Needs space for 2*m->size + 1 at rp. */ void _eddsa_hash (const struct ecc_modulo *m, mp_limb_t *rp, size_t digest_size, const uint8_t *digest) { mp_size_t nlimbs = NETTLE_OCTET_SIZE_TO_LIMB_SIZE (digest_size); mp_limb_t cy; mpn_set_base256_le (rp, nlimbs, digest, digest_size); if (nlimbs > 2*m->size) { /* Special case for Ed448: reduce rp to 2*m->size limbs. After decoding rp from a hash of size 2*rn: rp = r2 || r1 || r0 where r0 and r1 have m->size limbs. Reduce this to: rp = r1' || r0 where r1' has m->size limbs. */ mp_limb_t hi = rp[2*m->size]; assert (nlimbs == 2*m->size + 1); hi = mpn_addmul_1 (rp + m->size, m->B, m->size, hi); assert_maybe (hi <= 1); hi = mpn_cnd_add_n (hi, rp + m->size, rp + m->size, m->B, m->size); assert_maybe (hi == 0); } m->mod (m, rp + m->size , rp); /* Ensure canonical reduction. */ cy = mpn_sub_n (rp, rp + m->size, m->m, m->size); cnd_copy (cy, rp, rp + m->size, m->size); } nettle-3.10/ghash-internal.h0000644000175000017500000000472214633602172015042 0ustar nissenisse/* ghash-internal.h Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GHASH_INTERNAL_H_INCLUDED #define NETTLE_GHASH_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "gcm.h" /* Name mangling */ #define _ghash_set_key _nettle_ghash_set_key #define _ghash_update _nettle_ghash_update #define _siv_ghash_set_key _nettle_siv_ghash_set_key #define _siv_ghash_update _nettle_siv_ghash_update #ifdef __cplusplus extern "C" { #endif /* The CTX a struct gcm_key (even if struct ghash_key might be a more * appropriate name). An array of blocks, exact contents depends on * the implementation. STATE is only a single block. */ /* Expands KEY as needed, for corresponding _ghash_update */ void _ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key); /* Updates STATE by hashing DATA, which must be an integral number of blocks. For convenience, returns a pointer to the end of the data. */ const uint8_t * _ghash_update (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data); /* Expands KEY as needed, for corresponding _siv_ghash_update */ void _siv_ghash_set_key (struct gcm_key *ctx, const union nettle_block16 *key); /* Updates STATE by hashing DATA, which must be an integral number of blocks. For convenience, returns a pointer to the end of the data. */ const uint8_t * _siv_ghash_update (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data); #ifdef __cplusplus } #endif #endif /* NETTLE_GHASH_INTERNAL_H_INCLUDED */ nettle-3.10/curve448.h0000644000175000017500000000271514633602172013522 0ustar nissenisse/* curve448.h Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CURVE448_H #define NETTLE_CURVE448_H #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define curve448_mul_g nettle_curve448_mul_g #define curve448_mul nettle_curve448_mul #define CURVE448_SIZE 56 void curve448_mul_g (uint8_t *q, const uint8_t *n); void curve448_mul (uint8_t *q, const uint8_t *n, const uint8_t *p); #ifdef __cplusplus } #endif #endif /* NETTLE_CURVE448_H */ nettle-3.10/base64-meta.c0000644000175000017500000000300214633602171014126 0ustar nissenisse/* base64-meta.c Copyright (C) 2002 Dan Egnor, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "base64.h" /* Same as the macros with the same name */ static nettle_armor_length_func base64_encode_length; static size_t base64_encode_length(size_t length) { return BASE64_ENCODE_LENGTH(length); } static nettle_armor_length_func base64_decode_length; static size_t base64_decode_length(size_t length) { return BASE64_DECODE_LENGTH(length); } const struct nettle_armor nettle_base64 = _NETTLE_ARMOR(base64, BASE64); nettle-3.10/nist-keywrap.c0000644000175000017500000001131014633602171014554 0ustar nissenisse/* nist-keywrap.c AES Key Wrap function. implements RFC 3394 https://tools.ietf.org/html/rfc3394 Copyright (C) 2021 Nicolas Mora 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "nist-keywrap.h" #include "memops.h" #include "macros.h" #include "bswap-internal.h" void nist_keywrap16 (const void *ctx, nettle_cipher_func *encrypt, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext) { union nettle_block16 I, B; union nettle_block8 A; size_t i, j, n; uint8_t *R = ciphertext + 8; /* ciphertext_length must be at least 16 * and be divisible by 8 */ assert (ciphertext_length >= 16); assert (!(ciphertext_length % 8)); n = (ciphertext_length - 8) / 8; memcpy (R, cleartext, (ciphertext_length - 8)); memcpy (A.b, iv, 8); for (j = 0; j < 6; j++) { for (i = 0; i < n; i++) { /* I = A | R[1] */ I.u64[0] = A.u64; memcpy (I.b + 8, R + (i * 8), 8); /* B = AES(K, I) */ encrypt (ctx, 16, B.b, I.b); /* A = MSB(64, B) ^ t where t = (n*j)+i */ A.u64 = B.u64[0] ^ bswap64_if_le ((n * j) + (i + 1)); /* R[i] = LSB(64, B) */ memcpy (R + (i * 8), B.b + 8, 8); } } memcpy (ciphertext, A.b, 8); } int nist_keyunwrap16 (const void *ctx, nettle_cipher_func *decrypt, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext) { union nettle_block16 I, B; union nettle_block8 A; int i, j; size_t n; uint8_t *R = cleartext; /* cleartext_length must be at least 8 * and be divisible by 8 */ assert (cleartext_length >= 8); assert (!(cleartext_length % 8)); n = (cleartext_length / 8); memcpy (A.b, ciphertext, 8); memcpy (R, ciphertext + 8, cleartext_length); for (j = 5; j >= 0; j--) { for (i = n - 1; i >= 0; i--) { /* B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i */ I.u64[0] = A.u64 ^ bswap64_if_le ((n * j) + (i + 1)); memcpy (I.b + 8, R + (i * 8), 8); decrypt (ctx, 16, B.b, I.b); /* A = MSB(64, B) */ A.u64 = B.u64[0]; /* R[i] = LSB(64, B) */ memcpy (R + (i * 8), B.b + 8, 8); } } return memeql_sec (A.b, iv, 8); } void aes128_keywrap (struct aes128_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext) { nist_keywrap16 (ctx, (nettle_cipher_func *) & aes128_encrypt, iv, ciphertext_length, ciphertext, cleartext); } void aes192_keywrap (struct aes192_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext) { nist_keywrap16 (ctx, (nettle_cipher_func *) & aes192_encrypt, iv, ciphertext_length, ciphertext, cleartext); } void aes256_keywrap (struct aes256_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext) { nist_keywrap16 (ctx, (nettle_cipher_func *) & aes256_encrypt, iv, ciphertext_length, ciphertext, cleartext); } int aes128_keyunwrap (struct aes128_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext) { return nist_keyunwrap16 (ctx, (nettle_cipher_func *) & aes128_decrypt, iv, cleartext_length, cleartext, ciphertext); } int aes192_keyunwrap (struct aes192_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext) { return nist_keyunwrap16 (ctx, (nettle_cipher_func *) & aes192_decrypt, iv, cleartext_length, cleartext, ciphertext); } int aes256_keyunwrap (struct aes256_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext) { return nist_keyunwrap16 (ctx, (nettle_cipher_func *) & aes256_decrypt, iv, cleartext_length, cleartext, ciphertext); } nettle-3.10/nist-keywrap.h0000644000175000017500000000566114633602172014576 0ustar nissenisse/* nist-keywrap.h AES Key Wrap function. implements RFC 3394 https://tools.ietf.org/html/rfc3394 Copyright (C) 2021 Nicolas Mora 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_NIST_KEYWRAP_H_INCLUDED #define NETTLE_NIST_KEYWRAP_H_INCLUDED #include "nettle-types.h" #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define nist_keywrap16 nettle_nist_keywrap16 #define nist_keyunwrap16 nettle_nist_keyunwrap16 #define aes128_keywrap nettle_aes128_keywrap #define aes192_keywrap nettle_aes192_keywrap #define aes256_keywrap nettle_aes256_keywrap #define aes128_keyunwrap nettle_aes128_keyunwrap #define aes192_keyunwrap nettle_aes192_keyunwrap #define aes256_keyunwrap nettle_aes256_keyunwrap void nist_keywrap16 (const void *ctx, nettle_cipher_func *encrypt, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext); int nist_keyunwrap16 (const void *ctx, nettle_cipher_func *decrypt, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext); void aes128_keywrap (struct aes128_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext); void aes192_keywrap (struct aes192_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext); void aes256_keywrap (struct aes256_ctx *ctx, const uint8_t *iv, size_t ciphertext_length, uint8_t *ciphertext, const uint8_t *cleartext); int aes128_keyunwrap (struct aes128_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext); int aes192_keyunwrap (struct aes192_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext); int aes256_keyunwrap (struct aes256_ctx *ctx, const uint8_t *iv, size_t cleartext_length, uint8_t *cleartext, const uint8_t *ciphertext); #ifdef __cplusplus } #endif #endif /* NETTLE_NIST_KEYWRAP_H_INCLUDED */ nettle-3.10/umac-poly128.c0000644000175000017500000000617514633602171014275 0ustar nissenisse/* umac-poly128.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "umac.h" #include "umac-internal.h" #define HI(x) (x >> 32) #define LO(x) (x & 0xffffffffUL) static void poly128_mul (const uint32_t *k, uint64_t *y) { uint64_t y0,y1,y2,y3,p0,p1,p2,p3,m0,m1,m2; y0 = LO (y[1]); y1 = HI (y[1]); y2 = LO (y[0]); y3 = HI (y[0]); p0 = y0 * k[3]; m0 = y0 * k[2] + y1 * k[3]; p1 = y0 * k[1] + y1 * k[2] + y2 * k[3]; m1 = y0 * k[0] + y1 * k[1] + y2 * k[2] + y3 * k[3]; p2 = y1 * k[0] + y2 * k[1] + y3 * k[2]; m2 = y2 * k[0] + y3 * k[1]; p3 = y3 * k[0]; /* Collaps to 4 64-bit words, +---+---+---+---+ | p3| p2| p1| p0| +-+-+-+-+-+-+-+-+ + | m2| m1| m0| -+-+-+-+-+-+-+-+-+ */ /* But it's convenient to reduce (p3,p2,p1,p0) and (m2,m1,m0) mod p first.*/ m1 += UMAC_P128_OFFSET * HI(p3); p1 += UMAC_P128_OFFSET * (LO(p3) + HI(m2)); m0 += UMAC_P128_OFFSET * (HI(p2) + LO(m2)); p0 += UMAC_P128_OFFSET * (LO(p2) + HI(m1)); /* Left to add +---+---+ | p1| p0| +-+-+-+-+ m1| m0| +-+---+ */ /* First add high parts, with no possibilities for carries */ p1 += m0 >> 32; m0 <<= 32; m1 <<= 32; /* Remains: +---+---+ | p1| p0| +-+-+---+ +| m1| m0| -+---+---+ */ p0 += m0; p1 += (p0 < m0); p1 += m1; if (p1 < m1) { p0 += UMAC_P128_OFFSET; p1 += (p0 < UMAC_P128_OFFSET); } y[0] = p1; y[1] = p0; } void _nettle_umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml) { uint64_t yh, yl, cy; if ( (mh >> 32) == 0xffffffff) { poly128_mul (k, y); if (y[1] > 0) y[1]--; else if (y[0] > 0) { y[0]--; y[1] = UMAC_P128_HI; } else { y[0] = UMAC_P128_HI; y[1] = UMAC_P128_LO-1; } mh -= (ml < UMAC_P128_OFFSET); ml -= UMAC_P128_OFFSET; } assert (mh < UMAC_P128_HI || ml < UMAC_P128_LO); poly128_mul (k, y); yl = y[1] + ml; cy = (yl < ml); yh = y[0] + cy; cy = (yh < cy); yh += mh; cy += (yh < mh); assert (cy <= 1); if (cy) { yl += UMAC_P128_OFFSET; yh += yl < UMAC_P128_OFFSET; } y[0] = yh; y[1] = yl; } nettle-3.10/aes-encrypt.c0000644000175000017500000000344414633602171014362 0ustar nissenisse/* aes-encrypt.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* The main point on this function is to help the assembler implementations of _nettle_aes_encrypt to get the table pointer. For PIC code, the details can be complex and system dependent. */ void aes_encrypt(const struct aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { switch (ctx->key_size) { default: abort(); case AES128_KEY_SIZE: aes128_encrypt(&ctx->u.ctx128, length, dst, src); break; case AES192_KEY_SIZE: aes192_encrypt(&ctx->u.ctx192, length, dst, src); break; case AES256_KEY_SIZE: aes256_encrypt(&ctx->u.ctx256, length, dst, src); break; } } nettle-3.10/sm3-meta.c0000644000175000017500000000232414633602171013552 0ustar nissenisse/* sm3-meta.c Copyright (C) 2017 Jia Zhang Copyright (C) 2021 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sm3.h" const struct nettle_hash nettle_sm3 = _NETTLE_HASH(sm3, SM3); nettle-3.10/md5-compat.c0000644000175000017500000000257114633602171014076 0ustar nissenisse/* md5-compat.c The md5 hash function, RFC 1321-style interface. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "md5-compat.h" void MD5Init(MD5_CTX *ctx) { md5_init(ctx); } void MD5Update(MD5_CTX *ctx, const unsigned char *data, unsigned int length) { md5_update(ctx, length, data); } void MD5Final(unsigned char *out, MD5_CTX *ctx) { md5_digest(ctx, MD5_DIGEST_SIZE, out); } nettle-3.10/nettle.pdf0000644000175000017500000223634214633602172013762 0ustar nissenisse%PDF-1.5 % 1 0 obj << /Length 587 /Filter /FlateDecode >> stream xmTM@+z&?tBL$d4*.<_fW_wիrc;`GUOV&ʮ[v6W7TvbuYt/N.5=S> stream xmTM@+z&?tBL0d4*.<̿~UfW_uvc;Z̫MfG} I]/ޭmޯo⣩0^'^x]fkn{EK{*ʇupg6;ލ$4;gZ8, M[TPRJGeWxmE7 "/7j;{Yʋ"1tm|oirI ɑc׺>[TқEnn#bBSEV嶭mzsg)gR133w xAb;aGL6K&0+}&"?(Ҧa/ c,!-f3*Ix {asIC%hS7}H=ŤIY(jŧ Z4{SO5Z ekxvKǬ@2a> stream xmSn0+$z"aKU^CvF^p=!94gB˥0pދ s#P~k@hZ+vQڦ(A,Rf5Ħq8>K_X NH3$Ǟ{<0*5c~Pʯ5W42^!0^#rqxƘE3x z)cgl1BҰ?Xq!NAWA*d1)iȧΰО 9璆NVfkVaUJ?%͚5ػbTW=ј52f&p2pjV^cHMcVYxLS7E=1j g endstream endobj 6 0 obj << /Length 261 /Filter /FlateDecode >> stream xڍ?K1|Io+xl'wӅs`W7٬0yT4*e4>5wm9eΠ.#(TwڑMT+lWOց!ޱ4MCeWG`oہw#lݳ()9=i4k)(UJC$*ho \lzNXa.oG{x:xhd`$+Kh`PsK> %'NqR5!3!; h9 endstream endobj 13 0 obj << /Length 435 /Filter /FlateDecode >> stream x}RM0+Pmb7f9m)7EԼg ؼXUzofޏ=+E$>I%op-^O8Κ/MWG!%$(1MVV1|UsUYȏy¤Sj(Z{!y".&žfGaBAhj4y 2-Wp]>ǥ+z)Uzs16ټ Ag Ē!F)!Y}.e z<4 n7N NɘŪajI8LM͵1U.+AN{׭C}L^k-:&|&/vxj*(ޏ+e|S7&hmf> stream x[S7w>BCdu:lƘjZّ' t&s?jWQ9:2B'hvGëQ=|AV|/J%:6ę4tx׽IGq l*?K| L&NJ„l&N.¨bl_nߩJ!5ow*y;?`-Oog,Q&ƿD~h~[?}:طw.Fts]AVAcv%J*lt#qG-1̴\,:"98A/~PbB( aw*BlwE2戵v$ڊ+%~j< /G {dƄ9-C7l,LHbZQY mwZIu3tI0/!K}FރREzP?xvXޫ$Җw6\nf&mBrl|?`ajZvƋPqJs94֜hZlVZ_Q;D.7`36j[,N[h &a吶mܠ q'u60~;,>&| _HxY9o +l6=izx<޲//p~g4WnsO}x<0rF$0pf$mr9 w*@Ah4nb}ݶ XM}9)lE.7h3&%:њ*AӗjMj!Myg+pA4y'ܩ\[QR{n|[ؗCsL-rE03]@qK,xf~>}mw^25P{khƢ!4y+hp &0&sFzR'0A5vlb rbE\nf&4l,rE>X|<)j'iHB)r]Ef-nˢ@XGck!bVXrȐE83Y4*ܼ,޽÷/%ʯ>SV]_rX 0\nf&`/=ˁvilg62j c rHa.!sB03)nޝLݽb_x_{"@X`ڗCM0/nC憦M &{*=E['&EJͽ٬ogfs93ܿP|H սswK;?EsWH,T yzË;pA}$qNH|/i_'!q~xu ˭/q`f#Ʀ <}IqfЄ[5HwǪDPp}P{H}5 0̡B endstream endobj 130 0 obj << /Length 2861 /Filter /FlateDecode >> stream x]o+t)]o:E(&$DKir89:۱]kh^C,Ptb &ˏϨ{d||γ~yԄQRӚMMSuӮ/NH>r&c5jbkTANl(_P&ח -KEVѽO} _w}ߏ*ܢ@`B< /pQV.@H,)"2cH#ԌD F:)JHjݛt<,)0'B"8]G!)dUF!ófn8קWy˰p!t{fd\b/mgͧVexm7Ijs1e>oї T> mX^ˎ%),D,nq!]bn"YLEY<'k`">by}c L=CԌiED/ہ7oeAbn vY^v.[[f鮯F}.1r=s`tdv^( u<`+.uɛZÏ9s _ a)Ԍ961د{ah..jƦrS`?XzR8DOt=f+Hsz"?tnfys]aq ;&1<@~ܱpp P3[oLJ@>,^,|媕2NЦ'z@!C 5RׁjyH5\'"{Y=T euuȂ7HȲp-ː!u{`Y4dzŬӶxۤrguQЏOKO ɝ H]G1=aymn/,"M]zEm}/>ohƖ{ns9`Xon7m) ߌ &1Fgg%Wn]tp۝ ݶ)RGԔ0#3wb)joA~C.X5p?JlffwҚȦFiUcyo3¡|,L ugԌTIcޢ葌T=el"6i*wm ٙ)v3U,)3GeO C)L<2&ϛK]-M?1iZ|亼3L4Owx~lgE a0p|eq \5ca3q3>Md'KMg@Q&Xe1C,\Rױj I,~SV)NT"1Efw{P?c$y$pp$P3$ji+Bsٮ|fWYD۔A+8D+ ڲY7=ZfD,,7Y,߶ڷHbPWa8r>i>PĒ!3(dq7'0C&tEX6Sfuݭoҷ Pm[2J&}jo AyMjLٕ3Zo\*&6cS[p1ypp$P3绌 [clƲ!rUq+5#["Zo%fkR視woj*nRۉ2C\挨|H]%d(fr.w2>$$V6cfsEj1I1XR8R*ގu,%j9K;Ղ[F7<1`J[Ϫoulaȫp%N;=9]<__?\`z O!,a˔2HX3$n4Ze uؙjOIq0XR8Rn*"uHf?-dzݼo$JE@XR8DR* uIf$I"'IM.k;y]W{BN,)2gD7yKP3LB2.Ssw箾2AU"✰ZITx,A)"(wS;H]G vhJ9a]:FUv2nt5ߚpdTN_ /\ۼjm!rou uRɊtԓPIa+Xd+ Y{Hݞ-X3pfh }l7n5M:Ǭv<9=x) #-<kqF[ӅuB1uJ* M8aĤpA]1"u4fFb5'/B0(Jkmzpcw0 K_ I5$ma=aqVf'σ}]p ԌN0"io䏛 `cI5#t5fU-jpnE-9&6,)/gAw\?P3NTd)E5msQ-O(cus-HbH=فuHޚZcT> stream xKs7܍T54@v$?&Q쒔Ejj4E;)E%4VЗWV"[}D\M:i?:DsN0g0^|FnBٿ^H9 IY:br?;>O!=[SJ-1Lpݙj" mmjNswozura'T-gD(?O{W|'[Yi!r>_e-lvyR.lrV)jnS:=95R/c#u B0ϻ1m=cU3vUM4KCƂ8iLH#Kp8WƌrF=CtPte9DW/:]8_OrÔ=ĝbRҔ(?Ѕ De9DT/:Q8_O虈0#J䝈rHԗ *%*!z*Q8_O虈n>Â(uNxuz ,]g =2XS0v.S2.S|1Z,Y1(3 z&F?LŒrb4De4!F{*8_( ΆfFMm9\}.iK+/ļr>ҷK+DjC$OੀݏOS!],6ܛmڋ}ns]׸Ql^rwJXu%G L}rCI$Xzы:rRunvp޻l}1=1܇3SCu\RCmX eS ShlNmshuA0B85.bXLJH[= =zYlD P9)aqТX4BS ףzF4ǟA1S-Dhcmр= )Ac`)ZFChbhq+&hE~z[k-71=,YaC!cz& UCCy:GќHc4(NC9KgLФa%;)2X2Ұq}(;,*=@n|34PLS m&!hzh@ kf2kMhk,4YAS8 Cz&hMA#@6BS&5,)4H_ nueΐ ,+'G13uB #\4-/y oz`^zA&F'1HhZ,#Y1Reeg0c =F@u|80#w<Bp˸ҷ L\iE%KYָ? Qh{,DYATjϟ }=DgHa1&a5~B`"7hPհg9FAD+^)_ %F`r2j[]Az@ϸǸ"&L@u#׋je$f,slUQl{zZȫoMuiMcϘTl12}z\/~{|a arT7hA4!qJ3;:}rzx~Zv!,XYUfLG =XiXՄ Xb=/C\q2B@:q l349Nj5[/.o;pލNXrȐ6*걁5!Fc `>^ͶwrN>QDqp 퍥&!l{pn%ڳ]Ct:>1er|ߊb1k7T g7W61u5%O=VS-ZbGWZM8i8Bb̓zyk q.z}U5=:?Q&eNA> $| endstream endobj 9 0 obj << /Type /ObjStm /N 100 /First 836 /Length 2286 /Filter /FlateDecode >> stream xڵZQ ~_E+R%FA쇦{HC4 g :38qj)ߨ$͒5IDESL$ICMi#{%ʜ'0@/gb l-qŃ+C#1>'Q+DjWSzbLJ?qi:0S Z UNЧj$CA SyHLVt HkbJL:&570li0-=W IC;ذ &LhQx$q3)*Г*5i4 (ʧ(8{dϏ8#}|x)`/__͙ڟL +=wBM>3&trnlϲy.|*p RRإKa.]Ju)եTR]Ju)եTR]Ju)եK".E\q)Rĥ|bՋNtO9zx Xno8"26l*p aܗ}_?yH/W[C'Fֱk[oJd]Yg}d<&,BY0kYI])?4h/C~R`Qtr<R[bP*繣*8/p4G ?u6 Arin.͖|\љQ9*vm8*Ds+jnu3՚BMKFp3o Ep"GKz^)d([?Ӭٳ-Ӟ .Y$mdXBUÏ>B65UԎ+3x'ɋDRHFo-Ff&rlWL7͛?Qc]GԉVMF+:+ꙤJ\3gفpC g5p)åL2]t)ӥL2]t)ӥL2]ч~r\k\)`Jp0%H(QȣG!J\+stN:CAP0;s|OTr"RGNG΢D^I(ɷ7hc׎ux]}dE%U$E]5uzEvWdl0ޢ<tǨyޢDs';Ԩ]EeCpfI[ !f!ꢺn5}>/^x6emg*t ]Euqc%jͭtCZhĀԩb=6sӃa[GF,., ;9Bib))}cPidk!'݌[ s1JMEɢ=M;oX9wu "9yȎs"t[ֹ*N?5h`|pՠI\v~h8|jȅ{B[~ȅe-h[F#TVB[EvFkwڣex]sѠњ{glgnh`@׀CDxl-̸v,ӲŇ9dAxG 5G[4@'4'He_hL EN^OQٛ<;l*_GTex42GGvOLWwl!јe8yR|,?\ƙ=C{vӯA{=h4qܯ' C^y=䍐7B^4=OOAS04GC^l=]OS=eOS4gc=mAs=mAse#h'm'^͑wOv:6}Dkv,'yyAIo β endstream endobj 245 0 obj << /Length 225 /Filter /FlateDecode >> stream xڥN0<TeDJڪC]JoCZT!^`wu>dZ =AX%L<x 6C]d:26\u ûB+M\EqcRJ/M nQ[co58~ endstream endobj 219 0 obj << /Type /ObjStm /N 100 /First 889 /Length 1582 /Filter /FlateDecode >> stream xڵXMo9=Ǯrm ! Er& 6̠;)vU^1 .b$<1 ٥,NYb .3R!WBnu+&aN&.&AwAQt,i`FG<XO59bs ̫ܪّ 8XjxC,fq$t)ņ[㤰ı F&L8dKKQ #z(KC1$$F*.iD- 4,VdY!lL( |! wcFR12,WD07U  MD}Ƞ h(d2 Da L圐&r"Б! !$1ABRuB1c ruF )yI*.a@RBK!hX\-cvɇJ6uE\LRP0!9ԆZ!a4 a f,NP/f9!"6^46w6WZ7Zmro3{ޜ2<ëfv.e՘}-6C>D}w=wk7;rw2kx!:}QKI^qRGuDpY}6>) /r`tu]ڳSσ\m8o z R-PAqm,ᗾ78ڗf}v.׫Ω;W;J6˷ﶽM߈#^{O^~q'Bg> stream xڕV]O8}#~۩!+0ㄱRxE Vj ZYAh i m8'K`YV` $%A 1 8Ո4Ha `EL&B"l}/$pFa‘G ~.o)Ɛ)RIA{ªEP4!L݊`yMDBIp$2'!XE(R1c#L.fd $0ce$,XF79e p"6e9`4NY(Z,KPSp&*gx,vF@94MQ Ĺ *A(ݳ4WyU}yTó/Y.2|Vy`;1̈́0xZ"oBմLX 7̘Vhf09jqXb<7Z9YtV 'VesPAqk <㮩9g1 3 ,ѱ@[!= ?9Z,_Hiq~sx8YrY3qTĺ?in8UM:/chǬf<X-VEZc|ѢYnU2s)VynQ6&Mv)!nX*;X QsyS|,r<-!lWafxH7Ue )CT>D8oQ2D]R08]>4'#:NygH˻8vs:Fbr_,y?GZu~m$_ڟV1Wyv̗wp#// hu>_bM۔m\/I>ަUllO18ey}h{Sǿu1݌l"qn|noY9Uf<;X1ymȶ!{2,azVϮ[, Nw |EF[zW/.tSիh|<3YՑZT h5{ ?D{ P/nn:hL/gw*X71>VU3"􁪵rWk9`]O[$^VUl{Nh.hET8~ ŷ9} \}byM'1˦وkл>m wp;A;d endstream endobj 695 0 obj << /Length 1493 /Filter /FlateDecode >> stream xڍWo6 _9َvn]VlðۃbV,mnҦ@MQ$ERJ/^ѢHӰTEu;L~s W'?l>e8 ˨Eaަ^6\}̆$Q͑dag  TM< ne~+cmע#]uxPU`~@vbVc{OUPgwٌ5l# +tb2YGޮ:Zy08 ,P Z*~#]`{<n 5_u5bfFQh}Gg~$-ugȉ.%=Ceki; NeJdZqA"0U0ϐ?853tz++_vihMkʄ˕*r6L܏#&v+WrJ(amTkp^Uenvp~Bk!ɂ֐5\w0,y-*4W~2x݋}=.m18RCS[*2@7X,;84 ZBR {A$c Bd4]SARkT0(d[n !)YG j|\G{s& XN*8'8,O2BR ol1Z k %-%`EqmE{%0D#u-Ia5ccklVp6(iXcreBVv)Ǡ<:6DrJ/O1K=ڛmeL1Bb̈́@?pzoTʐB5=@qA[-W3PQw"V*l9ih/HםmwLҝb Tqu"U#H0{eH;?bPS v0:mk -q\Z_֠[LsQ]_i&zBp@xu~v  }ez)L?*"dW&a: 4#5:i? B{/WՄoqԎ endstream endobj 526 0 obj << /Type /ObjStm /N 100 /First 851 /Length 1228 /Filter /FlateDecode >> stream xڍWoHb]*{TU"@׫Nl&Cٙ Biaxx 2f+)JŸ!7@ %V cLXiLOˤx:&ṳZs&td*VL>0o68M̔ Ɓ7 ®!m4i;,rqaH[l̒qfS0q]L9 i;,11A.^H{<άb jԀ1!3`X!`kb NcP Υ JǹΑ]p%Bt`It%jkΥ#^sKA̠\I(CeHW8A)X#*ad6͊S4A繫C;M wND1u=7H{̒L= rck2 4Xb:c3!hlN!cxPH``1()Z,Lby*޾e˂ '7ݻdql<#>_>źW}͢CH b4Ͷxatd۴}z_ ׃ &~ z|\2T6ؗE7+elǏwЂ٢_)B=;jw%MQ];F;:ŨF6OۖfSU3yT)zUQepo>g2*4˖~6fYVGhp: VIkff!&+n}Y8\,EV,i'W;_77}@O>yza$M׽!PaۖٺŋXe` y2Z/.(cԳXMC;Y],KP=xuCցxGzJݦ;Z.dyy-ѹȷU^FpA?~/= \aS52?.6  B^m.F?bppr%,䴸g_c8 z-D .p! bo3&.˾*MI| endstream endobj 701 0 obj << /Length 802 /Filter /FlateDecode >> stream xڍUK0ё!ΣM jPB$.òmaP.Or͓]Yfm$t{9&$|o3W:y-O۬5߾O"v&?+_%"Ửu%Զ2^Vڦ>%gOF.S4Yކ{(M+X4ɞKC7Od41$a+gZ4LLt; '5M?N:/3^sK[0ax00$60tS9<șUil ,(i|z aQ%8sd GQ D=Kq٠i ͖ݐA>^fmBA՟)|@-( ax &…UJ'm0wղ >)k,.Ss r'f\OӲ}}ȀX"eb:jXʒq[FaFPyh֮@4}="PupOiYC5?i.EhnXoWnTfo[6 ?Z.ޏ{u kξp3}>#a.<z uWSGcv{ڬM-I.u]O6?0G#&KpDxXHCzΨzUyS-bпh&@L؁={GTl1Sc8> stream xڍnF_Rr )+@c@ DB.c+_߹m&( 3s&?ɃME~MF wWn~zyaďu8tሜԟ1PG c41etb0v<3r`ѳext՘: 8tyD`Z ǓA0Y3,#&q!#E#EUC*eaa\ ٜzkw((xT\sq wé㓴Z& sَ\v| K j񊯃4#=d`)?0q BSMxzH2!p5OXhLS}'aOf˺fHg~Cܯ>"GItE C5sԏpifT1X~|M4WLǪٽegh B jI&jfc+ *WvX 9$< TC} vЌH#V`k؝;tO'؄`q/ko]Nc JJ3L")$bdv͗BuӽӮDfta:$* 7bܪM ‘61u\<"G_zႥlWS1pXjfC5.p@m&sx M8Pp@(2Q|&@WU;neXTlƞK?yL endstream endobj 707 0 obj << /Length 784 /Filter /FlateDecode >> stream xڕV]o0}WD6CݤvӴBiBnal؁Bۉ{9'p}蹮|#Xb7jr{:V%j:FwD]yh7 &_ZAʊ2 г!@,)Hu}WVPöMxZ`y6,.fFbN6\UST'<\RLM wW"Di32YPP5V)DCQK6͘g>YRT\ % E)ǘѫ,vs^Ԕ,NޟӵD&*Dm ˃,$R7nV۾aA`#x,XEibF.c%vmiFe,`?脐DxcVq@NNh@9jbw U΂9;jSWs,@ R3Sl`{k'ux:ho%% tbV.ζTRA=p'oQI'Z2@ѱJ* Ľ!Zo2dSVhe\.vTl,yqes Aw~̣Ӳ k !O嵟} ǓZJBQ.v5`6l 鞊(QT;cF$xQ…|%:;s}qX:GIw,;ұGi"8[^> stream xڍQMO WpD 5O/&l%ҏ$ &4$ @@G)YJ B.IGAHw: *^ TS-z7]RbuEROfٱ6W*T %6$?#4Sp]*zh^n1C4&{%vim4w;TpO.z%r0DEOdBGn$Z[KV`"5 i8u :G߿ ƅ endstream endobj 714 0 obj << /Length 905 /Filter /FlateDecode >> stream xڍUK6Э2`"ERҵ@h0C,6kI4$: p(U`9q<̓xRIYU/yNDŽ|0{@{R Y<5SRTo~{uw7A| /JKJWB7ɔvrE 2呡7s3Dg7hAC6-aB*mnP<&;4 J.aj$ ?Ї{Uis 8FQbF|' tx G75L:w RI}Una[,N Uigr2 $⩙ZA{<u2z3wqe:_?\P.>`X, ^f%?R!=a9S9qQIY<7,UP"\2;c憲^`e4JGv0AEtd%d@jE3 Q+ꍃe]dEQQ7 pYcÆZP!g .S% 8v}ߠ]1~8FX0ZaΰeH>4Fh`Q\h%-w*R'wm!6e]Ӆ=&3)#px؟flP0z7КK*?p#, endstream endobj 717 0 obj << /Length 2958 /Filter /FlateDecode >> stream xڍYIoWf KrA0 #~&-+>57Q쮮ުk^|/2M:󻈨],|xx/*:㫻<.<ګݼP$?#rڲJ2L<-PEqnm^$/|}ucwx ejVRQ-+qmTlQsS' .Pʛ!É(уp]\*@v/|BmTan99+o#7vY &^wDb-jUŢ*/8Q8 c7{$r-f1@e/* !ۖmdEr6S8uӑoAg@ePa:Jl!Op oTͨ IY|T/YQ)|D{˒3Y>)$5W44N-#A("-0R836E ˤ7t]8thiFt!jը*fa2e@ "Y4qb.)'%n,Q- V4,MW- g["PqnV ok^5Hxl﵊ʝ`w)^Ub6 cHYEX/ʎ]3vrٝS)ĩQ`_cǁۓT0,ۙ'fF}d{bw "(\X#cqۿqܝ};ΑTk[I" .~`QqBLd5wC}¡EH tӷ`b+[yAȲd_n:иZ=]2AEC&4{8p;5:>TjuЅFkvg9BMJ3gn,J ýqae=&Wa ?=  6*%U}׮ =FW ݢ A8<%C u~‡E&x;~U3y+)r_[9C{kXIї?2l@p"%IjQ' 鏯boG Ui+$KoEң('/qq:/i[ GЌ868(7IOPRC.wl-L)(:IQ6 #mSVZ9ʤ*,jT5d6_l=)ˑ)ΎGW8{Ƕ= U1rVUS@ wpK97hAG[`迪w_y\Xkj.ļi NR,aw;d&b☸?5q%9՚',r,IfMGQTR"޾mx0R<>1b ^+̥v3$f RÆT+5F׎*:<` %[VJn9 ak$,ބ°` Qo~vGs[iz /}E̠H2i>k KEtpe#PsHN $ݪRw v ;/xo@0_޶UQ e_6 R瘂@ VFK[TpÓLnk;HkSB|!$*'N KqSCPs;+6~%5dx_ \^ՒZ eWKyÙ(PEiWRmpJ @&h3Q&wd.8 Ypqk֓sFT9Zs~2|d)5̕Shf(a,_zF(\wtAgB(eᑣ0P\7NTåy͇_Ui:s#)UAa?o6:(ZYr(蚕XO̓]J +ǫ\D(FK<2*I`'Ieݶv<.!}ZD%ֹ.k|(H+9(9Ij%?A觰nm5x+JHң^HV/2$GWzBAFY+M V(4f\"NX646"%eԒ"D6WI"4 <<`igzEFv!a7o葚YN\ أ6h¡B56_%D5Q(o_~,D t~C*1+I] endstream endobj 721 0 obj << /Length 2449 /Filter /FlateDecode >> stream xڭYmo6_[VH^$Mc]Zv\J @y33e\*KQ|U/bWa 6psw?(BnVFh3ɻٮDͿ.^LR_W~2W+ %F`Tk!eIUz##{g;T 87|QP9ysz$ITUʃ]ھz򢲮,tanh*ڦkxoλru# EHtFCs!3vO%:Xk@LfJVB*S上w;XhUڸ+];[Җf")=XQ>nI+=k0>~\4*;WbTqw k)1E ЏR u&rp{#! v( R[Axk;Ocն;ޤR`[agEԔ~n쪭k32P| (8J۷! }Bd8'YSۄopI~6L8\ *&ICw^?߰+;^ ?u-sA!8{;fWfk -R&?!(8̃dB8=ğ?N'TgI!"G;bĪ%CR"?-P@}VL~vr_,*N^eȿhH ĆT[8I}L bw\j~e4p}KÇ4>lq4@=R_`€,Wח$<80?x԰{Vtuj 5l:.*)~\g8 lJbnyu{k])J?j 8 ЂGXɛH?76Bki"9-f;CmH)rixA>pɼD~F|}EX%/̢X3ä + f 4v{cF 96XTC0Gɒ;,:1|8fYZpe@+!'FӢp4瑅̗UmdS&> uߎ K-)-x:okI5\ 'DXV\ƋQ/G/)Aww,!I6bʄ/t*Z2K:i(&zMx| Xos=Nz#ق0iaȖbt#uNpzJgC8(S21YƷ#Y&pXN|B2b|]Y,j0u䟮ohq*OJu!ޒm*OguYM;xgyX0BJ-"-&ڂU~6`Q&.V*[@%fu!#´y Xl&&0IMnb`^P҆ p4~H"D \݈czs7$zօVu1%s?ӯ+[K\2UF,3}J%v\s'u*Nhy2 ?7tɷG(Q`RxY uc1&}WE䊸vn, ow?\zy}/{(?#+42U{sNXp!.BqLҗſ_Woe03a.|qzn.^q_=NJ8ꙨR)r&A;j#Hr^&&b3"k> stream xY[s~ׯ#17vt&qX=VPɕ1 0hE9g 0%zN;|{n߹bYό,Uv]~]n \]|34NOj={dU22/UXB(UwW•I5*ƥ{vnet(VM^sd9Kq!ӞeÁ:7u~v&qH-SXǁ~ڧP]T7aՐ~+;nGqY@~߾gk~3/$o{pa r$U7+3ؒ0!u{a\;pn;_~}nNY r4SLXyغL! KqȋQc3vTRf ^"bcf .S`OM0T1H7Qi8⿡(\u]VZUm#U /&Z9` ʊ5*[5asqq:q4J7@a*o:2yGƬ5a9elaOPF`Fr(]R6Z#&wv둑#YqD.y5.{ %Ӿ co7jj*],we$7  3O:H(VœIVk&]^Uj C 5 %6! WU-m]x9<lfbv2Ca<Ŏ'1,MӁADDaF3Uۃ&~Z JjR0CuTya,EhҞV t㰞nָILZx'ic'4x: 26L.D[#|ζw?\JKP,L[c LF8Dɐ~󧿾ı""g9R* (%PѸ>r7o !a(>NPxM>׾D NІS8lqA; \6e:ںL.W &ȟ22Km둙e {ѭ*5>x)0 h}o! I0 6 \-[ 8D` (b&LXPUNXP1'g`Uv` i&<VLb?[> Cb1#^gg yS9l"T Kkz1l[ۭiW+)'k eNĄir(u~eq0^̇? *U̼3|Z'`;/ N<fL+ |4 n}N۝?Ӿ3g+S|b E_;x;F1&c -O;fS&+f<䑩Y .wwe>~x~v!2R|IG<7#𜃙}^:? ;/qe!s"u\|JC1h:OrnЄqΗ[8 |;/FC[|cD|4BloUPpÚLO)d0(THZERkkTu~S`_KBq'CceGql `? `I& $К>6iŒ݃, \1:}L~zCwڰyT _%Z endstream endobj 731 0 obj << /Length 2339 /Filter /FlateDecode >> stream xYY6~_GjBL*:n2}X+ő+BR3t7@˥ I?Ybdrl}lu]n \} X}\60'@ $6Q4E?ws`2Q\%ty,s-.qCx/z9Dsf3we4c:8f*Yi!-3ADw+7XCy-L4?o=n\c.  AEx]xΔ1*'agC8^$ V&>c^B6 \< $2eEtQ*GO?Q<,=* nۉMj =09AS ҺFx`;WɄ]x̦3oB@wU̚J)n\.|]PAm 95j#i.cc,|a66.H=H%6jE"C4 $¥ aY@^YQ vzlSxppuhAz܃K[N놾^P:|0Z `73eêEU $+_C>PWźe+ c]y8`>,C&Xk] h0vO` RQ#E,..\(cfDTDBP}4sӿhJe>RrۏJgS,gR=ȡ5௢+:;854L)6;p<OXydaQI)G}`h ^-4CI[XTXJup9U Ҟ 1Hwn:L6U\oJUV5|Evo_B2`R}43yͅd$%. 5L_2m ڒ-fuyۜ+pErrXn!cG-jxy"/!"i1Q`bjP~6qei+SEZ P\ZvrVP]T4>VqZY^kcxt*+mE}|0,@K5n˦V37:6LcᎢ[4FcM,\f,/or?Ba#& CJ>1vxѭî:2=ЍEKP#b5pOF(m>7ep* WiV>auxVa9z% `˿9;7n" ~s̙3 .hiʞ Pxm1Cx5[AR-W1X_qh~ jl}7Q%nB` fѻ\NX$,3\Ycn~L:= q'gޭ|*'>>J &ؠ;@x,]ìS$P]uEljKv:^iD,cU][6~H޶ABgt)%аbp/itkB >3a}a~uaQݗXp2>ǡpq ŋ@3 Q?)m1r endstream endobj 735 0 obj << /Length 2730 /Filter /FlateDecode >> stream xZKsW1 vllJq\.$IP!KzP Iv[U)4GY?9әZ&-֏л=qWd7yo泓GO^Z;\NN-Gsu8c˳r[֋hrm"ѻ8ٳJ}L4W;sRMݴE}}GͤuR^ǧVJ~߿9Njp[7ZH{_v};y~:K5ln4J*UnbE=29]m,YT.))%O,dXZf"n?Ra*\ϴP^yױXJT@eu:uOyR7J6~m'J%&>;'k`dygm420 2ؽ\T JEvh+4s&,mح?|!m-bH1(ɮT!Ma]GHZ4ENU]֥}IvLmY}F(I&k,>wʭ]k3sB灔ɣaXBix*bLGOє~Sz4wn-jWMUwPo&Ժ+IbHis: 0`@0Q(6tca}G"s>4@2h{dR}=1/K^\3Pweі9YM4XjM*sK;8umu_Kᥞv@n!]%#< 6&LS?66<4a;\; ^Yy{1@8wf#e籣Z{ 3F dv͞r_Xn(d$]u9V{e.ɝ&sA#o٥̝k}hen_/\=R ,f)kCꖬE==<0shdZtm`&F;CmF(Z;&%uRd ifңu4hǢ X4`oRFAK&Ͷ>'Yjx Uרlx8\7m`8 8;)4ΈLBZ9Lu掯|(F%WUx..N#cAIG~i/;yٴ(RN(B$\#p}D16Q v6A,mZi.RuO!iӂ_]nLR7>VKY4C$\c>HNMLف2Kgy'XeXdz5 'ZZShӁ6[{ e _ "AzY}aew"~yodr ngX-MZeyr%pc@b`^UKnmhil^1=jȒmTm\v_O-蕙QǞMc<H{86C׬ 'DѬqWP̀ߛɬ{"LWYx'p>A1,&2ԫOE1<Ԏ([}HKe|Ж.-Ω=x9;ݤӎ:py-k>06%H=YWWj6bFKMhxeKn~yU\?ٳsd]lLq r4FSؒ D^T*le<> 8u.݋6+u'yR6

y'm"͠4 bwS+~၏`ަ謚((0YejRBnhYG3 LVP0smO |U'E.\,9э,˦:?'گvr3dzrnꊨYZNt+{uY_C:xtcm(e[R=SPUR0ѿpc*y4L$*9ny| 1#҅iJζ5*GYe]VYlWUxp 8zR}b(hxɝANMerR: W K`Pje Ia|:}Q5R:0Ȟ@ΐ)m4!AWe,OM6Xv8u_JOF>t{;߅D1Lb? .a%d7PHz7?!~C1Gyo:A7(Dm{Xn*ٞ?^39 cA(,%^9X%{7{ޛ>rzHdaex~MKR]+ڮRZ_uЂwP]'|z(mWi:̭{ Ѝ1\teVmrMVJBКޠlA0uIpQpdPt4c)v %NK\K|A~|tY_ g Rǁ$vU4eT?5O-nqEA* `瘒2eMFOk8՘LҤ8 ''xOQ0&g?U AU@"d  Vΰ1<BnZ`? endstream endobj 739 0 obj << /Length 1665 /Filter /FlateDecode >> stream xYsF_Gu:)h(C)q_ LFr-LhNdd0Ƀ~v7,K-[|r)lvv>T(Բ`쒚-WU|Q%d**|,"d-*d|fxֲR_S&yPRs "# IaUM 7Ec*TwϏggg?$8c=nL Lsה,Y82dg։J2r{qh0/4;w/QQlgOb6a@PZ`O9%zv2![:)eCUp!/W 3 9$c/dbgr TVv~Ȑ*kp0gټz?$QS: G'OOgg'_wf+#_7{ &zjÂ3N(DD)c`zC||P"upYp-`N~"BI1\yRVh)I=Yrϭn߃g>KL,,&,agk᱖@B T 3F kPZE[}X BĈp+bPu<]};^2ChzK_޵W5@1F$PPRCLG)@`2zk81hdCVHqZ 6\1wZԽ#u6 mn6qijq6x:mJr4D\8J?;m/fPCk3GN ̶]V}ģEORps$EjѾljF֎BIӦRh:ΫՐBC욝u-)o{". Ed7s "iER66H"bA*0\+=~˕uy`M?{ p% װz>z4` M202>tXЃ0 JeoV0a,^3[>}M=UDʽ:e^lJMXwkXrcËWؾ1l!qW-"Wp]BMRy޶>&,Ҫ%%;LQ 43 !_CMIa$4ؑ^3O6Px$Gk썥)fR⿶t ̯ġʑ*T+'<.!^ 2 F-Zz0E;P^OUR֧SMz޳P.*$sW ʪ΢K=es8OBlٶ{  ԺRn8]E^i$*oņ?jEN)=7ir+8}?muk̺`x 8|9e- jqʱٖr{4 :W :mH+eJWzŨGE1.=@bQזGz]{nsñfYҍ#xwɬsiQf=HKg~Ey09]yPQ< ckI76i%y\M~΃n5y ՜I,qRK@뤀)nR4)3aB G -mUOzMzƙ`< s endstream endobj 742 0 obj << /Length 1551 /Filter /FlateDecode >> stream xXYoF~#U( 4i=b= F-twHvd40`ro XaV#s LZ'2J,ڢ$~>K/l=J8v!wYI6JeZGo^Umr'eXP* 7Jtm=Q`c sVN3q}=)ח VJVaǥ" CRΘStR~곈F!F{QނTZՋ?^cL ]B'S<_M2`bJk̥M˷%BGWe }E@jd%&yVOis'sa|b/g?{72J ^c›q¾ŚM kYH*AYcNU ơ&{÷'/GǗc-@|تt ߫t+9ME;ŋ /x{*iooL D}(A N8m$ALXG5vrb:YTMZ^jQ b֪o"7-1sm cpR,78;lpu`.eh溳`. G/XPX!¶ᐥCRҾJ> ᐉJiƾb }`ZCj{ lC'Kݡ nixZ@Ǜiս8P8j0d ev&o.7W>8Τs<[K\0j_sc.36X1-pYSi>II^2+<6>&ZQqej_1-J 9ňk #ԡ(' S,1¸ *_hR_ *Dm$|⬚yC&i/V"XZb3C]T xh@Rb6]q bde^~Ze>;^ev]aSշ(V^:+f%Z1A6bvZ$s-.\ Jl}dEkA?kqjvZ`M"܊!' d<_#[)b%z`vZ1]!-N{yl l c-NٖAKf[J?Pl LjQW!֫VGAVA VǛ=Z![I B8YzVEU ,.`Mhk=L›bX B8Yʶ|PٲVllqlW endstream endobj 746 0 obj << /Length 2263 /Filter /FlateDecode >> stream xZ[o~#]DSΕþmIw[@l0"m+.II}33Hݚ@4mE|ƫDJ*/b[߬?]pn?^]+4NzH*_fmQ_Q˵R:.)."|wW=+-eb%!UXŸT^q'CUh?}_^c#5ܚ'HO>Iey^enoZmlpɣXUXh]hʟomVyT|jC}[Rڭa7^^)X6 onݮȱV7 8_p{uh%%X`u[.6ʏ~$yhZr'Uޭ2}yє5L_v¨;"K~a^*R<.=Y1JWfͅ'C};\{K G  *vr7UEo#_hSve㯐ky[>)i̅(M2$ zxf$t lYwp+[([W(ݵJ!]gFƸEt4iw-aחD oY#R\RXg;v؈tbKh:6_Onx),щ;ڈoؓR1.i\hi8Ј-54b#/ӈ-N׈yJ#00.b'S?},F? endstream endobj 749 0 obj << /Length 1697 /Filter /FlateDecode >> stream xY_s6 ϧУXn4ۺlSe9MSIn}$H9^/E@^ԋCOsNby 4_KNOƠpz Iԛ3Hs_? y6ϪLIbOiwdlGp"QNB1"A()M(a@*濚 Ӭ(2[k`xZ$2mUY#pi$a}],/LJg'2y&e&`Ԍr´~iWs;6 o E[Wv˛P'gS4ER~'˼D'!P8mej8ʜ@TR+ljT~R3T-C#NM̭9[QŽ+$MZY]eoB*JKZuͩJCyJz$aD"SH(MK NRvѪM|uڼeXJfRU9v+X'~.m>q#Fh -uX&ݵw?_L]}];˼U8p aqw;ao-sя}1>tO%w5@-~z3Xm֥ljP»8ӽc68g$В1 ^su3W} @QS,33n<:A@;t|F~}5Fņ-lJxBG ֋wpE(ѐ iƤWjlcK+) Y0.xFw/':VLD@$jD#l2fPR(x_u]Uf-pHqG ”+/. wBF 8Q 9|F ȳ[?7(o> gO'Av7J'l'1L$Th/}$׶I꓌2JK]dSC.du$L)J%LoI > stream xY[o~X䥫;x)N즵ԗ:AqGyِ\+ίwf\rMI(Pas9͜#IdY(fo_<~ WO/=^X$|qq5&u^[m]grd^5W1UfNV"^_ S&yP*jcŸTNwߟr.|O`%Z :=3|}zv1F:ߘs`̗\t$c. 5l}9{9.0Rz#2h/gAj2b\/r!IbqJ1LLY^h|DLH݋N{g1EozU3_xĤD%8b1UG,V\2; Sm>2b>gW'pSG7)%xPe⊅9TJ!RW}H+[ MsU7eKH4@@ _}O/z?K% udikB]{f0^2e0`PP(WױwLN ;:SYAR$vXܓ(QnL;ef[ɫmZR`'Yv΁ُ $وL8 CDʚ3 I\5ޞ0iF0a4荜uߵw%̚ϻ4BNmvCʧڟ_xe;#ci4)n͆asQB!& vQ5ea% |lW)FLR"ۺmVd>.sx[ꭁ zǪ3KK.WsPgŎ#'3Y#D׽,`GP|)8d1ĸŬn ;ب]Fpۺo\Ah?⻹xh6Ύ S/]`!NMK`[΂eQ~#x[ !Ѱ~Z;4}9}&w.imgPIt`S.܁0[v5UԼɼ$H7U\jw'TNxـp{˸<C߶1iFc.1npKm_X<7$EGLH0\g~Ol$mnem+Ŵ aig4oﺱNlygкi I~. |y!|aW߭'i΀ RzD3Ǡqj&f>mÝf=IU ¬a|>/ ̖Ħv/OW\ A%Hc_:JDcx4X,eyU#L_Wgҟ9 K##Hvii3/ߜZZY5ёe;4_OQʙKqozG '--w3qԟAɻk0f}K>YFP-nM7Ì^Iv'j^$S7v14wBKK4hDB)jLq9wG)>Rb[ZMJI&RJz>2XRboAsh]:Hk;Q #*)B )s|u*WCSQ &aR俙Mce<o?AtQx+5 8 @xߙbJorr毒y{0 \N 6{3p`fHD 8m+ uɡF;yRw|Uȴ|WZxxP,_SMP^nSiGov{;j\N =sm5O\SXSR ~1X.?s=qӏΰö5mIm/9P!hBF]\ԏt@SbЪ3FxkG/:,6bh:<庘u,6r,@@k糩.H0ְ kACzF($oJ=}^n~ӉpEj1F.Lˢ8K6kOA{Oj܀δƔڦ~OCiץH7 j엧M^F"4L@ڏr)z@7Λ Z]' p}!u?s ߹ m _뺷,䦪3kMq?Le4 endstream endobj 755 0 obj << /Length 2468 /Filter /FlateDecode >> stream xY[۶~[w2t&qmҋC+Q+%R%)o_ Ernێ9|iRT%If뫅 t+\R:_%e4}qMDM~n]EdדfGR+.מ\CnKӒG(?P^ߝOYp$t#i,2L+ (u޸i޲[l}݋7߼ϋ$.ɨ)~ H:Nk:xrrZ2KlLw.z&<ITUÿhFE9К b85C𢥎n`!5G۠wt>1ý;f5`[)R,cb;cW^q;e".6aJ ˏU9[_Q#W,F dK+& ݥPȔIe DSF|.^l3 a!Nś' ys3B&-%Ov}Ȏ0LޢzaF"='b#+"$ 3HbU`2m揨q JCbԜ%iPx/&BXRg"u%uʎ F"T>7R fs1[<ͱ!At2BKnL 9K9nStuYio 5WgP `43E}|U6|D 1t 5O|nzr)I0ɇ`FAf`6aڈݭf:V3 4;?ܕ@:EkʦzDxZ ڵ@&`⚀DvK/}@Kos Ks' )NǞ}s].]#5蒈>I z+{t=AWmjmANmͶO[ڂۂڂ.mAB4C endstream endobj 758 0 obj << /Length 1932 /Filter /FlateDecode >> stream xXmoF_TQmPmӦ ĵE"j7HB{kI>,ǢF$&ZoϨ{D~q tK \(\}\QҔEWCVWy:~vmK!D|XJK{mSśoΞ]D)癐CɄ%U$LHOjMܽAMGT)ۖ}xq>߾}ugaH7DK&S~z /X,X\e%~ I^_ĘjA3YԒkx[jAPҔ(|=hM+ܠ$TTzo[7!%QC_^ضO YY%?b͠L~#efϿ%Dd 9.,(5 nb&ݝ1:VδӒ@K4mfLc lgM:ܤ mq jSeUCd.lv7nmf7ֿ''Gol`zbFNdwɞL'H$Y*Ffh |W ?۬,ݨ8( FʉgI 8V%8:17<7q֯ g Bg6,$%X J* ƃaNu$C%ңQ:U/ |][ t'h=u_SVa8Ak#0)lKG [N9' ׽g$ Y(KF)LF,SCɠ T0BYGZ )E ]cs ֍\AIĹmMqs瞢CW\>G>tRx`GK--_^8X#3uvX+j3C^PАՕZ}Aχ >~g1 q_ò$vVWL{Ay;v] z]7hQL=m.B 3Cӛ?a X8oUw~u*9W{p늭YXܯxH}.˺bU1^Lآ$]Y3, h_]@](?A#02 qwLɼI8Rh@& 󈆼} vi0 0:CvLBD;qj?fȌLy.y72#@bdY1aB3l|@hF}5 b!Iw9/#mC):rᙏ DPȋQ986jmeNo < B#g!1@x9~FX wΨ\"^xa52|m[Txo>au:WnW.l)q {JIݶl*/YM/ waĹscۆ.պ34S_u wxw}x8 Lh~*dUG:+ֿĀGʲC,!< A!\n7iGQB6߯=A0<a$k<)*=LӘO#h;X'$j@r-4"͡)vvV2YVŤ v$L endstream endobj 761 0 obj << /Length 1875 /Filter /FlateDecode >> stream xYmsF_rN3JR0J2!՝dɑ+:t{>{D6 4 GQ6 ݋# a1s)Y.FCx<$ 9q0B$Kd0diR;8zut2UIvƦPJ(#r1`&,nOyG HPJPK'"r(a^% Uѧq/n)d0P~g鋓ѧ?N1C (˥i,'½O-}I^[sp<>s^7P TŸH_h p}YMHiᖪ2AtF2lS LMC(ЩhWYd m' >F ""D˙i,8;ӨPZn/F~ts S5?6lhU,pi< [Le\k,jz:ar XҌ@JA"3 4purۦ~m8 Aa BaEY,]8J5!PvƕT6P @ g+@CR2jTEk \7r]|iŨnb,2Χ˹'|y‡礻;+'#8 'ƈԜly@NwPiHNl zؑmw6L$[DdlXOE21cȩ̈LIT..ݬx1qȔx\] IǗ{[g̚:[\[ aN`#%iK&Ni`h1 \|fXb n%:sv 5ӬB Ŕ)c=kY䌸ћN![JUAr3(*'q6]Hg@6mťG# yXΖ7$ADp*V3 w082ol/wï!`p9^@MbS^ٛ(f:IP[ vFQE64dsfaNQC7Mmhئ>K(MTq>; L|΀:PhF* $U'|=dv.Єшo ;w_(t~|E ;wVO(Hϓ_IץnDJCYT!rdG}^Y/fqV6 /_?Fn}nXN8n ,WC>,;gW(KTz$m͞3|k7ށ{۫bSi@*V0^gKYJ[@G& -Qlգ. nbaj DQɻ:T\[>=(xG7a)U , &nKM&)xBFa`}wj൦&v>-Nٺu p\{$RRunV:7pP|P8E5ݰA/JuG48YGF7YxmB08 endstream endobj 765 0 obj << /Length 2343 /Filter /FlateDecode >> stream xYmoܸ_HE;7owE/~h.]yW讴I|f8VZˉ; E>gbO<3ngof' dhS7R ݴYOS_^.iMTQtRe8Jro: *ht6ůQ^-!xG;iӹHvu#bA',IᏍҪ#iRjaE_~`k KyCh1WyF_bZ\yU v@Łnʟcf3i훢\MQS?i-PT&O +i.iC]L"vLYp@K#&2TL nhmtrIjߢ!øhHȦ|) %h>ⲞwwAuxFcP M=nc,pȤ0 (˼\÷Q5z߮G<ueݦXdZ9#U*9[:)&o\($1o:E Łc /SP_ok06#VE̒LrV_5Dcᛕda(=O0!!X5"g޶nW8vw!IX nAE]M-t .(Pm`w8.d6ΠqA`MR 2燏Q8/`f>20á*O9: IH#)}ua?QIW2aU5-J oSp$$CNV2%\ (؋Ut|Z:/[z23. EiJ(ߙl+p[#HntųF*ki:@XN-~*`8c U}5@0T톹iүV)wH+֘-نTT믢z @8MQP؍ܯ?Kj.A@Kݘ 2eRAg͑rb88^Ml;`pFm'p~[#55XXBJSS07C ,p.Y]ل,΄FXJ1֦R+oUxSWPKO˦?w%!O:vY!e eej62_LIz&^[mc6n:&(r|4S44wICi(q03 A> % WeRO@Y)a?L)) `ocn>ojp%s t>\mRy "P%٢5fQz^UmWM];(i7e*=IYfE86?r5m/ %u94l ǖ*lY׌PajnZ"kL" @dWx6N˰VoUt+ hNKw3i/"}+ Rg۳[7E&hm/UCLQo$yNc[9n4bw<;;{M[pNPIoB n$Ғita%NiA?y h)oJAd-(3M( w[9PlٍgZ@ kPo<}m@fksKӵ^BB2 E endstream endobj 770 0 obj << /Length 2501 /Filter /FlateDecode >> stream xk۶Xdqi뗺;q"*Iv}wKrN  '_XXbj}ۗOD[j3f!8x&w㣮7wɋm~h}\)Jkw/W2$R,_3iBE4Ja[:u[TR$ؘ.`17 ;9*6K@hiyp)} 2\&Lj5m}\$1NBYW0.dKe/6gFŇ_(f[\=Gфe2h~$:FxL|aM8z֞iM_΍V)~nfe6妝cаLP Pȝ/;ʲVr)]Һs@^VŔ)s=S/HhzDb/k)PRYJ4wQRB}}W9/tp%M rCu7[Oi{OD3.PmL}p[#ƀ3ݜI ޣcsGYfE I1\MQJ~"ʼnIw;t2Kȧf@萿W2⧛~};Gh3?P׀öX#a[!U*Ҋ[˦xR&xCUȺJb^{|@Тm}n 5;Om<=k*:MGȠA7KQ@4 ~-+ݡ ď,f2LD-i3gyfq aP* PR\ ƛS{ǥo۝A .Z 6ud\P@> ,w;nE,-ta Uumhi)\U8x8׺Z 숪Ѱ*=O(^FI"es3 +Y}׳*!end+:Jk4Ԏd&nv~Ip#L*Ӡ\>y9nz1GҌs;lO8vLI,Ge0^=[f. iCy@!ԝ-A?}%%RR5WR7,1k p!MM3f<3TL$?m=ޭhg56cj4L*}*_AR\vj3diE(AW~Y]1ɓng;Ǡ`\LCulF%"BzL~\!ՍugCI(#9vBZIG'n7i EP py %1L$]8 qLʪAN?QGqx{YG| 8 6%cAA_U |i5>.SuZq KL+l)&CciaEr߼>4վ{)ߌ^&4S:u,!QEqzzY) a}aFPBetMoPaMy{>$]ni?h$aCN%Jvy1> stream xڍێܶ_K*-}('E"- Xa'T1=brnlj__#mቨw0O=MĩGh׷6?0,Hf:_I50%kn𗈕:l;"sdA~Ԯߥ~֒U@*U6* wN@?dL Uȸ $wʻGs iJȤR_ޑp'Aȿr L<_Kdb^g+GOl5塣\'Nm!̢y0ʧp1M̋qImוeU@9 3vE%9=> %,_i~˦~t MnC d `ɕ' 4#O} {CI|Ų; nJQ#"40#]b $)G/"t8W}-'~7!_. ӵPyknp1藊(7Jk?Q*'ςaQJ?b)I ǼJRTd`(Ȩ,qo#ap墎qF$ /CS1P=CG7`2?MULlda_>TG|,T!ESVG$(ʪeɻK 0]ٲAˮh}Z,_MS\{Z>< yA@7<"OK{!є[;yPR)M䕻qU\ZM`GϷՅs6:R53R+Þ"YE3[qrbC֭|o(Iga]W@(Eja|y$!p'Fgr2#ܸ^ٻ&l^"Zo^aP七ʁ :4-I1&<N)I< t?;)3.NE)^cd2r|\I\~0%򥚖/')+{bK|V4rcB~ 3$-WyL]@ v9osSa3ifYTDhr|Ǭ\=Ȋ̂W"0bXW.ѭg cPa\Uxg|N~ˁߙ0m*,P#q|94{S=Əxs[ҽ)\[nea%myfjHr$6jLtBW h#.Ȧ7]WnN!D^Iq&Ӎ7yf.Z;kƷ|6$J?h endstream endobj 780 0 obj << /Length 1822 /Filter /FlateDecode >> stream xZmO6ί؏يůqwЊ{* I;;qv8zB"=g]>xHRe㋍֧jGs7,S>8-pb*8eb\*r*aHm G<9@7V0#%M)pGE8@F!;qqyM|Iҏq.a_S{o0l'e݅PΓIMl#GIн9ڴYg5 /ytx&לWI{|R*P﨣vUR{rBόK"m1G\P;wMqZAT |t^p3.2 ějYrov^oxq ƭ˩[ruۙ_R]4[VG*c? LŹGRRG1hHgkD @p(2BU㚠 }MOЃ O.l/Z2&"O03A%h nn(. }&c4q(#tWDIk2@.P]ֻXI"&Ƞd⭏1wq J S!^EYNf͗Ɖgh~d𵚴$ؓUp(Gfs D{m0+wXKN CP%3L t@<*Yvgc-!J]*6,hPTHX#Cj b>GܧF(htlyyFo k~w,|1 e@H.lCn4u*S --Ҹ*(u|pѸ,]i.R.yBAr;/cczt}>:uT1Eܓ |CX8.ʢO+NK(ɴE8HςY@#iXFuW۩Xv}ִL%{a\[%rt Iw BCaCURK(X%fWಂi550q//^qȣ 1ݑ@e{8|JH-y}KY7{izKwY#p@Np $;GStF`):kƓihetUG+aR q\*L<'pJS{w[RL(bi=Ii8#!F)P(}]U؟JB_||L">^$O:ftq#"{]G/L0i?]1OB1m?Y @G(wm#J>y0˓^؈4 #^<'+-ʘ^Tl!#p Gx m!>>|}2iT?|]> stream x[[۸~ϯ0r1fy}ɢE)bsȒ#əL}!)Yr45kS/;xxfYBgFxܼ__n \;f&lvyr5YV"2?R载-v 7*rWo/O [>b4t, <ѮX6YYY -zIq!bד>l5 UښsV|UޚeR%T#U4L'K6jl$gv5G$ADg+xی5g|: |l{ `~ ߣZ('m ?ܲ,jM8l&ֳLq=Ό$06 ƎLB(0,Y u]tXu4$ @H? *&8$TB)ٞc[VJ QhRP:'%DJ<'a8)1q2 'a,%Yqr|I@xRX"f1JrI P%pH"2>nM8,o!~&pI0J& ^p6P5 [I ykmraX='áM&#:ó"k4cW~SB]m6Z׾uu2W F:,ț I s$ ie2ʶ#Ѐ 5~+0dN7t3GwXF<ս>Z:YnӺFb*GzW`BG֏^gm B)>aIe&N<8k"Oʪqu_otihtB cZMV$^y oyL{o'[kO`MytWߡ]m`9`A`v-]2nZ8GaꍴtWLK<+{KZ3 w;:| Dg>m9`L~&GH9l`q0w0!`RkR{IɢMG#ezY|]N _ ~@|; c V3~0+Hu)t!PZ |'TZ޿LZ2b,8iqI!Vn,X$c8Lj8F~ _SpQ 4c 00䶸l8B6R}5&ht \CcQZdezH>AFLMyPh G1f4BL2BL}4/! $3M !F3 a@eĨ! | x0]x9R#_gEa0:L%{>DtS1Dx:K0~ 9 ![93C4S]"QSCj!CWr躸 bJH|q?R~!XL'"fO Q1Av//Db:Iij=J\pfѽLAa 4Lo45Sd<-mHyZb_;Zh'YTEIN6RסTj8E_:I}) B&Zډ^M;5_|a]Y2:!z X<ŻI]@f`ҼV>o_v;_ڠkZQBӜt+KXptm[lwNGCdZP:MF,xB mˈ@Ӧ4g NX*''\?%(pxHRK 0l/_&@L }4g xp$@XO\ L5jj"$BXLg)дb\Dw@W9>1.@<j?|]+JbNMhNMUj8N u5uuR87˶Ae:{í6HPJ BQg0tG07QF5W3kvq7k])l tl-K_}щ=EWl i'\Pܤᆦ2ܛ ѣWj4(GAPڹ*m"qCnlg aWCXJ^Befc hYna *yi7lsNkRW_9"S⪕9=l Np1ڪ:V,Ϛ n3_wXy:]ZB1VANeh~:jMw+Cm>~pȯ 8] tC;|Gz]oW QG\{l[µ> ki{fW6*+9]cŵ3^m0? 9O@p9M# YCaO-ݾ³;?Tz]9?ޏNC2n^!JS( {N_^ f&/"ۥ!(<{t:ם7P]+kWB yI{rh& endstream endobj 786 0 obj << /Length 2049 /Filter /FlateDecode >> stream xڵYoܸb?ˈGSp}N.-rm}C^+i+qEpZ:dI 9/ofH", EVks֭`jW'/_+>K/cVW;ߤ;JJE]@yz]ez'O.zQJg+R,8`\YULޮoI-Mj S7-ˋݾh7{[vԎaV9i0# XqRz%t.]{4ʫttGiIcԗ{=͊j]7ej` v1bvutR2*ɠz Jե6Ei hitVrkMMpx69MHܴ抋SvaL"/2!وy8@(1{b ѩ3)Fmj6 *3T<4yrΟ"6ٺ77 $lv}Aҭg'FEBM-o֭&Y]uݢ drN4L)cEiBhΫݴg"=/tkx{xje5kaSTB[*sjdݯ>sج u婕c/LZ3jsї5;3e1Ty}> Vs!_I1 u̟1[\c樺pv?[ᚢ<|L}br}eϩ}c"XqHJr} gRú1g`*@&,֤$@ t۟nts\S}g܈f[9J*"TWP߳?W_cSu~kH!!cl^}xte,JqДE4M"HDzۋH"&quEXBD4EDH[viLŨv䯮H !/& /]x Z!# 9E"NzjłsI9fΊiGj V`zX$n0Pv-&#8Q M HÀP+Ldgn<}=(h|A<:{PYL9~5|[; YŘ@q&xJX[q)ހ5N}6 dM(alYg';Mv, fgp^^Pr7i4‡dJ HF -t -mB $ -ĄݞÜ6}Ewї~CVF{"R>n=vaUIէ녽] wښ=.k[:n[Z@w]\]+t[&m\jm`{w齅YRY*SI7 Mp&5~5Үh&ih@LfXWd:t܅ H)CІ~hyhCUSyPm[Ʊ?(- w36g%$zN?Jd[1wA_݄ֆ}U#}wEE{&iC Hn>`G?O@K4Dow3_8.|!F@AYpTTvwRaQM|kMh_V{3bG/8ڦvm~!4vyLB.w `>.@'ZӺPJ:;("'\YStTXt-^91''/;Z]iWEtY> v؂}G[b_MVg:) endstream endobj 790 0 obj << /Length 2575 /Filter /FlateDecode >> stream xis۸{~>;7^3qt=2M<ٌhcԒT=ybu]ӓ&9}81VD$t 6~UWK zU|y5 i*Hy0D#MNMyEϲjiP ,yt -?l߰rȗA6ڬ-25\.}XAѡ뽪NW+R:,E ^ ̰9X4m> ߲jQF ^Y=o؀TjlJ{^Mǖ>oz=koE+Xj @DVpj)b~9ml΀۳pw  W?zśGP殧87&?%No߾~ſb\N쟿4;i_*ͯJfTM䢶r1L8Dװ.g@EryK\Tmb-#2/6Wnx<%ퟢrP)HRWu)oI੟h2wdz.'t,&o#X$'LŴ #D&E\iTnyz]Q,!0rRurR Cr1*P1YqǴQ7p[U_bc-$*HuleQMU=Rap<1ʦ̉-Jt̊M^C  Xne\ 1cOjEPR^rVZm[`Lq"ڽRö GM|emK<R!")BqtC >]K]i/DR^-k,QE9\' i:{>wc%b 5teX"U%MuۘQg{;qP?7dRGkսNS@C,;pKG,3%bگ0#eD~lC4-?ǜ0@Bǐ|+cm'c(0GN>g$m@XmfƂ:i&د47|F0ێg];Z8>j*5 ASsƷx6p>.J AZ9qBIQiTC 14gE7-Ki$StAX\߰v95vs1.1GX;7sS!./%gQxR}ORX 8cJ5ʺ<˺u`5o%Fה }h"ū|RlGH;78Y_ă;. X9]V5,{L'AI9O:bhWB&&iZx~J%9CP/ϙf Hmdc,x8 _M^׍(TrnxDYjף a8<"[mnb*/BhvcA-C`he(}0|}d,9FDXFx }un-=/;C & BAbT#9&ber !E;!hTONzylHSό{wc'"ܣƧj%*jyGV䬥s\{ nvѱቿx Gm3Bq& EZFMٶRॻMeR,iBTM~_-#vpH]K \(eo#@u*0*OS@wWEss)~:/' endstream endobj 793 0 obj << /Length 2760 /Filter /FlateDecode >> stream xZrܸ}W̃Iy\ plŎu[duJxnKrl)_n4xGwW0 4sM ?1I*&3{ 5>f0pٟ3%<󮨓StLwUVLgJ0imyVdy6DZI;|'RF;#oQJ #&L(M}:nEUvYz:*b?>* !c$J)C"8MSXDg\Ϋ0rm&3IdzY%üwoOq[M:`)O&NPTDohvEsˬᎡ2YT_ z??/w1fo5.__-|=әn1C?ތ MqLl̀.qGB,9;O`ju$ vS~3r8":>p[kog̪/BA۩zD]B3|xBo]rAGb~kHq 0eW#}' x3]O3YM>>{>[be0cvȘIlq G=BN&^c/Í SYX [ej9f9c ٹ錸ƊleI`eT\{x`\,v9Ȩ`'ؙ as&tD =}AϮJDEEVM~\] وxnї@O4`eM8V<@u0> Dx39tiNnBWXZEZlCBZ+Ys>~}@\3%(άH[hU@gOW):pQZ11If[ꉲX-o6  O2fSzti<,4bCeS2J)l \3wÅx2< >q5>и/7j{݇K¡ۻ\F3!WG/zL3L̸sJ=-↍P& DWLeX pq3( OK/B 0!L?Fh`cݵʃ}(qO,(؁3^S*lY]x8,|᥆u:@H%8 vYccllFlH,:,@ZH^Pj"4]f8ͭpH~m׻}:!e%c> ze>)S(@+ԒDqhuoK@%k5O7;lmQzX2{bAA^)xyfqj͆`6lP DqD S*աim!:q rr6g#-ނz-8cWO<{rJW4=s <*YZֺmќ6cf5LKeH[ ޤ `p8>i'2Q endstream endobj 698 0 obj << /Type /ObjStm /N 100 /First 859 /Length 1364 /Filter /FlateDecode >> stream xYMo6W^$9! #@ u}pm56k }ĩw2F[HμfH RNw82 ;)mAot1%BXb3BC Bid v 3h''(OBc V\J1?%IA]̃S hx -S!_4 6!I!+Ȋ J7 WqBkBDLGrFK͖6#}i-EVH!0!v 1T 57-"̑ciMla9"HX5{{M?ޞUJ;DScshm7ϟ7_׽~ʝ628{7K8g%hMo~9^a ~/^߻l)C| 7g ŸҍWϿVӇ5Mޤi{Q-8f܆ZhoǼj2lkǔs5RA8ӖӖ&-ʆh̿612^1dR3oqI O:1`ٟ4x亟>{vZ[~uۋU;_}ݏG6)5IRpp򚒶 ԐJTƩի)F&M |g~{]`jO[֔o˵xku²xqLZer_1M1=Fpߐx<ז﹵˹Z Klc XO/B; endstream endobj 799 0 obj << /Length 2142 /Filter /FlateDecode >> stream xڭXms۸_\g  N?8>9zz(xHIYq}Xi71A`bx@tbijmpڞX\O v&'W3 N!"EyjڶmxoOM㳈E)85Y<`dh]92&iBPğ>'<V9~sZd kcLWSQc&6oe=t|Ĥ:]mBȄj=7'=NR˱3C]X~G<ͪC"z/)u0GApXPK'lFh+ԕ53JE RMT}MϺΆѦԛ! Է]<;}( /MۇmAb4XGQ&"V \62v(8t 1o鷖wψ \UyIrāe+&/N'i~cK|SXm-!ziKEUaS#|6i0ʖ |[l4+ԒpN8/ju1iﲨdSg&!x%`i:/?%K?s6Yf7oҮ~7 2˱ [:s\T:\ɤ#*H`+|M?|*_lVyYUM{lEZ5J'IXE  ZRv̓a 6.C H$!<8|jS80~DVIQMxFhOhCRW%CnP> stream xZmo6_;Y , ka[[4BۓٯIrbZ8EfrwQ2G6hΉf^Ů<0oG/N"ƖNڢNƃy2r8Gp$fgYMl8bi1;xBdM8FX(#"X\fE'`5Ѽ* yO 6Q:0F7.p8^7ѻurIrRfaF*=BGj:Q }*X+FoW1-,/ш% *'SGԲU:b2X&H5] %L-d:~$X0 ^8g(c0љcהIJe_S70}6-zOX?\e|Pdu]ICL$ [ B^6/o q=KRrSXu͆a[@ ^nC3čM$~O'0hwTu9Ok?F8y `ȳ,r MDg 9æjMM؅#1Ǿ7_U> :& p:RIQ >VDRCΰ,@P $Gco .3hVwߋ9Et~sO~?.gR+ߝN/gIy{N.=bC{C!)JF I&…m`Y7H?M}}KyH#Dtsh=9#  cY2SЅ^Qvt@m$4MsJ>0A8iR:I$>dqg6-;vDwyݢAh:t ޫÃG^xwuCwҘHYhaZgp /hyV:ՆCpVYb }wM񟳳d^h,W0$H. !+3|־`d:1j U孳Sؔ׳prTJ H"*(me0*\.L,B*"joC?ƃ1 B9M$z9DR L11:YBcuf㋭]f6/*w͡t^PPIC֥/X m%H E= kxho?ZȼݛUۤ-\CB@Pf(22h)y̎8aLਥȃ> fC 6Di ?A`(i= endstream endobj 807 0 obj << /Length 2436 /Filter /FlateDecode >> stream xZmo8_ap@nopm{j+PJr쯿WN}A>&yÇP"''N)i̮P[]%Tx# 8I>=1,H/ɛloLRdI_EUfd*3L/C)iJav5JaoOJYSWE M`1;N=9.ФX.\{Q>Us!NL*~ǑHIvBuSmg 7G5;L"7oy2_Ό0 z(f\L*z^7cȄgES^p2d*s ?ΜK`l4z/P3Uq+@et$:gJpSI8' z"U9 7G1X /TY/qhN 凉iF.EamS|9eoJnñ\M/?9 qhH?M\0stM͢ eg:&S+U&>H-$4.ĊʀL0T`3m]p vbx’KLN ^h+eMBэX܈wϧfqK)3&96 *)ìcC^uL@wRf>-bR Ū Pb}Y"8狢.22jTW:/17s[e܅›ͲЧ h}b^rmD-x~p&a(Ę!~a`2."csVXSkAyؔF9fS_1^@{=xKAFv%8*Z8+;nWL@csČܕj`hۓE@M3"LfyYZ1k=@ے8kdB'p?\ "S.RP!>8NASR0! #+}\~#7`LNӰ{ snj aNC KNeaQ-_S-;bMp8 1@ditt$܀?9܎Ge[Xq\p8I4nn.2K3oǁA9ŤԧA`Iaf<;w8()j[kzݑYC]N Q d. Ȅc7#ET71륹n9Ti.j!W5+亗 ? L_y 1z u ;6 TYh9< 5g""|1dʗ0 ziٔeA5KOPnYzO1'eH(fְ =4b "ݫQ<+&*TrV#":`S*\Sy΄;RVޑ!g ޡ~Cv??9mC({RRy5jYeJKnL"昅@(]2s/Na ,8숡cYKLϞcl<7})Nqh651R.ӄE}CWvBF۹nw.̗uSpNG":KTͧaGMv.m y+vUԻqݐC]CpK1ox{G i[{xem"^7ߜc4*í0)TJ8(n𺉑{BxG8{vƏz_;4Ryr\*`4{9ms|e'KM6 \t7nOz;Z;Rg9,"8}jL;VGECF"psJ[pq,Oyy{< Q7Є8Yπ}2򳌁(q$a1uKQ УkRfŒ8/0,io@*nMa*P``Ɇؚ[ʶفCz'~le{oh-ґ6-i ۻ[*֗1->p(`w/)?' endstream endobj 811 0 obj << /Length 2520 /Filter /FlateDecode >> stream xZmo_t.Ek+4vqhsHk[0-9";/ISlKIp/ݙٙg5Qr:2B\QxǍa5_1JrE{]v|Uny8Bdñ*{.'psnT&W'gR-e‘% 5#m%aBzhEOb~Ȳ(|G\)_ͧlz lRT5X[Mۋ2Vo%pӠ^&u0V\"c1s­ꈜ^Q}CoF(җӃGtVTX4 _^ ׄ $ƱZ1K,ӠajWGRݨc)TuթD(_ՐZzј[MU1V!Y=_Ld>҆^g)` Qpn1I4kkZ[d1kqȈ(Ǎ&L*W-'qQEt brJ,qSY}b,r]D k+\:Ug-! 6AӮa6sᦈFeQ'ᣲݖq"Wr #8~UDsٵbXmA+  (u`ͳ%7UenljOMwVޢ~֜@/(`~?HME MqU)`pi|/.eqv 0WLq|YyˍRqAw;?ƉnŅoVG MHsQ R{r{̋rqXUC;Ȍ{Hj-1RGæ&yLγx W=hy,\qo!C O*8 7msPŒEJhJR{ҠX]=DdP.$ۊF? n&"4iR$P<"U˹& U^H?rK@+7W]׮KEN $]Ӳ:4*ېW§OBȍ5#>S"FRᆔ7V/k9_祮X|p@fѰvӗ;&M]Xak 0XT=aPm$9'Jz >~#>@ҋ b|Ov볓vX0Xenӻ!P_ކAVABܷ}DPL+ ƹh:ݮJT;NR@^U[q=^(Lсe'l ^G6[lJF6=ææ>)ilsQ#wƍý\ldjCIc+ˡ*كVHzL]E%"+t ê!(s-PMnmV7}3-߀BTx>?$ )aJ ?, 0 W^GW6^bwL=x{(A~X֯Et' `-tzLT*tvMPi=}$ge:pE.PApvϨ`X+EβsSϔdP\N=S΋wV [G#p}>4ÀYt8baeOm?\|[mϵlhMRˤh\RY&dpt|ɸ޽jj:N~晓eDYKNW3$-.vVPGW|{8c~[Ξ[V ϥ~i[FgXKR&=\tOsy/X|E(["(,Ĭ=!xB,6nc}/|΅qU>egc hW[@o9D(*_x:0>P5[6!\2ENƸDޞYT!Y ˮZ]yzf endstream endobj 816 0 obj << /Length 2697 /Filter /FlateDecode >> stream xZmoܸ_j /O_DErW$E&!d`Z,gᐜyE JXoĎ,?pϷՈ'=Wjcfc.śt]QJJ.r$UH.~|rv1leB{BdA*/6q!I%,e|R:WWef_/Hb -3 'QRN5i!hl J߸5mySYE]8F$QDbE( a0dD~"ۘ˺i۱B Tp~ #SWq&S͈싕Yc*qʼnJRVՂ^;M. F~.kr#vz_u7L<*&b" #>Wߟ,?/}$J$$MTw\ Yn6.)d O,/#Ո}Fw*ÚNgOv;Ao5!n#Goھ#OV#'Rti.e+HaoNq'K*+a NyS|՗/w6ɉa/=/6nI%w1O^\8T>HG~xeZ1N~D`a90y`'aY?\h.Y؅J8G~.^0"v~ޱn)zT'$,`-_%IKS1)(ADt2ItzWO ,IzG~6g0Aws. ^9^)v Љ!%' T(pxv嶄h4Y;HԵd&KX@)Zr ͝UQ wבkT+?#6 <gysBS8!oVTC09HGYC4n-?rH̄գ'e ̱z9DsVbG DFhUtU uKt`E'V DU?Vf3rc,Aj&bY;A/)}P%!mxU$bٙ HEH@A f^aۻ]ا>,K%1D-@YԭcT LByc?6"56f\7sj(9 )pdr3>\IPs(FC;d4:hiAqHgxаT]^#{ǹYyG<ʗX xɀ1HH- n\Gohv)(K!KAy< u<:^FC~ᔝ36PtXu~7A}$k#컄`H*=nCYs%;hHۨ+i-KFRf=U27倆1R8`:{z?ԮUrcUNgI{9y&|_o]bӯФw==M)@·7YK]ݑsBA.^)ti iN=nч_Siz?8uYEAɊ0_Bk7K%8i*'s7p  BFFShC?ьOlTd6V6R҉eNd|DN˩) 9pf % TS朲ʒj)-xjik~XHFNg x!;Ì`g{L|]B<vd㑴~˾̪WFÆe^6kn_# wr.OJ *jnrnn}?1 tgfUE~D7/4c8xP@vo$!rv Fn|#opW+U.j L!o;YM{K_]!p 0]1nVݦWygAw,hTYXУXۇ}RBl勢N1H`{dM# 9,'/EW|U̢{f<{8|/9pg{Y}ÏI *ݫuncυd3nژ ~gR_}KU!H?)۰0I.O85-}|ug/6Sx‹1$itBLf7~@> e=:=lž3E$:_+gJ'OBUT n-A(4g$ ,jHO 8O '/C^(!kIH,pmupOGw[ 2$җ@a$ Ƈs Db?rX k޸ĵ`KD""@$8f- endstream endobj 820 0 obj << /Length 3097 /Filter /FlateDecode >> stream xZݏF_a崇H*izH{hq;ܥEfmueɕ$ۿ!G^ 9h*?ʢUTt?h]Q<Lg+YݔMz<޶WkT|q:~w^e&8Po|♐ &+P(M{Uc˦xXhVBYK\V[њMY\qP >zZg"4Ϧu(D]7=) {:H*cJ*(럣U߮0#ݯT{z_26IӹJ6{,S2[bBbZ]Ha*3OtM7{.iEQJY*KRy>_em[C%8L>=F BA>񋁭̨\ u *BpBئ+2@g 8PT7f0H4 96ZeIp( ,l/H&Ga[4y[־ݶyE#CŴ;k4^2K/y#K: s=:CPjjotH"sj`c;-xx5ķȣeb纖Qy],Dd~si@}>az+VpĩW٠ACԂLW7hp-nc*? * `4;i.ՁJq(%x4zDQ/JW]&(24]@!M$Q7Ϗz {q%E^0O6ǎYMcB="Y|)ީx*~DnU0P Uj&డV[gЙ%Bz :3ceDsX8~{oo5cF`biuXGd#Ac[Pik޻`@仼MӶvӣ^8')O"Zmlk ]83* 7#(m^ȁ`R^g9WSN}%: Dt2x)g,4Qra0u0`'\8Dp ("."\R3'jQ7}B|3/sdž$&nˁ!}owū0E UCڽ%w"U#+%\J^ Rw4L`>;WPQ:ش6~T45u}Yoirtn Fımkh*kŦBSsn*)9 KHXN! Z?Gz=>03FRR|<+|taKW>y@XPf #3hBb$JF%܊~1Ryx}0 ٵLbc xb):<-0(4fJet;&I ׹h< o)nxkLraT#1}o;|W;-2[h jksd}kDӂm;qZBP_a0_M08<ͻǕ_@g7Gx3he.J8*2#Ad! ^9؊]|JimFjɕ ZO( VBEĈ@x4>Y03+OmE撨%rd jwǎ'5a{nWh%` !.1 akIk,ԇ?U,mXyhܗE  AiʳkXޡ:(JLq[:2ql}: 0/LС&  } aK=)66-lsgґ~Mxknn%U FXeMhz01k8\C3Zk3" SU@#CTy/xCc6ús{_74'-g +]#~ꚦX$⚟/CP Rc|{,\䀑ܥ~@&Z≉CUѥ&p']@ 6&23@?T@7lAf=|C`4~<9|bō wAUPwgt{QХDŽrQk:^ \Ʋ9PB i EZxX2eLM@wC>K^XwȄ1bԟqCs DߌS,h Fx|}>A',$(~ 0[?64&8m>8iq܉')ʺ-׏ƮMs1#+nrKw`TRS#Do{IbMF(K$hdLh`d*o|$[7GH sVq޶Gg l\:jsM D{ȀuP SÕtD4Y :zIwR%> stream xZo⾕*| I- ؊S8- JǚG^H-,'qb) {yfVb?ʓUTl?K<]Q=]^R0'qpg !M'X6xo&-t~JbݯTl2ܾZ]< _lki,k) % ΧR ׅcDpI26 t;ǒT"{(Ju$4u?"б]w|4e*@IH]1l.ubCy)qKQ"e ^l}D"~8j&j+Fm<*/̲,L E\ZiUvl8h:pyA}Sn'Q|] ©OBGD! g!Q)xaQ(`!ZJnB`utgB>8J`闤\} ^{AXǚDP c'E+P\/ȂN"sY-;' iiLlk7IDB֫iN'\#feNY"z?;oˇnۢ" MP憾p% q*%o\v-L(`ZSil7xؐ~`)`G([/Eکs$gIxCGرT"h%W޾a.{cQ=T䉝^Y8e Uq`SC kq!LA} X~pIc, @\+?c | qB 3%@XO59\_E6ǎ=V>1abAb.9'x䵏4%G@&h.+d f`JѬ0r %ڠ?o:] øbOS(':0F$u_:Y/] JL@HNcYf B&\w$F ջr8 vE֤DC nx‡o<'rZK9tO݄(!e}xnfO-? t" 08x4G9s#Cʋi[Jq&Bw"!p) ҡ*HiDڤؘH= } N԰ +m^txu%tC*N8lb;NyaBS z8IւUXbDoω|(ntrʗYl &}sa9!7TZү{ᄐFhÞsoI 4t* UD-h+H>Cם벀.(gPk hy}; BWw]@tJdf>@8:3 PI2%˱9-{S*M LQ A*\-{Ȗ!<>إr?lmЮ]W ȯy.X㓟qP' / FHB5<<]y FqX.˫e460./EN~2 9ƲB=dLgR=Ω!MG #C <5E9HL'vG6)rLy,1a(@=X\cŌ ܺa #!Q35NJMkP'2irgI,pʎ\l^D?CZЅh\Gz] Xd-?,xIZi!qMDǹLaTz,C8-C d$AwC9ZauQTh993+v.Bm?)XaȟR9]m:/=yi0*'w;gԻ<̑}I(_g&IH%T1 ϫ!1tiR1_,US q+ h"NY gXh(pq: B֭v7>!^^Ɗy/8?O{)iRhHW2s W**Ի4 6zf:"Lr8L=]G,O +ƉpT0-pXՏGHNY1|C˼rf|݀*{F!D A*#ݧƳ XH1!"B?2IO"{HGB2";"qZp8c7hb%%X!?خy3|^NXf~6j `@eOxVۍw4%&hWPGx x?'8,3 endstream endobj 828 0 obj << /Length 2636 /Filter /FlateDecode >> stream xZoBJњ.E$IkwhsA@K+D)$wfgI:uq>pϙyf(>Gi<2RTturD0o'Ώzc)ϻ[F׋lSr,KFTk&ҺV|wRğߞٛ5ev4qMNtZbf$/ca"wC/U{AM)n8Z2N瓉}',[VnFS< .ʼnzxADzN$֋QAU3nHqle-u.MT4z\)X{q Aχ`G&iٹ"}] ,(!hf@)a2}Ky}(g-0U@#YOE![ NlZ eRALuF^V؝Y8rU]bAPp 8xC/ǹb`/YH-VS[>EdVQ^ @&zu^_0]i#M3.u8lYfU#ezX>{D w͂@o6|8Y<Ġ+<[ :,CX `ؖnJW)?j[/Oa _Q/BQsC*1]bV2caVaWta|>Xx8.dT_*Bhpv" $1%ѷ1f-4ldvη`E;5'r^T?_]]1r-AѦl]^Npx`8yUEZLH(xXhfO:>*o4w(q.˛t_ڐ9%C  xX0 J%R:R@רOp ZPHl-~jf=IaaXi)9E}&+[GF lt*\]]d܁B >G,AißX,؆{AJ|P,XAAt9$ nh*7$ZF3%!7І4|,T| yI)G{"Vy+T} v n !Pa/ӊPHEmfhcPIaH/# Ùk \o:<ĕY$D_'ϱ* uBcNO/l<9}-])]_t 0GC~y1se.’eNEfO]VVCWryXR3_4ׅ4eyC Ms–@V*_f%k />an˶`@> stream xXYoF~ R6{ˢ(NNXmE"BH"%*Ul =h7s0yB!H$7Q3#a㸳sOQ;?E Aڐb`0P~p< \75= .GͦږFHFũ E8|yZ\׳!9DȁVwV_S+*7epuZpOQJXn%,`2t#cv 蘱hp Noـmė4[%+ynqG3UNUK%ܕ̽XY@ o 'RC$Ź@pi\ /yB6 tVơ0htΒ&$@8l<77ZNwl#[DWtLuC`Ф$f͌ t[zvl)k;8g1_cLR ӞK|)i1CP8* 7g_T&qw#?M+Sc7c;[IJS.(*[7<1DE.Mz4\~Wq℀{\mtUSE8<^$٦<\u 16/܏?kZw]½4(  )}H`O;N{gAr¢äA"v!k ;dtAQurz] rk e=| +RPpO̽B eaC8) ÙWF` ǶѷqɾJILܡ\i⎺cpu>ò7ɬa  /r)_52ϦQ(sYV`G#3Z2|e?2IW N_c+ N-cŬQ2ϊ "ql kb-hf?9s8eB oIQ?={83R>F2CBL\~7dMT4,c#ίeV܅&%V$"< eH+'!c(Y7y?j.!&as_9qLp7^s*N4ẁ뺳{zn{.Zq-P`M7s6Zu endstream endobj 835 0 obj << /Length 2447 /Filter /FlateDecode >> stream xZs6BJN3Iιm3}-'T䯿]H~7@>h:Nl<ќ+d>f?u3X8|yqk)'4&6trq%u^-M<_OgB:-|Ng2-#/?9h='\SBì(#3hȧ4zF5X)nqv~"[L@Ukq9/?ojK=p™h68ж]ڂ0E"j.s7xL?[upPw&DR9uKNAW`j'?tEe8bm3H}IQR5zL Coh7rLf 6˧DFӣ#% y_˘%)'@MޖSi_T/Hq Q% z-rI2@ hV޻- (k3gA=Q}Ҁ]n] ;v\Fͩw TLUnZ:-+CGQQޔO}:۬?exq*9.i`ѳ@>UrQ(0)^"_ۨSA`;BI.[$uGx>7%b?*]x:Y |=(-%;|)M,W{&:Q$bcruBׇ??pY|{+zն`{yGKU/ @Z5\̅XY%/l:s[9/š"PB޸A =뀀sYTÏa61y!3D[ OA Od5av.n#u0dI;hw{_A%\9LѯUVw-8Ygڸ~VMqKaѹ3efĆ)wtgTSZ[a"E3ˁ:dhJmz$Sq WSrlH*In!S(sgp3jRbwxU{ İ/xg].~?R9G}k34s| 2DB9(P NPޜto",)S/R)]S(|† UN(/]hЦpצ` 88Bgۦ\paצAӦHh,=ԟHI';?6'0!N,vmל^s…6l T0l8gD9qrv@~@xqB āqqEG HK2!\ pO _ɪ)!K1 Uڎ&˃^WR$FeRfcZFw s)Xu+؝x$`mێ c|]_xG,i~BqNBbkPlX.&31fJJ#b2#のm j<Gt c ޮb8H6U6wlW L@Σ?l^+҉*q*e32GhuSY\WdL\rJ|{gr]mZ1[urW;?A?}7)fB;z>UqPi;>cA{0+~nYE86'UPA5fY( Ui5՘ڂ!@V_i$f&R?PAM"*6>xs!gFWY tfNB4. 1+}Žáj' -ak g9k^Y9BIw_".3ۈ ЩUfC4Aegy}[Mg/( d endstream endobj 843 0 obj << /Length 2398 /Filter /FlateDecode >> stream xZ[oF~R98dl6@(hj,H-/u~ϙ Et@3~f]BqNR,YdV>|ut!#ʫR.hD(1>dN7ːsP|OU!KOw>DIީRQJЄ-Dʅ., :myxA)Id"׭!]tTJ{^6hh)-e7Qɳ )'T~_Rv\#]Ub2>-{EtR3:ZmVUVMTͩ,϶,dzOjZʳ;;:Z4tjZ^A?}*͉kub1tjCd3P&~[9*qoFzi]6Kh‰7YJhkݗY3븘D9 QAA4n+sm꾳Bf KZەd'9l('gCZp۳h-jl N6X.n~'Dax-ӄH?d2FS1rЈb\ž[*lM3 1gdr|ލkUb† kIк-a톇]_FOL.^:獮쓮eحv)s:ڳϺ`B䵱Ou\f=)Ӟ`-:\:22+*pLo>v JLX՛Gs)~{s}B /On.s'oZvƳLCs(Dr`$ I/PjAlq !gbi[m]*ÓeS Ntrgس0`̿)!fM]-k_jr/SƀsЇJjvP1rȬo3ve~'3\>]oC9%j՛x}uPA:[)SBn7*&4Y4kz4! ؏a5"gF !چsr%|, 4Rp)AR}YxikK~A;'$ʡ/ "5vѤh'͌PDyJdLVD`䐍7=2voIz ꀨX :+Cm.I:/n7$pE]=`PF@ć'h!#8#ypD>c!!d.M "Xdp P+tNsghp)la1;}oGwm/ Nzx=Xcf)m;vtɚrh+łru8"56n^C^G_V0I 'y2P vu3HrnpN)]]21F yx74 D1p;`j3pp80]86$$͙{t C}hB o0a!wb4ЌfF79AF7\ޜi$Nlć&vJd]|PU1tn dp?aKvSWx8K{7IU|t'WOk.]GeكO>pf34)@NytJ9pO=7,N ǯ? &k#'^Q [qp} m8`9P>OXWYg/*F׊y'ӑx3# endstream endobj 849 0 obj << /Length 2690 /Filter /FlateDecode >> stream xioA?i#R pt]7]twahg`44uGR5d E8t]BsNR,m>.՟^Pn W/^Itqy=uYn]7<,WBU~7yΗ+2-#._r8J2LpR [PNb!A()M8˕T,:+v7E-ӲKwsi(8PM?n h:ڷ)ISA1`eY&S$E[@%&?<H{EbId]f՘ !>*^LQ{Et-uٞEŵS'5U'D^ίnN$&ppC!z۩ It[j<1>37C1R#i'LD^-|# 8Q"5JYۡ %SB`UH1X҆NњH6+]L݃l|JU#5c/2Q7&^{&$eC[:(MHʞԠjSL.A g0L+_KdVBY*H?eL҄9IQF0wхRxFo^@! +1`S xl>W+?d4:c_+Q U䭝Mˌ cu%ݮ7!iӄ$Xp}Psd_ %b I'tD\~7=L$`PS}%ZP`GX1b1R6J-~ pQ@subOS1]K),E_۫ѣ9^CD+DhB=iS DQF]PdGYRb"{B 9-"ʼML/Cf!&Q fvC'(ĉz["Dj >ŀ6~(1mU=*.*I P'*, {^T:}TEҔ/ '*rQ Qɧ DcG_'aT:qCT:ԗJ+QyQݮ,UV_-SdRjKNܬ{էR!]ԻRh}\MEIHi(#=pg^{CpfZ1f.o͝a+aoz z:b<8y7WAn/~w,x/ uv:;,Re|t{sf_l׷մ8O3$޵c|Nde麀(U \}f1/}(>+!/#xl-OFFH9K*LkfstC5h+]W]S|HtI$ W3W?n1 }옇\$M3w~om&1"~«izN3ʃZ!q>ӎV Uߺ_5V--%̄S 1v `5)Y RW4c_-{WE2-mni=ee뺳mus`Oynj=&_/<᚞<֬#@U6M(IzXG) ֑|RGb w_KSmMmfd26U_E<|np]?z44ݳuɣܖoCWQEۑߺ;v;1Hץ/ =hUɠe_}Ur~֍nf΋nN^#fr5%aY.:%FNgy{R8oߝ:˳?_x+ s) { endstream endobj 852 0 obj << /Length 3220 /Filter /FlateDecode >> stream xZo8_{|yDjfCn{iP[Bm+Mp/[Na}8Er3ΐ|ȟi)Y,Y?mou3>n.#]< qE~gCRw7MVRJO0_(xuVeE":?{ӣӋn@\|`QWVBVVE5%*&?˨7o7uSm7Op0K8E2= 0E4I] /*Lq55~ot |'|yS0bTq?5DD8ʷ9@$I+zyzqyFzhX\4JW7Qz2EF3ؚp@çd0I24y^ ga"/nw=y2!؋Z3GJ;L|,~q7I„L1ԓ $ؓ,3 "r2ɥwGZ(hm&cCM3*;)ń{`-!)aEQlЊ{ ݃uL1Yk av|[)NJ #o—議o୰oѕ߫ۧx+[oeiŀ!oEKZ)‰AAPw'ˆ]z[$VZ8m^P/YӬ5E5##[Ÿ,u.xϝsc ʭ2sQzźV봲40HtݺBIJUv<9E*0TcFȭyK`ڽnUa Z(|̪E H%9O 8]d멕9lOC0!E`b!j\mj{/sNr.TYnꬂ@9BI얿kmY_EF&A̫,qhtK1ubqMV%lEދ 0 yNb<|Y9Y^) x5W>bDpW&lZe+$5fȌG- ([AwFa[Y#péh|y bbVx]WZfqH4qU)d](O"*DlKAѠUe7y qF툒'Q7YdLGJ6 EJB˶b_'5H,^)>( }8ڀӂv{.n@uqFC;82dL(%|O.'QJbZ!E4B.$:-k/o tbŔ탑$Rx݋qV`֙6A,pP|U,ms_5A[I"C6ZZ81V!kjVd`d`ԛ/vbZ;YpPD"דmevR6\bRҙ.dJ}H&-.|zM;sj8CueR".Bw &b>>O pHy4Y{K*K8S`&eB1?K nL 9Y^>=Z:0nENEȄ >1jm8ODĄ9 KpeaqюNr &@G"^~{D,Hi -` n >=Ve7GaFh@ )v9|p {'3|B0'1i$2wOJDeB3 `~JsR\o}_Q}Cfr p4vw fZaC1k3;#b¯}0AF1_GG?<5F,MW? a~@+ow~G`c]1N si704>"E{jDIjzSVP%V&B_ʯCcVF>tu?hukȜH줣󧰰NdƌvkMs'9!@7h65VYJ\.ױ.+Ig.fBgU $A|ܪ12YX Ltڅ\s Z;]ӶȀ́U/ z(/ȇ%*E(a&\n^bMW4֕1#\O SVS墊S&+`YVl0.7|H_m{8/Yq1N7(H·2u4Iw z~_L> stream xڭZ[s۸~ϯR%vxNvlUɦZm)R!)N{.@l%x$AY xәif͋Ԏ673ws[d?|SSg)z>9Ͷ]D0_0Ɠ:ojD?8_KqBNGt,>Ž~`oW1B**(uF `]rwU9sc]m561k]r!0_,0[q7Q I)~JUƓΚ^沭PB[ރ7٪{%IJkf>'ylk,Jpg]]vQ%9XU!=Z   a y}2_q,k eßb=!;u QER-š >_^wh9[)y’)QATOܴ螉^^Di&wˍy..F:6w<*U'2<U}Jſf n8"[N%~BBOj vNM pEM=LpWRxg|7E\IԶz&]"Dbiw$ ~RH.@pB`i\"9BY {l5{=4tPǙ).WJ@j`O;SW1l;WI31a[Ky w&15,歷{BSSi]cvE˳؎XxrJM-œP>B! A%F-g빆Z#__e9%B jEjX:HC p] iij0zgFX}InPCc(BN<WkmsW"Q+{(r rA_*,*+K0MEy7^ A{T|#8l0.kO鄘_BuDMݑ;HQ. kxm[N^L< (¡=s}ۏ*eBO{X*T9eVLE۽RdU .]XST@ΎDPņM瑄H> stream xYoݿBohʹg1 4EF[YDRv?FBs껯g)L3I)Lֻ֏37y-bp?|SSg!!}m^D~;_0Ɠ6jDFr}@ &s(1$ cL(0e%_yG7S%ui| "Mm. j14Eb/E=a0تKq1 `ՠT Txɪ\$7l='*hvyuv{PJ6;1DiAj L: W1rGc@m묚㤙/pɾ5dU:C{wͦl7JrJ*q 6g[ _ʶEo܉fߺy:uQ=-f'1_`c]m'RF;9D SNK!&ksV+w=Vnœf dG@W14bZ S،Q29ARsg <~VEUEV.YQ"Ӌ_2/Wφ|kc)`8O A U\s8ցqˬ=Jf f6;iL/'Ht8%*C"A'ڄ~^0LHoI`} Ed6$t=w9N"μN@4-'_hZ@ŃFh| .yq%/&߻ɷ;⻀២r%ُzsɾc_[QWɿv1o2Kuy~en$;g .PK fKy(Vibvϔ$&}0䌻K>H,ƅtƴOtDH]s)b 1 A,@󋽹i)[9jd#xD˫Ix HJA ۘ".Mw #T\F-F1 b$ظ<їg/B%a<~ c`ya`Q;!x^C稥h(**r^"L(Hr!y>0rrP(l$aF Zlb{9IhWai`J sB(@ iu4ʩj1BS&LI`iD$ S5v9iMRx 9i˛L^'%A8W2X i$k%R0]zzt`&(6$-I6p3C7`w'N4Mz}< ST7.k/pa%kYEj;ڟtAg*Heҙ%ɡ{yӘ3=]fMPqT;s.N%'} ͷ{x5=UQ=y3.fۧuUfO>a*AR棠>eb;f.m}3+qei {,t-N~ܷLԖ$$ !Ėܮ)^]cB 6L7KU>pUlFJ2f;HDG9WʡyK'_LYy"W0ё>#1&D۳31@T<5mkZhC,C 6(LJ )M/5P}Y,mnaݎ2az"2*sCG#D#c% CN&_tct_/D1cۊ.x5fB]/ endstream endobj 862 0 obj << /Length 1995 /Filter /FlateDecode >> stream xY[oD~">Ol"`*o4ֺvnΙ6]̹wI$?i9hV _"n"i As꠿^sM&b|꼣w0X )cc IqV ${7ǮMCE 2dS7S"GAY|x)0bL*ZyINr{MrcYm\v,vP ͳcp`Pz ǰo欹YvgS3O"^/T0nG5u8'k(bmNIh;9KKF5(:ݚK}_A3 'o-rNbb;# KI Z {C C+4t2Q2uiG>ݦ gR7fъ S[M=6^ Y۶!oߘcdV[ -P[% YmRPN3RGY ߲+'];="k$%yESg\7uV#|Gbli{% ! X'/_|,$CL}Pt;fq6+dW\{ ur/m Mg6lҗjΎ uX$Kmļpb؅'MZby0Ƽގ18&0I<bob 1b2N3aμ50AV8vYР˷c#qxI޼υ^8p$>\@'6VjVU7{v'[ZMhOَfhfAwDRy]JJ˶oGaUc?o_ C?u9B}(}GVqȊuߑ<,nfZڙu߱3-gv\בG0w:kak ]s-l5bĥH~~-:` ~dk7~ds endstream endobj 867 0 obj << /Length 2811 /Filter /FlateDecode >> stream xko6{~ˈqCKZnC3]WVړI|菿P5ݤEpEy7$$OREe'ݣBۛ#xK@\N0?z"Od(0')lk}.Z }XFQ)6E[ԫbTJ >z~>+)ɀ%6RF-dL_)tn_Y[T:PY`OsPiP&2a:n$J@7#eԂ,9 DuC=x F|oV oX@R\$Ko+8% t4 d.ָkOa hDf,#k:G1+k>ִ  K8a RlFzzsWvEl~MSU P7(0x]}U >;Щ- *C: mIڕ M]_.-̆kCw8jլ 9,h'I*$DV+~ ş1:!C1  1(&E*0-q  t Za\Iڎg8عMZ~(!٪o]w}a*ԄpP\z1) ''YK-~-Ov'pc <1wFBCܿ8w YزGX;&u nU%ɲDbٙO)( \K\cM6µ@A s]mW!Z޴}i*pv0ޗ)1no>fe1QE<ߩ-O$w`N U٢g8!aGkh!P}U2=qi"t>^</aaav ͎*Si66zNR\Wu !&&K޷e Rˠ]oI$bmzC3ÐxjiiA$~\ p%9]߸z]bDx2J kT|XJ[V:XqΪ (+[`{X.}:sSJ@?fcFd_U LfѾw; Nqo,-3iFFH!e9c9:^6/Ks8L_g`mC>B邽ҤsHG֞ V$%WVHQr"EXNǺXW}#kND`\u.b5G衩Pu-!ʱe%kUH! UGgֱ >f;HBfӡvBAƮti3r>) uz:XL H<0;;+hr/ B 3դYf3C֘qݣlEaV80J1N8 1i;.`zzQ /@! WmqFw1w;VE0 ԈTJ7n Bla 1;R$p To?,IXfb@%+<GZdc6Cx4Vk=Mi;ݢ~=w4U#`hÕH!@ /8?T} u  P# RE*NآV tdpW?wt%<-PX[Rť; bñM"K i9MOn[}t)Ν `AlfGM-F ɉB.PC} XFW{35X;dq0I4Bq7.V B9J#"FuW $< OT㋧ +=q3Y1^т)ʳ~\{ _Zǿd, wgEqEq /puP^;ޱBXO!*MQ(խPP>g$.&OB\ov-|DG?t38H!7?Hxuj6҃n ':x&U3;vn".㛹V3+9c<.[q`W=ڽI1ѱaֹ?,BGc]EfƟU𛟼 _ 3| ">JD*DGo=~y{ve;hvN^AI)ggsF-v'!V>  2bZ|>z/C=DP?-}X1¤dk益'ipk߁DvAXŘfp57?_Dk_`E~ඨ ЦRB!B_o)Q endstream endobj 871 0 obj << /Length 2382 /Filter /FlateDecode >> stream xZ[o~ϯܮZvMgbihl91[%%3)9$%6;c΍<߹0t?:*Œַ#7&pќyAGWl9{Wn۪O8a<BfyUWi5i 9ŇdDpP*RCHA(N>Ϳr'~?% &*^;On}(,R50 J"@1lmXdOa9ۊl,U[}kem<$!لPiH0¾4i*S^_BH4M;G;T[;9MAMɚ?HkWDGTUyy)!KOW?=LSfwMɣ|]wGrp8 !hZ9Rpt~U].qwZXN)@&KS%FjHSz^N+r}I5Q;i0@"|6niجد{(37U,: R(FFٞޱ Ynї%NQ{G}:ʽUN" FPx[uY]4lu  P^ ?[z`J ) Yܙ67l7i[oGA*ltwh LnG1әOtU-t3m%y"\v s${^yZ*lR l޿je%34ѰŜu>Kpw"Jڥ'-G?_gcC%%s/U ¥> *nSd\e}yH BCbBcgJUާpvkIsyKhO]uz,%_ŎBl D>CHhmIq^GM):+^wA =n(e֭IȎtr8Q%"gQ^CRD" ssN|2~QD<=2% A%*Y>Ŗ"Ǵٜ]z[>nVHM &UHQx|TX;+ەa22 - IH6GiA^3 _/< $T{Spɉ6* X [H@v0m+8q 01 @?)ҽ^&-;͢ve=G^دoV Iê%R3mDrrIRqR L2d'Ԓ9uQD[D>wMTQĈT 3,;M08#1A 6 ^B|=~ fK^CvQ\Jv,y8:yإI٤?w # D K]HɓI&I:8V&B.Yw,9Tz߱$=BD5Pn%m#S&q8'7c*! `} eb/st.0aJsb3av3AdK0zjS$rU4 ;+KT6Mr팇6; 3QEZ۴k1\܂ we[)0^@]#s`8 1I`xPi9L3,؏$cr'1 %XB݉{4%UB3gNl*~qM[z,e<5bRX90. fc4UФ4Y4m0m:Sp*&SbXao"QǠ2oEd5U;GD_ۧ2e**S|uc=CkjIR0+- B6Ǣtݥ. _FpoÐ@|w~uÓt(2ssL7,g^L7u]ٚ^gUX8~G㑶 ,l<"BˀS endstream endobj 874 0 obj << /Length 2744 /Filter /FlateDecode >> stream x[s_'6%'poK.f\FZ,kI==%!+*kfk̲U*V~,U{fEq囿Ԋ~luy=$u>zɾ5z#Ÿ)6)Sʓz7/{Ve‘C()[HLH㻪\k]IiC~FQ^1JqH4Kb6LI&!iUצكQB*P WEegk+ H>ʲJ,\mCPty PmF`#:G`԰S[g#4 Yۣ:)~EGS-r>bj^uGB*_22esݯW`[;rPbͿs -). @ b? v+ggp8Ҳ3TCҪl9Ì,>sw- $`Va'C.fPC16"PgBAhX@y<`ÐÓb!@h`B?G0ty!3 K?Ei"|], yAEA%bi0>_,@^8k(L %x|Z^Xq C?z0@-Z&lf0l (2ocp"Cy0JsU_}qՓxAڴpK- u[w*Lyn.a0 cgR>tN>Кj2spUzOn@o&ǽCgN=v`wan$6Tȭn0m$ ̨s ]io44! oc4y 8 _‡4) ^O3'tbl(٪vzyiƼ:2C[%Yf*eG_bk[tQmm^xPGާ)Ög^ wE1?]C!3BXp;'.Mcm^uХCݧˁu4ݞv/[4Ԯgm&uHCAxcA?{'į3yhDz'0 ̵]jSd ch EOh3BBAЁ?2t>pQ%%u4бnҏ@䴯"ѱx[ ۯ3xZB|Ώ߁\}=t`wH"E;HR<'@x3 c>vUCm| av5P@dA`́^K4.@r-֊a'<ZI5Mqxɜx:Ȼhy1s}MZp37%ۃmx:kT<ٻ$s[ԍfV*/ѤNahwjv:=svWpI" KeB a@7wROsm2pϡn+/GmRǚm f|=5&`0tf:S8Ԋ;m}$3UdSdi2TN6O;fXкc,u)#[ >Ydu+/-!nOLH t.`4mN54wbnx_Vm9-w7#:e4f c_|/d?X_sEFgxyۓ6+[`۫!8/q⢅T5,+h΍ѭ>Kcs,s{N:LkӶ 9OHJ,R;iu_m/(1B^ cfCM)<6}xYdHA$kWd3-َPy!#w_3tV iu_!)|G 4ڮ>FwG٧RkT!%MnPҚf 4(ڍE[Ǡ*;WZ"BCcx%ݵ8E k)a/Ҥ-E$C.c%!jJ.ഝ# pg2{O(޽ fK G#˯rJ vpCjF$ͪPwѢ? `^5c+&:lKT0|NkK6W.Еmi,W2a\OB)3*w+hڷTyfT6RʏxBJٺZ~ٱnE6r[Hh .yk Ŏ7 w2]i_"ߝ{xNE+|q0M'3-9b[Xpq-AybQuZ@-G?xX,[jSbB쓣 CfKkcZ@zց, ,-\ endstream endobj 881 0 obj << /Length 3097 /Filter /FlateDecode >> stream xڵk۸{~/+ZiQ Kr"٢E \[XYrd;JW>oQYD$5"*r4 Eeb"vE_HПA}~+<~fɻCo+? C/}uGQ}05ua|4^z&Ny)D6Z%Y$df;CX5C'[ qYK~,<_2iρL 8%X N)δ_Y=D^uyM3bJzET|5op}MgnʭzFe@Rח˦f7v ` oy>t4i(P5}+jvSRcvޚ RuU7C2#a-I?| KBf].z**P{%r8 mU-!ym ,op2C]L3T#ޘz,Aa--UŲ偈h5dywm5( :ӀbUg7)ٙtBe4 dWkP4tf64 Xhx5jr.' Ayoq;^K6CQ"C",.:Mzz7]&veThZvrW#mW5-;:D2z @ԁc2_pHTgyYjc:* ?ϫ9uhw` kn-9 VA7 8PK!' fԙ]2,:6RV`q{͊XNkA<.YSI=Hһ &KcsgZh7{溳KХ8 pTy[SVWG9zR\~J/,20㖃 $0 r#@J&slZ%n~lX*QG^ֆ\*wVKhLzyiSezkSjޯU_*ûN}Y {tݒv d O T 𢁆" tO{v¬$ U%C=7,/CQ%RAd*Don~^BHJ [vh|le!@Y $ B ,R17I%?[l z|,6RxOl ߶Kǩd Q"w׷PMSdw%@ ~WՂ=R-_wp6dt9%Jceqx ipUSvfpyT/ +q?\ ˓cyQ}ŭH(O>FP>E$ǪWW2 bL3*I="=#q Ph#7on E#O8ϯMv{FP':gT8g?1 }A5@XPc-)cH`SDiY[e'l6hVB`wͯױڟS-l'Z|v}^E.^l_۶oon~^obwӀK7>7ew]S+qܟҩ=JM)@g 5sDKJ8 k"K4-ԅsP~PV[ؙ gZ+vyMSMF,6+C lP"9;URrC)fpl'R1 Kt##}r ”\]-9$A*/,r҉Θ=c\?gdoIvw3D_< LU`J N,upwsMe5Ř܆(7:*Jʃ)ϾouaQ;AB7c~heZqPrxʡG(%zKb[]}/܏) d @(M@%BB85Q[tYJpR*d^V 2 %R੗$+-:?52L)uݕ^< Id!DQ.ngKmM,1Չhii*3;mg6bL˄LY(XgA_EPx (r y:p-H! PZ})Kq |I'*Wᬢ b7 OZGOWq =@488&_%ȆkxJ1xsm2sfbR/p{NQt~%?FؘP V1Gk !7s9grS!=ʗ_ @PIoz2,' eHUxqTcF0?xSA G%h2-]+.r_$();1 ry+ ԨlȎqz]oP$M+Jk:x 3 8X߱/#g+g !+?p/r [l*Ǒ{PZH8>,jnr>"4Ejg\MA_/7;)_X3\&C' endstream endobj 795 0 obj << /Type /ObjStm /N 100 /First 887 /Length 1942 /Filter /FlateDecode >> stream xZmo7_r, A.uQjϬԞd `[∜&BƙT!x}29r2,&$obXOF:|lrg2Y(;1IA3 Kс9c)*+ 2c)2CfT%b=@T,1DQ- DA 3DȔA0)ǒN;K349)N>@@`SV 822ATT| Ȇa >ԾA '!1a CW /N"}<`Ә  b/V $IݣOzɰv!N(c(* tbvҝu\sVX2Ą5`#H<%ZHP$D%6ǣ@A()le!#I}*`Vfκ}I vN 2$hE9dNA O &X&[yD偸Iuaʊ: W/ AeV>6Tm~JTA5"7L$\L 8w٨:oyTO-|$;-JRU/nkSToy3’sUg8KUUlVI.w֋j:~f^;!޿1> l~l *}9UϛUXoY`"t$R_nOOg S_iwU;o[;ioyaqTWC޴gQ OokYޔsy7;3_fo>m4h5 <ku;]VU.-B'esD}SAw‘V[Э1٨Y6ոqr(hK\6b<[۹Z<Xyx˅Mz~#>oih5MKtVPiZ!뻳1~}>Rp1pxPBubQicSa#6OdQH]0Ẽz]2y/ռ 6s ~sTz<{Z>2޶^fq]-E=~_dztX^l(uPK̓^  7O` CB[' NuxuyĉM1>OduFqxrc˦wb^XK35&y ]5h HpPjB?Moo6ѕb%3*hY'ZAf> stream x[_oܸϧRed)9&jBd!)(kכX(`)r34MlhΉ&_U~38ŋ?(eB3b3Ke"yZ7M9qS2Xg3f0g/~~q~M%;qME ͈2QFʅ_Wz3ia*X)qe~.x7yD31CL2PǼ)]xKi*X(z3RdgQ^;O!AӺ\eZwۢXq*믎fݍ{,}0Nf7 je jEdF2`6,YǟHzp" ^%o^=A43(%,ъ|0M;c6ٶSؕ9j qՑ7+8p!{Sn8g2ҽhx(S 3InP8ذ'4 UؑR>LM2U<|9# -TX01+SV^eSviATt*uLѶ#^IDy]Nau3nu3Ӧk \o|]kEqܗUrV5θp*Jam"3V9K@A<Ѵy)>ݶe'`O~0@es D׋1)2a.w9&BK2Eyit9WWwV!ySz9 >Uhi,`hPOʭةoswdpX=, ܑ5("{֎9Q%hvaQ<1RkHBdʩ$,c@ $"C iybb)n1H|$$@eK3.q*f5 T"hyt ޯK,Z208U*F@Çw #h熟!Q}^1-DzPvS?_w xƻ#Q!0pF'EތZ2:1 E,?I|Z* %ˎG@h'a[Fe1'Kv=ws|8B/2A \ h!3b<fɈI,D<)`3}qLH; 3\YbfYgrk#`@ĨyX6B>)0dQxb m- {>cNIB3([ph݆W%&v-U >[i-җU{|5BJUmyvh |׀sg%\uLGjxzv['(k7ruoՔ7U??$Pya׏uU~ Y ZUD.$n_atKĨA6e(2~8 D<*(V}ţl37nB@7% {_ O>8ac1 5U*4j rفzD jڼH"mìE >rRb;m ,aaҹp+RO#DF0E}y(dL<~u ttnh1mMH5!㾷&dnkBf_tByg: EsEK[(> stream x[[o~Dt[h٢in`$&+Rg. EYEb@LF̹}2\2hxFl5ver4d0nHc,R8:]i:QM~t6Ts(9|20N0fʜ NM=.zAdaŽ(3MjeLW!UQn!/֛NYLg!Q%sW1ºud9ƈJ 0Ib^ 5#Rb0" @ A7iiumrK.lt=Ȗ74MȒgZ F ?K*vT_v)X`K5rD9 CbZTP;>tQN*46)q8DlT7DjD4%4],1UpFH&Q O_`_4ws1`*ZsKJr0T)7pfQ\:$JsY-2R8U纰x:|8GOo/X|WW#kكRB\/)}q Z}'GwyP18Uc.oS:(18P˕ɒzb"vDZ`^0D.Ӣmhǭ߯ZmO߲hq&N""?II$NiIȽB4A>WSkYc$Rc:EX(ib?ˇo*;s 1ˋ>=_OWXHnCd+=Hbd %A-[i}r{`MZX \us@,ebVY@&U%' 8<{B?F [`5T#iUB IQH-h%MN:M{3$CM A%l9d$*uR-jwD,G$^+,%WMlq7O>cW|4ҒJ7P`0V!PMn:mR`:ZiC#JN8b@.VNJ7iZnҲ,Z"*4Jvc㜭Vv =z15w֔N*SJ #-aXϒhRb8ٖFiE+mLm\SaI jLI$mXY A1A؇k1cT-+ЙB[WSO8l2%"ȸ<g,-&#+Z}RBGCa3#Ҁ}nj铅;H[_V>G0x0~=RP])U̒z*%)5;jzhIO'O+Ne'0~Nq|'H|!I<3OFS﹉P|ʽ ~|roKwt?{O:9iH4r3&s 4-L\ݹ%a"<1cIuk`9w1o(ዩE77a ػ57r~ݿ]ŐmulGn hxݬf rWqQYuclbZ(R +ɚ endstream endobj 899 0 obj << /Length 2922 /Filter /FlateDecode >> stream xn_o \y Jԍcw˚ܐ\)9ë(K 3~Xp/"XE{nY7τ[r;c'bqq5Du^N顱R)Dߞ,6OVvٓLddO>\|EGHHS\8p c̈́T4'KMZy Yyܟ(+)E*DBgH+B$c6{m}8aI(C+dB~ȃىNY*P@/o71ߗ=~&oI΍3i?Ae\;aI;p4oM6GC/s u S,DŽ;Ep#|W4aemoW2m!\x'Z6ꕧ:KvX_#Xt9DJLꅉ끗NP:j&QB]ssW5A_{|,t`1mmoUcۖ'I1{:y w3 NCҬ*1 jag/\6_€>"è:Ӻ*g1iPoaς;[yJ5R #TuC`\֦dp.G r`gގ#hڧ-mO͒3㸰x6َmFGeV w"q􌷎i(UOy;[h-8ޣޟGQIC(H'ʇ)(#h''Ym79۬w`X3 l>i/\ܞ*x-ZAXTH~MzYX?d!eKSxw9k~{@d迗{^ ͵%YYU~M4 Qz>q-fD/QV/Z$=Œ/>\ߑ뾜~S,͖)dyuXZ|piJ:غi]K,# >_.ϏY?09]9L|~#dkdE=lV=qjR[J85i ‰kTX?\6} 8Gñ!zȪZN~̄$( -ۺb 02qb0X?oFe($TJy˶)/^h'j# E]t"C'R 3 E=2`IRS!@_SitvKzĘb]'!,!B$al>b%w-՜|e6qϛ<-\|vfKwfkn.eS&?ygIj&<\gU65ݗu.25ݶp Ԭozz~<:W?*{ǺmV>͞(n f>?B4Eg_fjyݧ~$k wI&pFKhp"@He*áMeTa*O"#DI<%F=ĨII{ךgv2nL*wπ<90Y>M-xF 'KƜE̱X{,]($)_4_Og Ox|78&K ~ậ sPޣ(VE'i3UPr&.jsS/r1A5Goiwo-v=ȯaL;F:6}@kIRe*ws"&fGB*0z_]I5Nt%Qxè`?a)y!R2%Q$B>M1\1jrud,c f:@x@7$] uUSNWZ$Dx߰ ήX5NZ ~KI'豇2M ):;?6@+ ̊J6dpDjmE8Mː'McLdž44ۨZ㏀oKox)4I;?h)|.dO4{-?m%M~(f.Ȥ ,ֆx endstream endobj 904 0 obj << /Length 2812 /Filter /FlateDecode >> stream xZ[ۺ~ϯ0RYN< 8=1IPl[Zr6ۢ3$%Z:t&@37Y4f>z~t \_>+)g4'E^*d\f/oۮL0_!_j_5j`2t~ӳ尕d3!#2P.޾UW9 `QJ ).\pcWnͧ]Æ2^m/Am֩<ܐ={ܳ/B0zVSAR&1‰ }YN$;Kq" y'hg(anxt0."mB j=smkZ+x\DS$="W$"㜙wI˩T#@B^8S/<>͙άձjߪIl5lTLT]f QJ͔+ifx1=g1,rD8at𮫔G'jl&ȍ$R R"ō.9A[L@NYZ <&*ev*E8$&P4C| B1(1~a|AZ<ঙ7JdB@>KN \cOpHciS!%/ii i,sӧPo ̐ba4FQ6;](8 ׫ghd]^ Oyh-olNEtw9Mʣi{<fn>-xy`seu!ͽ+ @Mě1+HZa .P@!FpG%|7 $ѝoo^"bXxm=4^Wt?`D^lgkL4WobNe!+*4Q˂#GLlz`j_vjt\C=kAn)-p`"B?1\f B ni>nV7uWv\mW!d X^>)ӈ4?SBڦ"V] #v׻C qPX.@Z:֧dr]%cFaBϛ]W9A> dVe :QW5гO6T9mz[2ǽ|KnjZ M,a^Y͔܃#A ![PЖ[_'v3QIceV8ܦAOܧwX!9SY p$1E *@qMg'fDbذ37M3@ܶ\wm1/ oS\x3G FJt,Rt5R;x(yiczK izHyغa;.Ru`oK8Տ!)z(2*;h4nrAwۡEUg} w0jHV''<ۤ& endstream endobj 907 0 obj << /Length 2221 /Filter /FlateDecode >> stream xZ[o~#UXӹ_:Nvk-AHM,${̐"eRmJ€Es\s?6rtd N(\|| ,4V}zwJ%:67IMOLD'Rczj'qǟ?NkV=+ؔ GJ„ ;l?#cXG 4,}_~fzVkڤ-^;U42MpɫE50K,)w1DP]X򲋒0DGPZYl\FUC6;a5^z&cn,)|\nL#Ga՗kd^X[떌']e1/nrw">XCyQ7vN\kc4QRFmLѵ afٓyeB#tj(<.(I@+^C ]n B#/ӳ~2.mE]7q*HV.2S2!C.LKy359qnmzi?9XjC.z ErԺʵv;kQ;ߦ(`;kc1 ʿx?b1Bh'JJj#<9Ka;ISw⛜.e." t$Q/߬~/32Y-|y.ƒyv}$lr46]5ю@ "`ZrM@]$e5Z'tYk flvן*((& 0^SErF୨D.ɮ\"`Xt ++ϊPRX}7UP-)p,1\S)\N8r 3y*HM@d"ܽ lY(I:QaI,77њ)ruY~o.S4M -[L$2n$8gu~S[E$b09K/\T' ;^G"ge5[feYQꢽ Ҽ*,OiY.SuXs-$BAi[xU%D EU[*{7Yң* h[g{@*]g k)VkgRbGg>0KF(_Ύ~vNP>y:C}b,fNKW=[CQ Ѫ=.!2ӆ(fBxȘ>^tgs:Y_Ѩh@(?'>A`HA;0 MƯ?|-m!0 8{ dA  B@w8I |MLZ[VY͖ٿӢkLJwer`n۳X^ !b[ƾ@7a-)|g{ZT %FfW<A 6PYuHcY#0mq.)l\Q"ٽh=eWpqxX??_ HK8gta{DI23ĺuq^-OS<e됡zB b4z‰e`cK/Y?'@v(vUp XR&*lqC\H\TRW̝5 PDFdtŵig$:G{* endstream endobj 910 0 obj << /Length 2489 /Filter /FlateDecode >> stream x\KsWr ZN-q.oV%kb\0IIu~}g @S$ LJ{g=n6rtd Nt~C(| &0pۛ?ԈQcۻcTD'RXi1pǍʔmJq~pIIwH[Iab[z\Ygc)IݍAOyQ1n?OkUˤ JTѨuH¥hUj=@Ir'#G;ӈ:vs/Gn̝%cY+Hm`3Mo/qW2K,~͑\s$Dr7eńI4Z&hbP?2Gն9DfbmVX-R8=҆bmi Lڶbh"o w+¨Eˬ&T0]e I]eb]`7]a79-v]jI Cb7!t҃AW0bK]o fn-tnsZv͹OI e/}N\6"Ti\K 捻,4HRPFsWBV }D,G6;0a-z>2`f ^9N|^6ʢH4 }cDÿ`N$Y^UK8l:HN%sA]/Õ~LY׏ElOPUqY6Qk;HӼ,͍ 8pu2IXFN$b1]}{w9Gk8Jw(Dq\wлYVG<.d-KXpƳk\y2p]RUROs򼨪fiٺe17nG-`}<88]GRY:Ѹ+#̞ GB-b"PQW@|  I')0!Ƶtq )eBp HKF⓰"gęAMR bޓI .@69?]s #v;+(nrؾ\6@=0UÓ 8xƝGJZNm}/%1C̹%6M82Dq%u%%0 zjs+z dJz.$%0 N3HCpHP?\(F=ðQk2Y3MKD'(]pщ] HQVD\;\(↌"l5gX6Rs:RXƮi]il.A‚J{vMY ,-'RlH]䏒XG]k&}$"R&}qד>Ja\>:Ѹ(i`U-uHGc㙯r"SoqT-r?9ůp'X C1 eRp%X B1\``7T)`<,I_rKt+`eJfEUxk@i&i @YאBo;Lc@ kƀ5 8",/9M,&~;YLz)9 &}^k p~n=^X!tǵP"x &0lלA1 kr| ;,fS ZEk hA[v洠sc0K.M6eMU>f}wx\}w(IX}D] M]O0wỈw=s.zw|eDMe2E=KHK^SHXݞ؏@%6_a"|C>?xb ngUxher~R˧ЉWT?=&?[T e-f~>jͫn?{;vLLX0be 6u c* 2Vp\QrfU~VNwq8uki<.i]̖=|6"57mlY8ZY] ZM?Qo2hzY]"l-kQ9yϋca>;jaӁUӝr~f˲ __p.͟b91jyW_hBʭx4l];-Ӫ U>==+0b endstream endobj 913 0 obj << /Length 2313 /Filter /FlateDecode >> stream x[m۸EK^p,Ipllm9ޯHɦOv1C֢pzXў8i{[=7W,ˡcW?TQcuQ޻*\s)Ukq_̋q2%nmU)ƠԄ)V&ٻ׳i۬*V8<-rX}c88Jȅ"wr= 'wnX} "A4r&6n `a~lYV,+cTLN\.j+ mmFwo5I  v1m %@ noAtX0\mq0ϳr=?T<{Fc0'謁A[W% |s) *'L˞ who7Q ]'=AE ƽW iB]6Gf\vgM]RavG&\W2KN@5D p6]_/K63iՇ̩ (2imb&fmTo 4ZN C1c$٠@qJPv@! ˅r͒@e)*O 1;7Ӳ*bT$EpѮV~U- $?ѻԷ/~V ޑ,EX6TSbA)A :%~+6v ڏSFq. :;`xE@f#'S˂k`a%ZxӇ8XvZ3UK7rp[J jîoMm P&0 a͑Ws "Oh~ o@t #hBnYD,e :]-cNYGxd<&x1x(TūMp@xR 0qkKHډW'0شm14 1O#0$R&a$u/1hk? #CHRÞI1fJ}®6ڗ0.@h3d9)mq.LK d(KdI7_N!x4YJ^F®Ա]ua25|.GLHNb1 f yj[>}r rO~nn,,`%o|ZagX/|W5zF\ +S 'm0WXוGV MFm+ Ыs_Ԍ\1AwtV妐4JaKCR-5}DQ96qͰ8 ?A^6/k/bS] pvk})R v D(b/b۽})`)vkkP,|5G$/8trSr^>qJmukqaH`L02lJlz}2s8a`eieǷC9H a;0 ,u2Y [ǶA`\cɥi` q/8D{H,LS"NdŹ=#B96 P{0 c~=CQS_Sb VvSyہfӇ񳿚C<?LJ_뫚w/ c-E0 S׿+q7o޽u>͉sQpBLXXK2{Ʋl/V|o?੺oWps,ٴmj3V7_t A✝.0UQ@W]>d$ ۺ4>|UULIOW endstream endobj 919 0 obj << /Length 3083 /Filter /FlateDecode >> stream xZmF_aܗy8m-Т] BdgI־4qb?hDCqϜR,l~n9?.x@͋ Rݐb*Xe&ߝJ}skm_|W,t&2͏/.o:QFg )șPê¢lPfy~7\N8pIDO5LԽ@7>N gp*EYdMYnd}8ETZySly Q4-yV[BR+_TL̡uJuA Q 򲰔NZ򾣜Uc8k =)q}u!A͛ ;Ho8e,"=7rv|%a \OF{7;0~0s/"ͅEPۣ[e/Jhp {{qEi#لI.B,A݇U=`ߵo2uܾ鷖`AD: u1)Y0bPzg x3#샧\3 .]W`Xt1ӱPK@ *!X(WonNˤªw_ؙ:: L6PNC@n5c$^QL 8:|ȷ@]\KLb6@6yUMoyqccv$Y:Zހ~ǀDӠH>e49w,D1 g$g3p̀T2.X±58݄6Vy mԁ) Ue^-Ք J 3Т dC҈AJ 2>b"yat}xۄfVtIaƨ'QE[` ]}⯳ek&k?z(W)=8ֵGv }}ypY"; *'D 8 :B$ itOcDlᗝ -9Pp'^ BTD͆fzeѰ]I>KA` .C/:x(x9uջ#8< (%(NJ˘` v4@)i!iF$lHRn$Ty ʵ}$"~jg.,SLbizz"-Qx %VP4@F̄BɚP”/Y/YGKV>GjVĸfSgT͇''?_>]˼n)@3SlAFRCC #m)s24x$ݙ缇^~lvQ;C?/+t߼xE :[W8ݬ~T_to,nt$ чUF]-X<sB=9>Uך#6ղ]2oZ\N|RАY9fLQ\QOpB9>=uϫ.on{9yF: ԅĕ@OttimFTx#g^,(u|<4/k[ZLZfΥ\㇃X bY20XH4$Q{FEuRBQLr}y Zx@>LU\%§E㾼rlFLQ@hR;`}@*9o2Fj66-Mlv>8xt>S)X' NQãp1.s^2 Eg~%Ba0(QdAIeݹ""sҔ%Hcdi`y`$)K:B.'f-{A GFN#A^y8lɏqС&b|!2e,,6_6A3= Q˶;1^]b:>Iav`W{j\4WF`o1iYC7z=cAd)?uk)Xi{UF>_UbO{ M)1BŔL âC39i%Nӗy'G^'xj1bbM }kY%[ 9E0 Ĭ~CG4]&Q;؍#FJ;,m^p 9pF7$ŢY<_Hzlf ̴m@eלOD~Rp[y2 endstream endobj 925 0 obj << /Length 2713 /Filter /FlateDecode >> stream xڵZrܸ}WR@Wx%kba+^;CIS;QHont7l+r @A_NR "4Enz"]o}ƛ'-ar0~veå7w꺸itq>>]c7eYպ<]\6.#D{EE'aa8 S&B!^z2ĉ&ΜK ;fgF=h;X`\p~)o{6ҁf3? @}v%2u\ W+UA&?ӥKTDmqV5CN0A.Hgi'њ '<#(>]Ŗ}5V)ac=)`gڶb Dg9_$#qY4uh]:#[简/x;<GKOecE< >}'3r0S䣋~EPv:B1d F Y~*3S Pqز7rVsQuHo$jF ػ5=ֱ0:JoaB5 E/B Ua".!fw3͎rх˸Le2{L܈talruLX-LO V '8Ii!g X*$[|,wPAQ3- vW|YBqUU|t hP$ԕMA\}] Wz`UnZ{e\y&44!:DK0eb8 Ae+qUF6NSNp9qrH!Z\C](A_DՆ"IwE rO;Ias s6ݱCw{ /4fm-N35i׃p lDEsӚd)@r(7(+^:Z(L://+!{V e.e-V$g0TM@v;jP5>O8Vk4E?~F 0/v?G$~7=.^ɨ (>Nh~ D8az-+:Vz8S(D,(9GJX,;d. <IQPjtwX͓ԲC?S3~ 5zgG>h98>4b:`5O;"J! GURMfvwK@ ;pn-(7/9GTRy#rMǦ8__h^ ,ӻa!ȲYZM9&66ZLqm|Iܺ{u]6_%BC]ojg¹XHP#* ;3e^<_o<2zYA,bOMg:qu~>_9 OGغTu ;bl(Svt}yWF~fOf!l;*83=fw' x S~Vr%:Ow)^exsBEtJCWj|/u}7Cj}D^tOKKvVLHKًQUf&t 颾rWx1Q/3.dosZI_}#>U*zaޅ'SQэ۳[:d+zDxH&Q4NXsoҝv'$JM|̜OR'y:׌AX ʬ' _@v'~u;Ru3u=E_Bf_8SSh]P;˕UI۝qvT hȶ?fq66l]yO;d<RF;𓃔H~BQ 7Fv`?ZS> stream x[Y8~ϯ0ɽ}؝$4nm,{,9"j٭N dꠚ-( #q.?=/~ \F?*`8v_n~ztB,?oVR&?:YqǍZ*son[RƀЇ8uvǨkP։(w LzB#LJWEU&}0Xk-,=NQ5l 6[hܟ컍1窩C"[*+;bMoY nw,+Mx$J%=kJA/-[D%`9zA#_':',)O d}?"E@e4C*""]jm7_SԨOSF)M/etDDߐ5PְvWI!2+$?Cz8fs:m7psA~=&_p_/ɗ5ih'ĠnT N<+VSfu|bjAvu!u-(:do1@"`MdgJ9oxq`E+BЙF0Mo;]~dkT=)B4Fp@idAn|M'@-Ɔ,vASyсw^^"6^76h0y~ L5@h'A d$V,f(m3fx*N*\caT|3 sMrL=҄u`GjX1E֘ך$@+PeљI>)ϧrQCc y =<\'Q+$x9QZpIS톛,D|IrԮ &z#Lp\-l8:H Ǐ.nM+8gb/q_ xy s j$T*\ Rl6oC"r`KRp)W, tNqCNr춧G2 ڎCnA0%S39 ,PGrkz HچGr-h -E.D2s9'[F^tL!RX CQq-T: !#q|^ w`C60 -vB,z,%3Ѕ%R@Qۮ_w9]B% VB&U;&Xj >JR(*$Ni2}\kϛƛ,u^JcZѮ M~0)MoY|V^~D!%M2e"ςzH3`W%#yp`A]ơiȱd{ 5PB%W*+IxrEW(VQj gڡbCm:~Gšo+d M(Njtʫ`8>?bs4i Im浭ON}8;*6HGſleD_I75"6n@"4~ewҧAչ_)Ĕu$wA _^ΐis $\]J&ʸ0@@L(-M پt')PSk4XO/PI $3㾺epP!T6%<{50UH+Jm%]hTO[>Ktɱ%*,qkE$HzٯUz/] ;qZgg1f,Ah%^ 1^)ծpqg[3?ck@ގkavO ~ 8SY?Qk0&|=4‚K =~ Ѩ '-zdЭ?z[]cV٧܂򶫊]e 7m۝tS&°1$HW2>t'V+1F=8UPdUn$mU =H8Ce [(wP!gXGwՓڜM$گ$Vs YEt%˟[Z]K4;d endstream endobj 931 0 obj << /Length 2580 /Filter /FlateDecode >> stream x[Y6~Уfk 0o7uRMqh3D5Yו*H}F a$#ɤgԿ^O=cq g?^>JM%Kr>y5}qVb&.fRU-Ey17j_tٰR?P&7P૙h+ 2 +uQ-6 6}$B=adJqp&_IÚź?5-՛yYl?VoVn_a]Lf2^/*d].pLzt-5kYXt!ZzuYU˲6_bDs$2,5 %?u5DYggN+M(v#1x+gdvƙ 0&gMN8 7#fL=c@Di<`Y2",k6 ӂW62ԲDQ\_W7$fPNU[&lŸ5"j{6&fM7MbayO}'E8_>pGI~>I3|$Iez@14XCo 0;NNgq{+RK$e1Vc}s1mDEMT~э„fZ[!{0}GT y {lW;.YȻ r1zFCu,e_Ua_H.૪ _;^ څ6&C6㊨!LH Jhk|JIj0HbUlV+Enz4L堌\6 pL|DTլ7WC%EN3ӗW !4 /{aBidὗB1'WʅyxLC0llo($ ʿmRj ?,Zj]1 ȫ:Ҋ,̻1U { #Uge)abWF$"p`BƨvCiA6>X8 *Tx4d!_u$ׄfl32Bxᐡ^E9j/Ή4A[}Rʊz4Yn7n/2 68|xapن/?FԘF06BxZyG i\*NVp ÉsGxN$/}X[X&; ϹK nro1MUaE|¦޼r]nH/_c0;Ď>ZPT&wlDdž)T(.Aj m:!PN\iWu(? uï>BK ' @2+<&Mxp]2ml(T%L˘"H3i[f}jhAp>w}ݸ R52ݻsYBԅn(0Fx^S'M!\_9C`%#zH6:P$槶M1n(f9@*w-J[o 3{7VHgH܄{elc,W٢u{ 3^n)2p:?*W؏t¯!' E1z"|=#"G# q=f探VBǫLٻ59I6 -쑃\"4)b u erZ'#T#FPRrz9g9nt9b u}1:M %;Yҧ7G#T#FPRrz9#fMڤMЁ< wY`\1/åE I}6}tRҎKl`${V*EM4pYGÙy%"vQI. `ױ;D͝xZ{xȵ2=hyi endstream endobj 934 0 obj << /Length 2079 /Filter /FlateDecode >> stream x[]o}ϯУS,9>[{], G1뤶eIٖ"1ligsx(R* 3(,]}6NUMiʟ~xgL2S;c~WSDZ|/831ow<4 6+4J;ekPoݽr^,j!nR")N=%4YV?<Ί|sJ0hFVIB;h]^Ŧ\._ ^(V%  GL LOy׌/~ [ EB2%FtBϋoUtZZkJꋾ߄[/eV(}ՁS BfSRW~ɗ!1ZwޤbX졕)W(WheJဣA0]8;笌jΨSI)I LNʌ^L_1?iɋ.]"8iI% gV'S6mMD4mIXiq1Ґ4AH"5D*G⚴iHfm^AڸP+vZ^ jQO=o c*x+@I +H?t$ .Ҋ.mWEZQ(ì:kO:\t{2Pcqb(=7,GtގÉ,'app+a@Sۛqt%{Àv7oqMsCKNܠA"s67a@Ә.07 sFM]ts彶7˸OkwÑ7Wq7cMp:bn(kÀ6T) ،+T飺G64,&N640*Ks 8,bIgvM7]D\T#U endstream endobj 939 0 obj << /Length 2707 /Filter /FlateDecode >> stream xZ[H~WmUjafaF0 2 TT'9u'm{14Zђ]S~f cKO~Q*&пX qXc1aLa(!|s8}#|3a4jxRLb7w4+) ĚG8SP'T@v,bm[L4\ZOY &2e/!Gα NQ/x$NQcSCaw`m2p9`/[E[f'BMՏXrC^Dc9SvIYzu9 XX }cc1[ qCq XjT[:,VL$jL~wS'9ue eYh>g CzY (6^SUs}f:iqYZZ"n=B)q_ߌ=@<1CK[Ԃ1WC?>_hVezȸCͷ6Z}4ϣ'm۶j ܝ <3K$WUcv$QU^6%?ʢ1-kZڎ: iiOmɈY[n4֗^\]T g_ҘI'Z.%pEp_@)fWٍ[x)1Pj[U[<R*u?"9RcM8`U9Rt_ ?3yibqaeW Ԓ> m0GyYڤw"ICk貂C5_uݓm$!/A)sp[wt[LX+d)sh(axӖK/jیL-tt| vu--d+:Q]*vEv۳p ] $XxwzQ^]Ix2Ԇ}7W`TXps ~K!~h 5ÝApǟHU(/Yz!WUPemv`@( NvwqBGq=B@FoB=v6p0Q몤Q(ƶqn-OCq3ィT-$P|RpKq! 7=sYY'A3{J$UY֟=b mIaZj2!uƻ׵ o.xn]Gi]iR5kvZSa,mxK"՜ ;Bw;A؅h F_ؒN5N 4q+4 .Ύϔv_.1ljK}sމ `a&0M&>r'qF 7E̟ǐ( sM.spaޜ,;@2 JlE&eD^Hnevi- oF7m[J8`1M׾iOAȘB鿶gQz*~~L,jqۭ^Ox9=?zwPJ'N } endstream endobj 942 0 obj << /Length 2454 /Filter /FlateDecode >> stream xZYsF~@K-sgv$EvMݵ]*%@_ꄣX%`0軿"ÁI)LȎx0qޛyx78B:88[I-Ur69c<|2lN4<xWg-+Ne2310ǁP aʜd|FTX'_k# .F  sȽ΀9W17EviWOb U X!Q/Û6_)=ݛEg\%urh+f O<+gadWGŌ]ō~k@1 H+뇏`  "1ة"2YտBP/PniI0zMGk`gAh ZKݛW_!8n&6Se5y M]:c )؜/3("v[ߡ0fH6 9<su61z8:Iՙ{C4&pJK@S:L7Mr7~monLF\c&L1 "k*14G `>c!dpLquгuϛdGEťz$/ d78 d#h%EMLg=wbKS$vP"x$h "x1Еa9 ٪YED g4Yz$9[7p3BMk(DrD"P8Bg -(kY]89C)d ZRPy[gtɷ\+,o6K0x*)zC+f M30 M&CQp.0!$|WGKLUQ:I"\U.urQ %6\EeC )"= րrdI5!keZ* k!i= D(Dɰ;vu4 mtKѦǾbF5h6Y/)0+?d옫a(0;Osl+&-/۩ͭ/J}9NH+4vk۬N7j/2_׾-!m'Z'ˤ_CfhN!3Bȣ:Iy/!3W52DE i2^&fP{q -Ї_2^d|)Z(7aRoÓmvIǗ3*ór/?Eoq [JJOj~J62t~$ׇ|ƎS64<ÄyE5žjPSHS =}Ap';I{nlyv?g5&.eGO:l.`~3/(uRWNǵ#~KuvUHGFPVGlښ^$ :=:Idœ5h @pie~1C2!@)-"Y.gW\ 9nv לּvf NFaf}\ ~EѝҬ]&~WI\oK&ඉKm6@+$KwQkW>"]xc&xxRg&*l0Oe.fk^^vpFtNAR &s8\GW@sbJN!Q&TWv͑ܘї|Y W&-6uE2E^xtn> stream x[KPIY rK;R37G̨V#MDz̊9@7al"sΖOrt0 hԌ]~Xq,N}аgJޏYθ=;fq[Em_u.6?*̡~, + Lw6%#DP3C]a4= 7Cf^u+d4];3KbYeXi,f63"-{[z<ĭۇ[t;::ؔp&BρZg`&Ow1NR_Q̲qPa_**JS`%%.)m? ekq+ˆ,4X /P/K=&4M}G%"Q+S"`2Q<ƨL03]Gw|uv4$f+u\b +QfdODCSDca٨\iԏ#JLp1%2t>tYU!q>/»m>\1>CIfiA>f&R&i@2%``fn(1ˈ(._wÍqz:4|W`@4g9LfG}G(K_᮪*<[oê\=^/5.{y#)h::=xۍmvSD[ϟ*c/j}'E 2CA[ʪӟ2XOۣb]ߝbQ+dҤFU4D{אj |*RS2y|*jzx^AwcH 9T"%_W~gy|_\Iy2IEЀ槐T8E^X/,XρK " 1\^=܀h=B]i;pԃʝ8MS@IH湖鸗p~ i;˾0GkvI0Oz ~rMc )WňTp 47Kb d90=Wg*{50}cݡMZ\/zm6ݡ!bSxV|Y4bI=ғ(Mr&!Zg:E.LX)%D&,C#y^?o׻ M5}9H؝")#$e&7Щ/TAT"Xƾi ]o6RBҧw;ŸMMwabM<>R#6rЪ#8)*9*WC\W@TZXe|V6ѯ߳b&.-"OE>77(qTKJN p+# u@澚C,I?z~Ƴ8ځH 9xy3ب8Yr5T6;\$E'wEr~sO/@׾FݶN/gJheZ @}S\Lb@VWb(0r)$mX"ccדoh)jgIs@tA<} ufCRHdO3b:E,Ir 6 T)]ٗWR4C8ы+խ]i`v0$'I"E {19D2gT&^@*j5" T3K2*ȴ)++BXUK8VNت x96~4Ǧ fLruQ[Lg]̜ c:(ybm9Pc]{e>7;H Es>y]G8OMTڴfqd VQ%׭(<hd;P;p|=\(E}/XjNfauAXS}/b$!M%qO40=߈d@#a xc3*Fm;xHPVǬ!EhEӪ$H3?Ό?{.Cl9d~輈i0~J9)B ~P)Rv­`n@%$}@~K"ֲ)q\n9yݑ"ok&[úxSְ:n\wD,$q2Nw^Ъi4VG%̱QJ)[kݡ1JXw0c|p$Ux&&E'*HaZA1?wׯ?o[.Ksi3R UpZAȆ ]-jU/~'À<=~)Zf{z5>\sCZ}p%Ĕb\? endstream endobj 950 0 obj << /Length 3355 /Filter /FlateDecode >> stream x[[۶~#l7$4m77J]"Rؿ@RZiEs?8Or"X)Yd&o0ox7ig7;'B0q)vNBNHYJ)hiY |BW͐<`ωa͹1Du`񕈆ڋG$T J%%fT5X8Cm+*v?t2oäC0$ s?m5ZLLJOڔB-^sTt~M+fY.VXaƤT@f+e]nIfj D%u@iMuoF.e"pB[ & orfrU0'pwÎY0p&+!YA=J7SO!* dd˾-VͫQ*;S(Mn<Bjv(+<?E !5u.RS'ь;uRk!ce@]\f"%jDSnݕ 29֠|4Z\{WD^ Zk*b7 .maQTfΈ&T{%F~wƯO/3B1=ǜγ/P_tC"#SvE\ < `캺_(K9bGc ^',/ki^\ZQµlt1 ppI+zFJQQE}.!@ nq] s]L _K{kUQZܢ/D`Hq0{ak[B[ŬŬ 5E(0RS\L9 ]¢%XɡB:`""ӁQ@n9V T3+'K-PUiڣHA[k[N-8X4[ͫbuM =RY^լ\v2l~YQd`Ŭ 48+E8N{_#sBtpX"_EYܶL{B ak  u*\PcoIKCDŽ#%. c'Q{]`:fT&v0goY_Π=. PN[%:}#LX.idAmW-rLz]ב{BXRw>WױuX1g:Fyn<Fi h;ZԃɋDu|Ch۪@L3f͏o~CjwvˍD.wM;Oc}vI$Qi [-SV5DHz?y 4) Ѐ(zEî&hIf׷gQ nT%XLˀZ&I_f8Y"3)Ȼgn33Խ~U!H='9tc X-|S56 / ~jݢj.'eh T(3xu< s!/U ?-U\ҨօkxHd?5nQHt;] tmF!aJ%tf l7_nPF*BR].q~Yps:i~~ᬪr/qP)_} @'!43:!nւ"?c~qUsP1LbiFH؎fh-K3ЍiK43ftO9L阮LV'o> AuD# KmWv@QDVs<Ie[ѵR&u]I9PI&"Ctq4=4J68;FO$*BK9/bGԄCrMޟQ(Y(Nw o? uGR[,c"1P>SQN?< 3B78R{l|&B;46pXFw3zaa};HD/?9*% ĭA ^iRR^46t9q鹆!"ݞ,eڃc fG",rtѝnc()K/1R;.%urP&q0Tzk͙w45(LYtrzBKpe9AWϩ䂂[:g._Ks{fI)0(x@h'>SmJlY Xh*mU=QO˚vKhGA~JhݾN!7ExB>uKl,7o6?\X>cVsh=D;^$6 ::+Iq]7 7oklJ>=={QU OOPdSEkֻ{ѴܴFVx6 7e]WqљI ^ +\P!LUZd ~C$B[dk_L)mې0ۯV_#6h6+$ctKkmo2#ԟ T+Ei4NKG-NuZ b<',Fh-j1XBZlʱK(Zl Z,Zx8u-h% eQR\:FD6˭CN)&00<Þ_-*ȗ!~޳D}MǨ4vׄA`,kʟ1/{ VV{O)Dw:]}awxu v?nMLI2uYlk"KeMplB endstream endobj 953 0 obj << /Length 3424 /Filter /FlateDecode >> stream x[s۸_KN`\~L/&CKűLH*_],H2%13D Xv3bSwxhnf^8n网|o Ru*6yu1WJ%/sM}~Wy/2$V_|ݫwRF3i‘ *ٕؔ")L#ùKN| X$,-+tʼ?q*iͤM[4$ 'V8t\1J%|fafaL1㑃ëG W\2)ijh~%sOeRd;–˴[l:p[N\rǴP h_^Rfщgq/bJ0웏֎,z&&ZX=e:p-iV֎)#+^ϴ5[{oCrԌ1Y損]Q2$h NCfF%vY76F?'x3@NQ=RlZg 7ʰw`zE3̵a%A0i4Y~]^M.VzMW`uVǦE֎Tg `H]ΤyKs5!(Fʢ5GFw$uSl9uaOrzZGÍCo&;0)''v%]1-4T1 Mq..sS:I~tw<49=uP行؃}05p82a(+ L=zf<#a‚0AXK:z3)e<W0`B~1spM! E+itBa,{0<0ZT q޼@ AaW_j(7Mp- <Ё7"R@wuQx#&M.[?`μNviT)b)b)h X,eNb)%F?!u)t\ iq6;p{,KPp#h N_M 8pHaPճY Sqe^M=M"ZN͙pj;8_q<5-by)8j^"13m^〙Gѐ.XiG0` Y]l3K\9@S ܖ}I? LB,Y04uv$ \w"\5}T!my'VNq9x2} O3SU>#M& QDm. e~Wz9:Ο\DvL)@SVSKC<ւ|:۬s$xOsˀvnD{su|,7x1¡ ؂JEd, $Zw;7m#(:MmpPmAd}sѣ|-[I) *?T`U8zC+!9g\s0K7jՅLDN# ԞԧXuu,}zsS0Ժ>C{K]ki6Jk]unpݷCq sGϟ;;'LʔB gS.eyze_e0tJL˜l9d\dwLʘIQgS'}g1gʚiw,g+u9z‚y$fI9D0863rjìR林q)*vM KD$\sK(.jsG CF0"ݰr9~<HA۬ɫDr]gE9842+y:RQ}[H-!\ִE\8[6Pbʫ=Y(p_ah4Qy>Qo`chQE1D0+`m d "j3t}//lMP8> IQLg(Gb4)́xҽP1E"1| PQ6nO?"ݓrK$@4Z8>\kh!$+hx ^{/wQ<KE'O/%* Xj\@WNDNu!ǩ e)o̼͌\ & }gw Pc%ZIȃH:8B~bTW&ͮF12]J7.iUl/VqB&/]׀&DC[30 u衲x@ÃhU_Vk+h+ދ^w" JGT[LyenQf@e65v!hő4I ,#}<+{Y= @. O@7&c T9Op]oS&שxoz $FXi<.`|R례בMz=TY͋OA-En;li2R!ki _)!pI *ovUIς~rUW҅46Njc .kd/SuzpQ7lE*n/W *˫M#0d+VyR4*@2zybQ&y_hEh7|{R+-lZ07t:%>yqG! TpRplɂƠ0sRE a..K˨y,ܲTx<>аSpx?庵s%d*A}~./x ^^?n3*NvVS ǐZU;xnqxXH.d pU]Qp.%N7~nH(Q%XNE[ha7u^j,79/]g!t2֟vϷP&Rm'-Vo}D`*zE81^.,VFbM{Bv([8 '{V!#jya{{7 w0߃;ZѠL   endstream endobj 956 0 obj << /Length 2413 /Filter /FlateDecode >> stream xYmsܶ_qJuLx#N3"JkL[ǣyy!yɏ.'*R5 ?"OFJlQ^-hbv~}~K:.6mc)edp+wҶ.a,ratWi!&L1.=+p̳h*PdQo?G8-:mz[vI۪]#xkhq\YO.ڪIo;SG׶‹ˢ 4qM/ZK]j< l1i4Lk+UW(xpW<Lf r5W'|1> M(RR)ţo.Yصɥ#mv *< 'N_{k*`/PQWŪRUS웖mix@/=IM$)Kܫ{lQww+[۶胂j:ҎMKvɣ.mmwx X<]Xu HT <6飡^2]-՚Ų_;e&:h!%|*dA]ڢߺ '.RkVWI'{ KօN=: uU7nLOQOBX4'l{};r[HGŊ {qXTuHw0wos+߽ MBj /+y+(I /( ZL_"gg7AyL1 xJY2K0SB1 $3kי`ZiGRIC$C` zƇ]}{̹@ K/O ,nJl45l}s|8g Cq& .q*kyy*mpyr%G OL [pku ox vyl d`QU G|dN'3 C{{ v1yVt8}TX;BDtSZpǕmMN<*_C g*7*gmq*#ibO ~BLB̘e~EÎ)hp/fqŹg#\-t Ԅ.uvISD.\ڍP!*>޴(8/ȏ؟9B b` J"3]l?I>A;2u;@ D^R, #|1(? & X}hQ},S{ѵm1*|>v-\PQ#^+r$?7aBU\ƭ~yczl@klh>C(ڨuI$c) [Q/jQյ-`X6mk}󠩗Nfܮknv <m@%L]5hpL-.hB`l2>y2dA9H9/JY@/2)n&IyVVf b yUdynM9b39s1DeL$afb '{lș6$˂$SĚ.;1ϑRO*TqX$gY9_hA V糭z>à?s=@ųJ~=ǭג4& =[^̡ice Ĥ4e0*Web7t['ڟv#1dfg;?vƖ;Sw^t7!#0v9\mSH ~T6L_Z ;͂  endstream endobj 959 0 obj << /Length 2533 /Filter /FlateDecode >> stream xZr6}WmVMj\we6lɸ0MueX/KӶ\0"eN *ӶJI* (b A q6aJ4#0'>^8DǟHebt~K\R"9&xqh5.hMQFU=}_1HDϪ|=5| MTq@PcFPN3QI2:h!®nٰ֫K9 7j L+$0 a 1I4 5x0CIA3(?NSk /  M *ĊY}c y`Zɦ4<2L_K,%`D0 rꡂs` Nt+佒0$m)&6Ґ=\ս w!"\bxD+DD(aAL$֚zWDP0ޣ0h&Fst&XDD"i8PE1q%"D<$<)2Qh,DPE,jLaLvzV(KJy~cݜl|]amD$lhtiQ0a0N0I3hV(1Ԍ;*UpԧVu9 11X'Sg #阪񦰛ɔqs:|9r¼ʳE%s=j]ko_,bg8zսXoA`0$ jA(]{&[d(5:>9 X6%#Tvn8+jaD?l0s#s-(Q{.Br}=7Ƽb[{qmZu~˳7/.jH,0씚+]f~qXq_矼yWpsn;Nyp ewP {@H;D1{.cb4;Vzw;2MH*usN<=,bwOn$IUR"3b_2 (.!L$D:j1k&{ &MD:hDbH1H 85.y""R!" }T"NMDhAD"ibǩRpR@GdMϘ!fz 1`'AMʓZk-ݮѨnL.w兝ev&S U2’:Edz lNރ-^HL:LNJdj]b~n>d ՜u}3) x|1Bp?YVXẌy~ Uj[A 1ҝ3PZCcjio>PmiBGC+>n}R]D=Um-^ŚXª g$)gX`{`% py-g74eNn!%% U#:}CzNrVً%G'ԹT7sktکH5iHTO.ix Qzw w#> ̗"+MSzD?5XaV^X׵(e?wܕ? l%0n`~֝l6> <|^n˺מ&"d2fW0N~4 Ffr?=S (9Ccclt4Ac87۫d3G?ܽo[G6[_BZ4=[4oJ^$ eWϛP819q+ V-@u~ p +?V G^Ves 3f+gs]SΕ& ~FZq  ˢTab"LAe5f[`*~23eDpלhiVRNR/:Вa Uf<s%/R_I0N-I]]f-mma9f$0 +)ߟ.H||W!}vb\V6wgVsƒ;X ;.ve WN\[ "51ISę7Nuh 1Nꞛʐ%m/c+>,ʁ@1s\ДDb jip V/M9`Xˍ3xz5d7e \q;X^xC n sRo 5w endstream endobj 962 0 obj << /Length 2955 /Filter /FlateDecode >> stream xZ[o~ϯУ\X,af/vc@`(&ےT;3ëiKuP~p8sssFlMp LՋ7 ͰpYI 8rr>y;}yl8 !_fRo"+ux#5ٻ˟_lH)VaJFxM13#uZ#0Jqp&2t|3T2xu Dy[]L3ęaeCzRq t.+*v:eVF"AhPĜ]8ϓ0PLMnDʐ<ɛ!"PۛڈBF=Y`FOtLBD朖L`hÌL`s(3M%nMOM`:M[3ݻg 7j@̿K:qZgG7UIb-\/uus AtIm+T*;`RŁP@7\FăZ sƍ`K12k0P%_xpa'1k'Ur:d,/Ј͑9N=vA4RixxqṒ12럫Np@bS-%8CpuJ}egNBANg^+=1c J~fvWe%89aӛ̍kaufجNXrF'Ifz>;A05I2༒94SJUK]&z3ҺU"Ph#(ǝ$PM[oѰ| a1O݂6/"j%]fW@^5"85uhe;  d,r78.xT`9ϔ&E_f.{H?wtdVhOо,ƽqo.we; !7z/^zsy?FqY41@!_Wa/"=fjcZY4{I=hO)PqcȓT ~U)`DpHѠa#8)K(N!X]4 {EavjԿ:}p iqyR?E@{ j*1k8]Jf&U1 оxPۣmѼ5FC~2U<zE&tL\dɃA}52Xq'RI^e0{)݂4[жVA4؂S(8":;7B;= _A^VyuFuHz+s^g3*sIdjμtrFEV  4 ܖOk7Ԕxgf=<2Vqhr@rw+n2;+ RբvqK[Ɋnp{2Wl757_;H|ԑ^eN8l] Wn<%W r ̶\'~ѭŇ?giU^_n,f?E6?:"Br݆e}]giZ4\VxENoLYIfzIwlJ[ 8%ITܘXLu.# Q~9w8@2=-f*xr S+! Az2f}v η[W~C < 8)޻&CR|][Mz~Bcq1%l|7Y˨y$ꎅ؊[=7@.*z-^tpɄTQ0("%RGcF#MqWΓizי ܷcX.YrM*^\&U衺ٔ~QIwesŇfz2jh$Sc#M|p.R$Ťn2_׫]K.t4᫅#GH22hF~y7,:o$p kOk(;&9uX[4Pp&r=fV ^B|z[4m-X_5)^-ci;kXیAë7k@ ̤Es~εIf,KAIri8(,#BQ@DeBޘ& i={Q)/۲p6 G9FN(BM1wMDM]/[ rJr2('?M,]1v./̄9~43K4!Bը8/B<- =dљ3**Oŝ z6@K7f7u2{q:3YlQB%aȵ<٧4VuOhp.NGOcn?Jqb1ZuYI** z-@YrU nZ0izs DbO֏n o9 >b:dK=NͶ4lp7Q\`:ΉqEIKd%搟q#vΎrDG!u `uS$8dhz]zæ=sM@ "f9+e>mŕy nO!@ld$A__<ԔbM䈏.O|[ Z:BmG^ʒ1x,u i Tx{X$ثXTO˓^=gA UcL?Ϳ,8$']&H~>\M~ ,qvz Gbn3_1|q9 iӌ kӄ;.? Mk(zG7o)"E endstream endobj 966 0 obj << /Length 2864 /Filter /FlateDecode >> stream xZY6~#ⱻUI$:OS_n4@=v>us"",W٢>l{=~ 6F;xZ/x8狋Qŋ|cvm+)emRJGmm]J"Q-_^觋<0RXMI{2Ѿ.Rc4(/ġ׏IbD6}-?3%Er<`8 ly92<{ue~3k:L}Y/E3\T%y8Hp$fF@;c ^$g223厅'v2snUꝛӶOʹ^9%h,O%LʻϬMoh< G(P%ީ83͒ $H,}[ۅ N8>\8HZ-\sYo*$=U0I+2W w,t3Dz dg8*{eg6i$;QZo$;@!;O*|7;}̑4Β y*'f31;@!;Oeg,NS;!7Eض{zlA# k NIA%H*Q8h*1YO*@u a3IKS4+UEߴ|8sqd1pa[cpNIG[XGO.]bExhĽĜhD :Iz*2+0S̙7 E컲h~8pҮHW4e%'^ S%wCum[:ɰ]Y? yG[mȘ8iL XS@n"[p,MuT۾,@b#Džby ~.&\Xh.79jvO~?'~lm|To;M9ݎV[)ۘnCKxk%9?,3c#&.CqYL?Hjk{6 #`v>-D,bS8e\OP$9X\Q2(_jY 3#,Gq 8DZjQ to %NŠ9Ӊ7a hisL7T J͙00m̚v/T1ծ>p9Ψfa406.6 FC*00`Og?*C2^;>n{{㣗i[|C&N<(T"ƽ̵|PcPDB!%kb[߮mfs7 ȃͶ!%nQ,m:š0!AAkjsrw<Φ-\*9v2%` 0!; 妐XXsNziZ !n_qJ+=dYPy={tdUD+b_P("_r=yg S4S A=lL)l ÷;sk'V'|'p7LOa#uW̛COS.5zS7C|WٵsGrwXq "FzA `kHx ¹S'B(+VXU9$4uH(u)<8VѴ3$N (G @e;xO`t9.He \+ܚt2[.`ֽ|-rɳƩ Uev>~\h^ER)̉lQ4=7[mY,MhrԂ^~KO> {_Rl+)@! /SY endstream endobj 969 0 obj << /Length 3705 /Filter /FlateDecode >> stream xڽko6{~u}ȲSdq(.!]omȻWJڤ)oCeE,E8Λ.ȥdNًYgۛ 3@~i}32/\Ozer-\_\ҫuٖ\ 'r27?<̀J q&M8Q*ƥ"ܔջKaWe _}\Q4c_v@G3 kƹ)M-*}UQSqyeH`tTqFauGعʎ_N}1Gm>b,O~Ptu",T@Ku8jxz= OCla.v2; g vp}1l0}M+1˿I Ck{B< dۈ2xUGQ z%W!*TnfR !wM>TzWMmL6~!2Mu> Ivqg$*+@,Yy}APH&Ö r |Gsfr}5_IU}QcXm)ZnNGpԴ۪.?iپ=IRWn8M:tC\Ç; 0qbU?؇qK2=m :چ:c>L%Sv]0!-M[:|38OJaTq;`2sJ7KÀc=_ (p>5 5S\[&ܐ(LY.$tz_au{g={g՘">1'U5Aѵw0s-Qѝ9gvX +aNά8hHRA_z/rf3hsy"wךIHCI;fglʱXA!(mzB.)>diod,zIB [ jGZv+ug}Y\9!+1iP1T-O-ӞR\k'(6`r!mΧ+CT7 ӛqj~t]_vvCPUS!/~WI%_Wu9M2)[1(UȵLnpFԢ^ =TcEߢi >Erh/\R!UPB؈ݙs2"q;g1װpLdrCW<'"C8]$Q,0ۭo|b"Bt T=8@O=`״{AI+YG496P-L 3qY2ۢE݇rJPfl9f *_hF#${l*a)wV{ɇ>-26 g[b6櫴^@# ֞wbv_[2;O1 |Xizү^k > >Q5Gň%bP9C Dvx|-69e,vI[A}XRz2;qK);s0,+8{A*HKY?< Fsj˒|[IGOP$ۀ74X q-Iw%iLG%"gS=}rbĽ<7:& pW{} 7%h>_H1Dc*=|1H"mJ J4NuL_‡j껪)#LD_ @| DzLZ6$_6gNkA $sB+mwL,=`[㇘^>x\54o('𘦏_bUc=|Oc;H?~yC֜`FOs1)8$ v=yp}ҕkPCǬxo^p1 =\@_wFQ;&4rJn.2bX𒃝 4X( DxSXfI|%iAr}ē%bP/:AP;eP}S"~i"}_W}UaG1Jژ9X7-B+ކ؀"&SHy{}ȱݹ[&.)\kb޺x'YGB2z0KWy'IC ;AI4, tzҜ|d sJZIQJ2930p45*Arg|n'qeL\X,HY)3;uvYġw1Y>ֿdVqOlϲm-694X⨯eG/?.Чå .^G8lP̼}#xs 2 |DwJ0"aSԕs̪X[oCU_M] E8::g &h|kLs/i…#M7R  gf>bWQQz(U$w:=pz^OыSICU<5>#!d7]mK(•&qmt␧E8\S*Ei̤ SZ!M> stream xZmo_tQmӝh -"Tk["2P.\UwSEW[]5dI[vZ%ݪDQCp(2.z@YOVKf91r Ꝼ){7FZWnKR^r|[ޢh9Up9I)6.D[*S-RErh{m񤟬{x9'Fٜ*srtLSh!adoϢfDIb5~%7jZESvW]rЯo]yhݓn(ԈiFRC}?C dR2`3:yoVcm%)8*=Q&XOoVL1Υ" ɷ˃F ^DK^5ՄW{Bti@Smب{.DU(X m紴~iʻ2e[JŶwWS0rtQ(N]+:eN$Μ 8zDoXo p*j>fl,\WIM/Q=bL6yqeswՊ+%T"BOŤIWfC:`c#h& V.א"q i>yBF'3 `'9RXi  `ʭ|5nwDfnX {XXS<+x.Ej&F M?MTy >wZVץ B"5Q 'yIBY* >D  G$6)}!iLAHp9ͿRXl"ţmhإǸ(O@Ce4p݁ҎAwto$?ftT]Wnc h"gpѥ2l M)ч":_yҘŘN2 f3+߻.Ma|LgKx,[Kq" ʾ?_YA.^L.W)AuնԨb ڈ'6.AGT:"DpŴ: ZNݕ(5w|`" "&(u`b\|CAI*"\mEB/Ht~e2;)BmÓ;B E0VC!- |2H@@!LbXbՆmD9s8l%Q0|= yoPtA`7 ?QjíaG>;reT!x_&/uË=mx$ } 68]!VPĶ"(a?L x7Ik۩ZKAG< =6V/޿Gtap;uRa>Zm}8Vryޮ{`O&pɎ08>Sth>  p‘sۣ) OxwNjwהG$x̓I;دuXR3!ӗ3`iZH# endstream endobj 975 0 obj << /Length 2003 /Filter /FlateDecode >> stream xZ[SF}Wt/}K̤ `ڢ]ɲd$#5 /X}=}Gb KMI&{4ܝ_$7{\7amo{V*a8Xr|^u| ^^y6 !j1;tF tnR8i_y(&UQJ„,2DF M~鈿·_s;x9x+iLgA :rFœ'/gSh}ɽr7S)@' ^P(MK\N||MΠti5 !Ҕ?yof:ǰ :TOZ.svWдIDI2JI.ź*e*'DKHGhٓO49?%(۰tW^eC"Ү,'88TdM|*C~*jpMPxސ,Qg`[D("}rD0hC1I yJ6,؇(ӫlz_91Z ͦrK݌=f[G:c*b\w;q )f`i$[!簖f*|^!Œ2+1jb܎~4P/B =t8E4ZQ FuەS%rP,Kt=j"VPMviB.˭p(݁^B:aC&&H5"6Mڶi8+nBLJ,T([رMJ`Yqk~"l8_dA;"6(N,UĆ,n`CB ƐJ6!TB:LoD,M:1Y _y:RmI0Eė3QpQ .ѯL/ T4[%g<& kz qZGD1No$qI}+lŏ$ltRL\W\MegZr6Ы7GǧGهعzE̾e7J%ϦWG *p [x "VO !J]E\Xh֤"%?B<~ endstream endobj 979 0 obj << /Length 2624 /Filter /FlateDecode >> stream xZKsW0e" UM,ǥHXD hY(WJt 8t"1QFF8Uv4]>anw@7C'z8e)]~첺G٪DJ?'J]1r'"FGF?\e+J qNDyO)+F\ Zb.W:&tWiLO~l,l|r"l,Y2k^ɿ4dM6dyj-D$溕IǰKGe6Z3Ⱦ6_[XnF /hSN\3\Bys)̡6vL &QPr6 =_863JmqF3ib.Gp%',WB8zj)yk'x sf1t$Ro;_cE%z٭( 89J*V7Ɍ(ўs˛f>dS"b=Uy)|"6"a(H/[Wq۔=!80>nM&&8{7eZ4{dڇpmQ@'@L28d97HlV=8\+0T""#Q% pRvZ3a< "y=91 i$iϘa BA iA2ʢ:8Vz)uWdw|h|p\a)O* xlX=Xα3+D-}PȰ7 *b$5̈ "C$r8n>RG  )Y 3@PЕlk7n*uqrg ȏp3S& BGnF!Ж. $ N)b3<,byo@ S!n=5.gjT(ܰs4 fY FdbS3uKl={e1Mp.D]{uXZz_$N6}.q-3_Rg,ۦo^=?]/ZE]n ȏZC=c=^!t|>VɷMPaNT3? Ϡ j]0KTvOXfu _}0aճ1"QEx"|Y~'_\@?}$Љ A8>d\;j=n0pZPG-w/xJq;1WG^ i]E>--"ָhaOsxLDx#[i} !m7v mg$~ WXGً5׋`iiX'Hݢڬ[vIcNjW_oC5/|.EOnGۜ_7zȩ/]&%HBg:koF<P[fʜbtvzρ{@UuެS2Ys(P-)j7ntsR!ݐ. +X,B+iv azMzӴ2ٯUxSSʐcG6F1}E:}k᜾d^}U;hJ/]j'_2/v_UF8ECh\ y]MV ̐X FG?M@bj/CmGB 1XM۶PJ ]L~Zfԋ.w?n endstream endobj 982 0 obj << /Length 2162 /Filter /FlateDecode >> stream xY[oF~er.- ^HIڦAKcD䨉{.3)ѩh r|$&Ra|sl/τ7/>{ym_b&X[kL)δ̭iL57әeSKHpd:JQ5L?mLKsOy~.]s Vr*jsq`WǕCzk˺*t/z_gB"fjޘ2 ,7vC* *cqj;{kx3&%jJ'w d`~m]d}{}G9lXgAe n  ͼ %,h/ ~7,?sSQ)ּ`maV@ru$A?4bԳmXf"9.=nZ;C;)Ae[mr83C2 x\@5x2.2cB; |;` h  /zg;7n1H(-[e$˿)3y*A{G0γ8 CР 6ĤC1"r^3#BjyU!hXdMc- EI)pF&+\lոҎFgc04? `Kʫ|הt~ DQ}m\ $x c ,` nN,+Hc)\:<2tqA[lh$nmyhwbx!-"jYo>I$qbSURp:1DRk^-u>yyd$ed+DM\uǎSsU7e^WmZh y]G5mXh$:z2MBjOa:[ad UvmٺIdR\fCpEA:M$c7:*>Jv ʭZ\OWa-19[nxnGBb< ,\iˆE9i9CD\ύ(E 4a[Rsu7fplHBڟclfmv/8=:4P@7o]ڢ8vSNK) F*wf+ ps a]Hie2 RE$/JԚehM5FKSm z z"͠VIbp{-,5ᰶuù^[J(Uy(O+Q !gSdup }~'2W1D(Rڸz+ÄGqjC|֎q_f:$%jj Sّ*23cB30=⮕(L:^zsQ E}7?%8l9FL4F}?~ '՝~y׹ ]C%@p \u7y?wkj+_'F0noT&sח?^~5#Sp9?5*"0Wׯyuq>E?^MYT x+itU}3;}pH9y?JGŗ>!^u GXZw^;dNǀC';NɈPO_EHNO7x.ƽVaqw(7 5!t{]YŠi3|4͙Ө{o-NCנCajI~1 s8'* yMsC$^3}=y}@CY lȀ9 hzU}1+ rϻ޺s͎(KN❆78ُ!u}akpKpe( m%'7oĩEAF$'Z 1v<=Ї. endstream endobj 988 0 obj << /Length 2765 /Filter /FlateDecode >> stream x[o8_Gpfo`{wmrOݢPl%jˮ%'7CRnS䈜Ώ GlDᏍ!v4]vs7 w~"'-ׯ.(5b8l>*ی'B2HwmɊi6pǍJկPg_aJh5#m%aB޿[li1K> 1FR_ߤU>À*.)cU?e]Mۃ2e+w!\{I5QYm*(+Q+s#(? Q=xHeQ32XW5K`Q.~k…9F%蟡(p2ŘۤOrN!Ѣ+]C&jM ХoWZCSݑfEtp"Yg%@pF[,c^U.bs5ϚNqk?dox!)\ ȾT`zʐP.a|Xy$UP.3h麲mV y5ȊP VnWqHjM̀eT_Jf`.k=X6+"` ޏk Ӫ962\3sZDx* ha()T}2X摽hW=RjewbIBldcKsDҗ ) þXVGI9h"`+kY_(-O(-J9_ (`p|D0?"nT(ҜPl(D9}zD9}QrDA_3"jajD91!aPfS#J^vw Qۼ9#0:sxւžS@SD94lW!+7E|L \wc _ex@GK[;zn~o$r[fPuIMZB K2d:y[6,kF,v1 T8vja`3kt=z,ƥ6Y݆_$Y͖ oBOcxde'#ָg9Hi+M`|x& 0JGOD6sh9T"]'Z0 Uܼ:{8Ct y,{tֳ C&@Y=Th=FnazeA$t݀mgΣ/jf ۫q5}l0m&"6]Ҫk6 E]N|CFkè%6ڬmqK1xXC e wW;Fhd&Էpk8?E]4H_&,3P6sݰh> U_=4jN>qR0409AʜLHӀ- &Pb01t4dHh g4hb4Q|Y44 |?4=LFA})~0a80B bA~,-HߗP,2L #kgH@Km}I4yDj6H4F3"J=L7JZ߳պg+dҗjUMW,[]Y xuj9S\38uO[\sbWZsCHSq<| 80/˃ڕ) ̝Dǜ9A"#XYA44 0 X4ra_hH'(:q]<5d+ |ոyж܂ tp C+}㵧wMVjBq 2& u.oC#*~ }>U;X ctپ%L  QUUpt+mwv F>nr7C8Wd @MjF|]'k+vCXqQSEvo"Ƹ9%1=֡ (җx_?3('P@T Eo$#PYVN7yL#B2G0"mĩ+{`ST7S R!2\3bݙXlVH/E>ͫV"@Ny'SeJa94~VL &"rdaѬVI0㳪*8)#77vR-6XA>MFhB"M [O.__ q]ΓeXlVfUzk_dc6~ $I<|ʖegp@YNOy _mСŖn`eKRiyZyZCPY3}{'nO|g#a]g#ao+`OB gJM?N&H$kv&.L)ko<92'8)BkɎSǽ.=k}{uظj)`PfѠ+, k|mj7༪/b)I[_`k.֞#rL~'AHe[`*';u2 Ke%S uLomz[:0Ѓ7eIϒQRI endstream endobj 886 0 obj << /Type /ObjStm /N 100 /First 888 /Length 1663 /Filter /FlateDecode >> stream xZmO9_ᏽc>J-VR *RJ$%n*(c{Wo$kRJY2qY0Cޛ0Lc2lids& zgu"GLθ [``?iy㔰Ϙ!CaS aq0DA0  8 1"ˣ8|0MژoގN_6_;DD,Isxk7 Ͽfx<;=O^MML#̟|zxdZ]NquR2Ô)rl5>>ofgzw6irm} g_ack &͘ T9 ~-s;~ Œv==]g7Rꙿ0eeexXxVxp1. upgbw {x8WǣX{f'uWM77dmn< So+TyjciaӋw+2\5*g[fƺ{̩hdU[ .=eU ? ڰvyHlkƅ`414ވ{F~x֕.+o]QH} w A[T tŪ/>[mQU(ф(nr vsznK[]hLr ݎNG\a⧖Bq'XsR{&bWqd⇌b!!/!-~ad)`Z1T9GZb%kQSlc?Fb(owO^^|.3;y#ôtQ1]":WnWR}*qU-NRz KMKmD_4kWRsk\/ ^ endstream endobj 993 0 obj << /Length 1936 /Filter /FlateDecode >> stream xZmF~Y*Q8Z\>)$E. 3޵8Nqć<3γ%AVO׉xq}3F%MSq*}2.l !R[/J_fW2^;nTjT௳AJq~ϘpbT¯2V&쟬,M!g<.d\W٨¿t5_bԕ3GJClߏ{`IqیM1⸨G*'Yq m&9'z10y|1@lеqhmȤ/L-bʹ&fhLgEiYY,y(%PXg)3Ȅ%VnH[TBO|hb}Vht3mFƽĄ#B2yd>cdZը|rO)VBiXBVC{P\*`.Y|9*?" oD8V\XNT%mPCj>AO_Lƴ2w_.e>B=GlBd@-Pʣkxˬuz#vJ?)f?дVlQ%,!r Sc:>V W ue"Spĵ4fЊhHUau(te0x\Zhw/L; 3N?@`2 e~?Z,Cۚź;bxm6"ߓ|}R~8Ż et8J4T"8"}L=_jJD-2$;"ƴK:h?ᨬ]W tU{nCj &]Kh(y붩ށɥl]S0@4!ʔz5b03*V@Mn7gA|W4gHZt*_ce\_>Wnȏ7HKT:jY:.0e3.n>٦;U5D2+pFcU&!%ߑq`Pi_YQṶ2^ 7L[f>z9bssge3%ZBt X7w(+cxq21.,F lV vN19b[c%R;QwfsJ5qHãqSq!:]h /7w8͑]η!]'bMIO*ƑUNƹEQhKy?Vq`iX 85DpNƹq8B-N-jjr5 yY!Z[h=jRܾ HzD;l&8H#2pۍ[E> stream xڽ]sH_ẗpK^J)e4G$!-RXI $K'VJ)7ao<ngOzS]Q-&eE=I)tN~+.t&2aub'g)-yB[Rf8ŸT؇S']5妚r ̈́si-pL25_6b u2_EEyU4OK˄SFYbBnI[HU"LFf%),`$eCWO2 -22cAn3B3g#ui&n#9)k?q@rRɆ1)30[Օ_vctOKLa&3.pve5.X0`r/ 9Ȭ\`ܮnq lA]AxT{gD -\5kvjuM/qdAA-jcUQPlv~~ 6,)/i˶rQT)T$_Z*3)ԝ* n + `UsVMϡq(%X {C9\y]V-_Tl:%_*E<3'}|CMM qY]ѺV~+l~4|-A@q3P\OjM pAn@.$@p1ITd2c:C+"^(h2Im$MA6<@9& yM/?u :&yiE#/cB ѝڎ~eAAf]dMح6MT`%%x5n_:N&`^pAZ1$Lǝ )HUQð>W~Lt =PfD0ҡ gAN(>{&EDh*(} {!#Zkm^%6,H÷0HV 2_EteDWcO~yjΌ w L"{y jAIjS ,mTd& o9! *>Ds% E CY`T p 倒IV-E" D] CB҂29>Yԛ]Fbr`Q5IEsX"USΫ%O - ̆{/qA_(IE i+ĢVv ]Sks*ͬZ$lC6u'hM̒޺(ăWcD{W&ٯGN`X1 0O!$:32FA/k=vMT<9xP+, Cop@#lt'c24\܋V] ԆBg P(qp˺ b"*4U}$Rn{pj3˰ܶB0!Uzc,4cLyJ<`{lJ4&58DʃϮܳZ`Co(iA^Y3v$>wbLc:Er @'Tb>~%?$6f-: eŗ<ތR*M329qѠl@l#%`5*J3m%@ƀx"D7D)gԨ0rȀ}3(CuDz z֎[.4R[׋eYk<аX--ٱ 6STŢ%A zRAC9CS=ƝRL쇘 g R3 0 F;ضaBmH8vQ;7D'ٝĘæ}Q4cz%y!h =IKOϞkve~lϟm LD%!X@fޑ&Þ\c-*y^mZM< !1h҄R&Ey#=A8r<%:X47{ډtI~DY|pFqc³|WmiJ̠2鍫 0L,| } H6hDޯZbyGe{BOof ,uჍeI#gCǏXpơKhnhӪ3wo;>=9;8_<%5J+ Q /](x{p6˃V#3dMTaI?u#60Iٟ7oߜC7;ܣ, No?'pM p=WEs:& ͋Q>`PF6hH3uA:s ȍt! ЖsaJ dE\&RTM:cN!j@t`DK͐h,9p;\ boyAĥlvߋc6譠3UZ.,vc>Gxpᛃ>;v]7SCVi8<}"w $-XC 1oLQ qȒpF1:Q3A4 R']H9U{s|{םx0G7[Wv-1ieA YV޼:Jhv gGBwqm~LRw'?=š~# Nw1 @T[~TޏBGGIIwяf"'btzݛ^`Yff $n@LRc."5*(.Zwo&ڛ:VH? endstream endobj 1002 0 obj << /Length 3505 /Filter /FlateDecode >> stream xZIW4r'PӬEAYDƀ͙![H|^qmbsJЇ&zK+EX*:Y"7Z,τeo7ϾzeBDabqq_b)6;yyTJ볥&x_e[gKJkk~EKHHhLiv':J3c?:KTpܭb;/^B1^\Ľ; Mpo,.M^~ Q4ȓIdt(j&Uuy\լV+%CS$%ZEaB&!96u4A8r#7A`XC0~TWg^CL,;PLI/xw~*idqN&#%SRut* 7sn)y c3X`ur*ci' %E FfaI+;$t 0{s o/wD)?e+aLP|#%N=" Y{Xmƅ5G>uѣ{Ц_ۏp!|ÛOЍ6qw/x &P9?GB·bKZ8wQhUod%|G:xqӳ8(v2l]W6d2vkJp^U3.[}^^eUUZih)]g5ˆw8I|< _Bn0i[b _.绌g5_fG?'i/w8T`_RӒ_ ڳ h&X1iΤ(|P竚'd7Y*/k68Ɖ`o!mqV]g+b׊HE_A.lS7$5 71E^s)D$SIO~5GyyDmkt pZ5lB'ݷ91o#oC ZT\ͺti`897mq_nrV݆Gi;MLm o=`.~@:сoj֒O2; c]ģV%N`fjUW~f, ZGmUo~$eү'Mu>*T_XRGUصy`!-+z}0]yvo'{NX&嵭[۳QլŮ 04^U&=qXM/1@)Uy˸h^ҽAVKc{Rh_v=T}K_9U~\;9.cJ޿cg^> -E䒦HSMW:fߧ7í @Y͏T \TmެmlY$Aބ/+,ƶTM?Xr@%lTχ>U.R9jC(^y]oT΍Pӵ%;j(ؐz.kP:9x1[겢YO;W?OڔeY&җr['WU㔸#l80PI9Ҹ _[ ytm:yxpa:r/azW*`?B[rӇ"]7T7:!be_fk/I+ӝ@XG{mTEENQ.*T;/34Al%DD#[Ĺ%$Ԫ~Ҹm7ZQ&}S.Zƴ&ށ  -\Y8@ HJy"S=k9OORx@:{'X6ѡ?X{`k$v$RW<0''MZK!?޳7R4vB2ڡh#B }agd^02 *"G vx.mhP\'_#hE2mH:A2,rOSv6zSš0[K6;N!MhiHpD[[5Y%/dHi P! ƫ 8vH< gT9ok)B8O3WcQk@^[e3'てkr+ʬuJj/ +1Lo8UC_3R܁0ǜtd+;Lk`yk“7-PI-A7W.E+WwXaJk  c4Pc3;DOBnO8i[vED&cFEa5'8axNP$df" U)m{&:^.:JD^ĞCB6wtK OwQoko C^6J: C&Ӕ0RR.Ov]I2o" -ʔK-HN-)u &j5LNXx| LSuȡUjB=EJh%N$JB\J ǚ\zBCD^) û L@at  ]cBҽ¤@5&]B'<%T%p}u6|yʾM7-6-X%)Z|hğ9<cg'ԺT>EP ;a"Z;i\WЏ aW8\%FB6;ɾ[S؂ [@I$D}"`e&(Dj]؂ #9j:MT8B>EC'TOFEoAh-͏Af!€C,t=0 Ѕ9€ǡ sPoЅ^3}@#56 #i CJg})'" `̭)7_)P΀'4E |2 3:t2  AGoܦLqPsj~Ryࡈ(wZrtXQYWҟ=o3./n)paNbtQtǮ2iC)TBXsMCp=g;p@CY;D6> p2j>cUm!m;Ɍ>ݕVZ#xQL()HGd.jx?*o{ZUQz#{_im(dF&ZZ;Au]RMTRV>ih~/A;.uwPGЙb }G} x=[ endstream endobj 1005 0 obj << /Length 3142 /Filter /FlateDecode >> stream xڭZ[6~ϯ0)bVSb6lw-Mޒbؚ!{֒N~/1`Jύ|P|'y6R\Eno'a?_8o޽oJhP– l<SκPVpvS}&1=ilkSLр;IIdP '_D'W/`q!-rZ `q N3! CP"Jp݃m#Ca_fumF0C7=F^Ɣ v!p vh4>S/F-<{<>d\6m۲J:`w7nKϮH!?l7>-Mdg Jo4cԕ ڭW]E]5@JR{)?xm{ëȥ ^J^jI$S<(fJ\6Uܜ !=v1zFwpH(_5矉9xvu1:_—$_}Pw}EAOw=(TΔҸX&?k@UH}ъ>}!|<lZNQ_r}wm_%'GUcvo}W`}tηS[# ?H幙mDŢ#CV`JqG_M%q@ ɟ=hMD՞Hm!-4I *8}St?^s'\&',@=ISR=sG~v g*1O-ݦ^ endstream endobj 1009 0 obj << /Length 2641 /Filter /FlateDecode >> stream xZKsFWV88ldm $A%d*Ds]:p0wGJ8QGN)x4]=~DCcF'bt9ﲺ^FʳR*r?6lY12D.9{u˃.۫GʄBr$ Uƚ I(,SL ʯ+N<'rřGO/=,vh,5x+Ym1uq&WM;%H|sb5WY3PDl._/VuHۋ-^,@X?ᖤ{ H[*o֒*f@+k9B[|G38eęftIW# QŃ0ػNZ:#kHCA~ץˬC:XɜmiƥynC47qq4X_N=ݼ4RQhfw1eSH 4bΨYE_l&Cޥy|K`Apv+anj˜;:0tYZ_dH=rZI&D_cuRN&9S:!B1+RH-7IO;\$A+(q,>,er]}4"PPf*ىz Hmtr4Nh%2s&]ڑ";6kVL;M:?]tPfpΚ&?PՇ9uh} `VyqEE*WʷIX!ծ5.9]^ale2Q{qj8~S~j S ӎ礤:Ÿ/-f~A#zI0;領0"a8g!0Xdhն| datR ǽ{MoB lv;sO´iα`qt i$liZWC?ymyȧhݸ w.R||3K!+"G%.l?a}KgB̋@fhm>˼wJ̤|}Af(,vΈ <ÅWi`<|ͨQש5di=2(qgb) R%$t>0p%zĆ[cQכlSEtZuyu.lG&HXCI jubI߲^f4)EWypӒ7癰JYJՅwlkP[}h}C]GohIQxu'-@ЎS1~-$ЗJDPK/yx1A qܼI&XZ{BXQ + S9[:ʙHV;{6 z @&K9i^(nj&MUE01nL$iXVk";-:iɱTv<.f}P RCC7i1]V>ucmMP2jaXWTLDOXE*@["p>c[˼F Pnެsl=|gjrSI8劺G~{Й)Fg,ΈT!i~znZڤ")=>q&[dxziҲXUz`ͺLIRE^`ó/lwfAJ -.hƮ9FWYt.tM: GLW~ f]ÂJAPZ^ &mA[wMcYch3l8V>aj|3 8)maAJjA+ی1$/\sl-i uTt=3a :fKD2)׃ؓmjkVtFiYa)}~|ngCA9؇7ǔ$Wx |G|7O"ytGK,bU^*x endstream endobj 1013 0 obj << /Length 2948 /Filter /FlateDecode >> stream xZr7+LfƓJٙ;ǥj-k(R!v쯟sjQؖSZ ¹ |ⳉy&Yxċq3 uFɻw*3)b^\b=/.f .?/J qhË2N1.U\|ssܬOe^ѕUͶ7sZX۫4wr$c?Eh_i_wEt1*R `θd\oX-7*lrWMa-.74s7JX_`@iǧoۼӓeqG%5Aþa%baηqt2gD=8 SLfs0OD|*h>_;lWLny/ &0iY_⛨k}/OjZw."U 'q ܤNp97=*T! nwd$L8_/E2CzuW^mVBJVwY1=ԐYƯ^bQ;->k^c^aaa RhfT<߿ܘЇ6q$"Y|ڔHJH(~cJ?2h%+&TcOd $v[xkH0X&~EZwSxJWfg9Nֆvnx .p&eV)a޴Hny5RCev m{oUޕ͌!c2&yϸM1 ۘI1rziE}!Z3Xf]G]aA؁J1.B8f=ƳLdbƌE!eNE7[e]/.WK:.oֻ*}bn <*6lcS]ށwz ZyRЅ S̅G3/"_UG6'N )?'QLYMA5t@-eN92bHR`OʊA)p6y>JiyrouOCՔ6}n 5CLZ]HϡMOpXu8|(q;brϘf0:ǸjPճYFF%c+0:4u'Q4rVQ4PhaP&;#TNLB?PZ`eWM񦘂Oڴ3]N~nqh(5hIy:D~R1 "y=#abHwF ub=ڦmc{:sh|.r5,?~w}R__*be\j~->8i4---mA7Mwخ; 4qeq{CpZl.2_Qk" M-T?Wbӄ@f۪ꕉSze s}aަ6%<+|-3tU9 9 :B1&U H%-B*d5qZSeKF"5X-u߽*aᦾ>oENw^3QYD%3}pC>W֔s# $i> t5d{ܜzd 'F5Y n8FgiKqHR贕0u{S\-DT!vp݂dw+0&"ؔXrM94ҫ(-CCl}SϤӠ0:4Cцt> 6L8tkOANtU7AOvsb\_wv8v+ByI.@K$^fC]mbX%'$Պ^&to|MRG- !^*fo9/w˜n\@Or-DI}ޖ.3&Dn螲 >p$((0$=u*}bD. t|h 8f]o}2+cΝvAYd'r&Fƒyy0t 2^_g 7y+ՙ'ʸ!YʚQ;Y eEI2x*:RSzT;#7tp0 :G@"?ΒӰt ~Kҏ3JT+ ClC> stream xڭZY6~P%Ԗ%@Ǧٍrm<}HR)XD< <48@wnh*?ʣUanUyxh[qWϔmp3_ZRQGZMٮ~/Nkכ816ݹK\6כ}q3e~OS^8+a*LbLa:!"&7|w_J L86a櫍b^ucWq_eaR*̭ոpgrOzT5bۢ[/3hz&L/%OO06'98 WI8ѨV[zV=Vqh3^~qhDL{H4 2  oeKpM6tل刕]"G0?-G~rqhrq0W{ȱ6ڀ(Ttw~IL6*#h&8Wǵ΂>[, XZfw kc/'q%q =,_T#} QQO\Vfe5\US=q*ICȫ@w9"ir/ -\L$`cH-xl\E!#b؏!T Q%ٟj*eaI$SC< SÙ$6/e [ԻAU7%Z{'tǭk`_t{٘k06 i,7R~XoTprf]`G%q R|S0s݂,Q>ɫoX2јt~#Վ|m)kZ̅eQ$*d?ux{R)ڝۧ=r;B :򺦅`J@)P n%B Mܹ?c掿X*d9 v PE}w`C=7n;$iLY!;֌γ0MҹTՃɏ2<: s[',3#ly68D ژn}3bŞqM;t '!Kl"D037l)ҝz%:n0STL 0DY>Ail]&£877tUW68mݖo{UK,T;2]MBvBmՑ_i}vvW$; j3A}mg%²Εgb,׎;,xN f`/0W=@&/~Ahw߆Z8 XE``"Auk Uۘق;8ݔ>huB#4-K^xWWwN  (•[oLn 6 fG@Hzo 2Qst{\TȽO 0v0b pby`ԛAV EWB.)o\W͐`dr13=5( :}q}Wt (G߮-K}vK)hfn$N / 4C9 ]ga{( ESm;#!.GV, rP[(h<2|ʦ@F,)jxw˖-Z2doP4(>y?م\M1 ns>ӽ+ډ2:QclJI`Ň}'$Ix‰@|VЏT|K|DUJc߀=č8z70vDqHu-}'iFgcCHŢPqk>M7*By ֡,ςC~uxx0#\S1L"B%0 #iaZ$W?B$ ?'k:QfO"S}\IDPir8Ct{=xN-ASj+) !#}@iͩdΚ@TC[~GX6Ry63e&=HI -qt"P ;]e(89Bɥ GDU'\ʼnъ<\4-f(3! '`1[<6=PnyB`x{y`v%zپ.C~\z5* 87R︁SLAO;sf|iE%s:@_, 9C\HiC_4D:cƍ{ۂl/4Ui+;8!1TYD=RZim0 taPGዊtQVyphUpvrC3!ݗ3Ź#4񥺻$n +5Xĩ? ըi4[d 3Qt]s;m +1sԠ|YQB .qnU'œɰo![i.B m-/غS]@&>U&gyv`3? sU9=hZctQR4h+$f@a*sДcc|@c/ 0L y_uF8h'ñ_CEǧ-k$Fo'<W,xƒW-a!P \̧"ZuhYyk#hR2ع‘dk2vqꮩ0N0zYkEQ_ L;n"3}%iJ5cb?$Sq_1<6†ⱪ.W˴c*E&jK'gf;T)#/|US=JqKNDM Qi?,1O ,Ti endstream endobj 1019 0 obj << /Length 3747 /Filter /FlateDecode >> stream xڭZY~_!8#3lvbDDjI*3_#]]]ѭW P̘JQm]Ǜo ׳)NMe-es:.MD67P{%vU<=BŪ'7/d.Ir@gjAr`#T|"܆ z.n7})7|)U%s\o v _ΣԀ(S#gajds3tJ;u{s'^k>0oibHE]/2a&0nc8 $7QaH@ؕ` ", n<OV 0Mτ;"broZP&]d9ՄX0RSώ(Y:c07Xx; C2 /AZN@q6-j` 6a:5#M6=;2i ; |)0AA ]d;<5(] g&dU6 8.X Y35k2J*ͨ\>.|׿D=? Z84^b$B)D'I)k:ڧHfAeTf#[IEd}I' +|Jz/$Tu);1)?HmO9 < UG9\ؑ' J"xKBS^~ bN $:LaKK Q{ҡ2gY}99cQ@qQ#藯8 Nj z$yj(ZR|zc P-ve ]|GF:G4IK%%߱7x$`a43\kۡ PL9$H9[E_/F*qCj7ᅄU q !r  (_a`Ek6?}oټ&ycy/cKw:훋JǃZV6Xqk &:Nu,h]D 6$G!Y AS;qCWɄJ0yhhG*Rsę+KFVۊN.M3J#DC&G/r>ٮߤ CMǟ]9^8[9CLܻ W41[r>seaٕ|"м Ζ J_6  ?1c&#D]sɩ;Ń;5Rk2231!u+.GqyEgLl{ƄI^CskʙsyB%8]V@}\K}T6,bM`EaD1^Jr2T yI-LKKTәG&n[#dD?A">N :KDc1v ]P:g)rnfI_zw> lbAͅld*ؙ'eQ wq3ő$ >(S~ff)KfhR ? =zY,Dgg;cJDɼl[]-%O;N&zG,Ô7$~Z'MH ń$3k1j,4*8we`04@pϷO9š[k>I-SiVSBGyo)$!#=muE![fW3Er_Aa\-/7k~<%םtփIݯ0.S&J|W-/ ?5h<߯}HDgӮfNЊTEQ?y0 }W^/(^8se>fxMxh 2/$ D\ms;Ny.ͧLDž%e=6Ӎ{ܫEY+n<ʏo+Tp3Y3X4;G= . (qٱ',˵yNyah[Bqrn8&4AkqUqRU,Ac+eA-:ox>Ɣo0oxcIFxkE'ʹ"˯HzTN*b>KyE }"pQ) ?؁M8[g1][~ cm9dx0 2+GN_(NFzӷԱ=%+-}thڻCFΏUzv_p#];D5"U]33Ddβ!^on\'=6mG%8wR)^ތ|i{7/ DeLIJmJ*~2ϰ#4˙f*I+&,\20`vgnb&> stream xڽZݏܶ_h-nU[*hH`n{'d%%_/k}xcpKg8V Uq&ն|fEg?=b~&nF3x?*bI%[؏z[6"2XoT3v7*JEOJq@pLS:1j':QRQ?:YQWwkiN#&|2`2TiqiՎ-N̉&7L1cqza[RU84&`N&TB⠎Whx?42 *]YkgSMnO;4O& E^Lc%2{78{:uK8c#_*>n-S!0ٽ$-A&8KS.^o å'g1-ms3r9 ͥ?$M/ /ޙ4c?{q觐P BQ21M}dO/M\94ǖAK$q*I2Y?!Ug?@dR^VqjSw:V {VA$#$gGV2ATpuj)NpQ# :%u^J3ifJLnTJSh7U/7duK\@m!@~a{># !޿L7QbuF" KE4O͏2?.%`C{̏6袂U!efzȩ- 6\=>uoihDن%#pdx}38 58(8yghIy%ڢOBp0yFC= vGŔ3j>9o C?"؞;K~H+fd4uqeʘ^QI桎/a,$84X!:Y`UҌnf#E"QHk4؇ 3"uřF#=ӳ ˢKLjy2 ?+'fUԅ+*'WRmI?rG P2:Jh1k*LZLoCPFجI=[ߤ\hͱl6Mh|ZWblC!OC77opu ƥI| iG^D'̦h"R e13Z V V+ dE  ./C]ABdB/d?|~(؟ \bi2M[&?\a*5KԌCNk/VF]"Q/d2g,WLH4K[?H#J/*Sz% 6L'l8D|(zvq&k^O' T19}*U`zgK_ii򦰁K F߾DH&E 3璅 & ={Z‚.}-NOpiZK <go_H8|foF>I/Jn6Q~7b{`~SpkXov w5EKNJ扎 2uϾh¾狎3oIqŅwkm>|lB=yVN֧ԅ b\UO^2|E-l¾sf2/q-=1(kjeoBWlSElS i3V  <FU R|H̦di Px+3uw>B U3@{&lpm#ܩ]wXP*(%; pq3!N`Q7d®V`j2e&LrX endstream endobj 1030 0 obj << /Length 3267 /Filter /FlateDecode >> stream x[Ko a}8Arqvu lc$bgHX^|3Fjij)KFIXmߤZaq9&f~so)`iRCRo6΅Kٹj6\gqVt7Y)'ybS. 2žJEٴY =]:vl+z&6lnzV.,b{m\Pزuw &Z7X\$ݤ4ʆ,΅ajqD?Wŏ):OԖM߾ KJ/ιN6wgV,Ieh5xb]SWaݜe]|2k0V~:r%4 :j-MBG R`@yr|է%L}sq7U9s!u:¬\Ohsm=ŀ8RE Ed,[Kޕ]ƼURoY5 δߗ,0 s-&}2R_U@#8eoMFVB@\Z/Y={' M[VV{Z.ʅL8c 'ni9kwu>Q6<  `u}E2 O؉-MxX_坃 2!X:um-c!oUqN8sS=)~&v7avNLYp`ڻ#֚dkp'v<"bt`ū"MXh݄0rI(UvQ|~͹ ݌-l>0TF=eQH%?(M(cnL呝Թw˽|q߼z&FCL&j2J`!<2;MЎAx !q&zBc:Nʉ#iY o4Qk\We 2Zw}F 6I+/*I'?,0}i=w[.J|۵'|:%|07n鏩J#7P({=pJ[w_;)CBRp4?t ?Q8[?u$f-j Dޥ| YJː QfD)ҽv4ASs1spyb!KRe%;s0JAnAA2rěCLYxseޛG}=& 0R eٟQmP<P CNI=[ñ R fAafU*Vdv) he;F{)7ta;ϲN%.p ӊiLFWTu*D =8B 8<1Sx%T?~*>Gk*xZ' Ps&ƚ%ɐ@NJ>eEbcX3p!p3(NB;2~ewfJ^)43SlFW@4}ib^8R1?* +< Z;2]`"y@ 8׃Pq'Ap2" XH3AHg|rT]U( ].ʽ`ݱGn6A R<]kbV^Nդ1+}QFTbY/: yM*4ν~k\2JKAU,"]AP&UVƾ` W/9Q淡9-/|aY,0ݗ ,ql[@ }o*OÒC7O*$ag k8V`|V*-*00*8>]BVu |_|9 x`Kw+_l7Je(]PSǍ_ڗGXmᖗY?zvw}V %|˃0 }EY*bWBǨ2FBZFyZ_d\PrrPWbœ/K&HOȮXQ9Cm/p\7+iP[5Ma6r^QGdud}*89L"⓮t$?Y@P Di.)wrR*9đH{(gHEb !93/p$L"#T !+h)s -B zP4Ռ AK24{D!?)2dd\σŵ{ G! bC_ gCñ4g4KCCkph)2¿_XOE2O= c*z%AaSХO CKoD#p XhL9 9s! `C_g&X@/ endstream endobj 1034 0 obj << /Length 3349 /Filter /FlateDecode >> stream x[sB>DD(?ҧ4wI/vڳM2٦m6r.@Q||!bvb'&OR,h?{$5}J~3tz5f"8 )r>=3]vn<˛UyS* by?r3&ԪtY-uY^=\ƶ&ym"w*H?^~?3yM3&gTgz&JbQ^~LXs(57L.ݟO%%_Inj t`]P |Х$t'n ޥLـHW/'Nb:\+7u-b׍PF=$EˉtӪ]=2 L`V|yUݝ_"c%s۹BmWWb^ SwgS8͂ bU=uY/G!,%g.kط$a)K&JyH1LuӇrI;f:qXT3'M# ͬͼ_yZ1n(h UMf~XC޷\vL ,JG;Y065d?% mM44LW&HX+v^ߦIl+4$3_%5ַ*?cv_R⠡UיC-Hj0ڜ~ݛӳӷ~34?o:0E/_ n54QmotcĴZ .Թn O`'}`gcwQ-UQ+YFxaJOh_)/[=,x]l9bg6@{ Y&w~n3< rHFBfLOG~\?-"0R|(i:k5\u,FeQUCz^. E~>mC[n|e-|ށa,?'gȝ ->5_pY1g!l w ?퉜[n?a,+˭հEB1 a`[0HcqAQKe=|tz nv㨻0&vadm iq;Bp cs8@A3󟈛? @Ap,Y.vo|'ZKx1RNz?/ՠ6`G(i' `p}Vޕ9##8$SJmfk0>փ;dLRD"aݙoE<֩wԌ瑨KYiv_1fߜ^? _b'.5__厯߼*+L\ޤNtih4)"J 2,r}v<0?Es+PϺ rʍL.r&؋jJwp#+w y玆:Y;,n)5q,NM1+ ;ѡ~LeП`-*sA%89^Ig7|$6a1ؑFZ.;/ZDgH݊-|eB$l0O0e\.ŃG1E Uk ezHH՞)4pPjdjΌ4Bt٩fvO4:NShqVKOMGorGp700Zc{hƑQk/i Jgoʈ+ 8qpsi,m T9iqnh7"e ۆy*Ϫؿ.oKzm[(7+qc)Yu{n6ETkA{gcLZ΂Ikb#>Y0jȂIlp˂9&ܑ#wWY0ɂQ(N"eveQ`R]^lDEa/%eODbGnP' {#"ů E~SWv/)"s/)|BZ}zrW1}>)8a/e&"?1pe+4l)V8ř:5?~Z&RV9w"|J=2I_yŦZVST~]Gt rloslMDu$j/f=R&ڛw_`ɋn6f#2qe򈞏 ˓dSRCY8=\4{*=ǬukJ|%ɛPAeՁ5ih;2ڌ\7&U83K2{L1?މ `(A胃2mkϐ8gCG=Sd/ԏÓb{KKxPƃ\1X@:.ƬYN`jP =ǐѴbX{ą#' knA.jybu}tGK9[+ ?]^wQ#Ī~o17ݦbiN\cˍcVld%r"4`P`ڎovc_Qs#aӿBZ>Jc3nE"ꉤw=FĄs[j t7ڥ҇TZR.eMJ )e_.efkՔvIȶ ]XK].erT,e\Dխf/i7MU+uVmTgrnQv*}h/섩S7{;ىw-Vo<> stream x[s6_{8ꦂMo$murgn暌hTI*.RLJD9H.㷻XPlBM,B+d~joy38ً0J,lrv%u\&:-3!D;IweZ<θ届~8볖|5G%cxO S#M>"^ƈU3aܛԿ:S.K y=U4з]pɛI"j.7sw/WZPDܿ~=-@7cڎ[Unwp F;R?Erq=qx "1͕~"&\٣eoҠ4$`X*v[Qj Қ>'÷bs`NJX+e0-a׆r=dDBEԓi@ps@9d`((Z\ 16 :o!Fr"D< đ5c +ؓ1d}Kj^2dx5QL*%ljT4*J?N Ld:FGor?fIJft3Fu{Ky(SUƛ^&a$ yGE6U/+ӛiU%WiEO4Goe/2`UK ,:^G,;W_b?3d :vg ؕ bPGk#5ZX"I ("I盲/`v]X촏Wi~U/$<[]j ف?p$~y_C2jB^-${6p‚ݕ aso8ͮUIQBd䮘W&bQ3`zBwqG9<;G]nyHJ5|(g(1Rݤcex"ԍ e yQhuJI9HN׵7kOϏ_*ϨeLW7 o%?fw3X , >Ǜ™yW~+=LS`M[`q#^zP55f9Y9SLzձ9IXЇ#,!UQkt'˿^f{47Ν AH0ޚ6}EN#c5<> eAt^o_$$njұj!b s3 cԖ5qX/i]"8 '+<`ûuƨ7S Ve`_$x L #a\L.Fڨ-5Ijf>{&/z CYIol:_UZzflM,38S"p> stream x[Ks6ϯmT%@n$c6I4m"K^̯߯"8+N[>P$n_7`>'>X)Wnx|IW7Ygn^{'|rs%u2aT۫rj)o|Lxa٫n~zMJ qhI)vbb\8_rr[/bhL8g^kAΤ _fb]]nSYޖsmYܯo}^V62Yw iJ4uYEŕvnV 9AD߲/dLs=y>N$ӎ$ZM_V2 %Vzڽ]O+aXc0V2~0Ji8O-%0Z߶KJjQ$>luttQVЊeMHvSzp(}[f:^3(̽dʼQ|ŠeFG# iYHo3E #5j#ә]w뼪V\KXV{2UXR[H. kf#0"c<3);Da5 &L}XoNY! rQpMݚ Pa^J9v@MLHäLY"^pX7C|}<͗vD xsx(1*"{}VˆLX > VtD443cRWX}DO g D2\Cَg+?=7n->bR%! 1栺!+Z )`y_ߤ雞:hȆGQPL9W֫ ?nhv<#1ԧ;SM ҩ$ @v wyI*BBL@C&0ǓEiQkYmvi) ]0Ԑs kf E\ԘGZyp0WQz"oz47 b%fMvU[qИE!DYf]YxP,ɪV”|) |~7/V-"'B!"ט_d|[}кhX?}s:>C*FĠ'OmDp>x-Rn>uо۬f)NڐG.oo'u1H-_ឤ$ԡquwɂxy4]2zkL I;f;-7:K֏7dfs{dYahm -ŠJ:sF݋ͪnhPצľjq\h&F;U׋퇧z*c^Se@ys:N6P2tHr\-,%'X8a/ڗ@DKZJfƒ#֟wWvm$|Z e"RxDyEE+wD`G RlZ37V ZIzD_;q)qW ʊQI0׀\r.C; = G!%RiqNCEwDIy+`%s]A@BWtχMʍƈ4pKHL\]|G !|L}D=Bn1lD_a,/Vz\>_k=tQtBvo;{‡TB~C)%okbaGz-tEdщ6^im1[U!(5ݼUf2lu5S3ŔRI"thNe.ŷ#)Q_"khJeb- m䫡 4e_߅SD|o6xvǪq vVW;Hr 'p =%_W_řfh2ayr=W&>KU |-Tl<rZFm Ƨۧ8? 0%D+9L#\&<7H|Z:;8g(EFf)?Et{A`?C;U(~vHw̔0VKd36H;Q#B5/[DJj\N~X#$f AsCilcFx̺~Ӈ<.H.K_v.f endstream endobj 1048 0 obj << /Length 3197 /Filter /FlateDecode >> stream x\[o~_! \8<&4鮋MRJt$29s7JEj8sL6Kd4Ezogx a|0/eXIJrc*\R:E~642o^X)P,pWΔ1$ת(:Wa ~MTٜhq6gQ]@jGmE B6>|&Pr!X) :k41rWQfK(z+0QFٶ68]&:;|OڋƠ8z(̙)a,Œ(6S&K|3L|*g6j]䄊noh.w&T@lUnW.\#*s yAHhEӭ-E+pjꛦW4BK씦nZ`#)xh@ hrΙP$+?yP emYjj/ؤۢ^V~Xx!^ӂ B.&(;wJ v6&SyyMΐa./| L<D/ό8`d5c,i1Ir]vYenT]D$T2ʖta4YI\v$fQMv[,?Kb9-7$N|nz&Ԡ͋>Air\0G )D&c $>uf 2es /n-ȮFX' 5J<_cdQВp`Ky,`ɵxV*P 'b@'`,81N,c&R1Sg] [JTB%1>TV(>Y&cR( XA"h Pef!Nl{x$"h Zv!jHIrQNV$v_zN߹H4{ztn QcIOR75~jcOZQJZf&>^wY7|<Ѱ2OJc j `A,P: zZǁ|[0{FW+XAX̭G;0d!JzD0!6ICuZ0ViCZp>*zT>aÈ?H 2~@Z< ?`!TjHOdc y$|@Z̨AaO'!4/}LB>:)_> t?fgBᏥA5m'(Ni(mejDKP /<ʝf%o_뢮IDS sRЉs3f)c/lkq#"J919./'9}0M ֔vyM <߄~zjH__wwmyA,@t^G WÑ:{W~a.tzJ{$lz~ӹ}mM^5+MxP+?e2M_(E)6wzpi´ͧKk{)ڟRKVbC=tp?X]Y!ءQFsAbSf;7ͧt$uze.PWi h @s&K# ^fs$0h4e[ܰFޗE$*ۭus=^o{_|ի7o)5.x? G{ޅL-{p\pEWLpV勺<[]yi+ߕ`.e*p՗ayt%xzX T ]U8~1Q?Bq2C١ ;]Gt >CGOݡ*8D[v=fDe-no2S;HG@A-iyyg߰J=uAoBqNÝ0=ǘMw-iߎp: 9O`ƌy;"|;b\ X4lC$`DUss-v-\+i'Av7:ũߎގ$YYTmN|Kr߸Ņ- H` {RF Lvo!FPy%ȏtkD)dAbFׂ0xmqiAJ8`Nhm`d2 Xil ?=oՆ|=^ 5zPuH@԰0H hiR TNR!uHaN >Bsj0aJ ;`!OÑ [!-y R œڐ~uA[6btX-J-X,ZZv>Z{ sB!-ӃJ`4> X _ 0` E4RU)AD;4U nF)/骩R!\.階Hh}|ab]?X[3qe N€R_.<#pjo*3Ng&k8?{wؤyHe<.Zl`&捾VAV j'*,T(^^/[}>13/鹛mt[%q镆\J"|mhW6[ CgR DPņ>1-uR)8EQu9«>eaء̫WFT[jK-R=NU®fᝌYkn}K`̍-Qls0 m5n;o`)t tdcEij|]wqGlZMȝk8qV' endstream endobj 1053 0 obj << /Length 3832 /Filter /FlateDecode >> stream x[K۸Wfop>8GbY"eӍy5J94яH/dadrE{q+ş~z&)_܍,^/e6VRʥj^:/JKo7=)-#ٔ.SKE{㕓Sn7hTkW ) edoxjuUoۚdL9.&: T1ńiI\M[־b'=R1&Sܿ~,6E4׋{?L;c~ &LSObk$]wW-OWAvYr}:*f NMh7{D/$FfܲW6ƅcFW&:qVRpD]yN`2B  O"݊-Fı|OB0C &H^Fm#"56)je$ޞ겁YVe hNu4peUSy]Ѹz2zˊΩ(݅^c\؏ߣc7Z3n'`@+(c:",h0N0v+(n0^ vOFRH`p c(j*A{TL)Gc^G1O`NQ|6?8,|&[EYUO¾O-eF=oJɤ,&JWy@-1+6GS|| >Z^5SZ糯1\x7ܧ29mcVgS ̎K{M&$}[Jս|;[-anPE}NAiW+jޭдU%crRb:6J W+N v-eN-=4 = eoV:cRXH""Ώx1fN!i@ sD8Wiÿ0QˀEFlŕc'נ!C*jPތyaC3ƞK҉;OY'Z_VgAxUG[h"Bpܶ.}=efG0^ۜcMYh !ͯHR:2hgmTF̰i!@*Lπ|W|(9Өe 9<_.q`RᅂRG.ѫ%|@6bW^ q̶9 ݜW&Tz~яw> J\h̟\`Z+,0xy,NV}E|85;Cit-u`t5Ե9>DmÔ]XF954FNDu0̮JS$`,qWvZ'ow QX66 `tN矿 ۝<R[gŮ ?W$ /X8(s4up 4ƛsB XA"-cL*)jG)4mw{9w }ٜ:*hA"+]%KFI/ 8MEE?։1tlMCɅ[a߬BF(@ve[y*oQai l7kaȂfceY~w #s=b*B1$:ß1_3՘H|N9WYӜ|y'!-:ʽڻl)@Qly]#ojHniJr""jg_ TdFDee#)!ws(%pYTbԚ9ˇ=\Bf!,=>qM7€fV6Ѥ~0S `ʳL1$)yGCP| _}!ɖLD.OY%\&^wzۂ{D$bFC?ZDqğ1\̼_1:n})B3R`}eAr9M-\U.|&r_)^O[ P!> stream xڝZ[o~_ȈGER4AMHyHgkFfmܨ,- x("M*?uU&Wqiݛz7y+ݛ?`J2)ջRWEo:ʿ^cunWi6*?ލ[4}%M8Q*10jJ@N}_6uZD۸Galqkdbwig׸ӑk@G7pй"T<7NڸufuNxm-߼Z ةl\fryΓSt< [ܳ0FO:>28,.L ~z-/rsOö RY/K^aF357!Vp,X=vDj:WU g&x4un_<54 ;2ٍ[F2Oi&L׎T]=lwAqI"wiԂqebw-~Z,(?u|y\OZfj"N Eܺۻ@D".Fm.M:MLVu# ^-n}˨uy)vTA,WyI^>;P>G_=P *4hlm/(B)\5x-G5LC3бOTvwlg%B`.4xZ0 ;8)MwFF{Y%ILkw#S4sG)Zzz7o@ C_sM*6iz?-sл25W=ڪqK|Y !QamTyezp-yy|Tv=?k0CO|o+Ol7\PH<.mx&L=hƮ<]쥝xxdJ%طJ&f[S$"˲A-CveM4m7~:p3!j׬KaKojM}zW7,ˈ;9;37"։=o:OdD? 5 Umŧ(8D\C1?tbž#MONwmb` NnH%O"qkohncShI۰gDbkG%+ yX9'k9oBEu+b‡Z&~xbI@&G{؈܀4[hl%y2n@2G4;I@0~";{0sVHHcU*Ov] [&|=" R(Rt!&eL9P-jNƇwR~axT ά V$\}=xh5Fȩ^#c J (bS;aZ\/6\0v)*}f"C{2,~0Ƙƨ![Skspi{1HQ[f;m0>Vb6TR2+}j^3A u#0~|O:VH|b=FVɅ[q'(_)Fsң%<=wRz4(Onv"&[Z|٧-Xxo5-ccdž],!R% a[!.Ulݴ2O 3 ,ؕ_o4WC+s$eƻbTaRpjT`낝"oA ~cYPڏSyF=q҃`_M=/K)g.6OP }*24dj-پ'KG{ ]1W%k-q۝cIXǶw'+5ofkȒ lp$ H⭚RQ0<@Kzֵ; n5(z-nMdu [@HLdEę!|F`Q==a"ɢ#GO;f1K5>vq.$ʙp>NiIH@(E MNe_P7~{K]qFPm*Q /{XȤ_nkw[:&,kG=I)١mTifIsBˇo$P.0$сǾsTAD3+_3?~Ϙ`撨|;H t+nJBź<@ xXߏ4dvˆy;дx_^Kw87KF7\oL6s%,NK IEaŒ.spSqA_vXh $  A ᜋ2[g(N=F$k,Ot/ juY;^DD%3vD7VX =*5-C1Nt##"q<Ԅ*Y-Y%duBHdس:T\vP"Qx:u6TZ|JVL?K !@R>**E0Cbߤ\ |xbVޔKw ?.rШrA0E+cSM%{(a|": l2o *tI66^5yɉWv+ISMY@Y%NciἵIֽ=[E#fQ^=)Rݷ<=&btb Hn/4g#qD$/U(1w?8S endstream endobj 1063 0 obj << /Length 3806 /Filter /FlateDecode >> stream xڵk۶_k-x褝qm'ɤxh'q,2IbAw;7s"A`X{R+2)Sv9>Ih[Ox̿~Zx\M>?uEsR&ٟJeq]4E)‰L'_}'x=lx N8~UKEHurIݔ_3m+0gX(&'}6) 7QiI 'o-}NM}%S sț]i͹); cY=C<ɫ-dχ}Q_`F՚K5aYrmW>w4ջM#Ҳ txyX)l<'VKkPZuK[V;+\4ŧ +/N8O;nrӌ0Ks# PnOjӕmSt kEQW|.-5SBXefLK&c5D\mcH$=Š9@]` H1e9M,PsY3~*+pL%?h`sA<t a\^”Qp=^|B4e^*<N^qgx$&Lmb@j&EZ23rQ[;7tDv"3I{\y!^^Pjw{gVlr/7H=mUyynӹ-T3|os*#;kK:h{5&ų\q`[rIpcѶ@Ԉs`C! )aNMI$Y boKDԄ,5WsÙ< [kΛ^!j0ˊw8 ) GLUJDb-hAn9~{ A<[sV!aþ͹#f@چ4)r= JUQ,}u3@ZZfcϾJQ+/~e3?#Da+{f#ŏ?]ԙ鹹LUNg}߹ȹ@V /C^ȝe~s>&{W4&(oH(6#=L5mskl{{nt[3Vy<~ҮϧpN\GcP01}!K1B_ 8^1wm滠/A%oG*Zxu~Wg ;c;r8XEp7z.ɥc VLgD(](ߦhEgD$i a!v@ ݰ~J@'i{C묜1jm螂 y/`0kJj gH|WiV'lg",fJ= ff``nr 3o(B9p]w`ڨ1@6k0U#3x'n`?d$v5s X"pʜbcXb* a2$&(R0N1g$ s:ug~SNxhUVo* ]&\|eFfQ<'SLAXFir ~XR@zXMwsԼChb_k"TdVRF>BsBTƧƮ}Qc;ݑ3G$V%Z^HVzX{2 Zt$Ri<_ty4]J 3>l-rMN\B wy0اB%;}(< 5G23B\*SWw7BΓ{eDN60-q| :}t:As*Tcȿf#¾bGJC[l4t[38# Y0:jMH4 5xncvq~)W b`єvYXV`Eg_ŞhG PTn4ha-萴!o(iʌ"(!Nu=빧/$tܤ1w餓9lCj;=:KXQWzًQI*f- o0*|Ԣ+,KM<_E6F=Lj4{ tU&kO<1wդO 1 2xmR|;N(}_ꢠ~o·^+C[/> n/F# > stream x[[۸~ϯ[=Ř+ɾe(&E6(f,ĶPC8/Za$";琡 хsbYo27Z/û_0oW?޼g)4#6tqs7^fiۢZqΗ/W+!]qWa]\eZ.-x뛿[IΤ g@*B/y{>e]a8\1lԔ{nĦOk\n̲UA\P2X1N~?Uax Ю+%CW\*B%>4mӑ>&H"LoH,+i+ha.cD01XeY7#?lˀ8h?I/ÍfQQ6Sj A>a ompM󪤠D?_0ú-At9B֩T%d2my(1*Ahe2K].:R]:wf1/߁|-6㯋H*n~4HnͿ{E; SH(m(514V /ɀ) *ZNˌ9GGl ؀ d*DfE?BE%W@WTQuBt`i/nreIm2*EVB_塍s*iM+"C JKh&!QD1&:3Sukq1}LhzsrM9~OOC/.sצ8BkE9*c6&Mݡ8h _6/#z0 CѶ"a"6u!bIM T ./|?:9yqn?yA0CC48 cѬ>({b=r=B˩q;M/EUM ,HxOLS$ v{yW;gTkBumumBLHb %StlԖ  eu[$\ K/M . 6)#CIP:`{r]K8Kjil/i9$ njh>N§ $  VM@PѿErL e_`MO0]4 zht"l 1N.(Xy D0sr8W*ij f9M:Pr*JZ*(PRlI鼲IZ8ef3l3ދc!%ؐBAQ i'C2 =97FKx b\8V=^A>t-F|_@(3@u4*N }+w,3X~(g]#n\!so?e sĵ'dlUL!&ma'v+.śHy&Dh´|rGGR|륃+`~Ήm`#;ھ`w5S!" &<#Pݾ*衂 (i$6r% r`lrRIPY_ Hv G;ei܉';bʶ[z~sj:,P2I4$3d+E (Ti]zEk(k[J lZ"x5)ͤIKŸIhRi&`O;v.Q֙4.%mMJz)&%5)/J5)q7)ݯ&%R&%G&&[kRr%\2UPAd ݩFژVw> stream x[Ksϯ-ONI喙awőh%y| OS=d|0I |/\HdNU⟖wp柯xUoO^gGoZEtMx[?!BHDFҹ4ҙhR%0|ҾyR4a6+`%2?e'yiI:LaXA5*> Z{ӱOu튯u>\t%\ݎyv 2%p#`F!jN"׷b~< y -oA8ʉ&:2B| #:e5`{B2uɌq# ~y,6 iyL[n"X $e4h%Q31JUY+Y!3&tvJʞZl*ybeٓ>aF?' |1 2 (ym+h tL#!{=s$^:w|ѦǞ!9@̉sF&6#מ凄l[P\=>`S C{hhfKۜp֧PҪMgCblS?4r8Mi~_ƙ|Q]2 %s/u(M!zRp-gg f?QgaL9>330N! 9OxEakfX(I]h0NF{VA 3g\ߜ{fĨf;w(ӽ-Y},H-6^wkvbMplZ>RAu"/4 u+|(Gw{Ljǎ}NDu zPVA^^nJf'M$Wcu.K\(a8m}kPp\?Yq']% Ęb7QH81>I? z:@?.)(&S#rwMxpO`&AZ>ݬUu=b95ˍb4 R$A)=B)m6hp#|0$ ZU=]~ø1qMqbXLg:'ί^凛a_!,˰H>矶Y~??D(ZAwa7a) ʱtT 5[f]xja*.΄u}hpp損Qyyxmء BZ}3m}Ν9[ 2@RCPqZiHCΩ,5L 5X"f\Ð`!]f/BD-(GƤ9j,РĦ"/Q WϨ(e4F?xɾH?II6 YןXr5z7U#R2Zi+#Y+Ǣ?0&Ț4,*(ڎib Jޔo" rLkDKBj#x?c@KלM֙E4pUDڱ]P!h,gOV E}[΍7@|&k`-Lm^5i4[bά 1ʢpS,|Sd]d>ܯ)Q-K's48:ޭQѥ,QP>Dm= ~O Jo)k`𘢏BVqt)x$%3cd{ &R7 Tn \2.Jxsp nA?%?]< $ѳH&⻡hӳˎȹ] =E4;E:7%wQCLR{-3iuJgMPsޯdf΃ [ 1 jkq08{|+ OHs5pޑ-cihf3bPQ&Qo31 ȡ (T ۲/Ce0Ak_}NwJ8"+!h]B^qa=-sեD > w㠟!Q!64" '16@8)+-߈tQarv>NVX1 cA'+PpϽ&I9d̈́C.Qq)gMQpG5 cӨ s&Ob?G.sdjwCt-i¹\asn5]?j3[ߑP 6ԣEn$RLeh=6dž|4>]Cx_E[Ci:_[2*h;مOKB[o3A0Gˬ>lq?BUKc]n>H8.:,'iZj&wވo>ƃA05}B<;PS:ASA#3ߏ5Wߐ#y(LPGSѢ0͖7^_Ͼ<|>AH v 'DhH6Z.P*?C-qƼrex5/qYC4߆IOU]#@čCAO5 VBus;r3QT-C endstream endobj 1081 0 obj << /Length 3643 /Filter /FlateDecode >> stream x[ے}Wl,1W`8UvqlIɋ’%.IdszfpKŮ} .ӗ|aE&%*_ni}Ͼyø%.G#_k)oƤ^//7š-닥2zTJ'7e]VRXĪ/{Ջ2{[0b\*//ruC\Z%Mu+c]6r:)jmˢ)nr\n?z+@ܕu)]Y5XiؔŒ{q\2oU[wdQ2ǼRfDP˯ifaO^H,8gVkA*Y/SMk/ISԤm ŲtJu81ńݠ$oM[WZnWTX,ኖtƻ){7f!i '? ӌ)iI(r8^mUJyTOyR~SKPm6LdL^io1vNGhLz279qDjŧkɦh6 `naAAb0ڳRr4f27XK;|q0m &,2?_i6:P{`ꒋ-AZhZ 9WM_,4$aFſȮ9B>:67݆QA,sq85۲d(G]b hQ VRZx|Ϟ3eA1~z΄ë͡h/nKꘙ9U=W2fjres,"LY3NlAO!ab^ݫjtPrmeSʪޭ+myTʳpE/ 3&rZA>s}KJI#, "o+]ޔ@퇰u)af0՛58K]K,3Tf b$%)$|P;k`xsjPH=pͤPG($~d9ZꩴYa#fԪM s:x*;:n2XWU< O%tދ4N $;ɓMY44sExHJD=\R'mm', KsܶnGn{A.nHmo!q%eڪ"5~XįbilW.*sUviWIz4W[ 9Z2WE!Ed򶿌?UTmMx2_+5V4)=jߝrtp"dC8!S3 -8Զ].!A $sj=UK,H2&\_y gzsVmvJ9q ^mTGf($$.[YG}ZNj A}ϱg⽡6;$B4 'guն3\^Zv=.nf,cӈ+:\AfcBc+Fn;5 zyHqB7wl&L>k?xx-ou#Cc54FE}\r uDu"7Tp<6x}^,67Jf#L !FZȟtulIF"s2 (}cmLj|Irz[^#gn2dVloF}Ү},HCS`Vp;@M'7 M*öjCl$zBhL99x(dU UBձ+o~&11Il>KwɊ+x83rX0-)M[ d!< E#s0w5.uڇr̍nkJV8*HEB[bl'V-K;ЋЋnU6 :df̭C- R׀T`AbQu/굿qoTu5Tp~ MԌr=nhByH4R2 qShة=ro8@EMNnFJ2&D١x6Ѧ;49xˣo҆!wCۆ(1cJYv MA᧳|zf a ㆍ™&a-7ɒxcӌ~N@{OP.v}${'N> ?a\ @PW7e3~ޚ>v_N}l8l(PvhdX]g%&Үf˦\.65:W_.~ۇTkbp{l|X ̖(́'|@(r{o;ԟ_t*n;j# )O΁H0OZr4 %tg0Tňri*Pqi`7~Ph@O l~nz_jRkϽ:u3b̠ RQM.V骴nCjwoNFt/}hIK;)Z\/o9Z=h< 'zU?\ endstream endobj 1085 0 obj << /Length 3010 /Filter /FlateDecode >> stream xڽY۸*N"<5E[\{\p\,$y(K^qhP!9of*xUF\LUuxۭxmq3~HUeTƫVջvou$IMeU< to/^ߏGJ}LLBbF I넅Yñ۬U fpm=^˥{p3FфC\'84Obt=S3f#PVNV?"ǡu1 ԻigHNQp!GnFq߮2O*،PrH=yrC8kE"ʥi1WՂ=nY$q8"ͧ8Iỳ2%0+ _}ZSYյ=n8I㲑X_-lk:g{N 2[m˖$I׷ȐcZShqסo@%\<"35j aVt˱^!C?-x%O~:Y,`qR?u7M=pDPy'?Z0RH1o @*qM]kDWpŻ5Q}|p`&>Lߦo^h۹lR2AtEJPh7Q¼p/4wW[l%*T,Ww <=\z8 sz/zԏif^1YщTоFG|#@5anB2bxUBf{>(򤼠1w;rH؞ $מ<gOä(=BgY}-J_D7@ 'Gg.`0>-Hc%jr&R}UT]À BngXK V KER|ѐ \%ۑ/uAo&ICh!AޮPяC– N~phbmIG 4궗!9Xcޖ")Ϩ8C`xfKw {T(Qm#mҾuqOA:f QJNX`zâh ea 5d?h)z5&x0t 4by8TZnk@Iʁ0-%s /\y];[m{l Hd@ ~ B8/" u%IGVB(<+@RIˊ9c?=˘K8:KSKh Z.Ʃ_C*zT%Npy_kOUNGSwCuT9e-BOԺ핮ugݡ:FŪp9! UI)U廌AQM0cl޽V[ S0Gb=t(x{/i/f',2 `~^LQOW< ~\Z> stream xڽZYs6~ڗ<\$ڗsTRQFZc5Hpt7_$[%c,YBę4ֻk嫿~Ԋ%qdluy=^r5zsߵE}BDWk)U.).<㩊2}W^[)Ο)|B(J3!`~waDtL,56]YlDauZܶu[r^ޢ>{3pʦ%ItCHePWj 3)%Jf!?ͱz~o ,1Jt ;w@G0Vծ#_loܿlGڿr>hDI ,Wk}EKu]I(^cUn M,!4!^,A|bx,DzgYf®PK22KPrDƩLP] 2T__r<" 2\?P1 ܷuiPiԮFS-;$|=*>ѬA@%ttmQۻc6[qrtELd y{k5oOO*憇/9k6@o]*ßݴpUvU:{v0KGHT 9{pPpג`vqGz;PGv!g6?[FC ?YatT;* d JZ?[t% kWc={#wgA) מ6vo'0fMD߾yv/#~%hgA@Ŕ Gw:6{ aW 8l_Ea[A|w|-9UId. bxBMz̥x Rx/rOMz$fh>7`B>dYtݔPǞ;d$ =z;gO;)G*} !lj`Ulgc/XjBzrӟ5e'Kx L8 N@%c%(*,5gÍvH?+GpǦ<&A0v]hMKd?S #]_eWY ㌮Abb͉^?5>+чۤZM1>"$3RZѬ iZ7~ƽڸ1< iN8QrjRp<Z Zp ؤZ18Ua/3)aԩ#7gK[}-A5('ۚ+u!aٴjlo<'d̑lŁԉ~Q{I kdi&N eF|0Y1re~FLS*7+6(=#ޘe1l_ʸt+Oklw NKpIw[=ypo'. uZ9ZѼJ~uU{^M+|x$\nn;,W_"ăpNnqHTi-Kg9l;=tkEniqfzpCVWvK=8$|IePxhJ` BjO%<3ؐJ?smY6xlL#f"򜅱Vfr e,* b4n]ѴWkoWXG_43zΡ3oP;E@p1F9}$p{ԦshlJqL1J<#Zj 4?y 5'utu!K^D+wڹن,"A3k7MKe߁iT/LriRioH7;%ͦ,3ř]:KLnCطY+EUϒ*z$P CKʀ8l:67q D)I` RCMH#2peN"} H[9,\?7畡i4]~; H_u Ӎ{a7=H+%sE&|M&_QE{3&$hgH=F髉|T L}t0󦓣g咉M7 RQ.x?sgsH9`$iLsf;6^u>LH8X#:%Xz|pLƚ$: /f9Zh)8y <%K+/71C5(סuj3~GR%q6q2JVw,noND2E߈q!:^.$d,/0< Oq!b1B1\"^oǥ#9T`QdaJy2&]=E -ߕ|?||{ 3V endstream endobj 1095 0 obj << /Length 3547 /Filter /FlateDecode >> stream xڵZo߿oUNE5IчE[XIr E~D|8#6fy63Bݛ̍6]\y9G~JXYf׷cVues1B$ۋ*,o˦.ʋ9ϹQIn.>]05!EIOL[2!ia"o]Uo/X W/ciº73z羮0JŲ-nVlR>!:͌Ls6-S)$S.EOv~ёŢЂg2I$rb͖QrC|X|\,`2dljA`],aGb}m0S}j;e1C >z<L䄠ॖ`XIUIW,c XsSX׵P>0R9Ax4IE*`s4O~wXDXSΕdlγnT.;'qu PBڧx]IJGq!ut "[%+OWXĞ:LI߭9=^|x,џRy+Op4N1(_'*t2gUiO}bS.U5&3pնkQ3ܲEɸS-H/-xK!bKOͦu zuZz>%J2?QP<΂#CSu]P}ۂbϲ5W]O)pc[)(dא8A$bps{zCYcKa;^8[$Qa]e5jg\&_Ҏn+qU58p:kiޖ4v۸ Cv "# G(RuRu4Zpt&ɁAc#򴥟 8!,"ni zrAXtwo=,;;6{mOY~[GC\okW>40S gBPuk54@@}[\_ci'S욊_X 6Y62ٔr٦*Zqk <$NzqM[SbǠ5{/ R\f RӋ< >p 8Ȳ}[@/XD#]6C@WڬHbg($4xi*᫗ʢ{:9a5NCgƌp#Sk'Cx GqTUה%U\F![}LR Glֱ ]Kc(i^o%_+> 2Jx^"?5{fHL }nY6ΐuՔ`~.]OpjR-rQI8X7 j=Z@#a'Ľ?0$ &tAERo7@3(K!S PP ;I2SɻkZ9ZZqC+2MQs4 _U;_T{QjSyRbDf8'O % };#prd|2CɎ!l'HIQ㰙)eۘAE^p;LnOE(YB18M@ȳ8ؓI&A ZyܴzF!ӅHD<ҤݺbZ-UtH ۸od;)d_"$"85QY#N ߆>? }ĺ,AD˟m9LX``2Lj%jPWBP g"Һd3ܺB.Ra<E1mp> stream xZo~_!\ra@{<(u$Ao()'Dڕ̮Jƙ 3,D&8 =$&yw6u4ˠ1O Iti2~ADG&& E\\0>Rf+:d{&^edP]"씰 rpBegrK qHpcWLfR!`@6YD1T"rJEtWѝ)(.HXV8][BʃgͫiOՠy1[/^he~1["v g#G\߾YULF3\W?_˟ff~fiʾ}lt3|< o.oLFd6]6S/b~yņ5 ĬQNw%g2ͿQ gۛ_B=tUžKBch;e7 .h{Gw2"A6@^+ \.f1j˗y5ce^{rnO!3&>"*qe1l# /ujf'FU $Yk'j I8ҧ[tՊ[G$5]w  qw  =d韘 viakQj|lRP"֋"q<*te'C]CK吭yuS8gw:4wzP\bKB3"q(z#fn!ƻ{Ֆ rݲ\i_ni/YْC SF?CE$2՞ /uӅy|Eպ]f{~s3[7/j9RbZ|8/ B0===Z0G# ᾺLrO]Z]ǩ!8I Ѧ MT<)ʦ:ӟp1z?8nƷ|b&܌fٴ@ܢP7=FAYR?G={P{t: Űk6Rn}q5}{b;?8EScdTZ.yJ^У'bN.HKȡ!#˦ȕ"DDi@VvIߴI!-)9JJbT>i;냮RId ~ۖp Vg*^@6d@ pD`+G%@O`;R8ўfЉ3U"~uxn4n^%+s}}| Rx @tv|-/=OUrB2ةF9#_fw@5zrz(z[":L+lN&+=ɿ~~ߡv ;瞵-s:{fɏ`@U/- /o*zЩY,Ǘt&܇X fۉ-jh?q endstream endobj 1101 0 obj << /Length 3728 /Filter /FlateDecode >> stream xڭZY6~Prv-x'NX{ڪ$HeJTHo7Ks@ *\*Z&[mOb?Vx0q={X\KmWGԹfo{p;nZ*QxwVVHμ *1cJEj*Ɍe?2]'J$0ӬrnxXoSWmnT?ZϢ)/]'5y|:S/>7o"A&XYҬV2J~!J;8ڟTćzk@¦&a.~MqӕFF?nJJ[W}3{N;޳ \JHdT0{,u\}$)`w44D6ͰZN4cېZ*={Y骪\ =8rD(=M/톙tެs,IQBY+_= *3lH3R@/ޅ)3$h(yq™61 =;@"$>$ǯ. ^>Or$%F,kRd8W/-NzBLeMxf0 574F V%bKΛ,'?Ypx/&ɦB8FuJcv[Gl< EKURb4~^oHYf[)yS3Cw:Q>,7go5)0&|2tLs%{\)^) ֈ8N|O8@|(7|5J 7$@CУFQZOW 7SKIN񵔶 ML&5bQhp۶cq)@Z¼}QÍ2n5=/%{;3DO6cp"X4.얅9;1D.GBS)lїL? nj^a߃-Zzchl@i:&"jHEf_PDj~= z4b? 6J n C̆Kiшʂ>\-0pk0s@%xcls<-%mKP drIv8;[K1'w;`2`;_b;tɁsCӹ_g+d Jw&r\*] Nj<F4Ů/unç':M}h.:5 -[> stream xZsO`k;d4z$$DVG)_@_ Mw{{ bO >JDxb:^@7QNUd.:NWUV GJ~3im*+8d"dF{B;6dFA4J-e.E,1Fⲑrӊ7'?\zۉ4F$gGjwdJ`$VgЋlJUK|Aoe4i(merq,bf"S^pG -lbҖ*1YZr<| Q̂#)kYODE,6 Drlh\CcSPYGbRriȊZ4ڧ␯6%,fΘi()8 Fҁ!!l\U{[>U3W OG҆d' w&$xڎ4źcA6˱`\D&9 ';6Ϗcz2)L]nrn8r}IHeK$[*ۡ#(tx%лhY]+Mӭ dk3ظ9p#{}C-etUW xQ=*Q#ror#_g[bM4$9Z^Ya%.Ή]e[v[&=,,"/PciUꪎY db P“*tn`*qeQ ҃)8,^2. i"kbI7z\b\z< m4Kj? Sz?@ ; ud:!`56Tϵqh4 F fv?vʥN8ɀ##ݚ*e_m;1f/Gj]>bo|t3RuLJ{A"M$ȝEf, QEp}[GEI7.7!u""PN""4hăv0|*ќjIt.&$>`撀tׁdP3{4Z9Ň@ \`6 Vn.J@(JB7f&$QV@ _t6*c B4}Kr4]!i/{/XajDw`(%pEnC!=3e:ius  uJT'A;RV:[qo5vg&[ҶҕeB6S*ss{aڵ=J Qe 7U6"fiNctru oپea}_nJCmJ*- סp$"@|NkbPGMBA 6>F?%q}:Ǽp.4I. 'W=^=sg! Ӱmy4 |Oy(}EwCӏC'7*!4r|V:YH4!ܭl_+mQ! \A: >8eqԬLľycˇtM]s_u=r#5{J\k33oes=#70 Foy8㘛n?h޺塢S8¨S}sJ k)Kj"81:)`A WCh +D>PgMWCB3 i䱚=5.!}R4۽qCbzJ7LkA{ I(ހGf 7~WNbRi_,Cc@oѷ/+O&@7ҊV_| ^FԌ7Cu 3{~mA-h3 BB ~[|);]e<臟BNhdB-bR@H!?kXJHB/;݄ Ecs)w{?m %2ӑψ~>\'="fGV9q;϶;r'\!a{(B PbojqB\HgG'tEmX,L79q> stream xYn8}WQ^˾x ;=@d[,uI["eQzD@gkN,?>Y(%U4[/|ZogT0p9?k=>Ϯ6CQW~ܵY=_J)Rm:+|)0\g*#Z RKEZUeTڻг?"5vrkՆƬ+P=:ˤ͚4kKU4%- nwseTNf]g6v)wuuSd{˛%/]RK5aI?|@K%~3jaF W`0,[癭]m{5e |ڶ.L{w׵Tk+nҟ.Y5&eJMF:|+Kac@spUJIA&/-;2G7H0M*ydfAjg4;*6kZ~zK s:3$%g6_>e k\x7 :eԎT=1NC1MĖ:/$h`xr/נFBEniE}(9΀"9k,yI&-oarĹSDSwa1סkPz) ^&hO'mN `I yB(D8֡fTtp6M5t"MTy *! 뚌Z !VLKMk;%YՀ u+Xzep8Ӆ^mmSW{crA(9qCDYznQ+U9㹋 ˅}BgLEOs"VYe Cr8 lK*9`?]FJnlPdh#p- D]x o` :imZvsPKmdͮEAӊ h2QߝoOfut$ߌ'bth-ivr$f9 JEG."#ҳ1-=&DqW,Z}e4cК\+;#"ϕCZ,HN%iH0&1sV)lYtA:Rنm+Ԓ}Z~oWӘ*`sG5IhwXp)p] {`gtnvm.Ѽ?|b %ܠΞ?o/Ғk = ,Nf~&pbvy/{>ZS qY+b &^K= Zh, }14PL xfFy(` x1GvX{z|s|ᥤeP,rhbe ά3^kYHD%ynN>+Qca ,c9|v̴qgv #ts~}S:a)`cG9,ݠ7ڏ v) %j@{o AgON#paҘ>^8>,A fP'|Ȓ)C9ܶ12d~پIpS@:)l1 'T/txp :bD&Ó%nG5̗qHҊs@I^?Gw{z o Yw3STLqp\gu$ em'<ؤ]M/=}lφ>KG($DşJkHYJ dPzq!T8o3`B )$|\ H ?t)J$P@F 5uM-`/&I,FK{ixXz, Z$\ILfP^1/2"4 endstream endobj 1111 0 obj << /Length 3500 /Filter /FlateDecode >> stream xڭZ[۶~Tb 闎Ӊdx/JY^dܵ{nEu wGm`E_f_ jOnWJvq~/d ;Η;l>x;KovE8~6GcM7]gY@m?ꇻq$ PRf4},هw ?H#INUJ9y/ڙT3֕Yx{3~RԟNe~1e Thf;2?t0|h˿{m<[U<o<ۨ@]yjt?XIy>SH%0) DGVo43O'jud3tesf,m˃9e=/ 3\y`'$}(./I<0dAZn>AMFq/0) `z?ow ֍^ſ+w{ %Eþwຬ9hU^zuӮ=Y}9iKԎZ$HDp@i{4d'A#xs4ήGT NDi'I-kU?LKBD*/(jrXD~f߷v8@Fm.Wϣ8Ibi^~>>n׵2Ƥk~1Y8rIrhV6E*Sh/֬m?,8 AdY;y3,z|DϢE(Ő IeWv8 znsKIa/"H4@kl^L:؟2+칈6yFA"L:ҿ[kG 7(+Ի]AXG48 Q.Xt7l-.張HS4s <9Ie*_'AQҚɭ ,V;$4ܢLY80]nj1DAb逘;h0ܑ@\;d.&Ďr@t: 0iYV) F:$gYάHL9BcHּT9rƮiwA]!N `{r'0եPhs8MҢ,NP=l-rf|q2i48 `ʤGA4=GjWL_${wyL! Anm(y2y랛a^ XtIA0Eν" 9yȹUs3}_82/ 옻"P}M`V>IRS?oR}LDj?`=g$D{ԍ9UɀM6 XQ:c`utw+`Mb8hQ0KGmbCp5ߌmedasY:΁Jr3i{f?㎬6yG$ZX%-~B !S-Y{fi :1 ѹFdd(ra)XTr=UGf=/ uϐQҪvSJ=) dTodI)W$#ŸJ$ C*'G]n H'겧  R\yך-3B=$s&jC8\!Tx">\;sK -e?\Zm/ar_I0x@_Wg,[;m2;hs~"V&ded "̒j\A7=[F=^6FSQ@_ K\e쒯U OoT缾_wM3J~a@:~΀ν&3Nk5b"[LvO 2ZI)u䥫C"M;ඦx) T03O]Xaq|II*v/KP=(/QNvnbVN9Bk(y?W)?ѳF4h#gk޸_-I endstream endobj 1114 0 obj << /Length 2957 /Filter /FlateDecode >> stream xڍYo ߿"9f}9l+-pC}Ќ53B1gɥ}#)'DQER䏚&䦊o4T;}3u8H㗟%wGw οȐOy`ɰwۨѭuxҕwrێUrꥼ"nYQ?'\>uYhei\-K1˶$\j5/ìxyP Na>x5y3dS-џ(EudFV]9Dh_ X88 kV8:Ydgɫ#Gpf)[;jtU򬜢jVG÷5AZPOPS`m#_=DFu^-х5 zy;L^\4VbJ5*Rx·4c3~YYfzZ%X|>?Ŀ딃EKƖI}l|f UU #Le-s=%ճazs )+xbC!J8Ч9 ۙF{$5gjSI~fE6MvI jk3x` f~&s!n/Cu>IQj 3؃RbrGֺ󋅋9tD`RL2N{)w>瓻 9 H@ȁ #[Jc5|3} 1LcU8rE-ir["Ont$7,፶Ӡi+#}pN E5eֻcǑ)I"z8Yra8|Р|`8Hx-jjX  /σh'_LW*,Iה#\! *,Ed讽;NdVsEJR+,(<eVփ@CX%R+dg%2rQF|ȬRjd%r'Ak"=;O] 9(K| ?qa4S`C9sohbu-^؅&Y~alXRjKa=G^!`y(wǘPȳ%dPLNKhz)r_|qM!GZ6!drBq<3U%:5ΌoF }wdȕy =Inz$[{d&A*|;$$2៵h}yɳi!=FIt1!1#z~r; j99Got(RJOkk8M E?M.Ah* ( D%2Rkf5+I:]Bza5#3HtW33*?վQZN/_Dݻa??$RO xWq c<|ˆV2'g k%(0t6nxN>H endstream endobj 1121 0 obj << /Length 2881 /Filter /FlateDecode >> stream xڕَ]_֎Nl@<pzf1SWsH@²oDa<^GZG^%ᚈAAB 'duK*GKo? r"; *Sl普2 6#N*I"I\f#(dCYu'xUm JܯnM𬨴.;?pjg |Ѥ@7x:|̍?hM ũ̟-}\R@mۯH,l";6C#2.!D4hy-rvL6rω\>;-"BdE*A;]SaB.Z9!nzuyq%2 lK_M3Te65_*3@U]ӝx*W- 2El=1 dRǢoÔč-k: @+Q㥙keYdSY&y 4{Y sėÙ#E>%?΍MHsO9/'>9k୽+xJqBO['/8КX:>q8s & o!7"+T3 rZ>`q4 O̹^4pMxGS'8{2˖2Ma.vT;th8CN{zaNڻ5fa{s]B(IWNbx3ttT*|/gG#f%檾@M2WoǺxy:"LD#K*ctɕVV :e<)tTrHo*T"Q;~[;6 J8.8Vz˻Y_Nyz8BŊɊTpk <M'z­pd#g0Gbl. Q..RK6{$iW{mo&R,nMrdq}1aq8+?뾧 7uQ;r悱~A]Zc07VD9ZV$ެT(Hu!~tdA:ܾ; 2w$HX.\2=j,7/x]4?$u#?)?oX} $J |N]|8 |ABDB, ˘0$jC܍ #8]gt}UœiE>!N,e7TCt' gڎQ!fe7`ϔ$"ɥ񅙄UԜS՞/Ih? kVP Q1YdxaG7d-a8YX:6+f]=-ڹ+@?w 3 ds$xFs-fKs3 I]P x-ТP۰J]Z껙a KȓCG+,0BӉmeJ kZu7u,rZS /{ WdN&@1@%3Ol!#C#̩{ri KfWRO$. 췻ܺJ=ÖpИ;#tkU;FلmkyQa:FCܔ{u[ 1ƪG91WԬ^0Sjs-.FϛB $ ZgҌ"ɒt(3/nXr^m p9 | `p/JKs'H>f@"w> D{rvTj(283Xa,bc@ n0OwKiVL;K-^ Ǵ3rkƾ;K.4~Pȱ6 3-Z1&T%RP?r2R.GxBnbaj8O2"OalfT"hQ-Az!+1]IzPc6i/|؏#tٍ(ʜۨ Ztϑ l`'F`RJɹ8 cxW5aH礬?p99䘘,~0l}?==]pA{Uv2otC'/db_sHDme<8;t[)ZH1"|zZ*ET&}kPJ/I9 w9o1uKD)uU4q@6[b4M?SL2i$qD !Tƶ1hoGCegJ Qyq~[(ԇV*I5X 鹂E1 endstream endobj 1125 0 obj << /Length 3107 /Filter /FlateDecode >> stream xZmܶ_ "RHm4u n V{F+]wިvu ; X\r8gԩM&66̸Mq|lw?RB}MlTfQ6sVvׇv(mǁ֘$xQˮljI"smbLY {L]ܳVJ! X fOV,gcBI e( `> _Lm9 uIvdC~҉i1.ph~<<۷cWeRdp kOb|Qɍ؇2@J`w]5 9 ~ 4R@fNfY0b$7b+\1G: ~8`d`&,>p0 GdtwOEњRՀAVEҁ.FD"LB#yGđy'sY,>OrmTG%v=gT(,#n`ЎㄣP>()UUu %;E+,J^ |?RRl\U}p!Z9lʋLӾ@xU4C)u ]fAPbӗѬw:LMRĔr~}=ʛi$h}˶jo"%q*%EWbP@YXBԒňа͞wZ&\>^ajfUywo|=<0u%+DS RB8w;]j磚[ug K\ (KQA-nrT^]tm*W-{OQ"rĤIea8wM?#ʷk=Oxۤb:dbK+nIp- /U@԰|k99 9G̼~wJ:P< 0`/@8 Ay _&aNh"B8fz)_=n`$*̒D#W)G0Nh88ʛbx&  -(8Ύ*X "_?b>KgRk9kتq4ɥU!Xq:Lz|/>ۛo=?8]^@]LpoN9^*{7blS{V@jixmB~+Npzz ``@%PAtuM#|B ?G,PqC5G[FP hh[tx)a|U0WZʆsxn< B N4sC"^XQ.4taOu *CB}L).c@0fRj-ڀivP5u giO6fZ_2;sٲ0;L7tlBAW׵HJJSl T*xi QpF؅ֹUϝ 891%R,J.*m|!0l]/e>`o`LQ hI}C^ک]QKu5- uf 8q'=qpR>GQNRAZyPPC'),QAIlf_2t3~T1ޗ@Ӎ]Hp_,Zl! f 9h6v~;m,}&I~%J%e[ǁ$YErgpݪv]n,)|ۑh̯g2'"m0CW`.T [U&s@?B]V\(MzR"+/Aq |_e+rgm="\^B$6TRr7/ ЃG2"w kvU#&o zi.:"_d=e]!oytUsqoZqbcz@c{ _>PcSGkmP B#+xTFnX˯gMַ2k 5*+Fc#$if\ˢ`ږ endstream endobj 1129 0 obj << /Length 2604 /Filter /FlateDecode >> stream xZoܸbU. zC|@\`ZV Jk9>΋W1,^RLU~E?a&'3y^eqW7)S~:\QZ)}[تWkaTG/KWpiR$]7(MiT,@ ϒ>) 8StY@Iv $L2eXX[;Pڮ鋎?yK>Jk@p#EtlV:KX3OquS+ɴAA/`iƇeRxZI"J9HN q|xŨ`} ֈ !`8ݒrıV٘'e6g9┥y,!ORUWi2 y TzZA§K[ڙiҩ_*Ws.T/yFBg|f[tCWw ƃB<GKmG_w>*#hX9Zۺ 9GQZεޖ,m,[yB?6u<6b'0Ax߄-N]tYv*HU⣙"H)~yG\mq/jʭ"O}"lH^[JC@ó`܅V[-,Ăp {9.GB7t.C@VUW]yXR}H5uC$uHHBb1,k7u[ù s{Uedr-FY1W3s$N)'`{ OsW xJ,>+`Ƙħǀ';!iɴs:ILC^1dM̀E9RpM,u7|u}T^۶bzL[;F蕂;L 31hhi.p4S,lDA.ĭGp%˄C:E`8\fn~>\vuYd< G%0 Jܬ0~+m_+Wh=l3™BSY6o۳Li93JB"ˀU'LB.8xkd 𐉹1VJ%X HRVC0nfIo=ul~'~|"I3e^Xp8xjU{HK[qm iBj . [Al )LI#0 oe;/ %7ly38~LG]+?҃(K*&ijA>Ш@yo7˗T M1afy 6MfHJp&fI`i*q}eB;H=ב\HHGk[UG[SHZ=ՑW,,/8Y8٣sKŶa26ڶ*_a`Hr#x>~v:򲷡;6]+B#jzKV{۩=X# 5EʘlNz!a?:rȂb΅. 3ef;TF:ώ&n΋Ae!flZm{7d ]\ μTːPrMHrR+uI5`+_HA~:xb.j_/Vaq C؟R_hkES"fQ윥L'YCk]ݗhDž/W߰M!2L wFF}/y#8݅9~.DKp4XdXQlj UEGWnEV+{jwֿd]h N;7)xK5 YӴJo3.ԻxUVOpB#&ɮ󮻨p%iTw@$d3$;ȗ ׂ; t;ဿacxXp8oa3Uo%H+$z#ܤ\rizV"ۅfh endstream endobj 1134 0 obj << /Length 2946 /Filter /FlateDecode >> stream xڵY۸¸/+1W"ס-!6nQ`h[8Yr%6_H\.k><~CE"R"bvwO"[jD8^DL;ݷDi֭h R8sX_(]OP 43ґS$ p(-~xxq}`X My#(j8|hbI?t}ʆrmZHbF@T589bk85<8cu'J /0ҵIy4u1 .?՞emWk׊_MQ,JU$](%4㋆cUvOűD+l`FA[4? 2)brI䑝y]xJ𷠹[Jׯ^~Ws{J /AIY ?>ND`¾@O _Dj꯬%?(6GDӵ߽VS :cP:!dDKzlNg`?[/NA6?^に_)9nt]փpĠyu[jS!B^-gjKZqu gKA߼O#1O( `q=.]V) S n*nWu]_>K4SE^혔~*Wo>{H-SQ:LLuؙ{mILeT_>#9gRDb$㫑WDU%kk.2IDkdDgs1o(Jps TY׀|PREh\I .ƯK[1wm:fQI:r+_lS<8fKkrR$<2]ho(-_Vod#pVLoG<4*j,/4s% endstream endobj 1137 0 obj << /Length 2763 /Filter /FlateDecode >> stream xio{~."(:-,6~#QrEjwͣxeN`zoޜ3|Jzf3Fwfx3aἳǫg?zY糫U]:\Jؿ]̕|r_̅V'ًWzvyu8)\yV)U3Tʥ".H h|Kj,/x$,%*bYl 8?þ+q&[Fָn@4]0q8uM{lΉ9)Dv7ǬʹMt\~z.QMKZW_j)|Id/O^L.LvGۖ`HB`Y=E0vUMuY_dԁװ# nlQ FpU`εs XF3ˈGeȇe8AQtR o޿y]:JM͖XRal.Djw/[$z:"⹴NȧeaQCK:yxSݾ{"H1ON@r ,;nXO*:P|JC\(AKY̴Z{6[$pkaf&Sbߢ؅gL]t ]h 3 tS|:bETȃXn|y:;cradȻc.R`^AI[aб`evǶJF(븞~m `[s09 TuPJۂWس2 *i> ) y/r""Dp-nI$+nH:^yt| 9zo+i=QeCRd0R HʇQ;U 6|(h𨧩dj@YVsc)|()}(|j~MOɍM538::6Mx+TS`ZgcYP EB1඙" 7$hU;-k@kۀ6',zA9PPQ)xߕQdXF(t}}->ݬUY8*4Mpn{Bx6Lc.߼/|QIh 'GN/3..A@, q&`8@.t;ּe55WU-E0qUU4$-BBJASP!k5(%Ry!>oB=E7hW 6/7.B`10|%=hsz4X=`-tl3³ {RUXA#$ 4(5.cS#x&#-T\| @OB{h~= @8_0=]7yr"!o_:d1-7af%,dM:1^"+#31͜/&y ic\G嵻 . }̵\N6m :o&IYF{M'Ӧ=9S#j YO{ 7]'Ƽ"x TzĚ J㸈r5)8U@ΐ7!^nX;f,ehpJz&j1VMt|4U},mmh\4RP螗6a[N=J C-CC}p7E7PN>*MM\zR"*ro\l.HD1oNdBN$$L5T/cIj@OZŲw(F߫=z?I){D'C+IRl)ikw;gF_\=کHF)&}.T) 3i}C>g`<[NyVC$LYh˳xjvz|N{H~$C݄zTԍ F[^&lREZWl/,&_1e@߀/JʠrKb-ztt.GW*`Y{NFd ^*g#l$ЍN Z.'HUT VNC_Mu| r ~r @j PɀZ8* giQ }O*,~9TnYT3;DwUYE5 [fT|nx>^{eLC"[FT!V <`1hA9R_f4v0봑#^P endstream endobj 1141 0 obj << /Length 2484 /Filter /FlateDecode >> stream xko{~?*7(n|Ve3$%رE"Yf8M(IJ'FJ;Ψ{ZM/?o ?\}RFIJS6킺OCWS!Dbx>R%y|ʭ1*aԞ__|vqRx(̩Ux?V&?߳YU^#bد'T)"/P7.yw.nv˿4ah^*.xIͦe^CЄ!Z06eR HL{P4Yesn?(ι#?q,)7æ>uKyzQ܅pe b 1Z/}Xr+ۆMlp#O#@x!rlYH"U{l@qKaf2PTs+M1eqΒ=dA!V.砩9qz9Zr{*j3y/eʁV9`$Z9ЊPZD3ޡkAbCvrmG!E0N4l",[[Wce3+c|JLRQ"1h TQؗ hl} kBUD^-&CQEٮef[. pI!,EMJޯqn*s/a4I̲2]uGh#9{7=^d4Ո/Ki:F슲q g;*WC)xD *}8SI)r&߭ -`xX_CϜd< K*L~S=<[}8N $#3,߂lđ!`DZ6^lq7#ڧҧ4/<`ੈϷ_y >t] zӭ,$[F_OE9Z" cVyi =-Dz]r"9oP2=qRV*\C,&иfXֳbY #(g>v!UUV^2B)2F(53e֧>IE&Pij7v`RAǠ4w_9K3ŒI;X/S3Ɖ]9':TMW}ic>A-ocWmHO ~|ۉ"GB_u$mlž"vN<]u|'n紲aNx =Q>+G]CY6FE L1Qw!FؿL(Hp#曘Y0߅qR Ơz~i!B@]Ǐw 0Ũzxjo3mewx7>ݕr]I(f3]H;L endstream endobj 1146 0 obj << /Length 2109 /Filter /FlateDecode >> stream xڽYmo_q |+iQUAP"tyEV~}gv<EGJ-|yۙggV|?*YEgۻ  n&+3Y]rz׮7R(nQJGoֵz#$^T )J%L4~Netl5nPhV31)~ ttu˛½ߖuVvOreYŰXAJQLcޓH͒!$@oU߯b^{J2o΄K2 :sZ1+HזIeϥ'dE&܅KOY*<8,.B !5h6wYF\]L"3Z*;ɛuyOx%s|Jeu`+q5"{Ǵ ٹOL`;4 %8ٰː GW*2|q9Wgfm9'f =W8O(6-#Gֈh0^ńqخ~@o<]Uek6gtx!57B''MYPVC?{ԴKQ&,#Kl@KҔ_bzЯ]ϐLEϖӕ-JMXl`ZKT/Y2szt+dgb6; a.'kab;W$<JpInAFPv# qIW1bT7;wڬg^_yyEs?t\>8?Z-4I(&rlGpn-?wn+%ҵ쉣/ҀO4f̈́|i`ƔTy0p Y#*8ݍo1[&0 *IVOY6Po& ͙bz?A5[776UnIVCZL>" Vf茕wWZ|d}J#P2*55>C %/S᫬TiءFL2ZӒ,?}y[V^HڪtyVPv!iΡՒ5e(Ꮐ̀GޫjY@ֈеCPu i~:_>Y؅swtKo 2p6<7s$ǃz-(DǃdhJyıԎmH 3H Y EJCTS }C]wֻwAs)9b=ud:0Qo\ wtW{zleLDRWBO-ht*h{~܇K ,mg %|$>Ipiڴ //su۴3jpԥ*%aU A` ?4275U~뷯QK`?Lu9U(p7tY|q ĉ>݀ifdD4܉gIS֐Ձfq \QzCB>\P5N з( -!.l7nrVvQ/~^Y9YLCR8-o^L8t(u[%g Z<=grz endstream endobj 1151 0 obj << /Length 908 /Filter /FlateDecode >> stream xڍVK6PoP)^]I=)ɁkZ2(zrk 5ykEO$-OVe:xCOe-4u"xV$}R:ofv&Om?>ENt]$b<)լ\Ӭn MےYiA4+W5O9g7 ,9o }.h,&exKņ ܥŚ}? t'|JjOiuQLW̊MS4Uz8L!)D$hrAn 2)({~ N|5?[wSG8Tde%B>>@xOg9RSӯ\}AW9F|8|X׻7Qq1.=2Tw#iL0 uV Jv{Ϛ}\ABczE^D#&sywRYϓB>E71 ]$zJP -+듌 xci(D#]EQ{XWT i0rT0_ I!ܢS }NC^raL=ڠ Qf3XpApԃ:;t3=ч8T`P-8+!IW/CI8(pY<;KEҿʸ׼GzAS yr4Oõ.F-p- C"SQ^W D0L&%єr:$'E^ w.zgʋARݰ@ ZMcN๳* s}xC' =ZHxy  >r^]ws"j4f3۩q~jy J:^ZbyGf endstream endobj 1154 0 obj << /Length 1322 /Filter /FlateDecode >> stream xڕVK6 DDZQ^u'N:z$YmUAymGi  #{eI&z;3ͻoi(,{Fi%M}`s_78A"x< D,foTm[5:VL\QIcZIy3.|GdQf~vHÂfB b;AQ0e^9X~\'Z$iub=k1BBHP[Rg-/Γ.>?eAO(k$ORϙ!qI)@jnBF-?F\|y^aKoI߶C]FN=H.~3I+5߷GZiY]`3"J5 wG*ևh 2uؚvQL"͏T.~"5PГiμl*}x zz)ِ! mUh~D YƒUxJQ YzD6'q,'%26}jQ^ODžЌX\6s[tpn0L P0zv/R3,BG!X`3OQSa,+aqtUǜSk1tcͧ\Y넒4iPe9"yT\B"lDFVVOT t^%,x57jb?:eΦ8[ym1"]O~bΫ'`,3h7K$c۱` Ƕ*}Q,Xc/~m+tj/2S˰8t ÅuSz endstream endobj 1260 0 obj << /Length 3944 /Filter /FlateDecode >> stream xKsܸB7ɤvIJՖV-g}H/;IB|c HW]lҜ+ӫj߿^w 2四WN,]|XNU<M%,$Yt8Hppw7$tqƝ?q%na)1Mp͵ %Lp39w3 ܞφ$>!pXpI#G\sW8WtGLb%9 .p9++p2Yv,ո}JXI΃`qw\wRۧŝ0<8爻ppsK8'?Y`&9 7y.9-+>&p=YłKr\̘s ;֎V;YłKr\ 8sW8W:MM%&yT)aq'9;~9G܅sBfyT)!qgr$x79.+FmOB&XIcsp Vi=Rh/\18%ִRh/\g#灛)5VRK8Ǎ-$&'8S68X63CA /^ҋO/9!4L.pb=Ew<ה9'mڥ!]lpcՌqEʍer ]qb;bГ$t t }6͖0<8zy踌c@?ۋÀ (|ׯ/2X.Lce0VW}:ߐp39{<A:ܥsо_nwøgp#¹­)aTOpC)aq'9;~79.+ܪ#O7%؉CT}XIS󝡊sT 犪d/OnQoC{G88ܸ%ʆq_0ox[ΏvMڣD蛎E0}vEM$_ IrH sR8+՜h''vx\ɝPp,fNIs¹ tZ/kzV@s¹Ɉ& 9)aq'9;~79.+܂~WFq'6>%,$q9G܅sS9pq_3O ;ayqw\f0't/V?on?lwPvLz[L@8=fOq֑aa]1ьnw}b9ۈ} XI͓#ºu~-/5qV(@|8Gg%=cl ޗ&#%5.p7+|Kn|m[I盌 <n8pTJ ND1wul=*WCB VޥegĨS3;ic&9 0u 6@_RZx K3ayM8[GlӤ4-\8smƢKr]#gmti rAf,$1B}(֡+,,| -G Im#]ػn f4d!8[GlTbf,$1Bp]aF'QBA0.aty:CWX C3/Ϗ8_aъZ,eAPԯ͋k*{ 7K,ady3VX1MX\kn]?]?,mƢKr]#pu 6: K<,o3]!t8[l,Oi:f,$1Bp]aD'A uHtD7됶9H_n2o/饊ice>ghMRMe1i{U&!loLÈX "¦owӟFo6-]pE'RWQ CO5 tu0kAqbN0lώSEVSE/O.D.X++±=KN6?>}}y}?7l$9\9޾ysuEP86`خYT|F %`8No߼xo%41Tv۱f.8S s@ endstream endobj 1097 0 obj << /Type /ObjStm /N 100 /First 974 /Length 2176 /Filter /FlateDecode >> stream xZ[o[~ׯݹ08vhQrT:ApR#Ri$<}sߙC)@,!:+.Ԯ "تAk E9TV-q =g@/?)K$>2!3w@NR H5 .HT*F jh;]Woƕk%kn2K?R"[@()CZM28ds54&]f.cUKU0@:lwl\;i [`_WzJjfAw@ ,ER_4pIPKavFA/8 QCHB:K+X]j(T DD  Qc(E)b ⥴.0RPGxd_,J K UJ uiLQK3Y`,r͡x%6jQ1ުֶ*6(52hk aևFOCzXn( ]0NWw K!juHZq^RwH2sKiHIJ?zh0{|~~qu4;g9}wx3_W )^^O+"pyZ =q}"̞o?o=Ÿ> aO5?{S]oo|vq~58!r3b?AP^-կey;Hfshfϟ> ߮ ҈O~͞@եl./>,N7m介ߖ-'b{~ݶ,7\xT.Gd|kXn?~xQG׭]F^cTk>\=.K#kU_8rqő#WG\:ruՑ#WG9rs͑#7Gn9rwݑ#wG;rw~L۰Ⱦ _/ GΎ9;rvّ}%c);rvdrdrdrdrdrdrdrdrdrdrdvdvdvdvdvdvdvdvdvdvdqdqdqd?{IYYYYYYYyY9é1pꑑ kLRa3yϡSxTD9 mꞔj*Z cRDY82ʶ@Jc, r ِtCɚi)9ǶUĠeMO$i9sPƐͼBLӆqZ:iCH*ꞬBHpɤƗl7Ē BHJ9MB"Oř'!q]M'!*B,Q!KB$1ՉCSkKk͌⮑Z#2m1ڒpvG-ӆ:HmBl}NB~tÉDebT* %[o4 uɂkhL> stream xkoWT6C[A 8-lHoXupy9KPiXATqNռ;\';dV_uOޞ~xWםW_wv\?䟧/ΌP`TT W>M9R͔ #8uas~)r!;] ᨨtb5`Che 2cJWlnk1*T67Ҕ#LYf.nvsLT mP)GrNU[˄:"(#p>D'W.qm~_4.Aq_mP4H5S.u]_\mV?t*T3n6Ҕ#L`Lڲx{o9 Pr.1Ҕ#L혭lTG m%FDzO3ޣ@4M*@zJ Q9ɔ >R3ugƝc 7p͍Sf\U;1AqUr)TbRXRaQrtdNyv *TS6r)TONV>1:!(G3$*rp2s'T mƇ]r)pL: ϳu fPr*Af՞3 n*Bpin\(β? fPr*AfUձNZcOaQrtda}gI0J5T-M9R͔ ܌J'Щ S9`HS 3agxp 7p͍af9\9j1Y G(GspDDX!r3;"vLǛ 4@MT@33ك.M'0xaHx MSaȔ0 4?h/x9Hx Fh1rCٍ*T6Ҕ#L8U%BƠ{S9گ{:M9Bϔ K4dX'|aRÐ0@,P $w /ӗglz, K.~Rs\@DZ)\d 덎X߭^e&q w8㈡ٍrD);1NCӛ}r<hh1ra9S}}N {j4l@&[$t̨!FN2Qr?d$ʟ) :&r;.($&GM@*Y4@S h(OЖw/F`Wˤ^j(Pr<h(h1r1,T,&|r<TcР)|dE>aꔏeϚ;z9Hx Fh1r1!,3`Y/r 9D9)dEbpX._I>cpPr\19rS4XTSddcLp)$]ϴN)1\2hpfZ$xQHx $Ӑ)YRYefHd1‡ rHF\$h@J>\Jx Hx Дc2"b7 rIL7T'h$) 9`X%[wi-j9Qs@"rACyHW.ޭǿ _!*JMG*AItITȔQB _Cx^-/(_ߨc5h'FDz{) I[Iw:㬡UMT3O\vo;ˬBoR`Rr4OrD)8g2i>8Tp-l)Gpr똊re'揔,Ƞy d4,SΑ;ub?P"ThV&,q ,U 4PFAp@4(=$bv{嘰'חb&n۹"N5qԦ=Snǂ T ̕u$IGXDh:ǾH:^*A7ᣩ:~bLwX̮I`KT֩g GNUc)Y+ά6kd63w" o*B4U7S)|m?Voi*ǑBᙦ6#Q1޾͏ajP͕_Ԙj<%$I\.Fwrֳ OTG t)M!H(uSYG):2V(Iy,WǝHtqӧ|jz38S9:bX>H?e *T#"HiiXG*{Ã܆[f*iBk4UG3S 7,\oi*ǑB4U4S#) ^o%:z7J7VpC_eKthd;Ōs i.xOTS9ڌ4U6SUV1DNgtg|A9:_ķn f~tQy3rSsb^jFR9HlPՌT]F1#dB㌜oei݀e-z,r< BC1f;eW(qְL7T'AASuh(Dhx}fw~׻) 8H>G&v=P}+̏?Yii\qznnvۧ֨wa<യ>%#]ދ": xuC| q?OS3s231KeqfA]ohYXo>qzRLv᭤"぀tOU] !ZT]zp;8k$&8S։S"r!ga1+dex8Jj R9H>DU] 2z d\o oā>Zx[Hx8 )$4ULRf Ǵ,şW~=E?:#r*)C4UG!3M7К: ,uo#5 $cw. ŘՏ簮fA)SЫe =#`T]02W7ay176>||ۙxS9oULZh-`Xp7|_)rͺ|;3yYI7?! ?M;t௝ʽKT֩g GXTLшi+\ؚ1veB7mw>m0/n4_hÔ&?˟\zʋn9hT,q}r< AXU)M@d!QC@"Hh.b=bN'e/0?~otA$IXNL }Œ>5>jR9H Qe Sl\ˎ6/Gşq>ITu3*in lK#(#uD Xo?O8~OSuXgo,ձ/6W ̤r<3`}@Tui(icfd%4j0:e0TwDUL3<\3{v5=rrZ< Oc&>'l]}mCI)T%Gw]|/v.>0^@R9 z:^d͇̆~vܭiZw՟՗}8Зc+)y`A<áSr tg:4U0S3RWޮZPJ34#Q4 M 2_^P'{HMB*Ǔ I$d$5AX]߬f}CQ:[6>c~O6D|0eےcG endstream endobj 1262 0 obj << /Type /ObjStm /N 100 /First 1006 /Length 2248 /Filter /FlateDecode >> stream xڵZ]}_EWIfa7yI!’e&cRw;iHp ;uvTIZMRI⣹1pa$iYҁpBM VAR48H`h Ikuj'`xDll\lPFKĜ?%V׍ƞ#9RI)EuYyT(̑ 'UpHE9RiN'>f<>*HkjRD) ᏶z wOuw'cm (MA%C?_y!QphZ@ѵl5ƌ'lHV̭ 9yo<- G zi':'kӎ]u#ptMfPtS*OT|u^Qmb>ń\m<2! A?rb? }.uUlbkMbJrByb ;4lh=򠺘ud{ft ~CO&-&hw U2ń *bBBd4̋Sjh&jj[L)%zEk Q-hʪ:2IqO AJ|3sX@u~}%7zY?;_/CI|hiQE_.t9i>hć1NӯZֱ}7Xˇ6b)*^ǘ1dgk<׉=.'n4>gɾ>H?;Kú704km|3 K.yAr~4PlK?BKi|K6:޵#a2փ4eaɬi <ϵfš[ߣh!„BxRd+nկp- n׵ų\.VW\.ռ<($>.nQ[3¥6C!{λ|[S Nsk; i.Oe)gӕOa&kലO\n][$\]4Eեlwt7S^cKVR7O썟m.u?~?-}OW}&]~)}oy3cRE<~~^k۵?*5w~lx QgDB7zvjB @r#G @<y#G [ [ [ [ [ [ [ [ [ ێӻPC8 ACh!F\r 5k @\22222222222222222222rGZqGZqk k @n9r#9r#9r#9rgw2` VyIrv&qTK+c#%SFni{~'k9rgrנgy z=&c}CvgYEm-gs%tz:S{ۛh.kݩm--Pr8YƉԇlh:-Us{=VzREQTצ@[(ʒ˩N*C~̟͋S.qbwb%=˕7O,~ŕ.M1BR VcZQ-Sd )k3EA[Rӵw_fy[my5#y^XIh}(ziQ[;jЍ$-NΧ+vYo¾VVM4X+)VO7mJV-%?+B> stream x_o)(=oi4HT AQ[i eAg!nZ;<$vx';oOݛW29Pg_Z{"; O./uys/ϼ>xwt\k}9w/zvߗ{uqR̿lZx3Rqwupi/=G_e/R_ߧ:>/3 qT:'u܀|un{hiN KM;\4^V@ Xܶ>/hRҥs9 @V C`?nIy9I)%."qp3ʹmchlt."43ʹa0Ҡ YZ;n))."h3ʹ:;yx5R<?yVA Yܶ=܋iW7oǼlJW4@AsFX9 mU1epvs:Par,`(L t܀A(Qp e \^."3ʹ{႙S+)."A驘AW TZQre5M emds 3Ka?IqMp9MƼ03ʹkS\zHJ#j S5ra9 ƶaU ,턕py= Wpp@(rQPd3xιs eEͼD=eŅ^4tts^97ХF#ɇGd1ř4MLmf9mPvFx0Cb?TC1LMap9眡V5UU+jlae2d2̰e`:Oe:f\%5tJzxq(¬50nxOdݯWTfʦ3e7@N7 ib\& 9Tt{wU&k 7S&\ENÅ1/9gsWBھ[Map9M@眩V U鄓?tsTS\ENS.P9gsCssz7~x;]:a a yΙa\3af_ .pg1pڹȅբZo=(rdxιsӃTn2 e(r Bxι sS\ZoփENY9rnz0סXR|9Hd<܃ʹQwfbyMYq9 ƿ眡W t j-."V!&& E`m()^_| A~5Rn9]Hj<\ʹ釔bҏ/.^㷗FHq{Pt  <܃ʹA ]4hhs]97{#Џ۸SJ\EN/9gܕs{XsY;}Hz !m;z}8>+r0$8sW97GRBp^۳2 )Cn.IJ0yι sSq=,EV j@ ۀ"Y,4P97 rwua)J^Xnh1܁zA}K]GYg@uHI'bДOWeX4CCufXY7 e'(CjvC/Z+r9 &gU  b?by?gtY\@ENI-Yg@u ћsܓcp&&$|'|oMFᴘId0>I wB૥i7]CImY@2Oԋg /yQL%\io3N>ܟ)8 輐}s}SRy[%)%gQY7NariW7FjþIӷ}}<;f<R7Ά)wXv#Z=i$$&d;\ENSyrSvs;SJ\ENs75qV 60HF %\#GjP^Hv ǹq^Ɛ2-r, sd+GmUmAOap9K F#T)!}hR U ֔ lda*V8Y)3 %s) ."| <׈rđvRt4H=2-r,yl划5Hʠֹ `"r,_)uDZ;H}\x̃K iN$w NЅqaaJkY9H{my;e%[4Y36bF#NxGɮn;EZ4R/V8R=~%A6H׼ܝ2-r,yl刓UPnp:) ."| <׈rđJWaH׼Mp9MLF#NsBА]28EZ4R/V(xTt)&Y 'bLLבl툓_S\EN#Hyi#0隗S&\EN105qaz~\4ձ}rB˪iX0<5q^0wR+rs*GVqjȋeJ#x\#5$΋xɣ,]/Z`5kV9ԤhKeJ#x\#5I΋Exɣ,]/Z`5kV9D O `j29Im!N:Rqj}CvJ#x\#!x(K˥V45!AU85zQ+*r s*Gx@q2?].YV@~1e6y^h`GŸ˪iX0<5q^ ⼎p?]/Z`5kV9ԤZU0NCg%HqKPt n*t%P 6pۃk-`YGS(Km"@O1 dfD 0]Ԏx c+zHL@7!emBMX Ƙ #ބ¼ {%(rQk,A列`<ÃͶR.r2Z25Rq֦2WN)qY9OF֕#z> stream xڵM+xL.$ c(,:8"0bhY]3k`{r4Y}QExTDd^hГhHjHJI/P2o S' XTPPs6Skb"?4qDz W[$.zIs)`PEgiֳ.O@ROl47$/L c^x[ޖ5  %=HfHһӤ$G$|J}R*sD8&bSiI)D)cT&J?TeT%U=UMV=UK͞jÊ٢'+eɈQKx t'-UX(f`Ԛu[5HaZFR{j>"EcVRnDjs&Yw Q 71K3jzPwu:紡)@i/ 5_ûXtvGJeش[os |9>X)nEjÐ/#Not#+Hmzhg'&W.?O.o??ǟ?wBypO<&w>bId ~t:z.oO?˷L_}_l=Vpeve,bZϬtc60su`\ϘVs׃ELxcVͭs)-c1U35=ɖG7HF2%eoLbjC4j.ϐrs]faLwVS!oBd\IPʴ{?S %7&vFE -̈́~.SJl=/*$ù͞'EgmCĐ;{v*?fؑS ~4:s GX98: a 9@tOq+0>ۓ9xՒ+mh` O)&O[na; 9w6a;xȫWz}`|c bS+M6R)AՕmFqs^v<\ppIx]ψV2^*B\^hJ¨eg,.o zRͅ ā"^\ j;wtpnWJsS6T%`xMz,!heMPB$^NdZ꿽_ÙG%\[p%QYt8(<\LH9E9^ݹ ܷO&AȢl2Bav.sA 74M' $n$wأOݓTlOfmzZNƄ2.D VUC~!Ac2Llml\<~#G?>h?7Omcؼ#Z[+}8'W[6ޟ^(h^QG{TFB(P>j$:#z/9`<1$<1<1$=1y' )cNs!>{^t|*{e2B'˘%+<]Ŭ`$Vd)O~C W杜貙sW杼22F2ː{~􊼓#y'OI;e=WzeɗbF<Ι.Ce3 >_>St,bJ.t;Sb?DZ@ endstream endobj 1596 0 obj << /Length 4115 /Filter /FlateDecode >> stream x[s6+Q ,q! #qr[ʦTfl]"Mn~ .MM֩-k[Ig| Ah4^Jf^_=kܿ/q_w8/Ne.xLc=⇃K-~>\\/g׫_n׷_],EvώOt+w/)B3uVK`ưF[7ʤg{$8b@9 +Cr"Z3՘q~[]@j3.Qqr74~7M9Δ }0x3$r 9DFs@S9Ȕt=O9&F.?7ep!=M8\h3>#LvmxNht*AC'@Ӕ#LZlӣ{Bq 47S.ʖ arh6 |C6@qZ^#*GrT(QZo{qzOpS9e˚53=j8$]D:ϖf }<5lKc ^7[]l͒\o˥mn`j*ǡBwurʰۧe:zW[iCiص"TNw!K p3` }S AB쵦Àru={A>EDe@TvGL+3BtpNO_;x$r<  '꒐)֓0VaI 3_ 7o(5dĂb)c!)AIR$@,Hh. b= g"}Vj*$xIHx $ 4ULޥmml o(5dĂb)ca b1oCjR9IM%!S&ÆGۻ|{0G,x_OTs:~.g nCjR9IM%!S'.Kyi3`(5dĂb)caW7+b1 $r<  KBXO]-éjϧjW-F3ѽhCP^f mS Mօ @ &!2F4L7z#nwTAu$묍ᐕtL9"㩀Td]*&$c(Oe 'gۻϗz)̿Q]0l-h#瓨j+VGew&&aj~o*C~?\P*+N=XWblm-aKd6ҪwmG]f~~eB]2N8eh#)Y۷dwrz*{oᝡM8_h62dTL׾Z/z<. oi*ǑBCfua}o o:p.ؓ7Z/Z*ǩA M}@:jb4:Q~/(G,4cjuj}f7'T' m._8T  9lJ5 ΦF6Dk8BWqQA"Hh.zbtvLm(dF5F{E%q~8MוTLk?M|v_u94B_'k_Jgc vvOZT8BTL G S@݂p=D`vz^-G- LjR9MbB1&봫4\m,b,܏_lXy4B2 >! =MձP#a۷gʉ^<УbOCQVJTHTE!)g*N/ߣ[i>o5j3@u1LI$ endstream endobj 1495 0 obj << /Type /ObjStm /N 100 /First 1000 /Length 2204 /Filter /FlateDecode >> stream xڵA )tl/z"E`Hj0b>΢߾j} ؃vwDC h`THZ+],TdpQ1eLo/Z&@ a{Iٖ_U܎`BP!\ \2Ljn1i:d1٥Ⅵa*­T,T N: һ0btYRٝMs;s{/mѥ@)Dǜ("3ݰk.݋ LC|YBZ)1M!`,"E\whQmAQt qY,:%VF[{m֫\{OHerLcreXLEֽ`^l 㵓ɚ)\trHf:̵)k}kc5SkyԨr=rp4ʹk >GY^&=ނpGLl~C{&k65 H6 xݡAvuZRq<É0q4&;Hc:zqQ{/o?ߝw~T~hVg pu\myޕӟ?,|sdT8·" S<1me"dT٨2G%VMLӸFzbzL9 q:C,ybxe VS"evXo< rR:[كIνqa|vPڨȪ2}VxO>x/ҼƓZx 6fV.C* ,Z']cكވa>{B+䗙FLHJtu"+a&Ғw g.Di+<τ*l/;N ۋ^/AlV7DRA+d7b"-itIHܻLA[*.J(_dBԭZ{مPJ?[%5'(A}/t‚!1ice›L/^DY"͞B.( \I%d ny|eBE9dq&콺|>݈GGCxxB+oJO95B,<xi[:CF8KyC 8x7xx:hs/O`IO&6u_;UclP3ū+uέp2gvD3Cmo4f2G|b^[;dd CE5N{q:PLPi]&gidc/eh# &{Y4"h]d(ĭxс|D>ΎT"AkC.:z fG0])UnC.q~FP#>xp^R.G0& ݽEo>/7%׾o<bo/?\l !vz{̹޾~SN\>|?'0>?Vo>ޯ=~ f?~q bg}xxy0[ϼx/r@9H4#A*S*S*S*S*S*S*S*S*S*S*s*s*s*s*s*s*s*s*s*s*TSrO={*T,,,,,,,,,,> stream xowEzІcҺhR$~+ "]$iwc |C} yK(7] i-7w_uo6?W2݄PW߽v#;1tܼ]jxOw~ewWR~W}Rql~I6mz5~V!9{6^ }oƲN>vOUjVi?nQWoG}f][M.4͈qI 17??.)zӇ :5U߀-؄G&ypS79U7Z0K TC"z/mD'ow5,a)@a%aa1a ׏ۻï[َsB*w^cCpK9M @KUrC}+۷ފNܘRMખrZ */9VɍAEެ iIAsDYtxJ'AT+MrwQG.y߿Q[a0r^yy8zCqYGaaa&Oò<Ί,MoS~:!ɶScL Kj@RcRV KR%7GgMgrO>Kp{nwxiddM}r9A\!gDΟ(e6kXiCMדlX%7cq\ƹ0ߴ"v\.[@Xlې#:7 f/GSք]%gυSkatww ބ\Uz痧w3gzOrL]jrZ6KR5d]()Pi~>?}|UB*r3*Zn1PGʎf4+Ka7 eiJS&[? iafj90LQYrtxyt], G\F;:)@Ee%ѩ.V:?<>˾#W.q)a%yY؄mjB+sG ;u]inn^r殒n݇q57u>=:uK\ibb^r&be3\a=}|?=:%.41lyəJnjDz&}ٯ.h)Aak@yJn@;z 'ZtNuNAjwJ9=Pēo0T9jWcSܠ5f&OuruSw+ ;(0<Ur3N9Qew"}>iӹ6ݤ_™ٰJn {e1xoozSr"}JN@)'ZxB+39O@LUB顝ݶ2 ZiPP^rP#ӞEWe'|ô\RNz539U !p :; ).t)ayJnUΡ~|9_*6K\RNs{fr殒nمq07+;)WNr6rO C9Os}Kv7z|&Ȧ-erlƸk6^ {6S'\RN6/3nJeK]YISgĥ&ͦOəJn;F~K_^.=\\M+~{M"b<&Nzn?NjoV3@9i7k$L۽iӹ6\0%g*1t:~:>ԤN՜#gPoj15| ?띫in͊8:vCɉ`VMrZvF*JNрL˹I\M[*l^K^U"eǼϕ#u[i_l—}DWKaKަ0ݯ]LU.2lGLU":!]7ki2?Bq 'j̙=6+\ibrb-KU"lx*n9m/S jjQNgQ>oQAQ:Q)`U 35U n[{Or F*'Vfi^Z)` 5^jTq5/,4mרFaꅗDHZa4N\\M{Ȩ91;#UESOfm&9[%fVXNȔԬm3uϐ TfhOC3t_Og8Kq_lg|3pRNOR=3S$U>p]qFn RrWn}WӚ] 3Sfk*'usxoe\RNkԨY%⚲II꒵5+^iq~BūD\Esqr]߅?\RN+ÖʼԨ\%zȶCp5) IYqYf(['>WSpEWto)}a _^j]H̼F WVB_ά(?;+(G /5J ’! O*rZ\WbQJĕzzzؤL~ SʥV-'yQJĕ~xݤ|Yr)a e^jTq=*wAWmVdĞJAljsy?;(>;7/5@"l&Ƅy. Bj%w J9=P^j*q d_ qCE!!!PC':o(e^ Δ}X}E \UO}D jz >DզCЇP/cL>uK_i{B[/- -td0^苨2Lj׺ְ5/T!qbrS8?/T!8ɽ_^>u; Q*$ ??_^Yc8=+Qi8reQ`W~^1A9y?kDo{eF*lyfx|hI]Zr6F*{''vV3@9i7k$nLDSQ{uWʰ2/5*W3tuʩ?\RN+ÖK*Rr+RP+x)a q^jq]Yr$?\RN+ÖʼԨ\%F ;p mʩ?\RN+ÖʼԨ\%ZC\rFS⥜'yQJŕ N]Zr6XRu[Nxm1s>GN[͵+l$aKvU"n7>eeeIRʥV-'ƼԨ\%X \dl,&q&a%$^\š/¬Y Oܩ~Rx endstream endobj 1599 0 obj << /Type /ObjStm /N 100 /First 1001 /Length 2274 /Filter /FlateDecode >> stream xڵZ W\"E`,ù$C;Y}UͮY` 9uw=Q"GHH%Q+78UިIT!pK:Ú:͇- ߠGCk#aޢDo~P&oz=:tĥ8'RAXm9ΑsMls,;Ta oTky0i- _9JT8 (kg5QJҜ$d&>{X)GOcQz)IL^$]paCkւF漢 |"J@5Rlv20A+92đ&eIuZzRSGIy \\idT|,ؗiMV9<&s͵%krÒٴ\{prLliQ"pp]ZH]uY}*>Rw1%iF޷s2=4\#,P1urc f_XʜMXBRxFK0mG[iAwn04|Nc MǰիO}|twyO_~y?N ApwSzrNJaԹ`Z$w<}z*]ޥ˟zLk+'+Sk9eB8{9I2!oyP{IMrfk9q6H*k9k͌q ReN:9?c%WVS){yԁk9 qԧk9 粘2ߞ2儖-Ϫ@fE[B dLfxٟYZj:3 Tg 2~qWr*WÓ"ZNFz}&HğT 3N[^[ Ji< niHF'zB;y$PM:EgLiA[|SR僮d}|Q|ГBc-dzKBKKI t$icACM4>$k~]m\;Cfk7>F+YI¹^hl.Ҕ![ylevP6m\ 'Y|^p۲gERN0N{BcO>,4ii|ra'ZI|J|x=\5Gѡ"8CEGcKMK0\NO%3G`ӤslݕٶmykUJIi)i|2װHtʅD %h}-D(ObGP#pŅJX7Zv5`=wֽN祉oG%_?Co&ΛRߞ}s'%~d Ϗct˟yqM{&E dg!^3F|qk Gn ڠhp4nH4Z44+R S S S S S S S S S s s s s s s s s s s @\r 5k @,,,,,,,,,,r -[ @nr={ @rDF4iDF4iDޢi#G +E ZĠ]c÷aft{uK=/gݐ].Vrot1V_ @ʗ)OJFz~Y~5GCvg׳ΰad>(ZNw^G ] endstream endobj 1712 0 obj << /Type /ObjStm /N 100 /First 1001 /Length 1874 /Filter /FlateDecode >> stream xڵ=$  D#~S3 8q]ܿKU{hKbZ3#J$ThCWC WÚhTÛT#ŬF6Vْ45ohqXc:shC(5 ~ͨ<,*ScT7giRd`ZdkzxHV4ιdlBk2Wu^lV&1+XYɔh:c")hz(55r0kߤie44׺5k՛YW Ql&k0ڎ5̴hF cWL2kM6Ef X#7pk`jau͆V_lW_sYek 5{lE{ Y3hk10+,|f"gypQ!r$s%sZ [ yq#[V7๱f3L s#MΤ)ZԵmڣ6}xf5'c, DE,c]_}yI(KďŨ&iLc`#}뷷~Ƿ_?o>~ooI.3@ {?OO/_o̐n/qӥ3FOx"}tdLe'SgOLțLsKf23/a>5sՊP0N&b'_3&Yg?S+v5MLOK[#{'ṗɂ݌1סr2ĄO ;ϔ4`fޔ'`OvF䄝NOں= FC%oJ|b"}Pe =y*7%[٫0` >2 Rv^78N&ыw2{YOgh 59r)7_h#ߑ!̃\'!׍z_<乼*!Cj&J~ߠgFJ ^]J.V5^wѺԇ~]Ԯ]nZNCv9Uler{*['?E?HG-.m}!%%d¼TA]A(#֡;tkM.[&rK塘7. x2:[$&#G׋N{z`ߣ;8zpû $J-]B.\Gi].nyzkB{n6̎^ r'2 ]8q "H/DM4֞|Hκ,7B.I14DڑUh+&6l>\wAB_$^p-u1[o9]"BD "W764.C ;n26=xXҽ9Uq _<;W7K =,x0?” endstream endobj 1833 0 obj << /Length 4414 /Filter /FlateDecode >> stream xM+8sZ$'%^x#QR,j*^)Q"ҫ/?}+ۋ坞 }}U]BuE/>W;>>\][k/7v/WצR ]#? mS]uO{mٴj𥞣pWnt56QUNR>\$f2pF h['JE1T+)tNC@)t@7xu^S}>0} S>@IRYϯKcVR>.S|৿~kS}f6HLu%Dʔ__*]X藿6LM{`2UA8']R!TS56mwW><mi/lp\")jNU$j2Fflja~lGm{鴹O]6ʔtpaꚬLjZ*k?>}X2e=RNj_LiL͋Nu+]MṪP%SdH9AV]}:鐥t*0LjڛNU!KkڇU`j/S#|5TMṪ1CL!Y*Sh2-?E`:p)NkQ$2@ʘW_|BA8I EP3hk5UB@x49 TH9!&KuӁK p@X )+Ք]LJpYX<L!YU)mg[D6}R)2N# )2Fy V2-O?s\rU>=/l Zd*E|8"!\*C0C j -ro/Jc5mk%eia2e`y po0ef S fhrE ̀fFm!3v]}/. SA1!S@IgFA9t3L56!4L)f0V}_nmJe%J ;G B&;MaP6y]u eYI iai-yz 'RN62r <_ЩR>*STmyݏefakH\rKƇmdF m(mSv()O~X0onϙm҅jl.Ou41$2GuvloOc!Eu*oޅ@)'TMxP@x>Q,lBG!*#Eia5B rXК0d۱RM# X6YԪPiE!%ia}2e1U2xqN"M#*ψr?qx#\ )UNS P)UPmJ~ޝ}%33TY}tч M2G T^6Me~jk#ia2eȕUeg;nSm}8 9,7Y ryعÇҪ"hpPkHƲ ^k Ϗ7=쥺kmz 6UEևlBL trhUWeuSm}8 9,!W*)'VESǃ7a?oʾGZV1:ЊSNV!J.$* Uu\CJqpWX7]6Ҁ Ic\mן5Izx봦(IVaT2ݙŠF>=gt]S9W7M^LvFd#Vk4 VڨUs4kS`#PupDci䖕Aֈi~'("?*Oq)92UGs VP"s)O)92UGU[Y(Ak'UA#TȬ*"x<#"nʃen}fH2&ιC#:]:pg]{d rۣ,D.M/SwI:WrP72J>=mQ~e+LQ-yJN9:!OI(qO@)ry )H]4S 2N8+ISe TAι M ^'%y~MJI:x=<0he(oAGɃdpJLձ,fܳi|+D7&r1Y2UǝsaS̝83KNyN9Y2U[Rtel TJ7ЦhfmpiA~b)u|dOh9lbVfO3>t)ߟUF`is@8Ƚqܱb{荃g۲z" ϝ1()92Uǝ3&;Q}<=>&-E?M DD~D2㄄S.TLArd wۻ:}eG/cSx^BU3YRwz <Ȍm?e+\i#,ٺQ:veI"c̈́SVLQ,b˄!+;9%.I*m΄˾ىL!eL(rf㼻opNҗyMA,AQDF㩄Sd2cy)0R|ӓ.;NɼA:pg ;rYw2下 LRTf1>J8}AqI2Qߨk%3P|&etXv"Sx$d%/TrH0H:5ry/JH;"IǔC)Z_!+$e7)+tSo f3Bâ9J)gGeƼ)$nĚ l> stream xڵM)\za#K !A`bvjηwu3agHP,=oUS5 $([%L(0)2Z@e%WUҝ$a}ܫ Fh FЄC*Z Kt a4Z6^ RC90.:{55WiX]E1=ѐF%aà.MK{qbj *Vn,*-qѓ&n>zꉵ51 PaJBV)}1ջ|uP֡4?݀33mjCaHMGݍf7]=1E5uXa}U1t?=vi^oݗ>_yǧ҇btws y,JLfLvmrW'M^˻tcNs;ynz?۾4˯y|xv7vNuyMͱXŎr1I.o?1oY.1hӽ߃?ߗ5vlGmo?>Yos]}A?͵!Ѩhkg 36pg60APPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP\Cr 5k(P\Cr -[(PnBr e e e e e e e e e e ={(PCr}Ulm@40 DFECa6a6a6a6a6 /jcÛcoV.+ l=LGs%VJ=)%+S42jVter\w^0Y2 ^Tr? GtebH\frc) "ʴ0 >"զUH霩sڴxc*Yd2k7)+"x]Dεaym"󎥔IL<+!ѹLlY4mOai2YXgluB4n^dܻ9/ē͋Um/mIjkpk˦R$ZTߝd ~#Rqʒ>Y }=whm&X\&X7֜tes| {{Ruؼn,żKimhB1[~<>۱%ϕiVsr\Ie9xLjPeZ\biRANzX+}Mz.-)%_5deoy"QMkw&ZljN-zYGd eZXRo^dX%7slwӣ ^^[IL&Eϖ5D[zc*biݘ %z.7ْTMR, sjm 2ȒR@%K/'G8"X\--x2sd e2r†,$ ӥ7 [yxtpHF:7ti{aEnLųo4mSռf*,Ye;z Ĩ1 ^?*ak  nhm-9X4'q,LLE"D'^y|[04!N™(G D0wP xK1q&pXQh-rc.pT![?/WkbF>Ҩ(83 *,݂Cv1ht'HI{l(`B<]fy <}qY > stream x]o8 _:ζ]`nv2@ uh;mJ4ER$r7?0LҞC-y34 3[?jܟg/W-ERW?rFbKgӗ{y,8ůut8~]f4zN?^ ђ1W$3CRB8=?qCkk$?l,TtQGYPMa#~ k+3C?[;T/r^4(I'ʋdI,6WDZJ.  aش%F]X;תjC4':;,q^Fql+v{oN CXXKm%,VNbJu显XXcm%,@̋>`c9{5Ęa/W2Sk)ckõ!aB5KI ƱQwŹ~ֈAG֗naeL%PZmm{u%LA?t I# zd@'E$A\cXXӧ%,צ;ߩvm~ ~$FxzbvRȍ BPB$t'gJ7kaĴ%R*òsJB);c1뻂0ohA^\r͒ ^;/P.wa޴\E&,HQ嗽[%հp `TlLkuW]:,p,vO㒃q\ F֑ld,r,vO r\ 7XZn1ˏ]zŌ0fV3fc +Hmm[7lҷIAɴ\Ylh81m=~Y~ov{\,FMzXH+0o2:dqݺc(iOy-br3*mYtтCLv;[Ō0f)L\t̢OG?nk {RCQSKJW[{k߱/"ʠ/frx5(4Drh/T~avr<~‡w,L-XT ^D&%sRvt(GF g9\?HF&yrm$iC+0t h\rΒ h-M#}{_)_ :i'q:K!rn;9ÛRwv_!s>)3:hR _s\/ahd1jb)s_Q a729@gtz^cAd-҆jX6 ؜YE 3cOwC{=\KH5F&yrmܜ3'˽9s=i'q=K.е/w]rr;m<Cpէ2)?ø`ގ_IkGT7ԲD8A ϕwo\>꾭= /B'faqb9v|RNXi1Bot\g8s8~8I;RNXт(eF8'73l'8i\8e(lN|[ հL&\qu '.>rX&@Ku6YbG0"l7 aS.duN*<;Gٹ B}L[[~ĥ:,(iXrtXXk4qNs"1`ׯn?<ʧ%a^E(vP @(T'׊<5^>u%|J?loPjM!TWs_HK%Oaa=aY=>sl7'6ľ-!5XXpN-0RjX}ޝ\Z,BjXE՘%rXjL(s Er,ӎW>=)brYW-# -k;e-?qñ|K: Lg7ΫRD:}پvߧb>0P/H눲ȪQ< /j{P}K3Ձah R6)eG]dlY5(Yf.ozڃUrq`zD:,ewj O݅UZAh:,>ՠ[/⨋z|3N<88?()J endstream endobj 1835 0 obj << /Type /ObjStm /N 100 /First 1005 /Length 2387 /Filter /FlateDecode >> stream xZM1pH %K$y1vi8>(,жjUb& )4\\P PA)4rP^a{e $77g{R] q,+Eo5QrVx% %%G)Ji S2N%u*LJnxNix_JKa GoEPINp!Tt0.Pxރ9C[=4pJޣ:{TSNL(┐$H 9ĂPR=ZP*T50jJAku^R=$Xν mej~PYu]{P/a_7 {&pyaP ) o m);/ rt 9/^;X8`&浆j Nhá@=Sa%6r'&7&|w[b2fGU (":ObԺGZy ooNo>Ï9}񇻏]BDH7>O%Rk">ݥ ;>\9f|j|EAGѪemRJl\򕼈/qU"uu>L6L9"^[4<,q0t˰d0]ħC,#`9>">)^)"hTZO>r> <ŗ6W,"ʷ.v:z}-E0 5%, |V˱. Hۙ Vuwg[_2C<*> C™~^=?vW]m_yPL_-LJopz{cr;?~<?=|qw?"qlgN\wf**ifMz-|,'s89kr?>9e>DĈ}7lRGvcߪpKp[nGa_>Bߋ}8rw q7>)e:TB*{Hlb)6;ƞsOL+m ?!>,ay\ƇLš dc[n9~t@܅BҊ,Zv6/՘uC"R:>icIk☎A:E| Z]5Xv`^5<}z,$O|w>IW1L˓ ]lW@c~RE&;؝-e| n.XˇlƝS?fwaRBO|vYėQoXRF׊|BAmnԵy66T#mхX5Z Iմʄǧ{*5׃G#9Z|,_i(t„SvRu|B$ǚ6OFV߿Shv1<)Y`7 1OF 3sjG?k+hDmml ;WhYG{kҏ?+lnYL?{5X{86gv{h2H/˖ٶFr].ўs|q\ 3nӠΩ#W2 {{=@Ԇ3 q:#}W _~__( ݺd\k[眐-%ٛ _wXcM_,)BkNh._(Haۛ3"2 endstream endobj 1918 0 obj << /Length1 2024 /Length2 13792 /Length3 0 /Length 15021 /Filter /FlateDecode >> stream xڍP.=x``pwww %<];9{kfާսޡ$UQgp0J9ػ22XY,,L,,l W0_bDJ- ? ĝo2 S7;E{`cca3@dPd9])AV֮o41r3:M@7FsS0@t4֮|Lv.LVB 5@ tvZ*dj2&DJ53&́.on@g9@]VXz`ebwyd ` R L S{ M.o ٛߙDUo<sg Wy벤$@@{1s> { ˿psdִ9e%e&B#8YXXX@'ܚ^*qtpXY~}\L݁Wg7*!,@3O71v O>Xm,^>_fU99iQm*NL`dds=wSп_Y{K?پ2vk9hKmj?Cnb<M_QoCrVM@` (:6b`u5}[Q{+ry-T@?rͿv 8T,,KXo@SJڛ;X`l\SggS/ķ#~CַMz=f&{7[q~KgĿΓ,`Y0Kq V`̲Ʈ+AoJƧAf?]zctxr17|ә;ߎ$ؿEgh%i-IKxvps̭ 92rg o2v0r`6PKO:?Y߂ty*Sێ3Z;d\=-ou:c_nv}-@'qi?ئ6ZЃqgBprG;gɹ.[vhp/$͵2ɳaK=\XkjۣqNCѺ""NZP-]rNn<*XwҞuWBwTwq#=}aь6(,0GHOy6w}37J"@w^- 6n| |=<"ḵi*ߩr > qC?>9W0 f+taQtyg9'T$u>!ҖIU9@ɉu ,;zN4D/S4{$JVrs-y Ǡ]%lLH7~m1,y Vp;9Dlj nka&ށ1=_/!>7-0mڌ{fT|ʥQU\|۴ lv BMVڶ`x #g;3r ?D+Nvvp_;n>ڝ1mi-\f[SIoIDMQJ90gj%Gft! wBn)FJ'l4`xdީw$rk.a09=o:*zu\2,gih)5e4k~}&EOУyq3Իq \49xhnϑ 0AT-zҕD,Mn(n_>sdf|c1!Ǚst^KVtA]_/70\1ytw9/Qe*L(JXBT?ؕU5QMѝZ֞zV;j+\<䠚ӦayaVnSi2۰#^0سz<QBt#BiV?rK^g&4 t[xo2ב3 *?jE9Ž"TߵA-v3PL8F`#eOdV+Ч8"],<$|_Kt$T0xS_fͿ0vMØyYG, Bj)MHdEc{ZX!X2">+p67ngedsx^TȮ|Ee5"&bI&7CЫfqPpk萻J]'.-T.4eg"p<<4`թh2^/\2ʃp0JX^0OOx^u B<2[lB{wF*]s|&k(E,9SPRj5.b57R`4'3NnR7v5#v9>è[TDP` $);NP復A ]''VTH][ ,n0MEҾP_y+R(M;R 蕕i TF$vCA&[=9t0bVKkz Dc0 etIG VέCɻDfEcafDTfU3 h2|y,~hb ,BL2^Hۄ-<"BBw&PG27K>A(ĸkxV_\rSYԖW  =H)E<>a6-Qg͉aHy,iϣWD1=RWhY앚4}-Uii>ݤỉPߏ;N tOv+|/'q}k%ڤEt;FJ\ܨ~¹c.t%ƒH:qKyʚ=SGׅrl}dj)ཚ1}wzA10o[!m5҅@Ze]пr}fJ-[<`G)?_enT7Of7LVrcBqP(k)89r)ܲCPtN? +xfGZW)[3vxUO3ͺ-:-?S:s̼KZy8uO1g?2Tޠ# ]ߴÞ po)) 06!ݽ>|~m3PMJ/3) td4XtU+]a)0G +=#*UIuRmT%]+4T)2k2F~dT꽍O/ɭ*jiB S϶"QJ|iHyZ =!۷$Ƅk(_t [d{-&AaT-I8MZŝ72(NZQHzW=bA<".Bѷ.Ä(NK'HR#*ZNsOj ];oIJf줐 [Mks^Ei DPNlZ!Ȫ@d`ߖB6m>i)BXFH_qKE['ܓ6DÊ~rX8d%7%^ml(p]H<<Y(;s\9j]@\{T1z9" "gjHB Ѫ=2s?&'Gl:緙<ȠJ&#ż\ 兄AeT= .$y]Q]Sg{Nn]Mq}ʯD6efV_)C ҫ!ت\?F_b}y3KGlP釷=" p&vll6纼^Uۯg&0~D#cÌl9Ӆ,Yi58kݺ{pcݓr s5aA ![D-x_ _p\EkWm;3ţDYr;O|F1\ee8 ~R"n?ZڈRZ}:f͵RB99FE=>Y2 L4ҡϲ˷`ڒ]?i*0.O$>ҎA05pnk{ TLº@V|l+l'x2X0j a`!D|W"dd>w]m^LKij^ c,˩N9u9RbB]_Map@3_$`s-si4]-O1W{om?5l1K𳉂4((˗+;ӭ[&j 퐔2 3MNk/@lB\ ͔%bYz}[je$sz Emy|Qȿgt6e_FRDOͰ/c2 тetB5Gp4Bݑ -S?3ew]3kyX& S3\X48`q A깈o^R0/C Y>Q*m"CWIK:m Z{)!IDRY-uI'a3G4Q|L8>^A$TAKR Es{݄ijP,iIuau} |'9͊aSe]痳Hq5i= YV_qDW 2L5OeT2c] QacL/gR>զWVy22V!G-7U_rDѕGgr#hӖhTqxP<8qHd˫pOHZxSLncl# A!?\qXj$SiխO vi,[5,- c&䋞HR@NO|p>Z{$9)1ߜ{orWC?3 pLDo`T΍K~cZ䆗ѧkJӃ/Z t6e?˚>eC~88 P S1Y]l1k3"zox'nt"lB" ?\dߏ$FemӳvԢ|i!oAXAYWTP]Ц0ig忧obeD.lFF. dH.s7 f$Ss^&0#]2@Yq cťVE'UOd#K@:RUh:qu|H ZndFPU^8@mcܐLzG/R;bհώmVAnܚ7԰ KM(52y~]y"48oFɧ G3eyn !}gZnɗ v(G1R +ݮo ^P4&"5=]uwrQaJ2h5>\ԥ>CSMT਻-_lJ~d]c5Ccړ{n%TDzyR$3b)!K|c[Dž(wmJ=]$t1m/rvYQ8 Q 32O:ꍠP#Ru|o\6HJ3*07 7歾T/XDaR73%T ]7YS\ Leՙ.߈?Zqi:pvֹbm%a]OW+\IFSQ rz O:S54Q\S4)U>pu00/6U zWQA\fo3,@5 z;9jr;Hn٫gq7/rq} ^ _^vg.=WhT_3PIRէFTagҤ;A8h?/HhݻvUN;L%9[ .:^.1/R} 3L&nO/x6LLuv)LVz1 Gjh,7>E0v?˼b*F< ]S]f;HƽJ.L|"h;軣V[:&?u]. ?~k'rTpZg}Rjm4av8b~-"Xu dr=2l+'n bG6yIʴZ/8ȢG m vXث #jB|J4"I6Zlot#NGJbB$#g:c鑌)&}ʎj4!xI@0t5شX$Cz^q.%#,BJt p u<9ŌF!1Fp TA3g`Ð٣فpg9A]cc!o~W)3̯[nLtUՍ1-RM&5BSVd? !j;lPG~;wG߽g(#-fi5>YvE59vb`*AaX *;6)Zxw9u{$sl=|J?Ɔ3唛ʌzDtw*/r!6ȶb5Y9iSѮf_HȃtZ6ʏ[5OTor}[Ljj{Ӌ%?y͵-=~ ݄=<  G.Md|C"-=@=gLKˤv^(䒩=+7B`>=ty4ڭ}eyI{}˸@{bÂ|]-,xQϯј>BA?(]T=y-c?;:[tD8 OPX aK?j~K' %,^вp b1lb"iUʲ{bBn=eF ѪVh7 ykߧq9 u &`OM#<иSuvrT:.> bΩM%iӭ=j!I}K;Y_=I8cդϔ+UfԇzY 47Z2)q10A<+$6| <8/`x̤/ſW$C  ?mKe #!H,dR`Y]V:t^Y-|z(CbpӉIC>it'/5xEZGl㫚BIZ}! X CyWZ+[+)Aͬ 7:=+<–.{gW9Mؗ>LV)P& t;.s=%%9,E!TwcPjEHe<]BuPHN[׃4)'䴂RPU'`B.ug.iyPin+KjGA;+W_@a-3g9JCwƽby0X&I Rߙ ^K~f~}hcBsDK*e3]͉ʋ/\MP.uhUii(ipH?8>cDF՘N=-e58]W; xK{)*td)zACnQ~ aW-a5a <BB9(^ -%j*w7TVAL SB}|~0̜l#oLn>-@nbpF'pF4[ƩO,o%0>%mrY%\c\qϩh.!TZX?!>ԉ5闳M;8f/ s$~} HW I~p^׾@bmhԼl*6fB4CVWMApXPD y[TXyZفUZ4ܖD6ݻD&G!8,RK g}^pyrģәA؅+iLs=TYnI$MyujYh`oS)$G( S\^j^\N~/k3>’_HW/OUQ?4S;(0;"kµ`7[ٔ}d1*T'W2*BWzD!L uhmF%%lpXD-=7ObE&nLPa#/|[8LB|HH4/al0sXd\44 r;K;09Fz"C8y 9c$jeLs^IpJZrτ j;zO1/7 w{hVlj<ѐZ*T%147A?X#i_ 17J)X|ջBTKFs (<94u'#L$(Lm iɅ(԰7 3ēlӺu~h$K2a:x7ǩӿ8WJ~6Dpd梭aГ*0>djtf*{U&0g""BUzhًWV>wZ_=$h)ߥ\hhQ$ aFIg"xRu7j¢XTT[+D1)֔9"d/mK3EeOӏYjqDT 1`0mF#{6b;)xj/xW68|(rOgY~<1{ C^c!)#%>d Y 8όsݵJ+H&.!zԍŲxH(Z 3])upJ . ߙrc7zE SS+q=1*)el>rL*KBgfd4U,fPVǐS7=_Js,1F97L'Gmh΀R(,P,G ɐYKQJŶS3h1N CXsa_îExf-}la`}xPF+0B\E b:WMyخ/8ꜯNS÷%)4a[*JO{̔4|P3-7 h|m0 *9 )AM+R42_Ao6ҬqT 4'J^UV0MJb }RX]k?.kcaR;BC" :}?9@G[2w0 ]o{JzKJ-j&4nOn\m^ xRUwd[='<oX)M[|20^\kS$ጤsPO~_K>[߱-ؙ_ʲM8E#Y`~PA$4|:]P'Jm"Lu4p:"}hK Eaco cHeQ&)C}q7W{]$tT%1LrE'-ʨoE¶:U<kZczaҞ'5C~lGxLN8^-'~d<ԋ{уe!9dtb\6A!rzzjv+A vRJOiy2P1&A '{ը]IG'tӰ`O)$os_&$V>tW`mM+ ~Z[⯺R߽?|*5 Ujz#cXoB 7m^ J6^l_-p$z ݭMUxy]GjjwqA]9S#RvNU!KJg̦2S%uia!=IA6ywN8p%UAR8g)7Db3֩ut3ݣx 3ÏdX'l9*(w)dž[G2 J *gg,3\ԩ#{Hukz`Ȧn>D],mڋ`}9q8#J|EQC' >:52ܻo"AƏԗūXͧ^ pkMGr2@>Vd4L HwsI9$Y'h*QK gŽG)sʮ~ >Z2:>oTqN}2B=WvLj Ye 6R13#',baDI:LȚGw=%m&hwEmro 2ZVa'.FAefaN丰fAWOh'3S6>36>QZ-W(6I@Ny<+QlhEƁʳ؀yf Žb^)7{ iC.""lԌ۸ŔLbC5I`m%{zv,K?ek\MNX̫w:2չ!4I_sGqOP9IT!Tt}ۇTiEвIosdcb{4cka]s$K85wDY3_oz'TDJVz7]Di 4`Dw%Կ9}Q p1Ok܁} \ۍlF`oqΨ\T9^%~cHr4{.9l"ox5]Mu\ l0!pz~?| jQt΀dbN #fi!|ݝȶdJ8= /W5֡"z}/0qw&ݣ 5hH[}__!Q\V dmdqajqP 3tՌBH(KnN'OM"6K/z\%VoH8BC :I)0M;t]dz\ziҫ붴[ ?\=!k PkbGUtKd=ț[>JNu3T^ٝ7'Z,$\*O ]WD8 HWJ3LȐC=Az~(lKء%}Ƽ 'N-uW廅(uO GS=r`yn?ZeI{AlÊN%QE I_Kʋo\OX7 0[> 7N}z „;I[ h$i- ^5oG`OVoWSgtL+7,u,ObvphOr y%ɢ:'i8$H)N oYVy endstream endobj 1920 0 obj << /Length1 2384 /Length2 17558 /Length3 0 /Length 18950 /Filter /FlateDecode >> stream xڌPj <3\ 5[%Kpv9{v7gi QPf2581y"@33+#33 <?rx 5 ?,D@N2QCwCY[ r9y,1udR6 Gx [;w/fNy@mLrss d r076:3ZmANɎՕڑ ? = r9L 35Fx e[S'WC]`en q|wq19޳%ev e6p+Ϳ m mmLͭ@yqF'7'z_V.VF* .0|9;992:[#_ai189Uww?_m81ژ;$Em.#r333srp@_ T@Rigk0}omn zh898=_L̍F/6Aw0wh3O=1gM_NvfQ04w|%mLmJv P{AhK}rA?lN[ k 6T Z_.|/n s'co_fenRu4G]Ɩ}&/15kX9 _S `buzw7 0uE9LBF&?$qD n'3I$ ?$g޳Aer{v" {>?=`R޳A|{>" wK?]glk%׫3,MA +SП= 6MRqg #_z[g{7^ٟ&މ3s3]fޅ?;V,Ywbwy߻Q{Y oN/w A?ws=՟p7x<8S^?Xû3H S51vvx_r//Y?T 2M|SOa\vp DSp'4܋#F}+ByRښ4450D׋%d xE3B ҟc! {Uϥ3 Q_u(rqHah.PnfѲ'߈ExjmD?{8vjBޢMSz &Ka/zHD-4wڳՐt-NnL+nSY)gwqͼ;^<"+2,NXB⭈n`:C9p}f|Xr{< ݐN;!8.''%liߨhL Hya N TYDMCH[lHuy };1XD\WsZ2)MG[H@J?E(Uk'g  ˂rV~OϣkrSt@3Q?]2pdR%l5-Y:uY5LlD&*z*cUOgbX#KUEC[.0-q;,Iˢ,o.UյrcOlB})Bg{B>ngB;j9gOf%3C˹= szE8Ms ?X|v>bz)@ö#/l3&NcbऔQiEp,KKx(ё NYX1l%T)6֒ԐZK+6(&8@R:D,&-x.YT1ji*_ǛitFE7 8$/x>JiM 3SzJh n1xoj <3]v $Su_8K2WcuN<@8ji#`:i7v7 1ȗD{*Ws}T .Oꀘq$>ltj-U6ggG0} cՆy dat'=4s[F>m3enf"$˲k0P)s͓[}fEqڢptSn}~*o8%wKI{pl \ U8:)SG\ˏ|}*ʆU|>@qc'Kd3`M΅¤ukPdž=Rs`/kB\ jdTIEu6,jb&Wf.i}}-@k3I~a BB1߱8Awͪ LRZ8lhF#%w/DO:ro05EJVm@'o`O֎Q"3YwM |bSBOt53j.РR`>I pR[,=2Ç6bC}IkRU{߁}FScւ3j=ҽB\H gZ~" JӪCW9A3Hu$"N_k\&Fw;-[ۉq,j[/0Ξ=)[⽐ӱ &}E^&Chw\8\=P>Wxg(lFx9 -2WD%(<~!HKAQjwYMËHe4 cQA_i')7Yȳݐ5.wy@Uw^F$i$\izV5Ǿ,QY^F12_q:?/](Fg9H=밳&,`jkN``I*شUiE\`Hyzrvð7ek8j(1q MzP.w{*.)IۊT-m~~&czm*>T$6h:1o8N-|{Ӂ]ĔKwq2?x98{*>2(QEo$H 7샿q1uc(sWg, zRQ^oޘuݿȾYtg#.V z[ ri 0P<) 5ØZ:&EF 6oI@xin5{$Q_v\-h/-BMEoXWּ3!/ZS pUDzV7K27COa;dCO/IؑFyL ]ud :%:F[;w:ib 2lхUQO9+sKvpw$iu܆8j$;n_NS->%DU}>L7lUv7?jt=q'{1I=ApЁ=?RG]~F_] ۑ^'X3kUppSuF-´Fc{jI$8AY4٭./ 29-b3չkKU?qjк]_= FKoIzlaI~wtyapvg#5 `ţ} i8Q!^/ܷuS6 rxjσqUxu]TӒ^ҨfM#DonjoʵYN5c-W⬸_P #)d~fZDd;8o\ޛwcۊO[eE>vYĜaIOKNv8z\v]٨#rK ZKiO*i|H;J*+1Mx<,j{0܁ϵ}i d^?yaȨJ[`iSA2 y68VF؜^,X܊S_m;0+ )Ձmj 9&F`PH8U0{3s.f N?8Sy= @v o܍ZP^!i/4cFN!,%N`G`ѽ-04" ǚ`+^TrTʓ->N]\| A& vcvwNx5:Hըg\ߐ OoΡ\ىjG]^\VH$` tfŠbx'?J8g#a?S:S]ݸ!f (8o9oaR7,W/)lGMpz26@QO &rTlqi1d*=DYU}dgC11U6ҮB>rohN?Nִ?K&Fp"WH#1$;A^8.nqϥRz̻nxt*z@|-{{jp 3zd+UZmχ汽}:jM]+ ͤ&adv:)/E5LIuDFzmXwa!kjX]dX]0gp#&]`}3wR^eD߫V5,ؔ@ MuǠ@S$GN?SLbWH퇓n Rg=ɇfmZ 7F'eӧrٍӸ_T5(8b;oΩO<Ă#{HT>rf&^^M;H sH '=h6`FhydK9^`mbXҞ _׶(a\'p#<3(*Y~_4Iz$g̯dTJ[bל8&vM [궳٥16ה#y~a@oEkHvbgi}8T+(2l+omGlI˭ AI-f}](㈉Ge;֨ V ZZ<*j ҄P2>L1&/xZ0 WzC#P'6*8'] YQTV00a,7"s}ӵɡ|)?+;6T 4en^P*y!B{M_9ժ /uŌ=Y~R],%&ȡH4 aJljS &p6mǒ1 <=VFH#4/a}2Վs]sIqY7ծvJ=ǀoqjxRadb21xF'=Z}'8EI&eA;/+x4,.ȪC8$3W6nHbp*veh ^!rSah-m:NFo1A>pjٰjⵤmVƷ&JJE6VvU8 'CL4wb$]K {K6uJ.lIǝiz.Ag[pa:u &M!avP{nЍNJ` xDzqjeRhBdLi]3֗##=_.~9"CӤ+g=RN NMXC` B_ֆcUx{Qcx_ӌp46fXAtn坟Cξz.$y<eW>ė9 ;DCY_p-݉IY*?Əi{gOx Jꚩa4`-{L0'N6H>+;njo6DVE^. :w kLOr3,rٟ>W7[t-Ot8J68^?AG| ñ2q ҫ~(%/`vuh7 ɊyԑRW*?H =3 3{ڒ-ep&zBRp`>q\S.NQ)f/ьSЙ?z_.]rg [ND2D>!CNZ@l=Q) G'9٬ĸ*h>MNE3W6;"$}D;i W.$<$2镛<񞅫+TV)fp,Z ۝RfViFn* ΰrЛ`mm6ڙ3h"4="cN`Su˅d~pw^p0JqY(o:6o#X(~\̓P-(r`UMKORes^&oiKwLW C+^L͓uP W"w3ܪܜE.j{;Z=s*{OhvIw̤"p2h?PTZn?SGoAZTA`De~ltElkKŋ ]cx!C2;#BeD4< 3k洦Fhke']~ gVĄll2qEU-sWT"\+L6k `xN0$oCJ;qdd5vDKwgw9:ub̤Fe πuVFw#*aۇy=-dm8UBw*LMGMJڳ(\bFTWSoB, .;;(N5كn3pp`<nV\}-sY[iz$̕WU]Ń3i@NMfJL+S?3!;#'*s&>4trh"ɷ6%e`womܮq- i@Wɔ=b.e8 q+8w(k%jPg}n%AR~ ђ}PԒMOpQ=QS;xeΗгHA\໘; +ܧ:fF+GJ6c#ր>5VH`6Xd-b_ۗ)U}o?1!-ļPz]<Ph3Ũȗ_&b>Șn7 ?Y5 ]|¾Ά?to,`m1rH2CUDi.O?iRrgT9 I.Cjptceya0sDȵ W!H>m B቏!ZY)*j)ɀ#]Qy8+5؏?)$ #/g@P3UQ?1@,[SFJO`VI^hz5?ՔZ|nS,WKdRN,D+Ͽ}zۤ )@Jů޵N!0Z{1/GEj# ^k.+fl.?Ӧ\\ ~׋< JX\8>yFb# P{?j)L!OR1p(Xh+蘓Huwg ?U]V'$dY݌TyBy٫Q%9u b|-t)B)v(zq!1G#bb3tZ'b2;YY䛤u䇰8Ƙr^|YBə!?Zr~*&j q-Sd cn =aWf[dd`nLj֎BnjcelJj"J"?10z|$>KuT1( RB"mQ^~1Jg$W@g#Sǀ=ٳpMVH "ݘ@Z <ǛKڨ^ |o`8ՈNE @RFqQE33Y-3 FtMB-֢ip*Ÿ!D24j]UICw=D)\ϳҋ%i#EDy ^~05K~n.DU$dFoo~?(+أsuE.6SEp#}Ϭ \Twx :_ؐ:8p@ug]wͪDB=靇<:Ryvsa4!֜Χuz&%[֗PPƙX%1A&Nm' 5sVߛzkϨj.oZ/a?}3PM) $ FOF%`vdZhQh,78{kU\H;VRד?VҼeM%%6jœ}!M6(W,Ù?zW`VXAK$mFA7>{k\fT[gsT3 h{|߰KgȄ;.TFd@ Sa罩{o%]Y&9Uԗ= WsYJf9P'$mHŶϺr*|RW]FT4}(I&Sy'Jxgs.}攍7&(*ƉxB<Ә{  a䍮,v z~mk[r qN;(lnBO䨎#eDe猤 bmկ\؞>0K %g3sˇ.eE]u;A:(T6UN/UPd0\FPTo:Egh+~wWFR=t!{<|7h6a"!~r?lhxγ] 3+G#\v6x[!ݐ|pe%P8 ͘7ZkQaȭ0ȅ jm5DeoRK8c=zՐ (M1L;{3Qa,D$0t At80~KD?J}Z-&,Xjn'lB"KNnm _>ٲ џ}]ImyIEYؿlʺL<^ˠCG](iѕǂ$e9nb^"X稗j&e,*7[!'5'ȷd.!K꫰bgwEY90zwx6^͒\U.uqak(ĤV~ c\|H ?HH<+]H8ia1[̫E(܌k%~_Pk.I`W+=H^"0aD…YD3, ֐CNǛB1VX}9U<"53 `IVhsI5h8r{UF RKѓ R ܽ>ٱKu*`'Nή=,bDsj6K@Ԋ Hn}p oFnr@iJ<tRD#៫ ylV|\\?Jy[qe3& \rG;oܴ8TIвdVد(V3Wm>|09-P͒o[aR_sg5__٩17U CPԃP;.فhBrR+*njY43L#pʮ]p#XПFN+ EOzU%i7fk(OW@=@xicAZe ޕ_Y:9osxDF[4p3 皗P6[;mB3;W-3VL8'WDIzNoǐQ6Y!e@F&7Ths$zmHyMߐjNW d7{lQhwۗOU扆rl: ?Klr_o%+ƌ\Rphv zE`X+y#7S_,?ӤuԨ l,CΟٲL`?Y\kPTik?ǰNaYb5> tRVaM;l@YbiBU;-2,DA܂8S8CS;^`*i v**<×d=5"1y#"fG1cB -]`Qm 05WBuHD{i HH7 au(H Y4ZhSbN#xHD!؇A3jyxs>X Ybid~^-B#i, ]J&%;n$|uE CKSdqoOA1&=QQWHZ(s\JVvv!Pd &n4E$v e0>;zJ;ݳY8ZQgOJy,4j)ݧ Spbcv*6es̈́yRHb+YHx͂a:o>ƙaub~bn0iq[/ߚҩTBd =Ū'u #GUQׄS'44^yw]K+"ޛ4pSߵr aQ=9i92ێ̈2R/5| CGWD;Ǝ(tΩ;m9g! {dnM;g_/sPbHLXT~7yU@ Z&Gm*Z!5*#p}ldp.:Q%۹E'H0y2Ni-OJhg8fz1 ي"v;+u\FwύPɛbX0-7P^\ tQCr-,FG◄=޻ a<ìz,Uezp6YBžHpO@maïHv$TP޶ݤιꨉ+ppi{8aGLuҸ/÷!4n<حSeK+e`_aGrˆi2Y(G(_a&/Ube15<]+"6QŇ 3^*-ag?Q y!J[sÂb3P0,1D&ރe Qqy  E8J: ]VUcwdo7<+R^geH 1КBW sIATl}vsX/Ncm۪fʕ[.{.O\Ze_ϋ/%xmܶ(^\v kȪ85/ kb QD&l%ܜX&ٚDUxQdeڦޥ09 M 8YgUR espbo #zT}$4w$I~!ئ]aVjTiwKkQ^>IEM#ݳm6qLV[%ݎk5Mz3ål>@^HEXx(He3kq&F5U(g kfZIsW Gr1+Ԩ"\g蠵o4~tˆ[ʑ^sNFRp8d c'䕽WĥdnPn!E0J+C(*(;K"{T٥ ?r<ԖCt =, @ eYVArXj{GAFIb6H??' q&#)lAu`:SAiUP܆j+W) ?{RJx` o J5{X"84.t/3m1ȃP* GÁkv*4,59(LbTRi?iOȫO$iڸ[O^a!QFg;_,fQu#/±xOw4g20w=.Ab(F3Dz.5r|GՌ_Ϟ7%dg5LOٌ',I?m%؝fs!e6^<0 (텳<]I+|IqW7Ԥ)J8L A˜sHL{,Ӣ.܀d#΅آ OJKп:s-<@h W,Ҙk[ (|x$rYgvС y'^>k>!(C[> kW񼡯YBd7`N>\Q&Ânt%n~\tàAϐ;ʐTd"#s_ ޚiX P]3./DC@qQl~t#\O{(}1(}5Aσ8zqHV/Jc'yflC[,HfkB2KsOf[tHP-R(>*u3'țtlj- endstream endobj 1922 0 obj << /Length1 1668 /Length2 9531 /Length3 0 /Length 10618 /Filter /FlateDecode >> stream xڍTk6LwR#% % *5C  ) ҍtxy9k}ߚfkk׽^ ?-0SeZuʩONJZ#зܫQ`wy4& &zM|~' JFNq>X+ [I@[s{6yhw-)*fvv<52aҕz⚦/׃y@r큠بVHj]nw?2vleѿl7=<1(X ne@K֐qk BXo=JCĉ|f\$ݺj݋ "E{s{ymt+.A/Yv5F(qIPFatPݘ%hl}iEf0P LK>*OAgXUFkvAi˗&z]vou"x8(oSI9y-;gg*=18[jx/jşWH<+ ¹zFh˾0%5(̋@{bɽWg!VlQ%a |z'm v`z3dplvdB&6EިKN9cf)y[ Zc~)~6ى7h):X|yW$!`nN/gfvbE/.Ҽ u&-M%nopNrc(//do'X"[U΄Q#2 D]iJP s'A~fKȲd4ONY;YG:p7yo[ ~lSw)Q6j|tY^Ǚ'JS ,M ?>!@c(W0;t/`yiҳS ȿ?S@ef#s1o2U \52?{P^K(xN|3<탛|){lqD r/.zT n#%ǃ\ʹԭ^̯q(axbHPC7o7"P[Pw(h2_MAHt??ˮHEzH=>wHF4(PͰcMvʩʘ.D{ m~ _ĩB; fPIW[z,x{yP=Oě"M2'iE a%?{u@憋ԾCsV_}U oRfO7;_Ltp2@p'^GwF; T2ZHr=aծ!ʰG5_zJV?AKvULϒ(@{OSzl|NʋX["fKAj㙣8u(>rξ-nddZQ~2zЦ_;t|ޒi⛇g$?xAƃ'0 VRo|N s8䇳S̽ILD3֙ rH.&c¶h Mw`2{?Ma6OmLnG!ERۙm6f(Dܹѹw\(Y{v z _9Au.։u3Ǝ X5+% .0HN n;}6_@`n+-pGΒ?G'+*3ʎ<Ī~7ly:yd42 CO:kF5MJKB~4|fR÷/4%^QT^LC!{64b8?-Ss­}dk󰢼$˦à@ jU)'0c)^'WG]g\cC`,XlnMl(] YL[Ϙ4s80X|C>N%{t^[(J$QٜV;)Zy6?huX"=0GXɊF4I% ZyRV;5?8E.+[ 62.0{PndHέ#%Z25raHvqC!nO-[V#QWcINvUxv?ͅ<鏳 MJXY^K<܇PHH망FCKL;Og"Iue`Q P0xB7TYXN2æ@di8cw+=Spy*}rHڙ1X#od~gj٣KV^?8$Ћ%lSMFUHXv*kgN2$K?tiMny-m;ztk ٳZȥU?7EO.rgn27`*\Qۭy.Zd]̺p<"7˂WbVb 뎜h]U`Ҭ/6aJ&T1᳆neu4;곯129+Uo̓g8|HӀPgn&kiJ;MS?$5ӽWv')JRq:nċr:cʙes2 zv48ݙ4~yP_/ 3PBIhXT'.)+5hh%El/݇MխU R+QYI"Ycd e'[U>%x/oA㞳-aiSΞYu5S6`P z~U{~%گWi$c=xM}tvk~՚C1-#ANKV_ոۯ IyC${oR9>*lwJX侜nrblC&7{I˾/n)~'JDi|Ǵ~VG֧1[\q&f 4oK")#o52NT0Cq+/!gpg'kVqR#3@|R-*ӥ „ƪ)>tlK._Iɚh5-s3Efw $7)ҾÔ+ĜfQ]b;r5qdV$C$a~Fys)8ہhXdo Kqg#U6_&.>>DJ3߀ˆT.@,di,r1~ 0}QsmcJBӿ9Hv@2Y):ٺθX?݊1W[8Ƶ(o=/˴Q.6(ڡkUCwqja+_R.3 zgtsقD\զh\ixgm |y5ZCxc4nWڞxv!_ V_upUY`afy eQ]>}6YXs([&z)c[ e8@Y߫7}I65٪\5uEYS 9-d@1w~xY.=;}UЯ W^0…Z2tW W,3X}Ԛ%u߸>s-((wvF4.W! 5Ci5=<=~Ɯ5Q *kL "X0RTk[;0C镵 %>iMڼ/WzN(uxOWCD(7 V"ڤ,?uS"Bpߏ-W3]gVJi"~r]IW Ph m޸32t`_U&D`q 牜H J$)J369r5]#fL-RHp~g -Vvn 7,ĐILv(pAu7iQJ5{?y+KUAE0H7fGɭ,W6gsp }c<{h"/9h{~H/EaVJը \aTQiBʲ@Knq$ZKJj_/V>8\MTddG]Dg!%&b6[si:'ZJߌFͳx25N/ Uĝ囮(~QI4tշr5MsA1F$ ݆MutWǖ9 g Ef\YbOa߽6:g+$il.jHfZدXm,4i2 ^;,/4d(E= G?WbLB` ~4\xC˭/5/Rx\X6/*r*LSck1zՄ mGw)5 -iMݬ;c=A佹#xܐH5%h˴tMqOpewJv\#{S/4T6\DH&{UDq>\ !ȕT> $LCGS'n^g]Neϳr3Xc>#f,9x Ux:裯<i x\V|X)'|T"c@"-"Uj#$ D ŵ|O.iˇmgK}~j'$Cz EĈ˅cEl biQ]d7BdC%ox{6⵾L~X=MKcDu}C\U6Ar*yY[d+۞ah??L 8$P>vuG"qKfE0o|xz3^< dՍ p讟dȾ og>{qk,$ljҤ bУ[톺v Q߂8I+y}%냀+E;DViVXP֑ Ag{F@~+a t]Ac vfڎnon~LGx(ž?1ϑ^??Kc̗u1m~'~,qj}GQypIu?WAldF2C`xiyiӰ:ip1oBPٰ1QHOX('F%H~RX0AJ6G{P,> }Knpf^QRVP FaBH n5iS1 ~.T݁+ME!n%Q_ JaHiId2RNd,QǓ4IkGc3R*^!k +O0?.Pn4ƧDgWW\D+T@ 4(ʨm0]yɿ>iI|@^ዾ.ønذ١Z1j#[Y]wuӮT|u{~19!l;fCV_=p}usŅwZި7I[PP=< |2NU!>f:m" t*UXJߤJ;@8fG:lbm,WiWl$qX=Hs[oS~8_ľP[ p`|H6CXy}D |Ah6ԯ!0D(U2vRI F/Ԯhxd.-*jT꧔3 4lHu>'8!6ªYtn谕6g`[0 #X:!gظ'dTӾmX>j?űCDr]UJ=q 2/K*ZH]w<<'CC|M6 =>B0R0v$.zGH$}>Z+e\)*a;ֺHȦw8W\;%Z/J'%joů(WŠLۢZN ĕ?ϓ|/Cy}RzjH#X~яj5FA՗Y_|MgV (XXhBb(ZP'32Z<)K'k͛AÍw8d#uӨl l`PDZ?[s&&9*C"ߨ'#ԉ~\x\ }R/ < a/f~7N8o03g>m^-YM?ʹ.zz5qXeu a.R*8Lh.pȌS.H2MS W 1\LyvZx.G. [|h3 Y1}^2[ӌč?̌wR:v">˛pY;ϭ 䓲{TJ<4˅Cճ䆋йD4ʣk<$p*ƽvuwF15Q!6-9*)#dXJ3:3mzK:v!oTŨqY4Wt0X: 9G7k1-x]~$gU SO_#&yAHgENbatG[)I!|RQ w݋m툨Y ps#Spvx 9ԕ-.5ݠuV+&\nZhp`d`hjܡRZ2Hӽ5- /XI$Ky$ TzC5G-/zx2쉂\'_&$KJTwOk 'i'ȾuNmvO^m e,}pp0;<;\W=u^w&^Z|6h*I6D=|ޛqU߲u.aveӫ)z9zʞ$޴r>n8oyl! g hמ y:4Xyx7<13-7Itkc.e;SlY2w9G:8RF[o q[QVp an^M>r#I;@MyWP5?FeMu '@qi2+deX)*ܳ9ВR?ƚTdpַ=M-{@gr q uVON ;ުѻ~$8њ \pcK=Q3b{q@ Gohf?w|ask 3j2#jí*ӞЍވ+`=չb 6Ut2X2~P(5.!y[tw7BpWߕWQϣWOnR#?T?7=?yo=C_*ZxҟVn\*-5W=<gn"=uOVGK@؇2oBFQ>#hA~Viw!zeQ<ᆧ8_ỐLNy6g 5߈4Цm4C|ra< nVILdW*$LCD]\N3mrQ bYgn{tGYlj_s-D>gP%VKt^-X\HZmʴ%AX.q! wy+Jm"O{4= a5^~lO`"KNJC9q+n12ImlAgC*¬cw endstream endobj 1924 0 obj << /Length1 1398 /Length2 5888 /Length3 0 /Length 6843 /Filter /FlateDecode >> stream xڍuT6("LABa0$[mlAD@;%$DAB:D3~{}?};NV=C~E(FAB a0mp>aH4J!c``ަ hPĥABB@a!!h4P삄h ༏vt ߏ@.7$%%+ !`PC!`{!K9J h \!0,  ;&!C-{$CQP4T:PZ|? ODHԯ`0vpܑ(8ij p|@0 Ǣ`0lj TU qX,猂?YvppXvEy}E?ǀ:; N0u? ń$%D$Ł0' Y ivǀy#ma'00o Hh#Q0g1H7~ , QXPMOQȔq*)݀" $$,?x;bQh|~w.HG!'A rt !1! _!7dwloH{?x," -*;j\?3Hs4~egZk4v/DiўvI f&YwT<kGjDY icx G_ + Ʀm1gj 0DxQt_Tո8(/AZ(iF5,]= 'u%/ &5 d Uy6FOl2:T -_ܛ 7"BPpgt<xGBeRIGЕnlx%l_lq Շ_Yoz.Z\f@n"1b+;4Ij!#] .te& <2?ċB\ITj#$>嗚 7 4U[\ݦROi͌%ZzZT9u+^Br4)O=_?LfԢ]c#UF f}d?f|/s/sU{@Rcs+aU:h;\,iX RRl%ux1d"%qMꒆ|KYff$e7Qk.a+;z TL;߮QVz<D,2N|Ns=:l4`Pxo-Wb.;hi+> ?ɅŶSp.wnCe`aPJ^!M$S|{1K gwY2\ =̀|0Be= ~BFǤY 0GFBџŖLUT}N^4\aAT|~40l3ЗNe n]/a& ,^/+z`[,;_`Dy鲅]sp'JUfԂ)Ʊ'oP^&!`#qNOMUyI+PNqahN23Agc߭]'>)ҧ:Msͣc`D%Lu%K:Z$nD N=^$cUE ^q6Ǝ]9k-! >iV@ے U9](WR(o|@"Δ9K̼k7׾L8>׏ayi0Bڍ OEgKׁTS$< .~us%Ucݝ1Uѵ_t J,j ]⃒p7j]@bpTEFN_t$` gaI 7r׍0oܸeaA5YyPA})~iw6s|_+3<||/Z. !3td#d=?pKTXX-G5L7vp*rP٩NY ┪ůjvONF)_p!*&|Ua\[QV oτE\xAGrUvB=t+bŭHvDfhc_,!B=e>dj?nWɻ\ZKk"g%w f[0^ň|Su_? (51zkEWa|f m-8R JڴR3áDb[.ʖE?hkoAXc\fV^,Ztm^qMY{籨|# $ *߭SR3a20Oh{n7}ѨD$q$)Ԃ;G/9 Rڻ^ *}<9[fsL^`-iwmf,'<@{ +VvF,(*Cdg),VcW 8>S) Gp`VO*>&%Omot g_ra:#2"Ɨ 97cKTܣqa^={rÛ iPJ6F[Zիb&WU=B}k--_= .HF,`ZzWMWK'bV[IK_ica9 ,Jh~$3^Õh֧}RY(3q]Laբ0:wR]@g Dŭ37AZhx*l?T "Q\]|!hΖkAҍM$C$Q>A%~bvs#>bR_7T̿xEǾ6 tk@Ԉ1:cm$i9MU}-@3?nx{W8M H4, CY<V('^u}gw2MlT>8=z]0lFڒZR)-gB(V6ne-1NL{c#lc^ ogeծ~Й;d<ܩfp/#°y=܇Krɝe#cMZ_)GbNrZxYr@zNM_L*o\/iPa T+L,iNUuz6~ ,כX_*YU-\&,X9u{ՋYta)L|@!v3~4Y];-=TLڿ ȭ~)&{%m}܄4dTs*˶A[B=ǯ$ AONwew\rm_v?=yyU?3o$jHI6#d4d]+$?R}Oе`; ԓNp)},츅UG߃NiN3TW$]5Yjcij|ahZ蟅9 lH&n&H } MxHzRk^i>p?qu y*~=/Uѻ2_R˘aG쬶MF6/OnK?}" Q|NeiG4OپASUxtI^¶5fh"s7*=|fJ AȸJ(/BOrgh 55ɌjބI>e,<60)_aU.K/v=PX1,42z3>o$@*~K7}2SxP8ý5ɝmh1>mǫܖ_gy$Y_o(hJ/ȼ=ʢ S ^Y(N6oY~qZZ+"׊ ;"]Pn)lP֒I6djgǼ`̜Yߒ9e!17 xA?PU+ٍDv/G?߰?_j_율u++<3 ϕ-'2ᡟE/ʌTD3mc* &|T-Hyt(u1 6~LnY!O$q׹Z}ngydjDLK~dK$ߘݙP +sXIL|9*_ttV5> stream xڍtT. C "0twH0  13C HKJ*tt#t ){׺wZ|{gww?+g (a(^>@AKKM $P#䯛@B0P@@@(O0#@@ PB@TEP H'jkW ..w:@ A0eqœ9`(\v(?; GJs?CQv$ r``EmP q8B jgX]oBPd wr<0[ QCy@0_@# + w xH0B!FUsJ0kBO1g0;aYՙuq)`\$BP0x7t rc&r;l0C@|6E" Q+-F7揍Y>0b'C/k8?S4P3cp8WPD1/>, m\5 ]=e n?i1r3ysw⿪X )::sa/ZWFZp` }Z-5鿣j(F r0[ yP2b Ep0. qd 1!1jC^/?Pֿ'(B @$c,F(L 3 f13f7p_~"Ss @< ` 8Q}EPI;ڐ$^҉ P3"T҈r~zڌFt3my^J*O#^f [f#xcF :' L]Xw#nXvsPx߫蘊wSUnnn-KӤe7Yy5XAw/s):p5,,Q;UC$νRO_eݶu}(JG„Fs/2?mPyYܒݶ*\N8>Cnw̨$T{';[=l(@!0"QJ?`u2/X^HC բ#f".o ywU\ @4eڟvASe|[)\'F3wbqdNF}֠5,(#NUl`vk,mьH0Zݻ_0+>ʬN@Pف'ooRWHͲhE'B yߘk붲jrճ8Lo6e7:=)hrhԧ'0, 7͔aqݶQ.:2*H%A yoEVd+xEG Ive lyEis蒥ƍ8D'nLv>9QPFF}BI =`b[U|(?LJP=TtM )0y y7{KjnyzCPfEg NC )vFϕQ;݅[ =M ԛN9vy"V`̖#,Z&8E}冷QO -VE\ȮX{8ͪ7MSgtǡd (5&twmx X'+JɣC dY;ƹm@F!7 wy)Fy~ d!$gdNZXPW܏؞BLƷSy:Dvjqc/I/}D`wֱc$;=X7\]8%At| >;5m Q??-z+}R*^pzmx̳!xEVm2ӊR5hZ`]0C8BXKwSP=ͣ6BROLVYEnkD z>rLIsTKX i|OXIz&lCڷgXOʂg'[CCs& w?aIܧ  WEM:&49R#;~WI8aF J*סsncij?UKCJn;.ѭ wga˕Yw.${enj+ɣgnMȖ 76\*=*Aky_cKӟG|#p*GpiK/pIB6˾&g7q1 ̗~z\| ;$.ĵ2TXl+Tk6K ʉظI#P7m\~ycOLmAߢ=>*˝'![0@OS@yLgJ^uBt|P_=BM6ơ:FO{%sQ1݋1U3׃C]%yTR~S˩|بjEwߜxA"FNXJU,)1s9 K( cdBMo[U &6,?PqkhpnuWo62m0z0Et(8MfK75sY |{P+ڴƂNu &՗v Ui27qd{s/^W 侲O,jgaLX~)2e$`yL;oX/*ŦnZT,_"F[|8W&4DIa3Sz.4nr2cx'oٝ¿r<:q+.h$8*T7؜|+R<_ 00oĮ?*-zvSmȃ1^tStw"V?H_ϔs_ &?YSL 9ڇ;RP)39 JH&l7_y_=tK -Ȓ,u~kpShRWk5!)Fm_pʩmTHX]oQ(`ŝl?I~ H/LY 0͓OC}d D4M/jֲv씮bblsy`/hWT~W_~0o"K㳮qx3Ch5_k_+sjWЂ|~^FkdnB˝x\|m goWLHf(Q!X2rqjZAߧrM~91"XZ)"'즶(Ir.P9 .6M?%G"[!VɕҒHNow oR_@7|xj(AٔyZbE ._:tϯc/r+/m6ﬕ)[rShwXWKr*wraƛ(USYʟRg0Pe~꿀JGtb7 ˞X1y&pMO6txɄtͶ\ȥ$i48Nja7gURՇލ7qO<ˎ,f(rc`\6|i86`>r%XU0$r| ]Jeq;M6%ړe$ 5'R~%gxiT4b޴?aG\DGpVȉ@ݧxͥ^O"H$g@K3aO}DL=|OA/5*wv?JToD~2Y" N{Ps7>̹JPַ7Ӊt-B`3/NAv⁧9=?{KPe|sL3rwz(\ >'˖O+JÜ 6 .'v䰐*Ԫ͓Koݸ=revy>.$|N2r!"b~JGJtcD]0@z <7+SOX-۴өbuz[M]I&$O.NGQem㸻b>L7JV%kqT.p|׹J4tfI-i|Л J?'`U+5ܥ2(#Oqeͥ9i7ȑ&CN}Q;cj.g"Vj-eUNok@] o<țY㼏-xɾzBh0[XA7ND_Bv5> |{1H$)QKkZ2u60ҽ#?Sh-`KYTQ@݃z>/Te J6JuUR_])Үb;ùC׻[Gb܊3]nGo9 Tw4hUAF깞;džKYjYf5o"AVΟ%/FU%W$\7Fs/W{sܨ/i$p˖&N~ee/և5_(6t%Ӝ WUzMq:w4qFf_p"9ұRVh5/霃I9UMu1}JOT^#LOi KiPex Ċ'3:Ӟfj˭^L!ŏ'kwؽ6d-e&߭DjiUR$R}.C*V&#»'ϻj?NbZ2&(3炟z+G)QDf󺈓PM?=pYvGW~Dbloe(Qg"CVVɖK0]k+M|*_i)f4ljPF6Z Od9bB]b[fx23JtI3&ckIq.=ot3z\7~0-sޘiBfp.LMa+i}4> stream xڌP]Y.--Kp  8A[nACp'5{Sǔ$UVc1s0J:ػ02TYY,,L,,lV.@'g+{? Ĝ. N j `errXXxg7v2(0dbNV.4{ИXyyrL .@;PFSc[?!h,]\ݙ휙,hV.U3 h]0@weLuK+j.N@H`ke wyڛ5y#oc o`ne (I3x0~:;݌lM@17HAS3uYLh𛟸vO'kcn073]#{W?& «daae̿ë{:R*vtpZA݀'W"VV hae$Aw豀vߧw2s|5k J:ZWNT`dd^2nЃ(_{slAmcA o,E4Kb aQߖtKMGmlgehi]]@@t C4rZcAVΒV@3e+S˿oSfkeTvp}A?:2]ΠK7u0}8NNƞ!'t̀-1 0wpB=Q.No߈ ,b,x"n+b0K"6+b0˼"+q{E .E("+eW}Ej]k"PvWʮ@ٵ_(ο]E .Πݲry53yE֙8A/#sW9Կ PvW49A9LlA;/߆c6{l fV@'3~55 :\]AvsW1rV79CWR朿\2Y6hHP@Pl^At1Q9bf~ rf2ٻڙ_-`EA1bW5(#n `GHsh#W_ֿ[43O^vWS1 rrYw9'(_ӂ^M.N?Gw?@1\IARj+9P$/ߩs:F t9zMLCkCnE NSJe^tjwGM ZwIz-As%D}\ޒh:aaoPk/FLC'2%Vh v ~j۵ws4%ީ/dÀuWoZnj}KhJ'a̗I]2 ѩ|ðm*t.zϺU¢ >Bx™sLccm]K0ɷ(9l;; ؑ4:kMe.)z+[$IYv J \PSb]mOGOSRy*v(sH'pjr>.%13GK=WPf# aAFxAEb^u)憉A Ԝ<%Hf.Bp'Ls?Wz tPKCD4k&fe)xh=;k[Z<[ Y8|;g;p$Z/CYuReVl +IΕᣆG:iikO\g?SbJ--Jnz72-է_vMY։/d>|sZMӿ@8}z?O29[}JGiE w!9o1]Qvb"e(9n6%iʹJ.e ۇ/MI8z3~|8 siZhτ Ȟ; /\57.9$pJy`$ ۦ ROzv_^Zc$amɺd*P qZ{P+jVx ykŧM؅eLPPEzcښh8TrՕ_܂sC KNIMI!1Fp7@xCas.v|uecI/ 2'Ĩ`7Eh)n^ yg$ M{[.OpY8I 9ʣJDDp’צlou~Q/i-Mg  S*14M'nȳ,F>b0Y_%@lJnJMܲer*9 q˶>];3CD5X*Ra@qҫMrm #Q}DžIqoYIkU6x`uU-ߣ*j@*jlaN6_-Bq2i,Ƈ zfЍ;'|<ɦI0ɍ:ߎ zTmKud; ;IjNkEAAC+T&m"k s FGd k}ჸ# y%}I/;S;f)k~rV"%"A:hV_Vw/'Ou_].êBD\А0iZ [,yf]_pyBzJ)v- < I}i~)_\&iZcII%1ުKEotg7E"V J~>%.#<(7FS#9C yZ]ZU ?|{ >C:=7J[R!h=cGFIrFB.oeo[܆[ #T6KMC:Brc5ۼ&/-~Z|w̝о\m*2qO1`qV]W9Dde_~(6iFɛ{=$H"|HD Nq diާtl~$$j#|e&h˔M. BCyJ/'YDNk]x瀞aڄhN?}`}Fo/oB "U 5Ui~w _$o$Oq_aմ|mК l0oo[fZAk=HjĀ$5!Q1VX5s}6аri#g=6R#'Z;?IFʵ#ߠĠl/ /t>)ƒWd9bAzD|jУFaֽ;mF0 3kKYmȌ‰rRqd>*e?^>A{g0 fڊDOz5.$=f|& 6=Z xCvfszª윬|ub# O\BHT [YG֔rXuET76Wزm;&Zp04tw/XQ1IۡN:^aT8Ni"f2bFp./a ԑ,9|@9FUBѣ"eR==+8_'F$N&Th 2JK($̿8 9J.&Q~~o"G"0{$pNI^þ\j. #m**zQ7JOZJ\eLf}¤{i"8{r+b.+#sлjMZߑ0ȇH6cҢ&,$~Rwʈ2Ӧ$۰:9Y/x5Jo@ aABofxPIM^I\U6'kx%ۚ(OCA(m}vR?;2y: J-lThḍF-1B+H{{}[Z Feߞj'An/Ez*w4@ᘄe0+a|{NoٹT+^3O7w;gαBH)!;D[[֒p֯*m)t> [{99ڇA\wƅq9#ۧ%m?TP7EDRv\l̒PM3Urh)x6_RZћ8_3?m{S߁fpkB+}%D~!=S[/-i&P†'Cs۪V"G})Da!o,̸&O 0қ;[A3tƑ~%@Fmږ~iolѨ#>L?ES%Uۋ P,)me 5o}։ųt/^L49 3#DtKs'񧱬ysJ]f{}j>1H k z4 |rYeC8PLt@!@"?r!Zp鐗t,%*ҷOT,֥Ti/W,(Ȕzv9At7S9` ۬b*=?W*9B1P{86F[+r'lL 2U wX|7{Hr}KxS?]挅™И%.f*,TN3S򞇾i,:̋_*uq }]0ƒgZsEajӔHXR(K|&6pf (KDZ~g AݦB0Zޛ`I f8( K->n9,.GԦ0=:,d [Φs.>-i%Ν@i5Ô8! ˒TV ^M%Uur(v#=Н˜v@7Ui75ښtŠԜkr"<%Iի[+^x'5XM0^跨tg-c6XIalW Ub8 ;ԑ#ʲ sqt 29s4Bt`l_5xY(Y|(umONu&HqE;$k'*-XYn DҢ~sk [p͝yH&QA)Hnʙ }ԌlL5"Tj aiziJɹYi )tOc[cS?<>H}h7͘{Ψ~o}Fɮ5jb<\^f,CUR5j`Dt5TH_iB,blr9UIg!jہaVM>ohy9"^ی5pm$ 8mS*뾃܏/N< :fA&MF4)= r%WCSR%_Tb4&7}SuB>y9ޙ ؋k_[s4EG`S˱_+"db ڰE N GX˃R y\lSI?bq?/ƛ%9`Pn@Uv*T(0? 9d:4~)DONpz>0ʦ&w+o~%m[+$ƞ}<^*w+{Kgz)$rÓ;r gM<4#g|])X9;C8!E㫁h6}ܜGmh+cGee{(69-3]ӒApn~XE"3jY`=7(ՍPb?P-i4{jSXL EI&ELW] rx*xr0#*J6z/#ifh;;͹.\Gڟrr0oi|Z,hۢ|+t+pjg,]&' Odin UgɴF|kW= \1GJ]VW w&fprfC9iю́W2% ˾ lBw/'DiG˝ 6XAϫ=,ݰr^7#ɵ/O')QX[Ԅ;[7ɓßfMb IJNVav=uC+snǐKi U|D( ^hqJm5 ]iy4" >: R%H;]HՒI"Y{ =Q7~8'OrgVɳ.>!(ʲ3R1ZR~cBalvwk@`\6-tѧ_3vK:CT6Ӣ(6%hɉ71Xn}i4!ɵ Lv95B[ݴsHI(;Mzb3ŴnB99)^wY73iHhE!wh%F$^+-W e~ByxO|3u3yw0[{/omѰjxzGM2Q(:d\Kf'J,tDb~۶Z8IT<-%a.qiMi/BQ .6n7tw$u4N X({>$-zLR)M%$Snx 0{\4Q+8bdtqlZT@tІ9AG^ ^]apȮ| q\ˊ@)wtQ>Lewmn5AAq+t͍=vYJ-BZ}LՑ\ ʚha]FchʥÈAa;)Db37c(z0jʇ-Hچ0mw(JuW97|'S~Y,UN<CQ LQ,!"%h7/B妞Q(x큏߈ /N00<⺰>xDэ`dw;Y=@F1njWI5-‹K>%o\YuuK8ؒ,7UӲcFhL?hc NK@'JH}HEAZ( i$?P[CEW Wr]VǬ\Q\:9MC'? T(DCML|R49o_ 'XR*{hWQNt b1KZ藧=:ϋ(h·NoX(b 4TN2ru#E0PsjFO7[ ֦KۭJ TWmkzԋ_kP){}#sU \+kB |#۪e@7EN2qGtMd5wL5!۾~&;KUjzbr|n /E؎̷I3"zsKӦc{e 9Uת;"洶Ð.y'Ė#T#M ȣ@ Z4&0FHmBI4Y8<=F(1],⋝a[ mm8 fHγ:J ;K1瘂Ӟow6Պe!6ɆnB]ɵZ.$bl=yufGtcT_DMFEIMwrO**ۗ:Uϙ)\ɲ9 q.$"y.֔M~[~ pKّ\t)&O|5gegkhBy>tdy ׳-Ix*\2X¼#6kMG{ R<2H&r$i[%$@E Kr]?;ٵqxB$,+πrQ.͢oq#!潅lPN5'E6!N`.c(<ش3灯ZNgpbcOX"!TGx'(.k שW$,600]_l[>q%vpp ~;V'Ь_y({v$TTkEMhjgG8vn_V=($V=7Aٝ{8/pdb9ogBkgKp(T:yǚsǹ%xM8I&@$cP_1a%IkGqfmx޾f7" *KߜDI7ȷ{|}Uf&]̳{Q8"bp`9nw??̠L.F>b:UXovzw'9v>?e҄1.,BŖM' Ny]aR>7+gE}ozIk^즃ZGe9j5%E^q.T؄Hv=$_MF3p T&Ϭ0n7~Zh1]ut}QT/DFe|ś'N9^G0ts)ЊUlesnޓy5A'> ;GT$c&؁<6NG0jb<m3Yx^3s2w#B<4P+ú:uu$i?0+gdvI՚'6c&2MF:s7*3X9Bz>޹ )֘l e9f_@fO䘇tc<`Hd~L()A]D p9s0^ %?$T%q冬RX ,Ϣ oQ*jk7A<t&fqLrVL Q'NI>9$=DN$JNEhe:w-ΉιU8mHb#ewM5'T'/$}e4gźn>r T<@enXFANqa AKrBilNSSNa!Grn"Um?a&Q"/ o9Epk!YjgCFѐK| m7:u$ 4wh\.217S1f-ځ4bÂD>d۪oDJhC=Q_ hEdBLˆ+_EϚI%Yյ9$م6r@&?i<և_CPdu(P%6',DXf2!~*q|`ŔJ?~#pm iXR܁Mj2 ptr,nv&8OtKP0\W+׈ϝ@9N::(!2/ :LUq4ͯBҵ|$e]JJ,j̊qipzߚ=wrY_ לЮD˓M5d+'B(9ۀ'ɎÙҨK%šƛ+Y }١-rڄHBvVkjɦX?33eд6l&LR C_ lb%CpU^o2'=Qtv5VY*iO ALIYMd;)TȃdZ"D9:8yDAOOKI7m0tt|k Փs^WRGl}/?hm,,TݍuB1bu%Ofne؀ qꝊѲ}ՎM4OK2 0%m06jn 13ÎOFK*.zSl/Rˡ鐯Øoh&B43t9j!$u0vD&$ z ,ܹn1{n++W*M*;"p@9xJ\\h[DOYʟmWLIK3g'm 5ڏ6*b,΄_PwP\X MEg-ߤRA}/ضwV; y]ú~"Pڦ̷;Rb)MQ<󅀷?XvU|Ѓe7$sb[ˬt?MDQ/N4TXǏ`n%"=V" (> (! {*w[ Lo.-Hc|Wg$HUyFaxd3Ͻth#3` Mc _?7 x'.zg  sȓ}oRz\EZp&{<Y LPTwE]T?˱ Ϛrhtmrۑk֟ o+f6!csM7?6vg#3+[$\,*=0:DX&I'Q4ⷚeR ;xr:4VWB|岎es̆aNUˁgjhĹ_b<rwf|1e|giJOzFQ-ߒ`4Dz]\_!_bOvBH/x! GЖ-FebV3'G KWjySNNW vv@K 8ZHvxXaEiBQ;1#69J" J.U~̻Tn+uՏnF)e;Bo}'S$W,#j^on:90W[Qa#DJg VvHC^f MYWG䭐\[A0CʓIvrg#҅iQAm믉o6c)6m?>RVxX+-/R͞pYnTf-"YQ*`}Er +W)RH?G#XSQ-Q$a>孫Sh{\haA%e8J$aۂ-]}'S4IꕵwW+dq~f&?YWfT?W2`9L>igC =uV$N#N61*8,FY7JÑgQeK1! c4Q>UcS%|h.QDa`V,}Fv̘X3^u°%L<%'gYJttbswN"h:LWVpWyOEvJrR<#KFǽO*vSfKO1 ||z'n rA,h9=e[k6I 1\psIr)aa.4Ϳ t ٷNaՖӰߤd;FnmbU+qUnfBYҷH} p#Hj(_e=+ ȇrӣ)hN "D`=$wl7%0Oyx8U8'@ٽ+ÐrN |w`;wNي;H&iHC q +.5h Ջ ۍ -rzW/鳚¨@}0iسlۧhif%[dJEUC''ib c޳RXY8ڂ-Y9VV']JY_s>jӐBoBwY*V2P8,rT&@yu^6ȨL#I{ќ; tg-C5_r7!?0vmj Jʗvkiw  ;=+vu -od迣Y$)D襙 ^~.&9 ߓC 'f&\XsݚksFb}Qs,MDIpQq:h$J[5UzrIǥZPY1b/D)n"~ -L'` az:Ф:1'9ALGù llL3;R9}K]L#f7?W'g1emY)O,jad+jYE%ei_|?=Dq9Up='Ax>ٰn1"Z9G7葮}L'ްnL*Au `pln I ~j"@ SYak7m0c9>cƎ /OvϟXRAp B~A%Q-+LP 6uʹ!/W@ eDɺKak We e$[>9rz>j%cYuWzP9Qbqz(czМՏ nVh 5X9e󀟺ɖ 8B#mQ\oe Fz?C`0 ;"g?ۘLyהO9ʆ>S4W-&]ل ,ki͖!%m$t%zѰX ϠqTߨ2+OcYs~pU5IbmWlN%LqbB1B?G|?H% cQ2C㣸QkBA} ,?`"HG9f:d 8 L| æ['6'|.!&|UPAumUUOKR'mb?bʫjJd1;QqU`A(!5\SNo{EvI02d ;&eOv&ϛzo;o"UPkIKEe4ȫ>sn|]=IP*'ƞj}r)%l?%z>A'lR\01mzۙyKƧx<:}D00wzt~҅}ʥbV8,pFK}eH K[4 T OpT'hk[PՍcZyXBf+ax~?6y/|bJN$ƝڀYLm #ְS{Oϊ6*<=~=%҇T'Ә6jߖw$e̥sěĕs>b,/ B[Wk57`K_:]jAw<]7~QTҜZCZ(U~NܵX8*5azfڃ͞V?T_ IuxDVb:dǺ19 QULqԳL$SpBD-:!it._p644yW35-jhHg h.:) {iݓhV,GX]wyꏃc$JBM0( Q*wZZϦQY%?L 7` v;h(r hC}NVc9ä4&<$:R,qP>V>d1 m@R떓jbC/ pmԖetȔL{*-@aHr2Kfa͢ܣwZfl3jz8a.( iY6s}̤DCVjm(gMG@vHNy*vŖ܅_+zX;VFW!],ZHѴdp RS;Q lD~XfGyv޶Z>. H.393xO{F@mU9H4~[&f\4oKVHTEIK=^@H"!_49n`Hg5ͽQ(UE^?'ʰA'|Z}xe 8Ziu> ,kA}PJ!!˳c;Dg[c\nV;Ln7D!L~Q\P0JXg wlj'=?PO,.k+n -ɯ=WDxJru4ۀovA㦺e^.f-^dFsê4Gs'xJs\ CQOCQ9ݿ H6MGjK7ܣ3mJZa"?*Aݠ5LʈEQBd 0}@|9(: .U v[Ru@|.<)R(r6x1H~Ng&'mㇶĬQ)-mrpX!etv_xDHx6HKanZ"GchC ?5 {4W9@\qdC~,-'׻5]5`ϗsM"q&1uN@Q?N8K(.݁XDN" l(X__ρAz!~Gؕ"1Tf ^*C$;s(BVxiUv$ն$-:oB|1^n%98Yet)Cm@Ov|.Ӻ$~#bgZ= T^E4AƏWn%:KK9N#oA迂`W9pbiׄmM]'2^{1.߀tK)A^lH"(<ι89(NR4h̭U!!<%7mhL:/aph8ZSl$^K|˕_& }9D+a׭0Fg>Q(%})}Iw+Y)Wg׊ {8,jԉU]J#.( X\i4u/ 7&ӊw>eu%l({\*m/ І:^ <<8_[ u ։Il}'>anw 967]Yy};m "%PЪ[p&U_. !.%;o3|qܞŎ]7 /9tz0c8B*80L4p*hF4']Rš{ź` PezL$D;FWb#t \A xDi c}'q]0LQƠ dT*a<6Kg?[¹ K)ei٩;5E5Jc'iYb ` \`:9(F^(qQy2rslS1,F+'+r_k l:sW܃9Ul &W8Bi]\WGl(57Kd\ "4Z[ynx-/ƽ{W{v)瓉f\"h nZ xa#)z2bxmRAUBaۍNt$E8髃Î^w72 $!лAtQظa& pWfe53 ˮ@CǿJ}r ԥsa+  0HK.R kO^U[ ؋yBACHξU.D1ށquY *->!5` 43{~7;Na w]'2,yW,A-$ULtg͖P$5,Wμ~)#x/GА%և*5j|p((}Fآ60 mޒ8j/Go "$k1~3*hubB֨<-cyy٤.տq0nɷ>`_b cD`?},e@`.y~ლ KcR$ x)z\cp>xYіDڱxH-~KY~fs);G a(zmFz4>xepa{?b؃!6'ɹбxl*Y25b8*2g۠N>+SP@nktD\AcjQF8Ƃ!ZEi]U@7&2!`"'3 N  4v~b` q|+sl~3\[yC^e{J[7;.Z6Lnw7L'b|269-1[6UZ2d;,H(1TP|AAzMc#[PEĉTon`l5``_lcKE|=skXbGFu}5*T->Z7&=͡$d(apYgSDGBe`M;.W|sE I{M2Obn3k_zҶ,ɤͬH_|ӓd'j ouQgpՓ騢/Z 9c0L ք~@$ё{c 4'B<*f껚xs]5 HQ-J (U >v+l${4r'wډLK| }SGk+p`5{ *{j_u1Z*>G<7~ ufF^` {iu~x@ d$ \ybB~](Lj,2S+g@"k,.T'%r&̚:2C!"˖YeLF Ai&L˦sJ €;-vBaOR%LN5_c O25,뙑AS0&pe+ u;t k1f/vF8mc gB35`cUAO\бnnP3 ߝw5`DfK^bEЃ(} G .Xh-ܼ<ƀ(ڟ* Q`RG=$9WF$1/bAe$72AT;i[)sTw^ ' N{ r)beUЀLGI%gMlϦYe ӏU}ޝZ+$R};, 8?9_aoJ:.Ie` jQQ:hfșB+k N?ʪ` ky;̀ƣO$Hs{P2#4k\_q St*_ht"bM_㶞(6ީZLO[՚@(nyIm¡y 3U endstream endobj 1930 0 obj << /Length1 1458 /Length2 7016 /Length3 0 /Length 8006 /Filter /FlateDecode >> stream xڍTl7@Z%6 #H(%)) )-tHHIH()%i4}ys~WWEϐ_iSA"P$PQ@  #8 pH`PS0fHP BD%!b`0P !K;H;90B$$~a^p{( E917C݀H{8 \R($'u@z9p(g s*u.L4r{ (? 07bku=`?Z /_P{{G8n0"~Bݼ/N TB1U- wU!WLHww  fzX]H?ppU+e`N0P I0O +Q @z1%0 Q^>`+- 9c`3y/?>C< -$-Y.o  P sw=(,#@?b}>_ w,$0 ?1_gvc(o>*>nn\-WH g]apժG8D G;ׂ0=7׃䇀l+ Y_G:.AQ #:3@ Q `# k"B@#CY H1 o@XB," yc P^c?o_xyav70GP`0{ CڇOjG'9M3s^>g$i/s—ӆz>)s3_wZZS΃.l &oƞ32m]z'+JTB  t>[e=%+K:RWyqYf+ib4-2 [ FOCns^{.?SgצH2w%ߕ[|=Ci!zP:/,?_4O- i7ۺHuX^2 -ػSNںydR!O_%tI5 %0`ՑTkT<$0Qz'ú$hLA\K{tt7) 1MFZ?@7?S&h=y~+PsVHËYB^_?s/YfS'!_TgOѼ:g 2cќaM猽GwQ|p!ZLZbޥz[hB f_XՍϷ#q%* !hà3; x[?]OZ y4$1gsVbqRU}M} .$c{ 3m,I鯳yr١fz.0^9;yEҼ;jN/H{y+PrR# 'Qd_4("Q (?? a} t'$ʝ lGmFKDvxżM;\I,|@_֫2H47̯6coהBBnУn_@v2K I0ڇN pp\K0SZ'KJZbAgxƴ`+pEˇk{7â1-:_~+=I`'"ӝ.C%g8{<+]SaGg7,-;)AlC}܃4TK^Ӎ-!E #Nj/LI' (a}En1`Cc혘.~QKZْp27?lkRDRxmfumِs`\=WyuCS;:0ht2 m"jT~OăyeЅËpCcD]:H8"/e~ԗdĚyc, I[;B'8*6Lf*ǏELɂLe&u<7pKKxD1]y }df/_;*» 1+;m,9+"kB'bP ^W,/(ݥp*_ d3xS@9@05{'G0', {jIk s7Eb$`lr҄6kq:a ٺbL!7yn)IA]Nc5:(O?}y"J>OV5,i_{ĄuHq)*;-! U7Y{FW@p 4!G'ΌMf> Q~m`F\rZ(Q(,nG kSB&._?v*rx*h/W|9̐Tav)uJXɽ`4:ep 2T}2m{Q5!ڧ[im%!jl/zIG9ce˰sY&6Dm? # bn• Or8vMz;L4PfYXՋ EVuFQ7*SΎEVyבZ^u93Fo -J󍵆>ߗbI7Z-DdzO3Pns60ە[ċ Нu#e\"Puz#l̼0VNUl}֩'kQ\1 *]鴣KAYXRl5>ID  @]K!2~ڞ9QVV̈́TjrSHjZi]jx骶%fWG=gCr{ba$ĩFtUQM2{di$pBBq' 2hb-w)h2T!;^0R, $/~Y5f!]mtH؇aEj6/~Kg߿oH~B*-ËoϠhA"՛Ek5]%αcWe*|_zW9I(L}6haweGAGDtW1vҫȓ2`KܳǑvެ1$W_ ~ Kíԃus->6/W3ⲡrRV{/';3hĦQ_m;憎؁%Y :VeWH  =f';-ѧ|">w /AJl5є;W'huG͍6S7_΁t %QxA;t޽+)ږFՙ*~#hLʾ1w4 vWeǽ$ۋ7| ϧ J6Cr?xmEgS:SI.Y"HHY'hBu /aH}$elwfJ.WS9<xÜ&8_pAQN!@RVD4%猢_*qݵB=={܃:b 6W H85uJyt߱xw :Stkf0oCsbg ^\9дoIܽt.m9ŝZ5W̯ Ҡ[H;4]okӭ:cO4w-u5˫*62(a,TwKp.~ؔeɷV+7z@ H֧Rg-58AIr'^ -_( }>po pqG|nDdj}d~mxǸEV&bK}j?1ŀ|݋bL ]*&L ,*5&7މNJkmt*%XE^\"Q#~vW%k>C<8ϼ|Gc3XN sF&OʁRvPsQ 8ׁcϦ@*)I[-/^|;}>MR85bd 6S+^PAOp~ Q(OByЙvceYDuJg5Kj2 B b}剩Z3[tFG*4e [<"bwsւN-tڌ~&찰-NX h @2$ƮkB(A9{W𿡡zI v7i4i@x|D G 2w$~@2AZ'/d[$C56osJ-MP讀6T9hv2Ɗ]7\p3/IߨH8d(Jvx=`Τ'm}TO'\ `mw30tm+B3gIY+2Ҷ?B [FmKoMQq?ߌS҈pt]ؑ TDI\e)2GTCɸƮPYr_RNÅm̸A/oq1 E[n?4]~ m^zPoZļ ;(QC(Jh 2!␽A Q}sF^ʼnİԵ30$g΁?h+Knv$nM\ӿSkƋР.WlОYWf<'Cf&?$rёGw+". kvI|fVIw7_( Q0b4z>FhOvяr(3oyȓJV2K0~S(; ZK\xi]hEC^Bۡq]k;[SCI g%L}zި5Txe+E>ˬz6U2 $'|^ٟBMW#"T7^ք@_GHdX |}Vbֶ/茝aԕ3XSγ;⯘-OBGRTnD̾HD[[:Ulh-B=|ĎEVءbwM[F`sjKfG_JelbݰI#'4j 4]Zw :Ȳ!GBoOy= }rO|ƥnWxTK*,BgkL5DFc㟅|mNdi3 =(eXf\ {<|;Pj[z=Fd-m 2"$EV9%Kv8aM<}huCɰW4D:{[l/>8+yK,ȜKjfzIc ~7]Ğț?sb|Ba[;e/8 3:VA qhP=s[16"wZ[W{)q=KemWH>޽-zju1C-ѰBTAalU{ 5M{|P37rN{2ɂ}o嚕!+S/14hƾ!0[|@7zoaE/%xɦ,k3.Vfv_;;k7~% o:QtK EWRL=gOsWU *vawNzl7ޏɩ >HH>)f>ޏۙ-mVyyUv28^E%io]:ml)sYA 6閊)QEiZ{%A&=BNbD,LX߹7]LceLzNBg6i(f?%|VIaW&z޴/3KPE=-zP0xyj2rD5:7._U:O>:;O0IgU7c뚕w}A{ ZoYŦW@L@dztPN:86d8ٓX\),ruϋ\B-4}sg-]rem[ٜLk1^1!y4}wz[j#LUHHDH0U> stream xڍuT.HtHʀtRݩ003 " !HtJKt# J~9νkݻfw~wY m`8 (j< =&dg7࿴&`I/" B@[7m8 b@qI!!ĿIb ha`$!"w@Ve JH ; B9o+ڀC \()G?x@P0p~ 9 &@0r RP pBl0mkt]r}5 ;`=tUPh" w u8"tH@B'apgg0 $ݟuO?ku=` 0[#غ n`u=nU(v6yovnGB?H;B}?%B ` A?o`# h-ߟ,ne A=q\A #SSC]?ۤGE@!q!? w!O:[Woobp3`?7O ݿ?A\ zmū[ /jm!nmUGn9 !HlA8ƿ zp$ U6NL[gIe 7E Ix[I -Au`Gާ8@PH h$4#GI7p qϿ?`™)KʗM kC2kORgn$xI/I}Ⱦ(s}e^_ڐxsio0He{w.&F~#u+W@'zV WG$z誮ف5r1M1h( 7֙(~&|}48E FKmڑԖhcHl a+o8Ѓǯ9KA*PI7W3ibLw+h{>~šC+8. B]jD@/AyFnwrhj*&*G/gAբ Z=~2Z6z%>{S(>% M * mrmB>Px93Dh4vi[pTȊ4" @ S!zAv" L)z}#P}Vɏ\dZ_Q5fԌ gŏ'E(FP0E~c.mfaa|5ix-qR읇C;^rх/Q 0^dy*cTvG{Ph`=6?̍QwRԩlisbF,Be'wd)vtJT[*AHXze3M *9}?1CewP~07j'QS8Azcٹ!cMS5dA1LpDyøqYNrͤ3)!qy g- k[gcta~?x-!kL8K7gf_5#psr7;բʩ g.=U`/Cz'qw|3g$߽&{^/bZ]& mƐE 4,(*E["s~hXN3^.ԩj+ R$ LѴiunU։fMSUe %QL*F&UDfob]s ;lmk};C(NPED%Wjhp 1ط|[_yCV9 Ȟ AM&c! W#]L -\B*ܱN#혤`{lVCKd[}FѯĘT#}r"{᧘Yl fߞDPt},6s{eû{]~^(`*&u!焎*/5ca |Tu^qdMϚTQ?XBԤd\m(?y.wye-&ևo(1ta2ijHYW!"L'L&c!زBwvt=sVSmuτU"B}]ݝ[kwRHg-wt~ o$~-&_g_dg]19It.Ⱥ,b/I9(t~]`t4 } ;3N)LnX-wf(v7MM5Hf1O;KΉRLX =Mu9vL^9ֵl~7rqV LcJ%>D|嵃ެ, 3#ϵB" B7yOS 1Snt7X!oDݔJ,9eW4xG8w+(7'+ٱ?mr9cb*qY#\ҹaZ WcĠ}"[*AgF_i7drYN\>#N {OMz9_YcXJv DecsG$shac."[u4 Qq{ )2yEjHPΉ%׳h} 2y_jv*btLfŒޓHy+ֿ m{EnhE0_ަg|θw5.Klѣ6QL_MUT,Ns,ɖ> o ?] UJ&)9d( r̴<` el{v5]tˤ:H$I2甫 ?sy_![7\\F1CM'ipwP]{R4޼rrU|[\nY+j-<5gZ7k nhiG;^lC 4Uj<[#m>J+, R a'eJ J]$ڏ85NF.ɒ0#\a$5J(a #X5 i-I߭ɰ =15CbK=`,͆nNf 1p, a!*jmm0y14sWyKYbϐSFMotޣɩqBRɕl_tVV&}ZVzUDuQxg$p.̛ڵ&IP~ϘҭU9u;te {oqV|O3vV4wwYb:-)OS'&p)Vl%wMogX^RI[l|%ΕwV $'_'O6GKWFreMu\CDvYR I SJ#wv*uLlƓɜoTP 5/4E\XY>967/C)k buL!Q!HS砶iH}Ь-Ct2 _ȏֿPIOE ". hH $?NkÙ|ˀ55M 9?t:OVϻh/ , Ye}9ȬMs(G>Ew=0,P>ϭR\ԌOt6bc_ WjXg?J,zqgvx~k6\uo~ =U@G"gwCր+P].$ac[SSk\]a5QiL#UWuixX'JLĿ_Kl l {FA2bZʔ1h|>ضXb\pp=Uz M 0‹rHuZu ݳyWN8keMAJ'>ޗcҙ~§%@qs]nGϋ+>|` g{QYMPq1.dr I;PIE;jûؔǒwϹ!mDug:unI_a6YLRS߲UF1&ŭN>3CN9a8i4 Þi:үyyT0Dxƃq7Ւ kPqqjiV-!(Szim_0v_#`h(4^Ash3YvG1wP{6 mi[Gq!r|iS*sT'!C9&٘aZ8ϊH$t9HsQaf fK+uWPE1V4.r1׏#<}iE qT֨ D'-'Y3ux3co ^ՠc0^zqtKdS4W ; m@3ƮTJ7TbJ1PJErj.Ύ' k b {4[vkwVG?|xt[fyeõiO<N^,]F1-/dsT(Cb)E#q `B:iRQQߖȹoø<]>-b6NTgnϱ1Vap(X)yu\޾_anQeQ{&W>YaeF<]xׇ/O6hnmgk6m5S܄D.4:Dwҍ?ꝍX.kp(XQUP'(j{NiRZqt}DtCM - [~[N92 $$/NA&-8h1)MOz[zjyl)>q&/>?6#SXws hf4zB6>uW{*C4%!]N]R`ɠl-5*mޔ}j9CH/B cHo53Jny1~ ʝp˖~`׈f潿%*yj &Y;wXݻ4u1فp]֨ l|QAJn Dm',7\rC#N5)GD`9{ゅ3b"`*ZFYa&=]evA@}pJ@ /3h|a TSY3=ܮx&JK"cҩC=wY¤h  cM:|iKRJH*6fgeLm2^o2?&+ ~*A9nH^&S/1v"f\u鿧Z=yt> a"7|);Ygz-Y"*w_%kk ߵ "k?:jTPT P~#gŚݳ遱*]`NZ/3 /,hOD1wSEx^trԕ vsMMQK,d/>(5)s岦Txj߶Uh DmlT_X9SD/8^zŨ8'Zs6~ 4O_Nq垁m/i$.]N߮w7{lr\u?yա\ZD ~VaX4t܊GFNU`>S!6#ugtnNb݈EЫPنLۆ8Q됷yW֏ouon[Q&Qtb(|,[ eδ>nTұ a._y!xT%"P60~}4HTLư$H]gJԃ}%9vX{UiaV+7R:)s{@,ݒ" [qղdp$/IG _w> k=RlppomI94^Y06#SHgRKS;cƛ} x\(5DjUдm紳IJ]sLQ]5Bk^ 'ח7 kE"FR+c3zl;MUkEq.z/peVV1cl_yYx媿K SBEhᑍCyLgSFkExWJL2h!یMoEq2TWikڔ5ٔ9 گ6jw&G> 7wEWs\{c lߠơsg% ޟ_KH$cڗ͎PgV2GyRcm'+bT\ͪu Z)*=No 5\fuQnQ¡ʃQ>Ps0hץv@ VdW'όO:#jz%l~6:{"hꋴb{aH/]KHb\C%Qh%v~hkē;hP/F^fF /#)Y3xN> kV$kՋ~މR/ǒ;j})4NEk أPC@V-Jv$%OI17Tx1׾iSG%H %?Y#mkzSj=Vgg_#yW?} endstream endobj 1934 0 obj << /Length1 2289 /Length2 18916 /Length3 0 /Length 20268 /Filter /FlateDecode >> stream xڌP\.ӸKpi!ww'8![pdf^սUWPkHX9Ye,)M;;+;;' 67Fr / 4wI8.  ;;]\ + +@ tCrrqغzG%C@/u#di_=Z;,A@w2A/l,jj# 4n@WOwUsG_"mAnݽ]Wv{U[]Z 5g oa) smKA@2;3l[U`n*WY k~r!o3E[I99:nH-_W[N^`A`+)Xy8\< x%!<| mi۸3/&ok~N k' 7 dڀHλ쯃`u>j.*_ Òtp X8y\ׇnOtN}g1mKub?nn<Mo+z88ťpA>Ϋ8n^Ws_w@lOAn o:Q9@u'7``g_׭=n 4Rld{8yx殮>H-~E<?5z56V 5+~$~F6?&ؤ ad  `l Ыw?՟AAzlЫ7k~:kFz W+z996 a{l&`[ r?zo̿ kIl}m_OWڿ_pW1 ~\/Ϳ\NOP6;i?Wί(O9Cur8#kq'𼊻^? 6xxbl5@w/)_𵄞zrjO:@׿m[z&q~ z@K9'KPЎ: b/qm ,~hi 뮿$҆0Vdŗȟۚ#>h??&iNm#-L}(>h E$ar nVwGS/ľn\ ةUB~f{kT6KS`Ν} V bRQWgwjmNBjBRk)Z?ɽtEy򒕯 m%y+,{Y /c]?t_W|1uTím7vuYKv鵶 Yn||HG͍'؃UWu8齂5#蘮*O}\Ͳu/Ƿ+JC_\=gKbd-)DABKMY sv%Y$L&Ѫˁek_11ܥ^CiwB`Da輓mn |^-bms< [$ \/iΛȿa%ܞ!S0 ttjNl8iѻ/iSE|Z/WAG(o#w|*YQl[SL ]k;6J>9_eʼ1 5 n0Ӹa0[_*da8;\I5w1&%3 5toiCeQ(=2N̏L_ԭ0Qt#3ev&F/EܞvC6+ͫlgHX Z<KI >3-nԤVCl3$yhff=- `]k(W%Qz:=("0 1ҧ:,|7)V?/~j[z$[h M- %LUp0{0-xS1j@Ca+%Ǐ=TKe7<ό>nԇlǍ#J0~o}!ACf譠_C!@1%mha"c*2YX]iЙ [&?0sB ֩OLCǻ@@!epcp~a`']$87+QeDpخ5g,[Ӧ:o}+LV""[e~6Xr; o)Y"]Oڌ|ITݲ66p7k[nJ ކ׃R6ywcWdSVd1NJSܓĺ&8 xd2=Q-p Q\,cr} N b Ƹ b:h |9>BgQL ]WnadU?EA:/O%L__ ph{1*\꾴ĎE## W"m$-c3,3?@z|R%Ϧ/LsƥWǔzPMmHj४O2\4|Run O6 Z>1z}V6kn&>JwHm(u>m\w [< jo3 ^?HZ0@4n}ZI__0}rSuSR7fF Hb")s|9q Kf0_gUCuŬXv2t'vR6ǩpd@dtZ'O4:NGA 1W_WrEOckFз). G8V@qlVC6oSl<\m@3EBXl5:uXNaE0DHc(BOхajE'(JDP&?EtХM>| PqbRh措;=8Q  eH DF tfbjU0\Z蠭 ҫIK`8^S'!շ[om [7D/c-Sb?#p8ˢҜ@i w&3tөWiRVΑfHPp{&jH#³ɝ8rKG?ω!jnyɪcdF~nL9iީcf֎ެGI9^\-AC~q,i4k!LXdvL;] Gz:Su] N BǺ]PRx`|ALz*hʸW6v7^䠜^?ee`̭OoA'̓0=i SbgzT,te43Лy}e[/E70Ό餼*3L&^7R>d^EJ*2\Rr$0*PR"FU뛏Hm\%憲59<m]мYڼPjW̯ήD\_+ͳ.#p4qz97%ze8W])X0E&.lDh&6FD#!U:4`mSX(oz>,®k{Ac 2k{0#+Gkgߐ~puMT厚.𕦿^'ɴ-U Ư8]Ur)#o:@c }v~&z6Z$z7}@ LK[Sb EjaH. % 늑1QrV;$ 6:В"qD92p{.oRτjrVZ-ds@WaɈRKI*fU,!۵ 6BfqD-QI&4sXX i5Vl}Qms͕Ɍ/*'B!od&כ+y-/{Fz4m۱?wZ8\7V!P Q M=]^l~I \B6Wn;Q9z4Pv:#ILB|b JEȥKpXH|#,(H*%>/Zgs-c>ڬԺSueYݞvRr=j|LU7"F-87vAw.]2(b97ΞH22dk&Ux.3gx]6OgrtR/K(2+dù2*kLv5(:4t>Do4 X/9C4FB`{ĺntuh{&A_ȇ@ϭF l#r2AXU d*M%=XaZa|q`Y+W!E)Z@h g9+UYGӆ6٣"cS0cG5o, rzd[ 8 :/JHd%Scq⑑]j9 ?]MwUJ*Q\CߛbC(XJ O'ˌiIKS)Ő i%esJdnӒ4jNXcF3IyGXH[ nL3P)HT(MjJDeL @pYk^I5',/u)+zj41V.-nl?9֙Ү(t +=(|xwwr5؜I'׈դ,fiQIߒ(JX+5uT\y1n>>Ӱ@uIA2#8 Քض}9w?qꠞ <Uo!-s> TqO`r_\~Ϻ* a ʄcEN22ɱ]/(T]+q^5ržlᐰ nACirߓr<$ܞ=) c,Gߏ,Q'O[9 +0f6CkpH 'N~nK^TiFܔ+2 ؁bKT:q~DZ kB?Pr1Isݻ4Ho;F{f͡B6Ydf[%БF(׽3 ELyױ+z%ٟ8Сma8enOAuG1{2zqJ0:kċzK f/^rF\}}(i2{HҼU>e-y =Pܯǚgˑf:Oŋr=W7>/*O(f>̋ΤF\q׽x,t_:6x~fi^9\+)չpGn_J Tw>SdH6'Xfv= wV7WvSW|8Ӊ#,'T ۴b6@n|:uUa 7H}rmcM+|ă g  G{X}OϜ&nj1euWũ;t*~-'feP[+; m% BI$5`9zIC ( [W Ϝ/Wc\gZgt'NZf, ]5aB,K!ӯj-b- )t[TMitd?P?vh!5I: `H<9*ӿ k10Pl0eW&?l-][L$0j6_= ۝x[Oލ$B^?l%EhPjR~P3"H'<M~QwGy7儬`.fH_?K]zš[Ƈ6A39RQ?Vz2- EBHohq$&[Nj$,O@| L=gJP>cP*SVб[D0&emiyoyХ*5-Gu pP)KWe jNT^U(*X3El^A5,*؅AQm5s܏D8EY"n}OAmCq"!o&F{l;7ؗ &V4ٞLخw^f_GGiZ.](}U&v<59eU>PR<"lRͭ'^'<ξ3**/vՎ Bzȓ`⯆EKC5K#`v qqtgzXy}|a)НfE.` Q,0Ufzv &vڨSL4==X3zMA;)Ū|slS8ᓡgB#-TƣUVUQgq'6痊70Z5M| %6v K b@ޥ9`+ t[[oy4f%9NK$ f,oPU&BVaڬ? ]sx11~G11`|(RWtΠmīgFha t3d:{&.Y@Ibl<Wň%6N4Y߷fG%liuOƖ|p؟D:ťEGMkz~wOg ڒs<zXz_1f"eLX5E=H;<[H ]Xr\Dڵ|%;U Jyfա j銳R*D嬍V<'pT'd$څg؎dB#$  gyN &`nx4SXrUUق8J"~pot*ǡ_ڵj&xoRP7ƕ| ?|1+:}@51=_tH5;Z<[=gl'Xd75c':ݟۑſo/ǏA](*7]UtxmASƷs,Z=t#"j o >#~QϽY̛bIݲf5, ,fY&nqWJS7grz1?i+jD"jF}a`>T${N۔i9k 9kԼ)`7}?ȋ.;&WQ"Z+U 7׭. G9 E| S$FeK)@TM$6.V== }!K23yZ {xOotDHb! LZSYݱ|u.Cgi_¿oAQ"B03My4zu5Ջ{ ~QRzIqG͹ Ÿ!-m2u  Ѿ}ɣ<3<)E]+DR,M$^3]Ա|mj͍{ꑡ MWD޵Th̴M̶sktd{m䳞$>Udծj=:ȶ|B?+U9@Ȼr?̊,"B)k>H8$SEPJ9^KUƁ o¯m4LR7Q<\ƐVBj`vF$EvBY6f??WHQ$Q!ؗ }oRgzd(CUV#I1˂4gQXOvAx&H08|:6l}[qN+{fr.$FLH\:i5(=`)r;\!5IdLWycFQAŎ]e}b|QUθ5/Y>xTEBjgW=RfsĬnH[3 %KBE꿲*W:":ʖ"E5Csݳ#/ԺL^Em`tMfi(~o4a~NRe{)w_ڍwԞqc.˟q Ξ9KՋ{|LRp#]pXܵsZ?9S!v߰-uVE۟]8m2 ++^yk!!!~0یI'UG'bp79YĻCU*zV~ٯxߊD7X~*ZHzq'}"P'@ IژH3^1{wl`k.%KBZ>Wqq@rdn\]+1o8 !Dԩi㚤37DjϤs6YakhZJУT@1F:Lʔ;Q@ӆ}xPTڒ3&m{pah)àŊy'=JHUYԏQ?:)ԐD+zL&vIs4yS#@;bfwPDU;3KhfƓi9d6s]Fmں].tjxD2M"ds7՘ B-}v>wfc@ rou_c7a9^抖i'Or+ڭ?h˙Y|h|'т*V8Nc恢έm8 ̪hB|> n?酌<ǝ ݵn0!<B(ggxC B39F߁.[xa.`A:0S9z `Usq.bc*ޤFqԓ0zп6 D+ݽMq.Ӑ:5ieH~}'ఞ8TqELBdWѡrQKVpΎ8!#o=0&y Zx $ |E]g .ZU%O۔ŸZ !͵C?%-/jUR5Sۉ77b#+*tFɾJqA%Q'EYmؿ!2n-Nf RrEC9HuZE4\<ij~*=ʤ 5-}z< IWڲ쥱|y‰t;'y=no̽cߏ=VIL]眕; }kl(W%H3{BQAձt$ u鷙聝tܮK& R[ͻ Num~9#`_Sf3Zh u!K`(#c.MO(CުSaݤ]2| q)n{wo 5 '9>4В}!!Q`RrXEn5\κ={tn,Pv>u8RGQS%G ne"wNjhca:M 8CF*+Ljj%/x_O<< oG~]Z~[Pz`^t"˺O#?,dؔ!wSXwoxQz {8_FǤYg9l!x B7Bs;V;mYcY@ɍT"MqV{ i&l~vw&)>hrv@SoS S)v5IS{˫>2_9 ǭ򳊓abM+Z,W636|)Z-GR!< XH\T›k[ )エG"Sx&s+(T܌`5E8M|SRaVQ]HHp-Ά3-ز"D2[cGKWEZnZ(IܤPXPFx4Tl|-~8a mm%˗@YNeXMtjKkjVE8^(\a{І(`j8Ù3ڙ0\£>lځs囤7VZ=IFB {;ΩP2 P.ܘ"8+mSїK2OuDX=p3 ;dϹ7ͱl "ZS¤Pvϓ{+TҐMAv_ʙDsJH Q&IDΓtYh25A>1w)qkS.J

++ t!rm HyCÉ Յ{Tۿ:\ˏIm=D;#3z~2b_{ǒ-I WSנWҬ;(>bpsM*|}t "Z(So<ևeʐծq Ȳvre]67C6>UGeT ,X}X5}VО3u|DoWg}typLbքt8RH~Hz{/!aADf!Ic#{bUk%fH]+Jw5?Ws±H!S7,N#3%IxF;9,)׶?]zElRH (gh~&@C[qt4{t9ɔܔln!PMg~I#XM)^?BgrNS#\9O[%p9*JUPQM5^8ϹM3O?d%iO";#' A5. z!L%dg&Lbl FbXьƠ/LAMnlO^XdثzXbݥ\0ٷ|<>Dq*MThv^ kDl + [aOvяp3\tۧXlcM~9ğq44㴜LFϺ"6Ü܀$ԑX4OQSG# |E '_] cRS4yfwB?U|7 Nt[ &+Ub1|i*v2":}Vm NL6'T/ΙȜhn*Kq/ss PN7i1S.ȺIW60l#0 / <3M)Nc}#:!5uE'ij}2ɽ#8M-6}a]v2,(/ uhv896W a>\L=w}.Sof3?z5W0lhfnWLz%#(v[Ww3K=Pi%šny wo˿*R;E 5\{[?Էޔ]~ u c )˅zmC0ʮ]IiZm%8o![u9'%I@ ]RH陇GQ(W/$^ N]N%JG{h"QEblx E!;c]LwKuOF(?|YL.76=~~2qwSQv[đ,Y-l!۔JVgcIr<xϤǟTg2LL מ<>+eojڌ'[fH_ٍ O{cךsDspaLr)m9KfaZt؇CMŽ"2%/}P+DhB.gT!-2Ci93{ z04a_S{25sפT8M<6t'IX0b&||#>ǯo(8{s5«P5O2vYDE1 Izxa Ԗf}Zl!]v%tPv =!:vG 7 燊a)ʂo$Q' 6J+S>WKddZ0}tL A!yMPq9m!Oy)$qhGъ$p8a}Y ڗi& oLxf $_őpȱ4i> tIW!>/e!i saNob ޥQ4vGre'KԚLN=7!!GԍO] [w dSc|?fA~/U/%Qd jWdTVZe D,a0Vf*6b8 RLXnVaFQOΑ"pU~C!{˿-u<6DnʌP@x&=١(co83%_ D0?x;F0Ň5jA \\dRJAw3:}\FIJ!t?I u9k~X'7e%=m4՞<:Ĭ ~*2/~KG6W1$A`".vf|) %vvh"gR !MCZZ?i0"F5$IƻC-n[us)mu˲X)𪅥`X| ]j vĤwX/1Mzx)JOʆG_e6t14<&삵$N"J17qu۰'A?l6)ٍyXQEsM(S5'D5m hCw]bX\^$GN4ege}Oݯ*H(>vԭh\#O怉+>xCRo:ENo ؞ ULRh򝫢V3g(|shuruG}rޱZk=ecpϲ`ݙ ϒY@՚vJ/ND'_X`t6F [GPTˀa 4AY1:o**j["%&pby?I5-[2%K# E^K0!IOxa0wWM?"]DMl}TFb֏Ǡ瘼 r2($ 06v&lڼ'ͶH1jxC!搵^{?"B:-To#hj n,91٣[VHȣw"-ҿiV-fIjJw ;zxqga]Py0hv $W[3ݰ`R wuavJ.tSR&KaATD/VPS`D ΔEiȄ[;:o}  qMbNu'Hnh+"SUm1Zso{CBGf+^X|2AʭXWȞ?̳d|57H~3˛#t­C,ÄӸogLꢪp&{>dHW/zgPP,n8F7\ʣ0tjpV''F0K//QKEy?^BN @_O/}j0樻!~p0(l;ga8WÍ8)_|X/o:<2 2,grx;#QLOL%ztaXO.~pxFOe=x&6mU!3 +*2g#[#V1R]nn9뤦2cmƞН;_ >R^^DI%v^)Nې~}1(b[f< [$ikAuQ_6jֿ1x2ݴ'BJFi`"n|E>Pۂ6s=J`*]_ra¸BUb2v{A6 O3+;atY|973 I2LL }+I|8ƍS1Ar^}y;X TgeD}SFr*r=@,V%4Vg5c__} :Fdn7%-4v]F1s Z]yK;l0%SF;LQxmhXC R4W13%_݂B=" C´EB˜O |L:Ч 3[m'$.*C 2zFj`xEUO{+hdƇaBNVV'>9ܨ].E5~+\d'gw_78TfnԺA5U+yf&Y:7h !jE쁇2B۸ډ [uu-I.Ѵc_T//DbAΘȝAVQACsIUp+F*;tg=)wKǡA QQYt8% A1D%l]c?; F8c *{Onx ["rl}$@VX.mF,pHyKה+HAY:;[g#mAC>9>g<& ݂ig]Y ^7>,0{7g3ZsV9ϖ+qYْ}dB]n)IJd[W $:p!л= Nu&9X2/wbHaE<3uED^G뙢[tﲨTp\UaEq2~ט|ߤYV dm0{cStԆsZG"JI福q3SzAu(|~ Lc;ǘ؎6@#V|5[' io4~3@D{!Vu1ra/r5n'Ĥ R:0CJ絣0v0RE;dogQf\y#G{/ȖjW!#kkcHo%scKYkm&s_ѫb endstream endobj 1936 0 obj << /Length1 2251 /Length2 18242 /Length3 0 /Length 19581 /Filter /FlateDecode >> stream xڌT[ N @.hܝwn̙݃{k5S]U/)Pʁ $$@ggD %U9X#G Uك8!dwx ;+X[$- LVN6Nzz#==8N # -@ h@*dmj21uxG!_KP ` |hoP6\9 '3= /5` P휀F(d-F@ P6}dmo ,@@+wG+#=:@IB g[Yoj`e[d/c}CCkK}+W dȉJ:8PRԷ~wY++u}@ځliAq{E--V' ݕߗkneld 22 7+#PB:"?2] M j!_w66w@O1`t"`4Y!.Фo?_}~0#k+ ?b:eI) uS @B```d?xy}п5t ~\ Okѳ0n6H_+[,\޹S c> VWU@TA}L;o1^494˿5n +=a?g3fhD;_G߰"VF# +@N }(.eû '{ee % 6/bЉA :?@'1$xR{?@'Ǔ/b'GP#(A:?=޷?蝟{t"w7@򏋿.,(4B?LA8*&".W?;]?}qnjޢ0r4kC#ңԻOX1E?;exa'Xs0aN"N;ޭݽ?;3?=?#lhguU>]Kֆ\fivBnTwDp|rB:gB6я հu6ւ_TmP b֍rTTuVw}`xJ1R=r2kr 2CN˒+ngٗf IQi`:U(1bnAfa3dV2~>ǣ ,/3NIACHԐ Q( [NXS7nS:ҾS{~%5~8iQ{k֌hس_jou4/1 L5n HTăEӣ"YyAY\s؏J5Ap}_ok8" A Qo0x;>oqD1tRtcZ$B a|fiSwe5ȐGPa}Qd NJT-D൷ W-=bC= ]юt}1oj{ @|@ɳ2q1)2O#&~8*#bNF\HAQ%)/$CYgh ̆w+n!%v7tlφ1/XwI8 NًF) cG93ImE˩+Z#h|UX #dF BJ7y?G\FR:]' PP]w@jpz|^Rd}1$RŒ\ig~aӓی9V*EᗄS>G{AgG Vf\v^ Τ0nzX]4WBmN9vjz~a&wc󱒭eA&=\`?,qVLVtn >c3~p-=\#5t[+ؔq>)q Qht(JDsSrUOC6R$[ݠwz!$dު{b w0779BHG>#7yb|=N! fٵЋ]|+w9o{w #@'3JʹC`# GK3\<- ΖnnWk&>9qfh6vUF3n8.|N`&ꈉdf(o&o|-O{[T7;#a)c§̆T 4TŃwh~Nll< ^aiAܒ˷Yf` s6)AơԸu+oY\:"M?S=ȤXY CcQ7^1lI{n98akn痤 F|}*!XP6i) .㉣z`b3HF{f1\n/ۑ=QnHI@C#lfq2Ýj6RMN:b"?o>H]| AZL+oVr> `3eQ1Hy8il+p5UK^N>urƯ.K.TXn+2쨗4<ƃ|u8y+q۝$DפLrK$Q_9\RDɰ!Y1N=dG-ET N3:/ 49?Gg#ń\apxiOYPKcP :h7O>{I{Ծʑ>= >ᙾ [ XH>) hQ -[Tqr_/0L'0{c^FIHL!A{SiLqeC[[y&X%1ZWx&ڕ`Um\,bn#MX|HzAWI,rЊX614^ LҦriP?k$lQΘ]|ƾ}j '{u?vN*#OAJ Kߔ2jƓa2[skAkl99*G{&?VFGrb!DV!vZ jΧ›Ug{7ͮۚľYJڨ!]&4ҵ|vE>\ KV&3Sl#w^ 84i ͙9N6¡m!☿PTjk9crxT+e@ 9HmKZo"]ͽcinm"~{WُL/h$ёB2٦-aRt_ Ȧo +c+*f,CrRo} {9]nj[բn2Sܵer5gz`IΎ"@î+ZLŵ?~>X4 9JiS;V8[*޵g#{- els]AB큨Li$4\-h$KS$dfYP",nj.P8 뻿z-.iP +AMcc*MDڅ9\Dx9diJ'8^7n7<:I =mB]By>ݗ29d4 NY7uc y>j՛Q>! /gV>;Etqub;&7 `5'1h/A/_ə:zh?"M.c5~]Yo†?# %R͉ro8}ZBB>%lfjфoҾc; muʣOU@UkMK·fs_Q&>6Ðo"zk;y'4.]ǡGRTqӁ!"@|8E"9wN%q~3q j {[T:2yKs`D_vbV>3O=5[J?v֨?o7Ǜ%sa ?8$R/1NJwt)Cֽ!V.bLøpJIBtjUIqtIGC@In}mf6 OK:19mO[h-X, pI~nP,oʇZS j69_@SdYuD:.1caIFiq*Z՞xVeMtJ?΂>ic:^=;QuUJO>N& Pxf Z(}ԉCtD=z  Pbnޡ %fjm,(hl?-9=y*P̀9{ձHh $ɬ)7 C{ξ<(nvWoH9 P؅ZP~,/~~olE=yw0-OTE(^s?h6ĵqȃUm:idZ3s0 'OG68N=Aq[v9n !*Ng5mLcTgh~mg.3|n\=0T{j',=-l3E#K2\]CkI.GU?'lsjq0l3ʣ39, J ] 89I vP$> R} A7␓c}^+L:sGM,/R: 9zx"lA.5 )zsyl"=#:XYۥv4ۅb=mHlXTr"tyzKb=O/f!Sץ'n9!Cw܆GʅfWmQtʮ޹Y%O4wT2X!onLRV>q#V#`CL@Y֣ciߌe o&igAM`IuLI#ETFe~QJp=V tkp.n)})CAdl+bo1MNYRΎ4̡+-M7 Zyڳ>J,n zp)V*tV=="5i{&H{GF X*ac>)&MKY|:iEe(ރC~{tkåg,Z#zFY7kT[<slOpoi[< ţ#JVqّ_jO:Y9Z?dҰmGۈ׹n*}Oq_2L 3E؎쁳KO-gjxߠ^ sOc7⡫^}(Lu@Գ`2ml0uL#b0IܖXz7GQ؞0e5P>Q:?8~5N6\ɫyJC ]ΑAM_sEmrl Em=[PV'V<=%=U }пy_>VK%wh:r5SIV4.qAm6gKA lh__~3hR3 X#%mKck6yw"\$j3(&Զe[xbO]ddZ`0-rgx>jF 9K*෷ss=DXj8[vzm/klV o1͐A`!ϰ?%-I5L]Jo6܊^4ONL;':)B6WU~B_ Sj#ZG#9S2 jkÀcKE-ڿ`t;Y} CAq3;yn)86i0 UM6)aM6JpMV5|XYe@;׻XZz{NOgrVkR;noPX_Oǔ+SnKhMfB }ki/qzAqcFlΒ4:TՄY>.Ixꤡ$$3ՑyV٣tjɁ0K I\;7 14߲Q>y^ ;FqR!5ɪii$ᴋv=@}0δcS(^qVَVk@-ϣjg R.A5ĂeĀ5{XM~2`) D+f 3s9ᨩ3(OxȔ)T_˂| mi2ҿFSEn a _/[rXZ taNv5?A!7@ !u)=4i1xgl~c_V6.34 c^ky\o ni JDYή!s*wT. YD/+^o,RÆgv {]p2am{42)N+WkUyߢ""[CCg{-1 [r~_tFGRj YV؂>TZDTn ANwB=YWsɥ$~_3b%,v>HjSg A/VZ!T TҌ3~^B:aM}֬2bѥ|D݈vr4ZeSȃquMѐޘmW'`b&ʝay>;N}_$HLO7+u3Lta.?nTkWlgSZvDzXcQ0Y~!pnE^$l r$GX͆yvus9 ܕw"`2x3rza $_n5D]~$\N%KY) +djiap`juT)R/PP(?l6̓!:V|ONp+*񶖖J2[YQ( =kᤨG41 16/2p1A$F36Ok,ّ NYl505Mo獫:fOGt)455[ڇ*퀅hv|29?%!,XʊhP3ٴĶA2rt񷈵Ncxk\wĝ͔wrֳ8[5!uQ螒O|.ژ^U'm Ӥ6S R%$G ie v9ghup&)ɠ}\ EHR;Q|DIST9eB_- O1 #n`*<~梦fy"n:`<% D}F\H|l@޳D(}2Lºr5~"Bĕ.}`JP7Sf7$!FM'ʌԡ, (Q}28L) W<5Ք!9]X1$VJ ًZwlFM 6@-푦?uWa%"Mk3)[!)}듲F9L,cXW*c)JJg}%eִ0|]t@fWaFzC w\ Ek‡]*CSVd׭./Y“eRԻ/a>4 IJS@%]pyemQ@8ɸb&G<~]pexzӷG*O,Fcor)/2Rs| ,ADe[zp+{o3$AUWNvHh %h0`1 FKZ+[ XGӣXn?3zлnȝ pS"Qn<ъ&0N8=?<01 ? A ,9]i¢7KhcUb!,,r\j%R;C{ߡ*(ve+ Fg`ՖƝ<7$:\`Sv|n.l|\˼X:j Tm/A -_k\̗R)9# (=?G|U scjU%O3z%t$/87<ɇ~g!C'l͋I$2DSfQg~*s:o`Z\6C@0ZE^=/ɹKn "2 +=xpؤ0!$}^}zD7 JWߝU 2un){tߟ 'F /"w{₎bz 3xrYFnͅ.DFK 99^ڐv>as<۲W״]C^cs`cWP!}>){vT.ZB*kH_"Xk:\Hr(M_s~$"'Xl6[HRwϱVYQM4KLq|{˛erUEJ./-k$ϚGgqx0 *? Mjh=|(XKPRj+a /F#=3NC;\ժp5b  %shn(妡[i95j#Ϟk^e8E\ WAB(+C^:)[*ēMXwP%b 8YLu rEtVtЪED+{0_bhnb+=(>L?B૽8wBLδ+LA7sk[& IK볤Vo 5P)*gŘ!h plp-d(ƀE:Vsgo[q͢ J%+鶠e*$Ū*f†:#0+D@&󧷄 {R.N9 㙞➓I.{2@g:q1j/GE1.&؇i_(b5Οް׆'ӏh}VR?`i%'B X)`DIԦW>쀡#A2L{BHH>8/<?TVKgiNEt6|Q?@V% "WԾw>jN5$o^2REu@PHnbfpE̪>W#&o[Cuvq*ŬʇoCCVT2`ۨ?qel1NqY V6oPDZ:U/kSgTsoSNݎ+50f~Im]}Ǒ~6β/smZPb'գyir4Ǔ"M2ƭJ Cڼ`=hAN7O_h[_n4JvG$(n xv42fji3MU!J Ip0PN֡<¼tH$fվ'9^ 2Q" }*|qHr`fȵZuͩK_>p1*O)~O;{9HH]%Z)Vr~[0pa |#Tto7jw⁷öaTB4)6pyz19Pck,MY:ڂ@ -RIjd"1-B ?ƪ>d.pS YEbHr<+Md1<2eV˄.T ߧlZ^rq$K*㸳Ϻ=ԠbSq iV..(宥xӠnC2ڄ+#`p#>,nmF=zZɟ,YfZnթ]N]vAaOK+ E\0)g 38qo` ; fꋰՁ~λ290,9iDФ :?o5Hѷ"0F@o#~/f2-YNjA Ϥ -k!4amFfBJobLt 03죔@K~dc媡վy %0n|-sJDO{ՔM"`;DS <ĹAS8\`S{MhM~(anY$I֎ѥ-?cH\T]&+*pg;V>8DU֗Z6gηh#*Arz\NѮZ鯉 :-j̆to!n|K*[W)_;9e?Q-R;vkaMi9h%^f~`Jz(x[ՐV]k1q3YZUCY<$CW!$0D}6R*b28 1և&( *c/ٕD"N1S@4Ov~AWnCR$& .}EsEe.|zUl!ZLRW&N!ޘbZt5 [mbO:,5oɾ/Q0/5oBc99 !C|aJUBȎ [qG9.gvJyK)LK˷0[;qI^so:V8*<,OE N/7OSkVhYȊD#gk0(og PW K:ėmjhRNkC&MKY0wYEm؜nKV.v#a[`@B\z,=_jsw*&Eu5Il!Dȩ6CGXE!wRɚ԰Im768S^5?W9isiF>"74[҅RX`ZjT5kBU}Syu2O`o92cs>H~O-GWn=rF]Vb¤ b{d..f 4)厪bTKupIwP>կ63K'E!ufj3i}ɧN0׿##E,lɿYJ #Sp"nSٱ?zSEx7;Nw 銐aZK k%kl٦{?z/^O'TW'bq\/r ku蕫V>V'sFcPnr :!ϋd3;w9;FNd@aN@HI~S)TƷyg {(⿳`t<,›i4*.c5(>_ Yk C VB3zJcW>uT,ǎ^>\ɯm`!=I B&9fV'QќbP6Zg0^^Wj&4uT3~hW^2)DFVHɱp?4ƉlUIZ4)Ѽ򢝡Ne- Zrp)҃S*F]0O=A•8h8IIQSb#~,3'*^+ע!%N]GgykJ)oҊJ1Yߠ{cl2'D,,Lad*ɺ|T%D-N9l$c|uM|Jrw֊zE_ ӫpC\ӞmƚOԨ95 ov[֥1vqtu/Ek:J_=&/. XTcx4ݐ%S]ÖUJ?u-'~n8\$@vw5cN '8 fxU{"Wjݐiz锛*2Bw}ֲ>*5 e;o?)y ݮ0ЮIfps.<4Jt484~һLqK_ "&=b2%5Qv76ZFMn3T@Y0o$anhd`_$\{ystp#&j!}!Kz6;d)}8v ' ;Ge忞"J.EƯ`Yjڻ6XE"aU@OIrKO\IO܁"X b㓂_A; LS 7m'ۙ5_J&Tsù_FޞS#i` |G)%D|.WDtuMqփ[ !@}ϫV &=Еs!ówC(J۠dbPsdGV>XXVb)nnm? C}\1%#h+\] k wfsUa6;uᐷS~ŀ'T~PŧI|JW?t M`B]#y #oYė䲂uDG1l $•|έ6иkw)10H箯*9cr*(ĕרrYJ~|0 ug3ec8Sk&dvxE=f"*:Pꆯ5Rpv=HvE8XӢfWY@qe &1j_+kOb%p!#"ݷ+ȬG@oLi1<éP%u}1&Ur@\<@ ksaB::jw7pkisϒK7d=3p@E\˝K f-}^OUX&4,jvQqR~e{ JjQ]JK{7i{!룱h2}5tGH4"iY؅8|p{4u%$$9 oqNOJ?z]04D:,} >oa&)ssRrϕ U.St9f8eȜsփef:F7Y: 6!<6zkᖚY2xd%^՟p&x8%,P/WDP{m-ԵoO|/:"utyQv%*E7j&7)6ٺLICLkr&H]"|=-*NMþm&ꎕ7HS A,T$[*MfgR{0Zb҂#ݲStB2xkd۷]:H;:_ k nEo7u$@$^)"2cKr`G#kM;B8RMy5tyWb_yG|Z1dמg98rW5" AKo\HoU20.7 V2a1ֺt`Փu ed!"=ĒX:MQ(͓[7TxJ~Nx]tfE Ā)PfIs0Xj)Lpa~)ִp%7`G m Wf=d|}4TC]QUf%tڝy [mO3*~.LzYnA\PYىq"p/0hrpX:pdiќo>E9lusea4Ak߂CqGYk;Y/̽ɔ:_a><=cˁW>j!/PAιtTe8.K)5x*-a8+MI=s|m*@X9W U{|7I@H8Q*(w3RYh ۳6xslH/7CKǦپa,RtCQUYcˠhΣ(*7We%QcbӘ2>}e/9ҹ|X endstream endobj 1938 0 obj << /Length1 1800 /Length2 10401 /Length3 0 /Length 11522 /Filter /FlateDecode >> stream xڍveX.--!0 Hwt#) 3C3C ]" !HIIww7Ho9?5{?gYKO& C`P8;0@ZEKY[ɍIOm ׅ89[àH;AG \\<.~a.aNN7'пaN5PA!Θ0'kK+J~0\BB$!N [AWZ05_%_Ynnn@{gv+nЄ8C\!`@{cǤh[Y;҂Y݀N:?&@'-Eewm?5d wB= k;@MNg߁@;gc>hm4 < '>ANpgvgk]r.ѲP4;c'c= sz-`߭]8t֎.EE=0YB>NNNǃ8 +ߋh{8@rr6?sX<񱶀 7GaP;:h=EIeYC4 `s >]Hh/"*B-`>nԿ9K&R= `GƜ|Jw/'9;"E<(a8zXv_"8PGi mvvխ dYYC!0gW |}N 8J,9n>~ (*n>>p!S,`NVpA+Zy@^a|$a|da|a|T<H||||pgG.lc_3>p=w>w>&_Nx 5r7ʅ@! )H$ئ:R܍ms_3q]Ķ7B0%KFJY14\6FVH aB{+UactƑhhJ. Ť BaD~׆;jhT%0v `!6"iZ7zàdUwpEXL`69)7* >6'7(nliZk~3ޫYeDtN#.2rS_/cLĆ'`X[)(W`~^!Ǟ7MeqZ 6| ޵xBxm˜d#nhgRJҔn bi?߲,bNܸPqZ35TLuܛrE=h D;)=;xι[mK;^\#~P6OKB&ZK^2DDrefZ9Z2 Fy-|W!O in^hi(j9_qlHQ1\hi^NpekBUuCHʹ3p#!wFV{?#=.4 \GZMI 6=AtK.s>gZ_(tThTidvBt:¢3&L6>hoD9r-pۧg5ڜ1Ḃ!J@#Ѵ\t$gz}V4$KK2X}`+ɶ&Yϸ6=.CAZU4g;`E;іnȦ &Xb<ͻeI/b t:aOPN q@\zor Iў\r3~*G blqXj98"_^Vm1Н4=/z>$33$?g\A;q7:TF߶cVsO?ƨ[R}Z[R=EqOӸRΘN5Ju'/ݕTWh+ҩw,&|YF %K~P8x9P'xΧOivQ3sW,28g"7/4Iړu xcZpOf&'ҥ n)˴9F &r`5+@OTi7 'NP~yÃS UT~*Q>yŦ =uXqoSe+07hes0Y0y<謁fnlOȋk^ J7hMҍUdX+gKA>V@lدjyb~Uaeg:Cyja61/!giESt薈47u/Yod"1(^FpM}t:09ꙙ86B򖺋9{%3+L6yYAFu\HuF6fZ  DIS8oYR9BE"fdWMXAʌ}1-ǟ3SLΡJ'5:CjBEKX׊6,SˀtFH»lOΌ^Jl<|at>|VsgwpM#u L VTU/>cJxMzrֽC:ag/Kg*YZ/[d+eRh t3>'KmOm{A7ެTmLk_+̉m`}emGgdf-tG-nN:EL0ٚ{us;–uiguc%Qwj]!ꍩ#yI^kj\"yF0o<y9t"M@/Y,ٳ9F\$6W%Ч,~hTXi,ɹx0xrZnm\FEeMKҥx#LJ NV),g*#EdHͧ wtؖFZ8R [U?(i^~' 7y7,S6DbawVC^/ ?;XHD P~ee rAhrfnikCvŃڗh/P ;ftXI_R֮(BEzZτBLcUX>YԳu`O>nO1 9n|AY/IdUЎ!}`@O=Wou$iWiRnr=Z+D,BCڏ@{_;^+_o>c a.˪ʻ.]3w7zkQu;@*'.iH,w5j=fz@fI`[g(tw_=j [6fMd,- t&=񾐀/6?xЏ̃1w|1 wHXTc)b./FO\k| I8{fqĊkS"!AƐ7IVٞ^_ ˴P2u-N0V~orú֙<0EˌcT@aiZҊ2STWZNgS(f lQ_yd~5s3IӝۋZt)[ԩ'ɥo Of$892h 6DQcal0mQJP6_,vw4kVDbZzWxL/2=[&zJ#4;V+%MT?Kzӎ 4,3םM'#Ηùl8 /}1d|NN̵ iz~<*~uNYCNUпl[saz X\3i!IJJ}mN]D\!`=qH-^WnSUW)$JsbRڂm!,Okwo'):Y?BLlg߳5yYI*V犨( ٝ(Q+|~_/.Aޭ7i;HpWW+yR/;kVkz$`5kM ᤜZ x\0JsZWwڐ26Cx?iy Z9:v,9uH[-ټO."w%5ii9}B|j0 ȅbfS??{"_p){ KY]i܎g4r>) }]79DAIM6FF񒌯x@ݡ<^ު1+7a;0FKBY--nM^/W@IzjN./ϱzc7sqCϳVT-Fۨz+1슗V)0ݐ5*sY >[VVYV>@iYaJd]7 4D}0!/A>?豹F~XS6s~, ͢p;@_.gn%$x7.t?n19xi %ъ$+rYb'(29˴k ),X˝ŦK9ey2.u꟧S86_ `2ų | ]eU,Xc8] 9Ć<|7 -[!@xY^chGp>r̀J gx@ l9ɲ2~s|9ۊ>ݢ[2#X㒛5+nb=)Lb+#RlIx$G^fӏi9|wvŋXg6h?u?x8Zm'aE7\߿VJ@߇++PEqUf{U:"4cIJ a>9@{LJ-ٛ "Ι`b OF" yR\ $ؿJNGUoe{:Wr s{:?L~D|hΈHuAl΃Tp=)a$ϡR`<`}2+~Sh|e:Ŝ??tZ 9Gx*C 1S$CUt-c՝iC K+mWL͖^4 ?2`(0|hYҏxzUo U_ȐjwIjfcvt}hHDItI7)_}ؑDs YΜc?1jB5*\hALBP{3*1ؖӠi7tI[NK{xc/@.47HmM'{:yZ!|C@ƛ+Z놕 /$gm(\m_x+uΜ40;t2~~[:dnfD0Dk e)4a4EY IV^a39SL}?t }YQF5"}u4|ucg@P؅Ҡ6y|'Gcj}#2ʲQuŶSy+PI+/'o:ύþDfSZ:Y uֱ׺;ZEuw2;ۯS-ɶQ$Men =d6M md1XgMGGJGV rN톮{.sӮgXtSA"x *DO&L/NpN(v`B;#6SQ7^aWH~!b[*cL,GN,nQ] ( }*\ JJB@Ya>R o+t6 w'o܋Uh_tb-1"h<|fB }K_,~0 ` Rdx-~0\3},Ԯ^νk&V^5:ίR|Nzݢ/tNNp:F县 1.E]{\F]aRɫآ*p;Ld3^qxo8L0Q5l'(t펍Y3ap>=; F.,_jW Ly> Os9 H*7(@`xrlki=ØIv 4QԦ2JeTj#}6U#3|?r} l'87?i)C6tG3?[9izB{F3]?shS= )l65SOp„/!&h<Ƴ1¼(G֜ Y͞zX+5JGHeYR.r|p~@df>qѶn_BrgzY--ڼؐPB.ƹs:)',S#Y:iaE oځpmx;Ԟ 0 sm^Gx;y_!T|k{^~" Qf3vAoس0--ɮVoG01?9[6]r R oVI#'&< ~m)-puu!M;X$aLaafT1 .xuG-b[(vHz2z,MݶX!A"  |R2uƩ3Kcl᎜390]^qoM _~̑=ABvuO*;S#=Mzy @ k5Sn?*/23{⷗=/6!^Uwm` U &t1+)d4m'h mN1Q[+8c|#>`H}E-\x ϦX1ke7bGmd*q|#E0}AS蠁kߕwIv/yNwC߂p6Yy.+=tP_}f&|5Ч{Z@r[rPkS_49~N /?#yv=ޢaHkv_ }dXv v{O_(1sU%i.+9 ry<&t8j]3-,ӜGM}uokɼdKUeA[ג#ωE6/f SE}t)wQxF6ק6c85Az314#Y}yܪ!&bnNz$w xJ)gl8Wf{2-j1ż˯^o.-">]!k4UY=M{+Lc<]z9bZ-&$yz mÔd׸WMGc=w$`Ɂ,;e2 ! yaϵ ۞ {mfYQ:abe tM֠O8}[TBdAL$9v&si.詊"C{"'  H-~'\f,lx5?\2Xh]jj;6p&ij(2FL+_Hqy#N"O@ hw~.loh隢@ qVuUub74E]?RXE&Q:R~NbX Vh}\jق(Ti w#Ai0懥/*'ΐׁEaIy} ÈEsVr1s;]5L5spgfӾuC5SS:twJ1W~ RUm@LJ̗ܓRhBP8xʗsFڲ Ӧ7l6~3KOE;y-<-b\^D–h/9u铨~Ş-.& ksK@5)Oy*Hf!uM`l5V%ʼlZyg]z 4>Ba܃^?Opt+IA۴)-g/`XV(WDwr(A@= =B gňoUu?7oS[Lț8vV&~qݓYLݯv endstream endobj 1940 0 obj << /Length1 1401 /Length2 6058 /Length3 0 /Length 7007 /Filter /FlateDecode >> stream xڍwT[6R"C7 tw03 ] ҩH(%] " %!)~csZ߷fg}]{_^aa㑵@0$?/H /$¢E@B<P8L?0eS#Q@ 8 Pt~ ~Q =$T0EupD rܿYW 4HG+-ЃB!H`rD"$y^47 E: bBƋ;Bzp{7 .P[ A<Tu@OEr~?ODPد`- { RRE 0'삀^` :P ̇!~Am"N !x?Sz@lQpapo_+{(vn|0'DEeA H $@#n_Nf np75$jA#^ OǿWx @0k{@}3~7 0࿎OIDX;>??# Qaq i?mG Mu;&E\A [ԃ_!?;Rtqg `WH4()j\ *H0J 07P@촡H[|m74( G@-?_>lQE_.J=.P\Qz1 #Q!j@L@@?]_Um==PN/fZkKojn+TrV)Kͳ{~5IO0s͌rveړ%#4;gC>Y!s)ʹH4Ş%=hjDZ"k3L3$NרּUSM(:e1wb5bscE|1Xx n 90cjkX/b9YXŚFi}xp2 ZHTE-͵8o1!G0g<-Nx}:lI Ec&sXsA$qV]66Ϊ3okb.YnCZSh9iMX{#+= O"pRMG4sAIz [&^-pz^&3c\сi'%m=oD+Ek{UZ\]K-b4'0Xz#ᬉS:Qqˋ Png "eS?)<%C2M@GH-]D)מjZF!&gNHݑkN4dRyd2M扅}Yk 1tmb#Mp Gգ9L Ӹ^䉁ØifԇGz%`l恼GL{?u~dٷZ* C}Ce0#O\鶲LGnKRMz~9ei#涡hϟ|sa>9ݡզFǖִ` r6el:&cВeS @%ӱiGHC b/VD~"J]VM$Q& XsWc ?J#OYj1ۯM:'u+Ew"&LBs 0ݰ>$+jDk֡))O*ɮZb19+CoDXF̽GsV߰  }Gjd"L^WW/.Zi!M9΅Md[֮@&sb}ApP9ۊM,IΕSsKJ;w!\#-)%tipFT'݃@f & %^n›W.rv>K]7$e%: :fSnTQ}i֎L˱kz]#7{A" l81`ڗޏ >&~ʄۡei*PZqՠ*Ey F(A>+ufj\i{[ ,ьk;GS'AG)] 'ҶW2Ԫ'(l- {wf4 ǁ$1_N a*`XwMa4!d8dGZ 'mu&G% 9Np6~jR\剏˜Jh^Sp&S*>_#%ӼタJM[@(L3Mhcă;?#&$O3yj!XPoᡘC[Fi7 ~bʩ>ogNwvqi'N/45)PpeXQ~Gbwؔ1g?ZGQ'K~.YNab>#|Xͤ᲎o79WbqנGVv$uW?sqY|uRȑOq!k܈x~?gd!U#y)QzU679/^(K88-sAYav¾^5`QnW-eAh?G%.]S _⁋9sn' ?=s(o@␡GeicK48H!eg3n.is5A2{ֱ]S_6S צ\E̫Xg#|_s-21g Qf^&O>O6B2׵ȺXp<Qj$]ښY$k'?tWtymшP4==v|8Zgq1~y.5m/pUxl: YEd 䪆1kr0F mUϢJٻ>ŕ80AC͝a,*}lU0SX&\Tss#-={,^cR22y;} 7toQ%ـ]ڶ0TŜ Ux1)vCF MǘN2H'ȻdșK2NNSMI-gq "8hwTge OZ 7!yBC&̸,lǗwW"mJ7uY*_2 V#H%#- u~1_rb*s roF@cU\? *07NҶC,f[ŕ !+E]Ŧ@mXFuvOG>b۫\[-a#ݶG.gx;Ǜ7SKU)q|\K:͏/c:Q$HI{w?dzjltoc~=pt>p)UD,~Qg4&H'xPnk1~D!t:j8tśΪJ;tAcP ƴ=}<6O ܌~w%d1w{oƮMf̤FyUX+Zyn|2ηı4δA%ޑ1!Q_DH^K$]ْ]> ZWW͎ ż^ ,!c(<` 5 GnEΌ:S7CS™R%<ܵK.{˲0 zx޻ "i"h{fޣ-hT I>oȝ9jSōdcX~Uk?of-v£1~90?Y.y$Q̟Btz~1ó?Ljڬ;Yݸ2 y@6g`6Bo `geblK շjvL[̤8rܼe OV3꺣bs5Jwdvc2B7*6ψ Hj{);zByt^_^NA9H~CȳQXe.KΕ!ogaAf+^*h(>; X2 i?9RϺc;`v0A|{{P ޣב}@,T_RZ Z[frr*RG {5; &_&;?.`O^j㠻Y3|0V]Md[S>]k$iQ4/.[Ե[rkbWe=%-YfP0`?ꏚ̜ީc~YDH]5 TYȑʪ3Bo#NQyH]^i[[\dٔ>q]P>>UtD0%FM4K' a`t|I3_w^x:|,=s^޵E]ӎɵ V3'hgG6LtvbigoUn *ޤ;ȾFzG=h"Ic2QؖȜ 56N[LŎ:Go karj.t"MޜcqTZ7u|b2KЗ;mC^I|>HUxҌ}Q%󈔗Ӿʨ-zc%\+KKa52&ɷN#̟E<UB}1T*/5 >6#pvw5Lso}Pp;W5T?ox|8 _#`#,C'GlGa]%зa^ͅ:L#&fRcR[ cGL\u+'aNzoEk#z-n;X HDm@Kc3(R"ҍγqKXW$E˯ˈq̂>vqrTX5zSFZ}ՙ endstream endobj 1942 0 obj << /Length1 1398 /Length2 6092 /Length3 0 /Length 7054 /Filter /FlateDecode >> stream xڍx4\ڶ Z}^g{=1 ft轅QDA J""$$os{[֞u繮=6;#A@I@!vvc( Nn BBp@(yAQh= A0HI! Po Klu4p] uvA} s@b| /(бG@0 KwG eP x@FڻC&@0v"r!P^!p$:4z_`|? ODP`{0aNP-CᎿ0$oc;[* zH(׌ҠYpwQH_)C ` 9\78 wt5  PAms"@ QQ ]0v6g@xc@NA @yyCpQ3Nh35~K ~ _wh9"0TTD$@GՀ;!ާ[?3.\D L!?;R~?~{w(\oZ: 5%]#({hF e"U~G}( k #_Ot_>nM.ZC#MHD`eO>kJBA8g 8!~,H #4& @ F6 ߬@w!?`yt}u٠@ag}'.b(Vű$E7OmSαxRUB=ϧI?,"Ж1>g#yJ,;ns#%%guXқ;%PsȂm5faEDema2utؕ@2)wluUPI@h]4-e&Kx-Uj $ȹRUf +m{4ag];z_z7!Dd Nl mKskfSdw8\/ +f4ԙCTT^XhcmM}!l3}.1/$d)yTQT1dZ:@AN=~O!h9s:lUX1#lXyw~ 7d<*FED-wra\aQ!~gyidSabcEc]]| (9Rb OU֊~"&) |2}|K0qA6)^ǂBx6ZE=\*t95QS){ab kE?LBl)*Z9%~O{\),.w6dkI 9/93w[α)$GX#`5"JTq&]gmx^ZϾ,/oy~^ '\ު &5 Q&*NNd?.pqj%؆i.9d{Otq|>J 9* W/+Do㧇f:8+NJ,_km ߩkBghfi)G9{i:DWf̌y*'Gsg92r`̪?B0 ]@ϘT M.e+\x >N^:GM090Z,:jm7ЊHj$; ߽Ր-jL*oy{(swLm}jl/As*]K[:JS7S۔jbyk6Hc2єQx&ߔ,Q(3N/rxNJ[kf͌mC̥2eZ9y[n7rD'خƥ fuSrEƨzB8{ ShءјFSd.ӄE}WO_eq%6mvb\tr5}$ͧ+!>|lͬ.&:rgMr< b>ċ42+ dI|nͱpf&qhAyLDwd3Q-Plng8 ?R*0)i2ewg% W/ BNJk #[tb;b_0U#Ta!IJ|˂sxqbrio n#58,3y#2O0esӆ;`=)F n#bko 8\QEJ^]nrTkE Hp`|\#<(*|tey|`5nU8gvDž Ro'G"z1NPŰRԟz>8_7IlX <.R/ڽD/ʚdo,1I%Q{H).n]i@ӒdžֵjJrA2_Ƭ 2C=?pv'[+sKJJC~%)8f>a xTkmbgˉӖ)2fm|zٛwg9_q= yWCeE(lu^'7Mqn9 ϫPF$rT\Qnf-/T>5 qZb'b*\Gvb$L|G ^Vݧ5AUY"(=3gއ)EL*-7ϗtPKQXꐼe}>vYD >ZhR^&d6pmYWk9ћQy|Wc 䬾?m(;6@]SrȠ8[LImU%a|gXapYI7E:$xIP$"r/1K)")+ZZ*~3t,SDm7Î&&'CZΫ<  pǓڦq^t'OYS ۥtV>3xexy>4L0HbxeĸUTVS:u5 V{Ƹ"#{@]Kt%( `S{qCJ#塚 OW婩ڸKoq.SJ6$SOh.gWv+OgbM s"j@">U1=V!yAg?\sŴ3`kƷOSw捻2rSV'׉5>|QVXK"kgBfsu盈iӌI~Xlτ<~ =dė < | |}2A5B"dJb_ >gշd/1|Tmd 6:1X|!.tO '4c Ya?mfC+6 >*2=d;P)Nq!xd-{{ޖDDL\oNJ{ 5ݞϧI_og)Mzt ~)߂PVm'^}>v Z'Ҝ],,۟.n:E%ͻՉ pCc^jݺ>'[<88q\ˏmمOeY^gBO¨~Κ*]>F3z[@כ>w{H|3&Jl0&MA:F$ըdE2.<'7y&q$,AyhPiE Qj 0q]htCNCt0  _9u՚?oΑ%xjL?6,[V> ѽ'bL qe]{3:V/|،x=S'JVl. %O:p|F5V67lv#LtcׅUpf} V|UOکm%2~]y3̠INnF%魖' =3ض?zopk%rHIℹlYB^OQ7sҠ*"D_J_' 0_ݍ[Ju'HxTwohC3Еv3|w TGDR*8J'1xKr (wE >Vs v^i. |Bqm`}X+@+}ɫo8SЛAq ]:E0oJ/Hy,L̼]_v|+)׏XJ12ћ )[ s3r++7x_ڤ6uH,L#K{K <ӑJWEXw/1A,0q,0"<(> ?SCܝt'/[p?C0YղM\kp"Q>~ގm);W?uӋ^=5DګŤK,kTn;o # O-Ȧ^l=C-BmkWUJ{,ٰ!ylGCC;(fDZ۲W;C?M6~RPfK+:UX8;oWżXo?Úri,EvE;9f/H +I^1 *:Onvt.Vs4ToyxUǑp|"C] 3q z\-f+MI\n@V<8ãll~!9quBKCA]B+J8>rzZeo b*4K&C/3Yi.Jg%50xwu&>^p۩+8ƂzÉyW| "1uLDHf]dAbK0ݫZ烠-U}qe@.|[=Iw fܿ4a;ܩ"O5Dm5bWtcBy*~[Y仝}d8ν|.+1S{%~AZ*X"S埞#4ƭmqmQ7=x[pAp73UïV0EUnzw/} |`N1V_!2.B癟R.śF9R~KN5c;+'5> 3ky6̿2~ǽ@0/ٴYWSԝ%0tcy TidJeB2,Oou; ݏ ]\SdyN{փrfvζ4%aϫpW[{TN.K- %"w_>uaI ~"8>-iWVAG #ơ/|{pv8ڠ endstream endobj 1944 0 obj << /Length1 1736 /Length2 11602 /Length3 0 /Length 12700 /Filter /FlateDecode >> stream xڍP];wwww08 'xn-kBOv{}NCM,ndq1 $ll,llHZnɑu`['?,$]fno2)37Ce'@ ```cpU eak Pf(8`$jI'goW[ks 2wZfn6@Ƿ-N@7 A'd,bfqrgxں4`G3Gߥ Qll)4<\7~sqY]o4@_J0; G [ПfNf o[5PQbqrc,04s;y:@F\`V-\m,`[?jd#5K,% 70Iٺ-ݛڃG欖@v+`rX\V#y;ۼ?x2q|[-?-ٮ@?>oixr|KOYe[o>@iyB0Ԯ.Fȓ$E4Ǿz%g~x-#f{=<6{MhvX+]&i,#;OŮ.SN5iư,=>B4-U6MYP&c 8QB;ĿvTIԊuS/&Id8wWʘ mӈQ|Nt0K+M.=9x\SR0S~oBb/V^úEnh z Zr3x9펱 CTɷdBNnڲrYlaD%Dߡu,٘~J#3 ZٴB &5KE ı8[&@XxE)Z>t9djrG#`b?qY~\GvZa#¡>ˇ~ݱhوȬZ3% g3h͇bOm_3R2tS_Hkǭ⣐r]b-*}#xzN7E4=l)TcɲuE !p@\Wp@Mcչ׵CV_w諥P.b1Ǻ.}؆*K:|T{C"Y>CvYL>Pיz14`,;8 ,B6:Ƀy=w 1#5ePދB32^Pi>r]ZvEɢA$pHJ6UEnx$]}&q;t*B ~_VQ^B1+*6Ql+*l1~s99_Ƴ5|Ui`Ycyګ{͏%I$tI}92?iAx:9'!_SFH}NwAPFY֗9n #7ASt!8x47, tkʍR`;99Ȯ/J`uРg4TKQ$>le)w'R)flNڄ^txyl(s)൦rP`$!I3ihY \}0{8uRGfO}\'=ܠiUV}SxZkznѲÚ`l$WVok EFkM'©/TbF|yMWjW 6 K>F2K]>~*MQHJxK:QxPVI|ƥ.>ų$9uU,jVτLfOOwҡ9 iu.Iѝ t8FA.p?E b+@A~4FJq siX͓KFMA=jηlW@x0&,I:NQl{PyhX,?`)B:wߦ^7̪3oY]"[}KH"~F,)~]mZ c҅Itqc^Pm_˱ K#;FGD˺Xh‡_ԸaN"vjy.ġke1z"Όqe,yM^FѶwi?@"֨G[fD C&XpPؕ`X~fȻK8Y#r?5]MS-f_*ut%ّ"~aAϞḺ3n-]6CHqt;[;w`/%֏y *N"b>JGNMq'q'ȾyT|b A>971r@lNu *Dl)p4~6baG؅вCb)w `ݽ98K15sMO]Z,v(xp@b Lܸ#FfM$a}9hƽFkh5⻭!|ZyiQLj0HXK01W}ZKx]i24慄RBzЯ&o=f/ER/h)܌<:9/F\r[{? I9Z"]M8~Dשmp9M#,72#c.e,eߝ6VYC+ hs \,y3T3G腮J[=PZHMs 0^xe]&Mq~~l;Eҥ.6>mx=Ytz!f"Qz϶Hůyn43P9LB;_|DOw,f'O.iץpvz$9^il>=`I~C6lFuk~0f+ Pt:B,=#N(U_Dx:OB|P" LM/WC&e=#[@lb AԓsHuDS:Ïi7qjx5{s-t~Lex9oA&_Ʒ{g%H _F86sE jʆ##s5GUQ=DESr6v[uSP|#~u}&ԾgKEhh|q^נ>th>jǞ3C&P K'_^? [)鷜03Mo˚=NxO0mR>9ؒC.ƞ"@-օ׸U8&10Ar9쓚2-C-}ٵ޽)~ W?:TܲWVZ7WѧIwbnhx'jfL5އp~z_t=Sj) iVuثY ЂRdmR2D$J[Z\:UTAޠ$\,M$Y&ÙT-C`_ -,j-k)$f?ڰ^u*1xh;ҡTktiOi8fۢHy&^$AN] &65yΣe-MU{S:Eev3x4^ !^OJGmU\B;ߏ[b,0{Dk<~90Li8$廏~ǰh]9߬ 1K'σqQ^cŵ ^aNitT^j^@IW ɝ* NY®:}NN.\/288AsPMGצKk=lO GXScIh6Cy_j"Ȋf:BT( /99Vl;]-s1ys-M!GT23B8(<隞iv - c1l.LUм`Y))I_ZNYJǂJɧ2l=#I|Q%Q$; *1kwy{ 2_4/:)7vǒ,j`Zf&uszQiՎ8ζ"b{ɌfzwZFaО"GPnj\RGzנ"[T$.wЧ}+Z( RXD{fX;|yIS<*d4(o$災V!M1*d+Fg "#|jaZ 6''F%u;@M[H &I}FZTS+lݚֻY(OG!^VJ?bk1TW[1&Zz4;)m_B?(z+T'wABs@P J"L}=!{  8-OF#H۵{̊W$q9l\*ԿǺJAG ڷp~$J9azP/Go}<>Uqm70GQ p+*H%i4T`62օa3`xVP<a-CL+(I ts`2}]ȓF'z "eѐ}֕B p!) —PE>7< "+O_ V. Ervr~cޔlDeXM V oEfE6S38'oek3"lĔgDZ-Ä.13B\h0<4jT` >P-ȀeoV2}|sڅ? r8Ys [iĵSA65q&y 9٭(r"ff6bHk֨e 9x& >,k*-DDpHPn!}gJbU!0@6#hԒ,n4c2O P5!j8G.WPKȮ]<RH9P]FL=mHjoc _jxi,/κO“mN>QړKv{}LctI%O?Α? nH׀œ"϶E(XO_5)K׍|&hۈ jZP8U#k%i,nX&EU;`JX&QS?EƩ"̻EWUpx`9vr Sl +&>-_@lD|zhEḵd6Fd/eʬ#Zwv(tv- kWAn윏v:̀]{T䋾NT0Vd"!ݏ-L!8M$rL2T6jw`w=(䳅}0()>'d(\&FSqm[7b8"Ԇ4 =fZ0HzTڄ6:,acu)mW EBb<$XaOZ`ƭh/eIBwG"Np)bPdH`p=}m}knCGc( p^3{` I]E}ΏKt+Bb#uC}7BƧ_ꑫ_! .  4󈃔^]+g'BPqj{dEuzhwc ;*߫ 柷i|TE{BN,z,D9{}.h&|!mJyq#ޠ*?3?ɦ;<wf S0ifBXg] G(bM}Yv2g!%Ztn\]yj0=dďԥ]v1.GKM8AW/KfSHӾ*:K@.5;lx^RBE hb}9\ب*Ra \, 7_K)(auc=(KԨa4|[:8 Dߝ8uBgvåxx&蓂i2WHh̷Y&x< |GC%[R*biNd &C]ܴKV#]'JdZ{gVgٍk_AB".$BsxiKm^e((kb7!bRQOФ_=Y"PXIFF-0y$SGU3& 9d\$j48ɠDҮRGt߻_PaAvrbgB5f.t|8R;g#oY1odź8yX7O;0FI teL[F5% vUTνU?7_skޚ}㿜?6O 9Mк2Jx ]ꒆ_gf%a@z|<\wLE/yc8.fK;#ͅFtzd mJi֚lϯתD_"c[V.D(m 1H/WŶ?XǕJ$ iD2<ˁJ z %G)X,(/:m6VS1U+:s~!죈yQ? JȌcZq{5܏ٍ~J.i nd!ګou/pAW: qp| @n[dRr_QBxDDJ5*4B{(8髗{pJUG_Y<cT4ҧӘ̦"O\N౼k>FR:JP;sj+&朓BꚛժiX[jx/JPǐ畹t ~^ΏYƔ4{e4Aֳ/yб$jDM< kиː$.cQw(EПtyHGs1`ou<׉kj9ߟNi@5Ό$A/%Q5^aԒZm0I+%o!!;d?5;z9Oa Yn\rgG#IG1+:(`rg Í(JޓQd]/W=fWG /^[rYƋzbqMSBbyTϵ~4Xx >u􂉚Բvޢӝ"Z^;vvH97ʂyj{I(C{Ǖ# SE5Y\cm''`iO Gm.cm^OݭX=xd~ji^H;gҒϑϧHpcyuL5g|X1>8@aQ4L}*)/$K4$d<5u'rtc9 fCJ7lOY7): h̋=N&!M)ÐtYT\w̕_;2?~k@_8=.>~:f(B;% :d#B9p5crҾAaͷ=}3N=_"Hn 4F'%{S3(ID801J0[jmxL`9{Tth>FLjC/^<ܐŏξ@! {!Ghiq|QK7cRu|1]p湃jC-,mbtF r'άK_^zF$i?+>H_LlwtLƚ-dpkM/x_M.y)* 49F/Hh@^$9J.W4AkfV=W:K:Az#&y2H ށ O='oqG9_t5Ŭ^| U~Z SB}ΏJs1VO}iFTx.fkOS=ldԴT{{ q{u= =0D=TE9cФHJHh``vsY$Uvh[x_VACZzg=ޝZrGAOl~H3|9Wes(sJ0FdwGd 6V>S@YrEzzAf"V&ŗTi5s|aN.^ cHqM''\m6Nnd /Eo֧3O*4vofFU .^(حg#ԅ32}WkTvX1v˯=b{_o]v?u)=Ʉ\"2#ua#QYF]}&Jc?]f imΫcɧ8UFrgLIZMC,,)W{qa'R-,1ևnT)o%ʹ{V9j*uOTwZ{ϐI_+r0L-C6-P=+ݿ \޸8bb3s2S])lB8z'G]wv4|<r#?c%ĉJ,@hيB~4ߕ͎'^WG1DZe9&S!OB޾my A&vLj?, WPCYǓQl ^SwRBFzw/UP?Ҩbi -댢 >;O:"D|X.(9[)E--[0m2=e:nA΄Q'7yX/:[^E\ʌ/bOZL[)7Ϫg>܊ |sr>IR " nȚ Xr57&UM2/bݚvٸy] N9HuįNfkIZ+lK^̴#d@-mxsq<S~pT|n~cI nkY b$a&rv}@#C2 HyWd/99nt,')edhg eSG䲯C|xvJ>>;aa\ڪ ~VݜҌKg93>+qKS]( "jթ6=Acتq&eYryJj5T/t&d6ӵp(Ju9,6[$<4+=hK;M̕`EydÆǧQV# 0r Mq{Bsv ̒W= £5$c܅Tmyhq:;¹]̠~O tG}md1RxVJ7.9^׃m#F>pP![mhԔ0['B)8ǽ'F3 # wxIQڇ^l&eʝ)4l/y<ɉIik6[F/ņs'ƏڊNueDT-O\յ z)ʌ~C4E{oh =S5[Xʲxy vҼI>jI4҄I0o)ENt H>;3\,DrIl 6\1=fK1ƌ>M(jҏܲ4ˀB;>1w4%7Wxx#;Bj;). <+ p̷{t# 71f:>PCp딂Bi&_}Yvv٩dݨxA㚗Ŵ9)smCMIIJI-1 endstream endobj 1946 0 obj << /Length1 2800 /Length2 20165 /Length3 0 /Length 21753 /Filter /FlateDecode >> stream xڌP-w >Kpap`-=\[ nw>;9罪{aV*2U &1 PPdcr0#RQiڸ#Gڀpen`C%#@`gge4(1A@WD* 8hl||<.6榎%S7k8=@dntnnN,,̦ +a:F5@ tZ~ P6uS3"@o ḿ`wG !Pq:m#ؘ @69Lm6@"#◡+oajcoj6)@ZL ` \]l\]m+ R +/~6.@sp߽Y9\;G2,ܝX88$ˬn.VVV^v2f@ \ ` .oc Cu5\܁*!,lf@+Gb|.6^}VXPNpc( ; 7z6pu#pp:hqzq\ GTg??Xܬ] #n?1;8_oI ? >[? g7gp$ 7ww_Od?, h42(Fɴ3!4CF~ 6+dZp/2Q[#\D{ڧGDOSEGb DL~O~Zvm]TyX2^ +c;j H_bReϽ&uc"d 'z#ԅ 2*%FC7. Jp޾K0WGW G?'}F-pV[$"`~vfSN;xzitVJ"OGC*hN4@d`C?,f|G^ƒ'Q}df y=*((dܢ :[ QOǐJ{7=V GB-GQ0z-DQWQ\,ۂzEEɐRyrHs7(1a?vlT֯΢ROW(o0|7 1_U,tU?Fԗd" mLoGo{k6>K6~D&5fN9ѧ0U;ω]}ӦWOyˣMkF3J-3^s5cǫ(.;XU N~ܢ{,&oK` TvȲ6Z^ ‹^KRp OvZIݘE<>̑  ^##,#;`S#_tk;s%^IQJ\Gf~IhcKq ڲV 2]džWX/m.)}Eo3n(QC ={w>'KI^n+GhGSi6w-gR^!4C7\Bٷ:`ͱ<ِco9r #z[ƾX痯F'kj3ix%_G ''wIn@3?`"-мOGTN{g=p;)U 6;Đ06RiKڄH1WêDu b Z'>b?6DQ~;M/զex@grI?k*h ]G8Q)E~iIwTcȄ} C=1 p.FԆ2#Ҿo :(AٜN,MU4.uZ߫]܋ӊ2ϱ%7N&?2`c[}5$JEpQ- m2̯Lfh3)e.fdYS3^Q{sFxEM_ vpZ)rVRm]ޛ2cWT&D%m d<g9H"w2Zlsј93~f$DPVv뗹x>Nn^)Y h(f8ЏFNMl' cbSJ&" 䜦Q|t?̋,L2˥l]J:b dZ0o3umHf}3.V6E^iDΒq?L걓,Q[H_T(-ڈC,YUtwEGo768]T()ܢ2 ^>YMDNe q̀Ta~Y| U":C^2fR̞a nbqE;;&_8>Kx+GFHJ QL g)wyP6 96?kiŽplUFJ`+6X W\Ƀ-F;RE^3 R5N2{&/}+ڢ$FnCԴaL$aO|=0nwI<޻+F{X7O҇"NH˯F&c{&@M%}.tO-PsuB5zCg6(md!>A2/N ɭϤI,+v[„FLjVŠeb&%Q 9&Y:Isԗ#$2vŠ~nsk:^1qSt˷Y#[uX!}:))qZlwlx(?s!?66w=&5AmkBMRe#]ql,pR\ | R5n:oUz~]1|H$3;9zL >X%ǽ(A-BW &K !,f<~r0|0 ơūwt)OLz_/=zati8%-Wiuike#lLˏسuZE3JUUS7JNjq(i%sTv?M6YsUir^E`y+ؐۻE<+d\EIzKuGy_qfZ)c)!K&`N$!iSO60^9ǐpeyҦɋ`0b5d܇p[n,Emkz c1IH1K޾8DV0T,oOCG%77YǜY6%&mEC]XJE->߼JLJ;gOp?K1k5a̵d`sDi46rO5mS{phBdEw#&x,T wGBM/kWr]䧀h jRXdfNhHB ~A~П}5$c*aȥM CIw.E-‚" S:].:09`lNIgUZ"\R]=L%#c\JɎKZNTe^8t^ŦH\m+aC()^EHe'Rvv{QZ~m?uCS9+PVF(wjtMLk7HKgx/&vw)*T}94J)QRO55)d:N zY_p$%v&8/GۅԸkíkZ E5ۆ>pՖ(z)ER1H{ FBTn&x L"Ǚ48 M c/NO\7l G29v{cScuV]Knj\-y~s KvD&~ r@ܡ1>ӤCJwݳK_sjm00Q]W&271~^)(q|ں;33BiTߘ MYf!n#iSZC{ mB`\'hI fFj!6͙㵇LwhqMay?;ԓI*'Q6.7E%V1 {#fk CISrޖG҄Gf[5\,\M[˰8^r3_mhFS}C0ӆ{r5ު?-bfIC0}= L[C}=A=ND֭qm;tatx [wVSEVInj _LOl&gxDKe>o!}S!%pLF k)h'w|9y䘰f>̟k'<Ђ=M5;&&MqԠߋ`8,4p7 ezzy jUi'@RM%-"Y [ŤL)O:埰`1EjeZ"_R##M09&k[JXУS tgWkHrXd˂[̃_]YP!57-秊&)UiZr'xM'>aBhӈ +q»z`&G4ϤTSp\7Ȑ 4H{̙TjJN?R8蜲w#:]P/ΛJ3W߱ ,8ݢ9ЧFCY#.X& ! ML+܁əVo"BlDĠgbB0Uœ t_(κ@1$Ir Ƚݼ0QL8?7j;^Mj'F %iEC3g. (1`]?-@|YN.zGBzN]gUCf-ii2 mZ*m Rm»QE֋(ʂLJ(G7IwbOKT9@sQ˒]t̫7AR쵭E}JNM3.T"B1{ __G; 'oQD4Qeg]wlMRl".x+{5)abG%=1^8bFr+#,r)3vƥy~NV,+/ٵSS"vBn.FP}ڷ$a}Om|h ĩeףA~B(t0$շJ:V{h5j ^GZem_~U0U* a1ՅUcW7Vfގli0OU炚d5S? a\~lXP%dm&;` +={'a]|Ҍ)zoc,^oftHs=6j:(ݔ{2zcc}޽7-4*N@YgzH 53zR'}x.SA3Qs{ԫĪzoñ״TWYls,YWr4o3 UXẼd?~uYV(Ѳ$I+@l6ɉu2Rc]7Tе &Hح/ڌgo>8,ߑ%'YBB^p\MaOAPo1;=<֒ӸR[i"K&RͯÀˢxTAV~YZE/Pw7KǺS5`ۊv TehW PYE^-pZ}E謀dzL{2b xy8puJI`tBBG:Vf/O5C87 6,!۲?S':eM1E'@&K:~9JEtʆh,YFEVhwD KU(*Mԗg~]k?V_fid /G'v(#? Oy:^=;m@ϵ+^pMdH5٤'Mn:a6jSSq^.+|s{[P0c2Yz1R1bT]ջt&@*dB3DqݣIP %|%Gn;m>Wx-WfDіCEASJ@ a(IwG]'I+Tt>U_ePO@̘-Lտw#]t&.Jl-U}.XMZASnQmCNaL i&H篎_.F|hC9]kj?oa=2sT:ٺ"\f?\|csFI٩c884RA(K*uSܮgۇs u7ޫԻӢLfsGL*G0cI*_B/}]DT,ZT>cD4^D1_# 4|qiq⳸x@ɐZS`/&ϫ I>a6պ:Ox fcEe5*.>=)MvSk#A1~PeHA'|@g{MiDk K\E(U)wd;Vo_:{fcdl^Kh8j=b߲60:`6mjmؿj-L= .xqȂKe2,'+,Z찾6cq'fa{ ) ס6`>I sʇq't2jP" eck6B-kʺJ AL38kt>§DXFs9,t\9^NYJAQnHCOY=$}0EͳE6B$CVUiXK1~t=o#<2& c;S만K yh˨Sئ4@ -4+PS iQ_ha%0,Èa"&qĬO6:h&( ̠E#}DlV63ލ'|U[ŎJמvϰkf"j jrwgg OW+Ҩ  w?]DHz@턑@sx9r:]lMP X$Pgu݆ 9 tjq>q='%1 Nk{ %F4:yR Hf/!˿#YAC5tdCԓKL(LTM )Snpbvˠ4-l,a.>3&fbn5uA -[Qdrz:Fz]))PQD]"(WkX wk2zSe3'Fut:,|F~?1 }j]S2Κ 9'Kn݃蜥rH)vw52y@gs/H ^"h}э( NjH<tFt*Xž$|Sen0gJfX"LȮ.M9WZ*ki|ARm?J6>?.`^.mę+0cn^u SVKU]:w>_I8 r=2逌){`$i@m0Tk\U68Goh.'!:TR@>|ej?,?ehSyav<)XGuQ[E"6㥚ARk9  'yE3gTN7})з(}wN6ƾ,Rgcv 2g{jycѯ_Zvϲ\GXf6icNa+);]9EamTjE!4]-4g^bjtY)UxzD!T4^Q.pٶ;$ۼNu67 OvZa1.1"d;s2DME.7.rdh(ֿv /&`N_{嬔6R2qRp1PoEziKrg|3IQmDB:Z's@9j4aP;r t9cy"pNO/bۄ;$|}Qw-o2mNPNo^#YFGzSI11>X׳S8TSL{eTgM vL5xs| qb jN?_S I!^1֚eCK:+^+ҤJ= G^k(Aĸ>{ q&bdҶ=DF" H?n{Af3\r hRޖBFmnoDYCWP`$ke['\Lxb{{yY@;&oQN ~Z.rܙ78*\ti7v{C3^bW}3ZB=1>:߮rOLW"ubeB]m}NP2-)J Dq̺{B<2@I TXDBW!;4Dg,psw:- u4(^}t>GC#lͩPʳ1tV};Ȉzv{@uTgY=]܂17<]fV>8~.z:+#Xf.>~[[gKGK6fD3}S^T5Yq;[1;&CmjqYy{zz L&RyԷi 5ʔ7)X&P'+vI\90FqcA[34tMA#*N#%`][Z|D1r2;wIUj!oBt0'ǫ"(?ȴw%byY~5mO4-G~*]ϹF iFUsڇ ]1]Ei#:"qr>#Ls y4Kސ9ѷEvuYz|(f#jW^Go^5,~"gXr1l`ٱeU`QX"slE]~ ޱt-׎5ǡ>&hYYu[}ZQI/9A9ZPZFh6a]r);(SUDl%_w;s&_kgI;papEd]_ LeqEùd*2uZQ#&'R|ޤAL * ?1۞KPrN~Ɋf)1츙 ]:`LoW.s5Pa;6{ft:h'RREx|n-=}!m_p _`7WZלw iG҅< }+c#T6coj/wmta)fFRb ^LtD \uXE?r[*rTLoJIkWËm Yor=M#̚+%-Є璛Hd \QMaIw?'bRJkh 6-5]b7|miiu/!Y'$p[FT7F`5g}*Rp\'15>{YүC6f[k$„ep8j$ X9pZAt,a_f$7TS+yV|DDPrRb規uf~_VV0þ[,RC˹tG04O{Z Ba#wBIrG~_ڏBMKďѼ yǵK!/B0M- 3&%;|E@{n}oCʵr5&fGg\F\v #|$4cVQ "Ȝ*9(^ {xnt'%lbӦ U6VID`{-_l? [ved ]{!qvրHu#;ǽ>s`H62N U4:ȧ=&ř\;u/kLKy{kDe!#g{yv~+9hR;6:t@)9G17Ȗp^GfVw'r~'P{Eײ(K5xJFQwk H!_9F eˇ|_Ul >`*qm&V?A2!$moaHxw{Dz-J⅃L♹ */yV8Vg N2bo4_⼚lV\oD:%Ͷż8̻$e ls$I  DJϓ{KSrڍ2,u7ψ֍s6w !C\PC!2CY i 7U},>KmQ,,hJ&@̱zރa0&«sky)$,CVm#l>r,gA5) N+L `Y)HUA +ZO/&˭9w+SpGлC{ %ecG+( 'tt-`aCy:5~j_-}hRG|; kU"'c nFDuъF7 L",]%Lt'n1*>T#vSZᬼ.t&ajuvNhKVz"ٟQx/v4#@nUE?W͟Cl'z3g$BLtTZ--c@ڐsDGbj^D+]=ljp hR{ۖ<-nZkXZinC|V2ۍfs;PIND؃ԗ?kg2Ēa)Ɇ%FORS0'}9XCK S^NJtT+|2J0J,Q۪LJgo["oLyB('/4O[I\$O锈 aYsHkW53Y݊(PKM5Z/<>7K?sY'iHUU:l|݋$NUt#SkJVZkVz8!bOa* xC{)dlI>Y x~ bXow]z;p`52#&%=윫&U@ǣ V$9=Xö=̤EPvO +C+ qqeaCNp@FѬT b3 O\cbYn=~u)3fY2Qok̩X3@" 0ARe)p5NNT87f+Ə_*D]9Fl{)UDž\^Kʒ+p;tEF#<ۉقwIn4xSIX-/lQOL< ,@[O*vጅtkӦ'fQbn&Ϫp\jN'cWRɣ 8O|/-]*t.ٯ^mB„5}Bszu] lJRyֵ3nddدyOvY)1o{?\wҜBf٨QAݿ׏5>w1(3Xg$-uD'[xLJ|G .&l؀$leԱH{\2j9)ߢ/xG|cR6,ҭ/Ӫ!i›ߝB#KpR\O'pMאsQrf2;*7t嵨{܍WMl+}fTk,*"ԲT)=D gi`ɹD7R1f1ɜVlJOO brrɑM"xRT? VD49)=0ߍ诱E?_#CT<)ꈥ ; YގY3KXZd]?@eQyO}Y;W_6 \`3 %Py}dD){Ȟ JSB17Hɇ %LB=wi햨l.!W*ϙ݂'d"ghQyVur^k׸ʁth`oY{%lZ 8LK+$-R'ESOz|oKF4̉͗ UGq޴>3فՆ{ ovJ/[A&^{ E- :ӖEƦȣMX'ڀ]=A ,ۓEVF$Rvkǁ}߄*gSTOth0ak6*[nKds# [X'Fbjԋ)Z롯 .NE$ Ÿ@V،zF:c)29 F< yr= )2vSDߊ?cQÒT~ bھӾs< K<Ǯqi]@ Ťs|"KK.rʈLD~74z67 Kl>zơBQe AG3r oWqN巋I=bdS |{LIp ʛ{wӒJbwcx7i* 5&ުɓz$/c0oVޱ ¼MTEs7JĤOIUY&gl>B jit jkp: weBI-.X5kVEr(V )..zwC:>QX! bRpOTtb3p2?!ͰXI$d֬wZ}\X ;$ҹݰ<$.kٴ|0Ŕc ,n!ENP~,Ó9E.Q2(F63L?Ix^:z8k~* EA̦oel9Eu 4[SIqN앾]ڸRg_R]^$0۰g_"9Z$D؀"Z&+6KbWXn1h 7D=WȫnURu`t [́g 8Bu' ^=|9. xݗ<;$6<@Љ!$ RzT 2-Ip'0ē}tKӦ wUna;-E1D6v<:P>1+P^gRCf&_ߧM7>a Dۓ<ߡ`ޥ /$ܮbl*?I+kArMQa}*LC'T=Wnp?^Tpwo>Q-+f~X#SS(li5W_] eV ^uL#.=ܺ^sael.P+ZL{vo0VLh lQ ܽh܏'#SxNCު΢"ӅO Q "RlgO3x}H8W"29ḂLQm-N&Sxfyc)_d6mͼiԑZ5WMQTn#_oۆLE0`'%s5>?Z~dP*taMytg __75.de?H|_檳ɬ `hyoČ(6=?[]l`ѳx;@Dfڐ^Iqxd٥7qxhG[BD%ZWzz_ o0Ѿ endstream endobj 1948 0 obj << /Length1 1570 /Length2 3113 /Length3 0 /Length 4106 /Filter /FlateDecode >> stream xڍT 8/2R(_}f0v"Ša,ɒiA(RRY ![e_ Y?zﺾ뚙=ai#Ļ 8,TBDAbިv=Hqj1(8f;'ӈfx` @TY !՟D8.Xo`a`*G pr&ip8N# t8ýH"@&ɑ;=wƬC}|P82 S),=w^8<8$z lNqh&/ P x@j 1z & *F~@$? P!;D (@bdŁ~eQvDl @v>;CSE߽b^8uu@,WP`򊀒* 3%WWTKς 4ݢ_2w -ݐM;YO"?o]}ށ{ nȴ06o⚡X?{p.<$d @!-dfW?v;{š,$B!h˅$$w](y>G,=^}FNNͭ9I}XeBjwK]x1sZCK!fYb^}xfOu2>3!hw,$3L&m(~J矝e#P3fOM7*uݢJoO\gPE,Xfz%Zݪt8nkڗ$b}ߢg dr|R׶s9A5_,-{z\Bh3"Dx9z'UyBeJb*Z5SG/'T=mM&P)̘Ehl*X\xVKJ62T~RWB!xoR0D!IJ-+ gt4 /[mq r6n_i޳3upaudi8RK=v6CWZ泞׺ (@U| 󗉕wah(߱ .avJ鬻dbE֘dGNKUTĊoeJ< xE3,o׿M|1m=3ZaBXٮ%GœOCj}.yb;䷨.IxPqIȼ DeS.c=Xky LǤ,p+zطU'Gk\2${B-psu\& gՓ/(fV )P(ۻKN8\W!cMϤ!v%dLhJˠ'Su#l *n}$jJ慮ZdI9_"цKf%Cb,+ǔ*}8Y^(0[yXJ6^K Ĵ\]+tQXden]'ӉActuvQϲֲZKTLcc nsKeGh1sH]Fk3a nƂut^;-ͯgy/_?/Sy2I>EnA/ wnE n%޻ix\5^=ݔHMW&b ö(%-+Mߪj:&_y@@o.5xi1U=Ņo1xXR57.ih=4>4ڿםxy}=z#&.+vSHN6}(Bv[ 5ښvD AIjbe>WABvILNgEҺ_Nbm5 Fd5+ TI:\R93gO*%nb[,qґZd2"3%ߡ-|RYmɘߒʺK_:g6Z3z^ga=a4I8yC=bG3⋘ .*.5,%7ynnvpx FMwxL~\;wMuy :[rV3M۵U vۣ6no:'ƖPL7e%!g|LJ 5vt13eI:f>x${5^>wUbڔCFN{V 3q*b\ĒNS}۠=Fz\ּ^Z H#l9b}bn&¨.?m}.@:k@]F\ jqx8\&0BLT͜vNHjuKls3o_majk(7-MLvlSAvs6Mz_hoFp&qRUƗU ]J2Kvj\`oWVu ƔU:կ\d)c8o_}oh[*@ݐ~%v7 ]v[MށU}ST>:~?A}J=0ś]G?B$W8ȰC{5ڒt˕8Z,q܉߸ErUdK?οYx^h;ߒzTH%ՠzb*Yqƍ$S'.R)W ]Z5^gE'sgL>\X;warvE{ŮZD*F 1Vgk>n(q[4 -o,59pw'\^0RJ`CX_U`!|y#Yիnj>?:b1;5{Ib6^ݰY:8H:㴭~qX endstream endobj 1950 0 obj << /Length1 2240 /Length2 14660 /Length3 0 /Length 15980 /Filter /FlateDecode >> stream xڍP۶ 4@=и6Nn5\\{{{)c\_7:G+3+?@BICʎDEaj2b/ &i SrtȻ8ll<vVVqt$MݭJyG L?_ft6>>ƿb@@ hf43;Y]W ZA+WW'~fS{fG0# t܁怿>QƌDаvg]̀.7s &)8+ؘ?%v;`am(K+2z2Lr4sqǛZۙ~;])@ZL` y.f k'Wfk$R@Wꓴ:8z8XX;[%͉E ('ҟ5K+ t=ͬXJ2X,gm  7Ͽ !̭\H`წ=c7Cp{;:yq|Y5e?06qqGO7$*)O#Z?i3t#g?-nj~c￲-Ho3- n%G8_Wm?#4vV9WS9Xw]=*֮fV7?˚P;l2.~fr0s4kع +ع>lA4zfGWp`B@,b-,EHA|"V`,E+A`v?̮?A`v"^0S|'EkA`v?̧t|zN?ǙqN_sBm,8YX+/_`Ap VKk;a:;_v? . rZK./_ջlt_ |Z,08A3Gп  XN^TC(]g3?g& 4CZ^p4ix#`ڟNcYu=foR0vhoEWH_|N5jKRm}6NPoGZ>Y|*8HICW+dGx>ћBtKFw,%dL2 W!xB^!\nӷZ.8>>OԛdL=f}}wX? ,k.M%I0Aզg8s7<dž ,.SKȒRsQ0GALpyNQ4h'4 [fJYtzޙBNGB(Rͦ)d)gchw#UE|w+%di~,ieŸCw3RZ u% P7>m9x2Y>du6Hɡgf٫+ ۑ|&ⰍTq LqYeGtFK}#gGCa`5\BaIdDHKal:(PP7IjCojO:=מΈ%}'9#4sgZ YqWM5R%jæF6MkLO"BGBOS$0FEzMї'0=NrchqUh[nFrRBSz3f`80xt0l\b\ ޛLyJr"xGn |ACwj)4EPnנRppix8 $ei^܆WD؍gѲb71o:F^5фp@w9>$TËt#.Gf_>=l j,r,mu;<>‹Պ..uZؔ6;%7Ki[&VpޣG {]1ekޓC: XwJ[iNyJ&8swddYBDh[#e?;^fT(K^B_aOa32Gk rg_i;F0-:,~"/?+ڬ?t&:[/ye@%QS)Dj). Kd5HbWxY|YBPcUMq 7?l ˇ \։/&v˃џp^&v;"5Z*2!Eb(@A$ * xZB,^Dh 'xJ邛\=X6퓈lSGU!orEqcT#IfJ&TҰ5ZO'Ot.U梁"6j$\F HY {0#) E=_|I9e9~Eoe fMUHLAfy[cBp31 n% :k&q$rVPu v)-oNﶩʼnJ(eN sHtscK'fGN^,,!1Kcd9bWͩ1tM݂Q;y4:|~zP0'Nn2@ S:DOi4ؓGRx~).³sdm(>WV#+Ү̑+ϡ E窃l0R._|| 7Utmу#qq~jO̠xiViY_ 1WJ54Yy[p;/T'|:﫷sPK4^fqTaq&Z;uxZC߾VNLjOMbh}sdGo-tJ<!Hڗ6YYd9bl~.Nifl1"0Q(4'$lHlj艹Cӄ/я:֣`8~HV_!}?5}Sq," %D f}Y`G?'u5f=* 9Pm%/_80S349foP5?6| dJL>l%5<+Y'̇_I;(!ҶzBoٷ%wϒ"Pb;h; =NgKr<=B{lZ= . zy<>_6QQPnRd }@KuHI)%ٸNɻgR߹bUk<Ͳ[#˨nu}#v.yۀ-jCU 5WhBYQ}R+Y~i!DPո#5(_7*}p  GTdy1 :u:e)KD(_oj!W2v%h~e[tԍ#QIFNY{wz:zMDAE}Bg4a}GuFrsQ U-$X4\G7KU`=DNJ̙_XFi8z{rL|E 1*֡Ir; J4ezq [%'s<@OFPUܟҲR$-:$g _(Q;u?j>d ]B9Gϲ ݠA*= |f' sġuܢ7D=;l%z[')#! 7j51ev#/ 3Em=Y^f50nVPh$1 Œ7Xkf;P\9KxgVƻ([^?hBա[Ip,u lb GW ;dZqgH1&<rثXL@|]?~MORGZPv0mz\|0xlD}:wfnƅNT0BuφFAݰ3 nP!qqid59cCDU!ݧ渼9췖2Xߖ6V4G^wOX\@ɜU$$q&3T>*zz*Xf'#e0moF1}Mk+H4n#P֞`Ϥ+=E%: R^$z8mȜF-GE]\$lkd_M", ~Pam/u& [!#rH;`UjZ*i-d\[!+M8˼9bxl]R= Bi`2@,|:J P7xڂii3%.IMFu&H؂<+ cak6kꊇ։+#(Z)5SU94S˒)u Fd<ӧA<>R_ĞX( ܏j˺SY&u N B0f[t}?gġ{m2zߠ r<6}'C%0N/9k<2Dt;u[Z ^(~J?C%r7|v7d4oZ& ­|8ۢ4;XzBDù$+e(PcP^* ۷c&͗&MjE0ivu y67*iLN8ڠ`zu4 :y\1A]ĸ.O iIT$/V%d3u|#T:>z.tU?_CEV82Z>}>td\ k"ܣ XJ.)XF\8'"g߈׃%vzKX!ʖ^)9 = Ȝ|K/"%(BjAZrk}dHXǺ6}l=Q jN-[T"yqxʼnbrNo%}_~ܒ"Ϗz}P slK`<^7i".ITSq"&u'fXԌZfWO 愌{YS_ wLkaեXQpvȊ^E M{1SI-A rͷvEWE}ޝB~,`!pо"M3BeĴt =5վ.p?g~/_a16'{lw|0T񓀿) ^ AjG5aV4,H| Ӳm,US>#: |*2Z(zA(KYF{fn;O}R0#8 <)OQ%ȵ,0-( RyD>dl[JA5K8SFM+BFe|ޝ xB PZj)d SF`3QQ"vqˉ۴W,[,>^`H;zjӗ/g\ z} މ; -W>XB3 q 9a!.E. FH⾃bD*t+̙RiH &5Lr~Y]:zo2*'6Y1ELP \"3K 9xC~"A;ݒCJ_ox[_)žnΩ+YA* +nN*r67'X^=|:hJb+ycFG%NMâXQLVJCVsN^ˋZgZ'w{l=ϔ{TiUR44Sf#[-ZIxTk*4W;<=K͛3ffFd6>`..jTVCRCNHe8>U b%^اĪK<*YxԀP:b:~/MmE-P6qkc2({=ۘ_"PYY8-7} vU1Bg1N#\=U@7֠ܦZ役&|C{~r:|BhJP%QOxGG&.ejksu[:$(,/ ] ~vj>na^N MA)v2bI gRܕٽ-BӮv|s> [s|;nY庈Gi WPv-nU%s\oj{=2>7X;|D#^+a2~Hv&3&tIKL.1?gѐ,O_걻}Hՠ߇dhDbK3n93[߻2}CƫV#nH5cR$@#jm4H?%5-:9}A*&s:w!Z,~CnYwNy>0n\&*C pgOq\'Gr*66o03V1_%^PzsvЇOKH:cG>qVۼfֽ36ӕ\TMf޾~ite녙s ?XV0ߔ|0B`v{%Ƴyx bs$F$6ayn=zQW[qwcς qÿ$Rw[{a;%fќf­R29h$Qtjkzߺ3V7ZCƚe 4}N綳GH=g~<<兘ɬ|s>`ifQͭs^ TfD hgrRxwL_l}uMO}R6j\ۄ,ޠB5`lFĦ`|#]Sń{~-nS(xN1?_,i.mHJ|͙҄999tp;Ez8Ӓǝ<<X4xP3kTC t\ q[\j G0 V  D#NHvXmr}N ]Sxl &' Mf, F7H-Y4Zu4IWe-.&DGzk!)]R6 Md*qOEX_ͨ$S[3@pRj[zM撊};("nIkG.U|=0t, Nj}a& ]?Tp gy7>\^Ʈ6W ~z758 9vꉨ'eewP3Sdͮn 暑tۚ3Z\c0BHk:7\E{p`n ;'>hjMGڧ:鵫iJuMaڠ)|UeKDwyosGn/u5f[ EX8Z%ss!j`9G3 @)dpY]myT%ە뿙 hм(FQ0W1ln OQ{ 4z2ad '9y*B=5-"pVs֪.&N@RS;"G,j&պ"&'Ԙ&.3k,jd7wS}(=vH:> ݆a,#thULG ƴpe)fJ|YR/xr:*K7!^c-.l-а(-xIˌ)VΈdq 1E& lz x_4)icmB[T,kаRwߘ23M(6nPrdW |;nSTƍgj~*PHۗbGlW)@*bn`dvDYR̺x"La2Z3We̱mI[<.t$˖ ǦPg,.e>5~A(u1 g) iH=7ȃ˂ &FEQG\Ez&ޒۑM ^/ֻ8j~X[7f.ncw/6/X#k$TPR60Pz_G,t?Ck _L`Qޖ` bH cQ!57šJCԪ`ygV 0!A[VW&Y%On+yj2哢9!_ Jm=)IPRT'is;)Wb@E筏0&ߐ^ j' l+[x HɐUĸw%aؼ7p!{FF.GHo~nq(@ڤ" f #<vu.ҎVx]x.CFgHrNT9%-* tF53*{S3ؓF ]$Ĭ٢۹R!,l hG~/2|\oq~nS2.W )'c4 HHm>ȱ: WREp2;%DSC\_7j\k>;k *?P;?*Y5(Dz56'x}l)#:~wΓEL0tCy T8~5SBR6*~$vS;$M֜Z ˈ_<}kmn͏0MZ4sqb=%u}@S!zU']TcUښ=%26% { uF-v{p_6o2sP3ݲ$4~{="|i)MOE8}36φoFd|^H=֜ Ne.;bT)NGN.rw]>|)pTgqjʉ1{+Pi j};'h{gcz: OZc74RVDq7Cu~΁{eǮB @ ZT!Yzh_KHTC;sz~\^r~"u53O" ̩Z_DcC )tOaB*uFP endstream endobj 1910 0 obj << /Type /ObjStm /N 100 /First 996 /Length 3907 /Filter /FlateDecode >> stream x[YSI~ׯ0]1 ؎y13~3nvVuuUf~yWKL! 0RLhcp2 "uI^E")qLyaG0RLKq0Ǒcچ.0"7%NH18rS FYSYqV ;aN1g Ձy)q/zm5s 3|pȎeAjPZy D<.% .qBjQeȡ`bˀl0Z3S.sH((|, T)P` !4wU#-:q<HG ` I F h# :w( #-(t:@B(g# - Rp(=ZUp.*ezl!q-PTDw0F!ݔq1`dp-rqpء(΢BOj|<\Ѡ֑y"h퀾A{*-z`" Jz` a3-lx]hnGxbQ~7{bׁCD}W4Px2}u`ő/J=Ťs{{ b1鞤kq&>bO`8༵{9΃2qԣ,*8XcI3AѝC#g3V{65΀cQ( "F8jQDTU4'Qq#+*>NkiWVWpD U繯d{Rxi&MׁGIrT_5?ہ''GJ?Bs4я4z Slj8-dȐD]UF'ѿ8ߒ=:_h{TSA׃x@_L R{1yrςly"HJԯ)k '4ќdaf F)%8H |c2^C@:ȯȉ4R^ǔf4jge_%ғhEcXBL::F}`^wSbL*~s<+*m"8`% 1kXu@_(8+== h X3Eb) 1@ ;MJ6vB7Edhd;lU(9P6+B{}0ʯ4 qÅ24b =\[`#piQ}ײƕ-wH%ArX 2PԒr{U tYb*7W hh:wzW<(s68i\^V(JkE1}+'.=_*&>y,:&?tmtZpp0ɾ<5=1m/ LE>vގ2 |xO'oӜW GmWŇ|gI4{=^d٫({goCv}~βqv>gEgTv]N~v]eW\lͲdglE̖*[]-<[1n_bݜRPgB(#QaGz ;'윴y>N/&"_Nu~k*VW4n&/4\"EvLIYggW$BN{z}8tﰐZgGB6rf"%&zxCs)(2_.A7P=z oOT@/wޚA \ wG'/"ЏHSon70P D<<QClM!/iL#!.4Nf8?:4Oה0]NT4Fi||+5LowPr5b:ˋŮ' QϖjY99Gow1ncڐŌ^ oU'?x@@e@l?F4KKݠ+nTۂj 6 {RՑ'/_bXHBEMc3n#Zeks|ߺSON/)ز.DCx[]J9582RּT̊q;ŝy:6JϞ}zua A kvBOJ>d({~zzt}45d_9g*xp5k-Uv=.[6J?;<;`'ç S&گ)Mo:~\~ɕxn`yɓ#T`F=(gM5TxvI|2Ii5q_Nje[KߺnΧS lp/"nCO۔RThM}F}k_)zB?0c*Fˬ)؍G@g)V'?};_͸MWp}q,3PtUI@y0^a2$=,+ GcRbuŜ? `.@j*lK$E["4u%t5/zDWcT["Dzso:ٜUR?{t؇MEo򨎃PWG]w N.؁8{Gsi`;u&.4=ud462NS>`%]Kf;PRL <[ɥެ/ͤ/ [xM ёJ7$DL5Hl@VȬwV[q~=q\ݯ&K%: Kn}7ĸ0$%b㈩{/1OĂτ'OUgEBScO])Z.}dK&dXIb'x&M&e2GH<{& `~aЏ#}c˨Cf$TU"Fٖ2`B6 YBhB&yRI  Re\bP YxCJ8R0NbDHX izk*E=6}c~-&'WqFZz--٠h崙v!JwB[+K?*XhF4m&TdK :w'Oղ(lj-^&hgeW@ELBl $BQ0kb43mƮl7X6*VF}~-xanБP=x۵{u꧕v,+[3BּaE)^7P nfI=ih5SU}U[]Qh۴zn_K6h]EJ}Y endstream endobj 1958 0 obj << /Type /ObjStm /N 100 /First 889 /Length 2026 /Filter /FlateDecode >> stream x}ZM%7_eEò ! ! Y-&3 #_WJn]oKG:ұ(TZN%ZtП̉"=TRwMKI¬?1Ȕ=ծ,UgJ]V @@=&@WCwPw05h4룀N7:%EͳNUdjQN0 !' N!t}P~JI#fexRg}1&;RVâSMP DPX3AY(懰SD0g5W74(kFHBJTA}N1:F̚#y< `Ĝ!*MM5Y(ԌrgAUcZw##>%'#jAjM&i 3AP) .zDC5ZRt"CBjR3C$yLɖ$QPKO2(V 5JZЅ&ADYbSV U40T75ZT3U2:Su hH }ydUkQ4袿6ZBt?~u z>>yJ_sOC-s1e)G~s KUƥJY`fXc9.fɣ%P3'yȗե>L"AR͚x'_#BwX*UU:'V)5o",cU`aq KXlŢ;ek1:Z)^(4:5~$,NoV=epyVF~it.'e tڬ֎|5:\iuL5ﰤ9`e\.KH"fMQ3YҖw_2$^ڤڑ5M4M 82Ỹdd lFe;.t<muiBE$QN٪9YHdtiYpoφll^ld Nezg4E= O XG'< O X'[,0.2u-%+}#X'!Djam]z0VG4 ZhtNbv1"o Au ؤ {3:ϞdѺF7##/ƊVnr]Q:,{b#bXź'g VacY낭nÂK ciZdMf%p, llI5ߨIY۔G~;"`wAK>B :5/_Vr0Aˇo\a/Oh_pDYk N؁af*B{0cbW8]_>[-> endobj 1964 0 obj << /Type /ObjStm /N 36 /First 349 /Length 1736 /Filter /FlateDecode >> stream xڭXnI}W#y<}n !%& 8vjpx|[ʹAAUuTU_:*SJk!(cHIr.$%T0Q1¸2$cۘ,hsRTڇx?߿tsǓ+KJ'CX&?Λe :[l_FIg|~LQx%Iیh>ͅGr!GNۊng _)bZ\}=׼ wg5'f}掚DDƟ1ߐr61z<=H)+t<ʁqJ^i HϸG>C]-̫+!ݏ>Nn|$+UYϞΔ"Գu/gnzͰuB 2Y0l$7mnv}KDLƜjoۛfz+[A/v˯P4ϻwl'FB|8k7ynuEyV‡⹹ެr=uq <1B7A2BA689DB98EDE3489000B322B935>] /Length 4728 /Filter /FlateDecode >> stream x%ml\Ysgc'[c/q'_-8NĎNbHhJl[JIisD%EUnVUE]/?wf=sLI_ AP#\ ))̀P9PԀc8uA8Ah-mENN΀nzA8 ^CY 9A% *( '@ h] .1p̀9p,p<`\#`qpL+`Li0fU0yp,`KX+`k`l;.6}lm]y }b ],8.)p\7pl(9PNfp}#2 Vgy1SQq(8 XkfOΟۣM@F`_$ndI=htlni dЉ+1N>p \=s*Ȧ>6TmE )X1CX$ԻbUrz=%*C!z0 r'yr;Vr{䞒JX F9rf#MiFD8EpIr)svrgMEr.v8Hny@Iɍ^rFs./i i '] :\/PO&w!ԯ!oѫ#9HM%{4E&!"%̽oY [@E@C]IR ~[C\'Ώ5HMAG?Y[kX|IRTvz9˕W[4-ixr9]f2VL?9[ӧtZsa > zNF%k3 o5pU!^+Kk}7et+- E=Yucا˛5G͔%5ˏD^%5]>) 䢞L}D[E>S=XDd^s3Uy@s:h_"D'T:N|tRs: `^w4QQ"9!_z;Sq 0 GDXЏ}볛oqV7[2ZE~5dP(.|KU\yGup[G_Ƶe">ә)_֓w?h𔧆xJ9郯okZ FHe%c n?u)B(/aӒ~5H%z@^MnhQckx%!/]i)L!գ>"X;.]Ϊ*߹xBd5 SP:'>C%]hGyfǒhNJ] y{Kd~MCojM~MߤZ2GyAH ӋLڤQ2k! r'-ٝ[Kѵ0O:$iH&g$F"VґyId~ȝ̧Os$h Iy:I'TY2,uQ1|4 ɼŔh'D'Sy`(HA2'u<)t Ԣ"_P` YlU*lH=`$$/3}zE:Ov${iG$ Ɂd9Lxtַ ttKR::;VC ~},b!Ȁ,@4@ZXJ@Z ;i=`,=@;i+@SOY-KQ?"|7EtZzyzo jiSN/DN+rV $}SM7E}Sdӣiɵ)§"|)§"|)§"|)§"|)§"|)§"|)§"|wO>E"|# ȂyP j1pԂ:P 4 N6N"A'g@7 0`\0F(2W$`̂`\:X7" - V* `NrUؐ\Ϡ+mG}_QZ  @Tp @=h'@#h͠ S:i  z@/gA?8y0 E0 .0 8 &0 4*< n%p , n56p>x6xv x %7rj$൪b,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,Xb,XG1GXaqGX4h@Cd";Dv:T5>0'JbpXapXapXapXapXapXapXapXapXapXapXapXapXapXapXapXapXapXapXapXapXapXa Iað:mF0Y,Qj90/v3 N aڰlؾ0 6za{ٰ+h@6j~CYro.h ¾aǰghX0,6# KnÂa 3x7^%aܰ`66/Na'ΰ nF0,~ ;}æaghk3 {]( \3lvx k}ÎaɰhX7u~֯aڰa*3lGUrKQް-a؇0lv {cM`2yAHMM`H*0CI|j˰jj:&U۟q?hV8:k WU/Kjkjf$խjѢZ##j귾RspL9(_ѢԴΕ[GOo7Jh(%zDoQ4JF(Q%JDi(Q4JF(Q%J Z(Q)%.DRRJD(Q% DA(RtwV.G?& endstream endobj startxref 600421 %%EOF nettle-3.10/serpent-decrypt.c0000644000175000017500000003733414633602171015265 0ustar nissenisse/* serpent-decrypt.c The serpent block cipher. For more details on this algorithm, see the Serpent website at http://www.cl.cam.ac.uk/~rja14/serpent.html Copyright (C) 2011 Niels Möller Copyright (C) 2010, 2011 Simon Josefsson Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file is derived from cipher/serpent.c in Libgcrypt v1.4.6. The adaption to Nettle was made by Simon Josefsson on 2010-12-07 with final touches on 2011-05-30. Changes include replacing libgcrypt with nettle in the license template, renaming serpent_context to serpent_ctx, renaming u32 to uint32_t, removing libgcrypt stubs and selftests, modifying entry function prototypes, using FOR_BLOCKS to iterate through data in encrypt/decrypt, using LE_READ_UINT32 and LE_WRITE_UINT32 to access data in encrypt/decrypt, and running indent on the code. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "serpent.h" #include "macros.h" #include "serpent-internal.h" /* These are the S-Boxes of Serpent. They are copied from Serpents reference implementation (the optimized one, contained in `floppy2') and are therefore: Copyright (C) 1998 Ross Anderson, Eli Biham, Lars Knudsen. To quote the Serpent homepage (http://www.cl.cam.ac.uk/~rja14/serpent.html): "Serpent is now completely in the public domain, and we impose no restrictions on its use. This was announced on the 21st August at the First AES Candidate Conference. The optimised implementations in the submission package are now under the GNU PUBLIC LICENSE (GPL), although some comments in the code still say otherwise. You are welcome to use Serpent for any application." */ /* S0 inverse: 13 3 11 0 10 6 5 12 1 14 4 7 15 9 8 2 */ /* Original single-assignment form: t01 = x2 ^ x3; t02 = x0 | x1; t03 = x1 | x2; t04 = x2 & t01; t05 = t02 ^ t01; t06 = x0 | t04; y2 = ~ t05; t08 = x1 ^ x3; t09 = t03 & t08; t10 = x3 | y2; y1 = t09 ^ t06; t12 = x0 | t05; t13 = y1 ^ t12; t14 = t03 ^ t10; t15 = x0 ^ x2; y3 = t14 ^ t13; t17 = t05 & t13; t18 = t14 | t17; y0 = t15 ^ t18; */ #define SBOX0_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 ^ x2; \ y2 = x0 | x1; \ y1 = x2 ^ x3; \ y2 ^= y1; \ y1 &= x2; \ x2 |= x1; \ x1 ^= x3; \ y1 |= x0; \ x1 &= x2; \ y1 ^= x1; \ x0 |= y2; \ x0 ^= y1; \ x1 = y2 & x0; \ y2 = ~ y2; \ x3 |= y2; \ x3 ^= x2; \ y3 = x3 ^ x0; \ x1 |= x3; \ y0 ^= x1; \ } while (0) /* S1 inverse: 5 8 2 14 15 6 12 3 11 4 7 9 1 13 10 0 */ /* Original single-assignment form: t01 = x0 ^ x1; t02 = x1 | x3; t03 = x0 & x2; t04 = x2 ^ t02; t05 = x0 | t04; t06 = t01 & t05; t07 = x3 | t03; t08 = x1 ^ t06; t09 = t07 ^ t06; t10 = t04 | t03; t11 = x3 & t08; y2 = ~ t09; y1 = t10 ^ t11; t14 = x0 | y2; t15 = t06 ^ y1; y3 = t01 ^ t04; t17 = x2 ^ t15; y0 = t14 ^ t17; */ #define SBOX1_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x1 | x3; \ y1 ^= x2; \ y3 = x0 ^ x1; \ y0 = x0 | y1; \ y0 &= y3; \ x1 ^= y0; \ y3 ^= y1; \ x1 &= x3; \ y2 = x0 & x2; \ y1 |= y2; \ y2 |= x3; \ y2 ^= y0; \ y2 = ~ y2; \ y1 ^= x1; \ y0 ^= y1; \ y0 ^= x2; \ x0 |= y2; \ y0 ^= x0; \ } while (0) /* S2 inverse: 12 9 15 4 11 14 1 2 0 3 6 13 5 8 10 7 */ /* Original single-assignment form: t01 = x0 ^ x3; t02 = x2 ^ x3; t03 = x0 & x2; t04 = x1 | t02; y0 = t01 ^ t04; t06 = x0 | x2; t07 = x3 | y0; t08 = ~ x3; t09 = x1 & t06; t10 = t08 | t03; t11 = x1 & t07; t12 = t06 & t02; y3 = t09 ^ t10; y1 = t12 ^ t11; t15 = x2 & y3; t16 = y0 ^ y1; t17 = t10 ^ t15; y2 = t16 ^ t17; */ #define SBOX2_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y0 = x0 ^ x3; \ y2 = x2 ^ x3; \ y1 = x1 | y2; \ y0 ^= y1; \ y1 = x3 | y0; \ y1 &= x1; \ x3 = ~ x3; \ y3 = x0 | x2; \ y2 &= y3; \ y1 ^= y2; \ y3 &= x1; \ x0 &= x2; \ x0 |= x3; \ y3 ^= x0; \ x2 &= y3; \ x2 ^= x0; \ y2 = y0 ^ y1; \ y2 ^= x2; \ } while (0) /* S3 inverse: 0 9 10 7 11 14 6 13 3 5 12 2 4 8 15 1 */ /* Original single-assignment form: t01 = x2 | x3; t02 = x0 | x3; t03 = x2 ^ t02; t04 = x1 ^ t02; t05 = x0 ^ x3; t06 = t04 & t03; t07 = x1 & t01; y2 = t05 ^ t06; t09 = x0 ^ t03; y0 = t07 ^ t03; t11 = y0 | t05; t12 = t09 & t11; t13 = x0 & y2; t14 = t01 ^ t05; y1 = x1 ^ t12; t16 = x1 | t13; y3 = t14 ^ t16; */ #define SBOX3_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x2 | x3; \ y0 = x1 & y3; \ y2 = x0 | x3; \ y1 = x2 ^ y2; \ y0 ^= y1; \ x3 ^= x0; \ y3 ^= x3; \ y2 ^= x1; \ y2 &= y1; \ y2 ^= x3; \ y1 ^= x0; \ x3 |= y0; \ y1 &= x3; \ y1 ^= x1; \ x0 &= y2; \ x0 |= x1; \ y3 ^= x0; \ } while (0) /* S4 inverse: 5 0 8 3 10 9 7 14 2 12 11 6 4 15 13 1 */ /* Original single-assignment form: t01 = x1 | x3; t02 = x2 | x3; t03 = x0 & t01; t04 = x1 ^ t02; t05 = x2 ^ x3; t06 = ~ t03; t07 = x0 & t04; y1 = t05 ^ t07; t09 = y1 | t06; t10 = x0 ^ t07; t11 = t01 ^ t09; t12 = x3 ^ t04; t13 = x2 | t10; y3 = t03 ^ t12; t15 = x0 ^ t04; y2 = t11 ^ t13; y0 = t15 ^ t09; */ #define SBOX4_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x2 ^ x3; \ y2 = x2 | x3; \ y2 ^= x1; \ x1 |= x3; \ y0 = x0 ^ y2; \ x3 ^= y2; \ y2 &= x0; \ y1 ^= y2; \ y2 ^= x0; \ y2 |= x2; \ x0 &= x1; \ y3 = x0 ^ x3; \ x0 = ~ x0; \ x0 |= y1; \ y0 ^= x0; \ x0 ^= x1; \ y2 ^= x0; \ } while (0) /* S5 inverse: 8 15 2 9 4 1 13 14 11 6 5 3 7 12 10 0 */ /* Original single-assignment form: t01 = x0 & x3; t02 = x2 ^ t01; t03 = x0 ^ x3; t04 = x1 & t02; t05 = x0 & x2; y0 = t03 ^ t04; t07 = x0 & y0; t08 = t01 ^ y0; t09 = x1 | t05; t10 = ~ x1; y1 = t08 ^ t09; t12 = t10 | t07; t13 = y0 | y1; y3 = t02 ^ t12; t15 = t02 ^ t13; t16 = x1 ^ x3; y2 = t16 ^ t15; */ #define SBOX5_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y1 = x0 & x3; \ y3 = x2 ^ y1; \ y0 = x1 & y3; \ y2 = x0 ^ x3; \ x3 ^= x1; \ y0 ^= y2; \ x2 &= x0; \ x0 &= y0; \ x2 |= x1; \ y1 ^= y0; \ y1 ^= x2; \ y2 = y0 | y1; \ y2 ^= y3; \ y2 ^= x3; \ x1 = ~ x1; \ x1 |= x0; \ y3 ^= x1; \ } while (0) /* S6 inverse: 15 10 1 13 5 3 6 0 4 9 14 7 2 12 8 11 */ /* Original single-assignment form: t01 = x0 ^ x2; t02 = ~ x2; t03 = x1 & t01; t04 = x1 | t02; t05 = x3 | t03; t06 = x1 ^ x3; t07 = x0 & t04; t08 = x0 | t02; t09 = t07 ^ t05; y1 = t06 ^ t08; y0 = ~ t09; t12 = x1 & y0; t13 = t01 & t05; t14 = t01 ^ t12; t15 = t07 ^ t13; t16 = x3 | t02; t17 = x0 ^ y1; y3 = t17 ^ t15; y2 = t16 ^ t14; */ #define SBOX6_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y2 = x0 ^ x2; \ x2 = ~ x2; \ y0 = x1 ^ x3; \ y1 = x0 | x2; \ y1 ^= y0; \ y3 = x1 & y2; \ y3 |= x3; \ x3 |= x2; \ x2 |= x1; \ x2 &= x0; \ y0 = x2 ^ y3; \ y0 = ~ y0; \ y3 &= y2; \ y3 ^= x2; \ x0 ^= y1; \ y3 ^= x0; \ x1 &= y0; \ y2 ^= x1; \ y2 ^= x3; \ } while (0) /* S7 inverse: 3 0 6 13 9 14 15 8 5 12 11 7 10 1 4 2 */ /* Original single-assignment form: t01 = x0 & x1; t02 = x0 | x1; t03 = x2 | t01; t04 = x3 & t02; y3 = t03 ^ t04; t06 = x1 ^ t04; t07 = x3 ^ y3; t08 = ~ t07; t09 = t06 | t08; t10 = x1 ^ x3; t11 = x0 | x3; y1 = x0 ^ t09; t13 = x2 ^ t06; t14 = x2 & t11; t15 = x3 | y1; t16 = t01 | t10; y0 = t13 ^ t15; y2 = t14 ^ t16; */ #define SBOX7_INVERSE(x0, x1, x2, x3, y0, y1, y2, y3) \ do { \ y3 = x0 & x1; \ y2 = x1 ^ x3; \ y2 |= y3; \ y1 = x0 | x3; \ y1 &= x2; \ y2 ^= y1; \ y3 |= x2; \ y0 = x0 | x1; \ y0 &= x3; \ y3 ^= y0; \ y0 ^= x1; \ y1 = x3 ^ y3; \ y1 = ~ y1; \ y1 |= y0; \ y0 ^= x2; \ y1 ^= x0; \ x3 |= y1; \ y0 ^= x3; \ } while (0) /* In-place inverse linear transformation. */ #define LINEAR_TRANSFORMATION_INVERSE(x0,x1,x2,x3) \ do { \ x2 = ROTL32 (10, x2); \ x0 = ROTL32 (27, x0); \ x2 = x2 ^ x3 ^ (x1 << 7); \ x0 = x0 ^ x1 ^ x3; \ x3 = ROTL32 (25, x3); \ x1 = ROTL32 (31, x1); \ x3 = x3 ^ x2 ^ (x0 << 3); \ x1 = x1 ^ x0 ^ x2; \ x2 = ROTL32 (29, x2); \ x0 = ROTL32 (19, x0); \ } while (0) /* Round inputs are x0,x1,x2,x3 (destroyed), and round outputs are y0,y1,y2,y3. */ #define ROUND_INVERSE(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ LINEAR_TRANSFORMATION_INVERSE (x0,x1,x2,x3); \ SBOX##which##_INVERSE(x0,x1,x2,x3, y0,y1,y2,y3); \ KEYXOR(y0,y1,y2,y3, subkey); \ } while (0) #if HAVE_NATIVE_64_BIT /* In-place inverse linear transformation. */ #define LINEAR_TRANSFORMATION64_INVERSE(x0,x1,x2,x3) \ do { \ x2 = DROTL32 (10, x2); \ x0 = DROTL32 (27, x0); \ x2 = x2 ^ x3 ^ DRSHIFT32(7, x1); \ x0 = x0 ^ x1 ^ x3; \ x3 = DROTL32 (25, x3); \ x1 = DROTL32 (31, x1); \ x3 = x3 ^ x2 ^ DRSHIFT32(3, x0); \ x1 = x1 ^ x0 ^ x2; \ x2 = DROTL32 (29, x2); \ x0 = DROTL32 (19, x0); \ } while (0) #define ROUND64_INVERSE(which, subkey, x0,x1,x2,x3, y0,y1,y2,y3) \ do { \ LINEAR_TRANSFORMATION64_INVERSE (x0,x1,x2,x3); \ SBOX##which##_INVERSE(x0,x1,x2,x3, y0,y1,y2,y3); \ KEYXOR64(y0,y1,y2,y3, subkey); \ } while (0) #endif /* HAVE_NATIVE_64_BIT */ void serpent_decrypt (const struct serpent_ctx *ctx, size_t length, uint8_t * dst, const uint8_t * src) { assert( !(length % SERPENT_BLOCK_SIZE)); #if HAVE_NATIVE_64_BIT if (length & SERPENT_BLOCK_SIZE) #else while (length >= SERPENT_BLOCK_SIZE) #endif { uint32_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); /* Inverse of special round */ KEYXOR (x0,x1,x2,x3, ctx->keys[32]); SBOX7_INVERSE (x0,x1,x2,x3, y0,y1,y2,y3); KEYXOR (y0,y1,y2,y3, ctx->keys[31]); k = 24; goto start32; while (k > 0) { k -= 8; ROUND_INVERSE (7, ctx->keys[k+7], x0,x1,x2,x3, y0,y1,y2,y3); start32: ROUND_INVERSE (6, ctx->keys[k+6], y0,y1,y2,y3, x0,x1,x2,x3); ROUND_INVERSE (5, ctx->keys[k+5], x0,x1,x2,x3, y0,y1,y2,y3); ROUND_INVERSE (4, ctx->keys[k+4], y0,y1,y2,y3, x0,x1,x2,x3); ROUND_INVERSE (3, ctx->keys[k+3], x0,x1,x2,x3, y0,y1,y2,y3); ROUND_INVERSE (2, ctx->keys[k+2], y0,y1,y2,y3, x0,x1,x2,x3); ROUND_INVERSE (1, ctx->keys[k+1], x0,x1,x2,x3, y0,y1,y2,y3); ROUND_INVERSE (0, ctx->keys[k], y0,y1,y2,y3, x0,x1,x2,x3); } LE_WRITE_UINT32 (dst, x0); LE_WRITE_UINT32 (dst + 4, x1); LE_WRITE_UINT32 (dst + 8, x2); LE_WRITE_UINT32 (dst + 12, x3); src += SERPENT_BLOCK_SIZE; dst += SERPENT_BLOCK_SIZE; length -= SERPENT_BLOCK_SIZE; } #if HAVE_NATIVE_64_BIT FOR_BLOCKS(length, dst, src, 2*SERPENT_BLOCK_SIZE) { uint64_t x0,x1,x2,x3, y0,y1,y2,y3; unsigned k; x0 = LE_READ_UINT32 (src); x1 = LE_READ_UINT32 (src + 4); x2 = LE_READ_UINT32 (src + 8); x3 = LE_READ_UINT32 (src + 12); x0 <<= 32; x0 |= LE_READ_UINT32 (src + 16); x1 <<= 32; x1 |= LE_READ_UINT32 (src + 20); x2 <<= 32; x2 |= LE_READ_UINT32 (src + 24); x3 <<= 32; x3 |= LE_READ_UINT32 (src + 28); /* Inverse of special round */ KEYXOR64 (x0,x1,x2,x3, ctx->keys[32]); SBOX7_INVERSE (x0,x1,x2,x3, y0,y1,y2,y3); KEYXOR64 (y0,y1,y2,y3, ctx->keys[31]); k = 24; goto start64; while (k > 0) { k -= 8; ROUND64_INVERSE (7, ctx->keys[k+7], x0,x1,x2,x3, y0,y1,y2,y3); start64: ROUND64_INVERSE (6, ctx->keys[k+6], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64_INVERSE (5, ctx->keys[k+5], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64_INVERSE (4, ctx->keys[k+4], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64_INVERSE (3, ctx->keys[k+3], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64_INVERSE (2, ctx->keys[k+2], y0,y1,y2,y3, x0,x1,x2,x3); ROUND64_INVERSE (1, ctx->keys[k+1], x0,x1,x2,x3, y0,y1,y2,y3); ROUND64_INVERSE (0, ctx->keys[k], y0,y1,y2,y3, x0,x1,x2,x3); } LE_WRITE_UINT32 (dst + 16, x0); LE_WRITE_UINT32 (dst + 20, x1); LE_WRITE_UINT32 (dst + 24, x2); LE_WRITE_UINT32 (dst + 28, x3); x0 >>= 32; LE_WRITE_UINT32 (dst, x0); x1 >>= 32; LE_WRITE_UINT32 (dst + 4, x1); x2 >>= 32; LE_WRITE_UINT32 (dst + 8, x2); x3 >>= 32; LE_WRITE_UINT32 (dst + 12, x3); } #endif /* HAVE_NATIVE_64_BIT */ } nettle-3.10/serpent.h0000644000175000017500000000570714633602172013622 0ustar nissenisse/* serpent.h The serpent block cipher. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Serpent is a 128-bit block cipher that accepts a key size of 256 * bits, designed by Ross Anderson, Eli Biham, and Lars Knudsen. See * http://www.cl.cam.ac.uk/~rja14/serpent.html for details. */ #ifndef NETTLE_SERPENT_H_INCLUDED #define NETTLE_SERPENT_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define serpent_set_key nettle_serpent_set_key #define serpent128_set_key nettle_serpent128_set_key #define serpent192_set_key nettle_serpent192_set_key #define serpent256_set_key nettle_serpent256_set_key #define serpent_encrypt nettle_serpent_encrypt #define serpent_decrypt nettle_serpent_decrypt #define SERPENT_BLOCK_SIZE 16 /* Other key lengths are possible, but the design of Serpent makes * smaller key lengths quite pointless; they cheated with the AES * requirements, using a 256-bit key length exclusively and just * padding it out if the desired key length was less, so there really * is no advantage to using key lengths less than 256 bits. */ #define SERPENT_KEY_SIZE 32 /* Allow keys of size 128 <= bits <= 256 */ #define SERPENT_MIN_KEY_SIZE 16 #define SERPENT_MAX_KEY_SIZE 32 #define SERPENT128_KEY_SIZE 16 #define SERPENT192_KEY_SIZE 24 #define SERPENT256_KEY_SIZE 32 struct serpent_ctx { uint32_t keys[33][4]; /* key schedule */ }; void serpent_set_key(struct serpent_ctx *ctx, size_t length, const uint8_t *key); void serpent128_set_key(struct serpent_ctx *ctx, const uint8_t *key); void serpent192_set_key(struct serpent_ctx *ctx, const uint8_t *key); void serpent256_set_key(struct serpent_ctx *ctx, const uint8_t *key); void serpent_encrypt(const struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void serpent_decrypt(const struct serpent_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_SERPENT_H_INCLUDED */ nettle-3.10/mini-gmp.h0000644000175000017500000002656214633602172013661 0ustar nissenisse/* mini-gmp, a minimalistic implementation of a GNU GMP subset. Copyright 2011-2015, 2017, 2019 Free Software Foundation, Inc. This file is part of the GNU MP Library. The GNU MP Library is free software; you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. The GNU MP Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with the GNU MP Library. If not, see https://www.gnu.org/licenses/. */ /* About mini-gmp: This is a minimal implementation of a subset of the GMP interface. It is intended for inclusion into applications which have modest bignums needs, as a fallback when the real GMP library is not installed. This file defines the public interface. */ #ifndef __MINI_GMP_H__ #define __MINI_GMP_H__ /* For size_t */ #include #if defined (__cplusplus) extern "C" { #endif void mp_set_memory_functions (void *(*) (size_t), void *(*) (void *, size_t, size_t), void (*) (void *, size_t)); void mp_get_memory_functions (void *(**) (size_t), void *(**) (void *, size_t, size_t), void (**) (void *, size_t)); #ifndef MINI_GMP_LIMB_TYPE #define MINI_GMP_LIMB_TYPE long #endif typedef unsigned MINI_GMP_LIMB_TYPE mp_limb_t; typedef long mp_size_t; typedef unsigned long mp_bitcnt_t; typedef mp_limb_t *mp_ptr; typedef const mp_limb_t *mp_srcptr; typedef struct { int _mp_alloc; /* Number of *limbs* allocated and pointed to by the _mp_d field. */ int _mp_size; /* abs(_mp_size) is the number of limbs the last field points to. If _mp_size is negative this is a negative number. */ mp_limb_t *_mp_d; /* Pointer to the limbs. */ } __mpz_struct; typedef __mpz_struct mpz_t[1]; typedef __mpz_struct *mpz_ptr; typedef const __mpz_struct *mpz_srcptr; extern const int mp_bits_per_limb; void mpn_copyi (mp_ptr, mp_srcptr, mp_size_t); void mpn_copyd (mp_ptr, mp_srcptr, mp_size_t); void mpn_zero (mp_ptr, mp_size_t); int mpn_cmp (mp_srcptr, mp_srcptr, mp_size_t); int mpn_zero_p (mp_srcptr, mp_size_t); mp_limb_t mpn_add_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_add_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); mp_limb_t mpn_add (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); mp_limb_t mpn_sub_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_sub_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); mp_limb_t mpn_sub (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); mp_limb_t mpn_mul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_addmul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_submul_1 (mp_ptr, mp_srcptr, mp_size_t, mp_limb_t); mp_limb_t mpn_mul (mp_ptr, mp_srcptr, mp_size_t, mp_srcptr, mp_size_t); void mpn_mul_n (mp_ptr, mp_srcptr, mp_srcptr, mp_size_t); void mpn_sqr (mp_ptr, mp_srcptr, mp_size_t); int mpn_perfect_square_p (mp_srcptr, mp_size_t); mp_size_t mpn_sqrtrem (mp_ptr, mp_ptr, mp_srcptr, mp_size_t); mp_limb_t mpn_lshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); mp_limb_t mpn_rshift (mp_ptr, mp_srcptr, mp_size_t, unsigned int); mp_bitcnt_t mpn_scan0 (mp_srcptr, mp_bitcnt_t); mp_bitcnt_t mpn_scan1 (mp_srcptr, mp_bitcnt_t); void mpn_com (mp_ptr, mp_srcptr, mp_size_t); mp_limb_t mpn_neg (mp_ptr, mp_srcptr, mp_size_t); mp_bitcnt_t mpn_popcount (mp_srcptr, mp_size_t); mp_limb_t mpn_invert_3by2 (mp_limb_t, mp_limb_t); #define mpn_invert_limb(x) mpn_invert_3by2 ((x), 0) size_t mpn_get_str (unsigned char *, int, mp_ptr, mp_size_t); mp_size_t mpn_set_str (mp_ptr, const unsigned char *, size_t, int); void mpz_init (mpz_t); void mpz_init2 (mpz_t, mp_bitcnt_t); void mpz_clear (mpz_t); #define mpz_odd_p(z) (((z)->_mp_size != 0) & (int) (z)->_mp_d[0]) #define mpz_even_p(z) (! mpz_odd_p (z)) int mpz_sgn (const mpz_t); int mpz_cmp_si (const mpz_t, long); int mpz_cmp_ui (const mpz_t, unsigned long); int mpz_cmp (const mpz_t, const mpz_t); int mpz_cmpabs_ui (const mpz_t, unsigned long); int mpz_cmpabs (const mpz_t, const mpz_t); int mpz_cmp_d (const mpz_t, double); int mpz_cmpabs_d (const mpz_t, double); void mpz_abs (mpz_t, const mpz_t); void mpz_neg (mpz_t, const mpz_t); void mpz_swap (mpz_t, mpz_t); void mpz_add_ui (mpz_t, const mpz_t, unsigned long); void mpz_add (mpz_t, const mpz_t, const mpz_t); void mpz_sub_ui (mpz_t, const mpz_t, unsigned long); void mpz_ui_sub (mpz_t, unsigned long, const mpz_t); void mpz_sub (mpz_t, const mpz_t, const mpz_t); void mpz_mul_si (mpz_t, const mpz_t, long int); void mpz_mul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_mul (mpz_t, const mpz_t, const mpz_t); void mpz_mul_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_addmul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_addmul (mpz_t, const mpz_t, const mpz_t); void mpz_submul_ui (mpz_t, const mpz_t, unsigned long int); void mpz_submul (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_tdiv_qr (mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_q (mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_q (mpz_t, const mpz_t, const mpz_t); void mpz_tdiv_q (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_r (mpz_t, const mpz_t, const mpz_t); void mpz_fdiv_r (mpz_t, const mpz_t, const mpz_t); void mpz_tdiv_r (mpz_t, const mpz_t, const mpz_t); void mpz_cdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_fdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_tdiv_q_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_cdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_fdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_tdiv_r_2exp (mpz_t, const mpz_t, mp_bitcnt_t); void mpz_mod (mpz_t, const mpz_t, const mpz_t); void mpz_divexact (mpz_t, const mpz_t, const mpz_t); int mpz_divisible_p (const mpz_t, const mpz_t); int mpz_congruent_p (const mpz_t, const mpz_t, const mpz_t); unsigned long mpz_cdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_tdiv_qr_ui (mpz_t, mpz_t, const mpz_t, unsigned long); unsigned long mpz_cdiv_q_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_q_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_tdiv_q_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_cdiv_r_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_fdiv_r_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_tdiv_r_ui (mpz_t, const mpz_t, unsigned long); unsigned long mpz_cdiv_ui (const mpz_t, unsigned long); unsigned long mpz_fdiv_ui (const mpz_t, unsigned long); unsigned long mpz_tdiv_ui (const mpz_t, unsigned long); unsigned long mpz_mod_ui (mpz_t, const mpz_t, unsigned long); void mpz_divexact_ui (mpz_t, const mpz_t, unsigned long); int mpz_divisible_ui_p (const mpz_t, unsigned long); unsigned long mpz_gcd_ui (mpz_t, const mpz_t, unsigned long); void mpz_gcd (mpz_t, const mpz_t, const mpz_t); void mpz_gcdext (mpz_t, mpz_t, mpz_t, const mpz_t, const mpz_t); void mpz_lcm_ui (mpz_t, const mpz_t, unsigned long); void mpz_lcm (mpz_t, const mpz_t, const mpz_t); int mpz_invert (mpz_t, const mpz_t, const mpz_t); void mpz_sqrtrem (mpz_t, mpz_t, const mpz_t); void mpz_sqrt (mpz_t, const mpz_t); int mpz_perfect_square_p (const mpz_t); void mpz_pow_ui (mpz_t, const mpz_t, unsigned long); void mpz_ui_pow_ui (mpz_t, unsigned long, unsigned long); void mpz_powm (mpz_t, const mpz_t, const mpz_t, const mpz_t); void mpz_powm_ui (mpz_t, const mpz_t, unsigned long, const mpz_t); void mpz_rootrem (mpz_t, mpz_t, const mpz_t, unsigned long); int mpz_root (mpz_t, const mpz_t, unsigned long); void mpz_fac_ui (mpz_t, unsigned long); void mpz_2fac_ui (mpz_t, unsigned long); void mpz_mfac_uiui (mpz_t, unsigned long, unsigned long); void mpz_bin_uiui (mpz_t, unsigned long, unsigned long); int mpz_probab_prime_p (const mpz_t, int); int mpz_tstbit (const mpz_t, mp_bitcnt_t); void mpz_setbit (mpz_t, mp_bitcnt_t); void mpz_clrbit (mpz_t, mp_bitcnt_t); void mpz_combit (mpz_t, mp_bitcnt_t); void mpz_com (mpz_t, const mpz_t); void mpz_and (mpz_t, const mpz_t, const mpz_t); void mpz_ior (mpz_t, const mpz_t, const mpz_t); void mpz_xor (mpz_t, const mpz_t, const mpz_t); mp_bitcnt_t mpz_popcount (const mpz_t); mp_bitcnt_t mpz_hamdist (const mpz_t, const mpz_t); mp_bitcnt_t mpz_scan0 (const mpz_t, mp_bitcnt_t); mp_bitcnt_t mpz_scan1 (const mpz_t, mp_bitcnt_t); int mpz_fits_slong_p (const mpz_t); int mpz_fits_ulong_p (const mpz_t); int mpz_fits_sint_p (const mpz_t); int mpz_fits_uint_p (const mpz_t); int mpz_fits_sshort_p (const mpz_t); int mpz_fits_ushort_p (const mpz_t); long int mpz_get_si (const mpz_t); unsigned long int mpz_get_ui (const mpz_t); double mpz_get_d (const mpz_t); size_t mpz_size (const mpz_t); mp_limb_t mpz_getlimbn (const mpz_t, mp_size_t); void mpz_realloc2 (mpz_t, mp_bitcnt_t); mp_srcptr mpz_limbs_read (mpz_srcptr); mp_ptr mpz_limbs_modify (mpz_t, mp_size_t); mp_ptr mpz_limbs_write (mpz_t, mp_size_t); void mpz_limbs_finish (mpz_t, mp_size_t); mpz_srcptr mpz_roinit_n (mpz_t, mp_srcptr, mp_size_t); #define MPZ_ROINIT_N(xp, xs) {{0, (xs),(xp) }} void mpz_set_si (mpz_t, signed long int); void mpz_set_ui (mpz_t, unsigned long int); void mpz_set (mpz_t, const mpz_t); void mpz_set_d (mpz_t, double); void mpz_init_set_si (mpz_t, signed long int); void mpz_init_set_ui (mpz_t, unsigned long int); void mpz_init_set (mpz_t, const mpz_t); void mpz_init_set_d (mpz_t, double); size_t mpz_sizeinbase (const mpz_t, int); char *mpz_get_str (char *, int, const mpz_t); int mpz_set_str (mpz_t, const char *, int); int mpz_init_set_str (mpz_t, const char *, int); /* This long list taken from gmp.h. */ /* For reference, "defined(EOF)" cannot be used here. In g++ 2.95.4, defines EOF but not FILE. */ #if defined (FILE) \ || defined (H_STDIO) \ || defined (_H_STDIO) /* AIX */ \ || defined (_STDIO_H) /* glibc, Sun, SCO */ \ || defined (_STDIO_H_) /* BSD, OSF */ \ || defined (__STDIO_H) /* Borland */ \ || defined (__STDIO_H__) /* IRIX */ \ || defined (_STDIO_INCLUDED) /* HPUX */ \ || defined (__dj_include_stdio_h_) /* DJGPP */ \ || defined (_FILE_DEFINED) /* Microsoft */ \ || defined (__STDIO__) /* Apple MPW MrC */ \ || defined (_MSL_STDIO_H) /* Metrowerks */ \ || defined (_STDIO_H_INCLUDED) /* QNX4 */ \ || defined (_ISO_STDIO_ISO_H) /* Sun C++ */ \ || defined (__STDIO_LOADED) /* VMS */ size_t mpz_out_str (FILE *, int, const mpz_t); #endif void mpz_import (mpz_t, size_t, int, size_t, int, size_t, const void *); void *mpz_export (void *, size_t *, int, size_t, int, size_t, const mpz_t); #if defined (__cplusplus) } #endif #endif /* __MINI_GMP_H__ */ nettle-3.10/config.h.in0000644000175000017500000001717414633602172014015 0ustar nissenisse/* config.h.in. Generated from configure.ac by autoheader. */ /* Define if building universal (internal helper macro) */ #undef AC_APPLE_UNIVERSAL_BUILD /* Define to 1 if using 'alloca.c'. */ #undef C_ALLOCA /* Define to 1 if you have 'alloca', as a function or macro. */ #undef HAVE_ALLOCA /* Define to 1 if works. */ #undef HAVE_ALLOCA_H /* Define if __builtin_bswap64 is available */ #undef HAVE_BUILTIN_BSWAP64 /* Define if clock_gettime is available */ #undef HAVE_CLOCK_GETTIME /* Define to 1 if you have the header file. */ #undef HAVE_DLFCN_H /* Define if fcntl file locking is available */ #undef HAVE_FCNTL_LOCKING /* Define if the compiler understands __attribute__ */ #undef HAVE_GCC_ATTRIBUTE /* Define to 1 if you have the `getline' function. */ #undef HAVE_GETLINE /* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H /* Define to 1 if you have dlopen (with -ldl). */ #undef HAVE_LIBDL /* Define to 1 if you have the `gmp' library (-lgmp). */ #undef HAVE_LIBGMP /* Define if compiler and linker supports __attribute__ ifunc */ #undef HAVE_LINK_IFUNC /* Define to 1 if you have the header file. */ #undef HAVE_MALLOC_H /* Define to 1 each of the following for which a native (ie. CPU specific) implementation of the corresponding routine exists. */ #undef HAVE_NATIVE_memxor3 #undef HAVE_NATIVE_aes_decrypt #undef HAVE_NATIVE_aes_encrypt #undef HAVE_NATIVE_aes_invert #undef HAVE_NATIVE_aes128_decrypt #undef HAVE_NATIVE_aes128_encrypt #undef HAVE_NATIVE_aes128_invert_key #undef HAVE_NATIVE_aes128_set_decrypt_key #undef HAVE_NATIVE_aes128_set_encrypt_key #undef HAVE_NATIVE_aes192_decrypt #undef HAVE_NATIVE_aes192_encrypt #undef HAVE_NATIVE_aes192_invert_key #undef HAVE_NATIVE_aes192_set_decrypt_key #undef HAVE_NATIVE_aes192_set_encrypt_key #undef HAVE_NATIVE_aes256_decrypt #undef HAVE_NATIVE_aes256_encrypt #undef HAVE_NATIVE_aes256_invert_key #undef HAVE_NATIVE_aes256_set_decrypt_key #undef HAVE_NATIVE_aes256_set_encrypt_key #undef HAVE_NATIVE_cbc_aes128_encrypt #undef HAVE_NATIVE_cbc_aes192_encrypt #undef HAVE_NATIVE_cbc_aes256_encrypt #undef HAVE_NATIVE_chacha_core #undef HAVE_NATIVE_chacha_2core #undef HAVE_NATIVE_chacha_3core #undef HAVE_NATIVE_chacha_4core #undef HAVE_NATIVE_fat_chacha_2core #undef HAVE_NATIVE_fat_chacha_3core #undef HAVE_NATIVE_fat_chacha_4core #undef HAVE_NATIVE_ecc_curve25519_modp #undef HAVE_NATIVE_ecc_curve448_modp #undef HAVE_NATIVE_ecc_secp192r1_modp #undef HAVE_NATIVE_ecc_secp192r1_redc #undef HAVE_NATIVE_ecc_secp224r1_modp #undef HAVE_NATIVE_ecc_secp224r1_redc #undef HAVE_NATIVE_ecc_secp256r1_modp #undef HAVE_NATIVE_ecc_secp256r1_redc #undef HAVE_NATIVE_ecc_secp384r1_modp #undef HAVE_NATIVE_ecc_secp384r1_redc #undef HAVE_NATIVE_ecc_secp521r1_modp #undef HAVE_NATIVE_ecc_secp521r1_redc #undef HAVE_NATIVE_poly1305_set_key #undef HAVE_NATIVE_poly1305_block #undef HAVE_NATIVE_poly1305_digest #undef HAVE_NATIVE_poly1305_blocks #undef HAVE_NATIVE_fat_poly1305_blocks #undef HAVE_NATIVE_ghash_set_key #undef HAVE_NATIVE_ghash_update #undef HAVE_NATIVE_gcm_aes_encrypt #undef HAVE_NATIVE_gcm_aes_decrypt #undef HAVE_NATIVE_salsa20_core #undef HAVE_NATIVE_salsa20_2core #undef HAVE_NATIVE_fat_salsa20_2core #undef HAVE_NATIVE_sha1_compress #undef HAVE_NATIVE_sha256_compress_n #undef HAVE_NATIVE_sha512_compress #undef HAVE_NATIVE_sha3_permute #undef HAVE_NATIVE_umac_nh #undef HAVE_NATIVE_umac_nh_n /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_EC_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_EVP_H /* Define to 1 if you have the header file. */ #undef HAVE_OPENSSL_RSA_H /* Define to 1 if you have the `secure_getenv' function. */ #undef HAVE_SECURE_GETENV /* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H /* Define to 1 if you have the header file. */ #undef HAVE_STDIO_H /* Define to 1 if you have the header file. */ #undef HAVE_STDLIB_H /* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H /* Define to 1 if you have the header file. */ #undef HAVE_STRING_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H /* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H /* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H /* Define to 1 if you have the header file. */ #undef HAVE_VALGRIND_MEMCHECK_H /* Define to the address where bug reports for this package should be sent. */ #undef PACKAGE_BUGREPORT /* Define to the full name of this package. */ #undef PACKAGE_NAME /* Define to the full name and version of this package. */ #undef PACKAGE_STRING /* Define to the one symbol short name of this package. */ #undef PACKAGE_TARNAME /* Define to the home page for this package. */ #undef PACKAGE_URL /* Define to the version of this package. */ #undef PACKAGE_VERSION /* The size of `long', as computed by sizeof. */ #undef SIZEOF_LONG /* The size of `size_t', as computed by sizeof. */ #undef SIZEOF_SIZE_T /* If using the C implementation of alloca, define if you know the direction of stack growth for your system; otherwise it will be automatically deduced at runtime. STACK_DIRECTION > 0 => grows toward higher addresses STACK_DIRECTION < 0 => grows toward lower addresses STACK_DIRECTION = 0 => direction of growth unknown */ #undef STACK_DIRECTION /* Define to 1 if all of the C90 standard headers exist (not just the ones required in a freestanding environment). This macro is provided for backward compatibility; new code need not use it. */ #undef STDC_HEADERS /* Defined to enable additional asserts */ #undef WITH_EXTRA_ASSERTS /* Defined if public key features are enabled */ #undef WITH_HOGWEED /* Define if you have openssl libcrypto (used for benchmarking) */ #undef WITH_OPENSSL /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel). */ #if defined AC_APPLE_UNIVERSAL_BUILD # if defined __BIG_ENDIAN__ # define WORDS_BIGENDIAN 1 # endif #else # ifndef WORDS_BIGENDIAN # undef WORDS_BIGENDIAN # endif #endif /* Define to empty if `const' does not conform to ANSI C. */ #undef const /* Define to `int' if doesn't define. */ #undef gid_t /* Define to `__inline__' or `__inline' if that's what the C compiler calls it, or to nothing if 'inline' is not supported under any name. */ #ifndef __cplusplus #undef inline #endif /* Define to `unsigned int' if does not define. */ #undef size_t /* Define to `int' if doesn't define. */ #undef uid_t /* AIX requires this to be the first thing in the file. */ #ifndef __GNUC__ # if HAVE_ALLOCA_H # include # else # ifdef _AIX #pragma alloca # else # ifndef alloca /* predefined by HP cc +Olibcalls */ char *alloca (); # endif # endif /* Needed for alloca on windows */ # if HAVE_MALLOC_H # include # endif # endif #else /* defined __GNUC__ */ # if HAVE_ALLOCA_H # include # else /* Needed for alloca on windows, also with gcc */ # if HAVE_MALLOC_H # include # endif # endif #endif #if __GNUC__ && HAVE_GCC_ATTRIBUTE # define NORETURN __attribute__ ((__noreturn__)) # define PRINTF_STYLE(f, a) __attribute__ ((__format__ (__printf__, f, a))) # define UNUSED __attribute__ ((__unused__)) #else # define NORETURN # define PRINTF_STYLE(f, a) # define UNUSED #endif #if defined(__x86_64__) || defined(__arch64__) # define HAVE_NATIVE_64_BIT 1 #else /* Needs include of before use. */ # define HAVE_NATIVE_64_BIT (SIZEOF_LONG * CHAR_BIT >= 64) #endif nettle-3.10/rsa-sha256-sign-tr.c0000644000175000017500000000375714633602171015313 0ustar nissenisse/* rsa-sha256-sign-tr.c Signatures using RSA and SHA256. Copyright (C) 2001, 2003, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha256_sign_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha256_encode(m, key->size, hash) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } int rsa_sha256_sign_digest_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, mpz_t s) { mpz_t m; int res; mpz_init (m); res = (pkcs1_rsa_sha256_encode_digest(m, key->size, digest) && rsa_compute_root_tr (pub, key, random_ctx, random, s, m)); mpz_clear (m); return res; } nettle-3.10/ecc-add-jjj.c0000644000175000017500000001000414633602171014151 0ustar nissenisse/* ecc-add-jjj.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 q #define y2 (q + ecc->p.size) #define z2 (q + 2*ecc->p.size) #define x3 r #define y3 (r + ecc->p.size) #define z3 (r + 2*ecc->p.size) /* Formulas, from djb, http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl: Computation Operation Live variables Z1Z1 = Z1^2 sqr Z1Z1 Z2Z2 = Z2^2 sqr Z1Z1, Z2Z2 U1 = X1*Z2Z2 mul Z1Z1, Z2Z2, U1 U2 = X2*Z1Z1 mul Z1Z1, Z2Z2, U1, U2 H = U2-U1 Z1Z1, Z2Z2, U1, H Z3 = ((Z1+Z2)^2-Z1Z1-Z2Z2)*H sqr, mul Z1Z1, Z2Z2, U1, H S1 = Y1*Z2*Z2Z2 mul, mul Z1Z1, U1, H, S1 S2 = Y2*Z1*Z1Z1 mul, mul U1, H, S1, S2 W = 2*(S2-S1) (djb: r) U1, H, S1, W I = (2*H)^2 sqr U1, H, S1, W, I J = H*I mul U1, S1, W, J, V V = U1*I mul S1, W, J, V X3 = W^2-J-2*V sqr S1, W, J, V Y3 = W*(V-X3)-2*S1*J mul, mul */ #define h scratch #define z1z1 (scratch + ecc->p.size) #define z2z2 z1z1 #define z1z2 (scratch + 2*ecc->p.size) #define w (scratch + ecc->p.size) #define i (scratch + 2*ecc->p.size) #define j h #define v i #define tp (scratch + 3*ecc->p.size) ecc_mod_sqr (&ecc->p, z2z2, z2, tp); /* z2z2 */ /* Store u1 at x3 */ ecc_mod_mul (&ecc->p, x3, x1, z2z2, tp); /* z2z2 */ ecc_mod_add (&ecc->p, z1z2, z1, z2); /* z2z2, z1z2 */ ecc_mod_sqr (&ecc->p, z1z2, z1z2, tp); ecc_mod_sub (&ecc->p, z1z2, z1z2, z2z2); /* z2z2, z1z2 */ /* Do s1 early, store at y3 */ ecc_mod_mul (&ecc->p, z2z2, z2z2, z2, tp); /* z2z2, z1z2 */ ecc_mod_mul (&ecc->p, y3, z2z2, y1, tp); /* z1z2 */ ecc_mod_sqr (&ecc->p, z1z1, z1, tp); /* z1z1, z1z2 */ ecc_mod_sub (&ecc->p, z1z2, z1z2, z1z1); ecc_mod_mul (&ecc->p, h, x2, z1z1, tp); /* z1z1, z1z2, h */ ecc_mod_sub (&ecc->p, h, h, x3); /* z1^3 */ ecc_mod_mul (&ecc->p, z1z1, z1z1, z1, tp); /* z3 <-- h z1 z2 delayed until now, since that may clobber z1. */ ecc_mod_mul (&ecc->p, z3, z1z2, h, tp); /* z1z1, h */ /* w = 2 (s2 - s1) */ ecc_mod_mul (&ecc->p, w, z1z1, y2, tp); /* h, w */ ecc_mod_sub (&ecc->p, w, w, y3); ecc_mod_add (&ecc->p, w, w, w); /* i = (2h)^2 */ ecc_mod_add (&ecc->p, i, h, h); /* h, w, i */ ecc_mod_sqr (&ecc->p, i, i, tp); /* j and h can overlap */ ecc_mod_mul (&ecc->p, j, h, i, tp); /* j, w, i */ /* v and i can overlap */ ecc_mod_mul (&ecc->p, v, x3, i, tp); /* j, w, v */ /* x3 <-- w^2 - j - 2v */ ecc_mod_sqr (&ecc->p, x3, w, tp); ecc_mod_sub (&ecc->p, x3, x3, j); ecc_mod_submul_1 (&ecc->p, x3, v, 2); /* y3 <-- w (v - x3) - 2 s1 j */ ecc_mod_mul (&ecc->p, j, j, y3, tp); ecc_mod_sub (&ecc->p, v, v, x3); ecc_mod_mul (&ecc->p, y3, v, w, tp); ecc_mod_submul_1 (&ecc->p, y3, j, 2); } nettle-3.10/cmac-aes128-meta.c0000644000175000017500000000262714633602171014762 0ustar nissenisse/* cmac-aes128-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "cmac.h" const struct nettle_mac nettle_cmac_aes128 = { "cmac_aes128", sizeof(struct cmac_aes128_ctx), CMAC128_DIGEST_SIZE, AES128_KEY_SIZE, (nettle_set_key_func*) cmac_aes128_set_key, (nettle_hash_update_func*) cmac_aes128_update, (nettle_hash_digest_func*) cmac_aes128_digest }; nettle-3.10/gost28147-internal.h0000644000175000017500000000311014633602172015320 0ustar nissenisse/* gost28147-internal.h The GOST 28147-89 cipher function, described in RFC 5831. Copyright (C) 2019 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GOST28147_INTERNAL_H_INCLUDED #define NETTLE_GOST28147_INTERNAL_H_INCLUDED #include extern const struct gost28147_param _nettle_gost28147_param_test_3411; extern const struct gost28147_param _nettle_gost28147_param_CryptoPro_3411; struct gost28147_param { uint32_t sbox[4][256]; }; void _nettle_gost28147_encrypt_block (const uint32_t *key, const uint32_t sbox[4][256], const uint32_t *in, uint32_t *out); #endif /* NETTLE_GOST28147_INTERNAL_H_INCLUDED */ nettle-3.10/md-internal.h0000644000175000017500000000435014633602172014345 0ustar nissenisse/* md-internal.h Copyright (C) 2001, 2010, 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD_INTERNAL_H_INCLUDED #define NETTLE_MD_INTERNAL_H_INCLUDED #include /* Internal helper macros for Merkle-Damgård hash functions. Assumes the context structs includes the following fields: uint8_t block[...]; // Buffer holding one block unsigned int index; // Index into block */ #define MD_FILL_OR_RETURN(ctx, length, data) \ do { \ unsigned __md_left = sizeof((ctx)->block) - (ctx)->index; \ if ((length) < __md_left) \ { \ memcpy((ctx)->block + (ctx)->index, (data), (length)); \ (ctx)->index += (length); \ return; \ } \ memcpy((ctx)->block + (ctx)->index, (data), __md_left); \ (data) += __md_left; \ (length) -= __md_left; \ } while(0) #define MD_FILL_OR_RETURN_INDEX(block_size, block, index, length, data) \ do { \ unsigned __md_left = (block_size) - (index); \ if ((length) < __md_left) \ { \ memcpy(block + (index), (data), (length)); \ return (index) + (length); \ } \ memcpy((block) + (index), (data), __md_left); \ (data) += __md_left; \ (length) -= __md_left; \ } while(0) #endif /* NETTLE_MD_INTERNAL_H_INCLUDED */ nettle-3.10/rsa-encrypt.c0000644000175000017500000000304014633602171014367 0ustar nissenisse/* rsa-encrypt.c The RSA publickey algorithm. PKCS#1 encryption. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "pkcs1.h" int rsa_encrypt(const struct rsa_public_key *key, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *message, mpz_t gibberish) { if (pkcs1_encrypt (key->size, random_ctx, random, length, message, gibberish)) { mpz_powm(gibberish, gibberish, key->e, key->n); return 1; } else return 0; } nettle-3.10/twofishdata.c0000644000175000017500000000634414633602172014450 0ustar nissenisse/* twofishdata.c Generates the permutations q0 and q1 for twofish. Copyright (C) 1999 Ruud de Rooij This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02111-1301 USA. */ #include #define ror4(x) (((x) >> 1) | (((x) & 1) << 3)) static unsigned char q0(unsigned char x) { static const unsigned char t0[16] = { 0x8, 0x1, 0x7, 0xD, 0x6, 0xF, 0x3, 0x2, 0x0, 0xB, 0x5, 0x9, 0xE, 0xC, 0xA, 0x4 }; static const unsigned char t1[16] = { 0xE, 0xC, 0xB, 0x8, 0x1, 0x2, 0x3, 0x5, 0xF, 0x4, 0xA, 0x6, 0x7, 0x0, 0x9, 0xD }; static const unsigned char t2[16] = { 0xB, 0xA, 0x5, 0xE, 0x6, 0xD, 0x9, 0x0, 0xC, 0x8, 0xF, 0x3, 0x2, 0x4, 0x7, 0x1 }; static const unsigned char t3[16] = { 0xD, 0x7, 0xF, 0x4, 0x1, 0x2, 0x6, 0xE, 0x9, 0xB, 0x3, 0x0, 0x8, 0x5, 0xC, 0xA }; unsigned char a0 = x / 16; unsigned char b0 = x % 16; unsigned char a1 = a0 ^ b0; unsigned char b1 = a0 ^ ror4(b0) ^ ((8*a0) % 16); unsigned char a2 = t0[a1]; unsigned char b2 = t1[b1]; unsigned char a3 = a2 ^ b2; unsigned char b3 = a2 ^ ror4(b2) ^ ((8*a2) % 16); unsigned char a4 = t2[a3]; unsigned char b4 = t3[b3]; unsigned char y = 16*b4 + a4; return y; } static unsigned char q1(unsigned char x) { static const unsigned char t0[16] = { 0x2, 0x8, 0xB, 0xD, 0xF, 0x7, 0x6, 0xE, 0x3, 0x1, 0x9, 0x4, 0x0, 0xA, 0xC, 0x5 }; static const unsigned char t1[16] = { 0x1, 0xE, 0x2, 0xB, 0x4, 0xC, 0x3, 0x7, 0x6, 0xD, 0xA, 0x5, 0xF, 0x9, 0x0, 0x8 }; static const unsigned char t2[16] = { 0x4, 0xC, 0x7, 0x5, 0x1, 0x6, 0x9, 0xA, 0x0, 0xE, 0xD, 0x8, 0x2, 0xB, 0x3, 0xF }; static const unsigned char t3[16] = { 0xB, 0x9, 0x5, 0x1, 0xC, 0x3, 0xD, 0xE, 0x6, 0x4, 0x7, 0xF, 0x2, 0x0, 0x8, 0xA }; unsigned char a0 = x / 16; unsigned char b0 = x % 16; unsigned char a1 = a0 ^ b0; unsigned char b1 = a0 ^ ror4(b0) ^ ((8*a0) % 16); unsigned char a2 = t0[a1]; unsigned char b2 = t1[b1]; unsigned char a3 = a2 ^ b2; unsigned char b3 = a2 ^ ror4(b2) ^ ((8*a2) % 16); unsigned char a4 = t2[a3]; unsigned char b4 = t3[b3]; unsigned char y = 16*b4 + a4; return y; } int main(void) { unsigned i; printf("static const uint8_t q0[256] = {"); for (i = 0; i < 256; i++) { if ( (i % 8) == 0) printf("\n "); printf("0x%02X,", q0(i)); } printf("\n};\n\n"); printf("static const uint8_t q1[256] = {"); for (i = 0; i < 256; i++) { if ( (i % 8) == 0) printf("\n "); printf("0x%02X,", q1(i)); } printf("\n};\n"); return 0; } nettle-3.10/streebog.c0000644000175000017500000016377714633602171013762 0ustar nissenisse/* streebog.c - GOST R 34.11-2012 (Streebog) hash function See RFC 6986 for the English translation of the standard Copyright (C) 2020 Dmitry Baryshkov Based on my code in libgcrypt. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "streebog.h" #include "macros.h" #include "nettle-write.h" /* Pre-computed results of multiplication of bytes on A and reordered with Pi[]. */ static const uint64_t streebog_table[8][256] = { /* 0 */ { 0xd01f715b5c7ef8e6ULL, 0x16fa240980778325ULL, 0xa8a42e857ee049c8ULL, 0x6ac1068fa186465bULL, 0x6e417bd7a2e9320bULL, 0x665c8167a437daabULL, 0x7666681aa89617f6ULL, 0x4b959163700bdcf5ULL, 0xf14be6b78df36248ULL, 0xc585bd689a625cffULL, 0x9557d7fca67d82cbULL, 0x89f0b969af6dd366ULL, 0xb0833d48749f6c35ULL, 0xa1998c23b1ecbc7cULL, 0x8d70c431ac02a736ULL, 0xd6dfbc2fd0a8b69eULL, 0x37aeb3e551fa198bULL, 0x0b7d128a40b5cf9cULL, 0x5a8f2008b5780cbcULL, 0xedec882284e333e5ULL, 0xd25fc177d3c7c2ceULL, 0x5e0f5d50b61778ecULL, 0x1d873683c0c24cb9ULL, 0xad040bcbb45d208cULL, 0x2f89a0285b853c76ULL, 0x5732fff6791b8d58ULL, 0x3e9311439ef6ec3fULL, 0xc9183a809fd3c00fULL, 0x83adf3f5260a01eeULL, 0xa6791941f4e8ef10ULL, 0x103ae97d0ca1cd5dULL, 0x2ce948121dee1b4aULL, 0x39738421dbf2bf53ULL, 0x093da2a6cf0cf5b4ULL, 0xcd9847d89cbcb45fULL, 0xf9561c078b2d8ae8ULL, 0x9c6a755a6971777fULL, 0xbc1ebaa0712ef0c5ULL, 0x72e61542abf963a6ULL, 0x78bb5fde229eb12eULL, 0x14ba94250fceb90dULL, 0x844d6697630e5282ULL, 0x98ea08026a1e032fULL, 0xf06bbea144217f5cULL, 0xdb6263d11ccb377aULL, 0x641c314b2b8ee083ULL, 0x320e96ab9b4770cfULL, 0x1ee7deb986a96b85ULL, 0xe96cf57a878c47b5ULL, 0xfdd6615f8842feb8ULL, 0xc83862965601dd1bULL, 0x2ea9f83e92572162ULL, 0xf876441142ff97fcULL, 0xeb2c455608357d9dULL, 0x5612a7e0b0c9904cULL, 0x6c01cbfb2d500823ULL, 0x4548a6a7fa037a2dULL, 0xabc4c6bf388b6ef4ULL, 0xbade77d4fdf8bebdULL, 0x799b07c8eb4cac3aULL, 0x0c9d87e805b19cf0ULL, 0xcb588aac106afa27ULL, 0xea0c1d40c1e76089ULL, 0x2869354a1e816f1aULL, 0xff96d17307fbc490ULL, 0x9f0a9d602f1a5043ULL, 0x96373fc6e016a5f7ULL, 0x5292dab8b3a6e41cULL, 0x9b8ae0382c752413ULL, 0x4f15ec3b7364a8a5ULL, 0x3fb349555724f12bULL, 0xc7c50d4415db66d7ULL, 0x92b7429ee379d1a7ULL, 0xd37f99611a15dfdaULL, 0x231427c05e34a086ULL, 0xa439a96d7b51d538ULL, 0xb403401077f01865ULL, 0xdda2aea5901d7902ULL, 0x0a5d4a9c8967d288ULL, 0xc265280adf660f93ULL, 0x8bb0094520d4e94eULL, 0x2a29856691385532ULL, 0x42a833c5bf072941ULL, 0x73c64d54622b7eb2ULL, 0x07e095624504536cULL, 0x8a905153e906f45aULL, 0x6f6123c16b3b2f1fULL, 0xc6e55552dc097bc3ULL, 0x4468feb133d16739ULL, 0xe211e7f0c7398829ULL, 0xa2f96419f7879b40ULL, 0x19074bdbc3ad38e9ULL, 0xf4ebc3f9474e0b0cULL, 0x43886bd376d53455ULL, 0xd8028beb5aa01046ULL, 0x51f23282f5cdc320ULL, 0xe7b1c2be0d84e16dULL, 0x081dfab006dee8a0ULL, 0x3b33340d544b857bULL, 0x7f5bcabc679ae242ULL, 0x0edd37c48a08a6d8ULL, 0x81ed43d9a9b33bc6ULL, 0xb1a3655ebd4d7121ULL, 0x69a1eeb5e7ed6167ULL, 0xf6ab73d5c8f73124ULL, 0x1a67a3e185c61fd5ULL, 0x2dc91004d43c065eULL, 0x0240b02c8fb93a28ULL, 0x90f7f2b26cc0eb8fULL, 0x3cd3a16f114fd617ULL, 0xaae49ea9f15973e0ULL, 0x06c0cd748cd64e78ULL, 0xda423bc7d5192a6eULL, 0xc345701c16b41287ULL, 0x6d2193ede4821537ULL, 0xfcf639494190e3acULL, 0x7c3b228621f1c57eULL, 0xfb16ac2b0494b0c0ULL, 0xbf7e529a3745d7f9ULL, 0x6881b6a32e3f7c73ULL, 0xca78d2bad9b8e733ULL, 0xbbfe2fc2342aa3a9ULL, 0x0dbddffecc6381e4ULL, 0x70a6a56e2440598eULL, 0xe4d12a844befc651ULL, 0x8c509c2765d0ba22ULL, 0xee8c6018c28814d9ULL, 0x17da7c1f49a59e31ULL, 0x609c4c1328e194d3ULL, 0xb3e3d57232f44b09ULL, 0x91d7aaa4a512f69bULL, 0x0ffd6fd243dabbccULL, 0x50d26a943c1fde34ULL, 0x6be15e9968545b4fULL, 0x94778fea6faf9fdfULL, 0x2b09dd7058ea4826ULL, 0x677cd9716de5c7bfULL, 0x49d5214fffb2e6ddULL, 0x0360e83a466b273cULL, 0x1fc786af4f7b7691ULL, 0xa0b9d435783ea168ULL, 0xd49f0c035f118cb6ULL, 0x01205816c9d21d14ULL, 0xac2453dd7d8f3d98ULL, 0x545217cc3f70aa64ULL, 0x26b4028e9489c9c2ULL, 0xdec2469fd6765e3eULL, 0x04807d58036f7450ULL, 0xe5f17292823ddb45ULL, 0xf30b569b024a5860ULL, 0x62dcfc3fa758aefbULL, 0xe84cad6c4e5e5aa1ULL, 0xccb81fce556ea94bULL, 0x53b282ae7a74f908ULL, 0x1b47fbf74c1402c1ULL, 0x368eebf39828049fULL, 0x7afbeff2ad278b06ULL, 0xbe5e0a8cfe97caedULL, 0xcfd8f7f413058e77ULL, 0xf78b2bc301252c30ULL, 0x4d555c17fcdd928dULL, 0x5f2f05467fc565f8ULL, 0x24f4b2a21b30f3eaULL, 0x860dd6bbecb768aaULL, 0x4c750401350f8f99ULL, 0x0000000000000000ULL, 0xecccd0344d312ef1ULL, 0xb5231806be220571ULL, 0xc105c030990d28afULL, 0x653c695de25cfd97ULL, 0x159acc33c61ca419ULL, 0xb89ec7f872418495ULL, 0xa9847693b73254dcULL, 0x58cf90243ac13694ULL, 0x59efc832f3132b80ULL, 0x5c4fed7c39ae42c4ULL, 0x828dabe3efd81cfaULL, 0xd13f294d95ace5f2ULL, 0x7d1b7a90e823d86aULL, 0xb643f03cf849224dULL, 0x3df3f979d89dcb03ULL, 0x7426d836272f2ddeULL, 0xdfe21e891fa4432aULL, 0x3a136c1b9d99986fULL, 0xfa36f43dcd46add4ULL, 0xc025982650df35bbULL, 0x856d3e81aadc4f96ULL, 0xc4a5e57e53b041ebULL, 0x4708168b75ba4005ULL, 0xaf44bbe73be41aa4ULL, 0x971767d029c4b8e3ULL, 0xb9be9feebb939981ULL, 0x215497ecd18d9aaeULL, 0x316e7e91dd2c57f3ULL, 0xcef8afe2dad79363ULL, 0x3853dc371220a247ULL, 0x35ee03c9de4323a3ULL, 0xe6919aa8c456fc79ULL, 0xe05157dc4880b201ULL, 0x7bdbb7e464f59612ULL, 0x127a59518318f775ULL, 0x332ecebd52956ddbULL, 0x8f30741d23bb9d1eULL, 0xd922d3fd93720d52ULL, 0x7746300c61440ae2ULL, 0x25d4eab4d2e2eefeULL, 0x75068020eefd30caULL, 0x135a01474acaea61ULL, 0x304e268714fe4ae7ULL, 0xa519f17bb283c82cULL, 0xdc82f6b359cf6416ULL, 0x5baf781e7caa11a8ULL, 0xb2c38d64fb26561dULL, 0x34ce5bdf17913eb7ULL, 0x5d6fb56af07c5fd0ULL, 0x182713cd0a7f25fdULL, 0x9e2ac576e6c84d57ULL, 0x9aaab82ee5a73907ULL, 0xa3d93c0f3e558654ULL, 0x7e7b92aaae48ff56ULL, 0x872d8ead256575beULL, 0x41c8dbfff96c0e7dULL, 0x99ca5014a3cc1e3bULL, 0x40e883e930be1369ULL, 0x1ca76e95091051adULL, 0x4e35b42dbab6b5b1ULL, 0x05a0254ecabd6944ULL, 0xe1710fca8152af15ULL, 0xf22b0e8dcb984574ULL, 0xb763a82a319b3f59ULL, 0x63fca4296e8ab3efULL, 0x9d4a2d4ca0a36a6bULL, 0xe331bfe60eeb953dULL, 0xd5bf541596c391a2ULL, 0xf5cb9bef8e9c1618ULL, 0x46284e9dbc685d11ULL, 0x2074cffa185f87baULL, 0xbd3ee2b6b8fcedd1ULL, 0xae64e3f1f23607b0ULL, 0xfeb68965ce29d984ULL, 0x55724fdaf6a2b770ULL, 0x29496d5cd753720eULL, 0xa75941573d3af204ULL, 0x8e102c0bea69800aULL, 0x111ab16bc573d049ULL, 0xd7ffe439197aab8aULL, 0xefac380e0b5a09cdULL, 0x48f579593660fbc9ULL, 0x22347fd697e6bd92ULL, 0x61bc1405e13389c7ULL, 0x4ab5c975b9d9c1e1ULL, 0x80cd1bcf606126d2ULL, 0x7186fd78ed92449aULL, 0x93971a882aabccb3ULL, 0x88d0e17f66bfce72ULL, 0x27945a985d5bd4d6ULL }, /* 1 */ { 0xde553f8c05a811c8ULL, 0x1906b59631b4f565ULL, 0x436e70d6b1964ff7ULL, 0x36d343cb8b1e9d85ULL, 0x843dfacc858aab5aULL, 0xfdfc95c299bfc7f9ULL, 0x0f634bdea1d51fa2ULL, 0x6d458b3b76efb3cdULL, 0x85c3f77cf8593f80ULL, 0x3c91315fbe737cb2ULL, 0x2148b03366ace398ULL, 0x18f8b8264c6761bfULL, 0xc830c1c495c9fb0fULL, 0x981a76102086a0aaULL, 0xaa16012142f35760ULL, 0x35cc54060c763cf6ULL, 0x42907d66cc45db2dULL, 0x8203d44b965af4bcULL, 0x3d6f3cefc3a0e868ULL, 0xbc73ff69d292bda7ULL, 0x8722ed0102e20a29ULL, 0x8f8185e8cd34deb7ULL, 0x9b0561dda7ee01d9ULL, 0x5335a0193227fad6ULL, 0xc9cecc74e81a6fd5ULL, 0x54f5832e5c2431eaULL, 0x99e47ba05d553470ULL, 0xf7bee756acd226ceULL, 0x384e05a5571816fdULL, 0xd1367452a47d0e6aULL, 0xf29fde1c386ad85bULL, 0x320c77316275f7caULL, 0xd0c879e2d9ae9ab0ULL, 0xdb7406c69110ef5dULL, 0x45505e51a2461011ULL, 0xfc029872e46c5323ULL, 0xfa3cb6f5f7bc0cc5ULL, 0x031f17cd8768a173ULL, 0xbd8df2d9af41297dULL, 0x9d3b4f5ab43e5e3fULL, 0x4071671b36feee84ULL, 0x716207e7d3e3b83dULL, 0x48d20ff2f9283a1aULL, 0x27769eb4757cbc7eULL, 0x5c56ebc793f2e574ULL, 0xa48b474f9ef5dc18ULL, 0x52cbada94ff46e0cULL, 0x60c7da982d8199c6ULL, 0x0e9d466edc068b78ULL, 0x4eec2175eaf865fcULL, 0x550b8e9e21f7a530ULL, 0x6b7ba5bc653fec2bULL, 0x5eb7f1ba6949d0ddULL, 0x57ea94e3db4c9099ULL, 0xf640eae6d101b214ULL, 0xdd4a284182c0b0bbULL, 0xff1d8fbf6304f250ULL, 0xb8accb933bf9d7e8ULL, 0xe8867c478eb68c4dULL, 0x3f8e2692391bddc1ULL, 0xcb2fd60912a15a7cULL, 0xaec935dbab983d2fULL, 0xf55ffd2b56691367ULL, 0x80e2ce366ce1c115ULL, 0x179bf3f8edb27e1dULL, 0x01fe0db07dd394daULL, 0xda8a0b76ecc37b87ULL, 0x44ae53e1df9584cbULL, 0xb310b4b77347a205ULL, 0xdfab323c787b8512ULL, 0x3b511268d070b78eULL, 0x65e6e3d2b9396753ULL, 0x6864b271e2574d58ULL, 0x259784c98fc789d7ULL, 0x02e11a7dfabb35a9ULL, 0x8841a6dfa337158bULL, 0x7ade78c39b5dcdd0ULL, 0xb7cf804d9a2cc84aULL, 0x20b6bd831b7f7742ULL, 0x75bd331d3a88d272ULL, 0x418f6aab4b2d7a5eULL, 0xd9951cbb6babdaf4ULL, 0xb6318dfde7ff5c90ULL, 0x1f389b112264aa83ULL, 0x492c024284fbaec0ULL, 0xe33a0363c608f9a0ULL, 0x2688930408af28a4ULL, 0xc7538a1a341ce4adULL, 0x5da8e677ee2171aeULL, 0x8c9e92254a5c7fc4ULL, 0x63d8cd55aae938b5ULL, 0x29ebd8daa97a3706ULL, 0x959827b37be88aa1ULL, 0x1484e4356adadf6eULL, 0xa7945082199d7d6bULL, 0xbf6ce8a455fa1cd4ULL, 0x9cc542eac9edcae5ULL, 0x79c16f0e1c356ca3ULL, 0x89bfab6fdee48151ULL, 0xd4174d1830c5f0ffULL, 0x9258048415eb419dULL, 0x6139d72850520d1cULL, 0x6a85a80c18ec78f1ULL, 0xcd11f88e0171059aULL, 0xcceff53e7ca29140ULL, 0xd229639f2315af19ULL, 0x90b91ef9ef507434ULL, 0x5977d28d074a1be1ULL, 0x311360fce51d56b9ULL, 0xc093a92d5a1f2f91ULL, 0x1a19a25bb6dc5416ULL, 0xeb996b8a09de2d3eULL, 0xfee3820f1ed7668aULL, 0xd7085ad5b7ad518cULL, 0x7fff41890fe53345ULL, 0xec5948bd67dde602ULL, 0x2fd5f65dbaaa68e0ULL, 0xa5754affe32648c2ULL, 0xf8ddac880d07396cULL, 0x6fa491468c548664ULL, 0x0c7c5c1326bdbed1ULL, 0x4a33158f03930fb3ULL, 0x699abfc19f84d982ULL, 0xe4fa2054a80b329cULL, 0x6707f9af438252faULL, 0x08a368e9cfd6d49eULL, 0x47b1442c58fd25b8ULL, 0xbbb3dc5ebc91769bULL, 0x1665fe489061eac7ULL, 0x33f27a811fa66310ULL, 0x93a609346838d547ULL, 0x30ed6d4c98cec263ULL, 0x1dd9816cd8df9f2aULL, 0x94662a03063b1e7bULL, 0x83fdd9fbeb896066ULL, 0x7b207573e68e590aULL, 0x5f49fc0a149a4407ULL, 0x343259b671a5a82cULL, 0xfbc2bb458a6f981fULL, 0xc272b350a0a41a38ULL, 0x3aaf1fd8ada32354ULL, 0x6cbb868b0b3c2717ULL, 0xa2b569c88d2583feULL, 0xf180c9d1bf027928ULL, 0xaf37386bd64ba9f5ULL, 0x12bacab2790a8088ULL, 0x4c0d3b0810435055ULL, 0xb2eeb9070e9436dfULL, 0xc5b29067cea7d104ULL, 0xdcb425f1ff132461ULL, 0x4f122cc5972bf126ULL, 0xac282fa651230886ULL, 0xe7e537992f6393efULL, 0xe61b3a2952b00735ULL, 0x709c0a57ae302ce7ULL, 0xe02514ae416058d3ULL, 0xc44c9dd7b37445deULL, 0x5a68c5408022ba92ULL, 0x1c278cdca50c0bf0ULL, 0x6e5a9cf6f18712beULL, 0x86dce0b17f319ef3ULL, 0x2d34ec2040115d49ULL, 0x4bcd183f7e409b69ULL, 0x2815d56ad4a9a3dcULL, 0x24698979f2141d0dULL, 0x0000000000000000ULL, 0x1ec696a15fb73e59ULL, 0xd86b110b16784e2eULL, 0x8e7f8858b0e74a6dULL, 0x063e2e8713d05fe6ULL, 0xe2c40ed3bbdb6d7aULL, 0xb1f1aeca89fc97acULL, 0xe1db191e3cb3cc09ULL, 0x6418ee62c4eaf389ULL, 0xc6ad87aa49cf7077ULL, 0xd6f65765ca7ec556ULL, 0x9afb6c6dda3d9503ULL, 0x7ce05644888d9236ULL, 0x8d609f95378feb1eULL, 0x23a9aa4e9c17d631ULL, 0x6226c0e5d73aac6fULL, 0x56149953a69f0443ULL, 0xeeb852c09d66d3abULL, 0x2b0ac2a753c102afULL, 0x07c023376e03cb3cULL, 0x2ccae1903dc2c993ULL, 0xd3d76e2f5ec63bc3ULL, 0x9e2458973356ff4cULL, 0xa66a5d32644ee9b1ULL, 0x0a427294356de137ULL, 0x783f62be61e6f879ULL, 0x1344c70204d91452ULL, 0x5b96c8f0fdf12e48ULL, 0xa90916ecc59bf613ULL, 0xbe92e5142829880eULL, 0x727d102a548b194eULL, 0x1be7afebcb0fc0ccULL, 0x3e702b2244c8491bULL, 0xd5e940a84d166425ULL, 0x66f9f41f3e51c620ULL, 0xabe80c913f20c3baULL, 0xf07ec461c2d1edf2ULL, 0xf361d3ac45b94c81ULL, 0x0521394a94b8fe95ULL, 0xadd622162cf09c5cULL, 0xe97871f7f3651897ULL, 0xf4a1f09b2bba87bdULL, 0x095d6559b2054044ULL, 0x0bbc7f2448be75edULL, 0x2af4cf172e129675ULL, 0x157ae98517094bb4ULL, 0x9fda55274e856b96ULL, 0x914713499283e0eeULL, 0xb952c623462a4332ULL, 0x74433ead475b46a8ULL, 0x8b5eb112245fb4f8ULL, 0xa34b6478f0f61724ULL, 0x11a5dd7ffe6221fbULL, 0xc16da49d27ccbb4bULL, 0x76a224d0bde07301ULL, 0x8aa0bca2598c2022ULL, 0x4df336b86d90c48fULL, 0xea67663a740db9e4ULL, 0xef465f70e0b54771ULL, 0x39b008152acb8227ULL, 0x7d1e5bf4f55e06ecULL, 0x105bd0cf83b1b521ULL, 0x775c2960c033e7dbULL, 0x7e014c397236a79fULL, 0x811cc386113255cfULL, 0xeda7450d1a0e72d8ULL, 0x5889df3d7a998f3bULL, 0x2e2bfbedc779fc3aULL, 0xce0eef438619a4e9ULL, 0x372d4e7bf6cd095fULL, 0x04df34fae96b6a4fULL, 0xf923a13870d4adb6ULL, 0xa1aa7e050a4d228dULL, 0xa8f71b5cb84862c9ULL, 0xb52e9a306097fde3ULL, 0x0d8251a35b6e2a0bULL, 0x2257a7fee1c442ebULL, 0x73831d9a29588d94ULL, 0x51d4ba64c89ccf7fULL, 0x502ab7d4b54f5ba5ULL, 0x97793dce8153bf08ULL, 0xe5042de4d5d8a646ULL, 0x9687307efc802bd2ULL, 0xa05473b5779eb657ULL, 0xb4d097801d446939ULL, 0xcff0e2f3fbca3033ULL, 0xc38cbee0dd778ee2ULL, 0x464f499c252eb162ULL, 0xcad1dbb96f72cea6ULL, 0xba4dd1eec142e241ULL, 0xb00fa37af42f0376ULL }, /* 2 */ { 0xcce4cd3aa968b245ULL, 0x089d5484e80b7fafULL, 0x638246c1b3548304ULL, 0xd2fe0ec8c2355492ULL, 0xa7fbdf7ff2374eeeULL, 0x4df1600c92337a16ULL, 0x84e503ea523b12fbULL, 0x0790bbfd53ab0c4aULL, 0x198a780f38f6ea9dULL, 0x2ab30c8f55ec48cbULL, 0xe0f7fed6b2c49db5ULL, 0xb6ecf3f422cadbdcULL, 0x409c9a541358df11ULL, 0xd3ce8a56dfde3fe3ULL, 0xc3e9224312c8c1a0ULL, 0x0d6dfa58816ba507ULL, 0xddf3e1b179952777ULL, 0x04c02a42748bb1d9ULL, 0x94c2abff9f2decb8ULL, 0x4f91752da8f8acf4ULL, 0x78682befb169bf7bULL, 0xe1c77a48af2ff6c4ULL, 0x0c5d7ec69c80ce76ULL, 0x4cc1e4928fd81167ULL, 0xfeed3d24d9997b62ULL, 0x518bb6dfc3a54a23ULL, 0x6dbf2d26151f9b90ULL, 0xb5bc624b05ea664fULL, 0xe86aaa525acfe21aULL, 0x4801ced0fb53a0beULL, 0xc91463e6c00868edULL, 0x1027a815cd16fe43ULL, 0xf67069a0319204cdULL, 0xb04ccc976c8abce7ULL, 0xc0b9b3fc35e87c33ULL, 0xf380c77c58f2de65ULL, 0x50bb3241de4e2152ULL, 0xdf93f490435ef195ULL, 0xf1e0d25d62390887ULL, 0xaf668bfb1a3c3141ULL, 0xbc11b251f00a7291ULL, 0x73a5eed47e427d47ULL, 0x25bee3f6ee4c3b2eULL, 0x43cc0beb34786282ULL, 0xc824e778dde3039cULL, 0xf97d86d98a327728ULL, 0xf2b043e24519b514ULL, 0xe297ebf7880f4b57ULL, 0x3a94a49a98fab688ULL, 0x868516cb68f0c419ULL, 0xeffa11af0964ee50ULL, 0xa4ab4ec0d517f37dULL, 0xa9c6b498547c567aULL, 0x8e18424f80fbbbb6ULL, 0x0bcdc53bcf2bc23cULL, 0x137739aaea3643d0ULL, 0x2c1333ec1bac2ff0ULL, 0x8d48d3f0a7db0625ULL, 0x1e1ac3f26b5de6d7ULL, 0xf520f81f16b2b95eULL, 0x9f0f6ec450062e84ULL, 0x0130849e1deb6b71ULL, 0xd45e31ab8c7533a9ULL, 0x652279a2fd14e43fULL, 0x3209f01e70f1c927ULL, 0xbe71a770cac1a473ULL, 0x0e3d6be7a64b1894ULL, 0x7ec8148cff29d840ULL, 0xcb7476c7fac3be0fULL, 0x72956a4a63a91636ULL, 0x37f95ec21991138fULL, 0x9e3fea5a4ded45f5ULL, 0x7b38ba50964902e8ULL, 0x222e580bbde73764ULL, 0x61e253e0899f55e6ULL, 0xfc8d2805e352ad80ULL, 0x35994be3235ac56dULL, 0x09add01af5e014deULL, 0x5e8659a6780539c6ULL, 0xb17c48097161d796ULL, 0x026015213acbd6e2ULL, 0xd1ae9f77e515e901ULL, 0xb7dc776a3f21b0adULL, 0xaba6a1b96eb78098ULL, 0x9bcf4486248d9f5dULL, 0x582666c536455efdULL, 0xfdbdac9bfeb9c6f1ULL, 0xc47999be4163cdeaULL, 0x765540081722a7efULL, 0x3e548ed8ec710751ULL, 0x3d041f67cb51bac2ULL, 0x7958af71ac82d40aULL, 0x36c9da5c047a78feULL, 0xed9a048e33af38b2ULL, 0x26ee7249c96c86bdULL, 0x900281bdeba65d61ULL, 0x11172c8bd0fd9532ULL, 0xea0abf73600434f8ULL, 0x42fc8f75299309f3ULL, 0x34a9cf7d3eb1ae1cULL, 0x2b838811480723baULL, 0x5ce64c8742ceef24ULL, 0x1adae9b01fd6570eULL, 0x3c349bf9d6bad1b3ULL, 0x82453c891c7b75c0ULL, 0x97923a40b80d512bULL, 0x4a61dbf1c198765cULL, 0xb48ce6d518010d3eULL, 0xcfb45c858e480fd6ULL, 0xd933cbf30d1e96aeULL, 0xd70ea014ab558e3aULL, 0xc189376228031742ULL, 0x9262949cd16d8b83ULL, 0xeb3a3bed7def5f89ULL, 0x49314a4ee6b8cbcfULL, 0xdcc3652f647e4c06ULL, 0xda635a4c2a3e2b3dULL, 0x470c21a940f3d35bULL, 0x315961a157d174b4ULL, 0x6672e81dda3459acULL, 0x5b76f77a1165e36eULL, 0x445cb01667d36ec8ULL, 0xc5491d205c88a69bULL, 0x456c34887a3805b9ULL, 0xffddb9bac4721013ULL, 0x99af51a71e4649bfULL, 0xa15be01cbc7729d5ULL, 0x52db2760e485f7b0ULL, 0x8c78576eba306d54ULL, 0xae560f6507d75a30ULL, 0x95f22f6182c687c9ULL, 0x71c5fbf54489aba5ULL, 0xca44f259e728d57eULL, 0x88b87d2ccebbdc8dULL, 0xbab18d32be4a15aaULL, 0x8be8ec93e99b611eULL, 0x17b713e89ebdf209ULL, 0xb31c5d284baa0174ULL, 0xeeca9531148f8521ULL, 0xb8d198138481c348ULL, 0x8988f9b2d350b7fcULL, 0xb9e11c8d996aa839ULL, 0x5a4673e40c8e881fULL, 0x1687977683569978ULL, 0xbf4123eed72acf02ULL, 0x4ea1f1b3b513c785ULL, 0xe767452be16f91ffULL, 0x7505d1b730021a7cULL, 0xa59bca5ec8fc980cULL, 0xad069eda20f7e7a3ULL, 0x38f4b1bba231606aULL, 0x60d2d77e94743e97ULL, 0x9affc0183966f42cULL, 0x248e6768f3a7505fULL, 0xcdd449a4b483d934ULL, 0x87b59255751baf68ULL, 0x1bea6d2e023d3c7fULL, 0x6b1f12455b5ffcabULL, 0x743555292de9710dULL, 0xd8034f6d10f5fddfULL, 0xc6198c9f7ba81b08ULL, 0xbb8109aca3a17edbULL, 0xfa2d1766ad12cabbULL, 0xc729080166437079ULL, 0x9c5fff7b77269317ULL, 0x0000000000000000ULL, 0x15d706c9a47624ebULL, 0x6fdf38072fd44d72ULL, 0x5fb6dd3865ee52b7ULL, 0xa33bf53d86bcff37ULL, 0xe657c1b5fc84fa8eULL, 0xaa962527735cebe9ULL, 0x39c43525bfda0b1bULL, 0x204e4d2a872ce186ULL, 0x7a083ece8ba26999ULL, 0x554b9c9db72efbfaULL, 0xb22cd9b656416a05ULL, 0x96a2bedea5e63a5aULL, 0x802529a826b0a322ULL, 0x8115ad363b5bc853ULL, 0x8375b81701901eb1ULL, 0x3069e53f4a3a1fc5ULL, 0xbd2136cfede119e0ULL, 0x18bafc91251d81ecULL, 0x1d4a524d4c7d5b44ULL, 0x05f0aedc6960daa8ULL, 0x29e39d3072ccf558ULL, 0x70f57f6b5962c0d4ULL, 0x989fd53903ad22ceULL, 0xf84d024797d91c59ULL, 0x547b1803aac5908bULL, 0xf0d056c37fd263f6ULL, 0xd56eb535919e58d8ULL, 0x1c7ad6d351963035ULL, 0x2e7326cd2167f912ULL, 0xac361a443d1c8cd2ULL, 0x697f076461942a49ULL, 0x4b515f6fdc731d2dULL, 0x8ad8680df4700a6fULL, 0x41ac1eca0eb3b460ULL, 0x7d988533d80965d3ULL, 0xa8f6300649973d0bULL, 0x7765c4960ac9cc9eULL, 0x7ca801adc5e20ea2ULL, 0xdea3700e5eb59ae4ULL, 0xa06b6482a19c42a4ULL, 0x6a2f96db46b497daULL, 0x27def6d7d487edccULL, 0x463ca5375d18b82aULL, 0xa6cb5be1efdc259fULL, 0x53eba3fef96e9cc1ULL, 0xce84d81b93a364a7ULL, 0xf4107c810b59d22fULL, 0x333974806d1aa256ULL, 0x0f0def79bba073e5ULL, 0x231edc95a00c5c15ULL, 0xe437d494c64f2c6cULL, 0x91320523f64d3610ULL, 0x67426c83c7df32ddULL, 0x6eefbc99323f2603ULL, 0x9d6f7be56acdf866ULL, 0x5916e25b2bae358cULL, 0x7ff89012e2c2b331ULL, 0x035091bf2720bd93ULL, 0x561b0d22900e4669ULL, 0x28d319ae6f279e29ULL, 0x2f43a2533c8c9263ULL, 0xd09e1be9f8fe8270ULL, 0xf740ed3e2c796fbcULL, 0xdb53ded237d5404cULL, 0x62b2c25faebfe875ULL, 0x0afd41a5d2c0a94dULL, 0x6412fd3ce0ff8f4eULL, 0xe3a76f6995e42026ULL, 0x6c8fa9b808f4f0e1ULL, 0xc2d9a6dd0f23aad1ULL, 0x8f28c6d19d10d0c7ULL, 0x85d587744fd0798aULL, 0xa20b71a39b579446ULL, 0x684f83fa7c7f4138ULL, 0xe507500adba4471dULL, 0x3f640a46f19a6c20ULL, 0x1247bd34f7dd28a1ULL, 0x2d23b77206474481ULL, 0x93521002cc86e0f2ULL, 0x572b89bc8de52d18ULL, 0xfb1d93f8b0f9a1caULL, 0xe95a2ecc4724896bULL, 0x3ba420048511ddf9ULL, 0xd63e248ab6bee54bULL, 0x5dd6c8195f258455ULL, 0x06a03f634e40673bULL, 0x1f2a476c76b68da6ULL, 0x217ec9b49ac78af7ULL, 0xecaa80102e4453c3ULL, 0x14e78257b99d4f9aULL }, /* 3 */ { 0x20329b2cc87bba05ULL, 0x4f5eb6f86546a531ULL, 0xd4f44775f751b6b1ULL, 0x8266a47b850dfa8bULL, 0xbb986aa15a6ca985ULL, 0xc979eb08f9ae0f99ULL, 0x2da6f447a2375ea1ULL, 0x1e74275dcd7d8576ULL, 0xbc20180a800bc5f8ULL, 0xb4a2f701b2dc65beULL, 0xe726946f981b6d66ULL, 0x48e6c453bf21c94cULL, 0x42cad9930f0a4195ULL, 0xefa47b64aacccd20ULL, 0x71180a8960409a42ULL, 0x8bb3329bf6a44e0cULL, 0xd34c35de2d36daccULL, 0xa92f5b7cbc23dc96ULL, 0xb31a85aa68bb09c3ULL, 0x13e04836a73161d2ULL, 0xb24dfc4129c51d02ULL, 0x8ae44b70b7da5acdULL, 0xe671ed84d96579a7ULL, 0xa4bb3417d66f3832ULL, 0x4572ab38d56d2de8ULL, 0xb1b47761ea47215cULL, 0xe81c09cf70aba15dULL, 0xffbdb872ce7f90acULL, 0xa8782297fd5dc857ULL, 0x0d946f6b6a4ce4a4ULL, 0xe4df1f4f5b995138ULL, 0x9ebc71edca8c5762ULL, 0x0a2c1dc0b02b88d9ULL, 0x3b503c115d9d7b91ULL, 0xc64376a8111ec3a2ULL, 0xcec199a323c963e4ULL, 0xdc76a87ec58616f7ULL, 0x09d596e073a9b487ULL, 0x14583a9d7d560dafULL, 0xf4c6dc593f2a0cb4ULL, 0xdd21d19584f80236ULL, 0x4a4836983ddde1d3ULL, 0xe58866a41ae745f9ULL, 0xf591a5b27e541875ULL, 0x891dc05074586693ULL, 0x5b068c651810a89eULL, 0xa30346bc0c08544fULL, 0x3dbf3751c684032dULL, 0x2a1e86ec785032dcULL, 0xf73f5779fca830eaULL, 0xb60c05ca30204d21ULL, 0x0cc316802b32f065ULL, 0x8770241bdd96be69ULL, 0xb861e18199ee95dbULL, 0xf805cad91418fcd1ULL, 0x29e70dccbbd20e82ULL, 0xc7140f435060d763ULL, 0x0f3a9da0e8b0cc3bULL, 0xa2543f574d76408eULL, 0xbd7761e1c175d139ULL, 0x4b1f4f737ca3f512ULL, 0x6dc2df1f2fc137abULL, 0xf1d05c3967b14856ULL, 0xa742bf3715ed046cULL, 0x654030141d1697edULL, 0x07b872abda676c7dULL, 0x3ce84eba87fa17ecULL, 0xc1fb0403cb79afdfULL, 0x3e46bc7105063f73ULL, 0x278ae987121cd678ULL, 0xa1adb4778ef47cd0ULL, 0x26dd906c5362c2b9ULL, 0x05168060589b44e2ULL, 0xfbfc41f9d79ac08fULL, 0x0e6de44ba9ced8faULL, 0x9feb08068bf243a3ULL, 0x7b341749d06b129bULL, 0x229c69e74a87929aULL, 0xe09ee6c4427c011bULL, 0x5692e30e725c4c3aULL, 0xda99a33e5e9f6e4bULL, 0x353dd85af453a36bULL, 0x25241b4c90e0fee7ULL, 0x5de987258309d022ULL, 0xe230140fc0802984ULL, 0x93281e86a0c0b3c6ULL, 0xf229d719a4337408ULL, 0x6f6c2dd4ad3d1f34ULL, 0x8ea5b2fbae3f0aeeULL, 0x8331dd90c473ee4aULL, 0x346aa1b1b52db7aaULL, 0xdf8f235e06042aa9ULL, 0xcc6f6b68a1354b7bULL, 0x6c95a6f46ebf236aULL, 0x52d31a856bb91c19ULL, 0x1a35ded6d498d555ULL, 0xf37eaef2e54d60c9ULL, 0x72e181a9a3c2a61cULL, 0x98537aad51952fdeULL, 0x16f6c856ffaa2530ULL, 0xd960281e9d1d5215ULL, 0x3a0745fa1ce36f50ULL, 0x0b7b642bf1559c18ULL, 0x59a87eae9aec8001ULL, 0x5e100c05408bec7cULL, 0x0441f98b19e55023ULL, 0xd70dcc5534d38aefULL, 0x927f676de1bea707ULL, 0x9769e70db925e3e5ULL, 0x7a636ea29115065aULL, 0x468b201816ef11b6ULL, 0xab81a9b73edff409ULL, 0xc0ac7de88a07bb1eULL, 0x1f235eb68c0391b7ULL, 0x6056b074458dd30fULL, 0xbe8eeac102f7ed67ULL, 0xcd381283e04b5fbaULL, 0x5cbefecec277c4e3ULL, 0xd21b4c356c48ce0dULL, 0x1019c31664b35d8cULL, 0x247362a7d19eea26ULL, 0xebe582efb3299d03ULL, 0x02aef2cb82fc289fULL, 0x86275df09ce8aaa8ULL, 0x28b07427faac1a43ULL, 0x38a9b7319e1f47cfULL, 0xc82e92e3b8d01b58ULL, 0x06ef0b409b1978bcULL, 0x62f842bfc771fb90ULL, 0x9904034610eb3b1fULL, 0xded85ab5477a3e68ULL, 0x90d195a663428f98ULL, 0x5384636e2ac708d8ULL, 0xcbd719c37b522706ULL, 0xae9729d76644b0ebULL, 0x7c8c65e20a0c7ee6ULL, 0x80c856b007f1d214ULL, 0x8c0b40302cc32271ULL, 0xdbcedad51fe17a8aULL, 0x740e8ae938dbdea0ULL, 0xa615c6dc549310adULL, 0x19cc55f6171ae90bULL, 0x49b1bdb8fe5fdd8dULL, 0xed0a89af2830e5bfULL, 0x6a7aadb4f5a65bd6ULL, 0x7e22972988f05679ULL, 0xf952b3325566e810ULL, 0x39fecedadf61530eULL, 0x6101c99f04f3c7ceULL, 0x2e5f7f6761b562ffULL, 0xf08725d226cf5c97ULL, 0x63af3b54860fef51ULL, 0x8ff2cb10ef411e2fULL, 0x884ab9bb35267252ULL, 0x4df04433e7ba8daeULL, 0x9afd8866d3690741ULL, 0x66b9bb34de94abb3ULL, 0x9baaf18d92171380ULL, 0x543c11c5f0a064a5ULL, 0x17a1b1bdbed431f1ULL, 0xb5f58eeaf3a2717fULL, 0xc355f6c849858740ULL, 0xec5df044694ef17eULL, 0xd83751f5dc6346d4ULL, 0xfc4433520dfdacf2ULL, 0x0000000000000000ULL, 0x5a51f58e596ebc5fULL, 0x3285aaf12e34cf16ULL, 0x8d5c39db6dbd36b0ULL, 0x12b731dde64f7513ULL, 0x94906c2d7aa7dfbbULL, 0x302b583aacc8e789ULL, 0x9d45facd090e6b3cULL, 0x2165e2c78905aec4ULL, 0x68d45f7f775a7349ULL, 0x189b2c1d5664fdcaULL, 0xe1c99f2f030215daULL, 0x6983269436246788ULL, 0x8489af3b1e148237ULL, 0xe94b702431d5b59cULL, 0x33d2d31a6f4adbd7ULL, 0xbfd9932a4389f9a6ULL, 0xb0e30e8aab39359dULL, 0xd1e2c715afcaf253ULL, 0x150f43763c28196eULL, 0xc4ed846393e2eb3dULL, 0x03f98b20c3823c5eULL, 0xfd134ab94c83b833ULL, 0x556b682eb1de7064ULL, 0x36c4537a37d19f35ULL, 0x7559f30279a5ca61ULL, 0x799ae58252973a04ULL, 0x9c12832648707ffdULL, 0x78cd9c6913e92ec5ULL, 0x1d8dac7d0effb928ULL, 0x439da0784e745554ULL, 0x413352b3cc887dcbULL, 0xbacf134a1b12bd44ULL, 0x114ebafd25cd494dULL, 0x2f08068c20cb763eULL, 0x76a07822ba27f63fULL, 0xeab2fb04f25789c2ULL, 0xe3676de481fe3d45ULL, 0x1b62a73d95e6c194ULL, 0x641749ff5c68832cULL, 0xa5ec4dfc97112cf3ULL, 0xf6682e92bdd6242bULL, 0x3f11c59a44782bb2ULL, 0x317c21d1edb6f348ULL, 0xd65ab5be75ad9e2eULL, 0x6b2dd45fb4d84f17ULL, 0xfaab381296e4d44eULL, 0xd0b5befeeeb4e692ULL, 0x0882ef0b32d7a046ULL, 0x512a91a5a83b2047ULL, 0x963e9ee6f85bf724ULL, 0x4e09cf132438b1f0ULL, 0x77f701c9fb59e2feULL, 0x7ddb1c094b726a27ULL, 0x5f4775ee01f5f8bdULL, 0x9186ec4d223c9b59ULL, 0xfeeac1998f01846dULL, 0xac39db1ce4b89874ULL, 0xb75b7c21715e59e0ULL, 0xafc0503c273aa42aULL, 0x6e3b543fec430bf5ULL, 0x704f7362213e8e83ULL, 0x58ff0745db9294c0ULL, 0x67eec2df9feabf72ULL, 0xa0facd9ccf8a6811ULL, 0xb936986ad890811aULL, 0x95c715c63bd9cb7aULL, 0xca8060283a2c33c7ULL, 0x507de84ee9453486ULL, 0x85ded6d05f6a96f6ULL, 0x1cdad5964f81ade9ULL, 0xd5a33e9eb62fa270ULL, 0x40642b588df6690aULL, 0x7f75eec2c98e42b8ULL, 0x2cf18dace3494a60ULL, 0x23cb100c0bf9865bULL, 0xeef3028febb2d9e1ULL, 0x4425d2d394133929ULL, 0xaad6d05c7fa1e0c8ULL, 0xad6ea2f7a5c68cb5ULL, 0xc2028f2308fb9381ULL, 0x819f2f5b468fc6d5ULL, 0xc5bafd88d29cfffcULL, 0x47dc59f357910577ULL, 0x2b49ff07392e261dULL, 0x57c59ae5332258fbULL, 0x73b6f842e2bcb2ddULL, 0xcf96e04862b77725ULL, 0x4ca73dd8a6c4996fULL, 0x015779eb417e14c1ULL, 0x37932a9176af8bf4ULL }, /* 4 */ { 0x190a2c9b249df23eULL, 0x2f62f8b62263e1e9ULL, 0x7a7f754740993655ULL, 0x330b7ba4d5564d9fULL, 0x4c17a16a46672582ULL, 0xb22f08eb7d05f5b8ULL, 0x535f47f40bc148ccULL, 0x3aec5d27d4883037ULL, 0x10ed0a1825438f96ULL, 0x516101f72c233d17ULL, 0x13cc6f949fd04eaeULL, 0x739853c441474bfdULL, 0x653793d90d3f5b1bULL, 0x5240647b96b0fc2fULL, 0x0c84890ad27623e0ULL, 0xd7189b32703aaea3ULL, 0x2685de3523bd9c41ULL, 0x99317c5b11bffefaULL, 0x0d9baa854f079703ULL, 0x70b93648fbd48ac5ULL, 0xa80441fce30bc6beULL, 0x7287704bdc36ff1eULL, 0xb65384ed33dc1f13ULL, 0xd36417343ee34408ULL, 0x39cd38ab6e1bf10fULL, 0x5ab861770a1f3564ULL, 0x0ebacf09f594563bULL, 0xd04572b884708530ULL, 0x3cae9722bdb3af47ULL, 0x4a556b6f2f5cbaf2ULL, 0xe1704f1f76c4bd74ULL, 0x5ec4ed7144c6dfcfULL, 0x16afc01d4c7810e6ULL, 0x283f113cd629ca7aULL, 0xaf59a8761741ed2dULL, 0xeed5a3991e215facULL, 0x3bf37ea849f984d4ULL, 0xe413e096a56ce33cULL, 0x2c439d3a98f020d1ULL, 0x637559dc6404c46bULL, 0x9e6c95d1e5f5d569ULL, 0x24bb9836045fe99aULL, 0x44efa466dac8ecc9ULL, 0xc6eab2a5c80895d6ULL, 0x803b50c035220cc4ULL, 0x0321658cba93c138ULL, 0x8f9ebc465dc7ee1cULL, 0xd15a5137190131d3ULL, 0x0fa5ec8668e5e2d8ULL, 0x91c979578d1037b1ULL, 0x0642ca05693b9f70ULL, 0xefca80168350eb4fULL, 0x38d21b24f36a45ecULL, 0xbeab81e1af73d658ULL, 0x8cbfd9cae7542f24ULL, 0xfd19cc0d81f11102ULL, 0x0ac6430fbb4dbc90ULL, 0x1d76a09d6a441895ULL, 0x2a01573ff1cbbfa1ULL, 0xb572e161894fde2bULL, 0x8124734fa853b827ULL, 0x614b1fdf43e6b1b0ULL, 0x68ac395c4238cc18ULL, 0x21d837bfd7f7b7d2ULL, 0x20c714304a860331ULL, 0x5cfaab726324aa14ULL, 0x74c5ba4eb50d606eULL, 0xf3a3030474654739ULL, 0x23e671bcf015c209ULL, 0x45f087e947b9582aULL, 0xd8bd77b418df4c7bULL, 0xe06f6c90ebb50997ULL, 0x0bd96080263c0873ULL, 0x7e03f9410e40dcfeULL, 0xb8e94be4c6484928ULL, 0xfb5b0608e8ca8e72ULL, 0x1a2b49179e0e3306ULL, 0x4e29e76961855059ULL, 0x4f36c4e6fcf4e4baULL, 0x49740ee395cf7bcaULL, 0xc2963ea386d17f7dULL, 0x90d65ad810618352ULL, 0x12d34c1b02a1fa4dULL, 0xfa44258775bb3a91ULL, 0x18150f14b9ec46ddULL, 0x1491861e6b9a653dULL, 0x9a1019d7ab2c3fc2ULL, 0x3668d42d06fe13d7ULL, 0xdcc1fbb25606a6d0ULL, 0x969490dd795a1c22ULL, 0x3549b1a1bc6dd2efULL, 0xc94f5e23a0ed770eULL, 0xb9f6686b5b39fdcbULL, 0xc4d4f4a6efeae00dULL, 0xe732851a1fff2204ULL, 0x94aad6de5eb869f9ULL, 0x3f8ff2ae07206e7fULL, 0xfe38a9813b62d03aULL, 0xa7a1ad7a8bee2466ULL, 0x7b6056c8dde882b6ULL, 0x302a1e286fc58ca7ULL, 0x8da0fa457a259bc7ULL, 0xb3302b64e074415bULL, 0x5402ae7eff8b635fULL, 0x08f8050c9cafc94bULL, 0xae468bf98a3059ceULL, 0x88c355cca98dc58fULL, 0xb10e6d67c7963480ULL, 0xbad70de7e1aa3cf3ULL, 0xbfb4a26e320262bbULL, 0xcb711820870f02d5ULL, 0xce12b7a954a75c9dULL, 0x563ce87dd8691684ULL, 0x9f73b65e7884618aULL, 0x2b1e74b06cba0b42ULL, 0x47cec1ea605b2df1ULL, 0x1c698312f735ac76ULL, 0x5fdbcefed9b76b2cULL, 0x831a354c8fb1cdfcULL, 0x820516c312c0791fULL, 0xb74ca762aeadabf0ULL, 0xfc06ef821c80a5e1ULL, 0x5723cbf24518a267ULL, 0x9d4df05d5f661451ULL, 0x588627742dfd40bfULL, 0xda8331b73f3d39a0ULL, 0x17b0e392d109a405ULL, 0xf965400bcf28fba9ULL, 0x7c3dbf4229a2a925ULL, 0x023e460327e275dbULL, 0x6cd0b55a0ce126b3ULL, 0xe62da695828e96e7ULL, 0x42ad6e63b3f373b9ULL, 0xe50cc319381d57dfULL, 0xc5cbd729729b54eeULL, 0x46d1e265fd2a9912ULL, 0x6428b056904eeff8ULL, 0x8be23040131e04b7ULL, 0x6709d5da2add2ec0ULL, 0x075de98af44a2b93ULL, 0x8447dcc67bfbe66fULL, 0x6616f655b7ac9a23ULL, 0xd607b8bded4b1a40ULL, 0x0563af89d3a85e48ULL, 0x3db1b4ad20c21ba4ULL, 0x11f22997b8323b75ULL, 0x292032b34b587e99ULL, 0x7f1cdace9331681dULL, 0x8e819fc9c0b65affULL, 0xa1e3677fe2d5bb16ULL, 0xcd33d225ee349da5ULL, 0xd9a2543b85aef898ULL, 0x795e10cbfa0af76dULL, 0x25a4bbb9992e5d79ULL, 0x78413344677b438eULL, 0xf0826688cef68601ULL, 0xd27b34bba392f0ebULL, 0x551d8df162fad7bcULL, 0x1e57c511d0d7d9adULL, 0xdeffbdb171e4d30bULL, 0xf4feea8e802f6caaULL, 0xa480c8f6317de55eULL, 0xa0fc44f07fa40ff5ULL, 0x95b5f551c3c9dd1aULL, 0x22f952336d6476eaULL, 0x0000000000000000ULL, 0xa6be8ef5169f9085ULL, 0xcc2cf1aa73452946ULL, 0x2e7ddb39bf12550aULL, 0xd526dd3157d8db78ULL, 0x486b2d6c08becf29ULL, 0x9b0f3a58365d8b21ULL, 0xac78cdfaadd22c15ULL, 0xbc95c7e28891a383ULL, 0x6a927f5f65dab9c3ULL, 0xc3891d2c1ba0cb9eULL, 0xeaa92f9f50f8b507ULL, 0xcf0d9426c9d6e87eULL, 0xca6e3baf1a7eb636ULL, 0xab25247059980786ULL, 0x69b31ad3df4978fbULL, 0xe2512a93cc577c4cULL, 0xff278a0ea61364d9ULL, 0x71a615c766a53e26ULL, 0x89dc764334fc716cULL, 0xf87a638452594f4aULL, 0xf2bc208be914f3daULL, 0x8766b94ac1682757ULL, 0xbbc82e687cdb8810ULL, 0x626a7a53f9757088ULL, 0xa2c202f358467a2eULL, 0x4d0882e5db169161ULL, 0x09e7268301de7da8ULL, 0xe897699c771ac0dcULL, 0xc8507dac3d9cc3edULL, 0xc0a878a0a1330aa6ULL, 0x978bb352e42ba8c1ULL, 0xe9884a13ea6b743fULL, 0x279afdbabecc28a2ULL, 0x047c8c064ed9eaabULL, 0x507e2278b15289f4ULL, 0x599904fbb08cf45cULL, 0xbd8ae46d15e01760ULL, 0x31353da7f2b43844ULL, 0x8558ff49e68a528cULL, 0x76fbfc4d92ef15b5ULL, 0x3456922e211c660cULL, 0x86799ac55c1993b4ULL, 0x3e90d1219a51da9cULL, 0x2d5cbeb505819432ULL, 0x982e5fd48cce4a19ULL, 0xdb9c1238a24c8d43ULL, 0xd439febecaa96f9bULL, 0x418c0bef0960b281ULL, 0x158ea591f6ebd1deULL, 0x1f48e69e4da66d4eULL, 0x8afd13cf8e6fb054ULL, 0xf5e1c9011d5ed849ULL, 0xe34e091c5126c8afULL, 0xad67ee7530a398f6ULL, 0x43b24dec2e82c75aULL, 0x75da99c1287cd48dULL, 0x92e81cdb3783f689ULL, 0xa3dd217cc537cecdULL, 0x60543c50de970553ULL, 0x93f73f54aaf2426aULL, 0xa91b62737e7a725dULL, 0xf19d4507538732e2ULL, 0x77e4dfc20f9ea156ULL, 0x7d229ccdb4d31dc6ULL, 0x1b346a98037f87e5ULL, 0xedf4c615a4b29e94ULL, 0x4093286094110662ULL, 0xb0114ee85ae78063ULL, 0x6ff1d0d6b672e78bULL, 0x6dcf96d591909250ULL, 0xdfe09e3eec9567e8ULL, 0x3214582b4827f97cULL, 0xb46dc2ee143e6ac8ULL, 0xf6c0ac8da7cd1971ULL, 0xebb60c10cd8901e4ULL, 0xf7df8f023abcad92ULL, 0x9c52d3d2c217a0b2ULL, 0x6b8d5cd0f8ab0d20ULL, 0x3777f7a29b8fa734ULL, 0x011f238f9d71b4e3ULL, 0xc1b75b2f3c42be45ULL, 0x5de588fdfe551ef7ULL, 0x6eeef3592b035368ULL, 0xaa3a07ffc4e9b365ULL, 0xecebe59a39c32a77ULL, 0x5ba742f8976e8187ULL, 0x4b4a48e0b22d0e11ULL, 0xddded83dcb771233ULL, 0xa59feb79ac0c51bdULL, 0xc7f5912a55792135ULL }, /* 5 */ { 0x6d6ae04668a9b08aULL, 0x3ab3f04b0be8c743ULL, 0xe51e166b54b3c908ULL, 0xbe90a9eb35c2f139ULL, 0xb2c7066637f2bec1ULL, 0xaa6945613392202cULL, 0x9a28c36f3b5201ebULL, 0xddce5a93ab536994ULL, 0x0e34133ef6382827ULL, 0x52a02ba1ec55048bULL, 0xa2f88f97c4b2a177ULL, 0x8640e513ca2251a5ULL, 0xcdf1d36258137622ULL, 0xfe6cb708dedf8ddbULL, 0x8a174a9ec8121e5dULL, 0x679896036b81560eULL, 0x59ed033395795feeULL, 0x1dd778ab8b74edafULL, 0xee533ef92d9f926dULL, 0x2a8c79baf8a8d8f5ULL, 0x6bcf398e69b119f6ULL, 0xe20491742fafdd95ULL, 0x276488e0809c2aecULL, 0xea955b82d88f5cceULL, 0x7102c63a99d9e0c4ULL, 0xf9763017a5c39946ULL, 0x429fa2501f151b3dULL, 0x4659c72bea05d59eULL, 0x984b7fdccf5a6634ULL, 0xf742232953fbb161ULL, 0x3041860e08c021c7ULL, 0x747bfd9616cd9386ULL, 0x4bb1367192312787ULL, 0x1b72a1638a6c44d3ULL, 0x4a0e68a6e8359a66ULL, 0x169a5039f258b6caULL, 0xb98a2ef44edee5a4ULL, 0xd9083fe85e43a737ULL, 0x967f6ce239624e13ULL, 0x8874f62d3c1a7982ULL, 0x3c1629830af06e3fULL, 0x9165ebfd427e5a8eULL, 0xb5dd81794ceeaa5cULL, 0x0de8f15a7834f219ULL, 0x70bd98ede3dd5d25ULL, 0xaccc9ca9328a8950ULL, 0x56664eda1945ca28ULL, 0x221db34c0f8859aeULL, 0x26dbd637fa98970dULL, 0x1acdffb4f068f932ULL, 0x4585254f64090fa0ULL, 0x72de245e17d53afaULL, 0x1546b25d7c546cf4ULL, 0x207e0ffffb803e71ULL, 0xfaaad2732bcf4378ULL, 0xb462dfae36ea17bdULL, 0xcf926fd1ac1b11fdULL, 0xe0672dc7dba7ba4aULL, 0xd3fa49ad5d6b41b3ULL, 0x8ba81449b216a3bcULL, 0x14f9ec8a0650d115ULL, 0x40fc1ee3eb1d7ce2ULL, 0x23a2ed9b758ce44fULL, 0x782c521b14fddc7eULL, 0x1c68267cf170504eULL, 0xbcf31558c1ca96e6ULL, 0xa781b43b4ba6d235ULL, 0xf6fd7dfe29ff0c80ULL, 0xb0a4bad5c3fad91eULL, 0xd199f51ea963266cULL, 0x414340349119c103ULL, 0x5405f269ed4dadf7ULL, 0xabd61bb649969dcdULL, 0x6813dbeae7bdc3c8ULL, 0x65fb2ab09f8931d1ULL, 0xf1e7fae152e3181dULL, 0xc1a67cef5a2339daULL, 0x7a4feea8e0f5bba1ULL, 0x1e0b9acf05783791ULL, 0x5b8ebf8061713831ULL, 0x80e53cdbcb3af8d9ULL, 0x7e898bd315e57502ULL, 0xc6bcfbf0213f2d47ULL, 0x95a38e86b76e942dULL, 0x092e94218d243cbaULL, 0x8339debf453622e7ULL, 0xb11be402b9fe64ffULL, 0x57d9100d634177c9ULL, 0xcc4e8db52217cbc3ULL, 0x3b0cae9c71ec7aa2ULL, 0xfb158ca451cbfe99ULL, 0x2b33276d82ac6514ULL, 0x01bf5ed77a04bde1ULL, 0xc5601994af33f779ULL, 0x75c4a3416cc92e67ULL, 0xf3844652a6eb7fc2ULL, 0x3487e375fdd0ef64ULL, 0x18ae430704609eedULL, 0x4d14efb993298efbULL, 0x815a620cb13e4538ULL, 0x125c354207487869ULL, 0x9eeea614ce42cf48ULL, 0xce2d3106d61fac1cULL, 0xbbe99247bad6827bULL, 0x071a871f7b1c149dULL, 0x2e4a1cc10db81656ULL, 0x77a71ff298c149b8ULL, 0x06a5d9c80118a97cULL, 0xad73c27e488e34b1ULL, 0x443a7b981e0db241ULL, 0xe3bbcfa355ab6074ULL, 0x0af276450328e684ULL, 0x73617a896dd1871bULL, 0x58525de4ef7de20fULL, 0xb7be3dcab8e6cd83ULL, 0x19111dd07e64230cULL, 0x842359a03e2a367aULL, 0x103f89f1f3401fb6ULL, 0xdc710444d157d475ULL, 0xb835702334da5845ULL, 0x4320fc876511a6dcULL, 0xd026abc9d3679b8dULL, 0x17250eee885c0b2bULL, 0x90dab52a387ae76fULL, 0x31fed8d972c49c26ULL, 0x89cba8fa461ec463ULL, 0x2ff5421677bcabb7ULL, 0x396f122f85e41d7dULL, 0xa09b332430bac6a8ULL, 0xc888e8ced7070560ULL, 0xaeaf201ac682ee8fULL, 0x1180d7268944a257ULL, 0xf058a43628e7a5fcULL, 0xbd4c4b8fbbce2b07ULL, 0xa1246df34abe7b49ULL, 0x7d5569b79be9af3cULL, 0xa9b5a705bd9efa12ULL, 0xdb6b835baa4bc0e8ULL, 0x05793bac8f147342ULL, 0x21c1512881848390ULL, 0xfdb0556c50d357e5ULL, 0x613d4fcb6a99ff72ULL, 0x03dce2648e0cda3eULL, 0xe949b9e6568386f0ULL, 0xfc0f0bbb2ad7ea04ULL, 0x6a70675913b5a417ULL, 0x7f36d5046fe1c8e3ULL, 0x0c57af8d02304ff8ULL, 0x32223abdfcc84618ULL, 0x0891caf6f720815bULL, 0xa63eeaec31a26fd4ULL, 0x2507345374944d33ULL, 0x49d28ac266394058ULL, 0xf5219f9aa7f3d6beULL, 0x2d96fea583b4cc68ULL, 0x5a31e1571b7585d0ULL, 0x8ed12fe53d02d0feULL, 0xdfade6205f5b0e4bULL, 0x4cabb16ee92d331aULL, 0x04c6657bf510cea3ULL, 0xd73c2cd6a87b8f10ULL, 0xe1d87310a1a307abULL, 0x6cd5be9112ad0d6bULL, 0x97c032354366f3f2ULL, 0xd4e0ceb22677552eULL, 0x0000000000000000ULL, 0x29509bde76a402cbULL, 0xc27a9e8bd42fe3e4ULL, 0x5ef7842cee654b73ULL, 0xaf107ecdbc86536eULL, 0x3fcacbe784fcb401ULL, 0xd55f90655c73e8cfULL, 0xe6c2f40fdabf1336ULL, 0xe8f6e7312c873b11ULL, 0xeb2a0555a28be12fULL, 0xe4a148bc2eb774e9ULL, 0x9b979db84156bc0aULL, 0x6eb60222e6a56ab4ULL, 0x87ffbbc4b026ec44ULL, 0xc703a5275b3b90a6ULL, 0x47e699fc9001687fULL, 0x9c8d1aa73a4aa897ULL, 0x7cea3760e1ed12ddULL, 0x4ec80ddd1d2554c5ULL, 0x13e36b957d4cc588ULL, 0x5d2b66486069914dULL, 0x92b90999cc7280b0ULL, 0x517cc9c56259deb5ULL, 0xc937b619ad03b881ULL, 0xec30824ad997f5b2ULL, 0xa45d565fc5aa080bULL, 0xd6837201d27f32f1ULL, 0x635ef3789e9198adULL, 0x531f75769651b96aULL, 0x4f77530a6721e924ULL, 0x486dd4151c3dfdb9ULL, 0x5f48dafb9461f692ULL, 0x375b011173dc355aULL, 0x3da9775470f4d3deULL, 0x8d0dcd81b30e0ac0ULL, 0x36e45fc609d888bbULL, 0x55baacbe97491016ULL, 0x8cb29356c90ab721ULL, 0x76184125e2c5f459ULL, 0x99f4210bb55edbd5ULL, 0x6f095cf59ca1d755ULL, 0x9f51f8c3b44672a9ULL, 0x3538bda287d45285ULL, 0x50c39712185d6354ULL, 0xf23b1885dcefc223ULL, 0x79930ccc6ef9619fULL, 0xed8fdc9da3934853ULL, 0xcb540aaa590bdf5eULL, 0x5c94389f1a6d2cacULL, 0xe77daad8a0bbaed7ULL, 0x28efc5090ca0bf2aULL, 0xbf2ff73c4fc64cd8ULL, 0xb37858b14df60320ULL, 0xf8c96ec0dfc724a7ULL, 0x828680683f329f06ULL, 0x941cd051cd6a29ccULL, 0xc3c5c05cae2b5e05ULL, 0xb601631dc2e27062ULL, 0xc01922382027843bULL, 0x24b86a840e90f0d2ULL, 0xd245177a276ffc52ULL, 0x0f8b4de98c3c95c6ULL, 0x3e759530fef809e0ULL, 0x0b4d2892792c5b65ULL, 0xc4df4743d5374a98ULL, 0xa5e20888bfaeb5eaULL, 0xba56cc90c0d23f9aULL, 0x38d04cf8ffe0a09cULL, 0x62e1adafe495254cULL, 0x0263bcb3f40867dfULL, 0xcaeb547d230f62bfULL, 0x6082111c109d4293ULL, 0xdad4dd8cd04f7d09ULL, 0xefec602e579b2f8cULL, 0x1fb4c4187f7c8a70ULL, 0xffd3e9dfa4db303aULL, 0x7bf0b07f9af10640ULL, 0xf49ec14dddf76b5fULL, 0x8f6e713247066d1fULL, 0x339d646a86ccfbf9ULL, 0x64447467e58d8c30ULL, 0x2c29a072f9b07189ULL, 0xd8b7613f24471ad6ULL, 0x6627c8d41185ebefULL, 0xa347d140beb61c96ULL, 0xde12b8f7255fb3aaULL, 0x9d324470404e1576ULL, 0x9306574eb6763d51ULL, 0xa80af9d2c79a47f3ULL, 0x859c0777442e8b9bULL, 0x69ac853d9db97e29ULL }, /* 6 */ { 0xc3407dfc2de6377eULL, 0x5b9e93eea4256f77ULL, 0xadb58fdd50c845e0ULL, 0x5219ff11a75bed86ULL, 0x356b61cfd90b1de9ULL, 0xfb8f406e25abe037ULL, 0x7a5a0231c0f60796ULL, 0x9d3cd216e1f5020bULL, 0x0c6550fb6b48d8f3ULL, 0xf57508c427ff1c62ULL, 0x4ad35ffa71cb407dULL, 0x6290a2da1666aa6dULL, 0xe284ec2349355f9fULL, 0xb3c307c53d7c84ecULL, 0x05e23c0468365a02ULL, 0x190bac4d6c9ebfa8ULL, 0x94bbbee9e28b80faULL, 0xa34fc777529cb9b5ULL, 0xcc7b39f095bcd978ULL, 0x2426addb0ce532e3ULL, 0x7e79329312ce4fc7ULL, 0xab09a72eebec2917ULL, 0xf8d15499f6b9d6c2ULL, 0x1a55b8babf8c895dULL, 0xdb8add17fb769a85ULL, 0xb57f2f368658e81bULL, 0x8acd36f18f3f41f6ULL, 0x5ce3b7bba50f11d3ULL, 0x114dcc14d5ee2f0aULL, 0xb91a7fcded1030e8ULL, 0x81d5425fe55de7a1ULL, 0xb6213bc1554adeeeULL, 0x80144ef95f53f5f2ULL, 0x1e7688186db4c10cULL, 0x3b912965db5fe1bcULL, 0xc281715a97e8252dULL, 0x54a5d7e21c7f8171ULL, 0x4b12535ccbc5522eULL, 0x1d289cefbea6f7f9ULL, 0x6ef5f2217d2e729eULL, 0xe6a7dc819b0d17ceULL, 0x1b94b41c05829b0eULL, 0x33d7493c622f711eULL, 0xdcf7f942fa5ce421ULL, 0x600fba8b7f7a8ecbULL, 0x46b60f011a83988eULL, 0x235b898e0dcf4c47ULL, 0x957ab24f588592a9ULL, 0x4354330572b5c28cULL, 0xa5f3ef84e9b8d542ULL, 0x8c711e02341b2d01ULL, 0x0b1874ae6a62a657ULL, 0x1213d8e306fc19ffULL, 0xfe6d7c6a4d9dba35ULL, 0x65ed868f174cd4c9ULL, 0x88522ea0e6236550ULL, 0x899322065c2d7703ULL, 0xc01e690bfef4018bULL, 0x915982ed8abddaf8ULL, 0xbe675b98ec3a4e4cULL, 0xa996bf7f82f00db1ULL, 0xe1daf8d49a27696aULL, 0x2effd5d3dc8986e7ULL, 0xd153a51f2b1a2e81ULL, 0x18caa0ebd690adfbULL, 0x390e3134b243c51aULL, 0x2778b92cdff70416ULL, 0x029f1851691c24a6ULL, 0x5e7cafeacc133575ULL, 0xfa4e4cc89fa5f264ULL, 0x5a5f9f481e2b7d24ULL, 0x484c47ab18d764dbULL, 0x400a27f2a1a7f479ULL, 0xaeeb9b2a83da7315ULL, 0x721c626879869734ULL, 0x042330a2d2384851ULL, 0x85f672fd3765aff0ULL, 0xba446b3a3e02061dULL, 0x73dd6ecec3888567ULL, 0xffac70ccf793a866ULL, 0xdfa9edb5294ed2d4ULL, 0x6c6aea7014325638ULL, 0x834a5a0e8c41c307ULL, 0xcdba35562fb2cb2bULL, 0x0ad97808d06cb404ULL, 0x0f3b440cb85aee06ULL, 0xe5f9c876481f213bULL, 0x98deee1289c35809ULL, 0x59018bbfcd394bd1ULL, 0xe01bf47220297b39ULL, 0xde68e1139340c087ULL, 0x9fa3ca4788e926adULL, 0xbb85679c840c144eULL, 0x53d8f3b71d55ffd5ULL, 0x0da45c5dd146caa0ULL, 0x6f34fe87c72060cdULL, 0x57fbc315cf6db784ULL, 0xcee421a1fca0fddeULL, 0x3d2d0196607b8d4bULL, 0x642c8a29ad42c69aULL, 0x14aff010bdd87508ULL, 0xac74837beac657b3ULL, 0x3216459ad821634dULL, 0x3fb219c70967a9edULL, 0x06bc28f3bb246cf7ULL, 0xf2082c9126d562c6ULL, 0x66b39278c45ee23cULL, 0xbd394f6f3f2878b9ULL, 0xfd33689d9e8f8cc0ULL, 0x37f4799eb017394fULL, 0x108cc0b26fe03d59ULL, 0xda4bd1b1417888d6ULL, 0xb09d1332ee6eb219ULL, 0x2f3ed975668794b4ULL, 0x58c0871977375982ULL, 0x7561463d78ace990ULL, 0x09876cff037e82f1ULL, 0x7fb83e35a8c05d94ULL, 0x26b9b58a65f91645ULL, 0xef20b07e9873953fULL, 0x3148516d0b3355b8ULL, 0x41cb2b541ba9e62aULL, 0x790416c613e43163ULL, 0xa011d380818e8f40ULL, 0x3a5025c36151f3efULL, 0xd57095bdf92266d0ULL, 0x498d4b0da2d97688ULL, 0x8b0c3a57353153a5ULL, 0x21c491df64d368e1ULL, 0x8f2f0af5e7091bf4ULL, 0x2da1c1240f9bb012ULL, 0xc43d59a92ccc49daULL, 0xbfa6573e56345c1fULL, 0x828b56a8364fd154ULL, 0x9a41f643e0df7cafULL, 0xbcf843c985266aeaULL, 0x2b1de9d7b4bfdce5ULL, 0x20059d79dedd7ab2ULL, 0x6dabe6d6ae3c446bULL, 0x45e81bf6c991ae7bULL, 0x6351ae7cac68b83eULL, 0xa432e32253b6c711ULL, 0xd092a9b991143cd2ULL, 0xcac711032e98b58fULL, 0xd8d4c9e02864ac70ULL, 0xc5fc550f96c25b89ULL, 0xd7ef8dec903e4276ULL, 0x67729ede7e50f06fULL, 0xeac28c7af045cf3dULL, 0xb15c1f945460a04aULL, 0x9cfddeb05bfb1058ULL, 0x93c69abce3a1fe5eULL, 0xeb0380dc4a4bdd6eULL, 0xd20db1e8f8081874ULL, 0x229a8528b7c15e14ULL, 0x44291750739fbc28ULL, 0xd3ccbd4e42060a27ULL, 0xf62b1c33f4ed2a97ULL, 0x86a8660ae4779905ULL, 0xd62e814a2a305025ULL, 0x477703a7a08d8addULL, 0x7b9b0e977af815c5ULL, 0x78c51a60a9ea2330ULL, 0xa6adfb733aaae3b7ULL, 0x97e5aa1e3199b60fULL, 0x0000000000000000ULL, 0xf4b404629df10e31ULL, 0x5564db44a6719322ULL, 0x9207961a59afec0dULL, 0x9624a6b88b97a45cULL, 0x363575380a192b1cULL, 0x2c60cd82b595a241ULL, 0x7d272664c1dc7932ULL, 0x7142769faa94a1c1ULL, 0xa1d0df263b809d13ULL, 0x1630e841d4c451aeULL, 0xc1df65ad44fa13d8ULL, 0x13d2d445bcf20bacULL, 0xd915c546926abe23ULL, 0x38cf3d92084dd749ULL, 0xe766d0272103059dULL, 0xc7634d5effde7f2fULL, 0x077d2455012a7ea4ULL, 0xedbfa82ff16fb199ULL, 0xaf2a978c39d46146ULL, 0x42953fa3c8bbd0dfULL, 0xcb061da59496a7dcULL, 0x25e7a17db6eb20b0ULL, 0x34aa6d6963050fbaULL, 0xa76cf7d580a4f1e4ULL, 0xf7ea10954ee338c4ULL, 0xfcf2643b24819e93ULL, 0xcf252d0746aeef8dULL, 0x4ef06f58a3f3082cULL, 0x563acfb37563a5d7ULL, 0x5086e740ce47c920ULL, 0x2982f186dda3f843ULL, 0x87696aac5e798b56ULL, 0x5d22bb1d1f010380ULL, 0x035e14f7d31236f5ULL, 0x3cec0d30da759f18ULL, 0xf3c920379cdb7095ULL, 0xb8db736b571e22bbULL, 0xdd36f5e44052f672ULL, 0xaac8ab8851e23b44ULL, 0xa857b3d938fe1fe2ULL, 0x17f1e4e76eca43fdULL, 0xec7ea4894b61a3caULL, 0x9e62c6e132e734feULL, 0xd4b1991b432c7483ULL, 0x6ad6c283af163acfULL, 0x1ce9904904a8e5aaULL, 0x5fbda34c761d2726ULL, 0xf910583f4cb7c491ULL, 0xc6a241f845d06d7cULL, 0x4f3163fe19fd1a7fULL, 0xe99c988d2357f9c8ULL, 0x8eee06535d0709a7ULL, 0x0efa48aa0254fc55ULL, 0xb4be23903c56fa48ULL, 0x763f52caabbedf65ULL, 0xeee1bcd8227d876cULL, 0xe345e085f33b4dccULL, 0x3e731561b369bbbeULL, 0x2843fd2067adea10ULL, 0x2adce5710eb1ceb6ULL, 0xb7e03767ef44ccbdULL, 0x8db012a48e153f52ULL, 0x61ceb62dc5749c98ULL, 0xe85d942b9959eb9bULL, 0x4c6f7709caef2c8aULL, 0x84377e5b8d6bbda3ULL, 0x30895dcbb13d47ebULL, 0x74a04a9bc2a2fbc3ULL, 0x6b17ce251518289cULL, 0xe438c4d0f2113368ULL, 0x1fb784bed7bad35fULL, 0x9b80fae55ad16efcULL, 0x77fe5e6c11b0cd36ULL, 0xc858095247849129ULL, 0x08466059b97090a2ULL, 0x01c10ca6ba0e1253ULL, 0x6988d6747c040c3aULL, 0x6849dad2c60a1e69ULL, 0x5147ebe67449db73ULL, 0xc99905f4fd8a837aULL, 0x991fe2b433cd4a5aULL, 0xf09734c04fc94660ULL, 0xa28ecbd1e892abe6ULL, 0xf1563866f5c75433ULL, 0x4dae7baf70e13ed9ULL, 0x7ce62ac27bd26b61ULL, 0x70837a39109ab392ULL, 0x90988e4b30b3c8abULL, 0xb2020b63877296bfULL, 0x156efcb607d6675bULL }, /* 7 */ { 0xe63f55ce97c331d0ULL, 0x25b506b0015bba16ULL, 0xc8706e29e6ad9ba8ULL, 0x5b43d3775d521f6aULL, 0x0bfa3d577035106eULL, 0xab95fc172afb0e66ULL, 0xf64b63979e7a3276ULL, 0xf58b4562649dad4bULL, 0x48f7c3dbae0c83f1ULL, 0xff31916642f5c8c5ULL, 0xcbb048dc1c4a0495ULL, 0x66b8f83cdf622989ULL, 0x35c130e908e2b9b0ULL, 0x7c761a61f0b34fa1ULL, 0x3601161cf205268dULL, 0x9e54ccfe2219b7d6ULL, 0x8b7d90a538940837ULL, 0x9cd403588ea35d0bULL, 0xbc3c6fea9ccc5b5aULL, 0xe5ff733b6d24aeedULL, 0xceed22de0f7eb8d2ULL, 0xec8581cab1ab545eULL, 0xb96105e88ff8e71dULL, 0x8ca03501871a5eadULL, 0x76ccce65d6db2a2fULL, 0x5883f582a7b58057ULL, 0x3f7be4ed2e8adc3eULL, 0x0fe7be06355cd9c9ULL, 0xee054e6c1d11be83ULL, 0x1074365909b903a6ULL, 0x5dde9f80b4813c10ULL, 0x4a770c7d02b6692cULL, 0x5379c8d5d7809039ULL, 0xb4067448161ed409ULL, 0x5f5e5026183bd6cdULL, 0xe898029bf4c29df9ULL, 0x7fb63c940a54d09cULL, 0xc5171f897f4ba8bcULL, 0xa6f28db7b31d3d72ULL, 0x2e4f3be7716eaa78ULL, 0x0d6771a099e63314ULL, 0x82076254e41bf284ULL, 0x2f0fd2b42733df98ULL, 0x5c9e76d3e2dc49f0ULL, 0x7aeb569619606cdbULL, 0x83478b07b2468764ULL, 0xcfadcb8d5923cd32ULL, 0x85dac7f05b95a41eULL, 0xb5469d1b4043a1e9ULL, 0xb821ecbbd9a592fdULL, 0x1b8e0b0e798c13c8ULL, 0x62a57b6d9a0be02eULL, 0xfcf1b793b81257f8ULL, 0x9d94ea0bd8fe28ebULL, 0x4cea408aeb654a56ULL, 0x23284a47e888996cULL, 0x2d8f1d128b893545ULL, 0xf4cbac3132c0d8abULL, 0xbd7c86b9ca912ebaULL, 0x3a268eef3dbe6079ULL, 0xf0d62f6077a9110cULL, 0x2735c916ade150cbULL, 0x89fd5f03942ee2eaULL, 0x1acee25d2fd16628ULL, 0x90f39bab41181bffULL, 0x430dfe8cde39939fULL, 0xf70b8ac4c8274796ULL, 0x1c53aeaac6024552ULL, 0x13b410acf35e9c9bULL, 0xa532ab4249faa24fULL, 0x2b1251e5625a163fULL, 0xd7e3e676da4841c7ULL, 0xa7b264e4e5404892ULL, 0xda8497d643ae72d3ULL, 0x861ae105a1723b23ULL, 0x38a6414991048aa4ULL, 0x6578dec92585b6b4ULL, 0x0280cfa6acbaeaddULL, 0x88bdb650c273970aULL, 0x9333bd5ebbff84c2ULL, 0x4e6a8f2c47dfa08bULL, 0x321c954db76cef2aULL, 0x418d312a72837942ULL, 0xb29b38bfffcdf773ULL, 0x6c022c38f90a4c07ULL, 0x5a033a240b0f6a8aULL, 0x1f93885f3ce5da6fULL, 0xc38a537e96988bc6ULL, 0x39e6a81ac759ff44ULL, 0x29929e43cee0fce2ULL, 0x40cdd87924de0ca2ULL, 0xe9d8ebc8a29fe819ULL, 0x0c2798f3cfbb46f4ULL, 0x55e484223e53b343ULL, 0x4650948ecd0d2fd8ULL, 0x20e86cb2126f0651ULL, 0x6d42c56baf5739e7ULL, 0xa06fc1405ace1e08ULL, 0x7babbfc54f3d193bULL, 0x424d17df8864e67fULL, 0xd8045870ef14980eULL, 0xc6d7397c85ac3781ULL, 0x21a885e1443273b1ULL, 0x67f8116f893f5c69ULL, 0x24f5efe35706cff6ULL, 0xd56329d076f2ab1aULL, 0x5e1eb9754e66a32dULL, 0x28d2771098bd8902ULL, 0x8f6013f47dfdc190ULL, 0x17a993fdb637553cULL, 0xe0a219397e1012aaULL, 0x786b9930b5da8606ULL, 0x6e82e39e55b0a6daULL, 0x875a0856f72f4ec3ULL, 0x3741ff4fa458536dULL, 0xac4859b3957558fcULL, 0x7ef6d5c75c09a57cULL, 0xc04a758b6c7f14fbULL, 0xf9acdd91ab26ebbfULL, 0x7391a467c5ef9668ULL, 0x335c7c1ee1319acaULL, 0xa91533b18641e4bbULL, 0xe4bf9a683b79db0dULL, 0x8e20faa72ba0b470ULL, 0x51f907737b3a7ae4ULL, 0x2268a314bed5ec8cULL, 0xd944b123b949edeeULL, 0x31dcb3b84d8b7017ULL, 0xd3fe65279f218860ULL, 0x097af2f1dc8ffab3ULL, 0x9b09a6fc312d0b91ULL, 0xcc6ded78a3c4520fULL, 0x3481d9ba5ebfcc50ULL, 0x4f2a667f1182d56bULL, 0xdfd9fdd4509ace94ULL, 0x26752045fbbc252bULL, 0xbffc491f662bc467ULL, 0xdd593272fc202449ULL, 0x3cbbc218d46d4303ULL, 0x91b372f817456e1fULL, 0x681faf69bc6385a0ULL, 0xb686bbeebaa43ed4ULL, 0x1469b5084cd0ca01ULL, 0x98c98009cbca94acULL, 0x6438379a73d8c354ULL, 0xc2caba2dc0c5fe26ULL, 0x3e3b0dbe78d7a9deULL, 0x50b9ee202d670f04ULL, 0x4590b27b37eab0e5ULL, 0x6025b4cb36b10af3ULL, 0xfb2c1237079c0162ULL, 0xa12f28130c936be8ULL, 0x4b37e52e54eb1cccULL, 0x083a1ba28ad28f53ULL, 0xc10a9cd83a22611bULL, 0x9f1425ad7444c236ULL, 0x069d4cf7e9d3237aULL, 0xedc56899e7f621beULL, 0x778c273680865fcfULL, 0x309c5aeb1bd605f7ULL, 0x8de0dc52d1472b4dULL, 0xf8ec34c2fd7b9e5fULL, 0xea18cd3d58787724ULL, 0xaad515447ca67b86ULL, 0x9989695a9d97e14cULL, 0x0000000000000000ULL, 0xf196c63321f464ecULL, 0x71116bc169557cb5ULL, 0xaf887f466f92c7c1ULL, 0x972e3e0ffe964d65ULL, 0x190ec4a8d536f915ULL, 0x95aef1a9522ca7b8ULL, 0xdc19db21aa7d51a9ULL, 0x94ee18fa0471d258ULL, 0x8087adf248a11859ULL, 0xc457f6da2916dd5cULL, 0xfa6cfb6451c17482ULL, 0xf256e0c6db13fbd1ULL, 0x6a9f60cf10d96f7dULL, 0x4daaa9d9bd383fb6ULL, 0x03c026f5fae79f3dULL, 0xde99148706c7bb74ULL, 0x2a52b8b6340763dfULL, 0x6fc20acd03edd33aULL, 0xd423c08320afdefaULL, 0xbbe1ca4e23420dc0ULL, 0x966ed75ca8cb3885ULL, 0xeb58246e0e2502c4ULL, 0x055d6a021334bc47ULL, 0xa47242111fa7d7afULL, 0xe3623fcc84f78d97ULL, 0x81c744a11efc6db9ULL, 0xaec8961539cfb221ULL, 0xf31609958d4e8e31ULL, 0x63e5923ecc5695ceULL, 0x47107ddd9b505a38ULL, 0xa3afe7b5a0298135ULL, 0x792b7063e387f3e6ULL, 0x0140e953565d75e0ULL, 0x12f4f9ffa503e97bULL, 0x750ce8902c3cb512ULL, 0xdbc47e8515f30733ULL, 0x1ed3610c6ab8af8fULL, 0x5239218681dde5d9ULL, 0xe222d69fd2aaf877ULL, 0xfe71783514a8bd25ULL, 0xcaf0a18f4a177175ULL, 0x61655d9860ec7f13ULL, 0xe77fbc9dc19e4430ULL, 0x2ccff441ddd440a5ULL, 0x16e97aaee06a20dcULL, 0xa855dae2d01c915bULL, 0x1d1347f9905f30b2ULL, 0xb7c652bdecf94b34ULL, 0xd03e43d265c6175dULL, 0xfdb15ec0ee4f2218ULL, 0x57644b8492e9599eULL, 0x07dda5a4bf8e569aULL, 0x54a46d71680ec6a3ULL, 0x5624a2d7c4b42c7eULL, 0xbebca04c3076b187ULL, 0x7d36f332a6ee3a41ULL, 0x3b6667bc6be31599ULL, 0x695f463aea3ef040ULL, 0xad08b0e0c3282d1cULL, 0xb15b1e4a052a684eULL, 0x44d05b2861b7c505ULL, 0x15295c5b1a8dbfe1ULL, 0x744c01c37a61c0f2ULL, 0x59c31cd1f1e8f5b7ULL, 0xef45a73f4b4ccb63ULL, 0x6bdf899c46841a9dULL, 0x3dfb2b4b823036e3ULL, 0xa2ef0ee6f674f4d5ULL, 0x184e2dfb836b8cf5ULL, 0x1134df0a5fe47646ULL, 0xbaa1231d751f7820ULL, 0xd17eaa81339b62bdULL, 0xb01bf71953771daeULL, 0x849a2ea30dc8d1feULL, 0x705182923f080955ULL, 0x0ea757556301ac29ULL, 0x041d83514569c9a7ULL, 0x0abad4042668658eULL, 0x49b72a88f851f611ULL, 0x8a3d79f66ec97dd7ULL, 0xcd2d042bf59927efULL, 0xc930877ab0f0ee48ULL, 0x9273540deda2f122ULL, 0xc797d02fd3f14261ULL, 0xe1e2f06a284d674aULL, 0xd2be8c74c97cfd80ULL, 0x9a494faf67707e71ULL, 0xb3dbd1eca9908293ULL, 0x72d14d3493b2e388ULL, 0xd6a30f258c153427ULL }, }; static const uint64_t C16[12][8] = { { 0xdd806559f2a64507ULL, 0x05767436cc744d23ULL, 0xa2422a08a460d315ULL, 0x4b7ce09192676901ULL, 0x714eb88d7585c4fcULL, 0x2f6a76432e45d016ULL, 0xebcb2f81c0657c1fULL, 0xb1085bda1ecadae9ULL }, { 0xe679047021b19bb7ULL, 0x55dda21bd7cbcd56ULL, 0x5cb561c2db0aa7caULL, 0x9ab5176b12d69958ULL, 0x61d55e0f16b50131ULL, 0xf3feea720a232b98ULL, 0x4fe39d460f70b5d7ULL, 0x6fa3b58aa99d2f1aULL }, { 0x991e96f50aba0ab2ULL, 0xc2b6f443867adb31ULL, 0xc1c93a376062db09ULL, 0xd3e20fe490359eb1ULL, 0xf2ea7514b1297b7bULL, 0x06f15e5f529c1f8bULL, 0x0a39fc286a3d8435ULL, 0xf574dcac2bce2fc7ULL }, { 0x220cbebc84e3d12eULL, 0x3453eaa193e837f1ULL, 0xd8b71333935203beULL, 0xa9d72c82ed03d675ULL, 0x9d721cad685e353fULL, 0x488e857e335c3c7dULL, 0xf948e1a05d71e4ddULL, 0xef1fdfb3e81566d2ULL }, { 0x601758fd7c6cfe57ULL, 0x7a56a27ea9ea63f5ULL, 0xdfff00b723271a16ULL, 0xbfcd1747253af5a3ULL, 0x359e35d7800fffbdULL, 0x7f151c1f1686104aULL, 0x9a3f410c6ca92363ULL, 0x4bea6bacad474799ULL }, { 0xfa68407a46647d6eULL, 0xbf71c57236904f35ULL, 0x0af21f66c2bec6b6ULL, 0xcffaa6b71c9ab7b4ULL, 0x187f9ab49af08ec6ULL, 0x2d66c4f95142a46cULL, 0x6fa4c33b7a3039c0ULL, 0xae4faeae1d3ad3d9ULL }, { 0x8886564d3a14d493ULL, 0x3517454ca23c4af3ULL, 0x06476983284a0504ULL, 0x0992abc52d822c37ULL, 0xd3473e33197a93c9ULL, 0x399ec6c7e6bf87c9ULL, 0x51ac86febf240954ULL, 0xf4c70e16eeaac5ecULL }, { 0xa47f0dd4bf02e71eULL, 0x36acc2355951a8d9ULL, 0x69d18d2bd1a5c42fULL, 0xf4892bcb929b0690ULL, 0x89b4443b4ddbc49aULL, 0x4eb7f8719c36de1eULL, 0x03e7aa020c6e4141ULL, 0x9b1f5b424d93c9a7ULL }, { 0x7261445183235adbULL, 0x0e38dc92cb1f2a60ULL, 0x7b2b8a9aa6079c54ULL, 0x800a440bdbb2ceb1ULL, 0x3cd955b7e00d0984ULL, 0x3a7d3a1b25894224ULL, 0x944c9ad8ec165fdeULL, 0x378f5a541631229bULL }, { 0x74b4c7fb98459cedULL, 0x3698fad1153bb6c3ULL, 0x7a1e6c303b7652f4ULL, 0x9fe76702af69334bULL, 0x1fffe18a1b336103ULL, 0x8941e71cff8a78dbULL, 0x382ae548b2e4f3f3ULL, 0xabbedea680056f52ULL }, { 0x6bcaa4cd81f32d1bULL, 0xdea2594ac06fd85dULL, 0xefbacd1d7d476e98ULL, 0x8a1d71efea48b9caULL, 0x2001802114846679ULL, 0xd8fa6bbbebab0761ULL, 0x3002c6cd635afe94ULL, 0x7bcd9ed0efc889fbULL }, { 0x48bc924af11bd720ULL, 0xfaf417d5d9b21b99ULL, 0xe71da4aa88e12852ULL, 0x5d80ef9d1891cc86ULL, 0xf82012d430219f9bULL, 0xcda43c32bcdf1d77ULL, 0xd21380b00449b17aULL, 0x378ee767f11631baULL }, }; #define strido(out, temp, i) do { \ uint64_t t; \ t = streebog_table[0][(temp[0] >> (i * 8)) & 0xff]; \ t ^= streebog_table[1][(temp[1] >> (i * 8)) & 0xff]; \ t ^= streebog_table[2][(temp[2] >> (i * 8)) & 0xff]; \ t ^= streebog_table[3][(temp[3] >> (i * 8)) & 0xff]; \ t ^= streebog_table[4][(temp[4] >> (i * 8)) & 0xff]; \ t ^= streebog_table[5][(temp[5] >> (i * 8)) & 0xff]; \ t ^= streebog_table[6][(temp[6] >> (i * 8)) & 0xff]; \ t ^= streebog_table[7][(temp[7] >> (i * 8)) & 0xff]; \ out[i] = t; } while(0) static void LPSX (uint64_t *out, const uint64_t *a, const uint64_t *b) { uint64_t temp[8]; temp[0] = a[0] ^ b[0]; temp[1] = a[1] ^ b[1]; temp[2] = a[2] ^ b[2]; temp[3] = a[3] ^ b[3]; temp[4] = a[4] ^ b[4]; temp[5] = a[5] ^ b[5]; temp[6] = a[6] ^ b[6]; temp[7] = a[7] ^ b[7]; strido (out, temp, 0); strido (out, temp, 1); strido (out, temp, 2); strido (out, temp, 3); strido (out, temp, 4); strido (out, temp, 5); strido (out, temp, 6); strido (out, temp, 7); } static inline void g (uint64_t *h, uint64_t *m, uint64_t *N) { uint64_t K[8]; uint64_t T[8]; int i; LPSX (K, h, N); LPSX (T, K, m); LPSX (K, K, C16[0]); for (i = 1; i < 12; i++) { LPSX (T, K, T); LPSX (K, K, C16[i]); } h[0] ^= T[0] ^ K[0] ^ m[0]; h[1] ^= T[1] ^ K[1] ^ m[1]; h[2] ^= T[2] ^ K[2] ^ m[2]; h[3] ^= T[3] ^ K[3] ^ m[3]; h[4] ^= T[4] ^ K[4] ^ m[4]; h[5] ^= T[5] ^ K[5] ^ m[5]; h[6] ^= T[6] ^ K[6] ^ m[6]; h[7] ^= T[7] ^ K[7] ^ m[7]; } static void streebog512_compress (struct streebog512_ctx *ctx, const uint8_t *input, uint64_t count) { uint64_t M[8]; uint64_t cf; int i; for (i = 0; i < 8; i++, input += 8) M[i] = LE_READ_UINT64(input); g (ctx->state, M, ctx->count); ctx->count[0] += count; if (ctx->count[0] < count) { /* overflow */ for (i = 1; i < 8; i++) { ctx->count[i]++; if (ctx->count[i] != 0) break; } } ctx->sigma[0] += M[0]; cf = (ctx->sigma[0] < M[0]); for (i = 1; i < 7; i++) { ctx->sigma[i] += cf; cf = (ctx->sigma[i] < cf); ctx->sigma[i] += M[i]; cf |= (ctx->sigma[i] < M[i]); } ctx->sigma[7] += M[7] + cf; } static void streebog_final (struct streebog512_ctx *ctx) { uint64_t Z[8] = {}; unsigned int i; /* PAD. It does not count towards message length */ i = ctx->index; /* We have at least one byte free) */ ctx->block[i++] = 1; while (i < 64) ctx->block[i++] = 0; streebog512_compress (ctx, ctx->block, ctx->index * 8); g (ctx->state, ctx->count, Z); g (ctx->state, ctx->sigma, Z); } #define COMPRESS(ctx, data) (streebog512_compress((ctx), (data), 64 * 8)) void streebog512_init(struct streebog512_ctx *ctx) { memset(ctx->state, 0, sizeof(ctx->state)); memset(ctx->count, 0, sizeof(ctx->count)); memset(ctx->sigma, 0, sizeof(ctx->sigma)); /* Initialize buffer */ ctx->index = 0; } void streebog512_update(struct streebog512_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, (void)0); } static void streebog512_write_digest(struct streebog512_ctx *ctx, size_t offset, size_t length, uint8_t *digest) { assert(offset + length <= STREEBOG512_DIGEST_SIZE); streebog_final(ctx); _nettle_write_le64(length, digest, ctx->state + offset); } void streebog512_digest(struct streebog512_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= STREEBOG512_DIGEST_SIZE); streebog512_write_digest(ctx, 0, length, digest); streebog512_init(ctx); } void streebog256_init(struct streebog256_ctx *ctx) { memset(ctx->state, 1, sizeof(ctx->state)); memset(ctx->count, 0, sizeof(ctx->count)); memset(ctx->sigma, 0, sizeof(ctx->sigma)); /* Initialize buffer */ ctx->index = 0; } void streebog256_digest(struct streebog256_ctx *ctx, size_t length, uint8_t *digest) { assert(length <= STREEBOG256_DIGEST_SIZE); streebog512_write_digest(ctx, 4, length, digest); streebog256_init(ctx); } nettle-3.10/fat-arm.c0000644000175000017500000002172714633602172013464 0ustar nissenisse/* fat-arm.c Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #include "nettle-types.h" #include "aes-internal.h" #include "chacha-internal.h" #include "salsa20-internal.h" #include "fat-setup.h" struct arm_features { /* /proc/cpuinfo "CPU Architecture" doesn't correspond exactly to ARM architecture version, but it's good enough for our purposes. Will be set to 5, 6, 7 or 8. */ unsigned arch_version; int have_neon; }; #define SKIP(s, slen, literal, llen) \ (((slen) >= (llen) && memcmp ((s), (literal), llen) == 0) \ ? ((slen) -= (llen), (s) += (llen), 1) : 0) #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_arm_features (struct arm_features *features) { const char *s; features->arch_version = 5; features->have_neon = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (SKIP (s, length, "arch:", 5)) { if (length == 1 && *s >= '0' && *s <= '9') features->arch_version = *s - '0'; } else if (MATCH (s, length, "neon", 4)) features->have_neon = 1; if (!sep) break; s = sep + 1; } else { FILE *f; char line[200]; int seen_arch = 0; int seen_features = 0; f = fopen ("/proc/cpuinfo", "r"); if (!f) return; while (seen_features + seen_arch < 2 && fgets (line, sizeof(line), f)) { char *sep; char *p; sep = strchr (line, ':'); if (!sep) continue; for (p = sep; p - line > 0 && p[-1] == '\t'; p--) ; *p = '\0'; p = sep+1; if (strcmp (line, "Features") == 0) { features->have_neon = (strstr (p, " neon ") != NULL); seen_features = 1; } else if (strcmp (line, "CPU architecture") == 0) { /* Don't use strtol, since it's locale dependent. */ while (p[0] == ' ') p++; if (p[0] > '5' && p[0] <= '9') features->arch_version = p[0] - '0'; else if (strcmp (p, "AArch64") == 0) features->arch_version = 8; seen_arch = 1; } } if (features->arch_version >= 8) { /* Neon is not required, and maybe not listed in feature flags */ features->have_neon = 1; } fclose (f); } } DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, arm) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, armv6) DECLARE_FAT_FUNC(_nettle_aes_decrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, arm) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, armv6) DECLARE_FAT_FUNC(_nettle_salsa20_crypt, salsa20_crypt_func) DECLARE_FAT_FUNC_VAR(salsa20_crypt, salsa20_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(salsa20_crypt, salsa20_crypt_func, 2core) DECLARE_FAT_FUNC(nettle_sha1_compress, sha1_compress_func) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, c) DECLARE_FAT_FUNC_VAR(sha1_compress, sha1_compress_func, armv6) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, c) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, armv6) DECLARE_FAT_FUNC(_nettle_sha512_compress, sha512_compress_func) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, c) DECLARE_FAT_FUNC_VAR(sha512_compress, sha512_compress_func, neon) DECLARE_FAT_FUNC(nettle_sha3_permute, sha3_permute_func) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, c) DECLARE_FAT_FUNC_VAR(sha3_permute, sha3_permute_func, neon) DECLARE_FAT_FUNC(_nettle_umac_nh, umac_nh_func) DECLARE_FAT_FUNC_VAR(umac_nh, umac_nh_func, c); DECLARE_FAT_FUNC_VAR(umac_nh, umac_nh_func, neon); DECLARE_FAT_FUNC(_nettle_umac_nh_n, umac_nh_n_func) DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, c); DECLARE_FAT_FUNC_VAR(umac_nh_n, umac_nh_n_func, neon); DECLARE_FAT_FUNC(nettle_chacha_crypt, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 3core) DECLARE_FAT_FUNC(nettle_chacha_crypt32, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 3core) static void CONSTRUCTOR fat_init (void) { struct arm_features features; int verbose; get_arm_features (&features); verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: cpu features: arch:%d%s\n", features.arch_version, features.have_neon ? ",neon" : ""); if (features.arch_version >= 6) { if (verbose) fprintf (stderr, "libnettle: enabling armv6 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_armv6; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_armv6; nettle_sha1_compress_vec = _nettle_sha1_compress_armv6; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_armv6; } else { if (verbose) fprintf (stderr, "libnettle: not enabling armv6 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_arm; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_arm; nettle_sha1_compress_vec = _nettle_sha1_compress_c; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_c; } if (features.have_neon) { if (verbose) fprintf (stderr, "libnettle: enabling neon code.\n"); _nettle_salsa20_crypt_vec = _nettle_salsa20_crypt_2core; _nettle_sha512_compress_vec = _nettle_sha512_compress_neon; nettle_sha3_permute_vec = _nettle_sha3_permute_neon; _nettle_umac_nh_vec = _nettle_umac_nh_neon; _nettle_umac_nh_n_vec = _nettle_umac_nh_n_neon; nettle_chacha_crypt_vec = _nettle_chacha_crypt_3core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_3core; } else { if (verbose) fprintf (stderr, "libnettle: not enabling neon code.\n"); _nettle_salsa20_crypt_vec = _nettle_salsa20_crypt_1core; _nettle_sha512_compress_vec = _nettle_sha512_compress_c; nettle_sha3_permute_vec = _nettle_sha3_permute_c; _nettle_umac_nh_vec = _nettle_umac_nh_c; _nettle_umac_nh_n_vec = _nettle_umac_nh_n_c; nettle_chacha_crypt_vec = _nettle_chacha_crypt_1core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_1core; } } DEFINE_FAT_FUNC(_nettle_aes_encrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_aes_decrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_salsa20_crypt, void, (struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src), (ctx, rounds, length, dst, src)) DEFINE_FAT_FUNC(nettle_sha1_compress, void, (uint32_t *state, const uint8_t *input), (state, input)) DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) DEFINE_FAT_FUNC(_nettle_sha512_compress, void, (uint64_t *state, const uint8_t *input, const uint64_t *k), (state, input, k)) DEFINE_FAT_FUNC(nettle_sha3_permute, void, (struct sha3_state *state), (state)) DEFINE_FAT_FUNC(_nettle_umac_nh, uint64_t, (const uint32_t *key, unsigned length, const uint8_t *msg), (key, length, msg)) DEFINE_FAT_FUNC(_nettle_umac_nh_n, void, (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg), (out, n, key, length, msg)) DEFINE_FAT_FUNC(nettle_chacha_crypt, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_chacha_crypt32, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) nettle-3.10/fat-ppc.c0000644000175000017500000003011014633602172013451 0ustar nissenisse/* fat-ppc.c Copyright (C) 2020 Mamone Tarsha This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #define _GNU_SOURCE #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include #if defined(_AIX) # include #elif defined(__linux__) && defined(__GLIBC__) && defined(__GLIBC_PREREQ) # if __GLIBC_PREREQ(2, 16) # define USE_GETAUXVAL 1 # include # include # endif #elif defined(__FreeBSD__) # include # ifdef PPC_FEATURE2_HAS_VEC_CRYPTO # define PPC_FEATURE2_VEC_CRYPTO PPC_FEATURE2_HAS_VEC_CRYPTO # endif # if __FreeBSD__ >= 12 # include # else # include # endif #endif #include "nettle-types.h" #include "aes-internal.h" #include "chacha-internal.h" #include "ghash-internal.h" #include "poly1305.h" #include "fat-setup.h" /* Defines from arch/powerpc/include/uapi/asm/cputable.h in Linux kernel */ #ifndef PPC_FEATURE_HAS_ALTIVEC #define PPC_FEATURE_HAS_ALTIVEC 0x10000000 #endif #ifndef PPC_FEATURE_HAS_VSX #define PPC_FEATURE_HAS_VSX 0x00000080 #endif #ifndef PPC_FEATURE2_VEC_CRYPTO #define PPC_FEATURE2_VEC_CRYPTO 0x02000000 #endif #ifndef PPC_FEATURE2_ARCH_3_00 #define PPC_FEATURE2_ARCH_3_00 0x00800000 #endif struct ppc_features { int have_crypto_ext; int have_altivec; int have_power9; }; #define MATCH(s, slen, literal, llen) \ ((slen) == (llen) && memcmp ((s), (literal), llen) == 0) static void get_ppc_features (struct ppc_features *features) { const char *s; features->have_crypto_ext = 0; features->have_altivec = 0; features->have_power9 = 0; s = secure_getenv (ENV_OVERRIDE); if (s) for (;;) { const char *sep = strchr (s, ','); size_t length = sep ? (size_t) (sep - s) : strlen(s); if (MATCH (s, length, "crypto_ext", 10)) features->have_crypto_ext = 1; else if (MATCH(s, length, "altivec", 7)) features->have_altivec = 1; else if (MATCH(s, length, "power9", 6)) features->have_power9 = 1; if (!sep) break; s = sep + 1; } else { #if defined(_AIX) features->have_crypto_ext = _system_configuration.implementation >= 0x10000u; features->have_altivec = _system_configuration.vmx_version > 1; #else unsigned long hwcap = 0; unsigned long hwcap2 = 0; # if USE_GETAUXVAL hwcap = getauxval(AT_HWCAP); hwcap2 = getauxval(AT_HWCAP2); # elif defined(__FreeBSD__) # if __FreeBSD__ >= 12 elf_aux_info(AT_HWCAP, &hwcap, sizeof(hwcap)); elf_aux_info(AT_HWCAP2, &hwcap2, sizeof(hwcap2)); # else size_t len; len = sizeof(hwcap); sysctlbyname("hw.cpu_features", &hwcap, &len, NULL, 0); len = sizeof(hwcap2); sysctlbyname("hw.cpu_features2", &hwcap2, &len, NULL, 0); # endif # endif features->have_crypto_ext = ((hwcap2 & PPC_FEATURE2_VEC_CRYPTO) == PPC_FEATURE2_VEC_CRYPTO); features->have_power9 = ((hwcap2 & PPC_FEATURE2_ARCH_3_00) == PPC_FEATURE2_ARCH_3_00); /* We also need VSX instructions, mainly for load and store. */ features->have_altivec = ((hwcap & (PPC_FEATURE_HAS_ALTIVEC | PPC_FEATURE_HAS_VSX)) == (PPC_FEATURE_HAS_ALTIVEC | PPC_FEATURE_HAS_VSX)); #endif } } DECLARE_FAT_FUNC(_nettle_aes_encrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, c) DECLARE_FAT_FUNC_VAR(aes_encrypt, aes_crypt_internal_func, ppc64) DECLARE_FAT_FUNC(_nettle_aes_decrypt, aes_crypt_internal_func) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, c) DECLARE_FAT_FUNC_VAR(aes_decrypt, aes_crypt_internal_func, ppc64) DECLARE_FAT_FUNC(_nettle_aes_invert, aes_invert_internal_func) DECLARE_FAT_FUNC_VAR(aes_invert, aes_invert_internal_func, c) DECLARE_FAT_FUNC_VAR(aes_invert, aes_invert_internal_func, ppc64) DECLARE_FAT_FUNC(_nettle_ghash_set_key, ghash_set_key_func) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, c) DECLARE_FAT_FUNC_VAR(ghash_set_key, ghash_set_key_func, ppc64) DECLARE_FAT_FUNC(_nettle_ghash_update, ghash_update_func) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, c) DECLARE_FAT_FUNC_VAR(ghash_update, ghash_update_func, ppc64) DECLARE_FAT_FUNC(_nettle_gcm_aes_encrypt, gcm_aes_crypt_func) DECLARE_FAT_FUNC_VAR(gcm_aes_encrypt, gcm_aes_crypt_func, c) DECLARE_FAT_FUNC_VAR(gcm_aes_encrypt, gcm_aes_crypt_func, ppc64) DECLARE_FAT_FUNC(_nettle_gcm_aes_decrypt, gcm_aes_crypt_func) DECLARE_FAT_FUNC_VAR(gcm_aes_decrypt, gcm_aes_crypt_func, c) DECLARE_FAT_FUNC_VAR(gcm_aes_decrypt, gcm_aes_crypt_func, ppc64) DECLARE_FAT_FUNC(_nettle_chacha_core, chacha_core_func) DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, c); DECLARE_FAT_FUNC_VAR(chacha_core, chacha_core_func, altivec); DECLARE_FAT_FUNC(nettle_chacha_crypt, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt, chacha_crypt_func, 3core) DECLARE_FAT_FUNC(nettle_chacha_crypt32, chacha_crypt_func) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 1core) DECLARE_FAT_FUNC_VAR(chacha_crypt32, chacha_crypt_func, 3core) DECLARE_FAT_FUNC(_nettle_poly1305_set_key, poly1305_set_key_func) DECLARE_FAT_FUNC_VAR(poly1305_set_key, poly1305_set_key_func, c) DECLARE_FAT_FUNC_VAR(poly1305_set_key, poly1305_set_key_func, ppc64) DECLARE_FAT_FUNC(_nettle_poly1305_block, poly1305_block_func) DECLARE_FAT_FUNC_VAR(poly1305_block, poly1305_block_func, c) DECLARE_FAT_FUNC_VAR(poly1305_block, poly1305_block_func, ppc64) DECLARE_FAT_FUNC(_nettle_poly1305_digest, poly1305_digest_func) DECLARE_FAT_FUNC_VAR(poly1305_digest, poly1305_digest_func, c) DECLARE_FAT_FUNC_VAR(poly1305_digest, poly1305_digest_func, ppc64) DECLARE_FAT_FUNC(_nettle_poly1305_blocks, poly1305_blocks_func) DECLARE_FAT_FUNC_VAR(poly1305_blocks, poly1305_blocks_func, c) DECLARE_FAT_FUNC_VAR(poly1305_blocks, poly1305_blocks_func, ppc64) DECLARE_FAT_FUNC(_nettle_sha256_compress_n, sha256_compress_n_func) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, c) DECLARE_FAT_FUNC_VAR(sha256_compress_n, sha256_compress_n_func, ppc64) /* Nop implementation for _gcm_aes_encrypt and _gcm_aes_decrypt. */ static size_t gcm_aes_crypt_c (struct gcm_key *key UNUSED, unsigned rounds UNUSED, size_t size UNUSED, uint8_t *dst UNUSED, const uint8_t *src UNUSED) { return 0; } static void CONSTRUCTOR fat_init (void) { struct ppc_features features; int verbose; get_ppc_features (&features); verbose = getenv (ENV_VERBOSE) != NULL; if (verbose) fprintf (stderr, "libnettle: cpu features: %s\n", features.have_crypto_ext ? "crypto extensions" : ""); if (features.have_crypto_ext) { if (verbose) fprintf (stderr, "libnettle: enabling arch 2.07 code.\n"); _nettle_aes_encrypt_vec = _nettle_aes_encrypt_ppc64; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_ppc64; _nettle_aes_invert_vec = _nettle_aes_invert_ppc64; /* Make sure _nettle_ghash_set_key_vec function is compatible with _nettle_ghash_update_vec function e.g. _nettle_ghash_key_c() fills gcm_key table with values that are incompatible with _nettle_ghash_update_arm64() */ _nettle_ghash_set_key_vec = _nettle_ghash_set_key_ppc64; _nettle_ghash_update_vec = _nettle_ghash_update_ppc64; _nettle_gcm_aes_encrypt_vec = _nettle_gcm_aes_encrypt_ppc64; _nettle_gcm_aes_decrypt_vec = _nettle_gcm_aes_decrypt_ppc64; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_ppc64; } else { _nettle_aes_encrypt_vec = _nettle_aes_encrypt_c; _nettle_aes_decrypt_vec = _nettle_aes_decrypt_c; _nettle_aes_invert_vec = _nettle_aes_invert_c; _nettle_ghash_set_key_vec = _nettle_ghash_set_key_c; _nettle_ghash_update_vec = _nettle_ghash_update_c; _nettle_gcm_aes_encrypt_vec = gcm_aes_crypt_c; _nettle_gcm_aes_decrypt_vec = gcm_aes_crypt_c; _nettle_sha256_compress_n_vec = _nettle_sha256_compress_n_c; } if (features.have_altivec) { if (verbose) fprintf (stderr, "libnettle: enabling altivec code.\n"); _nettle_chacha_core_vec = _nettle_chacha_core_altivec; nettle_chacha_crypt_vec = _nettle_chacha_crypt_4core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_4core; } else { _nettle_chacha_core_vec = _nettle_chacha_core_c; nettle_chacha_crypt_vec = _nettle_chacha_crypt_1core; nettle_chacha_crypt32_vec = _nettle_chacha_crypt32_1core; } if (features.have_power9) { if (verbose) fprintf (stderr, "libnettle: enabling arch 3.00 code.\n"); _nettle_poly1305_set_key_vec = _nettle_poly1305_set_key_ppc64; _nettle_poly1305_block_vec = _nettle_poly1305_block_ppc64; _nettle_poly1305_digest_vec = _nettle_poly1305_digest_ppc64; _nettle_poly1305_blocks_vec = _nettle_poly1305_blocks_ppc64; } else { _nettle_poly1305_set_key_vec = _nettle_poly1305_set_key_c; _nettle_poly1305_block_vec = _nettle_poly1305_block_c; _nettle_poly1305_digest_vec = _nettle_poly1305_digest_c; _nettle_poly1305_blocks_vec = _nettle_poly1305_blocks_c; } } DEFINE_FAT_FUNC(_nettle_aes_encrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_aes_decrypt, void, (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src), (rounds, keys, T, length, dst, src)) DEFINE_FAT_FUNC(_nettle_aes_invert, void, (unsigned rounds, uint32_t *dst, const uint32_t *src), (rounds, dst, src)) DEFINE_FAT_FUNC(_nettle_ghash_set_key, void, (struct gcm_key *ctx, const union nettle_block16 *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_ghash_update, const uint8_t *, (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data), (ctx, state, blocks, data)) DEFINE_FAT_FUNC(_nettle_gcm_aes_encrypt, size_t, (struct gcm_key *key, unsigned rounds, size_t len, uint8_t *dst, const uint8_t *src), (key, rounds, len, dst, src)) DEFINE_FAT_FUNC(_nettle_gcm_aes_decrypt, size_t, (struct gcm_key *key, unsigned rounds, size_t len, uint8_t *dst, const uint8_t *src), (key, rounds, len, dst, src)) DEFINE_FAT_FUNC(_nettle_chacha_core, void, (uint32_t *dst, const uint32_t *src, unsigned rounds), (dst, src, rounds)) DEFINE_FAT_FUNC(nettle_chacha_crypt, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(nettle_chacha_crypt32, void, (struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src), (ctx, length, dst, src)) DEFINE_FAT_FUNC(_nettle_poly1305_set_key, void, (struct poly1305_ctx *ctx, const uint8_t *key), (ctx, key)) DEFINE_FAT_FUNC(_nettle_poly1305_block, void, (struct poly1305_ctx *ctx, const uint8_t *m, unsigned high), (ctx, m, high)) DEFINE_FAT_FUNC(_nettle_poly1305_digest, void, (struct poly1305_ctx *ctx, union nettle_block16 *s), (ctx, s)) DEFINE_FAT_FUNC(_nettle_poly1305_blocks, const uint8_t *, (struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m), (ctx, blocks, m)) DEFINE_FAT_FUNC(_nettle_sha256_compress_n, const uint8_t *, (uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input), (state, k, blocks, input)) nettle-3.10/hogweed-internal.h0000644000175000017500000000314514633602172015370 0ustar nissenisse/* hogweed-internal.h Bignum operations that are missing from gmp. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_HOGWEED_INTERNAL_H_INCLUDED #define NETTLE_HOGWEED_INTERNAL_H_INCLUDED void _nettle_generate_pocklington_prime (mpz_t p, mpz_t r, unsigned bits, int top_bits_set, void *ctx, nettle_random_func *random, const mpz_t p0, const mpz_t q, const mpz_t p0q); #define _pkcs1_signature_prefix _nettle_pkcs1_signature_prefix uint8_t * _pkcs1_signature_prefix(unsigned key_size, uint8_t *buffer, unsigned id_size, const uint8_t *id, unsigned digest_size); #endif /* NETTLE_HOGWEED_INTERNAL_H_INCLUDED */ nettle-3.10/config.sub0000755000175000017500000010775614633602172013763 0ustar nissenisse#! /bin/sh # Configuration validation subroutine script. # Copyright 1992-2024 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268 # see below for rationale timestamp='2024-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # Please send patches to . # # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: # https://git.savannah.gnu.org/cgit/config.git/plain/config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. # Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. # The "shellcheck disable" line above the timestamp inhibits complaints # about features and limitations of the classic Bourne shell that were # superseded or lifted in POSIX. However, this script identifies a wide # variety of pre-POSIX systems that do not have POSIX shells at all, and # even some reasonably current systems (Solaris 10 as case-in-point) still # have a pre-POSIX /bin/sh. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.sub ($timestamp) Copyright 1992-2024 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try '$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; *local*) # First pass through any local machine types. echo "$1" exit ;; * ) break ;; esac done case $# in 0) echo "$me: missing argument$help" >&2 exit 1;; 1) ;; *) echo "$me: too many arguments$help" >&2 exit 1;; esac # Split fields of configuration type # shellcheck disable=SC2162 saved_IFS=$IFS IFS="-" read field1 field2 field3 field4 <&2 exit 1 ;; *-*-*-*) basic_machine=$field1-$field2 basic_os=$field3-$field4 ;; *-*-*) # Ambiguous whether COMPANY is present, or skipped and KERNEL-OS is two # parts maybe_os=$field2-$field3 case $maybe_os in nto-qnx* | linux-* | uclinux-uclibc* \ | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ | storm-chaos* | os2-emx* | rtmk-nova* | managarm-* \ | windows-* ) basic_machine=$field1 basic_os=$maybe_os ;; android-linux) basic_machine=$field1-unknown basic_os=linux-android ;; *) basic_machine=$field1-$field2 basic_os=$field3 ;; esac ;; *-*) # A lone config we happen to match not fitting any pattern case $field1-$field2 in decstation-3100) basic_machine=mips-dec basic_os= ;; *-*) # Second component is usually, but not always the OS case $field2 in # Prevent following clause from handling this valid os sun*os*) basic_machine=$field1 basic_os=$field2 ;; zephyr*) basic_machine=$field1-unknown basic_os=$field2 ;; # Manufacturers dec* | mips* | sequent* | encore* | pc533* | sgi* | sony* \ | att* | 7300* | 3300* | delta* | motorola* | sun[234]* \ | unicom* | ibm* | next | hp | isi* | apollo | altos* \ | convergent* | ncr* | news | 32* | 3600* | 3100* \ | hitachi* | c[123]* | convex* | sun | crds | omron* | dg \ | ultra | tti* | harris | dolphin | highlevel | gould \ | cbm | ns | masscomp | apple | axis | knuth | cray \ | microblaze* | sim | cisco \ | oki | wec | wrs | winbond) basic_machine=$field1-$field2 basic_os= ;; *) basic_machine=$field1 basic_os=$field2 ;; esac ;; esac ;; *) # Convert single-component short-hands not valid as part of # multi-component configurations. case $field1 in 386bsd) basic_machine=i386-pc basic_os=bsd ;; a29khif) basic_machine=a29k-amd basic_os=udi ;; adobe68k) basic_machine=m68010-adobe basic_os=scout ;; alliant) basic_machine=fx80-alliant basic_os= ;; altos | altos3068) basic_machine=m68k-altos basic_os= ;; am29k) basic_machine=a29k-none basic_os=bsd ;; amdahl) basic_machine=580-amdahl basic_os=sysv ;; amiga) basic_machine=m68k-unknown basic_os= ;; amigaos | amigados) basic_machine=m68k-unknown basic_os=amigaos ;; amigaunix | amix) basic_machine=m68k-unknown basic_os=sysv4 ;; apollo68) basic_machine=m68k-apollo basic_os=sysv ;; apollo68bsd) basic_machine=m68k-apollo basic_os=bsd ;; aros) basic_machine=i386-pc basic_os=aros ;; aux) basic_machine=m68k-apple basic_os=aux ;; balance) basic_machine=ns32k-sequent basic_os=dynix ;; blackfin) basic_machine=bfin-unknown basic_os=linux ;; cegcc) basic_machine=arm-unknown basic_os=cegcc ;; convex-c1) basic_machine=c1-convex basic_os=bsd ;; convex-c2) basic_machine=c2-convex basic_os=bsd ;; convex-c32) basic_machine=c32-convex basic_os=bsd ;; convex-c34) basic_machine=c34-convex basic_os=bsd ;; convex-c38) basic_machine=c38-convex basic_os=bsd ;; cray) basic_machine=j90-cray basic_os=unicos ;; crds | unos) basic_machine=m68k-crds basic_os= ;; da30) basic_machine=m68k-da30 basic_os= ;; decstation | pmax | pmin | dec3100 | decstatn) basic_machine=mips-dec basic_os= ;; delta88) basic_machine=m88k-motorola basic_os=sysv3 ;; dicos) basic_machine=i686-pc basic_os=dicos ;; djgpp) basic_machine=i586-pc basic_os=msdosdjgpp ;; ebmon29k) basic_machine=a29k-amd basic_os=ebmon ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson basic_os=ose ;; gmicro) basic_machine=tron-gmicro basic_os=sysv ;; go32) basic_machine=i386-pc basic_os=go32 ;; h8300hms) basic_machine=h8300-hitachi basic_os=hms ;; h8300xray) basic_machine=h8300-hitachi basic_os=xray ;; h8500hms) basic_machine=h8500-hitachi basic_os=hms ;; harris) basic_machine=m88k-harris basic_os=sysv3 ;; hp300 | hp300hpux) basic_machine=m68k-hp basic_os=hpux ;; hp300bsd) basic_machine=m68k-hp basic_os=bsd ;; hppaosf) basic_machine=hppa1.1-hp basic_os=osf ;; hppro) basic_machine=hppa1.1-hp basic_os=proelf ;; i386mach) basic_machine=i386-mach basic_os=mach ;; isi68 | isi) basic_machine=m68k-isi basic_os=sysv ;; m68knommu) basic_machine=m68k-unknown basic_os=linux ;; magnum | m3230) basic_machine=mips-mips basic_os=sysv ;; merlin) basic_machine=ns32k-utek basic_os=sysv ;; mingw64) basic_machine=x86_64-pc basic_os=mingw64 ;; mingw32) basic_machine=i686-pc basic_os=mingw32 ;; mingw32ce) basic_machine=arm-unknown basic_os=mingw32ce ;; monitor) basic_machine=m68k-rom68k basic_os=coff ;; morphos) basic_machine=powerpc-unknown basic_os=morphos ;; moxiebox) basic_machine=moxie-unknown basic_os=moxiebox ;; msdos) basic_machine=i386-pc basic_os=msdos ;; msys) basic_machine=i686-pc basic_os=msys ;; mvs) basic_machine=i370-ibm basic_os=mvs ;; nacl) basic_machine=le32-unknown basic_os=nacl ;; ncr3000) basic_machine=i486-ncr basic_os=sysv4 ;; netbsd386) basic_machine=i386-pc basic_os=netbsd ;; netwinder) basic_machine=armv4l-rebel basic_os=linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony basic_os=newsos ;; news1000) basic_machine=m68030-sony basic_os=newsos ;; necv70) basic_machine=v70-nec basic_os=sysv ;; nh3000) basic_machine=m68k-harris basic_os=cxux ;; nh[45]000) basic_machine=m88k-harris basic_os=cxux ;; nindy960) basic_machine=i960-intel basic_os=nindy ;; mon960) basic_machine=i960-intel basic_os=mon960 ;; nonstopux) basic_machine=mips-compaq basic_os=nonstopux ;; os400) basic_machine=powerpc-ibm basic_os=os400 ;; OSE68000 | ose68000) basic_machine=m68000-ericsson basic_os=ose ;; os68k) basic_machine=m68k-none basic_os=os68k ;; paragon) basic_machine=i860-intel basic_os=osf ;; parisc) basic_machine=hppa-unknown basic_os=linux ;; psp) basic_machine=mipsallegrexel-sony basic_os=psp ;; pw32) basic_machine=i586-unknown basic_os=pw32 ;; rdos | rdos64) basic_machine=x86_64-pc basic_os=rdos ;; rdos32) basic_machine=i386-pc basic_os=rdos ;; rom68k) basic_machine=m68k-rom68k basic_os=coff ;; sa29200) basic_machine=a29k-amd basic_os=udi ;; sei) basic_machine=mips-sei basic_os=seiux ;; sequent) basic_machine=i386-sequent basic_os= ;; sps7) basic_machine=m68k-bull basic_os=sysv2 ;; st2000) basic_machine=m68k-tandem basic_os= ;; stratus) basic_machine=i860-stratus basic_os=sysv4 ;; sun2) basic_machine=m68000-sun basic_os= ;; sun2os3) basic_machine=m68000-sun basic_os=sunos3 ;; sun2os4) basic_machine=m68000-sun basic_os=sunos4 ;; sun3) basic_machine=m68k-sun basic_os= ;; sun3os3) basic_machine=m68k-sun basic_os=sunos3 ;; sun3os4) basic_machine=m68k-sun basic_os=sunos4 ;; sun4) basic_machine=sparc-sun basic_os= ;; sun4os3) basic_machine=sparc-sun basic_os=sunos3 ;; sun4os4) basic_machine=sparc-sun basic_os=sunos4 ;; sun4sol2) basic_machine=sparc-sun basic_os=solaris2 ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun basic_os= ;; sv1) basic_machine=sv1-cray basic_os=unicos ;; symmetry) basic_machine=i386-sequent basic_os=dynix ;; t3e) basic_machine=alphaev5-cray basic_os=unicos ;; t90) basic_machine=t90-cray basic_os=unicos ;; toad1) basic_machine=pdp10-xkl basic_os=tops20 ;; tpf) basic_machine=s390x-ibm basic_os=tpf ;; udi29k) basic_machine=a29k-amd basic_os=udi ;; ultra3) basic_machine=a29k-nyu basic_os=sym1 ;; v810 | necv810) basic_machine=v810-nec basic_os=none ;; vaxv) basic_machine=vax-dec basic_os=sysv ;; vms) basic_machine=vax-dec basic_os=vms ;; vsta) basic_machine=i386-pc basic_os=vsta ;; vxworks960) basic_machine=i960-wrs basic_os=vxworks ;; vxworks68) basic_machine=m68k-wrs basic_os=vxworks ;; vxworks29k) basic_machine=a29k-wrs basic_os=vxworks ;; xbox) basic_machine=i686-pc basic_os=mingw32 ;; ymp) basic_machine=ymp-cray basic_os=unicos ;; *) basic_machine=$1 basic_os= ;; esac ;; esac # Decode 1-component or ad-hoc basic machines case $basic_machine in # Here we handle the default manufacturer of certain CPU types. It is in # some cases the only manufacturer, in others, it is the most popular. w89k) cpu=hppa1.1 vendor=winbond ;; op50n) cpu=hppa1.1 vendor=oki ;; op60c) cpu=hppa1.1 vendor=oki ;; ibm*) cpu=i370 vendor=ibm ;; orion105) cpu=clipper vendor=highlevel ;; mac | mpw | mac-mpw) cpu=m68k vendor=apple ;; pmac | pmac-mpw) cpu=powerpc vendor=apple ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) cpu=m68000 vendor=att ;; 3b*) cpu=we32k vendor=att ;; bluegene*) cpu=powerpc vendor=ibm basic_os=cnk ;; decsystem10* | dec10*) cpu=pdp10 vendor=dec basic_os=tops10 ;; decsystem20* | dec20*) cpu=pdp10 vendor=dec basic_os=tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) cpu=m68k vendor=motorola ;; dpx2*) cpu=m68k vendor=bull basic_os=sysv3 ;; encore | umax | mmax) cpu=ns32k vendor=encore ;; elxsi) cpu=elxsi vendor=elxsi basic_os=${basic_os:-bsd} ;; fx2800) cpu=i860 vendor=alliant ;; genix) cpu=ns32k vendor=ns ;; h3050r* | hiux*) cpu=hppa1.1 vendor=hitachi basic_os=hiuxwe2 ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) cpu=hppa1.0 vendor=hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) cpu=m68000 vendor=hp ;; hp9k3[2-9][0-9]) cpu=m68k vendor=hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) cpu=hppa1.0 vendor=hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) cpu=hppa1.1 vendor=hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp cpu=hppa1.1 vendor=hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp cpu=hppa1.1 vendor=hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) cpu=hppa1.1 vendor=hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) cpu=hppa1.0 vendor=hp ;; i*86v32) cpu=`echo "$1" | sed -e 's/86.*/86/'` vendor=pc basic_os=sysv32 ;; i*86v4*) cpu=`echo "$1" | sed -e 's/86.*/86/'` vendor=pc basic_os=sysv4 ;; i*86v) cpu=`echo "$1" | sed -e 's/86.*/86/'` vendor=pc basic_os=sysv ;; i*86sol2) cpu=`echo "$1" | sed -e 's/86.*/86/'` vendor=pc basic_os=solaris2 ;; j90 | j90-cray) cpu=j90 vendor=cray basic_os=${basic_os:-unicos} ;; iris | iris4d) cpu=mips vendor=sgi case $basic_os in irix*) ;; *) basic_os=irix4 ;; esac ;; miniframe) cpu=m68000 vendor=convergent ;; *mint | mint[0-9]* | *MiNT | *MiNT[0-9]*) cpu=m68k vendor=atari basic_os=mint ;; news-3600 | risc-news) cpu=mips vendor=sony basic_os=newsos ;; next | m*-next) cpu=m68k vendor=next case $basic_os in openstep*) ;; nextstep*) ;; ns2*) basic_os=nextstep2 ;; *) basic_os=nextstep3 ;; esac ;; np1) cpu=np1 vendor=gould ;; op50n-* | op60c-*) cpu=hppa1.1 vendor=oki basic_os=proelf ;; pa-hitachi) cpu=hppa1.1 vendor=hitachi basic_os=hiuxwe2 ;; pbd) cpu=sparc vendor=tti ;; pbb) cpu=m68k vendor=tti ;; pc532) cpu=ns32k vendor=pc532 ;; pn) cpu=pn vendor=gould ;; power) cpu=power vendor=ibm ;; ps2) cpu=i386 vendor=ibm ;; rm[46]00) cpu=mips vendor=siemens ;; rtpc | rtpc-*) cpu=romp vendor=ibm ;; sde) cpu=mipsisa32 vendor=sde basic_os=${basic_os:-elf} ;; simso-wrs) cpu=sparclite vendor=wrs basic_os=vxworks ;; tower | tower-32) cpu=m68k vendor=ncr ;; vpp*|vx|vx-*) cpu=f301 vendor=fujitsu ;; w65) cpu=w65 vendor=wdc ;; w89k-*) cpu=hppa1.1 vendor=winbond basic_os=proelf ;; none) cpu=none vendor=none ;; leon|leon[3-9]) cpu=sparc vendor=$basic_machine ;; leon-*|leon[3-9]-*) cpu=sparc vendor=`echo "$basic_machine" | sed 's/-.*//'` ;; *-*) # shellcheck disable=SC2162 saved_IFS=$IFS IFS="-" read cpu vendor <&2 exit 1 ;; esac ;; esac # Here we canonicalize certain aliases for manufacturers. case $vendor in digital*) vendor=dec ;; commodore*) vendor=cbm ;; *) ;; esac # Decode manufacturer-specific aliases for certain operating systems. if test x"$basic_os" != x then # First recognize some ad-hoc cases, or perhaps split kernel-os, or else just # set os. obj= case $basic_os in gnu/linux*) kernel=linux os=`echo "$basic_os" | sed -e 's|gnu/linux|gnu|'` ;; os2-emx) kernel=os2 os=`echo "$basic_os" | sed -e 's|os2-emx|emx|'` ;; nto-qnx*) kernel=nto os=`echo "$basic_os" | sed -e 's|nto-qnx|qnx|'` ;; *-*) # shellcheck disable=SC2162 saved_IFS=$IFS IFS="-" read kernel os <&2 fi ;; *) echo "Invalid configuration '$1': OS '$os' not recognized" 1>&2 exit 1 ;; esac case $obj in aout* | coff* | elf* | pe*) ;; '') # empty is fine ;; *) echo "Invalid configuration '$1': Machine code format '$obj' not recognized" 1>&2 exit 1 ;; esac # Here we handle the constraint that a (synthetic) cpu and os are # valid only in combination with each other and nowhere else. case $cpu-$os in # The "javascript-unknown-ghcjs" triple is used by GHC; we # accept it here in order to tolerate that, but reject any # variations. javascript-ghcjs) ;; javascript-* | *-ghcjs) echo "Invalid configuration '$1': cpu '$cpu' is not valid with os '$os$obj'" 1>&2 exit 1 ;; esac # As a final step for OS-related things, validate the OS-kernel combination # (given a valid OS), if there is a kernel. case $kernel-$os-$obj in linux-gnu*- | linux-android*- | linux-dietlibc*- | linux-llvm*- \ | linux-mlibc*- | linux-musl*- | linux-newlib*- \ | linux-relibc*- | linux-uclibc*- ) ;; uclinux-uclibc*- ) ;; managarm-mlibc*- | managarm-kernel*- ) ;; windows*-msvc*-) ;; -dietlibc*- | -llvm*- | -mlibc*- | -musl*- | -newlib*- | -relibc*- \ | -uclibc*- ) # These are just libc implementations, not actual OSes, and thus # require a kernel. echo "Invalid configuration '$1': libc '$os' needs explicit kernel." 1>&2 exit 1 ;; -kernel*- ) echo "Invalid configuration '$1': '$os' needs explicit kernel." 1>&2 exit 1 ;; *-kernel*- ) echo "Invalid configuration '$1': '$kernel' does not support '$os'." 1>&2 exit 1 ;; *-msvc*- ) echo "Invalid configuration '$1': '$os' needs 'windows'." 1>&2 exit 1 ;; kfreebsd*-gnu*- | kopensolaris*-gnu*-) ;; vxworks-simlinux- | vxworks-simwindows- | vxworks-spe-) ;; nto-qnx*-) ;; os2-emx-) ;; *-eabi*- | *-gnueabi*-) ;; none--*) # None (no kernel, i.e. freestanding / bare metal), # can be paired with an machine code file format ;; -*-) # Blank kernel with real OS is always fine. ;; --*) # Blank kernel and OS with real machine code file format is always fine. ;; *-*-*) echo "Invalid configuration '$1': Kernel '$kernel' not known to work with OS '$os'." 1>&2 exit 1 ;; esac # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. case $vendor in unknown) case $cpu-$os in *-riscix*) vendor=acorn ;; *-sunos*) vendor=sun ;; *-cnk* | *-aix*) vendor=ibm ;; *-beos*) vendor=be ;; *-hpux*) vendor=hp ;; *-mpeix*) vendor=hp ;; *-hiux*) vendor=hitachi ;; *-unos*) vendor=crds ;; *-dgux*) vendor=dg ;; *-luna*) vendor=omron ;; *-genix*) vendor=ns ;; *-clix*) vendor=intergraph ;; *-mvs* | *-opened*) vendor=ibm ;; *-os400*) vendor=ibm ;; s390-* | s390x-*) vendor=ibm ;; *-ptx*) vendor=sequent ;; *-tpf*) vendor=ibm ;; *-vxsim* | *-vxworks* | *-windiss*) vendor=wrs ;; *-aux*) vendor=apple ;; *-hms*) vendor=hitachi ;; *-mpw* | *-macos*) vendor=apple ;; *-*mint | *-mint[0-9]* | *-*MiNT | *-MiNT[0-9]*) vendor=atari ;; *-vos*) vendor=stratus ;; esac ;; esac echo "$cpu-$vendor${kernel:+-$kernel}${os:+-$os}${obj:+-$obj}" exit # Local variables: # eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: nettle-3.10/siv-gcm-aes128.c0000644000175000017500000000353114633602171014473 0ustar nissenisse/* siv-gcm-aes128.c AES-GCM-SIV, RFC8452 Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "siv-gcm.h" void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { struct aes128_ctx ctr_ctx; siv_gcm_encrypt_message (&nettle_aes128, ctx, &ctr_ctx, nlength, nonce, alength, adata, clength, dst, src); } int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { struct aes128_ctx ctr_ctx; return siv_gcm_decrypt_message (&nettle_aes128, ctx, &ctr_ctx, nlength, nonce, alength, adata, mlength, dst, src); } nettle-3.10/ecc-dup-th.c0000644000175000017500000000565314633602171014065 0ustar nissenisse/* ecc-dup-th.c Copyright (C) 2014, 2019 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" /* Double a point on a twisted Edwards curve, in homogeneous coordinates */ void ecc_dup_th (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch) { #define x1 p #define y1 (p + ecc->p.size) #define z1 (p + 2*ecc->p.size) #define x2 r #define y2 (r + ecc->p.size) #define z2 (r + 2*ecc->p.size) /* Formulas (from djb, http://www.hyperelliptic.org/EFD/g1p/auto-twisted-projective.html#doubling-dbl-2008-bbjlp): B = (X1+Y1)^2 C = X1^2 D = Y1^2 (E = a*C = -C) F = E+D H = Z1^2 J = F-2*H X3 = (B-C-D)*J Y3 = F*(E-D) Z3 = F*J (-C+D)*(-C+D - 2Z1^2) In the formula for Y3, we have E - D = -(C+D). To avoid explicit negation, negate all of X3, Y3, Z3, and use Computation Operation Live variables B = (X1+Y1)^2 sqr B C = X1^2 sqr B, C D = Y1^2 sqr B, C, D F = -C+D B, C, D, F H = Z1^2 sqr B, C, D, F, H J = 2*H - F B, C, D, F, J X3 = (B-C-D)*J mul C, F, J (Replace C <-- C+D) Y3 = F*(C+D) mul F, J Z3 = F*J mul 3M+4S */ #define C scratch #define D (scratch + 1*ecc->p.size) #define B (scratch + 2*ecc->p.size) #define F C ecc_mod_sqr (&ecc->p, C, x1, C); /* C */ ecc_mod_sqr (&ecc->p, D, y1, D); /* C, D */ ecc_mod_add (&ecc->p, B, x1, y1); ecc_mod_sqr (&ecc->p, B, B, x2); /* C, D, B */ /* C+D stored at y' */ ecc_mod_add (&ecc->p, y2, C, D); /* B - C - C stored at x' */ ecc_mod_sub (&ecc->p, x2, B, y2); ecc_mod_sub (&ecc->p, F, D, C); /* F */ /* Use D as scratch for the following multiplies. */ ecc_mod_mul (&ecc->p, y2, y2, F, D); /* H and J stored at z' */ ecc_mod_sqr (&ecc->p, z2, z1, D); ecc_mod_add (&ecc->p, z2, z2, z2); ecc_mod_sub (&ecc->p, z2, z2, F); ecc_mod_mul (&ecc->p, x2, x2, z2, D); ecc_mod_mul (&ecc->p, z2, z2, F, D); } nettle-3.10/twofish.c0000644000175000017500000003541614633602171013617 0ustar nissenisse/* twofish.c The twofish block cipher. Copyright (C) 2001, 2014 Niels Möller Copyright (C) 1999 Ruud de Rooij Modifications for lsh, integrated testing Copyright (C) 1999 J.H.M. Dassen (Ray) This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "twofish.h" #include "macros.h" /* Bitwise rotations on 32-bit words. These are defined as macros that * evaluate their argument twice, so do not apply to any expressions with * side effects. */ #define rol1(x) (((x) << 1) | (((x) & 0x80000000) >> 31)) #define rol8(x) (((x) << 8) | (((x) & 0xFF000000) >> 24)) #define rol9(x) (((x) << 9) | (((x) & 0xFF800000) >> 23)) #define ror1(x) (((x) >> 1) | (((x) & 0x00000001) << 31)) /* ------------------------------------------------------------------------- */ /* The permutations q0 and q1. These are fixed permutations on 8-bit values. * The permutations have been computed using the program twofish-data, * which is distributed along with this file. */ static const uint8_t q0[256] = { 0xA9,0x67,0xB3,0xE8,0x04,0xFD,0xA3,0x76, 0x9A,0x92,0x80,0x78,0xE4,0xDD,0xD1,0x38, 0x0D,0xC6,0x35,0x98,0x18,0xF7,0xEC,0x6C, 0x43,0x75,0x37,0x26,0xFA,0x13,0x94,0x48, 0xF2,0xD0,0x8B,0x30,0x84,0x54,0xDF,0x23, 0x19,0x5B,0x3D,0x59,0xF3,0xAE,0xA2,0x82, 0x63,0x01,0x83,0x2E,0xD9,0x51,0x9B,0x7C, 0xA6,0xEB,0xA5,0xBE,0x16,0x0C,0xE3,0x61, 0xC0,0x8C,0x3A,0xF5,0x73,0x2C,0x25,0x0B, 0xBB,0x4E,0x89,0x6B,0x53,0x6A,0xB4,0xF1, 0xE1,0xE6,0xBD,0x45,0xE2,0xF4,0xB6,0x66, 0xCC,0x95,0x03,0x56,0xD4,0x1C,0x1E,0xD7, 0xFB,0xC3,0x8E,0xB5,0xE9,0xCF,0xBF,0xBA, 0xEA,0x77,0x39,0xAF,0x33,0xC9,0x62,0x71, 0x81,0x79,0x09,0xAD,0x24,0xCD,0xF9,0xD8, 0xE5,0xC5,0xB9,0x4D,0x44,0x08,0x86,0xE7, 0xA1,0x1D,0xAA,0xED,0x06,0x70,0xB2,0xD2, 0x41,0x7B,0xA0,0x11,0x31,0xC2,0x27,0x90, 0x20,0xF6,0x60,0xFF,0x96,0x5C,0xB1,0xAB, 0x9E,0x9C,0x52,0x1B,0x5F,0x93,0x0A,0xEF, 0x91,0x85,0x49,0xEE,0x2D,0x4F,0x8F,0x3B, 0x47,0x87,0x6D,0x46,0xD6,0x3E,0x69,0x64, 0x2A,0xCE,0xCB,0x2F,0xFC,0x97,0x05,0x7A, 0xAC,0x7F,0xD5,0x1A,0x4B,0x0E,0xA7,0x5A, 0x28,0x14,0x3F,0x29,0x88,0x3C,0x4C,0x02, 0xB8,0xDA,0xB0,0x17,0x55,0x1F,0x8A,0x7D, 0x57,0xC7,0x8D,0x74,0xB7,0xC4,0x9F,0x72, 0x7E,0x15,0x22,0x12,0x58,0x07,0x99,0x34, 0x6E,0x50,0xDE,0x68,0x65,0xBC,0xDB,0xF8, 0xC8,0xA8,0x2B,0x40,0xDC,0xFE,0x32,0xA4, 0xCA,0x10,0x21,0xF0,0xD3,0x5D,0x0F,0x00, 0x6F,0x9D,0x36,0x42,0x4A,0x5E,0xC1,0xE0, }; static const uint8_t q1[256] = { 0x75,0xF3,0xC6,0xF4,0xDB,0x7B,0xFB,0xC8, 0x4A,0xD3,0xE6,0x6B,0x45,0x7D,0xE8,0x4B, 0xD6,0x32,0xD8,0xFD,0x37,0x71,0xF1,0xE1, 0x30,0x0F,0xF8,0x1B,0x87,0xFA,0x06,0x3F, 0x5E,0xBA,0xAE,0x5B,0x8A,0x00,0xBC,0x9D, 0x6D,0xC1,0xB1,0x0E,0x80,0x5D,0xD2,0xD5, 0xA0,0x84,0x07,0x14,0xB5,0x90,0x2C,0xA3, 0xB2,0x73,0x4C,0x54,0x92,0x74,0x36,0x51, 0x38,0xB0,0xBD,0x5A,0xFC,0x60,0x62,0x96, 0x6C,0x42,0xF7,0x10,0x7C,0x28,0x27,0x8C, 0x13,0x95,0x9C,0xC7,0x24,0x46,0x3B,0x70, 0xCA,0xE3,0x85,0xCB,0x11,0xD0,0x93,0xB8, 0xA6,0x83,0x20,0xFF,0x9F,0x77,0xC3,0xCC, 0x03,0x6F,0x08,0xBF,0x40,0xE7,0x2B,0xE2, 0x79,0x0C,0xAA,0x82,0x41,0x3A,0xEA,0xB9, 0xE4,0x9A,0xA4,0x97,0x7E,0xDA,0x7A,0x17, 0x66,0x94,0xA1,0x1D,0x3D,0xF0,0xDE,0xB3, 0x0B,0x72,0xA7,0x1C,0xEF,0xD1,0x53,0x3E, 0x8F,0x33,0x26,0x5F,0xEC,0x76,0x2A,0x49, 0x81,0x88,0xEE,0x21,0xC4,0x1A,0xEB,0xD9, 0xC5,0x39,0x99,0xCD,0xAD,0x31,0x8B,0x01, 0x18,0x23,0xDD,0x1F,0x4E,0x2D,0xF9,0x48, 0x4F,0xF2,0x65,0x8E,0x78,0x5C,0x58,0x19, 0x8D,0xE5,0x98,0x57,0x67,0x7F,0x05,0x64, 0xAF,0x63,0xB6,0xFE,0xF5,0xB7,0x3C,0xA5, 0xCE,0xE9,0x68,0x44,0xE0,0x4D,0x43,0x69, 0x29,0x2E,0xAC,0x15,0x59,0xA8,0x0A,0x9E, 0x6E,0x47,0xDF,0x34,0x35,0x6A,0xCF,0xDC, 0x22,0xC9,0xC0,0x9B,0x89,0xD4,0xED,0xAB, 0x12,0xA2,0x0D,0x52,0xBB,0x02,0x2F,0xA9, 0xD7,0x61,0x1E,0xB4,0x50,0x04,0xF6,0xC2, 0x16,0x25,0x86,0x56,0x55,0x09,0xBE,0x91, }; /* ------------------------------------------------------------------------- */ /* uint32_t gf_multiply(uint8_t p, uint8_t a, uint8_t b) * * Multiplication in GF(2^8). Larger return type, to avoid need for * type casts when the return value is shifted left. * * This function multiplies a times b in the Galois Field GF(2^8) with * primitive polynomial p. * The representation of the polynomials a, b, and p uses bits with * values 2^i to represent the terms x^i. The polynomial p contains an * implicit term x^8. * * Note that addition and subtraction in GF(2^8) is simply the XOR * operation. */ static uint32_t gf_multiply(uint8_t p, uint8_t a, uint8_t b) { uint32_t shift = b; uint8_t result = 0; while (a) { if (a & 1) result ^= shift; a = a >> 1; shift = shift << 1; if (shift & 0x100) shift ^= p; } return result; } /* ------------------------------------------------------------------------- */ /* The matrix RS as specified in section 4.3 the twofish paper. */ static const uint8_t rs_matrix[4][8] = { { 0x01, 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E }, { 0xA4, 0x56, 0x82, 0xF3, 0x1E, 0xC6, 0x68, 0xE5 }, { 0x02, 0xA1, 0xFC, 0xC1, 0x47, 0xAE, 0x3D, 0x19 }, { 0xA4, 0x55, 0x87, 0x5A, 0x58, 0xDB, 0x9E, 0x03 } }; /* uint32_t compute_s(uint32_t m1, uint32_t m2); * * Computes the value RS * M, where M is a byte vector composed of the * bytes of m1 and m2. Arithmetic is done in GF(2^8) with primitive * polynomial x^8 + x^6 + x^3 + x^2 + 1. * * This function is used to compute the sub-keys S which are in turn used * to generate the S-boxes. */ static uint32_t compute_s(uint32_t m1, uint32_t m2) { uint32_t s = 0; int i; for (i = 0; i < 4; i++) s |= (( gf_multiply(0x4D, m1, rs_matrix[i][0]) ^ gf_multiply(0x4D, m1 >> 8, rs_matrix[i][1]) ^ gf_multiply(0x4D, m1 >> 16, rs_matrix[i][2]) ^ gf_multiply(0x4D, m1 >> 24, rs_matrix[i][3]) ^ gf_multiply(0x4D, m2, rs_matrix[i][4]) ^ gf_multiply(0x4D, m2 >> 8, rs_matrix[i][5]) ^ gf_multiply(0x4D, m2 >> 16, rs_matrix[i][6]) ^ gf_multiply(0x4D, m2 >> 24, rs_matrix[i][7])) << (i*8)); return s; } /* ------------------------------------------------------------------------- */ /* This table describes which q S-boxes are used for each byte in each stage * of the function h, cf. figure 2 of the twofish paper. */ static const uint8_t * const q_table[4][5] = { { q1, q1, q0, q0, q1 }, { q0, q1, q1, q0, q0 }, { q0, q0, q0, q1, q1 }, { q1, q0, q1, q1, q0 } }; /* The matrix MDS as specified in section 4.3.2 of the twofish paper. */ static const uint8_t mds_matrix[4][4] = { { 0x01, 0xEF, 0x5B, 0x5B }, { 0x5B, 0xEF, 0xEF, 0x01 }, { 0xEF, 0x5B, 0x01, 0xEF }, { 0xEF, 0x01, 0xEF, 0x5B } }; /* uint32_t h_uint8_t(int k, int i, uint8_t x, uint8_t l0, uint8_t l1, uint8_t l2, uint8_t l3); * * Perform the h function (section 4.3.2) on one byte. It consists of * repeated applications of the q permutation, followed by a XOR with * part of a sub-key. Finally, the value is multiplied by one column of * the MDS matrix. To obtain the result for a full word, the results of * h for the individual bytes are XORed. * * k is the key size (/ 64 bits), i is the byte number (0 = LSB), x is the * actual byte to apply the function to; l0, l1, l2, and l3 are the * appropriate bytes from the subkey. Note that only l0..l(k-1) are used. */ static uint32_t h_byte(int k, int i, uint8_t x, uint8_t l0, uint8_t l1, uint8_t l2, uint8_t l3) { uint8_t y = q_table[i][4][l0 ^ q_table[i][3][l1 ^ q_table[i][2][k == 2 ? x : l2 ^ q_table[i][1][k == 3 ? x : l3 ^ q_table[i][0][x]]]]]; return ( (gf_multiply(0x69, mds_matrix[0][i], y)) | (gf_multiply(0x69, mds_matrix[1][i], y) << 8) | (gf_multiply(0x69, mds_matrix[2][i], y) << 16) | (gf_multiply(0x69, mds_matrix[3][i], y) << 24) ); } /* uint32_t h(int k, uint8_t x, uint32_t l0, uint32_t l1, uint32_t l2, uint32_t l3); * * Perform the function h on a word. See the description of h_byte() above. */ static uint32_t h(int k, uint8_t x, uint32_t l0, uint32_t l1, uint32_t l2, uint32_t l3) { return ( h_byte(k, 0, x, l0, l1, l2, l3) ^ h_byte(k, 1, x, l0 >> 8, l1 >> 8, l2 >> 8, l3 >> 8) ^ h_byte(k, 2, x, l0 >> 16, l1 >> 16, l2 >> 16, l3 >> 16) ^ h_byte(k, 3, x, l0 >> 24, l1 >> 24, l2 >> 24, l3 >> 24) ); } /* ------------------------------------------------------------------------- */ /* API */ /* Structure which contains the tables containing the subkeys and the * key-dependent s-boxes. */ /* Set up internal tables required for twofish encryption and decryption. * * The key size is specified in bytes. Key sizes up to 32 bytes are * supported. Larger key sizes are silently truncated. */ void twofish_set_key(struct twofish_ctx *context, size_t keysize, const uint8_t *key) { uint8_t key_copy[32]; uint32_t m[8], s[4], t; int i, j, k; /* Extend key as necessary */ assert(keysize <= 32); /* We do a little more copying than necessary, but that doesn't * really matter. */ memset(key_copy, 0, 32); memcpy(key_copy, key, keysize); for (i = 0; i<8; i++) m[i] = LE_READ_UINT32(key_copy + i*4); if (keysize <= 16) k = 2; else if (keysize <= 24) k = 3; else k = 4; /* Compute sub-keys */ for (i = 0; i < 20; i++) { t = h(k, 2*i+1, m[1], m[3], m[5], m[7]); t = rol8(t); t += (context->keys[2*i] = t + h(k, 2*i, m[0], m[2], m[4], m[6])); t = rol9(t); context->keys[2*i+1] = t; } /* Compute key-dependent S-boxes */ for (i = 0; i < k; i++) s[k-1-i] = compute_s(m[2*i], m[2*i+1]); for (i = 0; i < 4; i++) for (j = 0; j < 256; j++) context->s_box[i][j] = h_byte(k, i, j, s[0] >> (i*8), s[1] >> (i*8), s[2] >> (i*8), s[3] >> (i*8)); } void twofish128_set_key(struct twofish_ctx *context, const uint8_t *key) { twofish_set_key (context, TWOFISH128_KEY_SIZE, key); } void twofish192_set_key(struct twofish_ctx *context, const uint8_t *key) { twofish_set_key (context, TWOFISH192_KEY_SIZE, key); } void twofish256_set_key(struct twofish_ctx *context, const uint8_t *key) { twofish_set_key (context, TWOFISH256_KEY_SIZE, key); } /* Encrypt blocks of 16 bytes of data with the twofish algorithm. * * Before this function can be used, twofish_set_key() must be used in order to * set up various tables required for the encryption algorithm. * * This function always encrypts 16 bytes of plaintext to 16 bytes of * ciphertext. The memory areas of the plaintext and the ciphertext can * overlap. */ void twofish_encrypt(const struct twofish_ctx *context, size_t length, uint8_t *ciphertext, const uint8_t *plaintext) { const uint32_t * keys = context->keys; const uint32_t (*s_box)[256] = context->s_box; assert( !(length % TWOFISH_BLOCK_SIZE) ); for ( ; length; length -= TWOFISH_BLOCK_SIZE) { uint32_t words[4]; uint32_t r0, r1, r2, r3, t0, t1; int i; for (i = 0; i<4; i++, plaintext += 4) words[i] = LE_READ_UINT32(plaintext); r0 = words[0] ^ keys[0]; r1 = words[1] ^ keys[1]; r2 = words[2] ^ keys[2]; r3 = words[3] ^ keys[3]; for (i = 0; i < 8; i++) { t1 = ( s_box[1][r1 & 0xFF] ^ s_box[2][(r1 >> 8) & 0xFF] ^ s_box[3][(r1 >> 16) & 0xFF] ^ s_box[0][(r1 >> 24) & 0xFF]); t0 = ( s_box[0][r0 & 0xFF] ^ s_box[1][(r0 >> 8) & 0xFF] ^ s_box[2][(r0 >> 16) & 0xFF] ^ s_box[3][(r0 >> 24) & 0xFF]) + t1; r3 = (t1 + t0 + keys[4*i+9]) ^ rol1(r3); r2 = (t0 + keys[4*i+8]) ^ r2; r2 = ror1(r2); t1 = ( s_box[1][r3 & 0xFF] ^ s_box[2][(r3 >> 8) & 0xFF] ^ s_box[3][(r3 >> 16) & 0xFF] ^ s_box[0][(r3 >> 24) & 0xFF]); t0 = ( s_box[0][r2 & 0xFF] ^ s_box[1][(r2 >> 8) & 0xFF] ^ s_box[2][(r2 >> 16) & 0xFF] ^ s_box[3][(r2 >> 24) & 0xFF]) + t1; r1 = (t1 + t0 + keys[4*i+11]) ^ rol1(r1); r0 = (t0 + keys[4*i+10]) ^ r0; r0 = ror1(r0); } words[0] = r2 ^ keys[4]; words[1] = r3 ^ keys[5]; words[2] = r0 ^ keys[6]; words[3] = r1 ^ keys[7]; for (i = 0; i<4; i++, ciphertext += 4) LE_WRITE_UINT32(ciphertext, words[i]); } } /* Decrypt blocks of 16 bytes of data with the twofish algorithm. * * Before this function can be used, twofish_set_key() must be used in order to * set up various tables required for the decryption algorithm. * * This function always decrypts 16 bytes of ciphertext to 16 bytes of * plaintext. The memory areas of the plaintext and the ciphertext can * overlap. */ void twofish_decrypt(const struct twofish_ctx *context, size_t length, uint8_t *plaintext, const uint8_t *ciphertext) { const uint32_t *keys = context->keys; const uint32_t (*s_box)[256] = context->s_box; assert( !(length % TWOFISH_BLOCK_SIZE) ); for ( ; length; length -= TWOFISH_BLOCK_SIZE) { uint32_t words[4]; uint32_t r0, r1, r2, r3, t0, t1; int i; for (i = 0; i<4; i++, ciphertext += 4) words[i] = LE_READ_UINT32(ciphertext); r0 = words[2] ^ keys[6]; r1 = words[3] ^ keys[7]; r2 = words[0] ^ keys[4]; r3 = words[1] ^ keys[5]; for (i = 0; i < 8; i++) { t1 = ( s_box[1][r3 & 0xFF] ^ s_box[2][(r3 >> 8) & 0xFF] ^ s_box[3][(r3 >> 16) & 0xFF] ^ s_box[0][(r3 >> 24) & 0xFF]); t0 = ( s_box[0][r2 & 0xFF] ^ s_box[1][(r2 >> 8) & 0xFF] ^ s_box[2][(r2 >> 16) & 0xFF] ^ s_box[3][(r2 >> 24) & 0xFF]) + t1; r1 = (t1 + t0 + keys[39-4*i]) ^ r1; r1 = ror1(r1); r0 = (t0 + keys[38-4*i]) ^ rol1(r0); t1 = ( s_box[1][r1 & 0xFF] ^ s_box[2][(r1 >> 8) & 0xFF] ^ s_box[3][(r1 >> 16) & 0xFF] ^ s_box[0][(r1 >> 24) & 0xFF]); t0 = ( s_box[0][r0 & 0xFF] ^ s_box[1][(r0 >> 8) & 0xFF] ^ s_box[2][(r0 >> 16) & 0xFF] ^ s_box[3][(r0 >> 24) & 0xFF]) + t1; r3 = (t1 + t0 + keys[37-4*i]) ^ r3; r3 = ror1(r3); r2 = (t0 + keys[36-4*i]) ^ rol1(r2); } words[0] = r0 ^ keys[0]; words[1] = r1 ^ keys[1]; words[2] = r2 ^ keys[2]; words[3] = r3 ^ keys[3]; for (i = 0; i<4; i++, plaintext += 4) LE_WRITE_UINT32(plaintext, words[i]); } } nettle-3.10/dsa-internal.h0000644000175000017500000000265514633602172014522 0ustar nissenisse/* dsa-internal.h The DSA publickey algorithm. Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DSA_INTERNAL_H_INCLUDED #define NETTLE_DSA_INTERNAL_H_INCLUDED #include "nettle-types.h" /* Internal functions. */ void _nettle_dsa_hash (mp_limb_t *hp, unsigned bit_size, size_t length, const uint8_t *digest); void _nettle_gostdsa_hash (mp_limb_t *hp, unsigned bit_size, size_t length, const uint8_t *digest); #endif /* NETTLE_DSA_INTERNAL_H_INCLUDED */ nettle-3.10/COPYINGv20000644000175000017500000004325414633602172013273 0ustar nissenisse GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. Copyright (C) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. , 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Lesser General Public License instead of this License. nettle-3.10/NEWS0000644000175000017500000020721414633602172012465 0ustar nissenisseNEWS for the Nettle 3.10 release This is a maintenance release, including a few each of bug fixes, new features and optimizations. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.9 and libhogweed.so.6.9, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Add missing hash functions sha512_224 and sha512_256 to the nettle_get_hashes() list. The name values in the corresponding nettle_hash structs also changed to use underscore instead of dash, for consistency. * Fix a few cases of formally undefined calls to memcpy(dst, NULL, 0), resulting from valid calls to, e.g., sha256_update(ctx, 0, NULL). New features: * Support RSA-OAEP encryption. Contributed by Nicolas Mora and Daiki Ueno. * New function sha3_256_shake_output, new functions sha3_128_init, sha3_128_update, sha3_128_shake, sha3_128_shake_output. Contributed by Daiki Ueno. * Added DRBG-CTR with AES256, contributed by Simon Josefsson. Optimizations: * New combined gcm-aes assembly for powerpc64, contributed by Danny Tsen. * New sha256 assembly for powerpc64, contributed by Eric Richter. * Improved performance for powerpc64 AES decrypt, by skipping subkey transformations that don't suit the vncipher instructions. * Add arm64 CPU feature detection for Android and for Apple systems, contributed by Foolbar and Tim Kosse, prespectively. Miscellaneous: * New tests for side-channel silence, based on valgrind. * Delete all md5 assembly code. Delete all sparc32 assembly code. NEWS for the Nettle 3.9.1 release This is a bugfix release, fixing a few bugs reported for Nettle-3.9. The bug in the new OCB code may be exploitable for denial of service or worse, since triggering it leads to memory corruption. Upgrading from Nettle-3.9 to the new version is strongly recommended. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.8 and libhogweed.so.6.8, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fix OCB loop for processing messages of size 272 bytes or larger. Reported and fixed by Jussi Kivilinna. * Fix alignment bug in the new x86_64 non-pclmul assembly implementation of ghash. Reported by Henrik Grubbström. * Fix build-time memory leak in eccdata. Reported by Noah Watkins. NEWS for the Nettle 3.9 release This release includes bug fixes, several new features, a few performance improvements, and one performance regression affecting GCM on certain platforms. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.7 and libhogweed.so.6.7, with sonames libnettle.so.8 and libhogweed.so.6. This release includes a rewrite of the C implementation of GHASH (dating from 2011), as well as the plain x86_64 assembly version, to use precomputed tables in a different way, with tables always accessed in the same sequential manner. This should make Nettle's GHASH implementation side-channel silent on all platforms, but considerably slower on platforms without carry-less mul instructions. E.g., benchmarks of the C implementation on x86_64 showed a slowdown of 3 times. Bug fixes: * Fix bug in ecdsa and gostdsa signature verify operation, for the unlikely corner case that point addition really is point duplication. * Fix for chacha on Power7, nettle's assembly used an instruction only available on later processors. Fixed by Mamone Tarsha. * GHASH implementation should now be side-channel silent on all architectures. * A few portability fixes for *BSD. New features: * Support for the SM4 block cipher, contributed by Tianjia Zhang. * Support for the Balloon password hash, contributed by Zoltan Fridrich. * Support for SIV-GCM authenticated encryption mode, contributed by Daiki Ueno. * Support for OCB authenticated encryption mode. * New exported functions md5_compress, sha1_compress, sha256_compress, sha512_compress, based on patches from Corentin Labbe. Optimizations: * Improved sha256 performance, in particular for x86_64 and s390x. * Use GMP's mpn_sec_tabselect, which is implemented in assembly on many platforms, and delete the similar nettle function. Gives a modest speedup to all ecc operations. * Faster poly1305 for x86_64 and ppc64. New ppc code contributed by Mamone Tarsha. Miscellaneous: * New ASM_FLAGS variable recognized by configure. * Delete all arcfour assembly code. Affects 32-bit x86, 32-bit and 64-bit sparc. Known issues: * Version 6.2.1 of GNU GMP (the most recent GMP release as of this writing) has a known issue for MacOS on 64-bit ARM: GMP assembly files use the reserved x18 register. On this platform it is recommended to use a GMP snapshot where this bug is fixed, and upgrade to a later GMP release when one becomes available. * Also on MacOS, Nettle's testsuite may still break due to DYLD_LIBRARY_PATH being discarded under some circumstances. As a workaround, use make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)' NEWS for the Nettle 3.8.1 release This is a bugfix release, fixing a few portability issues reported for Nettle-3.8. Bug fixes: * Avoid non-posix m4 argument references in the chacha implementation for arm64, powerpc64 and s390x. Reported by Christian Weisgerber, fix contributed by Mamone Tarsha. * Use explicit .machine pseudo-ops where needed in s390x assembly files. Bug report by Andreas K. Huettel, fix contributed by Mamone Tarsha. Optimizations: * Implemented runtime detection of cpu features for OpenBSD on arm64. Contributed by Christian Weisgerber. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.6 and libhogweed.so.6.6, with sonames libnettle.so.8 and libhogweed.so.6. NEWS for the Nettle 3.8 release This release includes a couple of new features, and many performance improvements. It adds assembly code for two more architectures: ARM64 and S390x. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.5 and libhogweed.so.6.5, with sonames libnettle.so.8 and libhogweed.so.6. New features: * AES keywrap (RFC 3394), contributed by Nicolas Mora. * SM3 hash function, contributed by Tianjia Zhang. * New functions cbc_aes128_encrypt, cbc_aes192_encrypt, cbc_aes256_encrypt. On processors where AES is fast enough, e.g., x86_64 with aesni instructions, the overhead of using Nettle's general cbc_encrypt can be significant. The new functions can be implemented in assembly, to do multiple blocks with reduced per-block overhead. Note that there's no corresponding new decrypt functions, since the general cbc_decrypt doesn't suffer from the same performance problem. Bug fixes: * Fix fat builds for x86_64 windows, these appear to never have worked. Optimizations: * New ARM64 implementation of AES, GCM, Chacha, SHA1 and SHA256, for processors supporting crypto extensions. Great speedups, and fat builds are supported. Contributed by Mamone Tarsha. * New s390x implementation of AES, GCM, Chacha, memxor, SHA1, SHA256, SHA512 and SHA3. Great speedups, and fat builds are supported. Contributed by Mamone Tarsha. * New PPC64 assembly for ecc modulo/redc operations, contributed by Amitay Isaacs, Martin Schwenke and Alastair D´Silva. * The x86_64 AES implementation using aesni instructions has been reorganized with one separate function per key size, each interleaving the processing of two blocks at a time (when the caller processes multiple blocks with each call). This gives a modest performance improvement on some processors. * Rewritten and faster x86_64 poly1305 assembly. Known issues: * Nettle's testsuite doesn't work out-of-the-box on recent MacOS, due to /bin/sh discarding the DYLD_LIBRARY_PATH environment variable. Nettle's test scripts handle this in some cases, but currently fails the test cases that are themselves written as /bin/sh scripts. As a workaround, use make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)' Miscellaneous: * Updated manual to current makeinfo conventions, with no explicit node pointers. Generate pdf version with texi2pdf, to get working hyper links. * Added square root functions for NIST ecc curves, as a preparation for supporting compact point representation. * Reworked internal GCM/ghash interfaces, simplifying assembly implementations. Deleted unused GCM C implementation variants with less than 8-bit lookup table. NEWS for the Nettle 3.7.3 release This is bugfix release, fixing bugs that could make the RSA decryption functions crash on invalid inputs. Upgrading to the new version is strongly recommended. For applications that want to support older versions of Nettle, the bug can be worked around by adding a check that the RSA ciphertext is in the range 0 < ciphertext < n, before attempting to decrypt it. Thanks to Paul Schaub and Justus Winter for reporting these problems. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.4 and libhogweed.so.6.4, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fix crash for zero input to rsa_sec_decrypt and rsa_decrypt_tr. Potential denial of service vector. * Ensure that all of rsa_decrypt_tr and rsa_sec_decrypt return failure for out of range inputs, instead of either crashing, or silently reducing input modulo n. Potential denial of service vector. * Ensure that rsa_decrypt returns failure for out of range inputs, instead of silently reducing input modulo n. * Ensure that rsa_sec_decrypt returns failure if the message size is too large for the given key. Unlike the other bugs, this would typically be triggered by invalid local configuration, rather than by processing untrusted remote data. NEWS for the Nettle 3.7.2 release This is a bugfix release, fixing a bug in ECDSA signature verification that could lead to a denial of service attack (via an assertion failure) or possibly incorrect results. It also fixes a few related problems where scalars are required to be canonically reduced modulo the ECC group order, but in fact may be slightly larger. Upgrading to the new version is strongly recommended. Even when no assert is triggered in ecdsa_verify, ECC point multiplication may get invalid intermediate values as input, and produce incorrect results. It's trivial to construct alleged signatures that result in invalid intermediate values. It appears difficult to construct an alleged signature that makes the function misbehave in such a way that an invalid signature is accepted as valid, but such attacks can't be ruled out without further analysis. Thanks to Guido Vranken for setting up the fuzzer tests that uncovered this problem. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.3 and libhogweed.so.6.3, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fixed bug in ecdsa_verify, and added a corresponding test case. * Similar fixes to ecc_gostdsa_verify and gostdsa_vko. * Similar fixes to eddsa signatures. The problem is less severe for these curves, because (i) the potentially out or range value is derived from output of a hash function, making it harder for the attacker to to hit the narrow range of problematic values, and (ii) the ecc operations are inherently more robust, and my current understanding is that unless the corresponding assert is hit, the verify operation should complete with a correct result. * Fix to ecdsa_sign, which with a very low probability could return out of range signature values, which would be rejected immediately by a verifier. NEWS for the Nettle 3.7.1 release This is primarily a bug fix release, fixing a couple of problems found in Nettle-3.7. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.2 and libhogweed.so.6.2, with sonames libnettle.so.8 and libhogweed.so.6. Bug fixes: * Fix bug in chacha counter update logic. The problem affected ppc64 and ppc64el, with the new altivec assembly code enabled. Reported by Andreas Metzler, after breakage in GnuTLS tests on ppc64. * Support for big-endian ARM platforms has been restored. Fixes contributed by Michael Weiser. * Fix build problem on OpenBSD/powerpc64, reported by Jasper Lievisse Adriaanse. * Fix corner case bug in ECDSA verify, it would produce incorrect result in the unlikely case of an all-zero message hash. Reported by Guido Vranken. New features: * Support for pbkdf2_hmac_sha384 and pbkdf2_hmac_sha512, contributed by Nicolas Mora. Miscellaneous: * Poorly performing ARM Neon code for doing single-block Salsa20 and Chacha has been deleted. The code to do two or three blocks in parallel, introduced in Nettle-3.7, is unchanged. NEWS for the Nettle 3.7 release This release adds one new feature, the bcrypt password hashing function, and lots of optimizations. There's also one important change to how Nettle is configured: Fat builds are now on by default. The release adds PowerPC64 assembly for a few algorithms, resulting in great speedups. Benchmarked on a Power9 machine, speedup was 13 times for AES256-CTR and AES256-GCM, and 3.5 times for Chacha. For fat builds (now the default), the new code is used automatically, on processors supporting the needed instruction set extensions. The new version is intended to be fully source and binary compatible with Nettle-3.6. The shared library names are libnettle.so.8.1 and libhogweed.so.6.1, with sonames libnettle.so.8 and libhogweed.so.6. New features: * Support for bcrypt, contributed by Stephen R. van den Berg. Optimizations: * Much faster AES and GCM on PowerPC64 processors supporting the corresponding crypto extensions. Contributed by Mamone Tarsha. * Speed of Chacha improved on PowerPC64, x86_64 and ARM Neon. * Speed of Salsa20 improved on x86_64 and ARM Neon. * Overhaul of some elliptic curve primitives, improving ECDSA signature speed. Configure: * Fat builds are enabled by default on the architectures where it is supported (x86_64, arm and powerpc64). To disable runtime selection, and instead specify the processor flavor at configure time, you need to pass --disable-fat to the configure script. Known issues: * The ARM assembly code in this release doesn't work correctly on big-endian ARM systems. This will hopefully be fixed in a later release. Miscellaneous: * Use a few more gmp-6.1 functions: mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap. Delete corresponding internal Nettle functions. * Convert all assembly files to use the default m4 quote characters. NEWS for the Nettle 3.6 release This release adds a couple of new features, most notable being support for ED448 signatures. It is not binary compatible with earlier releases. The shared library names are libnettle.so.8.0 and libhogweed.so.6.0, with sonames libnettle.so.8 and libhogweed.so.6. The changed sonames are mainly to avoid upgrade problems with recent GnuTLS versions, that depend on Nettle internals outside of the advertised ABI. But also because of the removal of internal poly1305 functions which were undocumented but declared in an installed header file, see Interface changes below. New features: * Support for Curve448 and ED448 signatures. Contributed by Daiki Ueno. * Support for SHAKE256 (SHA3 variant with arbitrary output size). Contributed by Daiki Ueno. * Support for SIV-CMAC (Synthetic Initialization Vector) mode, contributed by Nikos Mavrogiannopoulos. * Support for CMAC64, contributed by Dmitry Baryshkov. * Support for the "CryptoPro" variant of the GOST hash function, as gosthash94cp. Contributed by Dmitry Baryshkov. * Support for GOST DSA signatures, including GOST curves gc256b and gc512a. Contributed by Dmitry Baryshkov. * Support for Intel CET in x86 and x86_64 assembly files, if enabled via CFLAGS (gcc --fcf-protection=full). Contributed by H.J. Lu and Simo Sorce. * A few new functions to improve support for the Chacha variant with 96-bit nonce and 32-bit block counter (the existing functions use nonce and counter of 64-bit each), and functions to set the counter. Contributed by Daiki Ueno. * New interface, struct nettle_mac, for MAC (message authentication code) algorithms. This abstraction is only for MACs that don't require a per-message nonce. For HMAC, the key size is fixed, and equal the digest size of the underlying hash function. Bug fixes: * Fix bug in cfb8_decrypt. Previously, the IV was not updated correctly in the case of input data shorter than the block size. Reported by Stephan Mueller, fixed by Daiki Ueno. * Fix configure check for __builtin_bswap64, the incorrect check would result in link errors on platforms missing this function. Patch contributed by George Koehler. * All use of old-fashioned suffix rules in the Makefiles have been replaced with %-pattern rules. Nettle's use of suffix rules in earlier versions depended on undocumented GNU make behavior, which is being deprecated in GNU make 4.3. Building with other make programs than GNU make is untested and unsupported. (Building with BSD make or Solaris make used to work years ago, but has not been tested recently). Interface changes: * Declarations of internal poly1305.h functions have been removed from the header file poly1305.h, to make it clear that they are not part of the advertised API or ABI. Miscellaneous: * Building the public key support of nettle now requires GMP version 6.1.0 or later (unless --enable-mini-gmp is used). * A fair amount of changes to ECC internals, with a few deleted and a few new fields in the internal struct ecc_curve. Files and functions have been renamed to more consistently match the curve name, e.g., ecc-256.c has been renamed to ecc-secp256r1.c. * Documentation for chacha-poly1305 updated. It is no longer experimental. The implementation was updated to follow RFC 8439 in Nettle-3.1, but that was not documented or announced at the time. NEWS for the Nettle 3.5.1 release The Nettle-3.5.1 corrects a packaging mistake in Nettle-3.5. The new directory x86_64/sha_ni were missing in the tar file, breaking x86_64 builds with --enable-fat, and producing worse performance than promised for builds with --enable-x86-sha-ni. Also a few unused in-progress assembly files were accidentally included in the tar file. These problems are corrected in Nettle-3.5.1. There are no other changes, and also the library version numbers are unchanged. NEWS for the Nettle 3.5 release This release adds a couple of new features and optimizations, and deletes or deprecates a few obsolete features. It is *not* binary (ABI) compatible with earlier versions. Except for deprecations listed below, it is intended to be fully source-level (API) compatible with Nettle-3.4.1. The shared library names are libnettle.so.7.0 and libhogweed.so.5.0, with sonames libnettle.so.7 and libhogweed.so.5. Changes in behavior: * Nettle's gcm_crypt will now call the underlying block cipher to process more than one block at a time. This is not a change to the documented behavior, but unfortunately breaks assumptions accidentally made in GnuTLS, up to and including version 3.6.1. New features: * Support for CFB8 (Cipher Feedback Mode, processing a single octet per block cipher operation), contributed by Dmitry Eremin-Solenikov. * Support for CMAC (RFC 4493), contributed by Nikos Mavrogiannopoulos. * Support for XTS mode, contributed by Simo Sorce. Optimizations: * Improved performance of the x86_64 AES implementation using the aesni instructions. Gives a large speedup for operations processing multiple blocks at a time (including CTR mode, GCM mode, and CBC decrypt, but *not* CBC encrypt). * Improved performance for CTR mode, for the common case of 16-byte block size. Pass more data at a time to underlying block cipher, and fill the counter blocks more efficiently. Extension to also handle GCM mode efficiently contributed by Nikos Mavrogiannopoulos. * New x86_64 implementation of sha1 and sha256, for processors supporting the sha_ni instructions. Speedup of 3-5 times on affected processors. * Improved parameters for the precomputation of tables used for ecc signatures. Roughly 10%-15% speedup of the ecdsa sign operation using the secp_256r1, secp_384r1 and secp_521r1 curves, and 25% speedup of ed25519 sign operation, benchmarked on x86_64. Table sizes unchanged, around 16 KB per curve. * In ARM fat builds, automatically select Neon implementation of Chacha, where possible. Contributed by Yuriy M. Kaminskiy. Deleted features: * The header file des-compat.h and everything declared therein has been deleted, as announced earlier. This file provided a subset of the old libdes/ssleay/openssl interface for DES and triple-DES. DES is still supported, via the functions declared in des.h. * Functions using the old struct aes_ctx have been marked as deprecated. Use the fixed key size interface instead, e.g., struct aes256_ctx, introduced in Nettle-3.0. * The header file nettle-stdint.h, and corresponding autoconf tests, have been deleted. Nettle now requires that the compiler/libc provides . Miscellaneous: * Support for big-endian ARM systems, contributed by Michael Weiser. * The programs aesdata, desdata, twofishdata, shadata and gcmdata are no longer built by default. Makefile improvements contributed by Jay Foad. * The "example" program examples/eratosthenes.c has been deleted. * The contents of hash context structs, and the deprecated aes_ctx struct, have been reorganized, to enable later optimizations. The shared library names are libnettle.so.7.0 and libhogweed.so.5.0. NEWS for the Nettle 3.4.1 release This release fixes a few bugs, and makes the RSA private key operations side channel silent. The RSA improvements are contributed by Simo Sorce and Red Hat, and include one new public function, rsa_sec_decrypt, see below. All functions using RSA private keys are now side-channel silent, meaning that they try hard to avoid any branches or memory accesses depending on secret data. This applies both to the bignum calculations, which now use GMP's mpn_sec_* family of functions, and the processing of PKCS#1 padding needed for RSA decryption. Nettle's ECC functions were already side-channel silent, while the DSA functions still aren't. There's also one caveat regarding the improved RSA functions: due to small table lookups in relevant mpn_sec_* functions in GMP-6.1.2, the lowest and highest few bits of the secret factors p and q may still leak. I'm not aware of any attacks on RSA where knowing a few bits of the factors makes a significant difference. This leak will likely be plugged in later GMP versions. Changes in behavior: * The functions rsa_decrypt and rsa_decrypt_tr may now clobber all of the provided message buffer, independent of the actual message length. They are side-channel silent, in that branches and memory accesses don't depend on the validity or length of the message. Side-channel leakage from the caller's use of length and return value may still provide an oracle useable for a Bleichenbacher-style chosen ciphertext attack. Which is why the new function rsa_sec_decrypt is recommended. New features: * A new function rsa_sec_decrypt. It differs from rsa_decrypt_tr in that the length of the decrypted message is given a priori, and PKCS#1 padding indicating a different length is treated as an error. For applications that may be subject to chosen ciphertext attacks, it is recommended to initialize the message area with random data, call this function, and ignore the return value. This applies in particular to RSA-based key exchange in the TLS protocol. Bug fixes: * Fix bug in pkcs1-conv, missing break statements in the parsing of PEM input files. * Fix link error on the pss-mgf1-test test, affecting builds without public key support. Performance regression: * All RSA private key operations employing RSA blinding, i.e., rsa_decrypt_tr, rsa_*_sign_tr, the new rsa_sec_decrypt, and rsa_compute_root_tr, are significantly slower. This is because (i) RSA blinding now use side-channel silent operations, (ii) blinding includes a modular inversion, and (iii) side-channel silent modular inversion, implemented as mpn_sec_invert, is very expensive. A 60% slowdown for 2048-bit RSA keys have been measured. Miscellaneous: * Building the public key support of nettle now requires GMP version 6.0 or later (unless --enable-mini-gmp is used). The shared library names are libnettle.so.6.5 and libhogweed.so.4.5, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.4 release This release fixes bugs and adds a few new features. It also addresses an ABI compatibility issue affecting Nettle-3.1 and later, see below. Bug fixes: * Fixed an improper use of GMP mpn_mul, breaking curve2559 and eddsa on certain platforms. Reported by Sergei Trofimovich. * Fixed memory leak when handling invalid signatures in ecdsa_verify. Fix contributed by Nikos Mavrogiannopoulos. * Fix compilation error with --enable-fat om ARM. Fix contributed by Andreas Schneider. * Reorganized the way certain data items are made available. Short version: Nettle header files now define the symbols nettle_hashes, nettle_ciphers, and nettle_aeads, as preprocessor macros invoking a corresponding accessor function. For backwards ABI compatibility, the symbols are still present in the compiled libraries, and with the same sizes as in nettle-3.3. New features: * Support for RSA-PSS signatures, contributed by Daiki Ueno. * Support for the HKDF key derivation function, defined by RFC 5869. Contributed by Nikos Mavrogiannopoulos. * Support for the Cipher Feedback Mode (CFB), contributed by Dmitry Eremin-Solenikov. * New accessor functions: nettle_get_hashes, nettle_get_ciphers, nettle_get_aeads, nettle_get_secp_192r1, nettle_get_secp_224r1, nettle_get_secp_256r1, nettle_get_secp_384r1, nettle_get_secp_521r1. For source-level compatibility with future versions, applications are encouraged to migrate to using these functions instead of referring to the corresponding data items directly. Miscellaneous: * The base16 and base64 functions now use the type char * for ascii data, rather than uint8_t *. This eliminates the last pointer-signedness warnings when building Nettle. This is a minor API change, and applications may need to be adjusted, but the ABI is unaffected on all platforms I'm aware of. * The contents of the header file nettle/version.h is now architecture independent, except in --enable-mini-gmp configurations. ABI issue: Since the breakage was a bit subtle, let me document it here. The nettle and hogweed libraries export a couple of data symbols, and for some of these, the size was never intended to be part of the ABI. E.g., extern const struct nettle_hash * const nettle_hashes[]; which is an NULL-terminated array. It turns out the sizes nevertheless may leak into the ABI, and that increasing the sizes can break old executables linked with a newer version of the library. When linking a classic non-PIE executable with a shared library, we get ELF relocations of type R_X86_64_COPY for references to data items. These mean that the linker allocates space for the data item in the data segment of executable, at a fixed address determined at link-time, and with size extracted from the version of the .so-file seen when linking. At load time, the run time linker then copies the contents of the symbol from the .so file to that location, and uses the copy instead of the version loaded with the .so-file. And if the data item in the .so file used at load time is larger than the data item seen at link time, it is silently truncated in the process. So when SHA3 hashes were was added to the nettle_hashes array in the nettle-3.3 release, this way of linking produces a truncated array at load time, no longer NULL-terminated. We will get similar problems for planned extensions of the internal struct ecc_curve, and exported data items like extern const struct ecc_curve nettle_secp_256r1; where the ecc_curve struct is only forward declared in the public headers. To prepare, applications should migrate to using the new function nettle_get_secp_256r1, and similarly for the other curves. In some future version, the plan is to add a leading underscore to the name of the actual data items. E.g., nettle_hashes --> _nettle_hashes, breaking the ABI, while keeping the nettle_get_hashes function and the nettle_hashes macro as the supported ways to access it. We will also rename nettle_secp_256r1 --> _nettle_secp_256r1, breaking both ABI and API. Note that data items like nettle_sha256 are *not* affected, since the size and layout of this struct is considered part of the ABI, and R_X86_64_COPY-relocations then work fine. The shared library names are libnettle.so.6.4 and libhogweed.so.4.4, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.3 release This release fixes a couple of bugs, and improves resistance to side-channel attacks on RSA and DSA private key operations. Changes in behavior: * Invalid private RSA keys, with an even modulo, are now rejected by rsa_private_key_prepare. (Earlier versions allowed such keys, even if results of using them were bogus). Nettle applications are required to call rsa_private_key_prepare and check the return value, before using any other RSA private key functions; failing to do so may result in crashes for invalid private keys. As a workaround for versions of Gnutls which don't use rsa_private_key_prepare, additional checks for even moduli are added to the rsa_*_tr functions which are used by all recent versions of Gnutls. * Ignore bit 255 of the x coordinate of the input point to curve25519_mul, as required by RFC 7748. To differentiate at compile time, curve25519.h defines the constant NETTLE_CURVE25519_RFC7748. Security: * RSA and DSA now use side-channel silent modular exponentiation, to defend against attacks on the private key from evil processes sharing the same processor cache. This attack scenario is of particular relevance when running an HTTPS server on a virtual machine, where you don't know who you share the cache hardware with. (Private key operations on elliptic curves were already side-channel silent). Bug fixes: * Fix sexp-conv crashes on invalid input. Reported by Hanno Böck. * Fix out-of-bounds read in des_weak_p. Fixed by Nikos Mavrogiannopoulos. * Fix a couple of formally undefined shift operations, reported by Nikos Mavrogiannopoulos. * Fix compilation with c89. Reported by Henrik Grubbström. New features: * New function memeql_sec, for side-channel silent comparison of two memory areas. Miscellaneous: * Building the public key support of nettle now requires GMP version 5.0 or later (unless --enable-mini-gmp is used). * Filenames of windows DLL libraries now include major number only. So the dll names change at the same time as the corresponding soname on ELF platforms. Fixed by Nikos Mavrogiannopoulos. * Eliminate most pointer-signedness warnings. In the process, the strings representing expression type for sexp_interator functions were changed from const uint8_t * to const char *. These functions are undocumented, and it doesn't change the ABI on any platform I'm aware of. The shared library names are libnettle.so.6.3 and libhogweed.so.4.3, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.2 release Bug fixes: * The SHA3 implementation is updated according to the FIPS 202 standard. It is not interoperable with earlier versions of Nettle. Thanks to Nikos Mavrogiannopoulos. To easily differentiate at compile time, sha3.h defines the constant NETTLE_SHA3_FIPS202. * Fix corner-case carry propagation bugs affecting elliptic curve operations on the curves secp_256r1 and secp_384r1 on certain platforms, including x86_64. Reported by Hanno Böck. New features: * New functions for RSA private key operations, identified by the "_tr" suffix, with better resistance to side channel attacks and to hardware or software failures which could break the CRT optimization. See the Nettle manual for details. Initial patch by Nikos Mavrogiannopoulos. * New functions nettle_version_major, nettle_version_minor, as a run-time variant of the compile-time constants NETTLE_VERSION_MAJOR and NETTLE_VERSION_MINOR. Optimizations: * New ARM Neon implementation of the chacha stream cipher. Miscellaneous: * ABI detection on mips, with improved default libdir location. Contributed by Klaus Ziegler. * Fixes for ARM assembly syntax, to work better with the clang assembler. Thanks to Jukka Ukkonen. * Disabled use of ifunc relocations for fat builds, to fix problems most easily triggered by using dlopen RTLD_NOW. The shared library names are libnettle.so.6.2 and libhogweed.so.4.2, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.1.1 release This release fixes a couple of non-critical bugs. Bug fixes: * By accident, nettle-3.1 disabled the assembly code for the secp_224r1 and secp_521r1 elliptic curves on all x86_64 configurations, making signature operations on those curves 10%-30% slower. This code is now re-enabled. * The x86_64 assembly implementation of gcm hashing has been fixed to work with the Sun/Oracle assembler. The shared library names are libnettle.so.6.1 and libhogweed.so.4.1, with sonames still libnettle.so.6 and libhogweed.so.4. It is intended to be fully binary compatible with nettle-3.1. NEWS for the Nettle 3.1 release This release adds a couple of new features. The library is mostly source-level compatible with nettle-3.0. It is however not binary compatible, due to the introduction of versioned symbols, and extensions to the base64 context structs. The shared library names are libnettle.so.6.0 and libhogweed.so.4.0, with sonames libnettle.so.6 and libhogweed.so.4. Bug fixes: * Fixed a missing include of , which made the camellia implementation fail on all 64-bit non-x86 platforms. * Eliminate out-of-bounds reads in the C implementation of memxor (related to valgrind's --partial-loads-ok flag). Interface changes: * Declarations of many internal functions are moved from ecc.h to ecc-internal.h. The functions are undocumented, and luckily they're apparently also unused by applications, so I don't expect any problems from this change. New features: * Support for curve25519 and for EdDSA25519 signatures. * Support for "fat builds" on x86_64 and arm, where the implementation of certain functions is selected at run-time depending on available cpu features. Configure with --enable-fat to try this out. If it turns out to work well enough, it will likely be enabled by default in later releases. * Support for building the hogweed library (public key support) using "mini-gmp", a small but slower implementation of a subset of the GMP interfaces. Note that builds using mini-gmp are *not* binary compatible with regular builds, and more likely to leak side-channel information. One intended use-case is for small embedded applications which need to verify digital signatures. * The shared libraries are now built with versioned symbols. Should reduce problems in case a program links explicitly to nettle and/or hogweed, and to gnutls, and the program and gnutls expect different versions. * Support for "URL-safe" base64 encoding and decoding, as specified in RFC 4648. Contributed by Amos Jeffries. Optimizations: * New x86_64 implementation of AES, using the "aesni" instructions. Autodetected in fat builds. In non-fat builds, it has to be enabled explicitly with --enable-x86-aesni. Build system: * Use the same object files for both static and shared libraries. This eliminates the *.po object files which were confusing to some tools (as well as humans). Like before, PIC code is used by default; to build a non-pic static library, configure with --disable-pic --disable-shared. Miscellaneous: * Made type-checking hack in CBC_ENCRYPT and similar macros stricter, to generate warnings if they are used with functions which have a length argument smaller than size_t. NEWS for the Nettle 3.0 release This is a major release, including several interface changes, and new features, some of which are a bit experimental. Feedback is highly appreciated. It is *not* binary (ABI) compatible with earlier versions. It is mostly source-level (API) compatible, with a couple of incompatibilities noted below. The shared library names are libnettle.so.5.0 and libhogweed.so.3.0, with sonames libnettle.so.5 and libhogweed.so.3. There may be some problems in the new interfaces and new features which really need incompatible fixes. It is likely that there will be an update in the form of a 3.1 release in the not too distant future, with small but incompatible changes, and if that happens, bugfix-only releases 3.0.x are unlikely. Users and applications which desire better API and ABI stability are advised to stay with nettle-2.7.x (latest version is now 2.7.1) until the dust settles. Interface changes: * For the many _set_key functions, it is now consider the normal case to have a fixed key size, with no key_size arguments. _set_key functions with a length parameter are provided only for algorithms with a truly variable keysize, and where it makes sense for backwards compatibility. INCOMPATIBLE CHANGE: cast128_set_key no longer accepts a key size argument. The old function is available under a new name, cast5_set_key. INCOMPATIBLE CHANGE: The function typedef nettle_set_key_func no longer accepts a key size argument. In particular, this affects users of struct nettle_cipher. * The nettle_cipher abstraction (in nettle-meta.h) is restricted to block ciphers only. The encrypt and decrypt functions now take a const argument for the context. INCOMPATIBLE CHANGE: nettle_arcfour, i.e., the nettle_cipher abstraction for the arcfour stream cipher, is deleted. INCOMPATIBLE CHANGE: New type, nettle_cipher_func, for the encrypt and decrypt fields of struct nettle_cipher. * New DSA interface, with a separate struct dsa_param to represent the underlying group, and generalized dsa_sign and dsa_verify functions which don't care about the hash function used. Limited backwards compatibility provided in dsa-compat.h. INCOMPATIBLE CHANGE: Declarations of the old interface, e.g., struct dsa_public_key, dsa_sha1_sign, etc, is moved to dsa-compat.h. INCOMPATIBLE CHANGE: The various key conversion functions, e.g., dsa_keypair_to_sexp, all use the new DSA interface, with no backwards compatible functions. INCOMPATIBLE CHANGE: dsa_generate_keypair also uses the new interface. dsa-compat.h declares a function dsa_compat_generate_keypair, implementing the old interface, and #defines dsa_generate_keypair to refer to this backwards compatible function. * New AES and Camellia interfaces. There are now separate context structs for each key size, e.g., aes128_ctx and camellia256_ctx, and corresponding new functions. The old interface, with struct aes_ctx and struct camellia_ctx, is kept for backwards compatibility, but might be removed in later versions. * The type of most length arguments is changed from unsigned to size_t. The memxor functions have their pointer arguments changed from uint8_t * to void *, for consistency with related libc functions. * For hash functions, the constants *_DATA_SIZE have been renamed to *_BLOCK_SIZE. Old names kept for backwards compatibility. Removed features: * The nettle_next_prime function has been deleted. Applications should use GMP's mpz_nextprime instead. * Deleted the RSAREF compatibility, including the header file rsa-compat.h and everything declared therein. * Also under consideration for removal is des-compat.h and everything declared therein. This implements a subset of the old libdes/ssleay/openssl interface for DES and triple-DES, and it is poorly tested. If anyone uses this interface, please speak up! Otherwise, it will likely be removed in the next release. Bug fixes: * Building with ./configure --disable-static now works. * Use GMP's allocation functions for temporary storage related to bignums, to avoid potentially large stack allocations. * Fixes for shared libraries on M$ Windows. New features: * Support for Poly1305-AES MAC. * Support for the ChaCha stream cipher and EXPERIMENTAL support for the ChaCha-Poly1305 AEAD mode. Specifications are still in flux, and future releases may do incompatible changes to track standardization. Currently uses 256-bit key and 64-bit nonce. * Support for EAX mode. * Support for CCM mode. Contributed by Owen Kirby. * Additional variants of SHA512 with output size of 224 and 256 bits. Contributed by Joachim Strömbergson. * New interface, struct nettle_aead, for mechanisms providing authenticated encryption with associated data (AEAD). * DSA: Support a wider range for the size of q and a wider range for the digest size. Optimizations: * New x86_64 assembly for GCM and MD5. Modest speedups on the order of 10%-20%. Miscellaneous: * SHA3 is now documented as EXPERIMENTAL. Nettle currently implements SHA3 as specified at the time Keccak won the SHA3 competition. However, the final standard specified by NIST is likely to be incompatible, in which case future releases may do incompatible changes to track standardization. * The portability fix for the rotation macros, mentioned in NEWS for 2.7.1, actually didn't make it into that release. It is included now. * cast128_set_key rewritten for clarity, also eliminating a couple of compiler warnings. * New command line tool nettle-pbkdf2. NEWS for the 2.7.1 release This is a bugfix release. Bug fixes: * Fixed a bug in the new ECC code. The ecc_j_to_a function called GMP:s mpn_mul_n (via ecc_modp_mul) with overlapping input and output arguments, which is not supported. * The assembly files for SHA1, SHA256 and AES depend on ARMv6 instructions, breaking nettle-2.7 for pre-v6 ARM processors. The configure script now enables those assembly files only when building for ARMv6 or later. * Use a more portable C expression for rotations. The previous version used the following "standard" expression for 32-bit rotation: (x << n) | (x >> (32 - n)) But this gives undefined behavior (according to the C specification) for n = 0. The rotate expression is replaced by the more portable: (x << n) | (x >> ((-n)&31)) This change affects only CAST128, which uses non-constant rotation counts. Unfortunately, the new expression is poorly optimized by released versions of gcc, making CAST128 a bit slower. This is being fixed by the gcc hackers, see http://gcc.gnu.org/bugzilla/show_bug.cgi?id=57157. The following problems have been reported, but are *not* fixed in this release: * ARM assembly files use instruction syntax which is not supported by all assemblers. Workaround: Use a current version of GNU as, or configure with --disable-assembler. * Configuring with --disable-static doesn't work on windows. The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.7 and libhogweed.so.2.5, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.7 release This release includes an implementation of elliptic curve cryptography (ECC) and optimizations for the ARM architecture. This work was done at the offices of South Pole AB, and generously funded by the .SE Internet Fund. Bug fixes: * Fixed a bug in the buffer handling for incremental SHA3 hashing, with a possible buffer overflow. Patch by Edgar E. Iglesias. New features: * Support for ECDSA signatures. Elliptic curve operations over the following curves: secp192r1, secp224r1, secp256r1, secp384r1 and secp521r1, including x86_64 and ARM assembly for the most important primitives. * Support for UMAC, including x86_64 and ARM assembly. * Support for 12-round salsa20, "salsa20r12", as specified by eSTREAM. Contributed by Nikos Mavrogiannopoulos. Optimizations: * ARM assembly code for several additional algorithms, including AES, Salsa20, and the SHA family of hash functions. * x86_64 assembly for SHA256, SHA512, and SHA3. (SHA3 assembly was included in the 2.6 release, but disabled due to poor performance on some AMD processors. Hopefully, that performance problem is fixed now). The ARM code was tested and benchmarked on Cortex-A9. Some of the functions use "neon" instructions. The configure script decides if neon instructions can be used, and the command line options --enable-arm-neon and --disable-arm-neon can be used to override its choice. Feedback appreciated. The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.6 and libhogweed.so.2.4, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.6 release Bug fixes: * Fixed a bug in ctr_crypt. For zero length (which should be a NOP), it sometimes incremented the counter. Reported by Tim Kosse. * Fixed a small memory leak in nettle_realloc and nettle_xrealloc. New features: * Support for PKCS #5 PBKDF2, to generate a key from a password or passphrase. Contributed by Simon Josefsson. Specification in RFC 2898 and test vectors in RFC 6070. * Support for SHA3. * Support for the GOST R 34.11-94 hash algorithm. Ported from librhash by Nikos Mavrogiannopoulos. Written by Aleksey Kravchenko. More information in RFC4357. Test vectors taken from the GOST hash wikipedia page. Miscellaneous: * The include file has been split into and . For now, sha.h is kept for backwards compatibility and it simply includes both files, but applications are encouraged to use the new names. The new SHA3 functions are declared in . * Testsuite can be run under valgrind, using make check EMULATOR='$(VALGRIND)' For this to work, test programs and other executables now deallocate storage. * New configure options --disable-documentation and --disable-static. Contributed by Sam Thursfield and Alon Bar-Lev, respectively. * The section on hash functions in the manual is split into separate nodes for recommended hash functions and legacy hash functions. * Various smaller improvements, most of them portability fixes. Credits go to David Woodhouse, Tim Rühsen, Martin Storsjö, Nikos Mavrogiannopoulos, Fredrik Thulin and Dennis Clarke. Finally, a note on the naming of the various "SHA" hash functions. Naming is a bit inconsistent; we have, e.g., SHA1: sha1_digest SHA2: sha256_digest (not sha2_256_digest) SHA3: sha3_256_digest Renaming the SHA2 functions to make Nettle's naming more consistent has been considered, but the current naming follows common usage. Most documents (including the specification for SHA2) refer to 256-bit SHA2 as "SHA-256" or "SHA256" rather than "SHA2-256". The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.5 and libhogweed.so.2.3, with sonames still libnettle.so.4 and libhogweed.so.2 NEWS for the 2.5 release This release includes important portability fixes for Windows and MacOS. There are also a few new features. First a *warning*: Some internal functions have been removed from the library. Since the functions in question are internal and not documented, this is not considered a change of ABI or API. Programs explicitly using any of these functions will break. * The function pkcs1_signature_prefix has been renamed to _pkcs1_signature_prefix, and with slightly different behavior. * The file nettle-internal.c is no longer included in the library (the features defined there are used by the benchmark and test programs, and were never intended for public use). New features: * Support for the salsa20 stream cipher, including x86_64 assembler. Originally contributed by Simon Josefsson, based on the reference implementation, then further optimized. * Tentative interface for timing-resistant RSA functions, contributed by Nikos Mavrogiannopoulos. * A more general interface for PKCS#1 signatures, taking the input in the form of a "DigestInfo". Suggested by Nikos Mavrogiannopoulos. Configuration: * Building of shared libraries (./configure --enable-shared) is now enabled by default. * Various portability fixes for MacOS and M$ Windows. A lot of this work done by Martin Storsjö. * In particular, Nettle now hopefully works on 64-bit Windows builds, "W64", including the x86_64 assembly code. Miscellaneous: * Documentation and example programs for the base16 and base64 functions. Was contributed by Jeronimo Pellegrini back in 2006, but unfortunately forgotten until now. * Use an additional table to avoid GF2^8 multiplications in aes_invert_key (mainly used by aes_set_decrypt_key). Also tabulate round constants in aes_set_encrypt_key. * The nettle repository has been migrated from cvs to git, with a public repository at http://git.lysator.liu.se/nettle. To make it independent of the LSH repository, a few files have been moved around. While at it, files have also been converted from latin-1 to utf-8. The libraries are intended to be binary compatible with nettle-2.2 and later. The shared library names are libnettle.so.4.4 and libhogweed.so.2.2, with sonames still libnettle.so.4 and libhogweed.so.2 NEWS for the 2.4 release This is a bugfix release only. It turned out ripemd160 in the 2.3 release was broken on all big-endian systems, due to a missing include of config.h. nettle-2.4 fixes this. The library is intended to be binary compatible with nettle-2.2 and nettle-2.3. The shared library names are libnettle.so.4.3 and libhogweed.so.2.1, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.3 release * Support for the ripemd-160 hash function. * Generates and installs nettle.pc and hogweed.pc files, for use with pkg-config. Feedback appreciated. For projects using autoconf, the traditional non-pkg-config ways of detecting libraries, and setting LIBS and LDFLAGS, is still recommended. * Fixed a bug which made the testsuite fail in the GCM test on certain platforms. Should not affect any documented features of the library. * Reorganization of the code for the various Merkle-Damgård hash functions. Some fields in the context structs for md4, md5 and sha1 have been renamed, for consistency. Applications should not peek inside these structs, and the ABI is unchanged. * In the manual, fixed mis-placed const in certain function prototypes. The library is intended to be binary compatible with nettle-2.2. The shared library names are libnettle.so.4.2 and libhogweed.so.2.1, with sonames still libnettle.so.4 and libhogweed.so.2. NEWS for the 2.2 release Licensing change: * Relicensed as LGPL v2.1 or later (user's option). * Replaced blowfish and serpent implementation. New code is based on the LGPLed code in libgcrypt. New features: * Support for Galois/Counter Mode (GCM). * New interface for enumerating (most) available algorithms, contributed by Daniel Kahn Gillmor. * New tool nettle-hash. Can generate hash digests using any supported hash function, with output compatible with md5sum and friends from GNU coreutils. Checking (like md5sum -c) not yet implemented. Bug fixes: * The old serpent code had a byte order bug (introduced by yours truly about ten years ago). New serpent implementation does not interoperate with earlier versions of nettle. * Fixed ABI-dependent libdir default for Linux-based systems which do not follow the Linux File Hierarchy Standard, e.g., Debian GNU/Linux. Optimizations: * x86_64 implemention of serpent. * x86_64 implemention of camellia. * Optimized memxor using word rather than byte operations. Both generic C and x86_64 assembler. * Eliminated a memcpy for in-place CBC decrypt. Miscellaneous: * In command line tools, no longer support -? for requesting help, since using it without shell quoting is a dangerous habit. Use long option --help instead. The shared library names are libnettle.so.4.1 and libhogweed.so.2.1, with sonames libnettle.so.4 and libhogweed.so.2. NEWS for the 2.1 release *Important*: this release breaks source and binary compatibility for the digital signature functions, and for the DES and BLOWFISH ciphers which have weak keys. Incompatible changes: * The functions rsa_md5_sign, rsa_sha1_sign and rsa_sha256_sign, and the corresponding _digest variants, now have a return value which callers should check. The functions return failure if the key is too small for the type of signature. * The functions dsa_sign and dsa_verify are renamed to dsa_sha1_sign and dsa_sha1_verify. The _-digest variants are renamed similarly. These functions now have a return value which callers should check, and they return failure if the number q is not of the appropriate size. * The return value from des_set_key, des3_set_key and blowfish_set_key now indicates whether or not the given key is weak. But in either case, the key setup is done, and applications that don't care about weak keys can ignore the return value. The incompatible part of this change is that enum des_error and enum blowfish_error has been deleted, and so has the status attribute in struct des_ctx, struct des3_ctx, and struct blowfish_ctx. The shared library names are libnettle.so.4.0 and libhogweed.so.2.0, with sonames libnettle.so.4 and libhogweed.so.2. Other changes: * Support for the Camellia block cipher, including an assembler implementation for x86_32. * New function aes_invert_key, useful for applications that need both encryption and decryption using the same AES key. * des_set_key and des3_set_key no longer check the key parity bits. Parity bits are silently ignored. A new function des_check_parity is provided, for applications that care about the DES parity bits. * Support for sha224, sha384 and sha512. * Support for digital signatures using rsa-sha512 and dsa-sha256. Due to lack of official test vectors and interop testing, this support should be considered somewhat experimental. * Key generation for RSA and DSA changed to use Maurer's algorithm to generate provably prime numbers (as usual, the mathematical proof does not guaranteee that the implementation is bug free). * x86_64 assembler implementation actually included in the distribution (was accidentally left out in nettle-2.0). * Configure script now detects if the compiler uses a 32-bit or 64-bit ABI on x86_64 (prevously did this for sparc only). Also sets the default location for installing libraries (libdir) depending on system type and the ABI used. * Added the nettle and gmp libraries as dependencies when linking shared library libhogweed.so. On systems using shared libraries where such dependencies work (in particular, ELF systems), it is sufficient to link applications with -lhogweed. For static linking -lhogweed -lnettle -lgmp is still required. * The program pkcs1-conv is extended to also handle dsa keys. Contributed by Magnus Holmgren. * Slightly improved sha1 performance on x86. NEWS for the 2.0 release This release breaks binary compatibility by splitting the library into two. Some other smaller changes that are not backwards compatible are also done at the same time. * The nettle library is split into two libraries, libnettle and libhogweed. libnettle contains the symmetric crypto algorithms that don't depend on GMP, while libhogweed contains the public key algorithms that depend on GMP. Using a single library worked fine with static linking, but not with dynamic linking. Consider an application that uses nettle and which doesn't use any public key cryptography. If this application is linked dynamically to nettle, it would have to be linked also with GMP if and only if public key support was enabled when the nettle library was installed. The library names are libnettle.so.3.0 and libhogweed.so.1.0, with sonames libnettle.so.3 and libhogweed.so.1. * Function typedefs have been changed to non-pointer types. E.g, the typedef void (nettle_hash_init_func *)(void *ctx); of previous versions is replaced by typedef void (nettle_hash_init_func)(void *ctx); This makes it possible to use the type when declaring functions, like nettle_hash_init_func foo_hash_init; void foo_hash_init(void *ctx) { ... } * Changes to the yarrow256 interface. The automatic seed file generation, and the seed_file member in struct yarrow256_ctx, has been removed. To generate a new seed file, use yarrow256_random. The function yarrow256_force_reseed has been replaced by the two functions yarrow256_fast_reseed and yarrow256_slow_reseed, which were previously static. This interface change makes it easier to mix in the current content of the seed file before overwriting it with newly generated data. Other changes: * Nettle manual now contributed to the public domain, to enable remixing into documentation of programs that use Nettle. * The sexp-conv program preserves comments when using the advanced syntax for output. Optionally locks the output file. * The base64 decoder recognizes ASCII FF (form feed) and VT (vertical tab) as white space. * New x86_64 implementations of AES and SHA1. On a 2.2 GHz opteron, SHA1 was benchmarked at 250 MByte/s, and AES-128 at 110 MByte/s. * Performance of AES increased by 20-30% on x86. * New programs in the examples directory: erathostenes and next-prime. NEWS for the 1.15 release Added support for PKCS#1 style RSA signatures using SHA256, according to RFC 3447. Currently lacks interoperability testing. Header files are now C++ aware, so C++ programs using Nettle should now use plain #include rather than #extern "C" { #include } as was the recommendation for the previous version. This breaks source-level compatibility with C++, even though there's full binary compatibility. The file rfc1750.txt (which is considered non-free by debian) has been removed from the distribution. The file was used as input for the Yarrow testcase, and has been replaced by the short story "The Gold-bug" by Edgar Allan Poe. Anyway, RFC 1750 is obsoleted by RFC 4086. Fixes for Darwin shared library support, contributed by Grant Robinsson. Example programs now use a supplied getopt.c. Configure tests for assemblers with a logarithmic .align directive. The library is intended to be upwards binary compatible with earlier versions. The library name is libnettle.so.2.6, soname is still libnettle.so.2. NEWS for the 1.14 release Experimental support for reading keys in PKCS#1 ASN1/DER format, and a new command line tool pkcs1-conv. Improved MD5 performance on x86. Fixed support for sparc64. Reorganized AES code. Better performance for all three implementations (C, x86 assembler, sparc assembler). New sparc assembler for arcfour. Compared to the code generated by gcc, the new code is about 25% faster on old sparcs, and 6 times faster on ultrasparc. Replaced the internal function nettle_mpz_from_octets with a call to mpz_import, if available in the installed GMP library. More Makefile fixes; it now seems to work to build with the the make programs on Solaris and FreeBSD (although --disable-dependency-tracking is required for the latter). The library is intended to be binary compatible with earlier versions. The library name is libnettle.so.2.5, soname is still libnettle.so.2. NEWS for the 1.13 release Fixed problem with broken m4 on bsd, which resulted in corrupted x86 assembler for sha1. Nettle probably works on windows: I've been able to cross compile it with ./configure --host=i586-mingw32msvc (without public-key support), and the testsuite binaries seem to run fine in Wine. Implemented CTR mode. Improved sha1 performance on x86. Configure check to figure out if symbols in assembler files need a leading underscore. Improved benchmark program. Displays cycles per byte and block, and compares with openssl (if openssl is installed). Terminating newline in output from sexp-conv --hash. The library is intended to be binary compatible with earlier versions. The library name is libnettle.so.2.4. However, the interface for the internal function _nettle_sha1_compress has changed; any program that calls this function directly will break. NEWS for the 1.12 release Fixed a bug in the configure script. Updated the description of aes_set_encrypt_key and aes_set_decrypt_key in the manual. NEWS for the 1.11 release Nettle no longer uses automake. Side effects: * Dependency tracking is enabled only for gcc-3 (help with supporting dependency tracking with other compilers is appreciated). * Makefile compatibility with make programs other than GNU make is mostly unknown, please report any problems. Support for arctwo. Fixes to the libdes compatibility code. Declarations should now match openssl/libdes better. des_cbc_cksum pads input with NUL's, if it's not an integral number of blocks (in general, such unreversible padding is a bad idea). By default, also the static library is compiled as position independent code. This is needed on some systems to make it possible to link nettle into a dynamically loaded module. Use the configure flag --disable-pic if this is not desired. Stricter constness typing for the sexp_iterator_assoc and sexp_iterator_check_types arguments. Minor tweaks of arcfour on x86 cpu:s, to speed it up on older x86 variants such as PII and PPro. The shared library is intended to be binary compatible with nettle-1.8 - nettle-1.10. Only the minor version number of the shared library is increased. The soname is still libnettle.so.2. NEWS for the 1.10 release Nettle should now compile also on Tru64, Darwin, FreeBSD and Windows. (The only tested windows build uses the rntcl rsh wrapper to run the command line M$ C compiler "cl". See http://pike.ida.liu.se for those tools, I don't know all details about the Pike team's windows setup). There are some known testsuite failures, on Windows and on one of the xenofarm HPUX machines, see http://www.lysator.liu.se/~nisse/xeno-lsh/latest.html. Help tracking these down is appreciated. There are no new features. This release is intended to be binary compatible with nettle-1.8 and nettle-1.9. NEWS for the 1.9 release Optimized C implementation of arcfour. Optimized x86 implementations of arcfour and sha1. Improved benchmark program. Fixed bug in the rsa-encrypt example program. Fixed bug in make install, some of the header files were forgotten. Portability fixes. Fixes to make Nettle compile on systems without gmp. This version has been tested on GNU/Linux, Solaris, HPUX and AIX. The shared library is intended to be binary compatible with nettle-1.8. Only the minor version number of the shared library is increased. NEWS for the 1.8 release New example programs, demonstrating encrypting and decrypting files using RSA, and random sessions keys for bulk encryption and message authentication. Support for systems that don't have alloca. On such systems, some of Nettle's functions have arbitrary limits applied to their input. Uses AX_CREATE_STDINT_H, to support systems without inttypes.h. Support for the md2 and md4 hash functions. New name mangling, to reduce the risk of link collisions. All functions (except memxor) now use a nettle_ or _nettle_ prefix when seen by the linker. For most functions, the header file that declares a function also uses #define to provide a shorter more readable name without the prefix. The shared library soname for this version is libnettle.so.2. NEWS for the 1.7 release Implemented DSA. Renamed RSA functions for consistency. Now it's rsa_public_key_init, not rsa_init_public_key, etc. Both RSA and DSA now have sign/verify functions that take the hash digest as argument. A rewritten and much more powerful sexp-conv program. Other changes to the sexp code, in particular updating it to the latest SPKI draft. Building nettle as a shared library (ELF only) seems to work. The version number is increased, so the library "soname" for this release is "libnettle.so.1". Bugfixes. Fixes for build and portability problems. NEWS for the 1.6 release Optimized assembler implementations of aes, for sparc and x86. The aes interface has changed slightly. The function aes_set_key is no more. Instead one has to use aes_set_encrypt_key or aes_set_decrypt_key. Sorry about that. New example programs, rsa-keygen, rsa-sign and rsa-verify, located in the examples directory. New configure option --enable-shared, which builds a shared library. Not tested. New experimental features, including sexp parsing and formatting, and changes to base64 encoding and decoding. The interfaces to these functions are subject to change, and are documented only in the source code. NEWS for the 1.5 release RSA support. Key generation and signatures. Support for HMAC (RFC-2104). An implementation of the Yarrow-256 PRNG. New sections in the manual. Changed the interface for hash functions. The md5_digest function is now equivalent to the old sequence of md5_final, md5_digest, md5_init, and similarly for the other hashing algorithms. This makes the interface simpler. NEWS for the 1.0 release Fixed twofish bug spotted by Jean-Pierre Stierlin. Added des3 and cbc. New RFC-1321-like interface in nettle/md5-compat.h, suggested by Assar Westerlund. New libdes-style compatibility interface in nettle/des-compat.h. nettle-3.10/xts-aes128.c0000644000175000017500000000457114633602171013751 0ustar nissenisse/* xts-aes128.c XTS Mode using AES128 as the underlying cipher. Copyright (C) 2018 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" #include "xts.h" void xts_aes128_set_encrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key) { aes128_set_encrypt_key(&xts_key->cipher, key); aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]); } void xts_aes128_set_decrypt_key(struct xts_aes128_key *xts_key, const uint8_t *key) { aes128_set_decrypt_key(&xts_key->cipher, key); aes128_set_encrypt_key(&xts_key->tweak_cipher, &key[AES128_KEY_SIZE]); } void xts_aes128_encrypt_message(const struct xts_aes128_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { xts_encrypt_message(&xts_key->cipher, &xts_key->tweak_cipher, (nettle_cipher_func *) aes128_encrypt, tweak, length, dst, src); } void xts_aes128_decrypt_message(const struct xts_aes128_key *xts_key, const uint8_t *tweak, size_t length, uint8_t *dst, const uint8_t *src) { xts_decrypt_message(&xts_key->cipher, &xts_key->tweak_cipher, (nettle_cipher_func *) aes128_decrypt, (nettle_cipher_func *) aes128_encrypt, tweak, length, dst, src); } nettle-3.10/hmac-sha512-meta.c0000644000175000017500000000245514633602171014766 0ustar nissenisse/* hmac-sha512-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha512_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha512_set_key (ctx, SHA512_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha512 = _NETTLE_HMAC(hmac_sha512, SHA512); nettle-3.10/nettle.info0000644000175000017500000130200014633602172014124 0ustar nissenisseThis is nettle.info, produced by makeinfo version 6.8 from nettle.texinfo. This manual is for the Nettle library (version 3.9), a low-level cryptographic library. Originally written 2001 by Niels Möller, updated 2023. This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required. INFO-DIR-SECTION Encryption START-INFO-DIR-ENTRY * Nettle: (nettle). A low-level cryptographic library. END-INFO-DIR-ENTRY  File: nettle.info, Node: Top, Next: Introduction, Up: (dir) Nettle ****** This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application. This manual is for the Nettle library (version 3.9), a low-level cryptographic library. Originally written 2001 by Niels Möller, updated 2023. This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required. * Menu: * Introduction:: What is Nettle? * Copyright:: Your rights. * Conventions:: General interface conventions. * Example:: An example program. * Linking:: Linking with libnettle and libhogweed. * Compatibility:: On API and ABI compatibility between versions. * Reference:: All Nettle functions and features. * Nettle soup:: For the serious nettle hacker. * Installation:: How to install Nettle. * Index:: Function and concept index. — The Detailed Node Listing — Reference * Hash functions:: * Cipher functions:: * Cipher modes:: * Authenticated encryption:: * Keyed hash functions:: * Key derivation functions:: * Public-key algorithms:: * Randomness:: * ASCII encoding:: * Miscellaneous functions:: * Compatibility functions:: Hash functions * Recommended hash functions:: * Miscellaneous hash functions:: * Legacy hash functions:: * nettle_hash abstraction:: Cipher functions * AES:: * Arcfour:: * Arctwo:: * Blowfish:: * Camellia:: * CAST128:: * ChaCha:: * DES:: * DES3:: * Salsa20:: * Serpent:: * SM4:: * Twofish:: * nettle_cipher abstraction:: Cipher modes * CBC:: * CTR:: * CFB and CFB8:: * XTS:: Authenticated encryption with associated data * EAX:: * GCM:: * CCM:: * ChaCha-Poly1305:: * OCB:: * SIV-CMAC:: * SIV-GCM:: * nettle_aead abstraction:: Keyed Hash Functions * HMAC:: * UMAC:: * CMAC:: * Poly1305:: Public-key algorithms * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA Elliptic curves * Side-channel silence:: * ECDSA:: * GOSTDSA:: * Curve 25519 and Curve 448::  File: nettle.info, Node: Introduction, Next: Copyright, Prev: Top, Up: Top 1 Introduction ************** Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a _simple_ but general interface to it. In particular, Nettle doesn’t do algorithm selection. It doesn’t do memory allocation. It doesn’t do any I/O. The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library. This manual explains how to use the Nettle library. It also tries to provide some background on the cryptography, and advice on how to best put it to use.  File: nettle.info, Node: Copyright, Next: Conventions, Prev: Introduction, Up: Top 2 Copyright *********** Nettle is dual licenced under the GNU General Public License version 2 or later, and the GNU Lesser General Public License version 3 or later. When using Nettle, you must comply fully with all conditions of at least one of these licenses. A few of the individual files are licensed under more permissive terms, or in the public domain. To find the current status of particular files, you have to read the copyright notices at the top of the files. This manual is in the public domain. You may freely copy it in whole or in part, e.g., into documentation of programs that build on Nettle. Attribution, as well as contribution of improvements to the text, is of course appreciated, but it is not required.  File: nettle.info, Node: Conventions, Next: Example, Prev: Copyright, Up: Top 3 Conventions ************* For each supported algorithm, there is an include file that defines a _context struct_, a few constants, and declares functions for operating on the context. The context struct encapsulates all information needed by the algorithm, and it can be copied or moved in memory with no unexpected effects. For consistency, functions for different algorithms are very similar, but there are some differences, for instance reflecting if the key setup or encryption function differ for encryption and decryption, and whether or not key setup can fail. There are also differences between algorithms that don’t show in function prototypes, but which the application must nevertheless be aware of. There is no big difference between the functions for stream ciphers and for block ciphers, although they should be used quite differently by the application. If your application uses more than one algorithm of the same type, you should probably create an interface that is tailor-made for your needs, and then write a few lines of glue code on top of Nettle. By convention, for an algorithm named ‘foo’, the struct tag for the context struct is ‘foo_ctx’, constants and functions uses prefixes like ‘FOO_BLOCK_SIZE’ (a constant) and ‘foo_set_key’ (a function). In all functions, strings are represented with an explicit length, of type ‘size_t’, and a pointer of type ‘uint8_t *’ or ‘const uint8_t *’. For functions that transform one string to another, the argument order is length, destination pointer and source pointer. Source and destination areas are usually of the same length. When they differ, e.g., for ‘ccm_encrypt_message’, the length argument specifies the size of the destination area. Source and destination pointers may be equal, so that you can process strings in place, but source and destination areas _must not_ overlap in any other way. Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure.  File: nettle.info, Node: Example, Next: Linking, Prev: Conventions, Up: Top 4 Example ********* A simple example program that reads a file from standard input and writes its SHA1 check-sum on standard output should give the flavor of Nettle. #include #include #include #define BUF_SIZE 1000 static void display_hex(unsigned length, uint8_t *data) { unsigned i; for (i = 0; i’. -- Context struct: struct sha256_ctx -- Constant: SHA256_DIGEST_SIZE The size of a SHA256 digest, i.e. 32. -- Constant: SHA256_BLOCK_SIZE The internal block size of SHA256. Useful for some special constructions, in particular HMAC-SHA256. -- Function: void sha256_init (struct sha256_ctx *CTX) Initialize the SHA256 state. -- Function: void sha256_update (struct sha256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha256_digest (struct sha256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA256_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘sha256_init’. -- Function: void sha256_compress (const uint32_t *STATE, uint8_t *INPUT) Perform a raw SHA256 compress on SHA256_BLOCK_SIZE bytes fromINPUT using STATE as IV (an array of 8 uint32_t). The output is stored in STATE. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA256). Earlier versions of nettle defined SHA256 in the header file ‘’, which is now deprecated, but kept for compatibility. 7.1.1.2 SHA224 .............. SHA224 is a variant of SHA256, with a different initial state, and with the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in ‘’ (and in ‘’, for backwards compatibility). -- Context struct: struct sha224_ctx -- Constant: SHA224_DIGEST_SIZE The size of a SHA224 digest, i.e. 28. -- Constant: SHA224_BLOCK_SIZE The internal block size of SHA224. Useful for some special constructions, in particular HMAC-SHA224. -- Function: void sha224_init (struct sha224_ctx *CTX) Initialize the SHA224 state. -- Function: void sha224_update (struct sha224_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha224_digest (struct sha224_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA224_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘sha224_init’. 7.1.1.3 SHA512 .............. SHA512 is a larger sibling to SHA256, with a very similar structure but with both the output and the internal variables of twice the size. The internal variables are 64 bits rather than 32, making it significantly slower on 32-bit computers. It outputs hash values of 512 bits, or 64 octets. Nettle defines SHA512 in ‘’ (and in ‘’, for backwards compatibility). -- Context struct: struct sha512_ctx -- Constant: SHA512_DIGEST_SIZE The size of a SHA512 digest, i.e. 64. -- Constant: SHA512_BLOCK_SIZE The internal block size of SHA512, 128. Useful for some special constructions, in particular HMAC-SHA512. -- Function: void sha512_init (struct sha512_ctx *CTX) Initialize the SHA512 state. -- Function: void sha512_update (struct sha512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha512_digest (struct sha512_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA512_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘sha512_init’. -- Function: void sha512_compress (const uint64_t *STATE, uint8_t *INPUT) Perform a raw SHA512 compress on SHA512_BLOCK_SIZE bytes from INPUT using STATE as IV (an array of 8 uint64_t). The output is stored in STATE. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA512). 7.1.1.4 SHA384 and other variants of SHA512 ........................................... Several variants of SHA512 have been defined, with a different initial state, and with the output truncated to shorter length than 512 bits. Naming is a bit confused, these algorithms are called SHA512-224, SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, respectively. Nettle defines these in ‘’ (and in ‘’, for backwards compatibility). -- Context struct: struct sha512_224_ctx -- Context struct: struct sha512_256_ctx -- Context struct: struct sha384_ctx These context structs are all the same as sha512_ctx. They are defined as simple preprocessor aliases, which may cause some problems if used as identifiers for other purposes. So avoid doing that. -- Constant: SHA512_224_DIGEST_SIZE -- Constant: SHA512_256_DIGEST_SIZE -- Constant: SHA384_DIGEST_SIZE The digest size for each variant, i.e., 28, 32, and 48, respectively. -- Constant: SHA512_224_BLOCK_SIZE -- Constant: SHA512_256_BLOCK_SIZE -- Constant: SHA384_BLOCK_SIZE The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for some special constructions, in particular HMAC-SHA384. -- Function: void sha512_224_init (struct sha512_224_ctx *CTX) -- Function: void sha512_256_init (struct sha512_256_ctx *CTX) -- Function: void sha384_init (struct sha384_ctx *CTX) Initialize the context struct. -- Function: void sha512_224_update (struct sha512_224_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void sha512_256_update (struct sha512_256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void sha384_update (struct sha384_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. These are all aliases for sha512_update, which does the same thing. -- Function: void sha512_224_digest (struct sha512_224_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void sha512_256_digest (struct sha512_256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void sha384_digest (struct sha384_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than the specified digest size, in which case only the first LENGTH octets of the digest are written. These function also reset the context in the same way as the corresponding init function. 7.1.1.5 SHA3-224 ................ The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are very similar to SHA1. SHA3 is a result of a competition, where the winner, also known as Keccak, was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits (28, 32, 48 and 64 octets, respectively). In August 2015, it was formally standardized by NIST, as FIPS 202, . Note that the SHA3 implementation in earlier versions of Nettle was based on the specification at the time Keccak was announced as the winner of the competition, which is incompatible with the final standard and hence with current versions of Nettle. The ‘nette/sha3.h’ defines a preprocessor symbol ‘NETTLE_SHA3_FIPS202’ to indicate conformance with the standard. -- Constant: NETTLE_SHA3_FIPS202 Defined to 1 in Nettle versions supporting FIPS 202. Undefined in earlier versions. Nettle defines SHA3-224 in ‘’. -- Context struct: struct sha3_224_ctx -- Constant: SHA3_224_DIGEST_SIZE The size of a SHA3_224 digest, i.e., 28. -- Constant: SHA3_224_BLOCK_SIZE The internal block size of SHA3_224. -- Function: void sha3_224_init (struct sha3_224_ctx *CTX) Initialize the SHA3-224 state. -- Function: void sha3_224_update (struct sha3_224_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_224_digest (struct sha3_224_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA3_224_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context. 7.1.1.6 SHA3-256 ................ This is SHA3 with 256-bit output size, and possibly the most useful of the SHA3 hash functions. Nettle defines SHA3-256 in ‘’. -- Context struct: struct sha3_256_ctx -- Constant: SHA3_256_DIGEST_SIZE The size of a SHA3_256 digest, i.e., 32. -- Constant: SHA3_256_BLOCK_SIZE The internal block size of SHA3_256. -- Function: void sha3_256_init (struct sha3_256_ctx *CTX) Initialize the SHA3-256 state. -- Function: void sha3_256_update (struct sha3_256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_256_digest (struct sha3_256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA3_256_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context. 7.1.1.7 SHA3-384 ................ This is SHA3 with 384-bit output size. Nettle defines SHA3-384 in ‘’. -- Context struct: struct sha3_384_ctx -- Constant: SHA3_384_DIGEST_SIZE The size of a SHA3_384 digest, i.e., 48. -- Constant: SHA3_384_BLOCK_SIZE The internal block size of SHA3_384. -- Function: void sha3_384_init (struct sha3_384_ctx *CTX) Initialize the SHA3-384 state. -- Function: void sha3_384_update (struct sha3_384_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_384_digest (struct sha3_384_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA3_384_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context. 7.1.1.8 SHA3-512 ................ This is SHA3 with 512-bit output size. Nettle defines SHA3-512 in ‘’. -- Context struct: struct sha3_512_ctx -- Constant: SHA3_512_DIGEST_SIZE The size of a SHA3_512 digest, i.e. 64. -- Constant: SHA3_512_BLOCK_SIZE The internal block size of SHA3_512. -- Function: void sha3_512_init (struct sha3_512_ctx *CTX) Initialize the SHA3-512 state. -- Function: void sha3_512_update (struct sha3_512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_512_digest (struct sha3_512_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA3_512_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context. 7.1.1.9 SHAKE ............. In addition to those SHA-3 hash functions, Nettle also supports a SHA-3 extendable-output function (XOF) called SHAKE. Unlike hash functions, SHAKE can produce an output digest of any desired length. There are two variants, SHAKE-128 and SHAKE-256, with different security strengths in terms of collision or preimage resistance: SHAKE-128 internally uses a SHA-3 hash function with 128-bit security, while SHAKE-256 corresponds to SHA3-256 which provides 256-bit security. To use SHAKE, the context struct needs to be initialized with the ‘init’ function and data is hashed using the ‘update’ function. Afterwards, a digest can be generated using either the ‘shake’ or ‘shake_ouput’ function, where the former generates the digest at once and resets the context, while the latter can be called multiple times to generate the digest in an incremental manner. For SHAKE-128 they are defined as follows. -- Context struct: struct sha3_128_ctx -- Function: void sha3_128_init (struct sha3_128_ctx *CTX) Initialize the SHA3-256 state. -- Function: void sha3_128_update (struct sha3_128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha3_128_shake (struct sha3_128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and produces a SHAKE-128 digest, writing it to DIGEST. LENGTH can be of arbitrary size. This function also resets the context. -- Function: void sha3_128_shake_output (struct sha3_128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and produces a SHAKE-128 digest, writing it to DIGEST. LENGTH can be of arbitrary size. This function does not reset the context. For SHAKE-256, the corresponding context struct and the ‘init’ and ‘update’ functions are the same as SHA3-256. To generate a digest, use either the ‘shake’ or ‘shake_output’ function. -- Function: void sha3_256_shake (struct sha3_256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and produces a SHAKE-256 digest, writing it to DIGEST. LENGTH can be of arbitrary size. This function also resets the context. -- Function: void sha3_256_shake_output (struct sha3_256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and produces a SHAKE-256 digest, writing it to DIGEST. LENGTH can be of arbitrary size. This function does not reset the context.  File: nettle.info, Node: Miscellaneous hash functions, Next: Legacy hash functions, Prev: Recommended hash functions, Up: Hash functions 7.1.2 Miscellaneous hash functions ---------------------------------- 7.1.2.1 STREEBOG512 ................... STREEBOG512 is a member of the Streebog (GOST R 34.11-2012) family. It outputs hash values of 512 bits, or 64 octets. Nettle defines STREEBOG512 in ‘’. -- Context struct: struct streebog512_ctx -- Constant: STREEBOG512_DIGEST_SIZE The size of a STREEBOG512 digest, i.e. 64. -- Constant: STREEBOG512_BLOCK_SIZE The internal block size of STREEBOG512. Useful for some special constructions, in particular HMAC-STREEBOG512. -- Function: void streebog512_init (struct streebog512_ctx *CTX) Initialize the STREEBOG512 state. -- Function: void streebog512_update (struct streebog512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void streebog512_digest (struct streebog512_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘STREEBOG512_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘streebog512_init’. 7.1.2.2 STREEBOG256 ................... STREEBOG256 is a variant of STREEBOG512, with a different initial state, and with the output truncated to 256 bits, or 32 octets. Nettle defines STREEBOG256 in ‘’. -- Context struct: struct streebog256_ctx -- Constant: STREEBOG256_DIGEST_SIZE The size of a STREEBOG256 digest, i.e. 32. -- Constant: STREEBOG256_BLOCK_SIZE The internal block size of STREEBOG256. Useful for some special constructions, in particular HMAC-STREEBOG256. -- Function: void streebog256_init (struct streebog256_ctx *CTX) Initialize the STREEBOG256 state. -- Function: void streebog256_update (struct streebog256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void streebog256_digest (struct streebog256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘STREEBOG256_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘streebog256_init’. 7.1.2.3 SM3 ........... SM3 is a cryptographic hash function standard adopted by the government of the People’s Republic of China, which was issued by the Cryptography Standardization Technical Committee of China on December 17, 2010. The corresponding standard is GM/T 0004-2012 "SM3 Cryptographic Hash Algorithm". SM3 algorithm is a hash algorithm in ShangMi cryptosystems. SM3 is mainly used for digital signature and verification, message authentication code generation and verification, random number generation, and the RFC 8998 specification defines the usage of ShangMi algorithm suite in TLS 1.3, etc. According to the State Cryptography Administration of China, its security and efficiency are equivalent to SHA-256. Nettle defines SM3 in ‘’. -- Context struct: struct sm3_ctx -- Constant: SM3_DIGEST_SIZE The size of a SM3 digest, i.e. 32. -- Constant: SM3_BLOCK_SIZE The internal block size of SM3. Useful for some special constructions, in particular HMAC-SM3. -- Function: void sm3_init (struct sm3_ctx *CTX) Initialize the SM3 state. -- Function: void sm3_update (struct sm3_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sm3_digest (struct sm3_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SM3_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘sm3_init’.  File: nettle.info, Node: Legacy hash functions, Next: nettle_hash abstraction, Prev: Miscellaneous hash functions, Up: Hash functions 7.1.3 Legacy hash functions --------------------------- The hash functions in this section all have some known weaknesses, and should be avoided for new applications. These hash functions are mainly useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even HMAC-MD5. In some important cases, use of a “legacy” hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model. 7.1.3.1 MD5 ........... MD5 is a message digest function constructed by Ronald Rivest, and described in ‘RFC 1321’. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD5 in ‘’. -- Context struct: struct md5_ctx -- Constant: MD5_DIGEST_SIZE The size of an MD5 digest, i.e. 16. -- Constant: MD5_BLOCK_SIZE The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5. -- Function: void md5_init (struct md5_ctx *CTX) Initialize the MD5 state. -- Function: void md5_update (struct md5_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void md5_digest (struct md5_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘MD5_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘md5_init’. -- Function: void md5_compress (const uint32_t *STATE, uint8_t *INPUT) Perform a raw MD5 compress on MD5_BLOCK_SIZE bytes from INPUT using STATE as IV (an array of 4 uint32_t). The output is stored in STATE. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard MD5). The normal way to use MD5 is to call the functions in order: First ‘md5_init’, then ‘md5_update’ zero or more times, and finally ‘md5_digest’. After ‘md5_digest’, the context is reset to its initial state, so you can start over calling ‘md5_update’ to hash new data. To start over, you can call ‘md5_init’ at any time. 7.1.3.2 MD2 ........... MD2 is another hash function of Ronald Rivest’s, described in ‘RFC 1319’. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD2 in ‘’. -- Context struct: struct md2_ctx -- Constant: MD2_DIGEST_SIZE The size of an MD2 digest, i.e. 16. -- Constant: MD2_BLOCK_SIZE The internal block size of MD2. -- Function: void md2_init (struct md2_ctx *CTX) Initialize the MD2 state. -- Function: void md2_update (struct md2_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void md2_digest (struct md2_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘MD2_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘md2_init’. 7.1.3.3 MD4 ........... MD4 is a predecessor of MD5, described in ‘RFC 1320’. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD4 in ‘’. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols. -- Context struct: struct md4_ctx -- Constant: MD4_DIGEST_SIZE The size of an MD4 digest, i.e. 16. -- Constant: MD4_BLOCK_SIZE The internal block size of MD4. -- Function: void md4_init (struct md4_ctx *CTX) Initialize the MD4 state. -- Function: void md4_update (struct md4_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void md4_digest (struct md4_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘MD4_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘md4_init’. 7.1.3.4 RIPEMD160 ................. RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined RIPEMD160 in ‘nettle/ripemd160.h’. -- Context struct: struct ripemd160_ctx -- Constant: RIPEMD160_DIGEST_SIZE The size of a RIPEMD160 digest, i.e. 20. -- Constant: RIPEMD160_BLOCK_SIZE The internal block size of RIPEMD160. -- Function: void ripemd160_init (struct ripemd160_ctx *CTX) Initialize the RIPEMD160 state. -- Function: void ripemd160_update (struct ripemd160_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void ripemd160_digest (struct ripemd160_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘RIPEMD160_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘ripemd160_init’. 7.1.3.5 SHA1 ............ SHA1 is a hash function specified by “NIST” (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets. Nettle defines SHA1 in ‘’ (and in ‘’, for backwards compatibility). -- Context struct: struct sha1_ctx -- Constant: SHA1_DIGEST_SIZE The size of a SHA1 digest, i.e. 20. -- Constant: SHA1_BLOCK_SIZE The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1. -- Function: void sha1_init (struct sha1_ctx *CTX) Initialize the SHA1 state. -- Function: void sha1_update (struct sha1_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void sha1_digest (struct sha1_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘SHA1_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘sha1_init’. -- Function: void sha1_compress (const uint32_t *STATE, uint8_t *INPUT) Perform a raw SHA1 compress on SHA1_BLOCK_SIZE bytes from INPUT using STATE as IV (an array of 5 uint32_t). The output is stored in STATE. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA1). 7.1.3.6 GOSTHASH94 and GOSTHASH94CP ................................... The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see ‘RFC 4357’). It outputs message digests of 256 bits, or 32 octets. The standard itself does not fix the S-box used by the hash algorith, so there are two popular variants (the testing S-box from the standard itself and the S-box defined by CryptoPro company, see RFC 4357). Nettle provides support for the former S-box in the form of GOSTHASH94 hash algorithm and for the latter in the form of GOSTHASH94CP hash algorithm. Nettle defines GOSTHASH94 and GOSTHASH94CP in ‘’. -- Context struct: struct gosthash94_ctx -- Constant: GOSTHASH94_DIGEST_SIZE The size of a GOSTHASH94 digest, i.e. 32. -- Constant: GOSTHASH94_BLOCK_SIZE The internal block size of GOSTHASH94, i.e., 32. -- Function: void gosthash94_init (struct gosthash94_ctx *CTX) Initialize the GOSTHASH94 state. -- Function: void gosthash94_update (struct gosthash94_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void gosthash94_digest (struct gosthash94_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘GOSTHASH94_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘gosthash94_init’. -- Context struct: struct gosthash94cp_ctx -- Constant: GOSTHASH94CP_DIGEST_SIZE The size of a GOSTHASH94CP digest, i.e. 32. -- Constant: GOSTHASH94CP_BLOCK_SIZE The internal block size of GOSTHASH94CP, i.e., 32. -- Function: void gosthash94cp_init (struct gosthash94cp_ctx *CTX) Initialize the GOSTHASH94CP state. -- Function: void gosthash94cp_update (struct gosthash94cp_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Hash some more data. -- Function: void gosthash94cp_digest (struct gosthash94cp_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Performs final processing and extracts the message digest, writing it to DIGEST. LENGTH may be smaller than ‘GOSTHASH94CP_DIGEST_SIZE’, in which case only the first LENGTH octets of the digest are written. This function also resets the context in the same way as ‘gosthash94cp_init’.  File: nettle.info, Node: nettle_hash abstraction, Prev: Legacy hash functions, Up: Hash functions 7.1.4 The ‘struct nettle_hash’ abstraction ------------------------------------------ Nettle includes a struct including information about the supported hash functions. It is defined in ‘’, and is used by Nettle’s implementation of HMAC (*note Keyed hash functions::). -- Meta struct: struct nettle_hash name context_size digest_size block_size init update digest The last three attributes are function pointers, of types ‘nettle_hash_init_func *’, ‘nettle_hash_update_func *’, and ‘nettle_hash_digest_func *’. The first argument to these functions is ‘void *’ pointer to a context struct, which is of size ‘context_size’. -- Constant Struct: struct nettle_hash nettle_md2 -- Constant Struct: struct nettle_hash nettle_md4 -- Constant Struct: struct nettle_hash nettle_md5 -- Constant Struct: struct nettle_hash nettle_ripemd160 -- Constant Struct: struct nettle_hash nettle_sha1 -- Constant Struct: struct nettle_hash nettle_sha224 -- Constant Struct: struct nettle_hash nettle_sha256 -- Constant Struct: struct nettle_hash nettle_sha384 -- Constant Struct: struct nettle_hash nettle_sha512 -- Constant Struct: struct nettle_hash nettle_sha3_256 -- Constant Struct: struct nettle_hash nettle_gosthash94 -- Constant Struct: struct nettle_hash nettle_gosthash94cp -- Constant Struct: struct nettle_hash nettle_sm3 These are all the hash functions that Nettle implements. Nettle also exports a list of all these hashes. -- Function: const struct nettle_hash ** nettle_get_hashes (void) Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms. -- Macro: nettle_hashes A macro expanding to a call to nettle_get_hashes, so that one could write, e.g., ‘nettle_hashes[0]->name’ for the name of the first hash function on the list. In earlier versions, this was not a macro but the actual array of pointers. However, referring directly to the array makes the array size leak into the ABI in some cases.  File: nettle.info, Node: Cipher functions, Next: Cipher modes, Prev: Hash functions, Up: Reference 7.2 Cipher functions ==================== A “cipher” is a function that takes a message or “plaintext” and a secret “key” and transforms it to a “ciphertext”. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key. There are two main classes of ciphers: Block ciphers and stream ciphers. A block cipher can process data only in fixed size chunks, called “blocks”. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That mode of operation is called “ECB”, Electronic Code Book mode. However, using ECB is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the cipher is some “feedback mode”, “CBC” (Cipher Block Chaining) and “CTR” (Counter mode) being two of of the most popular. See *Note Cipher modes::, for information on how to apply CBC and CTR with Nettle. A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of N octets, you key the generator, generate N octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered. *Caution:* The first rule for this kind of cipher is the same as for a One Time Pad: _never_ ever use the same key twice. A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was your friend that wrote the message you’re reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of the blocks. Even if the attacker can’t decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in CBC mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message. It is recommended to _always_ use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like HMAC-SHA1 (*note Keyed hash functions::), or digital signatures like RSA. Some ciphers have so called “weak keys”, keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that have weak keys. There are several good ciphers that don’t have any weak keys. To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known as “key setup”. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption. * Menu: * AES:: * Arcfour:: * Arctwo:: * Blowfish:: * Camellia:: * CAST128:: * ChaCha:: * DES:: * DES3:: * Salsa20:: * Serpent:: * SM4:: * Twofish:: * nettle_cipher abstraction::  File: nettle.info, Node: AES, Next: Arcfour, Up: Cipher functions 7.2.1 AES --------- AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen. Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in ‘’, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, ‘struct aes_ctx’, for all key sizes. This interface kept for backwards compatibility). -- Context struct: struct aes128_ctx -- Context struct: struct aes192_ctx -- Context struct: struct aes256_ctx -- Context struct: struct aes_ctx Alternative struct, for the old AES interface. -- Constant: AES_BLOCK_SIZE The AES block-size, 16. -- Constant: AES128_KEY_SIZE -- Constant: AES192_KEY_SIZE -- Constant: AES256_KEY_SIZE -- Constant: AES_MIN_KEY_SIZE -- Constant: AES_MAX_KEY_SIZE -- Constant: AES_KEY_SIZE Default AES key size, 32. -- Function: void aes128_set_encrypt_key (struct aes128_ctx *CTX, const uint8_t *KEY) -- Function: void aes128_set_decrypt_key (struct aes128_ctx *CTX, const uint8_t *KEY) -- Function: void aes192_set_encrypt_key (struct aes192_ctx *CTX, const uint8_t *KEY) -- Function: void aes192_set_decrypt_key (struct aes192_ctx *CTX, const uint8_t *KEY) -- Function: void aes256_set_encrypt_key (struct aes256_ctx *CTX, const uint8_t *KEY) -- Function: void aes256_set_decrypt_key (struct aes256_ctx *CTX, const uint8_t *KEY) -- Function: void aes_set_encrypt_key (struct aes_ctx *CTX, size_t LENGTH, const uint8_t *KEY) -- Function: void aes_set_decrypt_key (struct aes_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher, for encryption or decryption, respectively. -- Function: void aes128_invert_key (struct aes128_ctx *DST, const struct aes128_ctx *SRC) -- Function: void aes192_invert_key (struct aes192_ctx *DST, const struct aes192_ctx *SRC) -- Function: void aes256_invert_key (struct aes256_ctx *DST, const struct aes256_ctx *SRC) -- Function: void aes_invert_key (struct aes_ctx *DST, const struct aes_ctx *SRC) Given a context SRC initialized for encryption, initializes the context struct DST for decryption, using the same key. If the same context struct is passed for both ‘src’ and ‘dst’, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the _same_ key, because calling, e.g., ‘aes128_set_encrypt_key’ and ‘aes128_invert_key’, is more efficient than calling ‘aes128_set_encrypt_key’ and ‘aes128_set_decrypt_key’. -- Function: void aes128_encrypt (struct aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes192_encrypt (struct aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes256_encrypt (struct aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes_encrypt (struct aes_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void aes128_decrypt (struct aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes192_decrypt (struct aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes256_decrypt (struct aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void aes_decrypt (struct aes_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to the encryption functions above.  File: nettle.info, Node: Arcfour, Next: Arctwo, Prev: AES, Up: Cipher functions 7.2.2 Arcfour ------------- ARCFOUR is a historic stream cipher, also known under the trade marked name RC4, and was a widely used fast stream cipher. We do not recommend the use of ARCFOUR; the Nettle implementation is provided primarily for interoperability with existing applications and standards. One problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like “secret:1”, “secret:2”, .... If you have keys that don’t look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR. Another problem is that the output is distinguishable from random data, and that the initial bytes of the generated key stream leak information about the key; for this reason, it was sometimes recommended to discard the first 512, 768 or 1024 bytes of the key stream. /* A more robust key setup function for ARCFOUR */ void arcfour_set_key_hashed(struct arcfour_ctx *ctx, size_t length, const uint8_t *key) { struct sha256_ctx hash; uint8_t digest[SHA256_DIGEST_SIZE]; uint8_t buffer[0x200]; sha256_init(&hash); sha256_update(&hash, length, key); sha256_digest(&hash, SHA256_DIGEST_SIZE, digest); arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest); arcfour_crypt(ctx, sizeof(buffer), buffer, buffer); } Nettle defines ARCFOUR in ‘’. -- Context struct: struct arcfour_ctx -- Constant: ARCFOUR_MIN_KEY_SIZE Minimum key size, 1. -- Constant: ARCFOUR_MAX_KEY_SIZE Maximum key size, 256. -- Constant: ARCFOUR_KEY_SIZE Default ARCFOUR key size, 16. -- Function: void arcfour_set_key (struct arcfour_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void arcfour_crypt (struct arcfour_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called ‘arcfour_crypt’ only once with all the data.  File: nettle.info, Node: Arctwo, Next: Blowfish, Prev: Arcfour, Up: Cipher functions 7.2.3 Arctwo ------------ ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to ‘sci.crypt’ by Peter Gutmann. ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second parameter to key setup, the number of effective key bits, ‘ekb’. This parameter can be used to artificially reduce the key size. In practice, ‘ekb’ is usually set equal to the input key size. Nettle defines ARCTWO in ‘’. We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards. -- Context struct: struct arctwo_ctx -- Constant: ARCTWO_BLOCK_SIZE The ARCTWO block-size, 8. -- Constant: ARCTWO_MIN_KEY_SIZE -- Constant: ARCTWO_MAX_KEY_SIZE -- Constant: ARCTWO_KEY_SIZE Default ARCTWO key size, 8. -- Function: void arctwo_set_key_ekb (struct arctwo_ctx *CTX, size_t LENGTH, const uint8_t *KEY, unsigned EKB) -- Function: void arctwo_set_key (struct arctwo_ctx *CTX, size_t LENGTH, const uint8_t *KEY) -- Function: void arctwo_set_key_gutmann (struct arctwo_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for EKB is 1024, and for convenience, ‘ekb = 0’ has the same effect as ‘ekb = 1024’. ‘arctwo_set_key(ctx, length, key)’ is equivalent to ‘arctwo_set_key_ekb(ctx, length, key, 8*length)’, and ‘arctwo_set_key_gutmann(ctx, length, key)’ is equivalent to ‘arctwo_set_key_ekb(ctx, length, key, 1024)’ -- Function: void arctwo_encrypt (struct arctwo_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void arctwo_decrypt (struct arctwo_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘arctwo_encrypt’  File: nettle.info, Node: Blowfish, Next: Camellia, Prev: Arctwo, Up: Cipher functions 7.2.4 Blowfish -------------- BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys. Nettle defines BLOWFISH in ‘’. -- Context struct: struct blowfish_ctx -- Constant: BLOWFISH_BLOCK_SIZE The BLOWFISH block-size, 8. -- Constant: BLOWFISH_MIN_KEY_SIZE Minimum BLOWFISH key size, 8. -- Constant: BLOWFISH_MAX_KEY_SIZE Maximum BLOWFISH key size, 56. -- Constant: BLOWFISH_KEY_SIZE Default BLOWFISH key size, 16. -- Function: int blowfish_set_key (struct blowfish_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value. ‘blowfish_encrypt’ or ‘blowfish_decrypt’ with a weak key will crash with an assert violation. -- Function: void blowfish_encrypt (struct blowfish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void blowfish_decrypt (struct blowfish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘blowfish_encrypt’ -- Function: int blowfish_bcrypt_hash (char *DST, size_t LENKEY, const char *KEY, size_t LENSCHEME, const char *SCHEME, int LOG2ROUNDS, const uint8_t *SALT) Compute the bcrypt password hash. The function will return ‘0’ if the hash cannot be computed due to invalid input. The function will return ‘1’ and store the computed hash in the array pointed to by DST. The hash is computed based on the chosen SCHEME, number of rounds LOG2ROUNDS and specified SALT. DST must point to a character array of at least ‘BLOWFISH_BCRYPT_HASH_SIZE’ bytes. KEY contains the plaintext password string of size LENKEY. SCHEME is of size LENSCHEME and contains either just the chosen scheme (valid schemes are: ‘2a’, ‘2b’, ‘2x’ or ‘2y’), or (the prefix of) an existing hashed password (typically ‘$2b$10$...’). LOG2ROUNDS contains the log2 of the number of encryption rounds that must be used to compute the hash. If it is ‘-1’ the value will be extracted from SCHEME. SALT should point to an array of ‘BLOWFISH_BCRYPT_BINSALT_SIZE’ random bytes to be used to perturb the hash computation. If it is ‘NULL’ the salt will be extracted from SCHEME. Sample code to generate a bcrypt hash: char password[] = "ExamplePassword"; char scheme[] = "2b"; uint8_t salt[BLOWFISH_BCRYPT_BINSALT_SIZE]; ... /* Make sure that salt is filled with random bytes */ ... char hash[BLOWFISH_BCRYPT_HASH_SIZE]; int result = blowfish_bcrypt(hash, sizeof(password) - 1, password, sizeof(scheme) - 1, scheme, 10, salt); if (result) printf("%s\n", hash); -- Function: int blowfish_bcrypt_verify (size_t LENKEY, const char *KEY, size_t LENHASHED, const char *HASHED) Verifies the bcrypt password hash against the supplied plaintext password. The function will return ‘0’ if the password does not match. The function will return ‘1’ if the password matches. KEY contains the plaintext password string of size LENKEY. HASHED contains the hashed string of size LENHASHED to compare with. Sample code to verify a bcrypt hash: char password[] = "ExamplePassword"; char hash[] = "$2y$" /* Hash algorithm version */ "10" /* 2^10 hash rounds (strength) */ "$" /* separator */ "1b2lPgo4XumibnJGN3r3sO" /* base64 encoded 16-byte salt */ "u7wE7xNfYDKlAxZffJDCJdVfFTAyevu"; /* Hashedpart */ if (blowfish_bcrypt_verify(sizeof(password) - 1, password, sizeof(hash) - 1, hash)) printf("Password is correct."); else printf("Password is incorrect.");  File: nettle.info, Node: Camellia, Next: CAST128, Prev: Blowfish, Up: Cipher functions 7.2.5 Camellia -------------- Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in ‘RFC3713’. It is recommended by some Japanese and European authorities as an alternative to AES, and it is one of the selected algorithms in the New European Schemes for Signatures, Integrity and Encryption (NESSIE) project. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at , but this statement has some limitations which seem problematic for free software. Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and 256 bits. The variants with 192 and 256 bit keys are identical, except for the key setup. Nettle defines Camellia in ‘’, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, ‘struct camellia_ctx’, for all key sizes. This interface kept for backwards compatibility). -- Context struct: struct camellia128_ctx -- Context struct: struct camellia192_ctx -- Context struct: struct camellia256_ctx Contexts structs. Actually, ‘camellia192_ctx’ is an alias for ‘camellia256_ctx’. -- Context struct: struct camellia_ctx Alternative struct, for the old Camellia interface. -- Constant: CAMELLIA_BLOCK_SIZE The CAMELLIA block-size, 16. -- Constant: CAMELLIA128_KEY_SIZE -- Constant: CAMELLIA192_KEY_SIZE -- Constant: CAMELLIA256_KEY_SIZE -- Constant: CAMELLIA_MIN_KEY_SIZE -- Constant: CAMELLIA_MAX_KEY_SIZE -- Constant: CAMELLIA_KEY_SIZE Default CAMELLIA key size, 32. -- Function: void camellia128_set_encrypt_key (struct camellia128_ctx *CTX, const uint8_t *KEY) -- Function: void camellia128_set_decrypt_key (struct camellia128_ctx *CTX, const uint8_t *KEY) -- Function: void camellia192_set_encrypt_key (struct camellia192_ctx *CTX, const uint8_t *KEY) -- Function: void camellia192_set_decrypt_key (struct camellia192_ctx *CTX, const uint8_t *KEY) -- Function: void camellia256_set_encrypt_key (struct camellia256_ctx *CTX, const uint8_t *KEY) -- Function: void camellia256_set_decrypt_key (struct camellia256_ctx *CTX, const uint8_t *KEY) -- Function: void camellia_set_encrypt_key (struct camellia_ctx *CTX, size_t LENGTH, const uint8_t *KEY) -- Function: void camellia_set_decrypt_key (struct camellia_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher, for encryption or decryption, respectively. -- Function: void camellia128_invert_key (struct camellia128_ctx *DST, const struct camellia128_ctx *SRC) -- Function: void camellia192_invert_key (struct camellia192_ctx *DST, const struct camellia192_ctx *SRC) -- Function: void camellia256_invert_key (struct camellia256_ctx *DST, const struct camellia256_ctx *SRC) -- Function: void camellia_invert_key (struct camellia_ctx *DST, const struct camellia_ctx *SRC) Given a context SRC initialized for encryption, initializes the context struct DST for decryption, using the same key. If the same context struct is passed for both ‘src’ and ‘dst’, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the _same_ key. -- Function: void camellia128_crypt (struct camellia128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void camellia192_crypt (struct camellia192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void camellia256_crypt (struct camellia256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void camellia_crypt (struct camellia_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) The same function is used for both encryption and decryption. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way.  File: nettle.info, Node: CAST128, Next: ChaCha, Prev: Camellia, Up: Cipher functions 7.2.6 CAST128 ------------- CAST-128 is a block cipher, specified in ‘RFC 2144’. It uses a 64 bit (8 octets) block size, and a key size of 128 bits. It is possible, but discouraged, to use the same algorithm with shorter keys. Nettle refers to the variant with variable key size as CAST-5. Keys for CAST-5 are zero padded to 128 bits, and with very short keys, less than 80 bits, encryption also uses fewer rounds than CAST128. Nettle defines cast128 in ‘’. -- Context struct: struct cast128_ctx -- Constant: CAST128_BLOCK_SIZE The CAST128 block-size, 8. -- Constant: CAST128_KEY_SIZE The CAST128 key size, 16. -- Constant: CAST5_MIN_KEY_SIZE Minimum CAST5 key size, 5. -- Constant: CAST5_MAX_KEY_SIZE Maximum CAST5 key size, 16. With 16 octets key (128 bits), CAST-5 is the same as CAST-128. -- Function: void cast128_set_key (struct cast128_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void cast128_encrypt (struct cast128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void cast128_decrypt (struct cast128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘cast128_encrypt’ -- Function: void cast5_set_key (struct cast128_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. This variant of the key setup takes the key size as argument. The same function is used for both encryption and decryption.  File: nettle.info, Node: ChaCha, Next: DES, Prev: CAST128, Up: Cipher functions 7.2.7 ChaCha ------------ ChaCha is a variant of the stream cipher Salsa20 (*note Salsa20::), below, also designed by D. J. Bernstein. Nettle defines ChaCha in ‘’. -- Context struct: struct chacha_ctx -- Constant: CHACHA_KEY_SIZE ChaCha key size, 32. -- Constant: CHACHA_BLOCK_SIZE ChaCha block size, 64. -- Constant: CHACHA_NONCE_SIZE Size of the nonce, 8. -- Constant: CHACHA_COUNTER_SIZE Size of the counter, 8. -- Function: void chacha_set_key (struct chacha_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, you _must_ also call ‘chacha_set_nonce’, see below. -- Function: void chacha_set_nonce (struct chacha_ctx *CTX, const uint8_t *NONCE) Sets the nonce. It is always of size ‘CHACHA_NONCE_SIZE’, 8 octets. This function also initializes the block counter, setting it to zero. -- Function: void chacha_set_counter (struct chacha_ctx *CTX, const uint8_t *COUNTER) Sets the block counter. It is always of size ‘CHACHA_COUNTER_SIZE’, 8 octets. This is rarely needed since ‘chacha_set_nonce’ initializes the block counter to zero. When it is still necessary, this function must be called after ‘chacha_set_nonce’. -- Function: void chacha_crypt (struct chacha_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to ‘chacha_crypt’, all but the last call _must_ use a length that is a multiple of ‘CHACHA_BLOCK_SIZE’. 7.2.7.1 32-bit counter variant .............................. While the original paper uses 64-bit counter value, the variant defined in ‘RFC 8439’ uses 32-bit counter value. This variant is particularly useful for *note ChaCha-Poly1305:: AEAD construction, which supports 12-octet nonces. -- Constant: CHACHA_NONCE96_SIZE Size of the nonce, 12. -- Constant: CHACHA_COUNTER32_SIZE Size of the counter, 4. -- Function: void chacha_set_nonce96 (struct chacha_ctx *CTX, const uint8_t *NONCE) Sets the nonce. This is similar to the above ‘chacha_set_nonce’, but the input is always of size ‘CHACHA_NONCE96_SIZE’, 12 octets. -- Function: void chacha_set_counter32 (struct chacha_ctx *CTX, const uint8_t *COUNTER) Sets the block counter. This is similar to the above ‘chacha_set_counter’, but the input is always of size ‘CHACHA_COUNTER32_SIZE’, 4 octets. -- Function: void chacha_crypt32 (struct chacha_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using ChaCha. This is similar to the above ‘chacha_crypt’, but it assumes the internal counter value is 32-bit long and the nonce is 96-bit long.  File: nettle.info, Node: DES, Next: DES3, Prev: ChaCha, Up: Cipher functions 7.2.8 DES --------- DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key. The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn’t be using plain DES at all today, if one uses DES at all one should be using “triple DES”, see DES3 below. DES also has some weak keys. Nettle defines DES in ‘’. -- Context struct: struct des_ctx -- Constant: DES_BLOCK_SIZE The DES block-size, 8. -- Constant: DES_KEY_SIZE DES key size, 8. -- Function: int des_set_key (struct des_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don’t care about weak keys can ignore the return value. -- Function: void des_encrypt (struct des_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void des_decrypt (struct des_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘des_encrypt’ -- Function: int des_check_parity (size_t LENGTH, const uint8_t *KEY) Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity. -- Function: void des_fix_parity (size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Adjusts the parity bits to match DES’s requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. DST and SRC may be equal.  File: nettle.info, Node: DES3, Next: Salsa20, Prev: DES, Up: Cipher functions 7.2.9 DES3 ---------- The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits. The standard way to increase DES’s key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then _decrypt_ it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as “ede” triple-DES, for “encrypt-decrypt-encrypt”. The “ede” construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3. DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a “two-key” variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force. Naturally, it’s simple to implement triple-DES on top of Nettle’s DES functions. Nettle includes an implementation of three-key “ede” triple-DES, it is defined in the same place as plain DES, ‘’. -- Context struct: struct des3_ctx -- Constant: DES3_BLOCK_SIZE The DES3 block-size is the same as DES_BLOCK_SIZE, 8. -- Constant: DES3_KEY_SIZE DES key size, 24. -- Function: int des3_set_key (struct des3_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if one or more key is weak. Applications that don’t care about weak keys can ignore the return value. For random-looking strings, you can use ‘des_fix_parity’ to adjust the parity bits before calling ‘des3_set_key’. -- Function: void des3_encrypt (struct des3_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void des3_decrypt (struct des3_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘des_encrypt’  File: nettle.info, Node: Salsa20, Next: Serpent, Prev: DES3, Up: Cipher functions 7.2.10 Salsa20 -------------- Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, *note CTR::). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions. Salsa20 uses the same idea, but with a new specialized hash function to mix key, block counter, and a couple of constants. It’s also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets). *Caution:* The hash function used in Salsa20 is _not_ directly applicable for use as a general hash function. It’s _not_ collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size. When using Salsa20 to process a message, one specifies both a key and a “nonce”, the latter playing a similar rôle to the initialization vector (IV) used with CBC or CTR mode. One can use the same key for several messages, provided one uses a unique random iv for each message. The iv is 64 bits (8 octets). The block counter is initialized to zero for each message, and is also 64 bits (8 octets). Nettle defines Salsa20 in ‘’. -- Context struct: struct salsa20_ctx -- Constant: SALSA20_128_KEY_SIZE -- Constant: SALSA20_256_KEY_SIZE The two supported key sizes, 16 and 32 octets. -- Constant: SALSA20_KEY_SIZE Recommended key size, 32. -- Constant: SALSA20_BLOCK_SIZE Salsa20 block size, 64. -- Constant: SALSA20_NONCE_SIZE Size of the nonce, 8. -- Function: void salsa20_128_set_key (struct salsa20_ctx *CTX, const uint8_t *KEY) -- Function: void salsa20_256_set_key (struct salsa20_ctx *CTX, const uint8_t *KEY) -- Function: void salsa20_set_key (struct salsa20_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. ‘salsa20_128_set_key’ and ‘salsa20_128_set_key’ use a fix key size each, 16 and 32 octets, respectively. The function ‘salsa20_set_key’ is provided for backwards compatibility, and the LENGTH argument must be either 16 or 32. Before using the cipher, you _must_ also call ‘salsa20_set_nonce’, see below. -- Function: void salsa20_set_nonce (struct salsa20_ctx *CTX, const uint8_t *NONCE) Sets the nonce. It is always of size ‘SALSA20_NONCE_SIZE’, 8 octets. This function also initializes the block counter, setting it to zero. -- Function: void salsa20_crypt (struct salsa20_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to ‘salsa20_crypt’, all but the last call _must_ use a length that is a multiple of ‘SALSA20_BLOCK_SIZE’. The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by eSTREAM, see . Nettle calls this variant ‘salsa20r12’. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption. -- Function: void salsa20r12_crypt (struct salsa20_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds.  File: nettle.info, Node: Serpent, Next: SM4, Prev: Salsa20, Up: Cipher functions 7.2.11 Serpent -------------- SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES’. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones. Nettle defines SERPENT in ‘’. -- Context struct: struct serpent_ctx -- Constant: SERPENT_BLOCK_SIZE The SERPENT block-size, 16. -- Constant: SERPENT_MIN_KEY_SIZE Minimum SERPENT key size, 16. -- Constant: SERPENT_MAX_KEY_SIZE Maximum SERPENT key size, 32. -- Constant: SERPENT_KEY_SIZE Default SERPENT key size, 32. -- Function: void serpent_set_key (struct serpent_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void serpent_encrypt (struct serpent_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void serpent_decrypt (struct serpent_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘serpent_encrypt’  File: nettle.info, Node: SM4, Next: Twofish, Prev: Serpent, Up: Cipher functions 7.2.12 SM4 ---------- SM4 is a block cipher standard adopted by the government of the People’s Republic of China, and it was issued by the State Cryptography Administration on March 21, 2012. The standard is GM/T 0002-2012 "SM4 block cipher algorithm". Nettle defines it in ‘’. -- Context struct: struct sm4_ctx -- Constant: SM4_BLOCK_SIZE The SM4 block-size, 16. -- Constant: SM4_KEY_SIZE Default SM4 key size, 16. -- Function: void sm4_set_encrypt_key (struct sm4_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The function is used for encryption. -- Function: void sm4_set_decrypt_key (struct sm4_ctx *CTX, const uint8_t *KEY) Initialize the cipher. The function is used for decryption. -- Function: void sm4_crypt (const struct sm4_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Cryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. The same function is used for both encryption and decryption.  File: nettle.info, Node: Twofish, Next: nettle_cipher abstraction, Prev: SM4, Up: Cipher functions 7.2.13 Twofish -------------- Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in ‘’. -- Context struct: struct twofish_ctx -- Constant: TWOFISH_BLOCK_SIZE The TWOFISH block-size, 16. -- Constant: TWOFISH_MIN_KEY_SIZE Minimum TWOFISH key size, 16. -- Constant: TWOFISH_MAX_KEY_SIZE Maximum TWOFISH key size, 32. -- Constant: TWOFISH_KEY_SIZE Default TWOFISH key size, 32. -- Function: void twofish_set_key (struct twofish_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Initialize the cipher. The same function is used for both encryption and decryption. -- Function: void twofish_encrypt (struct twofish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encryption function. LENGTH must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. ‘src’ and ‘dst’ may be equal, but they must not overlap in any other way. -- Function: void twofish_decrypt (struct twofish_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Analogous to ‘twofish_encrypt’  File: nettle.info, Node: nettle_cipher abstraction, Prev: Twofish, Up: Cipher functions 7.2.14 The ‘struct nettle_cipher’ abstraction --------------------------------------------- Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a simple way to handle various algorithms. Nettle defines these structs in ‘’. -- Meta struct: struct nettle_cipher name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt The last four attributes are function pointers, of types ‘nettle_set_key_func *’ and ‘nettle_cipher_func *’. The first argument to these functions is a ‘const void *’ pointer to a context struct, which is of size ‘context_size’. -- Constant Struct: struct nettle_cipher nettle_aes128 -- Constant Struct: struct nettle_cipher nettle_aes192 -- Constant Struct: struct nettle_cipher nettle_aes256 -- Constant Struct: struct nettle_cipher nettle_arctwo40 -- Constant Struct: struct nettle_cipher nettle_arctwo64 -- Constant Struct: struct nettle_cipher nettle_arctwo128 -- Constant Struct: struct nettle_cipher nettle_arctwo_gutmann128 -- Constant Struct: struct nettle_cipher nettle_arcfour128 -- Constant Struct: struct nettle_cipher nettle_camellia128 -- Constant Struct: struct nettle_cipher nettle_camellia192 -- Constant Struct: struct nettle_cipher nettle_camellia256 -- Constant Struct: struct nettle_cipher nettle_cast128 -- Constant Struct: struct nettle_cipher nettle_serpent128 -- Constant Struct: struct nettle_cipher nettle_serpent192 -- Constant Struct: struct nettle_cipher nettle_serpent256 -- Constant Struct: struct nettle_cipher nettle_twofish128 -- Constant Struct: struct nettle_cipher nettle_twofish192 -- Constant Struct: struct nettle_cipher nettle_twofish256 Nettle includes such structs for all the _regular_ ciphers, i.e. ones without weak keys or other oddities. Nettle also exports a list of all these ciphers without weak keys or other oddities. -- Function: const struct nettle_cipher ** nettle_get_ciphers (void) Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms. -- Macro: nettle_ciphers A macro expanding to a call to nettle_get_ciphers. In earlier versions, this was not a macro but the actual array of pointers.  File: nettle.info, Node: Cipher modes, Next: Authenticated encryption, Prev: Cipher functions, Up: Reference 7.3 Cipher modes ================ Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher’s block size. As explained in *Note Cipher functions::, splitting the message into blocks and processing them independently with the block cipher (Electronic Code Book mode, ECB), leaks information. Besides ECB, Nettle provides several other modes of operation: Cipher Block Chaining (CBC), Counter mode (CTR), Cipher Feedback (CFB and CFB8), XEX-based tweaked-codebook mode with ciphertext stealing (XTS) and a couple of AEAD modes (*note Authenticated encryption::). CBC is widely used, but there are a few subtle issues of information leakage, see, e.g., SSH CBC vulnerability (https://www.kb.cert.org/vuls/id/958563). Today, CTR is usually preferred over CBC. Modes like CBC, CTR, CFB and CFB8 provide _no_ message authentication, and should always be used together with a MAC (*note Keyed hash functions::) or signature to authenticate the message. * Menu: * CBC:: * CTR:: * CFB and CFB8:: * XTS::  File: nettle.info, Node: CBC, Next: CTR, Up: Cipher modes 7.3.1 Cipher Block Chaining --------------------------- When using CBC mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in CBC mode, the previous ciphertext block is XORed with the plaintext before it is fed to the block cipher. When encrypting the first block, a random block called an “IV”, or Initialization Vector, is used as the “previous ciphertext block”. The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data. In symbols, if ‘E_k’ is the encryption function of a block cipher, and ‘IV’ is the initialization vector, then ‘n’ plaintext blocks ‘M_1’,... ‘M_n’ are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows: C_1 = E_k(IV XOR M_1) C_2 = E_k(C_1 XOR M_2) ... C_n = E_k(C_(n-1) XOR M_n) Nettle provides two main functions for applying a block cipher in Cipher Block Chaining (CBC) mode, one for encryption and one for decryption. These functions uses ‘const void *’ to pass cipher contexts around. The CBC interface is defined in ‘’. -- Function: void cbc_encrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cbc_decrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption or decryption function F in CBC mode. The final ciphertext block processed is copied into IV before returning, so that a large message can be processed by a sequence of calls to ‘cbc_encrypt’. The function F is of type ‘void F (const void *CTX, size_t LENGTH, uint8_t DST, const uint8_t *SRC)’, and the ‘cbc_encrypt’ and ‘cbc_decrypt’ functions pass their argument CTX on to F. 7.3.1.1 Utility macros ...................... There are also some macros to help use these functions correctly. -- Macro: CBC_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t iv[block_size]; } It can be used to define a CBC context struct, either directly, struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) ctx; or to give it a struct tag, struct aes_cbc_ctx CBC_CTX (struct aes_ctx, AES_BLOCK_SIZE); -- Macro: CBC_SET_IV (CTX, IV) First argument is a pointer to a context struct as defined by ‘CBC_CTX’, and the second is a pointer to an Initialization Vector (IV) that is copied into that context. -- Macro: CBC_ENCRYPT (CTX, F, LENGTH, DST, SRC) -- Macro: CBC_DECRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cbc_encrypt’ and ‘cbc_decrypt’. The first argument is a pointer to a context struct as defined by ‘CBC_CTX’, and the second argument is an encryption or decryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation. These macros use some tricks to make the compiler display a warning if the types of F and CTX don’t match, e.g. if you try to use an ‘struct aes_ctx’ context with the ‘des_encrypt’ function. 7.3.1.2 Cipher-specific functions ................................. Encryption in CBC mode (but not decryption!) is inherently serial. It can pass only one block at a time to the block cipher’s encrypt function. Optimizations to process several blocks in parallel can’t be applied, and on platforms where the underlying cipher is fast, per-function-call overhead, e.g., loading subkeys from memory into registers, can be significant. Depending on platform and cipher used, ‘cbc_encrypt’ can be considerably slower than both ‘cbc_decrypt’ and CTR mode. The second reason for poor performance can be addressed by having a combined CBC and encrypt function, for ciphers where the overhead is significant. Nettle currently includes such special functions only for AES. -- Function: void cbc_aes128_encrypt (const struct aes128_ctx *CTX, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cbc_aes192_encrypt (const struct aes192_ctx *CTX, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cbc_aes256_encrypt (const struct aes256_ctx *CTX, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Calling ‘cbc_aes128_encrypt(ctx, iv, length, dst, src)’ does the same thing as calling ‘cbc_encrypt(ctx, aes128_encrypt, AES_BLOCK_SIZE, iv, length, dst, src)’, but is more efficient on certain platforms.  File: nettle.info, Node: CTR, Next: CFB and CFB8, Prev: CBC, Up: Cipher modes 7.3.2 Counter mode ------------------ Counter mode (CTR) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher. The message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ is of size ‘m’ which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size. If ‘E_k’ is the encryption function of a block cipher, ‘IC’ is the initial counter, then the ‘n’ plaintext blocks are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows: C_1 = E_k(IC) XOR M_1 C_2 = E_k(IC + 1) XOR M_2 ... C_(n-1) = E_k(IC + n - 2) XOR M_(n-1) C_n = E_k(IC + n - 1) [1..m] XOR M_n The IC is the initial value for the counter, it plays a similar rôle as the IV for CBC. When adding, ‘IC + x’, IC is interpreted as an integer, in network byte order. For the last block, ‘E_k(IC + n - 1) [1..m]’ means that the cipher output is truncated to ‘m’ bytes. -- Function: void ctr_crypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *CTR, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption function F in CTR mode. Note that for CTR mode, encryption and decryption is the same operation, and hence F should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to ‘ctr_crypt’, all but the last call _must_ use a length that is a multiple of the block size. Like for CBC, there are also a couple of helper macros. -- Macro: CTR_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t ctr[block_size]; } -- Macro: CTR_SET_COUNTER (CTX, IV) First argument is a pointer to a context struct as defined by ‘CTR_CTX’, and the second is a pointer to an initial counter that is copied into that context. -- Macro: CTR_CRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘ctr_crypt’. The first argument is a pointer to a context struct as defined by ‘CTR_CTX’, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.  File: nettle.info, Node: CFB and CFB8, Next: XTS, Prev: CTR, Up: Cipher modes 7.3.3 Cipher Feedback mode -------------------------- Cipher Feedback mode (CFB) and Cipher Feedback 8-bit mode (CFB8) being close relatives to both CBC mode and CTR mode borrow some characteristics from stream ciphers. For CFB the message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ is of size ‘m’ which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher’s block size. If ‘E_k’ is the encryption function of a block cipher, ‘IV’ is the initialization vector, then the ‘n’ plaintext blocks are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows: C_1 = E_k(IV) XOR M_1 C_2 = E_k(C_1) XOR M_2 ... C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1) C_n = E_k(C_(n - 1)) [1..m] XOR M_n Cipher Feedback 8-bit mode (CFB8) transforms block cipher into a stream cipher. The message is encrypted byte after byte, not requiring any padding. If ‘E_k’ is the encryption function of a block cipher, ‘b’ is ‘E_k’ block size, ‘IV’ is the initialization vector, then the ‘n’ plaintext bytes are transformed into ‘n’ ciphertext bytes ‘C_1’,... ‘C_n’ as follows: I_1 = IV C_1 = E_k(I_1) [1..8] XOR M_1 I_2 = I_1 [9..b] << 8 | C_1 C_2 = E_k(I_2) [1..8] XOR M_2 ... I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2) C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1) I_n = I_(n-1) [9..b] << 8 | C_(n-1) C_n = E_k(I_n) [1..8] XOR M_n Nettle’s includes functions for applying a block cipher in Cipher Feedback (CFB) and Cipher Feedback 8-bit (CFB8) modes. These functions uses ‘void *’ to pass cipher contexts around. -- Function: void cfb_encrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cfb_decrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption or decryption function F in CFB mode. The final ciphertext block processed is copied into IV before returning, so that a large message can be processed by a sequence of calls to ‘cfb_encrypt’. Note that for CFB mode internally uses encryption only function and hence F should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to ‘cfb_encrypt’, all but the last call _must_ use a length that is a multiple of the block size. -- Function: void cfb8_encrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void cfb8_decrypt (const void *CTX, nettle_cipher_func *F, size_t BLOCK_SIZE, uint8_t *IV, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption or decryption function F in CFB8 mode. The final IV block processed is copied into IV before returning, so that a large message can be processed by a sequence of calls to ‘cfb8_encrypt’. Note that for CFB8 mode internally uses encryption only function and hence F should always be the encryption function for the underlying block cipher. Like for CBC, there are also a couple of helper macros. -- Macro: CFB_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t iv[block_size]; } -- Macro: CFB_SET_IV(CTX, IV) First argument is a pointer to a context struct as defined by ‘CFB_CTX’, and the second is a pointer to an initialization vector that is copied into that context. -- Macro: CFB_ENCRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb_encrypt’. The first argument is a pointer to a context struct as defined by ‘CFB_CTX’, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation. -- Macro: CFB_DECRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb_decrypt’. The first argument is a pointer to a context struct as defined by ‘CFB_CTX’, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation. -- Macro: CFB8_CTX (CONTEXT_TYPE, BLOCK_SIZE) Expands to { context_type ctx; uint8_t iv[block_size]; } -- Macro: CFB8_SET_IV (CTX, IV) First argument is a pointer to a context struct as defined by ‘CFB8_CTX’, and the second is a pointer to an initialization vector that is copied into that context. -- Macro: CFB8_ENCRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb8_encrypt’. The first argument is a pointer to a context struct as defined by ‘CFB8_CTX’, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation. -- Macro: CFB8_DECRYPT (CTX, F, LENGTH, DST, SRC) A simpler way to invoke ‘cfb8_decrypt’. The first argument is a pointer to a context struct as defined by ‘CFB8_CTX’, and the second argument is an encryption function following Nettle’s conventions. The last three arguments define the source and destination area for the operation.  File: nettle.info, Node: XTS, Prev: CFB and CFB8, Up: Cipher modes 7.3.4 XEX-based tweaked-codebook mode with ciphertext stealing -------------------------------------------------------------- XEX-based tweaked-codebook mode with ciphertext stealing (XTS) is a block mode like (CBC) but tweaked to be able to encrypt partial blocks via a technique called ciphertext stealing, where the last complete block of ciphertext is split and part returned as the last block and part used as plaintext for the second to last block. This mode is principally used to encrypt data at rest where it is not possible to store additional metadata or blocks larger than the plain text. The most common usage is for disk encryption. Due to the fact that ciphertext expansion is not possible, data is not authenticated. This mode should not be used where authentication is critical. The message is divided into ‘n’ blocks ‘M_1’,... ‘M_n’, where ‘M_n’ is of size ‘m’ which may be smaller than the block size. XTS always uses a fixed blocksize of 128 bit (16 bytes) length. Unlike other modes, the key is double the size of that for the used cipher mode (for example 256bit for AES-128 and 512bit for AES-256). XTS encryption mode operates given: • A multiplication by a primitive element alpha. ‘MUL a^j’ here represents the multiplication, where ‘j’ is the power of alpha, and the input value is converted into a 16 bytes array ‘a_0[k], k = 0,1,..,15’. The multiplication is calculated as ‘a_(j+1)[0] = (2(a_j[0] mod 128)) XOR (135 * floor(a_j[15]/128)’ ‘a_(j+1)[k] = (2(a_j[k] mod 128)) XOR (floor(a_j[k-1]/128), k = 1,2,..15’ Note that this operation is practically a 1 bit left shift operation with carry propagating from one byte to the next, and if the last bit shift results in a carry the decimal value 135 is XORed into the first byte. • The encryption key is provided as the ‘Key = K1 | K2’, where ‘|’ denotes string concatenation. ‘E_k1’ is the encryption function of the block cipher using ‘K1’ as the key, and ‘E_k2’ is the same encryption function using ‘K2’ • A 128 bit tweak value is provided as input and is denoted as ‘IV’ The ‘n’ plaintext blocks are transformed into ‘n’ ciphertext blocks ‘C_1’,... ‘C_n’ as follows. For a plaintext length that is a perfect multiple of the XTS block size: T_1 = E_k2(IV) C_1 = E_k1(P_1 XOR T_1) XOR T_1 ... T_n = T_(n-1) MUL a C_n = E_k1(P_n XOR T_n) XOR T_n For any other plaintext lengths: T_1 = E_k2(IV) C_1 = E_k1(P_1 XOR T_1) XOR T_1 ... T_(n-2) = T_(n-3) MUL a C_(n-2) = E_k1(P_(n-2) XOR T_(n-2)) XOR T_(n-2) T_(n-1) = T_(n-2) MUL a CC_(n-1) = E_k1(P_(n-1) XOR T_(n-1)) XOR T_(n-1) T_n = T_(n-1) MUL a PP = [1..m]Pn | [m+1..128]CC_(n-1) C_(n-1) = E_k1(PP XOR T_n) XOR T_n C_n = [1..m]CC_(n-1) 7.3.4.1 General (XTS) interface. ................................ The two general functions to encrypt and decrypt using the XTS block cipher mode are the following: -- Function: void xts_encrypt_message (const void *ENC_CTX, const void *TWK_CTX, nettle_cipher_func *ENCF, const uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void xts_decrypt_message (const void *DEC_CTX, const void *TWK_CTX, nettle_cipher_func *DECF, nettle_cipher_func *ENCF, const uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Applies the encryption function ENCF or the decryption function DECF in XTS mode. At least one block (16 bytes) worth of data must be available therefore specifying a length less than 16 bytes is illegal. The functions ENCF DECF are of type ‘void f (const void *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC)’, and the ‘xts_encrypt_message’ and ‘xts_decrypt_message’ functions pass their arguments ENC_CTX, TWK_CTX and DEC_CTX to the functions ENCF, DECF as CTX. 7.3.4.2 XTS-AES interface ......................... The AES XTS functions provide an API for using the XTS mode with the AES block ciphers. The parameters all have the same meaning as the general interface, except that the ENC_CTX, DEC_CTX, TWK_CTX, ENCF and DECF are replaced with an AES context structure called CTX, and a appropriate set-key function must be called before using any of the encryption or decryption functions in this interface. -- Context struct: struct xts_aes128_key Holds state corresponding to the AES-128 block cipher. -- Context struct: struct xts_aes256_key Holds state corresponding to the AES-256 block cipher. -- Function: void xts_aes128_set_encrypt_key (struct xts_aes128_key *CTX, const uint8_t *KEY) -- Function: void xts_aes256_set_encrypt_key (struct xts_aes256_key *CTX, const uint8_t *KEY) -- Function: void xts_aes128_set_decrypt_key (struct xts_aes128_key *CTX, const uint8_t *KEY) -- Function: void xts_aes256_set_decrypt_key (struct xts_aes256_key *CTX, const uint8_t *KEY) Initializes the encryption or decryption key for the AES block cipher. The length of the key must be double the size of the key for the corresponding cipher (256 bits for AES-128 and 512 bits for AES-256). One of these functions must be called before any of the other functions. -- Function: void xts_aes128_encrypt_message (struct xts_aes128_key *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void xts_aes256_encrypt_message (struct xts_aes256_key *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void xts_aes128_decrypt_message (struct xts_aes128_key *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void xts_aes256_decrypt_message (struct xts_aes256_key *CTX, uint8_t *TWEAK, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) These are identical to ‘xts_encrypt_message’ and ‘xts_decrypt_message’, except that ENC_CTX, DEC_CTX, TWK_CTX, ENCF and DECF are replaced by the CTX context structure.  File: nettle.info, Node: Authenticated encryption, Next: Keyed hash functions, Prev: Cipher modes, Up: Reference 7.4 Authenticated encryption with associated data ================================================= Since there are some subtle design choices to be made when combining a block cipher mode with out authentication with a MAC. In recent years, several constructions that combine encryption and authentication have been defined. These constructions typically also have an additional input, the “associated data”, which is authenticated but not included with the message. A simple example is an implicit message number which is available at both sender and receiver, and which needs authentication in order to detect deletions or replay of messages. This family of building blocks are therefore called AEAD, Authenticated encryption with associated data. The aim is to provide building blocks that it is easier for designers of protocols and applications to use correctly. There is also some potential for improved performance, if encryption and authentication can be done in a single step, although that potential is not realized for the constructions currently supported by Nettle. For encryption, the inputs are: • The key, which can be used for many messages. • A nonce, which must be unique for each message using the same key. • Additional associated data to be authenticated, but not included in the message. • The cleartext message to be encrypted. The outputs are: • The ciphertext, of the same size as the cleartext. • A digest or “authentication tag”. Decryption works the same, but with cleartext and ciphertext interchanged. All currently supported AEAD algorithms always use the encryption function of the underlying block cipher, for both encryption and decryption. Usually, the authentication tag should be appended at the end of the ciphertext, producing an encrypted message which is slightly longer than the cleartext. However, Nettle’s low level AEAD functions produce the authentication tag as a separate output for both encryption and decryption. Both associated data and the message data (cleartext or ciphertext) can be processed incrementally. In general, all associated data must be processed before the message data, and all calls but the last one must use a length that is a multiple of the block size, although some AEAD may implement more liberal conventions. The CCM mode is a bit special in that it requires the message lengths up front, other AEAD constructions don’t have this restriction. The supported AEAD constructions are Galois/Counter mode (GCM), EAX, ChaCha-Poly1305, and Counter with CBC-MAC (CCM). There are some weaknesses in GCM authentication, see . CCM and EAX use the same building blocks, but the EAX design is cleaner and avoids a couple of inconveniences of CCM. Therefore, EAX seems like a good conservative choice. The more recent ChaCha-Poly1305 may also be an attractive but more adventurous alternative, in particular if performance is important. * Menu: * EAX:: * GCM:: * CCM:: * ChaCha-Poly1305:: * OCB:: * SIV-CMAC:: * SIV-GCM:: * nettle_aead abstraction::  File: nettle.info, Node: EAX, Next: GCM, Up: Authenticated encryption 7.4.1 EAX --------- The EAX mode is an AEAD mode which combines CTR mode encryption, *Note CTR::, with a message authentication based on CBC, *Note CBC::. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). EAX was defined as a reaction to the CCM mode, *Note CCM::, which uses the same primitives but has some undesirable and inelegant properties. EAX supports arbitrary nonce size; it’s even possible to use an empty nonce in case only a single message is encrypted for each key. Nettle’s support for EAX consists of a low-level general interface, some convenience macros, and specific functions for EAX using AES-128 as the underlying cipher. These interfaces are defined in ‘’ 7.4.1.1 General EAX interface ............................. -- Context struct: struct eax_key EAX state which depends only on the key, but not on the nonce or the message. -- Context struct: struct eax_ctx Holds state corresponding to a particular message. -- Constant: EAX_BLOCK_SIZE EAX’s block size, 16. -- Constant: EAX_DIGEST_SIZE Size of the EAX digest, also 16. -- Function: void eax_set_key (struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F) Initializes KEY. CIPHER gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and F is the encryption function. -- Function: void eax_set_nonce (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t NONCE_LENGTH, const uint8_t *NONCE) Initializes CTX for processing a new message, using the given nonce. -- Function: void eax_update (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t DATA_LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. Unlike many other AEAD constructions, for EAX it’s not necessary to complete the processing of all associated data before encrypting or decrypting the message data. -- Function: void eax_encrypt (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void eax_decrypt (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. CIPHER is the context struct for the underlying cipher and F is the encryption function. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void eax_digest (struct eax_ctx *EAX, const struct eax_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If LENGTH is smaller than ‘EAX_DIGEST_SIZE’, only the first LENGTH octets of the digest are written. 7.4.1.2 EAX helper macros ......................... The following macros are defined. -- Macro: EAX_CTX (CONTEXT_TYPE) This defines an all-in-one context struct, including the context of the underlying cipher and all EAX state. It expands to { struct eax_key key; struct eax_ctx eax; context_type cipher; } For all these macros, CTX, is a context struct as defined by ‘EAX_CTX’, and ENCRYPT is the encryption function of the underlying cipher. -- Macro: EAX_SET_KEY (CTX, SET_KEY, ENCRYPT, KEY) SET_KEY is the function for setting the encryption key for the underlying cipher, and KEY is the key. -- Macro: EAX_SET_NONCE (CTX, ENCRYPT, LENGTH, NONCE) Sets the nonce to be used for the message. -- Macro: EAX_UPDATE (CTX, ENCRYPT, LENGTH, DATA) Process associated data for authentication. -- Macro: EAX_ENCRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: EAX_DECRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) Process message data for encryption or decryption. -- Macro: EAX_DIGEST (CTX, ENCRYPT, LENGTH, DIGEST) Extract the authentication tag for the message. 7.4.1.3 EAX-AES128 interface ............................ The following functions implement EAX using AES-128 as the underlying cipher. -- Context struct: struct eax_aes128_ctx The context struct, defined using ‘EAX_CTX’. -- Function: void eax_aes128_set_key (struct eax_aes128_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void eax_aes128_set_nonce (struct eax_aes128_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given nonce. -- Function: void eax_aes128_update (struct eax_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void eax_aes128_encrypt (struct eax_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void eax_aes128_decrypt (struct eax_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void eax_aes128_digest (struct eax_aes128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If LENGTH is smaller than ‘EAX_DIGEST_SIZE’, only the first LENGTH octets of the digest are written.  File: nettle.info, Node: GCM, Next: CCM, Prev: EAX, Up: Authenticated encryption 7.4.2 Galois counter mode ------------------------- Galois counter mode is an AEAD constructions combining counter mode with message authentication based on universal hashing. The main objective of the design is to provide high performance for hardware implementations, where other popular MAC algorithms (*note Keyed hash functions::) become a bottleneck for high-speed hardware implementations. It was proposed by David A. McGrew and John Viega in 2005, and recommended by NIST in 2007, NIST Special Publication 800-38D (https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf). It is constructed on top of a block cipher which must have a block size of 128 bits. The authentication in GCM has some known weaknesses, see . In particular, don’t use GCM with short authentication tags. Nettle’s support for GCM consists of a low-level general interface, some convenience macros, and specific functions for GCM using AES or Camellia as the underlying cipher. These interfaces are defined in ‘’ 7.4.2.1 General GCM interface ............................. -- Context struct: struct gcm_key Message independent hash sub-key, and related tables. -- Context struct: struct gcm_ctx Holds state corresponding to a particular message. -- Constant: GCM_BLOCK_SIZE GCM’s block size, 16. -- Constant: GCM_DIGEST_SIZE Size of the GCM digest, also 16. -- Constant: GCM_IV_SIZE Recommended size of the IV, 12. Arbitrary sizes are allowed. -- Function: void gcm_set_key (struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F) Initializes KEY. CIPHER gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and F is the encryption function. -- Function: void gcm_set_iv (struct gcm_ctx *CTX, const struct gcm_key *KEY, size_t LENGTH, const uint8_t *IV) Initializes CTX using the given IV. The KEY argument is actually needed only if LENGTH differs from ‘GCM_IV_SIZE’. -- Function: void gcm_update (struct gcm_ctx *CTX, const struct gcm_key *KEY, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_encrypt’ or ‘gcm_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_encrypt (struct gcm_ctx *CTX, const struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_decrypt (struct gcm_ctx *CTX, const struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. CIPHER is the context struct for the underlying cipher and F is the encryption function. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_digest (struct gcm_ctx *CTX, const struct gcm_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you provide a smaller value, only the first LENGTH octets of the digest are written. To encrypt a message using GCM, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: ‘gcm_set_key’, ‘gcm_set_iv’, ‘gcm_update’, ‘gcm_encrypt’, ‘gcm_digest’. The decryption procedure is analogous, just calling ‘gcm_decrypt’ instead of ‘gcm_encrypt’ (note that GCM decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call ‘gcm_set_iv’ with a new iv. 7.4.2.2 GCM helper macros ......................... The following macros are defined. -- Macro: GCM_CTX (CONTEXT_TYPE) This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to { struct gcm_key key; struct gcm_ctx gcm; context_type cipher; } Example use: struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); The following macros operate on context structs of this form. -- Macro: GCM_SET_KEY (CTX, SET_KEY, ENCRYPT, KEY) First argument, CTX, is a context struct as defined by ‘GCM_CTX’. SET_KEY and ENCRYPT are functions for setting the encryption key and for encrypting data using the underlying cipher. -- Macro: GCM_SET_IV (CTX, LENGTH, DATA) First argument is a context struct as defined by ‘GCM_CTX’. LENGTH and DATA give the initialization vector (IV). -- Macro: GCM_UPDATE (CTX, LENGTH, DATA) Simpler way to call ‘gcm_update’. First argument is a context struct as defined by ‘GCM_CTX’ -- Macro: GCM_ENCRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: GCM_DECRYPT (CTX, ENCRYPT, LENGTH, DST, SRC) -- Macro: GCM_DIGEST (CTX, ENCRYPT, LENGTH, DIGEST) Simpler way to call ‘gcm_encrypt’, ‘gcm_decrypt’ or ‘gcm_digest’. First argument is a context struct as defined by ‘GCM_CTX’. Second argument, ENCRYPT, is the encryption function of the underlying cipher. 7.4.2.3 GCM-AES interface ......................... The following functions implement the common case of GCM using AES as the underlying cipher. The variants with a specific AES flavor are recommended, while the fucntinos using ‘struct gcm_aes_ctx’ are kept for compatibility with older versiosn of Nettle. -- Context struct: struct gcm_aes128_ctx -- Context struct: struct gcm_aes192_ctx -- Context struct: struct gcm_aes256_ctx Context structs, defined using ‘GCM_CTX’. -- Context struct: struct gcm_aes_ctx Alternative context struct, using the old AES interface. -- Function: void gcm_aes128_set_key (struct gcm_aes128_ctx *CTX, const uint8_t *KEY) -- Function: void gcm_aes192_set_key (struct gcm_aes192_ctx *CTX, const uint8_t *KEY) -- Function: void gcm_aes256_set_key (struct gcm_aes256_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void gcm_aes_set_key (struct gcm_aes_ctx *CTX, size_t LENGTH, const uint8_t *KEY) Corresponding function, using the old AES interface. All valid AES key sizes can be used. -- Function: void gcm_aes128_set_iv (struct gcm_aes128_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_aes192_set_iv (struct gcm_aes192_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_aes256_set_iv (struct gcm_aes256_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_aes_set_iv (struct gcm_aes_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given IV. -- Function: void gcm_aes128_update (struct gcm_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_aes192_update (struct gcm_aes192_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_aes256_update (struct gcm_aes256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_aes_update (struct gcm_aes_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_aes_encrypt’ or ‘gcm_aes_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_aes128_encrypt (struct gcm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes192_encrypt (struct gcm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes256_encrypt (struct gcm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes_encrypt (struct gcm_aes_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes128_decrypt (struct gcm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes192_decrypt (struct gcm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes256_decrypt (struct gcm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_aes_decrypt (struct gcm_aes_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_aes128_digest (struct gcm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_aes192_digest (struct gcm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_aes256_digest (struct gcm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_aes_digest (struct gcm_aes_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you provide a smaller value, only the first LENGTH octets of the digest are written. 7.4.2.4 GCM-Camellia interface .............................. The following functions implement the case of GCM using Camellia as the underlying cipher. -- Context struct: struct gcm_camellia128_ctx -- Context struct: struct gcm_camellia256_ctx Context structs, defined using ‘GCM_CTX’. -- Function: void gcm_camellia128_set_key (struct gcm_camellia128_ctx *CTX, const uint8_t *KEY) -- Function: void gcm_camellia256_set_key (struct gcm_camellia256_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *CTX, size_t LENGTH, const uint8_t *IV) -- Function: void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given IV. -- Function: void gcm_camellia128_update (struct gcm_camellia128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void gcm_camellia256_update (struct gcm_camellia256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_camellia_encrypt’ or ‘gcm_camellia_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_camellia128_digest (struct gcm_camellia128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_camellia192_digest (struct gcm_camellia192_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_camellia256_digest (struct gcm_camellia256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void gcm_camellia_digest (struct gcm_camellia_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you provide a smaller value, only the first LENGTH octets of the digest are written. 7.4.2.5 GCM-SM4 interface ......................... The following functions implement the case of GCM using SM4 as the underlying cipher. -- Context struct: struct gcm_sm4_ctx Context structs, defined using ‘GCM_CTX’. -- Function: void gcm_sm4_set_key (struct gcm_sm4_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. -- Function: void gcm_sm4_set_iv (struct gcm_sm4_ctx *CTX, size_t LENGTH, const uint8_t *IV) Initializes the per-message state, using the given IV. -- Function: void gcm_sm4_update (struct gcm_sm4_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. If used, must be called before ‘gcm_sm4_encrypt’ or ‘gcm_sm4_decrypt’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_sm4_encrypt (struct gcm_sm4_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void gcm_sm4_decrypt (struct gcm_sm4_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void gcm_sm4_digest (struct gcm_sm4_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. It’s strongly recommended that LENGTH is ‘GCM_DIGEST_SIZE’, but if you provide a smaller value, only the first LENGTH octets of the digest are written.  File: nettle.info, Node: CCM, Next: ChaCha-Poly1305, Prev: GCM, Up: Authenticated encryption 7.4.3 Counter with CBC-MAC mode ------------------------------- CCM mode is a combination of counter mode with message authentication based on cipher block chaining, the same building blocks as EAX, *note EAX::. It is constructed on top of a block cipher which must have a block size of 128 bits. CCM mode is recommended by NIST in NIST Special Publication 800-38C (https://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf). Nettle’s support for CCM consists of a low-level general interface, a message encryption and authentication interface, and specific functions for CCM using AES as the underlying block cipher. These interfaces are defined in ‘’. In CCM, the length of the message must be known before processing. The maximum message size depends on the size of the nonce, since the message size is encoded in a field which must fit in a single block, together with the nonce and a flag byte. E.g., with a nonce size of 12 octets, there are three octets left for encoding the message length, the maximum message length is 2^24 - 1 octets. CCM mode encryption operates as follows: • The nonce and message length are concatenated to create ‘B_0 = flags | nonce | mlength’ • The authenticated data and plaintext is formatted into the string ‘B = L(adata) | adata | padding | plaintext | padding’ with ‘padding’ being the shortest string of zero bytes such that the length of the string is a multiple of the block size, and ‘L(adata)’ is an encoding of the length of ‘adata’. • The string ‘B’ is separated into blocks ‘B_1’ ... ‘B_n’ • The authentication tag ‘T’ is calculated as ‘T=0, for i=0 to n, do T = E_k(B_i XOR T)’ • An initial counter is then initialized from the nonce to create ‘IC = flags | nonce | padding’, where ‘padding’ is the shortest string of zero bytes such that ‘IC’ is exactly one block in length. • The authentication tag is encrypted using using CTR mode: ‘MAC = E_k(IC) XOR T’ • The plaintext is then encrypted using CTR mode with an initial counter of ‘IC+1’. CCM mode decryption operates similarly, except that the ciphertext and MAC are first decrypted using CTR mode to retrieve the plaintext and authentication tag. The authentication tag can then be recalculated from the authenticated data and plaintext, and compared to the value in the message to check for authenticity. 7.4.3.1 General CCM interface ............................. For all of the functions in the CCM interface, CIPHER is the context struct for the underlying cipher and F is the encryption function. The cipher’s encryption key must be set before calling any of the CCM functions. The cipher’s decryption function and key are never used. -- Context struct: struct ccm_ctx Holds state corresponding to a particular message. -- Constant: CCM_BLOCK_SIZE CCM’s block size, 16. -- Constant: CCM_DIGEST_SIZE Size of the CCM digest, 16. -- Constant: CCM_MIN_NONCE_SIZE -- Constant: CCM_MAX_NONCE_SIZE The the minimum and maximum sizes for an CCM nonce, 7 and 14, respectively. -- Macro: CCM_MAX_MSG_SIZE (NONCE_SIZE) The largest allowed plaintext length, when using CCM with a nonce of the given size. -- Function: void ccm_set_nonce (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) Initializes CTX using the given nonce and the sizes of the authenticated data, message, and MAC to be processed. -- Function: void ccm_update (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, const uint8_t *DATA) Provides associated data to be authenticated. Must be called after ‘ccm_set_nonce’, and before ‘ccm_encrypt’, ‘ccm_decrypt’, or ‘ccm_digest’. -- Function: void ccm_encrypt (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_decrypt (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the message data. Must be called after ‘ccm_set_nonce’ and before ‘ccm_digest’. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ccm_digest (struct ccm_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. LENGTH is usually equal to the TAGLEN parameter supplied to ‘ccm_set_nonce’, but if you provide a smaller value, only the first LENGTH octets of the digest are written. To encrypt a message using the general CCM interface, set the message nonce and length using ‘ccm_set_nonce’ and then call ‘ccm_update’ to generate the digest of any authenticated data. After all of the authenticated data has been digested use ‘ccm_encrypt’ to encrypt the plaintext. Finally, use ‘ccm_digest’ to return the encrypted MAC. To decrypt a message, use ‘ccm_set_nonce’ and ‘ccm_update’ the same as you would for encryption, and then call ‘ccm_decrypt’ to decrypt the ciphertext. After decrypting the ciphertext ‘ccm_digest’ will return the encrypted MAC which should be identical to the MAC in the received message. 7.4.3.2 CCM message interface ............................. The CCM message fuctions provides a simple interface that will perform authentication and message encryption in a single function call. The length of the cleartext is given by MLENGTH and the length of the ciphertext is given by CLENGTH, always exactly TLENGTH bytes longer than the corresponding plaintext. The length argument passed to a function is always the size for the result, CLENGTH for the encryption functions, and MLENGTH for the decryption functions. -- Function: void ccm_encrypt_message (void *CIPHER, nettle_cipher_func *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the encrypted MAC to ciphertext and outputs it to DST. -- Function: int ccm_decrypt_message (void *CIPHER, nettle_cipher_func *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST, recalculates the MAC from ADATA and the plaintext, and compares it to the final TLENGTH bytes of SRC. If the values of the received and calculated MACs are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. 7.4.3.3 CCM-AES interface ......................... The AES CCM functions provide an API for using CCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the CIPHER, F, and CTX parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface. -- Context struct: struct ccm_aes128_ctx Holds state corresponding to a particular message encrypted using the AES-128 block cipher. -- Context struct: struct ccm_aes192_ctx Holds state corresponding to a particular message encrypted using the AES-192 block cipher. -- Context struct: struct ccm_aes256_ctx Holds state corresponding to a particular message encrypted using the AES-256 block cipher. -- Function: void ccm_aes128_set_key (struct ccm_aes128_ctx *CTX, const uint8_t *KEY) -- Function: void ccm_aes192_set_key (struct ccm_aes192_ctx *CTX, const uint8_t *KEY) -- Function: void ccm_aes256_set_key (struct ccm_aes256_ctx *CTX, const uint8_t *KEY) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES CCM interface. -- Function: void ccm_aes128_set_nonce (struct ccm_aes128_ctx *CTX, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) -- Function: void ccm_aes192_set_nonce (struct ccm_aes192_ctx *CTX, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) -- Function: void ccm_aes256_set_nonce (struct ccm_aes256_ctx *CTX, size_t NONCELEN, const uint8_t *NONCE, size_t AUTHLEN, size_t MSGLEN, size_t TAGLEN) These are identical to ‘ccm_set_nonce’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_update (struct ccm_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void ccm_aes192_update (struct ccm_aes192_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void ccm_aes256_update (struct ccm_aes256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) These are identical to ‘ccm_set_update’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_encrypt (struct ccm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes192_encrypt (struct ccm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes256_encrypt (struct ccm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes128_decrypt (struct ccm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes192_decrypt (struct ccm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes256_decrypt (struct ccm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) These are identical to ‘ccm_set_encrypt’ and ‘ccm_set_decrypt’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_digest (struct ccm_aes128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void ccm_aes192_digest (struct ccm_aes192_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void ccm_aes256_digest (struct ccm_aes256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) These are identical to ‘ccm_set_digest’, except that CIPHER, F, and CTX are replaced with a context structure. -- Function: void ccm_aes128_encrypt_message (struct ccm_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes192_encrypt_message (struct ccm_aes192_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void ccm_aes256_encrypt_message (struct ccm_aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int ccm_aes128_decrypt_message (struct ccm_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int ccm_aes192_decrypt_message (struct ccm_aes192_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int ccm_aes192_decrypt_message (struct ccm_aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) These are identical to ‘ccm_encrypt_message’ and ‘ccm_decrypt_message’ except that CIPHER and F are replaced with a context structure.  File: nettle.info, Node: ChaCha-Poly1305, Next: OCB, Prev: CCM, Up: Authenticated encryption 7.4.4 ChaCha-Poly1305 --------------------- ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (*note Poly1305::). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha. Nettle’s implementation of ChaCha-Poly1305 follows ‘RFC 8439’, where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte block counter. This allows up to 256 gigabytes of data to be encrypted using the same key and nonce. For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream (counter all zero) is set aside for the authentication subkeys. Of this 64-octet block, the first 16 octets specify the poly1305 evaluation point, and the next 16 bytes specify the value to add in for the final digest. The final 32 bytes of this block are unused. Note that unlike poly1305-aes, the evaluation point depends on the nonce. This is preferable, because it leaks less information in case the attacker for some reason is lucky enough to forge a valid authentication tag, and observe (from the receiver’s behaviour) that the forgery succeeded. The ChaCha key stream, starting with counter value 1, is then used to encrypt the message. For authentication, poly1305 is applied to the concatenation of the associated data, the cryptotext, and the lengths of the associated data and the message, each a 64-bit number (eight octets, little-endian). Nettle defines ChaCha-Poly1305 in ‘’. -- Constant: CHACHA_POLY1305_BLOCK_SIZE Same as the ChaCha block size, 64. -- Constant: CHACHA_POLY1305_KEY_SIZE ChaCha-Poly1305 key size, 32. -- Constant: CHACHA_POLY1305_NONCE_SIZE ChaCha-Poly1305 nonce size, 12. -- Constant: CHACHA_POLY1305_DIGEST_SIZE Digest size, 16. -- Context struct: struct chacha_poly1305_ctx -- Function: void chacha_poly1305_set_key (struct chacha_poly1305_ctx *CTX, const uint8_t *KEY) Initializes CTX using the given key. Before using the context, you _must_ also call ‘chacha_poly1305_set_nonce’, see below. -- Function: void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *CTX, const uint8_t *NONCE) Initializes the per-message state, using the given nonce. -- Function: void chacha_poly1305_update (struct chacha_poly1305_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. -- Function: void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *CTX, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts or decrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void chacha_poly1305_digest (struct chacha_poly1305_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. If LENGTH is smaller than ‘CHACHA_POLY1305_DIGEST_SIZE’, only the first LENGTH octets of the digest are written.  File: nettle.info, Node: OCB, Next: SIV-CMAC, Prev: ChaCha-Poly1305, Up: Authenticated encryption 7.4.5 OCB (Offset Code Book) Mode --------------------------------- The OCB mode is an AEAD construction, featuring particularly fast and simple authentication; it needs one block cipher operation per data block, and almost free authentication. It is constructed on top of a block cipher which must have a block size of 128 bits. There have been several versions of the OCB scheme, the implementation in Nettle follows ‘RFC 7253’, which is almost the same as the scheme OCB3. 7.4.5.1 General interface ......................... -- Context struct: struct ocb_key OCB state which depends only on the key, but not on the nonce or the message. -- Context struct: struct ocb_ctx Holds state corresponding to a particular message. -- Constant: OCB_BLOCK_SIZE The block size for OCB’s block size, 16. -- Constant: OCB_MAX_NONCE_SIZE The maximum nonce size for OCB, 15. -- Constant: OCB_DIGEST_SIZE Size of the OCB authentication tag. -- Function: void ocb_set_key (struct ocb_key *KEY, const void *CIPHER, nettle_cipher_func *F) Initializes the KEY struct. The CIPHER context must be initialized for encryption, and F should be the corresponding encryption function. -- Function: void ocb_set_nonce (struct ocb_ctx *CTX, const void *CIPHER, nettle_cipher_func *F, size_t TAG_LENGTH, size_t NONCE_LENGTH, const uint8_t *NONCE) Initializes CTX for processing a new message, using the given nonce. The CIPHER must be initialized for encryption, and F should be the corresponding encryption function. The TAG_LENGTH (non-zero, and at most 16) is included when initializing the state, and should be the same value later passed to ‘ocb_digest’. Nonce is optional, and length at most 15 bytes. -- Function: void ocb_update (struct ocb_ctx *CTX, const struct ocb_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_encrypt (struct ocb_ctx *CTX, const struct ocb_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts the data of a message. CIPHER is the context struct for the underlying cipher and F is the encryption function. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_decrypt (struct ocb_ctx *CTX, const struct ocb_key *KEY, const void *ENCRYPT_CTX, nettle_cipher_func *ENCRYPT, const void *DECRYPT_CTX, nettle_cipher_func *DECRYPT, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the data of a message. ENCRYPT_CTX and ENCRYPT define the encryption operation of the underlying cipher, while DECRYPT_CTX and DECRYPT represent the decryption operation (for some ciphers, one of context pointer and function pointer may be the same). All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_digest (const struct ocb_ctx *CTX, const struct ocb_key *KEY, const void *CIPHER, nettle_cipher_func *F, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. The LENGTH value _should_ be the same as the tag length passed to the preceding ‘ocb_set_nonce’ call (using a different length is possible, but incompatible with ‘RFC 7253’). -- Function: void ocb_encrypt_message (const struct ocb_key *OCB_KEY, const void *CIPHER, nettle_cipher_func *F, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the tag to the ciphertext and writes it to DST. The CLENGTH variable must be equal to the length of SRC plus TLENGTH. -- Function: int ocb_decrypt_message (const struct ocb_key *OCB_KEY, const void *ENCRYPT_CTX, nettle_cipher_func *ENCRYPT, const void *DECRYPT_CTX, nettle_cipher_func *DECRYPT, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST. Like ‘ocb_decrypt’, it needs both the encrypt and the decrypt function of the underlying cipher. It also recalculates the authentication tag from ADATA and the plaintext, and compares it to the final TLENGTH bytes of SRC. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. 7.4.5.2 OCB-AES interface ......................... -- Context struct: struct ocb_aes128_encrypt_key Key-dependent state for encryption using OCB-AES128. For decryption, a separate ‘struct aes128_ctx’, initialized for decryption, is needed as well. -- Function: void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *OCB, const uint8_t *KEY) Initializes OCB and the underlying AES cipher with the given key. -- Function: void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *OCB, struct aes128_ctx *DECRYPT, const uint8_t *KEY) Initializes OCB and the underlying AES cipher with the given key. In addition, initialize DECRYPT for decryption using the same key; this is needed for ‘ocb_aes128_decrypt’ and ‘ocb_aes128_decrypt_message’. -- Function: void ocb_aes128_set_nonce (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, size_t TAG_LENGTH, size_t NONCE_LENGTH, const uint8_t *NONCE) Initializes CTX for processing a new message, using the given nonce and key. The TAG_LENGTH (non-zero, and at most 16) is included when initializing the state, and should be the same value later passed to ‘ocb_digest’. Nonce is optional, and length at most 15 bytes. -- Function: void ocb_aes128_update (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, size_t LENGTH, const uint8_t *DATA) Process associated data for authentication. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_aes128_encrypt (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Encrypts the data of a message. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_aes128_decrypt (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, const struct aes128_ctx *DECRYPT, size_t LENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the data of a message. DECRYPT is an AES context initialized for decryption using the same key. All but the last call for each message _must_ use a length that is a multiple of the block size. -- Function: void ocb_aes128_digest (struct ocb_ctx *CTX, const struct ocb_aes128_encrypt_key *KEY, size_t LENGTH, uint8_t *DIGEST) Extracts the message digest (also known “authentication tag”). This is the final operation when processing a message. The LENGTH value _should_ be the same as the tag length passed to the preceding ‘ocb_aes128_set_nonce’ call (using a different length is possible, but incompatible with ‘RFC 7253’). -- Function: void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *KEY, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the tag to the ciphertext and writes it to DST. The CLENGTH variable must be equal to the length of SRC plus TLENGTH. -- Function: int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *KEY, const struct aes128_ctx *DECRYPT, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t TLENGTH, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST. Like ‘ocb_aes128_decrypt’, it needs an AES context initialized for decryption using the same key. It also recalculates the authentication tag from ADATA and the plaintext, and compares it to the final TLENGTH bytes of SRC. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.  File: nettle.info, Node: SIV-CMAC, Next: SIV-GCM, Prev: OCB, Up: Authenticated encryption 7.4.6 Synthetic Initialization Vector AEAD ------------------------------------------ SIV-CMAC mode is a combination of counter mode with message authentication based on CMAC. Unlike other counter AEAD modes, it provides protection against accidental nonce misuse, making it a good choice for stateless-servers that cannot ensure nonce uniqueness. It is constructed on top of a block cipher which must have a block size of 128 bits. Nettle’s support for SIV-CMAC consists of a message encryption and authentication interface, for SIV-CMAC using AES as the underlying block cipher. When a nonce is re-used with this mode, message authenticity is retained however an attacker can determine whether the same plaintext was protected with the two messages sharing the nonce. These interfaces are defined in ‘’. Unlike other AEAD mode in SIV-CMAC the initialization vector serves as the tag. That means that in the generated ciphertext the tag precedes the ciphertext. Note also, that the SIV-CMAC algorithm, as specified in ‘RFC 5297’, introduces the notion of authenticated data which consist of multiple components. For example with SIV-CMAC the authentication tag of data ‘X’ followed by ‘Y’, is different than the concatenated data ‘X || Y’. The interfaces described below follow the AEAD paradigm and do not allow access to this feature and also require the use of a non-empty nonce. In the terminology of the RFC, the input to the S2V function is always a vector of three elements, where S1 is the authenticated data, S2 is the nonce, and S3 is the plaintext. 7.4.6.1 General interface ......................... -- Constant: SIV_BLOCK_SIZE SIV-CMAC’s block size, 16. -- Constant: SIV_DIGEST_SIZE Size of the SIV-CMAC digest or initialization vector, 16. -- Constant: SIV_MIN_NONCE_SIZE The the minimum size for an SIV-CMAC nonce, 1. 7.4.6.2 SIV-CMAC-AES interface .............................. The AES SIV-CMAC functions provide an API for using SIV-CMAC mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the CIPHER, F, and CTX parameters are replaced with an AES context structure, and a set-key function must be called before using any of the other functions in this interface. -- Context struct: struct siv_cmac_aes128_ctx Holds state corresponding to a particular message encrypted using the AES-128 block cipher. -- Context struct: struct siv_cmac_aes256_ctx Holds state corresponding to a particular message encrypted using the AES-256 block cipher. -- Function: void siv_cmac_aes128_set_key (struct siv_cmac_aes128_ctx *CTX, const uint8_t *KEY) -- Function: void siv_cmac_aes256_set_key (struct siv_cmac_aes256_ctx *CTX, const uint8_t *KEY) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the AES SIV-CMAC interface. -- Function: void siv_cmac_aes128_encrypt_message (struct siv_cmac_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void siv_cmac_aes256_encrypt_message (struct siv_cmac_aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, prepends the initialization vector to the ciphertext and outputs it to DST. The CLENGTH variable must be equal to the length of SRC plus ‘SIV_DIGEST_SIZE’. -- Function: int siv_cmac_aes128_decrypt_message (struct siv_cmac_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int siv_cmac_aes256_decrypt_message (struct siv_cmac_aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST, recalculates the initialization vector from ADATA and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.  File: nettle.info, Node: SIV-GCM, Next: nettle_aead abstraction, Prev: SIV-CMAC, Up: Authenticated encryption 7.4.7 SIV-GCM ------------- SIV-GCM, described in ‘RFC 8452’, is an AEAD construction similar to AES-GCM, but provides protection against accidental nonce misuse like SIV-CMAC mode. It is constructed on top of a block cipher which must have a block size of 128 bits and a nonce size of 12 bytes. Nettle’s support for SIV-GCM consists of a message encryption and authentication interface, for SIV-GCM using AES as the underlying block cipher. These interfaces are defined in ‘’. Unlike other AEAD mode in SIV-GCM the tag is calculated over the encoded additional authentication data and plaintext instead of the ciphertext. 7.4.7.1 General interface ......................... -- Constant: SIV_GCM_BLOCK_SIZE SIV-GCM’s block size, 16. -- Constant: SIV_GCM_DIGEST_SIZE Size of the SIV-GCM digest for tags, 16. -- Constant: SIV_GCM_NONCE_SIZE Size of the SIV-GCM nonce, 12. -- Function: void siv_gcm_encrypt_message (const struct nettle_cipher *NC, const void *CTX, void *CTR_CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the authentication tag to the ciphertext and outputs it to DST. The CLENGTH variable must be equal to the length of SRC plus ‘SIV_GCM_DIGEST_SIZE’. -- Function: int siv_gcm_decrypt_message (const struct nettle_cipher *NC, const void *CTX, void *CTR_CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST, recalculates the initialization vector from ADATA and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. In the above interface, NC must point to a cipher that works with 16-byte block size and the key sizes that are multiple of 8-bytes. The CTX context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. While the CTR_CTX context structure must have the same size as CTX, it does not need to be initialized before calling those functions as it is used as working storage. These structures can point to the same area; in that case the contents of *CTX is destroyed by the call. For convenience, Nettle provides wrapper functions that works with AES described in the following section. 7.4.7.2 SIV-GCM-AES interface ............................. The SIV-GCM functions provide an API for using SIV-GCM mode with the AES block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the CIPHER, F, and CTX parameters are replaced with an AES context structure. The AES context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. -- Function: void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t CLENGTH, uint8_t *DST, const uint8_t *SRC) Computes the message digest from the ADATA and SRC parameters, encrypts the plaintext from SRC, appends the authentication tag to the ciphertext and outputs it to DST. The CLENGTH variable must be equal to the length of SRC plus ‘SIV_GCM_DIGEST_SIZE’. -- Function: int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) -- Function: int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *CTX, size_t NLENGTH, const uint8_t *NONCE, size_t ALENGTH, const uint8_t *ADATA, size_t MLENGTH, uint8_t *DST, const uint8_t *SRC) Decrypts the ciphertext from SRC, outputs the plaintext to DST, recalculates the initialization vector from ADATA and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero.  File: nettle.info, Node: nettle_aead abstraction, Prev: SIV-GCM, Up: Authenticated encryption 7.4.8 The ‘struct nettle_aead’ abstraction ------------------------------------------ Nettle includes a struct including information about the supported hash functions. It is defined in ‘’. -- Meta struct: struct nettle_aead name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest The last seven attributes are function pointers. -- Constant Struct: struct nettle_aead nettle_gcm_aes128 -- Constant Struct: struct nettle_aead nettle_gcm_aes192 -- Constant Struct: struct nettle_aead nettle_gcm_aes256 -- Constant Struct: struct nettle_aead nettle_gcm_camellia128 -- Constant Struct: struct nettle_aead nettle_gcm_camellia256 -- Constant Struct: struct nettle_aead nettle_eax_aes128 -- Constant Struct: struct nettle_aead nettle_chacha_poly1305 These are most of the AEAD constructions that Nettle implements. Note that CCM is missing; it requirement that the message size is specified in advance makes it incompatible with the ‘nettle_aead’ abstraction. Nettle also exports a list of all these constructions. -- Function: const struct nettle_aead ** nettle_get_aeads (void) Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms. -- Macro: nettle_aeads A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers.  File: nettle.info, Node: Keyed hash functions, Next: Key derivation functions, Prev: Authenticated encryption, Up: Reference 7.5 Keyed Hash Functions ======================== A “keyed hash function”, or “Message Authentication Code” (MAC) is a function that takes a key and a message, and produces fixed size MAC. It should be hard to compute a message and a matching MAC without knowledge of the key. It should also be hard to compute the key given only messages and corresponding MACs. Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the MAC and attaches it to the message. The receiver, Bob, also computes the MAC of the message, using the same key, and compares that to Alice’s value. If they match, Bob can be assured that the message has not been modified on its way from Alice. However, unlike digital signatures, this assurance is not transferable. Bob can’t show the message and the MAC to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the _same_ key is used on both sides, and anyone knowing the key can create a correct MAC for any message. If Bob believes that only he and Alice knows the key, and he knows that he didn’t attach a MAC to a particular message, he knows it must be Alice who did it. However, the third party can’t distinguish between a MAC created by Alice and one created by Bob. Keyed hash functions are typically a lot faster than digital signatures as well. * Menu: * HMAC:: * UMAC:: * CMAC:: * Poly1305::  File: nettle.info, Node: HMAC, Next: UMAC, Up: Keyed hash functions 7.5.1 HMAC ---------- One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is HMAC, described in ‘RFC 2104’. For an underlying hash function ‘H’, with digest size ‘l’ and internal block size ‘b’, HMAC-H is constructed as follows: From a given key ‘k’, two distinct subkeys ‘k_i’ and ‘k_o’ are constructed, both of length ‘b’. The HMAC-H of a message ‘m’ is then computed as ‘H(k_o | H(k_i | m))’, where ‘|’ denotes string concatenation. HMAC keys can be of any length, but it is recommended to use keys of length ‘l’, the digest size of the underlying hash function ‘H’. Keys that are longer than ‘b’ are shortened to length ‘l’ by hashing with ‘H’, so arbitrarily long keys aren’t very useful. Nettle’s HMAC functions are defined in ‘’. There are abstract functions that use a pointer to a ‘struct nettle_hash’ to represent the underlying hash function and ‘void *’ pointers that point to three different context structs for that hash function. There are also concrete functions for HMAC-MD5, HMAC-RIPEMD160 HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, and HMAC-SM3. First, the abstract functions: -- Function: void hmac_set_key (void *OUTER, void *INNER, void *STATE, const struct nettle_hash *H, size_t LENGTH, const uint8_t *KEY) Initializes the three context structs from the key. The OUTER and INNER contexts corresponds to the subkeys ‘k_o’ and ‘k_i’. STATE is used for hashing the message, and is initialized as a copy of the INNER context. -- Function: void hmac_update (void *STATE, const struct nettle_hash *H, size_t LENGTH, const uint8_t *DATA) This function is called zero or more times to process the message. Actually, ‘hmac_update(state, H, length, data)’ is equivalent to ‘H->update(state, length, data)’, so if you wish you can use the ordinary update function of the underlying hash function instead. -- Function: void hmac_digest (const void *OUTER, const void *INNER, void *STATE, const struct nettle_hash *H, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. OUTER and INNER are not modified. LENGTH is usually equal to ‘H->digest_size’, but if you provide a smaller value, only the first LENGTH octets of the MAC are written. This function also resets the STATE context so that you can start over processing a new message (with the same key). Like for CBC, there are some macros to help use these functions correctly. -- Macro: HMAC_CTX (TYPE) Expands to { type outer; type inner; type state; } It can be used to define a HMAC context struct, either directly, struct HMAC_CTX(struct md5_ctx) ctx; or to give it a struct tag, struct hmac_md5_ctx HMAC_CTX (struct md5_ctx); -- Macro: HMAC_SET_KEY (CTX, H, LENGTH, KEY) CTX is a pointer to a context struct as defined by ‘HMAC_CTX’, H is a pointer to a ‘const struct nettle_hash’ describing the underlying hash function (so it must match the type of the components of CTX). The last two arguments specify the secret key. -- Macro: HMAC_DIGEST (CTX, H, LENGTH, DIGEST) CTX is a pointer to a context struct as defined by ‘HMAC_CTX’, H is a pointer to a ‘const struct nettle_hash’ describing the underlying hash function. The last two arguments specify where the digest is written. Note that there is no ‘HMAC_UPDATE’ macro; simply call ‘hmac_update’ function directly, or the update function of the underlying hash function. Now we come to the specialized HMAC functions, which are easier to use than the general HMAC functions. 7.5.1.1 HMAC-MD5 ................ -- Context struct: struct hmac_md5_ctx -- Function: void hmac_md5_set_key (struct hmac_md5_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_md5_update (struct hmac_md5_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_md5_digest (struct hmac_md5_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘MD5_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. 7.5.1.2 HMAC-RIPEMD160 ...................... -- Context struct: struct hmac_ripemd160_ctx -- Function: void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_ripemd160_update (struct hmac_ripemd160_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘RIPEMD160_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. 7.5.1.3 HMAC-SHA1 ................. -- Context struct: struct hmac_sha1_ctx -- Function: void hmac_sha1_set_key (struct hmac_sha1_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha1_update (struct hmac_sha1_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha1_digest (struct hmac_sha1_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘SHA1_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. 7.5.1.4 HMAC-SHA256 ................... -- Context struct: struct hmac_sha256_ctx -- Function: void hmac_sha256_set_key (struct hmac_sha256_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha256_update (struct hmac_sha256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha256_digest (struct hmac_sha256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘SHA256_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. 7.5.1.5 HMAC-SHA512 ................... -- Context struct: struct hmac_sha512_ctx -- Function: void hmac_sha512_set_key (struct hmac_sha512_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sha512_update (struct hmac_sha512_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sha512_digest (struct hmac_sha512_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘SHA512_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key. 7.5.1.6 HMAC-SM3 ................ -- Context struct: struct hmac_sm3_ctx -- Function: void hmac_sm3_set_key (struct hmac_sm3_ctx *CTX, size_t KEY_LENGTH, const uint8_t *KEY) Initializes the context with the key. -- Function: void hmac_sm3_update (struct hmac_sm3_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process some more data. -- Function: void hmac_sm3_digest (struct hmac_sm3_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC, writing it to DIGEST. LENGTH may be smaller than ‘SM3_DIGEST_SIZE’, in which case only the first LENGTH octets of the MAC are written. This function also resets the context for processing new messages, with the same key.  File: nettle.info, Node: UMAC, Next: CMAC, Prev: HMAC, Up: Keyed hash functions 7.5.2 UMAC ---------- UMAC is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, *Note GCM::, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 times faster than SHA256 and SHA512. UMAC is specified in ‘RFC 4418’. The secret key is always 128 bits (16 octets). The key is used as an encryption key for the AES block cipher. This cipher is used in counter mode to generate various internal subkeys needed in UMAC. Messages are of arbitrary size, and for each message, UMAC also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret. The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle’s implementation of UMAC increments the nonce automatically for each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into account. E.g., if the initial nonce is “abc” (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to “abd”, and this incremented value is zero-padded to 16 octets. UMAC is defined in four variants, for different output sizes: 32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 octets), corresponding to different trade-offs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other hash and MAC functions, Nettle’s ‘_digest’ functions for UMAC accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the umac variant corresponding to the desired size. The internal block size of UMAC is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the context struct quite a bit larger than other hash functions and MAC algorithms in Nettle. Nettle defines UMAC in ‘’. -- Context struct: struct umac32_ctx -- Context struct: struct umac64_ctx -- Context struct: struct umac96_ctx -- Context struct: struct umac128_ctx Each UMAC variant uses its own context struct. -- Constant: UMAC_KEY_SIZE The UMAC key size, 16. -- Constant: UMAC_MIN_NONCE_SIZE -- Constant: UMAC_MAX_NONCE_SIZE The the minimum and maximum sizes for an UMAC nonce, 1 and 16, respectively. -- Constant: UMAC32_DIGEST_SIZE The size of an UMAC32 digest, 4. -- Constant: UMAC64_DIGEST_SIZE The size of an UMAC64 digest, 8. -- Constant: UMAC96_DIGEST_SIZE The size of an UMAC96 digest, 12. -- Constant: UMAC128_DIGEST_SIZE The size of an UMAC128 digest, 16. -- Constant: UMAC_BLOCK_SIZE The internal block size of UMAC. -- Function: void umac32_set_key (struct umac32_ctx *CTX, const uint8_t *KEY) -- Function: void umac64_set_key (struct umac64_ctx *CTX, const uint8_t *KEY) -- Function: void umac96_set_key (struct umac96_ctx *CTX, const uint8_t *KEY) -- Function: void umac128_set_key (struct umac128_ctx *CTX, const uint8_t *KEY) These functions initialize the UMAC context struct. They also initialize the nonce to zero (with length 16, for auto-increment). -- Function: void umac32_set_nonce (struct umac32_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) -- Function: void umac64_set_nonce (struct umac64_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) -- Function: void umac96_set_nonce (struct umac96_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) -- Function: void umac128_set_nonce (struct umac128_ctx *CTX, size_t LENGTH, const uint8_t *NONCE) Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for UMAC (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called _before_ the first ‘_update’ call for the message. -- Function: void umac32_update (struct umac32_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void umac64_update (struct umac64_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void umac96_update (struct umac96_ctx *CTX, size_t LENGTH, const uint8_t *DATA) -- Function: void umac128_update (struct umac128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) These functions are called zero or more times to process the message. -- Function: void umac32_digest (struct umac32_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void umac64_digest (struct umac64_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void umac96_digest (struct umac96_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) -- Function: void umac128_digest (struct umac128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. LENGTH is usually equal to the specified output size, but if you provide a smaller value, only the first LENGTH octets of the MAC are written. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the ‘_set_nonce’ function explicitly for each message.  File: nettle.info, Node: CMAC, Next: Poly1305, Prev: UMAC, Up: Keyed hash functions 7.5.3 CMAC ---------- CMAC is a message authentication code based on CBC encryption mode. It is suitable for systems where block ciphers are preferrable and perform better than hash functions. CMAC-128 is specified in ‘RFC4493’. The block size is always 128 bits (16 octets). CMAC-64 is specified by NIST Special Publication 800-38B (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf). The block size is always 64 bits (8 octets). Nettle provides helper functions for CMAC-128 with the AES block cipher and for CMAC-64 with the Tripple-DES block cipher. Nettle defines CMAC in ‘’. -- Context struct: struct cmac_aes128_ctx -- Context struct: struct cmac_aes256_ctx -- Constant: CMAC128_DIGEST_SIZE The size of an CMAC-128 digest, 16. -- Function: void cmac_aes128_set_key (struct cmac_aes128_ctx *CTX, const uint8_t *KEY) This function initializes the CMAC context struct for AES-128. -- Function: void cmac_aes128_update (struct cmac_aes128_ctx *CTX, size_t LENGTH, const uint8_t *DATA) This function is called zero or more times to process the message. -- Function: void cmac_aes128_digest (struct cmac_aes128_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. LENGTH is usually equal to the specified output size, but if you provide a smaller value, only the first LENGTH octets of the MAC are written. This function resets the context for processing of a new message with the same key. -- Function: void cmac_aes256_set_key (struct cmac_aes256_ctx *CTX, const uint8_t *KEY) This function initializes the CMAC context struct for AES-256. -- Function: void cmac_aes256_update (struct cmac_aes256_ctx *CTX, size_t LENGTH, const uint8_t *DATA) This function is called zero or more times to process the message. -- Function: void cmac_aes256_digest (struct cmac_aes256_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. LENGTH is usually equal to the specified output size, but if you provide a smaller value, only the first LENGTH octets of the MAC are written. This function resets the context for processing of a new message with the same key. -- Context struct: struct cmac_des3_ctx -- Constant: CMAC64_DIGEST_SIZE The size of an CMAC-64 digest, 8. -- Function: void cmac_des3_set_key (struct cmac_des3_ctx *CTX, const uint8_t *KEY) This function initializes the CMAC context struct for Tripple-DES. -- Function: void cmac_des3_update (struct cmac_des3_ctx *CTX,size_t LENGTH, const uint8_t *DATA) This function is called zero or more times to process the message. -- Function: void cmac_des3_digest (struct cmac_des3_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the MAC of the message, writing it to DIGEST. LENGTH is usually equal to the specified output size, but if you provide a smaller value, only the first LENGTH octets of the MAC are written. This function resets the context for processing of a new message with the same key.  File: nettle.info, Node: Poly1305, Prev: CMAC, Up: Keyed hash functions 7.5.4 Poly1305 -------------- Poly1305-AES is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number 2^130 - 5. The key, 256 bits, consists of two parts, where the first half is an AES-128 key, and the second half specifies the point where the polynomial is evaluated. Of the latter half, 22 bits are set to zero, to enable high-performance implementation, leaving 106 bits for specifying an evaluation point ‘r’. For each message, one must also provide a 128-bit nonce. The nonce is encrypted using the AES key, and that’s the only thing AES is used for. The message is split into 128-bit chunks (with final chunk possibly being shorter), each read as a little-endian integer. Each chunk has a one-bit appended at the high end. The resulting integers are treated as polynomial coefficients modulo 2^130 - 5, and the polynomial is evaluated at the point ‘r’. Finally, this value is reduced modulo 2^128, and added (also modulo 2^128) to the encrypted nonce, to produce an 128-bit authenticator for the message. See for further details. Clearly, variants using a different cipher than AES could be defined. Another variant is the ChaCha-Poly1305 AEAD construction (*note ChaCha-Poly1305::). Nettle defines Poly1305-AES in ‘nettle/poly1305.h’. -- Constant: POLY1305_AES_KEY_SIZE Key size, 32 octets. -- Constant: POLY1305_AES_DIGEST_SIZE Size of the digest or “authenticator”, 16 octets. -- Constant: POLY1305_AES_NONCE_SIZE Nonce size, 16 octets. -- Context struct: struct poly1305_aes_ctx The poly1305-aes context struct. -- Function: void poly1305_aes_set_key (struct poly1305_aes_ctx *CTX, const uint8_t *KEY) Initialize the context struct. Also sets the nonce to zero. -- Function: void poly1305_aes_set_nonce (struct poly1305_aes_ctx *CTX, const uint8_t *NONCE) Sets the nonce. Calling this function is optional, since the nonce is incremented automatically for each message. -- Function: void poly1305_aes_update (struct poly1305_aes_ctx *CTX, size_t LENGTH, const uint8_t *DATA) Process more data. -- Function: void poly1305_aes_digest (struct poly1305_aes_ctx *CTX, size_t LENGTH, uint8_t *DIGEST) Extracts the digest. If LENGTH is smaller than ‘POLY1305_AES_DIGEST_SIZE’, only the first LENGTH octets are written. Also increments the nonce, and prepares the context for processing a new message.  File: nettle.info, Node: Key derivation functions, Next: Public-key algorithms, Prev: Keyed hash functions, Up: Reference 7.6 Key derivation Functions ============================ A “key derivation function” (KDF) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the “password-based key derivation functions” (PBKDFs), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation. 7.6.1 HKDF: HMAC-based Extract-and-Expand ----------------------------------------- HKDF is a key derivation function used as a building block of higher-level protocols like TLS 1.3. It is a derivation function based on HMAC described in ‘RFC 5869’, and is split into two logical modules, called ’extract’ and ’expand’. The extract module takes an initial secret and a random salt to "extract" a fixed-length pseudorandom key (PRK). The second stage takes as input the previous PRK and some informational data (e.g., text) and expands them into multiple keys. Nettle’s HKDF functions are defined in ‘’. There are two abstract functions for the extract and expand operations that operate on any HMAC implemented via the ‘nettle_hash_update_func’, and ‘nettle_hash_digest_func’ interfaces. -- Function: void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst) Extract a Pseudorandom Key (PRK) from a secret and a salt according to HKDF. The HMAC must have been initialized, with its key being the salt for the Extract operation. This function will call the UPDATE and DIGEST functions passing the MAC_CTX context parameter as an argument in order to compute digest of size DIGEST_SIZE. Inputs are the secret SECRET of length SECRET_LENGTH. The output length is fixed to DIGEST_SIZE octets, thus the output buffer DST must have room for at least DIGEST_SIZE octets. -- Function: void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst) Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF. The HMAC must have been initialized, with its key being the PRK from the Extract operation. This function will call the UPDATE and DIGEST functions passing the MAC_CTX context parameter as an argument in order to compute digest of size DIGEST_SIZE. Inputs are the info INFO of length INFO_LENGTH, and the desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. 7.6.2 PBKDF2 ------------ The most well known PBKDF is the ‘PKCS #5 PBKDF2’ described in ‘RFC 2898’ which uses a pseudo-random function such as HMAC-SHA1. Nettle’s PBKDF2 functions are defined in ‘’. There is an abstract function that operate on any PRF implemented via the ‘nettle_hash_update_func’, ‘nettle_hash_digest_func’ interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384 and PBKDF2-HMAC-SHA512. First, the abstract function: -- Function: void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the UPDATE and DIGEST functions passing the MAC_CTX context parameter as an argument in order to compute digest of size DIGEST_SIZE. Inputs are the salt SALT of length SALT_LENGTH, the iteration counter ITERATIONS (> 0), and the desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. Like for CBC and HMAC, there is a macro to help use the function correctly. -- Macro: PBKDF2 (CTX, UPDATE, DIGEST, DIGEST_SIZE, ITERATIONS, SALT_LENGTH, SALT, LENGTH, DST) CTX is a pointer to a context struct passed to the UPDATE and DIGEST functions (of the types ‘nettle_hash_update_func’ and ‘nettle_hash_digest_func’ respectively) to implement the underlying PRF with digest size of DIGEST_SIZE. Inputs are the salt SALT of length SALT_LENGTH, the iteration counter ITERATIONS (> 0), and the desired derived output length LENGTH. The output buffer is DST which must have room for at least LENGTH octets. 7.6.3 Concrete PBKDF2 functions ------------------------------- Now we come to the specialized PBKDF2 functions, which are easier to use than the general PBKDF2 function. 7.6.3.1 PBKDF2-HMAC-SHA1 ........................ -- Function: void pbkdf2_hmac_sha1 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA1. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. 7.6.3.2 PBKDF2-HMAC-SHA256 .......................... -- Function: void pbkdf2_hmac_sha256 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA256. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. 7.6.3.3 PBKDF2-HMAC-SHA384 .......................... -- Function: void pbkdf2_hmac_sha384 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA384. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. 7.6.3.4 PBKDF2-HMAC-SHA512 .......................... -- Function: void pbkdf2_hmac_sha512 (size_t KEY_LENGTH, const uint8_t *KEY, unsigned ITERATIONS, size_t SALT_LENGTH, const uint8_t *SALT, size_t LENGTH, uint8_t *DST) PBKDF2 with HMAC-SHA512. Derive LENGTH bytes of key into buffer DST using the password KEY of length KEY_LENGTH and salt SALT of length SALT_LENGTH, with iteration counter ITERATIONS (> 0). The output buffer is DST which must have room for at least LENGTH octets. 7.6.4 BALLOON ------------- Balloon is a memory-hard password-hashing algorithm. An in-depth description of the algorithm and its properties can be found in an online research paper: Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. Retrieved Sep 1, 2022, from Nettle’s definition of the BALLOON algorithm can be found in ‘’. There is a general BALLOON function where the user can specify desired hash algorithm that will be used by the function. There are also concrete, more user-friendly functions that use common hash algorithms like SHA1, SHA256, SHA384 and SHA512. There is also a utility function which helps to determine the size of the working buffer that must be provided as one of the inputs. Each BALLOON function takes as an input a password and a salt of arbitrary lengths, a time and a space parameters, and a scratch buffer. The space parameter S_COST determines how many blocks of working space the algorithm will require during its computation. It is common to set S_COST to a high value in order to increase the cost of hardware accelerators built by the adversary. The time parameter T_COST determines the number of rounds of computation that the algorithm will perform. This can be used to further increase the cost of computation without raising the memory requirement. Scratch buffer SCRATCH is a user allocated working space required by the algorithm. To determine the required size of the scratch buffer use the utility function ‘balloon_itch’. Output of BALLOON algorithm will be written into the output buffer DST that has to be at least DIGEST_SIZE bytes long. Note that it is safe to use the same buffer for both SCRATCH and DST. Next follows the description of the general BALLOON function. -- Function: void balloon (void *HASH_CTX, nettle_hash_update_func *UPDATE, nettle_hash_digest_func *DIGEST, size_t DIGEST_SIZE, size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) Compute hash of given password PASSWD of length PASSWD_LENGTH salted with SALT of length SALT_LENGTH and write DIGEST_SIZE bytes into the output buffer DST. Parameter HASH_CTX is a context for the underlying hash function, which much be initialized by the caller. UPDATE and DIGEST are the update and digest functions of the chosen hash algorithm. DIGEST_SIZE is the digest size of the chosen hash algorithm and determines the size of the output. -- Function: size_t balloon_itch (size_t DIGEST_SIZE, size_t S_COST) Compute the size of the scratch buffer SCRATCH. DIGEST_SIZE is the digest size of the chosen hash algorithm. S_COST is the space parameter used by the ‘balloon’ function. 7.6.5 Concrete BALLOON functions -------------------------------- Here follows a list of the specialized BALLOON functions, which are more user-friendly variants of the general function. 7.6.5.1 BALLOON-SHA1 .................... -- Function: void balloon_sha1 (size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) BALLOON algorithm using SHA1 as the underlying hash function. 7.6.5.2 BALLOON-SHA256 ...................... -- Function: void balloon_sha256 (size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) BALLOON algorithm using SHA256 as the underlying hash function. 7.6.5.3 BALLOON-SHA384 ...................... -- Function: void balloon_sha384 (size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) BALLOON algorithm using SHA384 as the underlying hash function. 7.6.5.4 BALLOON-SHA512 ...................... -- Function: void balloon_sha512 (size_t S_COST, size_t T_COST, size_t PASSWD_LENGTH, const uint8_t *PASSWD, size_t SALT_LENGTH, const uint8_t *SALT, uint8_t *SCRATCH, uint8_t *DST) BALLOON algorithm using SHA512 as the underlying hash function.  File: nettle.info, Node: Public-key algorithms, Next: Randomness, Prev: Key derivation functions, Up: Reference 7.7 Public-key algorithms ========================= Nettle uses GMP, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle, you must install GMP, at least version 3.0, before compiling Nettle, and you need to link your programs with ‘-lhogweed -lnettle -lgmp’. The concept of “Public-key” encryption and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, “symmetric”, cryptography, sender and receiver share the same keys, and these keys must be distributed in a secure way. And if there are many users or entities that need to communicate, each _pair_ needs a shared secret key known by nobody else. Public-key cryptography uses trapdoor one-way functions. A “one-way function” is a function ‘F’ such that it is easy to compute the value ‘F(x)’ for any ‘x’, but given a value ‘y’, it is hard to compute a corresponding ‘x’ such that ‘y = F(x)’. Two examples are cryptographic hash functions, and exponentiation in certain groups. A “trapdoor one-way function” is a function ‘F’ that is one-way, unless one knows some secret information about ‘F’. If one knows the secret, it is easy to compute both ‘F’ and it’s inverse. If this sounds strange, look at the RSA example below. Two important uses for one-way functions with trapdoors are public-key encryption, and digital signatures. The public-key encryption functions in Nettle are not yet documented; the rest of this chapter is about digital signatures. To use a digital signature algorithm, one must first create a “key-pair”: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad guy is able to replace it (in transit, or in some user’s list of known public keys), bad things may happen. There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, the digital signature depends on the message, so one can’t cut it out of context and glue it to a different message. The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the “someone” also knows the private key corresponding to the public key. The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation. Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as “grant access to whoever knows the private key corresponding to this particular public key, and to no others”. * Menu: * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA  File: nettle.info, Node: RSA, Next: DSA, Up: Public-key algorithms 7.7.1 RSA --------- The RSA algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the USA in 1983. The patent expired on September 20, 2000, and since that day, RSA can be used freely, even in the USA. It’s remarkably simple to describe the trapdoor function behind RSA. The “one-way”-function used is F(x) = x^e mod n I.e. raise x to the ‘e’’th power, while discarding all multiples of ‘n’. The pair of numbers ‘n’ and ‘e’ is the public key. ‘e’ can be quite small, even ‘e = 3’ has been used, although slightly larger numbers are recommended. ‘n’ should be about 2000 bits or larger. If ‘n’ is large enough, and properly chosen, the inverse of F, the computation of ‘e’’th roots modulo ‘n’, is very difficult. But, where’s the trapdoor? Let’s first look at how RSA key-pairs are generated. First ‘n’ is chosen as the product of two large prime numbers ‘p’ and ‘q’ of roughly the same size (so if ‘n’ is 2000 bits, ‘p’ and ‘q’ are about 1000 bits each). One also computes the number ‘phi = (p-1)(q-1)’, in mathematical speak, ‘phi’ is the order of the multiplicative group of integers modulo n. Next, ‘e’ is chosen. It must have no factors in common with ‘phi’ (in particular, it must be odd), but can otherwise be chosen more or less randomly. ‘e = 65537’ is a popular choice, because it makes raising to the ‘e’’th power particularly efficient, and being prime, it usually has no factors common with ‘phi’. Finally, a number ‘d’, ‘d < n’ is computed such that ‘e d mod phi = 1’. It can be shown that such a number exists (this is why ‘e’ and ‘phi’ must have no common factors), and that for all x, (x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x Using Euclid’s algorithm, ‘d’ can be computed quite easily from ‘phi’ and ‘e’. But it is still hard to get ‘d’ without knowing ‘phi’, which depends on the factorization of ‘n’. So ‘d’ is the trapdoor, if we know ‘d’ and ‘y = F(x)’, we can recover x as ‘y^d mod n’. ‘d’ is also the private half of the RSA key-pair. The most common signature operation for RSA is defined in ‘PKCS#1’, a specification by RSA Laboratories. The message to be signed is first hashed using a cryptographic hash function, e.g. MD5 or SHA1. Next, some padding, the ASN.1 “Algorithm Identifier” for the hash function, and the message digest itself, are concatenated and converted to a number ‘x’. The signature is computed from ‘x’ and the private key as ‘s = x^d mod n’(1) (*note RSA-Footnote-1::). The signature, ‘s’ is a number of about the same size of ‘n’, and it usually encoded as a sequence of octets, most significant octet first. The verification operation is straight-forward, ‘x’ is computed from the message in the same way as above. Then ‘s^e mod n’ is computed, the operation returns true if and only if the result equals ‘x’. The RSA algorithm can also be used for encryption. RSA encryption uses the public key ‘(n,e)’ to compute the ciphertext ‘m^e mod n’. The ‘PKCS#1’ padding scheme will use at least 8 random and non-zero octets, using M of the form ‘[00 02 padding 00 plaintext]’. It is required that ‘m < n’, and therefor the plaintext must be smaller than the octet size of the modulo ‘n’, with some margin. To decrypt the message, one needs the private key to compute ‘m = c^e mod n’ followed by checking and removing the padding. 7.7.1.1 Nettle’s RSA support ............................ Nettle represents RSA keys using two structures that contain large numbers (of type ‘mpz_t’). -- Context struct: rsa_public_key size n e ‘size’ is the size, in octets, of the modulo, and is used internally. ‘n’ and ‘e’ is the public key. -- Context struct: rsa_private_key size d p q a b c ‘size’ is the size, in octets, of the modulo, and is used internally. ‘d’ is the secret exponent, but it is not actually used when signing. Instead, the factors ‘p’ and ‘q’, and the parameters ‘a’, ‘b’ and ‘c’ are used. They are computed from ‘p’, ‘q’ and ‘e’ such that ‘a e mod (p - 1) = 1, b e mod (q - 1) = 1, c q mod p = 1’. Before use, these structs must be initialized by calling one of -- Function: void rsa_public_key_init (struct rsa_public_key *PUB) -- Function: void rsa_private_key_init (struct rsa_private_key *KEY) Calls ‘mpz_init’ on all numbers in the key struct. and when finished with them, the space for the numbers must be deallocated by calling one of -- Function: void rsa_public_key_clear (struct rsa_public_key *PUB) -- Function: void rsa_private_key_clear (struct rsa_private_key *KEY) Calls ‘mpz_clear’ on all numbers in the key struct. In general, Nettle’s RSA functions deviates from Nettle’s “no memory allocation”-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see *Note GMP Allocation: (gmp)Custom Allocation. When you have assigned values to the attributes of a key, you must call -- Function: int rsa_public_key_prepare (struct rsa_public_key *PUB) -- Function: int rsa_private_key_prepare (struct rsa_private_key *KEY) Computes the octet size of the key (stored in the ‘size’ attribute, and may also do other basic sanity checks. Returns one if successful, or zero if the key can’t be used, for instance if the modulo is smaller than the minimum size needed for RSA operations specified by PKCS#1. For each operation using the private key, there are two variants, e.g., ‘rsa_sha256_sign’ and ‘rsa_sha256_sign_tr’. The former function is older, and it should be avoided, because it provides no defenses against side-channel attacks. The latter function use randomized RSA blinding, which defends against timing attacks using chosen-ciphertext, and it also checks the correctness of the private key computation using the public key, which defends against software or hardware errors which could leak the private key. Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function’s context struct to the RSA signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument. There is currently no support for using SHA224 or SHA384 with RSA signatures, since there’s no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively. Creating an RSA signature is done with one of the following functions: -- Function: int rsa_md5_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct md5_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct sha1_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct sha256_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, struct sha512_ctx *HASH, mpz_t SIGNATURE) The signature is stored in SIGNATURE (which must have been ‘mpz_init’’ed earlier). The hash context is reset so that it can be used for new messages. The RANDOM_CTX and RANDOM pointers are used to generate the RSA blinding. Returns one on success, or zero on failure. Signing fails if an error in the computation was detected, or if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key. -- Function: int rsa_md5_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, const uint8_t *DIGEST, mpz_t SIGNATURE) Creates a signature from the given hash digest. DIGEST should point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’respectively. The signature is stored in SIGNATURE (which must have been ‘mpz_init’:ed earlier). Returns one on success, or zero on failure. -- Function: int rsa_pkcs1_sign_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LENGTH, const uint8_t *DIGEST_INFO, mpz_t SIGNATURE) Similar to the above ‘_sign_digest_tr’ functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. -- Function: int rsa_md5_sign (const struct rsa_private_key *KEY, struct md5_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign (const struct rsa_private_key *KEY, struct sha1_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign (const struct rsa_private_key *KEY, struct sha256_ctx *HASH, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign (const struct rsa_private_key *KEY, struct sha512_ctx *HASH, mpz_t SIGNATURE) The signature is stored in SIGNATURE (which must have been ‘mpz_init’’ed earlier). The hash context is reset so that it can be used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., it’s not possible to create a signature using SHA512 and a 512-bit RSA key. -- Function: int rsa_md5_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha1_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha256_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_sha512_sign_digest (const struct rsa_private_key *KEY, const uint8_t *DIGEST, mpz_t SIGNATURE) Creates a signature from the given hash digest; otherwise analoguous to the above signing functions. DIGEST should point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’, respectively. The signature is stored in SIGNATURE (which must have been ‘mpz_init’:ed earlier). Returns one on success, or zero on failure. -- Function: int rsa_pkcs1_sign (const struct rsa_private_key *KEY, size_t LENGTH, const uint8_t *DIGEST_INFO, mpz_t S) Similar to the above _sign_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. Verifying an RSA signature is done with one of the following functions: -- Function: int rsa_md5_verify (const struct rsa_public_key *KEY, struct md5_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha1_verify (const struct rsa_public_key *KEY, struct sha1_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha256_verify (const struct rsa_public_key *KEY, struct sha256_ctx *HASH, const mpz_t SIGNATURE) -- Function: int rsa_sha512_verify (const struct rsa_public_key *KEY, struct sha512_ctx *HASH, const mpz_t SIGNATURE) Returns 1 if the signature is valid, or 0 if it isn’t. In either case, the hash context is reset so that it can be used for new messages. -- Function: int rsa_md5_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha1_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha256_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_sha512_verify_digest (const struct rsa_public_key *KEY, const uint8_t *DIGEST, const mpz_t SIGNATURE) Returns 1 if the signature is valid, or 0 if it isn’t. DIGEST should point to a digest of size ‘MD5_DIGEST_SIZE’, ‘SHA1_DIGEST_SIZE’, ‘SHA256_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’ respectively. -- Function: int rsa_pkcs1_verify (const struct rsa_public_key *KEY, size_t LENGTH, const uint8_t *DIGEST_INFO, const mpz_t SIGNATURE) Similar to the above _verify_digest functions, but the input is not the plain hash digest, but a PKCS#1 “DigestInfo”, and ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. While the above functions for the RSA signature operations use the ‘PKCS#1’ padding scheme, Nettle also provides the variants based on the PSS padding scheme, specified in ‘RFC 8017’. These variants take advantage of a randomly choosen salt value, which could enhance the security by causing output to be different for equivalent inputs. However, assuming the same security level as inverting the RSA algorithm, a longer salt value does not always mean a better security . The typical choices of the length are between 0 and the digest size of the underlying hash function. Creating an RSA signature with the PSS padding scheme is done with one of the following functions: -- Function: int rsa_pss_sha256_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t SALT_LENGTH, const uint8_t *SALT, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_pss_sha384_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t SALT_LENGTH, const uint8_t *SALT, const uint8_t *DIGEST, mpz_t SIGNATURE) -- Function: int rsa_pss_sha512_sign_digest_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t SALT_LENGTH, const uint8_t *SALT, const uint8_t *DIGEST, mpz_t SIGNATURE) Creates a signature using the PSS padding scheme. SALT should point to a salt string of size SALT_LENGTH. DIGEST should point to a digest of size ‘SHA256_DIGEST_SIZE’, ‘SHA384_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’respectively. The signature is stored in SIGNATURE (which must have been ‘mpz_init’:ed earlier). Returns one on success, or zero on failure. Verifying an RSA signature with the PSS padding scheme is done with one of the following functions: -- Function: int rsa_pss_sha256_verify_digest (const struct rsa_public_key *KEY, size_t SALT_LENGTH, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_pss_sha384_verify_digest (const struct rsa_public_key *KEY, size_t SALT_LENGTH, const uint8_t *DIGEST, const mpz_t SIGNATURE) -- Function: int rsa_pss_sha512_verify_digest (const struct rsa_public_key *KEY, size_t SALT_LENGTH, const uint8_t *DIGEST, const mpz_t SIGNATURE) Returns 1 if the signature is valid, or 0 if it isn’t. DIGEST should point to a digest of size ‘SHA256_DIGEST_SIZE’, ‘SHA384_DIGEST_SIZE’, or ‘SHA512_DIGEST_SIZE’ respectively. The following function is used to encrypt a clear text message using RSA. -- Function: int rsa_encrypt (const struct rsa_public_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LENGTH, const uint8_t *CLEARTEXT, mpz_t CIPHERTEXT) Returns 1 on success, 0 on failure. If the message is too long then this will lead to a failure. The following function is used to decrypt a cipher text message using RSA. -- Function: int rsa_decrypt (const struct rsa_private_key *KEY, size_t *LENGTH, uint8_t *CLEARTEXT, const mpz_t CIPHERTEXT) Returns 1 on success, 0 on failure. Causes of failure include decryption failing or the resulting message being to large. The message buffer pointed to by CLEARTEXT must be of size *LENGTH. After decryption, *LENGTH will be updated with the size of the message. There is also a timing resistant version of decryption that utilizes randomized RSA blinding. -- Function: int rsa_decrypt_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t *LENGTH, uint8_t *MESSAGE, const mpz_t CIPHERTEXT) Returns 1 on success, 0 on failure. While the above functions for the RSA encryption operations use the ‘PKCS#1’ padding scheme, Nettle also provides the variants based on the OAEP padding scheme, specified in ‘RFC 8017’. These variants take advantage of a randomly choosen seed value, which could enhance the security by causing output to be different for equivalent inputs. Encrypting a clear text message using RSA with the OAEP padding scheme is done with one of the following functions: -- Function: int rsa_oaep_sha256_encrypt (const struct rsa_public_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t LENGTH, const uint8_t *MESSAGE, uint8_t *CIPHERTEXT) -- Function: int rsa_oaep_sha384_encrypt (const struct rsa_public_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t LENGTH, const uint8_t *MESSAGE, uint8_t *CIPHERTEXT) -- Function: int rsa_oaep_sha512_encrypt (const struct rsa_public_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t LENGTH, const uint8_t *MESSAGE, uint8_t *CIPHERTEXT) Returns 1 on success, 0 on failure. The label is optional and if omitted, LABEL_LENGTH and LABEL is set to 0 and ‘NULL’ respectively. The maximum size of MESSAGE can be calculated with ‘k - 2 * hLen - 2’, where ‘k’ is the key size in octets obtained with KEY->size, and ‘hLen’ is the output size of the underlying hash function (e.g., ‘SHA256_DIGEST_SIZE’ for ‘rsa_oaep_sha256_encrypt’). Decrypting a cipher text message using RSA with the OAEP padding scheme is done with one of the following functions: -- Function: int rsa_oaep_sha256_decrypt (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t *LENGTH, uint8_t *MESSAGE, const uint8_t *CIPHERTEXT) -- Function: int rsa_oaep_sha384_decrypt (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t *LENGTH, uint8_t *MESSAGE, const uint8_t *CIPHERTEXT) -- Function: int rsa_oaep_sha512_decrypt (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t LABEL_LENGTH, const uint8_t *LABEL, size_t *LENGTH, uint8_t *MESSAGE, const uint8_t *CIPHERTEXT) Returns 1 on success, 0 on failure. These function utilize randomized RSA blinding similarly to ‘rsa_decrypt_tr’. The message buffer pointed to by CLEARTEXT must be of size *LENGTH. After decryption, *LENGTH will be updated with the size of the message. If you need to use the RSA trapdoor, the private key, in a way that isn’t supported by the above functions Nettle also includes a function that computes ‘x^d mod n’ and nothing more, using the CRT optimization. -- Function: int rsa_compute_root_tr (const struct rsa_public_key *PUB, const struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, mpz_t X, const mpz_t M) Computes ‘x = m^d’. Returns one on success, or zero if a failure in the computation was detected. -- Function: void rsa_compute_root (struct rsa_private_key *KEY, mpz_t X, const mpz_t M) Computes ‘x = m^d’. At last, how do you create new keys? -- Function: int rsa_generate_keypair (struct rsa_public_key *PUB, struct rsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, void *PROGRESS_CTX, nettle_progress_func PROGRESS, unsigned N_SIZE, unsigned E_SIZE) There are lots of parameters. PUB and KEY is where the resulting key pair is stored. The structs should be initialized, but you don’t need to call ‘rsa_public_key_prepare’ or ‘rsa_private_key_prepare’ after key generation. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. PROGRESS can be NULL, in that case there are no callbacks. SIZE_N is the desired size of the modulo, in bits. If SIZE_E is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if E_SIZE is zero, it is assumed that the caller has already chosen a value for ‘e’, and stored it in PUB. Returns one on success, and zero on failure. The function can fail for example if if N_SIZE is too small, or if E_SIZE is zero and ‘pub->e’ is an even number.  File: nettle.info, Node: RSA-Footnotes, Up: RSA (1) Actually, the computation is not done like this, it is done more efficiently using ‘p’, ‘q’ and the Chinese remainder theorem (CRT). But the result is the same.  File: nettle.info, Node: DSA, Next: Elliptic curves, Prev: RSA, Up: Public-key algorithms 7.7.2 DSA --------- The DSA digital signature algorithm is more complex than RSA. It was specified during the early 1990s, and in 1994 NIST published FIPS 186 which is the authoritative specification. Sometimes DSA is referred to using the acronym DSS, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than sha1. For DSA, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime ‘p’, a small prime ‘q’ which is a factor of ‘p-1’, a number ‘g’ which generates a subgroup of order ‘q’ modulo ‘p’, and an element ‘y’ in that subgroup. In the original DSA, the size of ‘q’ is fixed to 160 bits, to match with the SHA1 hash algorithm. The size of ‘p’ is in principle unlimited, but the standard specifies only nine specific sizes: ‘512 + l*64’, where ‘l’ is between 0 and 8. Thus, the maximum size of ‘p’ is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure. The subgroup requirement means that if you compute g^t mod p for all possible integers ‘t’, you will get precisely ‘q’ distinct values. The private key is a secret exponent ‘x’, such that g^x = y mod p In mathematical speak, ‘x’ is the “discrete logarithm” of ‘y’ mod ‘p’, with respect to the generator ‘g’. The size of ‘x’ will also be about the same size as ‘q’. The security of the DSA algorithm relies on the difficulty of the discrete logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack DSA, are of two types. The first type works directly in the (multiplicative) group of integers mod ‘p’. The best known algorithm of this type is the Number Field Sieve, and it’s complexity is similar to the complexity of factoring numbers of the same size as ‘p’. The other type works in the smaller ‘q’-sized subgroup generated by ‘g’, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity ‘sqrt(q)’. The important point is that security depends on the size of _both_ ‘p’ and ‘q’, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original DSA may be uncomfortably small. Using a ‘p’ of 1024 bits implies that cracking using the number field sieve is expected to take about the same time as factoring a 1024-bit RSA modulo, and using a ‘q’ of size 160 bits implies that cracking using Pollard-rho will take roughly ‘2^80’ group operations. With the size of ‘q’ fixed, tied to the SHA1 digest size, it may be tempting to increase the size of ‘p’ to, say, 4096 bits. This will provide excellent resistance against attacks like the number field sieve which works in the large group. But it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack. The signature generation algorithm is randomized; in order to create a DSA signature, you need a good source for random numbers (*note Randomness::). Let us describe the common case of a 160-bit ‘q’. To create a signature, one starts with the hash digest of the message, ‘h’, which is a 160 bit number, and a random number ‘k, 0’. A DSA group is represented using the following struct. -- Context struct: dsa_params p q g Parameters of the DSA group. -- Function: void dsa_params_init (struct dsa_params *PARAMS) Calls ‘mpz_init’ on all numbers in the struct. -- Function: void dsa_params_clear (struct dsa_params *PARAMSparams) Calls ‘mpz_clear’ on all numbers in the struct. -- Function: int dsa_generate_params (struct dsa_params *PARAMS, void *RANDOM_CTX, nettle_random_func *RANDOM, void *PROGRESS_CTX, nettle_progress_func *PROGRESS, unsigned P_BITS, unsigned Q_BITS) Generates parameters of a new group. The PARAMS struct should be initialized before you call this function. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. PROGRESS can be NULL, in that case there are no callbacks. P_BITS and Q_BITS are the desired sizes of ‘p’ and ‘q’. To generate keys that conform to the original DSA standard, you must use ‘q_bits = 160’ and select P_BITS of the form ‘p_bits = 512 + l*64’, for ‘0 <= l <= 8’, where the smaller sizes are no longer recommended, so you should most likely stick to ‘p_bits = 1024’. Non-standard sizes are possible, in particular ‘p_bits’ larger than 1024, although DSA implementations can not in general be expected to support such keys. Also note that using very large P_BITS, with Q_BITS fixed at 160, doesn’t make much sense, because the security is also limited by the size of the smaller prime. To generate DSA keys for use with SHA256, use ‘q_bits = 256’ and, e.g., ‘p_bits = 2048’. Returns one on success, and zero on failure. The function will fail if Q_BITS is too small, or too close to P_BITS. Signatures are represented using the structure below. -- Context struct: dsa_signature r s The R and S fields are both of type ‘mpz_t’. -- Function: void dsa_signature_init (struct dsa_signature *SIGNATURE) -- Function: void dsa_signature_clear (struct dsa_signature *SIGNATURE) You must call ‘dsa_signature_init’ before creating or using a signature, and call ‘dsa_signature_clear’ when you are finished with it. Keys are represented as bignums, of type ‘mpz_t’. A public key represents a group element, and is of the same size as ‘p’, while a private key is an exponent, of the same size as ‘q’. -- Function: int dsa_sign (const struct dsa_params *PARAMS, const mpz_t X, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_SIZE, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Creates a signature from the given hash digest, using the private key X. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. Returns one on success, or zero on failure. Signing can fail only if the key is invalid, so that inversion modulo ‘q’ fails. -- Function: int dsa_verify (const struct dsa_params *PARAMS, const mpz_t Y, size_t DIGEST_SIZE, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Verifies a signature, using the public key y. Returns 1 if the signature is valid, otherwise 0. To generate a keypair, first generate a DSA group using ‘dsa_generate_params’. A keypair in this group is then created using -- Function: void dsa_generate_keypair (const struct dsa_params *PARAMS, mpz_t PUB, mpz_t KEY, void *RANDOM_CTX, nettle_random_func *RANDOM) Generates a new keypair, using the group PARAMS. The public key is stored in PUB, and the private key in KEY. Both variables must be initialized using ‘mpz_init’ before this call. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. 7.7.2.2 Old, deprecated, DSA interface ...................................... Versions before nettle-3.0 used a different interface for DSA signatures, where the group parameters and the public key was packed together as ‘struct dsa_public_key’. Most of this interface is kept for backwards compatibility, and declared in ‘nettle/dsa-compat.h’. Below is the old documentation. The old and new interface use distinct names and don’t confict, with one exception: The key generation function. The ‘nettle/dsa-compat.h’ redefines ‘dsa_generate_keypair’ as an alias for ‘dsa_compat_generate_keypair’, compatible with the old interface and documented below. The old DSA functions are very similar to the corresponding RSA functions, but there are a few differences pointed out below. For a start, there are no functions corresponding to ‘rsa_public_key_prepare’ and ‘rsa_private_key_prepare’. -- Context struct: dsa_public_key p q g y The public parameters described above. -- Context struct: dsa_private_key x The private key ‘x’. Before use, these structs must be initialized by calling one of -- Function: void dsa_public_key_init (struct dsa_public_key *PUB) -- Function: void dsa_private_key_init (struct dsa_private_key *KEY) Calls ‘mpz_init’ on all numbers in the key struct. When finished with them, the space for the numbers must be deallocated by calling one of -- Function: void dsa_public_key_clear (struct dsa_public_key *PUB) -- Function: void dsa_private_key_clear (struct dsa_private_key *KEY) Calls ‘mpz_clear’ on all numbers in the key struct. Signatures are represented using ‘struct dsa_signature’, described earlier. For signing, you need to provide both the public and the private key (unlike RSA, where the private key struct includes all information needed for signing), and a source for random numbers. Signatures can use the SHA1 or the SHA256 hash function, although the implementation of DSA with SHA256 should be considered somewhat experimental due to lack of official test vectors and interoperability testing. -- Function: int dsa_sha1_sign (const struct dsa_public_key *PUB, const struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, struct sha1_ctx *HASH, struct dsa_signature *SIGNATURE) -- Function: int dsa_sha1_sign_digest (const struct dsa_public_key *PUB, const struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) -- Function: int dsa_sha256_sign (const struct dsa_public_key *PUB, const struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, struct sha256_ctx *HASH, struct dsa_signature *SIGNATURE) -- Function: int dsa_sha256_sign_digest (const struct dsa_public_key *PUB, const struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Creates a signature from the given hash context or digest. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. Returns one on success, or zero on failure. Signing fails if the key size and the hash size don’t match. Verifying signatures is a little easier, since no randomness generator is needed. The functions are -- Function: int dsa_sha1_verify (const struct dsa_public_key *KEY, struct sha1_ctx *HASH, const struct dsa_signature *SIGNATURE) -- Function: int dsa_sha1_verify_digest (const struct dsa_public_key *KEY, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) -- Function: int dsa_sha256_verify (const struct dsa_public_key *KEY, struct sha256_ctx *HASH, const struct dsa_signature *SIGNATURE) -- Function: int dsa_sha256_verify_digest (const struct dsa_public_key *KEY, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Verifies a signature. Returns 1 if the signature is valid, otherwise 0. Key generation uses mostly the same parameters as the corresponding RSA function. -- Function: int dsa_compat_generate_keypair (struct dsa_public_key *PUB, struct dsa_private_key *KEY, void *RANDOM_CTX, nettle_random_func RANDOM, void *PROGRESS_CTX, nettle_progress_func PROGRESS, unsigned P_BITS, unsigned Q_BITS) PUB and KEY is where the resulting key pair is stored. The structs should be initialized before you call this function. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::. PROGRESS and PROGRESS_CTX can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. PROGRESS can be NULL, in that case there are no callbacks. P_BITS and Q_BITS are the desired sizes of ‘p’ and ‘q’. See ‘dsa_generate_keypair’ for details.  File: nettle.info, Node: Elliptic curves, Prev: DSA, Up: Public-key algorithms 7.7.3 Elliptic curves --------------------- For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve groups. If P and Q are two points, and k is an integer, the point sum, P + Q, and the multiple k P can be computed efficiently, but given only two points P and Q, finding an integer k such that Q = k P is the elliptic curve discrete logarithm problem. Nettle supports standard curves which are all of the form y^2 = x^3 - 3 x + b (mod p), i.e., the points have coordinates (x,y), both considered as integers modulo a specified prime p. Curves are represented as a ‘struct ecc_curve’. It also supports curve25519, which uses a different form of curve. Supported curves are declared in ‘’, e.g., call ‘nettle_get_secp_256r1’ for a standardized curve using the 256-bit prime p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1. The contents of these structs is not visible to nettle users. The “bitsize of the curve” is used as a shorthand for the bitsize of the curve’s prime p, e.g., 256 bits for the SECP 256R1 curve. * Menu: * Side-channel silence:: * ECDSA:: * GOSTDSA:: * Curve 25519 and Curve 448::  File: nettle.info, Node: Side-channel silence, Next: ECDSA, Up: Elliptic curves 7.7.3.1 Side-channel silence ............................ Nettle’s implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are: • Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key. • Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to get information about your secrets. This type of attack can even cross virtual machine boundaries. Nettle’s ECC implementation is designed to be “side-channel silent”, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks.  File: nettle.info, Node: ECDSA, Next: GOSTDSA, Prev: Side-channel silence, Up: Elliptic curves 7.7.3.2 ECDSA ............. ECDSA is a variant of the DSA digital signature scheme (*note DSA::), which works over an elliptic curve group rather than over a (subgroup of) integers modulo p. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating. Nettle defines ECDSA in ‘’. We first need to define the data types used to represent public and private keys. -- struct: struct ecc_point Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key. -- Function: void ecc_point_init (struct ecc_point *P, const struct ecc_curve *ECC) Initializes P to represent points on the given curve ECC. Allocates storage for the coordinates, using the same allocation functions as GMP. -- Function: void ecc_point_clear (struct ecc_point *P) Deallocate storage allocated by previous ecc_point_init. -- Function: int ecc_point_set (struct ecc_point *P, const mpz_t X, const mpz_t Y) Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the infinity point (or zero point, with additive notation) is not allowed. -- Function: void ecc_point_get (const struct ecc_point *P, mpz_t X, mpz_t Y) Extracts the coordinate of the point P. The output parameters X or Y may be NULL if the caller doesn’t want that coordinate. -- struct: struct ecc_scalar Represents an integer in the range 0 < x < group order, where the “group order” refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key. -- Function: void ecc_scalar_init (struct ecc_scalar *S, const struct ecc_curve *ECC) Initializes S to represent a scalar suitable for the given curve ECC. Allocates storage using the same allocation functions as GMP. -- Function: void ecc_scalar_clear (struct ecc_scalar *S) Deallocate the storage allocated by previous ecc_scalar_init. -- Function: int ecc_scalar_set (struct ecc_scalar *S, const mpz_t Z) Check that Z is in the correct range. If so, copies the value to S and returns 1, otherwise returns 0. -- Function: void ecc_scalar_get (const struct ecc_scalar *S, mpz_t Z) Extracts the scalar, in GMP ‘mpz_t’ representation. To create and verify ECDSA signatures, the following functions are used. -- Function: void ecdsa_sign (const struct ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_LENGTH, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Uses the private key KEY to create a signature of DIGEST. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. The signature is stored in SIGNATURE, in the same way as for plain DSA. -- Function: int ecdsa_verify (const struct ecc_point *PUB, size_t LENGTH, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Uses the public key PUB to verify that SIGNATURE is a valid signature for the message digest DIGEST (of LENGTH octets). Returns 1 if the signature is valid, otherwise 0. Finally, generating a new ECDSA key pair: -- Function: void ecdsa_generate_keypair (struct ecc_point *PUB, struct ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM) PUB and KEY is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. For advice, see *Note Randomness::.  File: nettle.info, Node: GOSTDSA, Next: Curve 25519 and Curve 448, Prev: ECDSA, Up: Elliptic curves 7.7.3.3 GOSTDSA ............... GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA (*note DSA::) and ECDSA (*note ECDSA::) digital signature schemes, which works over an elliptic curve group. Original documents are written in Russian. English translations are provided in ‘RFC 5832’ and ‘RFC 7091’. While technically nothing stops one from using GOSTDSA over any curve, it is defined only over several 256 and 512-bit curves. Like DSA and ECDSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function (GOSTHASH94 and GOSTHASH94CP, ‘RFC 5831’). GOST R 34.10-2012 is defined to use GOST R 34.11-2012 hash function (Streebog, ‘RFC 6986’) of corresponding size (256 or 512) depending on curve size. Nettle defines GOSTDSA in ‘’. GOSTDSA reuses ECDSA data types (‘struct ecc_point’, ‘struct ecc_scalar’) to represent public and private keys. Also to generate a new GOSTDSA key pair one has to use ‘ecdsa_generate_keypair()’ function. To create and verify GOSTDSA signatures, the following functions are used. -- Function: void gostdsa_sign (const struct ecc_scalar *KEY, void *RANDOM_CTX, nettle_random_func *RANDOM, size_t DIGEST_LENGTH, const uint8_t *DIGEST, struct dsa_signature *SIGNATURE) Uses the private key KEY to create a signature of DIGEST. RANDOM_CTX and RANDOM is a randomness generator. ‘random(random_ctx, length, dst)’ should generate ‘length’ random octets and store them at ‘dst’. The signature is stored in SIGNATURE, in the same was as for plain DSA. -- Function: int gostdsa_verify (const struct ecc_point *PUB, size_t LENGTH, const uint8_t *DIGEST, const struct dsa_signature *SIGNATURE) Uses the public key PUB to verify that SIGNATURE is a valid signature for the message digest DIGEST (of LENGTH octets). Returns 1 if the signature is valid, otherwise 0. For historical reason several curve IDs (OIDs) may correspond to a single curve/generator combination. Following list defines correspondence between nettle’s view on curves and actual identifiers defined in ‘RFC 4357’ and ‘RFC 7836’. -- Function: const struct ecc_curve nettle_get_gost_gc256b (void) Returns curve corresponding to following identifiers: • id-GostR3410-2001-CryptoPro-A-ParamSet (‘RFC 4357’) • id-GostR3410-2001-CryptoPro-XchA-ParamSet (‘RFC 4357’) • id-tc26-gost-3410-12-256-paramSetB -- Function: const struct ecc_curve nettle_get_gost_gc512a (void) Returns curve corresponding to following identifiers: • id-tc26-gost-3410-12-512-paramSetA (‘RFC 7836’) For GOST key pairs key derivation/key agreement function (VKO) is defined in ‘RFC 4357’ and ‘RFC 7836’. Basically shared key is equal to hash(cofactor * ukm * priv * pub). Nettle library provides a function that does multiplication. Caller should do hashing on his own (it will be either GOST R 34.11-94 (*note GOSTHASH94CP::) or GOST R 34.11-2012, Streebog, which nor part of the library yet). -- Function: void gostdsa_vko (const struct ecc_scalar *PRIV, const struct ecc_point *PUB, size_t UKM_LENGTH, const uint8_t *UKM, uint8_t *OUT) Uses private key PRIV, public ket PUB and shared key material UKM to generate shared secret, written to buffer OUT. The buffer should be of the size equal to 2 private key lengths: 64 bytes for 256 bit curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually transferred in cleartext. It does not have to be secret.  File: nettle.info, Node: Curve 25519 and Curve 448, Prev: GOSTDSA, Up: Elliptic curves 7.7.3.4 Curve25519 and Curve448 ............................... Curve25519 is an elliptic curve of Montgomery type, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^255 - 19. Montgomery curves have the advantage of simple and efficient point addition based on the x-coordinate only. This particular curve was proposed by D. J. Bernstein in 2006, for fast Diffie-Hellman key exchange, and is also described in ‘RFC 7748’. The group generator is defined by x = 9 (there are actually two points with x = 9, differing by the sign of the y-coordinate, but that doesn’t matter for the curve25519 operations which work with the x-coordinate only). The curve25519 functions are defined as operations on octet strings, representing 255-bit scalars or x-coordinates, in little-endian byte order. The most significant input bit, i.e, the most significant bit of the last octet, is always ignored. For scalars, in addition, the least significant three bits are ignored, and treated as zero, and the second most significant bit is ignored too, and treated as one. Then the scalar input string always represents 8 times a number in the range 2^251 <= s < 2^252. Of all the possible input strings, only about half correspond to x-coordinates of points on curve25519, i.e., a value x for which the the curve equation can be solved for y. The other half correspond to points on a related “twist curve”. The function ‘curve25519_mul’ uses a Montgomery ladder for the scalar multiplication, as suggested in the curve25519 literature, and required by ‘RFC 7748’. The output is therefore well defined for _all_ possible inputs, no matter if the input string represents a valid point on the curve or not. Note that the curve25519 implementation in earlier versions of Nettle deviates slightly from ‘RFC 7748’, in that bit 255 of the x coordinate of the point input to curve25519_mul was not ignored. The ‘nette/curve25519.h’ defines a preprocessor symbol ‘NETTLE_CURVE25519_RFC7748’ to indicate conformance with the standard. Nettle defines Curve 25519 in ‘’. -- Constant: NETTLE_CURVE25519_RFC7748 Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in earlier versions. -- Constant: CURVE25519_SIZE The size of the strings representing curve25519 points and scalars, 32. -- Function: void curve25519_mul_g (uint8_t *Q, const uint8_t *N) Computes Q = N G, where G is the group generator and N is an integer. The input argument N and the output argument Q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size ‘CURVE25519_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult_base’ in the NaCl library. -- Function: void curve25519_mul (uint8_t *Q, const uint8_t *N, const uint8_t *P) Computes Q = N P, where P is an input point and N is an integer. The input arguments N and P and the output argument Q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size ‘CURVE25519_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult’ in the NaCl library. Similarly, Nettle also implements Curve448, an elliptic curve of Montgomery type, y^2 = x^3 + 156326 x^2 + x (mod p), with p = 2^448 - 2^224 - 1. This particular curve was proposed by Mike Hamburg in 2015, for fast Diffie-Hellman key exchange, and is also described in ‘RFC 7748’. Nettle defines Curve 448 in ‘’. -- Constant: CURVE448_SIZE The octet length of the strings representing curve448 points and scalars, 56. -- Function: void curve448_mul_g (uint8_t *Q, const uint8_t *N) Computes Q = N G, where G is the group generator and N is an integer. The input argument N and the output argument Q use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size ‘CURVE448_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult_base’ in the NaCl library. -- Function: void curve448_mul (uint8_t *Q, const uint8_t *N, const uint8_t *P) Computes Q = N P, where P is an input point and N is an integer. The input arguments N and P and the output argument Q use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size ‘CURVE448_SIZE’. This function is intended to be compatible with the function ‘crypto_scalar_mult’ in the NaCl library. 7.7.3.5 EdDSA ............. EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. It is defined using a “Twisted Edwards curve”, of the form -x^2 + y^2 = 1 + d x^2 y^2. The specific signature scheme Ed25519 uses a curve which is equivalent to curve25519: The two groups used differ only by a simple change of coordinates, so that the discrete logarithm problem is of equal difficulty in both groups. Unlike other signature schemes in Nettle, the input to the EdDSA sign and verify functions is the possibly large message itself, not a hash digest. EdDSA is a variant of Schnorr signatures, where the message is hashed together with other data during the signature process, providing resilience to hash-collisions: A successful attack finding collisions in the hash function does not automatically translate into an attack to forge signatures. EdDSA also avoids the use of a randomness source by generating the needed signature nonce from a hash of the private key and the message, which means that the message is actually hashed twice when creating a signature. If signing huge messages, it is possible to hash the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost. -- Constant: ED25519_KEY_SIZE The size of a private or public Ed25519 key, 32 octets. -- Constant: ED25519_SIGNATURE_SIZE The size of an Ed25519 signature, 64 octets. -- Function: void ed25519_sha512_public_key (uint8_t *PUB, const uint8_t *PRIV) Computes the public key corresponding to the given private key. Both input and output are of size ‘ED25519_KEY_SIZE’. -- Function: void ed25519_sha512_sign (const uint8_t *PUB, const uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t *SIGNATURE) Signs a message using the provided key pair. -- Function: int ed25519_sha512_verify (const uint8_t *PUB, size_t LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0. Nettle also provides Ed448, an EdDSA signature scheme based on an Edwards curve equivalent to curve448. -- Constant: ED448_KEY_SIZE The size of a private or public Ed448 key, 57 octets. -- Constant: ED448_SIGNATURE_SIZE The size of an Ed448 signature, 114 octets. -- Function: void ed448_shake256_public_key (uint8_t *PUB, const uint8_t *PRIV) Computes the public key corresponding to the given private key. Both input and output are of size ‘ED448_KEY_SIZE’. -- Function: void ed448_shake256_sign (const uint8_t *PUB, const uint8_t *PRIV, size_t LENGTH, const uint8_t *MSG, uint8_t *SIGNATURE) Signs a message using the provided key pair. -- Function: int ed448_shake256_verify (const uint8_t *PUB, size_t LENGTH, const uint8_t *MSG, const uint8_t *SIGNATURE) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0.  File: nettle.info, Node: Randomness, Next: ASCII encoding, Prev: Public-key algorithms, Up: Reference 7.8 Randomness ============== A crucial ingredient in many cryptographic contexts is randomness: Let ‘p’ be a random prime, choose a random initialization vector ‘iv’, a random key ‘k’ and a random exponent ‘e’, etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain. In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name. However, such a generator is inadequate for cryptography, for at least two reasons: • It’s too easy for an attacker to guess the initial seed. Even if it will take some 2^32 tries before he guesses right, that’s far too easy. For example, if the process id is 16 bits, the resolution of “current time” is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried. • The generator output reveals too much. By observing only a small segment of the generator’s output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker. A randomness generator that is used for cryptographic purposes must have better properties. Let’s first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So what’s unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called “entropy”, or “conditional entropy” (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask ‘n’ yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other information he knows about the seeding process, still can’t guess the seed correctly, then the conditional entropy is more than ‘n’ bits. Let’s look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or “unguessability” to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session. Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are: High resolution timing of i/o activities Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not all systems include suitable hardware. If available, it’s one of the better randomness source one can find in a digital, mostly predictable, computer. User activity Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, TELNET session, or even SSH session may be visible to an attacker, in full or partially. Audio input Any room, or even a microphone input that’s left unconnected, is a source of some random background noise, which can be fed into the seeding process. Specialized hardware Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type. Secret information Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same seed more than once. For all practical sources, it’s difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. Two important points are to make sure that the attacker can’t observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months? So let’s assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine). How do we generate output from this seed, and how much can we get? Some generators (notably the Linux ‘/dev/random’ generator) tries to estimate available entropy and restrict the amount of output. The goal is that if you read 128 bits from ‘/dev/random’, you should get 128 “truly random” bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most cases, it doesn’t matter much. For most application, there’s no limit on the amount of useful “random” data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties. At the heart of all generators lies its internal state. Future output is determined by the internal state alone. Let’s call it the generator’s key. The key is initialized from the unguessable seed. Important properties of a generator are: “Key-hiding” An attacker observing the output should not be able to recover the generator’s key. “Independence of outputs” Observing some of the output should not help the attacker to guess previous or future output. “Forward secrecy” Even if an attacker compromises the generator’s key, he should not be able to guess the generator output _before_ the key compromise. “Recovery from key compromise” If an attacker compromises the generator’s key, he can compute _all_ future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time ‘t_1’, there is another later time ‘t_2’, such that if the attacker observes all output generated between ‘t_1’ and ‘t_2’, he still can’t guess what output is generated after ‘t_2’. Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones. ChaCha (*note ChaCha::), like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality. There’s no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. Historically ARCFOUR (*note Arcfour::) has been used as a randomness generator, however it is known to be distinguishable from random data and the output leaks information about the key. The “lagged Fibonacci” generator in ‘’ is a fast generator with good statistical properties, but is *not* for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed. The recommended generator to use is Yarrow, described below. 7.8.1 Yarrow ------------ Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at , and it uses SHA1 and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses SHA256 and AES to get an internal state of 256 bits. Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later. Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness “pools”, referred to as the “slow pool” and the “fast pool”. Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy to the fast pool, a “fast reseed” happens and the fast pool is mixed into the internal state. When at least two of the sources have contributed at least 160 bits each to the slow pool, a “slow reseed” takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise. The output is generated by using AES to encrypt a counter, using the generator’s current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy. Yarrow can also use a “seed file” to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens. Nettle defines Yarrow-256 in ‘’. -- Context struct: struct yarrow256_ctx -- Context struct: struct yarrow_source Information about a single source. -- Constant: YARROW256_SEED_FILE_SIZE Recommended size of the Yarrow-256 seed file. -- Function: void yarrow256_init (struct yarrow256_ctx *CTX, unsigned NSOURCES, struct yarrow_source *SOURCES) Initializes the yarrow context, and its NSOURCES sources. It’s possible to call it with NSOURCES=0 and SOURCES=NULL, if you don’t need the update features. -- Function: void yarrow256_seed (struct yarrow256_ctx *CTX, size_t LENGTH, uint8_t *SEED_FILE) Seeds Yarrow-256 from a previous seed file. LENGTH should be at least ‘YARROW256_SEED_FILE_SIZE’, but it can be larger. The generator will trust you that the SEED_FILE data really is unguessable. After calling this function, you _must_ overwrite the old seed file with newly generated data from ‘yarrow256_random’. If it’s possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism. -- Function: int yarrow256_update (struct yarrow256_ctx *CTX, unsigned SOURCE, unsigned ENTROPY, size_t LENGTH, const uint8_t *DATA) Updates the generator with data from source SOURCE (an index that must be smaller than the number of sources). ENTROPY is your estimated lower bound for the entropy in the data, measured in bits. Calling update with zero ENTROPY is always safe, no matter if the data is random or not. Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with ‘yarrow256_random’ and overwrite the seed file. Otherwise, the function returns 0. -- Function: void yarrow256_random (struct yarrow256_ctx *CTX, size_t LENGTH, uint8_t *DST) Generates LENGTH octets of output. The generator must be seeded before you call this function. If you don’t need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time. -- Function: int yarrow256_is_seeded (struct yarrow256_ctx *CTX) Returns 1 if the generator is seeded and ready to generate output, otherwise 0. -- Function: unsigned yarrow256_needed_sources (struct yarrow256_ctx *CTX) Returns the number of sources that must reach the threshold before a slow reseed will happen. Useful primarily when the generator is unseeded. -- Function: void yarrow256_fast_reseed (struct yarrow256_ctx *CTX) -- Function: void yarrow256_slow_reseed (struct yarrow256_ctx *CTX) Causes a fast or slow reseed to take place immediately, regardless of the current entropy estimates of the two pools. Use with care. Nettle includes an entropy estimator for one kind of input source: User keyboard input. -- Context struct: struct yarrow_key_event_ctx Information about recent key events. -- Function: void yarrow_key_event_init (struct yarrow_key_event_ctx *CTX) Initializes the context. -- Function: unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *CTX, unsigned KEY, unsigned TIME) KEY is the id of the key (ASCII value, hardware key code, X keysym, ..., it doesn’t matter), and TIME is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, TIME should be provided in units of microseconds. But if you use ‘gettimeofday’ on a typical Unix system where the clock ticks 10 or so microseconds at a time, TIME should be given in units of 10 microseconds. Returns an entropy estimate, in bits, suitable for calling ‘yarrow256_update’. Usually, 0, 1 or 2 bits. 7.8.2 DRBG-CTR -------------- The Deterministic Random Bit Generator (DRBG) family is a complex family of deterministic randomness generators published by NIST in SP 800-90A. We support what we believe is the reasonable parts of the CTR_DRBG algorithm for AES256. Re-seeding, personalization strings, derivation functions and support for non-AES256 is not implemented. Personalization strings can be implemented by the caller, if desired, with xor. If you need re-seeding or entropy derivation, we suggest that you use Yarrow instead. The security bounds of DRBG-CTR are not intuitive, see “Security Bounds for the NIST Codebook-based Deterministic Random Bit Generator” by Matthew J. Campagna, from . Our suggested use-case for DRBG-CTR is to deterministically generate known values from a seed when comparing against expected values for some other algorithm. Nettle defines DRBG-CTR in ‘’. -- Context struct: struct drbg_ctr_aes256_ctx -- Constant: DRBG_CTR_AES256_SEED_SIZE The size of the seeding material. -- Function: void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *CTX, uint8_t *SEED_MATERIAL) Initialize the DRBG-CTR-AES256 context using ‘DRBG_CTR_AES256_SEED_SIZE’ bytes of SEED_MATERIAL. -- Function: void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *CTX, size_t n, uint8_t *DST) Generates N octets of output into DST. The generator must be initialized before you call this function.  File: nettle.info, Node: ASCII encoding, Next: Miscellaneous functions, Prev: Randomness, Up: Reference 7.9 ASCII encoding ================== Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was plain text in an email, or store it along with descriptive text in a file. You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text. A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte). The base64 encoding will always use alphanumeric (upper and lower case) characters and the ’+’, ’/’ and ’=’ symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters are added at the end. There’s also a “URL safe” variant, which is useful for encoding binary data into URLs and filenames. See ‘RFC 4648’. The base16 encoding, also known as “hexadecimal”, uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated for each input byte. Nettle supports both base64 and base16 encoding and decoding. Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn’t need any). To encode or decode the data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function. The following functions can be used to perform base64 encoding and decoding. They are defined in ‘’. -- Context struct: struct base64_encode_ctx -- Function: void base64_encode_init (struct base64_encode_ctx *CTX) -- Function: void base64url_encode_init (struct base64_encode_ctx *CTX) Initializes a base64 context. This is necessary before starting an encoding session. ‘base64_encode_init’ selects the standard base64 alphabet, while ‘base64url_encode_init’ selects the URL safe alphabet. -- Function: size_t base64_encode_single (struct base64_encode_ctx *CTX, uint8_t *DST, uint8_t SRC) Encodes a single byte. Returns amount of output (always 1 or 2). -- Macro: BASE64_ENCODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes to ‘base64_encode_update’. -- Function: size_t base64_encode_update (struct base64_encode_ctx *CTX, uint8_t *DST, size_t LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to encode LENGTH bytes from SRC. The result will be placed in DST, and the return value will be the number of bytes generated. Note that DST must be at least of size BASE64_ENCODE_LENGTH(LENGTH). -- Constant: BASE64_ENCODE_FINAL_LENGTH The maximum amount of output from ‘base64_encode_final’. -- Function: size_t base64_encode_final (struct base64_encode_ctx *CTX, uint8_t *DST) After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes generated. -- Context struct: struct base64_decode_ctx -- Function: void base64_decode_init (struct base64_decode_ctx *CTX) -- Function: void base64url_decode_init (struct base64_decode_ctx *CTX) Initializes a base64 decoding context. This is necessary before starting a decoding session. ‘base64_decode_init’ selects the standard base64 alphabet, while ‘base64url_decode_init’ selects the URL safe alphabet. -- Function: int base64_decode_single (struct base64_decode_ctx *CTX, uint8_t *DST, uint8_t SRC) Decodes a single byte (SRC) and stores the result in DST. Returns amount of output (0 or 1), or -1 on errors. -- Macro: BASE64_DECODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes to ‘base64_decode_update’. -- Function: void base64_decode_update (struct base64_decode_ctx *CTX, size_t *DST_LENGTH, uint8_t *DST, size_t SRC_LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to decode SRC_LENGTH bytes from SRC. DST should point to an area of size at least BASE64_DECODE_LENGTH(SRC_LENGTH). The amount of data generated is returned in *DST_LENGTH. Returns 1 on success and 0 on error. -- Function: int base64_decode_final (struct base64_decode_ctx *CTX) Check that final padding is correct. Returns 1 on success, and 0 on error. Similarly to the base64 functions, the following functions perform base16 encoding, and are defined in ‘’. Note that there is no encoding context necessary for doing base16 encoding. -- Function: void base16_encode_single (uint8_t *DST, uint8_t SRC) Encodes a single byte. Always stores two digits in DST[0] and DST[1]. -- Macro: BASE16_ENCODE_LENGTH (LENGTH) The number of output bytes when passing LENGTH input bytes to ‘base16_encode_update’. -- Function: void base16_encode_update (uint8_t *DST, size_t LENGTH, const uint8_t *SRC) Always stores BASE16_ENCODE_LENGTH(LENGTH) digits in DST. -- Context struct: struct base16_decode_ctx -- Function: void base16_decode_init (struct base16_decode_ctx *CTX) Initializes a base16 decoding context. This is necessary before starting a decoding session. -- Function: int base16_decode_single (struct base16_decode_ctx *CTX, uint8_t *DST, uint8_t SRC) Decodes a single byte from SRC into DST. Returns amount of output (0 or 1), or -1 on errors. -- Macro: BASE16_DECODE_LENGTH (LENGTH) The maximum number of output bytes when passing LENGTH input bytes to ‘base16_decode_update’. -- Function: int base16_decode_update (struct base16_decode_ctx *CTX, size_t *DST_LENGTH, uint8_t *DST, size_t SRC_LENGTH, const uint8_t *SRC) After CTX is initialized, this function may be called to decode SRC_LENGTH bytes from SRC. DST should point to an area of size at least BASE16_DECODE_LENGTH(SRC_LENGTH). The amount of data generated is returned in *DST_LENGTH. Returns 1 on success and 0 on error. -- Function: int base16_decode_final (struct base16_decode_ctx *CTX) Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on error.  File: nettle.info, Node: Miscellaneous functions, Next: Compatibility functions, Prev: ASCII encoding, Up: Reference 7.10 Miscellaneous functions ============================ -- Function: void * memxor (void *DST, const void *SRC, size_t N) XORs the source area on top of the destination area. The interface doesn’t follow the Nettle conventions, because it is intended to be similar to the ANSI-C ‘memcpy’ function. -- Function: void * memxor3 (void *DST, const void *A, const void *B, size_t N) Like ‘memxor’, but takes two source areas and separate destination area. -- Function: int memeql_sec (const void *A, const void *B, size_t N) Side-channel silent comparison of the N bytes at A and B. I.e., instructions executed and memory accesses are identical no matter where the areas differ, *note Side-channel silence::. Return non-zero if the areas are equal, and zero if they differ. These functions are declared in ‘’. For compatibility with earlier versions of Nettle, ‘memxor’ and ‘memxor3’ are also declared in ‘’.  File: nettle.info, Node: Compatibility functions, Prev: Miscellaneous functions, Up: Reference 7.11 Compatibility functions ============================ For convenience, Nettle includes alternative interfaces to some algorithms, for compatibility with some other popular crypto toolkits. These are not fully documented here; refer to the source or to the documentation for the original implementation. MD5 is defined in [RFC 1321], which includes a reference implementation. Nettle defines a compatible interface to MD5 in ‘’. This file defines the typedef ‘MD5_CTX’, and declares the functions ‘MD5Init’, ‘MD5Update’ and ‘MD5Final’.  File: nettle.info, Node: Nettle soup, Next: Installation, Prev: Reference, Up: Top 8 Traditional Nettle Soup ************************* For the serious nettle hacker, here is a recipe for nettle soup. 4 servings. 1 liter fresh nettles (urtica dioica) 2 tablespoons butter 3 tablespoons flour 1 liter stock (meat or vegetable) 1/2 teaspoon salt a tad white pepper some cream or milk Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used. Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper. Serve with boiled egg-halves.  File: nettle.info, Node: Installation, Next: Index, Prev: Nettle soup, Up: Top 9 Installation ************** Nettle uses ‘autoconf’. To build it, unpack the source and run ./configure make make check make install to install it under the default prefix, ‘/usr/local’. Using GNU make is strongly recommended. By default, both static and shared libraries are built and installed. To get a list of configure options, use ‘./configure --help’. Some of the more interesting are: ‘--enable-fat’ Include multiple versions of certain functions in the library, and select the ones to use at run-time, depending on available processor features. Supported for ARM and x86_64. ‘--enable-mini-gmp’ Use the smaller and slower “mini-gmp” implementation of the bignum functions needed for public-key cryptography, instead of the real GNU GMP library. This option is intended primarily for smaller embedded systems. Note that builds using mini-gmp are *not* binary compatible with regular builds of Nettle, and more likely to leak side-channel information. ‘--disable-shared’ Omit building the shared libraries. ‘--disable-dependency-tracking’ Disable the automatic dependency tracking. You will likely need this option to be able to build with BSD make.  File: nettle.info, Node: Index, Prev: Installation, Up: Top Function and Concept Index ************************** [index] * Menu: * 3DES: DES3. (line 6) * ABI compatibility: Compatibility. (line 6) * AEAD: Authenticated encryption. (line 6) * AES: AES. (line 6) * aes128_decrypt: AES. (line 86) * aes128_encrypt: AES. (line 73) * aes128_invert_key: AES. (line 56) * aes128_set_decrypt_key: AES. (line 40) * aes128_set_encrypt_key: AES. (line 38) * aes192_decrypt: AES. (line 88) * aes192_encrypt: AES. (line 75) * aes192_invert_key: AES. (line 58) * aes192_set_decrypt_key: AES. (line 44) * aes192_set_encrypt_key: AES. (line 42) * aes256_decrypt: AES. (line 90) * aes256_encrypt: AES. (line 77) * aes256_invert_key: AES. (line 60) * aes256_set_decrypt_key: AES. (line 48) * aes256_set_encrypt_key: AES. (line 46) * aes_decrypt: AES. (line 92) * aes_encrypt: AES. (line 79) * aes_invert_key: AES. (line 62) * aes_set_decrypt_key: AES. (line 52) * aes_set_encrypt_key: AES. (line 50) * API compatibility: Compatibility. (line 6) * Arcfour: Arcfour. (line 6) * arcfour_crypt: Arcfour. (line 59) * arcfour_set_key: Arcfour. (line 54) * Arctwo: Arctwo. (line 6) * arctwo_decrypt: Arctwo. (line 60) * arctwo_encrypt: Arctwo. (line 53) * arctwo_set_key: Arctwo. (line 37) * arctwo_set_key_ekb: Arctwo. (line 35) * arctwo_set_key_gutmann: Arctwo. (line 39) * Authenticated encryption: Authenticated encryption. (line 6) * balloon: Key derivation functions. (line 181) * Balloon password-hashing algorithm: Key derivation functions. (line 150) * balloon_itch: Key derivation functions. (line 194) * balloon_sha1: Key derivation functions. (line 208) * balloon_sha256: Key derivation functions. (line 216) * balloon_sha384: Key derivation functions. (line 224) * balloon_sha512: Key derivation functions. (line 232) * base16_decode_final: ASCII encoding. (line 143) * base16_decode_init: ASCII encoding. (line 121) * BASE16_DECODE_LENGTH: ASCII encoding. (line 130) * base16_decode_single: ASCII encoding. (line 125) * base16_decode_update: ASCII encoding. (line 134) * BASE16_ENCODE_LENGTH: ASCII encoding. (line 111) * base16_encode_single: ASCII encoding. (line 107) * base16_encode_update: ASCII encoding. (line 115) * base64url_decode_init: ASCII encoding. (line 75) * base64url_encode_init: ASCII encoding. (line 41) * base64_decode_final: ASCII encoding. (line 99) * base64_decode_init: ASCII encoding. (line 74) * BASE64_DECODE_LENGTH: ASCII encoding. (line 86) * base64_decode_single: ASCII encoding. (line 81) * base64_decode_update: ASCII encoding. (line 90) * base64_encode_final: ASCII encoding. (line 65) * base64_encode_init: ASCII encoding. (line 40) * BASE64_ENCODE_LENGTH: ASCII encoding. (line 51) * base64_encode_single: ASCII encoding. (line 47) * base64_encode_update: ASCII encoding. (line 55) * Binary compatibility: Compatibility. (line 6) * Block Cipher: Cipher functions. (line 12) * Blowfish: Blowfish. (line 6) * blowfish_bcrypt_hash: Blowfish. (line 45) * blowfish_bcrypt_verify: Blowfish. (line 85) * blowfish_decrypt: Blowfish. (line 41) * blowfish_encrypt: Blowfish. (line 34) * blowfish_set_key: Blowfish. (line 24) * Camellia: Camellia. (line 6) * camellia128_crypt: Camellia. (line 80) * camellia128_invert_key: Camellia. (line 66) * camellia128_set_decrypt_key: Camellia. (line 50) * camellia128_set_encrypt_key: Camellia. (line 48) * camellia192_crypt: Camellia. (line 82) * camellia192_invert_key: Camellia. (line 68) * camellia192_set_decrypt_key: Camellia. (line 54) * camellia192_set_encrypt_key: Camellia. (line 52) * camellia256_crypt: Camellia. (line 84) * camellia256_invert_key: Camellia. (line 70) * camellia256_set_decrypt_key: Camellia. (line 58) * camellia256_set_encrypt_key: Camellia. (line 56) * camellia_crypt: Camellia. (line 86) * camellia_invert_key: Camellia. (line 72) * camellia_set_decrypt_key: Camellia. (line 62) * camellia_set_encrypt_key: Camellia. (line 60) * CAST: CAST128. (line 6) * cast128_decrypt: CAST128. (line 41) * cast128_encrypt: CAST128. (line 34) * cast128_set_key: CAST128. (line 29) * cast5_set_key: CAST128. (line 45) * CBC Mode: CBC. (line 6) * cbc_aes128_encrypt: CBC. (line 103) * cbc_aes192_encrypt: CBC. (line 105) * cbc_aes256_encrypt: CBC. (line 107) * CBC_CTX: CBC. (line 55) * cbc_decrypt: CBC. (line 35) * CBC_DECRYPT: CBC. (line 76) * cbc_encrypt: CBC. (line 32) * CBC_ENCRYPT: CBC. (line 75) * CBC_SET_IV: CBC. (line 70) * CCM Mode: CCM. (line 6) * ccm_aes128_decrypt: CCM. (line 211) * ccm_aes128_decrypt_message: CCM. (line 242) * ccm_aes128_digest: CCM. (line 221) * ccm_aes128_encrypt: CCM. (line 205) * ccm_aes128_encrypt_message: CCM. (line 230) * ccm_aes128_set_key: CCM. (line 174) * ccm_aes128_set_nonce: CCM. (line 184) * ccm_aes128_update: CCM. (line 196) * ccm_aes192_decrypt: CCM. (line 213) * ccm_aes192_decrypt_message: CCM. (line 246) * ccm_aes192_decrypt_message <1>: CCM. (line 250) * ccm_aes192_digest: CCM. (line 223) * ccm_aes192_encrypt: CCM. (line 207) * ccm_aes192_encrypt_message: CCM. (line 234) * ccm_aes192_set_key: CCM. (line 176) * ccm_aes192_set_nonce: CCM. (line 187) * ccm_aes192_update: CCM. (line 198) * ccm_aes256_decrypt: CCM. (line 215) * ccm_aes256_digest: CCM. (line 225) * ccm_aes256_encrypt: CCM. (line 209) * ccm_aes256_encrypt_message: CCM. (line 238) * ccm_aes256_set_key: CCM. (line 178) * ccm_aes256_set_nonce: CCM. (line 190) * ccm_aes256_update: CCM. (line 200) * ccm_decrypt: CCM. (line 95) * ccm_decrypt_message: CCM. (line 142) * ccm_digest: CCM. (line 103) * ccm_encrypt: CCM. (line 92) * ccm_encrypt_message: CCM. (line 134) * CCM_MAX_MSG_SIZE: CCM. (line 76) * ccm_set_nonce: CCM. (line 80) * ccm_update: CCM. (line 86) * CFB Modes: CFB and CFB8. (line 6) * CFB8 Mode: CFB and CFB8. (line 6) * CFB8_CTX: CFB and CFB8. (line 112) * cfb8_decrypt: CFB and CFB8. (line 73) * CFB8_DECRYPT: CFB and CFB8. (line 131) * cfb8_encrypt: CFB and CFB8. (line 70) * CFB8_ENCRYPT: CFB and CFB8. (line 124) * CFB8_SET_IV: CFB and CFB8. (line 119) * CFB_CTX: CFB and CFB8. (line 86) * cfb_decrypt: CFB and CFB8. (line 55) * CFB_DECRYPT: CFB and CFB8. (line 105) * cfb_encrypt: CFB and CFB8. (line 52) * CFB_ENCRYPT: CFB and CFB8. (line 98) * CFB_SET_IV(CTX,: CFB and CFB8. (line 93) * ChaCha: ChaCha. (line 6) * chacha_crypt: ChaCha. (line 44) * chacha_crypt32: ChaCha. (line 76) * chacha_poly1305_decrypt: ChaCha-Poly1305. (line 63) * chacha_poly1305_digest: ChaCha-Poly1305. (line 69) * chacha_poly1305_encrypt: ChaCha-Poly1305. (line 61) * chacha_poly1305_set_key: ChaCha-Poly1305. (line 48) * chacha_poly1305_set_nonce: ChaCha-Poly1305. (line 53) * chacha_poly1305_update: ChaCha-Poly1305. (line 57) * chacha_set_counter: ChaCha. (line 36) * chacha_set_counter32: ChaCha. (line 70) * chacha_set_key: ChaCha. (line 24) * chacha_set_nonce: ChaCha. (line 30) * chacha_set_nonce96: ChaCha. (line 65) * Cipher: Cipher functions. (line 6) * Cipher Block Chaining: CBC. (line 6) * Cipher Feedback 8-bit Mode: CFB and CFB8. (line 6) * Cipher Feedback Mode: CFB and CFB8. (line 6) * CMAC: CMAC. (line 6) * CMAC-128: CMAC. (line 6) * CMAC-64: CMAC. (line 6) * cmac_aes128_digest: CMAC. (line 33) * cmac_aes128_set_key: CMAC. (line 25) * cmac_aes128_update: CMAC. (line 29) * cmac_aes256_digest: CMAC. (line 49) * cmac_aes256_set_key: CMAC. (line 41) * cmac_aes256_update: CMAC. (line 45) * cmac_des3_digest: CMAC. (line 70) * cmac_des3_set_key: CMAC. (line 62) * cmac_des3_update: CMAC. (line 66) * Collision-resistant: Hash functions. (line 18) * Conditional entropy: Randomness. (line 51) * Counter Mode: CTR. (line 6) * Counter with CBC-MAC Mode: CCM. (line 6) * CTR Mode: CTR. (line 6) * ctr_crypt: CTR. (line 33) * CTR_CRYPT: CTR. (line 60) * CTR_CTX: CTR. (line 48) * CTR_SET_COUNTER: CTR. (line 55) * Curve 25519: Curve 25519 and Curve 448. (line 6) * Curve 448: Curve 25519 and Curve 448. (line 6) * curve25519_mul: Curve 25519 and Curve 448. (line 60) * curve25519_mul_g: Curve 25519 and Curve 448. (line 51) * curve448_mul: Curve 25519 and Curve 448. (line 91) * curve448_mul_g: Curve 25519 and Curve 448. (line 82) * DES: DES. (line 6) * DES3: DES3. (line 6) * des3_decrypt: DES3. (line 65) * des3_encrypt: DES3. (line 58) * des3_set_key: DES3. (line 47) * des_check_parity: DES. (line 47) * des_decrypt: DES. (line 43) * des_encrypt: DES. (line 36) * des_fix_parity: DES. (line 51) * des_set_key: DES. (line 29) * drbg_ctr_aes256_init: Randomness. (line 333) * drbg_ctr_aes256_random: Randomness. (line 338) * dsa_compat_generate_keypair: DSA. (line 301) * dsa_generate_keypair: DSA. (line 199) * dsa_generate_params: DSA. (line 131) * dsa_params: DSA. (line 122) * dsa_params_clear: DSA. (line 128) * dsa_params_init: DSA. (line 125) * dsa_private_key: DSA. (line 232) * dsa_private_key_clear: DSA. (line 245) * dsa_private_key_init: DSA. (line 238) * dsa_public_key: DSA. (line 229) * dsa_public_key_clear: DSA. (line 244) * dsa_public_key_init: DSA. (line 237) * dsa_sha1_sign: DSA. (line 258) * dsa_sha1_sign_digest: DSA. (line 262) * dsa_sha1_verify: DSA. (line 284) * dsa_sha1_verify_digest: DSA. (line 286) * dsa_sha256_sign: DSA. (line 266) * dsa_sha256_sign_digest: DSA. (line 270) * dsa_sha256_verify: DSA. (line 289) * dsa_sha256_verify_digest: DSA. (line 292) * dsa_sign: DSA. (line 178) * dsa_signature: DSA. (line 165) * dsa_signature_clear: DSA. (line 169) * dsa_signature_init: DSA. (line 168) * dsa_verify: DSA. (line 190) * eax_aes128_decrypt: EAX. (line 136) * eax_aes128_digest: EAX. (line 142) * eax_aes128_encrypt: EAX. (line 134) * eax_aes128_set_key: EAX. (line 120) * eax_aes128_set_nonce: EAX. (line 124) * eax_aes128_update: EAX. (line 128) * EAX_CTX: EAX. (line 81) * eax_decrypt: EAX. (line 60) * EAX_DECRYPT: EAX. (line 105) * eax_digest: EAX. (line 68) * EAX_DIGEST: EAX. (line 108) * eax_encrypt: EAX. (line 57) * EAX_ENCRYPT: EAX. (line 104) * eax_set_key: EAX. (line 36) * EAX_SET_KEY: EAX. (line 94) * eax_set_nonce: EAX. (line 42) * EAX_SET_NONCE: EAX. (line 98) * eax_update: EAX. (line 48) * EAX_UPDATE: EAX. (line 101) * ecc_point_clear: ECDSA. (line 36) * ecc_point_get: ECDSA. (line 47) * ecc_point_init: ECDSA. (line 30) * ecc_point_set: ECDSA. (line 39) * ecc_scalar_clear: ECDSA. (line 62) * ecc_scalar_get: ECDSA. (line 69) * ecc_scalar_init: ECDSA. (line 57) * ecc_scalar_set: ECDSA. (line 65) * ecdsa_generate_keypair: ECDSA. (line 93) * ecdsa_sign: ECDSA. (line 75) * ecdsa_verify: ECDSA. (line 84) * ed25519_sha512_public_key: Curve 25519 and Curve 448. (line 131) * ed25519_sha512_sign: Curve 25519 and Curve 448. (line 136) * ed25519_sha512_verify: Curve 25519 and Curve 448. (line 141) * ed448_shake256_public_key: Curve 25519 and Curve 448. (line 155) * ed448_shake256_sign: Curve 25519 and Curve 448. (line 160) * ed448_shake256_verify: Curve 25519 and Curve 448. (line 165) * eddsa: Curve 25519 and Curve 448. (line 104) * Entropy: Randomness. (line 51) * Galois Counter Mode: GCM. (line 6) * GCM: GCM. (line 6) * gcm_aes128_decrypt: GCM. (line 192) * gcm_aes128_digest: GCM. (line 204) * gcm_aes128_encrypt: GCM. (line 184) * gcm_aes128_set_iv: GCM. (line 161) * gcm_aes128_set_key: GCM. (line 148) * gcm_aes128_update: GCM. (line 171) * gcm_aes192_decrypt: GCM. (line 194) * gcm_aes192_digest: GCM. (line 206) * gcm_aes192_encrypt: GCM. (line 186) * gcm_aes192_set_iv: GCM. (line 163) * gcm_aes192_set_key: GCM. (line 150) * gcm_aes192_update: GCM. (line 173) * gcm_aes256_decrypt: GCM. (line 196) * gcm_aes256_digest: GCM. (line 208) * gcm_aes256_encrypt: GCM. (line 188) * gcm_aes256_set_iv: GCM. (line 165) * gcm_aes256_set_key: GCM. (line 152) * gcm_aes256_update: GCM. (line 175) * gcm_aes_decrypt: GCM. (line 198) * gcm_aes_digest: GCM. (line 210) * gcm_aes_encrypt: GCM. (line 190) * gcm_aes_set_iv: GCM. (line 167) * gcm_aes_set_key: GCM. (line 156) * gcm_aes_update: GCM. (line 177) * gcm_camellia128_decrypt: GCM. (line 253) * gcm_camellia128_digest: GCM. (line 261) * gcm_camellia128_encrypt: GCM. (line 249) * gcm_camellia128_set_iv: GCM. (line 234) * gcm_camellia128_set_key: GCM. (line 228) * gcm_camellia128_update: GCM. (line 240) * gcm_camellia192_digest: GCM. (line 263) * gcm_camellia256_decrypt: GCM. (line 255) * gcm_camellia256_digest: GCM. (line 265) * gcm_camellia256_encrypt: GCM. (line 251) * gcm_camellia256_set_iv: GCM. (line 236) * gcm_camellia256_set_key: GCM. (line 230) * gcm_camellia256_update: GCM. (line 242) * gcm_camellia_digest: GCM. (line 267) * GCM_CTX: GCM. (line 96) * gcm_decrypt: GCM. (line 65) * GCM_DECRYPT: GCM. (line 125) * gcm_digest: GCM. (line 73) * GCM_DIGEST: GCM. (line 126) * gcm_encrypt: GCM. (line 62) * GCM_ENCRYPT: GCM. (line 124) * gcm_set_iv: GCM. (line 50) * GCM_SET_IV: GCM. (line 116) * gcm_set_key: GCM. (line 44) * GCM_SET_KEY: GCM. (line 111) * gcm_sm4_decrypt: GCM. (line 301) * gcm_sm4_digest: GCM. (line 307) * gcm_sm4_encrypt: GCM. (line 299) * gcm_sm4_set_iv: GCM. (line 288) * gcm_sm4_set_key: GCM. (line 284) * gcm_sm4_update: GCM. (line 292) * gcm_update: GCM. (line 55) * GCM_UPDATE: GCM. (line 120) * GOST DSA: GOSTDSA. (line 6) * GOST hash: Legacy hash functions. (line 203) * gostdsa_sign: GOSTDSA. (line 30) * gostdsa_verify: GOSTDSA. (line 39) * gostdsa_vko: GOSTDSA. (line 68) * gosthash94cp_digest: Legacy hash functions. (line 253) * gosthash94cp_init: Legacy hash functions. (line 246) * gosthash94cp_update: Legacy hash functions. (line 249) * gosthash94_digest: Legacy hash functions. (line 228) * gosthash94_init: Legacy hash functions. (line 221) * gosthash94_update: Legacy hash functions. (line 224) * Hash function: Hash functions. (line 6) * HKDF: Key derivation functions. (line 16) * hkdf_expand: Key derivation functions. (line 42) * hkdf_extract: Key derivation functions. (line 29) * HMAC: HMAC. (line 6) * HMAC_CTX: HMAC. (line 58) * hmac_digest: HMAC. (line 44) * HMAC_DIGEST: HMAC. (line 80) * hmac_md5_digest: HMAC. (line 106) * hmac_md5_set_key: HMAC. (line 98) * hmac_md5_update: HMAC. (line 102) * hmac_ripemd160_digest: HMAC. (line 128) * hmac_ripemd160_set_key: HMAC. (line 120) * hmac_ripemd160_update: HMAC. (line 124) * hmac_set_key: HMAC. (line 29) * HMAC_SET_KEY: HMAC. (line 74) * hmac_sha1_digest: HMAC. (line 150) * hmac_sha1_set_key: HMAC. (line 142) * hmac_sha1_update: HMAC. (line 146) * hmac_sha256_digest: HMAC. (line 172) * hmac_sha256_set_key: HMAC. (line 164) * hmac_sha256_update: HMAC. (line 168) * hmac_sha512_digest: HMAC. (line 194) * hmac_sha512_set_key: HMAC. (line 186) * hmac_sha512_update: HMAC. (line 190) * hmac_sm3_digest: HMAC. (line 216) * hmac_sm3_set_key: HMAC. (line 208) * hmac_sm3_update: HMAC. (line 212) * hmac_update: HMAC. (line 37) * KDF: Key derivation functions. (line 58) * Key Derivation Function: Key derivation functions. (line 6) * Keyed Hash Function: Keyed hash functions. (line 6) * MAC: Keyed hash functions. (line 6) * md2_digest: Legacy hash functions. (line 84) * md2_init: Legacy hash functions. (line 77) * md2_update: Legacy hash functions. (line 80) * md4_digest: Legacy hash functions. (line 117) * md4_init: Legacy hash functions. (line 110) * md4_update: Legacy hash functions. (line 113) * md5_compress: Legacy hash functions. (line 48) * md5_digest: Legacy hash functions. (line 39) * md5_init: Legacy hash functions. (line 32) * md5_update: Legacy hash functions. (line 35) * memeql_sec: Miscellaneous functions. (line 16) * memxor: Miscellaneous functions. (line 6) * memxor3: Miscellaneous functions. (line 11) * Message Authentication Code: Keyed hash functions. (line 6) * nettle_aead: nettle_aead abstraction. (line 6) * nettle_aeads: nettle_aead abstraction. (line 33) * nettle_cipher: nettle_cipher abstraction. (line 6) * nettle_ciphers: nettle_cipher abstraction. (line 53) * nettle_get_aeads: nettle_aead abstraction. (line 28) * nettle_get_ciphers: nettle_cipher abstraction. (line 48) * nettle_get_gost_gc256b: GOSTDSA. (line 51) * nettle_get_gost_gc512a: GOSTDSA. (line 57) * nettle_get_hashes: nettle_hash abstraction. (line 35) * nettle_hash: nettle_hash abstraction. (line 6) * nettle_hashes: nettle_hash abstraction. (line 40) * OCB: OCB. (line 6) * OCB mode: OCB. (line 6) * ocb_aes128_decrypt: OCB. (line 152) * ocb_aes128_decrypt_message: OCB. (line 177) * ocb_aes128_digest: OCB. (line 160) * ocb_aes128_encrypt: OCB. (line 146) * ocb_aes128_encrypt_message: OCB. (line 168) * ocb_aes128_set_decrypt_key: OCB. (line 122) * ocb_aes128_set_encrypt_key: OCB. (line 118) * ocb_aes128_set_nonce: OCB. (line 130) * ocb_aes128_update: OCB. (line 139) * ocb_decrypt: OCB. (line 65) * ocb_decrypt_message: OCB. (line 95) * ocb_digest: OCB. (line 76) * ocb_encrypt: OCB. (line 57) * ocb_encrypt_message: OCB. (line 85) * ocb_set_key: OCB. (line 34) * ocb_set_nonce: OCB. (line 40) * ocb_update: OCB. (line 50) * Offset Code Book: OCB. (line 6) * One-way: Hash functions. (line 14) * One-way function: Public-key algorithms. (line 18) * Password Based Key Derivation Function: Key derivation functions. (line 58) * PBKDF: Key derivation functions. (line 58) * pbkdf2: Key derivation functions. (line 68) * PBKDF2: Key derivation functions. (line 84) * pbkdf2_hmac_sha1: Key derivation functions. (line 103) * pbkdf2_hmac_sha256: Key derivation functions. (line 114) * pbkdf2_hmac_sha384: Key derivation functions. (line 126) * pbkdf2_hmac_sha512: Key derivation functions. (line 138) * PKCS #5: Key derivation functions. (line 58) * poly1305_aes_digest: Poly1305. (line 56) * poly1305_aes_set_key: Poly1305. (line 43) * poly1305_aes_set_nonce: Poly1305. (line 47) * poly1305_aes_update: Poly1305. (line 52) * Public Key Cryptography: Public-key algorithms. (line 18) * Randomness: Randomness. (line 6) * RC2: Arctwo. (line 6) * RC4: Arcfour. (line 6) * ripemd160_digest: Legacy hash functions. (line 150) * ripemd160_init: Legacy hash functions. (line 143) * ripemd160_update: Legacy hash functions. (line 146) * rsa_compute_root: RSA. (line 412) * rsa_compute_root_tr: RSA. (line 406) * rsa_decrypt: RSA. (line 335) * rsa_decrypt_tr: RSA. (line 344) * rsa_encrypt: RSA. (line 328) * rsa_generate_keypair: RSA. (line 418) * rsa_md5_sign: RSA. (line 203) * rsa_md5_sign_digest: RSA. (line 218) * rsa_md5_sign_digest_tr: RSA. (line 171) * rsa_md5_sign_tr: RSA. (line 146) * rsa_md5_verify: RSA. (line 244) * rsa_md5_verify_digest: RSA. (line 256) * rsa_oaep_sha256_decrypt: RSA. (line 382) * rsa_oaep_sha256_encrypt: RSA. (line 359) * rsa_oaep_sha384_decrypt: RSA. (line 387) * rsa_oaep_sha384_encrypt: RSA. (line 363) * rsa_oaep_sha512_decrypt: RSA. (line 392) * rsa_oaep_sha512_encrypt: RSA. (line 367) * rsa_pkcs1_sign: RSA. (line 234) * rsa_pkcs1_sign_tr: RSA. (line 194) * rsa_pkcs1_verify: RSA. (line 269) * rsa_private_key: RSA. (line 86) * rsa_private_key_clear: RSA. (line 104) * rsa_private_key_init: RSA. (line 97) * rsa_private_key_prepare: RSA. (line 117) * rsa_pss_sha256_sign_digest_tr: RSA. (line 291) * rsa_pss_sha256_verify_digest: RSA. (line 313) * rsa_pss_sha384_sign_digest_tr: RSA. (line 295) * rsa_pss_sha384_verify_digest: RSA. (line 316) * rsa_pss_sha512_sign_digest_tr: RSA. (line 299) * rsa_pss_sha512_verify_digest: RSA. (line 319) * rsa_public_key: RSA. (line 82) * rsa_public_key_clear: RSA. (line 103) * rsa_public_key_init: RSA. (line 96) * rsa_public_key_prepare: RSA. (line 116) * rsa_sha1_sign: RSA. (line 205) * rsa_sha1_sign_digest: RSA. (line 220) * rsa_sha1_sign_digest_tr: RSA. (line 175) * rsa_sha1_sign_tr: RSA. (line 150) * rsa_sha1_verify: RSA. (line 246) * rsa_sha1_verify_digest: RSA. (line 258) * rsa_sha256_sign: RSA. (line 207) * rsa_sha256_sign_digest: RSA. (line 222) * rsa_sha256_sign_digest_tr: RSA. (line 179) * rsa_sha256_sign_tr: RSA. (line 154) * rsa_sha256_verify: RSA. (line 248) * rsa_sha256_verify_digest: RSA. (line 260) * rsa_sha512_sign: RSA. (line 209) * rsa_sha512_sign_digest: RSA. (line 224) * rsa_sha512_sign_digest_tr: RSA. (line 183) * rsa_sha512_sign_tr: RSA. (line 158) * rsa_sha512_verify: RSA. (line 250) * rsa_sha512_verify_digest: RSA. (line 262) * Salsa20: Salsa20. (line 6) * salsa20r12_crypt: Salsa20. (line 84) * salsa20_128_set_key: Salsa20. (line 49) * salsa20_256_set_key: Salsa20. (line 51) * salsa20_crypt: Salsa20. (line 69) * salsa20_set_key: Salsa20. (line 53) * salsa20_set_nonce: Salsa20. (line 63) * Serpent: Serpent. (line 6) * serpent_decrypt: Serpent. (line 38) * serpent_encrypt: Serpent. (line 31) * serpent_set_key: Serpent. (line 26) * sha1_compress: Legacy hash functions. (line 193) * sha1_digest: Legacy hash functions. (line 184) * sha1_init: Legacy hash functions. (line 177) * sha1_update: Legacy hash functions. (line 180) * sha224_digest: Recommended hash functions. (line 76) * sha224_init: Recommended hash functions. (line 69) * sha224_update: Recommended hash functions. (line 72) * sha256_compress: Recommended hash functions. (line 41) * sha256_digest: Recommended hash functions. (line 32) * sha256_init: Recommended hash functions. (line 25) * sha256_update: Recommended hash functions. (line 28) * SHA3: Recommended hash functions. (line 189) * sha384_digest: Recommended hash functions. (line 176) * sha384_init: Recommended hash functions. (line 160) * sha384_update: Recommended hash functions. (line 167) * sha3_128_init: Recommended hash functions. (line 353) * sha3_128_shake: Recommended hash functions. (line 360) * sha3_128_shake_output: Recommended hash functions. (line 367) * sha3_128_update: Recommended hash functions. (line 356) * sha3_224_digest: Recommended hash functions. (line 228) * sha3_224_init: Recommended hash functions. (line 221) * sha3_224_update: Recommended hash functions. (line 224) * sha3_256_digest: Recommended hash functions. (line 260) * sha3_256_init: Recommended hash functions. (line 253) * sha3_256_shake: Recommended hash functions. (line 378) * sha3_256_shake_output: Recommended hash functions. (line 385) * sha3_256_update: Recommended hash functions. (line 256) * sha3_384_digest: Recommended hash functions. (line 291) * sha3_384_init: Recommended hash functions. (line 284) * sha3_384_update: Recommended hash functions. (line 287) * sha3_512_digest: Recommended hash functions. (line 322) * sha3_512_init: Recommended hash functions. (line 315) * sha3_512_update: Recommended hash functions. (line 318) * sha512_224_digest: Recommended hash functions. (line 172) * sha512_224_init: Recommended hash functions. (line 158) * sha512_224_update: Recommended hash functions. (line 163) * sha512_256_digest: Recommended hash functions. (line 174) * sha512_256_init: Recommended hash functions. (line 159) * sha512_256_update: Recommended hash functions. (line 165) * sha512_compress: Recommended hash functions. (line 120) * sha512_digest: Recommended hash functions. (line 111) * sha512_init: Recommended hash functions. (line 104) * sha512_update: Recommended hash functions. (line 107) * SHAKE: Recommended hash functions. (line 334) * Side-channel attack: Side-channel silence. (line 6) * SIV mode: SIV-CMAC. (line 6) * SIV-CMAC mode: SIV-CMAC. (line 6) * siv_cmac_aes128_decrypt_message: SIV-CMAC. (line 83) * siv_cmac_aes128_encrypt_message: SIV-CMAC. (line 70) * siv_cmac_aes128_set_key: SIV-CMAC. (line 62) * siv_cmac_aes256_decrypt_message: SIV-CMAC. (line 87) * siv_cmac_aes256_encrypt_message: SIV-CMAC. (line 74) * siv_cmac_aes256_set_key: SIV-CMAC. (line 64) * siv_gcm_aes128_decrypt_message: SIV-GCM. (line 87) * siv_gcm_aes128_encrypt_message: SIV-GCM. (line 74) * siv_gcm_aes256_decrypt_message: SIV-GCM. (line 91) * siv_gcm_aes256_encrypt_message: SIV-GCM. (line 78) * siv_gcm_decrypt_message: SIV-GCM. (line 41) * siv_gcm_encrypt_message: SIV-GCM. (line 32) * sm3_digest: Miscellaneous hash functions. (line 107) * sm3_init: Miscellaneous hash functions. (line 100) * sm3_update: Miscellaneous hash functions. (line 103) * SM4: SM4. (line 6) * sm4_crypt: SM4. (line 27) * sm4_set_decrypt_key: SM4. (line 23) * sm4_set_encrypt_key: SM4. (line 19) * Stream Cipher: Cipher functions. (line 12) * streebog256_digest: Miscellaneous hash functions. (line 62) * streebog256_init: Miscellaneous hash functions. (line 55) * streebog256_update: Miscellaneous hash functions. (line 58) * streebog512_digest: Miscellaneous hash functions. (line 29) * streebog512_init: Miscellaneous hash functions. (line 22) * streebog512_update: Miscellaneous hash functions. (line 25) * struct aes128_ctx: AES. (line 19) * struct aes192_ctx: AES. (line 20) * struct aes256_ctx: AES. (line 21) * struct aes_ctx: AES. (line 23) * struct arcfour_ctx: Arcfour. (line 43) * struct arctwo_ctx: Arctwo. (line 23) * struct base16_decode_ctx: ASCII encoding. (line 119) * struct base64_decode_ctx: ASCII encoding. (line 72) * struct base64_encode_ctx: ASCII encoding. (line 38) * struct blowfish_ctx: Blowfish. (line 10) * struct camellia128_ctx: Camellia. (line 27) * struct camellia192_ctx: Camellia. (line 28) * struct camellia256_ctx: Camellia. (line 29) * struct camellia_ctx: Camellia. (line 33) * struct cast128_ctx: CAST128. (line 14) * struct ccm_aes128_ctx: CCM. (line 162) * struct ccm_aes192_ctx: CCM. (line 166) * struct ccm_aes256_ctx: CCM. (line 170) * struct ccm_ctx: CCM. (line 62) * struct chacha_ctx: ChaCha. (line 10) * struct chacha_poly1305_ctx: ChaCha-Poly1305. (line 46) * struct cmac_aes128_ctx: CMAC. (line 19) * struct cmac_aes256_ctx: CMAC. (line 20) * struct cmac_des3_ctx: CMAC. (line 57) * struct des3_ctx: DES3. (line 39) * struct des_ctx: DES. (line 21) * struct drbg_ctr_aes256_ctx: Randomness. (line 328) * struct eax_aes128_ctx: EAX. (line 117) * struct eax_ctx: EAX. (line 27) * struct eax_key: EAX. (line 23) * struct ecc_point: ECDSA. (line 26) * struct ecc_scalar: ECDSA. (line 52) * struct gcm_aes128_ctx: GCM. (line 140) * struct gcm_aes192_ctx: GCM. (line 141) * struct gcm_aes256_ctx: GCM. (line 142) * struct gcm_aes_ctx: GCM. (line 145) * struct gcm_camellia128_ctx: GCM. (line 224) * struct gcm_camellia256_ctx: GCM. (line 225) * struct gcm_ctx: GCM. (line 32) * struct gcm_key: GCM. (line 29) * struct gcm_sm4_ctx: GCM. (line 281) * struct gosthash94cp_ctx: Legacy hash functions. (line 238) * struct gosthash94_ctx: Legacy hash functions. (line 213) * struct hmac_md5_ctx: HMAC. (line 96) * struct hmac_ripemd160_ctx: HMAC. (line 118) * struct hmac_sha1_ctx: HMAC. (line 140) * struct hmac_sha256_ctx: HMAC. (line 162) * struct hmac_sha512_ctx: HMAC. (line 184) * struct hmac_sm3_ctx: HMAC. (line 206) * struct md2_ctx: Legacy hash functions. (line 69) * struct md4_ctx: Legacy hash functions. (line 102) * struct md5_ctx: Legacy hash functions. (line 23) * struct nettle_aead: nettle_aead abstraction. (line 9) * struct nettle_cipher: nettle_cipher abstraction. (line 11) * struct nettle_hash: nettle_hash abstraction. (line 10) * struct ocb_aes128_encrypt_key: OCB. (line 113) * struct ocb_ctx: OCB. (line 22) * struct ocb_key: OCB. (line 18) * struct poly1305_aes_ctx: Poly1305. (line 40) * struct ripemd160_ctx: Legacy hash functions. (line 135) * struct salsa20_ctx: Salsa20. (line 34) * struct serpent_ctx: Serpent. (line 12) * struct sha1_ctx: Legacy hash functions. (line 168) * struct sha224_ctx: Recommended hash functions. (line 60) * struct sha256_ctx: Recommended hash functions. (line 16) * struct sha384_ctx: Recommended hash functions. (line 140) * struct sha3_128_ctx: Recommended hash functions. (line 351) * struct sha3_224_ctx: Recommended hash functions. (line 213) * struct sha3_256_ctx: Recommended hash functions. (line 245) * struct sha3_384_ctx: Recommended hash functions. (line 276) * struct sha3_512_ctx: Recommended hash functions. (line 307) * struct sha512_224_ctx: Recommended hash functions. (line 138) * struct sha512_256_ctx: Recommended hash functions. (line 139) * struct sha512_ctx: Recommended hash functions. (line 95) * struct siv_cmac_aes128_ctx: SIV-CMAC. (line 54) * struct siv_cmac_aes256_ctx: SIV-CMAC. (line 58) * struct sm3_ctx: Miscellaneous hash functions. (line 91) * struct sm4_ctx: SM4. (line 11) * struct streebog256_ctx: Miscellaneous hash functions. (line 46) * struct streebog512_ctx: Miscellaneous hash functions. (line 13) * struct twofish_ctx: Twofish. (line 9) * struct umac128_ctx: UMAC. (line 50) * struct umac32_ctx: UMAC. (line 47) * struct umac64_ctx: UMAC. (line 48) * struct umac96_ctx: UMAC. (line 49) * struct xts_aes128_key: XTS. (line 112) * struct xts_aes256_key: XTS. (line 115) * struct yarrow256_ctx: Randomness. (line 217) * struct yarrow_key_event_ctx: Randomness. (line 284) * struct yarrow_source: Randomness. (line 219) * Triple-DES: DES3. (line 6) * Twofish: Twofish. (line 6) * twofish_decrypt: Twofish. (line 35) * twofish_encrypt: Twofish. (line 28) * twofish_set_key: Twofish. (line 23) * UMAC: UMAC. (line 6) * umac128_digest: UMAC. (line 113) * umac128_set_key: UMAC. (line 76) * umac128_set_nonce: UMAC. (line 87) * umac128_update: UMAC. (line 102) * umac32_digest: UMAC. (line 107) * umac32_set_key: UMAC. (line 70) * umac32_set_nonce: UMAC. (line 81) * umac32_update: UMAC. (line 96) * umac64_digest: UMAC. (line 109) * umac64_set_key: UMAC. (line 72) * umac64_set_nonce: UMAC. (line 83) * umac64_update: UMAC. (line 98) * umac96_digest: UMAC. (line 111) * umac96_set_key: UMAC. (line 74) * umac96_set_nonce: UMAC. (line 85) * umac96_update: UMAC. (line 100) * XEX-based tweaked-codebook mode with ciphertext stealing: XTS. (line 6) * XTS Mode: XTS. (line 6) * xts_aes128_decrypt_message: XTS. (line 138) * xts_aes128_encrypt_message: XTS. (line 132) * xts_aes128_set_decrypt_key: XTS. (line 122) * xts_aes128_set_encrypt_key: XTS. (line 118) * xts_aes256_decrypt_message: XTS. (line 141) * xts_aes256_encrypt_message: XTS. (line 135) * xts_aes256_set_decrypt_key: XTS. (line 124) * xts_aes256_set_encrypt_key: XTS. (line 120) * xts_decrypt_message: XTS. (line 83) * xts_encrypt_message: XTS. (line 80) * yarrow256_fast_reseed: Randomness. (line 276) * yarrow256_init: Randomness. (line 225) * yarrow256_is_seeded: Randomness. (line 266) * yarrow256_needed_sources: Randomness. (line 270) * yarrow256_random: Randomness. (line 256) * yarrow256_seed: Randomness. (line 231) * yarrow256_slow_reseed: Randomness. (line 277) * yarrow256_update: Randomness. (line 243) * yarrow_key_event_estimate: Randomness. (line 291) * yarrow_key_event_init: Randomness. (line 287)  Tag Table: Node: Top543 Node: Introduction2993 Node: Copyright4572 Node: Conventions5399 Node: Example7553 Node: Linking8852 Node: Compatibility9717 Node: Reference13343 Node: Hash functions13794 Node: Recommended hash functions15343 Node: Miscellaneous hash functions30264 Node: Legacy hash functions34505 Ref: GOSTHASH94CP42051 Node: nettle_hash abstraction44481 Node: Cipher functions46750 Node: AES50843 Node: Arcfour55188 Node: Arctwo57702 Node: Blowfish60393 Node: Camellia65028 Node: CAST12869594 Node: ChaCha71533 Node: DES74629 Node: DES377046 Node: Salsa2080159 Node: Serpent84204 Node: SM485717 Node: Twofish87006 Node: nettle_cipher abstraction88308 Node: Cipher modes90837 Node: CBC92021 Node: CTR96950 Node: CFB and CFB899572 Node: XTS105354 Node: Authenticated encryption111729 Node: EAX115041 Node: GCM121181 Node: CCM135707 Node: ChaCha-Poly1305148496 Node: OCB151995 Node: SIV-CMAC161453 Node: SIV-GCM166174 Node: nettle_aead abstraction171093 Node: Keyed hash functions172768 Node: HMAC174419 Node: UMAC183107 Node: CMAC188978 Node: Poly1305192302 Node: Key derivation functions194960 Node: Public-key algorithms206647 Node: RSA210718 Node: RSA-Footnotes234297 Ref: RSA-Footnote-1234350 Node: DSA234528 Node: Elliptic curves250062 Node: Side-channel silence251447 Node: ECDSA252894 Node: GOSTDSA257706 Node: Curve 25519 and Curve 448261704 Node: Randomness269619 Node: ASCII encoding286654 Node: Miscellaneous functions293381 Node: Compatibility functions294541 Node: Nettle soup295230 Node: Installation296227 Node: Index297603  End Tag Table  Local Variables: coding: utf-8 End: nettle-3.10/pkcs1-rsa-md5.c0000644000175000017500000000546514633602171014424 0ustar nissenisse/* pkcs1-rsa-md5.c PKCS stuff for rsa-md5. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "hogweed-internal.h" #include "gmp-glue.h" /* From pkcs-1v2 * * md5 OBJECT IDENTIFIER ::= * {iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5} * * The parameters part of the algorithm identifier is NULL: * * md5Identifier ::= AlgorithmIdentifier {md5, NULL} */ static const uint8_t md5_prefix[] = { /* 18 octets prefix, 16 octets hash, 34 total. */ 0x30, 32, /* SEQUENCE */ 0x30, 12, /* SEQUENCE */ 0x06, 8, /* OBJECT IDENTIFIER */ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0, /* NULL */ 0x04, 16 /* OCTET STRING */ /* Here comes the raw hash value */ }; int pkcs1_rsa_md5_encode(mpz_t m, size_t key_size, struct md5_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(md5_prefix), md5_prefix, MD5_DIGEST_SIZE); if (p) { md5_digest(hash, MD5_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_md5_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(md5_prefix), md5_prefix, MD5_DIGEST_SIZE); if (p) { memcpy(p, digest, MD5_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-3.10/config.guess0000755000175000017500000014304614633602172014310 0ustar nissenisse#! /bin/sh # Attempt to guess a canonical system name. # Copyright 1992-2024 Free Software Foundation, Inc. # shellcheck disable=SC2006,SC2268 # see below for rationale timestamp='2024-01-01' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that # program. This Exception is an additional permission under section 7 # of the GNU General Public License, version 3 ("GPLv3"). # # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: # https://git.savannah.gnu.org/cgit/config.git/plain/config.guess # # Please send patches to . # The "shellcheck disable" line above the timestamp inhibits complaints # about features and limitations of the classic Bourne shell that were # superseded or lifted in POSIX. However, this script identifies a wide # variety of pre-POSIX systems that do not have POSIX shells at all, and # even some reasonably current systems (Solaris 10 as case-in-point) still # have a pre-POSIX /bin/sh. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] Output the configuration name of the system '$me' is run on. Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright 1992-2024 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try '$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; * ) break ;; esac done if test $# != 0; then echo "$me: too many arguments$help" >&2 exit 1 fi # Just in case it came from the environment. GUESS= # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a # headache to deal with in a portable fashion. # Historically, 'CC_FOR_BUILD' used to be named 'HOST_CC'. We still # use 'HOST_CC' if defined, but it is deprecated. # Portable tmp directory creation inspired by the Autoconf team. tmp= # shellcheck disable=SC2172 trap 'test -z "$tmp" || rm -fr "$tmp"' 0 1 2 13 15 set_cc_for_build() { # prevent multiple calls if $tmp is already set test "$tmp" && return 0 : "${TMPDIR=/tmp}" # shellcheck disable=SC2039,SC3028 { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } || { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } dummy=$tmp/dummy case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in ,,) echo "int x;" > "$dummy.c" for driver in cc gcc c89 c99 ; do if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then CC_FOR_BUILD=$driver break fi done if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; esac } # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) if test -f /.attbin/uname ; then PATH=$PATH:/.attbin ; export PATH fi UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown case $UNAME_SYSTEM in Linux|GNU|GNU/*) LIBC=unknown set_cc_for_build cat <<-EOF > "$dummy.c" #if defined(__ANDROID__) LIBC=android #else #include #if defined(__UCLIBC__) LIBC=uclibc #elif defined(__dietlibc__) LIBC=dietlibc #elif defined(__GLIBC__) LIBC=gnu #elif defined(__LLVM_LIBC__) LIBC=llvm #else #include /* First heuristic to detect musl libc. */ #ifdef __DEFINED_va_list LIBC=musl #endif #endif #endif EOF cc_set_libc=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` eval "$cc_set_libc" # Second heuristic to detect musl libc. if [ "$LIBC" = unknown ] && command -v ldd >/dev/null && ldd --version 2>&1 | grep -q ^musl; then LIBC=musl fi # If the system lacks a compiler, then just pick glibc. # We could probably try harder. if [ "$LIBC" = unknown ]; then LIBC=gnu fi ;; esac # Note: order is significant - the case branches are not exclusive. case $UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. # # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ /sbin/sysctl -n hw.machine_arch 2>/dev/null || \ /usr/sbin/sysctl -n hw.machine_arch 2>/dev/null || \ echo unknown)` case $UNAME_MACHINE_ARCH in aarch64eb) machine=aarch64_be-unknown ;; armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; earmv*) arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'` endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'` machine=${arch}${endian}-unknown ;; *) machine=$UNAME_MACHINE_ARCH-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently (or will in the future) and ABI. case $UNAME_MACHINE_ARCH in earm*) os=netbsdelf ;; arm*|i386|m68k|ns32k|sh3*|sparc|vax) set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? os=netbsd else os=netbsdelf fi ;; *) os=netbsd ;; esac # Determine ABI tags. case $UNAME_MACHINE_ARCH in earm*) expr='s/^earmv[0-9]/-eabi/;s/eb$//' abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"` ;; esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. case $UNAME_VERSION in Debian*) release='-gnu' ;; *) release=`echo "$UNAME_RELEASE" | sed -e 's/[-_].*//' | cut -d. -f1,2` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. GUESS=$machine-${os}${release}${abi-} ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` GUESS=$UNAME_MACHINE_ARCH-unknown-bitrig$UNAME_RELEASE ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` GUESS=$UNAME_MACHINE_ARCH-unknown-openbsd$UNAME_RELEASE ;; *:SecBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/SecBSD.//'` GUESS=$UNAME_MACHINE_ARCH-unknown-secbsd$UNAME_RELEASE ;; *:LibertyBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` GUESS=$UNAME_MACHINE_ARCH-unknown-libertybsd$UNAME_RELEASE ;; *:MidnightBSD:*:*) GUESS=$UNAME_MACHINE-unknown-midnightbsd$UNAME_RELEASE ;; *:ekkoBSD:*:*) GUESS=$UNAME_MACHINE-unknown-ekkobsd$UNAME_RELEASE ;; *:SolidBSD:*:*) GUESS=$UNAME_MACHINE-unknown-solidbsd$UNAME_RELEASE ;; *:OS108:*:*) GUESS=$UNAME_MACHINE-unknown-os108_$UNAME_RELEASE ;; macppc:MirBSD:*:*) GUESS=powerpc-unknown-mirbsd$UNAME_RELEASE ;; *:MirBSD:*:*) GUESS=$UNAME_MACHINE-unknown-mirbsd$UNAME_RELEASE ;; *:Sortix:*:*) GUESS=$UNAME_MACHINE-unknown-sortix ;; *:Twizzler:*:*) GUESS=$UNAME_MACHINE-unknown-twizzler ;; *:Redox:*:*) GUESS=$UNAME_MACHINE-unknown-redox ;; mips:OSF1:*.*) GUESS=mips-dec-osf1 ;; alpha:OSF1:*:*) # Reset EXIT trap before exiting to avoid spurious non-zero exit code. trap '' 0 case $UNAME_RELEASE in *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on # OSF/1 and Tru64 systems produced since 1995. I hope that # covers most systems running today. This code pipes the CPU # types through head -n 1, so we only detect the type of CPU 0. ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case $ALPHA_CPU_TYPE in "EV4 (21064)") UNAME_MACHINE=alpha ;; "EV4.5 (21064)") UNAME_MACHINE=alpha ;; "LCA4 (21066/21068)") UNAME_MACHINE=alpha ;; "EV5 (21164)") UNAME_MACHINE=alphaev5 ;; "EV5.6 (21164A)") UNAME_MACHINE=alphaev56 ;; "EV5.6 (21164PC)") UNAME_MACHINE=alphapca56 ;; "EV5.7 (21164PC)") UNAME_MACHINE=alphapca57 ;; "EV6 (21264)") UNAME_MACHINE=alphaev6 ;; "EV6.7 (21264A)") UNAME_MACHINE=alphaev67 ;; "EV6.8CB (21264C)") UNAME_MACHINE=alphaev68 ;; "EV6.8AL (21264B)") UNAME_MACHINE=alphaev68 ;; "EV6.8CX (21264D)") UNAME_MACHINE=alphaev68 ;; "EV6.9A (21264/EV69A)") UNAME_MACHINE=alphaev69 ;; "EV7 (21364)") UNAME_MACHINE=alphaev7 ;; "EV7.9 (21364A)") UNAME_MACHINE=alphaev79 ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. OSF_REL=`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` GUESS=$UNAME_MACHINE-dec-osf$OSF_REL ;; Amiga*:UNIX_System_V:4.0:*) GUESS=m68k-unknown-sysv4 ;; *:[Aa]miga[Oo][Ss]:*:*) GUESS=$UNAME_MACHINE-unknown-amigaos ;; *:[Mm]orph[Oo][Ss]:*:*) GUESS=$UNAME_MACHINE-unknown-morphos ;; *:OS/390:*:*) GUESS=i370-ibm-openedition ;; *:z/VM:*:*) GUESS=s390-ibm-zvmoe ;; *:OS400:*:*) GUESS=powerpc-ibm-os400 ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) GUESS=arm-acorn-riscix$UNAME_RELEASE ;; arm*:riscos:*:*|arm*:RISCOS:*:*) GUESS=arm-unknown-riscos ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) GUESS=hppa1.1-hitachi-hiuxmpp ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. case `(/bin/universe) 2>/dev/null` in att) GUESS=pyramid-pyramid-sysv3 ;; *) GUESS=pyramid-pyramid-bsd ;; esac ;; NILE*:*:*:dcosx) GUESS=pyramid-pyramid-svr4 ;; DRS?6000:unix:4.0:6*) GUESS=sparc-icl-nx6 ;; DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in sparc) GUESS=sparc-icl-nx7 ;; esac ;; s390x:SunOS:*:*) SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=$UNAME_MACHINE-ibm-solaris2$SUN_REL ;; sun4H:SunOS:5.*:*) SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=sparc-hal-solaris2$SUN_REL ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=sparc-sun-solaris2$SUN_REL ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) GUESS=i386-pc-auroraux$UNAME_RELEASE ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) set_cc_for_build SUN_ARCH=i386 # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. if test "$CC_FOR_BUILD" != no_compiler_found; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS="" $CC_FOR_BUILD -m64 -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH=x86_64 fi fi SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=$SUN_ARCH-pc-solaris2$SUN_REL ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=sparc-sun-solaris3$SUN_REL ;; sun4*:SunOS:*:*) case `/usr/bin/arch -k` in Series*|S4*) UNAME_RELEASE=`uname -v` ;; esac # Japanese Language versions have a version number like '4.1.3-JL'. SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/'` GUESS=sparc-sun-sunos$SUN_REL ;; sun3*:SunOS:*:*) GUESS=m68k-sun-sunos$UNAME_RELEASE ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3 case `/bin/arch` in sun3) GUESS=m68k-sun-sunos$UNAME_RELEASE ;; sun4) GUESS=sparc-sun-sunos$UNAME_RELEASE ;; esac ;; aushp:SunOS:*:*) GUESS=sparc-auspex-sunos$UNAME_RELEASE ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor # > m68000). The system name ranges from "MiNT" over "FreeMiNT" # to the lowercase version "mint" (or "freemint"). Finally # the system name "TOS" denotes a system which is actually not # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) GUESS=m68k-atari-mint$UNAME_RELEASE ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) GUESS=m68k-atari-mint$UNAME_RELEASE ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) GUESS=m68k-atari-mint$UNAME_RELEASE ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) GUESS=m68k-milan-mint$UNAME_RELEASE ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) GUESS=m68k-hades-mint$UNAME_RELEASE ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) GUESS=m68k-unknown-mint$UNAME_RELEASE ;; m68k:machten:*:*) GUESS=m68k-apple-machten$UNAME_RELEASE ;; powerpc:machten:*:*) GUESS=powerpc-apple-machten$UNAME_RELEASE ;; RISC*:Mach:*:*) GUESS=mips-dec-mach_bsd4.3 ;; RISC*:ULTRIX:*:*) GUESS=mips-dec-ultrix$UNAME_RELEASE ;; VAX*:ULTRIX*:*:*) GUESS=vax-dec-ultrix$UNAME_RELEASE ;; 2020:CLIX:*:* | 2430:CLIX:*:*) GUESS=clipper-intergraph-clix$UNAME_RELEASE ;; mips:*:*:UMIPS | mips:*:*:RISCos) set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { #else int main (argc, argv) int argc; char *argv[]; { #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF $CC_FOR_BUILD -o "$dummy" "$dummy.c" && dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` && SYSTEM_NAME=`"$dummy" "$dummyarg"` && { echo "$SYSTEM_NAME"; exit; } GUESS=mips-mips-riscos$UNAME_RELEASE ;; Motorola:PowerMAX_OS:*:*) GUESS=powerpc-motorola-powermax ;; Motorola:*:4.3:PL8-*) GUESS=powerpc-harris-powermax ;; Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) GUESS=powerpc-harris-powermax ;; Night_Hawk:Power_UNIX:*:*) GUESS=powerpc-harris-powerunix ;; m88k:CX/UX:7*:*) GUESS=m88k-harris-cxux7 ;; m88k:*:4*:R4*) GUESS=m88k-motorola-sysv4 ;; m88k:*:3*:R3*) GUESS=m88k-motorola-sysv3 ;; AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` if test "$UNAME_PROCESSOR" = mc88100 || test "$UNAME_PROCESSOR" = mc88110 then if test "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx || \ test "$TARGET_BINARY_INTERFACE"x = x then GUESS=m88k-dg-dgux$UNAME_RELEASE else GUESS=m88k-dg-dguxbcs$UNAME_RELEASE fi else GUESS=i586-dg-dgux$UNAME_RELEASE fi ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) GUESS=m88k-dolphin-sysv3 ;; M88*:*:R3*:*) # Delta 88k system running SVR3 GUESS=m88k-motorola-sysv3 ;; XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) GUESS=m88k-tektronix-sysv3 ;; Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) GUESS=m68k-tektronix-bsd ;; *:IRIX*:*:*) IRIX_REL=`echo "$UNAME_RELEASE" | sed -e 's/-/_/g'` GUESS=mips-sgi-irix$IRIX_REL ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. GUESS=romp-ibm-aix # uname -m gives an 8 hex-code CPU id ;; # Note that: echo "'`uname -s`'" gives 'AIX ' i*86:AIX:*:*) GUESS=i386-ibm-aix ;; ia64:AIX:*:*) if test -x /usr/bin/oslevel ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=$UNAME_VERSION.$UNAME_RELEASE fi GUESS=$UNAME_MACHINE-ibm-aix$IBM_REV ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #include main() { if (!__power_pc()) exit(1); puts("powerpc-ibm-aix3.2.5"); exit(0); } EOF if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` then GUESS=$SYSTEM_NAME else GUESS=rs6000-ibm-aix3.2.5 fi elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then GUESS=rs6000-ibm-aix3.2.4 else GUESS=rs6000-ibm-aix3.2 fi ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc fi if test -x /usr/bin/lslpp ; then IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | \ awk -F: '{ print $3 }' | sed s/[0-9]*$/0/` else IBM_REV=$UNAME_VERSION.$UNAME_RELEASE fi GUESS=$IBM_ARCH-ibm-aix$IBM_REV ;; *:AIX:*:*) GUESS=rs6000-ibm-aix ;; ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*) GUESS=romp-ibm-bsd4.4 ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and GUESS=romp-ibm-bsd$UNAME_RELEASE # 4.3 with uname added to ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) GUESS=rs6000-bull-bosx ;; DPX/2?00:B.O.S.:*:*) GUESS=m68k-bull-sysv3 ;; 9000/[34]??:4.3bsd:1.*:*) GUESS=m68k-hp-bsd ;; hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) GUESS=m68k-hp-bsd4.4 ;; 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` case $UNAME_MACHINE in 9000/31?) HP_ARCH=m68000 ;; 9000/[34]??) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if test -x /usr/bin/getconf; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case $sc_cpu_version in 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case $sc_kernel_bits in 32) HP_ARCH=hppa2.0n ;; 64) HP_ARCH=hppa2.0w ;; '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi if test "$HP_ARCH" = ""; then set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #define _HPUX_SOURCE #include #include int main () { #if defined(_SC_KERNEL_BITS) long bits = sysconf(_SC_KERNEL_BITS); #endif long cpu = sysconf (_SC_CPU_VERSION); switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0"); break; case CPU_PA_RISC1_1: puts ("hppa1.1"); break; case CPU_PA_RISC2_0: #if defined(_SC_KERNEL_BITS) switch (bits) { case 64: puts ("hppa2.0w"); break; case 32: puts ("hppa2.0n"); break; default: puts ("hppa2.0"); break; } break; #else /* !defined(_SC_KERNEL_BITS) */ puts ("hppa2.0"); break; #endif default: puts ("hppa1.0"); break; } exit (0); } EOF (CCOPTS="" $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null) && HP_ARCH=`"$dummy"` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac if test "$HP_ARCH" = hppa2.0w then set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler # generating 64-bit code. GNU and HP use different nomenclature: # # $ CC_FOR_BUILD=cc ./config.guess # => hppa2.0w-hp-hpux11.23 # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then HP_ARCH=hppa2.0w else HP_ARCH=hppa64 fi fi GUESS=$HP_ARCH-hp-hpux$HPUX_REV ;; ia64:HP-UX:*:*) HPUX_REV=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*.[0B]*//'` GUESS=ia64-hp-hpux$HPUX_REV ;; 3050*:HI-UX:*:*) set_cc_for_build sed 's/^ //' << EOF > "$dummy.c" #include int main () { long cpu = sysconf (_SC_CPU_VERSION); /* The order matters, because CPU_IS_HP_MC68K erroneously returns true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct results, however. */ if (CPU_IS_PA_RISC (cpu)) { switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; default: puts ("hppa-hitachi-hiuxwe2"); break; } } else if (CPU_IS_HP_MC68K (cpu)) puts ("m68k-hitachi-hiuxwe2"); else puts ("unknown-hitachi-hiuxwe2"); exit (0); } EOF $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` && { echo "$SYSTEM_NAME"; exit; } GUESS=unknown-hitachi-hiuxwe2 ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) GUESS=hppa1.1-hp-bsd ;; 9000/8??:4.3bsd:*:*) GUESS=hppa1.0-hp-bsd ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) GUESS=hppa1.0-hp-mpeix ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) GUESS=hppa1.1-hp-osf ;; hp8??:OSF1:*:*) GUESS=hppa1.0-hp-osf ;; i*86:OSF1:*:*) if test -x /usr/sbin/sysversion ; then GUESS=$UNAME_MACHINE-unknown-osf1mk else GUESS=$UNAME_MACHINE-unknown-osf1 fi ;; parisc*:Lites*:*:*) GUESS=hppa1.1-hp-lites ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) GUESS=c1-convex-bsd ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) GUESS=c34-convex-bsd ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) GUESS=c38-convex-bsd ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) GUESS=c4-convex-bsd ;; CRAY*Y-MP:*:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=ymp-cray-unicos$CRAY_REL ;; CRAY*[A-Z]90:*:*:*) echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=t90-cray-unicos$CRAY_REL ;; CRAY*T3E:*:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=alphaev5-cray-unicosmk$CRAY_REL ;; CRAY*SV1:*:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=sv1-cray-unicos$CRAY_REL ;; *:UNICOS/mp:*:*) CRAY_REL=`echo "$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/'` GUESS=craynv-cray-unicosmp$CRAY_REL ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'` GUESS=${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` GUESS=sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL} ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) GUESS=$UNAME_MACHINE-pc-bsdi$UNAME_RELEASE ;; sparc*:BSD/OS:*:*) GUESS=sparc-unknown-bsdi$UNAME_RELEASE ;; *:BSD/OS:*:*) GUESS=$UNAME_MACHINE-unknown-bsdi$UNAME_RELEASE ;; arm:FreeBSD:*:*) UNAME_PROCESSOR=`uname -p` set_cc_for_build if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabi else FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL-gnueabihf fi ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`uname -p` case $UNAME_PROCESSOR in amd64) UNAME_PROCESSOR=x86_64 ;; i386) UNAME_PROCESSOR=i586 ;; esac FREEBSD_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_PROCESSOR-unknown-freebsd$FREEBSD_REL ;; i*:CYGWIN*:*) GUESS=$UNAME_MACHINE-pc-cygwin ;; *:MINGW64*:*) GUESS=$UNAME_MACHINE-pc-mingw64 ;; *:MINGW*:*) GUESS=$UNAME_MACHINE-pc-mingw32 ;; *:MSYS*:*) GUESS=$UNAME_MACHINE-pc-msys ;; i*:PW*:*) GUESS=$UNAME_MACHINE-pc-pw32 ;; *:SerenityOS:*:*) GUESS=$UNAME_MACHINE-pc-serenity ;; *:Interix*:*) case $UNAME_MACHINE in x86) GUESS=i586-pc-interix$UNAME_RELEASE ;; authenticamd | genuineintel | EM64T) GUESS=x86_64-unknown-interix$UNAME_RELEASE ;; IA64) GUESS=ia64-unknown-interix$UNAME_RELEASE ;; esac ;; i*:UWIN*:*) GUESS=$UNAME_MACHINE-pc-uwin ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) GUESS=x86_64-pc-cygwin ;; prep*:SunOS:5.*:*) SUN_REL=`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'` GUESS=powerpcle-unknown-solaris2$SUN_REL ;; *:GNU:*:*) # the GNU system GNU_ARCH=`echo "$UNAME_MACHINE" | sed -e 's,[-/].*$,,'` GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's,/.*$,,'` GUESS=$GNU_ARCH-unknown-$LIBC$GNU_REL ;; *:GNU/*:*:*) # other systems with GNU libc and userland GNU_SYS=`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"` GNU_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_MACHINE-unknown-$GNU_SYS$GNU_REL-$LIBC ;; x86_64:[Mm]anagarm:*:*|i?86:[Mm]anagarm:*:*) GUESS="$UNAME_MACHINE-pc-managarm-mlibc" ;; *:[Mm]anagarm:*:*) GUESS="$UNAME_MACHINE-unknown-managarm-mlibc" ;; *:Minix:*:*) GUESS=$UNAME_MACHINE-unknown-minix ;; aarch64:Linux:*:*) set_cc_for_build CPU=$UNAME_MACHINE LIBCABI=$LIBC if test "$CC_FOR_BUILD" != no_compiler_found; then ABI=64 sed 's/^ //' << EOF > "$dummy.c" #ifdef __ARM_EABI__ #ifdef __ARM_PCS_VFP ABI=eabihf #else ABI=eabi #endif #endif EOF cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'` eval "$cc_set_abi" case $ABI in eabi | eabihf) CPU=armv8l; LIBCABI=$LIBC$ABI ;; esac fi GUESS=$CPU-unknown-linux-$LIBCABI ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' /proc/cpuinfo 2>/dev/null` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; PCA57) UNAME_MACHINE=alphapca56 ;; EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC=gnulibc1 ; fi GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; arc:Linux:*:* | arceb:Linux:*:* | arc32:Linux:*:* | arc64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; arm*:Linux:*:*) set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then GUESS=$UNAME_MACHINE-unknown-linux-$LIBC else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabi else GUESS=$UNAME_MACHINE-unknown-linux-${LIBC}eabihf fi fi ;; avr32*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; cris:Linux:*:*) GUESS=$UNAME_MACHINE-axis-linux-$LIBC ;; crisv32:Linux:*:*) GUESS=$UNAME_MACHINE-axis-linux-$LIBC ;; e2k:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; frv:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; hexagon:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; i*86:Linux:*:*) GUESS=$UNAME_MACHINE-pc-linux-$LIBC ;; ia64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; k1om:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; kvx:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; kvx:cos:*:*) GUESS=$UNAME_MACHINE-unknown-cos ;; kvx:mbr:*:*) GUESS=$UNAME_MACHINE-unknown-mbr ;; loongarch32:Linux:*:* | loongarch64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; m32r*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; m68*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; mips:Linux:*:* | mips64:Linux:*:*) set_cc_for_build IS_GLIBC=0 test x"${LIBC}" = xgnu && IS_GLIBC=1 sed 's/^ //' << EOF > "$dummy.c" #undef CPU #undef mips #undef mipsel #undef mips64 #undef mips64el #if ${IS_GLIBC} && defined(_ABI64) LIBCABI=gnuabi64 #else #if ${IS_GLIBC} && defined(_ABIN32) LIBCABI=gnuabin32 #else LIBCABI=${LIBC} #endif #endif #if ${IS_GLIBC} && defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 CPU=mipsisa64r6 #else #if ${IS_GLIBC} && !defined(__mips64) && defined(__mips_isa_rev) && __mips_isa_rev>=6 CPU=mipsisa32r6 #else #if defined(__mips64) CPU=mips64 #else CPU=mips #endif #endif #endif #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) MIPS_ENDIAN=el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) MIPS_ENDIAN= #else MIPS_ENDIAN= #endif #endif EOF cc_set_vars=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU\|^MIPS_ENDIAN\|^LIBCABI'` eval "$cc_set_vars" test "x$CPU" != x && { echo "$CPU${MIPS_ENDIAN}-unknown-linux-$LIBCABI"; exit; } ;; mips64el:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; openrisc*:Linux:*:*) GUESS=or1k-unknown-linux-$LIBC ;; or32:Linux:*:* | or1k*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; padre:Linux:*:*) GUESS=sparc-unknown-linux-$LIBC ;; parisc64:Linux:*:* | hppa64:Linux:*:*) GUESS=hppa64-unknown-linux-$LIBC ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in PA7*) GUESS=hppa1.1-unknown-linux-$LIBC ;; PA8*) GUESS=hppa2.0-unknown-linux-$LIBC ;; *) GUESS=hppa-unknown-linux-$LIBC ;; esac ;; ppc64:Linux:*:*) GUESS=powerpc64-unknown-linux-$LIBC ;; ppc:Linux:*:*) GUESS=powerpc-unknown-linux-$LIBC ;; ppc64le:Linux:*:*) GUESS=powerpc64le-unknown-linux-$LIBC ;; ppcle:Linux:*:*) GUESS=powerpcle-unknown-linux-$LIBC ;; riscv32:Linux:*:* | riscv32be:Linux:*:* | riscv64:Linux:*:* | riscv64be:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; s390:Linux:*:* | s390x:Linux:*:*) GUESS=$UNAME_MACHINE-ibm-linux-$LIBC ;; sh64*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; sh*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; sparc:Linux:*:* | sparc64:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; tile*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; vax:Linux:*:*) GUESS=$UNAME_MACHINE-dec-linux-$LIBC ;; x86_64:Linux:*:*) set_cc_for_build CPU=$UNAME_MACHINE LIBCABI=$LIBC if test "$CC_FOR_BUILD" != no_compiler_found; then ABI=64 sed 's/^ //' << EOF > "$dummy.c" #ifdef __i386__ ABI=x86 #else #ifdef __ILP32__ ABI=x32 #endif #endif EOF cc_set_abi=`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^ABI' | sed 's, ,,g'` eval "$cc_set_abi" case $ABI in x86) CPU=i686 ;; x32) LIBCABI=${LIBC}x32 ;; esac fi GUESS=$CPU-pc-linux-$LIBCABI ;; xtensa*:Linux:*:*) GUESS=$UNAME_MACHINE-unknown-linux-$LIBC ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. GUESS=i386-sequent-sysv4 ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. GUESS=$UNAME_MACHINE-pc-sysv4.2uw$UNAME_VERSION ;; i*86:OS/2:*:*) # If we were able to find 'uname', then EMX Unix compatibility # is probably installed. GUESS=$UNAME_MACHINE-pc-os2-emx ;; i*86:XTS-300:*:STOP) GUESS=$UNAME_MACHINE-unknown-stop ;; i*86:atheos:*:*) GUESS=$UNAME_MACHINE-unknown-atheos ;; i*86:syllable:*:*) GUESS=$UNAME_MACHINE-pc-syllable ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) GUESS=i386-unknown-lynxos$UNAME_RELEASE ;; i*86:*DOS:*:*) GUESS=$UNAME_MACHINE-pc-msdosdjgpp ;; i*86:*:4.*:*) UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then GUESS=$UNAME_MACHINE-univel-sysv$UNAME_REL else GUESS=$UNAME_MACHINE-pc-sysv$UNAME_REL fi ;; i*86:*:5:[678]*) # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac GUESS=$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 GUESS=$UNAME_MACHINE-pc-sco$UNAME_REL else GUESS=$UNAME_MACHINE-pc-sysv32 fi ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configure will decide that # this is a cross-build. GUESS=i586-pc-msdosdjgpp ;; Intel:Mach:3*:*) GUESS=i386-pc-mach3 ;; paragon:*:*:*) GUESS=i860-intel-osf1 ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then GUESS=i860-stardent-sysv$UNAME_RELEASE # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. GUESS=i860-unknown-sysv$UNAME_RELEASE # Unknown i860-SVR4 fi ;; mini*:CTIX:SYS*5:*) # "miniframe" GUESS=m68010-convergent-sysv ;; mc68k:UNIX:SYSTEM5:3.51m) GUESS=m68k-convergent-sysv ;; M680?0:D-NIX:5.3:*) GUESS=m68k-diab-dnix ;; M68*:*:R3V[5678]*:*) test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) GUESS=m68k-unknown-lynxos$UNAME_RELEASE ;; mc68030:UNIX_System_V:4.*:*) GUESS=m68k-atari-sysv4 ;; TSUNAMI:LynxOS:2.*:*) GUESS=sparc-unknown-lynxos$UNAME_RELEASE ;; rs6000:LynxOS:2.*:*) GUESS=rs6000-unknown-lynxos$UNAME_RELEASE ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) GUESS=powerpc-unknown-lynxos$UNAME_RELEASE ;; SM[BE]S:UNIX_SV:*:*) GUESS=mips-dde-sysv$UNAME_RELEASE ;; RM*:ReliantUNIX-*:*:*) GUESS=mips-sni-sysv4 ;; RM*:SINIX-*:*:*) GUESS=mips-sni-sysv4 ;; *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` GUESS=$UNAME_MACHINE-sni-sysv4 else GUESS=ns32k-sni-sysv fi ;; PENTIUM:*:4.0*:*) # Unisys 'ClearPath HMP IX 4000' SVR4/MP effort # says GUESS=i586-unisys-sysv4 ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm GUESS=hppa1.1-stratus-sysv4 ;; *:*:*:FTX*) # From seanf@swdc.stratus.com. GUESS=i860-stratus-sysv4 ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. GUESS=$UNAME_MACHINE-stratus-vos ;; *:VOS:*:*) # From Paul.Green@stratus.com. GUESS=hppa1.1-stratus-vos ;; mc68*:A/UX:*:*) GUESS=m68k-apple-aux$UNAME_RELEASE ;; news*:NEWS-OS:6*:*) GUESS=mips-sony-newsos6 ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if test -d /usr/nec; then GUESS=mips-nec-sysv$UNAME_RELEASE else GUESS=mips-unknown-sysv$UNAME_RELEASE fi ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. GUESS=powerpc-be-beos ;; BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. GUESS=powerpc-apple-beos ;; BePC:BeOS:*:*) # BeOS running on Intel PC compatible. GUESS=i586-pc-beos ;; BePC:Haiku:*:*) # Haiku running on Intel PC compatible. GUESS=i586-pc-haiku ;; ppc:Haiku:*:*) # Haiku running on Apple PowerPC GUESS=powerpc-apple-haiku ;; *:Haiku:*:*) # Haiku modern gcc (not bound by BeOS compat) GUESS=$UNAME_MACHINE-unknown-haiku ;; SX-4:SUPER-UX:*:*) GUESS=sx4-nec-superux$UNAME_RELEASE ;; SX-5:SUPER-UX:*:*) GUESS=sx5-nec-superux$UNAME_RELEASE ;; SX-6:SUPER-UX:*:*) GUESS=sx6-nec-superux$UNAME_RELEASE ;; SX-7:SUPER-UX:*:*) GUESS=sx7-nec-superux$UNAME_RELEASE ;; SX-8:SUPER-UX:*:*) GUESS=sx8-nec-superux$UNAME_RELEASE ;; SX-8R:SUPER-UX:*:*) GUESS=sx8r-nec-superux$UNAME_RELEASE ;; SX-ACE:SUPER-UX:*:*) GUESS=sxace-nec-superux$UNAME_RELEASE ;; Power*:Rhapsody:*:*) GUESS=powerpc-apple-rhapsody$UNAME_RELEASE ;; *:Rhapsody:*:*) GUESS=$UNAME_MACHINE-apple-rhapsody$UNAME_RELEASE ;; arm64:Darwin:*:*) GUESS=aarch64-apple-darwin$UNAME_RELEASE ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` case $UNAME_PROCESSOR in unknown) UNAME_PROCESSOR=powerpc ;; esac if command -v xcode-select > /dev/null 2> /dev/null && \ ! xcode-select --print-path > /dev/null 2> /dev/null ; then # Avoid executing cc if there is no toolchain installed as # cc will be a stub that puts up a graphical alert # prompting the user to install developer tools. CC_FOR_BUILD=no_compiler_found else set_cc_for_build fi if test "$CC_FOR_BUILD" != no_compiler_found; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in i386) UNAME_PROCESSOR=x86_64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;; esac fi # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_PPC >/dev/null then UNAME_PROCESSOR=powerpc fi elif test "$UNAME_PROCESSOR" = i386 ; then # uname -m returns i386 or x86_64 UNAME_PROCESSOR=$UNAME_MACHINE fi GUESS=$UNAME_PROCESSOR-apple-darwin$UNAME_RELEASE ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` if test "$UNAME_PROCESSOR" = x86; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi GUESS=$UNAME_PROCESSOR-$UNAME_MACHINE-nto-qnx$UNAME_RELEASE ;; *:QNX:*:4*) GUESS=i386-pc-qnx ;; NEO-*:NONSTOP_KERNEL:*:*) GUESS=neo-tandem-nsk$UNAME_RELEASE ;; NSE-*:NONSTOP_KERNEL:*:*) GUESS=nse-tandem-nsk$UNAME_RELEASE ;; NSR-*:NONSTOP_KERNEL:*:*) GUESS=nsr-tandem-nsk$UNAME_RELEASE ;; NSV-*:NONSTOP_KERNEL:*:*) GUESS=nsv-tandem-nsk$UNAME_RELEASE ;; NSX-*:NONSTOP_KERNEL:*:*) GUESS=nsx-tandem-nsk$UNAME_RELEASE ;; *:NonStop-UX:*:*) GUESS=mips-compaq-nonstopux ;; BS2000:POSIX*:*:*) GUESS=bs2000-siemens-sysv ;; DS/*:UNIX_System_V:*:*) GUESS=$UNAME_MACHINE-$UNAME_SYSTEM-$UNAME_RELEASE ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. if test "${cputype-}" = 386; then UNAME_MACHINE=i386 elif test "x${cputype-}" != x; then UNAME_MACHINE=$cputype fi GUESS=$UNAME_MACHINE-unknown-plan9 ;; *:TOPS-10:*:*) GUESS=pdp10-unknown-tops10 ;; *:TENEX:*:*) GUESS=pdp10-unknown-tenex ;; KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) GUESS=pdp10-dec-tops20 ;; XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) GUESS=pdp10-xkl-tops20 ;; *:TOPS-20:*:*) GUESS=pdp10-unknown-tops20 ;; *:ITS:*:*) GUESS=pdp10-unknown-its ;; SEI:*:*:SEIUX) GUESS=mips-sei-seiux$UNAME_RELEASE ;; *:DragonFly:*:*) DRAGONFLY_REL=`echo "$UNAME_RELEASE" | sed -e 's/[-(].*//'` GUESS=$UNAME_MACHINE-unknown-dragonfly$DRAGONFLY_REL ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` case $UNAME_MACHINE in A*) GUESS=alpha-dec-vms ;; I*) GUESS=ia64-dec-vms ;; V*) GUESS=vax-dec-vms ;; esac ;; *:XENIX:*:SysV) GUESS=i386-pc-xenix ;; i*86:skyos:*:*) SKYOS_REL=`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'` GUESS=$UNAME_MACHINE-pc-skyos$SKYOS_REL ;; i*86:rdos:*:*) GUESS=$UNAME_MACHINE-pc-rdos ;; i*86:Fiwix:*:*) GUESS=$UNAME_MACHINE-pc-fiwix ;; *:AROS:*:*) GUESS=$UNAME_MACHINE-unknown-aros ;; x86_64:VMkernel:*:*) GUESS=$UNAME_MACHINE-unknown-esx ;; amd64:Isilon\ OneFS:*:*) GUESS=x86_64-unknown-onefs ;; *:Unleashed:*:*) GUESS=$UNAME_MACHINE-unknown-unleashed$UNAME_RELEASE ;; *:Ironclad:*:*) GUESS=$UNAME_MACHINE-unknown-ironclad ;; esac # Do we have a guess based on uname results? if test "x$GUESS" != x; then echo "$GUESS" exit fi # No uname command or uname output not recognized. set_cc_for_build cat > "$dummy.c" < #include #endif #if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) #if defined (vax) || defined (__vax) || defined (__vax__) || defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) #include #if defined(_SIZE_T_) || defined(SIGLOST) #include #endif #endif #endif main () { #if defined (sony) #if defined (MIPSEB) /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, I don't know.... */ printf ("mips-sony-bsd\n"); exit (0); #else #include printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 "4" #else "" #endif ); exit (0); #endif #endif #if defined (NeXT) #if !defined (__ARCHITECTURE__) #define __ARCHITECTURE__ "m68k" #endif int version; version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; if (version < 4) printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); else printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); exit (0); #endif #if defined (MULTIMAX) || defined (n16) #if defined (UMAXV) printf ("ns32k-encore-sysv\n"); exit (0); #else #if defined (CMU) printf ("ns32k-encore-mach\n"); exit (0); #else printf ("ns32k-encore-bsd\n"); exit (0); #endif #endif #endif #if defined (__386BSD__) printf ("i386-pc-bsd\n"); exit (0); #endif #if defined (sequent) #if defined (i386) printf ("i386-sequent-dynix\n"); exit (0); #endif #if defined (ns32000) printf ("ns32k-sequent-dynix\n"); exit (0); #endif #endif #if defined (_SEQUENT_) struct utsname un; uname(&un); if (strncmp(un.version, "V2", 2) == 0) { printf ("i386-sequent-ptx2\n"); exit (0); } if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? */ printf ("i386-sequent-ptx1\n"); exit (0); } printf ("i386-sequent-ptx\n"); exit (0); #endif #if defined (vax) #if !defined (ultrix) #include #if defined (BSD) #if BSD == 43 printf ("vax-dec-bsd4.3\n"); exit (0); #else #if BSD == 199006 printf ("vax-dec-bsd4.3reno\n"); exit (0); #else printf ("vax-dec-bsd\n"); exit (0); #endif #endif #else printf ("vax-dec-bsd\n"); exit (0); #endif #else #if defined(_SIZE_T_) || defined(SIGLOST) struct utsname un; uname (&un); printf ("vax-dec-ultrix%s\n", un.release); exit (0); #else printf ("vax-dec-ultrix\n"); exit (0); #endif #endif #endif #if defined(ultrix) || defined(_ultrix) || defined(__ultrix) || defined(__ultrix__) #if defined(mips) || defined(__mips) || defined(__mips__) || defined(MIPS) || defined(__MIPS__) #if defined(_SIZE_T_) || defined(SIGLOST) struct utsname *un; uname (&un); printf ("mips-dec-ultrix%s\n", un.release); exit (0); #else printf ("mips-dec-ultrix\n"); exit (0); #endif #endif #endif #if defined (alliant) && defined (i860) printf ("i860-alliant-bsd\n"); exit (0); #endif exit (1); } EOF $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null && SYSTEM_NAME=`"$dummy"` && { echo "$SYSTEM_NAME"; exit; } # Apollos put the system type in the environment. test -d /usr/apollo && { echo "$ISP-apollo-$SYSTYPE"; exit; } echo "$0: unable to guess system type" >&2 case $UNAME_MACHINE:$UNAME_SYSTEM in mips:Linux | mips64:Linux) # If we got here on MIPS GNU/Linux, output extra information. cat >&2 <&2 <&2 </dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` /bin/uname -X = `(/bin/uname -X) 2>/dev/null` hostinfo = `(hostinfo) 2>/dev/null` /bin/universe = `(/bin/universe) 2>/dev/null` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` /bin/arch = `(/bin/arch) 2>/dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` UNAME_MACHINE = "$UNAME_MACHINE" UNAME_RELEASE = "$UNAME_RELEASE" UNAME_SYSTEM = "$UNAME_SYSTEM" UNAME_VERSION = "$UNAME_VERSION" EOF fi exit 1 # Local variables: # eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: nettle-3.10/poly1305-internal.c0000644000175000017500000001662214633602171015240 0ustar nissenisse/* poly1305-internal.c Copyright: 2012-2013 Andrew M. (floodyberry) Copyright: 2013 Nikos Mavrogiannopoulos Copyright: 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on https://github.com/floodyberry/poly1305-donna. * Modified for nettle by Nikos Mavrogiannopoulos and Niels Möller. * Original license notice: * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "poly1305.h" #include "poly1305-internal.h" #include "macros.h" #define mul32x32_64(a,b) ((uint64_t)(a) * (b)) #define r0 r.r32[0] #define r1 r.r32[1] #define r2 r.r32[2] #define r3 r.r32[3] #define r4 r.r32[4] #define s1 r.r32[5] #define s2 s32[0] #define s3 s32[1] #define s4 s32[2] #define h0 h.h32[0] #define h1 h.h32[1] #define h2 h.h32[2] #define h3 h.h32[3] #define h4 hh /* For fat builds */ #if HAVE_NATIVE_poly1305_set_key void _nettle_poly1305_set_key_c(struct poly1305_ctx *ctx, const uint8_t key[16]); # define _nettle_poly1305_set_key _nettle_poly1305_set_key_c #endif #if HAVE_NATIVE_poly1305_block void _nettle_poly1305_block_c(struct poly1305_ctx *ctx, const uint8_t *m, unsigned t4); # define _nettle_poly1305_block _nettle_poly1305_block_c #endif #if HAVE_NATIVE_poly1305_digest void _nettle_poly1305_digest_c(struct poly1305_ctx *ctx, union nettle_block16 *s); # define _nettle_poly1305_digest _nettle_poly1305_digest_c #endif void _nettle_poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[16]) { uint32_t t0,t1,t2,t3; t0 = LE_READ_UINT32(key); t1 = LE_READ_UINT32(key+4); t2 = LE_READ_UINT32(key+8); t3 = LE_READ_UINT32(key+12); ctx->r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6; ctx->r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12; ctx->r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18; ctx->r3 = t2 & 0x3f03fff; t3 >>= 8; ctx->r4 = t3 & 0x00fffff; ctx->s1 = ctx->r1 * 5; ctx->s2 = ctx->r2 * 5; ctx->s3 = ctx->r3 * 5; ctx->s4 = ctx->r4 * 5; ctx->h0 = 0; ctx->h1 = 0; ctx->h2 = 0; ctx->h3 = 0; ctx->h4 = 0; } void _nettle_poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned t4) { uint32_t t0,t1,t2,t3; uint32_t b; uint64_t t[5]; uint64_t c; t0 = LE_READ_UINT32(m); t1 = LE_READ_UINT32(m+4); t2 = LE_READ_UINT32(m+8); t3 = LE_READ_UINT32(m+12); ctx->h0 += t0 & 0x3ffffff; ctx->h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff; ctx->h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff; ctx->h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff; ctx->h4 += (t3 >> 8) | ((uint32_t) t4 << 24); /* poly1305_donna_mul: */ t[0] = mul32x32_64(ctx->h0,ctx->r0) + mul32x32_64(ctx->h1,ctx->s4) + mul32x32_64(ctx->h2,ctx->s3) + mul32x32_64(ctx->h3,ctx->s2) + mul32x32_64(ctx->h4,ctx->s1); t[1] = mul32x32_64(ctx->h0,ctx->r1) + mul32x32_64(ctx->h1,ctx->r0) + mul32x32_64(ctx->h2,ctx->s4) + mul32x32_64(ctx->h3,ctx->s3) + mul32x32_64(ctx->h4,ctx->s2); t[2] = mul32x32_64(ctx->h0,ctx->r2) + mul32x32_64(ctx->h1,ctx->r1) + mul32x32_64(ctx->h2,ctx->r0) + mul32x32_64(ctx->h3,ctx->s4) + mul32x32_64(ctx->h4,ctx->s3); t[3] = mul32x32_64(ctx->h0,ctx->r3) + mul32x32_64(ctx->h1,ctx->r2) + mul32x32_64(ctx->h2,ctx->r1) + mul32x32_64(ctx->h3,ctx->r0) + mul32x32_64(ctx->h4,ctx->s4); t[4] = mul32x32_64(ctx->h0,ctx->r4) + mul32x32_64(ctx->h1,ctx->r3) + mul32x32_64(ctx->h2,ctx->r2) + mul32x32_64(ctx->h3,ctx->r1) + mul32x32_64(ctx->h4,ctx->r0); ctx->h0 = (uint32_t)t[0] & 0x3ffffff; c = (t[0] >> 26); t[1] += c; ctx->h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26); t[2] += b; ctx->h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26); t[3] += b; ctx->h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26); t[4] += b; ctx->h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26); ctx->h0 += b * 5; } /* Adds digest to the nonce */ void _nettle_poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s) { uint32_t b, nb; uint64_t f0,f1,f2,f3; uint32_t g0,g1,g2,g3,g4; b = ctx->h0 >> 26; ctx->h0 = ctx->h0 & 0x3ffffff; ctx->h1 += b; b = ctx->h1 >> 26; ctx->h1 = ctx->h1 & 0x3ffffff; ctx->h2 += b; b = ctx->h2 >> 26; ctx->h2 = ctx->h2 & 0x3ffffff; ctx->h3 += b; b = ctx->h3 >> 26; ctx->h3 = ctx->h3 & 0x3ffffff; ctx->h4 += b; b = ctx->h4 >> 26; ctx->h4 = ctx->h4 & 0x3ffffff; ctx->h0 += b * 5; b = ctx->h0 >> 26; ctx->h0 = ctx->h0 & 0x3ffffff; ctx->h1 += b; g0 = ctx->h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff; g1 = ctx->h1 + b; b = g1 >> 26; g1 &= 0x3ffffff; g2 = ctx->h2 + b; b = g2 >> 26; g2 &= 0x3ffffff; g3 = ctx->h3 + b; b = g3 >> 26; g3 &= 0x3ffffff; g4 = ctx->h4 + b - (1 << 26); b = (g4 >> 31) - 1; nb = ~b; ctx->h0 = (ctx->h0 & nb) | (g0 & b); ctx->h1 = (ctx->h1 & nb) | (g1 & b); ctx->h2 = (ctx->h2 & nb) | (g2 & b); ctx->h3 = (ctx->h3 & nb) | (g3 & b); ctx->h4 = (ctx->h4 & nb) | (g4 & b); /* FIXME: Take advantage of s being aligned as an unsigned long. */ f0 = ((ctx->h0 )|(ctx->h1<<26)) + (uint64_t)LE_READ_UINT32(s->b); f1 = ((ctx->h1>> 6)|(ctx->h2<<20)) + (uint64_t)LE_READ_UINT32(s->b+4); f2 = ((ctx->h2>>12)|(ctx->h3<<14)) + (uint64_t)LE_READ_UINT32(s->b+8); f3 = ((ctx->h3>>18)|(ctx->h4<< 8)) + (uint64_t)LE_READ_UINT32(s->b+12); LE_WRITE_UINT32(s->b, f0); f1 += (f0 >> 32); LE_WRITE_UINT32(s->b+4, f1); f2 += (f1 >> 32); LE_WRITE_UINT32(s->b+8, f2); f3 += (f2 >> 32); LE_WRITE_UINT32(s->b+12, f3); ctx->h0 = 0; ctx->h1 = 0; ctx->h2 = 0; ctx->h3 = 0; ctx->h4 = 0; } nettle-3.10/aes256-meta.c0000644000175000017500000000265514633602171014064 0ustar nissenisse/* aes256-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "aes.h" const struct nettle_cipher nettle_aes256 = { "aes256", sizeof(struct aes256_ctx), AES_BLOCK_SIZE, AES256_KEY_SIZE, (nettle_set_key_func *) aes256_set_encrypt_key, (nettle_set_key_func *) aes256_set_decrypt_key, (nettle_cipher_func *) aes256_encrypt, (nettle_cipher_func *) aes256_decrypt }; nettle-3.10/knuth-lfib.h0000644000175000017500000000424614633602172014202 0ustar nissenisse/* knuth-lfib.h The "lagged fibonacci" pseudorandomness generator, described in Knuth, TAoCP, 3.6 This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* NOTE: This generator is totally inappropriate for cryptographic * applications. It is useful for generating deterministic but * random-looking test data, and is used by the Nettle testsuite. */ #ifndef NETTLE_KNUTH_LFIB_H_INCLUDED #define NETTLE_KNUTH_LFIB_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define knuth_lfib_init nettle_knuth_lfib_init #define knuth_lfib_get nettle_knuth_lfib_get #define knuth_lfib_get_array nettle_knuth_lfib_get_array #define knuth_lfib_random nettle_knuth_lfib_random #define _KNUTH_LFIB_KK 100 struct knuth_lfib_ctx { uint32_t x[_KNUTH_LFIB_KK]; unsigned index; }; void knuth_lfib_init(struct knuth_lfib_ctx *ctx, uint32_t seed); /* Get's a single number in the range 0 ... 2^30-1 */ uint32_t knuth_lfib_get(struct knuth_lfib_ctx *ctx); /* Get an array of numbers */ void knuth_lfib_get_array(struct knuth_lfib_ctx *ctx, size_t n, uint32_t *a); /* Get an array of octets. */ void knuth_lfib_random(struct knuth_lfib_ctx *ctx, size_t n, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_KNUTH_LFIB_H_INCLUDED */ nettle-3.10/ecc-point-mul-g.c0000644000175000017500000000325014633602171015023 0ustar nissenisse/* ecc-point-mul-g.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n) { const struct ecc_curve *ecc = r->ecc; mp_limb_t size = ecc->p.size; mp_size_t itch = 3*size + ecc->mul_g_itch; mp_limb_t *scratch = gmp_alloc_limbs (itch); assert (n->ecc == ecc); assert (ecc->h_to_a_itch <= ecc->mul_g_itch); ecc->mul_g (ecc, scratch, n->p, scratch + 3*size); ecc->h_to_a (ecc, 0, r->p, scratch, scratch + 3*size); gmp_free_limbs (scratch, itch); } nettle-3.10/md4.h0000644000175000017500000000373114633602172012621 0ustar nissenisse/* md4.h The MD4 hash function, described in RFC 1320. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD4_H_INCLUDED #define NETTLE_MD4_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define md4_init nettle_md4_init #define md4_update nettle_md4_update #define md4_digest nettle_md4_digest #define MD4_DIGEST_SIZE 16 #define MD4_BLOCK_SIZE 64 /* For backwards compatibility */ #define MD4_DATA_SIZE MD4_BLOCK_SIZE /* Digest is kept internally as 4 32-bit words. */ #define _MD4_DIGEST_LENGTH 4 /* FIXME: Identical to md5_ctx */ struct md4_ctx { uint32_t state[_MD4_DIGEST_LENGTH]; uint64_t count; /* Block count */ unsigned index; /* Into buffer */ uint8_t block[MD4_BLOCK_SIZE]; /* Block buffer */ }; void md4_init(struct md4_ctx *ctx); void md4_update(struct md4_ctx *ctx, size_t length, const uint8_t *data); void md4_digest(struct md4_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_MD4_H_INCLUDED */ nettle-3.10/AUTHORS0000644000175000017500000001025314633602172013031 0ustar nissenisseAuthors of GNU Nettle The oldest code in Nettle was copied into precursors of the Nettle library from other public domain or LGPLv2 sources. Steve Reid Original CAST128 implementation Dana L. How Original DES implementation, Colin Plumb Original MD5 implementation Peter Gutmann Original SHA1 implementation Andrew Kuchling Original MD2 implementation Free Software Foundation Holds copyrights on code ported from libgcrypt, written by Werner Koch and others. J.H.M. Dassen Original port of blowfish to GNU lsh, later split off into Nettle. (This blowfish implementation was replaced later). Twofish tests. Ruud de Rooij Twofish implementation for GNU lsh, later split off into Nettle. Rafael Sevilla AES C and x86 implementation, original port of Serpent, for GNU lsh, later split off into Nettle. Authors of Nettle (in roughly chronological order of initial contribution) Niels Möller Main author. Dan Egnor Base64 conversion. Andreas Sigfridsson Port of MD2, from Andrew Kuchling's python cryptography toolkit. Marcus Comstedt Implemented MD4. D. J. Bernstein Salsa20 public domain reference implementation. Simon Josefsson Port of Arctwo, from GnuTLS and libgcrypt. New ports of LGPL Serpent and Blowfish code, from libgcrypt. Port of Salsa20, based on djb's reference. Implementation of PBKDF2 (RFC 2898) and drbg-ctr. Henrik Grubbström AES assembly for Sparc64. Magnus Holmgren Conversion of DSA keys from DER format to SEXP format. Daniel Kahn Gillmor Added the lists for nettle_get_ciphers, nettle_get_hashes and nettle_get_armors. Test vectors for hashes and hmac. Nippon Telegraph and Telephone Corporation LGPL:ed reference implementation of the Camellia cipher. Andrew M. (floodyberry) The poly1305 code nettle's C implementation is derived from. Aleksey Kravchenko The gosthash94 implementation in rhash library. Stefan Metzmacher, Jeremy Allison, Michael Adam Contributed to the CMAC code, which was added to Nettle by Nikos Mavroyanopoulos. Nikos Mavroyanopoulos GCM implementation, RSA blinding code, interface for general rsa-pkcs1 signatures. Port of gosthash94 implementation from rhash. Port of poly1305. Salsa20r12 variant. HKDF (RFC 5869) implementation. CMAC and SIV-CMAV implementation. CTR and GCM optimizations. Implementation of versioned symbols. Setup of .gitlab-ci.yml. Large number of smaller fixes. Andres Mejia Ported Ripemd160 from libgcrypt. Martin Storsjö Implemented m4 macrology to make x86_64 assembly files work with the windows ABI. Several other portability improvements. Jeronimo Pellegrini Documentation for base16 and base64 functions. Tim Ruehsen Several smaller cleanups and bugfixes. Fredrik Thulin Test vectors for pbkdf2-hmac-sha512. Joachim Strömbergson Chacha implementation. Support for sha512_224 and sha512_256. Owen Kirby Implementation of CCM mode. Amos Jeffries Implementation of base64url encoding. Daiki Ueno Implementation of RSA-PSS signatures, curve448, SHA3 shake, ed448-shake256 signatures, chacha functions for 32-bit nonce, struct nettle_mac interface, siv-gcm, RSA-OAEP. Dmitry Baryshkov CFB and CFB8 modes, CMAC64. gosthash94cp and Streebog hash functions, GOST DSA signatures and curves GC256B and GC512A. Various bug fixes and cleanups. Simo Sorce Side-channel silent RSA functions. XTS implementation. H.J. Lu Assembly annotations for Intel "Control-flow Enforcement Technology". Stephen R. van den Berg Port of bcrypt. Mamone Tarsha Kurdi Powerpc64 assembly and fat build setup, including AES, GCM and poly1305. Arm64 assembly and fat build setup, including AES, Chacha, GCM, SHA1, SHA256. S390x assembly and fat build setup, including AES, Chacha, memxor, memxor3, SHA1, SHA256, SHA512, SHA3. Nicolas Mora RFC 3394 keywrap, RSA-OAEP. Tianjia Zhang SM3 hash function, SM4 block cipher. Amitay Isaacs Powerpc64 assembly for secp192r1, secp224r1 and secp256r1. Martin Schwenke Powerpc64 assembly for secp384r1, secp521r1, curve25519 and curve448. Zoltan Fridrich Balloon password hashing. Danny Tsen Powerpc64 assembly for combined GCM-AES. Eric Richter Powerpc64 sha256 assembly. nettle-3.10/ed25519-sha512.c0000644000175000017500000000267114633602172014131 0ustar nissenisse/* ed25519-sha512.c Copyright (C) 2019 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa-internal.h" #include "nettle-types.h" #include "sha2.h" static nettle_eddsa_dom_func ed25519_dom; static void ed25519_dom(void *ctx UNUSED) {} const struct ecc_eddsa _nettle_ed25519_sha512 = { (nettle_hash_update_func *) sha512_update, (nettle_hash_digest_func *) sha512_digest, ed25519_dom, ~(mp_limb_t) 7, (mp_limb_t) 1 << (254 % GMP_NUMB_BITS), }; nettle-3.10/pkcs1-decrypt.c0000644000175000017500000000304514633602171014616 0ustar nissenisse/* pkcs1-decrypt.c The RSA publickey algorithm. PKCS#1 decryption. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "pkcs1.h" #include "pkcs1-internal.h" #include "bignum.h" #include "gmp-glue.h" int pkcs1_decrypt (size_t key_size, const mpz_t m, size_t *length, uint8_t *message) { TMP_GMP_DECL(em, uint8_t); int ret; TMP_GMP_ALLOC(em, key_size); nettle_mpz_get_str_256(key_size, em, m); ret = _pkcs1_sec_decrypt_variable (length, message, key_size, em); TMP_GMP_FREE(em); return ret; } nettle-3.10/ripemd160-internal.h0000644000175000017500000000257714633602172015465 0ustar nissenisse/* ripemd160-internal.h RIPEMD-160 hash function. Copyright (C) 2011 Andres Mejia This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RIPEMD160_INTERNAL_H_INCLUDED #define NETTLE_RIPEMD160_INTERNAL_H_INCLUDED /* Internal compression function. STATE points to 5 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void _nettle_ripemd160_compress(uint32_t *state, const uint8_t *data); #endif /* NETTLE_RIPEMD160_INTERNAL_H_INCLUDED */ nettle-3.10/mini-gmp.c0000644000175000017500000025767514633602172013667 0ustar nissenisse/* mini-gmp, a minimalistic implementation of a GNU GMP subset. Contributed to the GNU project by Niels Möller Copyright 1991-1997, 1999-2020 Free Software Foundation, Inc. This file is part of the GNU MP Library. The GNU MP Library is free software; you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. The GNU MP Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with the GNU MP Library. If not, see https://www.gnu.org/licenses/. */ /* NOTE: All functions in this file which are not declared in mini-gmp.h are internal, and are not intended to be compatible neither with GMP nor with future versions of mini-gmp. */ /* Much of the material copied from GMP files, including: gmp-impl.h, longlong.h, mpn/generic/add_n.c, mpn/generic/addmul_1.c, mpn/generic/lshift.c, mpn/generic/mul_1.c, mpn/generic/mul_basecase.c, mpn/generic/rshift.c, mpn/generic/sbpi1_div_qr.c, mpn/generic/sub_n.c, mpn/generic/submul_1.c. */ #include #include #include #include #include #include #include "mini-gmp.h" #if !defined(MINI_GMP_DONT_USE_FLOAT_H) #include #endif /* Macros */ #define GMP_LIMB_BITS (sizeof(mp_limb_t) * CHAR_BIT) #define GMP_LIMB_MAX ((mp_limb_t) ~ (mp_limb_t) 0) #define GMP_LIMB_HIGHBIT ((mp_limb_t) 1 << (GMP_LIMB_BITS - 1)) #define GMP_HLIMB_BIT ((mp_limb_t) 1 << (GMP_LIMB_BITS / 2)) #define GMP_LLIMB_MASK (GMP_HLIMB_BIT - 1) #define GMP_ULONG_BITS (sizeof(unsigned long) * CHAR_BIT) #define GMP_ULONG_HIGHBIT ((unsigned long) 1 << (GMP_ULONG_BITS - 1)) #define GMP_ABS(x) ((x) >= 0 ? (x) : -(x)) #define GMP_NEG_CAST(T,x) (-((T)((x) + 1) - 1)) #define GMP_MIN(a, b) ((a) < (b) ? (a) : (b)) #define GMP_MAX(a, b) ((a) > (b) ? (a) : (b)) #define GMP_CMP(a,b) (((a) > (b)) - ((a) < (b))) #if defined(DBL_MANT_DIG) && FLT_RADIX == 2 #define GMP_DBL_MANT_BITS DBL_MANT_DIG #else #define GMP_DBL_MANT_BITS (53) #endif /* Return non-zero if xp,xsize and yp,ysize overlap. If xp+xsize<=yp there's no overlap, or if yp+ysize<=xp there's no overlap. If both these are false, there's an overlap. */ #define GMP_MPN_OVERLAP_P(xp, xsize, yp, ysize) \ ((xp) + (xsize) > (yp) && (yp) + (ysize) > (xp)) #define gmp_assert_nocarry(x) do { \ mp_limb_t __cy = (x); \ assert (__cy == 0); \ } while (0) #define gmp_clz(count, x) do { \ mp_limb_t __clz_x = (x); \ unsigned __clz_c = 0; \ int LOCAL_SHIFT_BITS = 8; \ if (GMP_LIMB_BITS > LOCAL_SHIFT_BITS) \ for (; \ (__clz_x & ((mp_limb_t) 0xff << (GMP_LIMB_BITS - 8))) == 0; \ __clz_c += 8) \ { __clz_x <<= LOCAL_SHIFT_BITS; } \ for (; (__clz_x & GMP_LIMB_HIGHBIT) == 0; __clz_c++) \ __clz_x <<= 1; \ (count) = __clz_c; \ } while (0) #define gmp_ctz(count, x) do { \ mp_limb_t __ctz_x = (x); \ unsigned __ctz_c = 0; \ gmp_clz (__ctz_c, __ctz_x & - __ctz_x); \ (count) = GMP_LIMB_BITS - 1 - __ctz_c; \ } while (0) #define gmp_add_ssaaaa(sh, sl, ah, al, bh, bl) \ do { \ mp_limb_t __x; \ __x = (al) + (bl); \ (sh) = (ah) + (bh) + (__x < (al)); \ (sl) = __x; \ } while (0) #define gmp_sub_ddmmss(sh, sl, ah, al, bh, bl) \ do { \ mp_limb_t __x; \ __x = (al) - (bl); \ (sh) = (ah) - (bh) - ((al) < (bl)); \ (sl) = __x; \ } while (0) #define gmp_umul_ppmm(w1, w0, u, v) \ do { \ int LOCAL_GMP_LIMB_BITS = GMP_LIMB_BITS; \ if (sizeof(unsigned int) * CHAR_BIT >= 2 * GMP_LIMB_BITS) \ { \ unsigned int __ww = (unsigned int) (u) * (v); \ w0 = (mp_limb_t) __ww; \ w1 = (mp_limb_t) (__ww >> LOCAL_GMP_LIMB_BITS); \ } \ else if (GMP_ULONG_BITS >= 2 * GMP_LIMB_BITS) \ { \ unsigned long int __ww = (unsigned long int) (u) * (v); \ w0 = (mp_limb_t) __ww; \ w1 = (mp_limb_t) (__ww >> LOCAL_GMP_LIMB_BITS); \ } \ else { \ mp_limb_t __x0, __x1, __x2, __x3; \ unsigned __ul, __vl, __uh, __vh; \ mp_limb_t __u = (u), __v = (v); \ \ __ul = __u & GMP_LLIMB_MASK; \ __uh = __u >> (GMP_LIMB_BITS / 2); \ __vl = __v & GMP_LLIMB_MASK; \ __vh = __v >> (GMP_LIMB_BITS / 2); \ \ __x0 = (mp_limb_t) __ul * __vl; \ __x1 = (mp_limb_t) __ul * __vh; \ __x2 = (mp_limb_t) __uh * __vl; \ __x3 = (mp_limb_t) __uh * __vh; \ \ __x1 += __x0 >> (GMP_LIMB_BITS / 2);/* this can't give carry */ \ __x1 += __x2; /* but this indeed can */ \ if (__x1 < __x2) /* did we get it? */ \ __x3 += GMP_HLIMB_BIT; /* yes, add it in the proper pos. */ \ \ (w1) = __x3 + (__x1 >> (GMP_LIMB_BITS / 2)); \ (w0) = (__x1 << (GMP_LIMB_BITS / 2)) + (__x0 & GMP_LLIMB_MASK); \ } \ } while (0) #define gmp_udiv_qrnnd_preinv(q, r, nh, nl, d, di) \ do { \ mp_limb_t _qh, _ql, _r, _mask; \ gmp_umul_ppmm (_qh, _ql, (nh), (di)); \ gmp_add_ssaaaa (_qh, _ql, _qh, _ql, (nh) + 1, (nl)); \ _r = (nl) - _qh * (d); \ _mask = -(mp_limb_t) (_r > _ql); /* both > and >= are OK */ \ _qh += _mask; \ _r += _mask & (d); \ if (_r >= (d)) \ { \ _r -= (d); \ _qh++; \ } \ \ (r) = _r; \ (q) = _qh; \ } while (0) #define gmp_udiv_qr_3by2(q, r1, r0, n2, n1, n0, d1, d0, dinv) \ do { \ mp_limb_t _q0, _t1, _t0, _mask; \ gmp_umul_ppmm ((q), _q0, (n2), (dinv)); \ gmp_add_ssaaaa ((q), _q0, (q), _q0, (n2), (n1)); \ \ /* Compute the two most significant limbs of n - q'd */ \ (r1) = (n1) - (d1) * (q); \ gmp_sub_ddmmss ((r1), (r0), (r1), (n0), (d1), (d0)); \ gmp_umul_ppmm (_t1, _t0, (d0), (q)); \ gmp_sub_ddmmss ((r1), (r0), (r1), (r0), _t1, _t0); \ (q)++; \ \ /* Conditionally adjust q and the remainders */ \ _mask = - (mp_limb_t) ((r1) >= _q0); \ (q) += _mask; \ gmp_add_ssaaaa ((r1), (r0), (r1), (r0), _mask & (d1), _mask & (d0)); \ if ((r1) >= (d1)) \ { \ if ((r1) > (d1) || (r0) >= (d0)) \ { \ (q)++; \ gmp_sub_ddmmss ((r1), (r0), (r1), (r0), (d1), (d0)); \ } \ } \ } while (0) /* Swap macros. */ #define MP_LIMB_T_SWAP(x, y) \ do { \ mp_limb_t __mp_limb_t_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_limb_t_swap__tmp; \ } while (0) #define MP_SIZE_T_SWAP(x, y) \ do { \ mp_size_t __mp_size_t_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_size_t_swap__tmp; \ } while (0) #define MP_BITCNT_T_SWAP(x,y) \ do { \ mp_bitcnt_t __mp_bitcnt_t_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_bitcnt_t_swap__tmp; \ } while (0) #define MP_PTR_SWAP(x, y) \ do { \ mp_ptr __mp_ptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_ptr_swap__tmp; \ } while (0) #define MP_SRCPTR_SWAP(x, y) \ do { \ mp_srcptr __mp_srcptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mp_srcptr_swap__tmp; \ } while (0) #define MPN_PTR_SWAP(xp,xs, yp,ys) \ do { \ MP_PTR_SWAP (xp, yp); \ MP_SIZE_T_SWAP (xs, ys); \ } while(0) #define MPN_SRCPTR_SWAP(xp,xs, yp,ys) \ do { \ MP_SRCPTR_SWAP (xp, yp); \ MP_SIZE_T_SWAP (xs, ys); \ } while(0) #define MPZ_PTR_SWAP(x, y) \ do { \ mpz_ptr __mpz_ptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mpz_ptr_swap__tmp; \ } while (0) #define MPZ_SRCPTR_SWAP(x, y) \ do { \ mpz_srcptr __mpz_srcptr_swap__tmp = (x); \ (x) = (y); \ (y) = __mpz_srcptr_swap__tmp; \ } while (0) const int mp_bits_per_limb = GMP_LIMB_BITS; /* Memory allocation and other helper functions. */ static void gmp_die (const char *msg) { fprintf (stderr, "%s\n", msg); abort(); } static void * gmp_default_alloc (size_t size) { void *p; assert (size > 0); p = malloc (size); if (!p) gmp_die("gmp_default_alloc: Virtual memory exhausted."); return p; } static void * gmp_default_realloc (void *old, size_t unused_old_size, size_t new_size) { void * p; p = realloc (old, new_size); if (!p) gmp_die("gmp_default_realloc: Virtual memory exhausted."); return p; } static void gmp_default_free (void *p, size_t unused_size) { free (p); } static void * (*gmp_allocate_func) (size_t) = gmp_default_alloc; static void * (*gmp_reallocate_func) (void *, size_t, size_t) = gmp_default_realloc; static void (*gmp_free_func) (void *, size_t) = gmp_default_free; void mp_get_memory_functions (void *(**alloc_func) (size_t), void *(**realloc_func) (void *, size_t, size_t), void (**free_func) (void *, size_t)) { if (alloc_func) *alloc_func = gmp_allocate_func; if (realloc_func) *realloc_func = gmp_reallocate_func; if (free_func) *free_func = gmp_free_func; } void mp_set_memory_functions (void *(*alloc_func) (size_t), void *(*realloc_func) (void *, size_t, size_t), void (*free_func) (void *, size_t)) { if (!alloc_func) alloc_func = gmp_default_alloc; if (!realloc_func) realloc_func = gmp_default_realloc; if (!free_func) free_func = gmp_default_free; gmp_allocate_func = alloc_func; gmp_reallocate_func = realloc_func; gmp_free_func = free_func; } #define gmp_xalloc(size) ((*gmp_allocate_func)((size))) #define gmp_free(p) ((*gmp_free_func) ((p), 0)) static mp_ptr gmp_xalloc_limbs (mp_size_t size) { return (mp_ptr) gmp_xalloc (size * sizeof (mp_limb_t)); } static mp_ptr gmp_xrealloc_limbs (mp_ptr old, mp_size_t size) { assert (size > 0); return (mp_ptr) (*gmp_reallocate_func) (old, 0, size * sizeof (mp_limb_t)); } /* MPN interface */ void mpn_copyi (mp_ptr d, mp_srcptr s, mp_size_t n) { mp_size_t i; for (i = 0; i < n; i++) d[i] = s[i]; } void mpn_copyd (mp_ptr d, mp_srcptr s, mp_size_t n) { while (--n >= 0) d[n] = s[n]; } int mpn_cmp (mp_srcptr ap, mp_srcptr bp, mp_size_t n) { while (--n >= 0) { if (ap[n] != bp[n]) return ap[n] > bp[n] ? 1 : -1; } return 0; } static int mpn_cmp4 (mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { if (an != bn) return an < bn ? -1 : 1; else return mpn_cmp (ap, bp, an); } static mp_size_t mpn_normalized_size (mp_srcptr xp, mp_size_t n) { while (n > 0 && xp[n-1] == 0) --n; return n; } int mpn_zero_p(mp_srcptr rp, mp_size_t n) { return mpn_normalized_size (rp, n) == 0; } void mpn_zero (mp_ptr rp, mp_size_t n) { while (--n >= 0) rp[n] = 0; } mp_limb_t mpn_add_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b) { mp_size_t i; assert (n > 0); i = 0; do { mp_limb_t r = ap[i] + b; /* Carry out */ b = (r < b); rp[i] = r; } while (++i < n); return b; } mp_limb_t mpn_add_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n) { mp_size_t i; mp_limb_t cy; for (i = 0, cy = 0; i < n; i++) { mp_limb_t a, b, r; a = ap[i]; b = bp[i]; r = a + cy; cy = (r < cy); r += b; cy += (r < b); rp[i] = r; } return cy; } mp_limb_t mpn_add (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { mp_limb_t cy; assert (an >= bn); cy = mpn_add_n (rp, ap, bp, bn); if (an > bn) cy = mpn_add_1 (rp + bn, ap + bn, an - bn, cy); return cy; } mp_limb_t mpn_sub_1 (mp_ptr rp, mp_srcptr ap, mp_size_t n, mp_limb_t b) { mp_size_t i; assert (n > 0); i = 0; do { mp_limb_t a = ap[i]; /* Carry out */ mp_limb_t cy = a < b; rp[i] = a - b; b = cy; } while (++i < n); return b; } mp_limb_t mpn_sub_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n) { mp_size_t i; mp_limb_t cy; for (i = 0, cy = 0; i < n; i++) { mp_limb_t a, b; a = ap[i]; b = bp[i]; b += cy; cy = (b < cy); cy += (a < b); rp[i] = a - b; } return cy; } mp_limb_t mpn_sub (mp_ptr rp, mp_srcptr ap, mp_size_t an, mp_srcptr bp, mp_size_t bn) { mp_limb_t cy; assert (an >= bn); cy = mpn_sub_n (rp, ap, bp, bn); if (an > bn) cy = mpn_sub_1 (rp + bn, ap + bn, an - bn, cy); return cy; } mp_limb_t mpn_mul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl) { mp_limb_t ul, cl, hpl, lpl; assert (n >= 1); cl = 0; do { ul = *up++; gmp_umul_ppmm (hpl, lpl, ul, vl); lpl += cl; cl = (lpl < cl) + hpl; *rp++ = lpl; } while (--n != 0); return cl; } mp_limb_t mpn_addmul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl) { mp_limb_t ul, cl, hpl, lpl, rl; assert (n >= 1); cl = 0; do { ul = *up++; gmp_umul_ppmm (hpl, lpl, ul, vl); lpl += cl; cl = (lpl < cl) + hpl; rl = *rp; lpl = rl + lpl; cl += lpl < rl; *rp++ = lpl; } while (--n != 0); return cl; } mp_limb_t mpn_submul_1 (mp_ptr rp, mp_srcptr up, mp_size_t n, mp_limb_t vl) { mp_limb_t ul, cl, hpl, lpl, rl; assert (n >= 1); cl = 0; do { ul = *up++; gmp_umul_ppmm (hpl, lpl, ul, vl); lpl += cl; cl = (lpl < cl) + hpl; rl = *rp; lpl = rl - lpl; cl += lpl > rl; *rp++ = lpl; } while (--n != 0); return cl; } mp_limb_t mpn_mul (mp_ptr rp, mp_srcptr up, mp_size_t un, mp_srcptr vp, mp_size_t vn) { assert (un >= vn); assert (vn >= 1); assert (!GMP_MPN_OVERLAP_P(rp, un + vn, up, un)); assert (!GMP_MPN_OVERLAP_P(rp, un + vn, vp, vn)); /* We first multiply by the low order limb. This result can be stored, not added, to rp. We also avoid a loop for zeroing this way. */ rp[un] = mpn_mul_1 (rp, up, un, vp[0]); /* Now accumulate the product of up[] and the next higher limb from vp[]. */ while (--vn >= 1) { rp += 1, vp += 1; rp[un] = mpn_addmul_1 (rp, up, un, vp[0]); } return rp[un]; } void mpn_mul_n (mp_ptr rp, mp_srcptr ap, mp_srcptr bp, mp_size_t n) { mpn_mul (rp, ap, n, bp, n); } void mpn_sqr (mp_ptr rp, mp_srcptr ap, mp_size_t n) { mpn_mul (rp, ap, n, ap, n); } mp_limb_t mpn_lshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt) { mp_limb_t high_limb, low_limb; unsigned int tnc; mp_limb_t retval; assert (n >= 1); assert (cnt >= 1); assert (cnt < GMP_LIMB_BITS); up += n; rp += n; tnc = GMP_LIMB_BITS - cnt; low_limb = *--up; retval = low_limb >> tnc; high_limb = (low_limb << cnt); while (--n != 0) { low_limb = *--up; *--rp = high_limb | (low_limb >> tnc); high_limb = (low_limb << cnt); } *--rp = high_limb; return retval; } mp_limb_t mpn_rshift (mp_ptr rp, mp_srcptr up, mp_size_t n, unsigned int cnt) { mp_limb_t high_limb, low_limb; unsigned int tnc; mp_limb_t retval; assert (n >= 1); assert (cnt >= 1); assert (cnt < GMP_LIMB_BITS); tnc = GMP_LIMB_BITS - cnt; high_limb = *up++; retval = (high_limb << tnc); low_limb = high_limb >> cnt; while (--n != 0) { high_limb = *up++; *rp++ = low_limb | (high_limb << tnc); low_limb = high_limb >> cnt; } *rp = low_limb; return retval; } static mp_bitcnt_t mpn_common_scan (mp_limb_t limb, mp_size_t i, mp_srcptr up, mp_size_t un, mp_limb_t ux) { unsigned cnt; assert (ux == 0 || ux == GMP_LIMB_MAX); assert (0 <= i && i <= un ); while (limb == 0) { i++; if (i == un) return (ux == 0 ? ~(mp_bitcnt_t) 0 : un * GMP_LIMB_BITS); limb = ux ^ up[i]; } gmp_ctz (cnt, limb); return (mp_bitcnt_t) i * GMP_LIMB_BITS + cnt; } mp_bitcnt_t mpn_scan1 (mp_srcptr ptr, mp_bitcnt_t bit) { mp_size_t i; i = bit / GMP_LIMB_BITS; return mpn_common_scan ( ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), i, ptr, i, 0); } mp_bitcnt_t mpn_scan0 (mp_srcptr ptr, mp_bitcnt_t bit) { mp_size_t i; i = bit / GMP_LIMB_BITS; return mpn_common_scan (~ptr[i] & (GMP_LIMB_MAX << (bit % GMP_LIMB_BITS)), i, ptr, i, GMP_LIMB_MAX); } void mpn_com (mp_ptr rp, mp_srcptr up, mp_size_t n) { while (--n >= 0) *rp++ = ~ *up++; } mp_limb_t mpn_neg (mp_ptr rp, mp_srcptr up, mp_size_t n) { while (*up == 0) { *rp = 0; if (!--n) return 0; ++up; ++rp; } *rp = - *up; mpn_com (++rp, ++up, --n); return 1; } /* MPN division interface. */ /* The 3/2 inverse is defined as m = floor( (B^3-1) / (B u1 + u0)) - B */ mp_limb_t mpn_invert_3by2 (mp_limb_t u1, mp_limb_t u0) { mp_limb_t r, m; { mp_limb_t p, ql; unsigned ul, uh, qh; /* For notation, let b denote the half-limb base, so that B = b^2. Split u1 = b uh + ul. */ ul = u1 & GMP_LLIMB_MASK; uh = u1 >> (GMP_LIMB_BITS / 2); /* Approximation of the high half of quotient. Differs from the 2/1 inverse of the half limb uh, since we have already subtracted u0. */ qh = (u1 ^ GMP_LIMB_MAX) / uh; /* Adjust to get a half-limb 3/2 inverse, i.e., we want qh' = floor( (b^3 - 1) / u) - b = floor ((b^3 - b u - 1) / u = floor( (b (~u) + b-1) / u), and the remainder r = b (~u) + b-1 - qh (b uh + ul) = b (~u - qh uh) + b-1 - qh ul Subtraction of qh ul may underflow, which implies adjustments. But by normalization, 2 u >= B > qh ul, so we need to adjust by at most 2. */ r = ((~u1 - (mp_limb_t) qh * uh) << (GMP_LIMB_BITS / 2)) | GMP_LLIMB_MASK; p = (mp_limb_t) qh * ul; /* Adjustment steps taken from udiv_qrnnd_c */ if (r < p) { qh--; r += u1; if (r >= u1) /* i.e. we didn't get carry when adding to r */ if (r < p) { qh--; r += u1; } } r -= p; /* Low half of the quotient is ql = floor ( (b r + b-1) / u1). This is a 3/2 division (on half-limbs), for which qh is a suitable inverse. */ p = (r >> (GMP_LIMB_BITS / 2)) * qh + r; /* Unlike full-limb 3/2, we can add 1 without overflow. For this to work, it is essential that ql is a full mp_limb_t. */ ql = (p >> (GMP_LIMB_BITS / 2)) + 1; /* By the 3/2 trick, we don't need the high half limb. */ r = (r << (GMP_LIMB_BITS / 2)) + GMP_LLIMB_MASK - ql * u1; if (r >= (GMP_LIMB_MAX & (p << (GMP_LIMB_BITS / 2)))) { ql--; r += u1; } m = ((mp_limb_t) qh << (GMP_LIMB_BITS / 2)) + ql; if (r >= u1) { m++; r -= u1; } } /* Now m is the 2/1 inverse of u1. If u0 > 0, adjust it to become a 3/2 inverse. */ if (u0 > 0) { mp_limb_t th, tl; r = ~r; r += u0; if (r < u0) { m--; if (r >= u1) { m--; r -= u1; } r -= u1; } gmp_umul_ppmm (th, tl, u0, m); r += th; if (r < th) { m--; m -= ((r > u1) | ((r == u1) & (tl > u0))); } } return m; } struct gmp_div_inverse { /* Normalization shift count. */ unsigned shift; /* Normalized divisor (d0 unused for mpn_div_qr_1) */ mp_limb_t d1, d0; /* Inverse, for 2/1 or 3/2. */ mp_limb_t di; }; static void mpn_div_qr_1_invert (struct gmp_div_inverse *inv, mp_limb_t d) { unsigned shift; assert (d > 0); gmp_clz (shift, d); inv->shift = shift; inv->d1 = d << shift; inv->di = mpn_invert_limb (inv->d1); } static void mpn_div_qr_2_invert (struct gmp_div_inverse *inv, mp_limb_t d1, mp_limb_t d0) { unsigned shift; assert (d1 > 0); gmp_clz (shift, d1); inv->shift = shift; if (shift > 0) { d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift)); d0 <<= shift; } inv->d1 = d1; inv->d0 = d0; inv->di = mpn_invert_3by2 (d1, d0); } static void mpn_div_qr_invert (struct gmp_div_inverse *inv, mp_srcptr dp, mp_size_t dn) { assert (dn > 0); if (dn == 1) mpn_div_qr_1_invert (inv, dp[0]); else if (dn == 2) mpn_div_qr_2_invert (inv, dp[1], dp[0]); else { unsigned shift; mp_limb_t d1, d0; d1 = dp[dn-1]; d0 = dp[dn-2]; assert (d1 > 0); gmp_clz (shift, d1); inv->shift = shift; if (shift > 0) { d1 = (d1 << shift) | (d0 >> (GMP_LIMB_BITS - shift)); d0 = (d0 << shift) | (dp[dn-3] >> (GMP_LIMB_BITS - shift)); } inv->d1 = d1; inv->d0 = d0; inv->di = mpn_invert_3by2 (d1, d0); } } /* Not matching current public gmp interface, rather corresponding to the sbpi1_div_* functions. */ static mp_limb_t mpn_div_qr_1_preinv (mp_ptr qp, mp_srcptr np, mp_size_t nn, const struct gmp_div_inverse *inv) { mp_limb_t d, di; mp_limb_t r; mp_ptr tp = NULL; if (inv->shift > 0) { /* Shift, reusing qp area if possible. In-place shift if qp == np. */ tp = qp ? qp : gmp_xalloc_limbs (nn); r = mpn_lshift (tp, np, nn, inv->shift); np = tp; } else r = 0; d = inv->d1; di = inv->di; while (--nn >= 0) { mp_limb_t q; gmp_udiv_qrnnd_preinv (q, r, r, np[nn], d, di); if (qp) qp[nn] = q; } if ((inv->shift > 0) && (tp != qp)) gmp_free (tp); return r >> inv->shift; } static void mpn_div_qr_2_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn, const struct gmp_div_inverse *inv) { unsigned shift; mp_size_t i; mp_limb_t d1, d0, di, r1, r0; assert (nn >= 2); shift = inv->shift; d1 = inv->d1; d0 = inv->d0; di = inv->di; if (shift > 0) r1 = mpn_lshift (np, np, nn, shift); else r1 = 0; r0 = np[nn - 1]; i = nn - 2; do { mp_limb_t n0, q; n0 = np[i]; gmp_udiv_qr_3by2 (q, r1, r0, r1, r0, n0, d1, d0, di); if (qp) qp[i] = q; } while (--i >= 0); if (shift > 0) { assert ((r0 & (GMP_LIMB_MAX >> (GMP_LIMB_BITS - shift))) == 0); r0 = (r0 >> shift) | (r1 << (GMP_LIMB_BITS - shift)); r1 >>= shift; } np[1] = r1; np[0] = r0; } static void mpn_div_qr_pi1 (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_limb_t n1, mp_srcptr dp, mp_size_t dn, mp_limb_t dinv) { mp_size_t i; mp_limb_t d1, d0; mp_limb_t cy, cy1; mp_limb_t q; assert (dn > 2); assert (nn >= dn); d1 = dp[dn - 1]; d0 = dp[dn - 2]; assert ((d1 & GMP_LIMB_HIGHBIT) != 0); /* Iteration variable is the index of the q limb. * * We divide * by */ i = nn - dn; do { mp_limb_t n0 = np[dn-1+i]; if (n1 == d1 && n0 == d0) { q = GMP_LIMB_MAX; mpn_submul_1 (np+i, dp, dn, q); n1 = np[dn-1+i]; /* update n1, last loop's value will now be invalid */ } else { gmp_udiv_qr_3by2 (q, n1, n0, n1, n0, np[dn-2+i], d1, d0, dinv); cy = mpn_submul_1 (np + i, dp, dn-2, q); cy1 = n0 < cy; n0 = n0 - cy; cy = n1 < cy1; n1 = n1 - cy1; np[dn-2+i] = n0; if (cy != 0) { n1 += d1 + mpn_add_n (np + i, np + i, dp, dn - 1); q--; } } if (qp) qp[i] = q; } while (--i >= 0); np[dn - 1] = n1; } static void mpn_div_qr_preinv (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_srcptr dp, mp_size_t dn, const struct gmp_div_inverse *inv) { assert (dn > 0); assert (nn >= dn); if (dn == 1) np[0] = mpn_div_qr_1_preinv (qp, np, nn, inv); else if (dn == 2) mpn_div_qr_2_preinv (qp, np, nn, inv); else { mp_limb_t nh; unsigned shift; assert (inv->d1 == dp[dn-1]); assert (inv->d0 == dp[dn-2]); assert ((inv->d1 & GMP_LIMB_HIGHBIT) != 0); shift = inv->shift; if (shift > 0) nh = mpn_lshift (np, np, nn, shift); else nh = 0; mpn_div_qr_pi1 (qp, np, nn, nh, dp, dn, inv->di); if (shift > 0) gmp_assert_nocarry (mpn_rshift (np, np, dn, shift)); } } static void mpn_div_qr (mp_ptr qp, mp_ptr np, mp_size_t nn, mp_srcptr dp, mp_size_t dn) { struct gmp_div_inverse inv; mp_ptr tp = NULL; assert (dn > 0); assert (nn >= dn); mpn_div_qr_invert (&inv, dp, dn); if (dn > 2 && inv.shift > 0) { tp = gmp_xalloc_limbs (dn); gmp_assert_nocarry (mpn_lshift (tp, dp, dn, inv.shift)); dp = tp; } mpn_div_qr_preinv (qp, np, nn, dp, dn, &inv); if (tp) gmp_free (tp); } /* MPN base conversion. */ static unsigned mpn_base_power_of_two_p (unsigned b) { switch (b) { case 2: return 1; case 4: return 2; case 8: return 3; case 16: return 4; case 32: return 5; case 64: return 6; case 128: return 7; case 256: return 8; default: return 0; } } struct mpn_base_info { /* bb is the largest power of the base which fits in one limb, and exp is the corresponding exponent. */ unsigned exp; mp_limb_t bb; }; static void mpn_get_base_info (struct mpn_base_info *info, mp_limb_t b) { mp_limb_t m; mp_limb_t p; unsigned exp; m = GMP_LIMB_MAX / b; for (exp = 1, p = b; p <= m; exp++) p *= b; info->exp = exp; info->bb = p; } static mp_bitcnt_t mpn_limb_size_in_base_2 (mp_limb_t u) { unsigned shift; assert (u > 0); gmp_clz (shift, u); return GMP_LIMB_BITS - shift; } static size_t mpn_get_str_bits (unsigned char *sp, unsigned bits, mp_srcptr up, mp_size_t un) { unsigned char mask; size_t sn, j; mp_size_t i; unsigned shift; sn = ((un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1]) + bits - 1) / bits; mask = (1U << bits) - 1; for (i = 0, j = sn, shift = 0; j-- > 0;) { unsigned char digit = up[i] >> shift; shift += bits; if (shift >= GMP_LIMB_BITS && ++i < un) { shift -= GMP_LIMB_BITS; digit |= up[i] << (bits - shift); } sp[j] = digit & mask; } return sn; } /* We generate digits from the least significant end, and reverse at the end. */ static size_t mpn_limb_get_str (unsigned char *sp, mp_limb_t w, const struct gmp_div_inverse *binv) { mp_size_t i; for (i = 0; w > 0; i++) { mp_limb_t h, l, r; h = w >> (GMP_LIMB_BITS - binv->shift); l = w << binv->shift; gmp_udiv_qrnnd_preinv (w, r, h, l, binv->d1, binv->di); assert ((r & (GMP_LIMB_MAX >> (GMP_LIMB_BITS - binv->shift))) == 0); r >>= binv->shift; sp[i] = r; } return i; } static size_t mpn_get_str_other (unsigned char *sp, int base, const struct mpn_base_info *info, mp_ptr up, mp_size_t un) { struct gmp_div_inverse binv; size_t sn; size_t i; mpn_div_qr_1_invert (&binv, base); sn = 0; if (un > 1) { struct gmp_div_inverse bbinv; mpn_div_qr_1_invert (&bbinv, info->bb); do { mp_limb_t w; size_t done; w = mpn_div_qr_1_preinv (up, up, un, &bbinv); un -= (up[un-1] == 0); done = mpn_limb_get_str (sp + sn, w, &binv); for (sn += done; done < info->exp; done++) sp[sn++] = 0; } while (un > 1); } sn += mpn_limb_get_str (sp + sn, up[0], &binv); /* Reverse order */ for (i = 0; 2*i + 1 < sn; i++) { unsigned char t = sp[i]; sp[i] = sp[sn - i - 1]; sp[sn - i - 1] = t; } return sn; } size_t mpn_get_str (unsigned char *sp, int base, mp_ptr up, mp_size_t un) { unsigned bits; assert (un > 0); assert (up[un-1] > 0); bits = mpn_base_power_of_two_p (base); if (bits) return mpn_get_str_bits (sp, bits, up, un); else { struct mpn_base_info info; mpn_get_base_info (&info, base); return mpn_get_str_other (sp, base, &info, up, un); } } static mp_size_t mpn_set_str_bits (mp_ptr rp, const unsigned char *sp, size_t sn, unsigned bits) { mp_size_t rn; size_t j; unsigned shift; for (j = sn, rn = 0, shift = 0; j-- > 0; ) { if (shift == 0) { rp[rn++] = sp[j]; shift += bits; } else { rp[rn-1] |= (mp_limb_t) sp[j] << shift; shift += bits; if (shift >= GMP_LIMB_BITS) { shift -= GMP_LIMB_BITS; if (shift > 0) rp[rn++] = (mp_limb_t) sp[j] >> (bits - shift); } } } rn = mpn_normalized_size (rp, rn); return rn; } /* Result is usually normalized, except for all-zero input, in which case a single zero limb is written at *RP, and 1 is returned. */ static mp_size_t mpn_set_str_other (mp_ptr rp, const unsigned char *sp, size_t sn, mp_limb_t b, const struct mpn_base_info *info) { mp_size_t rn; mp_limb_t w; unsigned k; size_t j; assert (sn > 0); k = 1 + (sn - 1) % info->exp; j = 0; w = sp[j++]; while (--k != 0) w = w * b + sp[j++]; rp[0] = w; for (rn = 1; j < sn;) { mp_limb_t cy; w = sp[j++]; for (k = 1; k < info->exp; k++) w = w * b + sp[j++]; cy = mpn_mul_1 (rp, rp, rn, info->bb); cy += mpn_add_1 (rp, rp, rn, w); if (cy > 0) rp[rn++] = cy; } assert (j == sn); return rn; } mp_size_t mpn_set_str (mp_ptr rp, const unsigned char *sp, size_t sn, int base) { unsigned bits; if (sn == 0) return 0; bits = mpn_base_power_of_two_p (base); if (bits) return mpn_set_str_bits (rp, sp, sn, bits); else { struct mpn_base_info info; mpn_get_base_info (&info, base); return mpn_set_str_other (rp, sp, sn, base, &info); } } /* MPZ interface */ void mpz_init (mpz_t r) { static const mp_limb_t dummy_limb = GMP_LIMB_MAX & 0xc1a0; r->_mp_alloc = 0; r->_mp_size = 0; r->_mp_d = (mp_ptr) &dummy_limb; } /* The utility of this function is a bit limited, since many functions assigns the result variable using mpz_swap. */ void mpz_init2 (mpz_t r, mp_bitcnt_t bits) { mp_size_t rn; bits -= (bits != 0); /* Round down, except if 0 */ rn = 1 + bits / GMP_LIMB_BITS; r->_mp_alloc = rn; r->_mp_size = 0; r->_mp_d = gmp_xalloc_limbs (rn); } void mpz_clear (mpz_t r) { if (r->_mp_alloc) gmp_free (r->_mp_d); } static mp_ptr mpz_realloc (mpz_t r, mp_size_t size) { size = GMP_MAX (size, 1); if (r->_mp_alloc) r->_mp_d = gmp_xrealloc_limbs (r->_mp_d, size); else r->_mp_d = gmp_xalloc_limbs (size); r->_mp_alloc = size; if (GMP_ABS (r->_mp_size) > size) r->_mp_size = 0; return r->_mp_d; } /* Realloc for an mpz_t WHAT if it has less than NEEDED limbs. */ #define MPZ_REALLOC(z,n) ((n) > (z)->_mp_alloc \ ? mpz_realloc(z,n) \ : (z)->_mp_d) /* MPZ assignment and basic conversions. */ void mpz_set_si (mpz_t r, signed long int x) { if (x >= 0) mpz_set_ui (r, x); else /* (x < 0) */ if (GMP_LIMB_BITS < GMP_ULONG_BITS) { mpz_set_ui (r, GMP_NEG_CAST (unsigned long int, x)); mpz_neg (r, r); } else { r->_mp_size = -1; MPZ_REALLOC (r, 1)[0] = GMP_NEG_CAST (unsigned long int, x); } } void mpz_set_ui (mpz_t r, unsigned long int x) { if (x > 0) { r->_mp_size = 1; MPZ_REALLOC (r, 1)[0] = x; if (GMP_LIMB_BITS < GMP_ULONG_BITS) { int LOCAL_GMP_LIMB_BITS = GMP_LIMB_BITS; while (x >>= LOCAL_GMP_LIMB_BITS) { ++ r->_mp_size; MPZ_REALLOC (r, r->_mp_size)[r->_mp_size - 1] = x; } } } else r->_mp_size = 0; } void mpz_set (mpz_t r, const mpz_t x) { /* Allow the NOP r == x */ if (r != x) { mp_size_t n; mp_ptr rp; n = GMP_ABS (x->_mp_size); rp = MPZ_REALLOC (r, n); mpn_copyi (rp, x->_mp_d, n); r->_mp_size = x->_mp_size; } } void mpz_init_set_si (mpz_t r, signed long int x) { mpz_init (r); mpz_set_si (r, x); } void mpz_init_set_ui (mpz_t r, unsigned long int x) { mpz_init (r); mpz_set_ui (r, x); } void mpz_init_set (mpz_t r, const mpz_t x) { mpz_init (r); mpz_set (r, x); } int mpz_fits_slong_p (const mpz_t u) { return mpz_cmp_si (u, LONG_MAX) <= 0 && mpz_cmp_si (u, LONG_MIN) >= 0; } static int mpn_absfits_ulong_p (mp_srcptr up, mp_size_t un) { int ulongsize = GMP_ULONG_BITS / GMP_LIMB_BITS; mp_limb_t ulongrem = 0; if (GMP_ULONG_BITS % GMP_LIMB_BITS != 0) ulongrem = (mp_limb_t) (ULONG_MAX >> GMP_LIMB_BITS * ulongsize) + 1; return un <= ulongsize || (up[ulongsize] < ulongrem && un == ulongsize + 1); } int mpz_fits_ulong_p (const mpz_t u) { mp_size_t us = u->_mp_size; return us >= 0 && mpn_absfits_ulong_p (u->_mp_d, us); } int mpz_fits_sint_p (const mpz_t u) { return mpz_cmp_si (u, INT_MAX) <= 0 && mpz_cmp_si (u, INT_MIN) >= 0; } int mpz_fits_uint_p (const mpz_t u) { return u->_mp_size >= 0 && mpz_cmpabs_ui (u, UINT_MAX) <= 0; } int mpz_fits_sshort_p (const mpz_t u) { return mpz_cmp_si (u, SHRT_MAX) <= 0 && mpz_cmp_si (u, SHRT_MIN) >= 0; } int mpz_fits_ushort_p (const mpz_t u) { return u->_mp_size >= 0 && mpz_cmpabs_ui (u, USHRT_MAX) <= 0; } long int mpz_get_si (const mpz_t u) { unsigned long r = mpz_get_ui (u); unsigned long c = -LONG_MAX - LONG_MIN; if (u->_mp_size < 0) /* This expression is necessary to properly handle -LONG_MIN */ return -(long) c - (long) ((r - c) & LONG_MAX); else return (long) (r & LONG_MAX); } unsigned long int mpz_get_ui (const mpz_t u) { if (GMP_LIMB_BITS < GMP_ULONG_BITS) { int LOCAL_GMP_LIMB_BITS = GMP_LIMB_BITS; unsigned long r = 0; mp_size_t n = GMP_ABS (u->_mp_size); n = GMP_MIN (n, 1 + (mp_size_t) (GMP_ULONG_BITS - 1) / GMP_LIMB_BITS); while (--n >= 0) r = (r << LOCAL_GMP_LIMB_BITS) + u->_mp_d[n]; return r; } return u->_mp_size == 0 ? 0 : u->_mp_d[0]; } size_t mpz_size (const mpz_t u) { return GMP_ABS (u->_mp_size); } mp_limb_t mpz_getlimbn (const mpz_t u, mp_size_t n) { if (n >= 0 && n < GMP_ABS (u->_mp_size)) return u->_mp_d[n]; else return 0; } void mpz_realloc2 (mpz_t x, mp_bitcnt_t n) { mpz_realloc (x, 1 + (n - (n != 0)) / GMP_LIMB_BITS); } mp_srcptr mpz_limbs_read (mpz_srcptr x) { return x->_mp_d; } mp_ptr mpz_limbs_modify (mpz_t x, mp_size_t n) { assert (n > 0); return MPZ_REALLOC (x, n); } mp_ptr mpz_limbs_write (mpz_t x, mp_size_t n) { return mpz_limbs_modify (x, n); } void mpz_limbs_finish (mpz_t x, mp_size_t xs) { mp_size_t xn; xn = mpn_normalized_size (x->_mp_d, GMP_ABS (xs)); x->_mp_size = xs < 0 ? -xn : xn; } static mpz_srcptr mpz_roinit_normal_n (mpz_t x, mp_srcptr xp, mp_size_t xs) { x->_mp_alloc = 0; x->_mp_d = (mp_ptr) xp; x->_mp_size = xs; return x; } mpz_srcptr mpz_roinit_n (mpz_t x, mp_srcptr xp, mp_size_t xs) { mpz_roinit_normal_n (x, xp, xs); mpz_limbs_finish (x, xs); return x; } /* Conversions and comparison to double. */ void mpz_set_d (mpz_t r, double x) { int sign; mp_ptr rp; mp_size_t rn, i; double B; double Bi; mp_limb_t f; /* x != x is true when x is a NaN, and x == x * 0.5 is true when x is zero or infinity. */ if (x != x || x == x * 0.5) { r->_mp_size = 0; return; } sign = x < 0.0 ; if (sign) x = - x; if (x < 1.0) { r->_mp_size = 0; return; } B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1); Bi = 1.0 / B; for (rn = 1; x >= B; rn++) x *= Bi; rp = MPZ_REALLOC (r, rn); f = (mp_limb_t) x; x -= f; assert (x < 1.0); i = rn-1; rp[i] = f; while (--i >= 0) { x = B * x; f = (mp_limb_t) x; x -= f; assert (x < 1.0); rp[i] = f; } r->_mp_size = sign ? - rn : rn; } void mpz_init_set_d (mpz_t r, double x) { mpz_init (r); mpz_set_d (r, x); } double mpz_get_d (const mpz_t u) { int m; mp_limb_t l; mp_size_t un; double x; double B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1); un = GMP_ABS (u->_mp_size); if (un == 0) return 0.0; l = u->_mp_d[--un]; gmp_clz (m, l); m = m + GMP_DBL_MANT_BITS - GMP_LIMB_BITS; if (m < 0) l &= GMP_LIMB_MAX << -m; for (x = l; --un >= 0;) { x = B*x; if (m > 0) { l = u->_mp_d[un]; m -= GMP_LIMB_BITS; if (m < 0) l &= GMP_LIMB_MAX << -m; x += l; } } if (u->_mp_size < 0) x = -x; return x; } int mpz_cmpabs_d (const mpz_t x, double d) { mp_size_t xn; double B, Bi; mp_size_t i; xn = x->_mp_size; d = GMP_ABS (d); if (xn != 0) { xn = GMP_ABS (xn); B = 4.0 * (double) (GMP_LIMB_HIGHBIT >> 1); Bi = 1.0 / B; /* Scale d so it can be compared with the top limb. */ for (i = 1; i < xn; i++) d *= Bi; if (d >= B) return -1; /* Compare floor(d) to top limb, subtract and cancel when equal. */ for (i = xn; i-- > 0;) { mp_limb_t f, xl; f = (mp_limb_t) d; xl = x->_mp_d[i]; if (xl > f) return 1; else if (xl < f) return -1; d = B * (d - f); } } return - (d > 0.0); } int mpz_cmp_d (const mpz_t x, double d) { if (x->_mp_size < 0) { if (d >= 0.0) return -1; else return -mpz_cmpabs_d (x, d); } else { if (d < 0.0) return 1; else return mpz_cmpabs_d (x, d); } } /* MPZ comparisons and the like. */ int mpz_sgn (const mpz_t u) { return GMP_CMP (u->_mp_size, 0); } int mpz_cmp_si (const mpz_t u, long v) { mp_size_t usize = u->_mp_size; if (v >= 0) return mpz_cmp_ui (u, v); else if (usize >= 0) return 1; else return - mpz_cmpabs_ui (u, GMP_NEG_CAST (unsigned long int, v)); } int mpz_cmp_ui (const mpz_t u, unsigned long v) { mp_size_t usize = u->_mp_size; if (usize < 0) return -1; else return mpz_cmpabs_ui (u, v); } int mpz_cmp (const mpz_t a, const mpz_t b) { mp_size_t asize = a->_mp_size; mp_size_t bsize = b->_mp_size; if (asize != bsize) return (asize < bsize) ? -1 : 1; else if (asize >= 0) return mpn_cmp (a->_mp_d, b->_mp_d, asize); else return mpn_cmp (b->_mp_d, a->_mp_d, -asize); } int mpz_cmpabs_ui (const mpz_t u, unsigned long v) { mp_size_t un = GMP_ABS (u->_mp_size); if (! mpn_absfits_ulong_p (u->_mp_d, un)) return 1; else { unsigned long uu = mpz_get_ui (u); return GMP_CMP(uu, v); } } int mpz_cmpabs (const mpz_t u, const mpz_t v) { return mpn_cmp4 (u->_mp_d, GMP_ABS (u->_mp_size), v->_mp_d, GMP_ABS (v->_mp_size)); } void mpz_abs (mpz_t r, const mpz_t u) { mpz_set (r, u); r->_mp_size = GMP_ABS (r->_mp_size); } void mpz_neg (mpz_t r, const mpz_t u) { mpz_set (r, u); r->_mp_size = -r->_mp_size; } void mpz_swap (mpz_t u, mpz_t v) { MP_SIZE_T_SWAP (u->_mp_size, v->_mp_size); MP_SIZE_T_SWAP (u->_mp_alloc, v->_mp_alloc); MP_PTR_SWAP (u->_mp_d, v->_mp_d); } /* MPZ addition and subtraction */ void mpz_add_ui (mpz_t r, const mpz_t a, unsigned long b) { mpz_t bb; mpz_init_set_ui (bb, b); mpz_add (r, a, bb); mpz_clear (bb); } void mpz_sub_ui (mpz_t r, const mpz_t a, unsigned long b) { mpz_ui_sub (r, b, a); mpz_neg (r, r); } void mpz_ui_sub (mpz_t r, unsigned long a, const mpz_t b) { mpz_neg (r, b); mpz_add_ui (r, r, a); } static mp_size_t mpz_abs_add (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t an = GMP_ABS (a->_mp_size); mp_size_t bn = GMP_ABS (b->_mp_size); mp_ptr rp; mp_limb_t cy; if (an < bn) { MPZ_SRCPTR_SWAP (a, b); MP_SIZE_T_SWAP (an, bn); } rp = MPZ_REALLOC (r, an + 1); cy = mpn_add (rp, a->_mp_d, an, b->_mp_d, bn); rp[an] = cy; return an + cy; } static mp_size_t mpz_abs_sub (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t an = GMP_ABS (a->_mp_size); mp_size_t bn = GMP_ABS (b->_mp_size); int cmp; mp_ptr rp; cmp = mpn_cmp4 (a->_mp_d, an, b->_mp_d, bn); if (cmp > 0) { rp = MPZ_REALLOC (r, an); gmp_assert_nocarry (mpn_sub (rp, a->_mp_d, an, b->_mp_d, bn)); return mpn_normalized_size (rp, an); } else if (cmp < 0) { rp = MPZ_REALLOC (r, bn); gmp_assert_nocarry (mpn_sub (rp, b->_mp_d, bn, a->_mp_d, an)); return -mpn_normalized_size (rp, bn); } else return 0; } void mpz_add (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t rn; if ( (a->_mp_size ^ b->_mp_size) >= 0) rn = mpz_abs_add (r, a, b); else rn = mpz_abs_sub (r, a, b); r->_mp_size = a->_mp_size >= 0 ? rn : - rn; } void mpz_sub (mpz_t r, const mpz_t a, const mpz_t b) { mp_size_t rn; if ( (a->_mp_size ^ b->_mp_size) >= 0) rn = mpz_abs_sub (r, a, b); else rn = mpz_abs_add (r, a, b); r->_mp_size = a->_mp_size >= 0 ? rn : - rn; } /* MPZ multiplication */ void mpz_mul_si (mpz_t r, const mpz_t u, long int v) { if (v < 0) { mpz_mul_ui (r, u, GMP_NEG_CAST (unsigned long int, v)); mpz_neg (r, r); } else mpz_mul_ui (r, u, v); } void mpz_mul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t vv; mpz_init_set_ui (vv, v); mpz_mul (r, u, vv); mpz_clear (vv); return; } void mpz_mul (mpz_t r, const mpz_t u, const mpz_t v) { int sign; mp_size_t un, vn, rn; mpz_t t; mp_ptr tp; un = u->_mp_size; vn = v->_mp_size; if (un == 0 || vn == 0) { r->_mp_size = 0; return; } sign = (un ^ vn) < 0; un = GMP_ABS (un); vn = GMP_ABS (vn); mpz_init2 (t, (un + vn) * GMP_LIMB_BITS); tp = t->_mp_d; if (un >= vn) mpn_mul (tp, u->_mp_d, un, v->_mp_d, vn); else mpn_mul (tp, v->_mp_d, vn, u->_mp_d, un); rn = un + vn; rn -= tp[rn-1] == 0; t->_mp_size = sign ? - rn : rn; mpz_swap (r, t); mpz_clear (t); } void mpz_mul_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bits) { mp_size_t un, rn; mp_size_t limbs; unsigned shift; mp_ptr rp; un = GMP_ABS (u->_mp_size); if (un == 0) { r->_mp_size = 0; return; } limbs = bits / GMP_LIMB_BITS; shift = bits % GMP_LIMB_BITS; rn = un + limbs + (shift > 0); rp = MPZ_REALLOC (r, rn); if (shift > 0) { mp_limb_t cy = mpn_lshift (rp + limbs, u->_mp_d, un, shift); rp[rn-1] = cy; rn -= (cy == 0); } else mpn_copyd (rp + limbs, u->_mp_d, un); mpn_zero (rp, limbs); r->_mp_size = (u->_mp_size < 0) ? - rn : rn; } void mpz_addmul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t t; mpz_init_set_ui (t, v); mpz_mul (t, u, t); mpz_add (r, r, t); mpz_clear (t); } void mpz_submul_ui (mpz_t r, const mpz_t u, unsigned long int v) { mpz_t t; mpz_init_set_ui (t, v); mpz_mul (t, u, t); mpz_sub (r, r, t); mpz_clear (t); } void mpz_addmul (mpz_t r, const mpz_t u, const mpz_t v) { mpz_t t; mpz_init (t); mpz_mul (t, u, v); mpz_add (r, r, t); mpz_clear (t); } void mpz_submul (mpz_t r, const mpz_t u, const mpz_t v) { mpz_t t; mpz_init (t); mpz_mul (t, u, v); mpz_sub (r, r, t); mpz_clear (t); } /* MPZ division */ enum mpz_div_round_mode { GMP_DIV_FLOOR, GMP_DIV_CEIL, GMP_DIV_TRUNC }; /* Allows q or r to be zero. Returns 1 iff remainder is non-zero. */ static int mpz_div_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d, enum mpz_div_round_mode mode) { mp_size_t ns, ds, nn, dn, qs; ns = n->_mp_size; ds = d->_mp_size; if (ds == 0) gmp_die("mpz_div_qr: Divide by zero."); if (ns == 0) { if (q) q->_mp_size = 0; if (r) r->_mp_size = 0; return 0; } nn = GMP_ABS (ns); dn = GMP_ABS (ds); qs = ds ^ ns; if (nn < dn) { if (mode == GMP_DIV_CEIL && qs >= 0) { /* q = 1, r = n - d */ if (r) mpz_sub (r, n, d); if (q) mpz_set_ui (q, 1); } else if (mode == GMP_DIV_FLOOR && qs < 0) { /* q = -1, r = n + d */ if (r) mpz_add (r, n, d); if (q) mpz_set_si (q, -1); } else { /* q = 0, r = d */ if (r) mpz_set (r, n); if (q) q->_mp_size = 0; } return 1; } else { mp_ptr np, qp; mp_size_t qn, rn; mpz_t tq, tr; mpz_init_set (tr, n); np = tr->_mp_d; qn = nn - dn + 1; if (q) { mpz_init2 (tq, qn * GMP_LIMB_BITS); qp = tq->_mp_d; } else qp = NULL; mpn_div_qr (qp, np, nn, d->_mp_d, dn); if (qp) { qn -= (qp[qn-1] == 0); tq->_mp_size = qs < 0 ? -qn : qn; } rn = mpn_normalized_size (np, dn); tr->_mp_size = ns < 0 ? - rn : rn; if (mode == GMP_DIV_FLOOR && qs < 0 && rn != 0) { if (q) mpz_sub_ui (tq, tq, 1); if (r) mpz_add (tr, tr, d); } else if (mode == GMP_DIV_CEIL && qs >= 0 && rn != 0) { if (q) mpz_add_ui (tq, tq, 1); if (r) mpz_sub (tr, tr, d); } if (q) { mpz_swap (tq, q); mpz_clear (tq); } if (r) mpz_swap (tr, r); mpz_clear (tr); return rn != 0; } } void mpz_cdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (q, r, n, d, GMP_DIV_CEIL); } void mpz_fdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (q, r, n, d, GMP_DIV_FLOOR); } void mpz_tdiv_qr (mpz_t q, mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (q, r, n, d, GMP_DIV_TRUNC); } void mpz_cdiv_q (mpz_t q, const mpz_t n, const mpz_t d) { mpz_div_qr (q, NULL, n, d, GMP_DIV_CEIL); } void mpz_fdiv_q (mpz_t q, const mpz_t n, const mpz_t d) { mpz_div_qr (q, NULL, n, d, GMP_DIV_FLOOR); } void mpz_tdiv_q (mpz_t q, const mpz_t n, const mpz_t d) { mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC); } void mpz_cdiv_r (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, GMP_DIV_CEIL); } void mpz_fdiv_r (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, GMP_DIV_FLOOR); } void mpz_tdiv_r (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, GMP_DIV_TRUNC); } void mpz_mod (mpz_t r, const mpz_t n, const mpz_t d) { mpz_div_qr (NULL, r, n, d, d->_mp_size >= 0 ? GMP_DIV_FLOOR : GMP_DIV_CEIL); } static void mpz_div_q_2exp (mpz_t q, const mpz_t u, mp_bitcnt_t bit_index, enum mpz_div_round_mode mode) { mp_size_t un, qn; mp_size_t limb_cnt; mp_ptr qp; int adjust; un = u->_mp_size; if (un == 0) { q->_mp_size = 0; return; } limb_cnt = bit_index / GMP_LIMB_BITS; qn = GMP_ABS (un) - limb_cnt; bit_index %= GMP_LIMB_BITS; if (mode == ((un > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* un != 0 here. */ /* Note: Below, the final indexing at limb_cnt is valid because at that point we have qn > 0. */ adjust = (qn <= 0 || !mpn_zero_p (u->_mp_d, limb_cnt) || (u->_mp_d[limb_cnt] & (((mp_limb_t) 1 << bit_index) - 1))); else adjust = 0; if (qn <= 0) qn = 0; else { qp = MPZ_REALLOC (q, qn); if (bit_index != 0) { mpn_rshift (qp, u->_mp_d + limb_cnt, qn, bit_index); qn -= qp[qn - 1] == 0; } else { mpn_copyi (qp, u->_mp_d + limb_cnt, qn); } } q->_mp_size = qn; if (adjust) mpz_add_ui (q, q, 1); if (un < 0) mpz_neg (q, q); } static void mpz_div_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t bit_index, enum mpz_div_round_mode mode) { mp_size_t us, un, rn; mp_ptr rp; mp_limb_t mask; us = u->_mp_size; if (us == 0 || bit_index == 0) { r->_mp_size = 0; return; } rn = (bit_index + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS; assert (rn > 0); rp = MPZ_REALLOC (r, rn); un = GMP_ABS (us); mask = GMP_LIMB_MAX >> (rn * GMP_LIMB_BITS - bit_index); if (rn > un) { /* Quotient (with truncation) is zero, and remainder is non-zero */ if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */ { /* Have to negate and sign extend. */ mp_size_t i; gmp_assert_nocarry (! mpn_neg (rp, u->_mp_d, un)); for (i = un; i < rn - 1; i++) rp[i] = GMP_LIMB_MAX; rp[rn-1] = mask; us = -us; } else { /* Just copy */ if (r != u) mpn_copyi (rp, u->_mp_d, un); rn = un; } } else { if (r != u) mpn_copyi (rp, u->_mp_d, rn - 1); rp[rn-1] = u->_mp_d[rn-1] & mask; if (mode == ((us > 0) ? GMP_DIV_CEIL : GMP_DIV_FLOOR)) /* us != 0 here. */ { /* If r != 0, compute 2^{bit_count} - r. */ mpn_neg (rp, rp, rn); rp[rn-1] &= mask; /* us is not used for anything else, so we can modify it here to indicate flipped sign. */ us = -us; } } rn = mpn_normalized_size (rp, rn); r->_mp_size = us < 0 ? -rn : rn; } void mpz_cdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_q_2exp (r, u, cnt, GMP_DIV_CEIL); } void mpz_fdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_q_2exp (r, u, cnt, GMP_DIV_FLOOR); } void mpz_tdiv_q_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_q_2exp (r, u, cnt, GMP_DIV_TRUNC); } void mpz_cdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_r_2exp (r, u, cnt, GMP_DIV_CEIL); } void mpz_fdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_r_2exp (r, u, cnt, GMP_DIV_FLOOR); } void mpz_tdiv_r_2exp (mpz_t r, const mpz_t u, mp_bitcnt_t cnt) { mpz_div_r_2exp (r, u, cnt, GMP_DIV_TRUNC); } void mpz_divexact (mpz_t q, const mpz_t n, const mpz_t d) { gmp_assert_nocarry (mpz_div_qr (q, NULL, n, d, GMP_DIV_TRUNC)); } int mpz_divisible_p (const mpz_t n, const mpz_t d) { return mpz_div_qr (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0; } int mpz_congruent_p (const mpz_t a, const mpz_t b, const mpz_t m) { mpz_t t; int res; /* a == b (mod 0) iff a == b */ if (mpz_sgn (m) == 0) return (mpz_cmp (a, b) == 0); mpz_init (t); mpz_sub (t, a, b); res = mpz_divisible_p (t, m); mpz_clear (t); return res; } static unsigned long mpz_div_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d, enum mpz_div_round_mode mode) { unsigned long ret; mpz_t rr, dd; mpz_init (rr); mpz_init_set_ui (dd, d); mpz_div_qr (q, rr, n, dd, mode); mpz_clear (dd); ret = mpz_get_ui (rr); if (r) mpz_swap (r, rr); mpz_clear (rr); return ret; } unsigned long mpz_cdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, r, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, r, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_qr_ui (mpz_t q, mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, r, n, d, GMP_DIV_TRUNC); } unsigned long mpz_cdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_q_ui (mpz_t q, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC); } unsigned long mpz_cdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_r_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_TRUNC); } unsigned long mpz_cdiv_ui (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_CEIL); } unsigned long mpz_fdiv_ui (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_FLOOR); } unsigned long mpz_tdiv_ui (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_TRUNC); } unsigned long mpz_mod_ui (mpz_t r, const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, r, n, d, GMP_DIV_FLOOR); } void mpz_divexact_ui (mpz_t q, const mpz_t n, unsigned long d) { gmp_assert_nocarry (mpz_div_qr_ui (q, NULL, n, d, GMP_DIV_TRUNC)); } int mpz_divisible_ui_p (const mpz_t n, unsigned long d) { return mpz_div_qr_ui (NULL, NULL, n, d, GMP_DIV_TRUNC) == 0; } /* GCD */ static mp_limb_t mpn_gcd_11 (mp_limb_t u, mp_limb_t v) { unsigned shift; assert ( (u | v) > 0); if (u == 0) return v; else if (v == 0) return u; gmp_ctz (shift, u | v); u >>= shift; v >>= shift; if ( (u & 1) == 0) MP_LIMB_T_SWAP (u, v); while ( (v & 1) == 0) v >>= 1; while (u != v) { if (u > v) { u -= v; do u >>= 1; while ( (u & 1) == 0); } else { v -= u; do v >>= 1; while ( (v & 1) == 0); } } return u << shift; } unsigned long mpz_gcd_ui (mpz_t g, const mpz_t u, unsigned long v) { mpz_t t; mpz_init_set_ui(t, v); mpz_gcd (t, u, t); if (v > 0) v = mpz_get_ui (t); if (g) mpz_swap (t, g); mpz_clear (t); return v; } static mp_bitcnt_t mpz_make_odd (mpz_t r) { mp_bitcnt_t shift; assert (r->_mp_size > 0); /* Count trailing zeros, equivalent to mpn_scan1, because we know that there is a 1 */ shift = mpn_common_scan (r->_mp_d[0], 0, r->_mp_d, 0, 0); mpz_tdiv_q_2exp (r, r, shift); return shift; } void mpz_gcd (mpz_t g, const mpz_t u, const mpz_t v) { mpz_t tu, tv; mp_bitcnt_t uz, vz, gz; if (u->_mp_size == 0) { mpz_abs (g, v); return; } if (v->_mp_size == 0) { mpz_abs (g, u); return; } mpz_init (tu); mpz_init (tv); mpz_abs (tu, u); uz = mpz_make_odd (tu); mpz_abs (tv, v); vz = mpz_make_odd (tv); gz = GMP_MIN (uz, vz); if (tu->_mp_size < tv->_mp_size) mpz_swap (tu, tv); mpz_tdiv_r (tu, tu, tv); if (tu->_mp_size == 0) { mpz_swap (g, tv); } else for (;;) { int c; mpz_make_odd (tu); c = mpz_cmp (tu, tv); if (c == 0) { mpz_swap (g, tu); break; } if (c < 0) mpz_swap (tu, tv); if (tv->_mp_size == 1) { mp_limb_t vl = tv->_mp_d[0]; mp_limb_t ul = mpz_tdiv_ui (tu, vl); mpz_set_ui (g, mpn_gcd_11 (ul, vl)); break; } mpz_sub (tu, tu, tv); } mpz_clear (tu); mpz_clear (tv); mpz_mul_2exp (g, g, gz); } void mpz_gcdext (mpz_t g, mpz_t s, mpz_t t, const mpz_t u, const mpz_t v) { mpz_t tu, tv, s0, s1, t0, t1; mp_bitcnt_t uz, vz, gz; mp_bitcnt_t power; if (u->_mp_size == 0) { /* g = 0 u + sgn(v) v */ signed long sign = mpz_sgn (v); mpz_abs (g, v); if (s) s->_mp_size = 0; if (t) mpz_set_si (t, sign); return; } if (v->_mp_size == 0) { /* g = sgn(u) u + 0 v */ signed long sign = mpz_sgn (u); mpz_abs (g, u); if (s) mpz_set_si (s, sign); if (t) t->_mp_size = 0; return; } mpz_init (tu); mpz_init (tv); mpz_init (s0); mpz_init (s1); mpz_init (t0); mpz_init (t1); mpz_abs (tu, u); uz = mpz_make_odd (tu); mpz_abs (tv, v); vz = mpz_make_odd (tv); gz = GMP_MIN (uz, vz); uz -= gz; vz -= gz; /* Cofactors corresponding to odd gcd. gz handled later. */ if (tu->_mp_size < tv->_mp_size) { mpz_swap (tu, tv); MPZ_SRCPTR_SWAP (u, v); MPZ_PTR_SWAP (s, t); MP_BITCNT_T_SWAP (uz, vz); } /* Maintain * * u = t0 tu + t1 tv * v = s0 tu + s1 tv * * where u and v denote the inputs with common factors of two * eliminated, and det (s0, t0; s1, t1) = 2^p. Then * * 2^p tu = s1 u - t1 v * 2^p tv = -s0 u + t0 v */ /* After initial division, tu = q tv + tu', we have * * u = 2^uz (tu' + q tv) * v = 2^vz tv * * or * * t0 = 2^uz, t1 = 2^uz q * s0 = 0, s1 = 2^vz */ mpz_setbit (t0, uz); mpz_tdiv_qr (t1, tu, tu, tv); mpz_mul_2exp (t1, t1, uz); mpz_setbit (s1, vz); power = uz + vz; if (tu->_mp_size > 0) { mp_bitcnt_t shift; shift = mpz_make_odd (tu); mpz_mul_2exp (t0, t0, shift); mpz_mul_2exp (s0, s0, shift); power += shift; for (;;) { int c; c = mpz_cmp (tu, tv); if (c == 0) break; if (c < 0) { /* tv = tv' + tu * * u = t0 tu + t1 (tv' + tu) = (t0 + t1) tu + t1 tv' * v = s0 tu + s1 (tv' + tu) = (s0 + s1) tu + s1 tv' */ mpz_sub (tv, tv, tu); mpz_add (t0, t0, t1); mpz_add (s0, s0, s1); shift = mpz_make_odd (tv); mpz_mul_2exp (t1, t1, shift); mpz_mul_2exp (s1, s1, shift); } else { mpz_sub (tu, tu, tv); mpz_add (t1, t0, t1); mpz_add (s1, s0, s1); shift = mpz_make_odd (tu); mpz_mul_2exp (t0, t0, shift); mpz_mul_2exp (s0, s0, shift); } power += shift; } } /* Now tv = odd part of gcd, and -s0 and t0 are corresponding cofactors. */ mpz_mul_2exp (tv, tv, gz); mpz_neg (s0, s0); /* 2^p g = s0 u + t0 v. Eliminate one factor of two at a time. To adjust cofactors, we need u / g and v / g */ mpz_divexact (s1, v, tv); mpz_abs (s1, s1); mpz_divexact (t1, u, tv); mpz_abs (t1, t1); while (power-- > 0) { /* s0 u + t0 v = (s0 - v/g) u - (t0 + u/g) v */ if (mpz_odd_p (s0) || mpz_odd_p (t0)) { mpz_sub (s0, s0, s1); mpz_add (t0, t0, t1); } assert (mpz_even_p (t0) && mpz_even_p (s0)); mpz_tdiv_q_2exp (s0, s0, 1); mpz_tdiv_q_2exp (t0, t0, 1); } /* Arrange so that |s| < |u| / 2g */ mpz_add (s1, s0, s1); if (mpz_cmpabs (s0, s1) > 0) { mpz_swap (s0, s1); mpz_sub (t0, t0, t1); } if (u->_mp_size < 0) mpz_neg (s0, s0); if (v->_mp_size < 0) mpz_neg (t0, t0); mpz_swap (g, tv); if (s) mpz_swap (s, s0); if (t) mpz_swap (t, t0); mpz_clear (tu); mpz_clear (tv); mpz_clear (s0); mpz_clear (s1); mpz_clear (t0); mpz_clear (t1); } void mpz_lcm (mpz_t r, const mpz_t u, const mpz_t v) { mpz_t g; if (u->_mp_size == 0 || v->_mp_size == 0) { r->_mp_size = 0; return; } mpz_init (g); mpz_gcd (g, u, v); mpz_divexact (g, u, g); mpz_mul (r, g, v); mpz_clear (g); mpz_abs (r, r); } void mpz_lcm_ui (mpz_t r, const mpz_t u, unsigned long v) { if (v == 0 || u->_mp_size == 0) { r->_mp_size = 0; return; } v /= mpz_gcd_ui (NULL, u, v); mpz_mul_ui (r, u, v); mpz_abs (r, r); } int mpz_invert (mpz_t r, const mpz_t u, const mpz_t m) { mpz_t g, tr; int invertible; if (u->_mp_size == 0 || mpz_cmpabs_ui (m, 1) <= 0) return 0; mpz_init (g); mpz_init (tr); mpz_gcdext (g, tr, NULL, u, m); invertible = (mpz_cmp_ui (g, 1) == 0); if (invertible) { if (tr->_mp_size < 0) { if (m->_mp_size >= 0) mpz_add (tr, tr, m); else mpz_sub (tr, tr, m); } mpz_swap (r, tr); } mpz_clear (g); mpz_clear (tr); return invertible; } /* Higher level operations (sqrt, pow and root) */ void mpz_pow_ui (mpz_t r, const mpz_t b, unsigned long e) { unsigned long bit; mpz_t tr; mpz_init_set_ui (tr, 1); bit = GMP_ULONG_HIGHBIT; do { mpz_mul (tr, tr, tr); if (e & bit) mpz_mul (tr, tr, b); bit >>= 1; } while (bit > 0); mpz_swap (r, tr); mpz_clear (tr); } void mpz_ui_pow_ui (mpz_t r, unsigned long blimb, unsigned long e) { mpz_t b; mpz_init_set_ui (b, blimb); mpz_pow_ui (r, b, e); mpz_clear (b); } void mpz_powm (mpz_t r, const mpz_t b, const mpz_t e, const mpz_t m) { mpz_t tr; mpz_t base; mp_size_t en, mn; mp_srcptr mp; struct gmp_div_inverse minv; unsigned shift; mp_ptr tp = NULL; en = GMP_ABS (e->_mp_size); mn = GMP_ABS (m->_mp_size); if (mn == 0) gmp_die ("mpz_powm: Zero modulo."); if (en == 0) { mpz_set_ui (r, 1); return; } mp = m->_mp_d; mpn_div_qr_invert (&minv, mp, mn); shift = minv.shift; if (shift > 0) { /* To avoid shifts, we do all our reductions, except the final one, using a *normalized* m. */ minv.shift = 0; tp = gmp_xalloc_limbs (mn); gmp_assert_nocarry (mpn_lshift (tp, mp, mn, shift)); mp = tp; } mpz_init (base); if (e->_mp_size < 0) { if (!mpz_invert (base, b, m)) gmp_die ("mpz_powm: Negative exponent and non-invertible base."); } else { mp_size_t bn; mpz_abs (base, b); bn = base->_mp_size; if (bn >= mn) { mpn_div_qr_preinv (NULL, base->_mp_d, base->_mp_size, mp, mn, &minv); bn = mn; } /* We have reduced the absolute value. Now take care of the sign. Note that we get zero represented non-canonically as m. */ if (b->_mp_size < 0) { mp_ptr bp = MPZ_REALLOC (base, mn); gmp_assert_nocarry (mpn_sub (bp, mp, mn, bp, bn)); bn = mn; } base->_mp_size = mpn_normalized_size (base->_mp_d, bn); } mpz_init_set_ui (tr, 1); while (--en >= 0) { mp_limb_t w = e->_mp_d[en]; mp_limb_t bit; bit = GMP_LIMB_HIGHBIT; do { mpz_mul (tr, tr, tr); if (w & bit) mpz_mul (tr, tr, base); if (tr->_mp_size > mn) { mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv); tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn); } bit >>= 1; } while (bit > 0); } /* Final reduction */ if (tr->_mp_size >= mn) { minv.shift = shift; mpn_div_qr_preinv (NULL, tr->_mp_d, tr->_mp_size, mp, mn, &minv); tr->_mp_size = mpn_normalized_size (tr->_mp_d, mn); } if (tp) gmp_free (tp); mpz_swap (r, tr); mpz_clear (tr); mpz_clear (base); } void mpz_powm_ui (mpz_t r, const mpz_t b, unsigned long elimb, const mpz_t m) { mpz_t e; mpz_init_set_ui (e, elimb); mpz_powm (r, b, e, m); mpz_clear (e); } /* x=trunc(y^(1/z)), r=y-x^z */ void mpz_rootrem (mpz_t x, mpz_t r, const mpz_t y, unsigned long z) { int sgn; mpz_t t, u; sgn = y->_mp_size < 0; if ((~z & sgn) != 0) gmp_die ("mpz_rootrem: Negative argument, with even root."); if (z == 0) gmp_die ("mpz_rootrem: Zeroth root."); if (mpz_cmpabs_ui (y, 1) <= 0) { if (x) mpz_set (x, y); if (r) r->_mp_size = 0; return; } mpz_init (u); mpz_init (t); mpz_setbit (t, mpz_sizeinbase (y, 2) / z + 1); if (z == 2) /* simplify sqrt loop: z-1 == 1 */ do { mpz_swap (u, t); /* u = x */ mpz_tdiv_q (t, y, u); /* t = y/x */ mpz_add (t, t, u); /* t = y/x + x */ mpz_tdiv_q_2exp (t, t, 1); /* x'= (y/x + x)/2 */ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */ else /* z != 2 */ { mpz_t v; mpz_init (v); if (sgn) mpz_neg (t, t); do { mpz_swap (u, t); /* u = x */ mpz_pow_ui (t, u, z - 1); /* t = x^(z-1) */ mpz_tdiv_q (t, y, t); /* t = y/x^(z-1) */ mpz_mul_ui (v, u, z - 1); /* v = x*(z-1) */ mpz_add (t, t, v); /* t = y/x^(z-1) + x*(z-1) */ mpz_tdiv_q_ui (t, t, z); /* x'=(y/x^(z-1) + x*(z-1))/z */ } while (mpz_cmpabs (t, u) < 0); /* |x'| < |x| */ mpz_clear (v); } if (r) { mpz_pow_ui (t, u, z); mpz_sub (r, y, t); } if (x) mpz_swap (x, u); mpz_clear (u); mpz_clear (t); } int mpz_root (mpz_t x, const mpz_t y, unsigned long z) { int res; mpz_t r; mpz_init (r); mpz_rootrem (x, r, y, z); res = r->_mp_size == 0; mpz_clear (r); return res; } /* Compute s = floor(sqrt(u)) and r = u - s^2. Allows r == NULL */ void mpz_sqrtrem (mpz_t s, mpz_t r, const mpz_t u) { mpz_rootrem (s, r, u, 2); } void mpz_sqrt (mpz_t s, const mpz_t u) { mpz_rootrem (s, NULL, u, 2); } int mpz_perfect_square_p (const mpz_t u) { if (u->_mp_size <= 0) return (u->_mp_size == 0); else return mpz_root (NULL, u, 2); } int mpn_perfect_square_p (mp_srcptr p, mp_size_t n) { mpz_t t; assert (n > 0); assert (p [n-1] != 0); return mpz_root (NULL, mpz_roinit_normal_n (t, p, n), 2); } mp_size_t mpn_sqrtrem (mp_ptr sp, mp_ptr rp, mp_srcptr p, mp_size_t n) { mpz_t s, r, u; mp_size_t res; assert (n > 0); assert (p [n-1] != 0); mpz_init (r); mpz_init (s); mpz_rootrem (s, r, mpz_roinit_normal_n (u, p, n), 2); assert (s->_mp_size == (n+1)/2); mpn_copyd (sp, s->_mp_d, s->_mp_size); mpz_clear (s); res = r->_mp_size; if (rp) mpn_copyd (rp, r->_mp_d, res); mpz_clear (r); return res; } /* Combinatorics */ void mpz_mfac_uiui (mpz_t x, unsigned long n, unsigned long m) { mpz_set_ui (x, n + (n == 0)); if (m + 1 < 2) return; while (n > m + 1) mpz_mul_ui (x, x, n -= m); } void mpz_2fac_ui (mpz_t x, unsigned long n) { mpz_mfac_uiui (x, n, 2); } void mpz_fac_ui (mpz_t x, unsigned long n) { mpz_mfac_uiui (x, n, 1); } void mpz_bin_uiui (mpz_t r, unsigned long n, unsigned long k) { mpz_t t; mpz_set_ui (r, k <= n); if (k > (n >> 1)) k = (k <= n) ? n - k : 0; mpz_init (t); mpz_fac_ui (t, k); for (; k > 0; --k) mpz_mul_ui (r, r, n--); mpz_divexact (r, r, t); mpz_clear (t); } /* Primality testing */ /* Computes Kronecker (a/b) with odd b, a!=0 and GCD(a,b) = 1 */ /* Adapted from JACOBI_BASE_METHOD==4 in mpn/generic/jacbase.c */ static int gmp_jacobi_coprime (mp_limb_t a, mp_limb_t b) { int c, bit = 0; assert (b & 1); assert (a != 0); /* assert (mpn_gcd_11 (a, b) == 1); */ /* Below, we represent a and b shifted right so that the least significant one bit is implicit. */ b >>= 1; gmp_ctz(c, a); a >>= 1; for (;;) { a >>= c; /* (2/b) = -1 if b = 3 or 5 mod 8 */ bit ^= c & (b ^ (b >> 1)); if (a < b) { if (a == 0) return bit & 1 ? -1 : 1; bit ^= a & b; a = b - a; b -= a; } else { a -= b; assert (a != 0); } gmp_ctz(c, a); ++c; } } static void gmp_lucas_step_k_2k (mpz_t V, mpz_t Qk, const mpz_t n) { mpz_mod (Qk, Qk, n); /* V_{2k} <- V_k ^ 2 - 2Q^k */ mpz_mul (V, V, V); mpz_submul_ui (V, Qk, 2); mpz_tdiv_r (V, V, n); /* Q^{2k} = (Q^k)^2 */ mpz_mul (Qk, Qk, Qk); } /* Computes V_k, Q^k (mod n) for the Lucas' sequence */ /* with P=1, Q=Q; k = (n>>b0)|1. */ /* Requires an odd n > 4; b0 > 0; -2*Q must not overflow a long */ /* Returns (U_k == 0) and sets V=V_k and Qk=Q^k. */ static int gmp_lucas_mod (mpz_t V, mpz_t Qk, long Q, mp_bitcnt_t b0, const mpz_t n) { mp_bitcnt_t bs; mpz_t U; int res; assert (b0 > 0); assert (Q <= - (LONG_MIN / 2)); assert (Q >= - (LONG_MAX / 2)); assert (mpz_cmp_ui (n, 4) > 0); assert (mpz_odd_p (n)); mpz_init_set_ui (U, 1); /* U1 = 1 */ mpz_set_ui (V, 1); /* V1 = 1 */ mpz_set_si (Qk, Q); for (bs = mpz_sizeinbase (n, 2) - 1; --bs >= b0;) { /* U_{2k} <- U_k * V_k */ mpz_mul (U, U, V); /* V_{2k} <- V_k ^ 2 - 2Q^k */ /* Q^{2k} = (Q^k)^2 */ gmp_lucas_step_k_2k (V, Qk, n); /* A step k->k+1 is performed if the bit in $n$ is 1 */ /* mpz_tstbit(n,bs) or the bit is 0 in $n$ but */ /* should be 1 in $n+1$ (bs == b0) */ if (b0 == bs || mpz_tstbit (n, bs)) { /* Q^{k+1} <- Q^k * Q */ mpz_mul_si (Qk, Qk, Q); /* U_{k+1} <- (U_k + V_k) / 2 */ mpz_swap (U, V); /* Keep in V the old value of U_k */ mpz_add (U, U, V); /* We have to compute U/2, so we need an even value, */ /* equivalent (mod n) */ if (mpz_odd_p (U)) mpz_add (U, U, n); mpz_tdiv_q_2exp (U, U, 1); /* V_{k+1} <-(D*U_k + V_k) / 2 = U_{k+1} + (D-1)/2*U_k = U_{k+1} - 2Q*U_k */ mpz_mul_si (V, V, -2*Q); mpz_add (V, U, V); mpz_tdiv_r (V, V, n); } mpz_tdiv_r (U, U, n); } res = U->_mp_size == 0; mpz_clear (U); return res; } /* Performs strong Lucas' test on x, with parameters suggested */ /* for the BPSW test. Qk is only passed to recycle a variable. */ /* Requires GCD (x,6) = 1.*/ static int gmp_stronglucas (const mpz_t x, mpz_t Qk) { mp_bitcnt_t b0; mpz_t V, n; mp_limb_t maxD, D; /* The absolute value is stored. */ long Q; mp_limb_t tl; /* Test on the absolute value. */ mpz_roinit_normal_n (n, x->_mp_d, GMP_ABS (x->_mp_size)); assert (mpz_odd_p (n)); /* assert (mpz_gcd_ui (NULL, n, 6) == 1); */ if (mpz_root (Qk, n, 2)) return 0; /* A square is composite. */ /* Check Ds up to square root (in case, n is prime) or avoid overflows */ maxD = (Qk->_mp_size == 1) ? Qk->_mp_d [0] - 1 : GMP_LIMB_MAX; D = 3; /* Search a D such that (D/n) = -1 in the sequence 5,-7,9,-11,.. */ /* For those Ds we have (D/n) = (n/|D|) */ do { if (D >= maxD) return 1 + (D != GMP_LIMB_MAX); /* (1 + ! ~ D) */ D += 2; tl = mpz_tdiv_ui (n, D); if (tl == 0) return 0; } while (gmp_jacobi_coprime (tl, D) == 1); mpz_init (V); /* n-(D/n) = n+1 = d*2^{b0}, with d = (n>>b0) | 1 */ b0 = mpz_scan0 (n, 0); /* D= P^2 - 4Q; P = 1; Q = (1-D)/4 */ Q = (D & 2) ? (long) (D >> 2) + 1 : -(long) (D >> 2); if (! gmp_lucas_mod (V, Qk, Q, b0, n)) /* If Ud != 0 */ while (V->_mp_size != 0 && --b0 != 0) /* while Vk != 0 */ /* V <- V ^ 2 - 2Q^k */ /* Q^{2k} = (Q^k)^2 */ gmp_lucas_step_k_2k (V, Qk, n); mpz_clear (V); return (b0 != 0); } static int gmp_millerrabin (const mpz_t n, const mpz_t nm1, mpz_t y, const mpz_t q, mp_bitcnt_t k) { assert (k > 0); /* Caller must initialize y to the base. */ mpz_powm (y, y, q, n); if (mpz_cmp_ui (y, 1) == 0 || mpz_cmp (y, nm1) == 0) return 1; while (--k > 0) { mpz_powm_ui (y, y, 2, n); if (mpz_cmp (y, nm1) == 0) return 1; /* y == 1 means that the previous y was a non-trivial square root of 1 (mod n). y == 0 means that n is a power of the base. In either case, n is not prime. */ if (mpz_cmp_ui (y, 1) <= 0) return 0; } return 0; } /* This product is 0xc0cfd797, and fits in 32 bits. */ #define GMP_PRIME_PRODUCT \ (3UL*5UL*7UL*11UL*13UL*17UL*19UL*23UL*29UL) /* Bit (p+1)/2 is set, for each odd prime <= 61 */ #define GMP_PRIME_MASK 0xc96996dcUL int mpz_probab_prime_p (const mpz_t n, int reps) { mpz_t nm1; mpz_t q; mpz_t y; mp_bitcnt_t k; int is_prime; int j; /* Note that we use the absolute value of n only, for compatibility with the real GMP. */ if (mpz_even_p (n)) return (mpz_cmpabs_ui (n, 2) == 0) ? 2 : 0; /* Above test excludes n == 0 */ assert (n->_mp_size != 0); if (mpz_cmpabs_ui (n, 64) < 0) return (GMP_PRIME_MASK >> (n->_mp_d[0] >> 1)) & 2; if (mpz_gcd_ui (NULL, n, GMP_PRIME_PRODUCT) != 1) return 0; /* All prime factors are >= 31. */ if (mpz_cmpabs_ui (n, 31*31) < 0) return 2; mpz_init (nm1); mpz_init (q); /* Find q and k, where q is odd and n = 1 + 2**k * q. */ mpz_abs (nm1, n); nm1->_mp_d[0] -= 1; k = mpz_scan1 (nm1, 0); mpz_tdiv_q_2exp (q, nm1, k); /* BPSW test */ mpz_init_set_ui (y, 2); is_prime = gmp_millerrabin (n, nm1, y, q, k) && gmp_stronglucas (n, y); reps -= 24; /* skip the first 24 repetitions */ /* Use Miller-Rabin, with a deterministic sequence of bases, a[j] = j^2 + j + 41 using Euler's polynomial. We potentially stop early, if a[j] >= n - 1. Since n >= 31*31, this can happen only if reps > 30 (a[30] == 971 > 31*31 == 961). */ for (j = 0; is_prime & (j < reps); j++) { mpz_set_ui (y, (unsigned long) j*j+j+41); if (mpz_cmp (y, nm1) >= 0) { /* Don't try any further bases. This "early" break does not affect the result for any reasonable reps value (<=5000 was tested) */ assert (j >= 30); break; } is_prime = gmp_millerrabin (n, nm1, y, q, k); } mpz_clear (nm1); mpz_clear (q); mpz_clear (y); return is_prime; } /* Logical operations and bit manipulation. */ /* Numbers are treated as if represented in two's complement (and infinitely sign extended). For a negative values we get the two's complement from -x = ~x + 1, where ~ is bitwise complement. Negation transforms xxxx10...0 into yyyy10...0 where yyyy is the bitwise complement of xxxx. So least significant bits, up to and including the first one bit, are unchanged, and the more significant bits are all complemented. To change a bit from zero to one in a negative number, subtract the corresponding power of two from the absolute value. This can never underflow. To change a bit from one to zero, add the corresponding power of two, and this might overflow. E.g., if x = -001111, the two's complement is 110001. Clearing the least significant bit, we get two's complement 110000, and -010000. */ int mpz_tstbit (const mpz_t d, mp_bitcnt_t bit_index) { mp_size_t limb_index; unsigned shift; mp_size_t ds; mp_size_t dn; mp_limb_t w; int bit; ds = d->_mp_size; dn = GMP_ABS (ds); limb_index = bit_index / GMP_LIMB_BITS; if (limb_index >= dn) return ds < 0; shift = bit_index % GMP_LIMB_BITS; w = d->_mp_d[limb_index]; bit = (w >> shift) & 1; if (ds < 0) { /* d < 0. Check if any of the bits below is set: If so, our bit must be complemented. */ if (shift > 0 && (mp_limb_t) (w << (GMP_LIMB_BITS - shift)) > 0) return bit ^ 1; while (--limb_index >= 0) if (d->_mp_d[limb_index] > 0) return bit ^ 1; } return bit; } static void mpz_abs_add_bit (mpz_t d, mp_bitcnt_t bit_index) { mp_size_t dn, limb_index; mp_limb_t bit; mp_ptr dp; dn = GMP_ABS (d->_mp_size); limb_index = bit_index / GMP_LIMB_BITS; bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS); if (limb_index >= dn) { mp_size_t i; /* The bit should be set outside of the end of the number. We have to increase the size of the number. */ dp = MPZ_REALLOC (d, limb_index + 1); dp[limb_index] = bit; for (i = dn; i < limb_index; i++) dp[i] = 0; dn = limb_index + 1; } else { mp_limb_t cy; dp = d->_mp_d; cy = mpn_add_1 (dp + limb_index, dp + limb_index, dn - limb_index, bit); if (cy > 0) { dp = MPZ_REALLOC (d, dn + 1); dp[dn++] = cy; } } d->_mp_size = (d->_mp_size < 0) ? - dn : dn; } static void mpz_abs_sub_bit (mpz_t d, mp_bitcnt_t bit_index) { mp_size_t dn, limb_index; mp_ptr dp; mp_limb_t bit; dn = GMP_ABS (d->_mp_size); dp = d->_mp_d; limb_index = bit_index / GMP_LIMB_BITS; bit = (mp_limb_t) 1 << (bit_index % GMP_LIMB_BITS); assert (limb_index < dn); gmp_assert_nocarry (mpn_sub_1 (dp + limb_index, dp + limb_index, dn - limb_index, bit)); dn = mpn_normalized_size (dp, dn); d->_mp_size = (d->_mp_size < 0) ? - dn : dn; } void mpz_setbit (mpz_t d, mp_bitcnt_t bit_index) { if (!mpz_tstbit (d, bit_index)) { if (d->_mp_size >= 0) mpz_abs_add_bit (d, bit_index); else mpz_abs_sub_bit (d, bit_index); } } void mpz_clrbit (mpz_t d, mp_bitcnt_t bit_index) { if (mpz_tstbit (d, bit_index)) { if (d->_mp_size >= 0) mpz_abs_sub_bit (d, bit_index); else mpz_abs_add_bit (d, bit_index); } } void mpz_combit (mpz_t d, mp_bitcnt_t bit_index) { if (mpz_tstbit (d, bit_index) ^ (d->_mp_size < 0)) mpz_abs_sub_bit (d, bit_index); else mpz_abs_add_bit (d, bit_index); } void mpz_com (mpz_t r, const mpz_t u) { mpz_add_ui (r, u, 1); mpz_neg (r, r); } void mpz_and (mpz_t r, const mpz_t u, const mpz_t v) { mp_size_t un, vn, rn, i; mp_ptr up, vp, rp; mp_limb_t ux, vx, rx; mp_limb_t uc, vc, rc; mp_limb_t ul, vl, rl; un = GMP_ABS (u->_mp_size); vn = GMP_ABS (v->_mp_size); if (un < vn) { MPZ_SRCPTR_SWAP (u, v); MP_SIZE_T_SWAP (un, vn); } if (vn == 0) { r->_mp_size = 0; return; } uc = u->_mp_size < 0; vc = v->_mp_size < 0; rc = uc & vc; ux = -uc; vx = -vc; rx = -rc; /* If the smaller input is positive, higher limbs don't matter. */ rn = vx ? un : vn; rp = MPZ_REALLOC (r, rn + (mp_size_t) rc); up = u->_mp_d; vp = v->_mp_d; i = 0; do { ul = (up[i] ^ ux) + uc; uc = ul < uc; vl = (vp[i] ^ vx) + vc; vc = vl < vc; rl = ( (ul & vl) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } while (++i < vn); assert (vc == 0); for (; i < rn; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; rl = ( (ul & vx) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } if (rc) rp[rn++] = rc; else rn = mpn_normalized_size (rp, rn); r->_mp_size = rx ? -rn : rn; } void mpz_ior (mpz_t r, const mpz_t u, const mpz_t v) { mp_size_t un, vn, rn, i; mp_ptr up, vp, rp; mp_limb_t ux, vx, rx; mp_limb_t uc, vc, rc; mp_limb_t ul, vl, rl; un = GMP_ABS (u->_mp_size); vn = GMP_ABS (v->_mp_size); if (un < vn) { MPZ_SRCPTR_SWAP (u, v); MP_SIZE_T_SWAP (un, vn); } if (vn == 0) { mpz_set (r, u); return; } uc = u->_mp_size < 0; vc = v->_mp_size < 0; rc = uc | vc; ux = -uc; vx = -vc; rx = -rc; /* If the smaller input is negative, by sign extension higher limbs don't matter. */ rn = vx ? vn : un; rp = MPZ_REALLOC (r, rn + (mp_size_t) rc); up = u->_mp_d; vp = v->_mp_d; i = 0; do { ul = (up[i] ^ ux) + uc; uc = ul < uc; vl = (vp[i] ^ vx) + vc; vc = vl < vc; rl = ( (ul | vl) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } while (++i < vn); assert (vc == 0); for (; i < rn; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; rl = ( (ul | vx) ^ rx) + rc; rc = rl < rc; rp[i] = rl; } if (rc) rp[rn++] = rc; else rn = mpn_normalized_size (rp, rn); r->_mp_size = rx ? -rn : rn; } void mpz_xor (mpz_t r, const mpz_t u, const mpz_t v) { mp_size_t un, vn, i; mp_ptr up, vp, rp; mp_limb_t ux, vx, rx; mp_limb_t uc, vc, rc; mp_limb_t ul, vl, rl; un = GMP_ABS (u->_mp_size); vn = GMP_ABS (v->_mp_size); if (un < vn) { MPZ_SRCPTR_SWAP (u, v); MP_SIZE_T_SWAP (un, vn); } if (vn == 0) { mpz_set (r, u); return; } uc = u->_mp_size < 0; vc = v->_mp_size < 0; rc = uc ^ vc; ux = -uc; vx = -vc; rx = -rc; rp = MPZ_REALLOC (r, un + (mp_size_t) rc); up = u->_mp_d; vp = v->_mp_d; i = 0; do { ul = (up[i] ^ ux) + uc; uc = ul < uc; vl = (vp[i] ^ vx) + vc; vc = vl < vc; rl = (ul ^ vl ^ rx) + rc; rc = rl < rc; rp[i] = rl; } while (++i < vn); assert (vc == 0); for (; i < un; i++) { ul = (up[i] ^ ux) + uc; uc = ul < uc; rl = (ul ^ ux) + rc; rc = rl < rc; rp[i] = rl; } if (rc) rp[un++] = rc; else un = mpn_normalized_size (rp, un); r->_mp_size = rx ? -un : un; } static unsigned gmp_popcount_limb (mp_limb_t x) { unsigned c; /* Do 16 bits at a time, to avoid limb-sized constants. */ int LOCAL_SHIFT_BITS = 16; for (c = 0; x > 0;) { unsigned w = x - ((x >> 1) & 0x5555); w = ((w >> 2) & 0x3333) + (w & 0x3333); w = (w >> 4) + w; w = ((w >> 8) & 0x000f) + (w & 0x000f); c += w; if (GMP_LIMB_BITS > LOCAL_SHIFT_BITS) x >>= LOCAL_SHIFT_BITS; else x = 0; } return c; } mp_bitcnt_t mpn_popcount (mp_srcptr p, mp_size_t n) { mp_size_t i; mp_bitcnt_t c; for (c = 0, i = 0; i < n; i++) c += gmp_popcount_limb (p[i]); return c; } mp_bitcnt_t mpz_popcount (const mpz_t u) { mp_size_t un; un = u->_mp_size; if (un < 0) return ~(mp_bitcnt_t) 0; return mpn_popcount (u->_mp_d, un); } mp_bitcnt_t mpz_hamdist (const mpz_t u, const mpz_t v) { mp_size_t un, vn, i; mp_limb_t uc, vc, ul, vl, comp; mp_srcptr up, vp; mp_bitcnt_t c; un = u->_mp_size; vn = v->_mp_size; if ( (un ^ vn) < 0) return ~(mp_bitcnt_t) 0; comp = - (uc = vc = (un < 0)); if (uc) { assert (vn < 0); un = -un; vn = -vn; } up = u->_mp_d; vp = v->_mp_d; if (un < vn) MPN_SRCPTR_SWAP (up, un, vp, vn); for (i = 0, c = 0; i < vn; i++) { ul = (up[i] ^ comp) + uc; uc = ul < uc; vl = (vp[i] ^ comp) + vc; vc = vl < vc; c += gmp_popcount_limb (ul ^ vl); } assert (vc == 0); for (; i < un; i++) { ul = (up[i] ^ comp) + uc; uc = ul < uc; c += gmp_popcount_limb (ul ^ comp); } return c; } mp_bitcnt_t mpz_scan1 (const mpz_t u, mp_bitcnt_t starting_bit) { mp_ptr up; mp_size_t us, un, i; mp_limb_t limb, ux; us = u->_mp_size; un = GMP_ABS (us); i = starting_bit / GMP_LIMB_BITS; /* Past the end there's no 1 bits for u>=0, or an immediate 1 bit for u<0. Notice this test picks up any u==0 too. */ if (i >= un) return (us >= 0 ? ~(mp_bitcnt_t) 0 : starting_bit); up = u->_mp_d; ux = 0; limb = up[i]; if (starting_bit != 0) { if (us < 0) { ux = mpn_zero_p (up, i); limb = ~ limb + ux; ux = - (mp_limb_t) (limb >= ux); } /* Mask to 0 all bits before starting_bit, thus ignoring them. */ limb &= GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS); } return mpn_common_scan (limb, i, up, un, ux); } mp_bitcnt_t mpz_scan0 (const mpz_t u, mp_bitcnt_t starting_bit) { mp_ptr up; mp_size_t us, un, i; mp_limb_t limb, ux; us = u->_mp_size; ux = - (mp_limb_t) (us >= 0); un = GMP_ABS (us); i = starting_bit / GMP_LIMB_BITS; /* When past end, there's an immediate 0 bit for u>=0, or no 0 bits for u<0. Notice this test picks up all cases of u==0 too. */ if (i >= un) return (ux ? starting_bit : ~(mp_bitcnt_t) 0); up = u->_mp_d; limb = up[i] ^ ux; if (ux == 0) limb -= mpn_zero_p (up, i); /* limb = ~(~limb + zero_p) */ /* Mask all bits before starting_bit, thus ignoring them. */ limb &= GMP_LIMB_MAX << (starting_bit % GMP_LIMB_BITS); return mpn_common_scan (limb, i, up, un, ux); } /* MPZ base conversion. */ size_t mpz_sizeinbase (const mpz_t u, int base) { mp_size_t un; mp_srcptr up; mp_ptr tp; mp_bitcnt_t bits; struct gmp_div_inverse bi; size_t ndigits; assert (base >= 2); assert (base <= 62); un = GMP_ABS (u->_mp_size); if (un == 0) return 1; up = u->_mp_d; bits = (un - 1) * GMP_LIMB_BITS + mpn_limb_size_in_base_2 (up[un-1]); switch (base) { case 2: return bits; case 4: return (bits + 1) / 2; case 8: return (bits + 2) / 3; case 16: return (bits + 3) / 4; case 32: return (bits + 4) / 5; /* FIXME: Do something more clever for the common case of base 10. */ } tp = gmp_xalloc_limbs (un); mpn_copyi (tp, up, un); mpn_div_qr_1_invert (&bi, base); ndigits = 0; do { ndigits++; mpn_div_qr_1_preinv (tp, tp, un, &bi); un -= (tp[un-1] == 0); } while (un > 0); gmp_free (tp); return ndigits; } char * mpz_get_str (char *sp, int base, const mpz_t u) { unsigned bits; const char *digits; mp_size_t un; size_t i, sn; digits = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; if (base > 1) { if (base <= 36) digits = "0123456789abcdefghijklmnopqrstuvwxyz"; else if (base > 62) return NULL; } else if (base >= -1) base = 10; else { base = -base; if (base > 36) return NULL; } sn = 1 + mpz_sizeinbase (u, base); if (!sp) sp = (char *) gmp_xalloc (1 + sn); un = GMP_ABS (u->_mp_size); if (un == 0) { sp[0] = '0'; sp[1] = '\0'; return sp; } i = 0; if (u->_mp_size < 0) sp[i++] = '-'; bits = mpn_base_power_of_two_p (base); if (bits) /* Not modified in this case. */ sn = i + mpn_get_str_bits ((unsigned char *) sp + i, bits, u->_mp_d, un); else { struct mpn_base_info info; mp_ptr tp; mpn_get_base_info (&info, base); tp = gmp_xalloc_limbs (un); mpn_copyi (tp, u->_mp_d, un); sn = i + mpn_get_str_other ((unsigned char *) sp + i, base, &info, tp, un); gmp_free (tp); } for (; i < sn; i++) sp[i] = digits[(unsigned char) sp[i]]; sp[sn] = '\0'; return sp; } int mpz_set_str (mpz_t r, const char *sp, int base) { unsigned bits, value_of_a; mp_size_t rn, alloc; mp_ptr rp; size_t dn; int sign; unsigned char *dp; assert (base == 0 || (base >= 2 && base <= 62)); while (isspace( (unsigned char) *sp)) sp++; sign = (*sp == '-'); sp += sign; if (base == 0) { if (sp[0] == '0') { if (sp[1] == 'x' || sp[1] == 'X') { base = 16; sp += 2; } else if (sp[1] == 'b' || sp[1] == 'B') { base = 2; sp += 2; } else base = 8; } else base = 10; } if (!*sp) { r->_mp_size = 0; return -1; } dp = (unsigned char *) gmp_xalloc (strlen (sp)); value_of_a = (base > 36) ? 36 : 10; for (dn = 0; *sp; sp++) { unsigned digit; if (isspace ((unsigned char) *sp)) continue; else if (*sp >= '0' && *sp <= '9') digit = *sp - '0'; else if (*sp >= 'a' && *sp <= 'z') digit = *sp - 'a' + value_of_a; else if (*sp >= 'A' && *sp <= 'Z') digit = *sp - 'A' + 10; else digit = base; /* fail */ if (digit >= (unsigned) base) { gmp_free (dp); r->_mp_size = 0; return -1; } dp[dn++] = digit; } if (!dn) { gmp_free (dp); r->_mp_size = 0; return -1; } bits = mpn_base_power_of_two_p (base); if (bits > 0) { alloc = (dn * bits + GMP_LIMB_BITS - 1) / GMP_LIMB_BITS; rp = MPZ_REALLOC (r, alloc); rn = mpn_set_str_bits (rp, dp, dn, bits); } else { struct mpn_base_info info; mpn_get_base_info (&info, base); alloc = (dn + info.exp - 1) / info.exp; rp = MPZ_REALLOC (r, alloc); rn = mpn_set_str_other (rp, dp, dn, base, &info); /* Normalization, needed for all-zero input. */ assert (rn > 0); rn -= rp[rn-1] == 0; } assert (rn <= alloc); gmp_free (dp); r->_mp_size = sign ? - rn : rn; return 0; } int mpz_init_set_str (mpz_t r, const char *sp, int base) { mpz_init (r); return mpz_set_str (r, sp, base); } size_t mpz_out_str (FILE *stream, int base, const mpz_t x) { char *str; size_t len; str = mpz_get_str (NULL, base, x); len = strlen (str); len = fwrite (str, 1, len, stream); gmp_free (str); return len; } static int gmp_detect_endian (void) { static const int i = 2; const unsigned char *p = (const unsigned char *) &i; return 1 - *p; } /* Import and export. Does not support nails. */ void mpz_import (mpz_t r, size_t count, int order, size_t size, int endian, size_t nails, const void *src) { const unsigned char *p; ptrdiff_t word_step; mp_ptr rp; mp_size_t rn; /* The current (partial) limb. */ mp_limb_t limb; /* The number of bytes already copied to this limb (starting from the low end). */ size_t bytes; /* The index where the limb should be stored, when completed. */ mp_size_t i; if (nails != 0) gmp_die ("mpz_import: Nails not supported."); assert (order == 1 || order == -1); assert (endian >= -1 && endian <= 1); if (endian == 0) endian = gmp_detect_endian (); p = (unsigned char *) src; word_step = (order != endian) ? 2 * size : 0; /* Process bytes from the least significant end, so point p at the least significant word. */ if (order == 1) { p += size * (count - 1); word_step = - word_step; } /* And at least significant byte of that word. */ if (endian == 1) p += (size - 1); rn = (size * count + sizeof(mp_limb_t) - 1) / sizeof(mp_limb_t); rp = MPZ_REALLOC (r, rn); for (limb = 0, bytes = 0, i = 0; count > 0; count--, p += word_step) { size_t j; for (j = 0; j < size; j++, p -= (ptrdiff_t) endian) { limb |= (mp_limb_t) *p << (bytes++ * CHAR_BIT); if (bytes == sizeof(mp_limb_t)) { rp[i++] = limb; bytes = 0; limb = 0; } } } assert (i + (bytes > 0) == rn); if (limb != 0) rp[i++] = limb; else i = mpn_normalized_size (rp, i); r->_mp_size = i; } void * mpz_export (void *r, size_t *countp, int order, size_t size, int endian, size_t nails, const mpz_t u) { size_t count; mp_size_t un; if (nails != 0) gmp_die ("mpz_import: Nails not supported."); assert (order == 1 || order == -1); assert (endian >= -1 && endian <= 1); assert (size > 0 || u->_mp_size == 0); un = u->_mp_size; count = 0; if (un != 0) { size_t k; unsigned char *p; ptrdiff_t word_step; /* The current (partial) limb. */ mp_limb_t limb; /* The number of bytes left to do in this limb. */ size_t bytes; /* The index where the limb was read. */ mp_size_t i; un = GMP_ABS (un); /* Count bytes in top limb. */ limb = u->_mp_d[un-1]; assert (limb != 0); k = (GMP_LIMB_BITS <= CHAR_BIT); if (!k) { do { int LOCAL_CHAR_BIT = CHAR_BIT; k++; limb >>= LOCAL_CHAR_BIT; } while (limb != 0); } /* else limb = 0; */ count = (k + (un-1) * sizeof (mp_limb_t) + size - 1) / size; if (!r) r = gmp_xalloc (count * size); if (endian == 0) endian = gmp_detect_endian (); p = (unsigned char *) r; word_step = (order != endian) ? 2 * size : 0; /* Process bytes from the least significant end, so point p at the least significant word. */ if (order == 1) { p += size * (count - 1); word_step = - word_step; } /* And at least significant byte of that word. */ if (endian == 1) p += (size - 1); for (bytes = 0, i = 0, k = 0; k < count; k++, p += word_step) { size_t j; for (j = 0; j < size; ++j, p -= (ptrdiff_t) endian) { if (sizeof (mp_limb_t) == 1) { if (i < un) *p = u->_mp_d[i++]; else *p = 0; } else { int LOCAL_CHAR_BIT = CHAR_BIT; if (bytes == 0) { if (i < un) limb = u->_mp_d[i++]; bytes = sizeof (mp_limb_t); } *p = limb; limb >>= LOCAL_CHAR_BIT; bytes--; } } } assert (i == un); assert (k == count); } if (countp) *countp = count; return r; } nettle-3.10/sha2.h0000644000175000017500000001204414633602172012767 0ustar nissenisse/* sha2.h The sha2 family of hash functions. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA2_H_INCLUDED #define NETTLE_SHA2_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sha224_init nettle_sha224_init #define sha224_digest nettle_sha224_digest #define sha256_init nettle_sha256_init #define sha256_update nettle_sha256_update #define sha256_digest nettle_sha256_digest #define sha256_compress nettle_sha256_compress #define sha384_init nettle_sha384_init #define sha384_digest nettle_sha384_digest #define sha512_init nettle_sha512_init #define sha512_update nettle_sha512_update #define sha512_digest nettle_sha512_digest #define sha512_compress nettle_sha512_compress #define sha512_224_init nettle_sha512_224_init #define sha512_224_digest nettle_sha512_224_digest #define sha512_256_init nettle_sha512_256_init #define sha512_256_digest nettle_sha512_256_digest /* For backwards compatibility */ #define SHA224_DATA_SIZE SHA256_BLOCK_SIZE #define SHA256_DATA_SIZE SHA256_BLOCK_SIZE #define SHA512_DATA_SIZE SHA512_BLOCK_SIZE #define SHA384_DATA_SIZE SHA512_BLOCK_SIZE /* SHA256 */ #define SHA256_DIGEST_SIZE 32 #define SHA256_BLOCK_SIZE 64 /* Digest is kept internally as 8 32-bit words. */ #define _SHA256_DIGEST_LENGTH 8 struct sha256_ctx { uint32_t state[_SHA256_DIGEST_LENGTH]; /* State variables */ uint64_t count; /* 64-bit block count */ unsigned int index; /* index into buffer */ uint8_t block[SHA256_BLOCK_SIZE]; /* SHA256 data buffer */ }; void sha256_init(struct sha256_ctx *ctx); void sha256_update(struct sha256_ctx *ctx, size_t length, const uint8_t *data); void sha256_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest); void sha256_compress(uint32_t *state, const uint8_t *input); /* SHA224, a truncated SHA256 with different initial state. */ #define SHA224_DIGEST_SIZE 28 #define SHA224_BLOCK_SIZE SHA256_BLOCK_SIZE #define sha224_ctx sha256_ctx void sha224_init(struct sha256_ctx *ctx); #define sha224_update nettle_sha256_update void sha224_digest(struct sha256_ctx *ctx, size_t length, uint8_t *digest); /* SHA512 */ #define SHA512_DIGEST_SIZE 64 #define SHA512_BLOCK_SIZE 128 /* Digest is kept internally as 8 64-bit words. */ #define _SHA512_DIGEST_LENGTH 8 struct sha512_ctx { uint64_t state[_SHA512_DIGEST_LENGTH]; /* State variables */ uint64_t count_low, count_high; /* 128-bit block count */ unsigned int index; /* index into buffer */ uint8_t block[SHA512_BLOCK_SIZE]; /* SHA512 data buffer */ }; void sha512_init(struct sha512_ctx *ctx); void sha512_update(struct sha512_ctx *ctx, size_t length, const uint8_t *data); void sha512_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest); void sha512_compress(uint64_t *state, const uint8_t *input); /* SHA384, a truncated SHA512 with different initial state. */ #define SHA384_DIGEST_SIZE 48 #define SHA384_BLOCK_SIZE SHA512_BLOCK_SIZE #define sha384_ctx sha512_ctx void sha384_init(struct sha512_ctx *ctx); #define sha384_update nettle_sha512_update void sha384_digest(struct sha512_ctx *ctx, size_t length, uint8_t *digest); /* SHA512_224 and SHA512_256, two truncated versions of SHA512 with different initial states. */ #define SHA512_224_DIGEST_SIZE 28 #define SHA512_224_BLOCK_SIZE SHA512_BLOCK_SIZE #define sha512_224_ctx sha512_ctx void sha512_224_init(struct sha512_224_ctx *ctx); #define sha512_224_update nettle_sha512_update void sha512_224_digest(struct sha512_224_ctx *ctx, size_t length, uint8_t *digest); #define SHA512_256_DIGEST_SIZE 32 #define SHA512_256_BLOCK_SIZE SHA512_BLOCK_SIZE #define sha512_256_ctx sha512_ctx void sha512_256_init(struct sha512_256_ctx *ctx); #define sha512_256_update nettle_sha512_update void sha512_256_digest(struct sha512_256_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_SHA2_H_INCLUDED */ nettle-3.10/umac128.c0000644000175000017500000000671014633602171013307 0ustar nissenisse/* umac128.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "umac.h" #include "umac-internal.h" #include "macros.h" void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key) { _nettle_umac_set_key (ctx->l1_key, ctx->l2_key, ctx->l3_key1, ctx->l3_key2, &ctx->pdf_key, key, 4); /* Clear nonce */ memset (ctx->nonce, 0, sizeof(ctx->nonce)); ctx->nonce_length = sizeof(ctx->nonce); /* Initialize buffer */ ctx->count = ctx->index = 0; } void umac128_set_nonce (struct umac128_ctx *ctx, size_t nonce_length, const uint8_t *nonce) { assert (nonce_length > 0); assert (nonce_length <= AES_BLOCK_SIZE); memcpy (ctx->nonce, nonce, nonce_length); memset (ctx->nonce + nonce_length, 0, AES_BLOCK_SIZE - nonce_length); ctx->nonce_length = nonce_length; } #define UMAC128_BLOCK(ctx, block) do { \ uint64_t __umac128_y[4]; \ _nettle_umac_nh_n (__umac128_y, 4, ctx->l1_key, UMAC_BLOCK_SIZE, block); \ __umac128_y[0] += 8*UMAC_BLOCK_SIZE; \ __umac128_y[1] += 8*UMAC_BLOCK_SIZE; \ __umac128_y[2] += 8*UMAC_BLOCK_SIZE; \ __umac128_y[3] += 8*UMAC_BLOCK_SIZE; \ _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, __umac128_y); \ } while (0) void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, UMAC128_BLOCK, (void)0); } void umac128_digest (struct umac128_ctx *ctx, size_t length, uint8_t *digest) { uint32_t tag[4]; unsigned i; assert (length > 0); assert (length <= 16); if (ctx->index > 0 || ctx->count == 0) { /* Zero pad to multiple of 32 */ uint64_t y[4]; unsigned pad = (ctx->index > 0) ? 31 & - ctx->index : 32; memset (ctx->block + ctx->index, 0, pad); _nettle_umac_nh_n (y, 4, ctx->l1_key, ctx->index + pad, ctx->block); y[0] += 8 * ctx->index; y[1] += 8 * ctx->index; y[2] += 8 * ctx->index; y[3] += 8 * ctx->index; _nettle_umac_l2 (ctx->l2_key, ctx->l2_state, 4, ctx->count++, y); } assert (ctx->count > 0); aes128_encrypt (&ctx->pdf_key, AES_BLOCK_SIZE, (uint8_t *) tag, ctx->nonce); INCREMENT (ctx->nonce_length, ctx->nonce); _nettle_umac_l2_final (ctx->l2_key, ctx->l2_state, 4, ctx->count); for (i = 0; i < 4; i++) tag[i] ^= ctx->l3_key2[i] ^ _nettle_umac_l3 (ctx->l3_key1 + 8*i, ctx->l2_state + 2*i); memcpy (digest, tag, length); /* Reinitialize */ ctx->count = ctx->index = 0; } nettle-3.10/gcm.h0000644000175000017500000002655614633602172012715 0ustar nissenisse/* gcm.h Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2014 Niels Möller Contributed by Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_GCM_H_INCLUDED #define NETTLE_GCM_H_INCLUDED #include "aes.h" #include "camellia.h" #include "sm4.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define gcm_set_key nettle_gcm_set_key #define gcm_set_iv nettle_gcm_set_iv #define gcm_update nettle_gcm_update #define gcm_encrypt nettle_gcm_encrypt #define gcm_decrypt nettle_gcm_decrypt #define gcm_digest nettle_gcm_digest #define gcm_aes128_set_key nettle_gcm_aes128_set_key #define gcm_aes128_set_iv nettle_gcm_aes128_set_iv #define gcm_aes128_update nettle_gcm_aes128_update #define gcm_aes128_encrypt nettle_gcm_aes128_encrypt #define gcm_aes128_decrypt nettle_gcm_aes128_decrypt #define gcm_aes128_digest nettle_gcm_aes128_digest #define gcm_aes192_set_key nettle_gcm_aes192_set_key #define gcm_aes192_set_iv nettle_gcm_aes192_set_iv #define gcm_aes192_update nettle_gcm_aes192_update #define gcm_aes192_encrypt nettle_gcm_aes192_encrypt #define gcm_aes192_decrypt nettle_gcm_aes192_decrypt #define gcm_aes192_digest nettle_gcm_aes192_digest #define gcm_aes256_set_key nettle_gcm_aes256_set_key #define gcm_aes256_set_iv nettle_gcm_aes256_set_iv #define gcm_aes256_update nettle_gcm_aes256_update #define gcm_aes256_encrypt nettle_gcm_aes256_encrypt #define gcm_aes256_decrypt nettle_gcm_aes256_decrypt #define gcm_aes256_digest nettle_gcm_aes256_digest #define gcm_aes_set_key nettle_gcm_aes_set_key #define gcm_aes_set_iv nettle_gcm_aes_set_iv #define gcm_aes_update nettle_gcm_aes_update #define gcm_aes_encrypt nettle_gcm_aes_encrypt #define gcm_aes_decrypt nettle_gcm_aes_decrypt #define gcm_aes_digest nettle_gcm_aes_digest #define gcm_camellia128_set_key nettle_gcm_camellia128_set_key #define gcm_camellia128_set_iv nettle_gcm_camellia128_set_iv #define gcm_camellia128_update nettle_gcm_camellia128_update #define gcm_camellia128_encrypt nettle_gcm_camellia128_encrypt #define gcm_camellia128_decrypt nettle_gcm_camellia128_decrypt #define gcm_camellia128_digest nettle_gcm_camellia128_digest #define gcm_camellia256_set_key nettle_gcm_camellia256_set_key #define gcm_camellia256_set_iv nettle_gcm_camellia256_set_iv #define gcm_camellia256_update nettle_gcm_camellia256_update #define gcm_camellia256_encrypt nettle_gcm_camellia256_encrypt #define gcm_camellia256_decrypt nettle_gcm_camellia256_decrypt #define gcm_camellia256_digest nettle_gcm_camellia256_digest #define gcm_sm4_set_key nettle_gcm_sm4_set_key #define gcm_sm4_set_iv nettle_gcm_sm4_set_iv #define gcm_sm4_update nettle_gcm_sm4_update #define gcm_sm4_encrypt nettle_gcm_sm4_encrypt #define gcm_sm4_decrypt nettle_gcm_sm4_decrypt #define gcm_sm4_digest nettle_gcm_sm4_digest #define GCM_BLOCK_SIZE 16 #define GCM_IV_SIZE (GCM_BLOCK_SIZE - 4) #define GCM_DIGEST_SIZE 16 #define GCM_TABLE_BITS 8 /* Hashing subkey */ struct gcm_key { union nettle_block16 h[1 << GCM_TABLE_BITS]; }; /* Per-message state, depending on the iv */ struct gcm_ctx { /* Original counter block */ union nettle_block16 iv; /* Updated for each block. */ union nettle_block16 ctr; /* Hashing state */ union nettle_block16 x; uint64_t auth_size; uint64_t data_size; }; void gcm_set_key(struct gcm_key *key, const void *cipher, nettle_cipher_func *f); void gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv); void gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data); void gcm_encrypt(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest); /* Convenience macrology (not sure how useful it is) */ /* All-in-one context, with hash subkey, message state, and cipher. */ #define GCM_CTX(type) \ { struct gcm_key key; struct gcm_ctx gcm; type cipher; } /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define GCM_SET_KEY(ctx, set_key, encrypt, gcm_key) \ do { \ (set_key)(&(ctx)->cipher, (gcm_key)); \ if (0) (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ gcm_set_key(&(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt)); \ } while (0) #define GCM_SET_IV(ctx, length, data) \ gcm_set_iv(&(ctx)->gcm, &(ctx)->key, (length), (data)) #define GCM_UPDATE(ctx, length, data) \ gcm_update(&(ctx)->gcm, &(ctx)->key, (length), (data)) #define GCM_ENCRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : gcm_encrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define GCM_DECRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : gcm_decrypt(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define GCM_DIGEST(ctx, encrypt, length, digest) \ (0 ? (encrypt)(&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : gcm_digest(&(ctx)->gcm, &(ctx)->key, &(ctx)->cipher, \ (nettle_cipher_func *) (encrypt), \ (length), (digest))) struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); void gcm_aes128_set_key(struct gcm_aes128_ctx *ctx, const uint8_t *key); /* FIXME: Define _update and _set_iv as some kind of aliaes, there's nothing aes-specific. */ void gcm_aes128_update (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes128_set_iv (struct gcm_aes128_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes128_encrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes128_decrypt(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes128_digest(struct gcm_aes128_ctx *ctx, size_t length, uint8_t *digest); struct gcm_aes192_ctx GCM_CTX(struct aes192_ctx); void gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key); void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes192_digest(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *digest); struct gcm_aes256_ctx GCM_CTX(struct aes256_ctx); void gcm_aes256_set_key(struct gcm_aes256_ctx *ctx, const uint8_t *key); void gcm_aes256_update (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *data); void gcm_aes256_set_iv (struct gcm_aes256_ctx *ctx, size_t length, const uint8_t *iv); void gcm_aes256_encrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes256_decrypt(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_aes256_digest(struct gcm_aes256_ctx *ctx, size_t length, uint8_t *digest); /* Old deprecated aes interface, for backwards compatibility */ struct gcm_aes_ctx GCM_CTX(struct aes_ctx); void gcm_aes_set_key(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED; void gcm_aes_set_iv(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *iv) _NETTLE_ATTRIBUTE_DEPRECATED; void gcm_aes_update(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *data) _NETTLE_ATTRIBUTE_DEPRECATED; void gcm_aes_encrypt(struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED; void gcm_aes_decrypt(struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED; void gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest) _NETTLE_ATTRIBUTE_DEPRECATED; struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx); void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx, const uint8_t *key); void gcm_camellia128_set_iv(struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv); void gcm_camellia128_update(struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data); void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *digest); struct gcm_camellia256_ctx GCM_CTX(struct camellia256_ctx); void gcm_camellia256_set_key(struct gcm_camellia256_ctx *ctx, const uint8_t *key); void gcm_camellia256_set_iv(struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *iv); void gcm_camellia256_update(struct gcm_camellia256_ctx *ctx, size_t length, const uint8_t *data); void gcm_camellia256_encrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia256_decrypt(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_camellia256_digest(struct gcm_camellia256_ctx *ctx, size_t length, uint8_t *digest); struct gcm_sm4_ctx GCM_CTX(struct sm4_ctx); void gcm_sm4_set_key(struct gcm_sm4_ctx *ctx, const uint8_t *key); void gcm_sm4_set_iv(struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *iv); void gcm_sm4_update(struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *data); void gcm_sm4_encrypt(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_sm4_decrypt(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void gcm_sm4_digest(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_GCM_H_INCLUDED */ nettle-3.10/curve25519-eh-to-x.c0000644000175000017500000000430214633602172015134 0ustar nissenisse/* curve25519-x.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve25519.h" #include "ecc.h" #include "ecc-internal.h" /* Transform a point on the twisted Edwards curve to the curve25519 Montgomery curve, and return the x coordinate. */ void curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch) { #define vp (p + ecc->p.size) #define wp (p + 2*ecc->p.size) #define t0 scratch #define t1 (scratch + ecc->p.size) #define tp (scratch + 2*ecc->p.size) const struct ecc_curve *ecc = &_nettle_curve25519; /* If u = U/W and v = V/W are the coordinates of the point on the Edwards curve we get the curve25519 x coordinate as x = (1+v) / (1-v) = (W + V) / (W - V) */ /* NOTE: For the infinity point, this subtraction gives zero (mod p), which isn't invertible. For curve25519, the desired output is x = 0, and we should be fine, since ecc_mod_inv for ecc->p returns 0 in this case. */ ecc_mod_sub (&ecc->p, t0, wp, vp); /* Needs a total of 6*size storage. */ ecc->p.invert (&ecc->p, t1, t0, tp); ecc_mod_add (&ecc->p, t0, wp, vp); ecc_mod_mul_canonical (&ecc->p, xp, t0, t1, tp); #undef vp #undef wp #undef t0 #undef t1 #undef tp } nettle-3.10/gcm-camellia128.c0000644000175000017500000000402014633602171014665 0ustar nissenisse/* gcm-camellia128.c Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_camellia128_set_key(struct gcm_camellia128_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, camellia128_set_encrypt_key, camellia128_crypt, key); } void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_camellia128_update (struct gcm_camellia128_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_camellia128_encrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, camellia128_crypt, length, dst, src); } void gcm_camellia128_decrypt(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, camellia128_crypt, length, dst, src); } void gcm_camellia128_digest(struct gcm_camellia128_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, camellia128_crypt, length, digest); } nettle-3.10/curve25519-mul-g.c0000644000175000017500000000367014633602172014703 0ustar nissenisse/* curve25519-mul-g.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve25519.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult_base. */ void curve25519_mul_g (uint8_t *r, const uint8_t *n) { const struct ecc_curve *ecc = &_nettle_curve25519; uint8_t t[CURVE25519_SIZE]; mp_limb_t *scratch; mp_size_t itch; #define ng scratch #define x (scratch + 3*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size) memcpy (t, n, sizeof(t)); t[0] &= ~7; t[CURVE25519_SIZE-1] = (t[CURVE25519_SIZE-1] & 0x3f) | 0x40; itch = 4*ecc->p.size + ecc->mul_g_itch; scratch = gmp_alloc_limbs (itch); mpn_set_base256_le (x, ecc->p.size, t, CURVE25519_SIZE); ecc_mul_g_eh (ecc, ng, x, scratch_out); curve25519_eh_to_x (x, ng, scratch_out); mpn_get_base256_le (r, CURVE25519_SIZE, x, ecc->p.size); gmp_free_limbs (scratch, itch); #undef p #undef x #undef scratch_out } nettle-3.10/sha3.h0000644000175000017500000001264314633602172012775 0ustar nissenisse/* sha3.h The sha3 hash function (aka Keccak). Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA3_H_INCLUDED #define NETTLE_SHA3_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sha3_permute nettle_sha3_permute #define sha3_128_init nettle_sha3_128_init #define sha3_128_update nettle_sha3_128_update #define sha3_128_shake nettle_sha3_128_shake #define sha3_128_shake_output nettle_sha3_128_shake_output #define sha3_224_init nettle_sha3_224_init #define sha3_224_update nettle_sha3_224_update #define sha3_224_digest nettle_sha3_224_digest #define sha3_256_init nettle_sha3_256_init #define sha3_256_update nettle_sha3_256_update #define sha3_256_digest nettle_sha3_256_digest #define sha3_256_shake nettle_sha3_256_shake #define sha3_256_shake_output nettle_sha3_256_shake_output #define sha3_384_init nettle_sha3_384_init #define sha3_384_update nettle_sha3_384_update #define sha3_384_digest nettle_sha3_384_digest #define sha3_512_init nettle_sha3_512_init #define sha3_512_update nettle_sha3_512_update #define sha3_512_digest nettle_sha3_512_digest /* Indicates that SHA3 is the NIST FIPS 202 version. */ #define NETTLE_SHA3_FIPS202 1 /* The sha3 state is a 5x5 matrix of 64-bit words. In the notation of Keccak description, S[x,y] is element x + 5*y, so if x is interpreted as the row index and y the column index, it is stored in column-major order. */ #define SHA3_STATE_LENGTH 25 /* The "width" is 1600 bits or 200 octets */ struct sha3_state { uint64_t a[SHA3_STATE_LENGTH]; }; void sha3_permute (struct sha3_state *state); /* The "capacity" is set to 2*(digest size), 512 bits or 64 octets. The "rate" is the width - capacity, or width - 2 * (digest size). */ #define SHA3_128_DIGEST_SIZE 16 #define SHA3_128_BLOCK_SIZE 168 #define SHA3_224_DIGEST_SIZE 28 #define SHA3_224_BLOCK_SIZE 144 #define SHA3_256_DIGEST_SIZE 32 #define SHA3_256_BLOCK_SIZE 136 #define SHA3_384_DIGEST_SIZE 48 #define SHA3_384_BLOCK_SIZE 104 #define SHA3_512_DIGEST_SIZE 64 #define SHA3_512_BLOCK_SIZE 72 /* For backwards compatibility */ #define SHA3_224_DATA_SIZE SHA3_224_BLOCK_SIZE #define SHA3_256_DATA_SIZE SHA3_256_BLOCK_SIZE #define SHA3_384_DATA_SIZE SHA3_384_BLOCK_SIZE #define SHA3_512_DATA_SIZE SHA3_512_BLOCK_SIZE struct sha3_128_ctx { struct sha3_state state; unsigned index; uint8_t block[SHA3_128_BLOCK_SIZE]; }; void sha3_128_init (struct sha3_128_ctx *ctx); void sha3_128_update (struct sha3_128_ctx *ctx, size_t length, const uint8_t *data); void sha3_128_shake (struct sha3_128_ctx *ctx, size_t length, uint8_t *digest); void sha3_128_shake_output (struct sha3_128_ctx *ctx, size_t length, uint8_t *digest); struct sha3_224_ctx { struct sha3_state state; unsigned index; uint8_t block[SHA3_224_BLOCK_SIZE]; }; void sha3_224_init (struct sha3_224_ctx *ctx); void sha3_224_update (struct sha3_224_ctx *ctx, size_t length, const uint8_t *data); void sha3_224_digest(struct sha3_224_ctx *ctx, size_t length, uint8_t *digest); struct sha3_256_ctx { struct sha3_state state; unsigned index; uint8_t block[SHA3_256_BLOCK_SIZE]; }; void sha3_256_init (struct sha3_256_ctx *ctx); void sha3_256_update (struct sha3_256_ctx *ctx, size_t length, const uint8_t *data); void sha3_256_digest(struct sha3_256_ctx *ctx, size_t length, uint8_t *digest); /* Alternative digest function implementing shake256, with arbitrary digest size */ void sha3_256_shake(struct sha3_256_ctx *ctx, size_t length, uint8_t *digest); /* Unlike sha3_256_shake, this function can be called multiple times to retrieve output from shake256 in an incremental manner */ void sha3_256_shake_output(struct sha3_256_ctx *ctx, size_t length, uint8_t *digest); struct sha3_384_ctx { struct sha3_state state; unsigned index; uint8_t block[SHA3_384_BLOCK_SIZE]; }; void sha3_384_init (struct sha3_384_ctx *ctx); void sha3_384_update (struct sha3_384_ctx *ctx, size_t length, const uint8_t *data); void sha3_384_digest(struct sha3_384_ctx *ctx, size_t length, uint8_t *digest); struct sha3_512_ctx { struct sha3_state state; unsigned index; uint8_t block[SHA3_512_BLOCK_SIZE]; }; void sha3_512_init (struct sha3_512_ctx *ctx); void sha3_512_update (struct sha3_512_ctx *ctx, size_t length, const uint8_t *data); void sha3_512_digest(struct sha3_512_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_SHA3_H_INCLUDED */ nettle-3.10/aes256-set-encrypt-key.c0000644000175000017500000000274614633602171016202 0ustar nissenisse/* aes256-set-encrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes256_set_encrypt_key void _nettle_aes256_set_encrypt_key_c(struct aes256_ctx *ctx, const uint8_t *key); # define nettle_aes256_set_encrypt_key _nettle_aes256_set_encrypt_key_c #endif void nettle_aes256_set_encrypt_key(struct aes256_ctx *ctx, const uint8_t *key) { _nettle_aes_set_key (_AES256_ROUNDS, AES256_KEY_SIZE / 4, ctx->keys, key); } nettle-3.10/ecc-curve.h0000644000175000017500000000357414633602172014016 0ustar nissenisse/* ecc-curve.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_CURVE_H_INCLUDED #define NETTLE_ECC_CURVE_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* The contents of this struct is internal. */ struct ecc_curve; const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc256b(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_gost_gc512a(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_384r1(void); const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_521r1(void); #ifdef __cplusplus } #endif #endif /* NETTLE_ECC_CURVE_H_INCLUDED */ nettle-3.10/rsa.c0000644000175000017500000000373414633602171012717 0ustar nissenisse/* rsa.c The RSA publickey algorithm. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" void rsa_public_key_init(struct rsa_public_key *key) { mpz_init(key->n); mpz_init(key->e); /* Not really necessary, but it seems cleaner to initialize all the * storage. */ key->size = 0; } void rsa_public_key_clear(struct rsa_public_key *key) { mpz_clear(key->n); mpz_clear(key->e); } /* Computes the size, in octets, of a the modulo. Returns 0 if the * modulo is too small to be useful, or otherwise appears invalid. */ size_t _rsa_check_size(mpz_t n) { /* Round upwards */ size_t size; /* Even moduli are invalid, and not supported by mpz_powm_sec. */ if (mpz_even_p (n)) return 0; size = (mpz_sizeinbase(n, 2) + 7) / 8; if (size < RSA_MINIMUM_N_OCTETS) return 0; return size; } int rsa_public_key_prepare(struct rsa_public_key *key) { key->size = _rsa_check_size(key->n); return (key->size > 0); } nettle-3.10/eccdata.c0000644000175000017500000011300514633602172013510 0ustar nissenisse/* eccdata.c Generate compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014, 2017 Niels Möller Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #include #include #include #include #include "mini-gmp.c" /* Affine coordinates, for simplicity. Infinity point, i.e., te neutral group element, is represented using the is_zero flag. */ struct ecc_point { int is_zero; mpz_t x; mpz_t y; }; enum ecc_type { /* y^2 = x^3 - 3x + b (mod p) */ ECC_TYPE_WEIERSTRASS, /* x^2 + y^2 = 1 - d x^2 y^2 */ ECC_TYPE_EDWARDS, /* -x^2 + y^2 = 1 - d x^2 y^2 */ ECC_TYPE_TWISTED_EDWARDS, }; struct ecc_curve { unsigned bit_size; unsigned pippenger_k; unsigned pippenger_c; enum ecc_type type; /* Prime */ mpz_t p; /* Curve constant */ mpz_t b; /* Curve order */ mpz_t q; struct ecc_point g; /* Table for pippenger's algorithm. Element i 2^c + j_0 + j_1 2 + j_2 2^2 + ... + j_{c-1} 2^{c-1} holds 2^{ikc} ( j_0 + j_1 2^k + j_2 2^{2k} + ... + j_{c-1} 2^{(c-1)k}) g */ mp_size_t table_size; struct ecc_point *table; /* If non-NULL, holds 2g, 3g, 4g */ struct ecc_point *ref; }; static void ecc_init (struct ecc_point *p) { mpz_init (p->x); mpz_init (p->y); } static void ecc_clear (struct ecc_point *p) { mpz_clear (p->x); mpz_clear (p->y); } static int ecc_zero_p (const struct ecc_point *p) { return p->is_zero; } static int ecc_equal_p (const struct ecc_point *p, const struct ecc_point *q) { return p->is_zero ? q->is_zero : !q->is_zero && mpz_cmp (p->x, q->x) == 0 && mpz_cmp (p->y, q->y) == 0; } static void ecc_set_zero (const struct ecc_curve *ecc, struct ecc_point *r) { r->is_zero = 1; mpz_set_ui (r->x, 0); mpz_set_ui (r->y, ecc->type != ECC_TYPE_WEIERSTRASS); } static void ecc_set (struct ecc_point *r, const struct ecc_point *p) { r->is_zero = p->is_zero; mpz_set (r->x, p->x); mpz_set (r->y, p->y); } static void ecc_add (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p, const struct ecc_point *q); /* Needs to support in-place operation. */ static void ecc_dup (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p) { if (ecc->type != ECC_TYPE_WEIERSTRASS) { ecc_add (ecc, r, p, p); return; } if (ecc_zero_p (p)) ecc_set_zero (ecc, r); else { mpz_t m, t, x, y; mpz_init (m); mpz_init (t); mpz_init (x); mpz_init (y); /* m = (2 y)^-1 */ mpz_mul_ui (m, p->y, 2); mpz_invert (m, m, ecc->p); /* t = 3 (x^2 - 1) * m */ mpz_mul (t, p->x, p->x); mpz_mod (t, t, ecc->p); mpz_sub_ui (t, t, 1); mpz_mul_ui (t, t, 3); mpz_mul (t, t, m); mpz_mod (t, t, ecc->p); /* x' = t^2 - 2 x */ mpz_mul (x, t, t); mpz_submul_ui (x, p->x, 2); mpz_mod (x, x, ecc->p); /* y' = (x - x') * t - y */ mpz_sub (y, p->x, x); mpz_mul (y, y, t); mpz_sub (y, y, p->y); mpz_mod (y, y, ecc->p); r->is_zero = 0; mpz_swap (x, r->x); mpz_swap (y, r->y); mpz_clear (m); mpz_clear (t); mpz_clear (x); mpz_clear (y); } } static void ecc_add (const struct ecc_curve *ecc, struct ecc_point *r, const struct ecc_point *p, const struct ecc_point *q) { if (ecc->type == ECC_TYPE_WEIERSTRASS) { if (ecc_zero_p (p)) ecc_set (r, q); else if (ecc_zero_p (q)) ecc_set (r, p); else if (mpz_cmp (p->x, q->x) == 0) { if (mpz_cmp (p->y, q->y) == 0) ecc_dup (ecc, r, p); else ecc_set_zero (ecc, r); } else { mpz_t s, t, x, y; mpz_init (s); mpz_init (t); mpz_init (x); mpz_init (y); /* t = (q_y - p_y) / (q_x - p_x) */ mpz_sub (t, q->x, p->x); mpz_invert (t, t, ecc->p); mpz_sub (s, q->y, p->y); mpz_mul (t, t, s); mpz_mod (t, t, ecc->p); /* x' = t^2 - p_x - q_x */ mpz_mul (x, t, t); mpz_sub (x, x, p->x); mpz_sub (x, x, q->x); mpz_mod (x, x, ecc->p); /* y' = (x - x') * t - y */ mpz_sub (y, p->x, x); mpz_mul (y, y, t); mpz_sub (y, y, p->y); mpz_mod (y, y, ecc->p); r->is_zero = 0; mpz_swap (x, r->x); mpz_swap (y, r->y); mpz_clear (s); mpz_clear (t); mpz_clear (x); mpz_clear (y); } } else if (ecc->type == ECC_TYPE_EDWARDS) { mpz_t s, t, x, y; mpz_init (s); mpz_init (t); mpz_init (x); mpz_init (y); /* t = d p_x p_y q_x q_y */ mpz_mul (t, ecc->b, p->x); mpz_mod (t, t, ecc->p); mpz_mul (t, t, p->y); mpz_mod (t, t, ecc->p); mpz_mul (t, t, q->x); mpz_mod (t, t, ecc->p); mpz_mul (t, t, q->y); mpz_mod (t, t, ecc->p); /* x' = (p_x q_y + q_x p_y) / (1 + t) */ mpz_mul (x, p->x, q->y); mpz_mod (x, x, ecc->p); mpz_addmul (x, q->x, p->y); mpz_mod (x, x, ecc->p); mpz_add_ui (s, t, 1); mpz_invert (s, s, ecc->p); mpz_mul (x, x, s); mpz_mod (x, x, ecc->p); /* y' = (p_y q_y - p_x q_x) / (1 - t) */ mpz_mul (y, p->y, q->y); mpz_mod (y, y, ecc->p); mpz_submul (y, p->x, q->x); mpz_mod (y, y, ecc->p); mpz_set_ui (s, 1); mpz_sub (s, s, t); mpz_invert (s, s, ecc->p); mpz_mul (y, y, s); mpz_mod (y, y, ecc->p); mpz_swap (x, r->x); mpz_swap (y, r->y); r->is_zero = mpz_cmp_ui (r->x, 0) == 0 && mpz_cmp_ui (r->y, 1) == 0; mpz_clear (s); mpz_clear (t); mpz_clear (x); mpz_clear (y); } else { /* Untwisted: x = (p_x q_y + p_y q_x) / (1 - d p_x p_y q_x q_y) y = (p_y q_y - p_x q_x) / (1 + d p_x p_y q_x q_y) Twisted: x = (p_x q_y + p_y q_x) / (1 - d p_x p_y q_x q_y) y = (p_y q_y + p_x q_x) / (1 + d p_x p_y q_x q_y) So they differ only by a sign in the expression for the new y coordinate. */ mpz_t s, t, x, y; mpz_init (s); mpz_init (t); mpz_init (x); mpz_init (y); /* t = d p_x p_y q_x q_y */ mpz_mul (t, ecc->b, p->x); mpz_mod (t, t, ecc->p); mpz_mul (t, t, p->y); mpz_mod (t, t, ecc->p); mpz_mul (t, t, q->x); mpz_mod (t, t, ecc->p); mpz_mul (t, t, q->y); mpz_mod (t, t, ecc->p); /* x' = (p_x q_y + q_x p_y) / (1 - t) */ mpz_mul (x, p->x, q->y); mpz_mod (x, x, ecc->p); mpz_addmul (x, q->x, p->y); mpz_mod (x, x, ecc->p); mpz_ui_sub (s, 1, t); mpz_invert (s, s, ecc->p); mpz_mul (x, x, s); mpz_mod (x, x, ecc->p); /* y' = (p_y q_y - p_x q_x) / (1 + t) */ mpz_mul (y, p->y, q->y); mpz_mod (y, y, ecc->p); mpz_addmul (y, p->x, q->x); mpz_mod (y, y, ecc->p); mpz_add_ui (s, t, 1); mpz_invert (s, s, ecc->p); mpz_mul (y, y, s); mpz_mod (y, y, ecc->p); mpz_swap (x, r->x); mpz_swap (y, r->y); r->is_zero = (mpz_cmp_ui (r->x, 0) == 0 && mpz_cmp_ui (r->y, 1) == 0); mpz_clear (s); mpz_clear (t); mpz_clear (x); mpz_clear (y); } } static void ecc_mul_binary (const struct ecc_curve *ecc, struct ecc_point *r, const mpz_t n, const struct ecc_point *p) { /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned k; assert (r != p); assert (mpz_sgn (n) > 0); ecc_set (r, p); /* Index of highest one bit */ for (k = mpz_sizeinbase (n, 2) - 1; k-- > 0; ) { ecc_dup (ecc, r, r); if (mpz_tstbit (n, k)) ecc_add (ecc, r, r, p); } } static struct ecc_point * ecc_alloc (size_t n) { struct ecc_point *p = malloc (n * sizeof(*p)); size_t i; if (!p) { fprintf (stderr, "Virtual memory exhausted.\n"); exit (EXIT_FAILURE); } for (i = 0; i < n; i++) ecc_init (&p[i]); return p; } static void ecc_set_str (struct ecc_point *p, const char *x, const char *y) { p->is_zero = 0; mpz_set_str (p->x, x, 16); mpz_set_str (p->y, y, 16); } static void ecc_curve_init_str (struct ecc_curve *ecc, enum ecc_type type, const char *p, const char *b, const char *q, const char *gx, const char *gy) { ecc->type = type; mpz_init_set_str (ecc->p, p, 16); mpz_init_set_str (ecc->b, b, 16); mpz_init_set_str (ecc->q, q, 16); ecc_init (&ecc->g); ecc_set_str (&ecc->g, gx, gy); ecc->pippenger_k = 0; ecc->pippenger_c = 0; ecc->table = NULL; ecc->ref = NULL; } static void ecc_curve_init (struct ecc_curve *ecc, const char *curve) { if (!strcmp (curve, "secp192r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{192} - 2^{64} - 1 */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" "FFFFFFFFFFFFFFFF", "64210519e59c80e70fa7e9ab72243049" "feb8deecc146b9b1", "ffffffffffffffffffffffff99def836" "146bc9b1b4d22831", "188da80eb03090f67cbf20eb43a18800" "f4ff0afd82ff1012", "07192b95ffc8da78631011ed6b24cdd5" "73f977a11e794811"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "dafebf5828783f2ad35534631588a3f629a70fb16982a888", "dd6bda0d993da0fa46b27bbc141b868f59331afa5c7e93ab"); ecc_set_str (&ecc->ref[1], /* 3 g */ "76e32a2557599e6edcd283201fb2b9aadfd0d359cbb263da", "782c37e372ba4520aa62e0fed121d49ef3b543660cfd05fd"); ecc_set_str (&ecc->ref[2], /* 4 g */ "35433907297cc378b0015703374729d7a4fe46647084e4ba", "a2649984f2135c301ea3acb0776cd4f125389b311db3be32"); } else if (!strcmp (curve, "secp224r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{224} - 2^{96} + 1 */ "ffffffffffffffffffffffffffffffff" "000000000000000000000001", "b4050a850c04b3abf54132565044b0b7" "d7bfd8ba270b39432355ffb4", "ffffffffffffffffffffffffffff16a2" "e0b8f03e13dd29455c5c2a3d", "b70e0cbd6bb4bf7f321390b94a03c1d3" "56c21122343280d6115c1d21", "bd376388b5f723fb4c22dfe6cd4375a0" "5a07476444d5819985007e34"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "706a46dc76dcb76798e60e6d89474788d16dc18032d268fd1a704fa6", "1c2b76a7bc25e7702a704fa986892849fca629487acf3709d2e4e8bb"); ecc_set_str (&ecc->ref[1], /* 3 g */ "df1b1d66a551d0d31eff822558b9d2cc75c2180279fe0d08fd896d04", "a3f7f03cadd0be444c0aa56830130ddf77d317344e1af3591981a925"); ecc_set_str (&ecc->ref[2], /* 4 g */ "ae99feebb5d26945b54892092a8aee02912930fa41cd114e40447301", "482580a0ec5bc47e88bc8c378632cd196cb3fa058a7114eb03054c9"); } else if (!strcmp (curve, "secp256r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1 */ "FFFFFFFF000000010000000000000000" "00000000FFFFFFFFFFFFFFFFFFFFFFFF", "5AC635D8AA3A93E7B3EBBD55769886BC" "651D06B0CC53B0F63BCE3C3E27D2604B", "FFFFFFFF00000000FFFFFFFFFFFFFFFF" "BCE6FAADA7179E84F3B9CAC2FC632551", "6B17D1F2E12C4247F8BCE6E563A440F2" "77037D812DEB33A0F4A13945D898C296", "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" "2BCE33576B315ECECBB6406837BF51F5"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "7cf27b188d034f7e8a52380304b51ac3c08969e277f21b35a60b48fc47669978", "7775510db8ed040293d9ac69f7430dbba7dade63ce982299e04b79d227873d1"); ecc_set_str (&ecc->ref[1], /* 3 g */ "5ecbe4d1a6330a44c8f7ef951d4bf165e6c6b721efada985fb41661bc6e7fd6c", "8734640c4998ff7e374b06ce1a64a2ecd82ab036384fb83d9a79b127a27d5032"); ecc_set_str (&ecc->ref[2], /* 4 g */ "e2534a3532d08fbba02dde659ee62bd0031fe2db785596ef509302446b030852", "e0f1575a4c633cc719dfee5fda862d764efc96c3f30ee0055c42c23f184ed8c6"); } else if (!strcmp (curve, "secp384r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, /* p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1 */ "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffffe" "ffffffff0000000000000000ffffffff", "b3312fa7e23ee7e4988e056be3f82d19" "181d9c6efe8141120314088f5013875a" "c656398d8a2ed19d2a85c8edd3ec2aef", "ffffffffffffffffffffffffffffffff" "ffffffffffffffffc7634d81f4372ddf" "581a0db248b0a77aecec196accc52973", "aa87ca22be8b05378eb1c71ef320ad74" "6e1d3b628ba79b9859f741e082542a38" "5502f25dbf55296c3a545e3872760ab7", "3617de4a96262c6f5d9e98bf9292dc29" "f8f41dbd289a147ce9da3113b5f0b8c0" "0a60b1ce1d7e819d7a431d7c90ea0e5f"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "8d999057ba3d2d969260045c55b97f089025959a6f434d651d207d19fb96e9e4fe0e86ebe0e64f85b96a9c75295df61", "8e80f1fa5b1b3cedb7bfe8dffd6dba74b275d875bc6cc43e904e505f256ab4255ffd43e94d39e22d61501e700a940e80"); ecc_set_str (&ecc->ref[1], /* 3 g */ "77a41d4606ffa1464793c7e5fdc7d98cb9d3910202dcd06bea4f240d3566da6b408bbae5026580d02d7e5c70500c831", "c995f7ca0b0c42837d0bbe9602a9fc998520b41c85115aa5f7684c0edc111eacc24abd6be4b5d298b65f28600a2f1df1"); ecc_set_str (&ecc->ref[2], /* 4 g */ "138251cd52ac9298c1c8aad977321deb97e709bd0b4ca0aca55dc8ad51dcfc9d1589a1597e3a5120e1efd631c63e1835", "cacae29869a62e1631e8a28181ab56616dc45d918abc09f3ab0e63cf792aa4dced7387be37bba569549f1c02b270ed67"); } else if (!strcmp (curve, "secp521r1")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, "1ff" /* p = 2^{521} - 1 */ "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff", "051" "953eb9618e1c9a1f929a21a0b68540ee" "a2da725b99b315f3b8b489918ef109e1" "56193951ec7e937b1652c0bd3bb1bf07" "3573df883d2c34f1ef451fd46b503f00", "1ff" "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffffa" "51868783bf2f966b7fcc0148f709a5d0" "3bb5c9b8899c47aebb6fb71e91386409", "c6" "858e06b70404e9cd9e3ecb662395b442" "9c648139053fb521f828af606b4d3dba" "a14b5e77efe75928fe1dc127a2ffa8de" "3348b3c1856a429bf97e7e31c2e5bd66", "118" "39296a789a3bc0045c8a5fb42c7d1bd9" "98f54449579b446817afbd17273e662c" "97ee72995ef42640c550b9013fad0761" "353c7086a272c24088be94769fd16650"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "433c219024277e7e682fcb288148c282747403279b1ccc06352c6e5505d769be97b3b204da6ef55507aa104a3a35c5af41cf2fa364d60fd967f43e3933ba6d783d", "f4bb8cc7f86db26700a7f3eceeeed3f0b5c6b5107c4da97740ab21a29906c42dbbb3e377de9f251f6b93937fa99a3248f4eafcbe95edc0f4f71be356d661f41b02"); ecc_set_str (&ecc->ref[1], /* 3 g */ "1a73d352443de29195dd91d6a64b5959479b52a6e5b123d9ab9e5ad7a112d7a8dd1ad3f164a3a4832051da6bd16b59fe21baeb490862c32ea05a5919d2ede37ad7d", "13e9b03b97dfa62ddd9979f86c6cab814f2f1557fa82a9d0317d2f8ab1fa355ceec2e2dd4cf8dc575b02d5aced1dec3c70cf105c9bc93a590425f588ca1ee86c0e5"); ecc_set_str (&ecc->ref[2], /* 4 g */ "35b5df64ae2ac204c354b483487c9070cdc61c891c5ff39afc06c5d55541d3ceac8659e24afe3d0750e8b88e9f078af066a1d5025b08e5a5e2fbc87412871902f3", "82096f84261279d2b673e0178eb0b4abb65521aef6e6e32e1b5ae63fe2f19907f279f283e54ba385405224f750a95b85eebb7faef04699d1d9e21f47fc346e4d0d"); } else if (!strcmp (curve, "curve25519")) { /* curve25519, y^2 = x^3 + 486662 x^2 + x (mod p), with p = 2^{255} - 19. According to http://cr.yp.to/papers.html#newelliptic, this is birationally equivalent to the Edwards curve x^2 + y^2 = 1 + (121665/121666) x^2 y^2 (mod p). But instead of using this curve, we use a twisted curve, following RFC 7748, -x^2 + y^2 = 1 - (121665/121666) x^2 y^2 (mod p) (this is possible because -1 is a square modulo p). The generator is x = 0x216936d3cd6e53fec0a4e231fdd6dc5c692cc7609525a7b2c9562d608f25d51a y = 0x6666666666666666666666666666666666666666666666666666666666666658 */ ecc_curve_init_str (ecc, ECC_TYPE_TWISTED_EDWARDS, "7fffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffed", /* (121665/121666) mod p, from PARI/GP c = Mod(121665, p); c / (c+1) */ "2dfc9311d490018c7338bf8688861767" "ff8ff5b2bebe27548a14b235eca6874a", /* Order of the subgroup is 2^252 + q_0, where q_0 = 27742317777372353535851937790883648493, 125 bits. */ "10000000000000000000000000000000" "14def9dea2f79cd65812631a5cf5d3ed", /* Generator */ "216936d3cd6e53fec0a4e231fdd6dc5c" "692cc7609525a7b2c9562d608f25d51a", "66666666666666666666666666666666" "66666666666666666666666666666658"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "36ab384c9f5a046c3d043b7d1833e7ac" "080d8e4515d7a45f83c5a14e2843ce0e", "2260cdf3092329c21da25ee8c9a21f56" "97390f51643851560e5f46ae6af8a3c9"); ecc_set_str (&ecc->ref[1], /* 3 g */ "67ae9c4a22928f491ff4ae743edac83a" "6343981981624886ac62485fd3f8e25c", "1267b1d177ee69aba126a18e60269ef7" "9f16ec176724030402c3684878f5b4d4"); ecc_set_str (&ecc->ref[2], /* 4 g */ "203da8db56cff1468325d4b87a3520f9" "1a739ec193ce1547493aa657c4c9f870", "47d0e827cb1595e1470eb88580d5716c" "4cf22832ea2f0ff0df38ab61ca32112f"); } else if (!strcmp (curve, "gost_gc256b")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffd97", "00000000000000000000000000000000" "000000000000000000000000000000a6", "ffffffffffffffffffffffffffffffff" "6c611070995ad10045841b09b761b893", "00000000000000000000000000000000" "00000000000000000000000000000001", "8d91e471e0989cda27df505a453f2b76" "35294f2ddf23e3b122acc99c9e9f1e14"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd95", "726e1b8e1f676325d820afa5bac0d489cad6b0d220dc1c4edd5336636160df83"); ecc_set_str (&ecc->ref[1], /* 3 g */ "8e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38e38d2c", "76bcd1ca9a23b041d4d9baf507a6cd821267a94c838768e8486117796b788a51"); ecc_set_str (&ecc->ref[2], /* 4 g */ "f7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e7063e4b7", "83ccf17ba6706d73625cc3534c7a2b9d6ec1ee6a9a7e07c10d84b388de59f741"); } else if (!strcmp (curve, "gost_gc512a")) { ecc_curve_init_str (ecc, ECC_TYPE_WEIERSTRASS, "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "fffffffffffffffffffffffffffffdc7", "e8c2505dedfc86ddc1bd0b2b6667f1da" "34b82574761cb0e879bd081cfd0b6265" "ee3cb090f30d27614cb4574010da90dd" "862ef9d4ebee4761503190785a71c760", "ffffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffffffffff" "27e69532f48d89116ff22b8d4e056060" "9b4b38abfad2b85dcacdb1411f10b275", "00000000000000000000000000000000" "00000000000000000000000000000000" "00000000000000000000000000000000" "00000000000000000000000000000003", "7503cfe87a836ae3a61b8816e25450e6" "ce5e1c93acf1abc1778064fdcbefa921" "df1626be4fd036e93d75e6a50e3a41e9" "8028fe5fc235f5b889a589cb5215f2a4"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "3b89dcfc622996ab97a5869dbff15cf51db00954f43a58a5e5f6b0470a132b2f4434bbcd405d2a9516151d2a6a04f2e4375bf48de1fdb21fb982afd9d2ea137c", "c813c4e2e2e0a8a391774c7903da7a6f14686e98e183e670ee6fb784809a3e92ca209dc631d85b1c7534ed3b37fddf64d854d7e01f91f18bb3fd307591afc051"); ecc_set_str (&ecc->ref[1], /* 3 g */ "a1ff1ab2712a267eb53935ddb5a567f84db156cc096168a1174291d5f488fba543d2840b4d2dd35d764b2f57b308907aec55cfba10544e8416e134687ccb87c3", "3cb5c4417ec4637f30374f189bb5b984c41e3a48d7f84fbfa3819e3f333f7eb311d3af7e67c4c16eeacfac2fe94c6dd4c6366f711a4fb6c7125cd7ec518d90d6"); ecc_set_str (&ecc->ref[2], /* 4 g */ "b7bfb80956c8670031ba191929f64e301d681634236d47a60e571a4bedc0ef257452ef78b5b98dbb3d9f3129d9349433ce2a3a35cb519c91e2d633d7b373ae16", "3bee95e29eecc5d5ad2beba941abcbf9f1cad478df0fecf614f63aeebef77850da7efdb93de8f3df80bc25eac09239c14175f5c29704ce9a3e383f1b3ec0e929"); } else if (!strcmp (curve, "curve448")) { /* curve448, y^2 = x^3 + 156326 x^2 + x (mod p), with p = 2^{448} - 2^{224} - 1. According to RFC 7748, this is 4-isogenious to the Edwards curve called "edwards448" x^2 + y^2 = 1 - 39081 x^2 y^2 (mod p). And since the constant is not a square, the Edwards formulas should be "complete", with no special cases needed for doubling, neutral element, negatives, etc. Generator is x = 5, with y coordinate 355293926785568175264127502063783334808976399387714271831880898435169088786967410002932673765864550910142774147268105838985595290606362, according to x = Mod(5, 2^448-2^224-1); sqrt(x^3 + 156326*x^2 + x) in PARI/GP. Also, in PARI notation, curve448 = Mod([0, 156326, 0, 1, 0], 2^448-2^224-1) */ ecc_curve_init_str (ecc, ECC_TYPE_EDWARDS, "fffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffeffffff" "fffffffffffffffffffffffffffffff" "fffffffffffffffffff", /* -39081 mod p, from PARI/GP c = Mod(-39081, p) */ "fffffffffffffffffffffffffffffff" "ffffffffffffffffffffffffeffffff" "fffffffffffffffffffffffffffffff" "fffffffffffffff6756", /* Order of the subgroup is 2^446 - q_0, where q_0 = 13818066809895115352007386748515426880336692474882178609894547503885, 224 bits. */ "3ffffffffffffffffffffffffffffff" "fffffffffffffffffffffffff7cca23" "e9c44edb49aed63690216cc2728dc58" "f552378c292ab5844f3", "4f1970c66bed0ded221d15a622bf36d" "a9e146570470f1767ea6de324a3d3a4" "6412ae1af72ab66511433b80e18b009" "38e2626a82bc70cc05e", "693f46716eb6bc248876203756c9c76" "24bea73736ca3984087789c1e05a0c2" "d73ad3ff1ce67c39c4fdbd132c4ed7c" "8ad9808795bf230fa14"); ecc->ref = ecc_alloc (3); ecc_set_str (&ecc->ref[0], /* 2 g */ "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "aaaaaaaaaaaaaaaaaaaaaaa955555555" "55555555555555555555555555555555" "5555555555555555", "ae05e9634ad7048db359d6205086c2b0" "036ed7a035884dd7b7e36d728ad8c4b8" "0d6565833a2a3098bbbcb2bed1cda06b" "daeafbcdea9386ed"); ecc_set_str (&ecc->ref[1], /* 3 g */ "865886b9108af6455bd64316cb694333" "2241b8b8cda82c7e2ba077a4a3fcfe8d" "aa9cbf7f6271fd6e862b769465da8575" "728173286ff2f8f", "e005a8dbd5125cf706cbda7ad43aa644" "9a4a8d952356c3b9fce43c82ec4e1d58" "bb3a331bdb6767f0bffa9a68fed02daf" "b822ac13588ed6fc"); ecc_set_str (&ecc->ref[2], /* 4 g */ "49dcbc5c6c0cce2c1419a17226f929ea" "255a09cf4e0891c693fda4be70c74cc3" "01b7bdf1515dd8ba21aee1798949e120" "e2ce42ac48ba7f30", "d49077e4accde527164b33a5de021b97" "9cb7c02f0457d845c90dc3227b8a5bc1" "c0d8f97ea1ca9472b5d444285d0d4f5b" "32e236f86de51839"); } else { fprintf (stderr, "No known curve with name %s\n", curve); exit(EXIT_FAILURE); } ecc->bit_size = mpz_sizeinbase (ecc->p, 2); } static void ecc_curve_clear (struct ecc_curve *ecc) { mpz_clear (ecc->p); mpz_clear (ecc->b); mpz_clear (ecc->q); ecc_clear (&ecc->g); if (ecc->table) { size_t i; for (i = 0; i < ecc->table_size; i++) ecc_clear (&ecc->table[i]); free (ecc->table); } if (ecc->ref) { size_t i; for (i = 0; i < 3; i++) ecc_clear (&ecc->ref[i]); free (ecc->ref); } } static unsigned ecc_table_size(unsigned bits, unsigned k, unsigned c) { unsigned p = (bits + k-1) / k; unsigned M = (p + c-1)/c; return M; } static void ecc_pippenger_precompute (struct ecc_curve *ecc, unsigned k, unsigned c) { unsigned M = ecc_table_size (ecc->bit_size, k, c); unsigned i, j; if (M < 2) { fprintf (stderr, "Invalid parameters, implies M = %u\n", M); exit (EXIT_FAILURE); } if (M == ecc_table_size (ecc->bit_size, k-1, c)) fprintf(stderr, "warn: Parameters k = %u, c = %d are suboptimal, could use smaller k\n", k, c); ecc->pippenger_k = k; ecc->pippenger_c = c; ecc->table_size = M << c; assert (ecc->table_size >= 2); ecc->table = ecc_alloc (ecc->table_size); /* Compute the first 2^c entries */ ecc_set_zero (ecc, &ecc->table[0]); ecc_set (&ecc->table[1], &ecc->g); for (j = 2; j < (1U<table_size); ecc_dup (ecc, &ecc->table[j], &ecc->table[j/2]); for (i = 1; i < k; i++) ecc_dup (ecc, &ecc->table[j], &ecc->table[j]); for (i = 1; i < j; i++) { assert (j + i < ecc->table_size); ecc_add (ecc, &ecc->table[j + i], &ecc->table[j], &ecc->table[i]); } } for (j = 1<table_size; j++) { /* T[j] = 2^{kc} T[j-2^c] */ ecc_dup (ecc, &ecc->table[j], &ecc->table[j - (1<table[j], &ecc->table[j]); } } static void ecc_mul_pippenger (const struct ecc_curve *ecc, struct ecc_point *r, const mpz_t n_input) { mpz_t n; unsigned k, c; unsigned i, j; unsigned bit_rows; mpz_init (n); mpz_mod (n, n_input, ecc->q); ecc_set_zero (ecc, r); k = ecc->pippenger_k; c = ecc->pippenger_c; bit_rows = (ecc->bit_size + k - 1) / k; for (i = k; i-- > 0; ) { ecc_dup (ecc, r, r); for (j = 0; j * c < bit_rows; j++) { unsigned bits; mp_size_t bit_index; /* Extract c bits of the exponent, stride k, starting at i + kcj, ending at i + k (cj + c - 1)*/ for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) { bit_index -= k; bits = (bits << 1) | mpz_tstbit (n, bit_index); } ecc_add (ecc, r, r, &ecc->table[(j << c) | bits]); } } mpz_clear (n); } static void ecc_point_out (FILE *f, const struct ecc_point *p) { if (p->is_zero) fprintf (f, "zero"); else { fprintf (f, "("); mpz_out_str (f, 16, p->x); fprintf (f, ",\n "); mpz_out_str (f, 16, (p)->y); fprintf (f, ")"); } } #define ASSERT_EQUAL(p, q) do { \ if (!ecc_equal_p (p, q)) \ { \ fprintf (stderr, "%s:%d: ASSERT_EQUAL (%s, %s) failed.\n", \ __FILE__, __LINE__, #p, #q); \ fprintf (stderr, "p = "); \ ecc_point_out (stderr, (p)); \ fprintf (stderr, "\nq = "); \ ecc_point_out (stderr, (q)); \ fprintf (stderr, "\n"); \ abort(); \ } \ } while (0) #define ASSERT_ZERO(p) do { \ if (!ecc_zero_p (p)) \ { \ fprintf (stderr, "%s:%d: ASSERT_ZERO (%s) failed.\n", \ __FILE__, __LINE__, #p); \ fprintf (stderr, "p = "); \ ecc_point_out (stderr, (p)); \ fprintf (stderr, "\n"); \ abort(); \ } \ } while (0) static void ecc_curve_check (const struct ecc_curve *ecc) { struct ecc_point p, q; mpz_t n; ecc_init (&p); ecc_init (&q); mpz_init (n); ecc_dup (ecc, &p, &ecc->g); if (ecc->ref) ASSERT_EQUAL (&p, &ecc->ref[0]); else { fprintf (stderr, "g2 = "); mpz_out_str (stderr, 16, p.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, p.y); fprintf (stderr, "\n"); } ecc_add (ecc, &q, &p, &ecc->g); if (ecc->ref) ASSERT_EQUAL (&q, &ecc->ref[1]); else { fprintf (stderr, "g3 = "); mpz_out_str (stderr, 16, q.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, q.y); fprintf (stderr, "\n"); } ecc_add (ecc, &q, &q, &ecc->g); if (ecc->ref) ASSERT_EQUAL (&q, &ecc->ref[2]); else { fprintf (stderr, "g4 = "); mpz_out_str (stderr, 16, q.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, q.y); fprintf (stderr, "\n"); } ecc_dup (ecc, &q, &p); if (ecc->ref) ASSERT_EQUAL (&q, &ecc->ref[2]); else { fprintf (stderr, "g4 = "); mpz_out_str (stderr, 16, q.x); fprintf (stderr, "\n "); mpz_out_str (stderr, 16, q.y); fprintf (stderr, "\n"); } ecc_mul_binary (ecc, &p, ecc->q, &ecc->g); ASSERT_ZERO (&p); ecc_mul_pippenger (ecc, &q, ecc->q); ASSERT_ZERO (&q); ecc_clear (&p); ecc_clear (&q); mpz_clear (n); } static void output_digits (const mpz_t x, unsigned size, unsigned bits_per_limb) { mpz_t t; mpz_t mask; mpz_t limb; unsigned i; const char *suffix; mpz_init_set (t, x); mpz_init (mask); mpz_init (limb); mpz_setbit (mask, bits_per_limb); mpz_sub_ui (mask, mask, 1); suffix = bits_per_limb > 32 ? "ULL" : "UL"; for (i = 0; i < size; i++) { if ( (i % 8) == 0) printf("\n "); mpz_and (limb, mask, t); printf (" 0x"); mpz_out_str (stdout, 16, limb); printf ("%s,", suffix); mpz_tdiv_q_2exp (t, t, bits_per_limb); } mpz_clear (t); mpz_clear (mask); mpz_clear (limb); } static void output_bignum (const char *name, const mpz_t x, unsigned size, unsigned bits_per_limb) { printf ("static const mp_limb_t %s[%d] = {", name, size); output_digits (x, size, bits_per_limb); printf("\n};\n"); } static void output_bignum_redc (const char *name, const mpz_t x, const mpz_t p, unsigned size, unsigned bits_per_limb) { mpz_t t; mpz_init (t); mpz_mul_2exp (t, x, size * bits_per_limb); mpz_mod (t, t, p); output_bignum (name, t, size, bits_per_limb); mpz_clear (t); } static void output_point (const struct ecc_curve *ecc, const struct ecc_point *p, int use_redc, unsigned size, unsigned bits_per_limb) { mpz_t x, y, t; mpz_init (x); mpz_init (y); mpz_init (t); mpz_set (x, p->x); mpz_set (y, p->y); if (use_redc) { mpz_mul_2exp (x, x, size * bits_per_limb); mpz_mod (x, x, ecc->p); mpz_mul_2exp (y, y, size * bits_per_limb); mpz_mod (y, y, ecc->p); } output_digits (x, size, bits_per_limb); output_digits (y, size, bits_per_limb); mpz_clear (x); mpz_clear (y); mpz_clear (t); } static void string_toupper (char *buf, size_t size, const char *s) { size_t i; for (i = 0; i < size; i++) { buf[i] = toupper ((int)s[i]); if (!buf[i]) return; } fprintf (stderr, "string '%s' too large for buffer of size %u.\n", s, (unsigned) size); abort(); } static void output_modulo (const char *name, const mpz_t x, unsigned size, unsigned bits_per_limb) { unsigned bit_size; int shift; char buf[20]; mpz_t t; snprintf (buf, sizeof (buf), "ecc_%s", name); output_bignum (buf, x, size, bits_per_limb); mpz_init (t); mpz_setbit (t, bits_per_limb * size); mpz_mod (t, t, x); snprintf (buf, sizeof (buf), "ecc_Bmod%s", name); output_bignum (buf, t, size, bits_per_limb); string_toupper (buf, sizeof (buf), name); printf ("#define ECC_BMOD%s_SIZE %u\n", buf, (unsigned) ((mpz_sizeinbase (t, 2) + bits_per_limb - 1) / bits_per_limb)); bit_size = mpz_sizeinbase (x, 2); shift = size * bits_per_limb - bit_size; assert (shift >= 0); if (shift > 0) { mpz_set_ui (t, 0); mpz_setbit (t, size * bits_per_limb); mpz_submul_ui (t, x, 2); snprintf (buf, sizeof (buf), "ecc_Bm2%s", name); output_bignum (buf, t, size, bits_per_limb); if (bit_size == 253) { /* For curve25519, with q = 2^k + q', with a much smaller q' */ unsigned mbits; unsigned shift; /* Shift to align the one bit at B */ shift = bits_per_limb * size + 1 - bit_size; mpz_set (t, x); mpz_clrbit (t, bit_size-1); mbits = mpz_sizeinbase (t, 2); /* The shifted value must be a limb smaller than q. */ assert (mbits + shift + bits_per_limb <= bit_size); /* q of the form 2^k + q', with q' a limb smaller */ mpz_mul_2exp (t, t, shift); snprintf (buf, sizeof (buf), "ecc_mBmod%s_shifted", name); output_bignum (buf, t, size, bits_per_limb); } else { mpz_set_ui (t, 0); mpz_setbit (t, bit_size); mpz_sub (t, t, x); snprintf (buf, sizeof (buf), "ecc_Bmod%s_shifted", name); output_bignum (buf, t, size, bits_per_limb); /* Check condition for reducing hi limbs. If s is the normalization shift and n is the bit size (so that s + n = limb_size * bits_per_limb), then we need (2^n - 1) + (2^s - 1) (2^n - p) < 2p or equivalently, 2^s (2^n - p) <= p To a allow a carry limb to be added in at the same time, substitute s+1 for s. */ /* FIXME: For ecdsa verify, we actually need the stricter inequality < 2 q. */ mpz_mul_2exp (t, t, shift + 1); if (mpz_cmp (t, x) > 0) { fprintf (stderr, "Reduction condition failed for %u-bit %s.\n", bit_size, name); exit (EXIT_FAILURE); } } } else { printf ("#define ecc_Bm2%s ecc_Bmod%s\n", name, name); printf ("#define ecc_Bmod%s_shifted ecc_Bmod%s\n", name, name); } mpz_clear (t); } static void output_curve (const struct ecc_curve *ecc, unsigned bits_per_limb) { unsigned limb_size = (ecc->bit_size + bits_per_limb - 1)/bits_per_limb; unsigned i; int redc_limbs; mpz_t t; mpz_t z; mpz_init (t); mpz_init (z); printf ("/* For NULL. */\n#include \n"); printf ("#define ECC_LIMB_SIZE %u\n", limb_size); printf ("#define ECC_PIPPENGER_K %u\n", ecc->pippenger_k); printf ("#define ECC_PIPPENGER_C %u\n", ecc->pippenger_c); output_modulo ("p", ecc->p, limb_size, bits_per_limb); output_modulo ("q", ecc->q, limb_size, bits_per_limb); output_bignum ("ecc_b", ecc->b, limb_size, bits_per_limb); mpz_add_ui (t, ecc->p, 1); mpz_fdiv_q_2exp (t, t, 1); output_bignum ("ecc_pp1h", t, limb_size, bits_per_limb); mpz_add_ui (t, ecc->q, 1); mpz_fdiv_q_2exp (t, t, 1); output_bignum ("ecc_qp1h", t, limb_size, bits_per_limb); /* Trailing zeros in p+1 correspond to trailing ones in p. */ redc_limbs = mpz_scan0 (ecc->p, 0) / bits_per_limb; if (redc_limbs > 0) { mpz_add_ui (t, ecc->p, 1); mpz_fdiv_q_2exp (t, t, redc_limbs * bits_per_limb); output_bignum ("ecc_redc_ppm1", t, limb_size - redc_limbs, bits_per_limb); } else { /* Trailing zeros in p-1 correspond to zeros just above the low bit of p */ redc_limbs = mpz_scan1 (ecc->p, 1) / bits_per_limb; if (redc_limbs > 0) { printf ("#define ecc_redc_ppm1 (ecc_p + %d)\n", redc_limbs); redc_limbs = -redc_limbs; } else printf ("#define ecc_redc_ppm1 NULL\n"); } printf ("#define ECC_REDC_SIZE %d\n", redc_limbs); /* For mod p square root computation. */ if (mpz_fdiv_ui (ecc->p, 4) == 3) { /* x = a^{(p+1)/4} gives square root of a (if it exists, otherwise the square root of -a). We use no precomputed values for this. */ } else { /* p-1 = 2^e s, s odd, t = (s-1)/2*/ unsigned g, i, e; mpz_t s; mpz_init (s); mpz_sub_ui (s, ecc->p, 1); e = mpz_scan1 (s, 0); assert (e > 1); mpz_fdiv_q_2exp (s, s, e); /* Find a non-square g, g^{(p-1)/2} = -1, and z = g^{(p-1)/4 */ for (g = 2; ; g++) { mpz_set_ui (z, g); mpz_powm (z, z, s, ecc->p); mpz_mul (t, z, z); mpz_mod (t, t, ecc->p); for (i = 2; i < e; i++) { mpz_mul (t, t, t); mpz_mod (t, t, ecc->p); } if (mpz_cmp_ui (t, 1) != 0) break; } mpz_add_ui (t, t, 1); assert (mpz_cmp (t, ecc->p) == 0); mpz_fdiv_q_2exp (t, s, 1); mpz_clear (s); printf ("#define ECC_SQRT_E %u\n", e); } printf ("#if USE_REDC\n"); printf ("#define ecc_unit ecc_Bmodp\n"); if (mpz_sgn(z) > 0) output_bignum_redc ("ecc_sqrt_z", z, ecc->p, limb_size, bits_per_limb); printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) output_point (ecc, &ecc->table[i], 1, limb_size, bits_per_limb); printf("\n};\n"); printf ("#else\n"); mpz_set_ui (t, 1); output_bignum ("ecc_unit", t, limb_size, bits_per_limb); if (mpz_sgn(z) > 0) output_bignum ("ecc_sqrt_z", z, limb_size, bits_per_limb); printf ("static const mp_limb_t ecc_table[%lu] = {", (unsigned long) (2*ecc->table_size * limb_size)); for (i = 0; i < ecc->table_size; i++) output_point (ecc, &ecc->table[i], 0, limb_size, bits_per_limb); printf("\n};\n"); printf ("#endif\n"); mpz_clear (t); mpz_clear (z); } int main (int argc, char **argv) { struct ecc_curve ecc; if (argc < 4) { fprintf (stderr, "Usage: %s CURVE K C [BITS-PER-LIMB]\n", argv[0]); return EXIT_FAILURE; } ecc_curve_init (&ecc, argv[1]); ecc_pippenger_precompute (&ecc, atoi(argv[2]), atoi(argv[3])); fprintf (stderr, "Table size: %lu entries\n", (unsigned long) ecc.table_size); ecc_curve_check (&ecc); if (argc > 4) output_curve (&ecc, atoi(argv[4])); ecc_curve_clear (&ecc); return EXIT_SUCCESS; } nettle-3.10/ecc-pm1-redc.c0000644000175000017500000000400414633602171014261 0ustar nissenisse/* ecc-pm1-redc.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Use that 1 = - (p - 1) (mod p), and that at least one low limb of p - 1 is zero. */ void ecc_pm1_redc (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { unsigned i; mp_limb_t hi, cy; unsigned shift = m->size * GMP_NUMB_BITS - m->bit_size; mp_size_t k = m->redc_size; for (i = 0; i < m->size; i++) xp[i] = mpn_submul_1 (xp + i + k, m->redc_mpm1, m->size - k, xp[i]); hi = mpn_sub_n (xp, xp + m->size, xp, m->size); cy = mpn_cnd_add_n (hi, rp, xp, m->m, m->size); assert_maybe (cy == hi); if (shift > 0) { /* Result is always < 2p, provided that 2^shift * Bmodp_shifted <= p */ hi = (rp[m->size - 1] >> (GMP_NUMB_BITS - shift)); rp[m->size - 1] = (rp[m->size - 1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + mpn_addmul_1 (rp, m->B_shifted, m->size-1, hi); } } nettle-3.10/umac-internal.h0000644000175000017500000000464314633602172014677 0ustar nissenisse/* umac-internal.h UMAC message authentication code (RFC-4418). Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_UMAC_INTERNAL_H_INCLUDED #define NETTLE_UMAC_INTERNAL_H_INCLUDED #include "nettle-types.h" void _nettle_umac_set_key (uint32_t *l1_key, uint32_t *l2_key, uint64_t *l3_key1, uint32_t *l3_key2, struct aes128_ctx *pad, const uint8_t *key, unsigned n); uint64_t _nettle_umac_nh (const uint32_t *key, unsigned length, const uint8_t *msg); /* Equivalent to for (i = 0; i < n; i++) out[i] = _umac_nh (key + 4*i, length, msg); but processing input only once. */ void _nettle_umac_nh_n (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); /* Returns y*k + m (mod p), including "marker" processing. Return value is *not* in canonical representation, and must be normalized before the output is used. */ uint64_t _nettle_umac_poly64 (uint32_t kh, uint32_t kl, uint64_t y, uint64_t m); void _nettle_umac_poly128 (const uint32_t *k, uint64_t *y, uint64_t mh, uint64_t ml); void _nettle_umac_l2_init (unsigned size, uint32_t *k); void _nettle_umac_l2(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count, const uint64_t *m); void _nettle_umac_l2_final(const uint32_t *key, uint64_t *state, unsigned n, uint64_t count); void _nettle_umac_l3_init (unsigned size, uint64_t *k); uint32_t _nettle_umac_l3 (const uint64_t *key, const uint64_t *m); #endif /* NETTLE_UMAC_INTERNAL_H_INCLUDED */ nettle-3.10/gcm-aes256-meta.c0000644000175000017500000000342614633602171014625 0ustar nissenisse/* gcm-aes256-meta.c Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "gcm.h" static nettle_set_key_func gcm_aes256_set_nonce_wrapper; static void gcm_aes256_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { gcm_aes256_set_iv (ctx, GCM_IV_SIZE, nonce); } const struct nettle_aead nettle_gcm_aes256 = { "gcm_aes256", sizeof(struct gcm_aes256_ctx), GCM_BLOCK_SIZE, AES256_KEY_SIZE, GCM_IV_SIZE, GCM_DIGEST_SIZE, (nettle_set_key_func *) gcm_aes256_set_key, (nettle_set_key_func *) gcm_aes256_set_key, gcm_aes256_set_nonce_wrapper, (nettle_hash_update_func *) gcm_aes256_update, (nettle_crypt_func *) gcm_aes256_encrypt, (nettle_crypt_func *) gcm_aes256_decrypt, (nettle_hash_digest_func *) gcm_aes256_digest, }; nettle-3.10/rsa-sha512-verify.c0000644000175000017500000000340614633602171015216 0ustar nissenisse/* rsa-sha512-verify.c Verifying signatures created with RSA and SHA512. Copyright (C) 2001, 2003, 2006, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha512_verify(const struct rsa_public_key *key, struct sha512_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha512_encode(m, key->size, hash) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_sha512_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha512_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-3.10/config.make.in0000644000175000017500000000515514633602172014477 0ustar nissenisse# Makefile settings shared between Makefiles. CC = @CC@ CXX = @CXX@ CFLAGS = @CFLAGS@ CXXFLAGS = @CXXFLAGS@ CCPIC = @CCPIC@ CPPFLAGS = @CPPFLAGS@ DEFS = @DEFS@ LDFLAGS = @LDFLAGS@ ASM_FLAGS = @ASM_FLAGS@ LIBS = @LIBS@ LIBOBJS = @LIBOBJS@ EMULATOR = @EMULATOR@ NM = @NM@ OBJEXT = @OBJEXT@ EXEEXT = @EXEEXT@ CC_FOR_BUILD = @CC_FOR_BUILD@ EXEEXT_FOR_BUILD = @EXEEXT_FOR_BUILD@ DEP_FLAGS = @DEP_FLAGS@ DEP_PROCESS = @DEP_PROCESS@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_VERSION = @PACKAGE_VERSION@ LIBNETTLE_MAJOR = @LIBNETTLE_MAJOR@ LIBNETTLE_MINOR = @LIBNETTLE_MINOR@ LIBNETTLE_SONAME = @LIBNETTLE_SONAME@ LIBNETTLE_FILE = @LIBNETTLE_FILE@ LIBNETTLE_FILE_SRC = @LIBNETTLE_FILE_SRC@ LIBNETTLE_FORLINK = @LIBNETTLE_FORLINK@ LIBNETTLE_LIBS = @LIBNETTLE_LIBS@ LIBNETTLE_LINK = @LIBNETTLE_LINK@ LIBHOGWEED_MAJOR = @LIBHOGWEED_MAJOR@ LIBHOGWEED_MINOR = @LIBHOGWEED_MINOR@ LIBHOGWEED_SONAME = @LIBHOGWEED_SONAME@ LIBHOGWEED_FILE = @LIBHOGWEED_FILE@ LIBHOGWEED_FILE_SRC = @LIBHOGWEED_FILE_SRC@ LIBHOGWEED_FORLINK = @LIBHOGWEED_FORLINK@ LIBHOGWEED_LIBS = @LIBHOGWEED_LIBS@ LIBHOGWEED_LINK = @LIBHOGWEED_LINK@ NUMB_BITS = @NUMB_BITS@ AR = @AR@ ARFLAGS = cru AUTOCONF = autoconf AUTOHEADER = autoheader M4 = @M4@ MAKEINFO = makeinfo RANLIB = @RANLIB@ LN_S = @LN_S@ prefix = @prefix@ exec_prefix = @exec_prefix@ datarootdir = @datarootdir@ bindir = @bindir@ libdir = @libdir@ includedir = @includedir@ infodir = @infodir@ abs_top_builddir = @abs_top_builddir@ # Absolute name, since some systems require that for LD_LIBRARY_PATH. TEST_SHLIB_DIR = ${abs_top_builddir}/.lib # PRE_CPPFLAGS and PRE_LDFLAGS lets each Makefile.in prepend its own # flags before CPPFLAGS and LDFLAGS. While EXTRA_CFLAGS are added at the end. COMPILE = $(CC) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CFLAGS) $(EXTRA_CFLAGS) $(DEP_FLAGS) COMPILE_CXX = $(CXX) $(PRE_CPPFLAGS) $(CPPFLAGS) $(DEFS) $(CXXFLAGS) $(DEP_FLAGS) LINK = $(CC) $(CFLAGS) $(PRE_LDFLAGS) $(LDFLAGS) LINK_CXX = $(CXX) $(CXXFLAGS) $(PRE_LDFLAGS) $(LDFLAGS) # Default rule. Must be here, since config.make is included before the # usual targets. default: all # Don't use any old-fashioned suffix rules. .SUFFIXES: # Disable builtin rule %$(EXEEXT) : %.c # Keep object files .PRECIOUS: %.o .PHONY: all check install uninstall clean distclean mostlyclean maintainer-clean distdir \ all-here check-here install-here clean-here distclean-here mostlyclean-here \ maintainer-clean-here distdir-here \ install-shared install-info install-headers \ uninstall-shared uninstall-info uninstall-headers \ dist distcleancheck nettle-3.10/gosthash94.c0000644000175000017500000003467514633602171014137 0ustar nissenisse/* gosthash94.c - an implementation of GOST Hash Function * * based on the Russian Standard GOST R 34.11-94. * English description in RFC 5831. * See also RFC 4357. * * Copyright: 2009-2012 Aleksey Kravchenko * Copyright: 2019 Dmitry Eremin-Solenikov * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ /* * Ported to nettle by Nikos Mavrogiannopoulos. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include "macros.h" #include "nettle-write.h" #include "gosthash94.h" #include "gost28147-internal.h" /** * Initialize algorithm context before calculating hash * with test parameters set. * * @param ctx context to initalize */ void gosthash94_init (struct gosthash94_ctx *ctx) { memset (ctx, 0, sizeof (struct gosthash94_ctx)); } /** * The core transformation. Process a 512-bit block. * * @param hash intermediate message hash * @param block the message block to process */ static void gost_block_compress (struct gosthash94_ctx *ctx, const uint32_t *block, const uint32_t sbox[4][256]) { unsigned i; uint32_t key[8], u[8], v[8], w[8], s[8]; /* u := hash, v := <256-bit message block> */ memcpy (u, ctx->hash, sizeof (u)); memcpy (v, block, sizeof (v)); /* w := u xor v */ w[0] = u[0] ^ v[0], w[1] = u[1] ^ v[1]; w[2] = u[2] ^ v[2], w[3] = u[3] ^ v[3]; w[4] = u[4] ^ v[4], w[5] = u[5] ^ v[5]; w[6] = u[6] ^ v[6], w[7] = u[7] ^ v[7]; /* calculate keys, encrypt hash and store result to the s[] array */ for (i = 0;; i += 2) { /* key generation: key_i := P(w) */ key[0] = (w[0] & 0x000000ff) | ((w[2] & 0x000000ff) << 8) | ((w[4] & 0x000000ff) << 16) | ((w[6] & 0x000000ff) << 24); key[1] = ((w[0] & 0x0000ff00) >> 8) | (w[2] & 0x0000ff00) | ((w[4] & 0x0000ff00) << 8) | ((w[6] & 0x0000ff00) << 16); key[2] = ((w[0] & 0x00ff0000) >> 16) | ((w[2] & 0x00ff0000) >> 8) | (w[4] & 0x00ff0000) | ((w[6] & 0x00ff0000) << 8); key[3] = ((w[0] & 0xff000000) >> 24) | ((w[2] & 0xff000000) >> 16) | ((w[4] & 0xff000000) >> 8) | (w[6] & 0xff000000); key[4] = (w[1] & 0x000000ff) | ((w[3] & 0x000000ff) << 8) | ((w[5] & 0x000000ff) << 16) | ((w[7] & 0x000000ff) << 24); key[5] = ((w[1] & 0x0000ff00) >> 8) | (w[3] & 0x0000ff00) | ((w[5] & 0x0000ff00) << 8) | ((w[7] & 0x0000ff00) << 16); key[6] = ((w[1] & 0x00ff0000) >> 16) | ((w[3] & 0x00ff0000) >> 8) | (w[5] & 0x00ff0000) | ((w[7] & 0x00ff0000) << 8); key[7] = ((w[1] & 0xff000000) >> 24) | ((w[3] & 0xff000000) >> 16) | ((w[5] & 0xff000000) >> 8) | (w[7] & 0xff000000); /* encryption: s_i := E_{key_i} (h_i) */ _nettle_gost28147_encrypt_block (key, sbox, &ctx->hash[i], &s[i]); if (i == 0) { /* w:= A(u) ^ A^2(v) */ w[0] = u[2] ^ v[4], w[1] = u[3] ^ v[5]; w[2] = u[4] ^ v[6], w[3] = u[5] ^ v[7]; w[4] = u[6] ^ (v[0] ^= v[2]); w[5] = u[7] ^ (v[1] ^= v[3]); w[6] = (u[0] ^= u[2]) ^ (v[2] ^= v[4]); w[7] = (u[1] ^= u[3]) ^ (v[3] ^= v[5]); } else if ((i & 2) != 0) { if (i == 6) break; /* w := A^2(u) xor A^4(v) xor C_3; u := A(u) xor C_3 */ /* C_3=0xff00ffff000000ffff0000ff00ffff0000ff00ff00ff00ffff00ff00ff00ff00 */ u[2] ^= u[4] ^ 0x000000ff; u[3] ^= u[5] ^ 0xff00ffff; u[4] ^= 0xff00ff00; u[5] ^= 0xff00ff00; u[6] ^= 0x00ff00ff; u[7] ^= 0x00ff00ff; u[0] ^= 0x00ffff00; u[1] ^= 0xff0000ff; w[0] = u[4] ^ v[0]; w[2] = u[6] ^ v[2]; w[4] = u[0] ^ (v[4] ^= v[6]); w[6] = u[2] ^ (v[6] ^= v[0]); w[1] = u[5] ^ v[1]; w[3] = u[7] ^ v[3]; w[5] = u[1] ^ (v[5] ^= v[7]); w[7] = u[3] ^ (v[7] ^= v[1]); } else { /* i==4 here */ /* w:= A( A^2(u) xor C_3 ) xor A^6(v) */ w[0] = u[6] ^ v[4], w[1] = u[7] ^ v[5]; w[2] = u[0] ^ v[6], w[3] = u[1] ^ v[7]; w[4] = u[2] ^ (v[0] ^= v[2]); w[5] = u[3] ^ (v[1] ^= v[3]); w[6] = (u[4] ^= u[6]) ^ (v[2] ^= v[4]); w[7] = (u[5] ^= u[7]) ^ (v[3] ^= v[5]); } } /* step hash function: x(block, hash) := psi^61(hash xor psi(block xor psi^12(S))) */ /* 12 rounds of the LFSR and xor in */ u[0] = block[0] ^ s[6]; u[1] = block[1] ^ s[7]; u[2] = block[2] ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[0] & 0xffff) ^ (s[1] & 0xffff) ^ (s[1] >> 16) ^ (s[2] << 16) ^ s[6] ^ (s[6] << 16) ^ (s[7] & 0xffff0000) ^ (s[7] >> 16); u[3] = block[3] ^ (s[0] & 0xffff) ^ (s[0] << 16) ^ (s[1] & 0xffff) ^ (s[1] << 16) ^ (s[1] >> 16) ^ (s[2] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ s[6] ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16); u[4] = block[4] ^ (s[0] & 0xffff0000) ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[1] & 0xffff0000) ^ (s[1] >> 16) ^ (s[2] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16); u[5] = block[5] ^ (s[0] << 16) ^ (s[0] >> 16) ^ (s[0] & 0xffff0000) ^ (s[1] & 0xffff) ^ s[2] ^ (s[2] >> 16) ^ (s[3] << 16) ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff0000) ^ (s[7] << 16) ^ (s[7] >> 16); u[6] = block[6] ^ s[0] ^ (s[1] >> 16) ^ (s[2] << 16) ^ s[3] ^ (s[3] >> 16) ^ (s[4] << 16) ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[5] >> 16) ^ s[6] ^ (s[6] << 16) ^ (s[6] >> 16) ^ (s[7] << 16); u[7] = block[7] ^ (s[0] & 0xffff0000) ^ (s[0] << 16) ^ (s[1] & 0xffff) ^ (s[1] << 16) ^ (s[2] >> 16) ^ (s[3] << 16) ^ s[4] ^ (s[4] >> 16) ^ (s[5] << 16) ^ (s[5] >> 16) ^ (s[6] >> 16) ^ (s[7] & 0xffff) ^ (s[7] << 16) ^ (s[7] >> 16); /* 1 round of the LFSR (a mixing transformation) and xor with */ v[0] = ctx->hash[0] ^ (u[1] << 16) ^ (u[0] >> 16); v[1] = ctx->hash[1] ^ (u[2] << 16) ^ (u[1] >> 16); v[2] = ctx->hash[2] ^ (u[3] << 16) ^ (u[2] >> 16); v[3] = ctx->hash[3] ^ (u[4] << 16) ^ (u[3] >> 16); v[4] = ctx->hash[4] ^ (u[5] << 16) ^ (u[4] >> 16); v[5] = ctx->hash[5] ^ (u[6] << 16) ^ (u[5] >> 16); v[6] = ctx->hash[6] ^ (u[7] << 16) ^ (u[6] >> 16); v[7] = ctx-> hash[7] ^ (u[0] & 0xffff0000) ^ (u[0] << 16) ^ (u[1] & 0xffff0000) ^ (u[1] << 16) ^ (u[6] << 16) ^ (u[7] & 0xffff0000) ^ (u[7] >> 16); /* 61 rounds of LFSR, mixing up hash */ ctx->hash[0] = (v[0] & 0xffff0000) ^ (v[0] << 16) ^ (v[0] >> 16) ^ (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ (v[3] >> 16) ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] >> 16) ^ (v[7] << 16) ^ (v[7] >> 16) ^ (v[7] & 0xffff); ctx->hash[1] = (v[0] << 16) ^ (v[0] >> 16) ^ (v[0] & 0xffff0000) ^ (v[1] & 0xffff) ^ v[2] ^ (v[2] >> 16) ^ (v[3] << 16) ^ (v[4] >> 16) ^ (v[5] << 16) ^ (v[6] << 16) ^ v[6] ^ (v[7] & 0xffff0000) ^ (v[7] >> 16); ctx->hash[2] = (v[0] & 0xffff) ^ (v[0] << 16) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[6] ^ (v[6] >> 16) ^ (v[7] & 0xffff) ^ (v[7] << 16) ^ (v[7] >> 16); ctx->hash[3] = (v[0] << 16) ^ (v[0] >> 16) ^ (v[0] & 0xffff0000) ^ (v[1] & 0xffff0000) ^ (v[1] >> 16) ^ (v[2] << 16) ^ (v[2] >> 16) ^ v[2] ^ (v[3] << 16) ^ (v[4] >> 16) ^ v[4] ^ (v[5] << 16) ^ (v[6] << 16) ^ (v[7] & 0xffff) ^ (v[7] >> 16); ctx->hash[4] = (v[0] >> 16) ^ (v[1] << 16) ^ v[1] ^ (v[2] >> 16) ^ v[2] ^ (v[3] << 16) ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^ (v[7] << 16); ctx->hash[5] = (v[0] << 16) ^ (v[0] & 0xffff0000) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[1] & 0xffff0000) ^ (v[2] << 16) ^ v[2] ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ (v[4] >> 16) ^ v[4] ^ (v[5] << 16) ^ (v[6] << 16) ^ (v[6] >> 16) ^ v[6] ^ (v[7] << 16) ^ (v[7] >> 16) ^ (v[7] & 0xffff0000); ctx->hash[6] = v[0] ^ v[2] ^ (v[2] >> 16) ^ v[3] ^ (v[3] << 16) ^ v[4] ^ (v[4] >> 16) ^ (v[5] << 16) ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^ v[6] ^ (v[7] << 16) ^ v[7]; ctx->hash[7] = v[0] ^ (v[0] >> 16) ^ (v[1] << 16) ^ (v[1] >> 16) ^ (v[2] << 16) ^ (v[3] >> 16) ^ v[3] ^ (v[4] << 16) ^ v[4] ^ (v[5] >> 16) ^ v[5] ^ (v[6] << 16) ^ (v[6] >> 16) ^ (v[7] << 16) ^ v[7]; } /** * This function calculates hash value by 256-bit blocks. * It updates 256-bit check sum as follows: * *(uint256_t)(ctx->sum) += *(uint256_t*)block; * and then updates intermediate hash value ctx->hash * by calling gost_block_compress(). * * @param ctx algorithm context * @param block the 256-bit message block to process */ static void gost_compute_sum_and_hash (struct gosthash94_ctx *ctx, const uint8_t *block, const uint32_t sbox[4][256]) { uint32_t block_le[8]; unsigned i, carry; /* compute the 256-bit sum */ for (i = carry = 0; i < 8; i++, block += 4) { block_le[i] = LE_READ_UINT32(block); ctx->sum[i] += carry; carry = (ctx->sum[i] < carry); ctx->sum[i] += block_le[i]; carry += (ctx->sum[i] < block_le[i]); } /* update message hash */ gost_block_compress (ctx, block_le, sbox); } #define COMPRESS(ctx, block) gost_compute_sum_and_hash((ctx), (block), sbox); /** * Calculate message hash. * Can be called repeatedly with chunks of the message to be hashed. * * @param ctx the algorithm context containing current hashing state * @param msg message chunk * @param size length of the message chunk */ static void gosthash94_update_int (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg, const uint32_t sbox[4][256]) { MD_UPDATE(ctx, length, msg, COMPRESS, ctx->count++); } /** * Calculate message hash. * Can be called repeatedly with chunks of the message to be hashed. * * @param ctx the algorithm context containing current hashing state * @param msg message chunk * @param size length of the message chunk */ void gosthash94_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg) { gosthash94_update_int (ctx, length, msg, _nettle_gost28147_param_test_3411.sbox); } /** * Calculate message hash. * Can be called repeatedly with chunks of the message to be hashed. * * @param ctx the algorithm context containing current hashing state * @param msg message chunk * @param size length of the message chunk */ void gosthash94cp_update (struct gosthash94_ctx *ctx, size_t length, const uint8_t *msg) { gosthash94_update_int (ctx, length, msg, _nettle_gost28147_param_CryptoPro_3411.sbox); } /** * Finish hashing and store message digest into given array. * * @param ctx the algorithm context containing current hashing state * @param result calculated hash in binary form */ static void gosthash94_write_digest (struct gosthash94_ctx *ctx, size_t length, uint8_t *result, const uint32_t sbox[4][256]) { uint32_t msg32[GOSTHASH94_BLOCK_SIZE / 4]; assert(length <= GOSTHASH94_DIGEST_SIZE); /* pad the last block with zeroes and hash it */ if (ctx->index > 0) { memset (ctx->block + ctx->index, 0, GOSTHASH94_BLOCK_SIZE - ctx->index); gost_compute_sum_and_hash (ctx, ctx->block, sbox); } /* hash the message length and the sum */ msg32[0] = (ctx->count << 8) | (ctx->index << 3); msg32[1] = ctx->count >> 24; memset (msg32 + 2, 0, sizeof (uint32_t) * 6); gost_block_compress (ctx, msg32, sbox); gost_block_compress (ctx, ctx->sum, sbox); /* convert hash state to result bytes */ _nettle_write_le32(length, result, ctx->hash); gosthash94_init (ctx); } void gosthash94_digest (struct gosthash94_ctx *ctx, size_t length, uint8_t *result) { gosthash94_write_digest (ctx, length, result, _nettle_gost28147_param_test_3411.sbox); } void gosthash94cp_digest (struct gosthash94_ctx *ctx, size_t length, uint8_t *result) { gosthash94_write_digest (ctx, length, result, _nettle_gost28147_param_CryptoPro_3411.sbox); } nettle-3.10/cfb.c0000644000175000017500000001351514633602171012662 0ustar nissenisse/* cfb.c Cipher feedback mode. Copyright (C) 2015, 2017 Dmitry Eremin-Solenikov Copyright (C) 2001, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cfb.h" #include "memxor.h" #include "nettle-internal.h" void cfb_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { uint8_t *p; TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size); if (src != dst) { for (p = iv; length >= block_size; p = dst, dst += block_size, src += block_size, length -= block_size) { f(ctx, block_size, dst, p); memxor(dst, src, block_size); } } else { for (p = iv; length >= block_size; p = dst, dst += block_size, src += block_size, length -= block_size) { f(ctx, block_size, buffer, p); memxor(dst, buffer, block_size); } } if (p != iv) memcpy(iv, p, block_size); if (length) { f(ctx, block_size, buffer, iv); memxor3(dst, buffer, src, length); /* We do not care about updating IV here. This is the last call in * message sequence and one has to set IV afterwards anyway */ } } /* Don't allocate any more space than this on the stack */ #define CFB_BUFFER_LIMIT 512 void cfb_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { if (src != dst) { size_t left = length % block_size; length -= left; if (length > 0) { /* Decrypt in ECB mode */ f(ctx, block_size, dst, iv); f(ctx, length - block_size, dst + block_size, src); memcpy(iv, src + length - block_size, block_size); memxor(dst, src, length); } if (left > 0) { TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size); f(ctx, block_size, buffer, iv); memxor3(dst + length, src + length, buffer, left); } } else { /* For in-place CFB, we decrypt into a temporary buffer of size * at most CFB_BUFFER_LIMIT, and process that amount of data at * a time. */ /* NOTE: We assume that block_size <= CFB_BUFFER_LIMIT */ TMP_DECL(buffer, uint8_t, CFB_BUFFER_LIMIT); TMP_DECL(initial_iv, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); size_t buffer_size; size_t left; buffer_size = CFB_BUFFER_LIMIT - (CFB_BUFFER_LIMIT % block_size); TMP_ALLOC(buffer, buffer_size); TMP_ALLOC(initial_iv, block_size); left = length % block_size; length -= left; while (length > 0) { size_t part = length > buffer_size ? buffer_size : length; /* length is greater that zero and is divided by block_size, so it is * not less than block_size. So does part */ f(ctx, block_size, buffer, iv); f(ctx, part - block_size, buffer + block_size, dst); memcpy(iv, dst + part - block_size, block_size); memxor(dst, buffer, part); length -= part; dst += part; } if (left > 0) { f(ctx, block_size, buffer, iv); memxor(dst, buffer, left); } } } /* CFB-8 uses slight optimization: it encrypts or decrypts up to block_size * bytes and does memcpy/memxor afterwards */ void cfb8_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); TMP_ALLOC(buffer, block_size * 2); TMP_ALLOC(outbuf, block_size); uint8_t pos; memcpy(buffer, iv, block_size); pos = 0; while (length) { uint8_t t; if (pos == block_size) { memcpy(buffer, buffer + block_size, block_size); pos = 0; } f(ctx, block_size, outbuf, buffer + pos); t = *(dst++) = *(src++) ^ outbuf[0]; buffer[pos + block_size] = t; length--; pos ++; } memcpy(iv, buffer + pos, block_size); } void cfb8_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { TMP_DECL(buffer, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); TMP_DECL(outbuf, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE * 2); TMP_ALLOC(buffer, block_size * 2); TMP_ALLOC(outbuf, block_size * 2); uint8_t i = 0; memcpy(buffer, iv, block_size); memcpy(buffer + block_size, src, length < block_size ? length : block_size); while (length) { for (i = 0; i < length && i < block_size; i++) f(ctx, block_size, outbuf + i, buffer + i); memxor3(dst, src, outbuf, i); length -= i; src += i; dst += i; if (i == block_size) { memcpy(buffer, buffer + block_size, block_size); memcpy(buffer + block_size, src, length < block_size ? length : block_size); } } memcpy(iv, buffer + i, block_size); } nettle-3.10/streebog-meta.c0000644000175000017500000000241614633602171014664 0ustar nissenisse/* streebog-meta.c Copyright (C) 2020 Dmitry Baryshkov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "streebog.h" const struct nettle_hash nettle_streebog512 = _NETTLE_HASH(streebog512, STREEBOG512); const struct nettle_hash nettle_streebog256 = _NETTLE_HASH(streebog256, STREEBOG256); nettle-3.10/rsa2sexp.c0000644000175000017500000000322614633602171013675 0ustar nissenisse/* rsa2sexp.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "sexp.h" int rsa_keypair_to_sexp(struct nettle_buffer *buffer, const char *algorithm_name, const struct rsa_public_key *pub, const struct rsa_private_key *priv) { if (!algorithm_name) algorithm_name = "rsa-pkcs1"; if (priv) return sexp_format(buffer, "(private-key(%0s(n%b)(e%b)" "(d%b)(p%b)(q%b)(a%b)(b%b)(c%b)))", algorithm_name, pub->n, pub->e, priv->d, priv->p, priv->q, priv->a, priv->b, priv->c); else return sexp_format(buffer, "(public-key(%0s(n%b)(e%b)))", algorithm_name, pub->n, pub->e); } nettle-3.10/base64-decode.c0000644000175000017500000000766014633602171014441 0ustar nissenisse/* base64-encode.c Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "base64.h" #define TABLE_INVALID -1 #define TABLE_SPACE -2 #define TABLE_END -3 void base64_decode_init(struct base64_decode_ctx *ctx) { static const signed char base64_decode_table[0x100] = { /* White space is HT, VT, FF, CR, LF and SPC */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -3, -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; ctx->word = ctx->bits = ctx->padding = 0; ctx->table = base64_decode_table; } int base64_decode_single(struct base64_decode_ctx *ctx, uint8_t *dst, char src) { int data = ctx->table[(uint8_t) src]; switch(data) { default: assert(data >= 0 && data < 0x40); if (ctx->padding) return -1; ctx->word = ctx->word << 6 | data; ctx->bits += 6; if (ctx->bits >= 8) { ctx->bits -= 8; dst[0] = ctx->word >> ctx->bits; return 1; } else return 0; case TABLE_INVALID: return -1; case TABLE_SPACE: return 0; case TABLE_END: /* There can be at most two padding characters. */ if (!ctx->bits || ctx->padding > 2) return -1; if (ctx->word & ( (1<bits) - 1)) /* We shouldn't have any leftover bits */ return -1; ctx->padding++; ctx->bits -= 2; return 0; } } int base64_decode_update(struct base64_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src) { size_t done; size_t i; for (i = 0, done = 0; ibits == 0; } nettle-3.10/gost28147.c0000644000175000017500000007501314633602171013513 0ustar nissenisse/* gost28147.c - GOST 28147-89 cipher implementation * * based on Russian standard GOST 28147-89 * For English description, check RFC 5830. * S-Boxes are expanded from the tables defined in RFC4357: * https://tools.ietf.org/html/rfc4357 * * Copyright: 2019 Dmitry Eremin-Solenikov * Copyright: 2009-2012 Aleksey Kravchenko * * Permission is hereby granted, free of charge, to any person obtaining a * copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */ #if HAVE_CONFIG_H #include "config.h" #endif #include "macros.h" #include "gost28147-internal.h" /* pre-initialized GOST lookup tables based on rotated S-Box */ const struct gost28147_param _nettle_gost28147_param_test_3411 = { { { /* 0 */ 0x00072000, 0x00075000, 0x00074800, 0x00071000, 0x00076800, 0x00074000, 0x00070000, 0x00077000, 0x00073000, 0x00075800, 0x00070800, 0x00076000, 0x00073800, 0x00077800, 0x00072800, 0x00071800, 0x0005a000, 0x0005d000, 0x0005c800, 0x00059000, 0x0005e800, 0x0005c000, 0x00058000, 0x0005f000, 0x0005b000, 0x0005d800, 0x00058800, 0x0005e000, 0x0005b800, 0x0005f800, 0x0005a800, 0x00059800, 0x00022000, 0x00025000, 0x00024800, 0x00021000, 0x00026800, 0x00024000, 0x00020000, 0x00027000, 0x00023000, 0x00025800, 0x00020800, 0x00026000, 0x00023800, 0x00027800, 0x00022800, 0x00021800, 0x00062000, 0x00065000, 0x00064800, 0x00061000, 0x00066800, 0x00064000, 0x00060000, 0x00067000, 0x00063000, 0x00065800, 0x00060800, 0x00066000, 0x00063800, 0x00067800, 0x00062800, 0x00061800, 0x00032000, 0x00035000, 0x00034800, 0x00031000, 0x00036800, 0x00034000, 0x00030000, 0x00037000, 0x00033000, 0x00035800, 0x00030800, 0x00036000, 0x00033800, 0x00037800, 0x00032800, 0x00031800, 0x0006a000, 0x0006d000, 0x0006c800, 0x00069000, 0x0006e800, 0x0006c000, 0x00068000, 0x0006f000, 0x0006b000, 0x0006d800, 0x00068800, 0x0006e000, 0x0006b800, 0x0006f800, 0x0006a800, 0x00069800, 0x0007a000, 0x0007d000, 0x0007c800, 0x00079000, 0x0007e800, 0x0007c000, 0x00078000, 0x0007f000, 0x0007b000, 0x0007d800, 0x00078800, 0x0007e000, 0x0007b800, 0x0007f800, 0x0007a800, 0x00079800, 0x00052000, 0x00055000, 0x00054800, 0x00051000, 0x00056800, 0x00054000, 0x00050000, 0x00057000, 0x00053000, 0x00055800, 0x00050800, 0x00056000, 0x00053800, 0x00057800, 0x00052800, 0x00051800, 0x00012000, 0x00015000, 0x00014800, 0x00011000, 0x00016800, 0x00014000, 0x00010000, 0x00017000, 0x00013000, 0x00015800, 0x00010800, 0x00016000, 0x00013800, 0x00017800, 0x00012800, 0x00011800, 0x0001a000, 0x0001d000, 0x0001c800, 0x00019000, 0x0001e800, 0x0001c000, 0x00018000, 0x0001f000, 0x0001b000, 0x0001d800, 0x00018800, 0x0001e000, 0x0001b800, 0x0001f800, 0x0001a800, 0x00019800, 0x00042000, 0x00045000, 0x00044800, 0x00041000, 0x00046800, 0x00044000, 0x00040000, 0x00047000, 0x00043000, 0x00045800, 0x00040800, 0x00046000, 0x00043800, 0x00047800, 0x00042800, 0x00041800, 0x0000a000, 0x0000d000, 0x0000c800, 0x00009000, 0x0000e800, 0x0000c000, 0x00008000, 0x0000f000, 0x0000b000, 0x0000d800, 0x00008800, 0x0000e000, 0x0000b800, 0x0000f800, 0x0000a800, 0x00009800, 0x00002000, 0x00005000, 0x00004800, 0x00001000, 0x00006800, 0x00004000, 0x00000000, 0x00007000, 0x00003000, 0x00005800, 0x00000800, 0x00006000, 0x00003800, 0x00007800, 0x00002800, 0x00001800, 0x0003a000, 0x0003d000, 0x0003c800, 0x00039000, 0x0003e800, 0x0003c000, 0x00038000, 0x0003f000, 0x0003b000, 0x0003d800, 0x00038800, 0x0003e000, 0x0003b800, 0x0003f800, 0x0003a800, 0x00039800, 0x0002a000, 0x0002d000, 0x0002c800, 0x00029000, 0x0002e800, 0x0002c000, 0x00028000, 0x0002f000, 0x0002b000, 0x0002d800, 0x00028800, 0x0002e000, 0x0002b800, 0x0002f800, 0x0002a800, 0x00029800, 0x0004a000, 0x0004d000, 0x0004c800, 0x00049000, 0x0004e800, 0x0004c000, 0x00048000, 0x0004f000, 0x0004b000, 0x0004d800, 0x00048800, 0x0004e000, 0x0004b800, 0x0004f800, 0x0004a800, 0x00049800, }, { /* 1 */ 0x03a80000, 0x03c00000, 0x03880000, 0x03e80000, 0x03d00000, 0x03980000, 0x03a00000, 0x03900000, 0x03f00000, 0x03f80000, 0x03e00000, 0x03b80000, 0x03b00000, 0x03800000, 0x03c80000, 0x03d80000, 0x06a80000, 0x06c00000, 0x06880000, 0x06e80000, 0x06d00000, 0x06980000, 0x06a00000, 0x06900000, 0x06f00000, 0x06f80000, 0x06e00000, 0x06b80000, 0x06b00000, 0x06800000, 0x06c80000, 0x06d80000, 0x05280000, 0x05400000, 0x05080000, 0x05680000, 0x05500000, 0x05180000, 0x05200000, 0x05100000, 0x05700000, 0x05780000, 0x05600000, 0x05380000, 0x05300000, 0x05000000, 0x05480000, 0x05580000, 0x00a80000, 0x00c00000, 0x00880000, 0x00e80000, 0x00d00000, 0x00980000, 0x00a00000, 0x00900000, 0x00f00000, 0x00f80000, 0x00e00000, 0x00b80000, 0x00b00000, 0x00800000, 0x00c80000, 0x00d80000, 0x00280000, 0x00400000, 0x00080000, 0x00680000, 0x00500000, 0x00180000, 0x00200000, 0x00100000, 0x00700000, 0x00780000, 0x00600000, 0x00380000, 0x00300000, 0x00000000, 0x00480000, 0x00580000, 0x04280000, 0x04400000, 0x04080000, 0x04680000, 0x04500000, 0x04180000, 0x04200000, 0x04100000, 0x04700000, 0x04780000, 0x04600000, 0x04380000, 0x04300000, 0x04000000, 0x04480000, 0x04580000, 0x04a80000, 0x04c00000, 0x04880000, 0x04e80000, 0x04d00000, 0x04980000, 0x04a00000, 0x04900000, 0x04f00000, 0x04f80000, 0x04e00000, 0x04b80000, 0x04b00000, 0x04800000, 0x04c80000, 0x04d80000, 0x07a80000, 0x07c00000, 0x07880000, 0x07e80000, 0x07d00000, 0x07980000, 0x07a00000, 0x07900000, 0x07f00000, 0x07f80000, 0x07e00000, 0x07b80000, 0x07b00000, 0x07800000, 0x07c80000, 0x07d80000, 0x07280000, 0x07400000, 0x07080000, 0x07680000, 0x07500000, 0x07180000, 0x07200000, 0x07100000, 0x07700000, 0x07780000, 0x07600000, 0x07380000, 0x07300000, 0x07000000, 0x07480000, 0x07580000, 0x02280000, 0x02400000, 0x02080000, 0x02680000, 0x02500000, 0x02180000, 0x02200000, 0x02100000, 0x02700000, 0x02780000, 0x02600000, 0x02380000, 0x02300000, 0x02000000, 0x02480000, 0x02580000, 0x03280000, 0x03400000, 0x03080000, 0x03680000, 0x03500000, 0x03180000, 0x03200000, 0x03100000, 0x03700000, 0x03780000, 0x03600000, 0x03380000, 0x03300000, 0x03000000, 0x03480000, 0x03580000, 0x06280000, 0x06400000, 0x06080000, 0x06680000, 0x06500000, 0x06180000, 0x06200000, 0x06100000, 0x06700000, 0x06780000, 0x06600000, 0x06380000, 0x06300000, 0x06000000, 0x06480000, 0x06580000, 0x05a80000, 0x05c00000, 0x05880000, 0x05e80000, 0x05d00000, 0x05980000, 0x05a00000, 0x05900000, 0x05f00000, 0x05f80000, 0x05e00000, 0x05b80000, 0x05b00000, 0x05800000, 0x05c80000, 0x05d80000, 0x01280000, 0x01400000, 0x01080000, 0x01680000, 0x01500000, 0x01180000, 0x01200000, 0x01100000, 0x01700000, 0x01780000, 0x01600000, 0x01380000, 0x01300000, 0x01000000, 0x01480000, 0x01580000, 0x02a80000, 0x02c00000, 0x02880000, 0x02e80000, 0x02d00000, 0x02980000, 0x02a00000, 0x02900000, 0x02f00000, 0x02f80000, 0x02e00000, 0x02b80000, 0x02b00000, 0x02800000, 0x02c80000, 0x02d80000, 0x01a80000, 0x01c00000, 0x01880000, 0x01e80000, 0x01d00000, 0x01980000, 0x01a00000, 0x01900000, 0x01f00000, 0x01f80000, 0x01e00000, 0x01b80000, 0x01b00000, 0x01800000, 0x01c80000, 0x01d80000, }, { /* 2 */ 0x30000002, 0x60000002, 0x38000002, 0x08000002, 0x28000002, 0x78000002, 0x68000002, 0x40000002, 0x20000002, 0x50000002, 0x48000002, 0x70000002, 0x00000002, 0x18000002, 0x58000002, 0x10000002, 0xb0000005, 0xe0000005, 0xb8000005, 0x88000005, 0xa8000005, 0xf8000005, 0xe8000005, 0xc0000005, 0xa0000005, 0xd0000005, 0xc8000005, 0xf0000005, 0x80000005, 0x98000005, 0xd8000005, 0x90000005, 0x30000005, 0x60000005, 0x38000005, 0x08000005, 0x28000005, 0x78000005, 0x68000005, 0x40000005, 0x20000005, 0x50000005, 0x48000005, 0x70000005, 0x00000005, 0x18000005, 0x58000005, 0x10000005, 0x30000000, 0x60000000, 0x38000000, 0x08000000, 0x28000000, 0x78000000, 0x68000000, 0x40000000, 0x20000000, 0x50000000, 0x48000000, 0x70000000, 0x00000000, 0x18000000, 0x58000000, 0x10000000, 0xb0000003, 0xe0000003, 0xb8000003, 0x88000003, 0xa8000003, 0xf8000003, 0xe8000003, 0xc0000003, 0xa0000003, 0xd0000003, 0xc8000003, 0xf0000003, 0x80000003, 0x98000003, 0xd8000003, 0x90000003, 0x30000001, 0x60000001, 0x38000001, 0x08000001, 0x28000001, 0x78000001, 0x68000001, 0x40000001, 0x20000001, 0x50000001, 0x48000001, 0x70000001, 0x00000001, 0x18000001, 0x58000001, 0x10000001, 0xb0000000, 0xe0000000, 0xb8000000, 0x88000000, 0xa8000000, 0xf8000000, 0xe8000000, 0xc0000000, 0xa0000000, 0xd0000000, 0xc8000000, 0xf0000000, 0x80000000, 0x98000000, 0xd8000000, 0x90000000, 0xb0000006, 0xe0000006, 0xb8000006, 0x88000006, 0xa8000006, 0xf8000006, 0xe8000006, 0xc0000006, 0xa0000006, 0xd0000006, 0xc8000006, 0xf0000006, 0x80000006, 0x98000006, 0xd8000006, 0x90000006, 0xb0000001, 0xe0000001, 0xb8000001, 0x88000001, 0xa8000001, 0xf8000001, 0xe8000001, 0xc0000001, 0xa0000001, 0xd0000001, 0xc8000001, 0xf0000001, 0x80000001, 0x98000001, 0xd8000001, 0x90000001, 0x30000003, 0x60000003, 0x38000003, 0x08000003, 0x28000003, 0x78000003, 0x68000003, 0x40000003, 0x20000003, 0x50000003, 0x48000003, 0x70000003, 0x00000003, 0x18000003, 0x58000003, 0x10000003, 0x30000004, 0x60000004, 0x38000004, 0x08000004, 0x28000004, 0x78000004, 0x68000004, 0x40000004, 0x20000004, 0x50000004, 0x48000004, 0x70000004, 0x00000004, 0x18000004, 0x58000004, 0x10000004, 0xb0000002, 0xe0000002, 0xb8000002, 0x88000002, 0xa8000002, 0xf8000002, 0xe8000002, 0xc0000002, 0xa0000002, 0xd0000002, 0xc8000002, 0xf0000002, 0x80000002, 0x98000002, 0xd8000002, 0x90000002, 0xb0000004, 0xe0000004, 0xb8000004, 0x88000004, 0xa8000004, 0xf8000004, 0xe8000004, 0xc0000004, 0xa0000004, 0xd0000004, 0xc8000004, 0xf0000004, 0x80000004, 0x98000004, 0xd8000004, 0x90000004, 0x30000006, 0x60000006, 0x38000006, 0x08000006, 0x28000006, 0x78000006, 0x68000006, 0x40000006, 0x20000006, 0x50000006, 0x48000006, 0x70000006, 0x00000006, 0x18000006, 0x58000006, 0x10000006, 0xb0000007, 0xe0000007, 0xb8000007, 0x88000007, 0xa8000007, 0xf8000007, 0xe8000007, 0xc0000007, 0xa0000007, 0xd0000007, 0xc8000007, 0xf0000007, 0x80000007, 0x98000007, 0xd8000007, 0x90000007, 0x30000007, 0x60000007, 0x38000007, 0x08000007, 0x28000007, 0x78000007, 0x68000007, 0x40000007, 0x20000007, 0x50000007, 0x48000007, 0x70000007, 0x00000007, 0x18000007, 0x58000007, 0x10000007, }, { /* 3 */ 0x000000e8, 0x000000d8, 0x000000a0, 0x00000088, 0x00000098, 0x000000f8, 0x000000a8, 0x000000c8, 0x00000080, 0x000000d0, 0x000000f0, 0x000000b8, 0x000000b0, 0x000000c0, 0x00000090, 0x000000e0, 0x000007e8, 0x000007d8, 0x000007a0, 0x00000788, 0x00000798, 0x000007f8, 0x000007a8, 0x000007c8, 0x00000780, 0x000007d0, 0x000007f0, 0x000007b8, 0x000007b0, 0x000007c0, 0x00000790, 0x000007e0, 0x000006e8, 0x000006d8, 0x000006a0, 0x00000688, 0x00000698, 0x000006f8, 0x000006a8, 0x000006c8, 0x00000680, 0x000006d0, 0x000006f0, 0x000006b8, 0x000006b0, 0x000006c0, 0x00000690, 0x000006e0, 0x00000068, 0x00000058, 0x00000020, 0x00000008, 0x00000018, 0x00000078, 0x00000028, 0x00000048, 0x00000000, 0x00000050, 0x00000070, 0x00000038, 0x00000030, 0x00000040, 0x00000010, 0x00000060, 0x000002e8, 0x000002d8, 0x000002a0, 0x00000288, 0x00000298, 0x000002f8, 0x000002a8, 0x000002c8, 0x00000280, 0x000002d0, 0x000002f0, 0x000002b8, 0x000002b0, 0x000002c0, 0x00000290, 0x000002e0, 0x000003e8, 0x000003d8, 0x000003a0, 0x00000388, 0x00000398, 0x000003f8, 0x000003a8, 0x000003c8, 0x00000380, 0x000003d0, 0x000003f0, 0x000003b8, 0x000003b0, 0x000003c0, 0x00000390, 0x000003e0, 0x00000568, 0x00000558, 0x00000520, 0x00000508, 0x00000518, 0x00000578, 0x00000528, 0x00000548, 0x00000500, 0x00000550, 0x00000570, 0x00000538, 0x00000530, 0x00000540, 0x00000510, 0x00000560, 0x00000268, 0x00000258, 0x00000220, 0x00000208, 0x00000218, 0x00000278, 0x00000228, 0x00000248, 0x00000200, 0x00000250, 0x00000270, 0x00000238, 0x00000230, 0x00000240, 0x00000210, 0x00000260, 0x000004e8, 0x000004d8, 0x000004a0, 0x00000488, 0x00000498, 0x000004f8, 0x000004a8, 0x000004c8, 0x00000480, 0x000004d0, 0x000004f0, 0x000004b8, 0x000004b0, 0x000004c0, 0x00000490, 0x000004e0, 0x00000168, 0x00000158, 0x00000120, 0x00000108, 0x00000118, 0x00000178, 0x00000128, 0x00000148, 0x00000100, 0x00000150, 0x00000170, 0x00000138, 0x00000130, 0x00000140, 0x00000110, 0x00000160, 0x000001e8, 0x000001d8, 0x000001a0, 0x00000188, 0x00000198, 0x000001f8, 0x000001a8, 0x000001c8, 0x00000180, 0x000001d0, 0x000001f0, 0x000001b8, 0x000001b0, 0x000001c0, 0x00000190, 0x000001e0, 0x00000768, 0x00000758, 0x00000720, 0x00000708, 0x00000718, 0x00000778, 0x00000728, 0x00000748, 0x00000700, 0x00000750, 0x00000770, 0x00000738, 0x00000730, 0x00000740, 0x00000710, 0x00000760, 0x00000368, 0x00000358, 0x00000320, 0x00000308, 0x00000318, 0x00000378, 0x00000328, 0x00000348, 0x00000300, 0x00000350, 0x00000370, 0x00000338, 0x00000330, 0x00000340, 0x00000310, 0x00000360, 0x000005e8, 0x000005d8, 0x000005a0, 0x00000588, 0x00000598, 0x000005f8, 0x000005a8, 0x000005c8, 0x00000580, 0x000005d0, 0x000005f0, 0x000005b8, 0x000005b0, 0x000005c0, 0x00000590, 0x000005e0, 0x00000468, 0x00000458, 0x00000420, 0x00000408, 0x00000418, 0x00000478, 0x00000428, 0x00000448, 0x00000400, 0x00000450, 0x00000470, 0x00000438, 0x00000430, 0x00000440, 0x00000410, 0x00000460, 0x00000668, 0x00000658, 0x00000620, 0x00000608, 0x00000618, 0x00000678, 0x00000628, 0x00000648, 0x00000600, 0x00000650, 0x00000670, 0x00000638, 0x00000630, 0x00000640, 0x00000610, 0x00000660, } } }; const struct gost28147_param _nettle_gost28147_param_CryptoPro_3411 = { { { /* 0 */ 0x0002d000, 0x0002a000, 0x0002a800, 0x0002b000, 0x0002c000, 0x00028800, 0x00029800, 0x0002b800, 0x0002e800, 0x0002e000, 0x0002f000, 0x00028000, 0x0002c800, 0x00029000, 0x0002d800, 0x0002f800, 0x0007d000, 0x0007a000, 0x0007a800, 0x0007b000, 0x0007c000, 0x00078800, 0x00079800, 0x0007b800, 0x0007e800, 0x0007e000, 0x0007f000, 0x00078000, 0x0007c800, 0x00079000, 0x0007d800, 0x0007f800, 0x00025000, 0x00022000, 0x00022800, 0x00023000, 0x00024000, 0x00020800, 0x00021800, 0x00023800, 0x00026800, 0x00026000, 0x00027000, 0x00020000, 0x00024800, 0x00021000, 0x00025800, 0x00027800, 0x00005000, 0x00002000, 0x00002800, 0x00003000, 0x00004000, 0x00000800, 0x00001800, 0x00003800, 0x00006800, 0x00006000, 0x00007000, 0x00000000, 0x00004800, 0x00001000, 0x00005800, 0x00007800, 0x00015000, 0x00012000, 0x00012800, 0x00013000, 0x00014000, 0x00010800, 0x00011800, 0x00013800, 0x00016800, 0x00016000, 0x00017000, 0x00010000, 0x00014800, 0x00011000, 0x00015800, 0x00017800, 0x0006d000, 0x0006a000, 0x0006a800, 0x0006b000, 0x0006c000, 0x00068800, 0x00069800, 0x0006b800, 0x0006e800, 0x0006e000, 0x0006f000, 0x00068000, 0x0006c800, 0x00069000, 0x0006d800, 0x0006f800, 0x0005d000, 0x0005a000, 0x0005a800, 0x0005b000, 0x0005c000, 0x00058800, 0x00059800, 0x0005b800, 0x0005e800, 0x0005e000, 0x0005f000, 0x00058000, 0x0005c800, 0x00059000, 0x0005d800, 0x0005f800, 0x0004d000, 0x0004a000, 0x0004a800, 0x0004b000, 0x0004c000, 0x00048800, 0x00049800, 0x0004b800, 0x0004e800, 0x0004e000, 0x0004f000, 0x00048000, 0x0004c800, 0x00049000, 0x0004d800, 0x0004f800, 0x0000d000, 0x0000a000, 0x0000a800, 0x0000b000, 0x0000c000, 0x00008800, 0x00009800, 0x0000b800, 0x0000e800, 0x0000e000, 0x0000f000, 0x00008000, 0x0000c800, 0x00009000, 0x0000d800, 0x0000f800, 0x0003d000, 0x0003a000, 0x0003a800, 0x0003b000, 0x0003c000, 0x00038800, 0x00039800, 0x0003b800, 0x0003e800, 0x0003e000, 0x0003f000, 0x00038000, 0x0003c800, 0x00039000, 0x0003d800, 0x0003f800, 0x00035000, 0x00032000, 0x00032800, 0x00033000, 0x00034000, 0x00030800, 0x00031800, 0x00033800, 0x00036800, 0x00036000, 0x00037000, 0x00030000, 0x00034800, 0x00031000, 0x00035800, 0x00037800, 0x0001d000, 0x0001a000, 0x0001a800, 0x0001b000, 0x0001c000, 0x00018800, 0x00019800, 0x0001b800, 0x0001e800, 0x0001e000, 0x0001f000, 0x00018000, 0x0001c800, 0x00019000, 0x0001d800, 0x0001f800, 0x00065000, 0x00062000, 0x00062800, 0x00063000, 0x00064000, 0x00060800, 0x00061800, 0x00063800, 0x00066800, 0x00066000, 0x00067000, 0x00060000, 0x00064800, 0x00061000, 0x00065800, 0x00067800, 0x00075000, 0x00072000, 0x00072800, 0x00073000, 0x00074000, 0x00070800, 0x00071800, 0x00073800, 0x00076800, 0x00076000, 0x00077000, 0x00070000, 0x00074800, 0x00071000, 0x00075800, 0x00077800, 0x00055000, 0x00052000, 0x00052800, 0x00053000, 0x00054000, 0x00050800, 0x00051800, 0x00053800, 0x00056800, 0x00056000, 0x00057000, 0x00050000, 0x00054800, 0x00051000, 0x00055800, 0x00057800, 0x00045000, 0x00042000, 0x00042800, 0x00043000, 0x00044000, 0x00040800, 0x00041800, 0x00043800, 0x00046800, 0x00046000, 0x00047000, 0x00040000, 0x00044800, 0x00041000, 0x00045800, 0x00047800, }, { /* 1 */ 0x02380000, 0x02780000, 0x02600000, 0x02700000, 0x02480000, 0x02200000, 0x02080000, 0x02000000, 0x02180000, 0x02580000, 0x02280000, 0x02100000, 0x02300000, 0x02500000, 0x02400000, 0x02680000, 0x05380000, 0x05780000, 0x05600000, 0x05700000, 0x05480000, 0x05200000, 0x05080000, 0x05000000, 0x05180000, 0x05580000, 0x05280000, 0x05100000, 0x05300000, 0x05500000, 0x05400000, 0x05680000, 0x03b80000, 0x03f80000, 0x03e00000, 0x03f00000, 0x03c80000, 0x03a00000, 0x03880000, 0x03800000, 0x03980000, 0x03d80000, 0x03a80000, 0x03900000, 0x03b00000, 0x03d00000, 0x03c00000, 0x03e80000, 0x06380000, 0x06780000, 0x06600000, 0x06700000, 0x06480000, 0x06200000, 0x06080000, 0x06000000, 0x06180000, 0x06580000, 0x06280000, 0x06100000, 0x06300000, 0x06500000, 0x06400000, 0x06680000, 0x00380000, 0x00780000, 0x00600000, 0x00700000, 0x00480000, 0x00200000, 0x00080000, 0x00000000, 0x00180000, 0x00580000, 0x00280000, 0x00100000, 0x00300000, 0x00500000, 0x00400000, 0x00680000, 0x07b80000, 0x07f80000, 0x07e00000, 0x07f00000, 0x07c80000, 0x07a00000, 0x07880000, 0x07800000, 0x07980000, 0x07d80000, 0x07a80000, 0x07900000, 0x07b00000, 0x07d00000, 0x07c00000, 0x07e80000, 0x01380000, 0x01780000, 0x01600000, 0x01700000, 0x01480000, 0x01200000, 0x01080000, 0x01000000, 0x01180000, 0x01580000, 0x01280000, 0x01100000, 0x01300000, 0x01500000, 0x01400000, 0x01680000, 0x04380000, 0x04780000, 0x04600000, 0x04700000, 0x04480000, 0x04200000, 0x04080000, 0x04000000, 0x04180000, 0x04580000, 0x04280000, 0x04100000, 0x04300000, 0x04500000, 0x04400000, 0x04680000, 0x07380000, 0x07780000, 0x07600000, 0x07700000, 0x07480000, 0x07200000, 0x07080000, 0x07000000, 0x07180000, 0x07580000, 0x07280000, 0x07100000, 0x07300000, 0x07500000, 0x07400000, 0x07680000, 0x00b80000, 0x00f80000, 0x00e00000, 0x00f00000, 0x00c80000, 0x00a00000, 0x00880000, 0x00800000, 0x00980000, 0x00d80000, 0x00a80000, 0x00900000, 0x00b00000, 0x00d00000, 0x00c00000, 0x00e80000, 0x03380000, 0x03780000, 0x03600000, 0x03700000, 0x03480000, 0x03200000, 0x03080000, 0x03000000, 0x03180000, 0x03580000, 0x03280000, 0x03100000, 0x03300000, 0x03500000, 0x03400000, 0x03680000, 0x02b80000, 0x02f80000, 0x02e00000, 0x02f00000, 0x02c80000, 0x02a00000, 0x02880000, 0x02800000, 0x02980000, 0x02d80000, 0x02a80000, 0x02900000, 0x02b00000, 0x02d00000, 0x02c00000, 0x02e80000, 0x06b80000, 0x06f80000, 0x06e00000, 0x06f00000, 0x06c80000, 0x06a00000, 0x06880000, 0x06800000, 0x06980000, 0x06d80000, 0x06a80000, 0x06900000, 0x06b00000, 0x06d00000, 0x06c00000, 0x06e80000, 0x05b80000, 0x05f80000, 0x05e00000, 0x05f00000, 0x05c80000, 0x05a00000, 0x05880000, 0x05800000, 0x05980000, 0x05d80000, 0x05a80000, 0x05900000, 0x05b00000, 0x05d00000, 0x05c00000, 0x05e80000, 0x04b80000, 0x04f80000, 0x04e00000, 0x04f00000, 0x04c80000, 0x04a00000, 0x04880000, 0x04800000, 0x04980000, 0x04d80000, 0x04a80000, 0x04900000, 0x04b00000, 0x04d00000, 0x04c00000, 0x04e80000, 0x01b80000, 0x01f80000, 0x01e00000, 0x01f00000, 0x01c80000, 0x01a00000, 0x01880000, 0x01800000, 0x01980000, 0x01d80000, 0x01a80000, 0x01900000, 0x01b00000, 0x01d00000, 0x01c00000, 0x01e80000, }, { /* 2 */ 0xb8000003, 0xb0000003, 0xa0000003, 0xd8000003, 0xc8000003, 0xe0000003, 0x90000003, 0xd0000003, 0x88000003, 0xc0000003, 0x80000003, 0xf0000003, 0xf8000003, 0xe8000003, 0x98000003, 0xa8000003, 0x38000003, 0x30000003, 0x20000003, 0x58000003, 0x48000003, 0x60000003, 0x10000003, 0x50000003, 0x08000003, 0x40000003, 0x00000003, 0x70000003, 0x78000003, 0x68000003, 0x18000003, 0x28000003, 0x38000001, 0x30000001, 0x20000001, 0x58000001, 0x48000001, 0x60000001, 0x10000001, 0x50000001, 0x08000001, 0x40000001, 0x00000001, 0x70000001, 0x78000001, 0x68000001, 0x18000001, 0x28000001, 0x38000002, 0x30000002, 0x20000002, 0x58000002, 0x48000002, 0x60000002, 0x10000002, 0x50000002, 0x08000002, 0x40000002, 0x00000002, 0x70000002, 0x78000002, 0x68000002, 0x18000002, 0x28000002, 0xb8000006, 0xb0000006, 0xa0000006, 0xd8000006, 0xc8000006, 0xe0000006, 0x90000006, 0xd0000006, 0x88000006, 0xc0000006, 0x80000006, 0xf0000006, 0xf8000006, 0xe8000006, 0x98000006, 0xa8000006, 0xb8000004, 0xb0000004, 0xa0000004, 0xd8000004, 0xc8000004, 0xe0000004, 0x90000004, 0xd0000004, 0x88000004, 0xc0000004, 0x80000004, 0xf0000004, 0xf8000004, 0xe8000004, 0x98000004, 0xa8000004, 0xb8000007, 0xb0000007, 0xa0000007, 0xd8000007, 0xc8000007, 0xe0000007, 0x90000007, 0xd0000007, 0x88000007, 0xc0000007, 0x80000007, 0xf0000007, 0xf8000007, 0xe8000007, 0x98000007, 0xa8000007, 0x38000000, 0x30000000, 0x20000000, 0x58000000, 0x48000000, 0x60000000, 0x10000000, 0x50000000, 0x08000000, 0x40000000, 0x00000000, 0x70000000, 0x78000000, 0x68000000, 0x18000000, 0x28000000, 0x38000005, 0x30000005, 0x20000005, 0x58000005, 0x48000005, 0x60000005, 0x10000005, 0x50000005, 0x08000005, 0x40000005, 0x00000005, 0x70000005, 0x78000005, 0x68000005, 0x18000005, 0x28000005, 0xb8000000, 0xb0000000, 0xa0000000, 0xd8000000, 0xc8000000, 0xe0000000, 0x90000000, 0xd0000000, 0x88000000, 0xc0000000, 0x80000000, 0xf0000000, 0xf8000000, 0xe8000000, 0x98000000, 0xa8000000, 0xb8000002, 0xb0000002, 0xa0000002, 0xd8000002, 0xc8000002, 0xe0000002, 0x90000002, 0xd0000002, 0x88000002, 0xc0000002, 0x80000002, 0xf0000002, 0xf8000002, 0xe8000002, 0x98000002, 0xa8000002, 0xb8000005, 0xb0000005, 0xa0000005, 0xd8000005, 0xc8000005, 0xe0000005, 0x90000005, 0xd0000005, 0x88000005, 0xc0000005, 0x80000005, 0xf0000005, 0xf8000005, 0xe8000005, 0x98000005, 0xa8000005, 0x38000004, 0x30000004, 0x20000004, 0x58000004, 0x48000004, 0x60000004, 0x10000004, 0x50000004, 0x08000004, 0x40000004, 0x00000004, 0x70000004, 0x78000004, 0x68000004, 0x18000004, 0x28000004, 0x38000007, 0x30000007, 0x20000007, 0x58000007, 0x48000007, 0x60000007, 0x10000007, 0x50000007, 0x08000007, 0x40000007, 0x00000007, 0x70000007, 0x78000007, 0x68000007, 0x18000007, 0x28000007, 0x38000006, 0x30000006, 0x20000006, 0x58000006, 0x48000006, 0x60000006, 0x10000006, 0x50000006, 0x08000006, 0x40000006, 0x00000006, 0x70000006, 0x78000006, 0x68000006, 0x18000006, 0x28000006, 0xb8000001, 0xb0000001, 0xa0000001, 0xd8000001, 0xc8000001, 0xe0000001, 0x90000001, 0xd0000001, 0x88000001, 0xc0000001, 0x80000001, 0xf0000001, 0xf8000001, 0xe8000001, 0x98000001, 0xa8000001, }, { /* 3 */ 0x000000e8, 0x000000f0, 0x000000a0, 0x00000088, 0x000000b8, 0x00000080, 0x000000a8, 0x000000d0, 0x00000098, 0x000000e0, 0x000000c0, 0x000000f8, 0x000000b0, 0x00000090, 0x000000c8, 0x000000d8, 0x000001e8, 0x000001f0, 0x000001a0, 0x00000188, 0x000001b8, 0x00000180, 0x000001a8, 0x000001d0, 0x00000198, 0x000001e0, 0x000001c0, 0x000001f8, 0x000001b0, 0x00000190, 0x000001c8, 0x000001d8, 0x00000568, 0x00000570, 0x00000520, 0x00000508, 0x00000538, 0x00000500, 0x00000528, 0x00000550, 0x00000518, 0x00000560, 0x00000540, 0x00000578, 0x00000530, 0x00000510, 0x00000548, 0x00000558, 0x000004e8, 0x000004f0, 0x000004a0, 0x00000488, 0x000004b8, 0x00000480, 0x000004a8, 0x000004d0, 0x00000498, 0x000004e0, 0x000004c0, 0x000004f8, 0x000004b0, 0x00000490, 0x000004c8, 0x000004d8, 0x000002e8, 0x000002f0, 0x000002a0, 0x00000288, 0x000002b8, 0x00000280, 0x000002a8, 0x000002d0, 0x00000298, 0x000002e0, 0x000002c0, 0x000002f8, 0x000002b0, 0x00000290, 0x000002c8, 0x000002d8, 0x000005e8, 0x000005f0, 0x000005a0, 0x00000588, 0x000005b8, 0x00000580, 0x000005a8, 0x000005d0, 0x00000598, 0x000005e0, 0x000005c0, 0x000005f8, 0x000005b0, 0x00000590, 0x000005c8, 0x000005d8, 0x00000268, 0x00000270, 0x00000220, 0x00000208, 0x00000238, 0x00000200, 0x00000228, 0x00000250, 0x00000218, 0x00000260, 0x00000240, 0x00000278, 0x00000230, 0x00000210, 0x00000248, 0x00000258, 0x000007e8, 0x000007f0, 0x000007a0, 0x00000788, 0x000007b8, 0x00000780, 0x000007a8, 0x000007d0, 0x00000798, 0x000007e0, 0x000007c0, 0x000007f8, 0x000007b0, 0x00000790, 0x000007c8, 0x000007d8, 0x00000468, 0x00000470, 0x00000420, 0x00000408, 0x00000438, 0x00000400, 0x00000428, 0x00000450, 0x00000418, 0x00000460, 0x00000440, 0x00000478, 0x00000430, 0x00000410, 0x00000448, 0x00000458, 0x00000368, 0x00000370, 0x00000320, 0x00000308, 0x00000338, 0x00000300, 0x00000328, 0x00000350, 0x00000318, 0x00000360, 0x00000340, 0x00000378, 0x00000330, 0x00000310, 0x00000348, 0x00000358, 0x000003e8, 0x000003f0, 0x000003a0, 0x00000388, 0x000003b8, 0x00000380, 0x000003a8, 0x000003d0, 0x00000398, 0x000003e0, 0x000003c0, 0x000003f8, 0x000003b0, 0x00000390, 0x000003c8, 0x000003d8, 0x00000768, 0x00000770, 0x00000720, 0x00000708, 0x00000738, 0x00000700, 0x00000728, 0x00000750, 0x00000718, 0x00000760, 0x00000740, 0x00000778, 0x00000730, 0x00000710, 0x00000748, 0x00000758, 0x000006e8, 0x000006f0, 0x000006a0, 0x00000688, 0x000006b8, 0x00000680, 0x000006a8, 0x000006d0, 0x00000698, 0x000006e0, 0x000006c0, 0x000006f8, 0x000006b0, 0x00000690, 0x000006c8, 0x000006d8, 0x00000068, 0x00000070, 0x00000020, 0x00000008, 0x00000038, 0x00000000, 0x00000028, 0x00000050, 0x00000018, 0x00000060, 0x00000040, 0x00000078, 0x00000030, 0x00000010, 0x00000048, 0x00000058, 0x00000168, 0x00000170, 0x00000120, 0x00000108, 0x00000138, 0x00000100, 0x00000128, 0x00000150, 0x00000118, 0x00000160, 0x00000140, 0x00000178, 0x00000130, 0x00000110, 0x00000148, 0x00000158, 0x00000668, 0x00000670, 0x00000620, 0x00000608, 0x00000638, 0x00000600, 0x00000628, 0x00000650, 0x00000618, 0x00000660, 0x00000640, 0x00000678, 0x00000630, 0x00000610, 0x00000648, 0x00000658, } } }; /* * A macro that performs a full encryption round of GOST 28147-89. */ #define GOST_ENCRYPT_ROUND(l, r, key1, key2, sbox) \ do { \ uint32_t round_tmp; \ \ round_tmp = (key1) + r; \ l ^= (sbox)[0][(round_tmp & 0xff)] ^ \ (sbox)[1][((round_tmp >> 8) & 0xff)] ^ \ (sbox)[2][((round_tmp >> 16) & 0xff)] ^ \ (sbox)[3][(round_tmp >> 24)]; \ round_tmp = (key2) + l; \ r ^= (sbox)[0][(round_tmp & 0xff)] ^ \ (sbox)[1][((round_tmp >> 8) & 0xff)] ^ \ (sbox)[2][((round_tmp >> 16) & 0xff)] ^ \ (sbox)[3][(round_tmp >> 24)]; \ } while (0) /* encrypt a block with the given key */ void _nettle_gost28147_encrypt_block (const uint32_t *key, const uint32_t sbox[4][256], const uint32_t *in, uint32_t *out) { uint32_t l, r; r = in[0], l = in[1]; GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox); GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox); GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox); GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox); GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox); GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox); GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox); GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox); GOST_ENCRYPT_ROUND(l, r, key[0], key[1], sbox); GOST_ENCRYPT_ROUND(l, r, key[2], key[3], sbox); GOST_ENCRYPT_ROUND(l, r, key[4], key[5], sbox); GOST_ENCRYPT_ROUND(l, r, key[6], key[7], sbox); GOST_ENCRYPT_ROUND(l, r, key[7], key[6], sbox); GOST_ENCRYPT_ROUND(l, r, key[5], key[4], sbox); GOST_ENCRYPT_ROUND(l, r, key[3], key[2], sbox); GOST_ENCRYPT_ROUND(l, r, key[1], key[0], sbox); *out = l, *(out + 1) = r; } nettle-3.10/sha1.c0000644000175000017500000000471314633602171012764 0ustar nissenisse/* sha1.c The sha1 hash function. Defined by http://www.itl.nist.gov/fipspubs/fip180-1.htm. Copyright (C) 2001, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "sha1.h" #include "macros.h" #include "nettle-write.h" /* Initialize the SHA values */ void sha1_init(struct sha1_ctx *ctx) { /* FIXME: Put the buffer last in the struct, and arrange so that we can initialize with a single memcpy. */ static const uint32_t iv[_SHA1_DIGEST_LENGTH] = { /* SHA initial values, first 4 identical to md5's. */ 0x67452301L, 0xEFCDAB89L, 0x98BADCFEL, 0x10325476L, 0xC3D2E1F0L, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; /* Initialize buffer */ ctx->index = 0; } #define COMPRESS(ctx, data) (nettle_sha1_compress((ctx)->state, data)) void sha1_update(struct sha1_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE (ctx, length, data, COMPRESS, ctx->count++); } void sha1_digest(struct sha1_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= SHA1_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); /* append the 64 bit count */ WRITE_UINT64(ctx->block + (SHA1_BLOCK_SIZE - 8), bit_count); nettle_sha1_compress(ctx->state, ctx->block); _nettle_write_be32(length, digest, ctx->state); sha1_init(ctx); } nettle-3.10/yarrow.h0000644000175000017500000000714414633602172013462 0ustar nissenisse/* yarrow.h The yarrow pseudo-randomness generator. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_YARROW_H_INCLUDED #define NETTLE_YARROW_H_INCLUDED #include "aes.h" #include "sha2.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define yarrow256_init nettle_yarrow256_init #define yarrow256_seed nettle_yarrow256_seed #define yarrow256_update nettle_yarrow256_update #define yarrow256_random nettle_yarrow256_random #define yarrow256_is_seeded nettle_yarrow256_is_seeded #define yarrow256_needed_sources nettle_yarrow256_needed_sources #define yarrow256_fast_reseed nettle_yarrow256_fast_reseed #define yarrow256_slow_reseed nettle_yarrow256_slow_reseed #define yarrow_key_event_init nettle_yarrow_key_event_init #define yarrow_key_event_estimate nettle_yarrow_key_event_estimate /* Obsolete alias for backwards compatibility. Will be deleted in some later version. */ #define yarrow256_force_reseed yarrow256_slow_reseed enum yarrow_pool_id { YARROW_FAST = 0, YARROW_SLOW = 1 }; struct yarrow_source { /* Indexed by yarrow_pool_id */ uint32_t estimate[2]; /* The pool next sample should go to. */ enum yarrow_pool_id next; }; #define YARROW256_SEED_FILE_SIZE (2 * AES_BLOCK_SIZE) /* Yarrow-256, based on SHA-256 and AES-256 */ struct yarrow256_ctx { /* Indexed by yarrow_pool_id */ struct sha256_ctx pools[2]; int seeded; /* The current key and counter block */ struct aes256_ctx key; uint8_t counter[AES_BLOCK_SIZE]; /* The entropy sources */ unsigned nsources; struct yarrow_source *sources; }; void yarrow256_init(struct yarrow256_ctx *ctx, unsigned nsources, struct yarrow_source *sources); void yarrow256_seed(struct yarrow256_ctx *ctx, size_t length, const uint8_t *seed_file); /* Returns 1 on reseed */ int yarrow256_update(struct yarrow256_ctx *ctx, unsigned source, unsigned entropy, size_t length, const uint8_t *data); void yarrow256_random(struct yarrow256_ctx *ctx, size_t length, uint8_t *dst); int yarrow256_is_seeded(struct yarrow256_ctx *ctx); unsigned yarrow256_needed_sources(struct yarrow256_ctx *ctx); void yarrow256_fast_reseed(struct yarrow256_ctx *ctx); void yarrow256_slow_reseed(struct yarrow256_ctx *ctx); /* Key event estimator */ #define YARROW_KEY_EVENT_BUFFER 16 struct yarrow_key_event_ctx { /* Counter for initial priming of the state */ unsigned index; unsigned chars[YARROW_KEY_EVENT_BUFFER]; unsigned previous; }; void yarrow_key_event_init(struct yarrow_key_event_ctx *ctx); unsigned yarrow_key_event_estimate(struct yarrow_key_event_ctx *ctx, unsigned key, unsigned time); #ifdef __cplusplus } #endif #endif /* NETTLE_YARROW_H_INCLUDED */ nettle-3.10/gcm-sm4.c0000644000175000017500000000373514633602171013402 0ustar nissenisse/* gcm-sm4.c Galois counter mode using SM4 as the underlying cipher. Copyright (C) 2022 Tianjia Zhang This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" void gcm_sm4_set_key(struct gcm_sm4_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, sm4_set_encrypt_key, sm4_crypt, key); } void gcm_sm4_set_iv(struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_sm4_update(struct gcm_sm4_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_sm4_encrypt(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, sm4_crypt, length, dst, src); } void gcm_sm4_decrypt(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, sm4_crypt, length, dst, src); } void gcm_sm4_digest(struct gcm_sm4_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, sm4_crypt, length, digest); } nettle-3.10/sha1.h0000644000175000017500000000457114633602172012774 0ustar nissenisse/* sha1.h The sha1 hash function. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA1_H_INCLUDED #define NETTLE_SHA1_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sha1_init nettle_sha1_init #define sha1_update nettle_sha1_update #define sha1_digest nettle_sha1_digest #define sha1_compress nettle_sha1_compress /* SHA1 */ #define SHA1_DIGEST_SIZE 20 #define SHA1_BLOCK_SIZE 64 /* For backwards compatibility */ #define SHA1_DATA_SIZE SHA1_BLOCK_SIZE /* Digest is kept internally as 5 32-bit words. */ #define _SHA1_DIGEST_LENGTH 5 struct sha1_ctx { uint32_t state[_SHA1_DIGEST_LENGTH]; /* State variables */ uint64_t count; /* 64-bit block count */ unsigned int index; /* index into buffer */ uint8_t block[SHA1_BLOCK_SIZE]; /* SHA1 data buffer */ }; void sha1_init(struct sha1_ctx *ctx); void sha1_update(struct sha1_ctx *ctx, size_t length, const uint8_t *data); void sha1_digest(struct sha1_ctx *ctx, size_t length, uint8_t *digest); /* SHA1 compression function. STATE points to 5 uint32_t words, and DATA points to 64 bytes of input data, possibly unaligned. */ void sha1_compress(uint32_t *state, const uint8_t *data); /* Old name, for backwards compatibility. */ #define _nettle_sha1_compress nettle_sha1_compress #ifdef __cplusplus } #endif #endif /* NETTLE_SHA1_H_INCLUDED */ nettle-3.10/md2-meta.c0000644000175000017500000000222214633602171013527 0ustar nissenisse/* md2-meta.c Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "md2.h" const struct nettle_hash nettle_md2 = _NETTLE_HASH(md2, MD2); nettle-3.10/aes-internal.h0000644000175000017500000000566214633602172014524 0ustar nissenisse/* aes-internal.h The aes/rijndael block cipher. Copyright (C) 2001, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_AES_INTERNAL_H_INCLUDED #define NETTLE_AES_INTERNAL_H_INCLUDED #include "aes.h" /* Define to use only small tables. */ #ifndef AES_SMALL # define AES_SMALL 0 #endif #if AES_SMALL # define AES_TABLE_SIZE 1 #else # define AES_TABLE_SIZE 4 #endif struct aes_table { uint8_t sbox[0x100]; uint32_t table[AES_TABLE_SIZE][0x100]; }; void _nettle_aes_set_key(unsigned nr, unsigned nk, uint32_t *subkeys, const uint8_t *key); void _nettle_aes_invert(unsigned rounds, uint32_t *dst, const uint32_t *src); void _nettle_aes_encrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); /* The keys pointer points at the subkeys for the first decrypt round, located at the end of the array. */ void _nettle_aes_decrypt(unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); /* Macros */ /* Get the byte with index 0, 1, 2 and 3 */ #define B0(x) ((x) & 0xff) #define B1(x) (((x) >> 8) & 0xff) #define B2(x) (((x) >> 16) & 0xff) #define B3(x) (((x) >> 24) & 0xff) #define SUBBYTE(x, box) ((uint32_t)(box)[B0(x)] \ | ((uint32_t)(box)[B1(x)] << 8) \ | ((uint32_t)(box)[B2(x)] << 16) \ | ((uint32_t)(box)[B3(x)] << 24)) #define AES_ROUND(T, w0, w1, w2, w3, k) \ (( T->table[0][ B0(w0) ] \ ^ T->table[1][ B1(w1) ] \ ^ T->table[2][ B2(w2) ] \ ^ T->table[3][ B3(w3) ]) ^ (k)) #define AES_FINAL_ROUND(T, w0, w1, w2, w3, k) \ (( (uint32_t) T->sbox[ B0(w0) ] \ | ((uint32_t) T->sbox[ B1(w1) ] << 8) \ | ((uint32_t) T->sbox[ B2(w2) ] << 16) \ | ((uint32_t) T->sbox[ B3(w3) ] << 24)) ^ (k)) extern const struct aes_table _nettle_aes_encrypt_table; #define aes_sbox (_nettle_aes_encrypt_table.sbox) extern const struct aes_table _nettle_aes_decrypt_table; #endif /* NETTLE_AES_INTERNAL_H_INCLUDED */ nettle-3.10/ecc-pp1-redc.c0000644000175000017500000000373614633602171014277 0ustar nissenisse/* ecc-pp1-redc.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Use that 1 = p + 1 (mod p), and that at least one low limb of p + 1 is zero. */ void ecc_pp1_redc (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { unsigned i; mp_limb_t hi, cy; unsigned shift = m->size * GMP_NUMB_BITS - m->bit_size; mp_size_t k = m->redc_size; for (i = 0; i < m->size; i++) xp[i] = mpn_addmul_1 (xp + i + k, m->redc_mpm1, m->size - k, xp[i]); hi = mpn_add_n (rp, xp, xp + m->size, m->size); if (shift > 0) { hi = (hi << shift) | (rp[m->size - 1] >> (GMP_NUMB_BITS - shift)); rp[m->size - 1] = (rp[m->size - 1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + mpn_addmul_1 (rp, m->B_shifted, m->size-1, hi); } else { cy = mpn_cnd_sub_n (hi, rp, rp, m->m, m->size); assert_maybe (cy == hi); } } nettle-3.10/rsa-decrypt.c0000644000175000017500000000326614633602171014367 0ustar nissenisse/* rsa-decrypt.c The RSA publickey algorithm. PKCS#1 encryption. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "pkcs1.h" int rsa_decrypt(const struct rsa_private_key *key, size_t *length, uint8_t *message, const mpz_t gibberish) { mpz_t m; int res; mpz_init(m); /* First check that input is in range. Since we don't have the public key available here, we need to reconstruct n. */ mpz_mul (m, key->p, key->q); if (mpz_sgn (gibberish) < 0 || mpz_cmp (gibberish, m) >= 0) { mpz_clear (m); return 0; } rsa_compute_root(key, m, gibberish); res = pkcs1_decrypt (key->size, m, length, message); mpz_clear(m); return res; } nettle-3.10/cmac-aes256.c0000644000175000017500000000310514633602171014030 0ustar nissenisse/* cmac-aes256.c CMAC using AES256 as the underlying cipher. Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "cmac.h" void cmac_aes256_set_key(struct cmac_aes256_ctx *ctx, const uint8_t *key) { CMAC128_SET_KEY(ctx, aes256_set_encrypt_key, aes256_encrypt, key); } void cmac_aes256_update (struct cmac_aes256_ctx *ctx, size_t length, const uint8_t *data) { CMAC128_UPDATE (ctx, aes256_encrypt, length, data); } void cmac_aes256_digest(struct cmac_aes256_ctx *ctx, size_t length, uint8_t *digest) { CMAC128_DIGEST(ctx, aes256_encrypt, length, digest); } nettle-3.10/camellia-table.c0000644000175000017500000003352214633602171014764 0ustar nissenisse/* camellia-table.c SBOX tables used by both encryption and key setup. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "camellia-internal.h" const struct camellia_table _nettle_camellia_table = { /* sp1110 */ { 0x70707000,0x82828200,0x2c2c2c00,0xececec00, 0xb3b3b300,0x27272700,0xc0c0c000,0xe5e5e500, 0xe4e4e400,0x85858500,0x57575700,0x35353500, 0xeaeaea00,0x0c0c0c00,0xaeaeae00,0x41414100, 0x23232300,0xefefef00,0x6b6b6b00,0x93939300, 0x45454500,0x19191900,0xa5a5a500,0x21212100, 0xededed00,0x0e0e0e00,0x4f4f4f00,0x4e4e4e00, 0x1d1d1d00,0x65656500,0x92929200,0xbdbdbd00, 0x86868600,0xb8b8b800,0xafafaf00,0x8f8f8f00, 0x7c7c7c00,0xebebeb00,0x1f1f1f00,0xcecece00, 0x3e3e3e00,0x30303000,0xdcdcdc00,0x5f5f5f00, 0x5e5e5e00,0xc5c5c500,0x0b0b0b00,0x1a1a1a00, 0xa6a6a600,0xe1e1e100,0x39393900,0xcacaca00, 0xd5d5d500,0x47474700,0x5d5d5d00,0x3d3d3d00, 0xd9d9d900,0x01010100,0x5a5a5a00,0xd6d6d600, 0x51515100,0x56565600,0x6c6c6c00,0x4d4d4d00, 0x8b8b8b00,0x0d0d0d00,0x9a9a9a00,0x66666600, 0xfbfbfb00,0xcccccc00,0xb0b0b000,0x2d2d2d00, 0x74747400,0x12121200,0x2b2b2b00,0x20202000, 0xf0f0f000,0xb1b1b100,0x84848400,0x99999900, 0xdfdfdf00,0x4c4c4c00,0xcbcbcb00,0xc2c2c200, 0x34343400,0x7e7e7e00,0x76767600,0x05050500, 0x6d6d6d00,0xb7b7b700,0xa9a9a900,0x31313100, 0xd1d1d100,0x17171700,0x04040400,0xd7d7d700, 0x14141400,0x58585800,0x3a3a3a00,0x61616100, 0xdedede00,0x1b1b1b00,0x11111100,0x1c1c1c00, 0x32323200,0x0f0f0f00,0x9c9c9c00,0x16161600, 0x53535300,0x18181800,0xf2f2f200,0x22222200, 0xfefefe00,0x44444400,0xcfcfcf00,0xb2b2b200, 0xc3c3c300,0xb5b5b500,0x7a7a7a00,0x91919100, 0x24242400,0x08080800,0xe8e8e800,0xa8a8a800, 0x60606000,0xfcfcfc00,0x69696900,0x50505000, 0xaaaaaa00,0xd0d0d000,0xa0a0a000,0x7d7d7d00, 0xa1a1a100,0x89898900,0x62626200,0x97979700, 0x54545400,0x5b5b5b00,0x1e1e1e00,0x95959500, 0xe0e0e000,0xffffff00,0x64646400,0xd2d2d200, 0x10101000,0xc4c4c400,0x00000000,0x48484800, 0xa3a3a300,0xf7f7f700,0x75757500,0xdbdbdb00, 0x8a8a8a00,0x03030300,0xe6e6e600,0xdadada00, 0x09090900,0x3f3f3f00,0xdddddd00,0x94949400, 0x87878700,0x5c5c5c00,0x83838300,0x02020200, 0xcdcdcd00,0x4a4a4a00,0x90909000,0x33333300, 0x73737300,0x67676700,0xf6f6f600,0xf3f3f300, 0x9d9d9d00,0x7f7f7f00,0xbfbfbf00,0xe2e2e200, 0x52525200,0x9b9b9b00,0xd8d8d800,0x26262600, 0xc8c8c800,0x37373700,0xc6c6c600,0x3b3b3b00, 0x81818100,0x96969600,0x6f6f6f00,0x4b4b4b00, 0x13131300,0xbebebe00,0x63636300,0x2e2e2e00, 0xe9e9e900,0x79797900,0xa7a7a700,0x8c8c8c00, 0x9f9f9f00,0x6e6e6e00,0xbcbcbc00,0x8e8e8e00, 0x29292900,0xf5f5f500,0xf9f9f900,0xb6b6b600, 0x2f2f2f00,0xfdfdfd00,0xb4b4b400,0x59595900, 0x78787800,0x98989800,0x06060600,0x6a6a6a00, 0xe7e7e700,0x46464600,0x71717100,0xbababa00, 0xd4d4d400,0x25252500,0xababab00,0x42424200, 0x88888800,0xa2a2a200,0x8d8d8d00,0xfafafa00, 0x72727200,0x07070700,0xb9b9b900,0x55555500, 0xf8f8f800,0xeeeeee00,0xacacac00,0x0a0a0a00, 0x36363600,0x49494900,0x2a2a2a00,0x68686800, 0x3c3c3c00,0x38383800,0xf1f1f100,0xa4a4a400, 0x40404000,0x28282800,0xd3d3d300,0x7b7b7b00, 0xbbbbbb00,0xc9c9c900,0x43434300,0xc1c1c100, 0x15151500,0xe3e3e300,0xadadad00,0xf4f4f400, 0x77777700,0xc7c7c700,0x80808000,0x9e9e9e00, }, /* sp0222 */ { 0x00e0e0e0,0x00050505,0x00585858,0x00d9d9d9, 0x00676767,0x004e4e4e,0x00818181,0x00cbcbcb, 0x00c9c9c9,0x000b0b0b,0x00aeaeae,0x006a6a6a, 0x00d5d5d5,0x00181818,0x005d5d5d,0x00828282, 0x00464646,0x00dfdfdf,0x00d6d6d6,0x00272727, 0x008a8a8a,0x00323232,0x004b4b4b,0x00424242, 0x00dbdbdb,0x001c1c1c,0x009e9e9e,0x009c9c9c, 0x003a3a3a,0x00cacaca,0x00252525,0x007b7b7b, 0x000d0d0d,0x00717171,0x005f5f5f,0x001f1f1f, 0x00f8f8f8,0x00d7d7d7,0x003e3e3e,0x009d9d9d, 0x007c7c7c,0x00606060,0x00b9b9b9,0x00bebebe, 0x00bcbcbc,0x008b8b8b,0x00161616,0x00343434, 0x004d4d4d,0x00c3c3c3,0x00727272,0x00959595, 0x00ababab,0x008e8e8e,0x00bababa,0x007a7a7a, 0x00b3b3b3,0x00020202,0x00b4b4b4,0x00adadad, 0x00a2a2a2,0x00acacac,0x00d8d8d8,0x009a9a9a, 0x00171717,0x001a1a1a,0x00353535,0x00cccccc, 0x00f7f7f7,0x00999999,0x00616161,0x005a5a5a, 0x00e8e8e8,0x00242424,0x00565656,0x00404040, 0x00e1e1e1,0x00636363,0x00090909,0x00333333, 0x00bfbfbf,0x00989898,0x00979797,0x00858585, 0x00686868,0x00fcfcfc,0x00ececec,0x000a0a0a, 0x00dadada,0x006f6f6f,0x00535353,0x00626262, 0x00a3a3a3,0x002e2e2e,0x00080808,0x00afafaf, 0x00282828,0x00b0b0b0,0x00747474,0x00c2c2c2, 0x00bdbdbd,0x00363636,0x00222222,0x00383838, 0x00646464,0x001e1e1e,0x00393939,0x002c2c2c, 0x00a6a6a6,0x00303030,0x00e5e5e5,0x00444444, 0x00fdfdfd,0x00888888,0x009f9f9f,0x00656565, 0x00878787,0x006b6b6b,0x00f4f4f4,0x00232323, 0x00484848,0x00101010,0x00d1d1d1,0x00515151, 0x00c0c0c0,0x00f9f9f9,0x00d2d2d2,0x00a0a0a0, 0x00555555,0x00a1a1a1,0x00414141,0x00fafafa, 0x00434343,0x00131313,0x00c4c4c4,0x002f2f2f, 0x00a8a8a8,0x00b6b6b6,0x003c3c3c,0x002b2b2b, 0x00c1c1c1,0x00ffffff,0x00c8c8c8,0x00a5a5a5, 0x00202020,0x00898989,0x00000000,0x00909090, 0x00474747,0x00efefef,0x00eaeaea,0x00b7b7b7, 0x00151515,0x00060606,0x00cdcdcd,0x00b5b5b5, 0x00121212,0x007e7e7e,0x00bbbbbb,0x00292929, 0x000f0f0f,0x00b8b8b8,0x00070707,0x00040404, 0x009b9b9b,0x00949494,0x00212121,0x00666666, 0x00e6e6e6,0x00cecece,0x00ededed,0x00e7e7e7, 0x003b3b3b,0x00fefefe,0x007f7f7f,0x00c5c5c5, 0x00a4a4a4,0x00373737,0x00b1b1b1,0x004c4c4c, 0x00919191,0x006e6e6e,0x008d8d8d,0x00767676, 0x00030303,0x002d2d2d,0x00dedede,0x00969696, 0x00262626,0x007d7d7d,0x00c6c6c6,0x005c5c5c, 0x00d3d3d3,0x00f2f2f2,0x004f4f4f,0x00191919, 0x003f3f3f,0x00dcdcdc,0x00797979,0x001d1d1d, 0x00525252,0x00ebebeb,0x00f3f3f3,0x006d6d6d, 0x005e5e5e,0x00fbfbfb,0x00696969,0x00b2b2b2, 0x00f0f0f0,0x00313131,0x000c0c0c,0x00d4d4d4, 0x00cfcfcf,0x008c8c8c,0x00e2e2e2,0x00757575, 0x00a9a9a9,0x004a4a4a,0x00575757,0x00848484, 0x00111111,0x00454545,0x001b1b1b,0x00f5f5f5, 0x00e4e4e4,0x000e0e0e,0x00737373,0x00aaaaaa, 0x00f1f1f1,0x00dddddd,0x00595959,0x00141414, 0x006c6c6c,0x00929292,0x00545454,0x00d0d0d0, 0x00787878,0x00707070,0x00e3e3e3,0x00494949, 0x00808080,0x00505050,0x00a7a7a7,0x00f6f6f6, 0x00777777,0x00939393,0x00868686,0x00838383, 0x002a2a2a,0x00c7c7c7,0x005b5b5b,0x00e9e9e9, 0x00eeeeee,0x008f8f8f,0x00010101,0x003d3d3d, }, /* sp3033 */ { 0x38003838,0x41004141,0x16001616,0x76007676, 0xd900d9d9,0x93009393,0x60006060,0xf200f2f2, 0x72007272,0xc200c2c2,0xab00abab,0x9a009a9a, 0x75007575,0x06000606,0x57005757,0xa000a0a0, 0x91009191,0xf700f7f7,0xb500b5b5,0xc900c9c9, 0xa200a2a2,0x8c008c8c,0xd200d2d2,0x90009090, 0xf600f6f6,0x07000707,0xa700a7a7,0x27002727, 0x8e008e8e,0xb200b2b2,0x49004949,0xde00dede, 0x43004343,0x5c005c5c,0xd700d7d7,0xc700c7c7, 0x3e003e3e,0xf500f5f5,0x8f008f8f,0x67006767, 0x1f001f1f,0x18001818,0x6e006e6e,0xaf00afaf, 0x2f002f2f,0xe200e2e2,0x85008585,0x0d000d0d, 0x53005353,0xf000f0f0,0x9c009c9c,0x65006565, 0xea00eaea,0xa300a3a3,0xae00aeae,0x9e009e9e, 0xec00ecec,0x80008080,0x2d002d2d,0x6b006b6b, 0xa800a8a8,0x2b002b2b,0x36003636,0xa600a6a6, 0xc500c5c5,0x86008686,0x4d004d4d,0x33003333, 0xfd00fdfd,0x66006666,0x58005858,0x96009696, 0x3a003a3a,0x09000909,0x95009595,0x10001010, 0x78007878,0xd800d8d8,0x42004242,0xcc00cccc, 0xef00efef,0x26002626,0xe500e5e5,0x61006161, 0x1a001a1a,0x3f003f3f,0x3b003b3b,0x82008282, 0xb600b6b6,0xdb00dbdb,0xd400d4d4,0x98009898, 0xe800e8e8,0x8b008b8b,0x02000202,0xeb00ebeb, 0x0a000a0a,0x2c002c2c,0x1d001d1d,0xb000b0b0, 0x6f006f6f,0x8d008d8d,0x88008888,0x0e000e0e, 0x19001919,0x87008787,0x4e004e4e,0x0b000b0b, 0xa900a9a9,0x0c000c0c,0x79007979,0x11001111, 0x7f007f7f,0x22002222,0xe700e7e7,0x59005959, 0xe100e1e1,0xda00dada,0x3d003d3d,0xc800c8c8, 0x12001212,0x04000404,0x74007474,0x54005454, 0x30003030,0x7e007e7e,0xb400b4b4,0x28002828, 0x55005555,0x68006868,0x50005050,0xbe00bebe, 0xd000d0d0,0xc400c4c4,0x31003131,0xcb00cbcb, 0x2a002a2a,0xad00adad,0x0f000f0f,0xca00caca, 0x70007070,0xff00ffff,0x32003232,0x69006969, 0x08000808,0x62006262,0x00000000,0x24002424, 0xd100d1d1,0xfb00fbfb,0xba00baba,0xed00eded, 0x45004545,0x81008181,0x73007373,0x6d006d6d, 0x84008484,0x9f009f9f,0xee00eeee,0x4a004a4a, 0xc300c3c3,0x2e002e2e,0xc100c1c1,0x01000101, 0xe600e6e6,0x25002525,0x48004848,0x99009999, 0xb900b9b9,0xb300b3b3,0x7b007b7b,0xf900f9f9, 0xce00cece,0xbf00bfbf,0xdf00dfdf,0x71007171, 0x29002929,0xcd00cdcd,0x6c006c6c,0x13001313, 0x64006464,0x9b009b9b,0x63006363,0x9d009d9d, 0xc000c0c0,0x4b004b4b,0xb700b7b7,0xa500a5a5, 0x89008989,0x5f005f5f,0xb100b1b1,0x17001717, 0xf400f4f4,0xbc00bcbc,0xd300d3d3,0x46004646, 0xcf00cfcf,0x37003737,0x5e005e5e,0x47004747, 0x94009494,0xfa00fafa,0xfc00fcfc,0x5b005b5b, 0x97009797,0xfe00fefe,0x5a005a5a,0xac00acac, 0x3c003c3c,0x4c004c4c,0x03000303,0x35003535, 0xf300f3f3,0x23002323,0xb800b8b8,0x5d005d5d, 0x6a006a6a,0x92009292,0xd500d5d5,0x21002121, 0x44004444,0x51005151,0xc600c6c6,0x7d007d7d, 0x39003939,0x83008383,0xdc00dcdc,0xaa00aaaa, 0x7c007c7c,0x77007777,0x56005656,0x05000505, 0x1b001b1b,0xa400a4a4,0x15001515,0x34003434, 0x1e001e1e,0x1c001c1c,0xf800f8f8,0x52005252, 0x20002020,0x14001414,0xe900e9e9,0xbd00bdbd, 0xdd00dddd,0xe400e4e4,0xa100a1a1,0xe000e0e0, 0x8a008a8a,0xf100f1f1,0xd600d6d6,0x7a007a7a, 0xbb00bbbb,0xe300e3e3,0x40004040,0x4f004f4f, }, /* sp4404 */ { 0x70700070,0x2c2c002c,0xb3b300b3,0xc0c000c0, 0xe4e400e4,0x57570057,0xeaea00ea,0xaeae00ae, 0x23230023,0x6b6b006b,0x45450045,0xa5a500a5, 0xeded00ed,0x4f4f004f,0x1d1d001d,0x92920092, 0x86860086,0xafaf00af,0x7c7c007c,0x1f1f001f, 0x3e3e003e,0xdcdc00dc,0x5e5e005e,0x0b0b000b, 0xa6a600a6,0x39390039,0xd5d500d5,0x5d5d005d, 0xd9d900d9,0x5a5a005a,0x51510051,0x6c6c006c, 0x8b8b008b,0x9a9a009a,0xfbfb00fb,0xb0b000b0, 0x74740074,0x2b2b002b,0xf0f000f0,0x84840084, 0xdfdf00df,0xcbcb00cb,0x34340034,0x76760076, 0x6d6d006d,0xa9a900a9,0xd1d100d1,0x04040004, 0x14140014,0x3a3a003a,0xdede00de,0x11110011, 0x32320032,0x9c9c009c,0x53530053,0xf2f200f2, 0xfefe00fe,0xcfcf00cf,0xc3c300c3,0x7a7a007a, 0x24240024,0xe8e800e8,0x60600060,0x69690069, 0xaaaa00aa,0xa0a000a0,0xa1a100a1,0x62620062, 0x54540054,0x1e1e001e,0xe0e000e0,0x64640064, 0x10100010,0x00000000,0xa3a300a3,0x75750075, 0x8a8a008a,0xe6e600e6,0x09090009,0xdddd00dd, 0x87870087,0x83830083,0xcdcd00cd,0x90900090, 0x73730073,0xf6f600f6,0x9d9d009d,0xbfbf00bf, 0x52520052,0xd8d800d8,0xc8c800c8,0xc6c600c6, 0x81810081,0x6f6f006f,0x13130013,0x63630063, 0xe9e900e9,0xa7a700a7,0x9f9f009f,0xbcbc00bc, 0x29290029,0xf9f900f9,0x2f2f002f,0xb4b400b4, 0x78780078,0x06060006,0xe7e700e7,0x71710071, 0xd4d400d4,0xabab00ab,0x88880088,0x8d8d008d, 0x72720072,0xb9b900b9,0xf8f800f8,0xacac00ac, 0x36360036,0x2a2a002a,0x3c3c003c,0xf1f100f1, 0x40400040,0xd3d300d3,0xbbbb00bb,0x43430043, 0x15150015,0xadad00ad,0x77770077,0x80800080, 0x82820082,0xecec00ec,0x27270027,0xe5e500e5, 0x85850085,0x35350035,0x0c0c000c,0x41410041, 0xefef00ef,0x93930093,0x19190019,0x21210021, 0x0e0e000e,0x4e4e004e,0x65650065,0xbdbd00bd, 0xb8b800b8,0x8f8f008f,0xebeb00eb,0xcece00ce, 0x30300030,0x5f5f005f,0xc5c500c5,0x1a1a001a, 0xe1e100e1,0xcaca00ca,0x47470047,0x3d3d003d, 0x01010001,0xd6d600d6,0x56560056,0x4d4d004d, 0x0d0d000d,0x66660066,0xcccc00cc,0x2d2d002d, 0x12120012,0x20200020,0xb1b100b1,0x99990099, 0x4c4c004c,0xc2c200c2,0x7e7e007e,0x05050005, 0xb7b700b7,0x31310031,0x17170017,0xd7d700d7, 0x58580058,0x61610061,0x1b1b001b,0x1c1c001c, 0x0f0f000f,0x16160016,0x18180018,0x22220022, 0x44440044,0xb2b200b2,0xb5b500b5,0x91910091, 0x08080008,0xa8a800a8,0xfcfc00fc,0x50500050, 0xd0d000d0,0x7d7d007d,0x89890089,0x97970097, 0x5b5b005b,0x95950095,0xffff00ff,0xd2d200d2, 0xc4c400c4,0x48480048,0xf7f700f7,0xdbdb00db, 0x03030003,0xdada00da,0x3f3f003f,0x94940094, 0x5c5c005c,0x02020002,0x4a4a004a,0x33330033, 0x67670067,0xf3f300f3,0x7f7f007f,0xe2e200e2, 0x9b9b009b,0x26260026,0x37370037,0x3b3b003b, 0x96960096,0x4b4b004b,0xbebe00be,0x2e2e002e, 0x79790079,0x8c8c008c,0x6e6e006e,0x8e8e008e, 0xf5f500f5,0xb6b600b6,0xfdfd00fd,0x59590059, 0x98980098,0x6a6a006a,0x46460046,0xbaba00ba, 0x25250025,0x42420042,0xa2a200a2,0xfafa00fa, 0x07070007,0x55550055,0xeeee00ee,0x0a0a000a, 0x49490049,0x68680068,0x38380038,0xa4a400a4, 0x28280028,0x7b7b007b,0xc9c900c9,0xc1c100c1, 0xe3e300e3,0xf4f400f4,0xc7c700c7,0x9e9e009e, } }; nettle-3.10/ecc-gost-gc512a.c0000644000175000017500000000526514633602171014617 0ustar nissenisse/* ecc-gost-gc512a.c Copyright (C) 2016-2020 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-gost-gc512a.h" static void ecc_gost_gc512a_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { mp_size_t mn = m->size; mp_limb_t hi; hi = mpn_addmul_1(xp, xp + mn, mn, 0x239); hi = sec_add_1 (xp, xp, mn, hi * 0x239); hi = sec_add_1 (rp, xp, mn, hi * 0x239); assert(hi == 0); } #define ecc_gost_gc512a_modp ecc_gost_gc512a_modp #define ecc_gost_gc512a_modq ecc_mod const struct ecc_curve _nettle_gost_gc512a = { { 512, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_gost_gc512a_modp, ecc_gost_gc512a_modp, ecc_mod_inv, NULL, NULL, }, { 512, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_gost_gc512a_modq, ecc_gost_gc512a_modq, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH (ECC_LIMB_SIZE, ECC_MOD_INV_ITCH(ECC_LIMB_SIZE)), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_gost_gc512a(void) { return &_nettle_gost_gc512a; } nettle-3.10/ctr-internal.h0000644000175000017500000000320314633602172014531 0ustar nissenisse/* ctr-internal.h Copyright (C) 2018 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CTR_INTERNAL_H_INCLUDED #define NETTLE_CTR_INTERNAL_H_INCLUDED #include "nettle-types.h" /* Size limit for temporary stack buffers. */ #define CTR_BUFFER_LIMIT 512 /* Fill BUFFER (n blocks) with incrementing CTR values. It would be nice if CTR was always 64-bit aligned, but it isn't when called from ctr_crypt. */ typedef void nettle_fill16_func(uint8_t *ctr, size_t n, union nettle_block16 *buffer); void _nettle_ctr_crypt16(const void *ctx, nettle_cipher_func *f, nettle_fill16_func *fill, uint8_t *ctr, size_t length, uint8_t *dst, const uint8_t *src); #endif /* NETTLE_CTR_INTERNAL_H_INCLUDED */ nettle-3.10/sha3-internal.h0000644000175000017500000000414614633602172014606 0ustar nissenisse/* sha3-internal.h The sha3 hash function (aka Keccak). Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA3_INTERNAL_H_INCLUDED #define NETTLE_SHA3_INTERNAL_H_INCLUDED #include "nettle-types.h" #define SHA3_HASH_MAGIC 6 #define SHA3_SHAKE_MAGIC 0x1f unsigned _nettle_sha3_update (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos, size_t length, const uint8_t *data); void _nettle_sha3_pad (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned pos, uint8_t magic); #define _sha3_pad_hash(state, block_size, block, pos) do { \ _nettle_sha3_pad (state, block_size, block, pos, SHA3_HASH_MAGIC); \ sha3_permute (state); \ } while (0) #define _sha3_pad_shake(state, block_size, block, pos) \ _nettle_sha3_pad (state, block_size, block, pos, SHA3_SHAKE_MAGIC) void _nettle_sha3_shake (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned index, size_t length, uint8_t *dst); unsigned _nettle_sha3_shake_output (struct sha3_state *state, unsigned block_size, uint8_t *block, unsigned index, size_t length, uint8_t *dst); #endif nettle-3.10/ecc-gost-gc256b.c0000644000175000017500000000526514633602171014625 0ustar nissenisse/* ecc-gost-gc256b.c Copyright (C) 2016-2020 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #define USE_REDC 0 #include "ecc-gost-gc256b.h" static void ecc_gost_gc256b_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { mp_size_t mn = m->size; mp_limb_t hi; hi = mpn_addmul_1(xp, xp + mn, mn, 0x269); hi = sec_add_1 (xp, xp, mn, hi * 0x269); hi = sec_add_1 (rp, xp, mn, hi * 0x269); assert(hi == 0); } #define ecc_gost_gc256b_modp ecc_gost_gc256b_modp #define ecc_gost_gc256b_modq ecc_mod const struct ecc_curve _nettle_gost_gc256b = { { 256, ECC_LIMB_SIZE, ECC_BMODP_SIZE, ECC_REDC_SIZE, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_gost_gc256b_modp, ecc_gost_gc256b_modp, ecc_mod_inv, NULL, NULL, }, { 256, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_gost_gc256b_modq, ecc_gost_gc256b_modq, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH (ECC_LIMB_SIZE, ECC_MOD_INV_ITCH(ECC_LIMB_SIZE)), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_gost_gc256b(void) { return &_nettle_gost_gc256b; } nettle-3.10/poly1305-internal.h0000644000175000017500000000435514633602172015246 0ustar nissenisse/* poly1305-internal.h Poly1305 message authentication code. Copyright (C) 2013 Nikos Mavrogiannopoulos Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_POLY1305_INTERNAL_H_INCLUDED #define NETTLE_POLY1305_INTERNAL_H_INCLUDED #include "poly1305.h" #ifdef __cplusplus extern "C" { #endif /* Low level functions/macros for the poly1305 construction. */ #define POLY1305_DIGEST_SIZE 16 #define POLY1305_KEY_SIZE 16 /* Low-level internal interface. */ void _nettle_poly1305_set_key(struct poly1305_ctx *ctx, const uint8_t key[POLY1305_KEY_SIZE]); /* Extracts digest, and adds it to s, the encrypted nonce. */ void _nettle_poly1305_digest (struct poly1305_ctx *ctx, union nettle_block16 *s); /* Process one block. */ void _nettle_poly1305_block (struct poly1305_ctx *ctx, const uint8_t *m, unsigned high); /* Updates CTX by hashing M, which must be an integral number of blocks. For convenience, returns a pointer to the end of the data. Implies 128 set on all input blocks. */ const uint8_t * _nettle_poly1305_blocks (struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m); unsigned _nettle_poly1305_update (struct poly1305_ctx *ctx, uint8_t *buffer, unsigned index, size_t length, const uint8_t *m); #ifdef __cplusplus } #endif #endif /* NETTLE_POLY1305_INTERNAL_H_INCLUDED */ nettle-3.10/rsa-sign-tr.c0000644000175000017500000002241414633602171014274 0ustar nissenisse/* rsa-sign-tr.c Creating RSA signatures, with some additional checks. Copyright (C) 2001, 2015 Niels Möller Copyright (C) 2012 Nikos Mavrogiannopoulos Copyright (C) 2018 Red Hat Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gmp-glue.h" #include "rsa.h" #include "rsa-internal.h" #define MAX(a, b) ((a) > (b) ? (a) : (b)) #if NETTLE_USE_MINI_GMP /* Blinds m, by computing c = m r^e (mod n), for a random r. Also returns the inverse (ri), for use by rsa_unblind. */ static void rsa_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mpz_t c, mpz_t ri, const mpz_t m) { mpz_t r; mpz_init(r); /* c = m*(r^e) * ri = r^(-1) */ do { nettle_mpz_random(r, random_ctx, random, pub->n); /* invert r */ } while (!mpz_invert (ri, r, pub->n)); /* c = c*(r^e) mod n */ mpz_powm_sec(r, r, pub->e, pub->n); mpz_mul(c, m, r); mpz_fdiv_r(c, c, pub->n); mpz_clear(r); } /* m = c ri mod n */ static void rsa_unblind (const struct rsa_public_key *pub, mpz_t m, const mpz_t ri, const mpz_t c) { mpz_mul(m, c, ri); mpz_fdiv_r(m, m, pub->n); } /* Checks for any errors done in the RSA computation. That avoids * attacks which rely on faults on hardware, or even software MPI * implementation. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m) { int res; mpz_t t, mb, xb, ri; /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the key is invalid and rejected by rsa_private_key_prepare. However, some applications, notably gnutls, don't use this function, and we don't want an invalid key to lead to a crash down inside mpz_powm_sec. So do an additional check here. */ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) return 0; mpz_init (mb); mpz_init (xb); mpz_init (ri); mpz_init (t); rsa_blind (pub, random_ctx, random, mb, ri, m); rsa_compute_root (key, xb, mb); mpz_powm_sec(t, xb, pub->e, pub->n); res = (mpz_cmp(mb, t) == 0); if (res) rsa_unblind (pub, x, ri, xb); mpz_clear (mb); mpz_clear (xb); mpz_clear (ri); mpz_clear (t); return res; } int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mp_limb_t *x, const mp_limb_t *m) { mp_size_t nn; mpz_t mz; mpz_t xz; int res; mpz_init(xz); nn = mpz_size (pub->n); res = rsa_compute_root_tr(pub, key, random_ctx, random, xz, mpz_roinit_n(mz, m, nn)); if (res) mpz_limbs_copy(x, xz, nn); mpz_clear(xz); return res; } #else /* Blinds m, by computing c = m r^e (mod n), for a random r. Also returns the inverse (ri), for use by rsa_unblind. Must have c != m, no in-place operation.*/ static void rsa_sec_blind (const struct rsa_public_key *pub, void *random_ctx, nettle_random_func *random, mp_limb_t *c, mp_limb_t *ri, const mp_limb_t *m) { const mp_limb_t *ep = mpz_limbs_read (pub->e); const mp_limb_t *np = mpz_limbs_read (pub->n); mp_bitcnt_t ebn = mpz_sizeinbase (pub->e, 2); mp_size_t nn = mpz_size (pub->n); size_t itch; size_t i2; mp_limb_t *scratch; TMP_GMP_DECL (tp, mp_limb_t); TMP_GMP_DECL (rp, mp_limb_t); TMP_GMP_DECL (r, uint8_t); TMP_GMP_ALLOC (rp, nn); TMP_GMP_ALLOC (r, nn * sizeof(mp_limb_t)); /* c = m*(r^e) mod n */ itch = mpn_sec_powm_itch(nn, ebn, nn); i2 = mpn_sec_mul_itch(nn, nn); itch = MAX(itch, i2); i2 = mpn_sec_div_r_itch(2*nn, nn); itch = MAX(itch, i2); i2 = mpn_sec_invert_itch(nn); itch = MAX(itch, i2); TMP_GMP_ALLOC (tp, 2*nn + itch); scratch = tp + 2*nn; /* ri = r^(-1) */ do { random(random_ctx, nn * sizeof(mp_limb_t), (uint8_t *)r); mpn_set_base256(rp, nn, r, nn * sizeof(mp_limb_t)); mpn_copyi(tp, rp, nn); /* invert r */ } while (!mpn_sec_invert (ri, tp, np, nn, 2 * nn * GMP_NUMB_BITS, scratch)); mpn_sec_powm (c, rp, nn, ep, ebn, np, nn, scratch); mpn_sec_mul (tp, c, nn, m, nn, scratch); mpn_sec_div_r (tp, 2*nn, np, nn, scratch); mpn_copyi(c, tp, nn); TMP_GMP_FREE (r); TMP_GMP_FREE (rp); TMP_GMP_FREE (tp); } /* m = c ri mod n. Allows x == c. */ static void rsa_sec_unblind (const struct rsa_public_key *pub, mp_limb_t *x, mp_limb_t *ri, const mp_limb_t *c) { const mp_limb_t *np = mpz_limbs_read (pub->n); mp_size_t nn = mpz_size (pub->n); size_t itch; size_t i2; mp_limb_t *scratch; TMP_GMP_DECL(tp, mp_limb_t); itch = mpn_sec_mul_itch(nn, nn); i2 = mpn_sec_div_r_itch(nn + nn, nn); itch = MAX(itch, i2); TMP_GMP_ALLOC (tp, nn + nn + itch); scratch = tp + nn + nn; mpn_sec_mul (tp, c, nn, ri, nn, scratch); mpn_sec_div_r (tp, nn + nn, np, nn, scratch); mpn_copyi(x, tp, nn); TMP_GMP_FREE (tp); } static int sec_equal(const mp_limb_t *a, const mp_limb_t *b, size_t limbs) { volatile mp_limb_t z = 0; size_t i; for (i = 0; i < limbs; i++) { z |= (a[i] ^ b[i]); } return z == 0; } static int rsa_sec_check_root(const struct rsa_public_key *pub, const mp_limb_t *x, const mp_limb_t *m) { mp_size_t nn = mpz_size (pub->n); mp_size_t ebn = mpz_sizeinbase (pub->e, 2); const mp_limb_t *np = mpz_limbs_read (pub->n); const mp_limb_t *ep = mpz_limbs_read (pub->e); int ret; mp_size_t itch; mp_limb_t *scratch; TMP_GMP_DECL(tp, mp_limb_t); itch = mpn_sec_powm_itch (nn, ebn, nn); TMP_GMP_ALLOC (tp, nn + itch); scratch = tp + nn; mpn_sec_powm(tp, x, nn, ep, ebn, np, nn, scratch); ret = sec_equal(tp, m, nn); TMP_GMP_FREE (tp); return ret; } static void cnd_mpn_zero (int cnd, volatile mp_ptr rp, mp_size_t n) { volatile mp_limb_t c; volatile mp_limb_t mask = (mp_limb_t) cnd - 1; while (--n >= 0) { c = rp[n]; c &= mask; rp[n] = c; } } /* Checks for any errors done in the RSA computation. That avoids * attacks which rely on faults on hardware, or even software MPI * implementation. * This version is side-channel silent even in case of error, * the destination buffer is always overwritten */ int _rsa_sec_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mp_limb_t *x, const mp_limb_t *m) { TMP_GMP_DECL (c, mp_limb_t); TMP_GMP_DECL (ri, mp_limb_t); TMP_GMP_DECL (scratch, mp_limb_t); size_t key_limb_size; int ret; key_limb_size = mpz_size(pub->n); /* mpz_powm_sec handles only odd moduli. If p, q or n is even, the key is invalid and rejected by rsa_private_key_prepare. However, some applications, notably gnutls, don't use this function, and we don't want an invalid key to lead to a crash down inside mpz_powm_sec. So do an additional check here. */ if (mpz_even_p (pub->n) || mpz_even_p (key->p) || mpz_even_p (key->q)) { mpn_zero(x, key_limb_size); return 0; } assert(mpz_size(pub->n) == key_limb_size); TMP_GMP_ALLOC (c, key_limb_size); TMP_GMP_ALLOC (ri, key_limb_size); TMP_GMP_ALLOC (scratch, _rsa_sec_compute_root_itch(key)); rsa_sec_blind (pub, random_ctx, random, c, ri, m); _rsa_sec_compute_root(key, x, c, scratch); ret = rsa_sec_check_root(pub, x, c); rsa_sec_unblind(pub, x, ri, x); cnd_mpn_zero(1 - ret, x, key_limb_size); TMP_GMP_FREE (scratch); TMP_GMP_FREE (ri); TMP_GMP_FREE (c); return ret; } /* Checks for any errors done in the RSA computation. That avoids * attacks which rely on faults on hardware, or even software MPI * implementation. * This version is maintained for API compatibility reasons. It * is not completely side-channel silent. There are conditionals * in buffer copying both in case of success or error. */ int rsa_compute_root_tr(const struct rsa_public_key *pub, const struct rsa_private_key *key, void *random_ctx, nettle_random_func *random, mpz_t x, const mpz_t m) { TMP_GMP_DECL (l, mp_limb_t); mp_size_t nn = mpz_size(pub->n); int res; TMP_GMP_ALLOC (l, nn); mpz_limbs_copy(l, m, nn); res = _rsa_sec_compute_root_tr (pub, key, random_ctx, random, l, l); if (res) { mp_limb_t *xp = mpz_limbs_write (x, nn); mpn_copyi (xp, l, nn); mpz_limbs_finish (x, nn); } TMP_GMP_FREE (l); return res; } #endif nettle-3.10/camellia128-set-encrypt-key.c0000644000175000017500000000624214633602171017172 0ustar nissenisse/* camellia128-set-encrypt-key.c Key setup for the camellia block cipher. Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "camellia-internal.h" #include "macros.h" void camellia128_set_encrypt_key (struct camellia128_ctx *ctx, const uint8_t *key) { uint64_t k0, k1; uint64_t subkey[_CAMELLIA128_NKEYS + 2]; uint64_t w; k0 = READ_UINT64(key); k1 = READ_UINT64(key + 8); /** * generate KL dependent subkeys */ subkey[0] = k0; subkey[1] = k1; ROTL128(15, k0, k1); subkey[4] = k0; subkey[5] = k1; ROTL128(30, k0, k1); subkey[10] = k0; subkey[11] = k1; ROTL128(15, k0, k1); subkey[13] = k1; ROTL128(17, k0, k1); subkey[16] = k0; subkey[17] = k1; ROTL128(17, k0, k1); subkey[18] = k0; subkey[19] = k1; ROTL128(17, k0, k1); subkey[22] = k0; subkey[23] = k1; /* generate KA. D1 is k0, d2 is k1. */ /* FIXME: Make notation match the spec better. */ /* For the 128-bit case, KR = 0, the construction of KA reduces to: D1 = KL >> 64; W = KL & MASK64; D2 = F(D1, Sigma1); W = D2 ^ W D1 = F(W, Sigma2) D2 = D2 ^ F(D1, Sigma3); D1 = D1 ^ F(D2, Sigma4); KA = (D1 << 64) | D2; */ k0 = subkey[0]; w = subkey[1]; CAMELLIA_F(k0, SIGMA1, k1); w ^= k1; CAMELLIA_F(w, SIGMA2, k0); CAMELLIA_F(k0, SIGMA3, w); k1 ^= w; CAMELLIA_F(k1, SIGMA4, w); k0 ^= w; /* generate KA dependent subkeys */ subkey[2] = k0; subkey[3] = k1; ROTL128(15, k0, k1); subkey[6] = k0; subkey[7] = k1; ROTL128(15, k0, k1); subkey[8] = k0; subkey[9] = k1; ROTL128(15, k0, k1); subkey[12] = k0; ROTL128(15, k0, k1); subkey[14] = k0; subkey[15] = k1; ROTL128(34, k0, k1); subkey[20] = k0; subkey[21] = k1; ROTL128(17, k0, k1); subkey[24] = k0; subkey[25] = k1; /* Common final processing */ _nettle_camellia_absorb (_CAMELLIA128_NKEYS, ctx->keys, subkey); } nettle-3.10/eax.h0000644000175000017500000001317014633602172012710 0ustar nissenisse/* eax.h EAX mode, see http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_EAX_H_INCLUDED #define NETTLE_EAX_H_INCLUDED #include "aes.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define eax_set_key nettle_eax_set_key #define eax_set_nonce nettle_eax_set_nonce #define eax_update nettle_eax_update #define eax_encrypt nettle_eax_encrypt #define eax_decrypt nettle_eax_decrypt #define eax_digest nettle_eax_digest #define eax_aes128_set_key nettle_eax_aes128_set_key #define eax_aes128_set_nonce nettle_eax_aes128_set_nonce #define eax_aes128_update nettle_eax_aes128_update #define eax_aes128_encrypt nettle_eax_aes128_encrypt #define eax_aes128_decrypt nettle_eax_aes128_decrypt #define eax_aes128_digest nettle_eax_aes128_digest /* Restricted to block ciphers with 128 bit block size. FIXME: Reflect this in naming? */ #define EAX_BLOCK_SIZE 16 #define EAX_DIGEST_SIZE 16 /* FIXME: Reasonable default? */ #define EAX_IV_SIZE 16 /* Values independent of message and nonce */ struct eax_key { union nettle_block16 pad_block; union nettle_block16 pad_partial; }; struct eax_ctx { union nettle_block16 omac_nonce; union nettle_block16 omac_data; union nettle_block16 omac_message; union nettle_block16 ctr; }; void eax_set_key (struct eax_key *key, const void *cipher, nettle_cipher_func *f); void eax_set_nonce (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t nonce_length, const uint8_t *nonce); void eax_update (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t data_length, const uint8_t *data); void eax_encrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void eax_decrypt (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src); void eax_digest (struct eax_ctx *eax, const struct eax_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest); /* Put the cipher last, to get cipher-independent offsets for the EAX * state. */ #define EAX_CTX(type) \ { struct eax_key key; struct eax_ctx eax; type cipher; } #define EAX_SET_KEY(ctx, set_key, encrypt, data) \ do { \ (set_key)(&(ctx)->cipher, (data)); \ if (0) (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0); \ eax_set_key (&(ctx)->key, &(ctx)->cipher, (nettle_cipher_func *) encrypt); \ } while (0) #define EAX_SET_NONCE(ctx, encrypt, length, nonce) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_set_nonce (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (nonce))) #define EAX_UPDATE(ctx, encrypt, length, data) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_update (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (data))) #define EAX_ENCRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_encrypt (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define EAX_DECRYPT(ctx, encrypt, length, dst, src) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_decrypt (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (dst), (src))) #define EAX_DIGEST(ctx, encrypt, length, digest) \ (0 ? (encrypt) (&(ctx)->cipher, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0) \ : eax_digest (&(ctx)->eax, &(ctx)->key, \ &(ctx)->cipher, (nettle_cipher_func *) (encrypt), \ (length), (digest))) struct eax_aes128_ctx EAX_CTX(struct aes128_ctx); void eax_aes128_set_key(struct eax_aes128_ctx *ctx, const uint8_t *key); void eax_aes128_set_nonce(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *iv); void eax_aes128_update(struct eax_aes128_ctx *ctx, size_t length, const uint8_t *data); void eax_aes128_encrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void eax_aes128_decrypt(struct eax_aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void eax_aes128_digest(struct eax_aes128_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_EAX_H_INCLUDED */ nettle-3.10/memxor.h0000644000175000017500000000063714633602172013446 0ustar nissenisse/* memxor.h * */ #ifndef NETTLE_MEMXOR_H_INCLUDED #define NETTLE_MEMXOR_H_INCLUDED #include #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define memxor nettle_memxor #define memxor3 nettle_memxor3 void *memxor(void *dst, const void *src, size_t n); void *memxor3(void *dst, const void *a, const void *b, size_t n); #ifdef __cplusplus } #endif #endif /* NETTLE_MEMXOR_H_INCLUDED */ nettle-3.10/curve448-mul-g.c0000644000175000017500000000370414633602172014533 0ustar nissenisse/* curve448-mul-g.c Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "curve448.h" #include "ecc.h" #include "ecc-internal.h" /* Intended to be compatible with NaCl's crypto_scalarmult_base. */ void curve448_mul_g (uint8_t *r, const uint8_t *n) { const struct ecc_curve *ecc = &_nettle_curve448; uint8_t t[CURVE448_SIZE]; mp_limb_t *scratch; mp_size_t itch; #define ng scratch #define x (scratch + 3*ecc->p.size) #define scratch_out (scratch + 4*ecc->p.size) memcpy (t, n, sizeof(t)); t[0] &= ~3; t[CURVE448_SIZE-1] = (t[CURVE448_SIZE-1] & 0x7f) | 0x80; itch = 5*ecc->p.size + ecc->mul_g_itch; scratch = gmp_alloc_limbs (itch); mpn_set_base256_le (x, ecc->p.size, t, CURVE448_SIZE); ecc_mul_g_eh (ecc, ng, x, scratch_out); curve448_eh_to_x (x, ng, scratch_out); mpn_get_base256_le (r, CURVE448_SIZE, x, ecc->p.size); gmp_free_limbs (scratch, itch); #undef ng #undef x #undef scratch_out } nettle-3.10/ripemd160-compress.c0000644000175000017500000002136314633602171015470 0ustar nissenisse/* ripemd160-compress.c RIPE-MD160 (Transform function) Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Ported from libgcrypt by Andres Mejia */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ripemd160.h" #include "ripemd160-internal.h" #include "macros.h" /**************** * Transform the message X which consists of 16 32-bit-words */ void _nettle_ripemd160_compress(uint32_t *state, const uint8_t *data) { register uint32_t a,b,c,d,e; uint32_t aa,bb,cc,dd,ee,t; uint32_t x[16]; #ifdef WORDS_BIGENDIAN { int i; for (i=0; i < 16; i++, data += 4 ) x[i] = LE_READ_UINT32(data); } #else /* memcpy seems a bit faster. Benchmarked on Intel SU4100, it makes the entire update function roughly 6% faster. */ memcpy(x, data, sizeof(x)); #endif #define K0 0x00000000 #define K1 0x5A827999 #define K2 0x6ED9EBA1 #define K3 0x8F1BBCDC #define K4 0xA953FD4E #define KK0 0x50A28BE6 #define KK1 0x5C4DD124 #define KK2 0x6D703EF3 #define KK3 0x7A6D76E9 #define KK4 0x00000000 #define F0(x,y,z) ( (x) ^ (y) ^ (z) ) #define F1(x,y,z) ( ((x) & (y)) | (~(x) & (z)) ) #define F2(x,y,z) ( ((x) | ~(y)) ^ (z) ) #define F3(x,y,z) ( ((x) & (z)) | ((y) & ~(z)) ) #define F4(x,y,z) ( (x) ^ ((y) | ~(z)) ) #define R(a,b,c,d,e,f,k,r,s) do { t = a + f(b,c,d) + k + x[r]; \ a = ROTL32(s,t) + e; \ c = ROTL32(10,c); \ } while(0) /* left lane */ a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; R( a, b, c, d, e, F0, K0, 0, 11 ); R( e, a, b, c, d, F0, K0, 1, 14 ); R( d, e, a, b, c, F0, K0, 2, 15 ); R( c, d, e, a, b, F0, K0, 3, 12 ); R( b, c, d, e, a, F0, K0, 4, 5 ); R( a, b, c, d, e, F0, K0, 5, 8 ); R( e, a, b, c, d, F0, K0, 6, 7 ); R( d, e, a, b, c, F0, K0, 7, 9 ); R( c, d, e, a, b, F0, K0, 8, 11 ); R( b, c, d, e, a, F0, K0, 9, 13 ); R( a, b, c, d, e, F0, K0, 10, 14 ); R( e, a, b, c, d, F0, K0, 11, 15 ); R( d, e, a, b, c, F0, K0, 12, 6 ); R( c, d, e, a, b, F0, K0, 13, 7 ); R( b, c, d, e, a, F0, K0, 14, 9 ); R( a, b, c, d, e, F0, K0, 15, 8 ); R( e, a, b, c, d, F1, K1, 7, 7 ); R( d, e, a, b, c, F1, K1, 4, 6 ); R( c, d, e, a, b, F1, K1, 13, 8 ); R( b, c, d, e, a, F1, K1, 1, 13 ); R( a, b, c, d, e, F1, K1, 10, 11 ); R( e, a, b, c, d, F1, K1, 6, 9 ); R( d, e, a, b, c, F1, K1, 15, 7 ); R( c, d, e, a, b, F1, K1, 3, 15 ); R( b, c, d, e, a, F1, K1, 12, 7 ); R( a, b, c, d, e, F1, K1, 0, 12 ); R( e, a, b, c, d, F1, K1, 9, 15 ); R( d, e, a, b, c, F1, K1, 5, 9 ); R( c, d, e, a, b, F1, K1, 2, 11 ); R( b, c, d, e, a, F1, K1, 14, 7 ); R( a, b, c, d, e, F1, K1, 11, 13 ); R( e, a, b, c, d, F1, K1, 8, 12 ); R( d, e, a, b, c, F2, K2, 3, 11 ); R( c, d, e, a, b, F2, K2, 10, 13 ); R( b, c, d, e, a, F2, K2, 14, 6 ); R( a, b, c, d, e, F2, K2, 4, 7 ); R( e, a, b, c, d, F2, K2, 9, 14 ); R( d, e, a, b, c, F2, K2, 15, 9 ); R( c, d, e, a, b, F2, K2, 8, 13 ); R( b, c, d, e, a, F2, K2, 1, 15 ); R( a, b, c, d, e, F2, K2, 2, 14 ); R( e, a, b, c, d, F2, K2, 7, 8 ); R( d, e, a, b, c, F2, K2, 0, 13 ); R( c, d, e, a, b, F2, K2, 6, 6 ); R( b, c, d, e, a, F2, K2, 13, 5 ); R( a, b, c, d, e, F2, K2, 11, 12 ); R( e, a, b, c, d, F2, K2, 5, 7 ); R( d, e, a, b, c, F2, K2, 12, 5 ); R( c, d, e, a, b, F3, K3, 1, 11 ); R( b, c, d, e, a, F3, K3, 9, 12 ); R( a, b, c, d, e, F3, K3, 11, 14 ); R( e, a, b, c, d, F3, K3, 10, 15 ); R( d, e, a, b, c, F3, K3, 0, 14 ); R( c, d, e, a, b, F3, K3, 8, 15 ); R( b, c, d, e, a, F3, K3, 12, 9 ); R( a, b, c, d, e, F3, K3, 4, 8 ); R( e, a, b, c, d, F3, K3, 13, 9 ); R( d, e, a, b, c, F3, K3, 3, 14 ); R( c, d, e, a, b, F3, K3, 7, 5 ); R( b, c, d, e, a, F3, K3, 15, 6 ); R( a, b, c, d, e, F3, K3, 14, 8 ); R( e, a, b, c, d, F3, K3, 5, 6 ); R( d, e, a, b, c, F3, K3, 6, 5 ); R( c, d, e, a, b, F3, K3, 2, 12 ); R( b, c, d, e, a, F4, K4, 4, 9 ); R( a, b, c, d, e, F4, K4, 0, 15 ); R( e, a, b, c, d, F4, K4, 5, 5 ); R( d, e, a, b, c, F4, K4, 9, 11 ); R( c, d, e, a, b, F4, K4, 7, 6 ); R( b, c, d, e, a, F4, K4, 12, 8 ); R( a, b, c, d, e, F4, K4, 2, 13 ); R( e, a, b, c, d, F4, K4, 10, 12 ); R( d, e, a, b, c, F4, K4, 14, 5 ); R( c, d, e, a, b, F4, K4, 1, 12 ); R( b, c, d, e, a, F4, K4, 3, 13 ); R( a, b, c, d, e, F4, K4, 8, 14 ); R( e, a, b, c, d, F4, K4, 11, 11 ); R( d, e, a, b, c, F4, K4, 6, 8 ); R( c, d, e, a, b, F4, K4, 15, 5 ); R( b, c, d, e, a, F4, K4, 13, 6 ); aa = a; bb = b; cc = c; dd = d; ee = e; /* right lane */ a = state[0]; b = state[1]; c = state[2]; d = state[3]; e = state[4]; R( a, b, c, d, e, F4, KK0, 5, 8); R( e, a, b, c, d, F4, KK0, 14, 9); R( d, e, a, b, c, F4, KK0, 7, 9); R( c, d, e, a, b, F4, KK0, 0, 11); R( b, c, d, e, a, F4, KK0, 9, 13); R( a, b, c, d, e, F4, KK0, 2, 15); R( e, a, b, c, d, F4, KK0, 11, 15); R( d, e, a, b, c, F4, KK0, 4, 5); R( c, d, e, a, b, F4, KK0, 13, 7); R( b, c, d, e, a, F4, KK0, 6, 7); R( a, b, c, d, e, F4, KK0, 15, 8); R( e, a, b, c, d, F4, KK0, 8, 11); R( d, e, a, b, c, F4, KK0, 1, 14); R( c, d, e, a, b, F4, KK0, 10, 14); R( b, c, d, e, a, F4, KK0, 3, 12); R( a, b, c, d, e, F4, KK0, 12, 6); R( e, a, b, c, d, F3, KK1, 6, 9); R( d, e, a, b, c, F3, KK1, 11, 13); R( c, d, e, a, b, F3, KK1, 3, 15); R( b, c, d, e, a, F3, KK1, 7, 7); R( a, b, c, d, e, F3, KK1, 0, 12); R( e, a, b, c, d, F3, KK1, 13, 8); R( d, e, a, b, c, F3, KK1, 5, 9); R( c, d, e, a, b, F3, KK1, 10, 11); R( b, c, d, e, a, F3, KK1, 14, 7); R( a, b, c, d, e, F3, KK1, 15, 7); R( e, a, b, c, d, F3, KK1, 8, 12); R( d, e, a, b, c, F3, KK1, 12, 7); R( c, d, e, a, b, F3, KK1, 4, 6); R( b, c, d, e, a, F3, KK1, 9, 15); R( a, b, c, d, e, F3, KK1, 1, 13); R( e, a, b, c, d, F3, KK1, 2, 11); R( d, e, a, b, c, F2, KK2, 15, 9); R( c, d, e, a, b, F2, KK2, 5, 7); R( b, c, d, e, a, F2, KK2, 1, 15); R( a, b, c, d, e, F2, KK2, 3, 11); R( e, a, b, c, d, F2, KK2, 7, 8); R( d, e, a, b, c, F2, KK2, 14, 6); R( c, d, e, a, b, F2, KK2, 6, 6); R( b, c, d, e, a, F2, KK2, 9, 14); R( a, b, c, d, e, F2, KK2, 11, 12); R( e, a, b, c, d, F2, KK2, 8, 13); R( d, e, a, b, c, F2, KK2, 12, 5); R( c, d, e, a, b, F2, KK2, 2, 14); R( b, c, d, e, a, F2, KK2, 10, 13); R( a, b, c, d, e, F2, KK2, 0, 13); R( e, a, b, c, d, F2, KK2, 4, 7); R( d, e, a, b, c, F2, KK2, 13, 5); R( c, d, e, a, b, F1, KK3, 8, 15); R( b, c, d, e, a, F1, KK3, 6, 5); R( a, b, c, d, e, F1, KK3, 4, 8); R( e, a, b, c, d, F1, KK3, 1, 11); R( d, e, a, b, c, F1, KK3, 3, 14); R( c, d, e, a, b, F1, KK3, 11, 14); R( b, c, d, e, a, F1, KK3, 15, 6); R( a, b, c, d, e, F1, KK3, 0, 14); R( e, a, b, c, d, F1, KK3, 5, 6); R( d, e, a, b, c, F1, KK3, 12, 9); R( c, d, e, a, b, F1, KK3, 2, 12); R( b, c, d, e, a, F1, KK3, 13, 9); R( a, b, c, d, e, F1, KK3, 9, 12); R( e, a, b, c, d, F1, KK3, 7, 5); R( d, e, a, b, c, F1, KK3, 10, 15); R( c, d, e, a, b, F1, KK3, 14, 8); R( b, c, d, e, a, F0, KK4, 12, 8); R( a, b, c, d, e, F0, KK4, 15, 5); R( e, a, b, c, d, F0, KK4, 10, 12); R( d, e, a, b, c, F0, KK4, 4, 9); R( c, d, e, a, b, F0, KK4, 1, 12); R( b, c, d, e, a, F0, KK4, 5, 5); R( a, b, c, d, e, F0, KK4, 8, 14); R( e, a, b, c, d, F0, KK4, 7, 6); R( d, e, a, b, c, F0, KK4, 6, 8); R( c, d, e, a, b, F0, KK4, 2, 13); R( b, c, d, e, a, F0, KK4, 13, 6); R( a, b, c, d, e, F0, KK4, 14, 5); R( e, a, b, c, d, F0, KK4, 0, 15); R( d, e, a, b, c, F0, KK4, 3, 13); R( c, d, e, a, b, F0, KK4, 9, 11); R( b, c, d, e, a, F0, KK4, 11, 11); t = state[1] + d + cc; state[1] = state[2] + e + dd; state[2] = state[3] + a + ee; state[3] = state[4] + b + aa; state[4] = state[0] + c + bb; state[0] = t; } nettle-3.10/ecc-a-to-j.c0000644000175000017500000000317114633602171013744 0ustar nissenisse/* ecc-a-to-j.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc.h" #include "ecc-internal.h" void ecc_a_to_j (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p) { if (ecc->use_redc) { mpn_copyd (r + ecc->p.size, p, 2*ecc->p.size); mpn_zero (r, ecc->p.size); ecc->p.mod (&ecc->p, r, r); mpn_zero (r + ecc->p.size, ecc->p.size); ecc->p.mod (&ecc->p, r + ecc->p.size, r + ecc->p.size); } else if (r != p) mpn_copyi (r, p, 2*ecc->p.size); mpn_copyi (r + 2*ecc->p.size, ecc->unit, ecc->p.size); } nettle-3.10/dsa-sha1-sign.c0000644000175000017500000000361414633602171014466 0ustar nissenisse/* dsa-sha1-sign.c The original DSA publickey algorithm, using SHA-1. Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" int dsa_sha1_sign_digest(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, struct dsa_signature *signature) { return dsa_sign((const struct dsa_params *) pub, key->x, random_ctx, random, SHA1_DIGEST_SIZE, digest, signature); } int dsa_sha1_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, struct dsa_signature *signature) { uint8_t digest[SHA1_DIGEST_SIZE]; sha1_digest(hash, sizeof(digest), digest); return dsa_sign((const struct dsa_params *) pub, key->x, random_ctx, random, sizeof(digest), digest, signature); } nettle-3.10/camellia256-meta.c0000644000175000017500000000274614633602171015064 0ustar nissenisse/* camellia256-meta.c Copyright (C) 2010, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "camellia.h" const struct nettle_cipher nettle_camellia256 = { "camellia256", sizeof(struct camellia256_ctx), CAMELLIA_BLOCK_SIZE, CAMELLIA256_KEY_SIZE, (nettle_set_key_func *) camellia256_set_encrypt_key, (nettle_set_key_func *) camellia256_set_decrypt_key, (nettle_cipher_func *) camellia256_crypt, (nettle_cipher_func *) camellia256_crypt }; nettle-3.10/dsa-compat.h0000644000175000017500000001221714633602172014164 0ustar nissenisse/* dsa-compat.h Old DSA publickey interface. Copyright (C) 2002, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_DSA_COMPAT_H_INCLUDED #define NETTLE_DSA_COMPAT_H_INCLUDED #include "dsa.h" #include "sha1.h" #include "sha2.h" /* Name mangling */ #define dsa_public_key_init nettle_dsa_public_key_init #define dsa_public_key_clear nettle_dsa_public_key_clear #define dsa_private_key_init nettle_dsa_private_key_init #define dsa_private_key_clear nettle_dsa_private_key_clear #define dsa_sha1_sign nettle_dsa_sha1_sign #define dsa_sha1_verify nettle_dsa_sha1_verify #define dsa_sha256_sign nettle_dsa_sha256_sign #define dsa_sha256_verify nettle_dsa_sha256_verify #define dsa_sha1_sign_digest nettle_dsa_sha1_sign_digest #define dsa_sha1_verify_digest nettle_dsa_sha1_verify_digest #define dsa_sha256_sign_digest nettle_dsa_sha256_sign_digest #define dsa_sha256_verify_digest nettle_dsa_sha256_verify_digest #define dsa_compat_generate_keypair nettle_dsa_compat_generate_keypair /* Switch meaning of dsa_generate_keypair */ #undef dsa_generate_keypair #define dsa_generate_keypair nettle_dsa_compat_generate_keypair #ifdef __cplusplus extern "C" { #endif struct dsa_public_key { /* Same as struct dsa_params, but can't use that struct here without breaking backwards compatibility. Layout must be identical, since this is cast to a struct dsa_param pointer for calling _dsa_sign and _dsa_verify */ mpz_t p; mpz_t q; mpz_t g; /* Public value */ mpz_t y; }; struct dsa_private_key { /* Unlike an rsa public key, private key operations will need both * the private and the public information. */ mpz_t x; }; /* Signing a message works as follows: * * Store the private key in a dsa_private_key struct. * * Initialize a hashing context, by callling * sha1_init * * Hash the message by calling * sha1_update * * Create the signature by calling * dsa_sha1_sign * * The signature is represented as a struct dsa_signature. This call also * resets the hashing context. * * When done with the key and signature, don't forget to call * dsa_signature_clear. */ /* Calls mpz_init to initialize bignum storage. */ void dsa_public_key_init(struct dsa_public_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void dsa_public_key_clear(struct dsa_public_key *key); /* Calls mpz_init to initialize bignum storage. */ void dsa_private_key_init(struct dsa_private_key *key); /* Calls mpz_clear to deallocate bignum storage. */ void dsa_private_key_clear(struct dsa_private_key *key); int dsa_sha1_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha1_ctx *hash, struct dsa_signature *signature); int dsa_sha256_sign(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, struct sha256_ctx *hash, struct dsa_signature *signature); int dsa_sha1_verify(const struct dsa_public_key *key, struct sha1_ctx *hash, const struct dsa_signature *signature); int dsa_sha256_verify(const struct dsa_public_key *key, struct sha256_ctx *hash, const struct dsa_signature *signature); int dsa_sha1_sign_digest(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, struct dsa_signature *signature); int dsa_sha256_sign_digest(const struct dsa_public_key *pub, const struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, const uint8_t *digest, struct dsa_signature *signature); int dsa_sha1_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature); int dsa_sha256_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature); /* Key generation */ int dsa_generate_keypair(struct dsa_public_key *pub, struct dsa_private_key *key, void *random_ctx, nettle_random_func *random, void *progress_ctx, nettle_progress_func *progress, unsigned p_bits, unsigned q_bits); #ifdef __cplusplus } #endif #endif /* NETTLE_DSA_COMPAT_H_INCLUDED */ nettle-3.10/md2.h0000644000175000017500000000354514633602172012622 0ustar nissenisse/* md2.h The MD2 hash function, described in RFC 1319. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_MD2_H_INCLUDED #define NETTLE_MD2_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define md2_init nettle_md2_init #define md2_update nettle_md2_update #define md2_digest nettle_md2_digest #define MD2_DIGEST_SIZE 16 #define MD2_BLOCK_SIZE 16 /* For backwards compatibility */ #define MD2_DATA_SIZE MD2_BLOCK_SIZE struct md2_ctx { uint8_t C[MD2_BLOCK_SIZE]; uint8_t X[3 * MD2_BLOCK_SIZE]; unsigned index; /* Into buffer */ uint8_t block[MD2_BLOCK_SIZE]; /* Block buffer */ }; void md2_init(struct md2_ctx *ctx); void md2_update(struct md2_ctx *ctx, size_t length, const uint8_t *data); void md2_digest(struct md2_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_MD2_H_INCLUDED */ nettle-3.10/ecc-secp224r1.c0000644000175000017500000001661614633602171014312 0ustar nissenisse/* ecc-secp224r1.c Compile time constant (but machine dependent) tables. Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" #if HAVE_NATIVE_ecc_secp224r1_modp #define USE_REDC 0 #define ecc_secp224r1_modp _nettle_ecc_secp224r1_modp void ecc_secp224r1_modp (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); #else #define USE_REDC (ECC_REDC_SIZE != 0) #define ecc_secp224r1_modp ecc_mod #endif #include "ecc-secp224r1.h" #if ECC_REDC_SIZE < 0 # define ecc_secp224r1_redc ecc_pm1_redc #elif ECC_REDC_SIZE == 0 # define ecc_secp224r1_redc NULL #else # error Configuration error #endif /* Computes a^{2^{127} - 1} mod m. Also produces the intermediate value a^{2^{96} - 1}. Needs 3*ECC_LIMB_SIZE scratch. */ static void ecc_mod_pow_127m1 (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *a96m1, const mp_limb_t *ap, mp_limb_t *scratch) { /* Addition chain for 2^127 - 1: 7 = 1 + 2 (2+1) 2 S + 2 M 2^{31} - 1 = 1 + 2 (2^{15} + 1)(1 + 2 (2^7 + 1) (1 + 2 (2^3+1) * 7)) 28 S + 6 M 2^{34} - 1 = 2^3 (2^{31} - 1) + 7 3 S + M 2^{65} - 1 = 2^{31}(2^{34} - 1) + 2^{31} - 1 31 S + M 2^{96} - 1 = 2^{31}(2^{65} - 1) + 2^{31} - 1 31 S + M 2^{127} - 1 = 2^{31}(2^{96} - 1) + 2^{31} - 1 31 S + M This addition chain needs 126 squarings and 12 multiplies. */ #define a7 a96m1 #define t0 scratch #define a31m1 t0 #define tp (scratch + ECC_LIMB_SIZE) ecc_mod_sqr (m, rp, ap, tp); /* a^2 */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^3 */ ecc_mod_sqr (m, rp, rp, tp); /* a^6 */ ecc_mod_mul (m, a7, rp, ap, tp); /* a^{2^3-1} a7 */ ecc_mod_pow_2kp1 (m, rp, a7, 3, tp); /* a^{2^6 - 1} */ ecc_mod_sqr (m, rp, rp, tp); /* a^{2^7 - 2} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^7 - 1} */ ecc_mod_pow_2kp1 (m, t0, rp, 7, tp); /* a^{2^14 - 1} */ ecc_mod_sqr (m, rp, t0, tp); /* a^{2^15 - 2} */ ecc_mod_mul (m, rp, rp, ap, tp); /* a^{2^15 - 1} */ ecc_mod_pow_2kp1 (m, t0, rp, 15, tp); /* a^{2^30 - 1} */ ecc_mod_sqr (m, rp, t0, tp); /* a^{2^31 - 2} */ ecc_mod_mul (m, a31m1, rp, ap, tp); /* a^{2^31 - 1} a7, a31m1 */ ecc_mod_pow_2k_mul (m, rp, a31m1, 3, a7, tp); /* a^{2^34 - 1} a31m1 */ ecc_mod_pow_2k_mul (m, rp, rp, 31, a31m1, tp); /* a^{2^65 - 1} a31m1 */ ecc_mod_pow_2k_mul (m, a96m1, rp, 31, a31m1, tp); /* a^{2^96 - 1} a31m1, a96m1 */ ecc_mod_pow_2k_mul (m, rp, a96m1, 31, a31m1, tp); /* a^{2^{127} - 1} a96m1 */ #undef a7 #undef t0 #undef a31m1 #undef tp } #define ECC_SECP224R1_INV_ITCH (4*ECC_LIMB_SIZE) static void ecc_secp224r1_inv (const struct ecc_modulo *p, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *scratch) { #define a96m1 scratch #define tp (scratch + ECC_LIMB_SIZE) /* Compute a^{p - 2}, with p-2 = 2^{224} - 2^{96} - 1 = 2^{97}(2^{127} - 1) + 2^{96} - 1 This addition chain needs 97 squarings and one multiply in addition to ecc_mod_pow_127m1, for a total of 223 squarings and 13 multiplies. */ ecc_mod_pow_127m1 (p, rp, a96m1, ap, tp); ecc_mod_pow_2k_mul (p, rp, rp, 97, a96m1, tp); /* a^{2^{224} - 2^{96} - 1 */ #undef a96m1 #undef tp } #define ECC_SECP224R1_SQRT_ITCH (5*ECC_LIMB_SIZE) static int ecc_secp224r1_sqrt (const struct ecc_modulo *p, mp_limb_t *xp, const mp_limb_t *cp, mp_limb_t *scratch) { unsigned r; #define bp scratch #define yp (scratch + ECC_LIMB_SIZE) #define t0 (scratch + 2*ECC_LIMB_SIZE) #define tp (scratch + 3*ECC_LIMB_SIZE) /* Uses Tonnelli-Shanks' algorithm, and which isn't side-channel silent. We have p - 1 = 2^e q, with e = 2^{96} and q = 2^{128} - 1. Initially, we need b = c^q and x = c^{(q+1)/2}, and to get both, we start with c^{(q-1)/2} = a^{2^{127}-1} */ /* Needs total 4 * ECC_LIMB_SIZE scratch space */ ecc_mod_pow_127m1 (p, xp, scratch, cp, scratch + ECC_LIMB_SIZE); ecc_mod_sqr (p, bp, xp, tp); /* b <-- c^{2^{128} - 2 */ ecc_mod_mul (p, bp, bp, cp, tp); /* b <-- c^{2^{128} - 1 */ ecc_mod_mul (p, xp, xp, cp, tp); /* x <-- c^{2^{127}} */ mpn_copyi (yp, ecc_sqrt_z, p->size); r = ECC_SQRT_E; /* The algoritm maintains x^2 = c b; when b == 1, we are done. We also have the invariants b^{2^{r-1}} = 1 (assuming square root exists), and y^{2^{r-1}} = -1. */ for (;;) { unsigned m; if (ecc_mod_equal_p (p, bp, ecc_unit, tp)) return 1; ecc_mod_sqr (p, t0, bp, tp); for (m = 1; m < r && !ecc_mod_equal_p (p, t0, ecc_unit, tp); m++) ecc_mod_sqr (p, t0, t0, tp); if (m == r) { /* We get here if there is no square root, or input is zero. Will always be detected on first round in the outer loop. */ assert (r == ECC_SQRT_E); return ecc_mod_zero_p (p, xp); } if (m < r - 1) ecc_mod_pow_2k (p, yp, yp, r - m - 1, tp); r = m; ecc_mod_mul (p, xp, xp, yp, tp); /* x' <-- x y^{2^{r-m-1} */ ecc_mod_sqr (p, yp, yp, tp); /* y' <-- y^{2^{r-m}} */ ecc_mod_mul (p, bp, bp, yp, tp); /* b' <-- b y^{2^{r-m}} */ } #undef bp #undef yp #undef tp } const struct ecc_curve _nettle_secp_224r1 = { { 224, ECC_LIMB_SIZE, ECC_BMODP_SIZE, -ECC_REDC_SIZE, ECC_SECP224R1_INV_ITCH, ECC_SECP224R1_SQRT_ITCH, 0, ecc_p, ecc_Bmodp, ecc_Bmodp_shifted, ecc_Bm2p, ecc_redc_ppm1, ecc_pp1h, ecc_secp224r1_modp, USE_REDC ? ecc_secp224r1_redc : ecc_secp224r1_modp, ecc_secp224r1_inv, ecc_secp224r1_sqrt, NULL, }, { 224, ECC_LIMB_SIZE, ECC_BMODQ_SIZE, 0, ECC_MOD_INV_ITCH (ECC_LIMB_SIZE), 0, 0, ecc_q, ecc_Bmodq, ecc_Bmodq_shifted, ecc_Bm2q, NULL, ecc_qp1h, ecc_mod, ecc_mod, ecc_mod_inv, NULL, NULL, }, USE_REDC, ECC_PIPPENGER_K, ECC_PIPPENGER_C, ECC_ADD_JJA_ITCH (ECC_LIMB_SIZE), ECC_ADD_JJJ_ITCH (ECC_LIMB_SIZE), ECC_DUP_JJ_ITCH (ECC_LIMB_SIZE), ECC_MUL_A_ITCH (ECC_LIMB_SIZE), ECC_MUL_G_ITCH (ECC_LIMB_SIZE), ECC_J_TO_A_ITCH(ECC_LIMB_SIZE, ECC_SECP224R1_INV_ITCH), ecc_add_jja, ecc_add_jjj, ecc_dup_jj, ecc_mul_a, ecc_mul_g, ecc_j_to_a, ecc_b, ecc_unit, ecc_table }; const struct ecc_curve *nettle_get_secp_224r1(void) { return &_nettle_secp_224r1; } nettle-3.10/nettle.texinfo0000644000175000017500000113206614633602172014662 0ustar nissenisse\input texinfo @c -*-texinfo-*- @c %**start of header @setfilename nettle.info @settitle Nettle: a low-level cryptographic library @documentencoding UTF-8 @footnotestyle separate @syncodeindex fn cp @syncodeindex tp cp @c %**end of header @set UPDATED-FOR 3.9 @set AUTHOR Niels Möller @copying This manual is for the Nettle library (version @value{UPDATED-FOR}), a low-level cryptographic library. Originally written 2001 by @value{AUTHOR}, updated 2023. @quotation This manual is placed in the public domain. You may freely copy it, in whole or in part, with or without modification. Attribution is appreciated, but not required. @end quotation @end copying @ifnottex @macro pmod {m} (mod \m\) @end macro @end ifnottex @titlepage @title Nettle Manual @subtitle For the Nettle Library version @value{UPDATED-FOR} @author @value{AUTHOR} @page @vskip 0pt plus 1filll @insertcopying @end titlepage @dircategory Encryption @direntry * Nettle: (nettle). A low-level cryptographic library. @end direntry @contents @ifnottex @node Top @top Nettle This document describes the Nettle low-level cryptographic library. You can use the library directly from your C programs, or write or use an object-oriented wrapper for your favorite language or application. @insertcopying @menu * Introduction:: What is Nettle? * Copyright:: Your rights. * Conventions:: General interface conventions. * Example:: An example program. * Linking:: Linking with libnettle and libhogweed. * Compatibility:: On API and ABI compatibility between versions. * Reference:: All Nettle functions and features. * Nettle soup:: For the serious nettle hacker. * Installation:: How to install Nettle. * Index:: Function and concept index. @detailmenu --- The Detailed Node Listing --- Reference * Hash functions:: * Cipher functions:: * Cipher modes:: * Authenticated encryption:: * Keyed hash functions:: * Key derivation functions:: * Public-key algorithms:: * Randomness:: * ASCII encoding:: * Miscellaneous functions:: * Compatibility functions:: Hash functions * Recommended hash functions:: * Miscellaneous hash functions:: * Legacy hash functions:: * nettle_hash abstraction:: Cipher functions * AES:: * Arcfour:: * Arctwo:: * Blowfish:: * Camellia:: * CAST128:: * ChaCha:: * DES:: * DES3:: * Salsa20:: * Serpent:: * SM4:: * Twofish:: * nettle_cipher abstraction:: Cipher modes * CBC:: * CTR:: * CFB and CFB8:: * XTS:: Authenticated encryption with associated data * EAX:: * GCM:: * CCM:: * ChaCha-Poly1305:: * OCB:: * SIV-CMAC:: * SIV-GCM:: * nettle_aead abstraction:: Keyed Hash Functions * HMAC:: * UMAC:: * CMAC:: * Poly1305:: Public-key algorithms * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA Elliptic curves * Side-channel silence:: * ECDSA:: * GOSTDSA:: * Curve 25519 and Curve 448:: @end detailmenu @end menu @end ifnottex @node Introduction @chapter Introduction Nettle is a cryptographic library that is designed to fit easily in more or less any context: In crypto toolkits for object-oriented languages (C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms, you also need some way to keep track of available algorithms, their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context. And that is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a @emph{simple} but general interface to it. In particular, Nettle doesn't do algorithm selection. It doesn't do memory allocation. It doesn't do any I/O. The idea is that one can build several application and context specific interfaces on top of Nettle, and share the code, test cases, benchmarks, documentation, etc. Examples are the Nettle module for the Pike language, and LSH, which both use an object-oriented abstraction on top of the library. This manual explains how to use the Nettle library. It also tries to provide some background on the cryptography, and advice on how to best put it to use. @node Copyright @chapter Copyright Nettle is dual licenced under the GNU General Public License version 2 or later, and the GNU Lesser General Public License version 3 or later. When using Nettle, you must comply fully with all conditions of at least one of these licenses. A few of the individual files are licensed under more permissive terms, or in the public domain. To find the current status of particular files, you have to read the copyright notices at the top of the files. This manual is in the public domain. You may freely copy it in whole or in part, e.g., into documentation of programs that build on Nettle. Attribution, as well as contribution of improvements to the text, is of course appreciated, but it is not required. @node Conventions @chapter Conventions For each supported algorithm, there is an include file that defines a @emph{context struct}, a few constants, and declares functions for operating on the context. The context struct encapsulates all information needed by the algorithm, and it can be copied or moved in memory with no unexpected effects. For consistency, functions for different algorithms are very similar, but there are some differences, for instance reflecting if the key setup or encryption function differ for encryption and decryption, and whether or not key setup can fail. There are also differences between algorithms that don't show in function prototypes, but which the application must nevertheless be aware of. There is no big difference between the functions for stream ciphers and for block ciphers, although they should be used quite differently by the application. If your application uses more than one algorithm of the same type, you should probably create an interface that is tailor-made for your needs, and then write a few lines of glue code on top of Nettle. By convention, for an algorithm named @code{foo}, the struct tag for the context struct is @code{foo_ctx}, constants and functions uses prefixes like @code{FOO_BLOCK_SIZE} (a constant) and @code{foo_set_key} (a function). In all functions, strings are represented with an explicit length, of type @code{size_t}, and a pointer of type @code{uint8_t *} or @code{const uint8_t *}. For functions that transform one string to another, the argument order is length, destination pointer and source pointer. Source and destination areas are usually of the same length. When they differ, e.g., for @code{ccm_encrypt_message}, the length argument specifies the size of the destination area. Source and destination pointers may be equal, so that you can process strings in place, but source and destination areas @emph{must not} overlap in any other way. Many of the functions lack return value and can never fail. Those functions which can fail, return one on success and zero on failure. @c FIXME: Say something about the name mangling. @node Example @chapter Example A simple example program that reads a file from standard input and writes its SHA1 check-sum on standard output should give the flavor of Nettle. @example @verbatiminclude sha-example.c @end example On a typical Unix system, this program can be compiled and linked with the command line @example gcc sha-example.c -o sha-example -lnettle @end example @node Linking @chapter Linking Nettle actually consists of two libraries, @file{libnettle} and @file{libhogweed}. The @file{libhogweed} library contains those functions of Nettle that uses bignum operations, and depends on the GMP library. With this division, linking works the same for both static and dynamic libraries. If an application uses only the symmetric crypto algorithms of Nettle (i.e., block ciphers, hash functions, and the like), it's sufficient to link with @code{-lnettle}. If an application also uses public-key algorithms, the recommended linker flags are @code{-lhogweed -lnettle -lgmp}. If the involved libraries are installed as dynamic libraries, it may be sufficient to link with just @code{-lhogweed}, and the loader will resolve the dependencies automatically. @node Compatibility @chapter Compatibility @cindex ABI compatibility @cindex API compatibility @cindex Binary compatibility When you write a program using the Nettle library, it's desirable to have it work together not only with exactly the same version of Nettle you had at hand, but with other current and future versions. If a different version of Nettle is used at compile time, i.e., you recompile it using the header and library files belonging to a different version, we talk about API compatibility (for Application Programming Interface). If a different version of Nettle isn't used until link time, we talk about ABI compatibility (Application Binary Interface) or binary compatibility. ABI compatibility matters mainly when using dynamic linking with a shared library. E.g., a user has an executable linking at run-time with @file{libnettle.so}, and then updates to a later version of the shared library, without updating or recompiling the executable. Nettle aims to provide backwards compatibility, i.e., a program written for a particular version of the Nettle library should usually work fine with later version of the library. Note that the opposite is not supported: The program should @emph{not} be expected to work with older versions of the Nettle library; and ABI breakage can be unobvious. E.g, the later version may define a new library symbol, and let header files redefine an old API name as an alias for the new symbol. If the later version ensures that the old symbol is still defined in the library, this change is backwards compatible: A program compiled using headers from the older version can be successfully linked with either version of the library. But if you compile the same program using headers from the later version of the library, and attempt to link with the older version, you'll get an undefined reference to the new symbol. API compatibility is rarely broken; exceptions are noted in the NEWS file. For example, the key size argument to the function @code{cast128_set_key} was dropped in the Nettle-3.0 release, and all programs using that function had to be updated to work with the new version. ABI compatibility is broken occasionally. This is also noted in the NEWS file, and the name of the shared library is updated to prevent accidental run-time linking with the wrong version. All programs have to be recompiled before they can link with the new version. Since names are different, multiple versions can be installed on the same system, with a mix of programs linking to one version or the other. Under some circumstances, it is possible to have a single program linking dynamically with two binary incompatible versions of the Nettle library, thanks to the use of symbol versioning. Consider a program calling functions in both Nettle and GnuTLS. For the direct dependency on Nettle, the program is linked with a particular version of the Nettle shared library. GnuTLS uses Nettle internally, but does not expose any Nettle data structures or the like in its own ABI. In this situation, the GnuTLS shared library may link with a different version of the Nettle library. Then both versions of the Nettle library will be loaded into the program's address space, and each reference to a symbol will be resolved to the correct version. Finally, some of Nettle's symbols are internal. They carry a leading underscore, and are not declared in installed header files. They can be used for local or experimental purposes, but programs referring directly to those symbols get neither API nor ABI compatibility, not even between minor versions. @node Reference @chapter Reference This chapter describes all the Nettle functions, grouped by family. @menu * Hash functions:: * Cipher functions:: * Cipher modes:: * Authenticated encryption:: * Keyed hash functions:: * Key derivation functions:: * Public-key algorithms:: * Randomness:: * ASCII encoding:: * Miscellaneous functions:: * Compatibility functions:: @end menu @node Hash functions @section Hash functions @cindex Hash function A cryptographic @dfn{hash function} is a function that takes variable size strings, and maps them to strings of fixed, short, length. There are naturally lots of collisions, as there are more possible 1MB files than 20 byte strings. But the function is constructed such that is hard to find the collisions. More precisely, a cryptographic hash function @code{H} should have the following properties: @table @emph @item One-way @cindex One-way Given a hash value @code{H(x)} it is hard to find a string @code{x} that hashes to that value. @item Collision-resistant @cindex Collision-resistant It is hard to find two different strings, @code{x} and @code{y}, such that @code{H(x)} = @code{H(y)}. @end table Hash functions are useful as building blocks for digital signatures, message authentication codes, pseudo random generators, association of unique ids to documents, and many other things. The most commonly used hash functions are MD5 and SHA1. Unfortunately, both these fail the collision-resistance requirement; cryptologists have found ways to construct colliding inputs. The recommended hash functions for new applications are SHA2 (with main variants SHA256 and SHA512). At the time of this writing (Autumn 2015), SHA3 has recently been standardized, and the new SHA3 and other top SHA3 candidates may also be reasonable alternatives. @menu * Recommended hash functions:: * Miscellaneous hash functions:: * Legacy hash functions:: * nettle_hash abstraction:: @end menu @node Recommended hash functions @subsection Recommended hash functions The following hash functions have no known weaknesses, and are suitable for new applications. The SHA2 family of hash functions were specified by @dfn{NIST}, intended as a replacement for @acronym{SHA1}. @subsubsection @acronym{SHA256} SHA256 is a member of the SHA2 family. It outputs hash values of 256 bits, or 32 octets. Nettle defines SHA256 in @file{}. @deftp {Context struct} {struct sha256_ctx} @end deftp @defvr Constant SHA256_DIGEST_SIZE The size of a SHA256 digest, i.e. 32. @end defvr @defvr Constant SHA256_BLOCK_SIZE The internal block size of SHA256. Useful for some special constructions, in particular HMAC-SHA256. @end defvr @deftypefun void sha256_init (struct sha256_ctx *@var{ctx}) Initialize the SHA256 state. @end deftypefun @deftypefun void sha256_update (struct sha256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha256_digest (struct sha256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA256_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{sha256_init}. @end deftypefun @deftypefun void sha256_compress (const uint32_t *@var{state}, uint8_t *@var{input}) Perform a raw SHA256 compress on SHA256_BLOCK_SIZE bytes from@var{input} using @var{state} as IV (an array of 8 uint32_t). The output is stored in @var{state}. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA256). @end deftypefun Earlier versions of nettle defined SHA256 in the header file @file{}, which is now deprecated, but kept for compatibility. @subsubsection @acronym{SHA224} SHA224 is a variant of SHA256, with a different initial state, and with the output truncated to 224 bits, or 28 octets. Nettle defines SHA224 in @file{} (and in @file{}, for backwards compatibility). @deftp {Context struct} {struct sha224_ctx} @end deftp @defvr Constant SHA224_DIGEST_SIZE The size of a SHA224 digest, i.e. 28. @end defvr @defvr Constant SHA224_BLOCK_SIZE The internal block size of SHA224. Useful for some special constructions, in particular HMAC-SHA224. @end defvr @deftypefun void sha224_init (struct sha224_ctx *@var{ctx}) Initialize the SHA224 state. @end deftypefun @deftypefun void sha224_update (struct sha224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha224_digest (struct sha224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA224_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{sha224_init}. @end deftypefun @subsubsection @acronym{SHA512} SHA512 is a larger sibling to SHA256, with a very similar structure but with both the output and the internal variables of twice the size. The internal variables are 64 bits rather than 32, making it significantly slower on 32-bit computers. It outputs hash values of 512 bits, or 64 octets. Nettle defines SHA512 in @file{} (and in @file{}, for backwards compatibility). @deftp {Context struct} {struct sha512_ctx} @end deftp @defvr Constant SHA512_DIGEST_SIZE The size of a SHA512 digest, i.e. 64. @end defvr @defvr Constant SHA512_BLOCK_SIZE The internal block size of SHA512, 128. Useful for some special constructions, in particular HMAC-SHA512. @end defvr @deftypefun void sha512_init (struct sha512_ctx *@var{ctx}) Initialize the SHA512 state. @end deftypefun @deftypefun void sha512_update (struct sha512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha512_digest (struct sha512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA512_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{sha512_init}. @end deftypefun @deftypefun void sha512_compress (const uint64_t *@var{state}, uint8_t *@var{input}) Perform a raw SHA512 compress on SHA512_BLOCK_SIZE bytes from @var{input} using @var{state} as IV (an array of 8 uint64_t). The output is stored in @var{state}. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA512). @end deftypefun @subsubsection @acronym{SHA384 and other variants of SHA512} Several variants of SHA512 have been defined, with a different initial state, and with the output truncated to shorter length than 512 bits. Naming is a bit confused, these algorithms are called SHA512-224, SHA512-256 and SHA384, for output sizes of 224, 256 and 384 bits, respectively. Nettle defines these in @file{} (and in @file{}, for backwards compatibility). @deftp {Context struct} {struct sha512_224_ctx} @deftpx {Context struct} {struct sha512_256_ctx} @deftpx {Context struct} {struct sha384_ctx} These context structs are all the same as sha512_ctx. They are defined as simple preprocessor aliases, which may cause some problems if used as identifiers for other purposes. So avoid doing that. @end deftp @defvr Constant SHA512_224_DIGEST_SIZE @defvrx Constant SHA512_256_DIGEST_SIZE @defvrx Constant SHA384_DIGEST_SIZE The digest size for each variant, i.e., 28, 32, and 48, respectively. @end defvr @defvr Constant SHA512_224_BLOCK_SIZE @defvrx Constant SHA512_256_BLOCK_SIZE @defvrx Constant SHA384_BLOCK_SIZE The internal block size, same as SHA512_BLOCK_SIZE, i.e., 128. Useful for some special constructions, in particular HMAC-SHA384. @end defvr @deftypefun void sha512_224_init (struct sha512_224_ctx *@var{ctx}) @deftypefunx void sha512_256_init (struct sha512_256_ctx *@var{ctx}) @deftypefunx void sha384_init (struct sha384_ctx *@var{ctx}) Initialize the context struct. @end deftypefun @deftypefun void sha512_224_update (struct sha512_224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void sha512_256_update (struct sha512_256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void sha384_update (struct sha384_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. These are all aliases for sha512_update, which does the same thing. @end deftypefun @deftypefun void sha512_224_digest (struct sha512_224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void sha512_256_digest (struct sha512_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void sha384_digest (struct sha384_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than the specified digest size, in which case only the first @var{length} octets of the digest are written. These function also reset the context in the same way as the corresponding init function. @end deftypefun @subsubsection @acronym{SHA3-224} @cindex SHA3 The SHA3 hash functions were specified by NIST in response to weaknesses in SHA1, and doubts about SHA2 hash functions which structurally are very similar to SHA1. SHA3 is a result of a competition, where the winner, also known as Keccak, was designed by Guido Bertoni, Joan Daemen, Michaël Peeters and Gilles Van Assche. It is structurally very different from all widely used earlier hash functions. Like SHA2, there are several variants, with output sizes of 224, 256, 384 and 512 bits (28, 32, 48 and 64 octets, respectively). In August 2015, it was formally standardized by NIST, as FIPS 202, @url{https://dx.doi.org/10.6028/NIST.FIPS.202}. Note that the SHA3 implementation in earlier versions of Nettle was based on the specification at the time Keccak was announced as the winner of the competition, which is incompatible with the final standard and hence with current versions of Nettle. The @file{nette/sha3.h} defines a preprocessor symbol @code{NETTLE_SHA3_FIPS202} to indicate conformance with the standard. @defvr Constant NETTLE_SHA3_FIPS202 Defined to 1 in Nettle versions supporting FIPS 202. Undefined in earlier versions. @end defvr Nettle defines SHA3-224 in @file{}. @deftp {Context struct} {struct sha3_224_ctx} @end deftp @defvr Constant SHA3_224_DIGEST_SIZE The size of a SHA3_224 digest, i.e., 28. @end defvr @defvr Constant SHA3_224_BLOCK_SIZE The internal block size of SHA3_224. @end defvr @deftypefun void sha3_224_init (struct sha3_224_ctx *@var{ctx}) Initialize the SHA3-224 state. @end deftypefun @deftypefun void sha3_224_update (struct sha3_224_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_224_digest (struct sha3_224_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_224_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context. @end deftypefun @subsubsection @acronym{SHA3-256} This is SHA3 with 256-bit output size, and possibly the most useful of the SHA3 hash functions. Nettle defines SHA3-256 in @file{}. @deftp {Context struct} {struct sha3_256_ctx} @end deftp @defvr Constant SHA3_256_DIGEST_SIZE The size of a SHA3_256 digest, i.e., 32. @end defvr @defvr Constant SHA3_256_BLOCK_SIZE The internal block size of SHA3_256. @end defvr @deftypefun void sha3_256_init (struct sha3_256_ctx *@var{ctx}) Initialize the SHA3-256 state. @end deftypefun @deftypefun void sha3_256_update (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_256_digest (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_256_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context. @end deftypefun @subsubsection @acronym{SHA3-384} This is SHA3 with 384-bit output size. Nettle defines SHA3-384 in @file{}. @deftp {Context struct} {struct sha3_384_ctx} @end deftp @defvr Constant SHA3_384_DIGEST_SIZE The size of a SHA3_384 digest, i.e., 48. @end defvr @defvr Constant SHA3_384_BLOCK_SIZE The internal block size of SHA3_384. @end defvr @deftypefun void sha3_384_init (struct sha3_384_ctx *@var{ctx}) Initialize the SHA3-384 state. @end deftypefun @deftypefun void sha3_384_update (struct sha3_384_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_384_digest (struct sha3_384_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_384_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context. @end deftypefun @subsubsection @acronym{SHA3-512} This is SHA3 with 512-bit output size. Nettle defines SHA3-512 in @file{}. @deftp {Context struct} {struct sha3_512_ctx} @end deftp @defvr Constant SHA3_512_DIGEST_SIZE The size of a SHA3_512 digest, i.e. 64. @end defvr @defvr Constant SHA3_512_BLOCK_SIZE The internal block size of SHA3_512. @end defvr @deftypefun void sha3_512_init (struct sha3_512_ctx *@var{ctx}) Initialize the SHA3-512 state. @end deftypefun @deftypefun void sha3_512_update (struct sha3_512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_512_digest (struct sha3_512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA3_512_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context. @end deftypefun @subsubsection @acronym{SHAKE} @cindex SHAKE In addition to those SHA-3 hash functions, Nettle also supports a SHA-3 extendable-output function (XOF) called SHAKE. Unlike hash functions, SHAKE can produce an output digest of any desired length. There are two variants, SHAKE-128 and SHAKE-256, with different security strengths in terms of collision or preimage resistance: SHAKE-128 internally uses a SHA-3 hash function with 128-bit security, while SHAKE-256 corresponds to SHA3-256 which provides 256-bit security. To use SHAKE, the context struct needs to be initialized with the @code{init} function and data is hashed using the @code{update} function. Afterwards, a digest can be generated using either the @code{shake} or @code{shake_ouput} function, where the former generates the digest at once and resets the context, while the latter can be called multiple times to generate the digest in an incremental manner. For SHAKE-128 they are defined as follows. @deftp {Context struct} {struct sha3_128_ctx} @end deftp @deftypefun void sha3_128_init (struct sha3_128_ctx *@var{ctx}) Initialize the SHA3-256 state. @end deftypefun @deftypefun void sha3_128_update (struct sha3_128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha3_128_shake (struct sha3_128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and produces a SHAKE-128 digest, writing it to @var{digest}. @var{length} can be of arbitrary size. This function also resets the context. @end deftypefun @deftypefun void sha3_128_shake_output (struct sha3_128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and produces a SHAKE-128 digest, writing it to @var{digest}. @var{length} can be of arbitrary size. This function does not reset the context. @end deftypefun For SHAKE-256, the corresponding context struct and the @code{init} and @code{update} functions are the same as SHA3-256. To generate a digest, use either the @code{shake} or @code{shake_output} function. @deftypefun void sha3_256_shake (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and produces a SHAKE-256 digest, writing it to @var{digest}. @var{length} can be of arbitrary size. This function also resets the context. @end deftypefun @deftypefun void sha3_256_shake_output (struct sha3_256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and produces a SHAKE-256 digest, writing it to @var{digest}. @var{length} can be of arbitrary size. This function does not reset the context. @end deftypefun @node Miscellaneous hash functions @subsection Miscellaneous hash functions @subsubsection @acronym{STREEBOG512} STREEBOG512 is a member of the Streebog (GOST R 34.11-2012) family. It outputs hash values of 512 bits, or 64 octets. Nettle defines STREEBOG512 in @file{}. @deftp {Context struct} {struct streebog512_ctx} @end deftp @defvr Constant STREEBOG512_DIGEST_SIZE The size of a STREEBOG512 digest, i.e. 64. @end defvr @defvr Constant STREEBOG512_BLOCK_SIZE The internal block size of STREEBOG512. Useful for some special constructions, in particular HMAC-STREEBOG512. @end defvr @deftypefun void streebog512_init (struct streebog512_ctx *@var{ctx}) Initialize the STREEBOG512 state. @end deftypefun @deftypefun void streebog512_update (struct streebog512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void streebog512_digest (struct streebog512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{STREEBOG512_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{streebog512_init}. @end deftypefun @subsubsection @acronym{STREEBOG256} STREEBOG256 is a variant of STREEBOG512, with a different initial state, and with the output truncated to 256 bits, or 32 octets. Nettle defines STREEBOG256 in @file{}. @deftp {Context struct} {struct streebog256_ctx} @end deftp @defvr Constant STREEBOG256_DIGEST_SIZE The size of a STREEBOG256 digest, i.e. 32. @end defvr @defvr Constant STREEBOG256_BLOCK_SIZE The internal block size of STREEBOG256. Useful for some special constructions, in particular HMAC-STREEBOG256. @end defvr @deftypefun void streebog256_init (struct streebog256_ctx *@var{ctx}) Initialize the STREEBOG256 state. @end deftypefun @deftypefun void streebog256_update (struct streebog256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void streebog256_digest (struct streebog256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{STREEBOG256_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{streebog256_init}. @end deftypefun @subsubsection @acronym{SM3} SM3 is a cryptographic hash function standard adopted by the government of the People's Republic of China, which was issued by the Cryptography Standardization Technical Committee of China on December 17, 2010. The corresponding standard is GM/T 0004-2012 "SM3 Cryptographic Hash Algorithm". SM3 algorithm is a hash algorithm in ShangMi cryptosystems. SM3 is mainly used for digital signature and verification, message authentication code generation and verification, random number generation, and the RFC 8998 specification defines the usage of ShangMi algorithm suite in TLS 1.3, etc. According to the State Cryptography Administration of China, its security and efficiency are equivalent to SHA-256. Nettle defines SM3 in @file{}. @deftp {Context struct} {struct sm3_ctx} @end deftp @defvr Constant SM3_DIGEST_SIZE The size of a SM3 digest, i.e. 32. @end defvr @defvr Constant SM3_BLOCK_SIZE The internal block size of SM3. Useful for some special constructions, in particular HMAC-SM3. @end defvr @deftypefun void sm3_init (struct sm3_ctx *@var{ctx}) Initialize the SM3 state. @end deftypefun @deftypefun void sm3_update (struct sm3_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sm3_digest (struct sm3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SM3_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{sm3_init}. @end deftypefun @node Legacy hash functions @subsection Legacy hash functions The hash functions in this section all have some known weaknesses, and should be avoided for new applications. These hash functions are mainly useful for compatibility with old applications and protocols. Some are still considered safe as building blocks for particular constructions, e.g., there seems to be no known attacks against HMAC-SHA1 or even HMAC-MD5. In some important cases, use of a ``legacy'' hash function does not in itself make the application insecure; if a known weakness is relevant depends on how the hash function is used, and on the threat model. @subsubsection @acronym{MD5} MD5 is a message digest function constructed by Ronald Rivest, and described in @cite{RFC 1321}. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD5 in @file{}. @deftp {Context struct} {struct md5_ctx} @end deftp @defvr Constant MD5_DIGEST_SIZE The size of an MD5 digest, i.e. 16. @end defvr @defvr Constant MD5_BLOCK_SIZE The internal block size of MD5. Useful for some special constructions, in particular HMAC-MD5. @end defvr @deftypefun void md5_init (struct md5_ctx *@var{ctx}) Initialize the MD5 state. @end deftypefun @deftypefun void md5_update (struct md5_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void md5_digest (struct md5_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{MD5_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{md5_init}. @end deftypefun @deftypefun void md5_compress (const uint32_t *@var{state}, uint8_t *@var{input}) Perform a raw MD5 compress on MD5_BLOCK_SIZE bytes from @var{input} using @var{state} as IV (an array of 4 uint32_t). The output is stored in @var{state}. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard MD5). @end deftypefun The normal way to use MD5 is to call the functions in order: First @code{md5_init}, then @code{md5_update} zero or more times, and finally @code{md5_digest}. After @code{md5_digest}, the context is reset to its initial state, so you can start over calling @code{md5_update} to hash new data. To start over, you can call @code{md5_init} at any time. @subsubsection @acronym{MD2} MD2 is another hash function of Ronald Rivest's, described in @cite{RFC 1319}. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD2 in @file{}. @deftp {Context struct} {struct md2_ctx} @end deftp @defvr Constant MD2_DIGEST_SIZE The size of an MD2 digest, i.e. 16. @end defvr @defvr Constant MD2_BLOCK_SIZE The internal block size of MD2. @end defvr @deftypefun void md2_init (struct md2_ctx *@var{ctx}) Initialize the MD2 state. @end deftypefun @deftypefun void md2_update (struct md2_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void md2_digest (struct md2_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{MD2_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{md2_init}. @end deftypefun @subsubsection @acronym{MD4} MD4 is a predecessor of MD5, described in @cite{RFC 1320}. Like MD5, it is constructed by Ronald Rivest. It outputs message digests of 128 bits, or 16 octets. Nettle defines MD4 in @file{}. Use of MD4 is not recommended, but it is sometimes needed for compatibility with existing applications and protocols. @deftp {Context struct} {struct md4_ctx} @end deftp @defvr Constant MD4_DIGEST_SIZE The size of an MD4 digest, i.e. 16. @end defvr @defvr Constant MD4_BLOCK_SIZE The internal block size of MD4. @end defvr @deftypefun void md4_init (struct md4_ctx *@var{ctx}) Initialize the MD4 state. @end deftypefun @deftypefun void md4_update (struct md4_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void md4_digest (struct md4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{MD4_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{md4_init}. @end deftypefun @subsubsection @acronym{RIPEMD160} RIPEMD160 is a hash function designed by Hans Dobbertin, Antoon Bosselaers, and Bart Preneel, as a strengthened version of RIPEMD (which, like MD4 and MD5, fails the collision-resistance requirement). It produces message digests of 160 bits, or 20 octets. Nettle defined RIPEMD160 in @file{nettle/ripemd160.h}. @deftp {Context struct} {struct ripemd160_ctx} @end deftp @defvr Constant RIPEMD160_DIGEST_SIZE The size of a RIPEMD160 digest, i.e. 20. @end defvr @defvr Constant RIPEMD160_BLOCK_SIZE The internal block size of RIPEMD160. @end defvr @deftypefun void ripemd160_init (struct ripemd160_ctx *@var{ctx}) Initialize the RIPEMD160 state. @end deftypefun @deftypefun void ripemd160_update (struct ripemd160_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void ripemd160_digest (struct ripemd160_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{RIPEMD160_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{ripemd160_init}. @end deftypefun @subsubsection @acronym{SHA1} SHA1 is a hash function specified by @dfn{NIST} (The U.S. National Institute for Standards and Technology). It outputs hash values of 160 bits, or 20 octets. Nettle defines SHA1 in @file{} (and in @file{}, for backwards compatibility). @deftp {Context struct} {struct sha1_ctx} @end deftp @defvr Constant SHA1_DIGEST_SIZE The size of a SHA1 digest, i.e. 20. @end defvr @defvr Constant SHA1_BLOCK_SIZE The internal block size of SHA1. Useful for some special constructions, in particular HMAC-SHA1. @end defvr @deftypefun void sha1_init (struct sha1_ctx *@var{ctx}) Initialize the SHA1 state. @end deftypefun @deftypefun void sha1_update (struct sha1_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void sha1_digest (struct sha1_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{SHA1_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{sha1_init}. @end deftypefun @deftypefun void sha1_compress (const uint32_t *@var{state}, uint8_t *@var{input}) Perform a raw SHA1 compress on SHA1_BLOCK_SIZE bytes from @var{input} using @var{state} as IV (an array of 5 uint32_t). The output is stored in @var{state}. This function provides access to the underlying compression function, for the rare applications that need that (e.g., using different IV from standard SHA1). @end deftypefun @subsubsection @acronym{GOSTHASH94 and GOSTHASH94CP} @cindex GOST hash @anchor{GOSTHASH94CP} The GOST94 or GOST R 34.11-94 hash algorithm is a Soviet-era algorithm used in Russian government standards (see @cite{RFC 4357}). It outputs message digests of 256 bits, or 32 octets. The standard itself does not fix the S-box used by the hash algorith, so there are two popular variants (the testing S-box from the standard itself and the S-box defined by CryptoPro company, see RFC 4357). Nettle provides support for the former S-box in the form of GOSTHASH94 hash algorithm and for the latter in the form of GOSTHASH94CP hash algorithm. Nettle defines GOSTHASH94 and GOSTHASH94CP in @file{}. @deftp {Context struct} {struct gosthash94_ctx} @end deftp @defvr Constant GOSTHASH94_DIGEST_SIZE The size of a GOSTHASH94 digest, i.e. 32. @end defvr @defvr Constant GOSTHASH94_BLOCK_SIZE The internal block size of GOSTHASH94, i.e., 32. @end defvr @deftypefun void gosthash94_init (struct gosthash94_ctx *@var{ctx}) Initialize the GOSTHASH94 state. @end deftypefun @deftypefun void gosthash94_update (struct gosthash94_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void gosthash94_digest (struct gosthash94_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{GOSTHASH94_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{gosthash94_init}. @end deftypefun @deftp {Context struct} {struct gosthash94cp_ctx} @end deftp @defvr Constant GOSTHASH94CP_DIGEST_SIZE The size of a GOSTHASH94CP digest, i.e. 32. @end defvr @defvr Constant GOSTHASH94CP_BLOCK_SIZE The internal block size of GOSTHASH94CP, i.e., 32. @end defvr @deftypefun void gosthash94cp_init (struct gosthash94cp_ctx *@var{ctx}) Initialize the GOSTHASH94CP state. @end deftypefun @deftypefun void gosthash94cp_update (struct gosthash94cp_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Hash some more data. @end deftypefun @deftypefun void gosthash94cp_digest (struct gosthash94cp_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Performs final processing and extracts the message digest, writing it to @var{digest}. @var{length} may be smaller than @code{GOSTHASH94CP_DIGEST_SIZE}, in which case only the first @var{length} octets of the digest are written. This function also resets the context in the same way as @code{gosthash94cp_init}. @end deftypefun @node nettle_hash abstraction @subsection The @code{struct nettle_hash} abstraction @cindex nettle_hash Nettle includes a struct including information about the supported hash functions. It is defined in @file{}, and is used by Nettle's implementation of @acronym{HMAC} (@pxref{Keyed hash functions}). @deftp {Meta struct} @code{struct nettle_hash} name context_size digest_size block_size init update digest The last three attributes are function pointers, of types @code{nettle_hash_init_func *}, @code{nettle_hash_update_func *}, and @code{nettle_hash_digest_func *}. The first argument to these functions is @code{void *} pointer to a context struct, which is of size @code{context_size}. @end deftp @deftypevr {Constant Struct} {struct nettle_hash} nettle_md2 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_md4 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_md5 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_ripemd160 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha1 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha224 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha256 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha384 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha512 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sha3_256 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_gosthash94 @deftypevrx {Constant Struct} {struct nettle_hash} nettle_gosthash94cp @deftypevrx {Constant Struct} {struct nettle_hash} nettle_sm3 These are all the hash functions that Nettle implements. @end deftypevr Nettle also exports a list of all these hashes. @deftypefun {const struct nettle_hash **} nettle_get_hashes (void) Returns a NULL-terminated list of pointers to supported hash functions. This list can be used to dynamically enumerate or search the supported algorithms. @end deftypefun @deffn Macro nettle_hashes A macro expanding to a call to nettle_get_hashes, so that one could write, e.g., @code{nettle_hashes[0]->name} for the name of the first hash function on the list. In earlier versions, this was not a macro but the actual array of pointers. However, referring directly to the array makes the array size leak into the ABI in some cases. @end deffn @node Cipher functions @section Cipher functions @cindex Cipher A @dfn{cipher} is a function that takes a message or @dfn{plaintext} and a secret @dfn{key} and transforms it to a @dfn{ciphertext}. Given only the ciphertext, but not the key, it should be hard to find the plaintext. Given matching pairs of plaintext and ciphertext, it should be hard to find the key. @cindex Block Cipher @cindex Stream Cipher There are two main classes of ciphers: Block ciphers and stream ciphers. A block cipher can process data only in fixed size chunks, called @dfn{blocks}. Typical block sizes are 8 or 16 octets. To encrypt arbitrary messages, you usually have to pad it to an integral number of blocks, split it into blocks, and then process each block. The simplest way is to process one block at a time, independent of each other. That mode of operation is called @dfn{ECB}, Electronic Code Book mode. However, using @acronym{ECB} is usually a bad idea. For a start, plaintext blocks that are equal are transformed to ciphertext blocks that are equal; that leaks information about the plaintext. Usually you should apply the cipher is some ``feedback mode'', @dfn{CBC} (Cipher Block Chaining) and @dfn{CTR} (Counter mode) being two of of the most popular. See @xref{Cipher modes}, for information on how to apply @acronym{CBC} and @acronym{CTR} with Nettle. A stream cipher can be used for messages of arbitrary length. A typical stream cipher is a keyed pseudo-random generator. To encrypt a plaintext message of @var{n} octets, you key the generator, generate @var{n} octets of pseudo-random data, and XOR it with the plaintext. To decrypt, regenerate the same stream using the key, XOR it to the ciphertext, and the plaintext is recovered. @strong{Caution:} The first rule for this kind of cipher is the same as for a One Time Pad: @emph{never} ever use the same key twice. A common misconception is that encryption, by itself, implies authentication. Say that you and a friend share a secret key, and you receive an encrypted message. You apply the key, and get a plaintext message that makes sense to you. Can you then be sure that it really was your friend that wrote the message you're reading? The answer is no. For example, if you were using a block cipher in ECB mode, an attacker may pick up the message on its way, and reorder, delete or repeat some of the blocks. Even if the attacker can't decrypt the message, he can change it so that you are not reading the same message as your friend wrote. If you are using a block cipher in @acronym{CBC} mode rather than ECB, or are using a stream cipher, the possibilities for this sort of attack are different, but the attacker can still make predictable changes to the message. It is recommended to @emph{always} use an authentication mechanism in addition to encrypting the messages. Popular choices are Message Authentication Codes like @acronym{HMAC-SHA1} (@pxref{Keyed hash functions}), or digital signatures like @acronym{RSA}. Some ciphers have so called ``weak keys'', keys that results in undesirable structure after the key setup processing, and should be avoided. In Nettle, most key setup functions have no return value, but for ciphers with weak keys, the return value indicates whether or not the given key is weak. For good keys, key setup returns 1, and for weak keys, it returns 0. When possible, avoid algorithms that have weak keys. There are several good ciphers that don't have any weak keys. To encrypt a message, you first initialize a cipher context for encryption or decryption with a particular key. You then use the context to process plaintext or ciphertext messages. The initialization is known as @dfn{key setup}. With Nettle, it is recommended to use each context struct for only one direction, even if some of the ciphers use a single key setup function that can be used for both encryption and decryption. @menu * AES:: * Arcfour:: * Arctwo:: * Blowfish:: * Camellia:: * CAST128:: * ChaCha:: * DES:: * DES3:: * Salsa20:: * Serpent:: * SM4:: * Twofish:: * nettle_cipher abstraction:: @end menu @node AES @subsection AES @cindex AES AES is a block cipher, specified by NIST as a replacement for the older DES standard. The standard is the result of a competition between cipher designers. The winning design, also known as RIJNDAEL, was constructed by Joan Daemen and Vincent Rijnmen. Like all the AES candidates, the winning design uses a block size of 128 bits, or 16 octets, and three possible key-size, 128, 192 and 256 bits (16, 24 and 32 octets) being the allowed key sizes. It does not have any weak keys. Nettle defines AES in @file{}, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, @code{struct aes_ctx}, for all key sizes. This interface kept for backwards compatibility). @deftp {Context struct} {struct aes128_ctx} @deftpx {Context struct} {struct aes192_ctx} @deftpx {Context struct} {struct aes256_ctx} @end deftp @deftp {Context struct} {struct aes_ctx} Alternative struct, for the old AES interface. @end deftp @defvr Constant AES_BLOCK_SIZE The AES block-size, 16. @end defvr @defvr Constant AES128_KEY_SIZE @defvrx Constant AES192_KEY_SIZE @defvrx Constant AES256_KEY_SIZE @defvrx Constant AES_MIN_KEY_SIZE @defvrx Constant AES_MAX_KEY_SIZE @end defvr @defvr Constant AES_KEY_SIZE Default AES key size, 32. @end defvr @deftypefun void aes128_set_encrypt_key (struct aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes128_set_decrypt_key (struct aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes192_set_encrypt_key (struct aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes192_set_decrypt_key (struct aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes256_set_encrypt_key (struct aes256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes256_set_decrypt_key (struct aes256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void aes_set_encrypt_key (struct aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) @deftypefunx void aes_set_decrypt_key (struct aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher, for encryption or decryption, respectively. @end deftypefun @deftypefun void aes128_invert_key (struct aes128_ctx *@var{dst}, const struct aes128_ctx *@var{src}) @deftypefunx void aes192_invert_key (struct aes192_ctx *@var{dst}, const struct aes192_ctx *@var{src}) @deftypefunx void aes256_invert_key (struct aes256_ctx *@var{dst}, const struct aes256_ctx *@var{src}) @deftypefunx void aes_invert_key (struct aes_ctx *@var{dst}, const struct aes_ctx *@var{src}) Given a context @var{src} initialized for encryption, initializes the context struct @var{dst} for decryption, using the same key. If the same context struct is passed for both @code{src} and @code{dst}, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the @emph{same} key, because calling, e.g., @code{aes128_set_encrypt_key} and @code{aes128_invert_key}, is more efficient than calling @code{aes128_set_encrypt_key} and @code{aes128_set_decrypt_key}. @end deftypefun @deftypefun void aes128_encrypt (struct aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes192_encrypt (struct aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes256_encrypt (struct aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes_encrypt (struct aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void aes128_decrypt (struct aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes192_decrypt (struct aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes256_decrypt (struct aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void aes_decrypt (struct aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to the encryption functions above. @end deftypefun @node Arcfour @subsection Arcfour @cindex Arcfour @cindex RC4 ARCFOUR is a historic stream cipher, also known under the trade marked name RC4, and was a widely used fast stream cipher. We do not recommend the use of ARCFOUR; the Nettle implementation is provided primarily for interoperability with existing applications and standards. One problem is that the key setup of ARCFOUR is quite weak, you should never use keys with structure, keys that are ordinary passwords, or sequences of keys like ``secret:1'', ``secret:2'', @enddots{}. If you have keys that don't look like random bit strings, and you want to use ARCFOUR, always hash the key before feeding it to ARCFOUR. Another problem is that the output is distinguishable from random data, and that the initial bytes of the generated key stream leak information about the key; for this reason, it was sometimes recommended to discard the first 512, 768 or 1024 bytes of the key stream. @example /* A more robust key setup function for ARCFOUR */ void arcfour_set_key_hashed(struct arcfour_ctx *ctx, size_t length, const uint8_t *key) @{ struct sha256_ctx hash; uint8_t digest[SHA256_DIGEST_SIZE]; uint8_t buffer[0x200]; sha256_init(&hash); sha256_update(&hash, length, key); sha256_digest(&hash, SHA256_DIGEST_SIZE, digest); arcfour_set_key(ctx, SHA256_DIGEST_SIZE, digest); arcfour_crypt(ctx, sizeof(buffer), buffer, buffer); @} @end example Nettle defines ARCFOUR in @file{}. @deftp {Context struct} {struct arcfour_ctx} @end deftp @defvr Constant ARCFOUR_MIN_KEY_SIZE Minimum key size, 1. @end defvr @defvr Constant ARCFOUR_MAX_KEY_SIZE Maximum key size, 256. @end defvr @defvr Constant ARCFOUR_KEY_SIZE Default ARCFOUR key size, 16. @end defvr @deftypefun void arcfour_set_key (struct arcfour_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void arcfour_crypt (struct arcfour_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypt some data. The same function is used for both encryption and decryption. Unlike the block ciphers, this function modifies the context, so you can split the data into arbitrary chunks and encrypt them one after another. The result is the same as if you had called @code{arcfour_crypt} only once with all the data. @end deftypefun @node Arctwo @subsection Arctwo @cindex Arctwo @cindex RC2 ARCTWO (also known as the trade marked name RC2) is a block cipher specified in RFC 2268. Nettle also include a variation of the ARCTWO set key operation that lack one step, to be compatible with the reverse engineered RC2 cipher description, as described in a Usenet post to @code{sci.crypt} by Peter Gutmann. ARCTWO uses a block size of 64 bits, and variable key-size ranging from 1 to 128 octets. Besides the key, ARCTWO also has a second parameter to key setup, the number of effective key bits, @code{ekb}. This parameter can be used to artificially reduce the key size. In practice, @code{ekb} is usually set equal to the input key size. Nettle defines ARCTWO in @file{}. We do not recommend the use of ARCTWO; the Nettle implementation is provided primarily for interoperability with existing applications and standards. @deftp {Context struct} {struct arctwo_ctx} @end deftp @defvr Constant ARCTWO_BLOCK_SIZE The ARCTWO block-size, 8. @end defvr @defvr Constant ARCTWO_MIN_KEY_SIZE @end defvr @defvr Constant ARCTWO_MAX_KEY_SIZE @end defvr @defvr Constant ARCTWO_KEY_SIZE Default ARCTWO key size, 8. @end defvr @deftypefun void arctwo_set_key_ekb (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}, unsigned @var{ekb}) @deftypefunx void arctwo_set_key (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) @deftypefunx void arctwo_set_key_gutmann (struct arctwo_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. The first function is the most general one, which lets you provide both the variable size key, and the desired effective key size (in bits). The maximum value for @var{ekb} is 1024, and for convenience, @code{ekb = 0} has the same effect as @code{ekb = 1024}. @code{arctwo_set_key(ctx, length, key)} is equivalent to @code{arctwo_set_key_ekb(ctx, length, key, 8*length)}, and @code{arctwo_set_key_gutmann(ctx, length, key)} is equivalent to @code{arctwo_set_key_ekb(ctx, length, key, 1024)} @end deftypefun @deftypefun void arctwo_encrypt (struct arctwo_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void arctwo_decrypt (struct arctwo_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{arctwo_encrypt} @end deftypefun @node Blowfish @subsection Blowfish @cindex Blowfish BLOWFISH is a block cipher designed by Bruce Schneier. It uses a block size of 64 bits (8 octets), and a variable key size, up to 448 bits. It has some weak keys. Nettle defines BLOWFISH in @file{}. @deftp {Context struct} {struct blowfish_ctx} @end deftp @defvr Constant BLOWFISH_BLOCK_SIZE The BLOWFISH block-size, 8. @end defvr @defvr Constant BLOWFISH_MIN_KEY_SIZE Minimum BLOWFISH key size, 8. @end defvr @defvr Constant BLOWFISH_MAX_KEY_SIZE Maximum BLOWFISH key size, 56. @end defvr @defvr Constant BLOWFISH_KEY_SIZE Default BLOWFISH key size, 16. @end defvr @deftypefun int blowfish_set_key (struct blowfish_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. @code{blowfish_encrypt} or @code{blowfish_decrypt} with a weak key will crash with an assert violation. @end deftypefun @deftypefun void blowfish_encrypt (struct blowfish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void blowfish_decrypt (struct blowfish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{blowfish_encrypt} @end deftypefun @deftypefun int blowfish_bcrypt_hash (char *@var{dst}, size_t @var{lenkey}, const char *@var{key}, size_t @var{lenscheme}, const char *@var{scheme}, int @var{log2rounds}, const uint8_t *@var{salt}) Compute the bcrypt password hash. The function will return @code{0} if the hash cannot be computed due to invalid input. The function will return @code{1} and store the computed hash in the array pointed to by @var{dst}. The hash is computed based on the chosen @var{scheme}, number of rounds @var{log2rounds} and specified @var{salt}. @var{dst} must point to a character array of at least @code{BLOWFISH_BCRYPT_HASH_SIZE} bytes. @var{key} contains the plaintext password string of size @var{lenkey}. @var{scheme} is of size @var{lenscheme} and contains either just the chosen scheme (valid schemes are: @code{2a}, @code{2b}, @code{2x} or @code{2y}), or (the prefix of) an existing hashed password (typically @code{$2b$10$...}). @var{log2rounds} contains the log2 of the number of encryption rounds that must be used to compute the hash. If it is @code{-1} the value will be extracted from @var{scheme}. @var{salt} should point to an array of @code{BLOWFISH_BCRYPT_BINSALT_SIZE} random bytes to be used to perturb the hash computation. If it is @code{NULL} the salt will be extracted from @var{scheme}. Sample code to generate a bcrypt hash: @example char password[] = "ExamplePassword"; char scheme[] = "2b"; uint8_t salt[BLOWFISH_BCRYPT_BINSALT_SIZE]; @dots{} /* Make sure that salt is filled with random bytes */ @dots{} char hash[BLOWFISH_BCRYPT_HASH_SIZE]; int result = blowfish_bcrypt(hash, sizeof(password) - 1, password, sizeof(scheme) - 1, scheme, 10, salt); if (result) printf("%s\n", hash); @end example @end deftypefun @deftypefun int blowfish_bcrypt_verify (size_t @var{lenkey}, const char *@var{key}, size_t @var{lenhashed}, const char *@var{hashed}) Verifies the bcrypt password hash against the supplied plaintext password. The function will return @code{0} if the password does not match. The function will return @code{1} if the password matches. @var{key} contains the plaintext password string of size @var{lenkey}. @var{hashed} contains the hashed string of size @var{lenhashed} to compare with. Sample code to verify a bcrypt hash: @example char password[] = "ExamplePassword"; char hash[] = "$2y$" /* Hash algorithm version */ "10" /* 2^10 hash rounds (strength) */ "$" /* separator */ "1b2lPgo4XumibnJGN3r3sO" /* base64 encoded 16-byte salt */ "u7wE7xNfYDKlAxZffJDCJdVfFTAyevu"; /* Hashedpart */ if (blowfish_bcrypt_verify(sizeof(password) - 1, password, sizeof(hash) - 1, hash)) printf("Password is correct."); else printf("Password is incorrect."); @end example @end deftypefun @node Camellia @subsection Camellia @cindex Camellia Camellia is a block cipher developed by Mitsubishi and Nippon Telegraph and Telephone Corporation, described in @cite{RFC3713}. It is recommended by some Japanese and European authorities as an alternative to AES, and it is one of the selected algorithms in the New European Schemes for Signatures, Integrity and Encryption (NESSIE) project. The algorithm is patented. The implementation in Nettle is derived from the implementation released by NTT under the GNU LGPL (v2.1 or later), and relies on the implicit patent license of the LGPL. There is also a statement of royalty-free licensing for Camellia at @url{https://www.ntt.co.jp/news/news01e/0104/010417.html}, but this statement has some limitations which seem problematic for free software. Camellia uses a the same block size and key sizes as AES: The block size is 128 bits (16 octets), and the supported key sizes are 128, 192, and 256 bits. The variants with 192 and 256 bit keys are identical, except for the key setup. Nettle defines Camellia in @file{}, and there is one context struct for each key size. (Earlier versions of Nettle used a single context struct, @code{struct camellia_ctx}, for all key sizes. This interface kept for backwards compatibility). @deftp {Context struct} {struct camellia128_ctx} @deftpx {Context struct} {struct camellia192_ctx} @deftpx {Context struct} {struct camellia256_ctx} Contexts structs. Actually, @code{camellia192_ctx} is an alias for @code{camellia256_ctx}. @end deftp @deftp {Context struct} {struct camellia_ctx} Alternative struct, for the old Camellia interface. @end deftp @defvr Constant CAMELLIA_BLOCK_SIZE The CAMELLIA block-size, 16. @end defvr @defvr Constant CAMELLIA128_KEY_SIZE @defvrx Constant CAMELLIA192_KEY_SIZE @defvrx Constant CAMELLIA256_KEY_SIZE @defvrx Constant CAMELLIA_MIN_KEY_SIZE @defvrx Constant CAMELLIA_MAX_KEY_SIZE @end defvr @defvr Constant CAMELLIA_KEY_SIZE Default CAMELLIA key size, 32. @end defvr @deftypefun void camellia128_set_encrypt_key (struct camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia128_set_decrypt_key (struct camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia192_set_encrypt_key (struct camellia192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia192_set_decrypt_key (struct camellia192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia256_set_encrypt_key (struct camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia256_set_decrypt_key (struct camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void camellia_set_encrypt_key (struct camellia_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) @deftypefunx void camellia_set_decrypt_key (struct camellia_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher, for encryption or decryption, respectively. @end deftypefun @deftypefun void camellia128_invert_key (struct camellia128_ctx *@var{dst}, const struct camellia128_ctx *@var{src}) @deftypefunx void camellia192_invert_key (struct camellia192_ctx *@var{dst}, const struct camellia192_ctx *@var{src}) @deftypefunx void camellia256_invert_key (struct camellia256_ctx *@var{dst}, const struct camellia256_ctx *@var{src}) @deftypefunx void camellia_invert_key (struct camellia_ctx *@var{dst}, const struct camellia_ctx *@var{src}) Given a context @var{src} initialized for encryption, initializes the context struct @var{dst} for decryption, using the same key. If the same context struct is passed for both @code{src} and @code{dst}, it is converted in place. These functions are mainly useful for applications which needs to both encrypt and decrypt using the @emph{same} key. @end deftypefun @deftypefun void camellia128_crypt (struct camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void camellia192_crypt (struct camellia192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void camellia256_crypt (struct camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void camellia_crypt (struct camellia_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) The same function is used for both encryption and decryption. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @node CAST128 @subsection CAST128 @cindex CAST CAST-128 is a block cipher, specified in @cite{RFC 2144}. It uses a 64 bit (8 octets) block size, and a key size of 128 bits. It is possible, but discouraged, to use the same algorithm with shorter keys. Nettle refers to the variant with variable key size as CAST-5. Keys for CAST-5 are zero padded to 128 bits, and with very short keys, less than 80 bits, encryption also uses fewer rounds than CAST128. Nettle defines cast128 in @file{}. @deftp {Context struct} {struct cast128_ctx} @end deftp @defvr Constant CAST128_BLOCK_SIZE The CAST128 block-size, 8. @end defvr @defvr Constant CAST128_KEY_SIZE The CAST128 key size, 16. @end defvr @defvr Constant CAST5_MIN_KEY_SIZE Minimum CAST5 key size, 5. @end defvr @defvr Constant CAST5_MAX_KEY_SIZE Maximum CAST5 key size, 16. With 16 octets key (128 bits), CAST-5 is the same as CAST-128. @end defvr @deftypefun void cast128_set_key (struct cast128_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void cast128_encrypt (struct cast128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void cast128_decrypt (struct cast128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{cast128_encrypt} @end deftypefun @deftypefun void cast5_set_key (struct cast128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. This variant of the key setup takes the key size as argument. The same function is used for both encryption and decryption. @end deftypefun @node ChaCha @subsection ChaCha @cindex ChaCha ChaCha is a variant of the stream cipher Salsa20 (@pxref{Salsa20}), below, also designed by D. J. Bernstein. Nettle defines ChaCha in @file{}. @deftp {Context struct} {struct chacha_ctx} @end deftp @defvr Constant CHACHA_KEY_SIZE ChaCha key size, 32. @end defvr @defvr Constant CHACHA_BLOCK_SIZE ChaCha block size, 64. @end defvr @defvr Constant CHACHA_NONCE_SIZE Size of the nonce, 8. @end defvr @defvr Constant CHACHA_COUNTER_SIZE Size of the counter, 8. @end defvr @deftypefun void chacha_set_key (struct chacha_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Before using the cipher, you @emph{must} also call @code{chacha_set_nonce}, see below. @end deftypefun @deftypefun void chacha_set_nonce (struct chacha_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. It is always of size @code{CHACHA_NONCE_SIZE}, 8 octets. This function also initializes the block counter, setting it to zero. @end deftypefun @deftypefun void chacha_set_counter (struct chacha_ctx *@var{ctx}, const uint8_t *@var{counter}) Sets the block counter. It is always of size @code{CHACHA_COUNTER_SIZE}, 8 octets. This is rarely needed since @code{chacha_set_nonce} initializes the block counter to zero. When it is still necessary, this function must be called after @code{chacha_set_nonce}. @end deftypefun @deftypefun void chacha_crypt (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using ChaCha. When a message is encrypted using a sequence of calls to @code{chacha_crypt}, all but the last call @emph{must} use a length that is a multiple of @code{CHACHA_BLOCK_SIZE}. @end deftypefun @subsubsection 32-bit counter variant While the original paper uses 64-bit counter value, the variant defined in @cite{RFC 8439} uses 32-bit counter value. This variant is particularly useful for @pxref{ChaCha-Poly1305} AEAD construction, which supports 12-octet nonces. @defvr Constant CHACHA_NONCE96_SIZE Size of the nonce, 12. @end defvr @defvr Constant CHACHA_COUNTER32_SIZE Size of the counter, 4. @end defvr @deftypefun void chacha_set_nonce96 (struct chacha_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. This is similar to the above @code{chacha_set_nonce}, but the input is always of size @code{CHACHA_NONCE96_SIZE}, 12 octets. @end deftypefun @deftypefun void chacha_set_counter32 (struct chacha_ctx *@var{ctx}, const uint8_t *@var{counter}) Sets the block counter. This is similar to the above @code{chacha_set_counter}, but the input is always of size @code{CHACHA_COUNTER32_SIZE}, 4 octets. @end deftypefun @deftypefun void chacha_crypt32 (struct chacha_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using ChaCha. This is similar to the above @code{chacha_crypt}, but it assumes the internal counter value is 32-bit long and the nonce is 96-bit long. @end deftypefun @node DES @subsection DES @cindex DES DES is the old Data Encryption Standard, specified by NIST. It uses a block size of 64 bits (8 octets), and a key size of 56 bits. However, the key bits are distributed over 8 octets, where the least significant bit of each octet may be used for parity. A common way to use DES is to generate 8 random octets in some way, then set the least significant bit of each octet to get odd parity, and initialize DES with the resulting key. The key size of DES is so small that keys can be found by brute force, using specialized hardware or lots of ordinary work stations in parallel. One shouldn't be using plain DES at all today, if one uses DES at all one should be using ``triple DES'', see DES3 below. DES also has some weak keys. Nettle defines DES in @file{}. @deftp {Context struct} {struct des_ctx} @end deftp @defvr Constant DES_BLOCK_SIZE The DES block-size, 8. @end defvr @defvr Constant DES_KEY_SIZE DES key size, 8. @end defvr @deftypefun int des_set_key (struct des_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 for good keys and 0 for weak keys. Applications that don't care about weak keys can ignore the return value. @end deftypefun @deftypefun void des_encrypt (struct des_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void des_decrypt (struct des_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{des_encrypt} @end deftypefun @deftypefun int des_check_parity (size_t @var{length}, const uint8_t *@var{key}) Checks that the given key has correct, odd, parity. Returns 1 for correct parity, and 0 for bad parity. @end deftypefun @deftypefun void des_fix_parity (size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Adjusts the parity bits to match DES's requirements. You need this function if you have created a random-looking string by a key agreement protocol, and want to use it as a DES key. @var{dst} and @var{src} may be equal. @end deftypefun @node DES3 @subsection DES3 @cindex DES3 @cindex 3DES @cindex Triple-DES The inadequate key size of DES has already been mentioned. One way to increase the key size is to pipe together several DES boxes with independent keys. It turns out that using two DES ciphers is not as secure as one might think, even if the key size of the combination is a respectable 112 bits. The standard way to increase DES's key size is to use three DES boxes. The mode of operation is a little peculiar: the middle DES box is wired in the reverse direction. To encrypt a block with DES3, you encrypt it using the first 56 bits of the key, then @emph{decrypt} it using the middle 56 bits of the key, and finally encrypt it again using the last 56 bits of the key. This is known as ``ede'' triple-DES, for ``encrypt-decrypt-encrypt''. The ``ede'' construction provides some backward compatibility, as you get plain single DES simply by feeding the same key to all three boxes. That should help keeping down the gate count, and the price, of hardware circuits implementing both plain DES and DES3. DES3 has a key size of 168 bits, but just like plain DES, useless parity bits are inserted, so that keys are represented as 24 octets (192 bits). As a 112 bit key is large enough to make brute force attacks impractical, some applications uses a ``two-key'' variant of triple-DES. In this mode, the same key bits are used for the first and the last DES box in the pipe, while the middle box is keyed independently. The two-key variant is believed to be secure, i.e. there are no known attacks significantly better than brute force. Naturally, it's simple to implement triple-DES on top of Nettle's DES functions. Nettle includes an implementation of three-key ``ede'' triple-DES, it is defined in the same place as plain DES, @file{}. @deftp {Context struct} {struct des3_ctx} @end deftp @defvr Constant DES3_BLOCK_SIZE The DES3 block-size is the same as DES_BLOCK_SIZE, 8. @end defvr @defvr Constant DES3_KEY_SIZE DES key size, 24. @end defvr @deftypefun int des3_set_key (struct des3_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. Parity bits are ignored. Checks for weak keys, returning 1 if all three keys are good keys, and 0 if one or more key is weak. Applications that don't care about weak keys can ignore the return value. @end deftypefun For random-looking strings, you can use @code{des_fix_parity} to adjust the parity bits before calling @code{des3_set_key}. @deftypefun void des3_encrypt (struct des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void des3_decrypt (struct des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{des_encrypt} @end deftypefun @node Salsa20 @subsection Salsa20 @cindex Salsa20 Salsa20 is a fairly recent stream cipher designed by D. J. Bernstein. It is built on the observation that a cryptographic hash function can be used for encryption: Form the hash input from the secret key and a counter, xor the hash output and the first block of the plaintext, then increment the counter to process the next block (similar to CTR mode, @pxref{CTR}). Bernstein defined an encryption algorithm, Snuffle, in this way to ridicule United States export restrictions which treated hash functions as nice and harmless, but ciphers as dangerous munitions. Salsa20 uses the same idea, but with a new specialized hash function to mix key, block counter, and a couple of constants. It's also designed for speed; on x86_64, it is currently the fastest cipher offered by nettle. It uses a block size of 512 bits (64 octets) and there are two specified key sizes, 128 and 256 bits (16 and 32 octets). @strong{Caution:} The hash function used in Salsa20 is @emph{not} directly applicable for use as a general hash function. It's @emph{not} collision resistant if arbitrary inputs are allowed, and furthermore, the input and output is of fixed size. When using Salsa20 to process a message, one specifies both a key and a @dfn{nonce}, the latter playing a similar rôle to the initialization vector (@acronym{IV}) used with @acronym{CBC} or @acronym{CTR} mode. One can use the same key for several messages, provided one uses a unique random @acronym{iv} for each message. The @acronym{iv} is 64 bits (8 octets). The block counter is initialized to zero for each message, and is also 64 bits (8 octets). Nettle defines Salsa20 in @file{}. @deftp {Context struct} {struct salsa20_ctx} @end deftp @defvr Constant SALSA20_128_KEY_SIZE @defvrx Constant SALSA20_256_KEY_SIZE The two supported key sizes, 16 and 32 octets. @end defvr @defvr Constant SALSA20_KEY_SIZE Recommended key size, 32. @end defvr @defvr Constant SALSA20_BLOCK_SIZE Salsa20 block size, 64. @end defvr @defvr Constant SALSA20_NONCE_SIZE Size of the nonce, 8. @end defvr @deftypefun void salsa20_128_set_key (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void salsa20_256_set_key (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void salsa20_set_key (struct salsa20_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @code{salsa20_128_set_key} and @code{salsa20_128_set_key} use a fix key size each, 16 and 32 octets, respectively. The function @code{salsa20_set_key} is provided for backwards compatibility, and the @var{length} argument must be either 16 or 32. Before using the cipher, you @emph{must} also call @code{salsa20_set_nonce}, see below. @end deftypefun @deftypefun void salsa20_set_nonce (struct salsa20_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. It is always of size @code{SALSA20_NONCE_SIZE}, 8 octets. This function also initializes the block counter, setting it to zero. @end deftypefun @deftypefun void salsa20_crypt (struct salsa20_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using salsa20. When a message is encrypted using a sequence of calls to @code{salsa20_crypt}, all but the last call @emph{must} use a length that is a multiple of @code{SALSA20_BLOCK_SIZE}. @end deftypefun The full salsa20 cipher uses 20 rounds of mixing. Variants of Salsa20 with fewer rounds are possible, and the 12-round variant is specified by eSTREAM, see @url{https://www.ecrypt.eu.org/stream/finallist.html}. Nettle calls this variant @code{salsa20r12}. It uses the same context struct and key setup as the full salsa20 cipher, but a separate function for encryption and decryption. @deftypefun void salsa20r12_crypt (struct salsa20_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message, using salsa20 reduced to 12 rounds. @end deftypefun @node Serpent @subsection Serpent @cindex Serpent SERPENT is one of the AES finalists, designed by Ross Anderson, Eli Biham and Lars Knudsen. Thus, the interface and properties are similar to AES'. One peculiarity is that it is quite pointless to use it with anything but the maximum key size, smaller keys are just padded to larger ones. Nettle defines SERPENT in @file{}. @deftp {Context struct} {struct serpent_ctx} @end deftp @defvr Constant SERPENT_BLOCK_SIZE The SERPENT block-size, 16. @end defvr @defvr Constant SERPENT_MIN_KEY_SIZE Minimum SERPENT key size, 16. @end defvr @defvr Constant SERPENT_MAX_KEY_SIZE Maximum SERPENT key size, 32. @end defvr @defvr Constant SERPENT_KEY_SIZE Default SERPENT key size, 32. @end defvr @deftypefun void serpent_set_key (struct serpent_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void serpent_encrypt (struct serpent_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void serpent_decrypt (struct serpent_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{serpent_encrypt} @end deftypefun @node SM4 @subsection SM4 @cindex SM4 SM4 is a block cipher standard adopted by the government of the People's Republic of China, and it was issued by the State Cryptography Administration on March 21, 2012. The standard is GM/T 0002-2012 "SM4 block cipher algorithm". Nettle defines it in @file{}. @deftp {Context struct} {struct sm4_ctx} @end deftp @defvr Constant SM4_BLOCK_SIZE The SM4 block-size, 16. @end defvr @defvr Constant SM4_KEY_SIZE Default SM4 key size, 16. @end defvr @deftypefun void sm4_set_encrypt_key (struct sm4_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The function is used for encryption. @end deftypefun @deftypefun void sm4_set_decrypt_key (struct sm4_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the cipher. The function is used for decryption. @end deftypefun @deftypefun void sm4_crypt (const struct sm4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Cryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. The same function is used for both encryption and decryption. @end deftypefun @node Twofish @subsection Twofish @cindex Twofish Another AES finalist, this one designed by Bruce Schneier and others. Nettle defines it in @file{}. @deftp {Context struct} {struct twofish_ctx} @end deftp @defvr Constant TWOFISH_BLOCK_SIZE The TWOFISH block-size, 16. @end defvr @defvr Constant TWOFISH_MIN_KEY_SIZE Minimum TWOFISH key size, 16. @end defvr @defvr Constant TWOFISH_MAX_KEY_SIZE Maximum TWOFISH key size, 32. @end defvr @defvr Constant TWOFISH_KEY_SIZE Default TWOFISH key size, 32. @end defvr @deftypefun void twofish_set_key (struct twofish_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Initialize the cipher. The same function is used for both encryption and decryption. @end deftypefun @deftypefun void twofish_encrypt (struct twofish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encryption function. @var{length} must be an integral multiple of the block size. If it is more than one block, the data is processed in ECB mode. @code{src} and @code{dst} may be equal, but they must not overlap in any other way. @end deftypefun @deftypefun void twofish_decrypt (struct twofish_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Analogous to @code{twofish_encrypt} @end deftypefun @node nettle_cipher abstraction @subsection The @code{struct nettle_cipher} abstraction @cindex nettle_cipher Nettle includes a struct including information about some of the more regular cipher functions. It can be useful for applications that need a simple way to handle various algorithms. Nettle defines these structs in @file{}. @deftp {Meta struct} @code{struct nettle_cipher} name context_size block_size key_size set_encrypt_key set_decrypt_key encrypt decrypt The last four attributes are function pointers, of types @code{nettle_set_key_func *} and @code{nettle_cipher_func *}. The first argument to these functions is a @code{const void *} pointer to a context struct, which is of size @code{context_size}. @end deftp @deftypevr {Constant Struct} {struct nettle_cipher} nettle_aes128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_aes192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_aes256 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo40 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo64 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arctwo_gutmann128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_arcfour128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_camellia128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_camellia192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_camellia256 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_cast128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_serpent128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_serpent192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_serpent256 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_twofish128 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_twofish192 @deftypevrx {Constant Struct} {struct nettle_cipher} nettle_twofish256 Nettle includes such structs for all the @emph{regular} ciphers, i.e. ones without weak keys or other oddities. @end deftypevr Nettle also exports a list of all these ciphers without weak keys or other oddities. @deftypefun {const struct nettle_cipher **} nettle_get_ciphers (void) Returns a NULL-terminated list of pointers to supported block ciphers. This list can be used to dynamically enumerate or search the supported algorithms. @end deftypefun @deffn Macro nettle_ciphers A macro expanding to a call to nettle_get_ciphers. In earlier versions, this was not a macro but the actual array of pointers. @end deffn @node Cipher modes @section Cipher modes Cipher modes of operation specifies the procedure to use when encrypting a message that is larger than the cipher's block size. As explained in @xref{Cipher functions}, splitting the message into blocks and processing them independently with the block cipher (Electronic Code Book mode, @acronym{ECB}), leaks information. Besides @acronym{ECB}, Nettle provides several other modes of operation: Cipher Block Chaining (@acronym{CBC}), Counter mode (@acronym{CTR}), Cipher Feedback (@acronym{CFB} and @acronym{CFB8}), XEX-based tweaked-codebook mode with ciphertext stealing (@acronym{XTS}) and a couple of @acronym{AEAD} modes (@pxref{Authenticated encryption}). @acronym{CBC} is widely used, but there are a few subtle issues of information leakage, see, e.g., @url{https://www.kb.cert.org/vuls/id/958563, @acronym{SSH} @acronym{CBC} vulnerability}. Today, @acronym{CTR} is usually preferred over @acronym{CBC}. Modes like @acronym{CBC}, @acronym{CTR}, @acronym{CFB} and @acronym{CFB8} provide @emph{no} message authentication, and should always be used together with a @acronym{MAC} (@pxref{Keyed hash functions}) or signature to authenticate the message. @menu * CBC:: * CTR:: * CFB and CFB8:: * XTS:: @end menu @node CBC @subsection Cipher Block Chaining @cindex Cipher Block Chaining @cindex CBC Mode When using @acronym{CBC} mode, plaintext blocks are not encrypted independently of each other, like in Electronic Cook Book mode. Instead, when encrypting a block in @acronym{CBC} mode, the previous ciphertext block is XORed with the plaintext before it is fed to the block cipher. When encrypting the first block, a random block called an @dfn{IV}, or Initialization Vector, is used as the ``previous ciphertext block''. The IV should be chosen randomly, but it need not be kept secret, and can even be transmitted in the clear together with the encrypted data. In symbols, if @code{E_k} is the encryption function of a block cipher, and @code{IV} is the initialization vector, then @code{n} plaintext blocks @code{M_1},@dots{} @code{M_n} are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows: @example C_1 = E_k(IV XOR M_1) C_2 = E_k(C_1 XOR M_2) @dots{} C_n = E_k(C_(n-1) XOR M_n) @end example Nettle provides two main functions for applying a block cipher in Cipher Block Chaining (@acronym{CBC}) mode, one for encryption and one for decryption. These functions uses @code{const void *} to pass cipher contexts around. The @acronym{CBC} interface is defined in @file{}. @deftypefun {void} cbc_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cbc_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption or decryption function @var{f} in @acronym{CBC} mode. The final ciphertext block processed is copied into @var{iv} before returning, so that a large message can be processed by a sequence of calls to @code{cbc_encrypt}. The function @var{f} is of type @code{void @var{f} (const void *@var{ctx}, size_t @var{length}, uint8_t @var{dst}, const uint8_t *@var{src})}, @noindent and the @code{cbc_encrypt} and @code{cbc_decrypt} functions pass their argument @var{ctx} on to @var{f}. @end deftypefun @subsubsection Utility macros There are also some macros to help use these functions correctly. @deffn Macro CBC_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t iv[block_size]; @} @end example @end deffn It can be used to define a @acronym{CBC} context struct, either directly, @example struct CBC_CTX(struct aes_ctx, AES_BLOCK_SIZE) ctx; @end example or to give it a struct tag, @example struct aes_cbc_ctx CBC_CTX (struct aes_ctx, AES_BLOCK_SIZE); @end example @deffn Macro CBC_SET_IV (@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CBC_CTX}, and the second is a pointer to an Initialization Vector (IV) that is copied into that context. @end deffn @deffn Macro CBC_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) @deffnx Macro CBC_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cbc_encrypt} and @code{cbc_decrypt}. The first argument is a pointer to a context struct as defined by @code{CBC_CTX}, and the second argument is an encryption or decryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn These macros use some tricks to make the compiler display a warning if the types of @var{f} and @var{ctx} don't match, e.g. if you try to use an @code{struct aes_ctx} context with the @code{des_encrypt} function. @subsubsection Cipher-specific functions Encryption in @acronym{CBC} mode (but not decryption!) is inherently serial. It can pass only one block at a time to the block cipher's encrypt function. Optimizations to process several blocks in parallel can't be applied, and on platforms where the underlying cipher is fast, per-function-call overhead, e.g., loading subkeys from memory into registers, can be significant. Depending on platform and cipher used, @code{cbc_encrypt} can be considerably slower than both @code{cbc_decrypt} and @acronym{CTR} mode. The second reason for poor performance can be addressed by having a combined @acronym{CBC} and encrypt function, for ciphers where the overhead is significant. Nettle currently includes such special functions only for AES. @deftypefun void cbc_aes128_encrypt (const struct aes128_ctx *@var{ctx}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void cbc_aes192_encrypt (const struct aes192_ctx *@var{ctx}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void cbc_aes256_encrypt (const struct aes256_ctx *@var{ctx}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Calling @code{cbc_aes128_encrypt(ctx, iv, length, dst, src)} does the same thing as calling @code{cbc_encrypt(ctx, aes128_encrypt, AES_BLOCK_SIZE, iv, length, dst, src)}, but is more efficient on certain platforms. @end deftypefun @node CTR @subsection Counter mode @cindex Counter Mode @cindex CTR Mode Counter mode (@acronym{CTR}) uses the block cipher as a keyed pseudo-random generator. The output of the generator is XORed with the data to be encrypted. It can be understood as a way to transform a block cipher to a stream cipher. The message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. If @code{E_k} is the encryption function of a block cipher, @code{IC} is the initial counter, then the @code{n} plaintext blocks are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows: @example C_1 = E_k(IC) XOR M_1 C_2 = E_k(IC + 1) XOR M_2 @dots{} C_(n-1) = E_k(IC + n - 2) XOR M_(n-1) C_n = E_k(IC + n - 1) [1..m] XOR M_n @end example The @acronym{IC} is the initial value for the counter, it plays a similar rôle as the @acronym{IV} for @acronym{CBC}. When adding, @code{IC + x}, @acronym{IC} is interpreted as an integer, in network byte order. For the last block, @code{E_k(IC + n - 1) [1..m]} means that the cipher output is truncated to @code{m} bytes. @deftypefun {void} ctr_crypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{ctr}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption function @var{f} in @acronym{CTR} mode. Note that for @acronym{CTR} mode, encryption and decryption is the same operation, and hence @var{f} should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to @code{ctr_crypt}, all but the last call @emph{must} use a length that is a multiple of the block size. @end deftypefun Like for @acronym{CBC}, there are also a couple of helper macros. @deffn Macro CTR_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t ctr[block_size]; @} @end example @end deffn @deffn Macro CTR_SET_COUNTER (@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CTR_CTX}, and the second is a pointer to an initial counter that is copied into that context. @end deffn @deffn Macro CTR_CRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{ctr_crypt}. The first argument is a pointer to a context struct as defined by @code{CTR_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @node CFB and CFB8 @subsection Cipher Feedback mode @cindex Cipher Feedback Mode @cindex Cipher Feedback 8-bit Mode @cindex CFB Modes @cindex CFB8 Mode Cipher Feedback mode (@acronym{CFB}) and Cipher Feedback 8-bit mode (@acronym{CFB8}) being close relatives to both @acronym{CBC} mode and @acronym{CTR} mode borrow some characteristics from stream ciphers. For CFB the message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. Except for the last block, all the message blocks must be of size equal to the cipher's block size. If @code{E_k} is the encryption function of a block cipher, @code{IV} is the initialization vector, then the @code{n} plaintext blocks are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows: @example C_1 = E_k(IV) XOR M_1 C_2 = E_k(C_1) XOR M_2 @dots{} C_(n-1) = E_k(C_(n - 2)) XOR M_(n-1) C_n = E_k(C_(n - 1)) [1..m] XOR M_n @end example Cipher Feedback 8-bit mode (@acronym{CFB8}) transforms block cipher into a stream cipher. The message is encrypted byte after byte, not requiring any padding. If @code{E_k} is the encryption function of a block cipher, @code{b} is @code{E_k} block size, @code{IV} is the initialization vector, then the @code{n} plaintext bytes are transformed into @code{n} ciphertext bytes @code{C_1},@dots{} @code{C_n} as follows: @example I_1 = IV C_1 = E_k(I_1) [1..8] XOR M_1 I_2 = I_1 [9..b] << 8 | C_1 C_2 = E_k(I_2) [1..8] XOR M_2 @dots{} I_(n-1) = I_(n-2) [9..b] << 8 | C_(n-2) C_(n-1) = E_k(I_(n-1)) [1..8] XOR M_(n-1) I_n = I_(n-1) [9..b] << 8 | C_(n-1) C_n = E_k(I_n) [1..8] XOR M_n @end example Nettle's includes functions for applying a block cipher in Cipher Feedback (@acronym{CFB}) and Cipher Feedback 8-bit (@acronym{CFB8}) modes. These functions uses @code{void *} to pass cipher contexts around. @deftypefun {void} cfb_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cfb_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption or decryption function @var{f} in @acronym{CFB} mode. The final ciphertext block processed is copied into @var{iv} before returning, so that a large message can be processed by a sequence of calls to @code{cfb_encrypt}. Note that for @acronym{CFB} mode internally uses encryption only function and hence @var{f} should always be the encryption function for the underlying block cipher. When a message is encrypted using a sequence of calls to @code{cfb_encrypt}, all but the last call @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun {void} cfb8_encrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx {void} cfb8_decrypt (const void *@var{ctx}, nettle_cipher_func *@var{f}, size_t @var{block_size}, uint8_t *@var{iv}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption or decryption function @var{f} in @acronym{CFB8} mode. The final IV block processed is copied into @var{iv} before returning, so that a large message can be processed by a sequence of calls to @code{cfb8_encrypt}. Note that for @acronym{CFB8} mode internally uses encryption only function and hence @var{f} should always be the encryption function for the underlying block cipher. @end deftypefun Like for @acronym{CBC}, there are also a couple of helper macros. @deffn Macro CFB_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t iv[block_size]; @} @end example @end deffn @deffn Macro CFB_SET_IV(@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CFB_CTX}, and the second is a pointer to an initialization vector that is copied into that context. @end deffn @deffn Macro CFB_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb_encrypt}. The first argument is a pointer to a context struct as defined by @code{CFB_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @deffn Macro CFB_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb_decrypt}. The first argument is a pointer to a context struct as defined by @code{CFB_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @deffn Macro CFB8_CTX (@var{context_type}, @var{block_size}) Expands to @example @{ context_type ctx; uint8_t iv[block_size]; @} @end example @end deffn @deffn Macro CFB8_SET_IV (@var{ctx}, @var{iv}) First argument is a pointer to a context struct as defined by @code{CFB8_CTX}, and the second is a pointer to an initialization vector that is copied into that context. @end deffn @deffn Macro CFB8_ENCRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb8_encrypt}. The first argument is a pointer to a context struct as defined by @code{CFB8_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @deffn Macro CFB8_DECRYPT (@var{ctx}, @var{f}, @var{length}, @var{dst}, @var{src}) A simpler way to invoke @code{cfb8_decrypt}. The first argument is a pointer to a context struct as defined by @code{CFB8_CTX}, and the second argument is an encryption function following Nettle's conventions. The last three arguments define the source and destination area for the operation. @end deffn @node XTS @subsection XEX-based tweaked-codebook mode with ciphertext stealing @cindex XEX-based tweaked-codebook mode with ciphertext stealing @cindex XTS Mode XEX-based tweaked-codebook mode with ciphertext stealing (@acronym{XTS}) is a block mode like (@acronym{CBC}) but tweaked to be able to encrypt partial blocks via a technique called ciphertext stealing, where the last complete block of ciphertext is split and part returned as the last block and part used as plaintext for the second to last block. This mode is principally used to encrypt data at rest where it is not possible to store additional metadata or blocks larger than the plain text. The most common usage is for disk encryption. Due to the fact that ciphertext expansion is not possible, data is not authenticated. This mode should not be used where authentication is critical. The message is divided into @code{n} blocks @code{M_1},@dots{} @code{M_n}, where @code{M_n} is of size @code{m} which may be smaller than the block size. XTS always uses a fixed blocksize of 128 bit (16 bytes) length. Unlike other modes, the key is double the size of that for the used cipher mode (for example 256bit for AES-128 and 512bit for AES-256). @acronym{XTS} encryption mode operates given: @itemize @item A multiplication by a primitive element alpha. @code{MUL a^j} here represents the multiplication, where @code{j} is the power of alpha, and the input value is converted into a 16 bytes array @code{a_0[k], k = 0,1,..,15}. The multiplication is calculated as @code{a_(j+1)[0] = (2(a_j[0] mod 128)) XOR (135 * floor(a_j[15]/128)} @code{a_(j+1)[k] = (2(a_j[k] mod 128)) XOR (floor(a_j[k-1]/128), k = 1,2,..15} Note that this operation is practically a 1 bit left shift operation with carry propagating from one byte to the next, and if the last bit shift results in a carry the decimal value 135 is XORed into the first byte. @item The encryption key is provided as the @code{Key = K1 | K2}, where @code{|} denotes string concatenation. @code{E_k1} is the encryption function of the block cipher using @code{K1} as the key, and @code{E_k2} is the same encryption function using @code{K2} @item A 128 bit tweak value is provided as input and is denoted as @code{IV} @end itemize The @code{n} plaintext blocks are transformed into @code{n} ciphertext blocks @code{C_1},@dots{} @code{C_n} as follows. For a plaintext length that is a perfect multiple of the XTS block size: @example T_1 = E_k2(IV) C_1 = E_k1(P_1 XOR T_1) XOR T_1 @dots{} T_n = T_(n-1) MUL a C_n = E_k1(P_n XOR T_n) XOR T_n @end example For any other plaintext lengths: @example T_1 = E_k2(IV) C_1 = E_k1(P_1 XOR T_1) XOR T_1 @dots{} T_(n-2) = T_(n-3) MUL a C_(n-2) = E_k1(P_(n-2) XOR T_(n-2)) XOR T_(n-2) T_(n-1) = T_(n-2) MUL a CC_(n-1) = E_k1(P_(n-1) XOR T_(n-1)) XOR T_(n-1) T_n = T_(n-1) MUL a PP = [1..m]Pn | [m+1..128]CC_(n-1) C_(n-1) = E_k1(PP XOR T_n) XOR T_n C_n = [1..m]CC_(n-1) @end example @subsubsection General (@acronym{XTS}) interface. The two general functions to encrypt and decrypt using the @acronym{XTS} block cipher mode are the following: @deftypefun void xts_encrypt_message (const void *@var{enc_ctx}, const void *@var{twk_ctx}, nettle_cipher_func *@var{encf}, const uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void xts_decrypt_message (const void *@var{dec_ctx}, const void *@var{twk_ctx}, nettle_cipher_func *@var{decf}, nettle_cipher_func *@var{encf}, const uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Applies the encryption function @var{encf} or the decryption function @var{decf} in @acronym{XTS} mode. At least one block (16 bytes) worth of data must be available therefore specifying a length less than 16 bytes is illegal. The functions @var{encf} @var{decf} are of type @code{void f (const void *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src})}, @noindent and the @code{xts_encrypt_message} and @code{xts_decrypt_message} functions pass their arguments @var{enc_ctx}, @var{twk_ctx} and @var{dec_ctx} to the functions @var{encf}, @var{decf} as @var{ctx}. @end deftypefun @subsubsection @acronym{XTS}-@acronym{AES} interface The @acronym{AES} @acronym{XTS} functions provide an API for using the @acronym{XTS} mode with the @acronym{AES} block ciphers. The parameters all have the same meaning as the general interface, except that the @var{enc_ctx}, @var{dec_ctx}, @var{twk_ctx}, @var{encf} and @var{decf} are replaced with an @acronym{AES} context structure called @var{ctx}, and a appropriate set-key function must be called before using any of the encryption or decryption functions in this interface. @deftp {Context struct} {struct xts_aes128_key} Holds state corresponding to the AES-128 block cipher. @end deftp @deftp {Context struct} {struct xts_aes256_key} Holds state corresponding to the AES-256 block cipher. @end deftp @deftypefun void xts_aes128_set_encrypt_key (struct xts_aes128_key *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void xts_aes256_set_encrypt_key (struct xts_aes256_key *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void xts_aes128_set_decrypt_key (struct xts_aes128_key *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void xts_aes256_set_decrypt_key (struct xts_aes256_key *@var{ctx}, const uint8_t *@var{key}) Initializes the encryption or decryption key for the AES block cipher. The length of the key must be double the size of the key for the corresponding cipher (256 bits for AES-128 and 512 bits for AES-256). One of these functions must be called before any of the other functions. @end deftypefun @deftypefun void xts_aes128_encrypt_message (struct xts_aes128_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void xts_aes256_encrypt_message (struct xts_aes256_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void xts_aes128_decrypt_message (struct xts_aes128_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void xts_aes256_decrypt_message (struct xts_aes256_key *@var{ctx}, uint8_t *@var{tweak}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) These are identical to @code{xts_encrypt_message} and @code{xts_decrypt_message}, except that @var{enc_ctx}, @var{dec_ctx}, @var{twk_ctx}, @var{encf} and @var{decf} are replaced by the @var{ctx} context structure. @end deftypefun @node Authenticated encryption @section Authenticated encryption with associated data @cindex AEAD @cindex Authenticated encryption Since there are some subtle design choices to be made when combining a block cipher mode with out authentication with a @acronym{MAC}. In recent years, several constructions that combine encryption and authentication have been defined. These constructions typically also have an additional input, the ``associated data'', which is authenticated but not included with the message. A simple example is an implicit message number which is available at both sender and receiver, and which needs authentication in order to detect deletions or replay of messages. This family of building blocks are therefore called @acronym{AEAD}, Authenticated encryption with associated data. The aim is to provide building blocks that it is easier for designers of protocols and applications to use correctly. There is also some potential for improved performance, if encryption and authentication can be done in a single step, although that potential is not realized for the constructions currently supported by Nettle. For encryption, the inputs are: @itemize @item The key, which can be used for many messages. @item A nonce, which must be unique for each message using the same key. @item Additional associated data to be authenticated, but not included in the message. @item The cleartext message to be encrypted. @end itemize The outputs are: @itemize @item The ciphertext, of the same size as the cleartext. @item A digest or ``authentication tag''. @end itemize Decryption works the same, but with cleartext and ciphertext interchanged. All currently supported @acronym{AEAD} algorithms always use the encryption function of the underlying block cipher, for both encryption and decryption. Usually, the authentication tag should be appended at the end of the ciphertext, producing an encrypted message which is slightly longer than the cleartext. However, Nettle's low level @acronym{AEAD} functions produce the authentication tag as a separate output for both encryption and decryption. Both associated data and the message data (cleartext or ciphertext) can be processed incrementally. In general, all associated data must be processed before the message data, and all calls but the last one must use a length that is a multiple of the block size, although some @acronym{AEAD} may implement more liberal conventions. The @acronym{CCM} mode is a bit special in that it requires the message lengths up front, other @acronym{AEAD} constructions don't have this restriction. The supported @acronym{AEAD} constructions are Galois/Counter mode (@acronym{GCM}), @acronym{EAX}, ChaCha-Poly1305, and Counter with @acronym{CBC}-@acronym{MAC} (@acronym{CCM}). There are some weaknesses in @acronym{GCM} authentication, see @url{https://csrc.nist.gov/groups/ST/toolkit/BCM/documents/comments@//CWC-GCM/Ferguson2.pdf}. @acronym{CCM} and @acronym{EAX} use the same building blocks, but the @acronym{EAX} design is cleaner and avoids a couple of inconveniences of @acronym{CCM}. Therefore, @acronym{EAX} seems like a good conservative choice. The more recent ChaCha-Poly1305 may also be an attractive but more adventurous alternative, in particular if performance is important. @menu * EAX:: * GCM:: * CCM:: * ChaCha-Poly1305:: * OCB:: * SIV-CMAC:: * SIV-GCM:: * nettle_aead abstraction:: @end menu @node EAX @subsection EAX The @acronym{EAX} mode is an @acronym{AEAD} mode which combines @acronym{CTR} mode encryption, @xref{CTR}, with a message authentication based on @acronym{CBC}, @xref{CBC}. The implementation in Nettle is restricted to ciphers with a block size of 128 bits (16 octets). @acronym{EAX} was defined as a reaction to the @acronym{CCM} mode, @xref{CCM}, which uses the same primitives but has some undesirable and inelegant properties. @acronym{EAX} supports arbitrary nonce size; it's even possible to use an empty nonce in case only a single message is encrypted for each key. Nettle's support for @acronym{EAX} consists of a low-level general interface, some convenience macros, and specific functions for @acronym{EAX} using @acronym{AES}-128 as the underlying cipher. These interfaces are defined in @file{} @subsubsection General @acronym{EAX} interface @deftp {Context struct} {struct eax_key} @acronym{EAX} state which depends only on the key, but not on the nonce or the message. @end deftp @deftp {Context struct} {struct eax_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant EAX_BLOCK_SIZE @acronym{EAX}'s block size, 16. @end defvr @defvr Constant EAX_DIGEST_SIZE Size of the @acronym{EAX} digest, also 16. @end defvr @deftypefun void eax_set_key (struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) Initializes @var{key}. @var{cipher} gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and @var{f} is the encryption function. @end deftypefun @deftypefun void eax_set_nonce (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nonce_length}, const uint8_t *@var{nonce}) Initializes @var{ctx} for processing a new message, using the given nonce. @end deftypefun @deftypefun void eax_update (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{data_length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. Unlike many other @acronym{AEAD} constructions, for @acronym{EAX} it's not necessary to complete the processing of all associated data before encrypting or decrypting the message data. @end deftypefun @deftypefun void eax_encrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void eax_decrypt (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void eax_digest (struct eax_ctx *@var{eax}, const struct eax_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. If @var{length} is smaller than @code{EAX_DIGEST_SIZE}, only the first @var{length} octets of the digest are written. @end deftypefun @subsubsection @acronym{EAX} helper macros The following macros are defined. @deffn Macro EAX_CTX (@var{context_type}) This defines an all-in-one context struct, including the context of the underlying cipher and all @acronym{EAX} state. It expands to @example @{ struct eax_key key; struct eax_ctx eax; context_type cipher; @} @end example @end deffn For all these macros, @var{ctx}, is a context struct as defined by @code{EAX_CTX}, and @var{encrypt} is the encryption function of the underlying cipher. @deffn Macro EAX_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{key}) @var{set_key} is the function for setting the encryption key for the underlying cipher, and @var{key} is the key. @end deffn @deffn Macro EAX_SET_NONCE (@var{ctx}, @var{encrypt}, @var{length}, @var{nonce}) Sets the nonce to be used for the message. @end deffn @deffn Macro EAX_UPDATE (@var{ctx}, @var{encrypt}, @var{length}, @var{data}) Process associated data for authentication. @end deffn @deffn Macro EAX_ENCRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) @deffnx Macro EAX_DECRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) Process message data for encryption or decryption. @end deffn @deffn Macro EAX_DIGEST (@var{ctx}, @var{encrypt}, @var{length}, @var{digest}) Extract the authentication tag for the message. @end deffn @subsubsection @acronym{EAX}-@acronym{AES}128 interface The following functions implement @acronym{EAX} using @acronym{AES}-128 as the underlying cipher. @deftp {Context struct} {struct eax_aes128_ctx} The context struct, defined using @code{EAX_CTX}. @end deftp @deftypefun void eax_aes128_set_key (struct eax_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void eax_aes128_set_nonce (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given nonce. @end deftypefun @deftypefun void eax_aes128_update (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void eax_aes128_encrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void eax_aes128_decrypt (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void eax_aes128_digest (struct eax_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. If @var{length} is smaller than @code{EAX_DIGEST_SIZE}, only the first @var{length} octets of the digest are written. @end deftypefun @node GCM @subsection Galois counter mode @cindex Galois Counter Mode @cindex GCM Galois counter mode is an @acronym{AEAD} constructions combining counter mode with message authentication based on universal hashing. The main objective of the design is to provide high performance for hardware implementations, where other popular @acronym{MAC} algorithms (@pxref{Keyed hash functions}) become a bottleneck for high-speed hardware implementations. It was proposed by David A. McGrew and John Viega in 2005, and recommended by NIST in 2007, @url{https://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf, NIST Special Publication 800-38D}. It is constructed on top of a block cipher which must have a block size of 128 bits. The authentication in @acronym{GCM} has some known weaknesses, see @url{https://csrc.nist.gov@//groups/ST/toolkit/BCM/documents/comments/CWC-GCM/Ferguson2.pdf}. In particular, don't use @acronym{GCM} with short authentication tags. Nettle's support for @acronym{GCM} consists of a low-level general interface, some convenience macros, and specific functions for @acronym{GCM} using @acronym{AES} or Camellia as the underlying cipher. These interfaces are defined in @file{} @subsubsection General @acronym{GCM} interface @deftp {Context struct} {struct gcm_key} Message independent hash sub-key, and related tables. @end deftp @deftp {Context struct} {struct gcm_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant GCM_BLOCK_SIZE @acronym{GCM}'s block size, 16. @end defvr @defvr Constant GCM_DIGEST_SIZE Size of the @acronym{GCM} digest, also 16. @end defvr @defvr Constant GCM_IV_SIZE Recommended size of the @acronym{IV}, 12. Arbitrary sizes are allowed. @end defvr @deftypefun void gcm_set_key (struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) Initializes @var{key}. @var{cipher} gives a context struct for the underlying cipher, which must have been previously initialized for encryption, and @var{f} is the encryption function. @end deftypefun @deftypefun void gcm_set_iv (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, size_t @var{length}, const uint8_t *@var{iv}) Initializes @var{ctx} using the given @acronym{IV}. The @var{key} argument is actually needed only if @var{length} differs from @code{GCM_IV_SIZE}. @end deftypefun @deftypefun void gcm_update (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_encrypt} or @code{gcm_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_encrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_decrypt (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_digest (struct gcm_ctx *@var{ctx}, const struct gcm_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. It's strongly recommended that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun To encrypt a message using @acronym{GCM}, first initialize a context for the underlying block cipher with a key to use for encryption. Then call the above functions in the following order: @code{gcm_set_key}, @code{gcm_set_iv}, @code{gcm_update}, @code{gcm_encrypt}, @code{gcm_digest}. The decryption procedure is analogous, just calling @code{gcm_decrypt} instead of @code{gcm_encrypt} (note that @acronym{GCM} decryption still uses the encryption function of the underlying block cipher). To process a new message, using the same key, call @code{gcm_set_iv} with a new @acronym{iv}. @subsubsection @acronym{GCM} helper macros The following macros are defined. @deffn Macro GCM_CTX (@var{context_type}) This defines an all-in-one context struct, including the context of the underlying cipher, the hash sub-key, and the per-message state. It expands to @example @{ struct gcm_key key; struct gcm_ctx gcm; context_type cipher; @} @end example @end deffn Example use: @example struct gcm_aes128_ctx GCM_CTX(struct aes128_ctx); @end example The following macros operate on context structs of this form. @deffn Macro GCM_SET_KEY (@var{ctx}, @var{set_key}, @var{encrypt}, @var{key}) First argument, @var{ctx}, is a context struct as defined by @code{GCM_CTX}. @var{set_key} and @var{encrypt} are functions for setting the encryption key and for encrypting data using the underlying cipher. @end deffn @deffn Macro GCM_SET_IV (@var{ctx}, @var{length}, @var{data}) First argument is a context struct as defined by @code{GCM_CTX}. @var{length} and @var{data} give the initialization vector (@acronym{IV}). @end deffn @deffn Macro GCM_UPDATE (@var{ctx}, @var{length}, @var{data}) Simpler way to call @code{gcm_update}. First argument is a context struct as defined by @code{GCM_CTX} @end deffn @deffn Macro GCM_ENCRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) @deffnx Macro GCM_DECRYPT (@var{ctx}, @var{encrypt}, @var{length}, @var{dst}, @var{src}) @deffnx Macro GCM_DIGEST (@var{ctx}, @var{encrypt}, @var{length}, @var{digest}) Simpler way to call @code{gcm_encrypt}, @code{gcm_decrypt} or @code{gcm_digest}. First argument is a context struct as defined by @code{GCM_CTX}. Second argument, @var{encrypt}, is the encryption function of the underlying cipher. @end deffn @subsubsection @acronym{GCM}-@acronym{AES} interface The following functions implement the common case of @acronym{GCM} using @acronym{AES} as the underlying cipher. The variants with a specific @acronym{AES} flavor are recommended, while the fucntinos using @code{struct gcm_aes_ctx} are kept for compatibility with older versiosn of Nettle. @deftp {Context struct} {struct gcm_aes128_ctx} @deftpx {Context struct} {struct gcm_aes192_ctx} @deftpx {Context struct} {struct gcm_aes256_ctx} Context structs, defined using @code{GCM_CTX}. @end deftp @deftp {Context struct} {struct gcm_aes_ctx} Alternative context struct, using the old @acronym{AES} interface. @end deftp @deftypefun void gcm_aes128_set_key (struct gcm_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void gcm_aes192_set_key (struct gcm_aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void gcm_aes256_set_key (struct gcm_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void gcm_aes_set_key (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{key}) Corresponding function, using the old @acronym{AES} interface. All valid @acronym{AES} key sizes can be used. @end deftypefun @deftypefun void gcm_aes128_set_iv (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_aes192_set_iv (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_aes256_set_iv (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_aes_set_iv (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given @acronym{IV}. @end deftypefun @deftypefun void gcm_aes128_update (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_aes192_update (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_aes256_update (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_aes_update (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_aes_encrypt} or @code{gcm_aes_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_aes128_encrypt (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes192_encrypt (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes256_encrypt (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes_encrypt (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes128_decrypt (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes192_decrypt (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes256_decrypt (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_aes_decrypt (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_aes128_digest (struct gcm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_aes192_digest (struct gcm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_aes256_digest (struct gcm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_aes_digest (struct gcm_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. It's strongly recommended that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun @subsubsection @acronym{GCM}-Camellia interface The following functions implement the case of @acronym{GCM} using Camellia as the underlying cipher. @deftp {Context struct} {struct gcm_camellia128_ctx} @deftpx {Context struct} {struct gcm_camellia256_ctx} Context structs, defined using @code{GCM_CTX}. @end deftp @deftypefun void gcm_camellia128_set_key (struct gcm_camellia128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void gcm_camellia256_set_key (struct gcm_camellia256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void gcm_camellia128_set_iv (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) @deftypefunx void gcm_camellia256_set_iv (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given @acronym{IV}. @end deftypefun @deftypefun void gcm_camellia128_update (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void gcm_camellia256_update (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_camellia_encrypt} or @code{gcm_camellia_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_camellia128_encrypt (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_camellia256_encrypt (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_camellia128_decrypt (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_camellia256_decrypt (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_camellia128_digest (struct gcm_camellia128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_camellia192_digest (struct gcm_camellia192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_camellia256_digest (struct gcm_camellia256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void gcm_camellia_digest (struct gcm_camellia_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. It's strongly recommended that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun @subsubsection @acronym{GCM}-SM4 interface The following functions implement the case of @acronym{GCM} using SM4 as the underlying cipher. @deftp {Context struct} {struct gcm_sm4_ctx} Context structs, defined using @code{GCM_CTX}. @end deftp @deftypefun void gcm_sm4_set_key (struct gcm_sm4_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. @end deftypefun @deftypefun void gcm_sm4_set_iv (struct gcm_sm4_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{iv}) Initializes the per-message state, using the given @acronym{IV}. @end deftypefun @deftypefun void gcm_sm4_update (struct gcm_sm4_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. If used, must be called before @code{gcm_sm4_encrypt} or @code{gcm_sm4_decrypt}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_sm4_encrypt (struct gcm_sm4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void gcm_sm4_decrypt (struct gcm_sm4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void gcm_sm4_digest (struct gcm_sm4_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. It's strongly recommended that @var{length} is @code{GCM_DIGEST_SIZE}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun @node CCM @subsection Counter with CBC-MAC mode @cindex Counter with CBC-MAC Mode @cindex CCM Mode @acronym{CCM} mode is a combination of counter mode with message authentication based on cipher block chaining, the same building blocks as @acronym{EAX}, @pxref{EAX}. It is constructed on top of a block cipher which must have a block size of 128 bits. @acronym{CCM} mode is recommended by NIST in @url{https://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf, NIST Special Publication 800-38C}. Nettle's support for CCM consists of a low-level general interface, a message encryption and authentication interface, and specific functions for CCM using AES as the underlying block cipher. These interfaces are defined in @file{}. In @acronym{CCM}, the length of the message must be known before processing. The maximum message size depends on the size of the nonce, since the message size is encoded in a field which must fit in a single block, together with the nonce and a flag byte. E.g., with a nonce size of 12 octets, there are three octets left for encoding the message length, the maximum message length is @math{2^24 - 1} octets. @acronym{CCM} mode encryption operates as follows: @itemize @item The nonce and message length are concatenated to create @code{B_0 = flags | nonce | mlength} @item The authenticated data and plaintext is formatted into the string @code{B = L(adata) | adata | padding | plaintext | padding} with @code{padding} being the shortest string of zero bytes such that the length of the string is a multiple of the block size, and @code{L(adata)} is an encoding of the length of @code{adata}. @item The string @code{B} is separated into blocks @code{B_1} ... @code{B_n} @item The authentication tag @code{T} is calculated as @code{T=0, for i=0 to n, do T = E_k(B_i XOR T)} @item An initial counter is then initialized from the nonce to create @code{IC = flags | nonce | padding}, where @code{padding} is the shortest string of zero bytes such that @code{IC} is exactly one block in length. @item The authentication tag is encrypted using using @acronym{CTR} mode: @code{MAC = E_k(IC) XOR T} @item The plaintext is then encrypted using @acronym{CTR} mode with an initial counter of @code{IC+1}. @end itemize @acronym{CCM} mode decryption operates similarly, except that the ciphertext and @acronym{MAC} are first decrypted using CTR mode to retrieve the plaintext and authentication tag. The authentication tag can then be recalculated from the authenticated data and plaintext, and compared to the value in the message to check for authenticity. @subsubsection General @acronym{CCM} interface For all of the functions in the @acronym{CCM} interface, @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. The cipher's encryption key must be set before calling any of the @acronym{CCM} functions. The cipher's decryption function and key are never used. @deftp {Context struct} {struct ccm_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant CCM_BLOCK_SIZE @acronym{CCM}'s block size, 16. @end defvr @defvr Constant CCM_DIGEST_SIZE Size of the @acronym{CCM} digest, 16. @end defvr @defvr Constant CCM_MIN_NONCE_SIZE @defvrx Constant CCM_MAX_NONCE_SIZE The the minimum and maximum sizes for an @acronym{CCM} nonce, 7 and 14, respectively. @end defvr @deffn Macro CCM_MAX_MSG_SIZE (@var{nonce_size}) The largest allowed plaintext length, when using @acronym{CCM} with a nonce of the given size. @end deffn @deftypefun void ccm_set_nonce (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) Initializes @var{ctx} using the given nonce and the sizes of the authenticated data, message, and @acronym{MAC} to be processed. @end deftypefun @deftypefun void ccm_update (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, const uint8_t *@var{data}) Provides associated data to be authenticated. Must be called after @code{ccm_set_nonce}, and before @code{ccm_encrypt}, @code{ccm_decrypt}, or @code{ccm_digest}. @end deftypefun @deftypefun void ccm_encrypt (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_decrypt (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the message data. Must be called after @code{ccm_set_nonce} and before @code{ccm_digest}. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ccm_digest (struct ccm_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. @var{length} is usually equal to the @var{taglen} parameter supplied to @code{ccm_set_nonce}, but if you provide a smaller value, only the first @var{length} octets of the digest are written. @end deftypefun To encrypt a message using the general @acronym{CCM} interface, set the message nonce and length using @code{ccm_set_nonce} and then call @code{ccm_update} to generate the digest of any authenticated data. After all of the authenticated data has been digested use @code{ccm_encrypt} to encrypt the plaintext. Finally, use @code{ccm_digest} to return the encrypted @acronym{MAC}. To decrypt a message, use @code{ccm_set_nonce} and @code{ccm_update} the same as you would for encryption, and then call @code{ccm_decrypt} to decrypt the ciphertext. After decrypting the ciphertext @code{ccm_digest} will return the encrypted @acronym{MAC} which should be identical to the @acronym{MAC} in the received message. @subsubsection @acronym{CCM} message interface The @acronym{CCM} message fuctions provides a simple interface that will perform authentication and message encryption in a single function call. The length of the cleartext is given by @var{mlength} and the length of the ciphertext is given by @var{clength}, always exactly @var{tlength} bytes longer than the corresponding plaintext. The length argument passed to a function is always the size for the result, @var{clength} for the encryption functions, and @var{mlength} for the decryption functions. @deftypefun void ccm_encrypt_message (void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the encrypted @acronym{MAC} to ciphertext and outputs it to @var{dst}. @end deftypefun @deftypefun int ccm_decrypt_message (void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, recalculates the @acronym{MAC} from @var{adata} and the plaintext, and compares it to the final @var{tlength} bytes of @var{src}. If the values of the received and calculated @acronym{MAC}s are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @subsubsection @acronym{CCM}-@acronym{AES} interface The @acronym{AES} @acronym{CCM} functions provide an API for using @acronym{CCM} mode with the @acronym{AES} block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the @var{cipher}, @var{f}, and @var{ctx} parameters are replaced with an @acronym{AES} context structure, and a set-key function must be called before using any of the other functions in this interface. @deftp {Context struct} {struct ccm_aes128_ctx} Holds state corresponding to a particular message encrypted using the AES-128 block cipher. @end deftp @deftp {Context struct} {struct ccm_aes192_ctx} Holds state corresponding to a particular message encrypted using the AES-192 block cipher. @end deftp @deftp {Context struct} {struct ccm_aes256_ctx} Holds state corresponding to a particular message encrypted using the AES-256 block cipher. @end deftp @deftypefun void ccm_aes128_set_key (struct ccm_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void ccm_aes192_set_key (struct ccm_aes192_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void ccm_aes256_set_key (struct ccm_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the @acronym{AES} @acronym{CCM} interface. @end deftypefun @deftypefun void ccm_aes128_set_nonce (struct ccm_aes128_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) @deftypefunx void ccm_aes192_set_nonce (struct ccm_aes192_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) @deftypefunx void ccm_aes256_set_nonce (struct ccm_aes256_ctx *@var{ctx}, size_t @var{noncelen}, const uint8_t *@var{nonce}, size_t @var{authlen}, size_t @var{msglen}, size_t @var{taglen}) These are identical to @code{ccm_set_nonce}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_update (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void ccm_aes192_update (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void ccm_aes256_update (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) These are identical to @code{ccm_set_update}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_encrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes192_encrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes256_encrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes128_decrypt (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes192_decrypt (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes256_decrypt (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) These are identical to @code{ccm_set_encrypt} and @code{ccm_set_decrypt}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_digest (struct ccm_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void ccm_aes192_digest (struct ccm_aes192_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void ccm_aes256_digest (struct ccm_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) These are identical to @code{ccm_set_digest}, except that @var{cipher}, @var{f}, and @var{ctx} are replaced with a context structure. @end deftypefun @deftypefun void ccm_aes128_encrypt_message (struct ccm_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes192_encrypt_message (struct ccm_aes192_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void ccm_aes256_encrypt_message (struct ccm_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int ccm_aes128_decrypt_message (struct ccm_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int ccm_aes192_decrypt_message (struct ccm_aes192_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int ccm_aes192_decrypt_message (struct ccm_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) These are identical to @code{ccm_encrypt_message} and @code{ccm_decrypt_message} except that @var{cipher} and @var{f} are replaced with a context structure. @end deftypefun @node ChaCha-Poly1305 @subsection ChaCha-Poly1305 ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (@pxref{Poly1305}). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which defines a similar construction but with Salsa20 instead of ChaCha. Nettle's implementation of ChaCha-Poly1305 follows @cite{RFC 8439}, where the ChaCha cipher is initialized with a 12-byte nonce and a 4-byte block counter. This allows up to 256 gigabytes of data to be encrypted using the same key and nonce. For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream (counter all zero) is set aside for the authentication subkeys. Of this 64-octet block, the first 16 octets specify the poly1305 evaluation point, and the next 16 bytes specify the value to add in for the final digest. The final 32 bytes of this block are unused. Note that unlike poly1305-aes, the evaluation point depends on the nonce. This is preferable, because it leaks less information in case the attacker for some reason is lucky enough to forge a valid authentication tag, and observe (from the receiver's behaviour) that the forgery succeeded. The ChaCha key stream, starting with counter value 1, is then used to encrypt the message. For authentication, poly1305 is applied to the concatenation of the associated data, the cryptotext, and the lengths of the associated data and the message, each a 64-bit number (eight octets, little-endian). Nettle defines ChaCha-Poly1305 in @file{}. @defvr Constant CHACHA_POLY1305_BLOCK_SIZE Same as the ChaCha block size, 64. @end defvr @defvr Constant CHACHA_POLY1305_KEY_SIZE ChaCha-Poly1305 key size, 32. @end defvr @defvr Constant CHACHA_POLY1305_NONCE_SIZE ChaCha-Poly1305 nonce size, 12. @end defvr @defvr Constant CHACHA_POLY1305_DIGEST_SIZE Digest size, 16. @end defvr @deftp {Context struct} {struct chacha_poly1305_ctx} @end deftp @deftypefun void chacha_poly1305_set_key (struct chacha_poly1305_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes @var{ctx} using the given key. Before using the context, you @emph{must} also call @code{chacha_poly1305_set_nonce}, see below. @end deftypefun @deftypefun void chacha_poly1305_set_nonce (struct chacha_poly1305_ctx *@var{ctx}, const uint8_t *@var{nonce}) Initializes the per-message state, using the given nonce. @end deftypefun @deftypefun void chacha_poly1305_update (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. @end deftypefun @deftypefun void chacha_poly1305_encrypt (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void chacha_poly1305_decrypt (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts or decrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void chacha_poly1305_digest (struct chacha_poly1305_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. If @var{length} is smaller than @code{CHACHA_POLY1305_DIGEST_SIZE}, only the first @var{length} octets of the digest are written. @end deftypefun @node OCB @subsection @acronym{OCB} (Offset Code Book) Mode @cindex OCB @cindex OCB mode @cindex Offset Code Book The @acronym{OCB} mode is an @acronym{AEAD} construction, featuring particularly fast and simple authentication; it needs one block cipher operation per data block, and almost free authentication. It is constructed on top of a block cipher which must have a block size of 128 bits. There have been several versions of the OCB scheme, the implementation in Nettle follows @cite{RFC 7253}, which is almost the same as the scheme OCB3. @subsubsection General interface @deftp {Context struct} {struct ocb_key} @acronym{OCB} state which depends only on the key, but not on the nonce or the message. @end deftp @deftp {Context struct} {struct ocb_ctx} Holds state corresponding to a particular message. @end deftp @defvr Constant OCB_BLOCK_SIZE The block size for @acronym{OCB}'s block size, 16. @end defvr @defvr Constant OCB_MAX_NONCE_SIZE The maximum nonce size for @acronym{OCB}, 15. @end defvr @defvr Constant OCB_DIGEST_SIZE Size of the @acronym{OCB} authentication tag. @end defvr @deftypefun void ocb_set_key (struct ocb_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}) Initializes the @var{key} struct. The @var{cipher} context must be initialized for encryption, and @var{f} should be the corresponding encryption function. @end deftypefun @deftypefun void ocb_set_nonce (struct ocb_ctx *@var{ctx}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{tag_length}, size_t @var{nonce_length}, const uint8_t *@var{nonce}) Initializes @var{ctx} for processing a new message, using the given nonce. The @var{cipher} must be initialized for encryption, and @var{f} should be the corresponding encryption function. The @var{tag_length} (non-zero, and at most 16) is included when initializing the state, and should be the same value later passed to @code{ocb_digest}. Nonce is optional, and length at most 15 bytes. @end deftypefun @deftypefun void ocb_update (struct ocb_ctx *@var{ctx}, const struct ocb_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_encrypt (struct ocb_ctx *@var{ctx}, const struct ocb_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts the data of a message. @var{cipher} is the context struct for the underlying cipher and @var{f} is the encryption function. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_decrypt (struct ocb_ctx *@var{ctx}, const struct ocb_key *@var{key}, const void *@var{encrypt_ctx}, nettle_cipher_func *@var{encrypt}, const void *@var{decrypt_ctx}, nettle_cipher_func *@var{decrypt}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the data of a message. @var{encrypt_ctx} and @var{encrypt} define the encryption operation of the underlying cipher, while @var{decrypt_ctx} and @var{decrypt} represent the decryption operation (for some ciphers, one of context pointer and function pointer may be the same). All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_digest (const struct ocb_ctx *@var{ctx}, const struct ocb_key *@var{key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. The @var{length} value @emph{should} be the same as the tag length passed to the preceding @code{ocb_set_nonce} call (using a different length is possible, but incompatible with @cite{RFC 7253}). @end deftypefun @deftypefun void ocb_encrypt_message (const struct ocb_key *@var{ocb_key}, const void *@var{cipher}, nettle_cipher_func *@var{f}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the tag to the ciphertext and writes it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @var{tlength}. @end deftypefun @deftypefun int ocb_decrypt_message (const struct ocb_key *@var{ocb_key}, const void *@var{encrypt_ctx}, nettle_cipher_func *@var{encrypt}, const void *@var{decrypt_ctx}, nettle_cipher_func *@var{decrypt}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}. Like @code{ocb_decrypt}, it needs both the encrypt and the decrypt function of the underlying cipher. It also recalculates the authentication tag from @var{adata} and the plaintext, and compares it to the final @var{tlength} bytes of @var{src}. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @subsubsection @acronym{OCB-AES} interface @deftp {Context struct} {struct ocb_aes128_encrypt_key} Key-dependent state for encryption using @acronym{OCB-AES128}. For decryption, a separate @code{struct aes128_ctx}, initialized for decryption, is needed as well. @end deftp @deftypefun void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *@var{ocb}, const uint8_t *@var{key}) Initializes @var{ocb} and the underlying AES cipher with the given key. @end deftypefun @deftypefun void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *@var{ocb}, struct aes128_ctx *@var{decrypt}, const uint8_t *@var{key}) Initializes @var{ocb} and the underlying AES cipher with the given key. In addition, initialize @var{decrypt} for decryption using the same key; this is needed for @code{ocb_aes128_decrypt} and @code{ocb_aes128_decrypt_message}. @end deftypefun @deftypefun void ocb_aes128_set_nonce (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, size_t @var{tag_length}, size_t @var{nonce_length}, const uint8_t *@var{nonce}) Initializes @var{ctx} for processing a new message, using the given nonce and key. The @var{tag_length} (non-zero, and at most 16) is included when initializing the state, and should be the same value later passed to @code{ocb_digest}. Nonce is optional, and length at most 15 bytes. @end deftypefun @deftypefun void ocb_aes128_update (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, size_t @var{length}, const uint8_t *@var{data}) Process associated data for authentication. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_aes128_encrypt (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Encrypts the data of a message. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_aes128_decrypt (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, const struct aes128_ctx *@var{decrypt}, size_t @var{length}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the data of a message. @var{decrypt} is an AES context initialized for decryption using the same key. All but the last call for each message @emph{must} use a length that is a multiple of the block size. @end deftypefun @deftypefun void ocb_aes128_digest (struct ocb_ctx *@var{ctx}, const struct ocb_aes128_encrypt_key *@var{key}, size_t @var{length}, uint8_t *@var{digest}) Extracts the message digest (also known ``authentication tag''). This is the final operation when processing a message. The @var{length} value @emph{should} be the same as the tag length passed to the preceding @code{ocb_aes128_set_nonce} call (using a different length is possible, but incompatible with @cite{RFC 7253}). @end deftypefun @deftypefun void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *@var{key}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the tag to the ciphertext and writes it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @var{tlength}. @end deftypefun @deftypefun int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *@var{key}, const struct aes128_ctx *@var{decrypt}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{tlength}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}. Like @code{ocb_aes128_decrypt}, it needs an AES context initialized for decryption using the same key. It also recalculates the authentication tag from @var{adata} and the plaintext, and compares it to the final @var{tlength} bytes of @var{src}. If the values of the received and calculated tags are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @node SIV-CMAC @subsection Synthetic Initialization Vector AEAD @cindex SIV mode @cindex SIV-CMAC mode @acronym{SIV-CMAC} mode is a combination of counter mode with message authentication based on @acronym{CMAC}. Unlike other counter @acronym{AEAD} modes, it provides protection against accidental nonce misuse, making it a good choice for stateless-servers that cannot ensure nonce uniqueness. It is constructed on top of a block cipher which must have a block size of 128 bits. Nettle's support for @acronym{SIV-CMAC} consists of a message encryption and authentication interface, for @acronym{SIV-CMAC} using AES as the underlying block cipher. When a nonce is re-used with this mode, message authenticity is retained however an attacker can determine whether the same plaintext was protected with the two messages sharing the nonce. These interfaces are defined in @file{}. Unlike other @acronym{AEAD} mode in @acronym{SIV-CMAC} the initialization vector serves as the tag. That means that in the generated ciphertext the tag precedes the ciphertext. Note also, that the @acronym{SIV-CMAC} algorithm, as specified in @cite{RFC 5297}, introduces the notion of authenticated data which consist of multiple components. For example with @acronym{SIV-CMAC} the authentication tag of data @code{X} followed by @code{Y}, is different than the concatenated data @code{X || Y}. The interfaces described below follow the @acronym{AEAD} paradigm and do not allow access to this feature and also require the use of a non-empty nonce. In the terminology of the RFC, the input to the S2V function is always a vector of three elements, where S1 is the authenticated data, S2 is the nonce, and S3 is the plaintext. @subsubsection General interface @defvr Constant SIV_BLOCK_SIZE @acronym{SIV-CMAC}'s block size, 16. @end defvr @defvr Constant SIV_DIGEST_SIZE Size of the @acronym{SIV-CMAC} digest or initialization vector, 16. @end defvr @defvr Constant SIV_MIN_NONCE_SIZE The the minimum size for an @acronym{SIV-CMAC} nonce, 1. @end defvr @subsubsection @acronym{SIV-CMAC}-@acronym{AES} interface The @acronym{AES} @acronym{SIV-CMAC} functions provide an API for using @acronym{SIV-CMAC} mode with the @acronym{AES} block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the @var{cipher}, @var{f}, and @var{ctx} parameters are replaced with an @acronym{AES} context structure, and a set-key function must be called before using any of the other functions in this interface. @deftp {Context struct} {struct siv_cmac_aes128_ctx} Holds state corresponding to a particular message encrypted using the AES-128 block cipher. @end deftp @deftp {Context struct} {struct siv_cmac_aes256_ctx} Holds state corresponding to a particular message encrypted using the AES-256 block cipher. @end deftp @deftypefun void siv_cmac_aes128_set_key (struct siv_cmac_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void siv_cmac_aes256_set_key (struct siv_cmac_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) Initializes the encryption key for the AES block cipher. One of these functions must be called before any of the other functions in the @acronym{AES} @acronym{SIV-CMAC} interface. @end deftypefun @deftypefun void siv_cmac_aes128_encrypt_message (struct siv_cmac_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void siv_cmac_aes256_encrypt_message (struct siv_cmac_aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, prepends the initialization vector to the ciphertext and outputs it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @code{SIV_DIGEST_SIZE}. @end deftypefun @deftypefun int siv_cmac_aes128_decrypt_message (struct siv_cmac_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int siv_cmac_aes256_decrypt_message (struct siv_cmac_aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, recalculates the initialization vector from @var{adata} and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @node SIV-GCM @subsection SIV-GCM @acronym{SIV-GCM}, described in @cite{RFC 8452}, is an @acronym{AEAD} construction similar to @acronym{AES-GCM}, but provides protection against accidental nonce misuse like @acronym{SIV-CMAC} mode. It is constructed on top of a block cipher which must have a block size of 128 bits and a nonce size of 12 bytes. Nettle's support for @acronym{SIV-GCM} consists of a message encryption and authentication interface, for @acronym{SIV-GCM} using AES as the underlying block cipher. These interfaces are defined in @file{}. Unlike other @acronym{AEAD} mode in @acronym{SIV-GCM} the tag is calculated over the encoded additional authentication data and plaintext instead of the ciphertext. @subsubsection General interface @defvr Constant SIV_GCM_BLOCK_SIZE @acronym{SIV-GCM}'s block size, 16. @end defvr @defvr Constant SIV_GCM_DIGEST_SIZE Size of the @acronym{SIV-GCM} digest for tags, 16. @end defvr @defvr Constant SIV_GCM_NONCE_SIZE Size of the @acronym{SIV-GCM} nonce, 12. @end defvr @deftypefun void siv_gcm_encrypt_message (const struct nettle_cipher *@var{nc}, const void *@var{ctx}, void *@var{ctr_ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the authentication tag to the ciphertext and outputs it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @code{SIV_GCM_DIGEST_SIZE}. @end deftypefun @deftypefun int siv_gcm_decrypt_message (const struct nettle_cipher *@var{nc}, const void *@var{ctx}, void *@var{ctr_ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, recalculates the initialization vector from @var{adata} and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun In the above interface, @var{nc} must point to a cipher that works with 16-byte block size and the key sizes that are multiple of 8-bytes. The @var{ctx} context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. While the @var{ctr_ctx} context structure must have the same size as @var{ctx}, it does not need to be initialized before calling those functions as it is used as working storage. These structures can point to the same area; in that case the contents of *@var{ctx} is destroyed by the call. For convenience, Nettle provides wrapper functions that works with @acronym{AES} described in the following section. @subsubsection @acronym{SIV-GCM}-@acronym{AES} interface The @acronym{SIV-GCM} functions provide an API for using @acronym{SIV-GCM} mode with the @acronym{AES} block ciphers. The parameters all have the same meaning as the general and message interfaces, except that the @var{cipher}, @var{f}, and @var{ctx} parameters are replaced with an @acronym{AES} context structure. The @acronym{AES} context structure must be initialized for encryption mode using a set-key function, before using any of the functions in this interface. @deftypefun void siv_gcm_aes128_encrypt_message (const struct aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx void siv_gcm_aes256_encrypt_message (const struct aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{clength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Computes the message digest from the @var{adata} and @var{src} parameters, encrypts the plaintext from @var{src}, appends the authentication tag to the ciphertext and outputs it to @var{dst}. The @var{clength} variable must be equal to the length of @var{src} plus @code{SIV_GCM_DIGEST_SIZE}. @end deftypefun @deftypefun int siv_gcm_aes128_decrypt_message (const struct aes128_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) @deftypefunx int siv_gcm_aes256_decrypt_message (const struct aes256_ctx *@var{ctx}, size_t @var{nlength}, const uint8_t *@var{nonce}, size_t @var{alength}, const uint8_t *@var{adata}, size_t @var{mlength}, uint8_t *@var{dst}, const uint8_t *@var{src}) Decrypts the ciphertext from @var{src}, outputs the plaintext to @var{dst}, recalculates the initialization vector from @var{adata} and the plaintext. If the values of the received and calculated initialization vector are equal, this will return 1 indicating a valid and authenticated message. Otherwise, this function will return zero. @end deftypefun @node nettle_aead abstraction @subsection The @code{struct nettle_aead} abstraction @cindex nettle_aead Nettle includes a struct including information about the supported hash functions. It is defined in @file{}. @deftp {Meta struct} @code{struct nettle_aead} name context_size block_size key_size nonce_size digest_size set_encrypt_key set_decrypt_key set_nonce update encrypt decrypt digest The last seven attributes are function pointers. @end deftp @deftypevr {Constant Struct} {struct nettle_aead} nettle_gcm_aes128 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_aes192 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_aes256 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_camellia128 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_gcm_camellia256 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_eax_aes128 @deftypevrx {Constant Struct} {struct nettle_aead} nettle_chacha_poly1305 These are most of the @acronym{AEAD} constructions that Nettle implements. Note that @acronym{CCM} is missing; it requirement that the message size is specified in advance makes it incompatible with the @code{nettle_aead} abstraction. @end deftypevr Nettle also exports a list of all these constructions. @deftypefun {const struct nettle_aead **} nettle_get_aeads (void) Returns a NULL-terminated list of pointers to supported algorithms.This list can be used to dynamically enumerate or search the supported algorithms. @end deftypefun @deffn Macro nettle_aeads A macro expanding to a call to nettle_get_aeads. In earlier versions, this was not a macro but the actual array of pointers. @end deffn @node Keyed hash functions @section Keyed Hash Functions @cindex Keyed Hash Function @cindex Message Authentication Code @cindex MAC A @dfn{keyed hash function}, or @dfn{Message Authentication Code} (@acronym{MAC}) is a function that takes a key and a message, and produces fixed size @acronym{MAC}. It should be hard to compute a message and a matching @acronym{MAC} without knowledge of the key. It should also be hard to compute the key given only messages and corresponding @acronym{MAC}s. Keyed hash functions are useful primarily for message authentication, when Alice and Bob shares a secret: The sender, Alice, computes the @acronym{MAC} and attaches it to the message. The receiver, Bob, also computes the @acronym{MAC} of the message, using the same key, and compares that to Alice's value. If they match, Bob can be assured that the message has not been modified on its way from Alice. However, unlike digital signatures, this assurance is not transferable. Bob can't show the message and the @acronym{MAC} to a third party and prove that Alice sent that message. Not even if he gives away the key to the third party. The reason is that the @emph{same} key is used on both sides, and anyone knowing the key can create a correct @acronym{MAC} for any message. If Bob believes that only he and Alice knows the key, and he knows that he didn't attach a @acronym{MAC} to a particular message, he knows it must be Alice who did it. However, the third party can't distinguish between a @acronym{MAC} created by Alice and one created by Bob. Keyed hash functions are typically a lot faster than digital signatures as well. @menu * HMAC:: * UMAC:: * CMAC:: * Poly1305:: @end menu @node HMAC @subsection @acronym{HMAC} @cindex HMAC One can build keyed hash functions from ordinary hash functions. Older constructions simply concatenate secret key and message and hashes that, but such constructions have weaknesses. A better construction is @acronym{HMAC}, described in @cite{RFC 2104}. For an underlying hash function @code{H}, with digest size @code{l} and internal block size @code{b}, @acronym{HMAC-H} is constructed as follows: From a given key @code{k}, two distinct subkeys @code{k_i} and @code{k_o} are constructed, both of length @code{b}. The @acronym{HMAC-H} of a message @code{m} is then computed as @code{H(k_o | H(k_i | m))}, where @code{|} denotes string concatenation. @acronym{HMAC} keys can be of any length, but it is recommended to use keys of length @code{l}, the digest size of the underlying hash function @code{H}. Keys that are longer than @code{b} are shortened to length @code{l} by hashing with @code{H}, so arbitrarily long keys aren't very useful. Nettle's @acronym{HMAC} functions are defined in @file{}. There are abstract functions that use a pointer to a @code{struct nettle_hash} to represent the underlying hash function and @code{void *} pointers that point to three different context structs for that hash function. There are also concrete functions for @acronym{HMAC-MD5}, @acronym{HMAC-RIPEMD160} @acronym{HMAC-SHA1}, @acronym{HMAC-SHA256}, @acronym{HMAC-SHA512}, and @acronym{HMAC-SM3}. First, the abstract functions: @deftypefun void hmac_set_key (void *@var{outer}, void *@var{inner}, void *@var{state}, const struct nettle_hash *@var{H}, size_t @var{length}, const uint8_t *@var{key}) Initializes the three context structs from the key. The @var{outer} and @var{inner} contexts corresponds to the subkeys @code{k_o} and @code{k_i}. @var{state} is used for hashing the message, and is initialized as a copy of the @var{inner} context. @end deftypefun @deftypefun void hmac_update (void *@var{state}, const struct nettle_hash *@var{H}, size_t @var{length}, const uint8_t *@var{data}) This function is called zero or more times to process the message. Actually, @code{hmac_update(state, H, length, data)} is equivalent to @code{H->update(state, length, data)}, so if you wish you can use the ordinary update function of the underlying hash function instead. @end deftypefun @deftypefun void hmac_digest (const void *@var{outer}, const void *@var{inner}, void *@var{state}, const struct nettle_hash *@var{H}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. @var{outer} and @var{inner} are not modified. @var{length} is usually equal to @code{H->digest_size}, but if you provide a smaller value, only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the @var{state} context so that you can start over processing a new message (with the same key). @end deftypefun Like for @acronym{CBC}, there are some macros to help use these functions correctly. @deffn Macro HMAC_CTX (@var{type}) Expands to @example @{ type outer; type inner; type state; @} @end example @end deffn It can be used to define a @acronym{HMAC} context struct, either directly, @example struct HMAC_CTX(struct md5_ctx) ctx; @end example or to give it a struct tag, @example struct hmac_md5_ctx HMAC_CTX (struct md5_ctx); @end example @deffn Macro HMAC_SET_KEY (@var{ctx}, @var{H}, @var{length}, @var{key}) @var{ctx} is a pointer to a context struct as defined by @code{HMAC_CTX}, @var{H} is a pointer to a @code{const struct nettle_hash} describing the underlying hash function (so it must match the type of the components of @var{ctx}). The last two arguments specify the secret key. @end deffn @deffn Macro HMAC_DIGEST (@var{ctx}, @var{H}, @var{length}, @var{digest}) @var{ctx} is a pointer to a context struct as defined by @code{HMAC_CTX}, @var{H} is a pointer to a @code{const struct nettle_hash} describing the underlying hash function. The last two arguments specify where the digest is written. @end deffn Note that there is no @code{HMAC_UPDATE} macro; simply call @code{hmac_update} function directly, or the update function of the underlying hash function. Now we come to the specialized @acronym{HMAC} functions, which are easier to use than the general @acronym{HMAC} functions. @subsubsection @acronym{HMAC-MD5} @deftp {Context struct} {struct hmac_md5_ctx} @end deftp @deftypefun void hmac_md5_set_key (struct hmac_md5_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_md5_update (struct hmac_md5_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_md5_digest (struct hmac_md5_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{MD5_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-RIPEMD160} @deftp {Context struct} {struct hmac_ripemd160_ctx} @end deftp @deftypefun void hmac_ripemd160_set_key (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_ripemd160_update (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_ripemd160_digest (struct hmac_ripemd160_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{RIPEMD160_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SHA1} @deftp {Context struct} {struct hmac_sha1_ctx} @end deftp @deftypefun void hmac_sha1_set_key (struct hmac_sha1_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sha1_update (struct hmac_sha1_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sha1_digest (struct hmac_sha1_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SHA1_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SHA256} @deftp {Context struct} {struct hmac_sha256_ctx} @end deftp @deftypefun void hmac_sha256_set_key (struct hmac_sha256_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sha256_update (struct hmac_sha256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sha256_digest (struct hmac_sha256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SHA256_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SHA512} @deftp {Context struct} {struct hmac_sha512_ctx} @end deftp @deftypefun void hmac_sha512_set_key (struct hmac_sha512_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sha512_update (struct hmac_sha512_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sha512_digest (struct hmac_sha512_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SHA512_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @subsubsection @acronym{HMAC-SM3} @deftp {Context struct} {struct hmac_sm3_ctx} @end deftp @deftypefun void hmac_sm3_set_key (struct hmac_sm3_ctx *@var{ctx}, size_t @var{key_length}, const uint8_t *@var{key}) Initializes the context with the key. @end deftypefun @deftypefun void hmac_sm3_update (struct hmac_sm3_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process some more data. @end deftypefun @deftypefun void hmac_sm3_digest (struct hmac_sm3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC}, writing it to @var{digest}. @var{length} may be smaller than @code{SM3_DIGEST_SIZE}, in which case only the first @var{length} octets of the @acronym{MAC} are written. This function also resets the context for processing new messages, with the same key. @end deftypefun @node UMAC @subsection @acronym{UMAC} @cindex UMAC @acronym{UMAC} is a message authentication code based on universal hashing, and designed for high performance on modern processors (in contrast to GCM, @xref{GCM}, which is designed primarily for hardware performance). On processors with good integer multiplication performance, it can be 10 times faster than SHA256 and SHA512. @acronym{UMAC} is specified in @cite{RFC 4418}. The secret key is always 128 bits (16 octets). The key is used as an encryption key for the @acronym{AES} block cipher. This cipher is used in counter mode to generate various internal subkeys needed in @acronym{UMAC}. Messages are of arbitrary size, and for each message, @acronym{UMAC} also needs a unique nonce. Nonce values must not be reused for two messages with the same key, but they need not be kept secret. The nonce must be at least one octet, and at most 16; nonces shorter than 16 octets are zero-padded. Nettle's implementation of @acronym{UMAC} increments the nonce automatically for each message, so explicitly setting the nonce for each message is optional. This auto-increment uses network byte order and it takes the length of the nonce into account. E.g., if the initial nonce is ``abc'' (3 octets), this value is zero-padded to 16 octets for the first message. For the next message, the nonce is incremented to ``abd'', and this incremented value is zero-padded to 16 octets. @acronym{UMAC} is defined in four variants, for different output sizes: 32 bits (4 octets), 64 bits (8 octets), 96 bits (12 octets) and 128 bits (16 octets), corresponding to different trade-offs between speed and security. Using a shorter output size sometimes (but not always!) gives the same result as using a longer output size and truncating the result. So it is important to use the right variant. For consistency with other hash and @acronym{MAC} functions, Nettle's @code{_digest} functions for @acronym{UMAC} accept a length parameter so that the output can be truncated to any desired size, but it is recommended to stick to the specified output size and select the @acronym{umac} variant corresponding to the desired size. The internal block size of @acronym{UMAC} is 1024 octets, and it also generates more than 1024 bytes of subkeys. This makes the size of the context struct quite a bit larger than other hash functions and @acronym{MAC} algorithms in Nettle. Nettle defines @acronym{UMAC} in @file{}. @deftp {Context struct} {struct umac32_ctx} @deftpx {Context struct} {struct umac64_ctx} @deftpx {Context struct} {struct umac96_ctx} @deftpx {Context struct} {struct umac128_ctx} Each @acronym{UMAC} variant uses its own context struct. @end deftp @defvr Constant UMAC_KEY_SIZE The UMAC key size, 16. @end defvr @defvr Constant UMAC_MIN_NONCE_SIZE @defvrx Constant UMAC_MAX_NONCE_SIZE The the minimum and maximum sizes for an UMAC nonce, 1 and 16, respectively. @end defvr @defvr Constant UMAC32_DIGEST_SIZE The size of an UMAC32 digest, 4. @end defvr @defvr Constant UMAC64_DIGEST_SIZE The size of an UMAC64 digest, 8. @end defvr @defvr Constant UMAC96_DIGEST_SIZE The size of an UMAC96 digest, 12. @end defvr @defvr Constant UMAC128_DIGEST_SIZE The size of an UMAC128 digest, 16. @end defvr @defvr Constant UMAC_BLOCK_SIZE The internal block size of UMAC. @end defvr @deftypefun void umac32_set_key (struct umac32_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void umac64_set_key (struct umac64_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void umac96_set_key (struct umac96_ctx *@var{ctx}, const uint8_t *@var{key}) @deftypefunx void umac128_set_key (struct umac128_ctx *@var{ctx}, const uint8_t *@var{key}) These functions initialize the @acronym{UMAC} context struct. They also initialize the nonce to zero (with length 16, for auto-increment). @end deftypefun @deftypefun void umac32_set_nonce (struct umac32_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) @deftypefunx void umac64_set_nonce (struct umac64_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) @deftypefunx void umac96_set_nonce (struct umac96_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) @deftypefunx void umac128_set_nonce (struct umac128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{nonce}) Sets the nonce to be used for the next message. In general, nonces should be set before processing of the message. This is not strictly required for @acronym{UMAC} (the nonce only affects the final processing generating the digest), but it is nevertheless recommended that this function is called @emph{before} the first @code{_update} call for the message. @end deftypefun @deftypefun void umac32_update (struct umac32_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void umac64_update (struct umac64_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void umac96_update (struct umac96_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) @deftypefunx void umac128_update (struct umac128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) These functions are called zero or more times to process the message. @end deftypefun @deftypefun void umac32_digest (struct umac32_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void umac64_digest (struct umac64_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void umac96_digest (struct umac96_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) @deftypefunx void umac128_digest (struct umac128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. @var{length} is usually equal to the specified output size, but if you provide a smaller value, only the first @var{length} octets of the @acronym{MAC} are written. These functions reset the context for processing of a new message with the same key. The nonce is incremented as described above, the new value is used unless you call the @code{_set_nonce} function explicitly for each message. @end deftypefun @node CMAC @subsection @acronym{CMAC} @cindex CMAC @cindex CMAC-128 @cindex CMAC-64 @acronym{CMAC} is a message authentication code based on CBC encryption mode. It is suitable for systems where block ciphers are preferrable and perform better than hash functions. @acronym{CMAC-128} is specified in @cite{RFC4493}. The block size is always 128 bits (16 octets). @acronym{CMAC-64} is specified by @url{https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38B.pdf, NIST Special Publication 800-38B}. The block size is always 64 bits (8 octets). Nettle provides helper functions for @acronym{CMAC-128} with the @acronym{AES} block cipher and for @acronym{CMAC-64} with the @acronym{Tripple-DES} block cipher. Nettle defines @acronym{CMAC} in @file{}. @deftp {Context struct} {struct cmac_aes128_ctx} @deftpx {Context struct} {struct cmac_aes256_ctx} @end deftp @defvr Constant CMAC128_DIGEST_SIZE The size of an CMAC-128 digest, 16. @end defvr @deftypefun void cmac_aes128_set_key (struct cmac_aes128_ctx *@var{ctx}, const uint8_t *@var{key}) This function initializes the @acronym{CMAC} context struct for AES-128. @end deftypefun @deftypefun void cmac_aes128_update (struct cmac_aes128_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) This function is called zero or more times to process the message. @end deftypefun @deftypefun void cmac_aes128_digest (struct cmac_aes128_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. @var{length} is usually equal to the specified output size, but if you provide a smaller value, only the first @var{length} octets of the @acronym{MAC} are written. This function resets the context for processing of a new message with the same key. @end deftypefun @deftypefun void cmac_aes256_set_key (struct cmac_aes256_ctx *@var{ctx}, const uint8_t *@var{key}) This function initializes the @acronym{CMAC} context struct for AES-256. @end deftypefun @deftypefun void cmac_aes256_update (struct cmac_aes256_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) This function is called zero or more times to process the message. @end deftypefun @deftypefun void cmac_aes256_digest (struct cmac_aes256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. @var{length} is usually equal to the specified output size, but if you provide a smaller value, only the first @var{length} octets of the @acronym{MAC} are written. This function resets the context for processing of a new message with the same key. @end deftypefun @deftp {Context struct} {struct cmac_des3_ctx} @end deftp @defvr Constant CMAC64_DIGEST_SIZE The size of an CMAC-64 digest, 8. @end defvr @deftypefun void cmac_des3_set_key (struct cmac_des3_ctx *@var{ctx}, const uint8_t *@var{key}) This function initializes the @acronym{CMAC} context struct for @acronym{Tripple-DES}. @end deftypefun @deftypefun void cmac_des3_update (struct cmac_des3_ctx *@var{ctx},size_t @var{length}, const uint8_t *@var{data}) This function is called zero or more times to process the message. @end deftypefun @deftypefun void cmac_des3_digest (struct cmac_des3_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the @acronym{MAC} of the message, writing it to @var{digest}. @var{length} is usually equal to the specified output size, but if you provide a smaller value, only the first @var{length} octets of the @acronym{MAC} are written. This function resets the context for processing of a new message with the same key. @end deftypefun @node Poly1305 @subsection Poly1305 Poly1305-@acronym{AES} is a message authentication code designed by D. J. Bernstein. It treats the message as a polynomial modulo the prime number @math{2^130 - 5}. The key, 256 bits, consists of two parts, where the first half is an @acronym{AES}-128 key, and the second half specifies the point where the polynomial is evaluated. Of the latter half, 22 bits are set to zero, to enable high-performance implementation, leaving 106 bits for specifying an evaluation point @code{r}. For each message, one must also provide a 128-bit nonce. The nonce is encrypted using the @acronym{AES} key, and that's the only thing @acronym{AES} is used for. The message is split into 128-bit chunks (with final chunk possibly being shorter), each read as a little-endian integer. Each chunk has a one-bit appended at the high end. The resulting integers are treated as polynomial coefficients modulo @math{2^130 - 5}, and the polynomial is evaluated at the point @code{r}. Finally, this value is reduced modulo @math{2^128}, and added (also modulo @math{2^128}) to the encrypted nonce, to produce an 128-bit authenticator for the message. See @url{https://cr.yp.to/mac/poly1305-20050329.pdf} for further details. Clearly, variants using a different cipher than @acronym{AES} could be defined. Another variant is the ChaCha-Poly1305 @acronym{AEAD} construction (@pxref{ChaCha-Poly1305}). Nettle defines Poly1305-@acronym{AES} in @file{nettle/poly1305.h}. @defvr Constant POLY1305_AES_KEY_SIZE Key size, 32 octets. @end defvr @defvr Constant POLY1305_AES_DIGEST_SIZE Size of the digest or ``authenticator'', 16 octets. @end defvr @defvr Constant POLY1305_AES_NONCE_SIZE Nonce size, 16 octets. @end defvr @deftp {Context struct} {struct poly1305_aes_ctx} The poly1305-aes context struct. @end deftp @deftypefun void poly1305_aes_set_key (struct poly1305_aes_ctx *@var{ctx}, const uint8_t *@var{key}) Initialize the context struct. Also sets the nonce to zero. @end deftypefun @deftypefun void poly1305_aes_set_nonce (struct poly1305_aes_ctx *@var{ctx}, const uint8_t *@var{nonce}) Sets the nonce. Calling this function is optional, since the nonce is incremented automatically for each message. @end deftypefun @deftypefun void poly1305_aes_update (struct poly1305_aes_ctx *@var{ctx}, size_t @var{length}, const uint8_t *@var{data}) Process more data. @end deftypefun @deftypefun void poly1305_aes_digest (struct poly1305_aes_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{digest}) Extracts the digest. If @var{length} is smaller than @code{POLY1305_AES_DIGEST_SIZE}, only the first @var{length} octets are written. Also increments the nonce, and prepares the context for processing a new message. @end deftypefun @node Key derivation functions @section Key derivation Functions @cindex Key Derivation Function A @dfn{key derivation function} (@acronym{KDF}) is a function that from a given symmetric key derives other symmetric keys. A sub-class of KDFs is the @dfn{password-based key derivation functions} (@acronym{PBKDFs}), which take as input a password or passphrase, and its purpose is typically to strengthen it and protect against certain pre-computation attacks by using salting and expensive computation. @subsection HKDF: HMAC-based Extract-and-Expand @cindex HKDF HKDF is a key derivation function used as a building block of higher-level protocols like TLS 1.3. It is a derivation function based on HMAC described in @cite{RFC 5869}, and is split into two logical modules, called 'extract' and 'expand'. The extract module takes an initial secret and a random salt to "extract" a fixed-length pseudorandom key (PRK). The second stage takes as input the previous PRK and some informational data (e.g., text) and expands them into multiple keys. Nettle's @acronym{HKDF} functions are defined in @file{}. There are two abstract functions for the extract and expand operations that operate on any HMAC implemented via the @code{nettle_hash_update_func}, and @code{nettle_hash_digest_func} interfaces. @deftypefun void hkdf_extract (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size,size_t secret_size, const uint8_t *secret, uint8_t *dst) Extract a Pseudorandom Key (PRK) from a secret and a salt according to HKDF. The HMAC must have been initialized, with its key being the salt for the Extract operation. This function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} context parameter as an argument in order to compute digest of size @var{digest_size}. Inputs are the secret @var{secret} of length @var{secret_length}. The output length is fixed to @var{digest_size} octets, thus the output buffer @var{dst} must have room for at least @var{digest_size} octets. @end deftypefun @deftypefun void hkdf_expand (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst) Expand a Pseudorandom Key (PRK) to an arbitrary size according to HKDF. The HMAC must have been initialized, with its key being the PRK from the Extract operation. This function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} context parameter as an argument in order to compute digest of size @var{digest_size}. Inputs are the info @var{info} of length @var{info_length}, and the desired derived output length @var{length}. The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsection @acronym{PBKDF2} @cindex Password Based Key Derivation Function @cindex PKCS #5 @cindex KDF @cindex PBKDF The most well known PBKDF is the @code{PKCS #5 PBKDF2} described in @cite{RFC 2898} which uses a pseudo-random function such as @acronym{HMAC-SHA1}. Nettle's @acronym{PBKDF2} functions are defined in @file{}. There is an abstract function that operate on any PRF implemented via the @code{nettle_hash_update_func}, @code{nettle_hash_digest_func} interfaces. There is also helper macros and concrete functions PBKDF2-HMAC-SHA1, PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA384 and PBKDF2-HMAC-SHA512. First, the abstract function: @deftypefun void pbkdf2 (void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) Derive symmetric key from a password according to PKCS #5 PBKDF2. The PRF is assumed to have been initialized and this function will call the @var{update} and @var{digest} functions passing the @var{mac_ctx} context parameter as an argument in order to compute digest of size @var{digest_size}. Inputs are the salt @var{salt} of length @var{salt_length}, the iteration counter @var{iterations} (> 0), and the desired derived output length @var{length}. The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun Like for CBC and HMAC, there is a macro to help use the function correctly. @deffn Macro PBKDF2 (@var{ctx}, @var{update}, @var{digest}, @var{digest_size}, @var{iterations}, @var{salt_length}, @var{salt}, @var{length}, @var{dst}) @var{ctx} is a pointer to a context struct passed to the @var{update} and @var{digest} functions (of the types @code{nettle_hash_update_func} and @code{nettle_hash_digest_func} respectively) to implement the underlying PRF with digest size of @var{digest_size}. Inputs are the salt @var{salt} of length @var{salt_length}, the iteration counter @var{iterations} (> 0), and the desired derived output length @var{length}. The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deffn @subsection Concrete @acronym{PBKDF2} functions Now we come to the specialized @acronym{PBKDF2} functions, which are easier to use than the general @acronym{PBKDF2} function. @subsubsection @acronym{PBKDF2-HMAC-SHA1} @deftypefun void pbkdf2_hmac_sha1 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA1. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsubsection @acronym{PBKDF2-HMAC-SHA256} @deftypefun void pbkdf2_hmac_sha256 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA256. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsubsection @acronym{PBKDF2-HMAC-SHA384} @deftypefun void pbkdf2_hmac_sha384 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA384. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsubsection @acronym{PBKDF2-HMAC-SHA512} @deftypefun void pbkdf2_hmac_sha512 (size_t @var{key_length}, const uint8_t *@var{key}, unsigned @var{iterations}, size_t @var{salt_length}, const uint8_t *@var{salt}, size_t @var{length}, uint8_t *@var{dst}) PBKDF2 with HMAC-SHA512. Derive @var{length} bytes of key into buffer @var{dst} using the password @var{key} of length @var{key_length} and salt @var{salt} of length @var{salt_length}, with iteration counter @var{iterations} (> 0). The output buffer is @var{dst} which must have room for at least @var{length} octets. @end deftypefun @subsection @acronym{BALLOON} @cindex Balloon password-hashing algorithm Balloon is a memory-hard password-hashing algorithm. An in-depth description of the algorithm and its properties can be found in an online research paper: Boneh, D., Corrigan-Gibbs, H., Schechter, S. (2017, May 12). Balloon Hashing: A Memory-Hard Function Providing Provable Protection Against Sequential Attacks. Retrieved Sep 1, 2022, from @url{https://eprint.iacr.org/2016/027.pdf} Nettle's definition of the @acronym{BALLOON} algorithm can be found in @file{}. There is a general @acronym{BALLOON} function where the user can specify desired hash algorithm that will be used by the function. There are also concrete, more user-friendly functions that use common hash algorithms like SHA1, SHA256, SHA384 and SHA512. There is also a utility function which helps to determine the size of the working buffer that must be provided as one of the inputs. Each @acronym{BALLOON} function takes as an input a password and a salt of arbitrary lengths, a time and a space parameters, and a scratch buffer. The space parameter @var{s_cost} determines how many blocks of working space the algorithm will require during its computation. It is common to set @var{s_cost} to a high value in order to increase the cost of hardware accelerators built by the adversary. The time parameter @var{t_cost} determines the number of rounds of computation that the algorithm will perform. This can be used to further increase the cost of computation without raising the memory requirement. Scratch buffer @var{scratch} is a user allocated working space required by the algorithm. To determine the required size of the scratch buffer use the utility function @code{balloon_itch}. Output of @acronym{BALLOON} algorithm will be written into the output buffer @var{dst} that has to be at least @var{digest_size} bytes long. Note that it is safe to use the same buffer for both @var{scratch} and @var{dst}. Next follows the description of the general @acronym{BALLOON} function. @deftypefun void balloon (void *@var{hash_ctx}, nettle_hash_update_func *@var{update}, nettle_hash_digest_func *@var{digest}, size_t @var{digest_size}, size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) Compute hash of given password @var{passwd} of length @var{passwd_length} salted with @var{salt} of length @var{salt_length} and write @var{digest_size} bytes into the output buffer @var{dst}. Parameter @var{hash_ctx} is a context for the underlying hash function, which much be initialized by the caller. @var{update} and @var{digest} are the update and digest functions of the chosen hash algorithm. @var{digest_size} is the digest size of the chosen hash algorithm and determines the size of the output. @end deftypefun @deftypefun size_t balloon_itch (size_t @var{digest_size}, size_t @var{s_cost}) Compute the size of the scratch buffer @var{scratch}. @var{digest_size} is the digest size of the chosen hash algorithm. @var{s_cost} is the space parameter used by the @code{balloon} function. @end deftypefun @subsection Concrete @acronym{BALLOON} functions Here follows a list of the specialized @acronym{BALLOON} functions, which are more user-friendly variants of the general function. @subsubsection @acronym{BALLOON-SHA1} @deftypefun void balloon_sha1 (size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) @acronym{BALLOON} algorithm using SHA1 as the underlying hash function. @end deftypefun @subsubsection @acronym{BALLOON-SHA256} @deftypefun void balloon_sha256 (size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) @acronym{BALLOON} algorithm using SHA256 as the underlying hash function. @end deftypefun @subsubsection @acronym{BALLOON-SHA384} @deftypefun void balloon_sha384 (size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) @acronym{BALLOON} algorithm using SHA384 as the underlying hash function. @end deftypefun @subsubsection @acronym{BALLOON-SHA512} @deftypefun void balloon_sha512 (size_t @var{s_cost}, size_t @var{t_cost}, size_t @var{passwd_length}, const uint8_t *@var{passwd}, size_t @var{salt_length}, const uint8_t *@var{salt}, uint8_t *@var{scratch}, uint8_t *@var{dst}) @acronym{BALLOON} algorithm using SHA512 as the underlying hash function. @end deftypefun @node Public-key algorithms @section Public-key algorithms Nettle uses @acronym{GMP}, the GNU bignum library, for all calculations with large numbers. In order to use the public-key features of Nettle, you must install @acronym{GMP}, at least version 3.0, before compiling Nettle, and you need to link your programs with @code{-lhogweed -lnettle -lgmp}. The concept of @dfn{Public-key} encryption and digital signatures was discovered by Whitfield Diffie and Martin E. Hellman and described in a paper 1976. In traditional, ``symmetric'', cryptography, sender and receiver share the same keys, and these keys must be distributed in a secure way. And if there are many users or entities that need to communicate, each @emph{pair} needs a shared secret key known by nobody else. @cindex Public Key Cryptography @cindex One-way function Public-key cryptography uses trapdoor one-way functions. A @dfn{one-way function} is a function @code{F} such that it is easy to compute the value @code{F(x)} for any @code{x}, but given a value @code{y}, it is hard to compute a corresponding @code{x} such that @code{y = F(x)}. Two examples are cryptographic hash functions, and exponentiation in certain groups. A @dfn{trapdoor one-way function} is a function @code{F} that is one-way, unless one knows some secret information about @code{F}. If one knows the secret, it is easy to compute both @code{F} and it's inverse. If this sounds strange, look at the @acronym{RSA} example below. Two important uses for one-way functions with trapdoors are public-key encryption, and digital signatures. The public-key encryption functions in Nettle are not yet documented; the rest of this chapter is about digital signatures. To use a digital signature algorithm, one must first create a @dfn{key-pair}: A public key and a corresponding private key. The private key is used to sign messages, while the public key is used for verifying that that signatures and messages match. Some care must be taken when distributing the public key; it need not be kept secret, but if a bad guy is able to replace it (in transit, or in some user's list of known public keys), bad things may happen. There are two operations one can do with the keys. The signature operation takes a message and a private key, and creates a signature for the message. A signature is some string of bits, usually at most a few thousand bits or a few hundred octets. Unlike paper-and-ink signatures, the digital signature depends on the message, so one can't cut it out of context and glue it to a different message. The verification operation takes a public key, a message, and a string that is claimed to be a signature on the message, and returns true or false. If it returns true, that means that the three input values matched, and the verifier can be sure that someone went through with the signature operation on that very message, and that the ``someone'' also knows the private key corresponding to the public key. The desired properties of a digital signature algorithm are as follows: Given the public key and pairs of messages and valid signatures on them, it should be hard to compute the private key, and it should also be hard to create a new message and signature that is accepted by the verification operation. Besides signing meaningful messages, digital signatures can be used for authorization. A server can be configured with a public key, such that any client that connects to the service is given a random nonce message. If the server gets a reply with a correct signature matching the nonce message and the configured public key, the client is granted access. So the configuration of the server can be understood as ``grant access to whoever knows the private key corresponding to this particular public key, and to no others''. @menu * RSA:: The RSA public key algorithm. * DSA:: The DSA digital signature algorithm. * Elliptic curves:: Elliptic curves and ECDSA @end menu @node RSA @subsection @acronym{RSA} The @acronym{RSA} algorithm was the first practical digital signature algorithm that was constructed. It was described 1978 in a paper by Ronald Rivest, Adi Shamir and L.M. Adleman, and the technique was also patented in the @acronym{USA} in 1983. The patent expired on September 20, 2000, and since that day, @acronym{RSA} can be used freely, even in the @acronym{USA}. It's remarkably simple to describe the trapdoor function behind @acronym{RSA}. The ``one-way''-function used is @example F(x) = x^e mod n @end example I.e. raise x to the @code{e}'th power, while discarding all multiples of @code{n}. The pair of numbers @code{n} and @code{e} is the public key. @code{e} can be quite small, even @code{e = 3} has been used, although slightly larger numbers are recommended. @code{n} should be about 2000 bits or larger. If @code{n} is large enough, and properly chosen, the inverse of F, the computation of @code{e}'th roots modulo @code{n}, is very difficult. But, where's the trapdoor? Let's first look at how @acronym{RSA} key-pairs are generated. First @code{n} is chosen as the product of two large prime numbers @code{p} and @code{q} of roughly the same size (so if @code{n} is 2000 bits, @code{p} and @code{q} are about 1000 bits each). One also computes the number @code{phi = (p-1)(q-1)}, in mathematical speak, @code{phi} is the order of the multiplicative group of integers modulo n. Next, @code{e} is chosen. It must have no factors in common with @code{phi} (in particular, it must be odd), but can otherwise be chosen more or less randomly. @code{e = 65537} is a popular choice, because it makes raising to the @code{e}'th power particularly efficient, and being prime, it usually has no factors common with @code{phi}. Finally, a number @code{d}, @code{d < n} is computed such that @code{e d mod phi = 1}. It can be shown that such a number exists (this is why @code{e} and @code{phi} must have no common factors), and that for all x, @example (x^e)^d mod n = x^(ed) mod n = (x^d)^e mod n = x @end example Using Euclid's algorithm, @code{d} can be computed quite easily from @code{phi} and @code{e}. But it is still hard to get @code{d} without knowing @code{phi}, which depends on the factorization of @code{n}. So @code{d} is the trapdoor, if we know @code{d} and @code{y = F(x)}, we can recover x as @code{y^d mod n}. @code{d} is also the private half of the @acronym{RSA} key-pair. The most common signature operation for @acronym{RSA} is defined in @cite{PKCS#1}, a specification by RSA Laboratories. The message to be signed is first hashed using a cryptographic hash function, e.g. @acronym{MD5} or @acronym{SHA1}. Next, some padding, the @acronym{ASN.1} ``Algorithm Identifier'' for the hash function, and the message digest itself, are concatenated and converted to a number @code{x}. The signature is computed from @code{x} and the private key as @code{s = x^d mod n}@footnote{Actually, the computation is not done like this, it is done more efficiently using @code{p}, @code{q} and the Chinese remainder theorem (@acronym{CRT}). But the result is the same.}. The signature, @code{s} is a number of about the same size of @code{n}, and it usually encoded as a sequence of octets, most significant octet first. The verification operation is straight-forward, @code{x} is computed from the message in the same way as above. Then @code{s^e mod n} is computed, the operation returns true if and only if the result equals @code{x}. The @acronym{RSA} algorithm can also be used for encryption. RSA encryption uses the public key @code{(n,e)} to compute the ciphertext @code{m^e mod n}. The @cite{PKCS#1} padding scheme will use at least 8 random and non-zero octets, using @var{m} of the form @code{[00 02 padding 00 plaintext]}. It is required that @code{m < n}, and therefor the plaintext must be smaller than the octet size of the modulo @code{n}, with some margin. To decrypt the message, one needs the private key to compute @code{m = c^e mod n} followed by checking and removing the padding. @subsubsection Nettle's @acronym{RSA} support Nettle represents @acronym{RSA} keys using two structures that contain large numbers (of type @code{mpz_t}). @deftp {Context struct} {rsa_public_key} size n e @code{size} is the size, in octets, of the modulo, and is used internally. @code{n} and @code{e} is the public key. @end deftp @deftp {Context struct} {rsa_private_key} size d p q a b c @code{size} is the size, in octets, of the modulo, and is used internally. @code{d} is the secret exponent, but it is not actually used when signing. Instead, the factors @code{p} and @code{q}, and the parameters @code{a}, @code{b} and @code{c} are used. They are computed from @code{p}, @code{q} and @code{e} such that @code{a e mod (p - 1) = 1, b e mod (q - 1) = 1, c q mod p = 1}. @end deftp Before use, these structs must be initialized by calling one of @deftypefun void rsa_public_key_init (struct rsa_public_key *@var{pub}) @deftypefunx void rsa_private_key_init (struct rsa_private_key *@var{key}) Calls @code{mpz_init} on all numbers in the key struct. @end deftypefun and when finished with them, the space for the numbers must be deallocated by calling one of @deftypefun void rsa_public_key_clear (struct rsa_public_key *@var{pub}) @deftypefunx void rsa_private_key_clear (struct rsa_private_key *@var{key}) Calls @code{mpz_clear} on all numbers in the key struct. @end deftypefun In general, Nettle's @acronym{RSA} functions deviates from Nettle's ``no memory allocation''-policy. Space for all the numbers, both in the key structs above, and temporaries, are allocated dynamically. For information on how to customize allocation, see @xref{Custom Allocation,,GMP Allocation,gmp, GMP Manual}. When you have assigned values to the attributes of a key, you must call @deftypefun int rsa_public_key_prepare (struct rsa_public_key *@var{pub}) @deftypefunx int rsa_private_key_prepare (struct rsa_private_key *@var{key}) Computes the octet size of the key (stored in the @code{size} attribute, and may also do other basic sanity checks. Returns one if successful, or zero if the key can't be used, for instance if the modulo is smaller than the minimum size needed for @acronym{RSA} operations specified by PKCS#1. @end deftypefun For each operation using the private key, there are two variants, e.g., @code{rsa_sha256_sign} and @code{rsa_sha256_sign_tr}. The former function is older, and it should be avoided, because it provides no defenses against side-channel attacks. The latter function use randomized @acronym{RSA} blinding, which defends against timing attacks using chosen-ciphertext, and it also checks the correctness of the private key computation using the public key, which defends against software or hardware errors which could leak the private key. Before signing or verifying a message, you first hash it with the appropriate hash function. You pass the hash function's context struct to the @acronym{RSA} signature function, and it will extract the message digest and do the rest of the work. There are also alternative functions that take the hash digest as argument. There is currently no support for using SHA224 or SHA384 with @acronym{RSA} signatures, since there's no gain in either computation time nor message size compared to using SHA256 and SHA512, respectively. Creating an @acronym{RSA} signature is done with one of the following functions: @deftypefun int rsa_md5_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct md5_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha1_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha256_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, struct sha512_ctx *@var{hash}, mpz_t @var{signature}) The signature is stored in @var{signature} (which must have been @code{mpz_init}'ed earlier). The hash context is reset so that it can be used for new messages. The @var{random_ctx} and @var{random} pointers are used to generate the @acronym{RSA} blinding. Returns one on success, or zero on failure. Signing fails if an error in the computation was detected, or if the key is too small for the given hash size, e.g., it's not possible to create a signature using SHA512 and a 512-bit @acronym{RSA} key. @end deftypefun @deftypefun int rsa_md5_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, const uint8_t *@var{digest}, mpz_t @var{signature}) Creates a signature from the given hash digest. @var{digest} should point to a digest of size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}respectively. The signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun @deftypefun int rsa_pkcs1_sign_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{digest_info}, mpz_t @var{signature}) Similar to the above @code{_sign_digest_tr} functions, but the input is not the plain hash digest, but a PKCS#1 ``DigestInfo'', an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. @end deftypefun @deftypefun int rsa_md5_sign (const struct rsa_private_key *@var{key}, struct md5_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign (const struct rsa_private_key *@var{key}, struct sha1_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign (const struct rsa_private_key *@var{key}, struct sha256_ctx *@var{hash}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign (const struct rsa_private_key *@var{key}, struct sha512_ctx *@var{hash}, mpz_t @var{signature}) The signature is stored in @var{signature} (which must have been @code{mpz_init}'ed earlier). The hash context is reset so that it can be used for new messages. Returns one on success, or zero on failure. Signing fails if the key is too small for the given hash size, e.g., it's not possible to create a signature using SHA512 and a 512-bit @acronym{RSA} key. @end deftypefun @deftypefun int rsa_md5_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha1_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha256_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_sha512_sign_digest (const struct rsa_private_key *@var{key}, const uint8_t *@var{digest}, mpz_t @var{signature}) Creates a signature from the given hash digest; otherwise analoguous to the above signing functions. @var{digest} should point to a digest of size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}, respectively. The signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun @deftypefun int rsa_pkcs1_sign (const struct rsa_private_key *@var{key}, size_t @var{length}, const uint8_t *@var{digest_info}, mpz_t @var{s}) Similar to the above _sign_digest functions, but the input is not the plain hash digest, but a PKCS#1 ``DigestInfo'', an ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. @end deftypefun Verifying an RSA signature is done with one of the following functions: @deftypefun int rsa_md5_verify (const struct rsa_public_key *@var{key}, struct md5_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha1_verify (const struct rsa_public_key *@var{key}, struct sha1_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha256_verify (const struct rsa_public_key *@var{key}, struct sha256_ctx *@var{hash}, const mpz_t @var{signature}) @deftypefunx int rsa_sha512_verify (const struct rsa_public_key *@var{key}, struct sha512_ctx *@var{hash}, const mpz_t @var{signature}) Returns 1 if the signature is valid, or 0 if it isn't. In either case, the hash context is reset so that it can be used for new messages. @end deftypefun @deftypefun int rsa_md5_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha1_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha256_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_sha512_verify_digest (const struct rsa_public_key *@var{key}, const uint8_t *@var{digest}, const mpz_t @var{signature}) Returns 1 if the signature is valid, or 0 if it isn't. @var{digest} should point to a digest of size @code{MD5_DIGEST_SIZE}, @code{SHA1_DIGEST_SIZE}, @code{SHA256_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE} respectively. @end deftypefun @deftypefun int rsa_pkcs1_verify (const struct rsa_public_key *@var{key}, size_t @var{length}, const uint8_t *@var{digest_info}, const mpz_t @var{signature}) Similar to the above _verify_digest functions, but the input is not the plain hash digest, but a PKCS#1 ``DigestInfo'', and ASN.1 DER-encoding of the digest together with an object identifier for the used hash algorithm. @end deftypefun While the above functions for the RSA signature operations use the @cite{PKCS#1} padding scheme, Nettle also provides the variants based on the PSS padding scheme, specified in @cite{RFC 8017}. These variants take advantage of a randomly choosen salt value, which could enhance the security by causing output to be different for equivalent inputs. However, assuming the same security level as inverting the @acronym{RSA} algorithm, a longer salt value does not always mean a better security @url{https://www.iacr.org/archive/eurocrypt2002/23320268/coron.pdf}. The typical choices of the length are between 0 and the digest size of the underlying hash function. Creating an RSA signature with the PSS padding scheme is done with one of the following functions: @deftypefun int rsa_pss_sha256_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_pss_sha384_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) @deftypefunx int rsa_pss_sha512_sign_digest_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{salt_length}, const uint8_t *@var{salt}, const uint8_t *@var{digest}, mpz_t @var{signature}) Creates a signature using the PSS padding scheme. @var{salt} should point to a salt string of size @var{salt_length}. @var{digest} should point to a digest of size @code{SHA256_DIGEST_SIZE}, @code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE}respectively. The signature is stored in @var{signature} (which must have been @code{mpz_init}:ed earlier). Returns one on success, or zero on failure. @end deftypefun Verifying an RSA signature with the PSS padding scheme is done with one of the following functions: @deftypefun int rsa_pss_sha256_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_pss_sha384_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) @deftypefunx int rsa_pss_sha512_verify_digest (const struct rsa_public_key *@var{key}, size_t @var{salt_length}, const uint8_t *@var{digest}, const mpz_t @var{signature}) Returns 1 if the signature is valid, or 0 if it isn't. @var{digest} should point to a digest of size @code{SHA256_DIGEST_SIZE}, @code{SHA384_DIGEST_SIZE}, or @code{SHA512_DIGEST_SIZE} respectively. @end deftypefun The following function is used to encrypt a clear text message using RSA. @deftypefun int rsa_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{length}, const uint8_t *@var{cleartext}, mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. If the message is too long then this will lead to a failure. @end deftypefun The following function is used to decrypt a cipher text message using RSA. @deftypefun int rsa_decrypt (const struct rsa_private_key *@var{key}, size_t *@var{length}, uint8_t *@var{cleartext}, const mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. Causes of failure include decryption failing or the resulting message being to large. The message buffer pointed to by @var{cleartext} must be of size *@var{length}. After decryption, *@var{length} will be updated with the size of the message. @end deftypefun There is also a timing resistant version of decryption that utilizes randomized RSA blinding. @deftypefun int rsa_decrypt_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t *@var{length}, uint8_t *@var{message}, const mpz_t @var{ciphertext}) Returns 1 on success, 0 on failure. @end deftypefun While the above functions for the RSA encryption operations use the @cite{PKCS#1} padding scheme, Nettle also provides the variants based on the OAEP padding scheme, specified in @cite{RFC 8017}. These variants take advantage of a randomly choosen seed value, which could enhance the security by causing output to be different for equivalent inputs. Encrypting a clear text message using RSA with the OAEP padding scheme is done with one of the following functions: @deftypefun int rsa_oaep_sha256_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t @var{length}, const uint8_t *@var{message}, uint8_t *@var{ciphertext}) @deftypefunx int rsa_oaep_sha384_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t @var{length}, const uint8_t *@var{message}, uint8_t *@var{ciphertext}) @deftypefunx int rsa_oaep_sha512_encrypt (const struct rsa_public_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t @var{length}, const uint8_t *@var{message}, uint8_t *@var{ciphertext}) Returns 1 on success, 0 on failure. The label is optional and if omitted, @var{label_length} and @var{label} is set to 0 and @code{NULL} respectively. The maximum size of @var{message} can be calculated with @code{k - 2 * hLen - 2}, where @code{k} is the key size in octets obtained with @var{key}->size, and @code{hLen} is the output size of the underlying hash function (e.g., @code{SHA256_DIGEST_SIZE} for @code{rsa_oaep_sha256_encrypt}). @end deftypefun Decrypting a cipher text message using RSA with the OAEP padding scheme is done with one of the following functions: @deftypefun int rsa_oaep_sha256_decrypt (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t *@var{length}, uint8_t *@var{message}, const uint8_t *@var{ciphertext}) @deftypefunx int rsa_oaep_sha384_decrypt (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t *@var{length}, uint8_t *@var{message}, const uint8_t *@var{ciphertext}) @deftypefunx int rsa_oaep_sha512_decrypt (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{label_length}, const uint8_t *@var{label}, size_t *@var{length}, uint8_t *@var{message}, const uint8_t *@var{ciphertext}) Returns 1 on success, 0 on failure. These function utilize randomized RSA blinding similarly to @code{rsa_decrypt_tr}. The message buffer pointed to by @var{cleartext} must be of size *@var{length}. After decryption, *@var{length} will be updated with the size of the message. @end deftypefun If you need to use the @acronym{RSA} trapdoor, the private key, in a way that isn't supported by the above functions Nettle also includes a function that computes @code{x^d mod n} and nothing more, using the @acronym{CRT} optimization. @deftypefun int rsa_compute_root_tr (const struct rsa_public_key *@var{pub}, const struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, mpz_t @var{x}, const mpz_t @var{m}) Computes @code{x = m^d}. Returns one on success, or zero if a failure in the computation was detected. @end deftypefun @deftypefun void rsa_compute_root (struct rsa_private_key *@var{key}, mpz_t @var{x}, const mpz_t @var{m}) Computes @code{x = m^d}. @end deftypefun At last, how do you create new keys? @deftypefun int rsa_generate_keypair (struct rsa_public_key *@var{pub}, struct rsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, void *@var{progress_ctx}, nettle_progress_func @var{progress}, unsigned @var{n_size}, unsigned @var{e_size}) There are lots of parameters. @var{pub} and @var{key} is where the resulting key pair is stored. The structs should be initialized, but you don't need to call @code{rsa_public_key_prepare} or @code{rsa_private_key_prepare} after key generation. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @var{progress} and @var{progress_ctx} can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. @var{progress} can be NULL, in that case there are no callbacks. @var{size_n} is the desired size of the modulo, in bits. If @var{size_e} is non-zero, it is the desired size of the public exponent and a random exponent of that size is selected. But if @var{e_size} is zero, it is assumed that the caller has already chosen a value for @code{e}, and stored it in @var{pub}. Returns one on success, and zero on failure. The function can fail for example if if @var{n_size} is too small, or if @var{e_size} is zero and @code{pub->e} is an even number. @end deftypefun @node DSA @subsection @acronym{DSA} The @acronym{DSA} digital signature algorithm is more complex than @acronym{RSA}. It was specified during the early 1990s, and in 1994 NIST published @acronym{FIPS} 186 which is the authoritative specification. Sometimes @acronym{DSA} is referred to using the acronym @acronym{DSS}, for Digital Signature Standard. The most recent revision of the specification, FIPS186-3, was issued in 2009, and it adds support for larger hash functions than @acronym{sha1}. For @acronym{DSA}, the underlying mathematical problem is the computation of discrete logarithms. The public key consists of a large prime @code{p}, a small prime @code{q} which is a factor of @code{p-1}, a number @code{g} which generates a subgroup of order @code{q} modulo @code{p}, and an element @code{y} in that subgroup. In the original @acronym{DSA}, the size of @code{q} is fixed to 160 bits, to match with the @acronym{SHA1} hash algorithm. The size of @code{p} is in principle unlimited, but the standard specifies only nine specific sizes: @code{512 + l*64}, where @code{l} is between 0 and 8. Thus, the maximum size of @code{p} is 1024 bits, and sizes less than 1024 bits are considered obsolete and not secure. The subgroup requirement means that if you compute @example g^t mod p @end example for all possible integers @code{t}, you will get precisely @code{q} distinct values. The private key is a secret exponent @code{x}, such that @example g^x = y mod p @end example In mathematical speak, @code{x} is the @dfn{discrete logarithm} of @code{y} mod @code{p}, with respect to the generator @code{g}. The size of @code{x} will also be about the same size as @code{q}. The security of the @acronym{DSA} algorithm relies on the difficulty of the discrete logarithm problem. Current algorithms to compute discrete logarithms in this setting, and hence crack @acronym{DSA}, are of two types. The first type works directly in the (multiplicative) group of integers mod @code{p}. The best known algorithm of this type is the Number Field Sieve, and it's complexity is similar to the complexity of factoring numbers of the same size as @code{p}. The other type works in the smaller @code{q}-sized subgroup generated by @code{g}, which has a more difficult group structure. One good algorithm is Pollard-rho, which has complexity @code{sqrt(q)}. The important point is that security depends on the size of @emph{both} @code{p} and @code{q}, and they should be chosen so that the difficulty of both discrete logarithm methods are comparable. Today, the security margin of the original @acronym{DSA} may be uncomfortably small. Using a @code{p} of 1024 bits implies that cracking using the number field sieve is expected to take about the same time as factoring a 1024-bit @acronym{RSA} modulo, and using a @code{q} of size 160 bits implies that cracking using Pollard-rho will take roughly @code{2^80} group operations. With the size of @code{q} fixed, tied to the @acronym{SHA1} digest size, it may be tempting to increase the size of @code{p} to, say, 4096 bits. This will provide excellent resistance against attacks like the number field sieve which works in the large group. But it will do very little to defend against Pollard-rho attacking the small subgroup; the attacker is slowed down at most by a single factor of 10 due to the more expensive group operation. And the attacker will surely choose the latter attack. The signature generation algorithm is randomized; in order to create a @acronym{DSA} signature, you need a good source for random numbers (@pxref{Randomness}). Let us describe the common case of a 160-bit @code{q}. To create a signature, one starts with the hash digest of the message, @code{h}, which is a 160 bit number, and a random number @code{k, 0}. A @acronym{DSA} group is represented using the following struct. @deftp {Context struct} {dsa_params} p q g Parameters of the @acronym{DSA} group. @end deftp @deftypefun void dsa_params_init (struct dsa_params *@var{params}) Calls @code{mpz_init} on all numbers in the struct. @end deftypefun @deftypefun void dsa_params_clear (struct dsa_params *@var{params}params) Calls @code{mpz_clear} on all numbers in the struct. @end deftypefun @deftypefun int dsa_generate_params (struct dsa_params *@var{params}, void *@var{random_ctx}, nettle_random_func *@var{random}, void *@var{progress_ctx}, nettle_progress_func *@var{progress}, unsigned @var{p_bits}, unsigned @var{q_bits}) Generates parameters of a new group. The @var{params} struct should be initialized before you call this function. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @var{progress} and @var{progress_ctx} can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. @var{progress} can be NULL, in that case there are no callbacks. @var{p_bits} and @var{q_bits} are the desired sizes of @code{p} and @code{q}. To generate keys that conform to the original @acronym{DSA} standard, you must use @code{q_bits = 160} and select @var{p_bits} of the form @code{p_bits = 512 + l*64}, for @code{0 <= l <= 8}, where the smaller sizes are no longer recommended, so you should most likely stick to @code{p_bits = 1024}. Non-standard sizes are possible, in particular @code{p_bits} larger than 1024, although @acronym{DSA} implementations can not in general be expected to support such keys. Also note that using very large @var{p_bits}, with @var{q_bits} fixed at 160, doesn't make much sense, because the security is also limited by the size of the smaller prime. To generate @acronym{DSA} keys for use with @acronym{SHA256}, use @code{q_bits = 256} and, e.g., @code{p_bits = 2048}. Returns one on success, and zero on failure. The function will fail if @var{q_bits} is too small, or too close to @var{p_bits}. @end deftypefun Signatures are represented using the structure below. @deftp {Context struct} {dsa_signature} r s The @var{r} and @var{s} fields are both of type @code{mpz_t}. @end deftp @deftypefun void dsa_signature_init (struct dsa_signature *@var{signature}) @deftypefunx void dsa_signature_clear (struct dsa_signature *@var{signature}) You must call @code{dsa_signature_init} before creating or using a signature, and call @code{dsa_signature_clear} when you are finished with it. @end deftypefun Keys are represented as bignums, of type @code{mpz_t}. A public key represents a group element, and is of the same size as @code{p}, while a private key is an exponent, of the same size as @code{q}. @deftypefun int dsa_sign (const struct dsa_params *@var{params}, const mpz_t @var{x}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_size}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Creates a signature from the given hash digest, using the private key @var{x}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. Returns one on success, or zero on failure. Signing can fail only if the key is invalid, so that inversion modulo @code{q} fails. @end deftypefun @deftypefun int dsa_verify (const struct dsa_params *@var{params}, const mpz_t @var{y}, size_t @var{digest_size}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Verifies a signature, using the public key y. Returns 1 if the signature is valid, otherwise 0. @end deftypefun To generate a keypair, first generate a @acronym{DSA} group using @code{dsa_generate_params}. A keypair in this group is then created using @deftypefun void dsa_generate_keypair (const struct dsa_params *@var{params}, mpz_t @var{pub}, mpz_t @var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) Generates a new keypair, using the group @var{params}. The public key is stored in @var{pub}, and the private key in @var{key}. Both variables must be initialized using @code{mpz_init} before this call. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @end deftypefun @subsubsection Old, deprecated, @acronym{DSA} interface Versions before nettle-3.0 used a different interface for @acronym{DSA} signatures, where the group parameters and the public key was packed together as @code{struct dsa_public_key}. Most of this interface is kept for backwards compatibility, and declared in @file{nettle/dsa-compat.h}. Below is the old documentation. The old and new interface use distinct names and don't confict, with one exception: The key generation function. The @file{nettle/dsa-compat.h} redefines @code{dsa_generate_keypair} as an alias for @code{dsa_compat_generate_keypair}, compatible with the old interface and documented below. The old @acronym{DSA} functions are very similar to the corresponding @acronym{RSA} functions, but there are a few differences pointed out below. For a start, there are no functions corresponding to @code{rsa_public_key_prepare} and @code{rsa_private_key_prepare}. @deftp {Context struct} {dsa_public_key} p q g y The public parameters described above. @end deftp @deftp {Context struct} {dsa_private_key} x The private key @code{x}. @end deftp Before use, these structs must be initialized by calling one of @deftypefun void dsa_public_key_init (struct dsa_public_key *@var{pub}) @deftypefunx void dsa_private_key_init (struct dsa_private_key *@var{key}) Calls @code{mpz_init} on all numbers in the key struct. @end deftypefun When finished with them, the space for the numbers must be deallocated by calling one of @deftypefun void dsa_public_key_clear (struct dsa_public_key *@var{pub}) @deftypefunx void dsa_private_key_clear (struct dsa_private_key *@var{key}) Calls @code{mpz_clear} on all numbers in the key struct. @end deftypefun Signatures are represented using @code{struct dsa_signature}, described earlier. For signing, you need to provide both the public and the private key (unlike @acronym{RSA}, where the private key struct includes all information needed for signing), and a source for random numbers. Signatures can use the @acronym{SHA1} or the @acronym{SHA256} hash function, although the implementation of @acronym{DSA} with @acronym{SHA256} should be considered somewhat experimental due to lack of official test vectors and interoperability testing. @deftypefun int dsa_sha1_sign (const struct dsa_public_key *@var{pub}, const struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, struct sha1_ctx *@var{hash}, struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha1_sign_digest (const struct dsa_public_key *@var{pub}, const struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha256_sign (const struct dsa_public_key *@var{pub}, const struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, struct sha256_ctx *@var{hash}, struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha256_sign_digest (const struct dsa_public_key *@var{pub}, const struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Creates a signature from the given hash context or digest. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. Returns one on success, or zero on failure. Signing fails if the key size and the hash size don't match. @end deftypefun Verifying signatures is a little easier, since no randomness generator is needed. The functions are @deftypefun int dsa_sha1_verify (const struct dsa_public_key *@var{key}, struct sha1_ctx *@var{hash}, const struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha1_verify_digest (const struct dsa_public_key *@var{key}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha256_verify (const struct dsa_public_key *@var{key}, struct sha256_ctx *@var{hash}, const struct dsa_signature *@var{signature}) @deftypefunx int dsa_sha256_verify_digest (const struct dsa_public_key *@var{key}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Verifies a signature. Returns 1 if the signature is valid, otherwise 0. @end deftypefun Key generation uses mostly the same parameters as the corresponding @acronym{RSA} function. @deftypefun int dsa_compat_generate_keypair (struct dsa_public_key *@var{pub}, struct dsa_private_key *@var{key}, void *@var{random_ctx}, nettle_random_func @var{random}, void *@var{progress_ctx}, nettle_progress_func @var{progress}, unsigned @var{p_bits}, unsigned @var{q_bits}) @var{pub} and @var{key} is where the resulting key pair is stored. The structs should be initialized before you call this function. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @var{progress} and @var{progress_ctx} can be used to get callbacks during the key generation process, in order to uphold an illusion of progress. @var{progress} can be NULL, in that case there are no callbacks. @var{p_bits} and @var{q_bits} are the desired sizes of @code{p} and @code{q}. See @code{dsa_generate_keypair} for details. @end deftypefun @node Elliptic curves @subsection Elliptic curves For cryptographic purposes, an elliptic curve is a mathematical group of points, and computing logarithms in this group is computationally difficult problem. Nettle uses additive notation for elliptic curve groups. If @math{P} and @math{Q} are two points, and @math{k} is an integer, the point sum, @math{P + Q}, and the multiple @math{k P} can be computed efficiently, but given only two points @math{P} and @math{Q}, finding an integer @math{k} such that @math{Q = k P} is the elliptic curve discrete logarithm problem. Nettle supports standard curves which are all of the form @math{y^2 = x^3 - 3 x + b @pmod{p}}, i.e., the points have coordinates @math{(x,y)}, both considered as integers modulo a specified prime @math{p}. Curves are represented as a @code{struct ecc_curve}. It also supports curve25519, which uses a different form of curve. Supported curves are declared in @file{}, e.g., call @code{nettle_get_secp_256r1} for a standardized curve using the 256-bit prime @math{p = 2^{256} - 2^{224} + 2^{192} + 2^{96} - 1}. The contents of these structs is not visible to nettle users. The ``bitsize of the curve'' is used as a shorthand for the bitsize of the curve's prime @math{p}, e.g., 256 bits for the SECP 256R1 curve. @menu * Side-channel silence:: * ECDSA:: * GOSTDSA:: * Curve 25519 and Curve 448:: @end menu @node Side-channel silence @subsubsection Side-channel silence @cindex Side-channel attack Nettle's implementation of the elliptic curve operations is intended to be side-channel silent. The side-channel attacks considered are: @itemize @item Timing attacks If the timing of operations depends on secret values, an attacker interacting with your system can measure the response time, and infer information about your secrets, e.g., a private signature key. @item Attacks using memory caches Assume you have some secret data on a multi-user system, and that this data is properly protected so that other users get no direct access to it. If you have a process operating on the secret data, and this process does memory accesses depending on the data, e.g, an internal lookup table in some cryptographic algorithm, an attacker running a separate process on the same system may use behavior of internal CPU caches to get information about your secrets. This type of attack can even cross virtual machine boundaries. @end itemize Nettle's ECC implementation is designed to be @dfn{side-channel silent}, and not leak any information to these attacks. Timing and memory accesses depend only on the size of the input data and its location in memory, not on the actual data bits. This implies a performance penalty in several of the building blocks. @node ECDSA @subsubsection ECDSA ECDSA is a variant of the DSA digital signature scheme (@pxref{DSA}), which works over an elliptic curve group rather than over a (subgroup of) integers modulo @math{p}. Like DSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). Unlike DSA, signatures are in general not tied to any particular hash function or even hash size. Any hash function can be used, and the hash value is truncated or padded as needed to get a size matching the curve being used. It is recommended to use a strong cryptographic hash function with digest size close to the bit size of the curve, e.g., SHA256 is a reasonable choice when using ECDSA signature over the curve secp256r1. A protocol or application using ECDSA has to specify which curve and which hash function to use, or provide some mechanism for negotiating. Nettle defines ECDSA in @file{}. We first need to define the data types used to represent public and private keys. @deftp {struct} {struct ecc_point} Represents a point on an elliptic curve. In particular, it is used to represent an ECDSA public key. @end deftp @deftypefun void ecc_point_init (struct ecc_point *@var{p}, const struct ecc_curve *@var{ecc}) Initializes @var{p} to represent points on the given curve @var{ecc}. Allocates storage for the coordinates, using the same allocation functions as GMP. @end deftypefun @deftypefun void ecc_point_clear (struct ecc_point *@var{p}) Deallocate storage allocated by previous ecc_point_init. @end deftypefun @deftypefun int ecc_point_set (struct ecc_point *@var{p}, const mpz_t @var{x}, const mpz_t @var{y}) Check that the given coordinates represent a point on the curve. If so, the coordinates are copied and converted to internal representation, and the function returns 1. Otherwise, it returns 0. Currently, the infinity point (or zero point, with additive notation) is not allowed. @end deftypefun @deftypefun void ecc_point_get (const struct ecc_point *@var{p}, mpz_t @var{x}, mpz_t @var{y}) Extracts the coordinate of the point @var{p}. The output parameters @var{x} or @var{y} may be NULL if the caller doesn't want that coordinate. @end deftypefun @deftp {struct} {struct ecc_scalar} Represents an integer in the range @math{0 < x < group order}, where the ``group order'' refers to the order of an ECC group. In particular, it is used to represent an ECDSA private key. @end deftp @deftypefun void ecc_scalar_init (struct ecc_scalar *@var{s}, const struct ecc_curve *@var{ecc}) Initializes @var{s} to represent a scalar suitable for the given curve @var{ecc}. Allocates storage using the same allocation functions as GMP. @end deftypefun @deftypefun void ecc_scalar_clear (struct ecc_scalar *@var{s}) Deallocate the storage allocated by previous ecc_scalar_init. @end deftypefun @deftypefun int ecc_scalar_set (struct ecc_scalar *@var{s}, const mpz_t @var{z}) Check that @var{z} is in the correct range. If so, copies the value to @var{s} and returns 1, otherwise returns 0. @end deftypefun @deftypefun void ecc_scalar_get (const struct ecc_scalar *@var{s}, mpz_t @var{z}) Extracts the scalar, in GMP @code{mpz_t} representation. @end deftypefun To create and verify ECDSA signatures, the following functions are used. @deftypefun void ecdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Uses the private key @var{key} to create a signature of @var{digest}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. The signature is stored in @var{signature}, in the same way as for plain DSA. @end deftypefun @deftypefun int ecdsa_verify (const struct ecc_point *@var{pub}, size_t @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Uses the public key @var{pub} to verify that @var{signature} is a valid signature for the message digest @var{digest} (of @var{length} octets). Returns 1 if the signature is valid, otherwise 0. @end deftypefun Finally, generating a new ECDSA key pair: @deftypefun void ecdsa_generate_keypair (struct ecc_point *@var{pub}, struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}) @var{pub} and @var{key} is where the resulting key pair is stored. The structs should be initialized, for the desired ECC curve, before you call this function. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. For advice, see @xref{Randomness}. @end deftypefun @node GOSTDSA @subsubsection GOSTDSA @cindex GOST DSA GOSTDSA (GOST R 34.10-2001, GOST R 34.10-2012) is a variant of the DSA (@pxref{DSA}) and ECDSA (@pxref{ECDSA}) digital signature schemes, which works over an elliptic curve group. Original documents are written in Russian. English translations are provided in @cite{RFC 5832} and @cite{RFC 7091}. While technically nothing stops one from using GOSTDSA over any curve, it is defined only over several 256 and 512-bit curves. Like DSA and ECDSA, creating a signature requires a unique random nonce (repeating the nonce with two different messages reveals the private key, and any leak or bias in the generation of the nonce also leaks information about the key). GOST R 34.10-2001 was defined to use GOST R 34.11-94 hash function (GOSTHASH94 and GOSTHASH94CP, @cite{RFC 5831}). GOST R 34.10-2012 is defined to use GOST R 34.11-2012 hash function (Streebog, @cite{RFC 6986}) of corresponding size (256 or 512) depending on curve size. Nettle defines GOSTDSA in @file{}. GOSTDSA reuses ECDSA data types (@code{struct ecc_point}, @code{struct ecc_scalar}) to represent public and private keys. Also to generate a new GOSTDSA key pair one has to use @code{ecdsa_generate_keypair()} function. To create and verify GOSTDSA signatures, the following functions are used. @deftypefun void gostdsa_sign (const struct ecc_scalar *@var{key}, void *@var{random_ctx}, nettle_random_func *@var{random}, size_t @var{digest_length}, const uint8_t *@var{digest}, struct dsa_signature *@var{signature}) Uses the private key @var{key} to create a signature of @var{digest}. @var{random_ctx} and @var{random} is a randomness generator. @code{random(random_ctx, length, dst)} should generate @code{length} random octets and store them at @code{dst}. The signature is stored in @var{signature}, in the same was as for plain DSA. @end deftypefun @deftypefun int gostdsa_verify (const struct ecc_point *@var{pub}, size_t @var{length}, const uint8_t *@var{digest}, const struct dsa_signature *@var{signature}) Uses the public key @var{pub} to verify that @var{signature} is a valid signature for the message digest @var{digest} (of @var{length} octets). Returns 1 if the signature is valid, otherwise 0. @end deftypefun For historical reason several curve IDs (OIDs) may correspond to a single curve/generator combination. Following list defines correspondence between nettle's view on curves and actual identifiers defined in @cite{RFC 4357} and @cite{RFC 7836}. @deftypefun {const struct ecc_curve} nettle_get_gost_gc256b (void) Returns curve corresponding to following identifiers: @itemize @item id-GostR3410-2001-CryptoPro-A-ParamSet (@cite{RFC 4357}) @item id-GostR3410-2001-CryptoPro-XchA-ParamSet (@cite{RFC 4357}) @item id-tc26-gost-3410-12-256-paramSetB @end itemize @end deftypefun @deftypefun {const struct ecc_curve} nettle_get_gost_gc512a (void) Returns curve corresponding to following identifiers: @itemize @item id-tc26-gost-3410-12-512-paramSetA (@cite{RFC 7836}) @end itemize @end deftypefun For GOST key pairs key derivation/key agreement function (VKO) is defined in @cite{RFC 4357} and @cite{RFC 7836}. Basically shared key is equal to hash(cofactor * ukm * priv * pub). Nettle library provides a function that does multiplication. Caller should do hashing on his own (it will be either GOST R 34.11-94 (@pxref{GOSTHASH94CP}) or GOST R 34.11-2012, Streebog, which nor part of the library yet). @deftypefun void gostdsa_vko (const struct ecc_scalar *@var{priv}, const struct ecc_point *@var{pub}, size_t @var{ukm_length}, const uint8_t *@var{ukm}, uint8_t *@var{out}) Uses private key @var{priv}, public ket @var{pub} and shared key material @var{ukm} to generate shared secret, written to buffer @var{out}. The buffer should be of the size equal to 2 private key lengths: 64 bytes for 256 bit curves and 128 bytes for 512 bit ones. UKM is a shared key material, usually transferred in cleartext. It does not have to be secret. @end deftypefun @node Curve 25519 and Curve 448 @subsubsection Curve25519 and Curve448 @cindex Curve 25519 @cindex Curve 448 @c FIXME: Make 2^255 pretty in all output formats. Use @sup? @c There are other places too (2^32, 2^130). Curve25519 is an elliptic curve of Montgomery type, @math{y^2 = x^3 + 486662 x^2 + x @pmod{p}}, with @math{p = 2^255 - 19}. Montgomery curves have the advantage of simple and efficient point addition based on the x-coordinate only. This particular curve was proposed by D. J. Bernstein in 2006, for fast Diffie-Hellman key exchange, and is also described in @cite{RFC 7748}. The group generator is defined by @math{x = 9} (there are actually two points with @math{x = 9}, differing by the sign of the y-coordinate, but that doesn't matter for the curve25519 operations which work with the x-coordinate only). The curve25519 functions are defined as operations on octet strings, representing 255-bit scalars or x-coordinates, in little-endian byte order. The most significant input bit, i.e, the most significant bit of the last octet, is always ignored. For scalars, in addition, the least significant three bits are ignored, and treated as zero, and the second most significant bit is ignored too, and treated as one. Then the scalar input string always represents 8 times a number in the range @math{2^251 <= s < 2^252}. Of all the possible input strings, only about half correspond to x-coordinates of points on curve25519, i.e., a value @math{x} for which the the curve equation can be solved for @math{y}. The other half correspond to points on a related ``twist curve''. The function @code{curve25519_mul} uses a Montgomery ladder for the scalar multiplication, as suggested in the curve25519 literature, and required by @cite{RFC 7748}. The output is therefore well defined for @emph{all} possible inputs, no matter if the input string represents a valid point on the curve or not. Note that the curve25519 implementation in earlier versions of Nettle deviates slightly from @cite{RFC 7748}, in that bit 255 of the @math{x} coordinate of the point input to curve25519_mul was not ignored. The @file{nette/curve25519.h} defines a preprocessor symbol @code{NETTLE_CURVE25519_RFC7748} to indicate conformance with the standard. Nettle defines Curve 25519 in @file{}. @defvr Constant NETTLE_CURVE25519_RFC7748 Defined to 1 in Nettle versions conforming to RFC 7748. Undefined in earlier versions. @end defvr @defvr Constant CURVE25519_SIZE The size of the strings representing curve25519 points and scalars, 32. @end defvr @deftypefun void curve25519_mul_g (uint8_t *@var{q}, const uint8_t *@var{n}) Computes @math{Q = N G}, where @math{G} is the group generator and @math{N} is an integer. The input argument @var{n} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size @code{CURVE25519_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult_base} in the NaCl library. @end deftypefun @deftypefun void curve25519_mul (uint8_t *@var{q}, const uint8_t *@var{n}, const uint8_t *@var{p}) Computes @math{Q = N P}, where @math{P} is an input point and @math{N} is an integer. The input arguments @var{n} and @var{p} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size @code{CURVE25519_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult} in the NaCl library. @end deftypefun Similarly, Nettle also implements Curve448, an elliptic curve of Montgomery type, @math{y^2 = x^3 + 156326 x^2 + x @pmod{p}}, with @math{p = 2^448 - 2^224 - 1}. This particular curve was proposed by Mike Hamburg in 2015, for fast Diffie-Hellman key exchange, and is also described in @cite{RFC 7748}. Nettle defines Curve 448 in @file{}. @defvr Constant CURVE448_SIZE The octet length of the strings representing curve448 points and scalars, 56. @end defvr @deftypefun void curve448_mul_g (uint8_t *@var{q}, const uint8_t *@var{n}) Computes @math{Q = N G}, where @math{G} is the group generator and @math{N} is an integer. The input argument @var{n} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinate, respectively. They are both of size @code{CURVE448_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult_base} in the NaCl library. @end deftypefun @deftypefun void curve448_mul (uint8_t *@var{q}, const uint8_t *@var{n}, const uint8_t *@var{p}) Computes @math{Q = N P}, where @math{P} is an input point and @math{N} is an integer. The input arguments @var{n} and @var{p} and the output argument @var{q} use a little-endian representation of the scalar and the x-coordinates, respectively. They are all of size @code{CURVE448_SIZE}. This function is intended to be compatible with the function @code{crypto_scalar_mult} in the NaCl library. @end deftypefun @subsubsection EdDSA @cindex eddsa EdDSA is a signature scheme proposed by D. J. Bernstein et al. in 2011. It is defined using a ``Twisted Edwards curve'', of the form @math{-x^2 + y^2 = 1 + d x^2 y^2}. The specific signature scheme Ed25519 uses a curve which is equivalent to curve25519: The two groups used differ only by a simple change of coordinates, so that the discrete logarithm problem is of equal difficulty in both groups. Unlike other signature schemes in Nettle, the input to the EdDSA sign and verify functions is the possibly large message itself, not a hash digest. EdDSA is a variant of Schnorr signatures, where the message is hashed together with other data during the signature process, providing resilience to hash-collisions: A successful attack finding collisions in the hash function does not automatically translate into an attack to forge signatures. EdDSA also avoids the use of a randomness source by generating the needed signature nonce from a hash of the private key and the message, which means that the message is actually hashed twice when creating a signature. If signing huge messages, it is possible to hash the message first and pass the short message digest as input to the sign and verify functions, however, the resilience to hash collision is then lost. @defvr Constant ED25519_KEY_SIZE The size of a private or public Ed25519 key, 32 octets. @end defvr @defvr Constant ED25519_SIGNATURE_SIZE The size of an Ed25519 signature, 64 octets. @end defvr @deftypefun void ed25519_sha512_public_key (uint8_t *@var{pub}, const uint8_t *@var{priv}) Computes the public key corresponding to the given private key. Both input and output are of size @code{ED25519_KEY_SIZE}. @end deftypefun @deftypefun void ed25519_sha512_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) Signs a message using the provided key pair. @end deftypefun @deftypefun int ed25519_sha512_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0. @end deftypefun Nettle also provides Ed448, an EdDSA signature scheme based on an Edwards curve equivalent to curve448. @defvr Constant ED448_KEY_SIZE The size of a private or public Ed448 key, 57 octets. @end defvr @defvr Constant ED448_SIGNATURE_SIZE The size of an Ed448 signature, 114 octets. @end defvr @deftypefun void ed448_shake256_public_key (uint8_t *@var{pub}, const uint8_t *@var{priv}) Computes the public key corresponding to the given private key. Both input and output are of size @code{ED448_KEY_SIZE}. @end deftypefun @deftypefun void ed448_shake256_sign (const uint8_t *@var{pub}, const uint8_t *@var{priv}, size_t @var{length}, const uint8_t *@var{msg}, uint8_t *@var{signature}) Signs a message using the provided key pair. @end deftypefun @deftypefun int ed448_shake256_verify (const uint8_t *@var{pub}, size_t @var{length}, const uint8_t *@var{msg}, const uint8_t *@var{signature}) Verifies a message using the provided public key. Returns 1 if the signature is valid, otherwise 0. @end deftypefun @node Randomness @section Randomness @cindex Randomness A crucial ingredient in many cryptographic contexts is randomness: Let @code{p} be a random prime, choose a random initialization vector @code{iv}, a random key @code{k} and a random exponent @code{e}, etc. In the theories, it is assumed that you have plenty of randomness around. If this assumption is not true in practice, systems that are otherwise perfectly secure, can be broken. Randomness has often turned out to be the weakest link in the chain. In non-cryptographic applications, such as games as well as scientific simulation, a good randomness generator usually means a generator that has good statistical properties, and is seeded by some simple function of things like the current time, process id, and host name. However, such a generator is inadequate for cryptography, for at least two reasons: @itemize @item It's too easy for an attacker to guess the initial seed. Even if it will take some 2^32 tries before he guesses right, that's far too easy. For example, if the process id is 16 bits, the resolution of ``current time'' is one second, and the attacker knows what day the generator was seeded, there are only about 2^32 possibilities to try if all possible values for the process id and time-of-day are tried. @item The generator output reveals too much. By observing only a small segment of the generator's output, its internal state can be recovered, and from there, all previous output and all future output can be computed by the attacker. @end itemize A randomness generator that is used for cryptographic purposes must have better properties. Let's first look at the seeding, as the issues here are mostly independent of the rest of the generator. The initial state of the generator (its seed) must be unguessable by the attacker. So what's unguessable? It depends on what the attacker already knows. The concept used in information theory to reason about such things is called ``entropy'', or ``conditional entropy'' (not to be confused with the thermodynamic concept with the same name). A reasonable requirement is that the seed contains a conditional entropy of at least some 80-100 bits. This property can be explained as follows: Allow the attacker to ask @code{n} yes-no-questions, of his own choice, about the seed. If the attacker, using this question-and-answer session, as well as any other information he knows about the seeding process, still can't guess the seed correctly, then the conditional entropy is more than @code{n} bits. @cindex Entropy @cindex Conditional entropy Let's look at an example. Say information about timing of received network packets is used in the seeding process. If there is some random network traffic going on, this will contribute some bits of entropy or ``unguessability'' to the seed. However, if the attacker can listen in to the local network, or if all but a small number of the packets were transmitted by machines that the attacker can monitor, this additional information makes the seed easier for the attacker to figure out. Even if the information is exactly the same, the conditional entropy, or unguessability, is smaller for an attacker that knows some of it already before the hypothetical question-and-answer session. Seeding of good generators is usually based on several sources. The key point here is that the amount of unguessability that each source contributes, depends on who the attacker is. Some sources that have been used are: @table @asis @item High resolution timing of i/o activities Such as completed blocks from spinning hard disks, network packets, etc. Getting access to such information is quite system dependent, and not all systems include suitable hardware. If available, it's one of the better randomness source one can find in a digital, mostly predictable, computer. @item User activity Timing and contents of user interaction events is another popular source that is available for interactive programs (even if I suspect that it is sometimes used in order to make the user feel good, not because the quality of the input is needed or used properly). Obviously, not available when a machine is unattended. Also beware of networks: User interaction that happens across a long serial cable, @acronym{TELNET} session, or even @acronym{SSH} session may be visible to an attacker, in full or partially. @item Audio input Any room, or even a microphone input that's left unconnected, is a source of some random background noise, which can be fed into the seeding process. @item Specialized hardware Hardware devices with the sole purpose of generating random data have been designed. They range from radioactive samples with an attached Geiger counter, to amplification of the inherent noise in electronic components such as diodes and resistors, to low-frequency sampling of chaotic systems. Hashing successive images of a Lava lamp is a spectacular example of the latter type. @item Secret information Secret information, such as user passwords or keys, or private files stored on disk, can provide some unguessability. A problem is that if the information is revealed at a later time, the unguessability vanishes. Another problem is that this kind of information tends to be fairly constant, so if you rely on it and seed your generator regularly, you risk constructing almost similar seeds or even constructing the same seed more than once. @end table For all practical sources, it's difficult but important to provide a reliable lower bound on the amount of unguessability that it provides. Two important points are to make sure that the attacker can't observe your sources (so if you like the Lava lamp idea, remember that you have to get your own lamp, and not put it by a window or anywhere else where strangers can see it), and that hardware failures are detected. What if the bulb in the Lava lamp, which you keep locked into a cupboard following the above advice, breaks after a few months? So let's assume that we have been able to find an unguessable seed, which contains at least 80 bits of conditional entropy, relative to all attackers that we care about (typically, we must at the very least assume that no attacker has root privileges on our machine). How do we generate output from this seed, and how much can we get? Some generators (notably the Linux @file{/dev/random} generator) tries to estimate available entropy and restrict the amount of output. The goal is that if you read 128 bits from @file{/dev/random}, you should get 128 ``truly random'' bits. This is a property that is useful in some specialized circumstances, for instance when generating key material for a one time pad, or when working with unconditional blinding, but in most cases, it doesn't matter much. For most application, there's no limit on the amount of useful ``random'' data that we can generate from a small seed; what matters is that the seed is unguessable and that the generator has good cryptographic properties. At the heart of all generators lies its internal state. Future output is determined by the internal state alone. Let's call it the generator's key. The key is initialized from the unguessable seed. Important properties of a generator are: @table @dfn @item Key-hiding An attacker observing the output should not be able to recover the generator's key. @item Independence of outputs Observing some of the output should not help the attacker to guess previous or future output. @item Forward secrecy Even if an attacker compromises the generator's key, he should not be able to guess the generator output @emph{before} the key compromise. @item Recovery from key compromise If an attacker compromises the generator's key, he can compute @emph{all} future output. This is inevitable if the generator is seeded only once, at startup. However, the generator can provide a reseeding mechanism, to achieve recovery from key compromise. More precisely: If the attacker compromises the key at a particular time @code{t_1}, there is another later time @code{t_2}, such that if the attacker observes all output generated between @code{t_1} and @code{t_2}, he still can't guess what output is generated after @code{t_2}. @end table Nettle includes one randomness generator that is believed to have all the above properties, and two simpler ones. @acronym{ChaCha} (@pxref{ChaCha}), like any stream cipher, can be used as a randomness generator. Its output should be of reasonable quality. There's no single natural way to reseed it, but if you need reseeding, you should be using Yarrow instead. Historically ARCFOUR (@pxref{Arcfour}) has been used as a randomness generator, however it is known to be distinguishable from random data and the output leaks information about the key. The ``lagged Fibonacci'' generator in @file{} is a fast generator with good statistical properties, but is @strong{not} for cryptographic use, and therefore not documented here. It is included mostly because the Nettle test suite needs to generate some test data from a small seed. The recommended generator to use is Yarrow, described below. @subsection Yarrow Yarrow is a family of pseudo-randomness generators, designed for cryptographic use, by John Kelsey, Bruce Schneier and Niels Ferguson. Yarrow-160 is described in a paper at @url{https://www.schneier.com/academic/yarrow/}, and it uses @acronym{SHA1} and triple-DES, and has a 160-bit internal state. Nettle implements Yarrow-256, which is similar, but uses @acronym{SHA256} and @acronym{AES} to get an internal state of 256 bits. Yarrow was an almost finished project, the paper mentioned above is the closest thing to a specification for it, but some smaller details are left out. There is no official reference implementation or test cases. This section includes an overview of Yarrow, but for the details of Yarrow-256, as implemented by Nettle, you have to consult the source code. Maybe a complete specification can be written later. Yarrow can use many sources (at least two are needed for proper reseeding), and two randomness ``pools'', referred to as the ``slow pool'' and the ``fast pool''. Input from the sources is fed alternatingly into the two pools. When one of the sources has contributed 100 bits of entropy to the fast pool, a ``fast reseed'' happens and the fast pool is mixed into the internal state. When at least two of the sources have contributed at least 160 bits each to the slow pool, a ``slow reseed'' takes place. The contents of both pools are mixed into the internal state. These procedures should ensure that the generator will eventually recover after a key compromise. The output is generated by using @acronym{AES} to encrypt a counter, using the generator's current key. After each request for output, another 256 bits are generated which replace the key. This ensures forward secrecy. Yarrow can also use a @dfn{seed file} to save state across restarts. Yarrow is seeded by either feeding it the contents of the previous seed file, or feeding it input from its sources until a slow reseed happens. Nettle defines Yarrow-256 in @file{}. @deftp {Context struct} {struct yarrow256_ctx} @end deftp @deftp {Context struct} {struct yarrow_source} Information about a single source. @end deftp @defvr Constant YARROW256_SEED_FILE_SIZE Recommended size of the Yarrow-256 seed file. @end defvr @deftypefun void yarrow256_init (struct yarrow256_ctx *@var{ctx}, unsigned @var{nsources}, struct yarrow_source *@var{sources}) Initializes the yarrow context, and its @var{nsources} sources. It's possible to call it with @var{nsources}=0 and @var{sources}=NULL, if you don't need the update features. @end deftypefun @deftypefun void yarrow256_seed (struct yarrow256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{seed_file}) Seeds Yarrow-256 from a previous seed file. @var{length} should be at least @code{YARROW256_SEED_FILE_SIZE}, but it can be larger. The generator will trust you that the @var{seed_file} data really is unguessable. After calling this function, you @emph{must} overwrite the old seed file with newly generated data from @code{yarrow256_random}. If it's possible for several processes to read the seed file at about the same time, access must be coordinated using some locking mechanism. @end deftypefun @deftypefun int yarrow256_update (struct yarrow256_ctx *@var{ctx}, unsigned @var{source}, unsigned @var{entropy}, size_t @var{length}, const uint8_t *@var{data}) Updates the generator with data from source @var{SOURCE} (an index that must be smaller than the number of sources). @var{entropy} is your estimated lower bound for the entropy in the data, measured in bits. Calling update with zero @var{entropy} is always safe, no matter if the data is random or not. Returns 1 if a reseed happened, in which case an application using a seed file may want to generate new seed data with @code{yarrow256_random} and overwrite the seed file. Otherwise, the function returns 0. @end deftypefun @deftypefun void yarrow256_random (struct yarrow256_ctx *@var{ctx}, size_t @var{length}, uint8_t *@var{dst}) Generates @var{length} octets of output. The generator must be seeded before you call this function. If you don't need forward secrecy, e.g. if you need non-secret randomness for initialization vectors or padding, you can gain some efficiency by buffering, calling this function for reasonably large blocks of data, say 100-1000 octets at a time. @end deftypefun @deftypefun int yarrow256_is_seeded (struct yarrow256_ctx *@var{ctx}) Returns 1 if the generator is seeded and ready to generate output, otherwise 0. @end deftypefun @deftypefun unsigned yarrow256_needed_sources (struct yarrow256_ctx *@var{ctx}) Returns the number of sources that must reach the threshold before a slow reseed will happen. Useful primarily when the generator is unseeded. @end deftypefun @deftypefun void yarrow256_fast_reseed (struct yarrow256_ctx *@var{ctx}) @deftypefunx void yarrow256_slow_reseed (struct yarrow256_ctx *@var{ctx}) Causes a fast or slow reseed to take place immediately, regardless of the current entropy estimates of the two pools. Use with care. @end deftypefun Nettle includes an entropy estimator for one kind of input source: User keyboard input. @deftp {Context struct} {struct yarrow_key_event_ctx} Information about recent key events. @end deftp @deftypefun void yarrow_key_event_init (struct yarrow_key_event_ctx *@var{ctx}) Initializes the context. @end deftypefun @deftypefun unsigned yarrow_key_event_estimate (struct yarrow_key_event_ctx *@var{ctx}, unsigned @var{key}, unsigned @var{time}) @var{key} is the id of the key (ASCII value, hardware key code, X keysym, @dots{}, it doesn't matter), and @var{time} is the timestamp of the event. The time must be given in units matching the resolution by which you read the clock. If you read the clock with microsecond precision, @var{time} should be provided in units of microseconds. But if you use @code{gettimeofday} on a typical Unix system where the clock ticks 10 or so microseconds at a time, @var{time} should be given in units of 10 microseconds. Returns an entropy estimate, in bits, suitable for calling @code{yarrow256_update}. Usually, 0, 1 or 2 bits. @end deftypefun @subsection DRBG-CTR The Deterministic Random Bit Generator (DRBG) family is a complex family of deterministic randomness generators published by NIST in SP 800-90A. We support what we believe is the reasonable parts of the CTR_DRBG algorithm for AES256. Re-seeding, personalization strings, derivation functions and support for non-AES256 is not implemented. Personalization strings can be implemented by the caller, if desired, with xor. If you need re-seeding or entropy derivation, we suggest that you use Yarrow instead. The security bounds of DRBG-CTR are not intuitive, see ``Security Bounds for the NIST Codebook-based Deterministic Random Bit Generator'' by Matthew J. Campagna, from @url{https://eprint.iacr.org/2006/379.pdf}. Our suggested use-case for DRBG-CTR is to deterministically generate known values from a seed when comparing against expected values for some other algorithm. Nettle defines DRBG-CTR in @file{}. @deftp {Context struct} {struct drbg_ctr_aes256_ctx} @end deftp @defvr Constant DRBG_CTR_AES256_SEED_SIZE The size of the seeding material. @end defvr @deftypefun void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *@var{ctx}, uint8_t *@var{seed_material}) Initialize the DRBG-CTR-AES256 context using @code{DRBG_CTR_AES256_SEED_SIZE} bytes of @var{seed_material}. @end deftypefun @deftypefun void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *@var{ctx}, size_t n, uint8_t *@var{dst}) Generates @var{n} octets of output into @var{dst}. The generator must be initialized before you call this function. @end deftypefun @node ASCII encoding @section ASCII encoding Encryption will transform your data from text into binary format, and that may be a problem if, for example, you want to send the data as if it was plain text in an email, or store it along with descriptive text in a file. You may then use an encoding from binary to text: each binary byte is translated into a number of bytes of plain text. A base-N encoding of data is one representation of data that only uses N different symbols (instead of the 256 possible values of a byte). The base64 encoding will always use alphanumeric (upper and lower case) characters and the '+', '/' and '=' symbols to represent the data. Four output characters are generated for each three bytes of input. In case the length of the input is not a multiple of three, padding characters are added at the end. There's also a ``URL safe'' variant, which is useful for encoding binary data into URLs and filenames. See @cite{RFC 4648}. The base16 encoding, also known as ``hexadecimal'', uses the decimal digits and the letters from A to F. Two hexadecimal digits are generated for each input byte. Nettle supports both base64 and base16 encoding and decoding. Encoding and decoding uses a context struct to maintain its state (with the exception of base16 encoding, which doesn't need any). To encode or decode the data, first initialize the context, then call the update function as many times as necessary, and complete the operation by calling the final function. The following functions can be used to perform base64 encoding and decoding. They are defined in @file{}. @deftp {Context struct} {struct base64_encode_ctx} @end deftp @deftypefun {void} base64_encode_init (struct base64_encode_ctx *@var{ctx}) @deftypefunx {void} base64url_encode_init (struct base64_encode_ctx *@var{ctx}) Initializes a base64 context. This is necessary before starting an encoding session. @code{base64_encode_init} selects the standard base64 alphabet, while @code{base64url_encode_init} selects the URL safe alphabet. @end deftypefun @deftypefun {size_t} base64_encode_single (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Encodes a single byte. Returns amount of output (always 1 or 2). @end deftypefun @deffn Macro BASE64_ENCODE_LENGTH (@var{length}) The maximum number of output bytes when passing @var{length} input bytes to @code{base64_encode_update}. @end deffn @deftypefun {size_t} base64_encode_update (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}, size_t @var{length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to encode @var{length} bytes from @var{src}. The result will be placed in @var{dst}, and the return value will be the number of bytes generated. Note that @var{dst} must be at least of size BASE64_ENCODE_LENGTH(@var{length}). @end deftypefun @defvr Constant BASE64_ENCODE_FINAL_LENGTH The maximum amount of output from @code{base64_encode_final}. @end defvr @deftypefun {size_t} base64_encode_final (struct base64_encode_ctx *@var{ctx}, uint8_t *@var{dst}) After calling base64_encode_update one or more times, this function should be called to generate the final output bytes, including any needed paddding. The return value is the number of output bytes generated. @end deftypefun @deftp {Context struct} {struct base64_decode_ctx} @end deftp @deftypefun {void} base64_decode_init (struct base64_decode_ctx *@var{ctx}) @deftypefunx {void} base64url_decode_init (struct base64_decode_ctx *@var{ctx}) Initializes a base64 decoding context. This is necessary before starting a decoding session. @code{base64_decode_init} selects the standard base64 alphabet, while @code{base64url_decode_init} selects the URL safe alphabet. @end deftypefun @deftypefun {int} base64_decode_single (struct base64_decode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Decodes a single byte (@var{src}) and stores the result in @var{dst}. Returns amount of output (0 or 1), or -1 on errors. @end deftypefun @deffn Macro BASE64_DECODE_LENGTH (@var{length}) The maximum number of output bytes when passing @var{length} input bytes to @code{base64_decode_update}. @end deffn @deftypefun {void} base64_decode_update (struct base64_decode_ctx *@var{ctx}, size_t *@var{dst_length}, uint8_t *@var{dst}, size_t @var{src_length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to decode @var{src_length} bytes from @var{src}. @var{dst} should point to an area of size at least BASE64_DECODE_LENGTH(@var{src_length}). The amount of data generated is returned in *@var{dst_length}. Returns 1 on success and 0 on error. @end deftypefun @deftypefun {int} base64_decode_final (struct base64_decode_ctx *@var{ctx}) Check that final padding is correct. Returns 1 on success, and 0 on error. @end deftypefun Similarly to the base64 functions, the following functions perform base16 encoding, and are defined in @file{}. Note that there is no encoding context necessary for doing base16 encoding. @deftypefun {void} base16_encode_single (uint8_t *@var{dst}, uint8_t @var{src}) Encodes a single byte. Always stores two digits in @var{dst}[0] and @var{dst}[1]. @end deftypefun @deffn Macro BASE16_ENCODE_LENGTH (@var{length}) The number of output bytes when passing @var{length} input bytes to @code{base16_encode_update}. @end deffn @deftypefun {void} base16_encode_update (uint8_t *@var{dst}, size_t @var{length}, const uint8_t *@var{src}) Always stores BASE16_ENCODE_LENGTH(@var{length}) digits in @var{dst}. @end deftypefun @deftp {Context struct} {struct base16_decode_ctx} @end deftp @deftypefun {void} base16_decode_init (struct base16_decode_ctx *@var{ctx}) Initializes a base16 decoding context. This is necessary before starting a decoding session. @end deftypefun @deftypefun {int} base16_decode_single (struct base16_decode_ctx *@var{ctx}, uint8_t *@var{dst}, uint8_t @var{src}) Decodes a single byte from @var{src} into @var{dst}. Returns amount of output (0 or 1), or -1 on errors. @end deftypefun @deffn Macro BASE16_DECODE_LENGTH (@var{length}) The maximum number of output bytes when passing @var{length} input bytes to @code{base16_decode_update}. @end deffn @deftypefun {int} base16_decode_update (struct base16_decode_ctx *@var{ctx}, size_t *@var{dst_length}, uint8_t *@var{dst}, size_t @var{src_length}, const uint8_t *@var{src}) After @var{ctx} is initialized, this function may be called to decode @var{src_length} bytes from @var{src}. @var{dst} should point to an area of size at least BASE16_DECODE_LENGTH(@var{src_length}). The amount of data generated is returned in *@var{dst_length}. Returns 1 on success and 0 on error. @end deftypefun @deftypefun {int} base16_decode_final (struct base16_decode_ctx *@var{ctx}) Checks that the end of data is correct (i.e., an even number of hexadecimal digits have been seen). Returns 1 on success, and 0 on error. @end deftypefun @node Miscellaneous functions @section Miscellaneous functions @deftypefun {void *} memxor (void *@var{dst}, const void *@var{src}, size_t @var{n}) XORs the source area on top of the destination area. The interface doesn't follow the Nettle conventions, because it is intended to be similar to the ANSI-C @code{memcpy} function. @end deftypefun @deftypefun {void *} memxor3 (void *@var{dst}, const void *@var{a}, const void *@var{b}, size_t @var{n}) Like @code{memxor}, but takes two source areas and separate destination area. @end deftypefun @deftypefun int memeql_sec (const void *@var{a}, const void *@var{b}, size_t @var{n}) Side-channel silent comparison of the @var{n} bytes at @var{a} and @var{b}. I.e., instructions executed and memory accesses are identical no matter where the areas differ, @pxref{Side-channel silence}. Return non-zero if the areas are equal, and zero if they differ. @end deftypefun These functions are declared in @file{}. For compatibility with earlier versions of Nettle, @code{memxor} and @code{memxor3} are also declared in @file{}. @node Compatibility functions @section Compatibility functions For convenience, Nettle includes alternative interfaces to some algorithms, for compatibility with some other popular crypto toolkits. These are not fully documented here; refer to the source or to the documentation for the original implementation. MD5 is defined in [RFC 1321], which includes a reference implementation. Nettle defines a compatible interface to MD5 in @file{}. This file defines the typedef @code{MD5_CTX}, and declares the functions @code{MD5Init}, @code{MD5Update} and @code{MD5Final}. @node Nettle soup @chapter Traditional Nettle Soup For the serious nettle hacker, here is a recipe for nettle soup. 4 servings. @itemize @w{} @item 1 liter fresh nettles (urtica dioica) @item 2 tablespoons butter @item 3 tablespoons flour @item 1 liter stock (meat or vegetable) @item 1/2 teaspoon salt @item a tad white pepper @item some cream or milk @end itemize Gather 1 liter fresh nettles. Use gloves! Small, tender shoots are preferable but the tops of larger nettles can also be used. Rinse the nettles very well. Boil them for 10 minutes in lightly salted water. Strain the nettles and save the water. Hack the nettles. Melt the butter and mix in the flour. Dilute with stock and the nettle-water you saved earlier. Add the hacked nettles. If you wish you can add some milk or cream at this stage. Bring to a boil and let boil for a few minutes. Season with salt and pepper. Serve with boiled egg-halves. @c And the original Swedish version. @ignore Recept på nässelsoppa 4 portioner 1 l färska nässlor 2 msk smör 3 msk vetemjöl 1 l kött- eller grönsaksbuljong 1/2 tsk salt 1-2 krm peppar (lite grädde eller mjölk) Plocka 1 liter färska nässlor. Använd handskar! Helst små och späda skott, men topparna av större nässlor går också bra. Skölj nässlorna väl. Förväll dem ca 10 minuter i lätt saltat vatten. Häll av och spara spadet. Hacka nässlorna. Smält smöret, rör i mjöl och späd med buljong och nässelspad. Lägg i de hackade nässlorna. Om så önskas, häll i en skvätt mjölk eller grädde. Koka några minuter, och smaksätt med salt och peppar. Servera med kokta ägghalvor. @end ignore @node Installation @chapter Installation Nettle uses @command{autoconf}. To build it, unpack the source and run @example ./configure make make check make install @end example @noindent to install it under the default prefix, @file{/usr/local}. Using GNU make is strongly recommended. By default, both static and shared libraries are built and installed. To get a list of configure options, use @code{./configure --help}. Some of the more interesting are: @table @option @item --enable-fat Include multiple versions of certain functions in the library, and select the ones to use at run-time, depending on available processor features. Supported for ARM and x86_64. @item --enable-mini-gmp Use the smaller and slower ``mini-gmp'' implementation of the bignum functions needed for public-key cryptography, instead of the real GNU GMP library. This option is intended primarily for smaller embedded systems. Note that builds using mini-gmp are @strong{not} binary compatible with regular builds of Nettle, and more likely to leak side-channel information. @item --disable-shared Omit building the shared libraries. @item --disable-dependency-tracking Disable the automatic dependency tracking. You will likely need this option to be able to build with BSD make. @end table @node Index @unnumbered Function and Concept Index @printindex cp @bye Local Variables: ispell-local-dictionary: "american" End: @c LocalWords: cryptographics crypto LSH GNUPG API GPL LGPL aes rijndael ller @c LocalWords: Sevilla arcfour RC Niels Dassen Colin Kuchling Biham sha Ruud @c LocalWords: Gutmann twofish de Rooij struct MB Rivest RFC Nettle's ECB CBC @c LocalWords: RSA Daemen Rijnmen Schneier DES's ede structs oddnesses HMAC @c LocalWords: NIST Alice's GMP bignum Diffie Adi Shamir Adleman Euclid's ASN @c LocalWords: PKCS callbacks Young's urtica dioica autoconf SSH tad @c LocalWords: unguessability reseeding reseed alternatingly keysym subkeys @c LocalWords: DSA gmp FIPS DSS libdes OpenSSL ARCTWO Josefsson Nikos Andreas @c LocalWords: Mavroyanopoulos Sigfridsson Comstedt interoperability Sparc IC @c LocalWords: DES FIXME Rivest's plaintext ciphertext CTR XORed timestamp @c LocalWords: XORs cryptologists libnettle libhogweed GCM ECDSA NTT @c LocalWords: toolkits BLOWFISH Möller RIPEMD libgcrypt PBKDF Shishi @c LocalWords: GnuTLS Gutmann's GOSTHASH GOST Aleksey Kravchenko ECC @c LocalWords: rhash Mavrogiannopoulos Keccak Bertoni @c LocalWords: Michaël Peeters Assche Dobbertin Antoon Bosselaers KDF @c LocalWords: Preneel rôle McGrew Viega KDFs PBKDFs passphrase PRF @c LocalWords: th deallocate pre bitsize multi lookup secp startup @c LocalWords: typedef typedef nettle-3.10/cfb.h0000644000175000017500000000664714633602172012700 0ustar nissenisse/* cfb.h Cipher feedback mode. Copyright (C) 2015, 2017 Dmitry Eremin-Solenikov Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CFB_H_INCLUDED #define NETTLE_CFB_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cfb_encrypt nettle_cfb_encrypt #define cfb_decrypt nettle_cfb_decrypt #define cfb8_encrypt nettle_cfb8_encrypt #define cfb8_decrypt nettle_cfb8_decrypt void cfb_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cfb_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cfb8_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); void cfb8_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); #define CFB_CTX(type, size) \ { type ctx; uint8_t iv[size]; } #define CFB_SET_IV(ctx, data) \ memcpy((ctx)->iv, (data), sizeof((ctx)->iv)) #define CFB8_CTX CFB_CTX #define CFB8_SET_IV CFB_SET_IV /* NOTE: Avoid using NULL, as we don't include anything defining it. */ #define CFB_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb_encrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CFB_DECRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb_decrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CFB8_ENCRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb8_encrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #define CFB8_DECRYPT(self, f, length, dst, src) \ (0 ? ((f)(&(self)->ctx, ~(size_t) 0, \ (uint8_t *) 0, (const uint8_t *) 0)) \ : cfb8_decrypt((void *) &(self)->ctx, \ (nettle_cipher_func *) (f), \ sizeof((self)->iv), (self)->iv, \ (length), (dst), (src))) #ifdef __cplusplus } #endif #endif /* NETTLE_CFB_H_INCLUDED */ nettle-3.10/rsa-verify.c0000644000175000017500000000326014633602171014213 0ustar nissenisse/* rsa-verify.c Verifying RSA signatures. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" int _rsa_verify(const struct rsa_public_key *key, const mpz_t m, const mpz_t s) { int res; mpz_t m1; if ( (mpz_sgn(s) <= 0) || (mpz_cmp(s, key->n) >= 0) ) return 0; mpz_init(m1); mpz_powm(m1, s, key->e, key->n); res = !mpz_cmp(m, m1); mpz_clear(m1); return res; } int _rsa_verify_recover(const struct rsa_public_key *key, mpz_t m, const mpz_t s) { if ( (mpz_sgn(s) <= 0) || (mpz_cmp(s, key->n) >= 0) ) return 0; mpz_powm(m, s, key->e, key->n); return 1; } nettle-3.10/nettle-meta-ciphers.c0000644000175000017500000000320314633602171015773 0ustar nissenisse/* nettle-meta-ciphers.c Copyright (C) 2011 Daniel Kahn Gillmor This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" const struct nettle_cipher * const _nettle_ciphers[] = { &nettle_aes128, &nettle_aes192, &nettle_aes256, &nettle_camellia128, &nettle_camellia192, &nettle_camellia256, &nettle_cast128, &nettle_serpent128, &nettle_serpent192, &nettle_serpent256, &nettle_twofish128, &nettle_twofish192, &nettle_twofish256, &nettle_arctwo40, &nettle_arctwo64, &nettle_arctwo128, &nettle_arctwo_gutmann128, &nettle_sm4, NULL }; const struct nettle_cipher * const * nettle_get_ciphers (void) { return _nettle_ciphers; } nettle-3.10/sha3-256-meta.c0000644000175000017500000000230214633602171014214 0ustar nissenisse/* sha3-256-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" #include "sha3-internal.h" const struct nettle_hash nettle_sha3_256 = _NETTLE_HASH(sha3_256, SHA3_256); nettle-3.10/dsa-sha1-verify.c0000644000175000017500000000327314633602171015033 0ustar nissenisse/* dsa-sha1-verify.c The original DSA publickey algorithm, using SHA-1. Copyright (C) 2002, 2003, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" int dsa_sha1_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature) { return dsa_verify((const struct dsa_params *) key, key->y, SHA1_DIGEST_SIZE, digest, signature); } int dsa_sha1_verify(const struct dsa_public_key *key, struct sha1_ctx *hash, const struct dsa_signature *signature) { uint8_t digest[SHA1_DIGEST_SIZE]; sha1_digest(hash, sizeof(digest), digest); return dsa_verify((const struct dsa_params *) key, key->y, sizeof(digest), digest, signature); } nettle-3.10/sha2-internal.h0000644000175000017500000000336714633602172014611 0ustar nissenisse/* sha2-internal.h The sha2 family of hash functions. Copyright (C) 2001, 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA2_INTERNAL_H_INCLUDED #define NETTLE_SHA2_INTERNAL_H_INCLUDED #include "nettle-types.h" /* Internal compression function. STATE points to 8 uint32_t words, DATA points to 64 bytes of input data, possibly unaligned, and K points to the table of constants. */ const uint8_t * _nettle_sha256_compress_n(uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *data); /* Internal compression function. STATE points to 8 uint64_t words, DATA points to 128 bytes of input data, possibly unaligned, and K points to the table of constants. */ void _nettle_sha512_compress(uint64_t *state, const uint8_t *data, const uint64_t *k); #endif /* NETTLE_SHA2_INTERNAL_H_INCLUDED */ nettle-3.10/sexp.h0000644000175000017500000001352614633602172013117 0ustar nissenisse/* sexp.h Parsing s-expressions. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SEXP_H_INCLUDED #define NETTLE_SEXP_H_INCLUDED #include #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define sexp_iterator_first nettle_sexp_iterator_first #define sexp_transport_iterator_first nettle_sexp_transport_iterator_first #define sexp_iterator_next nettle_sexp_iterator_next #define sexp_iterator_enter_list nettle_sexp_iterator_enter_list #define sexp_iterator_exit_list nettle_sexp_iterator_exit_list #define sexp_iterator_subexpr nettle_sexp_iterator_subexpr #define sexp_iterator_get_uint32 nettle_sexp_iterator_get_uint32 #define sexp_iterator_check_type nettle_sexp_iterator_check_type #define sexp_iterator_check_types nettle_sexp_iterator_check_types #define sexp_iterator_assoc nettle_sexp_iterator_assoc #define sexp_format nettle_sexp_format #define sexp_vformat nettle_sexp_vformat #define sexp_transport_format nettle_sexp_transport_format #define sexp_transport_vformat nettle_sexp_transport_vformat #define sexp_token_chars nettle_sexp_token_chars enum sexp_type { SEXP_ATOM, SEXP_LIST, SEXP_END }; struct sexp_iterator { size_t length; const uint8_t *buffer; /* Points at the start of the current sub expression. */ size_t start; /* If type is SEXP_LIST, pos points at the start of the current * element. Otherwise, it points at the end. */ size_t pos; unsigned level; enum sexp_type type; size_t display_length; const uint8_t *display; size_t atom_length; const uint8_t *atom; }; /* All these functions return 1 on success, 0 on failure */ /* Initializes the iterator. */ int sexp_iterator_first(struct sexp_iterator *iterator, size_t length, const uint8_t *input); /* NOTE: Decodes the input string in place */ int sexp_transport_iterator_first(struct sexp_iterator *iterator, size_t length, uint8_t *input); int sexp_iterator_next(struct sexp_iterator *iterator); /* Current element must be a list. */ int sexp_iterator_enter_list(struct sexp_iterator *iterator); /* Skips the rest of the current list */ int sexp_iterator_exit_list(struct sexp_iterator *iterator); #if 0 /* Skips out of as many lists as necessary to get back to the given * level. */ int sexp_iterator_exit_lists(struct sexp_iterator *iterator, unsigned level); #endif /* Gets start and length of the current subexpression. Implies * sexp_iterator_next. */ const uint8_t * sexp_iterator_subexpr(struct sexp_iterator *iterator, size_t *length); int sexp_iterator_get_uint32(struct sexp_iterator *iterator, uint32_t *x); /* Checks the type of the current expression, which should be a list * * ( ...) */ int sexp_iterator_check_type(struct sexp_iterator *iterator, const char *type); const char * sexp_iterator_check_types(struct sexp_iterator *iterator, unsigned ntypes, const char * const *types); /* Current element must be a list. Looks up element of type * * (key rest...) * * For a matching key, the corresponding iterator is initialized * pointing at the start of REST. * * On success, exits the current list. */ int sexp_iterator_assoc(struct sexp_iterator *iterator, unsigned nkeys, const char * const *keys, struct sexp_iterator *values); /* Output functions. What is a reasonable API for this? It seems * ugly to have to reimplement string streams. */ /* Declared for real in buffer.h */ struct nettle_buffer; /* Returns the number of output characters, or 0 on out of memory. If * buffer == NULL, just compute length. * * Format strings can contained matched parentheses, tokens ("foo" in * the format string is formatted as "3:foo"), whitespace (which * separates tokens but is otherwise ignored) and the following * formatting specifiers: * * %s String represented as size_t length, const uint8_t *data. * * %t Optional display type, represented as * size_t display_length, const uint8_t *display, * display == NULL means no display type. * * %i Non-negative small integer, uint32_t. * * %b Non-negative bignum, mpz_t. * * %l Literal string (no length added), typically a balanced * subexpression. Represented as size_t length, const uint8_t * *data. * * %(, %) Allows insertion of unbalanced parenthesis. * * Modifiers: * * %0 For %s, %t and %l, says that there's no length argument, * instead the string is NUL-terminated, and there's only one * const uint8_t * argument. */ size_t sexp_format(struct nettle_buffer *buffer, const char *format, ...); size_t sexp_vformat(struct nettle_buffer *buffer, const char *format, va_list args); size_t sexp_transport_format(struct nettle_buffer *buffer, const char *format, ...); size_t sexp_transport_vformat(struct nettle_buffer *buffer, const char *format, va_list args); #ifdef __cplusplus } #endif #endif /* NETTLE_SEXP_H_INCLUDED */ nettle-3.10/gcm-aes.c0000644000175000017500000000413714633602171013444 0ustar nissenisse/* gcm-aes.c Galois counter mode using AES as the underlying cipher. Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif /* This file implements and uses deprecated functions */ #define _NETTLE_ATTRIBUTE_DEPRECATED #include "gcm.h" void gcm_aes_set_key(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *key) { aes_set_encrypt_key (&ctx->cipher, length, key); gcm_set_key (&ctx->key, &ctx->cipher, (nettle_cipher_func *) aes_encrypt); } void gcm_aes_set_iv(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV(ctx, length, iv); } void gcm_aes_update(struct gcm_aes_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE(ctx, length, data); } void gcm_aes_encrypt(struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_ENCRYPT(ctx, aes_encrypt, length, dst, src); } void gcm_aes_decrypt(struct gcm_aes_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { GCM_DECRYPT(ctx, aes_encrypt, length, dst, src); } void gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, aes_encrypt, length, digest); } nettle-3.10/shadata.c0000644000175000017500000000210114633602172013523 0ustar nissenisse#include #include static const unsigned primes[64] = { 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227, 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311 }; int main(int argc, char **argv) { int i; static const double third = 1.0/3; printf("SHA-256 constants: \n"); for (i = 0; i < 64; ) { double root = pow(primes[i++], third); double fraction = root - floor(root); double value = floor(ldexp(fraction, 32)); printf("0x%08lxUL, ", (unsigned long) value); if (!(i % 4)) printf("\n"); } printf("\nSHA-256 initial values: \n"); for (i = 0; i < 8; ) { double root = pow(primes[i++], 0.5); double fraction = root - (floor(root)); double value = floor(ldexp(fraction, 32)); printf("0x%08lxUL, ", (unsigned long) value); if (!(i % 4)) printf("\n"); } return 0; } nettle-3.10/streebog.h0000644000175000017500000000514314633602172013746 0ustar nissenisse/* streebog.h The Streebog family of hash functions. Copyright (C) 2020 Dmitry Baryshkov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_STREEBOG_H_INCLUDED #define NETTLE_STREEBOG_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define streebog256_init nettle_streebog256_init #define streebog256_digest nettle_streebog256_digest #define streebog512_init nettle_streebog512_init #define streebog512_update nettle_streebog512_update #define streebog512_digest nettle_streebog512_digest /* STREEBOG512 */ #define STREEBOG512_DIGEST_SIZE 64 #define STREEBOG512_BLOCK_SIZE 64 /* Digest is kept internally as 8 64-bit words. */ #define _STREEBOG512_DIGEST_LENGTH 8 struct streebog512_ctx { uint64_t state[_STREEBOG512_DIGEST_LENGTH]; /* State variables */ uint64_t count[_STREEBOG512_DIGEST_LENGTH]; uint64_t sigma[_STREEBOG512_DIGEST_LENGTH]; unsigned int index; /* index into buffer */ uint8_t block[STREEBOG512_BLOCK_SIZE]; /* STREEBOG512 data buffer */ }; void streebog512_init(struct streebog512_ctx *ctx); void streebog512_update(struct streebog512_ctx *ctx, size_t length, const uint8_t *data); void streebog512_digest(struct streebog512_ctx *ctx, size_t length, uint8_t *digest); #define STREEBOG256_DIGEST_SIZE 32 #define STREEBOG256_BLOCK_SIZE STREEBOG512_BLOCK_SIZE #define streebog256_ctx streebog512_ctx void streebog256_init(struct streebog256_ctx *ctx); #define streebog256_update nettle_streebog512_update void streebog256_digest(struct streebog256_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_STREEBOG_H_INCLUDED */ nettle-3.10/md5.c0000644000175000017500000001450114633602171012611 0ustar nissenisse/* md5.c The MD5 hash function, described in RFC 1321. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on public domain code hacked by Colin Plumb, Andrew Kuchling, and * Niels Möller. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "md5.h" #include "macros.h" #include "nettle-write.h" void md5_init(struct md5_ctx *ctx) { const uint32_t iv[_MD5_DIGEST_LENGTH] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; ctx->index = 0; } #define COMPRESS(ctx, data) (nettle_md5_compress((ctx)->state, (data))) void md5_update(struct md5_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); } void md5_digest(struct md5_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= MD5_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 512 = 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); LE_WRITE_UINT64(ctx->block + (MD5_BLOCK_SIZE - 8), bit_count); nettle_md5_compress(ctx->state, ctx->block); _nettle_write_le32(length, digest, ctx->state); md5_init(ctx); } /* A block, treated as a sequence of 32-bit words. */ #define MD5_DATA_LENGTH 16 /* MD5 functions */ #define F1(x, y, z) ((z) ^ ((x) & ((y) ^ (z)))) #define F2(x, y, z) F1((z), (x), (y)) #define F3(x, y, z) ((x) ^ (y) ^ (z)) #define F4(x, y, z) ((y) ^ ((x) | ~(z))) #define ROUND(f, w, x, y, z, data, s) \ ( w += f(x, y, z) + data, w = w<>(32-s), w += x ) /* Perform the MD5 transformation on one full block of 16 32-bit * words. * * Compresses 20 (_MD5_DIGEST_LENGTH + MD5_DATA_LENGTH) words into 4 * (_MD5_DIGEST_LENGTH) words. */ void nettle_md5_compress(uint32_t *digest, const uint8_t *input) { uint32_t data[MD5_DATA_LENGTH]; uint32_t a, b, c, d; unsigned i; for (i = 0; i < MD5_DATA_LENGTH; i++, input += 4) data[i] = LE_READ_UINT32(input); a = digest[0]; b = digest[1]; c = digest[2]; d = digest[3]; ROUND(F1, a, b, c, d, data[ 0] + 0xd76aa478, 7); ROUND(F1, d, a, b, c, data[ 1] + 0xe8c7b756, 12); ROUND(F1, c, d, a, b, data[ 2] + 0x242070db, 17); ROUND(F1, b, c, d, a, data[ 3] + 0xc1bdceee, 22); ROUND(F1, a, b, c, d, data[ 4] + 0xf57c0faf, 7); ROUND(F1, d, a, b, c, data[ 5] + 0x4787c62a, 12); ROUND(F1, c, d, a, b, data[ 6] + 0xa8304613, 17); ROUND(F1, b, c, d, a, data[ 7] + 0xfd469501, 22); ROUND(F1, a, b, c, d, data[ 8] + 0x698098d8, 7); ROUND(F1, d, a, b, c, data[ 9] + 0x8b44f7af, 12); ROUND(F1, c, d, a, b, data[10] + 0xffff5bb1, 17); ROUND(F1, b, c, d, a, data[11] + 0x895cd7be, 22); ROUND(F1, a, b, c, d, data[12] + 0x6b901122, 7); ROUND(F1, d, a, b, c, data[13] + 0xfd987193, 12); ROUND(F1, c, d, a, b, data[14] + 0xa679438e, 17); ROUND(F1, b, c, d, a, data[15] + 0x49b40821, 22); ROUND(F2, a, b, c, d, data[ 1] + 0xf61e2562, 5); ROUND(F2, d, a, b, c, data[ 6] + 0xc040b340, 9); ROUND(F2, c, d, a, b, data[11] + 0x265e5a51, 14); ROUND(F2, b, c, d, a, data[ 0] + 0xe9b6c7aa, 20); ROUND(F2, a, b, c, d, data[ 5] + 0xd62f105d, 5); ROUND(F2, d, a, b, c, data[10] + 0x02441453, 9); ROUND(F2, c, d, a, b, data[15] + 0xd8a1e681, 14); ROUND(F2, b, c, d, a, data[ 4] + 0xe7d3fbc8, 20); ROUND(F2, a, b, c, d, data[ 9] + 0x21e1cde6, 5); ROUND(F2, d, a, b, c, data[14] + 0xc33707d6, 9); ROUND(F2, c, d, a, b, data[ 3] + 0xf4d50d87, 14); ROUND(F2, b, c, d, a, data[ 8] + 0x455a14ed, 20); ROUND(F2, a, b, c, d, data[13] + 0xa9e3e905, 5); ROUND(F2, d, a, b, c, data[ 2] + 0xfcefa3f8, 9); ROUND(F2, c, d, a, b, data[ 7] + 0x676f02d9, 14); ROUND(F2, b, c, d, a, data[12] + 0x8d2a4c8a, 20); ROUND(F3, a, b, c, d, data[ 5] + 0xfffa3942, 4); ROUND(F3, d, a, b, c, data[ 8] + 0x8771f681, 11); ROUND(F3, c, d, a, b, data[11] + 0x6d9d6122, 16); ROUND(F3, b, c, d, a, data[14] + 0xfde5380c, 23); ROUND(F3, a, b, c, d, data[ 1] + 0xa4beea44, 4); ROUND(F3, d, a, b, c, data[ 4] + 0x4bdecfa9, 11); ROUND(F3, c, d, a, b, data[ 7] + 0xf6bb4b60, 16); ROUND(F3, b, c, d, a, data[10] + 0xbebfbc70, 23); ROUND(F3, a, b, c, d, data[13] + 0x289b7ec6, 4); ROUND(F3, d, a, b, c, data[ 0] + 0xeaa127fa, 11); ROUND(F3, c, d, a, b, data[ 3] + 0xd4ef3085, 16); ROUND(F3, b, c, d, a, data[ 6] + 0x04881d05, 23); ROUND(F3, a, b, c, d, data[ 9] + 0xd9d4d039, 4); ROUND(F3, d, a, b, c, data[12] + 0xe6db99e5, 11); ROUND(F3, c, d, a, b, data[15] + 0x1fa27cf8, 16); ROUND(F3, b, c, d, a, data[ 2] + 0xc4ac5665, 23); ROUND(F4, a, b, c, d, data[ 0] + 0xf4292244, 6); ROUND(F4, d, a, b, c, data[ 7] + 0x432aff97, 10); ROUND(F4, c, d, a, b, data[14] + 0xab9423a7, 15); ROUND(F4, b, c, d, a, data[ 5] + 0xfc93a039, 21); ROUND(F4, a, b, c, d, data[12] + 0x655b59c3, 6); ROUND(F4, d, a, b, c, data[ 3] + 0x8f0ccc92, 10); ROUND(F4, c, d, a, b, data[10] + 0xffeff47d, 15); ROUND(F4, b, c, d, a, data[ 1] + 0x85845dd1, 21); ROUND(F4, a, b, c, d, data[ 8] + 0x6fa87e4f, 6); ROUND(F4, d, a, b, c, data[15] + 0xfe2ce6e0, 10); ROUND(F4, c, d, a, b, data[ 6] + 0xa3014314, 15); ROUND(F4, b, c, d, a, data[13] + 0x4e0811a1, 21); ROUND(F4, a, b, c, d, data[ 4] + 0xf7537e82, 6); ROUND(F4, d, a, b, c, data[11] + 0xbd3af235, 10); ROUND(F4, c, d, a, b, data[ 2] + 0x2ad7d2bb, 15); ROUND(F4, b, c, d, a, data[ 9] + 0xeb86d391, 21); digest[0] += a; digest[1] += b; digest[2] += c; digest[3] += d; } nettle-3.10/cnd-copy.c0000644000175000017500000000257314633602171013646 0ustar nissenisse/* cnd-copy.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ecc-internal.h" void cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n) { mp_limb_t mask, keep; mp_size_t i; mask = -(mp_limb_t) cnd; keep = ~mask; for (i = 0; i < n; i++) rp[i] = (rp[i] & keep) + (ap[i] & mask); } nettle-3.10/blowfish-bcrypt.c0000644000175000017500000004310614633602171015245 0ustar nissenisse/* blowfish-bcrypt.c The blowfish bcrypt implementation. Copyright (c) 2020 Stephen R. van den Berg This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H #include "config.h" #endif #include #include #include #include "blowfish.h" #include "blowfish-internal.h" #include "base64.h" #include "bswap-internal.h" #include "macros.h" #define CRYPTPLEN 7 #define SALTLEN ((BLOWFISH_BCRYPT_BINSALT_SIZE*8+5) / 6) #define HASHOFFSET (CRYPTPLEN + SALTLEN) static const signed char radix64_decode_table[0x100] = { /* White space is HT, VT, FF, CR, LF and SPC */ -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -2, -2, -2, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -2, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, -1, -1, -1, -3, -1, -1, -1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, -1, -1, -1, -1, -1, -1, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, }; static const char radix64_encode_table[64] = "./ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789"; int blowfish_bcrypt_verify(size_t lenkey, const uint8_t *key, size_t lenhashed, const uint8_t *hashed) { uint8_t newhash[BLOWFISH_BCRYPT_HASH_SIZE]; return blowfish_bcrypt_hash(newhash, lenkey, key, lenhashed, hashed, -1, (void*)0) && !strcmp((const char*)newhash, (const char*)hashed); } static char *encode_radix64(char *dst, size_t len, const uint8_t *src) { struct base64_encode_ctx ctx; base64_encode_init(&ctx); ctx.alphabet = radix64_encode_table; dst += base64_encode_update(&ctx, dst, len, src); dst += base64_encode_final(&ctx, dst); *--dst = '\0'; /* Strip the trailing = */ return dst; } /* * Large parts of the code below are based on public domain sources. * The comments and copyright notices have been preserved. * Any code added or modified by me is licensed under the * licenses listed above. -- Stephen R. van den Berg */ /* * This code comes from John the Ripper password cracker, with reentrant * and crypt(3) interfaces added, but optimizations specific to password * cracking removed. * * Written by Solar Designer in 1998-2015. * No copyright is claimed, and the software is hereby placed in the public * domain. In case this attempt to disclaim copyright and place the software * in the public domain is deemed null and void, then the software is * Copyright (c) 1998-2015 Solar Designer and it is hereby released to the * general public under the following terms: * * Redistribution and use in source and binary forms, with or without * modification, are permitted. * * There's ABSOLUTELY NO WARRANTY, express or implied. * * It is my intent that you should be able to use this on your system, * as part of a software package, or anywhere else to improve security, * ensure compatibility, or for any other purpose. I would appreciate * it if you give credit where it is due and keep your modifications in * the public domain as well, but I don't require that in order to let * you place this code and any modifications you make under a license * of your choice. * * This implementation is fully compatible with OpenBSD's bcrypt.c for prefix * "$2b$", originally by Niels Provos , and it uses * some of his ideas. The password hashing algorithm was designed by David * Mazieres . For information on the level of * compatibility for bcrypt hash prefixes other than "$2b$", please refer to * the comments in set_key() below and to the included crypt(3) man page. */ typedef uint32_t bf_key[_BLOWFISH_ROUNDS + 2]; /* * Magic IV for 64 Blowfish encryptions that we do at the end. * The string is "OrpheanBeholderScryDoubt" on big-endian. */ static uint32_t magic_w[6] = { 0x4F727068, 0x65616E42, 0x65686F6C, 0x64657253, 0x63727944, 0x6F756274 }; static void set_xkey(size_t lenkey, const uint8_t *key, bf_key expanded, bf_key initial, unsigned bug, uint32_t safety) { const uint8_t *ptr = key; size_t n = lenkey; unsigned i, j; uint32_t sign, diff, tmp[2]; /* * There was a sign extension bug in older revisions of this function. While * we would have liked to simply fix the bug and move on, we have to provide * a backwards compatibility feature (essentially the bug) for some systems and * a safety measure for some others. The latter is needed because for certain * multiple inputs to the buggy algorithm there exist easily found inputs to * the correct algorithm that produce the same hash. Thus, we optionally * deviate from the correct algorithm just enough to avoid such collisions. * While the bug itself affected the majority of passwords containing * characters with the 8th bit set (although only a percentage of those in a * collision-producing way), the anti-collision safety measure affects * only a subset of passwords containing the '\xff' character (not even all of * those passwords, just some of them). This character is not found in valid * UTF-8 sequences and is rarely used in popular 8-bit character encodings. * Thus, the safety measure is unlikely to cause much annoyance, and is a * reasonable tradeoff to use when authenticating against existing hashes that * are not reliably known to have been computed with the correct algorithm. * * We use an approach that tries to minimize side-channel leaks of password * information - that is, we mostly use fixed-cost bitwise operations instead * of branches or table lookups. (One conditional branch based on password * length remains. It is not part of the bug aftermath, though, and is * difficult and possibly unreasonable to avoid given the use of C strings by * the caller, which results in similar timing leaks anyway.) * * For actual implementation, we set an array index in the variable "bug" * (0 means no bug, 1 means sign extension bug emulation) and a flag in the * variable "safety" (bit 16 is set when the safety measure is requested). * Valid combinations of settings are: * * Prefix "$2a$": bug = 0, safety = 0x10000 * Prefix "$2b$": bug = 0, safety = 0 * Prefix "$2x$": bug = 1, safety = 0 * Prefix "$2y$": bug = 0, safety = 0 */ sign = diff = 0; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i++) { tmp[0] = tmp[1] = 0; for (j = 0; j < 4; j++) { tmp[0] <<= 8; tmp[0] |= (unsigned char)*ptr; /* correct */ tmp[1] <<= 8; tmp[1] |= (signed char)*ptr; /* bug */ /* * Sign extension in the first char has no effect - nothing to overwrite yet, * and those extra 24 bits will be fully shifted out of the 32-bit word. For * chars 2, 3, 4 in each four-char block, we set bit 7 of "sign" if sign * extension in tmp[1] occurs. Once this flag is set, it remains set. */ if (j) sign |= tmp[1] & 0x80; if (n--) ptr++; else ptr = key, n = lenkey; } diff |= tmp[0] ^ tmp[1]; /* Non-zero on any differences */ expanded[i] = tmp[bug]; initial[i] = _nettle_blowfish_initial_ctx.p[i] ^ tmp[bug]; } /* * At this point, "diff" is zero if the correct and buggy algorithms produced * exactly the same result. If so and if "sign" is non-zero, which indicates * that there was a non-benign sign extension, this means that we have a * collision between the correctly computed hash for this password and a set of * passwords that could be supplied to the buggy algorithm. Our safety measure * is meant to protect from such many-buggy to one-correct collisions, by * deviating from the correct algorithm in such cases. Let's check for this. */ diff |= diff >> 16; /* still zero if exact match */ diff &= 0xffff; /* ditto */ diff += 0xffff; /* bit 16 set if "diff" was non-zero (on non-match) */ sign <<= 9; /* move the non-benign sign extension flag to bit 16 */ sign &= ~diff & safety; /* action needed? */ /* * If we have determined that we need to deviate from the correct algorithm, * flip bit 16 in initial expanded key. (The choice of 16 is arbitrary, but * let's stick to it now. It came out of the approach we used above, and it's * not any worse than any other choice we could make.) * * It is crucial that we don't do the same to the expanded key used in the main * Eksblowfish loop. By doing it to only one of these two, we deviate from a * state that could be directly specified by a password to the buggy algorithm * (and to the fully correct one as well, but that's a side-effect). */ initial[0] ^= sign; } static int ibcrypt(uint8_t *dst, size_t lenkey, const uint8_t *key, size_t lenscheme, const uint8_t *scheme, int minlog2rounds, int log2rounds, const uint8_t *salt) { struct { struct blowfish_ctx ctx; bf_key expanded_key; union { uint32_t salt[4]; uint32_t output[6]; } binary; } data; uint8_t psalt[BLOWFISH_BCRYPT_BINSALT_SIZE]; uint32_t L, R; uint32_t *ptr; uint32_t count; int i; unsigned cscheme; unsigned bug = 0; uint32_t safety = 0; if (lenscheme < 2) return 0; if (lenscheme >= 3 && *scheme++ != '$') return 0; if (*scheme++ != '2') return 0; switch (cscheme = *scheme++) { default: return 0; case 'a': safety = 0x10000; break; case 'x': bug = 1; break; case 'b': case 'y': break; } if (lenscheme >= 4) { if (*scheme++ != '$') return 0; if (lenscheme >= 6) { if (log2rounds < 0) { unsigned c = *scheme++ - '0'; if (c > 9) return 0; log2rounds = c * 10; c = *scheme++ - '0'; if (c > 9) return 0; log2rounds += c; } else scheme += 2; if (lenscheme >= CRYPTPLEN && *scheme++ != '$') return 0; if (lenscheme >= HASHOFFSET && !salt) { struct base64_decode_ctx ctx; size_t saltlen = BLOWFISH_BCRYPT_BINSALT_SIZE; base64_decode_init(&ctx); ctx.table = radix64_decode_table; if (!base64_decode_update(&ctx, &saltlen, (uint8_t *) data.binary.salt, SALTLEN, (const char*) scheme) || saltlen != BLOWFISH_BCRYPT_BINSALT_SIZE) return 0; } } } if (salt) memcpy(data.binary.salt, salt, BLOWFISH_BCRYPT_BINSALT_SIZE); else if (lenscheme < HASHOFFSET) return 0; memcpy(psalt, data.binary.salt, BLOWFISH_BCRYPT_BINSALT_SIZE); bswap32_n_if_le (4, data.binary.salt); if (log2rounds < minlog2rounds || log2rounds > 31) return 0; count = (uint32_t)1 << log2rounds; set_xkey(lenkey, key, data.expanded_key, data.ctx.p, bug, safety); memcpy(data.ctx.s, _nettle_blowfish_initial_ctx.s, sizeof(data.ctx.s)); L = R = 0; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { L ^= data.binary.salt[i & 2]; R ^= data.binary.salt[(i & 2) + 1]; _nettle_blowfish_encround(&data.ctx, &L, &R); data.ctx.p[i] = L; data.ctx.p[i + 1] = R; } ptr = data.ctx.s[0]; do { ptr += 4; L ^= data.binary.salt[(_BLOWFISH_ROUNDS + 2) & 3]; R ^= data.binary.salt[(_BLOWFISH_ROUNDS + 3) & 3]; _nettle_blowfish_encround(&data.ctx, &L, &R); *(ptr - 4) = L; *(ptr - 3) = R; L ^= data.binary.salt[(_BLOWFISH_ROUNDS + 4) & 3]; R ^= data.binary.salt[(_BLOWFISH_ROUNDS + 5) & 3]; _nettle_blowfish_encround(&data.ctx, &L, &R); *(ptr - 2) = L; *(ptr - 1) = R; } while (ptr < &data.ctx.s[3][0xFF]); do { int done; for (i = 0; i < _BLOWFISH_ROUNDS + 2; i += 2) { data.ctx.p[i] ^= data.expanded_key[i]; data.ctx.p[i + 1] ^= data.expanded_key[i + 1]; } done = 0; do { uint32_t tmp1, tmp2, tmp3, tmp4; L = R = 0; ptr = data.ctx.p; do { ptr += 2; _nettle_blowfish_encround(&data.ctx, &L, &R); *(ptr - 2) = L; *(ptr - 1) = R; } while (ptr < &data.ctx.p[_BLOWFISH_ROUNDS + 2]); ptr = data.ctx.s[0]; do { ptr += 2; _nettle_blowfish_encround(&data.ctx, &L, &R); *(ptr - 2) = L; *(ptr - 1) = R; } while (ptr < &data.ctx.s[3][0xFF]); if (done) break; done = 1; tmp1 = data.binary.salt[0]; tmp2 = data.binary.salt[1]; tmp3 = data.binary.salt[2]; tmp4 = data.binary.salt[3]; for (i = 0; i < _BLOWFISH_ROUNDS; i += 4) { data.ctx.p[i] ^= tmp1; data.ctx.p[i + 1] ^= tmp2; data.ctx.p[i + 2] ^= tmp3; data.ctx.p[i + 3] ^= tmp4; } data.ctx.p[16] ^= tmp1; data.ctx.p[17] ^= tmp2; } while (1); } while (--count); for (i = 0; i < 6; i += 2) { L = magic_w[i]; R = magic_w[i + 1]; count = 64; do _nettle_blowfish_encround(&data.ctx, &L, &R); while (--count); data.binary.output[i] = L; data.binary.output[i + 1] = R; } *dst++ = '$'; *dst++ = '2'; *dst++ = cscheme; *dst++ = '$'; *dst++ = '0' + log2rounds / 10; *dst++ = '0' + log2rounds % 10; *dst++ = '$'; dst = (uint8_t*) encode_radix64((char*) dst, BLOWFISH_BCRYPT_BINSALT_SIZE, psalt) - 1; bswap32_n_if_le (6, data.binary.output); /* This has to be bug-compatible with the original implementation, so only encode 23 of the 24 bytes. */ encode_radix64((char*) dst, 23, (uint8_t *) data.binary.output); return cscheme; } /* * Please preserve the runtime self-test. It serves two purposes at once: * * 1. We really can't afford the risk of producing incompatible hashes e.g. * when there's something like gcc bug 26587 again, whereas an application or * library integrating this code might not also integrate our external tests or * it might not run them after every build. Even if it does, the miscompile * might only occur on the production build, but not on a testing build (such * as because of different optimization settings). It is painful to recover * from incorrectly-computed hashes - merely fixing whatever broke is not * enough. Thus, a proactive measure like this self-test is needed. * * 2. We don't want to leave sensitive data from our actual password hash * computation on the stack or in registers. Previous revisions of the code * would do explicit cleanups, but simply running the self-test after hash * computation is more reliable. * * The performance cost of this quick self-test is around 0.6% at the "$2a$08" * setting. */ int blowfish_bcrypt_hash(uint8_t *dst, size_t lenkey, const uint8_t *key, size_t lenscheme, const uint8_t *scheme, int log2rounds, const uint8_t *salt) { const uint8_t test_pw[] = "8b \xd0\xc1\xd2\xcf\xcc\xd8"; const uint8_t test_scheme[] = "$2a$00$abcdefghijklmnopqrstuu"; static const char * const test_hashes[2] = {"i1D709vfamulimlGcq0qq3UvuUasvEa\0\x55", /* 'a', 'b', 'y' */ "VUrPmXD6q/nVSSp7pNDhCR9071IfIRe\0\x55"}; /* 'x' */ const char *test_hash = test_hashes[0]; int cscheme; int ok; uint8_t bufs[sizeof(test_scheme) - 1]; uint8_t bufo[BLOWFISH_BCRYPT_HASH_SIZE]; *dst = '\0'; /* Hash the supplied password */ cscheme = ibcrypt(dst, lenkey, key, lenscheme, scheme, 4, log2rounds, salt); /* * Do a quick self-test. It is important that we make both calls to ibcrypt() * from the same scope such that they likely use the same stack locations, * which makes the second call overwrite the first call's sensitive data on the * stack and makes it more likely that any alignment related issues would be * detected by the self-test. */ memcpy(bufs, test_scheme, sizeof(test_scheme) - 1); if (cscheme) test_hash = test_hashes[(bufs[2] = cscheme) == 'x']; *bufo = 0; ok = ibcrypt(bufo, sizeof(test_pw) - 1, test_pw, sizeof(bufs), bufs, 0, -1, (void*)0); ok = (ok && !memcmp(bufo, bufs, sizeof(bufs)) && !memcmp(bufo + HASHOFFSET, test_hash, sizeof(test_hash) - 1)); { const uint8_t k[] = "\xff\xa3" "34" "\xff\xff\xff\xa3" "345"; bf_key ae, ai, ye, yi; set_xkey(sizeof(k) - 1, k, ae, ai, 0, 0x10000); /* $2a$ */ set_xkey(sizeof(k) - 1, k, ye, yi, 0, 0); /* $2y$ */ ai[0] ^= 0x10000; /* undo the safety (for comparison) */ ok = ok && ai[0] == 0xdb9c59bc && ye[17] == 0x33343500 && !memcmp(ae, ye, sizeof(ae)) && !memcmp(ai, yi, sizeof(ai)); } return ok && !!cscheme; } nettle-3.10/ChangeLog0000644000175000017500000176075014633602172013552 0ustar nissenisse2024-06-16 Niels Möller * examples/rsa-encrypt-test: Consistently add $EXEEXT to executable names. * examples/rsa-sign-test: Likewise. * examples/rsa-verify-test: Likewise. * examples/setup-env: Likewise. * tools/nettle-pbkdf2-test: Likewise. * tools/pkcs1-conv-test: Likewise * tools/sexp-conv-test: Likewise. * configure.ac: When cross-compiling targetting windows, always use "wine" as EMULATOR; using "wine64" for 64-bit windows seems no longer needed. 2024-06-15 Niels Möller * testsuite/Makefile.in (TS_SC_NETTLE): New variable. (DISTFILES): Unconditionally include side-channel tests, fix accidental dependence on IF_VALGRIND. 2024-06-11 Niels Möller * fat-arm64.c: Enable use of getauxval on android, for __ANDROID_API__ >= 18. 2024-06-10 Niels Möller From Eric Richter: * powerpc64/p8/sha256-compress-n.asm: New file. * powerpc64/fat/sha256-compress-n-2.asm: New file. * fat-ppc.c: Add fat setup for _nettle_sha256_compress_n. 2024-06-09 Niels Möller * ecc-internal.h (assert_maybe) [!WITH_EXTRA_ASSERTS]: Cast to void, to avoid warnings. 2024-06-05 Niels Möller * config.guess: Update to 2024-01-01 version. * config.sub: Update to 2024-01-01 version. 2024-06-02 Niels Möller * configure.ac: Bump package version, to 3.10. (LIBNETTLE_MINOR): Bump minor number, to 8.9. (LIBHOGWEED_MINOR): Bump minor number, to 6.9. 2024-06-01 Niels Möller * eddsa-hash.c (_eddsa_hash): Use NETTLE_OCTET_SIZE_TO_LIMB_SIZE. * ecc-hash.c (ecc_hash, gost_hash): Deleted file, moved functions to... * dsa-hash.c (_nettle_dsa_hash): Change to use mpn interface instead of mpz, replacing ecc_hash. (_nettle_gostdsa_hash): Moved here, renamed from gost_hash. * dsa-internal.h (_nettle_dsa_hash): Update declaration. (_nettle_gostdsa_hash): Moved declaration here. * ecc-internal.h (ecc_hash, gost_hash): Delete old declarations. * gmp-glue.h (NETTLE_BIT_SIZE_TO_LIMB_SIZE): New macro. * dsa-sign.c (dsa_sign): Adapt to _nettle_dsa_hash change. * dsa-verify.c (dsa_verify): Likewise. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use _nettle_dsa_hash. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. * ecc-gostdsa-sign.c (ecc_gostdsa_sign): Use _nettle_gostdsa_hash. * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise. * Makefile.in (hogweed_SOURCES): Delete ecc-hash.c 2024-05-15 Niels Möller * powerpc64/p8/gcm-aes-encrypt.asm: Reduce register usage. * powerpc64/p8/gcm-aes-decrypt.asm: Analogous changes. 2024-04-14 Niels Möller From Danny Tsen: Combined gcm-aes implementation for powerpc64. * configure.ac: Define HAVE_NATIVE_gcm_aes_encrypt and HAVE_NATIVE_gcm_aes_decrypt. (asm_nettle_optional_list): Add gcm-aes-encrypt.asm, gcm-aes-encrypt-2.asm, gcm-aes-decrypt.asm, and gcm-aes-decrypt-2.asm. * gcm-internal.h (_gcm_aes_encrypt, _gcm_aes_decrypt): Declare internal functions, and define as dummy macros when not supported. * gcm-aes128.c (gcm_aes128_encrypt): Use _gcm_aes_encrypt. (gcm_aes128_decrypt): Use _gcm_aes_encrypt. * gcm-aes192.c (gcm_aes192_encrypt, gcm_aes128_decrypt): Likewise. * gcm-aes256.c (gcm_aes256_encrypt, gcm_aes256_decrypt): Likewise. * Makefile.in (DISTFILES): Add gcm-internal.h. * powerpc64/machine.m4 (GF_MUL): New macro. * powerpc64/fat/gcm-aes-decrypt-2.asm: New file. * powerpc64/fat/gcm-aes-encrypt-2.asm: New file. * powerpc64/p8/gcm-aes-decrypt.asm: New file. * powerpc64/p8/gcm-aes-encrypt.asm: New file. * fat-setup.h (gcm_aes_crypt_func): New typedef. * fat-ppc.c: Fat setup for gcm_aes_encrypt and gcm_aes_decrypt. (gcm_aes_crypt_c): New nop implementation. 2024-03-29 Niels Möller * bswap-internal.h (nettle_bswap32_n): New inline function. (bswap32_n_if_le): New macro, to reduce code duplication. * blowfish-bcrypt.c (bswap32_if_le_n): Deleted, usage replaced with shared bswap32_n_if_le. * umac-set-key.c (bswap32_if_le_n): Likewise. 2024-03-28 Niels Möller * sha512-224-meta.c (nettle_sha512_224): Change name to "sha512_224", with underscore rather than dash. * sha512-256-meta.c (nettle_sha512_256): Analogous change. * nettle-meta-hashes.c (_nettle_hashes): Add nettle_sha512_224 and nettle_sha512_256. * testsuite/meta-hash-test.c: Update test. 2024-03-24 Niels Möller * testsuite/gcm-test.c (test_main): Add a test case that triggers 32-bit counter wraparound for gcm_aes256, and a larger 719 byte message. 2024-03-28 Niels Möller From Daiki Ueno: * shake128.c (sha3_128_init, sha3_128_update, sha3_128_shake) (sha3_128_shake_output): New file, new functions. * testsuite/shake128-test.c: New testcases. * Makefile.in (nettle_SOURCES): Add shake128.c. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake128-test.c. 2024-03-24 Niels Möller * sha3-shake.c (_nettle_sha3_shake, _nettle_sha3_shake_output): New file, new functions. Generalizations of sha3_256_shake and sha3_256_shake_output, respectively. (_nettle_sha3_shake_output): Use one's complement of index, instead of just setting high bit. * shake256.c (sha3_256_shake, sha3_256_shake_output): Implement in terms of calls to the new functions. * Makefile.in (nettle_SOURCES): Add sha3-shake.c. * sha3.c (_nettle_sha3_update): Use MD_FILL_OR_RETURN_INDEX. (sha3_xor_block): New function, taken out from sha3_absorb. (_nettle_sha3_pad): Call sha3_xor_block, not sha3_absorb. * sha3-internal.h (_sha3_pad_shake): By above change, no longer implies sha3_permute. (_sha3_pad_hash): Update, to still include a call to sha3_permute. * shake256.c (sha3_256_shake, sha3_256_shake_output): Update to call sha3_permute before generating output. 2024-03-20 Niels Möller * testsuite/gcm-test.c (test_main): Add a test case that triggers 32-bit counter wraparound for gcm_aes128. 2024-03-10 Niels Möller From Daiki Ueno: * shake256.c (sha3_256_shake_output): New function, incremental shake256 output. * testsuite/shake256-test.c (test_incremental): New function, for testing sha3_256_shake_output. (test_main): Use it. 2024-03-10 Niels Möller * poly1305-update.c (_nettle_poly1305_update): Explicitly check for empty input and return. * testsuite/testutils.c (test_aead): Test with associated split data into two pieces in different ways, respecting block boundaries. Also add a call to update(ctx, 0, NULL) in the middle, and encrypt and decrypt calls with empty input. 2024-03-08 Niels Möller Fix ubsan issues for empty hash updates. * macros.h (MD_UPDATE): Check upfront if length is zero. Avoids calling memcpy(dst, NULL, 0), which is undefined behavior. * sha256.c (sha256_update): Likewise. * sha3.c (_nettle_sha3_update): Likewise. * testsuite/testutils.c (test_hash): Test with message split into two pieces in different ways, and also add an call to update(ctx, 0, NULL) in the middle. 2024-02-16 Niels Möller RSA-OAEP support contributed by Nicolas Mora and Daiki Ueno: * rsa-oaep-encrypt.c (_rsa_oaep_encrypt) (rsa_oaep_sha256_encrypt, rsa_oaep_sha384_encrypt) (rsa_oaep_sha512_encrypt): New file, new functions. * rsa-oaep-decrypt.c (_rsa_oaep_decrypt) (rsa_oaep_sha256_decrypt, rsa_oaep_sha384_decrypt) (rsa_oaep_sha512_decrypt): New file, new functions. * rsa.h: Declare new RSA OAEP functions. * rsa-internal.h: Declare internal RSA OAEP functions. * oaep.c (_oaep_sec_decrypt_variable, _oaep_decode_mgf1) (_oaep_encode_mgf1): New file, new functions. * oaep.h: New file, declaring internal functions. * Makefile.in (hogweed_SOURCES): Add oaep.c, rsa-oaep-encrypt.c rsa-oaep-decrypt.c. (DISTFILES): Add oaep.h. * nettle.texinfo (RSA): Document RSA-OAEP functions. * testsuite/rsa-oaep-encrypt-test.c: New tests. * testsuite/testutils.c (test_rsa_set_key_2): New function. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add rsa-oaep-encrypt-test.c (TS_SC_HOGWEED): Add sc-rsa-oaep-encrypt-test. 2024-02-02 Niels Möller Optimize powerpc64 aes decrypt. Speedup of 80%-100%, depending on key size, when benchmarked on Power 10: * configure.ac (asm_replace_list): Add aes-invert-internal.asm. (asm_nettle_optional_list): Add aes-invert-internal-2.asm. * powerpc64/p8/aes-invert-internal.asm (_aes_invert): New file. Implementat _aes_invert as just a memcpy. * powerpc64/p8/aes-decrypt-internal.asm: Rework to use unmixed encryption subkeys, which fits better with the vncipher instruction, and eliminates lots of vxor instructions. * powerpc64/fat/aes-invert-internal-2.asm: New file. * aes-invert-internal.c: Check HAVE_NATIVE_aes_invert, and define _nettle_aes_invert_c wen needed. * fat-setup.h (aes_invert_internal_func): New typedef. * fat-ppc.c: Add fat setup for _aes_invert. 2024-01-28 Niels Möller * powerpc64/p8/aes-encrypt-internal.asm: Use r10-r12 consistently for indexing, and reducing number of used callee-save registers. * powerpc64/p8/aes-decrypt-internal.asm: Likewise. 2024-01-27 Niels Möller * aes-invert-internal.c (_nettle_aes_invert): Don't reorder the subkeys. * aes-decrypt-internal.c (_nettle_aes_decrypt): Updated to process subkeys starting from the end, and let subkeys pointer point at the subkey for the first decrypt round, located at the end of the array. * aes128-decrypt.c (nettle_aes128_decrypt): Updated accordingly. * aes192-decrypt.c (nettle_aes192_decrypt): Likewise. * aes256-decrypt.c (nettle_aes256_decrypt): Likewise. * arm/aes.m4 (AES_LOAD_INCR): New macro, specifying desired increment of key pointer. * arm/aes-decrypt-internal.asm: Updated for new conventions. * arm/v6/aes-decrypt-internal.asm: Likewise. * arm64/crypto/aes128-decrypt.asm: Likewise. * arm64/crypto/aes192-decrypt.asm: Likewise. * arm64/crypto/aes256-decrypt.asm: Likewise. * powerpc64/p8/aes-decrypt-internal.asm: Likewise. * sparc64/aes-decrypt-internal.asm: Likewise. * x86/aes-decrypt-internal.asm: Likewise. * x86_64/aes-decrypt-internal.asm: Likewise. * x86_64/aes-decrypt-internal.asm: Likewise. * x86_64/aesni/aes128-decrypt.asm: Likewise. * x86_64/aesni/aes192-decrypt.asm: Likewise. * x86_64/aesni/aes256-decrypt.asm: Likewise. 2024-01-26 Niels Möller Delete all sparc32 assembly. * sparc32/aes-decrypt-internal.asm: Deleted file. * sparc32/aes-encrypt-internal.asm: Deleted file. * configure.ac: Don't enable any assembly for 32-bit sparc. * Makefile.in (distdir): Don't distribute sparc32 files. * sparc64/aes.m4: Moved file, from... * sparc32/aes.m4: ... old location. * sparc64/aes-encrypt-internal.asm: Update for location of aes.m4. * sparc64/aes-decrypt-internal.asm: Likewise. 2024-01-23 Niels Möller * powerpc64/machine.m4 (GHASH_REDUCE): New macro. Improve scheduling, adding vpmsumd result last. * powerpc64/p8/ghash-update.asm: Use GHASH_REDUCE, slightly reduce vector register usage, simplify use of index registers. 2024-01-21 Niels Möller * powerpc64/machine.m4 (OPN_XXY, OPN_XXXY): New macros. * powerpc64/p8/aes-encrypt-internal.asm: Use macros for repeated instruction patterns. * powerpc64/p8/aes-decrypt-internal.asm: Likewise. 2023-12-27 Niels Möller * testsuite/gcm-test.c (test_main): Additional gcm test case, with 719 byte message, contributed by Danny Tsen. 2023-12-08 Niels Möller Delete all md5 assembly code. * md5.c (nettle_md5_compress): Move function and related macros here, from... * md5-compress.c: ... deleted file. * x86/md5-compress.asm: Deleted file. * x86_64/md5-compress.asm: Deleted file. * configure.ac: When checking for openssl, use AC_LINK_IFELSE to check if needed functions really are available. Just using AC_CHECK_LIB to check for, e.g., EVP_RSA_gen, doesn't work, since that is a macro that depends on including openssl/rsa.h.' 2023-12-06 Niels Möller * drbg-ctr-aes256.c (drbg_ctr_aes256_output): New helper function. (drbg_ctr_aes256_update, drbg_ctr_aes256_random): Use it. From Simon Josefsson: * drbg-ctr.h (struct drbg_ctr_aes256_ctx): New context struct. (DRBG_CTR_AES256_SEED_SIZE): New constant. * drbg-ctr-aes256.c (drbg_ctr_aes256_update) (drbg_ctr_aes256_init, drbg_ctr_aes256_random): New file, new functions. * testsuite/drbg-ctr-aes256-test.c: New testcase. * nettle.texinfo (Randomness): Document DRBG-CTR. 2023-12-05 Niels Möller From Tim Kosse: * fat-arm64.c (check_sysctlbyname) [__APPLE__]: New function. (get_arm64_features) [__APPLE__]: Fix feature detection for Apple M1 devices. * configure.ac: In openssl tests, check for the headers actually used by the benchmarking code, and for a subset of the relevant functions. * examples/nettle-openssl.c: Trim openssl includes and defines, and use Nettle's definition of sha1 and md5 constants. (nettle_openssl_init): Deleted. * examples/nettle-benchmark.c (main): Delete call to nettle_openssl_init. 2023-12-04 Niels Möller * examples/nettle-openssl.c (nettle_openssl_blowfish128) (nettle_openssl_des, openssl_cast128_set_encrypt_key): Deleted, since these algorithms are now available in openssl only via the "legacy provider". Also deleted declarations and usage. * examples/hogweed-benchmark.c (struct openssl_ctx): Unified struct, replacing openssl_rsa_ctx and openssl_ecdsa_ctx. (bench_openssl_init, bench_openssl_sign, bench_openssl_verify) (bench_openssl_clear): New functions, using EVP interfaces to signing, replacing rsa- and ecdsa-specific functions. (bench_openssl_rsa_init, bench_openssl_ecdsa_init): Use bench_openssl_init. 2023-11-23 Niels Möller * nettle-internal.h: Keep only declarations actually used internally in the library. * non-nettle.h: New file, contents extracted from nettle-internal.h, for use in test and benchmark code. * non-nettle.c: New file, renamed from ... * nettle-internal.c: ... old name, deleted. * Makefile.in (internal_SOURCES, DISTFILES): Updated accordingly. * testsuite/Makefile.in (TEST_OBJS): Replace ../nettle-internal.o with ../non-nettle.o, and update corresponding make rule. * examples/Makefile.in (BENCH_OBJS): Likewise. 2023-11-22 Niels Möller Revert part of the 2023-08-05 change. * rsa-sec-decrypt.c (rsa_sec_decrypt): Merge with _rsa_sec_decrypt, including input range check. (_rsa_sec_decrypt): Deleted. * rsa-internal.h (_rsa_sec_decrypt): Delete declaration. * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Always call rsa_sec_decrypt, but don't annotate the ciphertext input as undefined/secret. 2023-11-15 Niels Möller * ecc-mod-arith.c (ecc_mod_addmul_1): Use assert_maybe. * ecc-curve448.c (ecc_curve448_modp): Likewise. * ecc-curve25519.c (ecc_curve25519_modq): Likewise. * eddsa-hash.c (_eddsa_hash): Likewise. * eddsa-sign.c (_eddsa_sign): Likewise. * testsuite/curve25519-dh-test.c (test_g): Add calls to mark_bytes_undefined and mark_bytes_defined. (test_a): Likewise. (test_main): Skip side-channel tests in builds with mini-gmp or extra asserts enabled. * testsuite/curve448-dh-test.c: Analogous changes. * testsuite/ed448-test.c (test_one): Analogous changes. * testsuite/ed25519-test.c: Analogous changes. * testsuite/Makefile.in (TS_SC_HOGWEED): New make variable. Added sc-curve25519-dh-test, sc-curve448-dh-test, sc-ed25519-test, and sc-ed448-test to list. * testsuite/sc-curve25519-dh-test: New testcase. * testsuite/sc-curve448-dh-test: New testcase. * testsuite/sc-ed448-test: New testcase. * testsuite/sc-ed25519-test: New testcase. 2023-11-14 Niels Möller Add a first side-channel test for the ECC code. * configure.ac: New option --enable-extra-asserts. Enables asserts that are disabled by default, due to conflict with tests of side-channel silence. (WITH_EXTRA_ASSERTS): Corresponding new define. * ecc-internal.h (assert_maybe): Conditionally define this assert macro, depending on WITH_EXTRA_ASSERTS. * ecc-mod-arith.c: Convert most asserts to assert_maybe. * ecc-mod-inv.c (ecc_mod_inv): Likewise. * ecc-mod.c (ecc_mod): Likewise. * ecc-pm1-redc.c (ecc_pm1_redc): Likewise. * ecc-pp1-redc.c (ecc_pp1_redc): Likewise. * ecc-secp192r1.c (ecc_secp192r1_modp): Likewise. * ecc-secp384r1.c (ecc_secp384r1_modp): Likewise. * testsuite/ecdsa-sign-test.c (test_ecdsa): Add calls to mark_bytes_undefined and mark_bytes_defined. (test_main): Skip side-channel tests in builds with mini-gmp or extra asserts enabled. * testsuite/sc-ecdsa-sign-test: New testcase. * testsuite/Makefile.in (TS_SC): Add sc-ecdsa-sign-test. 2023-11-12 Niels Möller * gmp-glue.h (GMP_LIMB_BITS) [NETTLE_USE_MINI_GMP]: Define as alias for GMP_NUMB_BITS. (is_zero_limb): Move inline function here. Add static, for compatibility with c89. and mini-gmp builds. * gmp-glue.c (sec_zero_p): Use is_zero_limb. 2023-11-06 Niels Möller Avoid comparison like cnd = (x == 0) in code intended to be side-channel silent, since to eliminate branches with some compilers/architectures, in particular 32-bit x86 and the msvc compiler. * nettle-internal.h (IS_ZERO_SMALL): New macro. * memeql-sec.c (memeql_sec): Use IS_ZERO_SMALL. * pkcs1-sec-decrypt.c (EQUAL): Likewise. * cnd-copy.c (cnd_copy): Require that cnd argument is 1 or 0. * ecc-mul-a.c (ecc_mul_a) [ECC_MUL_A_WBITS == 0]: Rearrange loop to pass 0 or 1 to cnd_copy. * ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Likewise. * ecc-mul-a.c (ecc_mul_a) [ECC_MUL_A_WBITS > 0]: Use IS_ZERO_SMALL, and pass 0 or 1 to cnd_copy. * ecc-mul-g.c (ecc_mul_g): Likewise. * ecc-internal.h (is_zero_limb): New inline function. * eddsa-decompress.c (_eddsa_decompress): Likewise. * ecc-gostdsa-sign.c (ecc_gostdsa_sign): Likewise. * ecc-mod-arith.c (ecc_mod_zero_p): Likewise. (ecc_mod_equal_p): Avoid comparison cy == 0. * ecc-j-to-a.c (ecc_j_to_a): Avoid comparison cy == 0. 2023-10-06 Niels Möller * testsuite/rsa-sec-decrypt-test.c (test_main): Skip side-channel test if built with mini-gmp. * testsuite/sc-valgrind.sh (with_valgrind): Pass --exit-on-first-error=yes. * aclocal.m4 (NETTLE_PROG_VALGRIND): New macro. * configure.ac: Use it. * testsuite/Makefile.in (TS_SH): Include side-channel tests only if we have a working valgrind. * misc/c89: New wrapper script to force compiling in c89 mode. 2023-10-04 Niels Möller * bswap-internal.h (bswap32_if_be, bswap32_if_le): New macros. * blowfish-bcrypt.c (bswap32_if_le_n): Rename, to not collide with new macro. (bswap32_if_le): ... old name, deleted. * umac-set-key.c (bswap32_if_le_n): Define in the same way as for bcrypt, replacing... (BE_SWAP32_N): ...deleted macro. * umac-l3.c (_nettle_umac_l3_init): Use bswap64_if_le. * umac-l2.c (_nettle_umac_l2_init): Use bswap32_if_le. * chacha-core-internal.c (_nettle_chacha_core): Use bswap32_if_be. * salsa20-core-internal.c (_nettle_salsa20_core): Likewise * umac-l2.c (_nettle_umac_l2_final): Delete redundant assignment. 2023-10-03 Niels Möller * Makefile.in (check-fat): Reduce tests to run to TS_FAT, to speed up tests. * testsuite/Makefile.in (TS_FAT): Define list of tests relevant for testing algorithm variants in fat builds. * testsuite/ecc-mod-arith-test.c: Reduce test count, aiming to get test to complete in roughly 0.1s. * testsuite/ecc-mod-test.c: Likewise. * testsuite/ecc-modinv-test.c: Likewise. * testsuite/ecc-mul-a-test.c: Likewise. * testsuite/ecc-redc-test.c: Likewise. * testsuite/ecc-sqrt-test.c: Likewise. * testsuite/eddsa-compress-test.c: Likewise. * testsuite/poly1305-test.c: Likewise. * testsuite/random-prime-test.c: Likewise. * testsuite/rsa-compute-root-test.c: Likewise. * testsuite/rsa-sec-decrypt-test.c: Likewise. * testsuite/Makefile.in (TS_SH): Delete tools tests from list. * tools/Makefile.in (check): Run tools tests from this target. (TS_ALL): New variable. (DISTFILES): Add TS_ALL files. * testsuite/teardown-env: Deleted, intead let make clean delete test files. * tools/nettle-pbkdf2-test: Moved, from testseuite/. * tools/sexp-conv-test: Likewise. * tools/pkcs1-conv-test: Likewise. 2023-08-05 Niels Möller * testsuite/testutils.c (mark_bytes_undefined) (mark_bytes_defined): New functions. Update side-channel related tests to use them. (main): Check environment variable NETTLE_TEST_SIDE_CHANNEL. (test_side_channel): New global variable. * testsuite/sc-valgrind.sh (with_valgrind): New file, new shell utility function. * testsuite/sc-pkcs1-sec-decrypt-test: New test, for side channel silence. * testsuite/sc-memeql-test: Likewise. * testsuite/sc-gcm-test: Likewise. * testsuite/sc-cnd-memcpy-test: Likewise. * testsuite/rsa-sec-decrypt-test: Likewise. * rsa-sec-decrypt.c (_rsa_sec_decrypt): New internal function, without input range checks. (rsa_sec_decrypt): Use it. 2023-08-02 Niels Möller * configure.ac: Replace obsoleted macros, require autoconf-2.69, from 2012, or later. * aclocal.m4: Likewise. * aclocal.m4 (LSH_FUNC_STRERROR): Delete macro. (LSH_FUNC_STRSIGNAL): Delete unused macro. * configure.ac: Delete usage of LSH_FUNC_STRERROR. * tools/nettle-hash.c (main): Use strerror unconditionally. * tools/nettle-pbkdf2.c (main): Likewise. 2023-08-01 Niels Möller * configure.ac: Delete special handling of rntcl; it should be treated like any other cross compiler. Delete obsolete check of ac_cv_prog_cc_stdc. 2023-06-01 Niels Möller * Released Nettle-3.9.1. 2023-05-26 Niels Möller * configure.ac: Bump package version, to 3.9.1. (LIBNETTLE_MINOR): Bump minor number, to 8.8. (LIBHOGWEED_MINOR): Bump minor number, to 6.8. 2023-05-19 Niels Möller From Jussi Kivilinna: * ocb.c (ocb_crypt_n): Fix broken loop logic. * testsuite/ocb-test.c (test_main): Add test vector from libgcrypt, with larger message, to exercise above loop. 2023-05-16 Niels Möller * x86_64/ghash-update.asm: Use separate unaligned load instructions (movups) to load the tabulated values, since they are only 8-byte aligned and pand memory operands require 16-byte alignment. 2023-05-15 Niels Möller * eccdata.c (output_bignum_redc): Add missing mpz_clear, reported by Noah Watkins. (output_digits): Delete a gratuitous mpz_init. 2023-05-14 Niels Möller * Released nettle-3.9. 2023-05-12 Niels Möller * texinfo.tex: Delete unused file. Copy files from https://git.savannah.gnu.org/cgit/gnulib.git/plain/build-aux/ * install-sh: Update to 2020-11-14.01 version. * config.guess: Update to 2023-01-01 version. * config.sub: Update to 2023-01-21 version. 2023-05-10 Niels Möller Fix compile error in --disable-public-key configuration. * testsuite/sha1-test.c: Add missing include of sha1.h. * testsuite/sha256-test.c: Add missing include of sha2.h. 2023-05-07 Niels Möller * configure.ac: Bump package version, to 3.9. (LIBNETTLE_MINOR): Bump minor number, to 8.7 (8.6 was used for Nettle-3.8.1). (LIBHOGWEED_MINOR): Bump minor number, to 6.7. 2023-04-25 Niels Möller Rework tests of SIV message functions. * testsuite/siv-gcm-test.c (nettle_encrypt_message_func) (nettle_decrypt_message_func): Delete typedefs. (test_compare_results, test_cipher_siv_gcm): Delete functions. (test_siv_gcm_aes128, test_siv_gcm_aes256): Delete macros. (siv_gcm_aes128, siv_gcm_aes256): New algorithm structs. (test_main): Use test_aead_message. * testsuite/siv-cmac-test.c (nettle_encrypt_message_func) (nettle_decrypt_message_func): Delete typedefs. (test_compare_results, test_cipher_siv): Delete functions. (test_siv_aes128, test_siv_aes256): Delete macros. (siv_cmac_aes128, siv_cmac_aes256): New algorithm structs. (test_main): Use test_aead_message. 2023-04-24 Niels Möller Rework tests of OCB message functions. * testsuite/testutils.c (test_aead_message): New function, for testing AEAD message functions. * testsuite/testutils.h (nettle_encrypt_message_func) (nettle_decrypt_message_func): New typedefs. (struct nettle_aead_message): New struct. * testsuite/ocb-test.c (nettle_encrypt_message_func) (nettle_decrypt_message_func): Deleted typedefs. (test_compare_results): Deleted function. (test_ocb_aes128): Deleted macro. (struct ocb_aes128_message_key): New struct. (ocb_aes128_set_encrypt_key_wrapper) (ocb_aes128_set_decrypt_key_wrapper) (ocb_aes128_encrypt_message_wrapper) (ocb_aes128_decrypt_message_wrapper): New wrapper functions, using above ocb_aes128_message_key for both encrypt and decrypt, and a fix tag length of 16 octets. (ocb_aes128_message): New algorithm struct, with above wrappers. (test_main): Use test_aead_message. 2023-04-23 Niels Möller * testsuite/siv-cmac-test.c: Renamed file, from... * testsuite/siv-test.c: ... old name. 2023-04-13 Niels Möller * ghash-update.c (gcm_gf_mul): Rewrite to avoid side-channel leakage. Now processes the message bits one at a time, using tabulated values of the key premultiplied by appropriate powers of x, so that the table is accessed in a fixed sequential order. Performance penalty, on x86_64, is roughly 3 times. (shift_table): Deleted table. (gcm_gf_shift_8): Deleted function. * ghash-set-key.c (_ghash_set_key): Rewrite table generation. * gcmdata.c: Deleted. * Makefile.in: Delete references to gcmdata. * x86_64/ghash-update.asm: Rewritten, similar side-channel silent method as the C implementation, with same table layout, but using sse2 instructions. * testsuite/gcm-test.c (test_ghash_internal): Add valgrind annotations, to verify that the ghash implementation makes no data-dependent branches or memory accesses. * examples/nettle-benchmark.c (bench_ghash_update): New function. 2023-04-03 Niels Möller From Mamone Tarsha: * x86_64/pclmul/ghash-update.asm: New loop to process two blocks at a time. * x86_64/pclmul/ghash-set-key.asm: Likewise. 2023-03-25 Niels Möller * ocb.h (OCB_MAX_NONCE_SIZE): New constant. 2023-02-16 Niels Möller * x86_64/sha256-compress-n.asm: Fix incorrect w64 setup. Report and fix from Gisle Vanem. 2023-02-08 Niels Möller * examples/nettle-benchmark.c (main): Benchmark ocb_aes128. 2023-02-07 Niels Möller Implement OCB mode. RFC 7253. * block-internal.h (block16_set): New function. * ocb.c (ocb_set_key, ocb_set_nonce, ocb_update, ocb_encrypt) (ocb_decrypt, ocb_encrypt_message, ocb_decrypt_message): New public functions. (MEM_ROTATE_RIGHT, MEM_MASK): New macros. (extract, update_offset, pad_block, ocb_fill_n, ocb_crypt_n) (ocb_checksum_n): New helper functions. * ocb-aes128.c (ocb_aes128_set_encrypt_key) (ocb_aes128_set_decrypt_key, ocb_aes128_set_nonce) (ocb_aes128_update, ocb_aes128_encrypt, ocb_aes128_decrypt) (ocb_aes128_digest, ocb_aes128_encrypt_message) (ocb_aes128_decrypt_message): New file, new functions. * ocb.h: Declare ocb functions. (struct ocb_key): New struct. (struct ocb_ctx): New struct. (struct ocb_aes128_encrypt_key): New struct. * Makefile.in (nettle_SOURCES): Add ocb.c ocb-aes128.c. (HEADERS): Add ocb.h. * nettle-internal.c (nettle_ocb_aes128) (ocb_aes128_set_encrypt_key_wrapper) (ocb_aes128_set_decrypt_key_wrapper) (ocb_aes128_set_nonce_wrapper, ocb_aes128_update_wrapper) (ocb_aes128_encrypt_wrapper, ocb_aes128_decrypt_wrapper) (ocb_aes128_digest_wrapper): New aead algorithm, and related wrapper functions. * nettle-internal.h (OCB_NONCE_SIZE): New constant. (struct ocb_aes128_ctx): New struct. * testsuite/ocb-test.c: New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add ocb-test.c. 2023-02-06 Niels Möller * testsuite/testutils.c (test_aead): Always use set_nonce function pointer if non-NULL, test varying alignment, output the unexpected data when test fails. 2022-12-05 Niels Möller * xts-aes128.c (xts_aes128_encrypt_message) (xts_aes128_decrypt_message): const-declare the xts_key argument. * xts-aes256.c (xts_aes256_encrypt_message) (xts_aes256_decrypt_message): Likewise. 2022-11-09 Niels Möller From Mamone Tarsha: * powerpc64/p9/poly1305-blocks.asm: New file, multi-block radix 2^44 implementation. Benchmarked to give a speedup of 3.2 times on Power9. * powerpc64/p9/poly1305.m4 (DEFINES_BLOCK_R64, BLOCK_R64): New file, new macros. * powerpc64/p9/poly1305-internal.asm: Use BLOCK_R64 macro. * powerpc64/machine.m4 (INC_GPR, INC_VR): New macros. * powerpc64/fat/poly1305-blocks.asm: New file. * poly1305-update.c: Check HAVE_NATIVE_fat_poly1305_blocks, and define _nettle_poly1305_blocks_c when needed. * fat-ppc.c: Fat setup for _nettle_poly1305_blocks. 2022-11-07 Niels Möller * configure.ac (ASM_FLAGS): New configure environment variable. * aclocal.m4 (GMP_TRY_ASSEMBLE): Use $ASM_FLAGS. * config.make.in (ASM_FLAGS): Add substitution. * Makefile.in: Use $(ASM_FLAGS) when compiling .asm files. 2022-10-31 Niels Möller * configure.ac: (asm_file_list): Add HAVE_NATIVE_poly1305_blocks. (asm_nettle_optional_list): Add poly1305-blocks.asm. * x86_64/poly1305-blocks.asm: New file. * md-internal.h (MD_FILL_OR_RETURN_INDEX): New macro. * poly1305-update.c (_nettle_poly1305_update): New file and function. * poly1305-internal.h: Declare _nettle_poly1305_blocks and _nettle_poly1305_update. * chacha-poly1305.c (poly1305_update): Use _nettle_poly1305_update. * poly1305-aes.c (poly1305_aes_update): Likewise. * Makefile.in (nettle_SOURCES): Add poly1305-update.c. 2022-10-13 Niels Möller * gmp-glue.c (mpn_sec_tabselect) [NETTLE_USE_MINI_GMP]: Add back here, to support mini-gmp builds. Updated signature to be compatible with the gmp version. * gmp-glue.h: Add declaration. 2022-10-11 Niels Möller * sec-tabselect.c (sec_tabselect): Delete file and function. All callers updated to use gmp's mpn_sec_tabselect instead, which is implemented in assembly on many platforms. 2022-10-02 Niels Möller * examples/ecc-benchmark.c (bench_curve): Add benchmarking of modulo q inversion. 2022-09-29 Niels Möller * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Call ecc_mul_g and ecc_mul_a directly, not via function pointers. (ecc_ecdsa_verify_itch): Use ECC_MUL_A_ITCH rather than ecc->mul_itch. * ecc-gostdsa-verify.c (ecc_gostdsa_verify_itch) (ecc_gostdsa_verify): Analogous changes. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Call ecc_mul_g and ecc_j_to_a directly, not via function pointers. (ecc_ecdsa_sign_itch): Use ECC_MUL_G_ITCH rather than ecc->mul_g_itch. * ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign): Analogous changes. 2022-09-28 Niels Möller * testsuite/meta-hash-test.c (test_main): Add check of NETTLE_MAX_HASH_BLOCK_SIZE. * nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE): Increase to 144, to accommodate sha3_224. * testsuite/meta-cipher-test.c (test_main): Check that cipher metadata doesn't exceed NETTLE_MAX_CIPHER_BLOCK_SIZE or NETTLE_MAX_CIPHER_KEY_SIZE. From Daiki Ueno: * siv-gcm.c (siv_gcm_encrypt_message, siv_gcm_decrypt_message): New file, implementation of SIV-GCM. * siv-gcm.h (SIV_GCM_BLOCK_SIZE, SIV_GCM_DIGEST_SIZE) (SIV_GCM_NONCE_SIZE): New header file, new constants and declarations. * siv-gcm-aes128.c (siv_gcm_aes128_encrypt_message) (siv_gcm_aes128_decrypt_message): New file and functions. * siv-gcm-aes256.c (siv_gcm_aes256_encrypt_message) (siv_gcm_aes256_decrypt_message): Likewise. * siv-ghash-set-key.c (_siv_ghash_set_key): New file, new internal function. * siv-ghash-update.c (_siv_ghash_update): Likewise. * block-internal.h (block16_bswap): New inline function. * bswap-internal.h (bswap64_if_be): New macro. * nettle-internal.h (NETTLE_MAX_CIPHER_KEY_SIZE): New constant. * Makefile.in (nettle_SOURCES): Add new source files. (HEADERS): Add siv-gcm.h. * testsuite/siv-gcm-test.c: New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add siv-gcm-test.c. * nettle.texinfo (SIV-GCM): Documentation. From Zoltan Fridrich: * balloon.c (balloon, balloon_itch): Implementation of balloon password hash. * balloon.h: New header file. * balloon-sha1.c (balloon_sha1): New file and function. * balloon-sha256.c (balloon_sha256): Likewise. * balloon-sha384.c (balloon_sha384): Likewise. * balloon-sha512.c (balloon_sha512): Likewise. * Makefile.in (nettle_SOURCES): Add balloon source files. (HEADERS): Add ballon.h. * testsuite/balloon-test.c: New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add balloon-test.c. 2022-09-14 Niels Möller * ecc-nonsec-add-jjj.c (ecc_nonsec_add_jjj): New file and function. * ecc-internal.h: Declare it. * Makefile.in (hogweed_SOURCES): Add ecc-nonsec-add-jjj.c. * testsuite/ecc-add-test.c (test_main): Add tests for ecc_nonsec_add_jjj. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_nonsec_add_jjj, to produce correct result in a corner case where point addition needs to use point duplication. Also use ecc_j_to_a rather than ecc->h_to_a, since ecdsa supports only weierstrass curves. * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Analogous change. * testsuite/ecdsa-verify-test.c (test_main): Add corresponding test. * testsuite/ecdsa-sign-test.c (test_main): And a test producing the problematic signature. 2022-09-08 Niels Möller * eccdata.c (string_toupper): New utility function. (output_modulo): Move more of the per-modulo output here. (output_curve): Remove corresponding code. 2022-08-31 Niels Möller * bswap-internal.h (nettle_bswap64, nettle_bswap32) (bswap64_if_le): New header file, new inline functions/macros. * gcm.c (gcm_hash_sizes): Use bswap64_if_le, and bswap-internal.h, replacing local definition of bswap_if_le. * nist-keywrap.c (nist_keywrap16): Likewise. * blowfish-bcrypt.c (swap32): Renamed function, to... (bswap32_if_le): ...new name, rewritten to use nettle_bswap32. Update call sites. * Makefile.in (DISTFILES): Add bswap-internal.h. 2022-08-18 Niels Möller * Makefile.in (HEADERS): Add sm4.h. From Tianjia Zhang: SM4 block cipher. * sm4.c: New file. * sm4.h: New file. * sm4-meta.c: New file. * gcm-sm4.c: New file * gcm-sm4-meta.c: New file. * nettle.texinfo: Document SM4. * testsuite/gcm-test.c (test_main): Add SM4 tests. * testsuite/sm4-test.c: New file. * configure.ac (ABI): Change mips abi check to apply only to mips64. 2022-08-17 Niels Möller * testsuite/testutils.c (mpz_urandomm) [NETTLE_USE_MINI_GMP]: New fallback definition when building with mini-gmp. 2022-08-16 Niels Möller * ecc-mod-arith.c (ecc_mod_sub): Ensure that if inputs are in the range 0 <= a, b < 2m, then output is in the same range. * eccdata.c (output_curve): New outputs ecc_Bm2p and ecc_Bm2q. * ecc-internal.h (struct ecc_modulo): New member Bm2m (B^size - 2m), needed by ecc_mod_sub. Update all curves. * testsuite/ecc-mod-arith-test.c: New tests for ecc_mod_add and ecc_mod_sub. * eccdata.c (output_modulo): Output the limb size, delete return value. (output_curve): Update calls to output_modulo, other minor cleanup. 2022-08-07 Niels Möller Delete all arcfour assembly code. * arcfour.c (arcfour_crypt): Moved function here, from... * arcfour-crypt.c: ... deleted file. * sparc32/arcfour-crypt.asm: Deleted. * sparc64/arcfour-crypt.asm: Deleted. * x86/arcfour-crypt.asm: Deleted. * asm.m4: Delete arcfour structure offsets. 2022-08-07 Niels Möller Based on patch from Corentin Labbe: * nettle.texinfo: Document sha256_compress, sha512_compress, md5_compress and sha1_compress. * configure.ac: Refer to nettle-types.h, rather than arcfour.c, for AC_CONFIG_SRCDIR. 2022-08-05 Niels Möller * nettle-internal.h: Include stdlib.h, fix alloca warnings on BSD. * hmac.c: Delete corresponding include here, no longer needed. * getopt.c: Include stdlib.h and unistd.h unconditionally, similarly to the gnulib version of this file. 2022-08-04 Niels Möller From Brad Smith: * configure.ac: Fix 64-bit MIPS ABI check for other OS's like *BSD / Linux. * aclocal.m4 (LSH_CCPIC): Use proper PIC flag for *BSD OS's. * blowfish-bcrypt.c (swap32): Eliminate conflict with OpenBSD's swap32 macro. 2022-07-29 Niels Möller * s390x/msa_x1/sha256-compress-n.asm: New file. replacing... * s390x/msa_x1/sha256-compress.asm: ...deleted file. * s390x/fat/sha256-compress-n-2.asm: New file. replacing... * s390x/fat/sha256-compress-2.asm: ...deleted file. * fat-s390x.c: Update fat setup. 2022-07-26 Niels Möller * arm/v6/sha256-compress-n.asm: New file. replacing... * arm/v6/sha256-compress.asm: ...deleted file. * arm/fat/sha256-compress-n-2.asm: New file. replacing... * arm/fat/sha256-compress-2.asm: ...deleted file. * fat-arm.c: Update fat setup. 2022-07-11 Niels Möller * arm64/crypto/sha256-compress-n.asm: New file. replacing... * arm64/crypto/sha256-compress.asm: ...deleted file. * arm64/fat/sha256-compress-n-2.asm: New file. replacing... * arm64/fat/sha256-compress-2.asm: ...deleted file. * fat-arm64.c: Update fat setup. 2022-07-05 Niels Möller * md-internal.h (MD_FILL_OR_RETURN): New file, new macro. * sha256-compress-n.c (_nettle_sha256_compress_n): New file and function, replacing... * sha256-compress.c (_nettle_sha256_compress): ...deleted file and function. * sha2-internal.h (_nettle_sha256_compress_n): Declare new function.. * sha256.c (sha256_compress): Update to use _nettle_sha256_compress_n and MD_FILL_OR_RETURN. * x86_64/sha256-compress-n.asm: New file. replacing... * x86_64/sha256-compress.asm: ...deleted file. * x86_64/sha_ni/sha256-compress-n.asm: New file. replacing... * x86_64/sha_ni/sha256-compress.asm: ...deleted file. * fat-setup.h (sha256_compress_n_func): New typedef, replacing... (sha256_compress_func): ... deleted typedef. * fat-x86_64.c: Update fat setup. 2022-06-20 Niels Möller * testsuite/sha1-test.c (test_sha1_compress): New function. (test_main): Add tests for compressing 0, 1 or 2 blocks. * testsuite/sha256-test.c (test_sha256_compress): New function. (test_main): Add tests for compressing 0, 1 or 2 blocks. 2022-06-12 Niels Möller From Christian Weisgerber: * fat-arm64.c (get_arm64_features): Enable runtime feature detection for openbsd. 2022-06-09 Niels Möller * md5.h (md5_compress): New public name for compression function. * sha1.h (sha1_compress): Likewise. Based on patches from Corentin Labbe: * sha2.h: Declare new functions. * sha256.c (sha256_compress): New function. (COMPRESS): Updated to use sha256_compress. (sha256_write_digest): Use sha256_compress directly. * sha512.c (sha512_compress): New function. (COMPRESS): Updated to use sha512_compress. (sha512_write_digest): Use sha512_compress directly. 2022-06-02 Niels Möller * Released nettle-3.8. 2022-05-23 Niels Möller * Makefile.in (OPT_SOURCES): Add missing file fat-arm64.c. * config.guess: Update to 2022-05-08 version. * config.sub: Update to 2022-01-03 version. 2022-05-20 Niels Möller * configure.ac: Bump package version, to 3.8. (LIBNETTLE_MINOR): Bump minor number, to 8.5. (LIBHOGWEED_MINOR): Bump minor number, to 6.5. 2022-05-05 Niels Möller * nettle.texinfo (CBC): Document cbc_aes128_encrypt, cbc_aes192_encrypt and cbc_aes256_encrypt. 2022-04-28 Niels Möller * nettle.texinfo (Copyright): Deleted incomplete and out of date list of authors. Replaced by... * AUTHORS: New updated list of authors and contributions. 2022-02-23 Niels Möller Analogous s390x update, by Mamone Tarsha: * fat-s390x.c (fat_init): Update fat init for new _ghash_set_key and _ghash_update functions, delete setup for old gcm functions. * s390x/fat/ghash-update-2.asm: New file. * s390x/fat/ghash-set-key-2.asm: New file. * s390x/fat/gcm-hash.asm: Deleted. * s390x/msa_x4/gcm-hash.asm: Deleted, split into two new files... * s390x/msa_x4/ghash-update.asm: New file. * s390x/msa_x4/ghash-set-key.asm: New file 2022-02-22 Niels Möller * fat-ppc.c (fat_init): Update fat init for new _ghash_set_key and _ghash_update functions, delete setup for old gcm functions. * powerpc64/fat/ghash-update-2.asm: New file. * powerpc64/fat/ghash-set-key-2.asm: New file. * powerpc64/fat/gcm-hash.asm: Deleted. * powerpc64/p8/gcm-hash.asm: Deleted, split into two new files... * powerpc64/p8/ghash-update.asm: New file. * powerpc64/p8/ghash-set-key.asm: New file 2022-02-21 Niels Möller * fat-arm64.c (fat_init): Update fat init for new _ghash_set_key and _ghash_update functions, delete setup for old gcm functions. * arm64/fat/ghash-update-2.asm: New file. * arm64/fat/ghash-set-key-2.asm: New file. * arm64/fat/gcm-hash.asm: Deleted. * ghash-update.c (_nettle_ghash_update_c): New name, for fat builds. * arm64/crypto/gcm-hash.asm: Deleted, split into two new files... * arm64/crypto/ghash-set-key.asm: New file. * arm64/crypto/ghash-update.asm: New file. 2022-02-19 Niels Möller * fat-x86_64.c (fat_init): Update fat init for new _ghash_set_key and _ghash_update functions, delete setup for old gcm functions. * fat-setup.h (ghash_set_key_func, ghash_update_func): New typedefs. (gcm_init_key_func, gcm_hash_func): Deleted typedefs. * x86_64/fat/ghash-update.asm: New file. * x86_64/fat/ghash-update-2.asm: New file. * x86_64/fat/ghash-set-key-2.asm: New file. * x86_64/fat/gcm-hash.asm: Deleted. * ghash-set-key.c (_nettle_ghash_set_key_c): New name, for fat builds. * configure.ac (asm_nettle_optional_list): Add ghash-set-key-2.asm ghash-update-2.asm. * ghash-set-key.c (_ghash_digest): Deleted, and also deleted assembly implementations. * gcm.c (gcm_digest): Replace call to _ghash_digest with block16_xor. * x86_64/pclmul/gcm-hash.asm: Deleted, split into two new files... * x86_64/pclmul/ghash-set-key.asm: New file. * x86_64/pclmul/ghash-update.asm: New file. * configure.ac (asm_replace_list): Add ghash-set-key.asm ghash-update.asm. (asm_nettle_optional_list): Delete gcm-hash.asm gcm-hash8.asm. * x86_64/ghash-update.asm: New file, based on old gcm-hash8.asm, but without any handling of partial blocks. * x86_64/gcm-hash8.asm: Deleted. * ghash-set-key.c (_ghash_digest): Moved function from... * ghash-update.c (_ghash_digest): ...old location. 2022-02-18 Niels Möller * block-internal.h (block16_zero): New function. * ghash-internal.h: New file, declaring new internal ghash interface. * gcm-internal.h: Deleted file. * ghash-update.c (gcm_gf_shift_8): Moved here (from gcm.c) (gcm_gf_mul): Likewise. (_ghash_update): New function, extracted from _nettle_gcm_hash_c. (_ghash_digest): New function. * ghash-set-key.c (_ghash_set_key): New file and function. Extracted from _nettle_gcm_init_key_c and _nettle_gcm_set_key. * gcm.c (INC32): Deleted macro, used in only one place. (gcm_set_key): Update to use _ghash_set_key. (gcm_hash): Renamed, was _gcm_hash, and implemented in terms of _ghash_update. (bswap_if_le): New function (copied from nist-keywrap.c). (gcm_hash_sizes): Use bswap_if_le and _ghash_update. (gcm_set_iv): Updated to use gcm_hash and block16_zero. (gcm_digest): Use _ghash_digest. * testsuite/gcm-test.c (test_ghash_internal): Updated to use _ghash_set_key and _ghash_update. * Makefile.in (nettle_SOURCES): Add ghash-set-key.c ghash-update.c. (DISTFILES): Replaced gcm-internal.h with ghash-internal.h. 2022-02-17 Niels Möller * gcm.c: Require that GCM_TABLE_BITS == 8. Delete old code for GCM_TABLE_BITS == 0 and GCM_TABLE_BITS == 4. * gcm-internal.h: Delete checks for GCM_TABLE_BITS != 8. * fat-x86_64.c: Likewise. * fat-s390x.c: Likewise. * fat-ppc.c: Likewise. * fat-arm64.c: Likewise. 2022-02-15 Niels Möller * fat-x86_64.c: Add fat setup for gcm. * x86_64/fat/gcm-hash.asm: New file. * Makefile.in (distdir): Add x86_64/pclmul directory. * configure.ac: New configure option --enable-x86-pclmul. (asm_path): Add x86_64/pclmul, if above option is set. * x86_64/pclmul/gcm-hash.asm: New file, initial implementation of GCM using the pclmulqdq instructions. 2022-02-08 Niels Möller * gcm-internal.h (_gcm_hash): Arrange so that this is an alias for the appropriate implementation. Updated all users. * gcm.c (_nettle_gcm_set_key): New internal function, intended to make tests of internal ghash functions easier. (gcm_set_key): Use it. * testsuite/gcm-test.c (test_ghash_internal): New function. (test_main): Add tests of internal ghash functions, with keys corresponding to various single-bit polynomials. 2022-01-28 Niels Möller * testsuite/poly1305-test.c (poly1305_internal): Renamed function, was test_poly1305_internal. (test_poly1305_internal): New helper function. (test_fixed): New function, to test internal functions with fixed test inputs. (test_random): Use test_poly1305_internal. (test_main): Call test_fixed. * misc/poly1305-gen-example.pike: Program to generate poly1305 inputs with a given digest. 2022-01-27 Niels Möller * x86_64/poly1305-internal.asm: Rewrote. Rearrange folding, so that all the multiply instructions needed to process a block are independent of each other. Measured speedup of 16% on AMD zen2 and 28% on Intel broadwell, and expected to be generally faster. * asm.m4 (P1305): Rearrange struct contents, to fit 64-bit entries S0 and H2. Total struct size unchanged. 2022-01-25 Niels Möller Chacha implementation for arm64, contributed by Mamone Tarsha. * arm64/chacha-core-internal.asm: New file. * arm64/chacha-2core.asm: New file. * arm64/chacha-4core.asm: New file 2022-01-24 Niels Möller * powerpc64/ecc-secp224r1-modp.asm: New file, contributed by Amitay Isaacs. * powerpc64/ecc-curve25519-modp.asm: New file, contributed by Martin Schwenke & Alastair D´Silva * powerpc64/ecc-curve448-modp.asm: New file, contributed by Martin Schwenke & Amitay Isaacs. 2022-01-23 Niels Möller * testsuite/poly1305-test.c (test_poly1305_internal): New function. (ref_poly1305_internal): New function. (test_random): New function. (test_main): Call test_random. Arrange so that GMP or mini-gmp is always available for tests. * testsuite/testutils.h [!WITH_HOGWEED]: Include mini-gmp.h. * testsuite/testutils.c [!WITH_HOGWEED]: Include mini-gmp.c. 2022-01-21 Niels Möller * powerpc64/ecc-secp192r1-modp.asm: New file, contributed by Amitay Isaacs. * powerpc64/ecc-secp384r1-modp.asm: New file, contributed by Martin Schwenke, Amitay Isaacs & Alastair D´Silva. * powerpc64/ecc-secp521r1-modp.asm: New file, contributed by Martin Schwenke & Alastair D´Silva. 2022-01-17 Niels Möller * testsuite/testutils.c (test_ecc_point_valid_p): New function, moved from... * testsuite/ecdsa-keygen-test.c (ecc_valid_p): ... old copy. * testsuite/gostdsa-keygen-test.c (ecc_valid_p): ... old copy. * testsuite/testutils.h: Declare it. (test_randomize) [NETTLE_USE_MINI_GMP]: Use inline function rather than macro for dummy definition, to avoid compile time warnings. 2022-01-10 Niels Möller * powerpc64/ecc-secp256r1-redc.asm: Reduce number of registers used, eliminating save and restore of callee-save registers. Speedup of 7% reported for POWER9 (and marginal speedup of secp256 sign and verify operations). 2022-01-04 Niels Möller * configure.ac (ELFV2_ABI): New substituted variable, set on powerpc64 based on the _CALL_ELF define. * config.m4.in (ELFV2_ABI): Substituted here. * powerpc64/machine.m4: Use ELFV2_ABI rather than WORDS_BIGENDIAN to select abi flavor. Intended to support ppc64be + musl, which, unlike other big-endian configurations, uses ELFv2. 2021-12-09 Niels Möller * x86_64/ecc-secp256r1-redc.asm: New folding scheme with one less carry propagation phase, and fewer registers, avoiding save and restore of callee-save registers. 17% speedup of this function on AMD Ryzen 5, resulting in a modest improvement in ecdsa performance. * powerpc64/ecc-secp256r1-redc.asm: New file, contributed by Amitay Isaacs. 2021-11-29 Niels Möller From Tianjia Zhang: SM3 hash function. * sm3.h: New file. * sm3.c: New file. * sm3-meta.c: New file. * hmac-sm3.c: New file. * hmac-sm3-meta.c: New file. * testsuite/sm3-test.c: New file. * nettle.texinfo: Document SM3. 2021-11-19 Niels Möller * gmp-glue.c (mpz_limbs_cmp): Deleted function. Usage replaced with mpz_roinit_n and mpz_cmp. (mpz_limbs_read_n): Deleted function. Usage in tests only, replaced with mpz_limbs_copy. 2021-11-15 Niels Möller * testsuite/eddsa-compress-test.c (test_main): Use test_randomize. * testsuite/ecc-redc-test.c (test_main): Likewise. * testsuite/ecc-mul-g-test.c (test_main): Likewise. * testsuite/ecc-mul-a-test.c (test_main): Likewise. * testsuite/ecc-modinv-test.c (test_modulo): Trim allocation for result area. (test_main): Use test_randomize. * testsuite/ecc-sqrt-test.c (test_sqrt): Trim allocation. (test_sqrt_ratio): Trim allocation. Fix sqrt_ratio test for v = 0, failure is expected. (test_main): Use test_randomize. 2021-11-13 Niels Möller * testsuite/testutils.c (get_random_seed): Move function here. (test_randomize): New function. * testsuite/ecc-mod-test.c (get_random_seed): Delete old copy. (test_main): Use test_randomize. * testsuite/rsa-compute-root-test.c (get_random_seed): Delete old copy. (test_main): Use test_randomize. * ecc-secp224r1.c (ecc_secp224r1_sqrt): Fix result for zero input, which needs handling as a special case in the Tonelli-Shanks algorithm. * testsuite/ecc-sqrt-test.c (test_sqrt_ratio): Check that sqrt(0) returns 0. (test_sqrt_ratio): Check that sqrt (0/1) returns 0. 2021-11-11 Niels Möller * eccdata.c (output_curve): Output ecc_sqrt_z and ECC_SQRT_E only when computed. Fixes uninitialized value bug from previous change. * ecc-secp384r1.c (ecc_mod_pow_288m32m1): New function. (ecc_secp384r1_inv): Use ecc_mod_pow_288m32m1. (ecc_secp384r1_sqrt): Likewise. * eccdata.c (output_curve): Delete generation of unused values ecc_sqrt_t and ECC_SQRT_T_BITS. 2021-11-10 Niels Möller * eccdata.c (output_bignum_redc): New function. (output_curve): Generate both redc and non-redc versions of ecc_sqrt_z. Fixes secp224r1 sqrt, in configs using redc. 2021-11-08 Niels Möller Square root functions, based on patch by Wim Lewis. * ecc-internal.h (ecc_mod_sqrt_func): New typedef. (struct ecc_modulo): Add sqrt function pointer and sqrt_itch. Update all curve definitions. * ecc-secp192r1.c (ECC_SECP192R1_SQRT_ITCH): New constant. (ecc_secp192r1_sqrt): New function. * ecc-secp256r1.c (ecc_secp256r1_sqrt): New function. * ecc-secp384r1.c (ecc_secp384r1_sqrt): New function. * ecc-secp521r1.c (ecc_secp521r1_sqrt): New function. * ecc-secp224r1.c (ecc_secp224r1_sqrt): New function, using Tonelli-Shanks' algorithm. * testsuite/ecc-sqrt-test.c (test_sqrt): New function. (test_sqrt_ratio): Renamed function (was test_modulo). (test_main): Test sqrt function, for curves that define it. * ecc-secp224r1.c (ecc_mod_pow_127m1): New function. 2021-11-07 Niels Möller * ecc-internal.h (struct ecc_modulo): Renamed sqrt_itch to sqrt_ratio_itch. * eddsa-decompress.c (_eddsa_decompress_itch): Updated. * ecc-curve448.c (ECC_CURVE448_SQRT_RATIO_ITCH): Renamed, from ... (ECC_CURVE448_SQRT_ITCH): ... old name. (ecc_curve448_sqrt_ratio): Renamed, from ... (ecc_curve448_sqrt): ... old name. (_nettle_curve448): Updated. * ecc-curve25519.c (ECC_25519_SQRT_RATIO_ITCH): Renamed, from ... (ECC_25519_SQRT_ITCH): ... old name (ecc_curve25519_sqrt_ratio): Renamed, from ... (ecc_curve25519_sqrt): ... old name. (_nettle_curve25519): Updated. * ecc-internal.h (ecc_mod_sqrt_ratio_func): Renamed typedef... (ecc_mod_sqrt_func): ... from old name. (struct ecc_modulo): Renamed corresponding function pointer to sqrt_ratio. Updated all uses. 2021-10-28 Niels Möller * ecc-mod-arith.c (ecc_mod_equal_p): New function, moved from ecc-modinv-test.c. Based on patch by Wim Lewis. * testsuite/ecc-modinv-test.c (mod_eq_p): Deleted, replaced with ecc_mod_equal_p. 2021-10-26 Niels Möller * ecc-mod-arith.c (ecc_mod_zero_p): New function. * ecc-curve25519.c (ecc_curve25519_zero_p): Use it. * ecc-curve448.c (ecc_curve448_zero_p): Deleted, usage replaced with ecc_mod_zero_p. * testsuite/ecc-modinv-test.c (mod_eq_p): Rewritten to use ecc_mod_zero_p, and require that one input is canonically reduced. (zero_p): Deleted, usage replaced with ecc_mod_zero_p. 2021-10-23 Niels Möller * gmp-glue.c (sec_zero_p): New function. * ecc-curve25519.c (ecc_curve25519_zero_p): Use it. * ecc-curve448.c (ecc_curve448_zero_p): Use it. * ecc-random.c (ecdsa_in_range): Use it. (zero_p): Delete static function. 2021-10-22 Niels Möller * ecc-secp256r1.c: Rework ad-hoc reduction functions. In particular, arranged to always use single-limb quotients, no q2 quotient carry. (ecc_secp256r1_modp): Reimplemented, closer to 2/1 division, (ecc_secp256r1_modq): Reimplemented, closer to divappr2 division. 2021-10-06 Niels Möller * testsuite/ecc-mod-test.c: Extend tests to give better coverage of corner cases, with input close to a multiple of the modulo. 2021-09-21 Niels Möller * Makefile.in (nettle.pdf): Generate pdf manual using texi2pdf, rather than texi2dvi + dvips + ps2pdf, which makes hyperlinks work better. * nettle.texinfo: Delete explicit node pointers in nettle.texinfo Instead, rely on makeinfo's automatic pointer creation. (Cipher functions): Split into nodes, with proper menu. 2021-09-14 Niels Möller * cbc.h (cbc_aes128_encrypt, cbc_aes192_encrypt) (cbc_aes256_encrypt): Change interface, take cipher context pointer and iv as separate arguments. Update C and x86_64 implementations and corresponding glue code. * testsuite/testutils.c (test_aead): Test encrypt/decrypt with message split into pieces. 2021-09-12 Niels Möller * Merged CBC-AES changes into master branch. 2021-09-09 Niels Möller Implementation of CBC-AES for x86_64 aesni. Roughly 40%-50% speedup benchmarked on Ryzen 5. * x86_64/aesni/cbc-aes128-encrypt.asm: New file. * x86_64/aesni/cbc-aes192-encrypt.asm: New file. * x86_64/aesni/cbc-aes256-encrypt.asm: New file. * x86_64/fat/cbc-aes128-encrypt-2.asm: New file. * x86_64/fat/cbc-aes192-encrypt-2.asm: New file. * x86_64/fat/cbc-aes256-encrypt-2.asm: New file. * configure.ac (asm_nettle_optional_list, asm_replace_list): Add new asm files. * fat-setup.h (cbc_aes128_encrypt_func, cbc_aes192_encrypt_func) (cbc_aes256_encrypt_func): New typedefs. * fat-x86_64.c (fat_init): Use new functions, when aesni is available 2021-09-08 Niels Möller * cbc-aes128-encrypt.c (nettle_cbc_aes128_encrypt): New file and function. * cbc-aes192-encrypt.c (cbc_aes192_set_encrypt_key): New file. * cbc-aes256-encrypt.c (cbc_aes256_set_encrypt_key): New file. * cbc.h (cbc_aes128_ctx, struct cbc_aes192_ctx, cbc_aes256_ctx): New context structs. Declare new functions. * Makefile.in (nettle_SOURCES): Add new files. * nettle-internal.c (nettle_cbc_aes128, nettle_cbc_aes192) (nettle_cbc_aes256): New algorithm structs, for tests and benchmarking. * testsuite/testutils.c (test_aead): Skip tests of decryption and authentication, if corresponding function pointers are NULL. * testsuite/cbc-test.c (test_main): Add tests of new cbc functions. * examples/nettle-benchmark.c (time_aead): Skip decrypt benchmark, if corresponding function pointer is NULL. 2021-09-09 Niels Möller * x86_64/fat/cpuid.asm: Fix usage of W64_ENTRY and W64_EXIT, to make fat builds work on 64-bit windows. 2021-08-16 Niels Möller S390x functions for sha1, sha256 and sha512, from Mamone Tarsha: * s390x/msa/sha1-compress.asm: New file. * s390x/msa_x1/sha256-compress.asm: Likewise. * s390x/msa_x2/sha512-compress.asm: Likewise. * s390x/fat/sha1-compress-2.asm: Likewise. * s390x/fat/sha256-compress-2.asm: Likewise. * s390x/fat/sha512-compress-2.asm: Likewise. * fat-s390x.c: Update fat setup. * Makefile.in (distdir): Add s390x/msa_x1. 2021-08-10 Niels Möller * x86_64/aesni/aes128-encrypt.asm: New file, with 2-way loop. * x86_64/aesni/aes128-decrypt.asm: Likewise. * x86_64/aesni/aes192-encrypt.asm: Likewise. * x86_64/aesni/aes192-decrypt.asm: Likewise. * x86_64/aesni/aes256-encrypt.asm: Likewise. * x86_64/aesni/aes256-decrypt.asm: Likewise. * x86_64/aesni/aes-encrypt-internal.asm: Deleted. * x86_64/aesni/aes-decrypt-internal.asm: Deleted. * x86_64/fat/: Corresponding new and deleted files. * fat-x86_64.c: Update fat setup accordingly. 2021-08-09 Niels Möller Arm64 AES functions, from Mamone Tarsha: * arm64/crypto/aes128-decrypt.asm: New file. * arm64/crypto/aes128-encrypt.asm: New file. * arm64/crypto/aes192-decrypt.asm: New file. * arm64/crypto/aes192-encrypt.asm: New file. * arm64/crypto/aes256-decrypt.asm: New file. * arm64/crypto/aes256-encrypt.asm: New file. * arm64/fat/aes128-decrypt-2.asm: New file. * arm64/fat/aes128-encrypt-2.asm: New file. * arm64/fat/aes192-decrypt-2.asm: New file. * arm64/fat/aes192-encrypt-2.asm: New file. * arm64/fat/aes256-decrypt-2.asm: New file. * arm64/fat/aes256-encrypt-2.asm: New file. * configure.ac: Add aes to arm64 FAT_TEST_LIST. * fat-arm64.c: Update fat setup. 2021-08-06 Niels Möller S390x xor functions, from Mamone Tarsha: * configure.ac: New configure option --enable-s390x-vf. * fat-s390x.c: Fat setup for memxor3. * s390x/vf/memxor3.asm: New file. * s390x/memxor.asm: New file. * s390x/machine.m4 (XOR_LEN): New macro. * s390x/fat/memxor3-2.asm: New file. 2021-07-24 Niels Möller Merged s390x code. GCM and fat build support for s390x, contributed by Mamone Tarsha: * s390x/machine.m4: New file. * s390x/msa_x4/gcm-hash.asm: New file. * fat-s390x.c: New file. * s390x/fat/cpu-facility.asm: New file. * s390x/fat/: New wrapper files for aes and gcm assembly. 2021-07-21 Niels Möller * Makefile.in (OPT_SOURCES): Add fat-s390x.c. 2021-05-09 Niels Möller Implementation of AES using s390x "message security assist" extensions. Contributed by Mamone Tarsha: * s390x/msa_x1/aes128-decrypt.asm: New file. * s390x/msa_x1/aes128-encrypt.asm: New file. * s390x/msa_x1/aes128-set-decrypt-key.asm: New file. * s390x/msa_x1/aes128-set-encrypt-key.asm: New file. * s390x/msa_x2/aes192-decrypt.asm: New file. * s390x/msa_x2/aes192-encrypt.asm: New file. * s390x/msa_x2/aes192-set-decrypt-key.asm: New file. * s390x/msa_x2/aes192-set-encrypt-key.asm: New file. * s390x/msa_x2/aes256-decrypt.asm: New file. * s390x/msa_x2/aes256-encrypt.asm: New file. * s390x/msa_x2/aes256-set-decrypt-key.asm: New file. * s390x/msa_x2/aes256-set-encrypt-key.asm: New file. * configure.ac: Renamed option to --enable-s390x-msa. Enables both mas_x1 and msa_x2. (asm_replace_list): Add more aes files. * Makefile.in (distdir): Add s390x/msa_x1 s390x/msa_x2 directories. 2021-04-01 Niels Möller Move aes128_encrypt and similar functions to their own files. To make it easier for assembly implementations to override specific AES variants. * aes-decrypt.c: Split file, keep only legacy function aes_decrypt here. * aes-decrypt-table.c (_nettle_aes_decrypt_table): New file, moved table here. * aes128-decrypt.c (aes128_decrypt): New file, moved function here. * aes192-decrypt.c (aes192_decrypt): New file, moved function here. * aes256-decrypt.c (aes256_decrypt): New file, moved function here. * aes-encrypt.c: Split file, keep only legacy function aes_encrypt here. * aes128-encrypt.c (aes128_encrypt): New file, moved function here. * aes192-encrypt.c (aes192_encrypt): New file, moved function here. * aes256-encrypt.c (aes256_encrypt): New file, moved function here. * Makefile.in (nettle_SOURCES): Add new files. 2021-03-28 Niels Möller Initial config for s390x, contributed by Mamone Tarsha. * configure.ac: Add flag --enable-s390x-msa-x1. Add ABI check for s390x, and setup asm_path. * Makefile.in (distdir): Add s390x directory. * s390x/README: New file 2021-07-08 Niels Möller * configure.ac (FAT_TEST_LIST): Add sha2 to aarch64 fat tests. From Mamone Tarsha: * arm64/fat/sha256-compress-2.asm: New file. * arm64/crypto/sha256-compress.asm: New file. * fat-arm64.c: Add setup for nettle_sha1_compress. 2021-06-30 Niels Möller * configure.ac (FAT_TEST_LIST): Add sha1 to aarch64 fat tests. From Mamone Tarsha: * fat-arm64.c: Add setup for nettle_sha1_compress. * arm64/fat/sha1-compress-2.asm: New file. 2021-06-01 Niels Möller From Mamone Tarsha: * arm64/crypto/sha1-compress.asm: New file. 2021-05-17 Niels Möller Bug fixes merged from from 3.7.3 release (starting from 2021-05-06). * rsa-decrypt-tr.c (rsa_decrypt_tr): Check up-front that input is in range. * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise. * rsa-decrypt.c (rsa_decrypt): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Add tests with input > n. 2021-05-14 Niels Möller * rsa-sign-tr.c (rsa_sec_blind): Delete mn argument. (_rsa_sec_compute_root_tr): Delete mn argument, instead require that input size matches key size. Rearrange use of temporary storage, to support in-place operation, x == m. Update all callers. * rsa-decrypt-tr.c (rsa_decrypt_tr): Make zero-padded copy of input, for calling _rsa_sec_compute_root_tr. * rsa-sec-decrypt.c (rsa_sec_decrypt): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Test calling all of rsa_decrypt, rsa_decrypt_tr, and rsa_sec_decrypt with zero input. 2021-05-06 Niels Möller * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): Check that message length is valid, for given key size. * testsuite/rsa-sec-decrypt-test.c (test_main): Add test cases for calls to rsa_sec_decrypt specifying a too large message length. 2021-05-23 Niels Möller From Nicolas Mora: Implement aes key wrap and key unwrap (RFC 3394). * nist-keywrap.c (bswap_if_le, nist_keywrap16, nist_keyunwrap16) (aes128_keywrap, aes192_keywrap, aes256_keywrap) (aes128_keyunwrap, aes192_keyunwrap, aes256_keyunwrap): New file, new functions. * nist-keywrap.h: New header file. * Makefile.in (nettle_SOURCES): Add nist-keywrap.c. (HEADERS): Add nist-keywrap.h. * testsuite/aes-keywrap-test.c (test_main): New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add aes-keywrap-test.c. 2021-04-13 Niels Möller * powerpc64/p8/aes-encrypt-internal.asm (SWAP_MASK): Change macro name to use all uppercase. * powerpc64/p8/aes-decrypt-internal.asm (SWAP_MASK): Likewise. 2021-04-11 Niels Möller * config.guess: Update to 2021-01-25 version, from savannah's config.git. Needed to recognize M1 Macs. * config.sub: Similarly update to 2021-03-10 version. 2021-03-24 Niels Möller * .gitlab-ci.yml: Add remote tests for s390x. 2021-03-22 Niels Möller Arm64 improvements, including fat build support. Contributed by Mamone Tarsha: * configure.ac (asm_path): Setup for arm64 fat builds. * fat-arm64.c: New file. * fat-arm64.c: New file. * arm64/fat/gcm-hash.asm: New file. * arm64/crypto/gcm-hash.asm: Improved docs. Use m4 macros rather than as macros. (LOAD_REV_PARTIAL_BLOCK): New macro. * arm64/README: Improved docs. 2021-03-21 Niels Möller * Released nettle-3.7.2 with ecc bug-fixes only. * NEWS: NEWS entries for 3.7.2. 2021-03-13 Niels Möller * gostdsa-vko.c (gostdsa_vko): Use ecc_mod_mul_canonical to compute the scalar used for ecc multiplication. * eddsa-hash.c (_eddsa_hash): Ensure result is canonically reduced. Two of the three call sites need that. * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Use ecc_mod_mul_canonical to compute the scalars used for ecc multiplication. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Ensure s output is reduced to canonical range. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use ecc_mod_mul_canonical to compute the scalars used for ecc multiplication. * testsuite/ecdsa-verify-test.c (test_main): Add test case that triggers an assert on 64-bit platforms, without above fix. * testsuite/ecdsa-sign-test.c (test_main): Test case generating the same signature. 2021-03-13 Niels Möller * eddsa-verify.c (equal_h): Use ecc_mod_mul_canonical. 2021-03-11 Niels Möller * ecc-mod-arith.c (ecc_mod_mul_canonical, ecc_mod_sqr_canonical): New functions. * ecc-internal.h: Declare and document new functions. * curve448-eh-to-x.c (curve448_eh_to_x): Use ecc_mod_sqr_canonical. * curve25519-eh-to-x.c (curve25519_eh_to_x): Use ecc_mod_mul_canonical. * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. * ecc-j-to-a.c (ecc_j_to_a): Likewise. * ecc-mul-m.c (ecc_mul_m): Likewise. 2021-03-04 Niels Möller Merged initial arm64 code. 2021-02-03 Niels Möller * arm64/crypto/gcm-hash.asm: Renamed directory, moved file,... * arm64/v8/gcm-hash.asm: ... old name. 2021-02-02 Niels Möller * arm64/v8/gcm-hash.asm: Add ".arch armv8-a+crypto" directive. Supported by both GNU as and clang (the latter at least from version 3.9.1). * configure.ac: Don't add -march=armv8-a+crypto to CFLAGS. 2021-01-31 Niels Möller * arm64/v8/gcm-hash.asm: New file, contributed by Maamoun TK and Michael Weiser. * arm64/README: New file. Document endianness issues, contributed by Michael Weiser. 2021-02-17 Niels Möller * Released Nettle-3.7.1. 2021-02-15 Niels Möller * examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted glue to openssl arcfour. (openssl_arcfour128_set_encrypt_key) (openssl_arcfour128_set_decrypt_key): Deleted. * nettle-internal.h: Deleted declaration. * examples/nettle-benchmark.c (aeads): Delete benchmarking. 2021-02-13 Niels Möller * configure.ac: Bump package version, to 3.7.1. (LIBNETTLE_MINOR): Bump minor number, to 8.2. (LIBHOGWEED_MINOR): Bump minor number, to 6.2. 2021-02-10 Niels Möller * chacha-crypt.c (_nettle_chacha_crypt_4core): Fix for the case that counter increment should be 3 (129 <= message length <= 192). (_nettle_chacha_crypt32_4core): Likewise. * testsuite/chacha-test.c (test_chacha_rounds): New function, for tests with non-standard round count. Extracted from _test_chacha. (_test_chacha): Deleted rounds argument. Reorganized crypt/crypt32 handling. When testing message prefixes of varying length, also encrypt the remainder of the message, to catch errors in counter value update. (test_main): Add a few tests with large messages (16 blocks, 1024 octets), to improve test coverage for _nettle_chacha_crypt_4core and _nettle_chacha_crypt32_4core. 2021-01-25 Niels Möller * arm/neon/salsa20-core-internal.asm: Deleted file. This ARM Neon implementation reportedly gave a speedup of 45% on Cortex A9, compared to the C implementation, when it was added back in 2013. That appears to no longer be the case with more recent processors and compilers. And it's even significantly slower than the C implementation on some platforms, including the Raspberry Pi 4. With the introduction of salsa20-2core.asm, performance of this function is also less important. * arm/neon/chacha-core-internal.asm: Deleted file, for analogous reasons. * arm/fat/salsa20-core-internal-2.asm: Deleted file. * arm/fat/chacha-core-internal-2.asm: Deleted file. * fat-arm.c (_nettle_salsa20_core, _nettle_chacha_core): Delete fat setup. 2021-01-31 Niels Möller New variants, contributed by Nicolas Mora. * pbkdf2-hmac-sha384.c (pbkdf2_hmac_sha384): New file and function. * pbkdf2-hmac-sha512.c (pbkdf2_hmac_sha512): New file and function. * testsuite/pbkdf2-test.c (test_main): Corresponding tests. 2021-01-20 Niels Möller * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Fix corner case with all-zero hash. Reported by Guido Vranken. * testsuite/ecdsa-verify-test.c: Add corresponding test case. 2021-01-10 Niels Möller * fat-ppc.c: Don't use __GLIBC_PREREQ in the same preprocessor conditional as defined(__GLIBC_PREREQ), but move to a nested #if conditional. Fixes compile error on OpenBSD/powerpc64, reported by Jasper Lievisse Adriaanse. 2021-01-04 Niels Möller * Released Nettle-3.7. 2020-12-27 Niels Möller * configure.ac: Enable fat build by default. 2020-12-26 Niels Möller * NEWS: News entries for Nettle-3.7. * Makefile.in (distdir): Distribute the README files in assembly directories. * configure.ac: Bump package version, to 3.7. (LIBNETTLE_MINOR): Bump minor number, to 8.1. (LIBHOGWEED_MINOR): Bump minor number, to 6.1. 2020-12-21 Niels Möller From Mamone Tarsha: * fat-ppc.c: Check glibc version, and use getauxval only when available. 2020-12-12 Niels Möller * powerpc64/p7/chacha-4core.asm: More interleaving of independent instructions, gives slight speedup on Power9. 2020-12-01 Niels Möller * powerpc64/p7/chacha-4core.asm: Use protected zone below stack pointer to save registers, without modifying the stack pointer. (QR): Instruction level interleaving in the main loop, written by Torbjörn Granlund. 2020-11-30 Niels Möller * m4-utils.m4 (m4_unquote): New macro, copied from GMP's mpn/asm-defs.m4. * chacha-crypt.c: (_nettle_chacha_crypt_4core) (_nettle_chacha_crypt32_4core): New functions. (_nettle_chacha_crypt_2core, _nettle_chacha_crypt32_2core): Deleted, no longer needed. * chacha-internal.h: Add prototypes for _nettle_chacha_4core and related functions. * configure.ac (asm_nettle_optional_list): Add chacha-4core.asm. * powerpc64/fat/chacha-4core.asm: New file. * powerpc64/p7/chacha-4core.asm: New file. * fat-ppc.c (fat_init): When altivec is available, use _nettle_chacha_crypt_4core and _nettle_chacha_crypt32_4core instead of _2core variants. * chacha-crypt.c (_nettle_chacha_crypt32_3core): Fix bug in handling of counter; this function should not propagate any carry. * aes-internal.h: Delete name mangling of internal symbols. Update all internal references to use _nettle prefix. * camellia-internal.h: Likewise. * chacha-internal.h: Likewise. * ctr-internal.h: Likewise. * dsa-internal.h: Likewise. * gost28147-internal.h: Likewise. * poly1305-internal.h: Likewise. * salsa20-internal.h: Likewise. * sha3-internal.h: Likewise. * umac-internal.h: Likewise. 2020-11-26 Niels Möller Enable powerpc64 gcm code in fat builds. Based on patch contributed by Mamone Tarsha: * powerpc64/fat/gcm-hash.asm: New file. * configure.ac: Add HAVE_NATIVE_fat_gcm_init_key and HAVE_NATIVE_fat_gcm_hash. * gcm.c (gcm_init_key): Renamed, to ... (_nettle_gcm_init_key_c): ... new name. Add fat setup conditionals. (gcm_hash): Renamed, to... (_nettle_gcm_hash_c): ... new name. Add fat setup conditionals. * fat-setup.h (gcm_init_key_func, gcm_hash_func): New typedefs. * fat-ppc.c: Select implementations of _nettle_gcm_init_key and _nettle_gcm_hash. * gcm-internal.h: New file. * Makefile.in (DISTFILES): Add gcm-internal.h. * powerpc64/p8/gcm-hash.asm: New file, contributed by Mamone Tarsha. Implements _nettle_gcm_init_key and _nettle_gcm_hash. 2020-11-28 Niels Möller * powerpc64/p7/chacha-2core.asm: Simplify counter carry handling using the vaddcuw instruction. Merge changes by Marco Bodrato and Torbjorn Granlund, from the gmp/mini-gmp copy of this file. * run-tests: Delete special handling of zero arguments. Update WINEPATH, instead of overwriting it. 2020-11-27 Niels Möller * aclocal.m4: Replace some calls to exit with return, since exit requires stdlib.h. Including patch contributed by Adrien Béraud. * testsuite/version-test.c: Include version.h. Patch contributed by Brian Smith. 2020-11-25 Niels Möller * powerpc64/p7/chacha-2core.asm: Add byte swapping of output, for big-endian builds. 2020-11-24 Niels Möller Enable ppc chacha_2core in fat builds. * configure.ac: Add HAVE_NATIVE_fat_chacha_2core. * chacha-crypt.c: Check HAVE_NATIVE_fat_chacha_2core. * chacha-internal.h (_chacha_crypt_2core, _chacha_crypt32_2core): Add declarations. * fat-ppc.c (fat_init): Use _nettle_chacha_crypt_2core and _nettle_chacha_crypt32_2core when altivec is available. * powerpc64/fat/chacha-2core.asm: New file, including p7 version. 2020-11-23 Niels Möller * powerpc64/p7/chacha-2core.asm: New file. * chacha-crypt.c (_chacha_crypt_2core, _chacha_crypt32_2core): New variants of chacha_crypt, using _chacha_2core to do two blocks at a time. * chacha-internal.h (_chacha_2core, _chacha_2core32): Add declarations. * configure.ac (asm_nettle_optional_list): Add chacha-2core.asm. 2020-11-14 Niels Möller * ecc-mod-inv.c (ecc_mod_inv): Use passed in scratch for all scratch needs, don't use memory after the result area. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Update invert call. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. * ecc-eh-to-a.c (ecc_eh_to_a): Likewise. * ecc-j-to-a.c (ecc_j_to_a): Likewise. * ecc-gostdsa-verify.c (ecc_gostdsa_verify): Likewise. * curve25519-eh-to-x.c (curve25519_eh_to_x): Likewise. * curve448-eh-to-x.c (curve448_eh_to_x): Update invert call, and reduce scratch need from 9*size to 5*size. * ecc-internal.h (ECC_MOD_INV_ITCH, ECC_J_TO_A_ITCH) (ECC_EH_TO_A_ITCH): Update accordingly, but no change in total scratch need. 2020-11-13 Niels Möller * ecc-internal.h (ECC_J_TO_A_ITCH): Generalize, and take invert itch as an argument, similarly to ECC_EH_TO_A_ITCH. Updated all secp and gost curve definitions to use it. 2020-10-21 Niels Möller * ecc-secp384r1.c (ecc_secp384r1_inv): New function, modular inverse using powering. (_nettle_secp_384r1): Analogous updates. Increases signing performance roughly 15% on x86_64. 2020-10-20 Niels Möller * ecc-mod-inv.c (ecc_mod_inv_redc): Deleted, no longer needed. (ecc_mod_inv_destructive): Deleted, merged with ecc_mod_inv. * ecc-secp256r1.c (ecc_secp256r1_inv): New function, modular inverse using powering. (_nettle_secp_256r1): Analogous updates. Increases signing performance roughly 6% on x86_64. * ecc-secp224r1.c (ecc_secp224r1_inv): New function, modular inverse using powering. (_nettle_secp_224r1): Analogous updates. Increases signing performance roughly 17% on x86_64. 2020-10-19 Niels Möller * ecc-secp521r1.c (ecc_secp521r1_inv): New function, modular inverse using powering. (_nettle_secp_521r1): Analogous updates. Increases signing performance roughly 15% on x86_64. 2020-10-15 Niels Möller * ecc-secp192r1.c (ecc_secp192r1_inv): New function, modular inverse using powering. (_nettle_secp_192r1): Use it for p.invert, and also update h_to_a_itch. Increases signing performance roughly 25% on x86_64. * testsuite/ecc-modinv-test.c (test_modulo): Allow invert function to return a non-canonical representation. 2020-11-08 Niels Möller Merge refactoring of ecc modulo and reduce functions. * eddsa-sign.c (_eddsa_sign_itch): Update, since now point multiplication needs less scratch than point compression. * eddsa-pubkey.c (_eddsa_public_key_itch): Likewise. * ecc-internal.h: Update *_ITCH macros for point multiplication and signatures. They need slightly less scratch after optimization of the point addition functions. * ecc-mul-m.c (ecc_mul_m): Reduce scratch need. (ecc_mul_m): Optimize swapping, with only a single mpn_cnd_swap per iteration. * ecc-add-jja.c (ecc_add_jja): Reduce scratch need. * ecc-add-jjj.c (ecc_add_jjj): Reduce scratch need. * ecc-internal.h (ECC_ADD_JJA_ITCH, ECC_ADD_JJJ_ITCH): Now 5*size. (ECC_MUL_M_ITCH): New 8*size. 2020-11-06 Niels Möller After these changes, both curve25519 and curve448 need 4*size for invert and 6*size for sqrt. * ecc-curve448.c (ecc_mod_pow_446m224m1): Reduce scratch need. (ecc_curve448_inv): Likewise. (ecc_curve448_sqrt): Likewise. * ecc-curve25519.c (ecc_curve25519_sqrt): Reduce scratch need. * ecc-add-jja.c (ecc_add_jja): Delete an unneeded copy. 2020-11-05 Niels Möller * ecc-dup-jj.c (ecc_dup_jj): Reduce scratch need. * ecc-internal.h (ECC_DUP_JJ_ITCH): Now 4*size. 2020-11-03 Niels Möller * ecc-dup-eh.c (ecc_dup_eh): Reduce scratch need. * ecc-dup-th.c (ecc_dup_th): Analogous changes. * ecc-internal.h (ECC_DUP_EH_ITCH, ECC_DUP_TH_ITCH): Now 3*size. * ecc-internal.h (ecc_add_func): Document in-place operation. * ecc-mul-a-eh.c (ecc_mul_a_eh): Fix call to ecc->add_hhh accordingly. * testsuite/ecc-add-test.c (test_main): Likewise. * ecc-add-eh.c (ecc_add_eh): Reduce scratch need. * ecc-add-th.c (ecc_add_th): Analogous changes. * ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need. * ecc-add-thh.c (ecc_add_thh): Analogous changes. * ecc-internal.h (ECC_ADD_EH_ITCH, ECC_ADD_EHH_ITCH) (ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): Now 4*size. 2020-11-02 Niels Möller * ecc-curve25519.c (ecc_mod_pow_252m3): Reduce scratch need. (ecc_curve25519_inv): Likewise. (ecc_curve25519_sqrt): Likewise. 2020-11-01 Niels Möller * ecc-mod-arith.c (ecc_mod_mul, ecc_mod_sqr): Separate argument for scratch area, reducing required size of result area. Update all callers to naïvely keep using result in scratch area. (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Simplified, also reducing required size of result area. * testsuite/testutils.c (test_ecc_point): Show curve bits on failure. 2020-10-31 Niels Möller * ecc-internal.h (typedef ecc_mod_func): Updated all assembly implementations. * testsuite/ecc-mod-test.c (test_one): Extend tests, to also test with different destination area. * testsuite/ecc-redc-test.c (test_main): Likewise. 2020-10-30 Niels Möller * ecc-internal.h (typedef ecc_mod_func): Add separate result argument. Updated all C implementations and callers. 2020-10-29 Niels Möller * ecc-mod.c (ecc_mod): More unified handling of final carry folding. Also eliminates a goto statement. 2020-11-07 Niels Möller Merged initial powerpc64 implementation of chacha. * configure.ac: New command line option --enable-power-altivec. Update asm_path logic, and add altivec to FAT_TEST_LIST. * fat-ppc.c (get_ppc_features): Add logic to check for altivec and vsx support, and select aither C or altivec implementation of chacha_core. * powerpc64/p7/chacha-core-internal.asm: New file. 2020-09-25 Niels Möller * powerpc64/p7/chacha-core-internal.asm: New file. * Makefile.in (distdir): Add powerpc64/p7. 2020-10-29 Niels Möller * blowfish.c (blowfish_set_key): Add casts to uint32_t. Avoids undefined behavior, since shifting an 8-bit value left by 24 bits overflows the range of signed int. Reported by Guido Vranken. 2020-10-28 Niels Möller * gmp-glue.h (cnd_add_n, cnd_sub_n, cnd_swap): Deleted, use corresponding functions mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap, available from GMP version 6.1.0. Update all callers, in particular, mpn_cnd_add_n and mpn_cnd_sub_n has one more argument than the old functions. * gmp-glue.c (mpn_cnd_add_n, mpn_cnd_sub_n, mpn_cnd_swap) [NETTLE_USE_MINI_GMP]: Fallback definitions or mini-gmp builds. 2020-10-14 Niels Möller * ecc-mod-arith.c (ecc_mod_pow_2k, ecc_mod_pow_2k_mul): Moved functions here. * ecc-internal.h (ecc_mod_pow_2kp1): New macro, calling the more general ecc_mod_pow_2k_mul. * ecc-curve25519.c (ecc_mod_pow_2kp1): Deleted static function. * ecc-curve448.c (ecc_mod_pow_2k, ecc_mod_pow_2kp1): Deleted static functions. 2020-10-13 Niels Möller * ecc-mod-inv.c (ecc_mod_inv_destructive): New helper function, not preserving input argument. Extracted from old ecc_mod_inv. (ecc_mod_inv): Call ecc_mod_inv_destructive. (ecc_mod_inv_redc): New inversion function, with input and output in redc form. * ecc-secp224r1.c: Select between ecc_mod_inv and ecc_mod_inv_redc. * ecc-secp256r1.c: Likewise. * ecc-j-to-a.c (ecc_j_to_a): Simplify redc-related logic, taking advantage of ecc->p.invert handling redc, when appropriate. Reduce scratch need from 5n to 4n in the process (assuming inversion needs 2n). * testsuite/ecc-modinv-test.c (ref_modinv): Updated to do redc, if appropriate. 2020-09-25 Niels Möller * gcm.c (gcm_fill): Added separate implementations for big- and little-endian, to use uint64_t stores and less overhead. 2020-09-24 Niels Möller * aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): Prefer to use register names. Can be tested by configuring with CC='gcc -Wa,-mregnames'. 2020-09-21 Niels Möller * m4-utils.m4: New file with m4 utilities, copied from GMP's mpn/asm-defs.m4. * Makefile.in (DISTFILES): Add m4-utils.m4. (%.asm): Include m4-utils.m4 for preprocessing of .asm files, and include config.m4 before machine.m4. * aclocal.m4 (GMP_ASM_POWERPC_R_REGISTERS): New configure test, adapted from corresponding test in GMP's acinlude.m4. * configure.ac (ASM_PPC_WANT_R_REGISTERS): New substituted variable. Set using GMP_ASM_POWERPC_R_REGISTERS, when powerpc64 assembly code is enabled. * config.m4.in: Substituted here. * powerpc64/machine.m4: Check ASM_PPC_WANT_R_REGISTERS, and if needed, replace register names like r0, r1, ... with integers. 2020-09-15 Niels Möller * Makefile.in (DISTFILES): Add missing file blowfish-internal.h. 2020-09-14 Niels Möller * asm.m4: Delete use of changequote, stick to the m4 default quoting characters `'. Updated all assembly and m4 files. * x86_64/machine.m4 (W64_ENTRY, W64_EXIT): Delete quoting workaround. 2020-09-12 Niels Möller * x86_64/salsa20-2core.asm: Fix incorrect W64_EXIT. 2020-08-29 Niels Möller Initial powerpc64 assembly support, contributed by Mamone Tarsha: * configure.ac: New configure option --enable-power-crypto-ext. (asm_path): Setup this and related variables for powerpc64. * powerpc64/machine.m4: New file. * powerpc64/README: New file. * powerpc64/p8/aes-encrypt-internal.asm: New file. * powerpc64/p8/aes-decrypt-internal.asm: New file. * powerpc64/fat/aes-encrypt-internal-2.asm: New file. * powerpc64/fat/aes-decrypt-internal-2.asm: New file. * fat-ppc.c: New file. * Makefile.in (OPT_SOURCES): Add fat-ppc.c. (distdir): Add powerpc64 directories. * aes-decrypt-internal.c (_nettle_aes_decrypt_c): Alternative name, for fat builds. * aes-encrypt-internal.c (_nettle_aes_encrypt_c): Likewise. 2020-07-28 Niels Möller * configure.ac (FAT_TEST_LIST): New substituted variable. Set for fat builds, otherwise empty. * Makefile.in (check-fat): New target, using $(FAT_TEST_LIST). 2020-07-13 Niels Möller * chacha-crypt.c (chacha_crypt) [HAVE_NATIVE_chacha_3core]: Use _chacha_3core. * arm/neon/chacha-3core.asm: New file, 3-way interleaving of chacha. 2020-07-11 Niels Möller * testsuite/chacha-test.c (test_main): Delete obsolete tests for chacha with 128-bit keys. #if:ed out since 2014-03-04, see below. (test_chacha_core): New function, test chacha with simple input structure. 2020-07-10 Niels Möller * x86_64/salsa20-2core.asm: New file. * x86_64/salsa20-crypt.asm: Deleted, since the 2core assembly is faster. 2020-07-08 Niels Möller Rearrange salsa20, enabling ARM fat builds to use sala20_2core. * salsa20-crypt-internal.c (_salsa20_crypt_2core) (_salsa20_crypt_1core): New file, new functions. One or the other is used for implementing salsa20_crypt and salsa20r12_crypt, depending on availability of salsa20_2core. * salsa20-crypt.c (salsa20_crypt): Call _salsa20_crypt. * salsa20r12-crypt.c (salsa20r12_crypt): Likewise. * salsa20-internal.h: Declare new internal functions. * Makefile.in (nettle_SOURCES): Add salsa20-crypt-internal.c. * fat-setup.h (salsa20_crypt_func): New typedef. * fat-arm.c (_salsa20_crypt): Select _salsa20_crypt implementation, use 2core version when Neon instructions are available. * arm/fat/salsa20-2core.asm: New file, including Neon implementation. Trigger configure's HAVE_NATIVE_fat_salsa20_2core, * configure.ac: Add HAVE_NATIVE_fat_salsa20_2core, to identify the case that salsa20_2core is defined, but runtime checks are needed to determine if it is usable. 2020-07-06 Niels Möller * testsuite/salsa20-test.c (test_salsa20_core): New function, test salsa20 with simple input structure. * configure.ac: Obey --enable-arm-neon=yes, even if not explicitly targetting ARM v6 or later. 2020-07-01 Niels Möller * testsuite/bcrypt-test.c: New file. Moved bcrypt tests here. Support for bcrypt, contributed by Stephen R. van den Berg. * blowfish-bcrypt.c (blowfish_bcrypt_hash) (blowfish_bcrypt_verify): New file, new functions. * blowfish-internal.h: New header file, declaring internals needed for bcrypt. * testsuite/blowfish-test.c: Add bcrypt tests. * nettle.texinfo (Cipher functions): Document bcrypt. 2020-06-30 Niels Möller * nettle.texinfo (Miscellaneous hash functions): New section, with Streebog documentation, contributed by Dmitry Baryshkov. (Top): Added some missing entries to the detailed node listing 2020-06-29 Niels Möller * .gitlab-ci.yml: Add cross tests for powerpc64le, based on patch by Maamoun TK. 2020-06-25 Niels Möller * x86_64/chacha-core-internal.asm (QROUND): Fix use of macro arguments. Spotted by Torbjörn Granlund. 2020-06-02 Niels Möller * examples/nettle-benchmark.c (main): Delete call to time_overhead. The attempt to measure function call overhead is not very useful or accurate. The benchmarking loop is optimized away by gcc-10, making the benchmark program hang. (bench_nothing, time_overhead): Deleted. 2020-04-29 Niels Möller * Released Nettle-3.6. 2020-04-27 Niels Möller * configure.ac: Tweak gcc command line options. Delete checks for older gcc versions. Add -Wno-sign-compare, since warnings for signed/unsigned comparisons adds a lot of noise, in particular when building mini-gmp. * mini-gmp.c: Updated mini-gmp from the gmp repository, latest change from 2020-04-20. * mini-gmp.h: Likewise. 2020-04-25 Niels Möller * gmp-glue.c (mpz_limbs_read, mpz_limbs_write, mpz_limbs_modify) (mpz_limbs_finish, mpz_roinit_n): Delete compatibility definitions. These functions available in GMP since version 6.0.0. * gmp-glue.h: Delete corresponding declarations, and preprocessor conditions. * configure.ac: Update required version of GMP to 6.1.0, needed for mpn_zero_p. * ecc-ecdsa-verify.c (zero_p): Deleted static function, usage replaced with mpn_zero_p. * testsuite/testutils.c (mpn_zero_p): Delete conditional definition. * testsuite/testutils.h: Delete corresponding declarations. * Makefile.in (DISTFILES): Add poly1305-internal.h. * testsuite/Makefile.in (DISTFILES): Delete setup-env. 2020-04-23 Niels Möller * run-tests: Set WINEPATH, since it appears wine doesn't search for dlls in the unix PATH. * examples/setup-env: Delete creation of extra dll symlinks. * examples/teardown-env: Delete corresponding cleanup. * testsuite/setup-env: Deleted file (same symlink creation). * testsuite/teardown-env: Delete corresponding cleanup. * testsuite/ecc-add-test.c (test_main): Delete ASSERTs with functions pointer comparisons. They provide little value, and fail when linking with hogweed.dll on windows. * testsuite/ecc-dup-test.c (test_main): Likewise. 2020-04-22 Niels Möller * testsuite/Makefile.in: Use pattern rules for test executables, replacing... (test-rules): ...deleted rule. * testsuite/.test-rules.make: Deleted file. 2020-04-21 Niels Möller From Dmitry Baryshkov: * gostdsa-vko.c (gostdsa_vko): New file and function. * testsuite/gostdsa-vko-test.c (test_vko): New test. * nettle.texinfo (GOSTDSA): Document it. 2020-04-19 Niels Möller From Dmitry Baryshkov: * gosthash94.h (struct gosthash94_ctx): Rearrange struct to enable use of MD_UPDATE macro, in particular, replacing byte count with block count and index. Also move buffer last, for consistency with other hash functions. * gosthash94.c (gosthash94_update_int): Use MD_UPDATE macro. (gosthash94_write_digest): Update for block count rather than byte count. 2020-04-17 Niels Möller * configure.ac (LIBNETTLE_MAJOR): Increase libnettle version number to 8.0, for move of internal poly1305 functions. (LIBNETTLE_MINOR): Reset to zero. 2020-04-15 Niels Möller From Dmitry Baryshkov: * poly1305.h (poly1305_set_key, poly1305_digest, _poly1305_block): Removed declarations from this public header file. * poly1305-internal.h: New file, with declarations of internal poly1305 functions. (_poly1305_set_key, _poly1305_digest): Renamed, with leading underscore. Updated definitions and all uses. 2020-04-12 Niels Möller * Makefile.in (DISTFILES): Reorder to ensure that generated des headers can't be older than desdata.stamp. * testsuite/ed448-test.c: Define _GNU_SOURCE, for getline with gcc -std=c89. 2020-04-06 Niels Möller * configure.ac (LIBHOGWEED_MAJOR): Increase libhogweed version number to 6.0, at request of Gnutls team. (LIBHOGWEED_MINOR): Reset to zero. 2020-04-01 Niels Möller * config.guess: Update to 2020-01-01 version, from savannah's config.git. * config.sub: Likewise. 2020-03-31 Niels Möller * aclocal.m4 (LSH_TYPE_SOCKLEN_T, LSH_CHECK_KRB_LIB, LSH_LIB_ARGP) (LSH_MAKE_CONDITIONAL): Delete unused macros. * config.make.in (abs_top_builddir, TEST_SHLIB_DIR): New variables. * run-tests: Check TEST_SHLIB_DIR, and set up LD_LIBRARY_PATH and related member variables. * testsuite/Makefile.in (check): Pass only TEST_SHLIB_DIR to the run-tests script, and leave setting of LD_LIBRARY_PATH and related variables to that script. * examples/Makefile.in (check): Likewise. 2020-03-26 Niels Möller * configure.ac: Bump package version to 3.6. (LIBNETTLE_MINOR): Bump minor number, now 7.1. (LIBHOGWEED_MINOR): Bump minor numbers, now 5.1 2020-03-14 Niels Möller From H.J. Lu: * configure.ac (ASM_X86_ENDBR, ASM_X86_MARK_CET_ALIGN): New substituted variables. * config.m4.in: Substituted here. Add ASM_X86_MARK_CET to diversion inserted at end of assembly files. * asm.m4 (PROLOGUE): Add ASM_X86_ENDBR at entry point. 2020-03-09 Niels Möller From Daiki Ueno: * chacha-crypt.c (chacha_crypt32): New function. * chacha-set-nonce.c (chacha_set_counter, chacha_set_counter32): New functions. * chacha.h (CHACHA_COUNTER_SIZE, CHACHA_COUNTER32_SIZE): New constants. * chacha-poly1305.c (chacha_poly1305_encrypt) (chacha_poly1305_decrypt): Use chacha_crypt32. * testsuite/chacha-test.c: Update tests to use new functions. * nettle.texinfo: Document new chacha functions, and update out-of-date chacha-poly1305 documentation. 2020-03-08 Niels Möller From Dmitry Baryshkov: * cmac-des3-meta.c (nettle_cmac_des): New file, moving definition from... * testsuite/cmac-test.c: ... old location. * nettle-meta.h (nettle_cmac_des): Declare it. 2020-02-15 Niels Möller From Dmitry Baryshkov: * ecc-internal.h (ecc_modq_add, ecc_modq_mul, ecc_modp_sqr) (ecc_modp_mul, ecc_mod_submul_1, ecc_modp_mul_1, ecc_modp_add) (ecc_modp_sub): Deleted macros. Updated callers to use respective functions instead. (ecc_modp_addmul_1): Delete unused macro. 2020-02-09 Niels Möller Addition of struct nettle_mac based on patches by Daiki Ueno. * nettle-meta-macs.c (nettle_get_macs): New file, new function. * testsuite/meta-mac-test.c: New test. * nettle-meta.h (_NETTLE_HMAC): New macro. (nettle_hmac_md5, nettle_hmac_ripemd160, nettle_hmac_sha1) (nettle_hmac_sha224, nettle_hmac_sha256, nettle_hmac_sha384) (nettle_hmac_sha512): Declare. (struct nettle_mac): New public struct, * testsuite/testutils.h: ...moved from this file. * hmac-md5-meta.c: New file. * hmac-ripemd160-meta.c: Likewise. * hmac-sha1-meta.c: Likewise. * hmac-sha224-meta.c: Likewise. * hmac-sha256-meta.c: Likewise. * hmac-sha384-meta.c: Likewise. * hmac-sha512-meta.c: Likewise. * Makefile.in (nettle_SOURCES): Add new files. * testsuite/testutils.h (_NETTLE_HMAC): Delete unused version of this macro. * testsuite/testutils.c (test_mac): Allow testing with smaller digest size. * testsuite/hmac-test.c (test_main): Use test_mac for tests using key size == digest size. * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256): Moved to... * cmac-aes128-meta.c: New file. * cmac-aes256-meta.c: New file. * nettle-meta.h (struct nettle_mac): New public struct, * testsuite/testutils.h: ...moved from this file. 2020-02-06 Niels Möller From Dmitry Baryshkov: * gost28147.h: Deleted, move declarations to gost28147-internal.h. 2020-02-05 Niels Möller * configure.ac: On Solaris, link shared libraries with --shared rather than -G. For gcc, --shared is the proper way. For Solaris' proprietary cc, according to docs, it accepts --shared as an alias for -G since Oracle Solaris Studio 12.4, and it was made more gcc compatible in later versions. Since 12.4 was released in 2014, don't attempt to cater for older versions. 2020-01-26 Niels Möller * ecc-internal.h (struct ecc_curve): Delete g, the curve generator, since it was used only by tests. Update all curve instances. * eccdata.c (output_curve): Delete output of ecc_g. (output_point): Delete name argument, and update callers. * testsuite/testutils.c (ecc_ref): Table of reference points moved out of test_ecc_mul_a. Add generator to the list of points. (test_ecc_mul_a): Use ecc_ref table also for the n == 1 case. (test_ecc_ga, test_ecc_get_g, test_ecc_get_ga): New functions, using the tabulated generator. * testsuite/ecc-add-test.c: Use test_ecc_get_g, instead of accessing ecc->g. * testsuite/ecc-dup-test.c: Likewise. * testsuite/ecc-mul-a-test.c: Use test_ecc_get_ga and test_ecc_ga. Delete special case for n == 1. * testsuite/ecc-mul-g-test.c: Use test_ecc_ga. Support for GOST DSA, contributed by Dmitry Baryshkov. * gostdsa-verify.c (gostdsa_verify): New file and function. * gostdsa-sign.c (gostdsa_sign): New file and function. * ecc-gostdsa-verify.c (ecdsa_in_range, ecc_gostdsa_verify_itch) (ecc_gostdsa_verify): New file and functions. * ecc-gostdsa-sign.c (ecc_gostdsa_sign_itch, ecc_gostdsa_sign): New file and functions. * ecc-internal.h (ECC_GOSTDSA_SIGN_ITCH): New macro. * ecc-hash.c (gost_hash): New function. * testsuite/gostdsa-verify-test.c: New test. * testsuite/gostdsa-sign-test.c: New test. * testsuite/gostdsa-keygen-test.c: New test. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add new tests. Support for GOST gc256b and gc512a curves, contributed by Dmitry Baryshkov. * eccdata.c (ecc_curve_init): Add parameters for gost_gc256b and gost_gc512a. * ecc-gost-gc256b.c: New file, define _nettle_gost_gc256b. * ecc-gost-gc512a.c: New file, define _nettle_gost_gc512a. * Makefile.in: Add rules to generate ecc-gost-gc256b.h and ecc-gost-gc512a.h. (hogweed_SOURCES): Add ecc-gost-gc256b.c ecc-gost-gc512a.c. * examples/ecc-benchmark.c (curves): Add to list. * testsuite/testutils.c (ecc_curves): Add to list. (test_ecc_mul_a): Reference points for new curves. * NEWS: Started on entries for Nettle-3.6. 2020-01-25 Niels Möller * examples/hogweed-benchmark.c (bench_curve_init): Pass correct sizes to knuth_lfib_random. Patch contributed by Dmitry Baryshkov. 2020-01-15 Niels Möller * Makefile.in: Replace suffix rules by pattern rules. Move .asm rule above .c rule, since now the order of rules in the Makefile matters, rather than the order in the .SUFFIXES list. (aesdata, desdata, twofishdata, shadata, gcmdata, eccparams): Individual rules replaced by a pattern rule. (eccdata): Add explicit dependencies, to complement the pattern rule. * examples/Makefile.in: Replace suffix rules by pattern rules. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * config.make.in: Empty .SUFFIXES, to not accidentally use any suffix rules. * aclocal.m4 (DEP_INCLUDE): Delete substituted variable. * Makefile.in: Use the GNU make directive -include to include dependency .d files. Delete dependency files on make clean. * examples/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. Also use $(OBJEXT) properly. * tools/Makefile.in: Likewise. * configure.ac (dummy-dep-files): Delete these config commands. 2020-01-10 Niels Möller From Dmitry Eremin-Solenikov: Consistently rename ecc files and internal functions to include curve name rather than just number of bits. E.g., * ecc-256.c (nettle_ecc_256_redc): File and function renamed to... * ecc-secp256r1.c (_nettle_ecc_256_redc): ... new names. * eccdata.c (ecc_curve_init, main): Take curve name as input, not bit size. 2020-01-03 Niels Möller Add benchmarking of ed25519, ed448 and curve448. * examples/hogweed-benchmark.c: (struct eddsa_ctx): New struct. (bench_eddsa_init, bench_eddsa_sign, bench_eddsa_verify) (bench_eddsa_clear): New functions. (struct curve_ctx): New struct, generalizing struct curve25519_ctx. (bench_curve_init, bench_curve_mul_g, bench_curve_mul) (bench_curve_clear): New functions. (struct curve25519_ctx, bench_curve25519_mul_g) (bench_curve25519_mul, bench_curve25519): Deleted. (alg_list): Add eddsa and curve entries. (main): Delete call to bench_curve25519. 2020-01-02 Niels Möller * eddsa-internal.h (nettle_eddsa_dom_func): New typedef. (struct ecc_eddsa): Use function pointer to represent eddsa dom string. To avoid calling sha512_update with empty input for ed25519. * ed448-shake256.c (ed448_dom): New function, calling sha3_256_update with the magic dom prefix. (_nettle_ed448_shake256): Point to it. * ed25519-sha512.c (_nettle_ed25519_sha512): Add do-nothing dom function. * eddsa-sign.c (_eddsa_sign): Update to use dom function pointer. * eddsa-verify.c (_eddsa_verify): Likewise. * eddsa-internal.h (struct ecc_eddsa): Add magic dom string, needed for ed448. * ed25519-sha512.c (_nettle_ed25519_sha512): Empty dom string. * ed448-shake256.c (_nettle_ed448_shake256): New file and parameter struct. * eddsa-hash.c (_eddsa_hash): Add digest_size as input argument. Handle ed448 digests with two extra bytes. Update callers. * eddsa-verify.c (_eddsa_verify): Hash dom string. * eddsa-sign.c (_eddsa_sign_itch): Assert that _eddsa_compress_itch isn't too large. (_eddsa_sign): New argument k1, with the hash prefix. Add hashing of this prefix and the dom string. Update callers. Fix final reduction, it's different for ed25519, with q slightly larger than a power of two, and ed448, with q slightly smaller. * eddsa-pubkey.c (_eddsa_public_key_itch): Assert that _eddsa_compress_itch isn't too large. Implementation of ed448-shake256, based on patch by Daiki Ueno. * ed448-shake256-pubkey.c (ed448_shake256_public_key): New file and function. * ed448-shake256-sign.c (ed448_shake256_sign): New file and function. * ed448-shake256-verify.c (ed448_shake256_verify): New file and function. * Makefile.in (hogweed_SOURCES): Add new ed448 files. * testsuite/eddsa-verify-test.c (test_ed448): New function. (test_main): New ed448 tests. * testsuite/eddsa-sign-test.c (test_ed448_sign): New function. (test_main): New ed448 tests. * testsuite/ed448-test.c: New tests. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add ed448-test.c. * nettle.texinfo (Curve 25519 and Curve 448): Document ed448. 2020-01-01 Niels Möller * ecc-448.c (ecc_mod_pow_2kp1): New function. (ecc_mod_pow_446m224m1): Reduce scratch usage from 6*n to 5*n, at the cost of one copy operation. Also use ecc_mod_pow_2kp1 where applicable. (ECC_448_INV_ITCH): Reduce to 5*ECC_LIMB_SIZE. (ECC_448_SQRT_ITCH): Reduce to 9*ECC_LIMB_SIZE. * testsuite/eddsa-compress-test.c: Test also with curve448. 2019-12-30 Niels Möller Preparation for ed448, based on patch by Daiki Ueno. * eddsa-internal.h (struct ecc_eddsa): New struct for eddsa parameters. * ed25519-sha512.c (_nettle_ed25519_sha512): New parameter struct. * eddsa-expand.c (_eddsa_expand_key): Replace input struct nettle_hash with struct ecc_eddsa, and generalize for ed448. Update all callers. * eddsa-sign.c (_eddsa_sign): Likewise. * eddsa-verify.c (_eddsa_verify): Likewise. * eddsa-compress.c (_eddsa_compress): Store sign bit in most significant bit of last byte, as specified by RFC 8032. * eddsa-decompress.c (_eddsa_decompress): Corresponding update. Also generalize to support ed448, and make validity checks stricter. * testsuite/eddsa-sign-test.c (test_ed25519_sign): New function. (test_main): Use it. * testsuite/eddsa-verify-test.c (test_ed25519): New function. (test_main): Use it. 2019-12-28 Niels Möller * bignum.h: Drop unrelated include of nettle-meta.h. * pss.h: Include nettle-meta.h explicitly. * eddsa-internal.h: Likewise. 2019-12-25 Niels Möller Support for SHAKE256, based on patch by Daiki Ueno. * shake256.c (sha3_256_shake): New file and function. * Makefile.in (nettle_SOURCES): Add shake256.c. * testsuite/testutils.c (test_hash): Allow arbitrary digest size, if hash->digest_size == 0. * testsuite/shake.awk: New script to extract test vectors. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add shake256-test.c. (DISTFILES): Add shake.awk. * nettle.texinfo (Recommended hash functions): Document SHAKE-256. * sha3.c (_sha3_pad): Generalized with an argument for the magic suffix defining the sha3 instance. * sha3-internal.h (_sha3_pad_hash): New macro, for SHA3 hashes. Updated all callers of _sha3_pad. (_sha3_pad_shake): New macro, using the SHAKE magic byte 0x1f. 2019-12-19 Niels Möller * ecc-mul-a-eh.c (ecc_mul_a_eh) [ECC_MUL_A_EH_WBITS == 0]: Use add_hh rather than add_hhh. (table_init) [[ECC_MUL_A_EH_WBITS > 0]: Likewise. * ecc-internal.h (ECC_MUL_A_EH_ITCH) [ECC_MUL_A_EH_WBITS == 0]: Reduced from 13*n to 12*n. 2019-12-18 Niels Möller Rename add and dup functions for Edwards curves. * ecc-dup-th.c (ecc_dup_th): New file, move and rename ecc_dup_eh. * ecc-add-th.c (ecc_add_th): New file, move and rename ecc_add_eh. * ecc-add-thh.c (ecc_add_thh): New file, move and rename ecc_add_ehh. * ecc-dup-eh.c (ecc_dup_eh_untwisted): Rename to just ecc_dup_eh. * ecc-add-eh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_eh. * ecc-add-ehh.c (ecc_add_ehh_untwisted): Rename to just ecc_add_ehh. * ecc-internal.h (ecc_dup_th, ecc_add_th, ecc_add_thh): Declare new functions, delete declarations of ecc_*_untwisted variants. (ECC_DUP_TH_ITCH, ECC_ADD_TH_ITCH, ECC_ADD_THH_ITCH): New macros. * ecc-25519.c (_nettle_curve25519): Update, use ecc_dup_th and friends. * ecc-448.c (_nettle_curve448): Update for rename, without _untwisted suffix. * Makefile.in (hogweed_SOURCES): Added ecc-dup-th.c, ecc-add-th.c, and ecc-add-thh.c * testsuite/ecc-dup-test.c (test_main): Update asserts. * testsuite/ecc-add-test.c (test_main): Likewise. * eddsa-verify.c (_eddsa_verify): Use function pointer rather than calling ecc_add_eh directly. Preparation for eddsa over curve448. 2019-12-17 Niels Möller * examples/ecc-benchmark.c (bench_dup_hh): Rename, and use ecc->dup pointer. (bench_dup_jj): ... old name. (bench_add_hh): Rename, and use ecc->addd_hh pointer. (bench_add_jja): ... old name. (bench_dup_eh, bench_add_eh): Deleted. (bench_curve): Update, and delete curve25519 special case. (main): Update table headers accordingly. 2019-12-15 Niels Möller * ecc-dup-eh.c (ecc_dup_eh): Eliminate one unneeded ecc_modp_add. 2019-12-14 Niels Möller * ecc-mul-m.c (ecc_mul_m): New file and function. Implements multipliction for curves in Montgomery representation, as used for curve25519 and curve448. Extracted from curve25519_mul. * ecc-internal.h (ecc_mul_m): Declare. (ECC_MUL_M_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Add ecc-mul-m.c. * curve25519-mul.c (curve25519_mul): Use ecc_mul_m. * curve448-mul.c (curve448_mul): Likewise. 2019-12-13 Niels Möller * Merge curve448 implementation. 2019-12-09 Niels Möller * ecc-internal.h: Revert itch macro changes. We now have h_to_a_itch <= mul_itch, mul_g_itch. Add asserts at a few places relying on this. (ECC_ECDSA_KEYGEN_ITCH, ECC_MAX): Delete macros. (ECC_ECDSA_SIGN_ITCH): Revert previous change. * ecc-448.c (ecc_mod_pow_446m224m1): Reduce scratch space from 9*n to 6*n. (ECC_448_INV_ITCH, ECC_448_SQRT_ITCH): Reduce accordingly. * curve448-mul.c (curve448_mul): Reduce allocation from 14*n to 12*n. 2019-12-08 Niels Möller * x86_64/ecc-curve448-modp.asm (nettle_ecc_curve448_modp): New assembly function. * ecc-448.c (ecc_448_modp) [HAVE_NATIVE_ecc_curve448_modp]: Use native nettle_ecc_curve448_modp if available. * configure.ac (asm_hogweed_optional_list): Add ecc-curve448-modp.asm. (HAVE_NATIVE_ecc_curve448_modp): New config.h define. 2019-12-03 Niels Möller * ecc-448.c (ecc_448_modp) [GMP_NUMB_BITS == 64]: New function. 2019-12-01 Niels Möller Curve 448 support contributed by Daiki Ueno. * eccdata.c (enum ecc_type): Add ECC_TYPE_EDWARDS. (ecc_add): Support untwisted edwards curves. (ecc_curve_init): Add curve448 parameters. * ecc-internal.h (ECC_ECDSA_KEYGEN_ITCH): New macro. (ECC_ECDSA_SIGN_ITCH): Increased from 12*size to 13*size. (ECC_MAX): New macro. * ecc-448.c: New file. (ecc_mod_pow_2k, ecc_mod_pow_446m224m1, ecc_448_inv) (ecc_448_zero_p, ecc_448_sqrt): New functions. (_nettle_curve448): New curve definition. * curve448.h (CURVE448_SIZE): New constant. (curve448_mul_g, curve448_mul): Declare new public functions. * ecc-eh-to-a.c (ecc_eh_to_a): Update assert to allow the curve448 Edwards curve. * curve448-mul.c (curve448_mul): New file and function. * curve448-mul-g.c (curve448_mul_g): New file and function. * curve448-eh-to-x.c (curve448_eh_to_x): New file and function. * ecc-dup-eh.c (ecc_dup_eh_untwisted): New function. * ecc-add-ehh.c (ecc_add_ehh_untwisted): New function. * ecc-add-eh.c (ecc_add_eh_untwisted): New function. * ecc-point.c (ecc_point_set): Add point validation for curve448. * ecc-point-mul.c (ecc_point_mul): Allow h_to_a_itch larger than mul_itch. * ecc-point-mul-g.c (ecc_point_mul_g): Allow h_to_a_itch larger than mul_g_itch. Switch from TMP_DECL/_ALLOC/_FREE to gmp_alloc_limbs/gmp_free_limbs. * ecdsa-keygen.c (ecdsa_generate_keypair): Use ECC_ECDSA_KEYGEN_ITCH. * Makefile.in (hogweed_SOURCES): Add ecc-448.c, curve448-mul-g.c, curve448-mul.c, and curve448-eh-to-x.c. (HEADERS): Add curve448.h. (ecc-448.h): New generated file. * testsuite/testutils.c (ecc_curves): Add _nettle_curve448 to list of tested curves. (test_ecc_mul_a): Add curve448. * testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add curve448 support. * testsuite/ecdh-test.c (test_main): Add tests for (non-standard) curve448 diffie-hellman. * testsuite/ecc-add-test.c (test_main): Update for testing of curve448. * testsuite/ecc-dup-test.c (test_main): Likewise. * testsuite/ecc-mul-a-test.c (test_main): Likewise. Also increase scratch allocation for h_to_a_itch. * testsuite/ecc-mul-g-test.c (test_main): Likewise. * testsuite/curve448-dh-test.c: Test for curve448. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Add curve448-dh-test.c. * examples/ecc-benchmark.c: Add curve448 to list of benchmarked curves. * nettle.texinfo (Curve 25519 and Curve 448): Add docs. 2019-12-07 Niels Möller * ecc-eh-to-a.c (ecc_eh_to_a): Require op == 0, delete code only used for non-standard ecdsa over curve25519. * testsuite/ecdsa-sign-test.c (test_main): Delete test of ecdsa over curve25519. * testsuite/ecdsa-verify-test.c (test_main): Likewise. * testsuite/ecdsa-keygen-test.c (test_main): Exclude curve25519 from test. 2019-12-05 Niels Möller * configure.ac: Use AC_TRY_LINK rather than AC_TRY_COMPILE to check for __builtin_bswap64. Since calling an non-existing function typically results in a warning only at compile time, but fails at link time. Patch contributed by by George Koehler. 2019-12-04 Niels Möller * testsuite/testutils.c (test_cipher_cfb8): Add cast of size_t to unsigned long for argument to fprintf. 2019-11-21 Niels Möller * eccdata.c (ecc_curve_init_str): Delete unused t and d arguments. Related to the the edwards_root member of struct ecc_curve, which was used by ecc_a_to_eh before it was deleted, see 2014-09-17 entry below. (ecc_curve_init): Delete corresponding curve25519 constants, and NULL arguments passed for the other curves. * Merge curve448 preparations, from September 2017. 2017-09-23 Niels Möller * eccdata.c: Reorganize curve25519 precomputation to work directly with the twisted Edwards curve, with new point addition based on a patch from Daiki Ueno. * ecc-25519.c (_nettle_curve25519): Update for removed Montgomery curve constant. * ecc-internal.h (struct ecc_curve): Delete unused pointer edwards_root. Update all instances. * eccdata.c (output_curve): Don't output it. * testsuite/ecc-add-test.c (test_main): Reduce test duplication. Use ecc->add_hhh_itch. * testsuite/ecc-dup-test.c (test_main): Reduce test duplication. Use ecc->dup_itch. 2017-09-23 Daiki Ueno * ecc-eh-to-a.c (ecc_eh_to_a): Use ecc->q.bit_size, instead of hard-coded value for curve25519. * eddsa-sign.c (_eddsa_sign): Likewise. * ecc-internal.h (ecc_dup_func): New typedef. (struct ecc_curve): New constants add_hh_itch and dup_itch, new function pointers add_hh and dup. * ecc-192.c, ecc-224.c, ecc-256.c, ecc-384.c, ecc-521.c, ecc-25519.c: Update accordingly. * ecc-mul-g-eh.c (ecc_mul_g_eh): Use new function pointers. * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init, ecc_mul_a_eh): Likewise. * testsuite/ecc-dup-test.c (test_main): Likewise. * testsuite/ecc-add-test.c (test_main): Likewise. 2019-10-01 Niels Möller * testsuite/testutils.c (test_cipher_cfb8): Reset destination area between tests. Encrypt/decrypt final partial block. From Daiki Ueno, fixing bug reported by Stephan Mueller: * cfb.c (cfb8_decrypt): Don't truncate output IV if input is shorter than block size. * testsuite/testutils.c (test_cipher_cfb8): Test splitting input into multiple calls to cfb8_encrypt and cfb8_decrypt. 2019-09-30 Niels Möller * testsuite/siv-test.c (test_cipher_siv): Fix out-of-bounds read. Trim allocation size for de_data, drop some uses of SIV_DIGEST_SIZE, call FAIL for unexpected returned values. (test_compare_results): Delete digest argument. 2019-09-15 Niels Möller From Dmitry Eremin-Solenikov: * gost28147.c (_gost28147_encrypt_block): New file, encrypt function and sbox tables moved here. * gosthash94.c: Update functions to take sbox array as argument. (gost_block_compress): Use _gost28147_encrypt_block. (gosthash94cp_update,gosthash94cp_digest): New functions. * gost28147-internal.h: New file. * gost28147.h: New file. * gosthash94-meta.c (nettle_gosthash94cp): New hash algorithm. * nettle-meta-hashes.c (_nettle_hashes): Add nettle_gosthash94 and nettle_gosthash94cp. * hmac-gosthash94.c (hmac_gosthash94_set_key) (hmac_gosthash94_update, hmac_gosthash94_digest) (hmac_gosthash94cp_set_key, hmac_gosthash94cp_update) (hmac_gosthash94cp_digest): New file and functions. * pbkdf2-hmac-gosthash94.c (pbkdf2_hmac_gosthash94cp): New file and function. * testsuite/pbkdf2-test.c (test_main): Add pbkdf2-hmac-gosthash94cp tests. * testsuite/hmac-test.c (test_main): Add hmac-gosthash94 tests. * testsuite/gosthash94-test.c (test_main): Add gosthash94cp tests. * nettle.texinfo (Legacy hash functions): Document gosthash94cp. * testsuite/dlopen-test.c (main): Use libnettle.dylib on MacOS. 2019-07-08 Niels Möller * nettle-types.h (union nettle_block16): Mark w member as deprecated. * eax.c (block16_xor): Use uint64_t member of nettle_block16. * gcm.c (gcm_gf_add, gcm_gf_shift, gcm_gf_shift_8): Likewise. 2019-07-10 Niels Möller From Dmitry Eremin-Solenikov: * cmac64.c (_cmac64_block_mulx, cmac64_set_key, cmac64_init) (cmac64_update, cmac64_digest): New file, new functions. * cmac-des3.c (cmac_des3_set_key, cmac_des3_update) (cmac_des3_digest): New file, new functions. * cmac.h: Add cmac64 and cmac_des3 declarations. * Makefile.in (nettle_SOURCES): Add cmac64.c and cmac-des3.c. * testsuite/cmac-test.c (test_main): Add tests for cmac_des3. 2019-07-02 Niels Möller From Dmitry Eremin-Solenikov: * testsuite/testutils.c (test_mac): New function. * testsuite/cmac-test.c (nettle_cmac_aes128, nettle_cmac_aes256): New algorithm structs. (test_cmac_aes128, test_cmac_aes256): Use test_mac. 2019-06-06 Niels Möller Update for cmac changes, enabling const for the _message functions. * siv-cmac.c (_siv_s2v): Take a const struct cmac128_key as argument, and use a local struct cmac128_ctx for message-specific state. (siv_cmac_set_key): Take a struct cmac128_key as argument. Updated callers. (siv_cmac_encrypt_message, siv_cmac_decrypt_message): Take a const struct cmac128_key as argument. Updated callers. * siv-cmac.h (SIV_CMAC_CTX): Changed to use struct cmac128_key rather than struct cmac128_ctx. * siv-cmac-aes256.c (siv_cmac_aes256_encrypt_message) (siv_cmac_aes256_decrypt_message): Likewise. * siv-cmac-aes128.c (siv_cmac_aes128_encrypt_message) (siv_cmac_aes128_decrypt_message): The ctx argument made const. 2019-05-15 Niels Möller * siv-cmac.h (SIV_CMAC_AES128_KEY_SIZE, SIV_CMAC_AES256_KEY_SIZE): New constants. * testsuite/siv-test.c: Simplify tests a little. * siv-cmac.h (SIV_MIN_NONCE_SIZE): New constant, 1. * siv-cmac.c (_siv_s2v): Require non-empty nonce. * nettle.texinfo (SIV-CMAC): Update documentation. 2019-05-06 Niels Möller SIV-CMAC mode, based on patch by Nikos Mavrogiannopoulos: * siv-cmac.h (SIV_BLOCK_SIZE, SIV_DIGEST_SIZE): New constants. (SIV_CMAC_CTX): New macro. (struct siv_cmac_aes128_ctx, struct siv_cmac_aes256_ctx): New context structs. * siv-cmac.c (_siv_s2v, siv_cmac_set_key) (siv_cmac_encrypt_message) (siv_cmac_decrypt_message): New file, new functions. * siv-cmac-aes128.c (siv_cmac_aes128_set_key) (siv_cmac_aes128_encrypt_message) (siv_cmac_aes128_decrypt_message): New file, new functions. * siv-cmac-aes256.c (siv_cmac_aes256_set_key) (siv_cmac_aes256_encrypt_message) (siv_cmac_aes256_decrypt_message): New file, new functions. * Makefile.in (nettle_SOURCES): Add siv-cmac source files. (HEADERS): Add siv-cmac.h. * testsuite/siv-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added siv-test.c * nettle.texinfo (SIV-CMAC): Documentation. 2019-04-30 Niels Möller Based on a patch contributed by Nikos Mavrogiannopoulos. * cmac.c (_cmac128_block_mulx): Renamed function... (block_mulx): ... from old name. * cmac-internal.h (_cmac128_block_mulx): New file, declare function. * Makefile.in (DISTFILES): Added cmac-internal.h. 2019-06-26 Niels Möller * Released nettle-3.5.1. * configure.ac: Update version number to 3.5.1. * Makefile.in (distdir): Add x86_64/sha_ni to list of distributed directories. * Released nettle-3.5. 2019-06-25 Niels Möller * config.sub: Update to 2019-05-23 version, from savannah's config.git. * config.guess: Update to 2019-06-10 version, from savannah's config.git. Adds recognition of mips R6 and riscv. 2019-06-05 Niels Möller Further separation of CMAC per-message state from the message-independent subkeys, analogous to the gcm implementation. * cmac.h (struct cmac128_ctx): Remove key, instead a struct cmac128_key should be passed separately to functions that need it. (CMAC128_CTX): Include both a struct cmac128_key and a struct cmac128_ctx. (CMAC128_SET_KEY, CMAC128_DIGEST): Updated accordingly. * cmac.c (cmac128_set_key): Change argument type from cmac128_ctx to cmac128_key. Use a nettle_block16 for the constant zero block. (cmac128_init): New function, to initialize a cmac128_ctx. (cmac128_digest): Add cmac128_key argument. Move padding memset into the block handling a partial block. Call cmac128_init to reset state. 2019-06-01 Niels Möller * cmac.h (struct cmac128_key): New struct. * cmac.h (struct cmac128_ctx): Use struct cmac128_key. * cmac.c (cmac128_set_key, cmac128_digest): Update accordingly. 2019-05-12 Niels Möller Delete old libdes/openssl compatibility interface. * des-compat.c: Delete file. * des-compat.h: Delete file. * testsuite/des-compat-test.c: Delete file. * nettle.texinfo (Compatibility functions): Delete mention in documentation. 2019-05-11 Niels Möller * NEWS: More updates for Nettle-3.5. 2019-04-27 Niels Möller From Simo Sorce: * x86_64/poly1305-internal.asm: Add missing EPILOGUE. * x86_64/serpent-decrypt.asm: Likewise. * x86_64/serpent-encrypt.asm: Likewise. 2019-04-14 Niels Möller * tools/nettle-pbkdf2.c (main): Check strdup return value. 2019-03-29 Niels Möller * aes.h (struct aes_ctx): Redefine using a union of key-size specific contexts. * aes-decrypt.c (aes_decrypt): Use switch on key_size. * aes-encrypt.c (aes_encrypt): Likewise. * aes-set-decrypt-key.c (aes_invert_key): Likewise. * aes-set-encrypt-key.c (aes_set_encrypt_key): Likewise. 2019-03-27 Niels Möller * xts.c (xts_shift): Arrange with a single write to u64[1]. * cmac.c (block_mulx): Rewrite to work in the same way as xts_shift, with 64-bit operations. XTS and CMAC use opposite endianness, but otherwise, these two functions are identical. 2019-03-24 Niels Möller From Simo Sorce: * xts.h: New file. * xts.c: New file. (BE_SHIFT): New macro. (xts_shift, check_length, xts_encrypt_message) (xts_decrypt_message): New functions. * xts-aes128.c (xts_aes128_set_encrypt_key) (xts_aes128_set_decrypt_key, xts_aes128_encrypt_message) (xts_aes128_decrypt_message): New file, new functions. * xts-aes256.c (xts_aes256_set_encrypt_key) (xts_aes256_set_decrypt_key, xts_aes256_encrypt_message) (xts_aes256_decrypt_message): New file, new functions. * nettle.texinfo (XTS): Document XTS mode. * Makefile.in (nettle_SOURCES): Add xts sourcce files. (HEADERS): New installed header xts.h. * testsuite/xts-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add xts-test.c. 2019-02-06 Niels Möller * gosthash94.h (struct gosthash94_ctx): Move block buffer last in struct. * md2.h (struct md2_ctx): Likewise. * md4.h (struct md4_ctx): Likewise. * md5.h (struct md5_ctx): Likewise. * ripemd160.h (struct ripemd160_ctx): Likewise. * sha1.h (struct sha1_ctx): Likewise. * sha2.h (struct sha256_ctx, struct sha512_ctx): Likewise. 2019-01-19 Niels Möller * examples/Makefile.in (TARGETS): Delete eratosthenes, left over from earlier change. * fat-arm.c: Fix declarations of chacha_core functions. From Yuriy M. Kaminskiy: * fat-setup.h (chacha_core_func): New typedef. * fat-arm.c (fat_init): Enable choice between _nettle_chacha_core_c and _nettle_chacha_core_neon. * configure.ac (asm_nettle_optional_list): Add chacha-core-internal-2.asm. * chacha-core-internal.c: Enable fat build with C and asm version. * arm/fat/chacha-core-internal-2.asm: New file. 2019-01-12 Niels Möller * examples/eratosthenes.c: Deleted program. * examples/Makefile.in: Delete rule to build and distribute it. 2019-01-10 Niels Möller * testsuite/rsa-compute-root-test.c (test_one): Use %u and corresponding cast, when printing bit sizes. 2019-01-09 Niels Möller * examples/nettle-benchmark.c (GET_CYCLE_COUNTER): Add volatile to inline asm. 2019-01-08 Niels Möller * sha512-compress.c: Add missing include of sha2-internal.h. 2019-01-06 Niels Möller * testsuite/rsa-compute-root-test.c (generate_keypair): Fix assert call with side-effects. 2019-01-06 Niels Möller * nettle-types.h: Don't use nettle-stdint.h, include directly. * nettle-write.h: Likewise. * configure.ac: Delete use of AX_CREATE_STDINT_H. * aclocal.m4 (AX_CREATE_STDINT_H): Delete. * Makefile.in (INSTALL_HEADERS, distclean-here): Delete mention of nettle-stdint.h. 2018-12-26 Niels Möller * examples/hogweed-benchmark.c (make_openssl_rsa_ctx): New helper function. Call openssl's RSA_generate_key_ex rather then the deprecated RSA_generate_key. (bench_openssl_rsa_init, bench_openssl_rsa_tr_init): Use it. * eccdata.c (ecc_pippenger_precompute): Check that table size is at least 2. Intended to silence warning from the clang static analyzer. * configure.ac: Bump package version to 3.5. (LIBNETTLE_MAJOR): Bump major number, now 7. (LIBHOGWEED_MAJOR): Bump major number, now 5. (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Reset to zero. * pkcs1-internal.h: New header file, moved declarations of _pkcs1_sec_decrypt and _pkcs1_sec_decrypt_variable here. * rsa-internal.h: ... old location. * Makefile.in (DISTFILES): Added pkcs1-internal.h. * pkcs1-decrypt.c: Include new file. * pkcs1-sec-decrypt.c: Likewise. * rsa-decrypt-tr.c: Likewise. * rsa-sec-decrypt.c: Likewise. * testsuite/pkcs1-sec-decrypt-test.c: Likewise. * tools/nettle-pbkdf2.c: Add #define _GNU_SOURCE, needed for strdup with gcc -std=c89. * testsuite/ed25519-test.c: Add #define _GNU_SOURCE, needed for getline with gcc -std=c89. * rsa-sign-tr.c (sec_equal): Fix accidental use of C99 for loop. Reported by Andreas Gustafsson. * testsuite/rsa-sec-decrypt-test.c (test_main): Likewise. 2018-12-04 Niels Möller * Released nettle-3.4.1. 2018-11-28 Niels Möller * configure.ac: Update GMP check. Check for the function mpn_sec_div_r, available since GMP-6.0.0. * testsuite/rsa-encrypt-test.c (test_main): Fix allocation of decrypted storage. Update test of rsa_decrypt, to allow clobbering of all of the passed in message area. * pkcs1-decrypt.c (pkcs1_decrypt): Rewrite as a wrapper around _pkcs1_sec_decrypt_variable. Improves side-channel silence of the only caller, rsa_decrypt. * Makefile.in (DISTFILES): Add rsa-internal.h, needed for make dist. Patch from Simo Sorce. * rsa-internal.h: Add include of rsa.h. 2018-11-27 Niels Möller * rsa-sec-compute-root.c (sec_mul, sec_mod_mul, sec_powm): New local helper functions, with their own itch functions. (_rsa_sec_compute_root_itch, _rsa_sec_compute_root): Rewrote to use helpers, for clarity. 2018-11-26 Niels Möller * testsuite/rsa-compute-root-test.c (generate_keypair): Simplify selection of psize and qsize, and fix so that qsize is used. (test_main): Add outer loop, to test with more than one key. Deallocate storage before exiting. 2018-11-25 Niels Möller * testsuite/rsa-compute-root-test.c: Renamed, from ... * testsuite/rsa-sec-compute-root-test.c: ... old name. * rsa.h (rsa_sec_compute_root_tr): Deleted declaration, moved to ... * rsa-internal.h (_rsa_sec_compute_root_tr): ... new location. * rsa-sign-tr.c (_rsa_sec_compute_root_tr): Renamed, from... (rsa_sec_compute_root_tr): ... old name. Updated callers. (cnd_mpn_zero): Use a volatile-declared mask variable. * testsuite/testutils.c (mpz_urandomb) [NETTLE_USE_MINI_GMP]: Fix masking of most significant bits. * rsa-decrypt-tr.c (rsa_decrypt_tr): Use NETTLE_OCTET_SIZE_TO_LIMB_SIZE. * testsuite/rsa-sec-decrypt-test.c (rsa_decrypt_for_test): Tweak valgrind marking, and document potential leakage of lowest and highest bits of p and q. * rsa-sec-compute-root.c (_rsa_sec_compute_root): Avoid calls to mpz_sizeinbase, since that potentially leaks most significant bits of private key parameters a and b. * testsuite/pkcs1-sec-decrypt-test.c (pkcs1_decrypt_for_test): Fix valgrind marking of return value. Merged below changes from Simo Sorce, to make RSA private key operations side-channel silent. 2018-11-08 Simo Sorce * rsa-sign.c (rsa_compute_root) [!NETTLE_USE_MINI_GMP]: Use _rsa_sec_compute_root. * testsuite/rsa-sec-compute-root-test.c: Add more tests for new side-channel silent functions. * rsa-sign.c (rsa_private_key_prepare): Check that qn + cn >= pn, since that is required for one of the GMP calls in _rsa_sec_compute_root. * rsa-decrypt-tr.c: Switch to use side-channel silent functions. * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt_variable): New private function. Variable size version for backwards compatibility. * testsuite/rsa-sec-decrypt-test.c: Adds more tests. * rsa-sec-decrypt.c (rsa_sec_decrypt): New function. Fixed length side-channel silent version of rsa-decrypt. * testsuite/rsa-encrypt-test.c: add tests for the new fucntion. * testsuite/pkcs1-sec-decrypt-test.c: Adds tests for _pkcs1_sec_decrypt. * gmp-glue.c (mpn_get_base256): New function. * pkcs1-sec-decrypt.c (_pkcs1_sec_decrypt): New private function. Fixed length side-channel silent version of pkcs1-decrypt. * cnd-memcpy.c (cnd_memcpy): New function. * memops.h: Declare it. * testsuite/cnd-memcpy-test.c: New test case. * rsa-sign-tr.c (rsa_sec_compute_root_tr): New function that uses _rsa_sec_compute_root, as well as side-channel silent RSA blinding. (rsa_compute_root_tr) Rewritten as a wrapper around rsa_sec_compute_root_tr. (rsa_sec_blind, rsa_sec_unblind, sec_equal, rsa_sec_check_root) (cnd_mpn_zero): New helper functions. (rsa_sec_compute_root_tr) [NETTLE_USE_MINI_GMP]: Defined as a not side-channel silent wrapper around rsa_compute_root_tr, and the latter function left unchanged. * rsa-sec-compute-root.c (_rsa_sec_compute_root_itch) (_rsa_sec_compute_root): New file, new private functions. Side-channel silent version of rsa_compute_root. * rsa-internal.h: New header file with declarations. * gmp-glue.h (NETTLE_OCTET_SIZE_TO_LIMB_SIZE): New macro. 2018-11-24 Niels Möller * configure.ac: Bump package version to 3.4.1. (LIBNETTLE_MINOR): Bump library version to 6.5. (LIBHOGWEED_MINOR): Bump library version to 4.5. 2018-11-17 Niels Möller * examples/hogweed-benchmark.c (bench_rsa_verify) (bench_openssl_rsa_tr_init): New functions. (alg_list): Benchmark timing-resistant RSA functions, i.e., including RSA blinding. (main): Increase width of first column, here and in other printouts. 2018-10-10 Dmitry Eremin-Solenikov * ctr16.c (_ctr_crypt16): Bugfix for the src == dst case, when processing more than on full block of size CTR_BUFFER_LIMIT, src and dst arguments to memxor3 were not properly updated. 2018-10-10 Niels Möller * aes-set-encrypt-key.c: Add missing include of stdlib.h. * des-compat.c: Likewise. 2018-09-13 Niels Möller * rsa-keygen.c (rsa_generate_keypair): Delete unlikely and redundant check for p == q. 2018-08-09 Niels Möller * rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with _NETTLE_ATTRIBUTE_DEPRECATED. * nettle-types.h (_NETTLE_ATTRIBUTE_PURE) (_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and lookalikes. * ecc-curve.h: Include nettle-types.h, and use _NETTLE_ATTRIBUTE_PURE instead of local definition. * nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit #ifdefs. * aes.h: Mark functions using struct aes_ctx interface as deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where the functions are implemented or tested. * gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated. * nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper) (blowfish128_set_key_wrapper): Wrapper functions, to avoid cast between incompatible function types (which gcc-8 warns about). Wrappers are expected to compile to a single jmp instruction. * des-compat.c (des_compat_des3_encrypt) (des_compat_des3_decrypt): Change length argument type to size_t. 2018-08-08 Niels Möller * nettle.texinfo (Compatibility): New section on ABI and API compatibility. 2018-07-25 Dmitry Eremin-Solenikov * examples/nettle-benchmark.c: Add benchmarking for HMAC functions. 2018-07-13 Niels Möller * examples/eratosthenes.c (vector_alloc): Add assert related to overflow in the size calculation. Fixes a corner case identified by static analysis. (vector_init): Analogous assert. 2018-07-12 Niels Möller * examples/eratosthenes.c (main): Don't allocate bitmap storage for limit == 2 (early exit), closing memory leak at exit. (main): Fix handling of short -q option. * eccdata.c (output_curve): Replace mpz_init_set_ui by mpz_set_ui, to fix memory leak. (ecc_curve_clear): New function. (main): Call it, to deallocate storage before exit. 2018-07-08 Niels Möller * fat-x86_64.c (fat_init): Fix setup for nettle_sha1_compress. * x86_64/fat/sha1-compress.asm: Add leading underscore to symbol name. * x86_64/fat/sha1-compress-2.asm: Likewise. 2018-07-07 Niels Möller From Nikos Mavrogiannopoulos. * sha1-compress.c (nettle_sha1_compress): Renamed, and promoted to public function, since there's known appliation usage (filezilla). * sha1.h (_nettle_sha1_compress): Old name, now a preprocessor alias for the new name. * md5-compress.c (nettle_md5_compress): Similarly renamed (used by sogo). * md5.h (_nettle_md5_compress): Old name,, now a preprocessor alias for the new name. * chacha-internal.h, dsa-internal.h, eddsa-internal.h: * hogweed-internal.h, ripemd160-internal.h, rsa-internal.h: * salsa20-internal.h, sha2-internal.h, sha3-internal.h: * umac-internal.h: Internal declarations moved to new header files, which are not installed.. * Makefile.in (DISTFILES): Added above files. * libnettle.map.in: Use a different symbol version for _nettle_* symbols, depending on the minor release. This marks these symbols explicitly not part of the public Nettle ABI. * libhogweed.map.in: Analogous change. 2018-06-17 Niels Möller * aclocal.m4 (NETTLE_CHECK_IFUNC): Fix quoting. Patch contributed by Dmitry Eremin-Solenikov. * testsuite/symbols-test: Exclude ____chkstk_darwin symbols, produced by Apple's Xcode 10 compiler. Patch contributed by Dominyk Tiller. 2018-03-25 Niels Möller From Michael Weiser. * configure.ac (ASM_WORDS_BIGENDIAN): New substution, set from AC_C_BIGENDIAN. * config.m4.in: Use it to set WORDS_BIGENDIAN. * asm.m4 (IF_BE, IF_LE): New macros. * arm/memxor.asm: Support big-endian ARM. * arm/memxor3.asm: Likewise. * arm/neon/chacha-core-internal.asm: Likewise. * arm/neon/salsa20-core-internal.asm: Likewise. * arm/neon/umac-nh.asm: Likewise. * arm/v6/sha1-compress.asm: Likewise. * arm/v6/sha256-compress.asm: Likewise. * arm/README: Document big-endian considerations. 2018-03-17 Niels Möller Discourage direct access to data symbols with non-public size. Direct references to these symbols may result in copy-relocations like R_X86_64_COPY, which make the symbol size leak into the ABI. * ecc-curve.h (_nettle_secp_192r1, _nettle_secp_224r1) (_nettle_secp_256r1, _nettle_secp_384r1, _nettle_secp_521r1): Add leading underscore on these data symbols. * nettle-meta.h (_nettle_ciphers, _nettle_hashes, _nettle_aeads) (_nettle_armors): Add leading underscore on these data symbols. Update all internal use. Macros without leading underscore remain, and expand to access via accessor functions nettle_get_ciphers and similar. 2018-03-10 Niels Möller * eccdata.c (ecc_table_size): New helper function. (ecc_pippenger_precompute): Display warning for poor parameters. * eccparams.c (main): New program, to list parameter alternatives for Pippenger's algorithm. * Makefile.in: Tweak parameters for ecc tables. (ecc-192.h): Change parameters from k = 7, c = 6 to k = 8, c = 6. Reduces table size from 15 KB to 12 KB. Modest speedup, appr. 3% for ecdsa signatures. (ecc-224.h): Change parameters from k = 12, c = 6 to k = 16, c = 7. Table size unchanged (14 KB in 32-bit platforms, 18 KB on 64-bit platforms. Minor speedup, appr. 1% for ecdsa signatures. (ecc-256.h): Change parameters from k = 14, c = 6 to k = 11, c = 6. Table size unchanged, 16 KB. 14% speedup for ecdsa signatures. (ecc-384.h): Changed parameters from k = 41, c = 6 to k = 32, c = 6. Table size unchanged. 12% speedup for ecdsa signatures. (ecc-521.h): Changed parameters from k = 56, c = 6 to k 44, c = 6. Table size unchanged (17 KB on 32-bit platforms, 18 KB on 64-bit platforms). 15% speedup for ecdsa signatures. (ecc-255.h): Change parameters from k = 14, c = 6 to k = 11, c = 6. Table size unchanged, 16 KB. 24% speedup for eddsa signatures. 2018-03-14 Niels Möller Merge sha256 code using the x86_64 sha_ni instructions, starting 2018-02-21. 2018-03-11 Niels Möller * x86_64/fat/sha256-compress.asm: New file. * x86_64/fat/sha256-compress-2.asm: New file. * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or sha_ni version for sha256_compress. 2018-02-21 Niels Möller * x86_64/sha_ni/sha256-compress.asm: New implementation using sha_ni instructions. 2018-02-20 Niels Möller * testsuite/cmac-test.c (test_cmac_hash): Deallocate ctx properly. 2018-02-19 Niels Möller Mostly aesthetic changes. Besides indentation: * cmac.h (struct cmac128): Rename, to cmac128_ctx. (CMAC128_CTX): Rename first member from data to ctx. * cmac.c: Use const void * as the type for cipher arguments. (block_mulx): Un-inline. (cmac128_set_key): Make a constant function local. * testsuite/cmac-test.c: Delete local typedefs. 2018-02-19 Nikos Mavrogiannopoulos Add support for CMAC. * cmac.h: New file. (struct cmac128): New struct. * cmac.c (block_mulx, cmac128_set_key, cmac128_update) (cmac128_digest): New file, new functions. * cmac-aes128.c (cmac_aes128_set_key, cmac_aes128_update) (cmac_aes128_digest): New file, new functions. * cmac-aes256.c (cmac_aes256_set_key, cmac_aes256_update) (cmac_aes256_digest): New file, new functions. * Makefile.in (nettle_SOURCES): Added cmac.c cmac-aes128.c cmac-aes256.c. (HEADERS): Added cmac.h. * testsuite/cmac-test.c: New tests. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add cmac-test.c. * examples/nettle-benchmark.c (time_cmac): New function. (main): Use it. * nettle.texinfo: Document CMAC. 2018-02-20 Niels Möller * testsuite/cbc-test.c (test_cbc_bulk): Use struct aes256_ctx, instead of the deprecated struct aes_ctx. * testsuite/cfb-test.c (test_cfb_bulk): Likewise. * examples/rsa-session.h (struct rsa_session): Likewise. * examples/rsa-encrypt.c (rsa_session_set_encrypt_key) (process_file): Use aes256_* functions. * examples/rsa-decrypt.c (rsa_session_set_decrypt_key) (process_file): Likewise. 2018-02-19 Niels Möller * nettle-internal.h: Include sha3.h, needed for the definition of NETTLE_MAX_HASH_CONTEXT_SIZE. (TMP_DECL_ALIGN, TMP_ALLOC_ALIGN): New macros, to support allocation of context structs with alignment requirements. [!HAVE_ALLOCA]: Also use assert, rather than calling abort directly. * pss.c (pss_encode_mgf1, pss_verify_mgf1): Use new macros. * pss-mgf1.c (pss_mgf1): Likewise. 2018-02-18 Niels Möller * testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved pss-mgf1-test.c... (TS_HOGWEED_SOURCES): ...to here. Fixes link failure in builds without public-key support. 2018-02-18 Dmitry Eremin-Solenikov * examples/nettle-openssl.c): Move expressions with side effects out of asserts. 2018-02-17 Dmitry Eremin-Solenikov (openssl_evp_set_encrypt_key, openssl_evp_set_decrypt_key): Use EVP_CipherInit_ex. * examples/nettle-openssl.c (nettle_openssl_gcm_aes128) (nettle_openssl_gcm_aes192, nettle_openssl_gcm_aes256): New aead algorithms, for benchmarking purposes, and supporting wrapper functions. * nettle-internal.h: Corresponding declarations. * examples/nettle-benchmark.c (main): Include openssl's gcm aes in benchmark. 2018-02-16 Niels Möller * nettle.texinfo: Improved index entries. (Cipher functions): Update CAST128/CAST5 docs. Inconsistencies spotted by Henrik Rindlöw. 2018-02-10 Niels Möller * configure.ac: New configure option --enable-x86-sha-ni. 2018-02-07 Niels Möller * x86_64/fat/sha1-compress.asm: New file. * x86_64/fat/sha1-compress-2.asm: New file. * fat-x86_64.c (fat_init): Select plain x86_64 assembly version or sha_ni version for sha1_compress. 2018-02-05 Niels Möller * x86_64/sha_ni/sha1-compress.asm: New implementation using sha_ni instructions. * fat-x86_64.c (get_x86_features): Check for sha_ni extension. * x86_64/fat/cpuid.asm: Clear %ecx input to cpuid instruction. 2018-02-01 Nikos Mavrogiannopoulos * gcm.c (gcm_fill): New function, for use with _ctr_crypt16. (gcm_encrypt, gcm_decrypt): Use _ctr_crypt16. 50% speedup of gcm_aes128, benchmarked on x86_64 with aesni instructions. 2018-02-01 Niels Möller Based on a patch contributed by Nikos Mavrogiannopoulos. * ctr16.c (_ctr_crypt16): New file, renamed and generalized function. New function pointer argument, used to fill a block with counter values. Use nettle_block16 * as the type for the buffer to be filled. Always process any final and partial block, and return no value. * ctr.c (ctr_crypt): ... previous, replaced, function. (ctr_fill16): Updated to new argument type. (ctr_crypt): Return immediately after using _ctr_crypt16. * ctr-internal.h: New file, declaring _ctr_crypt16. (nettle_fill16_func): New function typedef. * Makefile.in (nettle_SOURCES): Added ctr16.c. (DISTFILES): Added ctr-internal.h. 2018-01-30 Niels Möller * Makefile.in (clean-here): Don't delete desdata.stamp. 2018-01-24 Jay Foad * Makefile.in (TARGETS): Delete dependencies on aesdata, desdata, twofishdata, shadata and gcmdata. They are not needed for a normal build. (clean-here): Explicitly delete of above files. (desdata.stamp): New stamp target, to avoid building desdata twice in a parallell build. 2018-01-23 Niels Möller * configure.ac (asm_path): Recognize "x86", in addition to "i?86", for 32-bit x86 processors. Reportedly needed for x86 android builds. 2018-01-20 Niels Möller CFB8 support, contributed by Dmitry Eremin-Solenikov. * cfb.c (cfb8_encrypt, cfb8_decrypt): New functions. * cfb.h: Declare them. (CFB8_ENCRYPT, CFB8_DECRYPT): New macros. * testsuite/cfb-test.c: New tests for CFB8. * nettle.texinfo (CFB and CFB8): Documentation. 2018-01-16 Niels Möller * tools/pkcs1-conv.c (convert_file): Add missing break statements. 2018-01-09 Niels Möller * testsuite/testutils.c (test_cipher_ctr): Test operations with shorter sizes. * testsuite/ctr-test.c: Additional unofficial test vectors, to exercise carry propagation in the counter, and block size different from 16. 2018-01-08 Niels Möller * ctr.c (ctr_crypt16): New function, with optimizations specific to 16-byte block size. (ctr_fill16): New helper function, definition depending on WORDS_BIGENDIAN, and little endian version requiring HAVE_BUILTIN_BSWAP64. (ctr_crypt): Use ctr_crypt16, when appropriate. * nettle-types.h (union nettle_block16): Add uint64_t field. * configure.ac: Check for __builtin_bswap64, define HAVE_BUILTIN_BSWAP64 if available. * ctr.c (ctr_fill): New function. Use in ctr_crypt. * ctr.c (ctr_crypt): For in-place operation, increase max buffer size from 4 blocks to 512 bytes, similarly to CBC and CFB. Improves in-place aes128 CTR performance by 25% on x86_64. * examples/nettle-benchmark.c (time_cipher): Benchmark in-place operation separately, for cbc_decrypt and ctr_crypt. * cbc.c (cbc_decrypt): For in-place operation (src == dst case), eliminate use of src variable. * cfb.c (cfb_decrypt): Likewise. * gcm.c (gcm_crypt): Likewise, and replace one memxor3 by memxor. 2018-01-03 Niels Möller * x86_64/aesni/aes-encrypt-internal.asm: Read subkeys into xmm registers before the block loop, and completely unroll the round loop. * x86_64/aesni/aes-decrypt-internal.asm: Likewise. 2017-11-19 Niels Möller * Released nettle-3.4. 2017-11-12 Niels Möller * configure.ac: Update check of GMP_NUMB_BITS declaration in assembly files. Was broken by rename of configure variable GMP_NUMB_BITS --> NUMB_BITS. 2017-11-11 Niels Möller * nettle.texinfo: Document nettle_get_hashes, nettle_get_ciphers and nettle_get_aeads, and replace nettle_secp_256r1 by nettle_get_secp_256r1. Update version numbers. Delete ancient setting of ispell-skip-region-alist as an emacs file-local variable. 2017-11-08 Niels Möller * ecc-curve.h (nettle_secp_192r1, nettle_secp_224r1) (nettle_secp_256r1, nettle_secp_384r1, nettle_secp_521r1): Delete macro wrappers, partially reverting below 2017-04-09 change. They didn't work at all for applications that only see a forward declaration of struct ecc_curve. Instead, we will have to make an ABI and API break and delete these symbols, when the size of struct ecc_curve is increased. 2017-11-05 Niels Möller * configure.ac Bump package version to 3.4. (LIBNETTLE_MINOR): Bump library version to 6.4. (LIBHOGWEED_MINOR): Bump library version to 4.4. 2017-10-23 Niels Möller * examples/Makefile.in (check): Also set DYLD_LIBRARY_PATH in the environment, to support Mac OSX shared libraries. * testsuite/Makefile.in (LD_LIBRARY_PATH): Likewise. 2017-10-23 Niels Möller Merge API fixes, starting at 2017-01-12. 2017-04-09 Niels Möller * ecc-curve.h (nettle_get_secp_192r1, nettle_get_secp_224r1) (nettle_get_secp_256r1, nettle_get_secp_384r1) (nettle_get_secp_521r1): New functions, returning a pointer to corresponding structure. (nettle_secp_192r1, nettle_secp_224r1, nettle_secp_256r1) (nettle_secp_384r1, nettle_secp_521r1): Redefined as macros, calling the corresponding function. * nettle-meta.h (nettle_ciphers, nettle_aeads, nettle_armors): New macros, analogous to below change to nettle_hashes. * nettle-meta-ciphers.c (nettle_get_ciphers): New function. * nettle-meta-aeads.c (nettle_get_aeads): New function. * nettle-meta-armors.c (nettle_get_armors): New function. 2017-01-12 Niels Möller * tools/nettle-hash.c (find_algorithm): Deleted function. (main): Replaced by call to nettle_lookup_hash. * testsuite/meta-hash-test.c (test_main): Use nettle_lookup_hash. * nettle-meta.h (nettle_hashes): New macro, expanding to a call to nettle_get_hashes. Direct access to the array causes the array size to leak into the ABI, since a plain un-relocatable executable linking with libnettle.so gets copy relocations for any referenced data items in the shared library. * nettle-meta-hashes.c (nettle_get_hashes): New function. 2017-10-16 Niels Möller CFB support, contributed by Dmitry Eremin-Solenikov. * cfb.c (cfb_encrypt, cfb_decrypt): New file, new functions. * cfb.h: New header file. (CFB_CTX, CFB_SET_IV, CFB_ENCRYPT, CFB_DECRYPT): New macros. * Makefile.in (nettle_SOURCES): Add cfb.c. (HEADERS): Add cfb.h. * testsuite/cfb-test.c: New test case. * testsuite/testutils.c (test_cipher_cfb): New function. * nettle.texinfo (CFB): Documentation. 2017-10-16 Niels Möller * aclocal.m4 (GMP_PROG_CC_FOR_BUILD): Add -g when compiling with gcc. 2017-09-27 Niels Möller Merged armor-signedness branch, starting 2017-08-27. 2017-09-24 Niels Möller * tools/pkcs1-conv.c (base64_decode_in_place): New helper function. (decode_base64): Use it. * sexp-transport-format.c (base64_encode_in_place): New helper function. (sexp_transport_vformat): Use it. * testsuite/base64-test.c (test_fuzz_once): Update to use char type where appropriate. (test_main): Use helper functions base64_encode_in_place and base64_decode_in_place (copied to this file). * testsuite/testutils.c (tstring_data): Use uint8_t for data argument. * testsuite/testutils.h (SDATA): Use US macro to cast data argument. 2017-08-27 Niels Möller * base64-encode.c (base64_encode_raw, base64_encode_group) (base64_encode_single, base64_encode_update) (base64_encode_final): Change type of destination to char *. * base16-encode.c (base16_encode_single, base16_encode_update): Likewise. * base64-decode.c (base64_decode_single, base64_decode_update): Change type of source argument to const char *. Update (almost) all callers. * base16-decode.c (base16_decode_single, base16_decode_update): Likewise. * nettle-types.h (nettle_armor_encode_update_func) (nettle_armor_encode_final_func, nettle_armor_decode_update_func): Corresponding updates to typedefs. 2017-09-14 Niels Möller * hkdf.c: Delete unneeded includes. Use Nettle licensing notice. * hkdf.h: Include only nettle-types.h, not nettle-meta.h. * ecc-mod.c (ecc_mod): Workaround to silence a false positive from the clang static analyzer. 2017-09-12 Niels Möller * testsuite/testutils.h (mpn_zero_p): Avoid redefining mpn_zero_p when building with mini-gmp. Since the mini-gmp update, this function is defined by mini-gmp, causing link errors if nettle is configured with --enable-mini-gmp --disable-shared. Reported by Tim Rühsen. 2017-09-09 Daiki Ueno * testsuite/ecc-mul-g-test.c (test_main): Fixed mpn_cmp call. * testsuite/ecc-mul-a-test.c (test_main): Likewise. * eccdata.c (ecc_point_out): Write to given stream, instead of stderr. * eccdata.c (output_curve): In curve448, the bit size of the order is slightly smaller than the one of p's. Adjust ecc_Bmodq_shifted accordingly. 2017-09-09 Niels Möller * mini-gmp.c: Updated mini-gmp from the gmp repository, latest change from 2017-07-23. * mini-gmp.h: Likewise. 2017-09-06 Niels Möller * hkdf.c (hkdf_expand): Eliminate a (signed) ssize_t variable, use break rather than return at loop termination. 2017-09-06 Niels Möller HKDF implementation, contributed by Nikos Mavrogiannopoulos. * hkdf.c (hkdf_extract, hkdf_expand): New file, new functions. * hkdf.h: New file. * Makefile.in (nettle_SOURCES): Add hkdf.c. (HEADERS): Add hkdf.h. * testsuite/hkdf-test.c: Tests for hkdf-sha256 and hkdf-sha1. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added hkdf-test.c. * nettle.texinfo (Key derivation functions): Document HKDF. 2017-09-04 Andreas Schneider * fat-arm.c: Add missing define for _GNU_SOURCE. 2017-08-27 Niels Möller * configure.ac (GMP_NUMB_BITS): Set to dummy value "n/a" in mini-gmp builds. (NUMB_BITS): New substituted variable which always holds the configured value. * Makefile.in (GMP_NUMB_BITS): Renamed variable... (NUMB_BITS): ...new name * config.make.in: Update corresponding substitution. 2017-08-26 Niels Möller * ecc-mod-inv.c (ecc_mod_inv): Add missing assert. Fixes a "dead increment" warning from the clang static analyzer. 2017-08-26 Niels Möller * examples/nettle-openssl.c (struct openssl_cipher_ctx): New struct. Use everywhere, instead of typing EVP_CIPHER_CTX pointers directly. * configure.ac: Update openssl-related tests. Checks for cipher-specific headers are replaced by a check for openssl/evp.h, and the check for the BF_ecb_encrypt function is replaced by a check for EVP_CIPHER_CTX_new. 2017-08-03 Daniel P. Berrange * examples/nettle-openssl.c: Rewritten to use openssl's EVP APIs. The older cipher-specific functions always use openssl's generic software implementation, while the EVP functions enables platform-specific code, e.g., using the x86 AES-NI instructions. (nettle_openssl_init): New function. 2017-07-18 Niels Möller * ecc-add-eh.c (ecc_add_eh): Fix in-place operation by reordering two multiplies. Previously, in-place operation resulted in an invalid call to mpn_mul with overlapping operands. Reported by Sergei Trofimovich. 2017-06-09 Niels Möller * pss.c (pss_verify_mgf1): Check for m being too large, fixing an assertion failure for certain invalid signatures. Based on a patch contributed by Daiki Ueno. * testsuite/rsa-pss-sign-tr-test.c (test_main): Add test case contributed by Daiki Ueno. Problem originally found by oss-fuzz, see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132. That problem report is currently embargoed, but will hopefully be public in a month or two. 2017-05-23 Niels Möller Rework the previous change, which had the unintended effect of always regenerating .test-rules.make after ./configure is run. * testsuite/Makefile.in (test-rules.stamp): New stamp file target, depend on Makefile.in, and run $(MAKE) test-rules. (.test-rules.make): Add a level of indirection, by depending on test-rules.stamp. 2017-05-20 Niels Möller * testsuite/Makefile.in (test-rules): Use $(srddir)/-prefix for .test-rules.make target, and change dependency from Makefile.in to Makefile. 2017-05-17 Nikos Mavrogiannopoulos * testsuite/Makefile.in: Ensure .test-rules.make is regenerated when Makefile.in is modified. 2017-04-09 Niels Möller * testsuite/dlopen-test.c (main): Call dlclose, to fix memory leak on success. * testsuite/pss-test.c: Delete magic to let valgrind to check if pss_encode_mgf1 is side-channel silent with respect to the salt and digest inputs. It turns out that the most significant bits of the padded bignum, and hence its size, depends on these inputs. Which results in a data-dependent branch in the normalization code of at the end of gmp's mpz_import. 2017-04-04 Niels Möller * pss.c (pss_verify_mgf1): Use const for input mpz_t argument. (pss_encode_mgf1): Avoid unnecessary memset and xor operations. Merged RSA-PSS support, contributed by Daiki Ueno. * pss-mgf1.h, pss.h: New header files. * pss-mgf1.c (pss_mgf1): New file and function. * pss.c (pss_encode_mgf1, pss_verify_mgf1): New file and functions. * rsa-verify.c (_rsa_verify_recover): New function. * rsa-pss-sha256-sign-tr.c: (rsa_pss_sha256_sign_digest_tr): New file and function. * rsa-pss-sha256-verify.c (rsa_pss_sha256_verify_digest): New file and function. * rsa-pss-sha512-sign-tr.c (rsa_pss_sha384_sign_digest_tr) (rsa_pss_sha512_sign_digest_tr): New file and functions. * rsa-pss-sha512-verify.c (rsa_pss_sha384_verify_digest) (rsa_pss_sha512_verify_digest): New file and functions. * rsa.h: Prototypes for new functions. * testsuite/rsa-pss-sign-tr-test.c: New test case. * testsuite/pss-test.c: New test case. * testsuite/pss-mgf1-test.c: New test case. * Makefile.in, testsuite/Makefile.in: Added new files. * nettle.texinfo: Documentation of rsa-pss functions. 2017-03-20 Niels Möller * nettle-internal.h (NETTLE_MAX_HASH_CONTEXT_SIZE): New constant. * testsuite/meta-hash-test.c (test_main): Add sanity check for NETTLE_MAX_HASH_CONTEXT_SIZE. * tools/nettle-hash.c (list_algorithms): Also display the internal context size. 2017-01-03 Nikos Mavrogiannopoulos * ecdsa-verify.c (ecdsa_verify): Eliminated memory leak on error path. 2016-10-10 Niels Möller * write-be32.c (_nettle_write_be32): Use const for source argument. * write-le32.c (_nettle_write_le32): Likewise. * write-le64.c (_nettle_write_le64): Likewise. * nettle-write.h: Update prototypes. 2016-10-01 Niels Möller * Released nettle-3.3. 2016-09-13 Niels Möller * nettle-meta-hashes.c (nettle_hashes): Added SHA3 hashes. Reported missing by Thomas Walter. * testsuite/meta-hash-test.c: Update test accordingly. 2016-09-07 Niels Möller * nettle.texinfo (Elliptic curves): Split into sub-nodes. (Miscellaneous functions): Document memeql_sec. * NEWS: Mention memeql_sec. 2016-09-06 Niels Möller * NEWS: Update for 3.3. * configure.ac: Bump package version to 3.3. (LIBNETTLE_MINOR): Bump library version to 6.3. (LIBHOGWEED_MINOR): Bump library version to 4.3. 2016-09-05 Niels Möller * curve25519.h (NETTLE_CURVE25519_RFC7748): New preprocessor constant. * nettle.texinfo: Document it. 2016-09-03 Niels Möller * config.make.in (.SUFFIXES): Delete no longer used .p$(OBJEXT). * sexp.h (TOKEN_CHAR): Delete macro and declaration of sexp_token_chars. They belong in tools/misc.h, not here. * examples/ecc-benchmark.c (die): Deleted unused function. * testsuite/testutils.h (US): New macro, for unsigned string literals. (LDATA): Use the US macro, to eliminate pointer signedness warnings. * testsuite/eddsa-verify-test.c (test_eddsa): Use LDATA. * testsuite/pbkdf2-test.c (test_main): Likewise. * testsuite/pkcs1-test.c (test_main): Likewise. * testsuite/md5-compat-test.c (test_main): Use US macro. * testsuite/sexp-test.c (test_main): Use const char * for assoc keys. Overlooked in 2016-08-16 change. * testsuite/yarrow-test.c (test_main): Fix pointer signednesss warnings. * testsuite/sexp-format-test.c (test_main): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Likewise. * tools/nettle-lfib-stream.c (main): Likewise. * tools/output.c (sexp_put_string): Likewise. * testsuite/testutils.c (test_armor): Change ascii argument to const char *. * testsuite/base16-test.c (test_main): Use LDATA for the non-ascii argument to test_armor. * testsuite/base64-test.c (test_main): Likewise. * tools/nettle-pbkdf2.c (main): Fix some pointer signedness warning. * tools/nettle-hash.c (hash_file): Likewise. * examples/rsa-decrypt.c (process_file): Use memeql_sec to check the digest. * memeql-sec.c (memeql_sec): New public function, moved from... * ccm.c (memeql_sec): ... previous location. * memops.h: New header file, generalizing memxor.h. * testsuite/memeql-test.c (test_main): New test case. (memeql_sec_for_test): Wrapper to get valgrind to check for side-channel silence. 2016-08-29 Niels Möller * sexp-format.c (strlen_u8): New helper function. (sexp_vformat): Use uint8_t * for strings instead of char *. 2016-08-16 Niels Möller * examples/io.c (hash_file): Use uint8_t for buffer. * sexp.c (sexp_iterator_check_type, sexp_iterator_check_types) (sexp_iterator_assoc): Use const char * for caller's expression types. Updated all callers. * rsa2openpgp.c (rsa_keypair_to_openpgp): Added cast to const uint8_t *. * pgp-encode.c (write_string): New helper function, replacing... (WRITE): ... deleted macro. * examples/io.c (write_data): Renamed, and use const void * for the input data. Updated all callers. (write_string): ... old name. (write_file): Use const void * for the input data. 2016-08-05 Niels Möller * examples/hogweed-benchmark.c: Use uint8_t for curve25519 values. (bench_rsa_init): Use unsigned char for sexp strings. (bench_dsa_init): Likewise. (hash_string): Delete length argument, calling strlen instead. Cast string to const uint8_t *. Updated callers. * examples/io.c (read_file): Use size_t for sizes, and uint8_t for the contents. 2016-08-04 Niels Möller * dsa-sign.c (dsa_sign): Return failure if p is even, so that an invalid key doesn't result in a crash inside mpz_powm_sec. * rsa-sign-tr.c (rsa_compute_root_tr): Return failure if any of p, q or n is even, to avoid crashing inside mpz_powm_sec. Invalid keys with even modulo are rejected by rsa_public_key_prepare and rsa_private_key_prepare, but some applications, notably gnutls, don't use them. 2016-07-31 Niels Möller * rsa.c (_rsa_check_size): Check that n is odd. Otherwise, using an invalid key may crash in mpz_powm_sec. Problem reported by Hanno Böck. 2016-07-13 Niels Möller * bignum.c (nettle_mpz_from_octets): Unconditionally use mpz_import. * gmp-glue.c (mpn_copyd, mpn_copyi, mpn_zero): Deleted compatibility definitions for older versions of GMP. * gmp-glue.h (mpn_sqr): Deleted compatibility definition. * testsuite/testutils.c (mpz_combit): Deleted compatibility definition. 2016-07-12 Niels Möller * configure.ac: Check for mpz_powm_sec, and require GMP-5.0 or later. * bignum.h (mpz_powm_sec): Fall back to plain mpz_powm for mini-gmp build. * dsa-sign.c (dsa_sign): Use mpz_powm_sec. * rsa-sign.c (rsa_compute_root): Likewise. * rsa-sign-tr.c (rsa_blind, rsa_compute_root_tr): Likewise. * rsa-blind.c (_rsa_blind): Likewise. 2016-05-02 Niels Möller * nettle.texinfo: Update Curve25519 documentation. * testsuite/curve25519-dh-test.c: Test that inputs bits which must be ignored really are ignored. 2016-04-25 Niels Möller * curve25519-mul.c (curve25519_mul): Ignore top bit of the input x coordinate, as required by RFC 7748. 2016-03-30 Niels Möller From Nikos Mavrogiannopoulos. * configure.ac: Change dll names to follow the libtool convention with only major version number in the name. 2016-03-15 Niels Möller * twofish.c (gf_multiply): Change return value to uint32_t, to make shifting of the return value well defined, without any type casts. Fixes an undefined shift in compute_s, reported by Nikos Mavrogiannopoulos. (h_byte): Deleted type casts. * blowfish.c (blowfish_encrypt, blowfish_decrypt): Use READ_UINT32 macro. Fixes an undefined shift, reported by Nikos Mavrogiannopoulos. From Nikos Mavrogiannopoulos. * configure.ac (HOGWEED_EXTRA_SYMBOLS): Add "mp_*", when building with mini-gmp. * des.c (des_weak_p): Check that the hash value is in the proper range before using it. Fixes an out-of-bounds read. 2016-03-14 Niels Möller * getopt.c (_getopt_internal_r): Fix c99-ism, move declarations to top of block. Reported by Henrik Grubbström. 2016-02-16 Niels Möller * tools/input.c (sexp_get_string_length): Process advanced string syntax only when in advanced mode. Fixes an assertion failure reported by Hanno Böck, for input where advanced syntax is improperly wrapped inside transport syntax. * tools/parse.c (sexp_parse): Fail with an error message for unexpected ']' characters. Fixes crash reported by Hanno Böck. Also handle SEXP_DISPLAY (internal error) explicitly, without a default clause. 2016-01-28 Niels Möller * Released nettle-3.2. 2016-01-26 Niels Möller * tools/nettle-pbkdf2.c (main): Fix handling of unrecognized options. Bug reported by Dongsheng Zhang. Display usage message and exit non-zero. Also added "Usage: "-prefix to the message. * tools/nettle-hash.c (usage): New function, extracted from main. (main): Analogous fix for unrecognized options. 2016-01-23 Niels Möller * nettle.texinfo: Set UPDATED-FOR to 3.2. 2016-01-21 Niels Möller * .gitlab-ci.yml: New file. Configuration for gitlab's continuous integration system. 2016-01-20 Niels Möller * testsuite/dlopen-test.c (main): Mark arguments as UNUSED. * testsuite/Makefile.in (clean): Delete dlopen-test. * configure.ac: Bump package version, to nettle-3.2. (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to libnettle.so.6.2 and and libhogweed.so.4.2. 2016-01-10 Niels Möller * base64-encode.c (encode_raw): Use const uint8_t * for the alphabet argument. * nettle.texinfo (RSA): Document the rsa_pkcs1_verify and rsa_pkcs1_sign functions, and the new rsa_*_tr functions. 2015-12-18 Niels Möller * testsuite/testutils.h: Fix include order, system headers before nettle headers. Always include version.h, needed by version-test.c. It was included indirectly via bignum.h, but only if configured with publickey support. * configure.ac (IF_DLOPEN_TEST): Fixed shell conditional. * testsuite/ecc-mod-test.c (test_main): Handle random seeding if NETTLE_TEST_SEED is set in the environment. 2015-12-15 Niels Möller * x86_64/ecc-384-modp.asm: Fixed carry propagation bug. Problem reported by Hanno Böck. Simplified the folding to always use non-negative carry, the old code attempted to add in a carry which could be either positive or negative, but didn't get that case right. 2015-12-10 Niels Möller * ecc-256.c (ecc_256_modp): Fixed carry propagation bug. Problem reported by Hanno Böck. (ecc_256_modq): Fixed another carry propagation bug. 2015-11-23 Niels Möller * nettle.texinfo: Document rsa_encrypt, rsa_decrypt and rsa_decrypt_tr. Text contributed by Andy Lawrence. 2015-11-15 Niels Möller * rsa.h (_rsa_blind, _rsa_unblind): Mark as deprecated. 2015-09-17 Niels Möller * rsa-md5-sign-tr.c (rsa_md5_sign_tr, rsa_md5_sign_digest_tr): New file, new functions. * rsa-sha1-sign-tr.c (rsa_sha1_sign_tr, rsa_sha1_sign_digest_tr): Likewise. * rsa-sha256-sign-tr.c (rsa_sha256_sign_tr) (rsa_sha256_sign_digest_tr): Likewise. * rsa-sha512-sign-tr.c (rsa_sha512_sign_tr) (rsa_sha512_sign_digest_tr): Likewise. * rsa.h: Added corresponding prototypes. * Makefile.in (hogweed_SOURCES): Added new files. * testsuite/testutils.c (SIGN): Extend macro to test new functions, and the rsa_*_sign_digest functions. Updated callers. 2015-09-14 Niels Möller * rsa-decrypt-tr.c (rsa_decrypt_tr): Use rsa_compute_root_tr. Mainly for simplicity and consistency, I'm not aware of any CRT fault attacks on RSA decryption. * testsuite/rsa-encrypt-test.c (test_main): Added test with invalid private key. * rsa-sign-tr.c (rsa_compute_root_tr): New file and function. * rsa.h: Declare it. * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Use rsa_compute_root_tr. (rsa_verify_res): Deleted, replaced by rsa_compute_root_tr. * testsuite/rsa-sign-tr-test.c (test_rsa_sign_tr): Check that signature argument is unchanged on failure. * Makefile.in (hogweed_SOURCES): Added rsa-sign-tr.c. 2015-09-07 Niels Möller * testsuite/rsa-sign-tr-test.c: Drop include of nettle-internal.h. (test_main): Fix incorrect use of sizeof, and use LDATA macro. From Nikos Mavrogiannopoulos. * rsa-pkcs1-sign-tr.c (rsa_verify_res): New function. (rsa_pkcs1_sign_tr): Check result of private key operation, to protect against hardware or software errors leaking the private key. * testsuite/rsa-sign-tr-test.c: New testcase. 2015-09-06 Niels Möller * nettle.texinfo: Updated SHA3 documentation. 2015-09-02 Niels Möller * testsuite/dlopen-test.c: New test program, exposing the problem with ifunc and RTLD_NOW. * testsuite/Makefile.in (TS_ALL): Conditionally add dlopen-test. (SOURCES): Added dlopen-test.c. (dlopen-test): New target, unlike other test programs, *not* linked with -lnettle. * configure.ac: Check for dlfcn.h and the dlopen function. (IF_DLOPEN_TEST): New substituted variable, true if dlopen is available and we are building a shared library. * fat-setup.h: Disable use of ifunc, since it breaks dlopen with RTLD_NOW. 2015-08-25 Niels Möller * NEWS: Started on entries for Nettle-3.2. * sha3.h (NETTLE_SHA3_FIPS202): New preprocessor constant. 2015-08-24 Niels Möller * testsuite/sha3.awk: Document origin of test vectors. From Nikos Mavrogiannopoulos. * sha3.c (_sha3_pad): Update for NIST version. * testsuite/sha3-224-test.c: Updated test vectors. * testsuite/sha3-256-test.c: Likewise. * testsuite/sha3-384-test.c: Likewise. * testsuite/sha3-512-test.c: Likewise. 2015-06-03 Niels Möller * arm/neon/chacha-core-internal.asm: New file. 55% speedup over C version on Cortex-A9. 2015-05-19 Niels Möller * configure.ac: ABI detection (n32 or n64) on Irix, and appropriate default for libdir. Patch from Klaus Ziegler. 2015-05-12 Niels Möller * version.c (nettle_version_major, nettle_version_minor): New file. New functions, returning the value of the corresponding preprocessor constant. * Makefile.in (nettle_SOURCES): Added version.c. * testsuite/version-test.c: New testcase. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added version-test.c. 2015-04-29 Niels Möller * arm/v6/sha256-compress.asm: Fix syntax error in offset addressing. Spotted by Jukka Ukkonen. * arm/v6/aes-decrypt-internal.asm: Drop %-prefix on r12 register. * arm/v6/aes-encrypt-internal.asm: Likewise. 2015-04-24 Niels Möller * Released nettle-3.1.1. * configure.ac: Bump package version, to nettle-3.1.1. (LIBNETTLE_MINOR, LIBHOGWEED_MINOR): Bump minor versions, to libnettle.so.6.1 and and libhogweed.so.4.1. 2015-04-22 Niels Möller * x86_64/gcm-hash8.asm: Use ".value" instead of ".short", since the latter is not supported by the Sun/Oracle assembler. 2015-04-13 Niels Möller * configure.ac: Fix shell quoting in test of GMP_NUMB_BITS asm compatibility. Reported by Edward Sheldrake. 2015-04-07 Niels Möller * Released nettle-3.1. 2015-03-31 Niels Möller * x86_64/ecc-224-modp.asm: Require that GMP_NUMB_BITS == 64. * x86_64/ecc-521-modp.asm: Likewise. Note that the other ecc-*-modp.asm files happen to work fine on x86_64, with either 32 or 64 bits. * asm.m4 (GMP_NUMB_BITS): New macro, expanding to nothing. * configure.ac: Move tests for compiler characteristics, libraries, and GMP_NUMB_BITS, before assembler-related tests. For files in $asm_hogweed_optional_list, check if they declare a GMP_NUMB_BITS requirement, and skip files which are incompatible with the configuration. Needed for --enable-mini-gmp om w64. * Makefile.in (clean-here): Unconditionally delete *.a (including stub libraries like *.dll.a). 2015-03-30 Niels Möller * version.h.in (GMP_NUMB_BITS) [NETTLE_USE_MINI_GMP]: Move definition here (uses configure substitution). * bignum.h (GMP_NUMB_BITS): ...old location. * nettle.texinfo: Updated version number. (Installation): Document some more configure options. * testsuite/symbols-test: Look for NETTLE_USE_MINI_GMP in version.h, not bignum.h. Allow leading underscore on mini-gmp symbols. 2015-03-26 Niels Möller * Makefile.in (PRE_CPPFLAGS): Drop -I$(srcdir), no longer needed. (HEADERS): Added bignum.h. Removed version.h. (INSTALL_HEADERS): Added version.h. (DISTFILES): Removed bignum.h.in. (bignum.h): Deleted make target. (distclean-here): Don't delete bignum.h. * configure.ac: No longer generate bignum.h. * bignum.h: Renamed. Removed substitution of NETTLE_USE_MINI_GMP, and include version.h instead. * bignum.h.in: ... old name. * version.h.in (NETTLE_USE_MINI_GMP): Substitute here. 2015-03-25 Niels Möller * configure.ac (MAJOR_VERSION, MINOR_VERSION): Tweak sed expressions, to tolerate version suffixes. * Makefile.in (distdir): Include assembly files from the new x86_64/aesni, x86_64/fat, and arm/fat directories. * ed25519-sha512-pubkey.c: Fix stack overwrite. The digest array must have room for a complete sha512 digest. 2015-03-19 Niels Möller * Makefile.in (OPT_HOGWEED_SOURCES): Deleted make variable. (nettle_SOURCES, hogweed_SOURCES): Don't include optional sources here. (OPT_SOURCES): New variable. (SOURCES): Include OPT_SOURCES. (DISTFILES): Drop mini-gmp.c here, included via OPT_SOURCES. (nettle_OBJS, hogweed_OBJS): Add the object files corresponding to the optional source files included in the build. * ecc-curve.h (nettle_curve25519): Removed public declaration. * ecc-internal.h (_nettle_curve25519): New location, new name. Updated all users. * nettle.texinfo: Updated EdDSA documentation. * Makefile.in (DISTFILES): Added version.h.in, libnettle.map.in, and libhogweed.map.in (latter two patch by Nikos). (version.h): New make target. (distclean-here): Added version.h, libnettle.map, and libhogweed.map. From Nikos Mavrogiannopoulos. * configure.ac (MAJOR_VERSION, MINOR_VERSION): New substituted variables. * version.h.in: New file, defining version numbers. 2015-03-18 Niels Möller EdDSA interface change, use plain strings to represent keys. * eddsa.h (_ED25519_LIMB_SIZE): Deleted constant. (struct ed25519_private_key, ed25519_public_key): Deleted. * eddsa-expand.c (_eddsa_expand_key): Don't compute the public key. (_eddsa_expand_key_itch): Deleted function. * eddsa-pubkey.c (_eddsa_public_key, _eddsa_public_key_itch): New file, new functions. * ed25519-sha512-pubkey.c (ed25519_sha512_public_key): New file and function. * ed25519-sha512-verify.c (ed25519_sha512_set_public_key): Deleted function. (ed25519_sha512_verify): Use a string to represent the public key. * ed25519-sha512-sign.c (ed25519_sha512_set_private_key): Deleted function. (ed25519_sha512_sign): Use strings for the input key pair. * Makefile.in (hogweed_SOURCES): Added eddsa-pubkey.c and ed25519-sha512-pubkey.c. * testsuite/eddsa-sign-test.c (test_eddsa_sign): Adapt to _eddsa_expand_key changes, and use _eddsa_public_key. * testsuite/ed25519-test.c (test_one): Test ed25519_sha512_public_key, and adapt to new ed25519 interface. 2015-03-14 Niels Möller * ccm.c (memeql_sec): New function, more side-channel silent than memcmp. (ccm_decrypt_message): Use it. 2015-03-12 Niels Möller * base64.h (struct base64_encode_ctx): Micro optimization of struct layout, saving a few bytes. (struct base64_decode_ctx): Likewise. * base16.h (struct base16_decode_ctx): Likewise. * nettle.texinfo (ASCII encoding): Document base64url functions. 2015-03-10 Niels Möller * nettle.texinfo: Update documentation of curve25519_mul. Say that the output is undefined for points belonging to the twist rather than the proper curve. * curve25519-mul.c (curve25519_mul): Changed return type to void. * curve25519.h (curve25519_mul): Updated prototype. * examples/hogweed-benchmark.c (bench_curve25519_mul): Drop check of curve25519_mul return value. * testsuite/curve25519-dh-test.c (test_a): Likewise. 2015-02-26 Niels Möller * nettle.texinfo: Document curve25519 and eddsa. 2015-02-10 Niels Möller * base64url-meta.c (nettle_base64url): New file. * nettle-meta.h (nettle_base64url): Declare it. * nettle-meta-armors.c (nettle_armors): Added nettle_base64url. * testsuite/meta-armor-test.c: Updated testcase. * testsuite/base64-test.c (test_main): Additional tests, using nettle_base64url. * Makefile.in (nettle_SOURCES): Added base64url-meta.c. Base-64 generalization to support RFC4648 URL safe alphabet, contributed by Amos Jeffries. * base64url-decode.c (base64url_decode_init): New file and function. * base64url-encode.c (base64url_encode_init): New file and function. * Makefile.in (nettle_SOURCES): Added base64url-encode.c and base64url-decode.c. * base64.h: Declare new functions. * testsuite/base64-test.c (test_fuzz): Test base64url encoding and decoding. * base64.h (struct base64_encode_ctx): Added pointer to alphabet. (struct base64_decode_ctx): Added pointer to decoding table. * base64-decode.c (base64_decode_init): Initialize table pointer. Moved definition of table to local scope. (base64_decode_single): Use the context's decoding table. * base64-encode.c (ENCODE): Added alphabet argument. Updated all uses. (encode_raw): New static function, like base64_encode_raw but with an alphabet argument. (base64_encode_raw): Call encode_raw. (base64_encode_init): Initialize alphabet pointer. (base64_encode_single, base64_encode_update, base64_encode_final): Use the context's alphabet. 2015-02-09 Niels Möller * base64-encode.c (base64_encode): Deleted old #if:ed out function. * testsuite/base64-test.c (test_fuzz_once, test_fuzz): Additional tests, based on contribution by Amos Jeffries. 2015-02-05 Niels Möller * configure.ac (LIBHOGWEED_MAJOR): Undo latest bump, 4 should be enough (previous release, nettle-3.0, used 3). 2015-01-30 Niels Möller Update chacha-poly1305 for draft-irtf-cfrg-chacha20-poly1305-08. * chacha-poly1305.h (CHACHA_POLY1305_NONCE_SIZE): Increase to 12 bytes, i.e., CHACHA_NONCE96_SIZE. * chacha-poly1305.c (chacha_poly1305_set_nonce): Use chacha_set_nonce96. (poly1305_pad): New function. (chacha_poly1305_encrypt): Use poly1305_pad. (chacha_poly1305_digest): Call poly1305_pad, and format length fields as a single poly1305 block. * chacha-set-nonce.c (chacha_set_nonce96): New function. * chacha.h (CHACHA_NONCE96_SIZE): New constant. * testsuite/chacha-test.c: Add test for chacha with 96-bit nonce. 2015-01-27 Niels Möller * ecc.h: Deleted declarations of unused itch functions. Moved declarations of internal functions to... * ecc-internal.h: ...new location. Also added a leading under score on the symbols. (ecc_a_to_j, ecc_j_to_a, ecc_eh_to_a, ecc_dup_jj, ecc_add_jja) (ecc_add_jjj, ecc_dup_eh, ecc_add_eh, ecc_add_ehh, ecc_mul_g) (ecc_mul_a, ecc_mul_g_eh, ecc_mul_a_eh): Affected functions. 2015-01-26 Niels Möller * ecc-add-eh.c (ecc_add_eh_itch): Deleted. * ecc-add-ehh.c (ecc_add_ehh_itch): Deleted. * ecc-add-jja.c (ecc_add_jja_itch): Deleted. * ecc-add-jjj.c (ecc_add_jjj_itch): Deleted. * ecc-dup-eh.c (ecc_dup_eh_itch): Deleted. * ecc-dup-jj.c (ecc_dup_jj_itch): Deleted. * ecc-eh-to-a.c (ecc_eh_to_a_itch): Deleted. * ecc-j-to-a.c (ecc_j_to_a_itch): Deleted. * ecc-mul-a-eh.c (ecc_mul_a_eh_itch): Deleted. * ecc-mul-a.c (ecc_mul_a_itch): Deleted. * ecc-mul-g-eh.c (ecc_mul_g_eh_itch): Deleted. * ecc-mul-g.c (ecc_mul_g_itch): Deleted. 2015-01-25 Niels Möller * arm/fat/sha1-compress-2.asm: New file. * arm/fat/sha256-compress-2.asm: Likewise. * fat-arm.c (fat_init): Setup for use of additional v6 assembly functions. * sha1-compress.c: Prepare for fat build with C and assembly implementations. * sha256-compress.c: Likewise. * fat-setup.h (sha1_compress_func, sha256_compress_func): New typedefs. * configure.ac (asm_nettle_optional_list): Added sha1-compress-2.asm and sha256-compress-2.asm, and corresponding HAVE_NATIVE_*. From Martin Storsjö: * arm: Add .arch directives for armv6. This allows building these files as part of a fat build, even if the assembler by default targets a lower architecture version. 2015-01-23 Niels Möller * fat-setup.h (DEFINE_FAT_FUNC): Check value of function pointer, before calling fat_init. Should be correct even without memory barrier. * fat-x86_64.c (fat_init): Deleted static variable initialized. The checks of the relevant pointer in DEFINE_FAT_FUNC is more robust. * fat-arm.c (fat_init): Likewise. 2015-01-21 Niels Möller * fat-arm.c (fat_init): Setup for use of neon assembly functions. * arm/fat/salsa20-core-internal-2.asm: New file. * arm/fat/sha3-permute-2.asm: New file. * arm/fat/sha512-compress-2.asm: New file. * arm/fat/umac-nh-2.asm: New file. * arm/fat/umac-nh-n-2.asm: New file. * salsa20-core-internal.c: Prepare for fat build with C and assembly implementations. * sha512-compress.c: Likewise. * sha3-permute.c: Likewise. * umac-nh.c: Likewise. * umac-nh-n.c: Likewise. * configure.ac (asm_nettle_optional_list): Added more *-2.asm files, and corresponding HAVE_NATIVE_* defines. Recognize PROLOGUE macro in asm files, also when not at the start of the line. 2015-01-20 Niels Möller * fat-arm.c (get_arm_features): Check NETTLE_FAT_OVERRIDE environment variable. * fat-x86_64.c (get_x86_features): New function. Check NETTLE_FAT_OVERRIDE environment variable. (fat_init): Use it. * fat-setup.h (secure_getenv) [!HAVE_SECURE_GETENV]: Dummy definition, returning NULL. (ENV_OVERRIDE): New constant. * configure.ac: Check for secure_getenv function. 2015-01-19 Niels Möller * configure.ac: Fat library setup for arm. * fat-arm.c: New file. * arm/fat/aes-encrypt-internal.asm: New files. * arm/fat/aes-encrypt-internal-2.asm: New file. * arm/fat/aes-decrypt-internal.asm: New file. * arm/fat/aes-decrypt-internal-2.asm: New file. * Makefile.in (DISTFILES): Added fat-setup.h. * fat-setup.h: New file, declarations moved from... * fat-x86_64.c: ... old location 2015-01-17 Niels Möller * fat-x86_64.c (DECLARE_FAT_FUNC, DEFINE_FAT_FUNC) (DECLARE_FAT_FUNC_VAR): New macros, to define needed resolver and wrapper functions. * config.m4.in (SYMBOL_PREFIX): Define from from autoconf ASM_SYMBOL_PREFIX. (C_NAMS): move definition to... * asm.m4 (C_NAME): Define here, also take fat_transform. (fat_suffix): Replaced by... (fat_transform): New macro, taking symbol name as argument. Updated all uses of fat_suffix. * fat-x86_64.c: Updated for internal "_nettle" prefix on cpu-specific memxor functions. * fat-x86_64.c: Set up for sse2 vs non-sse2 memxor. Patch by Nikos Mavrogiannopoulos. * configure.ac (asm_nettle_optional_list): Added memxor-2.asm. * x86_64/fat/memxor-2.asm: New file. * x86_64/fat/memxor.asm: New file. * x86_64/memxor.asm: Use ifdef, not ifelse, for testing USE_SSE2. 2015-01-16 Niels Möller * configure.ac (OPT_NETTLE_SOURCES): New substituted variable. (asm_path): Fixed x86_64 fat setup. Include only x86_64 and x86_64/fat in the asm_path. Put fat-x86_64.c in OPT_NETTLE_SOURCES, with no symlinking. * fat-x86_64.c: Renamed,... * x86_64/fat/fat.c: ... from old name. 2015-01-13 Niels Möller * x86_64/fat/fat.c: For constructor hack, check HAVE_GCC_ATTRIBUTE, not __GNUC__. Also support sun compilers, as suggested by Nikos Mavrogiannopoulos, and attch the constructor attribute directly to fat_init. (fat_constructor): Deleted wrapper function. * x86_64/fat/fat.c: New file, initialization for x86_64 fat library. * x86_64/fat/cpuid.asm (_nettle_cpuid): New file and function. * x86_64/fat/aes-encrypt-internal.asm: New file, including x86_64/aes-encrypt-internal.asm, after setting fat_suffix to _x86_64. * x86_64/fat/aes-decrypt-internal.asm: New file, analogous setup. * x86_64/fat/aes-encrypt-internal-2.asm: New file, including x86_64/aesni/aes-encrypt-internal.asm, after setting fat_suffix to _aesni. * x86_64/fat/aes-decrypt-internal.asm-2: New file, analogous setup. * configure.ac: New command line option --enable-fat. (asm_nettle_optional_list): Added cpuid.asm, fat.c, aes-encrypt-internal-2.asm, and aes-decrypt-internal-2.asm. * asm.m4 (fat_suffix): New suffix added to symbol names. * x86_64/aesni/aes-encrypt-internal.asm: Use explicit .byte sequences for aes instructions, don't rely on assembler support. * x86_64/aesni/aes-decrypt-internal.asm: Likewise. * aclocal.m4 (NETTLE_CHECK_IFUNC): New macro, checking for ifunc and settting HAVE_LINK_IFUNC if working. * configure.ac: Use it. 2015-01-12 Niels Möller * asm.m4 (DECLARE_FUNC): New macro, extracted from PROLOGUE. (PROLOGUE): Use it. * configure.ac (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Renamed substituted variables, and list the object files rather than source files. (OPT_ASM_NETTLE_SOURCES, OPT_ASM_HOGWEED_SOURCES): ...Old names. * Makefile.in (OPT_NETTLE_OBJS, OPT_HOGWEED_OBJS): Use new variables. 2015-01-11 Niels Möller * x86_64/aesni/aes-decrypt-internal.asm: New file. * x86_64/aesni/aes-encrypt-internal.asm: New file. * configure.ac: New configure flag --enable-x86-aesni. * aclocal.m4 (LSH_RPATH_INIT): Handle freebsd, in the same way as gnu/linux, with -Wl,-rpath,. Merged memxor-reorg changes, starting at 2014-10-23. 2015-01-10 Niels Möller * arm/memxor.asm (memxor3): Moved to new file. * arm/memxor3.asm: New file. 2014-11-24 Niels Möller * x86_64/memxor3.asm (memxor3): New file, code moved from old memxor.asm. * x86_64/memxor.asm (memxor): Rewritten, no longer jumps into memxor3. * configure.ac (asm_replace_list): Added memxor.asm and memxor3.asm. 2014-10-23 Niels Möller * configure.ac (IF_ASM): New substituted variable. * testsuite/Makefile.in (VALGRIND): Allow partial loads only when build includes assembly files. * memxor-internal.h (READ_PARTIAL): New macro. * memxor.c (memxor_different_alignment): Avoid out-of-bounds reads, corresponding to valgrind's --partial-loads-ok. Use READ_PARTIAL. * memxor3.c: Analogous changes for unaligned operations. * configure.ac (asm_replace_list): Deleted memxor.asm, now incompatible with the memxor/memxor3 split. * memxor3.c: New file, split off from memxor.c. * memxor-internal.h: New file, declarations shared by memxor.c and memxor3.c. * memxor.c: memxor3 functions moved out from this file. * Makefile.in (nettle_SOURCES): Added memxor3.c. (DISTFILES): Added memxor-internal.h. * memxor.c (memxor_common_alignment, memxor_different_alignment) (memxor): Change loop order, iterate from the end. (memxor3_common_alignment): Unroll twice. (word_t): On x86_64, unconditionally define as uint64_t, to get 64 bits also in M$ windows. Replaced all uses of SIZEOF_LONG. 2014-12-12 Niels Möller * cbc.h (CBC_ENCRYPT, CBC_DECRYPT): Make type-checking hack stricter, warn if type of length argument is smaller than size_t. * ctr.h (CTR_CRYPT): Likewise. * eax.h (EAX_SET_KEY, EAX_SET_NONCE, EAX_UPDATE, EAX_ENCRYPT) (EAX_DECRYPT, EAX_DIGEST): Likewise. * gcm.h (GCM_SET_KEY, GCM_ENCRYPT, GCM_DECRYPT, GCM_DIGEST): Likewise. 2014-12-08 Niels Möller * aclocal.m4 (LD_VERSION_SCRIPT): Linker scripts no longer located in the source tree. * configure.ac (LIBNETTLE_MAJOR): Bump major number, now 6. (LIBHOGWEED_MAJOR): Bump major number, now 5. From Nikos Mavrogiannopoulos. Support for versioned symbols. * aclocal.m4 (LD_VERSION_SCRIPT): New macro. Substitute EXTRA_LINKER_FLAGS and EXTRA_HOGWEED_LINKER_FLAGS. * configure.ac: Use LD_VERSION_SCRIPT. Generate libnettle.map and libhogweed.map. (HOGWEED_EXTRA_SYMBOLS): New substituted variable. * libnettle.map.in: New file, libnettle.so linker script * libhogweed.map.in: New file, libhogweed.so linker script. * Makefile.in ($(LIBNETTLE_FORLINK)): Use EXTRA_LINKER_FLAGS. ($(LIBHOGWEED_FORLINK)): Use EXTRA_HOGWEED_LINKER_FLAGS. 2014-11-24 Niels Möller * gcm.h (GCM_SET_KEY): Rename macro argument KEY to avoid collision with a struct tag. Spotted by Nikos Mavrogiannopoulos. * testsuite/eddsa-verify-test.c (test_eddsa): Fixed test case bug, showing up as use of uninitialized data with valgrind. 2014-10-23 Niels Möller * examples/nettle-benchmark.c (time_memxor): Allocate buffers as arrays of unsigned long, for more reliable alignment. 2014-10-22 Niels Möller * configure.ac: Check for getline function. * testsuite/ed25519-test.c (getline) [!HAVE_GETLINE]: Fallback definition. * Makefile.in (clean-here): Unconditionally delete .so and .dll files. (IMPLICIT_TARGETS): Deleted variable. 2014-10-21 Niels Möller * testsuite/ed25519-test.c: New test case. Optionally reads the file pointed to by $ED25519_SIGN_INPUT. * testsuite/testutils.c (tstring_hex): Rewrite, using Nettle's base16 functions. (decode_hex, decode_hex_length): Deleted functions. 2014-10-20 Niels Möller * eddsa.h (ED25519_KEY_SIZE): New constant. (ED25519_SIGNATURE_SIZE): New constant. (struct ed25519_private_key): New struct. (struct ed25519_public_key): New struct. * ed25519-sha512-sign.c (ed25519_sha512_set_private_key) (ed25519_sha512_sign): New file and functions. * ed25519-sha512-verify.c (ed25519_sha512_set_public_key) (ed25519_sha512_verify): New file and functions. * Makefile.in (hogweed_SOURCES): Added ed25519-sha512-sign.c and ed25519-sha512-verify.c. 2014-10-18 Niels Möller * eddsa-verify.c (_eddsa_verify): Change argument order, putting A before ctx. * eddsa.h: Updated prototype. * testsuite/eddsa-verify-test.c (test_eddsa): Updated _eddsa_verify calls. 2014-10-14 Niels Möller * eddsa-verify.c (equal_h): New function. (_eddsa_verify): Use it for a proper point compare, replacing an ecc_add_ehh. * testsuite/eddsa-verify-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added eddsa-verify-test.c. * eddsa-verify.c (_eddsa_verify, eddsa_verify_itch): New file, new functions. * eddsa.h: Declare new functions. * Makefile.in (hogweed_SOURCES): Added eddsa-verify.c. 2014-10-08 Niels Möller * testsuite/eddsa-sign-test.c (test_eddsa_sign): Use _eddsa_expand_key, and check its public key output. * eddsa-expand.c (_eddsa_expand_key): New file, new function. * eddsa.h (_eddsa_expand_key): Declare it. * Makefile.in (hogweed_SOURCES): Added eddsa-expand.c. * eddsa-sign.c: Drop unneeded include of nettle-internal.h. 2014-10-04 Niels Möller * testsuite/eddsa-sign-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added eddsa-sign-test.c. * eddsa-sign.c (_eddsa_sign, _eddsa_sign_itch): New file, new functions. * eddsa-hash.c (_eddsa_hash): New file and function. * eddsa.h: Declare new functions. * Makefile.in (hogweed_SOURCES): Added eddsa-hash.c and eddsa-sign.c. 2014-10-03 Niels Möller * testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Enable test. (test_main): Replace gmp_fprintf calls. * testsuite/ecc-mul-a-test.c: Likewise. * testsuite/ecc-mul-g-test.c: Likewise. * testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Enable test. (ref_modinv): Use mpz_gcdext, instead of mpn_gcdext. (test_modulo): Replace gmp_fprintf calls. * testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Enable test. (ref_mod): Use mpz_mod and mpz_limbs_copy, instead of mpn_tdiv_qr. (test_modulo): Replace gmp_fprintf calls by plain fprintf and mpn_out_str. * testsuite/testutils.c (mpn_out_str): New function, needed to replace uses of gmp_fprintf. * testsuite/ecc-sqrt-test.c (mpz_ui_kronecker) [NETTLE_USE_MINI_GMP]: New fallback definition when building with mini-gmp. * testsuite/testutils.c (gmp_randinit_default) [NETTLE_USE_MINI_GMP]: Likewise. (mpz_urandomb): Likewise. * testsuite/testutils.h (gmp_randstate_t) [NETTLE_USE_MINI_GMP]: Fallback typedef, using knuth_lfib_ctx. 2014-10-02 Niels Möller * testsuite/eddsa-compress-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added eddsa-compress-test.c. * eddsa-decompress.c (_eddsa_decompress): New file, new function. * eddsa-compress.c (_eddsa_compress): New file, new function. * eddsa.h: New file. * Makefile.in (HEADERS): Added eddsa.h. (hogweed_SOURCES): Added eddsa-compress.c and eddsa-decompress.c. * testsuite/ecc-sqrt-test.c: New test case. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-sqrt-test.c. * ecc-25519.c (PHIGH_BITS): Always define this constant. (ecc_25519_zero_p): New function. (ecc_25519_sqrt): Take a ratio u/v as input. Added scratch argument. Made static. * ecc-internal.h (ecc_mod_sqrt_func): New typedef. (struct ecc_modulo): Added sqrt_itch and sqrt function pointer. Updated all instances. (ecc_25519_sqrt): Deleted declaration, function now static. 2014-09-24 Niels Möller * curve25519.h [__cplusplus]: Fixed extern "C" block. 2014-09-23 Niels Möller * ecc-hash.c (ecc_hash): Changed argument type from struct ecc_curve to struct ecc_modulo. Updated callers. * testsuite/ecdsa-sign-test.c (test_main): Updated curve25519 signature s. Changed since the hash value is truncated a few bits more, to match the size of q. * testsuite/ecdsa-verify-test.c (test_main): Likewise. * testsuite/ecc-modinv-test.c (zero_p): New function, checking for zero modulo p. (test_modulo): Use zero_p. Switch to dynamic allocation. Updated for larger modinv result area, and use invert_itch. * ecc-25519.c (ecc_mod_pow_2kp1): Renamed, and take a struct ecc_modulo * as argument. (ecc_modp_powm_2kp1): ... old name. (ecc_mod_pow_252m3): New function, extracted from ecc_25519_sqrt. (ecc_25519_inv): New modp invert function, about 5.5 times faster then ecc_mod_inv. (ecc_25519_sqrt): Use ecc_mod_pow_252m3. (nettle_curve25519): Point to ecc_25519_inv. Updated p.invert_itch and h_to_a_itch. * ecc-internal.h (struct ecc_modulo): New field invert_itch. Updated all implementations. (ECC_EH_TO_A_ITCH): Updated, and take invert itch as an argument. * ecc-eh-to-a.c (ecc_eh_to_a_itch): Take invert scratch into account. * testsuite/testutils.c (test_ecc_mul_h): Use ecc->h_to_a_itch. * ecc-mod-inv.c (ecc_mod_inv): Interface change, make ap input const, and require 2n limbs at rp. Preparing for powm-based alternative implementations. Drop #if:ed out code and dp temporary. Updated all callers, more complicated cases described below. * ecc-internal.h (typedef ecc_mod_inv_func): Added const to input argument. (ECC_MOD_INV_ITCH): Renamed, was ECC_MODINV_ITCH, and reduced to 2*n. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Overhauled allocation, putting mod_inv scratch at the end. 2014-09-22 Niels Möller * ecc-random.c (ecc_mod_random): Renamed, and take a const struct ecc_modulo * as argument. Updated callers. (ecc_modq_random): ... old name. * ecc-mod-arith.c: New file, replacing ecc-modp.c and ecc-modq.c. All functions take a struct ecc_modulo as argument. (ecc_mod_add, ecc_mod_sub, ecc_mod_mul_1, ecc_mod_addmul_1) (ecc_mod_submul_1, ecc_mod_mul, ecc_mod_sqr): New functions, replacing the corresponding ecc_modp_* functions. For convenience, old names are defined as macros wrapping the new functions. * ecc-modp.c: Deleted file. * ecc-modq.c: Deleted file. * Makefile.in (hogweed_SOURCES): Updated accordingly. * testsuite/ecc-redc-test.c (test_main): Relaxed tests for which tests to run. * testsuite/ecc-modinv-test.c (test_modulo): New function, same organization as in ecc-mod-test.c below. * testsuite/ecc-mod-test.c (test_modulo): New function, testing one modulo. Replacing... (test_curve): ... old function. (test_main): Invoke test_modulo for p and q of each curve. * ecc-internal.h (ecc_mod_inv_func): New typedef. (struct ecc_modulo): Added mp1h constant and invert function pointer. Updated all callers. * ecc-modp.c (ecc_modp_inv): Deleted wrapper function. * ecc-modq.c (ecc_modq_inv): Deleted wrapper function. * ecc-mod-inv.c (ecc_mod_inv): Renamed file and function. Also take a struct ecc_modulo * as argument. * sec-modinv.c (sec_modinv): ... the old names. Deleted. * Makefile.in (hogweed_SOURCES): Updated accordingly. * examples/ecc-benchmark.c (bench_modinv_powm, bench_curve): Updated benchmarking of mpn_sec_powm. * ecc-internal.h (struct ecc_curve): Deleted redc function pointer. Use only reduce pointer, which is redc or modp as applicable. Updated all users. (struct ecc_modulo): Moved mod and reduce function pointers to this struct. * ecc-generic-modp.c (ecc_generic_modp): Deleted file and function. We no longer need a wrapper around ecc_mod. * ecc-generic-modq.c (ecc_generic_modq): Likewise deleted. * Makefile.in (hogweed_SOURCES): Removed ecc-generic-modp.c and ecc-generic-modq.c. * ecc-internal.h (typedef ecc_mod_func): Take a const struct ecc_modulo * argument, not const struct ecc_curve *. Updated all implementations and all callers. * ecc-mod.c (ecc_mod): Use struct ecc_modulo to specify the modulo. Drop input size argument, always reduce from 2*size to size. * ecc-internal.h (struct ecc_modulo): New struct, collecting constants needed for modulo arithmetic. (struct ecc_curve): Use struct ecc_modulo for p and q arithmetic. Updated all ecc-related files. 2014-09-17 Niels Möller * gmp-glue.c (mpn_get_base256_le): Fixed missing update of rn counter, making the function clear some bytes beyond the end of the output buffer. The bug triggered a make check failure on ARM. * testsuite/testutils.c (ecc_curves): Include curve25519 in list. (test_ecc_mul_a): Include reference points for curve25519 (with Edwards coordinates). Allow n == 0 and n == 1, comparing to zero and the generator, respectively. * testsuite/ecc-add-test.c (point_zero_p): Deleted function. (test_main): Replace calls to point_zero_p by calls to test_ecc_mul_h with n == 0. * testsuite/ecc-dup-test.c: Likewise. * testsuite/ecc-modinv-test.c (mpn_zero_p): Moved function, to... * testsuite/testutils.c (mpn_zero_p): New location. Also make non-static. * testsuite/ecdsa-keygen-test.c (ecc_valid_p): Add special case for curve25519. * testsuite/ecc-mul-a-test.c (test_main): Fix point negation to support curve25519. * testsuite/ecc-mul-g-test.c (test_main): Likewise. * ecc-a-to-eh.c (ecc_a_to_eh_itch, ecc_a_to_eh): Deleted file and functions. * ecc.h: Deleted corresponding declarations. * ecc-internal.h (ECC_A_TO_EH_ITCH): Deleted macro. * Makefile.in (hogweed_SOURCES): Removed ecc-a-to-eh.c. * testsuite/ecdh-test.c (test_main): Update curve25519 test to use Edwards coordinates. * testsuite/ecdsa-sign-test.c (test_main): Likewise. * testsuite/ecdsa-verify-test.c (test_main): Likewise. * ecc-point.c (ecc_point_set): Use Edwards rather than Montgomery curve. * ecc-mul-a-eh.c (ecc_mul_a_eh, table_init): Take an Edwards point as input, not a Montgomery point. Hence, use ecc_a_to_j, not ecc_a_to_eh. * ecc-eh-to-a.c (ecc_eh_to_a): Just convert to affine coordinates, don't transform from Edwards to Montgomery form. Also reduces scratch need slightly. * ecc-internal.h (ECC_EH_TO_A_ITCH): Reduced. * ecdsa-keygen.c (ecdsa_generate_keypair): Use struct ecc_curve function pointers. * testsuite/curve25519-dup-test.c: Deleted file. In the way for conversion to Edwards coordinate convention, and in the end the tests will be done by ecc-dup-test.c. * testsuite/curve25519-add-test.c: Similarly deleted. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Removed curve25519-dup-test.c and curve25519-add-test.c. 2014-09-16 Niels Möller * testsuite/ecc-add-test.c: New generalized testcase, to replace curve25519-add-test.c. * testsuite/ecc-dup-test.c: New generalized testcase, to replace curve25519-dup-test.c. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-add-test.c and ecc-dup-test.c. 2014-09-14 Niels Möller * testsuite/ecc-mul-a-test.c (test_main): Use struct ecc_curve function pointers. * testsuite/ecc-mul-g-test.c (test_main): Likewise. 2014-09-09 Niels Möller * curve25519-mul.c (curve25519_mul): Switch to use Montgomery ladder. About 20% faster than current Edwards curve operations. Difference is expected to shrink when Edwards operations are optimized to take advantage of the twist, but it seems unlikely to get significantly faster than the Montgomery ladder. * gmp-glue.c (cnd_swap): Moved function here, made non-static. Changed cnd type to mp_limb_t, for consistency with GMP mpn_cnd_add_n. * sec-modinv.c (cnd_swap): ... old location. * gmp-glue.h (cnd_swap): Declare function. 2014-09-06 Niels Möller * examples/hogweed-benchmark.c (bench_curve25519_mul_g) (bench_curve25519_mul, bench_curve25519): New functions. (main): Added benchmarking of curve25519 functions. 2014-09-03 Niels Möller * Makefile.in: Revert 2013-02-06 Makefile changes: use a single rule for transforming .asm to .o, and drop include of asm.d. Possible now since we generate a single object file from each asm file. This change also helps Solaris' make recognize .asm files. * config.make.in (.SUFFIXES): Drop .s from list. * configure.ac: Delete code to generate asm.d. * Makefile.in: Delete all uses of *.po files, use the same object files for both shared and static libraries. * configure.ac (dummy-dep-files): Don't create any .po.d files. * aclocal.m4 (LSH_CCPIC): Don't substitute CCPIC here, let configure.ac do that if needed. * configure.ac (CCPIC_MAYBE, SHLIBCFLAGS): Deleted substituted variables. Instead, use CCPIC directly when compiling all library files. (CCPIC): Set to empty, if --disable-pic is used. * config.make.in (SHLIBCFLAGS, CCPIC_MAYBE): Deleted. (COMPILE, COMPILE_CXX): Drop CCPIC. New variable EXTRA_CFLAGS, which can be set by individual Makefiles. * Makefile.in (EXTRA_CFLAGS): Set using CCPIC. Also delete all uses of CCPIC_MAYBE and SHLIBCFLAGS. 2014-09-02 Niels Möller * curve25519-eh-to-x.c (curve25519_eh_to_x): New file, new function. The curve25519 transform currently done by ecc_eh_to_a, but which should eventually be eliminted from that function. * Makefile.in (hogweed_SOURCES): Added curve25519-eh-to-x.c. * ecc-internal.h (curve25519_eh_to_x): Declare it. * curve25519-mul.c (curve25519_mul): Use it. * curve25519-mul-g.c (curve25519_mul_g): Likewise. Also introduce local variable ecc, and use ecc->mul_g_itch. 2014-08-29 Niels Möller * testsuite/testutils.c (test_ecc_mul_j): Renamed, to ... (test_ecc_mul_h): ... new name. Use ecc->h_to_a function pointer. Updated callers. * examples/ecc-benchmark.c (bench_add_jjj): Renamed, to ... (bench_add_hhh): ... new name. Use ecc->add_hhh function pointer. (bench_add_ehh): Deleted. (bench_curve): Use bench_add_hhh for all curves. Use ecc->mul_itch for scratch size. Switch the curve25519 implementation to use the isomorphism to the twisted Edwards curve which is used for Ed25519 signatures. * eccdata.c (ecc_curve_init): Tweaked the transformation constant for the isomorphism between curve25519 and the twisted Edwards curve. * ecc-add-ehh.c (ecc_add_ehh): Updated formulas for the twist curve. * ecc-add-eh.c (ecc_add_eh): Likewise. * ecc-dup-eh.c (ecc_dup_eh): Likewise. 2014-08-28 Niels Möller * ecdsa-verify.c (ecdsa_verify): Drop include of ecc-internal.h, use ecc_size function instead. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Use the struct ecc_curve function pointers: mul, mul_g, add_hhh, h_to_a. * ecc-internal.h (ECC_ECDSA_VERIFY_ITCH): Deleted macro. Needed scratch depends on curve type, not just size. (ecc_add_func): New typedef. (struct ecc_curve): New function pointer add_hhh, and constant add_hhh_itch. Updated all instances. * ecdsa-verify.c (ecdsa_verify): Use the ecc_ecdsa_verify_itch function, not the corresponding macro. * ecc-ecdsa-verify.c (ecc_ecdsa_verify_itch): Take ecc->mul_itch into account. Also reduce to 5*ecc->size + ecc->mul_itch. * testsuite/ecdsa-sign-test.c (test_main): Added test for the obscure case of ecdsa using curve25519. * testsuite/ecdsa-verify-test.c (test_main): Likewise (depends on above changes). * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use mul_g and h_to_a function pointers. Implies (obscure) support for curve25519. * ecc-25519.c (ecc_25519_modq): Access q via the ecc struct. * ecc-eh-to-a.c (ecc_eh_to_a): Analogous change as for ecc_j_to_a. The modulo q case (op == 2) is hardcoded for curve25519. * ecc-j-to-a.c (ecc_j_to_a): For curves using redc, always convert back from redc form. When producing x coordinate only, optionally reduce it modulo q. Completely changes the meaning of the "flags" argument, and renames it to "op". Update all users of this function or ecc->h_to_a. * ecc-ecdsa-sign.c (ecc_ecdsa_sign): Use new ecc_j_to_a modulo q feature. * ecc-ecdsa-verify.c (ecc_ecdsa_verify): Likewise. * testsuite/symbols-test: Regexp fixes, to better filter out get_pc_thunk functions. * ecc-generic-redc.c (ecc_generic_redc): Deleted file and function. Split into... * ecc-pp1-redc.c (ecc_pp1_redc): New file and function. * ecc-pm1-redc.c (ecc_pm1_redc): New file and function. * ecc-internal.h: Updated declarations. * Makefile.in (hogweed_SOURCES): Replace ecc-generic-redc.c by ecc-pp1-redc.c and ecc-pm1-redc.c. * ecc-192.c: Use ecc_pp1_redc (benchmarking only). * ecc-224.c: Use ecc_pm1_redc when applicable. * ecc-256.c: Use ecc_pp1_redc when applicable. * ecc-384.c: Use ecc_pp1_redc (benchmarking only). * ecc-521.c: Use ecc_pp1_redc (benchmarking only). * testsuite/ecc-redc-test.c (test_main): Replace use of ecc_generic_redc by ecc_pp1_redc and ecc_pm1_redc. * eccdata.c (output_curve): Don't output ecc_redc_g. * ecc-internal.h (struct ecc_curve): Deleted unused field redc_g. Updated all instances. 2014-08-27 Niels Möller * ecc-modq.c (ecc_modq_inv): Use q_bit_size. * ecc-internal.h (struct ecc_curve): New field q_bit_size. Updated all instances. * configure.ac: Bumped package version number to 3.1. (LIBHOGWEED_MAJOR): Bumped library version to 4.0. Merged curve25519 changes (starting at 2014-07-04). * Makefile.in (clean-here): Added ecc-25519.h. 2014-08-26 Niels Möller * examples/ecc-benchmark.c (bench_mul_g, bench_mul_a): Use struct ecc_curve function pointers. (bench_mul_g_eh, bench_mul_a_eh): Deleted. (bench_curve): Make modq benchmark unconditional. Use bench_mul_g and bench_mul_a also for curve25519. * testsuite/ecc-mod-test.c (test_curve): Make modq test unconditional, partially reverting 2014-07-04 change. * ecc-25519.c (ecc_25519_modq): New function. * eccdata.c (output_curve): Precomputation for curve25519 mod q. * mini-gmp.c (mpz_abs_sub_bit): Do full normalization, needed in case the most significant bit is cleared. 2014-08-25 Niels Möller * testsuite/ecdh-test.c (set_point): Check return value of ecc_point_set. (test_main): Enable curve25519 test. * ecc-point-mul-g.c (ecc_point_mul_g): Use ecc->mul_g and ecc->h_to_a function pointers. * ecc-point-mul.c (ecc_point_mul): Use the ecc->mul and ecc->h_to_a function pointers. * ecc-internal.h (ecc_mul_g_func, ecc_mul_func, ecc_h_to_a_func): New typedefs. (struct ecc_curve): New function pointers mul, mul_g, h_to_a, and constans for their scratch requirements. Updated all instances. * ecc-point.c (ecc_point_set): Handle curve25519 as a special case, when checking if the point is on the curve. 2014-08-24 Niels Möller * testsuite/ecdh-test.c: Test ecc_point_mul and ecc_point_mul_g, using test data generated by ecc-ref.gp. Tests for all curves except curve25519, which doesn't yet work with the general ecc_point interface. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdh-test.c. * misc/ecc-ref.gp: Script to generate ECDH test data. 2014-08-23 Niels Möller * ecc-a-to-j.c (ecc_a_to_j): Deleted INITIAL argument. * ecc.h (ecc_a_to_j): Updated prototype. * ecc-mul-a.c (ecc_mul_a, table_init): Updated calls to ecc_a_to_j. * ecc-mul-a.c (ecc_mul_a): Deleted INITIAL argument, all callers, except the tests, pass 1. Updated all callers. (table_init): Likewise deleted INITIAL. * ecc.h (ecc_mul_a): Updated prototype. * testsuite/ecc-mul-a-test.c (test_main): Deleted tests for ecc_mul_a with INITIAL == 0. * ecc-internal.h (struct ecc_curve): Reordered struct, moved function pointers before pointers to bignum constants. * sec-modinv.c (sec_modinv): Document that for a == 0 (mod m), we should produce the "inverse" 0. * testsuite/ecc-modinv-test.c (test_main): Check that ecc_modp_inv produces 0 if a == 0 or a == p. 2014-08-22 Niels Möller * x86_64/ecc-25519-modp.asm: New file. Assembly implementation, initial version yields 30% speedup of ecc_25519_modp. Early folding eliminates one pass of carry propagation, and yields almost 20% additional speedup. * ecc-25519.c [HAVE_NATIVE_ecc_25519_modp]: Use assembly version if available. * configure.ac (asm_hogweed_optional_list): Added ecc-25519-modp.asm. Also add HAVE_NATIVE_ecc_25519_modp to config.h.in. 2014-08-19 Niels Möller * examples/ecc-benchmark.c (bench_curve): Support benchmarking of curve25519, for now handled as a special case. (curves): Added nettle_curve25519. (bench_dup_eh, bench_add_eh, bench_add_ehh, bench_mul_g_eh): New functions. 2014-08-18 Niels Möller * testsuite/curve25519-dh-test.c (test_a): Use curve25519_mul. (test_main): Use little-endian inputs for test_a. (curve25519_sqrt, curve_25519): Deleted static helper functions, no longer needed. * curve25519-mul.c (curve25519_mul): New file and function. * curve25519.h (curve25519_mul): Declare it. * Makefile.in (hogweed_SOURCES): Added curve25519-mul.c. * curve25519-mul-g.c (curve25519_mul_g): Renamed file and function, updated callers. * curve25519-base.c (curve25519_base): ... old names. * Makefile.in (hogweed_SOURCES): Updated for rename. * eccdata.c (output_curve): Compute constants needed for Shanks-Tonelli. * ecc-25519.c (ecc_modp_powm_2kp1, ecc_25519_sqrt): New functions. * ecc-internal.h (ecc_25519_sqrt): Declare it. 2014-08-06 Niels Möller * testsuite/curve25519-dh-test.c (test_g): Use curve25519_base. (test_main): Use little-endian inputs for test_g. * curve25519-base.c (curve25519_base): New file, new function. Analogous to NaCl's crypto_scalarmult_base. * curve25519.h: New file. * Makefile.in (hogweed_SOURCES): Added curve25519-base.c. (HEADERS): Added curve25519.h. * gmp-glue.c (mpn_set_base256_le, mpn_get_base256_le): New functions. * gmp-glue.h: Declare them. 2014-08-02 Niels Möller * testsuite/curve25519-dh-test.c (curve25519_sqrt): Fixed memory leak, a mpz_clear call was missing. * ecc-internal.h (ECC_MUL_A_EH_WBITS): Set to 4, to enable window-based scalar multiplication. * ecc-mul-a-eh.c (table_init) [ECC_MUL_A_EH_WBITS > 0]: Fixed initialization of TABLE(1). 2014-07-29 Niels Möller * ecc-internal.h (ECC_MUL_A_EH_WBITS): New constant. (ECC_A_TO_EH_ITCH, ECC_MUL_A_EH_ITCH): New macros. * ecc-a-to-eh.c (ecc_a_to_eh, ecc_a_to_eh_itch): New file, new functions. * ecc-mul-a-eh.c: New file. (ecc_mul_a_eh): New function. The case [ECC_MUL_A_EH_WBITS > 0] not yet working). (ecc_mul_a_eh_itch): New function. * ecc.h: Declare new functions. * Makefile.in (hogweed_SOURCES): Added ecc-a-to-eh.c and ecc-mul-a-eh.c. * testsuite/curve25519-dh-test.c (curve25519_sqrt): New function. (curve_25519): Use ecc_mul_a_eh. (test_a): New function. (test_main): Test construction of shared secret, using scalar multiplication with points other than the fix generator. 2014-07-26 Niels Möller * ecc-add-ehh.c (ecc_add_ehh): Reduce scratch need. * ecc-internal.h (ECC_ADD_EHH_ITCH): Reduced to 7*size. 2014-07-23 Niels Möller * testsuite/curve25519-dh-test.c: New test case, based on draft-josefsson-tls-curve25519-05 test vectors. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-dh-test.c. 2014-07-18 Niels Möller * ecc-mul-g-eh.c (ecc_mul_g_eh, ecc_mul_g_eh_itch): New file and functions. Untested. * ecc.h (ecc_mul_g_eh_itch): Declare new functions. * ecc-internal.h (ECC_MUL_G_EH_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Added ecc-mul-g-eh.c. 2014-07-17 Niels Möller * ecc-add-eh.c (ecc_add_eh): Reduce scratch need. * ecc-internal.h (ECC_ADD_EH_ITCH): Reduced to 6*size. * testsuite/curve25519-dup-test.c (test_main): Free allocated storage. 2014-07-15 Niels Möller * ecc-add-eh.c (ecc_add_eh, ecc_add_eh_itch): New file, new functions. * ecc.h: Declare new functions. * ecc-internal.h (ECC_ADD_EH_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Added ecc-add-eh.c. * testsuite/curve25519-add-test.c (test_main): Test ecc_add_eh. Additional test for g2+g2. Free allocated storage. 2014-07-14 Niels Möller * testsuite/curve25519-add-test.c: New test case. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-add-test.c. * ecc-add-ehh.c (ecc_add_ehh, ecc_add_ehh_itch): New file, new functions. * ecc.h (ecc_add_ehh, ecc_add_ehh_itch): Declare them. * ecc-internal.h (ECC_ADD_EHH_ITCH): New macro. * Makefile.in (hogweed_SOURCES): Added ecc-add-ehh.c. * ecc-25519.c (nettle_curve25519): Use ecc_d instead of ecc_b. * eccdata.c: For curve25519, output the Edwards curve constant, ecc_d = (121665/121666) mod p. * testsuite/curve25519-dup-test.c (test_main): Add test for 4g. Delete some left-over debug output. 2014-07-11 Niels Möller * misc/ecc-formulas.tex: Some ECC notes. * testsuite/curve25519-dup-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added curve25519-dup-test.c. * testsuite/testutils.c (test_ecc_point): Made non-static. * testsuite/testutils.h (struct ecc_ref_point): Moved here, from testutils.h. (test_ecc_point): Declare it. * ecc-dup-eh.c (ecc_dup_eh, ecc_dup_eh_itch): New file, new functions. * ecc-eh-to-a.c (ecc_eh_to_a, ecc_eh_to_a_itch): New file, new functions. * ecc.h: Declare new functions. * ecc-internal.h (ECC_EH_TO_A_ITCH, ECC_DUP_EH_ITCH): New macros. * Makefile.in (hogweed_SOURCES): Added ecc-dup-eh.c and ecc-eh-to-a.c. * ecc-internal.h (struct ecc_curve): New constant edwards_root. * ecc-192.c (nettle_secp_192r1): Updated accordingly, additional NULL pointer. * ecc-224.c (nettle_secp_224r1): Likewise. * ecc-256.c (nettle_secp_256r1): Likewise. * ecc-384.c (nettle_secp_384r1): Likewise. * ecc-521.c (nettle_secp_521r1): Likewise. * ecc-25519.c (nettle_curve25519): Initialize new constant. * eccdata.c (ecc_curve_init): For curve 25519, use correct constant for edwards coordinate transform, and output the constant as ecc_edwards. 2014-07-06 Niels Möller * eccdata.c: Use separate is_zero flag to represent the neutral element. (output_point, output_point_redc): Unified to a single function, with a use_redc flag argument. Also support conversion to Edwards form. (ecc_curve_init_str): New argument for Edwards curve conversion constant. 2014-07-04 Niels Möller Started curve25519 branch. * ecc-25519.c: New file. (ecc_25519_modp): New function. (nettle_curve25519): New curve. * ecc-curve.h (nettle_curve25519): Declare it. * Makefile.in (hogweed_SOURCES): Added ecc-25519.c. (ecc-25519.h): New generated file. Add as explicit dependency for ecc-25519.o. * testsuite/ecc-mod-test.c (test_curve): New function, extracted from test_main. Tolerate NULL modq function pointer. (test_main): Use test_curve, iterate over supported curves, and also test curve_25519 for the new modp function. 2014-08-23 Niels Möller * ecc-modp.c (ecc_modp_sub_1): Deleted unused function. * ecc-internal.h: Deleted corresponding declaration. * examples/nettle-benchmark.c (time_cipher): Fixed memset calls, amending the totally broken change from 2014-02-06. 2014-07-02 Niels Möller * eccdata.c (ecc_dup): Use mpz_submul_ui, now available in mini-gmp. (ecc_type): New enum, for Weierstrass and Montgomery curves (ecc_curve): New field type. (ecc_dup): Support montgomery curves. (ecc_add): Likewise. (ecc_curve_init_str): New argument, for the curve type. (ecc_curve_init): Pass curve type to all ecc_curve_init_str calls. Recognize curve25519, for bit_size 255. (output_modulo): Deleted assert, which isn't true for curve25519. 2014-06-30 Niels Möller * camellia-absorb.c: Include , needed for correct use of HAVE_NATIVE_64_BIT. Reported and debugged by Magnus Holmgren. Fixes debian build failure on s390x. 2014-06-26 Niels Möller From Martin Storsjö: * configure.ac (IF_NOT_SHARED): New substituted variable. * hogweed.pc.in: Use @LIBS@, instead of hardcoding -lgmp. When shared libraries are disabled, move needed libraries from Requires.private: to Requires: and from Libs.private: to Libs:. From Nikos Mavrogiannopoulos. * examples/hogweed-benchmark.c (bench_alg): Tolerate alg->init returning NULL. (bench_openssl_ecdsa_init): Return NULL if EC_KEY_new_by_curve_name fails, indicating the curve is not supported. 2014-06-25 Niels Möller Support for building with mini-gmp instead of the real GMP. Loosely based on work by Nikos Mavrogiannopoulos. * configure.ac: New command line option --enable-mini-gmp. Also disable all libgmp-related checks when enabled. (NETTLE_USE_MINI_GMP): New substituted variable. (LIBHOGWEED_LIBS): Use $(LIBS) instead of -lgmp. (IF_MINI_GMP): New Makefile conditional. (GMP_NUMB_BITS): Alternative test for the mini-gmp case. Substituted also in bignum.h. (HAVE_MPZ_POWM_SEC): Drop this unused check. * bignum.h: Renamed, to... * bignum.h.in: New name. (NETTLE_USE_MINI_GMP): Substituted by configure. (GMP_NUMB_BITS): Substituted by configure, for the mini-gmp case. * Makefile.in (OPT_HOGWEED_SOURCES): New variable, value conditional on @IF_MINI_GMP@. (hogweed_SOURCES): Add $(OPT_HOGWEED_SOURCES). (PRE_CPPFLAGS): Add -I$(srcdir). (HEADERS): Delete bignum.h. (INSTALL_HEADERS): Add bignum.h. Also add mini-gmp.h, if mini-gmp is enabled. (DISTFILES): Added bignum.h.in. (bignum.h): New target. (distclean-here): Delete bignum.h. * examples/ecc-benchmark.c (modinv_gcd) [NETTLE_USE_MINI_GMP]: Disable this benchmark. (mpn_random) [NETTLE_USE_MINI_GMP]: Provide a simple implementation. * testsuite/ecc-mod-test.c [NETTLE_USE_MINI_GMP]: Skip test, it depends on gmp_randstate_t. * testsuite/ecc-modinv-test.c [NETTLE_USE_MINI_GMP]: Likewise. * testsuite/ecc-mul-a-test.c [NETTLE_USE_MINI_GMP]: Likewise. * testsuite/ecc-mul-g-test.c [NETTLE_USE_MINI_GMP]: Likewise. * testsuite/ecc-redc-test.c [NETTLE_USE_MINI_GMP]: Likewise. Various preparations for mini-gmp support. * testsuite/bignum-test.c: Use WITH_HOGWEED instead of HAVE_LIBGMP for preprocessor conditionals. * testsuite/testutils.h: Likewise. * testsuite/sexp-format-test.c: Likewise. * testsuite/ecdsa-keygen-test.c (test_main): Use printf, mpz_out_str and write_mpn instead of gmp_fprintf. * testsuite/ecdsa-sign-test.c (test_ecdsa): Likewise. * testsuite/ecdsa-verify-test.c (test_ecdsa): Likewise. * dsa.h: Include bignum.h instead of gmp.h. * ecc-internal.h: Likewise. * ecc.h: Likewise. * gmp-glue.h: Likewise. * pkcs1.h: Likewise. * rsa.h: Likewise. * testsuite/testutils.c (die): Use plain vfprintf, not gmp_vfprintf. (write_mpn): New function. (test_ecc_point): Use it, replacing gmp_fprintf. * testsuite/testutils.h (write_mpn): Declare it. * der-iterator.c: Deleted HAVE_LIBGMP conditionals. 2014-06-07 Niels Möller * Released nettle-3.0. 2014-06-04 Niels Möller * NEWS: List des-compat.h as a candidate for removal in the next release. * testsuite/des-compat-test.c (test_main): Fixed out of bounds memory read, reported by Nikos Mavrogiannopoulos. * nettle-write.h: Include , fixing compilation on freebsd. * aclocal.m4 (ac_stdint): Fixed "unsinged" typo, spotted by Andy Goth. 2014-06-01 Niels Möller * x86_64/gcm-hash8.asm: Pass correct argument count to W64_EXIT. * x86_64/camellia-crypt-internal.asm: Pass correct argument count to W64_ENTRY and W64_EXIT. * x86_64/machine.m4 [W64_ABI]: Fix for the case of 6 function arguments. Also push %rdi unconditionally, and use aligned accesses for save and restore %xmm registers (movdqa). 2014-05-31 Niels Möller * configure.ac: Check for COFF type directives. (ASM_COFF_STYLE): New substituted variable. * config.m4.in: Set COFF_STYLE from configure. * asm.m4 (PROLOGUE): Use COFF type directive, if enabled by configure. Fixes problem with windows dll linking. * asm.m4: Deleted unused offsets for struct aes_ctx. 2014-05-28 Niels Möller * testsuite/nettle-pbkdf2-test: Delete carriage return characters from output. * configure.ac (LIBHOGWEED_LIBS): Be explicit and link libhogweed.so with libnettle.so, not -lnettle. (LIBHOGWEED_LINK): Drop -L. flag, no longer needed, and previously not at the correct position in the link command line. 2014-05-27 Niels Möller * examples/ecc-benchmark.c: If mpn_sec_powm is available, benchmark it, for modinv. (bench_modinv_powm): New function. (bench_curve): Use it. 2014-05-22 Niels Möller From Claudio Bley: * Makefile.in ($(des_headers)): Use the EXEEXT_FOR_BUILD. 2014-05-15 Niels Möller * NEWS: Updated with library version numbers. * configure.ac (dummy-dep-files): Use simpler and more portable sed expression. Problem reported by Peter Eriksson. (LIBHOGWEED_MAJOR): Bumped shared library version to 3.0. (LIBHOGWEED_MINOR): Reset to zero. Also increased the package version number to 3.0. * getopt.c: Don't use gettext. 2014-05-14 Niels Möller * testsuite/nettle-pbkdf2-test: Avoid the bash construction ${#foo}. * getopt.c: Copied from glibc tree, tag glibc-2.19. * getopt.h: Likewise. * getopt1.c: Likewise. * getopt_int.h: New file, also copied from glibc. * Makefile.in (DISTFILES): Added getopt_int.h. 2014-05-09 Niels Möller * mini-gmp.c: Updated, use version from gmp-6.0.0. * mini-gmp.h: Likewise. * testsuite/Makefile.in (all): Drop dependency on $(TARGETS), to delay building of test programs until make check. 2014-05-08 Niels Möller * nettle.texinfo (nettle_aead abstraction): Document nettle_aead. * Makefile.in (nettle_SOURCES): Added nettle-meta-aeads.c. * nettle-meta.h (nettle_aeads): Declare array. * nettle-meta-aeads.c (nettle_aeads): New file, new array. * testsuite/meta-aead-test.c: New test case. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added meta-aead-test.c. * aclocal.m4 (GMP_PROG_CC_FOR_BUILD): If CC_FOR_BUILD is gcc, add -O option. This makes eccdata twice as fast. 2014-05-06 Niels Möller * nettle.texinfo: Document SHA3 and ChaCha-Poly1305 as experimental. 2014-05-05 Niels Möller * nettle.texinfo (POLY1305): Document poly1305-aes. (Authenticated encryption): Move AEAD algorithms to their own section. (RSA, DSA, ECDSA): Change some subsections to subsubsections. (ChaCha-Poly1305): Document ChaCha-Poly1305. 2014-05-04 Niels Möller * nettle.texinfo (DSA): Document new DSA interface. (Salsa20): Update salsa20 docs. (ChaCha): Document ChaCha. 2014-05-03 Niels Möller * configure.ac: Check for SIZEOF_SIZE_T. * ccm.c (ccm_set_nonce): Skip code for 64-bit encoding when size_t is only 32 bits. * nettle.texinfo (CCM): Document new ccm macros and constants. Describe ccm restrictions. * ccm.h (CCM_DIGEST_SIZE): New constant. 2014-04-30 Niels Möller * ccm.c (CCM_IV_MAX_SIZE, CCM_IV_MIN_SIZE): Deleted, replaced by public constants CCM_MIN_NONCE_SIZE and CCM_MAX_NONCE_SIZE. (ccm_build_iv): Updated for above rename. (CCM_L_MAX_SIZE): Deleted, no longer used. * ccm.h (CCM_MIN_NONCE_SIZE, CCM_MAX_NONCE_SIZE): New constants. (CCM_MAX_MSG_SIZE): New macro. 2014-04-27 Niels Möller * nettle.texinfo (Cipher modes): Subsection on AEAD constructions. (GCM): Update GCM documentation, including functions for gcm_aes128, gcm_camellia128, ... 2014-04-26 Niels Möller * nettle.texinfo: Update for introduction of nettle_cipher_func. (GCM): Document GCM_DIGEST_SIZE. (UMAC): Document new UMAC constants. (Keyed hash functions): Make HMAC and UMAC their own info nodes. (EAX): Document EAX. * umac.h (UMAC_MIN_NONCE_SIZE, UMAC_MAX_NONCE_SIZE): New constants. 2014-04-25 Niels Möller * All hash-related files: Renamed all _DATA_SIZE constants to _BLOCK_SIZE, for consistency. Old names kept for backwards compatibility. * nettle.texinfo (CCM): Documentation for CCM mode, contributed by Owen Kirby. * testsuite/ccm-test.c (test_cipher_ccm): And tests. * ccm.c (ccm_decrypt_message): Change length argument, should now be clear text (dst) length. * ccm-aes128.c (ccm_aes128_decrypt_message): Likewise. * ccm-aes192.c (ccm_aes192_decrypt_message): Likewise. * ccm-aes256.c (ccm_aes256_decrypt_message): Likewise. * ccm.h: Updated prototypes. 2014-04-22 Niels Möller * nettle.texinfo (Recommended hash functions): Document additional sha512 variants. * sha2.h (sha512_224_ctx, sha512_256_ctx): New aliases for the sha512_ctx struct tag. 2014-04-17 Niels Möller * examples/Makefile.in (SOURCES): Deleted next-prime.c (forgotten in 2014-04-13 change). 2014-04-16 Niels Möller * testsuite/ccm-test.c (test_cipher_ccm): Deleted check for NULL authdata. * sha3-224.c (sha3_224_init): Pass pointer to context struct, not pointer to first element, to memset. * sha3-256.c (sha3_256_init): Likewise. * sha3-384.c (sha3_384_init): Likewise. * sha3-512.c (sha3_512_init): Likewise. * examples/eratosthenes.c (vector_alloc): Use sizeof(*vector) instead of explicit type in malloc call. (vector_init): Make constant explicitly unsigned long. * tools/input.c (sexp_get_quoted_char): Deleted useless for loop. 2014-04-13 Niels Möller * rsa-compat.c: Deleted file. * rsa-compat.h: Deleted file. * Makefile.in (hogweed_SOURCES): Deleted rsa-compat.c. (HEADERS): Deleted rsa-compat.h. * examples/next-prime.c: Deleted file. * bignum-next-prime.c (nettle_next_prime): Deleted file and function. * prime-list.h: Deleted file. * bignum.h (nettle_next_prime): Deleted prototype. * Makefile.in (hogweed_SOURCES): Deleted bignum-next-prime.c. (DISTFILES): Deleted prime-list.h. * examples/Makefile.in (HOGWEED_TARGETS): Deleted next-prime, and corresponding make target. 2014-04-12 Niels Möller * nettle.texinfo (Copyright): Updated licensing info. * README: Likewise. * Makefile.in (DISTFILES): Distribute new COPYING* files. * COPYING.LESSERv3: New file. * COPYINGv3: New file. * COPYING.LIB: Deleted. * COPYINGv2: New name for GPL version 2 file. * COPYING: Old name, deleted. * Update license headers for LGPL3+ and GPL2+ dual licensing. 2014-04-11 Niels Möller * testsuite/testutils.c (test_aead): Use aead->digest_size. * configure.ac: Skip GMP tests if public key support is disabled. * eax.c (block16_xor): Fixed bug effecting 32-bit platforms. * Makefile.in (DISTFILES): Deleted memxor.c, already included via nettle_SOURCES. * tools/Makefile.in (SOURCES): Add nettle-pbkdf2.c. 2014-04-10 Niels Möller From Nikos Mavrogiannopoulos: * examples/hogweed-benchmark.c (bench_openssl_ecdsa_init): Support for secp192r1 and secp256r1. (alg_list): Add them. 2014-04-09 Niels Möller * examples/nettle-benchmark.c (main): Benchmark sha512_224 and sha512_256. * testsuite/sha512-224-test.c: New file. * testsuite/sha512-256-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added new files. * nettle-meta.h (nettle_sha512_224, nettle_sha512_256): Declare. * sha512-224-meta.c (nettle_sha512_224): New file, new nettle_hash. * sha512-256-meta.c (nettle_sha512_256): New file, new nettle_hash. * sha2.h (SHA512_224_DIGEST_SIZE, SHA512_224_DATA_SIZE) (SHA512_256_DIGEST_SIZE, SHA512_256_DATA_SIZE): New constants. * sha512.c (sha512_256_digest): Typo fix, call sha512_256_init. * testsuite/testutils.c (test_hash): Removed redundant init call. Tests that digest implies init. 2014-03-28 Niels Möller * testsuite/dsa-keygen-test.c (test_main): Explicitly use dsa_compat_generate_keypair. (test_main): Test dsa_generate_params and dsa_generate_keypair with a large q; p_bits = 1024, q_bits = 768. * testsuite/testutils.h: Undo dsa-compat.h name mangling. * dsa-keygen.c (dsa_generate_keypair): New interface, generating only a keypair, and no new parameters. * dsa-compat-keygen.c (dsa_compat_generate_keypair): New file. Moved old key generation function here. Use dsa_generate_keypair. 2014-03-27 Niels Möller * dsa-compat.c (dsa_public_key_init, dsa_public_key_clear) (dsa_private_key_init, dsa_private_key_clear): : Move deprecated DSA functions to a separate file... * dsa.c: ...from here. * dsa-compat.h: New file, declaring deprecated DSA interface. Include in corresponding C files. * Makefile.in (hogweed_SOURCES): Add dsa-compat.c. (HEADERS): Add dsa-compat.h. * dsa-gen-params.c (dsa_generate_params): New file and function, extracted from DSA key generation. * dsa-keygen.c (dsa_generate_keypair): Use dsa_generate_params. 2014-03-26 Niels Möller * der2dsa.c (dsa_params_from_der_iterator): Converted to new DSA interface. Allow q_size == 0, meaning any q < p is allowed. Additional validity checks. (dsa_public_key_from_der_iterator): Converted to new DSA interface. Also check that the public value is in the correct range. (dsa_openssl_private_key_from_der_iterator): Converted to new DSA interface. Additional validity checks. (dsa_openssl_private_key_from_der): Converted to new DSA interface. * tools/pkcs1-conv.c (convert_dsa_private_key): Update to use struct dsa_params, and adapt to the der decoding changes. (convert_public_key): Likewise. * examples/hogweed-benchmark.c: Update dsa benchmarking to use new DSA interface. * dsa.c (dsa_params_init, dsa_params_clear): New functions. (dsa_public_key_init): Use dsa_params_init. (dsa_public_key_clear): Use dsa_params_clear. * sexp2dsa.c (dsa_keypair_from_sexp_alist): Converted to new DSA interface. Allow q_size == 0, meaning any q < p is allowed. Additional validity checks. (dsa_sha1_keypair_from_sexp, dsa_sha256_keypair_from_sexp): Converted to new DSA interface. * dsa2sexp.c (dsa_keypair_to_sexp): Converted to new DSA interface. * tools/pkcs1-conv.c: Updated uses of dsa_keypair_to_sexp. * dsa.h (struct dsa_params): New struct. * dsa-sign.c (dsa_sign): Use struct dsa_params, with key as a separate mpz_t. * dsa-verify.c (dsa_verify): Likewise. * dsa-sha1-verify.c (dsa_sha1_verify_digest, dsa_sha1_verify): Use dsa_verify, cast the struct dsa_public_key * input to a struct dsa_params * * dsa-sha256-verify.c (dsa_sha256_verify_digest) (dsa_sha256_verify): Likewise. * dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Likewise use dsa_sign, with a cast from struct dsa_public_key * to struct dsa_params *. * dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign): Likewise. * testsuite/testutils.c (test_dsa_verify): Use struct dsa_params. (test_dsa_key): Likewise. * testsuite/dsa-test.c (test_main): Adapt to test_dsa_key and test_dsa_verify changes. * testsuite/dsa-keygen-test.c (test_main): Adapt to test_dsa_key change. * testsuite/testutils.c (test_dsa_sign): #if out, currently unused. 2014-03-23 Niels Möller From Owen Kirby: * ccm.c: New file. * ccm.h: New file. * ccm-aes128.c: New file. * ccm-aes192.c: New file. * ccm-aes256.c: New file. * Makefile.in (nettle_SOURCES): Added ccm source files. (HEADERS): Added ccm.h. * testsuite/ccm-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added ccm-test.c. 2014-03-20 Niels Möller From Joachim Strömbergson: * sha512.c (K): Indentation fix. (sha512_224_init, sha512_224_digest, sha512_256_init) (sha512_256_digest): New functions. * sha2.h: Add prototypes. (sha512_224_update, sha512_256_update): New aliases for sha512_update. 2014-03-18 Niels Möller * examples/nettle-benchmark.c (main): Add benchmarking of arcfour, salsa20 and chacha, via time_aead. * nettle-internal.c (nettle_arcfour128): Define, as a struct nettle_aead (with NULL set_nonce, update, and digest methods). * examples/nettle-openssl.c (nettle_openssl_arcfour128): Likewise. * nettle-internal.h (nettle_arcfour128) (nettle_openssl_arcfour128): Declare. * nettle-types.h (nettle_cipher_func): New typedef, similar to nettle_crypt_func, but with a const context, intended for block ciphers. * nettle-meta.h (struct nettle_cipher): Use the nettle_cipher_func type. * Many other files affected: aes*-meta.c, camellia*-meta.c, cast128-meta.c, serpent-meta.c, twofish-meta.c, cbc.[ch], ctr.[ch], ctr.[ch], des-compat.c, eax.[ch], gcm*.[ch], nettle-internal.*, testsuite/aes-test.c, examples/nettle-benchmark.c, examples/nettle-openssl.c. 2014-03-16 Niels Möller * chacha-set-key.c: Include string.h. * arcfour-meta.c: Deleted file. * nettle-meta.h (nettle_arcfour128): Deleted declaration. * nettle-meta-ciphers.c (nettle_ciphers): Deleted nettle_arcfour128 from list. * Makefile.in (nettle_SOURCES): Deleted arcfour-meta.c. * examples/nettle-openssl.c (nettle_openssl_arcfour128): Deleted. * testsuite/meta-cipher-test.c: Adjust test for removal of nettle_arcfour128. 2014-03-15 Niels Möller * examples/nettle-benchmark.c (struct bench_aead_info): New struct. (bench_aead_crypt, bench_aead_update, init_nonce, time_aead): New functions, for benchmarking aead algorithms. (time_gcm, time_eax): Deleted functions. (main): Use time_aead to benchmark gcm, eax and chacha-poly1305. * salsa20.h (SALSA20_NONCE_SIZE): Renamed constant, old name SALSA20_IV_SIZE kept as an alias. (salsa20_set_nonce): Update prototype for the 2014-01-20 rename. * Makefile.in (.asm.s): Add dependencies. (.s.o, .s.po): Empty any dependency .d file. 2014-03-04 Niels Möller * testsuite/chacha-test.c (test_main): Additional test cases, for 256-bit keys. * Makefile.in (nettle_SOURCES): Deleted chacha128-set-key.c and chacha256-set-key.c. * chacha.h (CHACHA256_KEY_SIZE): Deleted. (chacha_set_key): Updated prototype. * chacha256-set-key.c (chacha256_set_key): Deleted file and function, moved to... * chacha-set-key.c (chacha_set_key): Do 256-bit keys only. Deleted length argument. Updated all callers. * chacha128-set-key.c (chacha128_set_key): Deleted file and function. Support for 128-bit chacha keys may be reintroduced later, if really needed. * chacha.h: Deleted chacha128-related declarations. * chacha-set-key.c (chacha_set_key): Drop support for 128-bit keys. * testsuite/chacha-test.c (test_main): #if:ed out all tests with 128-bit keys. 2014-02-16 Niels Möller * gcm.h: Declarations for gcm-camellia256. * gcm-camellia256.c: New file. * gcm-camellia256-meta.c: New file. * nettle-meta.h (nettle_gcm_camellia256): Declare. * Makefile.in (nettle_SOURCES): Added gcm-camellia256.c and gcm-camellia256-meta.c. * testsuite/gcm-test.c (test_main): Test cases for nettle_gcm_camellia256. * gcm.h: Include camellia.h. Declarations for gcm-camellia128. * gcm-camellia128.c: New file. * gcm-camellia128-meta.c: New file. * nettle-meta.h (nettle_gcm_camellia128): Declare. * Makefile.in (nettle_SOURCES): Added gcm-camellia128.c and gcm-camellia128-meta.c. * testsuite/gcm-test.c (test_main): Test cases for nettle_gcm_camellia128. From Nikos Mavrogiannopoulos. 2014-02-13 Niels Möller * Makefile.in (nettle_SOURCES): Added eax-aes128.c eax-aes128-meta.c. * examples/nettle-benchmark.c: Include eax.h. * nettle-meta.h (nettle_eax_aes128): Declare, moved from nettle-internal.h. * eax.h: Declare eax_aes128_ctx and related functions. Moved from nettle-internal.h (EAX_IV_SIZE): New constant. * eax-aes128-meta.c (nettle_eax_aes128): Moved definition to new file. * eax-aes128.c (eax_aes128_set_key, eax_aes128_set_nonce) (eax_aes128_update, eax_aes128_encrypt, eax_aes128_decrypt) (eax_aes128_digest): Moved functions to a new file. * nettle-internal.c: ... from old location. * nettle-internal.h: Moved eax declarations elsewhere. * tools/nettle-pbkdf2.c (main): Added missing deallocation. 2014-02-12 Niels Möller * chacha-poly1305.h: New file. * chacha-poly1305.c: New file. * chacha-poly1305-meta.c (nettle_chacha_poly1305): New file, new aead algorithm. * nettle-meta.h (nettle_chacha_poly1305): Declare. * Makefile.in (nettle_SOURCES): Added chacha-poly1305.c and chacha-poly1305-meta.c. (HEADERS): Added chacha-poly1305.h. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added chacha-poly1305-test.c. * testsuite/chacha-poly1305-test.c: New file. * nettle-meta.h (struct nettle_aead): New generalized version if this struct. (nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256) (nettle_eax_aes128): Declare, moved from nettle-internal.h. * nettle-internal.h (struct nettle_aead): Deleted struct, moved to nettle-meta.h. Deleted declarations of unused instances. (_NETTLE_AEAD): Deleted macro. * nettle-internal.c (nettle_eax_aes128): Updated for new nettle_aead struct. (nettle_gcm_aes128, nettle_gcm_aes192, nettle_gcm_aes256): Deleted, moved to new files. * gcm-aes128-meta.c (nettle_gcm_aes128): Moved to new file, updated for new nettle_aead struct. * gcm-aes192-meta.c (nettle_gcm_aes192): Likewise. * gcm-aes256-meta.c (nettle_gcm_aes256): Likewise. * testsuite/testutils.c (test_aead): Take alternative set_nonce function as argument, and use it when nonce size differs from aead->nonce_length. * testsuite/testutils.h (test_aead): Updated prototype. * testsuite/gcm-test.c (nettle_gcm_unified_aes128): Updated for new nettle_aead struct. (test_main): Pass additional argument to test_aead. * testsuite/eax-test.c (test_main): Pass additional NULL argument to test_aead. * eax.h (EAX_DIGEST_SIZE): New constant. * gcm.h (GCM_DIGEST_SIZE): Likewise. 2014-02-10 Niels Möller * chacha-set-nonce.c (chacha_set_nonce): Renamed file and function, updated callers and Makefile.in. * chacha-set-iv.c (chacha_set_iv): ... from old names. 2014-02-08 Niels Möller * testsuite/chacha-test.c (test_chacha): For 20 rounds, use chacha_crypt, and test varying the message length. (test_main): Add second key stream block, for all testcases with 20 rounds. * chacha-crypt.c (chacha_crypt): Fixed block counter update. 2014-02-07 Niels Möller * nettle.texinfo (ASCII encoding): Document that base16_encode_update and base64_encode_update now uses dst_length as an output only. * testsuite/base64-test.c (test_main): Updated base64_decode_update test case. * sexp-transport.c (sexp_transport_iterator_first): For base64_decode_update, omit initialization of coded_length. * examples/base64dec.c (main): Likewise. * examples/base16dec.c (main): Likewise, for base16_decode_update. * base64-decode.c (base64_decode_update): Use *dst_length for output only. Don't require callers to pass a sane value. * base16-decode.c (base16_decode_update): Likewise. 2014-02-06 Niels Möller * NEWS: List _set_key incompatibilities. * nettle-meta.h (_NETTLE_CIPHER_SEP, _NETTLE_CIPHER_SEP_SET_KEY) (_NETTLE_CIPHER_FIX, _NETTLE_CIPHER): Deleted unused macros. * nettle-internal.c (nettle_blowfish128): Deleted only use of _NETTLE_CIPHER. * blowfish.c (blowfish128_set_key): New function. * blowfish.h (BLOWFISH128_KEY_SIZE): New constant. * cast128-meta.c (nettle_cast128): Deleted only use of _NETTLE_CIPHER_FIX. * examples/nettle-benchmark.c (time_cipher): Fixed memset calls. 2014-01-30 Niels Möller * Makefile.in (nettle_SOURCES): Arrange in alphabetic order. * nettle.texinfo: Updated, document size_t for length arguments. Document new AES and Camellia interfaces. * ecc-size.c (ecc_bit_size): New function. * ecc.h (ecc_bit_size): Declare it. 2014-01-29 Niels Möller * nettle-types.h (typedef nettle_set_key_func): Deleted length argument. * arctwo.c (arctwo40_set_key, arctwo64_set_key) (arctwo128_set_key, arctwo128_set_key_gutmann): New functions. * arctwo.h: Declare them. * arctwo-meta.c (ARCTWO): New macro. (nettle_arctwo40, nettle_arctwo64, nettle_arctwo128) (nettle_arctwo_gutmann128): Use new _set_key functions. * arcfour.h (ARCFOUR128_KEY_SIZE): New constant. * arcfour.c (arcfour128_set_key): New function. * arcfour-meta.c (nettle_arcfour128): Use arcfour128_set_key and ARCFOUR128_KEY_SIZE. * cast128.c (cast5_set_key): Renamed, was cast128_set_key. (cast128_set_key): New definition, with fixed key size. * cast128.h (CAST128_MIN_KEY_SIZE, CAST128_MAX_KEY_SIZE): Renamed constants, to... (CAST5_MIN_KEY_SIZE, CAST5_MAX_KEY_SIZE): ... new names. * eax.h (EAX_SET_KEY): Deleted length argument. * aes128-meta.c: Deleted _set_key wrappers. * aes192-meta.c: Likewise. * aes256-meta.c: Likewise. * camellia128-meta.c: Likewise. * camellia192-meta.c: Likewise. * camellia256-meta.c: Likewise. * gcm-aes128.c (gcm_aes128_set_key): Deleted length argument. * gcm-aes192.c (gcm_aes192_set_key): Likewise. * gcm-aes256.c (gcm_aes256_set_key): Likewise. * gcm.h: Updated prototypes. * serpent-set-key.c (serpent128_set_key, serpent192_set_key) (serpent256_set_key): New functions. * serpent.h: Declare new functions. (SERPENT128_KEY_SIZE, SERPENT192_KEY_SIZE) (SERPENT256_KEY_SIZE): New constants. * serpent-meta.c (SERPENT): New macro. (nettle_serpent128, nettle_serpent192, nettle_serpent256): Use new _set_key functions. * twofish-set-key.c (twofish128_set_key, twofish192_set_key) (twofish256_set_key): New functions. * twofish.h: Declare new functions. (TWOFISH128_KEY_SIZE, TWOFISH192_KEY_SIZE) (TWOFISH256_KEY_SIZE): New constants. * twofish-meta.c (TWOFISH): New macro. (nettle_twofish128, nettle_twofish192, nettle_twofish256): Use new _set_key functions. * nettle-internal.h (struct nettle_aead): Use nettle_hash_update_func for the set_iv function pointer. * nettle-internal.c (des_set_key_hack, des3_set_key_hack): Deleted wrapper functions. (chacha_set_key_hack): Deleted length argument. Use chacha256_set_key. (salsa20_set_key_hack): Deleted length argument. Use salsa20_256_set_key. (nettle_unified_aes128, nettle_unified_aes192) (nettle_unified_aes256): Deleted, moved to test program. (eax_aes128_set_key): Deleted length argument. Use EAX_SET_KEY. * examples/nettle-benchmark.c: Updated for _set_key changes. * examples/nettle-openssl.c: Likewise. * testsuite/testutils.c: Likewise. * testsuite/gcm-test.c: Likewise. * testsuite/aes-test.c (UNIFIED_AES): New macro. Moved glue for testing the old aes interface (struct aes_ctx) here. * testsuite/arcfour-test.c (test_arcfour): New function, for key sizes != 128 bits. (test_main): Use it. * testsuite/blowfish-test.c (test_blowfish): New function. (test_main): Use it. Also deleted old #if:ed out code. * testsuite/cast128-test.c (test_cast5): New function. (test_main): Use it, for 40-bit and 80-bit tests. * testsuite/serpent-test.c (test_serpent): New function. (test_main): Use it. 2014-01-27 Niels Möller * eax.h (struct eax_key, struct eax_ctx): Use union nettle_block16, for alignment. * eax.c: Updated everything to use nettle_block16. (block16_xor): New function. * examples/nettle-benchmark.c (time_eax): New function. (main): Use it. * x86_64/chacha-core-internal.asm: Use pshufhw + pshuflw for the 16-bit rotate. * configure.ac (asm_replace_list): Added chacha-core-internal.asm. * x86_64/chacha-core-internal.asm: New file. * examples/nettle-benchmark.c (main): Add benchmarking of chacha. * nettle-internal.c (nettle_chacha): New const struct, for the benchmark. Chacha implementation, based on contribution by Joachim Strömbergson. * chacha.h: New file. * chacha256-set-key.c (chacha256_set_key): New file and function. * chacha128-set-key.c (chacha128_set_key): New file and function. * chacha-set-key.c (chacha_set_key): New file and function. * chacha-set-iv.c (chacha_set_iv): New file and function. * chacha-core-internal.c (_chacha_core): New file and function. * chacha-crypt.c (chacha_crypt): New file and function. * Makefile.in (nettle_SOURCES): Added chacha files. (HEADERS): Added chacha.h. * testsuite/chacha-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added chacha-test.c. 2014-01-26 Niels Möller * nettle-internal.h (_NETTLE_AEAD_FIX): Renamed to... (_NETTLE_AEAD): ... new name, and deleted old definition. Also use _set_nonce instead of _set_iv. * nettle-internal.c (nettle_gcm_aes128, nettle_gcm_aes192) (nettle_gcm_aes256): Define in terms of new interface. (nettle_eax_aes128): Updated for _NETTLE_AEAD changes. * testsuite/gcm-test.c (test_gcm_hash): Likewise use struct gcm_aes128_ctx. (test_main): Added a testcase using the old interface based on struct gcm_aes_ctx. * examples/nettle-benchmark.c (time_gcm): Update to use new struct gcm_aes128_ctx. Also use name "gcm-aes128" in output. * gcm.h: New interface for gcm_aes128, gcm_aes192, gcm_aes256, using the new AES interface. (GCM_CTX): Reorder fields, putting the cipher context last. * Makefile.in (nettle_SOURCES): Added gcm-aes128.c, gcm-aes192.c, and gcm-aes256.c. * gcm-aes128.c: New file. * gcm-aes192.c: New file * gcm-aes256.c: New file. 2014-01-25 Niels Möller * gcm.h (GCM_SET_KEY): Deleted length argument. * gcm-aes.c (gcm_aes_set_key): Use aes_set_encrypt_key and gcm_set_key, can no longer use GCM_SET_KEY macro. 2014-01-23 Niels Möller * testsuite/gcm-test.c (test_main): Use the correct nettle_gcm_aes128/192/256 object. 2014-01-21 Niels Möller Merged camellia-reorg changes (starting at 2013-10-07). 2013-10-10 Niels Möller * Makefile.in (nettle_SOURCES): Updated list of camellia files. * testsuite/camellia-test.c (test_invert): Updated for new camellia interface. * camellia.h: Reorganized camellia interface, with distinct context structs and functions for camellia128 and camellia256. * camellia-meta.c: Deleted file. * camellia256-meta.c: New file. * camellia192-meta.c: New file. * camellia128-meta.c: New file. * camellia-set-decrypt-key.c: Deleted file, code moved to: * camellia128-set-decrypt-key.c: New file. (camellia128_invert_key, camellia128_set_decrypt_key): New functions. * camellia256-set-decrypt-key.c: New file. (camellia256_invert_key, camellia256_set_decrypt_key) (camellia192_set_decrypt_key): New functions. * camellia-invert-key.c (_camellia_invert_key): New file and function. * camellia-set-encrypt-key.c: Deleted file, code moved to: * camellia128-set-encrypt-key.c: New file. (camellia128_set_encrypt_key): New function. * camellia256-set-encrypt-key.c: New file. (_camellia256_set_encrypt_key, camellia256_set_encrypt_key) (camellia192_set_encrypt_key): New functions. * camellia-absorb.c (_camellia_absorb): New file and function. * camellia-internal.h: Moved key schedule macros here. * camellia-crypt.c: Deleted file, code moved to: * camellia128-crypt.c (camellia128_crypt): New file and function. * camellia256-crypt.c (camellia256_crypt): New file and function. 2013-10-07 Niels Möller * configure.ac: Delete check for ALIGNOF_UINT64_T, no longer needed. * config.m4.in: Likewise delete ALIGNOF_UINT64_T. * camellia-crypt.c (camellia_crypt): Updated call to _camellia_crypt. * camellia-internal.h (_camellia_crypt): Updated prototype. * camellia-crypt-internal.c (_camellia_crypt): Take separate arguments for rounds and subkey array. * x86_64/camellia-crypt-internal.asm: Likewise. Also corrected .file pseudo-ops. * x86/camellia-crypt-internal.asm: Likewise. 2014-01-20 Niels Möller * poly1305-internal.c (poly1305_digest): Use union nettle_block16 for s argument. * poly1305-aes.c (poly1305_aes_digest): Update for poly1305_digest change. Merged poly1305 changes (starting at 2013-11-08). * x86_64/poly1305-internal.asm: Update to new interface. poly1305_digest much simplified. * poly1305.h (struct poly1305_ctx): Moved block and index fields... (struct poly1305_aes_ctx): ... to here. * asm.m4: Delete also from the assembly definition of struct poly1305_ctx. * poly1305-internal.c (poly1305_digest): Don't do final padding here, leave that to caller. Add digest to the provided nonce s, and deleted length and dst arguments. Also reset h0-h4 to zero when done. (_poly1305_block): Renamed, from... (poly1305_block): ...old name. * poly1305-aes.c (poly1305_aes_update): New function. (poly1305_aes_digest): Update for poly1305_digest changes, do final padding here. * poly1305.c (poly1305_update): Deleted file and function. Moved to poly1305-aes.c. * Makefile.in (nettle_SOURCES): Deleted poly1305.c. 2014-01-17 Niels Möller * poly1305-internal.c (poly1305_block): Additional argument with the high bit. (poly1305_block_internal): Deleted function, code moved into the poly1305_block. (poly1305_digest): Simplified padding code, call poly1305_block with high bit 0. * poly1305.h (poly1305_block): Update prototype. * poly1305.c (poly1305_update): Call poly1305_block with high bit 1. * x86_64/poly1305-internal.asm (poly1305_block): Handle new argument. * poly1305.h (struct poly1305_ctx): Moved nonce field from here... (struct poly1305_aes_ctx): ... to here. * poly1305-aes.c (poly1305_aes_set_nonce, poly1305_aes_digest): Updated for above. * poly1305.c (poly1305_set_nonce): Deleted function. * asm.m4: Delete nonce also from the assembly definition of struct poly1305_ctx. 2014-01-16 Niels Möller * poly1305-aes.c: Include poly1305.h. Rewrite functions without using the POLY1305_* macros. * Makefile.in (HEADERS): Deleted poly1305-aes.h. * poly1305.h (POLY1305_CTX, POLY1305_SET_KEY, POLY1305_SET_NONCE) (POLY1305_DIGEST): Deleted macros. Only implemented variant is poly1305-aes. (POLY1305_DIGEST_SIZE, POLY1305_BLOCK_SIZE, POLY1305_KEY_SIZE): New constants. (POLY1305_AES_KEY_SIZE, POLY1305_AES_DIGEST_SIZE): Moved here, from poly1305-aes.h. (struct poly1305_aes_ctx): Likewise. (poly1305_aes_set_key, poly1305_aes_set_nonce) (poly1305_aes_update, poly1305_aes_digest): Likewise. * poly1305-aes.h: Deleted file, declarations moved to poly1305.h. Update all users. * poly1305-internal.c (s2, s3, s4): Fixed macros. * poly1305-aes.h (struct poly1305_aes_ctx): Replace struct aes_ctx by struct aes128_ctx. * poly1305-aes.c (poly1305_aes_set_key, poly1305_aes_digest): Update to use aes128_* functions. * poly1305.h (POLY1305_SET_KEY): Drop key size argument when calling set_key. 2013-12-19 Niels Möller * poly1305-aes.h (poly1305_aes_update): Define as an alias for poly1305_update, using preprocessor and a type cast. * poly1305-aes.c (poly1305_aes_update): Deleted function. * poly1305.h (poly1305_update): Declare. (_POLY1305_BLOCK, POLY1305_UPDATE): Deleted macros. * poly1305.c (poly1305_update): New function. 2013-11-21 Niels Möller * x86_64/poly1305-internal.asm: New file. Almost a factor of two speedup. * configure.ac (asm_replace_list): Added poly1305-internal.asm. * asm.m4: Define struct offsets for 64-bit poly1305_ctx. * poly1305.h (POLY1305_DIGEST): Pass the encrypted nonce as an additional argument to poly1305_digest. (struct poly1305_ctx): Introduce unions, to support either 26-bit or 64-bit implementation. * poly1305-internal.c (poly1305_digest): Added s argument. * poly1305.c (poly1305_set_s): Deleted function. 2013-11-12 Niels Möller * poly1305-internal.c: New file, for poly1305 functions depending on the internal mod (2^130 - 5) representation. (poly1305_block_internal): New helper function. (poly1305_block, poly1305_digest): Use it. 2013-11-08 Nikos Mavrogiannopoulos * poly1305.h: New file. * poly1305.c: New file. * poly1305-aes.h: New file. * poly1305-aes.c: New file. * Makefile.in (nettle_SOURCES): Added poly1305-aes.c and poly1305.c. (HEADERS): Added poly1305-aes.h and poly1305.h. * testsuite/poly1305-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added poly1305-test.c. * examples/nettle-benchmark.c (time_poly1305_aes): New function. (main): Benchmark poly1305. 2014-01-20 Niels Möller * Makefile.in (nettle_SOURCES): Added salsa20-set-nonce.c, salsa20-128-set-key.c, and salsa20-256-set-key.c. * salsa20.h: Declare new functions. (SALSA20_128_KEY_SIZE, SALSA20_256_KEY_SIZE): New constants. (salsa20_set_iv): Define as an alias for salsa20_set_nonce. * salsa20-set-key.c (salsa20_set_key): Use salsa20_128_set_key and salsa20_256_set_key. (salsa20_set_iv): Renamed and moved... * salsa20-set-nonce.c (salsa20_set_nonce): ... new file, new name. * salsa20-256-set-key.c (salsa20_256_set_key): New file and function. * salsa20-128-set-key.c (salsa20_128_set_key): New file and function. 2014-01-13 Niels Möller * nettle-types.h (union nettle_block16): New type, replacing union gcm_block. * gcm.h (union gcm_block): Deleted. Replaced by nettle_block16. * gcm.c: Replaced all use of gcm_block by nettle_block16. 2014-01-04 Niels Möller * config.guess: Updated to 2014-01-01 version, from git://git.sv.gnu.org/config.git. * config.sub: Likewise. * testsuite/memxor-test.c [HAVE_VALGRIND_MEMCHECK_H] (test_mark): New function. (test_memxor, test_memxor3): Use test_mark to tell valgrind the start and end of src and destination areas. * configure.ac: Check for valgrind/memcheck.h. * testsuite/Makefile.in (VALGRIND): Added --partial-loads-ok=yes, needed for the way unaligned data is handled in, e.g., memxor. 2014-01-03 Niels Möller * shadata.c (main): Zero-pad output values to 8 hex digits. * sha256.c (K): Updated table. 2013-12-17 Niels Möller * configure.ac (ASM_RODATA): New substituted variable. Needed for portability to darwin. * config.m4.in: Define RODATA, using configure variable ASM_RODATA * x86_64/gcm-hash8.asm: Use RODATA macro. * bignum-random-prime.c (_nettle_generate_pocklington_prime): Use stronger variants of Pocklington's theorem, to allow p0 of size down to bits/3. 2013-12-15 Niels Möller * nettle-internal.h (NETTLE_MAX_BIGNUM_BITS) (NETTLE_MAX_BIGNUM_SIZE): Deleted arbitrary limits. 2013-12-15 Nikos Mavrogiannopoulos Introduced TMP_GMP_ALLOC macro for temporary allocations of potentially large data, e.g, sized as an RSA key. * gmp-glue.h (TMP_GMP_DECL, TMP_GMP_ALLOC, TMP_GMP_FREE): New macros. * gmp-glue.c (gmp_alloc, gmp_free): New functions. * bignum-next-prime.c (nettle_next_prime): Use TMP_GMP_ALLOC. * bignum-random.c (nettle_mpz_random_size): Likewise. * pkcs1-decrypt.c (pkcs1_decrypt): Likewise. * pkcs1-encrypt.c (pkcs1_encrypt): Likewise. * pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): Likewise. * pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode) (pkcs1_rsa_sha512_encode_digest): Likewise. * pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode) (pkcs1_rsa_sha256_encode_digest): Likewise. * pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode) (pkcs1_rsa_sha1_encode_digest): Likewise. * pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode) (pkcs1_rsa_md5_encode_digest): Likewise. 2013-12-14 Niels Möller * x86_64/gcm-hash8.asm: Use .short rather than .hword, for compatibility with apple's assembler. 2013-12-03 Niels Möller * x86_64/sha1-compress.asm: Reorganized, to get closer to the x86 version. No difference in running time. * configure.ac (dummy-dep-files): Don't overwrite any existing dependency files. * x86_64/md5-compress.asm: New file, similar to the x86 version. 35% speedup on AMD, 15% speedup on Intel. 2013-11-25 Niels Möller * testsuite/dsa-test.c (test_main): Additional tests from NIST test vectors. * testsuite/testutils.c (test_dsa_sign, test_dsa_verify): New functions, supporting arbitrary digest size. * testsuite/testutils.h (ASSERT): Improved failure message. * dsa-verify.c (dsa_verify): Renamed, from _dsa_verify. * dsa-sign.c (dsa_sign): Renamed, from _dsa_sign. 2013-11-24 Niels Möller * testsuite/dsa-keygen-test.c (test_main): Test generating a key with 224-bit q. * dsa-verify.c (_dsa_verify): Use _dsa_hash. * dsa-sign.c (_dsa_sign): Use _dsa_hash. Fix memory leak in error case, spotted by Nikos. * dsa-keygen.c (dsa_generate_keypair): Allow q_bits == 224. * dsa-hash.c (_dsa_hash): New file and function. Allows digest sizes not matching the bitsize of q. * dsa.h (_dsa_hash): Declare it. * Makefile.in (hogweed_SOURCES): Added dsa-hash.c. 2013-11-23 Niels Möller * configure.ac: Check also for openssl/ecdsa.h. 2013-10-05 Niels Möller * Makefile.in (nettle_SOURCES): Added eax.c. (HEADERS): Added eax.h. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added eax-test.c. * testsuite/eax-test.c: New file. * nettle-internal.c (nettle_eax_aes128): New aead algorithm. (eax_aes128_set_key, eax_aes128_set_nonce, eax_aes128_update) (eax_aes128_encrypt, eax_aes128_decrypt, eax_aes128_digest): New functions. * eax.c: New file. * eax.h: New file. * aes.h: Fixed typo in name mangling for new aes functions. 2013-09-28 Niels Möller * Merge aes-reorg branch. Changes below, dated 2013-05-17 - 2013-08-13. 2013-08-13 Niels Möller * yarrow.h (struct yarrow256_ctx): Use aes256_ctx, not aes_ctx. * yarrow256.c: Adapted to use new aes256 interface. 2013-08-07 Niels Möller * umac.h (_UMAC_STATE): Use struct aes128_ctx, not aes_ctx. * umac-set-key.c (umac_kdf, _umac_set_key): Use aes128 interface. * umac32.c (umac32_digest): Likewise. * umac64.c (umac64_digest): Likewise. * umac96.c (umac96_digest): Likewise. * umac128.c (umac128_digest): Likewise. 2013-06-25 Niels Möller * aes-meta.c: Deleted file. Analogous changes for new aes192 and aes256 interface. * aes.h (struct aes128_ctx): New aes128 declarations. * aes-decrypt.c (aes128_decrypt): New function. * aes-encrypt.c (aes128_encrypt): New function. * aes128-meta.c: New file. * aes128-set-encrypt-key.c (aes128_set_encrypt_key): New file and function. * aes128-set-decrypt-key.c (aes128_set_decrypt_key) (aes128_invert_key): New file and functions. * Makefile.in (nettle_SOURCES): Added aes128-set-encrypt-key.c, aes128-set-decrypt-key.c and aes128-meta.c. * nettle-internal.c (nettle_unified_aes128): For testing the old AES interface. * testsuite/aes-test.c (test_cipher2): New function. (test_main): Test both nettle_aes128 and nettle_unified_aes128. 2013-05-22 Niels Möller * Makefile.in (nettle_SOURCES): Added aes-invert-internal.c and aes-set-key-internal.c. * aes.h (AES128_KEY_SIZE, _AES128_ROUNDS): New constants. Similarly also for aes192 and aes256. * aes-internal.h: Declare new functions. * aes-set-key-internal.c (_aes_set_key): New file and funxtion extracted from aes_set_encrypt_key. * aes-set-encrypt-key.c (aes_set_encrypt_key): Use _aes_set_key. * aes-invert-internal.c (_aes_invert): New file and function, extracted from aes_invert_key. * aes-set-decrypt-key.c (aes_invert_key): Use _aes_invert. * arm/v6/aes-encrypt-internal.asm: Adapted to new interface. Unfortunately, 4% slowdown on Cortex-A9, for unknown reason. * arm/v6/aes-decrypt-internal.asm: Likewise. * arm/aes-encrypt-internal.asm: Adapted to new interface. * arm/aes-decrypt-internal.asm: Likewise. 2013-05-21 Niels Möller * sparc32/aes-encrypt-internal.asm: Adapted to new interface. * sparc32/aes-decrypt-internal.asm: Likewise. * sparc64/aes-encrypt-internal.asm: Likewise. * sparc64/aes-decrypt-internal.asm: Likewise. * x86/aes-encrypt-internal.asm: Adapted to new interface. * x86/aes-decrypt-internal.asm: Likewise. 2013-05-20 Niels Möller * x86_64/aes-encrypt-internal.asm: Adapted to new interface. * x86_64/aes-decrypt-internal.asm: Likewise. 2013-05-17 Niels Möller * aes.h (struct aes_ctx): Renamed nrounds to rounds, and moved first in the structure. * aes-set-encrypt-key.c (aes_set_encrypt_key): Updated for renaming. * aes-set-decrypt-key.c (aes_invert_key): Likewise. * aes-encrypt-internal.c (_nettle_aes_encrypt): Take rounds and subkeys as separate arguments, not a struct aes_ctx *. Updated callers. * aes-decrypt-internal.c (_nettle_aes_decrypt): Likewise. * aes-internal.h: Updated prototypes. * Start of aes-reorg changes. 2013-09-28 Niels Möller * md4.h (struct md4_ctx): Use single uint64_t variable for block count. * md4.c: Use new block count variable. * md5.c, md5.h (struct md5_ctx): Likewise. * ripemd160.c, ripemd160.h (struct ripemd160_ctx): Likewise. * sha1.c, sha1.h (struct sha1_ctx): Likewise. * sha256.c, sha2.h (struct sha256_ctx): Likewise. * testsuite/testutils.c (test_hash_large): Added simple progress indicator. * macros.h (MD_PAD): Use size argument, don't depend on sizeof of the count field(s). 2013-09-22 Niels Möller * x86_64/gcm-hash8.asm: New file. * x86_64/gcm-gf-mul-8.asm: Deleted. * configure.ac (asm_nettle_optional_list): Look for gcm-hash8.asm, not gcm-gf-mul-8.asm. * gcm.c [HAVE_NATIVE_gcm_hash8]: Make use of (optional) assembly implementation. 2013-09-21 Niels Möller * Makefile.in (des.po): Add same dependencies as for des.o. Reported by Vincent Torri. 2013-09-20 Niels Möller * testsuite/gcm-test.c: Added tests with associated data of varying size. * testsuite/testutils.c (tstring_alloc): Add NUL-termination. 2013-09-18 Niels Möller * Makefile.in: New stampfiles, libnettle.stamp and libhogweed.stamp, updated when both static and shared libraries are rebuilt. Used as link dependencies in subdirectories. * examples/Makefile.in: Make executable targets depend on ../libnettle.stamp and libhogweed.stamp, not directly on the static library files. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. 2013-09-09 Niels Möller * gcm.c [HAVE_NATIVE_gcm_gf_mul_8]: Make use of (optional) assembly implementation. * configure.ac: Support optional assembly files for both nettle and hogweed. Replaced OPT_ASM_SOURCES with OPT_ASM_NETTLE_SOURCES, OPT_ASM_HOGWEED_SOURCES, and asm_optional_list with asm_nettle_optional_list and asm_hogweed_optional_list. (asm_nettle_optional_list): Added gcm-gf-mul-8.asm. 2013-06-25 Niels Möller * testsuite/gcm-test.c: Deleted redundant include of aes.h. * testsuite/testutils.c (test_aead): Allow digest size smaller than the block size. * tools/nettle-pbkdf2.c: New command line tool. * tools/Makefile.in (TARGETS): Added nettle-pbkdf2. (nettle-pbkdf2$(EXEEXT)): New target. * testsuite/nettle-pbkdf2-test: New test case. * testsuite/Makefile.in (TS_SH): Added nettle-pbkdf2-test. * tools/nettle-hash.c (digest_file): Use stack allocation for the small hex output buffer. * examples/io.c (MIN): Deleted unused macro. 2013-05-21 Niels Möller From nettle-2.7-fixes branch: * Makefile.in (distdir): Distribute files in arm/v6 subdirectory. 2013-05-20 Niels Möller * arm/v6/sha1-compress.asm: Moved into v6 directory, since it uses the v6 instruction uadd8, sel and rev. * arm/v6/sha256-compress.asm: Likewise. * nettle-types.h: Include , for size_t. 2013-05-17 Niels Möller * macros.h (ROTL32, ROTL64): Avoid undefined behaviour for zero rotation count. Unfortunately makes CAST128 a bit slower with gcc-4.6.3. * ecc-j-to-a.c (ecc_j_to_a): Fixed ecc_modp_mul call, to avoid invalid overlap of arguments to mpn_mul_n. Problem tracked down by Magnus Holmgren. 2013-05-16 Niels Möller * arm/aes-encrypt-internal.asm: New file, for pre-v6 processors. * arm/aes-decrypt-internal.asm: New file, likewise. * arm/aes.m4 (AES_FINAL_ROUND_V5): Variant without using uxtb. (AES_FINAL_ROUND_V6): New name, updated callers. (AES_FINAL_ROUND): ... old name. Also eliminated one uxtb instruction. (AES_ENCRYPT_ROUND, AES_DECRYPT): Moved macros to the files using them. * arm/v6/aes-encrypt-internal.asm: Use ALIGN macro. Use 16-byte alignment for loops. * arm/v6/aes-decrypt-internal.asm: Likewise. Also added a nop which mysteriously improves benchmark performance on Cortex-A9. 2013-05-15 Niels Möller * configure.ac (asm_path): Handle armv6 and armv7 differently from older ARMs. Add the arm/v6 directory to asm_path when appropriate. * arm/v6/aes-encrypt-internal.asm: Moved into v6 directory. Uses the uxtb instruction which is not available for older ARMs. * arm/v6/aes-decrypt-internal.asm: Likewise. 2013-05-03 Niels Möller * cast128.c: Adapt to new struct cast128_ctx. (cast128_set_key): Rewrite, eliminating lots of conditions and some false warnings. * cast128.h (struct cast128_ctx): Separate the small 5-bit rotation subkeys and the larger 32-bit masking subkeys. 2013-05-02 Niels Möller * testsuite/testutils.c (mpz_combit): Renamed. Define only if not provided GMP. Updated all uses. (mpz_togglebit): ... old name. * sexp-format.c (sexp_vformat): Use type mpz_srcptr rather than the old MP_INT *. 2013-04-26 Niels Möller * Many files: Use size_t rather than unsigned for data sizes. * x86_64/aes-encrypt-internal.asm: Accept 64-bit length. * x86_64/aes-decrypt-internal.asm: Likewise. 2013-04-25 Niels Möller * configure.ac: Changed version number, to 2.8. (LIBNETTLE_MAJOR): Bumped major number, following nettle_memxor ABI break. (LIBNETTLE_MINOR): Reset to zero. * examples/hogweed-benchmark.c: Add benchmarking of OpenSSL's RSA functions. (all functions): Deleted unneeded casts. 2013-04-24 Niels Möller * nettle.texinfo (Miscellaneous functions): Updated memxor prototype. Document memxor3. * salsa20-crypt.c (salsa20_crypt): Deleted cast of memxor argument, no longer needed. * salsa20r12-crypt.c (salsa20r12_crypt): Likewise. * sha3.c (sha3_absorb): Likewise. * memxor.h: Updated prototypes. Drop include of nettle-types.h. * memxor.c: Include nettle-types.h, for uintptr_t. Replace all internal uses of uint8_t by plain char. (memxor): Use void * rather than uint8_t * for arguments. (memxor3): Likewise. * x86_64/memxor.asm: Added nettle_ prefix to symbols. * arm/memxor.asm: Likewise. * testsuite/symbols-test: Don't allow memxor functions without nettle prefix, * memxor.h (memxor3): Added name mangling to add "nettle_" prefix to memxor and memxor3 symbols. * Makefile.in (nettle_OBJS): Deleted $(LIBOBJS), and also deleted LIBOBJS substitution. (nettle_SOURCES): Added memxor.c, to include it in the library unconditionally. * configure.ac: Deleted AC_REPLACE_FUNCS for memxor. * Released nettle-2.7. 2013-04-23 Niels Möller From Martin Storsjö: * x86_64/sha256-compress.asm: Add forgotten W64_EXIT. * x86_64/sha512-compress.asm: Likewise. * x86_64/salsa20-crypt.asm (Lpartial): Don't return via W64_EXIT within this subfunction. * x86_64/machine.m4 (W64_ENTRY): Use movdqu instead of movdqa for saving xmm registers, since the stack is not guaranteed to be 16-byte aligned on win64. Take pushed xmm registers into account when reading the fifth parameter from the stack. * Makefile.in: Consistently use EXEEXT_FOR_BUILD. 2013-04-21 Niels Möller * Makefile.in (DISTFILES): Added mini-gmp.c and mini-gmp.h. (distdir): Use find, for identifying assembly files to copy. 2013-04-18 Niels Möller * configure.ac: Recognize cpu type "arm*", not just "armv7*'. * arm/aes-encrypt-internal.asm: Updated include of aes.m4. * arm/aes-decrypt-internal.asm: Likewise. * Makefile.in (distdir): Updated for ARM reorganization. * configure.ac (asm_path): Generalized, can now be a list of directories. On ARM, check for neon instructions, and add arm/neon if appropriate. New command line options --enable-arm-neon/--disable-arm-neon, for overriding the default. arm/neon: New subdirectory, for assembly files making use of neon instructions. arm: Renamed directory, from... armv7: ...old name. * aclocal.m4 (NETTLE_CHECK_ARM_NEON): New macro. * nettle.texinfo (Keyed hash functions): Document UMAC. * umac.h (UMAC32_DIGEST_SIZE, UMAC64_DIGEST_SIZE) (UMAC96_DIGEST_SIZE, UMAC128_DIGEST_SIZE): New constants. (UMAC_DATA_SIZE): New name, for consistency with hash functions. Updated all uses. (UMAC_BLOCK_SIZE): ... old name. 2013-04-17 Niels Möller * examples/nettle-benchmark.c (main): Benchmark salsa20r12. * nettle-internal.c (nettle_salsa20r12): Cipher struct for benchmarking only. * nettle-internal.h (nettle_salsa20): Declare it. * Makefile.in (eccdata): Depend on mini-gmp files. Drop -lgmp. * eccdata.c: Use mini-gmp, to avoid gmp dependency and associated configure tests for the *build* system. Replaced mpz_submul_ui by mpz_mul_ui + mpz_sub, and gmp_printf and gmp_fprintf by calls to mpz_out_str. * mini-gmp.h, mini-gmp.c: New files, copied from gmp-5.1.1. 2013-04-16 Niels Möller * umac-set-key.c (BE_SWAP32_N): Fixed dummy definition used for big-endian systems. * Makefile.in (TARGETS): Deleted eccdata, it should be build only when public key support is enabled. (clean-here): Exlicitly list it here. * asm.m4 (m4_log2): New macro, similar to the one in gmp. (ALIGN): Changed to take alignment in bytes. Updated all callers, currently used only in x86 and x86_64 files. * umac.h (umac32_ctx, umac64_ctx, umac96_ctx, umac128_ctx): Make block count an uint64_t. Reorder some elements to put short values together. * umac-l2.c (_umac_l2, _umac_l2_final): Make count argument an uint64_t. (_umac_l2): Deleted redundant memcpy. (_umac_l2, _umac_l2_final): Store input buffer at end of the poly64/poly128 state. Deleted l1_out from corresponding context structs, and updated all callers. * configure.ac: Changed version number to 2.7. (LIBNETTLE_MINOR): Bumped library version, to 4.6. (LIBHOGWEED_MINOR): And to 2.4. * Makefile.in (distdir): Include files from armv7 subdirectory. * x86_64/umac-nh-n.asm: New file, 3.5 time speedup. * umac32.c (umac32_digest): Fix nonce caching. * umac64.c (umac64_digest): Likewise. * testsuite/umac-test.c (test_incr): New function. (test_main): Test nonce increment. * misc/umac/umac.py: UMAC reference implementation. * misc/umac/rijndael.py: AES implementation used by umac.py. * misc/umac/mkvectors: Script to generate UMAC test vectors. * misc/umac/vectors.out: Generated test vectors. * umac32.c (umac32_digest): Fix nonce increment, use INCREMENT macro. * umac64.c (umac64_digest): Likewise. * umac96.c (umac96_digest): Likewise. * umac128.c (umac128_digest): Likewise. * macros.h (INCREMENT): Allow size == 1. 2013-04-15 Niels Möller * x86_64/umac-nh.asm: New file. 4.4 time speedup. * armv7/umac-nh-n.asm: New file. 2.0-2.3 time speedup. * testsuite/umac-test.c (test_align): Fixed memory leak. 2013-04-12 Niels Möller * armv7/umac-nh.asm: New file. 2.4 time speedup. * armv7/machine.m4 (D0REG, D1REG): New macros. * configure.ac (asm_replace_list): Added umac-nh.asm and umac-nh-n.asm. * testsuite/umac-test.c: Test different alignments for the message. 2013-04-11 Niels Möller * umac-nh-n.c (_umac_nh_n): Rewrote as a single pass over the message data. * examples/nettle-benchmark.c (time_umac): New function. (main): Call it. * umac-set-key.c (_umac_set_key): Drop byteswapping of l3_key2, it can be xored directly to the pad in native byteorder. * umac-l3.c (_umac_l3): Drop key_2 argument, let caller do that xor. Updated all callers. * umac32.c (umac32_digest): Adapt to l3 changes. * umac64.c (umac64_digest): Likewise. * umac96.c (umac96_digest): Likewise. * umac128.c (umac128_digest): Likewise. Initial implementation of umac. * umac.h: New file. * umac-nh.c: New file. * umac-nh-n.c: New file. * umac-poly64.c: New file. * umac-poly128.c: New file. * umac-l2.c: New file. * umac-l3.c: New file. * Makefile.in (nettle_SOURCES): Added umac source files. (HEADERS): Added umac.h. * testsuite/umac-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added umac-test.c. * ecc-mul-a.c (ecc_mul_a): Avoid using mp_bitcnt_t, for compatibility with older GMP versions. * ecc-mul-g.c (ecc_mul_g): Likewise. * eccdata.c (ecc_mul_binary): Likewise. * sec-modinv.c (sec_modinv): Likewise. * x86_64/sha3-permute.asm: Go via memory for moves between general registers and xmm registers. 2013-04-06 Niels Möller From Edgar E. Iglesias: * sha3.c (_sha3_update): Fix condition for when the block buffer is full. 2013-04-04 Niels Möller * ecc-point.c (ecc_point_get): Allow NULL x or y, ignore corresponding coordinate. * nettle.texinfo (Elliptic curves): Document high-level ECDSA support. From Martin Storsjö. Fallback functions for older GMP releases. * gmp-glue.c (mpn_copyd, mpn_copyi, mpn_zero): New functions. * gmp-glue.h: Declare them. (mpn_sqr): Fallback macro. * gmp-glue.h (cnd_add_n, cnd_sub_n): Moved here, define in terms of mpn_cnd_add_n and mpn_sub_n if available, otherwise in terms of mpn_addmul_1 and mpn_submul_1. This seems to be an improvement for subtraction, but more questionable for addition. * ecc-internal.h: Include gmp-glue.h. Deleted corresponding include in all files using ecc-internal.h. (cnd_add_n, cnd_sub_n): Moved from here. 2013-04-03 Niels Möller * ecc-point-mul-g.c (ecc_point_mul_g): New file and function. * ecc-point-mul.c (ecc_point_mul): New file and function. * ecc.h: Updated declarations and name mangling. * Makefile.in (hogweed_SOURCES): Added ecc-point-mul.c and ecc-point-mul-g.c. * testsuite/salsa20-test.c (test_main): Tests for salsa20r12, contributed by Nikos Mavrogiannopoulos. 2013-03-26 Niels Möller * armv7/salsa20-core-internal.asm: New file. 45% speedup. 2013-03-25 Niels Möller From Martin Storsjö: * examples/timing.c: New file, extracted from nettle-benchmark.c. * examples/timing.h: New file. * examples/Makefile.in (SOURCES): Added timing.c. (DISTFILES): Added timing.h. (BENCH_OBJS, ECC_BENCH_OBJS, HOGWEED_BENCH_OBJS): Added timing.o. * examples/nettle-benchmark.c: Use timing.h. * examples/hogweed-benchmark.c: Likewise. * examples/ecc-benchmark.c: Likewise. From Nikos Mavrogiannopoulos: * salsa20r12-crypt.c (salsa20r12_crypt): New file and function. * salsa20.h (salsa20r12_crypt): Declare. * Makefile.in (nettle_SOURCES): Added salsa20r12-crypt.c. From Martin Storsjö: * examples/hogweed-benchmark.c: Include local headers. * testsuite/ecdsa-keygen-test.c: Likewise. * x86_64/sha3-permute.asm: Workaround for Apple's assembler; write movq instructions as movd. * Makefile.in (hogweed_PURE_OBJS): Don't include OPT_ASM_SOURCES twice. 2013-03-15 Niels Möller * armv7/sha3-permute.asm: New file. 4.5 time speedup. * armv7/machine.m4 (QREG): New macro. 2013-03-14 Niels Möller * configure.ac (asm_replace_list): Added sha3-permute.asm, revering 2012-12-30 change. 34% speedup on intel i5, from 2190 cycles for the C implementation down to 1630. * armv7/sha512-compress.asm: Optimized. Keep expanded data in registers, exploit parallelism. Another 70% speedup. * testsuite/sha512-test.c (test_main): Additional test vectors, including some longer than 128 bytes. 2013-03-13 Niels Möller * armv7/sha512-compress.asm: New file, using neon instructions. 2.3 time speedup. * configure.ac (asm_replace_list): Added sha512-compress.asm. * x86_64/machine.m4 (OFFSET64): New macro. * x86_64/sha512-compress.asm: New file, 20% speedup. * sha512-compress.c (ROUND): Eliminated a temporary, analogous to sha256 change below. * x86_64/sha256-compress.asm: New file, 16% speedup (benchmarked on intel i5). 2013-03-11 Niels Möller * armv7/sha256-compress.asm: New file, 25% speedup. * configure.ac (asm_replace_list): Added sha256-compress.asm. * sha256-compress.c (ROUND): Eliminated a temporary. * armv7/sha1-compress.asm: New file, 9% speedup. * testsuite/testutils.c (test_hash): Test different alignments for the hash input. 2013-03-08 Niels Möller * armv7/aes-decrypt-internal.asm: New file, 15% speedup. * armv7/aes-encrypt-internal.asm: New file, 25% speedup. * armv7/aes.m4: New file. 2013-03-07 Niels Möller * gmp-glue.c (mpz_limbs_cmp): Don't use PTR and SIZ macros. * Makefile.in (aesdata, desdata, twofishdata, shadata, gcmdata) (eccdata): Arrange for compiling these programs for running on the build system, also when cross compiling everything else. * config.make.in (CC_FOR_BUILD, EXEEXT_FOR_BUILD): New variables. * configure.ac: Use GMP_PROG_CC_FOR_BUILD and GMP_PROG_EXEEXT_FOR_BUILD. * aclocal.m4 (GMP_PROG_CC_FOR_BUILD, GMP_PROG_CC_FOR_BUILD_WORKS) (GMP_PROG_EXEEXT_FOR_BUILD): New macros, based on GMP's. * aesdata.c: Deleted includes of config.h and nettle-types.h. Use unsigned char and unsigned long instead of stdint.h types. * desdata.c: Deleted includes of config.h and desCode.h. (main): Return 1 on invalid argument. Don't use ROR macro. Use unsigned long instead of uint32_t, and make it work if unsigned long is larger than 32 bits. * gcmdata.c: Deleted include of config.h and use UNUSED macro. * shadata.c: Likewise. * twofishdata.c: Deleted include of nettle-types.h. Use unsigned char instead of stdint.h types. * x86_64/ecc-521-modp.asm: New file. 2.4 time speedup. 2013-03-06 Niels Möller * x86_64/ecc-384-modp.asm: New file, 3 time speedup. * x86_64/ecc-256-redc.asm: New file, 2.5 time speedup. * x86_64/ecc-224-modp.asm: New file, 5 time speedup over C version. 2013-03-05 Niels Möller * configure.ac (asm_optional_list): Added ecc-521-modp.asm. * ecc-521.c: Check HAVE_NATIVE_ecc_521_modp, and use native version if available. * armv7/ecc-521-modp.asm: New file, 2 time speedup over C version. 2013-03-04 Niels Möller * configure.ac (asm_optional_list): Added ecc-384-modp.asm. Deleted bogus reference to $asm_search_list. * ecc-384.c: Check HAVE_NATIVE_ecc_384_modp, and use native version if available. * armv7/ecc-384-modp.asm: New file, 3 time speedup over C version. 2013-03-03 Niels Möller * ecc-256.c: Fixed definition of USE_REDC. 2013-03-01 Niels Möller * ecc-256.c: Check HAVE_NATIVE_ecc_256_redc, and use native version if available. * armv7/ecc-256-redc.asm: New file, 4 time speedup over C version. * testsuite/ecc-redc-test.c: Increased test count. * ecc-224.c: Check HAVE_NATIVE_ecc_224_modp, and use native version if available. * armv7/ecc-224-modp.asm: New file, 4.5 time speedup over C version. * configure.ac (asm_optional_list): Added ecc-224-modp.asm. (OPT_ASM_SOURCES): Fixed assignment. 2013-02-28 Niels Möller * x86_64/ecc-192-modp.asm: Reorganized to reduce number of additions. Use setc instruction. * examples/Makefile.in: Let $(HOGWEED_TARGETS) depend on ../libhogweed.a. * armv7/ecc-192-modp.asm: New file. 2.5 time speedup over C version. 2013-02-27 Niels Möller * ecc-192.c: Check HAVE_NATIVE_ecc_192_modp, and use native version if available. (ecc_192_modp): Fixed carry handling bug in 32-bit version. * x86_64/ecc-192-modp.asm: New file. 3.8 times speedup over C version. * configure.ac (OPT_ASM_SOURCES): New substituted variable. (asm_replace_list, asm_optional_list): New variables. For files in asm_optional_list, also add them to OPT_ASM_SOURCES and define appropriate HAVE_NATIVE_* symbols found. * Makefile.in (OPT_ASM_SOURCES): New variable. Used for setting hogweed_OBJS and hogweed_PURE_OBJS. * testsuite/ecc-mod-test.c: Increased test count. * ecc-384.c (ecc_384_modp): Fixed typo which broke carry handling in the 64-bit version. * examples/ecc-benchmark.c (bench_add_jjj): Typo fix, benchmark the right function. * gmp-glue.h: Check if GMP provides mpz_limbs_read (expected in next release). * gmp-glue.c: Use GMP's mpz_limbs_read and friends if available. Renamed all functions for consistency with GMP. Updated all callers. 2013-02-20 Niels Möller * examples/Makefile.in (HOGWEED_TARGETS): Added hogweed-benchmark$(EXEEXT). (SOURCES): Added hogweed-benchmark.c. (hogweed-benchmark$(EXEEXT)): New target. * examples/hogweed-benchmark.c: New file. * ecdsa-keygen.c (ecdsa_generate_keypair): New file and function. * Makefile.in (hogweed_SOURCES): Added ecdsa-keygen.c. * testsuite/ecdsa-keygen-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdsa-keygen-test.c. * nettle-internal.h (TMP_ALLOC): Added missing parentheses. 2013-02-18 Niels Möller * testsuite/ecdsa-verify-test.c: New testcase. * testsuite/ecdsa-sign-test.c: New testcase. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecdsa-sign-test.c and ecdsa-verify-test.c. * testsuite/testutils.h: Include ecdsa.h. (SHEX): Deleted const cast. * ecc-point.c: New file, struct ecc_point abstraction. * ecc-scalar.c: New file, struct ecc_scalar abstraction. * ecc-random.c (ecc_modq_random, ecc_scalar_random): New file, new functions. * ecc-hash.c (ecc_hash): New file and function. * ecc-ecdsa-sign.c: New file, low-level signing interface. * ecc-ecdsa-verify.c: New file, low-level ecdsa verify. * ecdsa-sign.c: (ecdsa_sign): New file and function. * ecdsa-verify.c (ecdsa_verify): New file and function. * ecdsa.h: New header file. * ecc.h: Declare ecc_point and ecc_scalar functions. * ecc-internal.h: Added declarations. * Makefile.in (hogweed_SOURCES): Added new source files. (HEADERS): Added ecdsa.h. * gmp-glue.c (_mpz_set_mpn): New convenience function. (_mpn_set_base256): New function. (_gmp_alloc_limbs): New function. (_gmp_free_limbs): New function. * gmp-glue.h: Corresponding declarations. Include nettle-stdinh.h. * examples/Makefile.in (HOGWEED_TARGETS): Renamed, was RSA_TARGETS. Added ecc-benchmark$(EXEEXT). (SOURCES): Added ecc-benchmark.c. (ecc-benchmark$(EXEEXT)): New target. * examples/ecc-benchmark.c: New file, benchmarking ecc primitives. 2013-02-15 Niels Möller Integrate ecc_mul_a. * ecc-a-to-j.c: New file. * ecc-add-jjj.c: New file. * ecc-mul-a.c: New file. * Makefile.in (hogweed_SOURCES): Added new files. * testsuite/ecc-mul-a-test.c: New file. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mul-a-test.c. * testsuite/testutils.c: Removed redundant includes. (die): New function. Integrate ecc_mul_g. * ecc.h: New file. * ecc-j-to-a.c: New file. * ecc-size.c: New file. * ecc-add-jja.c: New file. * ecc-dup-jj.c: New file. * ecc-mul-g.c: New file. * sec-tabselect.c: New file. * Makefile.in (hogweed_SOURCES): Added new files. (HEADERS): Added ecc.h * testsuite/ecc-mul-g-test.c: New file. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mul-g-test.c. * testsuite/testutils.c (xalloc_limbs): New function. (test_mpn): New function. (test_ecc_point): New function. (test_ecc_mul_a): New function. (test_ecc_mul_j): New function. * testsuite/testutils.h: Corresponding declarations. Integrate ECC internals. * ecc-curve.h: New file. * ecc-internal.h: New file. * cnd-copy.c: New file. * ecc-192.c: New file. * ecc-224.c: New file. * ecc-256.c: New file. * ecc-384.c: New file. * ecc-521.c: New file. * ecc-generic-modp.c: New file. * ecc-generic-modq.c: New file. * ecc-generic-redc.c: New file. * ecc-mod.c: New file. * ecc-modp.c: New file. * ecc-modq.c: New file. * sec-add-1.c: New file. * sec-modinv.c: New file. * sec-sub-1.c: New file. * Makefile.in (hogweed_SOURCES): Added new files. (HEADERS): Added ecc-curve.h. (DISTFILES): Added ecc-internal.h. * testsuite/ecc-mod-test.c: New file. * testsuite/ecc-modinv-test.c: New file. * testsuite/ecc-redc-test.c: New file. * testsuite/testutils.c (ecc_curves): New constant array. * testsuite/testutils.h: Include ecc-related headers. Declare ecc_curves array. * testsuite/Makefile.in (TS_HOGWEED_SOURCES): Added ecc-mod-test.c ecc-modinv-test.c ecc-redc-test.c. * gmp-glue.c: New file, mpn <-> mpz conversions. * gmp-glue.h: New file. * Makefile.in: Added to hogweed_SOURCES and DISTFILES, respectively. * eccdata.c: New program, for generating ECC-related tables. * Makefile.in (ecc-192.h, ecc-224.h, ecc-256.h, ecc-384.h) (ecc-512.h): New generated files. 2013-02-19 Niels Möller * armv7/memxor.asm (memxor): Software pipelining for the aligned case. Runs at 6 cycles (0.5 cycles per byte). Delayed push of registers until we know how many registers we need. (memxor3): Use 3-way unrolling also for aligned memxor3. Runs at 8 cycles (0.67 cycles per byte) 2013-02-14 Niels Möller * configure.ac: Find GMP's GMP_NUMB_BITS. Substitute in Makefile. * config.make.in (GMP_NUMB_BITS): New variable. * examples/rsa-keygen.c (uint_arg): New function. (main): New options -s and -e, to specify key size and public exponent. Increased default key size to 2048. 2013-02-12 Niels Möller * armv7/memxor.asm (memxor): Optimized aligned case, using 3-way unrolling. 2013-02-06 Niels Möller * armv7/memxor.asm (memxor, memxor3): Optimized aligned case, now runs at 0.75 cycles/byte. * armv7/README: New file. * armv7/machine.m4: New (empty) file. * armv7/memxor.asm: Initial assembly implementation. * config.m4.in: Substitute ASM_TYPE_PROGBITS as TYPE_PROGBITS. * config.make.in: Added .s to the suffix list. * Makefile.in (.asm.s): Use a separate make target for .asm preprocessing. Include asm.d, which the corresponding dependencies. * configure.ac (asm_file_list): Collect assembly files into this variable. (asm.d): Make config.status write dependencies for .s files into asm.d. (ASM_ALIGN_LOG): Set to "no" when appropriate. (ASM_TYPE_FUNCTION): Default to "@function". (ASM_TYPE_PROGBITS): New substituted variable, set in the same way as ASM_TYPE_FUNCTION. (ASM_MARK_NOEXEC_STACK): Use TYPE_PROGBITS. (asm_path): Set up asm_path for armv7. * asm.m4: Use changecom to disable m4 quoting. Use divert to suppress output. 2013-02-05 Niels Möller * testsuite/rsa-keygen-test.c (test_main): Updated expected signatures, after the nettle_mpz_random change below. * testsuite/dsa-test.c (test_main): Likewise. Also fixed the dsa256 test to actually use the expected signature. 2013-01-31 Niels Möller * bignum-random.c (nettle_mpz_random): Increased number of extra bits to 64, following FIPS 186-3. 2013-01-16 Niels Möller * Released nettle-2.6. 2013-01-12 Niels Möller * configure.ac: Use AC_LANG_SOURCE. 2013-01-02 Niels Möller * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.5. (LIBHOGWEED_MINOR): And to 2.3. * examples/Makefile.in: Explicit rules for building objects in parent directory. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. 2013-01-01 Niels Möller * nettle.texinfo (Recommended hash functions): Document additional sha3 functions. * examples/nettle-benchmark.c (main): Benchmark additional sha3 functions. 2012-12-30 Niels Möller * sha3-224.c, sha3-224-meta.c: New files. * sha3-384.c, sha3-384-meta.c: New files. * sha3-512.c, sha3-512-meta.c: New files. * sha3.h: Prototypes for sha3 with sizes 224, 384 and 512. * nettle-meta.h: Declare nettle_sha3_224, nettle_sha3_384 and nettle_sha3_512. * Makefile.in (nettle_SOURCES): Added new sha3 files. * testsuite/sha3-224-test.c: New file. * testsuite/sha3-384-test.c: New file. * testsuite/sha3-512-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added new sha3 test files. * configure.ac: Disabled use of sha3-permute.asm. 2012-12-20 Niels Möller From Tim Rühsen: * testsuite/des-compat-test.c (pt): Use proper prototype, use const. * testsuite/testutils.c (test_dsa_key): Deleted spurious semicolon. 2012-12-15 Niels Möller Based on a patch from Alon Bar-Lev: * Makefile.in (LIBTARGETS, SHLIBTARGET): Define as empty if static or shared libraries, respectively, are disabled. (TARGETS): Deleted @IF_SHARED@ conditional, now in the definition of SHLIBTARGET. From Alon Bar-Lev: * configure.ac: Check for ar program. New option --disable-static. * config.make.in (AR): Use configured value. 2012-12-13 Niels Möller * x86_64/sha3-permute.asm: Rewrote, to keep all state in registers. 2400 cycles on x86_64, only slightly faster than the current C code. 2012-12-09 Niels Möller * sha3-permute.c (sha3_permute): Rewrote to do permutation in place. 80% speedup on x86_64, 2500 cycles. 2012-12-04 Niels Möller * ctr.c (ctr_crypt): Fix bug reported by Tim Kosse. Don't increment the counter when length is zero (was broken for the in-place case). * testsuite/ctr-test.c (test_main): Added test with zero-length data. * testsuite/testutils.c (test_cipher_ctr): Check the ctr value after encrypt and decrypt. 2012-12-03 Niels Möller * sha3-permute.c (sha3_permute): Optimized, to reduce number of passes over the data. 20% speedup on x86_64, 4700 cycles. * configure.ac: Added sha3-permute.asm. * x86_64/sha3-permute.asm: New file. 30% speedup over current C code, 4300 cycles. * nettle.texinfo (Hash functions): Split into several sections, separating recommended hash functions and legacy hash functions. Document sha3-256. 2012-12-02 Niels Möller Split sha.h into new files sha1.h and sha2.h. Replaced all internal usage of sha.h in all files. * sha.h: Kept for compatibility, just includes both new files. * sha1.h: New file. * sha2.h: New file. * Makefile.in (HEADERS): Added sha1.h and sha2.h. 2012-11-28 Niels Möller From Fredrik Thulin: * testsuite/pbkdf2-test.c (test_main): Add PBKDF2-HMAC-SHA512 test cases. 2012-11-15 Niels Möller * sha3-permute.c (sha3_permute): Use ULL suffix on round constants. Avoid passing shift count 0 to ROTL64. * sha3.c (sha3_absorb): Fixed big-endian code. Need macros.h. * macros.h (LE_READ_UINT64): New macro. 2012-11-13 Niels Möller * sha3-permute.c (sha3_permute): Micro optimizations. Partial unrolling. Use lookup table for the permutation. On an x86_64, execution time reduced from appr. 13000 cycles to appr. 6000. * examples/nettle-benchmark.c (TIME_CYCLES): New macro. (bench_sha1_compress, bench_salsa20_core): Use it. (bench_sha3_permute): New function. (main): Call bench_sha3_permute. 2012-11-12 Niels Möller * examples/nettle-benchmark.c (main): Benchmark sha3_256. * sha3-permute.c: New file. Permutation function for sha3, aka Keccak. * sha3.h: New header file. * sha3.c: New file, absorption and padding for sha3. * sha3-256.c: New file. * sha3-256-meta.c: New file. * nettle-meta.h (nettle_sha3_256): Declare. * Makefile.in (nettle_SOURCES): Added sha3 files. (HEADERS): Added sha3.h. * testsuite/sha3.awk: New file. Script to extract test vectors. * testsuite/sha3-256-test.c: New file. * testsuite/sha3-permute-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha3-permute-test.c and sha3-256-test.c. (DISTFILES): Added sha3.awk. * testsuite/.test-rules.make: Added sha3 targets. * macros.h (LE_WRITE_UINT64): New macro. * write-le64.c (_nettle_write_le64): New file and function. * nettle-write.h (_nettle_write_le64): Declare. Also deleted declaration of non-existent _nettle_write_be64. * Makefile.in (nettle_SOURCES): Added write-le64.c. * macros.h (ROTL64): New macro, moved from... * sha512-compress.c (ROTL64): ... old location, deleted. * serpent-internal.h [HAVE_NATIVE_64_BIT] (DROTL32): Renamed from... (ROTL64): ... old name. (DRSHIFT32): Renamed from ... (RSHIFT64): ... old name. * serpent-encrypt.c (LINEAR_TRANSFORMATION64): Updated for above renames. * serpent-decrypt.c (LINEAR_TRANSFORMATION64_INVERSE): Likewise. 2012-11-11 Niels Möller From Nikos Mavrogiannopoulos: * nettle.texinfo (Hash functions): Added documentation for gosthash94. * examples/nettle-benchmark.c (main): Benchmark gosthash94. 2012-11-10 Niels Möller * nettle.texinfo (nettle_hashes, nettle_ciphers): Use deftypevr, not deftypevrx. Spotted by Nikos Mavrogiannopoulos. 2012-11-08 Niels Möller Gost hash function, ported from Aleksey Kravchenko's rhash library by Nikos Mavrogiannopoulos. * gosthash94.c: New file. * gosthash94.h: New file. * gosthash94-meta.c: New file. * nettle-meta.h (nettle_gosthash94): Declare. * Makefile.in (nettle_SOURCES): Added gosthash94.c and gosthash94-meta.c. (HEADERS): Added gosthash94.h. * testsuite/gosthash94-test.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added gosthash94-test.c. 2012-10-29 Niels Möller From Martin Storsjö: * configure.ac (dummy-dep-files): Avoid non-posix \|-operator in sed regexp. 2012-10-29 Niels Möller * x86_64/salsa20-core-internal.asm: New file. * configure.ac: Added salsa20-core-internal.asm. * examples/nettle-benchmark.c (bench_salsa20_core): New function. 2012-10-27 Niels Möller * testsuite/Makefile.in (TS_SOURCES, CXX_SOURCES): Include sources unconditionally. (TS_CXX): Moved @IF_CXX@ conditional here. (DISTFILES): Use $(SOURCES), which now includes all C source files. testutils.c was lost in a the 2012-09-20 change. * x86_64/salsa20-crypt.asm: Include x86_64/salsa20.m4. Make all exits go via .Lend and W64_EXIT. * x86_64/salsa20.m4: New file, extracted from x86_64/salsa20-crypt.asm. 2012-10-26 Niels Möller * configure.ac (LIBNETTLE_LINK, LIBHOGWEED_LIBS): Add $(CFLAGS) on the link command line. Reported by Dennis Clarke. 2012-10-03 Niels Möller From: Nikos Mavrogiannopoulos: * testsuite/testutils.c (test_hash): On failure, print the expected and returned hash values. 2012-09-23 Niels Möller * Makefile.in (nettle_SOURCES): Added salsa20-core-internal.c. * salsa20-core-internal.c (_salsa20_core): New file and function, extracted from salsa20_crypt. * salsa20.h (_salsa20_core): Declare it. * salsa20-crypt.c (salsa20_crypt): Use _salsa20_core. 2012-09-21 Niels Möller * pbkdf2.c (pbkdf2): assert that iterations > 0. Reorganized loops. * nettle.texinfo (Cipher functions): Stress that the salsa20 hash function is not suitable as a general hash function. 2012-09-20 Simon Josefsson * pbkdf2-hmac-sha1.c, pbkdf2-hmac-sha256.c: New files. * pbkdf2.h (pbkdf2_hmac_sha1, pbkdf2_hmac_sha256): New prototypes. * Makefile.in (nettle_SOURCES): Add pbkdf2-hmac-sha1.c and pbkdf2-hmac-sha256.c. * nettle.texinfo (Key derivation functions): Improve. * testsuite/pbkdf2-test.c (test_main): Test new functions. 2012-09-20 Niels Möller * pbkdf2.c (pbkdf2): Reordered arguments, for consistency. * pbkdf2.h (PBKDF2): Analogous reordering. * testsuite/pbkdf2-test.c: Adapted to new argument order. Also use LDATA for the salt. * nettle.texinfo (Key derivation functions): Updated documented pbkdf2 prototype. * testsuite/Makefile.in (VALGRIND): New variable, to make valgrind checking easier. * configure.ac: New substitution IF_CXX, replacing CXX_TESTS. (dummy-dep-files): Handle .cxx files. * testsuite/Makefile.in: Use IF_CXX. Include dependency file for cxx-test.o. 2012-09-19 Niels Möller From Tim Rühsen: * examples/rsa-encrypt.c (main): Added missing mpz_clear. * examples/rsa-keygen.c (main): Added missing deallocation. * testsuite/meta-hash-test.c (test_main): Validate NETTLE_MAX_HASH_DIGEST_SIZE. * pbkdf2.h (PBKDF2): New macro. * testsuite/pbkdf2-test.c: Use it. 2012-09-12 Simon Josefsson * NEWS: Mention addition of PBKDF2. * pbkdf2.c (pbkdf2): New file and function. * pbkdf2.h: Declare it. * Makefile.in (nettle_SOURCES): Add pbkdf2.c. (HEADERS): Add pbkdf2.h. * nettle.texinfo (Key derivation functions): New section. * testsuite/pbkdf2-test.c: New test case. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Add pbkdf2-test.c. * testsuite/.test-rules.make (pbkdf2-test): New target. 2012-09-16 Niels Möller * testsuite/: Overhaul of testsuite, affecting almost all files. + Use struct tstring for allocated strings, and deallocate before exit. + Changed most test functions to take struct tstring as arguments. + Made all test_main return on success. * testsuite/testutils.h (struct tstring): New struct type. (H2, HL, MEMEQH, SUCCESS): Deleted macros. (SHEX, SDATA): New macros. (H): Redefined to track storage. * testsuite/testutils.c (tstring_alloc): New function. (tstring_clear): New function. (tstring_data): New function. (tstring_hex): New function. (tstring_print_hex): New function. (decode_hex_length): Made static. (decode_hex): Made static. No return value, abort on error. (main): Expect test_main to return, and call tstring_clear before exit. (test_dsa_key): Added missing mpz_clear. (test_mac): Deleted unused function. * testsuite/rsa2sexp-test.c (test_main): Added missing nettle_buffer_clear. * testsuite/yarrow-test.c (open_file): Don't leak filename. (test_main): fclose input file properly. * testsuite/sexp-format-test.c (test_main): Added missing calls to nettle_buffer_clear and mpz_clear. * testsuite/serpent-test.c (tstring_hex_reverse): New function, replacing... (decode_hex_reverse): ... deleted function. (RHEX): New macro, replacing... (RH, RHL): ... deleted macros. * testsuite/rsa2sexp-test.c (test_main): Added missing nettle_buffer_clear. * testsuite/random-prime-test.c (test_main): Added missing mpz_clear. * realloc.c (nettle_realloc): Only call libc realloc if length > 0, otherwise call free. Fixes a small memory leak. (nettle_xrealloc): Likewise. * run-tests (test_program): Don't quote $EMULATOR; allow it to expand to program and arguments (e.g., valgrind). * tools/pkcs1-conv.c (convert_public_key): Added missing calls to dsa_public_key_clear and rsa_public_key_clear. (main): Added missing nettle_buffer_clear. 2012-09-10 Niels Möller * examples/eratosthenes.c (main): Explicitly deallocate storage before exit. * examples/io.c (read_file): Explicitly treat an empty file as an error. Rearrange loop, check for short fread return value. * desdata.c: Don't declare printf, include instead. Also deleted casts of printf return value. From Tim Rühsen: * examples/nettle-benchmark.c (die): Use PRINTF_STYLE attribute. * pgp-encode.c (pgp_put_rsa_sha1_signature): Deleted unused variable. * rsa2openpgp.c (rsa_keypair_to_openpgp): Likewise. * examples/base16enc.c (main): Deleted useless allocations. 2012-09-07 Niels Möller * examples/nettle-benchmark.c (die): Add NORETURN attribute. Patch from Tim Rühsen. * tools/misc.h (die, werror): Use PRINTF_STYLE and NORETURN macros for attributes. Patch from Tim Rühsen. * examples/io.h (werror): Use PRINTF_STYLE macro. 2012-08-22 Niels Möller From Sam Thursfield : * configure.ac: Make documentation optional, to avoid requiring TeX. New option --disable-documentation, and Makefile substitution IF_DOCUMENTATION. * Makefile.in: Use IF_DOCUMENTATION. 2012-07-12 Niels Möller * asm.m4 (ALIGN): Use << operator rather than **, with m4 eval. The latter is not supported by BSD m4. 2012-07-07 Niels Möller Copyright headers: Updated FSF address. Patch from David Woodhouse. * examples/Makefile.in (BENCH_LIBS): Added -lm, needed for the ldexp function. Reported by Anthony G. Basile. * configure.ac: Changed version number to 2.6. * Released nettle-2.5. 2012-07-05 Niels Möller * x86_64/salsa20-crypt.asm (salsa20_crypt): Write the 64-bit movq instructions as "movd", since that makes the osx assembler happier. Assembles to the same machine code on gnu/linux. 2012-07-03 Niels Möller * aclocal.m4 (LSH_FUNC_ALLOCA): In the config.h boilerplate, include malloc.h if it exists, also when compiling with gcc. Needed for cross-compiling with --host=i586-mingw32msvc. * examples/base16dec.c: Don't #include files using , we don't want to pick up installed versions. On windows, include , needed for _setmode. * examples/base16enc.c: Likewise. * examples/base64dec.c: Likewise. * examples/base64enc.c: Likewise * nettle.texinfo (Cipher functions): Document Salsa20. 2012-06-25 Niels Möller * pkcs1.c (_pkcs1_signature_prefix): Renamed function, adding a leading underscore. Updated all callers. * bignum-next-prime.c (nettle_next_prime): Consistently use the type nettle_random_func * (rather then just nettle_random_func) when passing the function pointer as argument. Similar change for nettle_progress_func. Should have been done for the 2.0 release, but a few arguments were overlooked. * bignum-random-prime.c (_nettle_generate_pocklington_prime) (nettle_random_prime): Likewise. * bignum-random.c (nettle_mpz_random_size, nettle_mpz_random): Likewise. * dsa-keygen.c (dsa_generate_keypair): Likewise. * dsa-sha1-sign.c (dsa_sha1_sign_digest, dsa_sha1_sign): Likewise. * dsa-sha256-sign.c (dsa_sha256_sign_digest, dsa_sha256_sign): Likewise. * dsa-sign.c (_dsa_sign): Likewise. * pkcs1-encrypt.c (pkcs1_encrypt): Likewise. * rsa-blind.c (_rsa_blind): Likewise. * rsa-decrypt-tr.c (rsa_decrypt_tr): Likewise. * rsa-encrypt.c (rsa_encrypt): Likewise. * rsa-keygen.c (rsa_generate_keypair): Likewise. * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): Likewise. * cbc.c (cbc_encrypt, cbc_decrypt): Similarly, use the type nettle_crypt_func * rather than just nettle_crypt_func. * ctr.c (ctr_crypt): Likewise. * gcm.c (gcm_set_key): Likewise. * testsuite/des-compat-test.c (test_main): Disable declarations of disabled functions and variables, to avoid warnings. No verbose output unless verbose flag is set. 2012-06-09 Niels Möller * examples/Makefile.in (SOURCES): Added base16dec.c, forgotten earlier. General pkcs1 signatures, with a "DigestInfo" input. Suggested by Nikos Mavrogiannopoulos. * Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-digest.c, rsa-pkcs1-sign.c, rsa-pkcs1-sign-tr.c, and rsa-pkcs1-verify.c. * pkcs1-rsa-digest.c (pkcs1_rsa_digest_encode): New file and function. * pkcs1.h: Declare it. * rsa-pkcs1-verify.c (rsa_pkcs1_verify): New file and function. * rsa-pkcs1-sign.c (rsa_pkcs1_sign): New file and function. * rsa-pkcs1-sign-tr.c (rsa_pkcs1_sign_tr): New file and function, contributed by Nikos Mavrogiannopoulos. * rsa.h: Declare new functions. * rsa.h (_rsa_blind, _rsa_unblind): Declare functions. * rsa-blind.c (_rsa_blind, _rsa_unblind): Functions moved to a separate file, renamed and made non-static. Moved from... * rsa-decrypt-tr.c: ... here. 2012-06-03 Niels Möller * testsuite/pkcs1-test.c (test_main): Include leading zero in expected result. * pkcs1.c (pkcs1_signature_prefix): Return pointer to where the digest should be written. Let the size input be the key size in octets, rather then key size - 1. * pkcs1-rsa-*.c: Updated for above. * rsa-*-sign.c, rsa-*-verify.c: Pass key->size, not key->size - 1. 2012-05-18 Niels Möller * pkcs1-encrypt.c (pkcs1_encrypt): New file and function. * rsa-encrypt.c (rsa_encrypt): Use pkcs1_encrypt. 2012-05-09 Niels Möller * rsa-decrypt-tr.c (rsa_decrypt_tr): Added missing mpz_clear, spotted by Nikos Mavrogiannopoulos. 2012-05-07 Niels Möller * nettle-types.h (_STDINT_HAVE_INT_FAST32_T): Define here, to force nettle-stdint.h to not try to define the int_fast*_t types. Avoids compilation problems with gnutls on SunOS-5.8, where the definitions here collide with gnulib's. 2012-04-23 Niels Möller * nettle-internal.h (NETTLE_MAX_BIGNUM_SIZE): New constant. Based on NETTLE_MAX_BIGNUM_BITS, rounded upwards. Replaced all uses of NETTLE_MAX_BIGNUM_BITS. 2012-04-19 Niels Möller * list-obj-sizes.awk: Use decimal rather than hexadecimal output. (hex2int): Use local variables. 2012-04-18 Niels Möller * x86_64/salsa20-crypt.asm: New file. 2012-04-17 Niels Möller * testsuite/salsa20-test.c (test_salsa20_stream): Check that salsa20_crypt doesn't write beyond the given destination area. (test_salsa20): Likewise. * salsa20-crypt.c: Renamed file, from... * salsa20.c: ... old name. * x86_64/machine.m4 (WREG): New macro. * salsa20.c (salsa20_hash): Deleted function, inlined into salsa20_crypt. (salsa20_set_key, salsa20_set_iv): Moved, to... * salsa20-set-key.c: ...new file. 2012-04-15 Niels Möller * testsuite/salsa20-test.c (test_salsa20_stream): New function. (test_main): Tests for encrypting more than one block at a time. 2012-04-14 Niels Möller * examples/io.c (write_file): Use write_string. * examples/Makefile.in (base64enc): New targets. Also added missing io.o dependency to several other targets. (base64dec, base16enc, base16dec): Likewise. * examples/base64enc.c: New file, based on example code contributed by Jeronimo Pellegrini. * examples/base64dec.c: Likewise. * examples/base16enc.c: Likewise. * examples/base16dec.c: Likewise. * examples/rsa-encrypt.c (process_file): Reorganized fread loop. (usage): New function. (main): Implemented --help option. * examples/rsa-decrypt.c (process_file): Improved error message for too short input file. * aes-set-decrypt-key.c (gf2_log, gf2_exp): Deleted tables. (mult, inv_mix_column): Deleted functions. (mtable): New table. (MIX_COLUMN): New macro. (aes_invert_key): Use MIX_COLUMN and mtable. * aesdata.c (compute_mtable): New table, for the inv mix column operation in aes_invert_key. 2012-04-13 Niels Möller * aes-set-encrypt-key.c (aes_set_encrypt_key): Use LE_READ_UINT32. Tabulate the needed "round constants". (xtime): Deleted function. * aes-internal.h (SUBBYTE): Cast to uint32_t. Use B0, ..., B3 macros. 2012-04-09 Niels Möller Timing resistant RSA decryption, based on RSA blinding code contributed by Nikos Mavrogiannopoulos. * rsa-decrypt-tr.c (rsa_decrypt_tr): New function. (rsa_blind): Helper function. (rsa_unblind): Helper function. * rsa.h: Declare rsa_decrypt_tr. Some cleanups, no longer include nettle-meta.h, more consistent declarations of function pointer arguments. * testsuite/rsa-encrypt-test.c (test_main): Test rsa_decrypt_tr. Check for writes past the end of the message area. * Makefile.in (hogweed_SOURCES): Added pkcs1-decrypt.c. * rsa-decrypt.c (rsa_decrypt): Use pkcs1_decrypt. * pkcs1-decrypt.c (pkcs1_decrypt): New file and function, extracted from rsa_decrypt. 2012-04-01 Niels Möller * salsa20.c (LE_SWAP32): Typo fix for big-endian case. (QROUND): New macro. (salsa20_hash): Use it. 2012-03-31 Niels Möller * salsa20.c: (salsa20_set_iv): Deleted size argument, only one size allowed. (U8TO32_LITTLE): Deleted macro. Use LE_READ_UINT32 instead, which avoids unaligned reads. (salsa20_set_key): Rearranged slightly, to avoid unnecessary byte-to-word conversions. (LE_SWAP32): Renamed macro from... (U32TO32_LITTLE): ... old name. (U32TO8_LITTLE): Deleted macro. (salsa20_wordtobyte): Renamed function to... (salsa20_hash): ... new name. Changed output argument from byte array to word array. Use memxor3, which brings a considerable performance gain. * nettle-internal.c (salsa20_set_key_hack): Updated salsa20_set_iv call. * testsuite/salsa20-test.c (test_salsa20): Deleted iv_length argument, updated all calls. * salsa20.h (SALSA20_BLOCK_SIZE): New constant. (_SALSA20_INPUT_LENGTH): New constant. * salsa20.c: Use these constants. * salsa20.c (ROTL32): Deleted macro, use the one from macros.h instead, with reversed order of arguments. (ROTATE, XOR, PLUS, PLUSONE): Deleted macros, use ROTL32 and builtin operators directly. Unification of rotation macros. * macros.h (ROTL32): New macro, to replace (almost) all other rotation macros. * aes-set-encrypt-key.c: Include macros.h. (aes_set_encrypt_key): Use ROTL32. * aes-internal.h (ROTBYTE, ROTRBYTE): Deleted macros. * camellia-internal.h (ROL32): Deleted macro. (ROTL128): Renamed for consistency, from... (ROL128): ... old name. * camellia-crypt-internal.c: Updated for renamed rotation macros. * camellia-set-encrypt-key.c: Likewise. * cast128.c (ROL): Deleted macro. (F1, F2, F3): Updated to use ROTL32 (reversed order of arguments). Also added proper do { ... } while (0) wrappers. * ripemd160-compress.c (ROL32): Deleted macro. (R): Updated to use ROTL32 (reversed order of arguments). * serpent-internal.h (ROL32): Deleted macro. (ROTL64): Renamed (from ROL64) and reorderd arguments, for consistency. (RSHIFT64): Reordered arguments, for consistency. * serpent-decrypt.c: Updated for renamed rotation macros, with reversed argument order. * serpent-encrypt.c: Likewise. * serpent-set-key.c: Likewise. * sha1-compress.c (ROTL): Deleted macro, use ROTL32 instead. * sha256-compress.c (ROTR): Deleted macro. Replaced by ROTL32, with complemented shift count. (SHR): Deleted macro, use plain shift operator instead. * sha512-compress.c (ROTR): Deleted macro, replaced by... (ROTL64): ...new macro, with complemented shift count (SHR): Deleted macro, use plain shift operator instead. (S0, S1, s0, s1): Updated accordingly. 2012-03-30 Niels Möller * nettle-internal.c (nettle_salsa20): Cipher struct for benchmarking only. Sets a fix zero IV, and ignores block size. * nettle-internal.h (nettle_salsa20): Declare it. * examples/nettle-benchmark.c (block_cipher_p): New function. (time_cipher): Use block_cipher_p. (main): Include salsa20 in benchmark. * Makefile.in (soname link): Fixed logic. (nettle_SOURCES): Removed nettle-internal.c, so that it's not part of the library... (internal_SOURCES): ...and put it here. * testsuite/Makefile.in (TEST_OBJS): Added ../nettle-internal.o. * examples/Makefile.in (BENCH_OBJS): New variable, to simplify the nettle-benchmark rule. Also link with ../nettle-internal.o. 2012-03-29 Niels Möller Implementation of Salsa20, contributed by Simon Josefsson. * salsa20.h: New file. * salsa20.c: New file. * Makefile.in (nettle_SOURCES): Added salsa20.c (HEADERS): Added salsa20.h. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added salsa20-test.c. * testsuite/salsa20-test.c: New test case. * Makefile.in (soname links): Adding missing space before ]. 2012-03-23 Niels Möller * arcfour.h (arcfour_stream): Deleted obsolete prototype. 2012-03-05 Niels Möller * configure.ac (enable_shared): Build shared libraries by default. 2012-03-04 Niels Möller * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.4. (LIBHOGWEED_MINOR): And to 2.2. 2012-02-27 Niels Möller * list-obj-sizes.awk: Recognize elf64 objects. * Makefile.in (.texinfo.dvi): Pass -b option to texi2dvi. * Makefile.in (TARGETS): Added twofishdata. (SOURCES): Added twofishdata.c. (twofishdata): New rule. * twofish.c (q0, q1): Made const, and reformatted to match the twofishdata program. * twofishdata.c: Resurrected old file. Used to be called generate_q.c, when the twofish code was contributed back in 1999. * nettle.texinfo: Documentation for base16 and base64 encoding. Text contributed by Jeronimo Pellegrini , back in April 2006. 2012-02-18 Niels Möller * run-tests, getopt.c, getopt1.c, getopt.h: These files were moved to the top-level in the conversion to an independent git repository. They used to be symlinks to lsh files, from the subdirectories which use them. * Makefile.in: Build and distribute getopt files. Distribute run-tests script. * examples/Makefile.in: Adapt to getopt files and the run-tests script now located in the parent directory. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * index.html: Converted to xhtml (from lsh repository, change dated 2012-02-03). Updated git instructions. * nettle.texinfo: Updated charset declaration. * misc/plan.html: Likewise. 2012-01-17 Niels Möller * testsuite/Makefile.in (DISTFILES): Added setup-env. * examples/rsa-decrypt.c (main): Use _setmode rather than setmode, suggested by Eli Zaretskii. Affects windows builds only. * examples/rsa-encrypt.c: Likewise. * Makefile.in ($(LIBNETTLE_FORLINK)): Always create a .lib symlink to the library file. Use LN_S. ($(LIBHOGWEED_FORLINK)): Likewise. (install-shared-nettle): Use LN_S. (install-shared-hogweed): Likewise. * configure.ac: Use AC_PROG_LN_S. * config.make.in (LN_S): New substitution. * testsuite/setup-env: New file. Wine workaround. Can't get ../.lib into wine's dll search path, so create additional symlinks. * testsuite/teardown-env: ...and delete them here. Also delete file testtmp. * examples/setup-env: Similar links setup here. * examples/teardown-env: ... and deleted. 2012-01-07 Niels Möller * examples/Makefile.in (check): Add ../.lib to PATH, like in testsuite/Makefile. Needed for w*ndows. Reported by Eli Zaretskii. 2011-11-25 Niels Möller From Martin Storsjö: * x86_64/machine.m4 (W64_ENTRY, W64_EXIT): New macros for supporting W64 ABI. * x86_64: Updated all assembly files to use them. * configure.ac (W64_ABI): New variable, set when compiling for W64 ABI (64-bit M$ windows). * config.m4.in (W64_ABI): Define, from configure substitution. 2011-11-24 Niels Möller From Martin Storsjö: * examples/Makefile.in (check): Pass $(EMULATOR) and $(EXEEXT) in the environment of run-tests. * examples/rsa-encrypt-test: Use $EXEEXT and $EMULATOR. * examples/rsa-sign-test: Likewise. * examples/rsa-verify-test: Likewise. * examples/setup-env: Likewise. * testsuite/Makefile.in (check): Pass $(EXEEXT) in the environment of run-tests. * testsuite/pkcs1-conv-test: Use $EXEEXT and $EMULATOR. Ignore \r in rsa-sign output. * examples/rsa-decrypt.c (main) [WIN32]: Set stdout/stdin to binary mode. * examples/rsa-encrypt.c (main): Likewise. 2011-11-24 Niels Möller * configure.ac (HAVE_NATIVE_64_BIT): Workaround to get it set to 1 on w64. * serpent-internal.h (ROL64): Use (uint64_t) 1 rather than 1L, for M$ w64. (RSHIFT64): Likewise. Also added a missing parenthesis. 2011-11-24 Niels Möller From Martin Storsjö: * testsuite/symbols-test: Use $NM, falling back to nm if undefined. * testsuite/Makefile.in (check): Pass $(NM) in the environment of run-tests. * config.make.in (NM): Set NM. * testsuite/sexp-conv-test: Use $EMULATOR when running test programs. Also ignore \r for output in the non-canonical output formats. * testsuite/Makefile.in (check): Pass $(EMULATOR) in the environment of run-tests. * configure.ac (EMULATOR): New substituted variable. Set to wine or wine64 when cross compiling for windows, otherwise empty. * config.make.in (EMULATOR): Set from autoconf value. 2011-11-20 Niels Möller * x86/camellia-crypt-internal.asm: Take ALIGNOF_UINT64_T into account when getting the offset for the subkeys. Differs between w32 and other systems. w32 problem identified by Martin Storsjö. * config.m4.in: Define ALIGNOF_UINT64_T (from configure). * configure.ac: Check alignment of uint64_t, and also use AC_SUBST for use in config.m4.in. 2011-11-19 Niels Möller Cygwin/mingw32 improvements contributed by Martin Storsjö: * Makefile.in (IMPLICIT_TARGETS): New variable for DLL link libraries. (clean-here): Delete the DLL import libraries. * configure.ac: Setup installation of DLL files in $bindir. (IF_DLL, LIBNETTLE_FILE_SRC, LIBHOGWEED_FILE_SRC): New substitutions. * config.make.in (LIBNETTLE_FILE_SRC): Substitute new autoconf variable. (LIBHOGWEED_FILE_SRC): Likewise. * Makefile.in (install-dll-nettle, uninstall-dll-nettle): New target for installing the DLL file in $bindir. (install-shared-nettle): Conditionally depend on install-dll-nettle. Use LIBNETTLE_FILE_SRC. (uninstall-shared-nettle): Conditionally depend on install-dll-nettle. (various hogweed targets): Analogous changes. * configure.ac: Unify shared lib setup for cygwin and mingw. 2011-10-31 Niels Möller * configure.ac (LIBHOGWEED_LIBS): Typo fix for the darwin case. Spotted by Martin Storsjö. 2011-10-25 Niels Möller * configure.ac (LIBHOGWEED_LIBS): cygwin fix, added libnettle.dll.a. Reported by Volker Zell. 2011-10-18 Niels Möller * configure.ac: Improved setup för darwin shared libraries. Patch contributed by Ryan Schmidt. 2011-10-03 Niels Möller * x86_64/memxor.asm: Implemented sse2-loop. Configured at compile time, and currently disabled. * testsuite/testutils.h (ASSERT): Write message to stderr. * testsuite/memxor-test.c: Use 16-byte alignment for "fully aligned" operands. 2011-09-03 Niels Möller * x86/camellia-crypt-internal.asm: Use "l"-suffix on instructions more consistently. Reportedly, freebsd and netbsd systems with clang are more picky about this. * configure.ac: Changed version number to 2.5. * Released nettle-2.4. * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.3. * gcm-aes.c: Include config.h. * tools/nettle-lfib-stream.c: Likewise. * ripemd160-compress.c: Added missing include of config.h. Needed for correct operation on big-endian systems. 2011-09-02 Niels Möller * configure.ac: Changed version number to 2.4. * Released nettle-2.3. 2011-08-30 Niels Möller * testsuite/hmac-test.c: Added tests for hmac-ripemd160. * hmac.h: Declare hmac-ripemd160 related functions. * Makefile.in (nettle_SOURCES): Added hmac-ripemd160.c. 2011-08-30 Niels Möller * nettle.texinfo (Hash functions): Document ripemd-160. * hmac-ripemd160.c: New file. * hmac.h: Declare hmac-ripemd160 functions. 2011-08-29 Niels Möller * sha256.c (sha256_update): Updated MD_UPDATE call for new conventions. (sha256_write_digest): Use MD_PAD rather than MD_FINAL, and insert the length manually. * sha512.c: Analogous changes. * sha1.c (COMPRESS): New macro. (sha1_update): Updated MD_UPDATE call for new conventions. (sha1_digest): Use MD_PAD rather than MD_FINAL, and insert the length manually. * ripemd160.c (ripemd160_init): Use memcpy for initializing the state vector. (COMPRESS): New macro. (ripemd160_update): Use MD_UPDATE. (ripemd160_digest): Inline ripemd160_final processing. Use MD_PAD and _nettle_write_le32. (ripemd160_final): Deleted function. * ripemd160.h (struct ripemd160_ctx): Use a 64-bit block count. Renamed digest to state. * md5.c (md5_init): Use memcpy for initializing the state vector. (COMPRESS): New macro, wrapping _nettle_md5_compress. (md5_update): Use MD_UPDATE. (md5_digest): Inline md5_final processing. Use MD_PAD and _nettle_write_le32. (md5_final): Deleted. * md5.h (struct md5_ctx): Renamed some fields, for consistency. * md4.h (struct md4_ctx): Renamed some fields, for consistency. * md4.c (md4_init): Use memcpy for initializing the state vector. (md4_update): Use MD_UPDATE. (md4_digest): Inline md4_final processing, using MD_PAD. Use _nettle_write_le32. (md4_block): Renamed, to... (md4_compress): ... new name. Take ctx pinter as argument. (md4_final): Deleted function. * md2.c (md2_update): Use MD_UPDATE. * macros.h (MD_UPDATE): Added incr argument. Invoke compression function with ctx pointer as argument, rather than ctx->state. (MD_FINAL): Just pad, don't store length field. Renamed to MD_PAD. (MD_PAD): Analogous change of compression invocations. * sha512.c: (COMPRESS): New macro wrapping _nettle_sha512_compress. (sha512_update): Use MD_UPDATE. (sha512_final): Deleted function. (sha512_write_digest): Use MD_FINAL. * sha256.c (COMPRESS): New macro wrapping _nettle_sha256_compress. (SHA256_INCR): Deleted macro. (sha256_update): Use MD_UPDATE. (sha256_final): Deleted function. (sha256_write_digest): New function, replacing sha256_final, and using MD_FINAL. (sha256_digest): Use sha256_write_digest. (sha224_digest): Likewise. * tools/nettle-hash.c (list_algorithms): Fixed typo in header. * sha1.c (SHA1_DATA_LENGTH): Deleted unused macro. (sha1_init): Use memcpy to initialize the state vector. (SHA1_INCR): Deleted macro. (sha1_update): Use MD_UPDATE macro, to reduce code duplication. (sha1_digest): Use MD_FINAL macro. (sha1_final): Deleted function. * sha.h (struct sha1_ctx): Renamed attribute digest to state. * macros.h (MD_UPDATE): New macro. (MD_FINAL): New macro. 2011-08-28 Niels Möller * ripemd160.c (ripemd160_final): Use LE_WRITE_UINT32. Deleted byte swapping at the end, leaving it to ripemd160_digest. (ripemd160_digest): Use _nettle_write_le32. * Makefile.in (nettle_SOURCES): Added write-le32.c. * md5.c (md5_digest): Use _nettle_write_le32. * write-le32.c (_nettle_write_le32): New file and function. * ripemd160-compress.c (ROL32): Renamed macro (was "rol"). Deleted x86 version using inline assembly; at least gcc-4.4.5 recognizes shift-and-or expressions which are in fact rotations. (_nettle_ripemd160_compress): Use LE_READ_UINT32. * configure.ac (LIBNETTLE_MINOR): Bumped library version, to 4.2. * testsuite/meta-hash-test.c: Updated for the addition of ripemd-160. * testsuite/.test-rules.make: Added rule for ripemd160-test. * examples/nettle-benchmark.c (main): Benchmark ripemd-160. 2011-08-28 Niels Möller RIPEMD-160 hash function. Ported from libgcrypt by Andres Mejia. * testsuite/ripemd160-test.c: New file. * ripemd160.h: New file. * nettle-meta.h: Declare nettle_ripemd160. * ripemd160.c: New file, ported from libgcrypt. * ripemd160-compress.c: Likewise. * ripemd160-meta.c: New file. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added ripemd160-test.c. * nettle-meta-hashes.c (nettle_hashes): Added nettle_ripemd160. * Makefile.in (nettle_SOURCES): Added ripemd160.c, ripemd160-compress.c, and ripemd160-meta.c. (HEADERS): Added ripemd160.h. 2011-08-10 Niels Möller * nettle.texinfo: Fixed mis-placed const in various prototypes. Spotted by Tatsuhiro Tsujikawa. 2011-07-24 Niels Möller * Makefile.in (PKGCONFIG_FILES, pkgconfigdir): New variables. (DISTFILES): Added nettle.pc.in and hogweed.pc.in. (nettle.pc, hogweed.pc): New targets (invoking config.status). (install-pkgconfig, uninstall-pkgconfig): New targets. (install-here): Depend on install-pkgconfig. (uninstall-here): Depend on uninstall-pkgconfig. (distclean-here): Delete nettle.pc and hogweed.pc. 2011-07-20 Niels Möller * configure.ac: Generate nettle.pc and hogweed.pc. * nettle.pc.in, hogweed.pc.in: New files. 2011-07-17 Niels Möller * nettle-internal.h: Added missing extern declarations. 2011-07-11 Niels Möller * configure.ac: Changed version number to 2.3. * Released nettle-2.2. * Makefile.in (DISTFILES): Distribute COPYING.LIB, not COPYING, 2011-07-07 Niels Möller * tools/misc.h (werror): Removed incorrect noreturn attribute from declaration. * examples/io.c (read_file): Bug fix, in dependence of initial size on max_size. 2011-07-01 Niels Möller * cbc.c (CBC_BUFFER_LIMIT): Reduced to 512 bytes. (cbc_decrypt): For in-place operation, use overlapping memxor3 and eliminate a memcpy. * ctr.c (ctr_crypt): Reorganized to call the encryption function with several blocks at a time. Handle the case of a single block specially. * x86_64/memxor.asm: Added ALIGN for shifting loop. Deleted obsolete ifelse. 2011-06-30 Niels Möller * configure.ac: Link in serpent-decrypt.asm, if found. * x86_64/serpent-decrypt.asm: Added an SSE2 loop, doing four blocks at a time in parallel. * x86_64/serpent-encrypt.asm: Include serpent.m4. Deleted a redundant label. * x86_64/serpent.m4: New file, with serpent-related macros. 2011-06-29 Niels Möller * x86_64/serpent-decrypt.asm: Wrote main (32-bit) loop. (SBOX0I, SBOX1I, SBOX7I): Fixed bugs. * nettle.texinfo (Copyright): Updated for license change to LGPLv2+. Updated copyright info on serpent. * NEWS: Updated information for nettle-2.2. * x86_64/serpent-decrypt.asm: New file. * x86_64/serpent-encrypt.asm: Fixed .file pseudo op. * testsuite/testutils.c (test_cipher_ctr): Display more info on failure. * examples/nettle-benchmark.c (bench_ctr): New function. (time_cipher): Also benchmark CTR mode. * configure.ac (LIBNETTLE_MINOR): Updated library version number to 4.1. (LIBHOGWEED_MINOR): And to 2.1. 2011-06-22 Niels Möller * configure.ac: Use pwd -P when examining lib directories. Link in serpent-encrypt.asm, if found. 2011-06-21 Niels Möller * serpent-decrypt.c (SBOX3_INVERSE): Eliminated temporaries. (SBOX4_INVERSE): Likewise. (SBOX5_INVERSE): Likewise. (SBOX6_INVERSE): Likewise. (SBOX7_INVERSE): Likewise. (All SBOX_INVERSE-macros): Deleted type argument, and updated users. 2011-06-20 Niels Möller * serpent-decrypt.c: Renamed arguments in sbox macros. (SBOX0_INVERSE): Eliminated temporaries. (SBOX1_INVERSE): Likewise. (SBOX2_INVERSE): Likewise. * x86_64/serpent-encrypt.asm: Added an SSE2 loop, doing four blocks at a time in parallel. * testsuite/serpent-test.c (test_main): Added some more multiple block tests. 2011-06-15 Niels Möller * configure.ac (libdir): On 64-bit Linux, we used to assume that libraries are installed according to the FHS. Since at least Fedora and Gentoo follow the FHS convention, while at least Debian doesn't, we have to try to figure out which convention is used. 2011-06-14 Niels Möller * x86_64/serpent-encrypt.asm: Slight simplification of loop logic. * x86_64/serpent-encrypt.asm: New file. 2011-06-12 Niels Möller * testsuite/serpent-test.c (test_main): Added tests with multiple blocks at a time. * serpent-encrypt.c (SBOX6): Renamed arguments. Eliminated temporaries. (SBOX7): Likewise. (All SBOX-macros): Deleted type argument, and updated users. * configure.ac: Display summary at the end of configure.. (asm_path): Set only if enable_assember is yes. 2011-06-10 Niels Möller * serpent-encrypt.c (SBOX5): Renamed arguments. Eliminated temporaries. 2011-06-09 Niels Möller * serpent-encrypt.c (SBOX4): Renamed arguments. Eliminated temporaries. * configure.ac (LIBNETTLE_LINK, LIBHOGWEED_LINK): Cygwin fix, from Vincent Torri. 2011-06-08 Niels Möller * examples/eratosthenes.c (find_first_one): Fixed c99-style declaration. Reported by Sebastian Reitenbach. (find_first_one): Declare the lookup table as static const, and use unsigned char rather than unsigned.. 2011-06-07 Niels Möller * serpent-encrypt.c (SBOX0): Renamed arguments. Eliminated temporaries. (SBOX1): Likewise. (SBOX2): Likewise. (SBOX3): Likewise. 2011-06-06 Niels Möller * Makefile.in (DISTFILES): Added serpent-internal.h. (nettle_SOURCES): Replaced serpent.c by serpent-set-key.c, serpent-encrypt.c, and serpent-decrypt.c. * serpent.c: Replaced by several new files. * serpent-set-key.c: New file. * serpent-encrypt.c: New file. * serpent-decrypt.c: New file. * serpent-internal.h: New file. * serpent.c [HAVE_NATIVE_64_BIT]: Process two blocks at a time in parallel. Measured speedup of 10%--25% (higher for encryption) on x86_64. 2011-06-01 Niels Möller * serpent.c (ROUNDS): Deleted macro. (serpent_block_t): Deleted array typedef. (KEYXOR): New macro, replacing BLOCK_XOR. (BLOCK_COPY, SBOX, SBOX_INVERSE): Deleted macros. (LINEAR_TRANSFORMATION): Use four separate arguments. (LINEAR_TRANSFORMATION_INVERSE): Likewise. (ROUND): Take separate arguments for all input and output words. (ROUND_INVERSE): Likewise. (ROUND_LAST, ROUND_FIRST_INVERSE): Deleted macros. (serpent_set_key): Moved loop termination test. (serpent_encrypt): Rewrote with unrolling of just eight rounds, and without serpent_block_t. (serpent_decrypt): Likewise. * serpent.c: Added do { ... } while (0) around block macros. (serpent_key_t): Deleted array typedef. (ROL32, ROR32): Renamed macros, were rol and ror. (KS_RECURRENCE, KS): New macros. (serpent_key_pad): Renamed, from... (serpent_key_prepare): ...old name. (serpent_subkeys_generate): Deleted function. (serpent_set_key): Rewrote the generation of subkeys. Reduced both temporary storage and code size (less unrolling) 2011-05-31 Niels Möller * testsuite/serpent-test.c (test_main): Enabled test with short, 40-bit, key. * serpent.c (byte_swap_32): Deleted macro. (serpent_key_prepare): Use LE_READ_UINT32. Don't require aligned input, and support arbitrary key sizes. 2011-05-30 Simon Josefsson * serpent.c: Rewrite, based on libgcrypt code. License changed from GPL to LGPL. * serpent_sboxes.h: Removed. * Makefile.in: Drop serpent_sboxes.h. 2011-05-31 Niels Möller * testsuite/serpent-test.c (test_main): Added some tests for padding of keys of length which is not a multiple of four bytes. 2011-05-30 Simon Josefsson * testsuite/serpent-test.c (test_main): Add test vectors from libgcrypt. 2011-05-21 Niels Möller * dsa-keygen.c (dsa_generate_keypair): Avoid double init of mpz variable. Spotted by Nikos Mavrogiannopoulos. 2011-05-06 Niels Möller * configure.ac: Fix link flags for shared libraries on Solaris, which needs -h to set the soname. Patch contributed by Dagobert Michelsen. 2011-05-06 Niels Möller * configure.ac: New configure option --enable-gcov. * arcfour.h (arcfour_stream): Deleted obsolete define. 2011-04-27 Niels Möller * tools/nettle-hash.c (find_algorithm): Require exact match. 2011-04-15 Niels Möller Reverted broken byte-order change from 2001-06-17: * serpent.c (serpent_set_key): Use correct byteorder. (serpent_encrypt): Likewise. (serpent_decrypt): Likewise. * testsuite/serpent-test.c (decode_hex_reverse): New function. (RH, RHL): New macros. (test_main): Byte reverse inputs and outputs for the testvectors taken from the serpent submission package. Enable test vectors from http://www.cs.technion.ac.il/~biham/Reports/Serpent/. 2011-03-23 Niels Möller * tools/sexp-conv.c (xalloc): Deleted function, now it's in misc.c instead. * configure.ac: Use LSH_FUNC_STRERROR. * tools/Makefile.in (TARGETS): Added nettle-hash, and related build rules. (SOURCES): Added nettle-hash.c. * tools/misc.c (xalloc): New function. * tools/pkcs1-conv.c (main): Made the OPT_* constants local, and fixed numerical values to start with non-ASCII 0x300. * tools/nettle-hash.c: New file. 2011-03-23 Niels Möller Contributed by Daniel Kahn Gillmor: * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added meta-hash-test.c, meta-cipher-test.c, and meta-armor-test.c. * testsuite/meta-hash-test.c: New file. * testsuite/meta-cipher-test.c: New file. * testsuite/meta-armor-test.c: New file. * nettle.texinfo: Document nettle_hashes and nettle_ciphers. * nettle-meta.h: Declare algorithm lists nettle_ciphers, nettle_hashes, nettle_armors. * Makefile.in (nettle_SOURCES): Added nettle-meta-hashes.c, nettle-meta-ciphers.c, and nettle-meta-armors.c. * nettle-meta-armors.c: New file. * nettle-meta-ciphers.c: New file. * nettle-meta-hashes.c: New file. 2011-02-18 Niels Möller * arcfour.c (arcfour_stream): Deleted function. It's not very useful, and neither documented nor tested. 2011-02-16 Niels Möller * cbc.h (CBC_ENCRYPT): Avoid using NULL; we don't ensure that it is defined. (CBC_DECRYPT): Likewise. * gcm-aes.c (gcm_aes_set_iv): Use GCM_SET_IV. (gcm_aes_set_key): Deleted cast. (gcm_aes_encrypt): Likewise. (gcm_aes_decrypt): Likewise. (gcm_aes_digest): Likewise. (gcm_aes_update): One less argument to GCM_UPDATE. * gcm.h (GCM_SET_KEY): Added cast to nettle_crypt_func *. Help compiler type checking despite this cast. (GCM_ENCRYPT): Likewise. (GCM_DECRYPT): Likewise. (GCM_DIGEST): Likewise. (GCM_SET_IV): New macro, for completeness. (GCM_UPDATE): Deleted unused argument encrypt. 2011-02-14 Niels Möller * nettle.texinfo: Split node on cipher modes, and started on the GCM documentation. * testsuite/gcm-test.c (test_gcm_aes): Deleted function, replaced by test_aead. (test_main): Use test_aead. * testsuite/testutils.c (test_aead): New function, replacing test_gcm_aes and before that test_cipher_gcm. * nettle-internal.c (nettle_gcm_aes128): New const struct. (nettle_gcm_aes192): Likewise. (nettle_gcm_aes256): Likewise. * nettle-internal.h (struct nettle_aead): Tentative interface for authenticated encryption with associated data. * examples/nettle-benchmark.c (time_gcm): Renamed. Updated for gcm_aes_auth to gcm_aes_update renaming. Benchmark both encryption and hashing. (time_gmac): ...old name. * nettle-internal.c (des_set_key_hack): Don't touch the bits parity, since thay are now ignored. (des3_set_key_hack): Likewise. * cast128-meta.c (nettle_cast128): Don't pass keysize. * nettle-meta.h (_NETTLE_CIPHER_FIX): Deleted keysize parameter derived from the appropriate constant instead. * testsuite/gcm-test.c (test_gcm_aes): Updated for gcm_aes_auth to gcm_aes_update renaming. 2011-02-13 Niels Möller * gcm.h (GCM_UPDATE): Renamed, from... (GCM_AUTH): ...old name. * gcm-aes.c (gcm_aes_update): Renamed, from... (gcm_aes_auth): ...old name. * gcm.c (gcm_update): Renamed, and fixed an assert. From... (gcm_auth): ...old name. * gcm.h (GCM_TABLE_BITS): Increase table size to 8 bits, corresponding to 4 KByte of key-dependent tables. 2011-02-10 Niels Möller * x86_64/memxor.asm: New file. Improves performance by 22% for the unaligned01 case and 35% for the unaligned12 case, benchmarked on Intel SU1400. * examples/nettle-benchmark.c (cgt_works_p): New function. (cgt_time_start): Likewise. (cgt_time_end): Likewise. (clock_time_start): Likewise. (clock_time_end): Likewise. (time_function): Read clock via function pointers time_start and time_end, so we can select method at runtime. (xalloc): Use die function. (main): Choose timing function. If available, try clock_gettime, and fall back to clock if it doesn't exist. * examples/nettle-benchmark.c (die): New function. (TIME_END, TIME_START): Check return value from clock_gettime. * gcm.h (union gcm_block): Use correct length for w array. * testsuite/gcm-test.c (test_main): Added the rest of the testcases from the spec. 2011-02-09 Niels Möller * testsuite/gcm-test.c (test_main): Enabled testcases 5 and 6, with different IV lengths. * gcm-aes.c (gcm_aes_set_iv): Updated for gcm_set_iv change. * gcm.c (gcm_hash_sizes): New function. (gcm_set_iv): Added support for IVs of arbitrary size. Needed another argument, for the hash subkey. (gcm_digest): Use gcm_hash_sizes. * examples/nettle-benchmark.c (time_gmac): Use gcm_aes interface. * testsuite/gcm-test.c (test_gcm_aes): New function, replacing test_cipher_gcm and using the new gcm_aes interface. (test_main): Updated to use test_gcm_aes. * testsuite/testutils.c (test_cipher_gcm): Deleted function. * Makefile.in (nettle_SOURCES): Added gcm-aes.c. * gcm.c (gcm_set_key): Replaced context argument by a struct gcm_key *. (gcm_hash): Replaced context argument by a struct gcm_key * and a pointer to the hashing state block. (gcm_auth): Added struct gcm_key * argument. (gcm_encrypt): Likewise. (gcm_decrypt): Likewise. (gcm_digest): Likewise. * gcm-aes.c: New file. (gcm_aes_set_key): New function. (gcm_aes_set_iv): Likewise. (gcm_aes_auth): Likewise. (gcm_aes_encrypt): Likewise. (gcm_aes_decrypt): Likewise. (gcm_aes_digest): Likewise. * gcm.h (struct gcm_key): Moved the key-dependent and message-independent state to its own struct. (struct gcm_ctx): ... and removed it here. (GCM_CTX): New macro. (GCM_SET_KEY): Likewise. (GCM_AUTH): Likewise. (GCM_ENCRYPT): Likewise. (GCM_DECRYPT): Likewise. (GCM_DIGEST): Likewise. (struct gcm_aes_ctx): New struct. 2011-02-08 Niels Möller * gcm.h (struct gcm_ctx): The hash key is now always an array, named h, with array size depending on GCM_TABLE_BITS. * gcm.c (gcm_gf_shift): Added a separate result argument. (gcm_gf_mul): Compile bitwise version only when GCM_TABLE_BITS == 0. Simplified interface with just two arguments pointing to complete blocks. (gcm_gf_shift_4, gcm_gf_shift_8): Renamed table-based functions, from... (gcm_gf_shift_chunk): ... old name. (gcm_gf_mul): Renamed both table-based versions and made the argument types compatible with the bitwise gcm_gf_mul. (gcm_gf_mul_chunk): ... the old name. (gcm_set_key): Initialize the table using adds and shifts only. When GCM_TABLE_BITS > 0, this eliminates the only use of the bitwise multiplication. (gcm_hash): Simplified, now that we have the same interface for gcm_gf_mul, regardless of table size. * gcm.c (GHASH_POLYNOMIAL): Use unsigned long for this constant. (gcm_gf_shift_chunk): Fixed bugs for the big endian 64-bit case, e.g., sparc64. For both 4-bit and 8-bit tables. * gcm.c: Use the new union gcm_block for all gf operations. * gcm.h (union gcm_block): New union, used to enforce alignment. 2011-02-07 Niels Möller * gcm.c (gcm_gf_shift_chunk) : Bug fix for little-endian 8-bit tables. * gcm.c (gcm_gf_mul_chunk): Special case first and last iteration. (gcm_gf_add): New function, a special case of memxor. Use it for all memxor calls with word-aligned 16 byte blocks. Improves performance to 152 cycles/byte with no tables, 28 cycles per byte with 4-bit tables and 10.5 cycles per byte with 8-bit tables. Introduced 8-bit tables. If enabled, gives gmac performance of 19 cycles per byte (still on intel x86_64). * gcm.c (gcm_gf_shift_chunk): New implementation for 8-bit tables. (gcm_gf_mul_chunk): Likewise. (gcm_set_key): Generate 8-bit tables. * Makefile.in (SOURCES): Added gcmdata.c. * gcm.h (GCM_TABLE_BITS): Set to 4. 2011-02-06 Niels Möller * Makefile.in (TARGETS): Added gcmdata. (gcmdata): New rule. Introduced 4-bit tables. Gives gmac performance of 45 cycles per byte (still on intel x86_64). * gcm.c (gcm_gf_shift): Renamed. Tweaked little-endian masks. (gcm_rightshift): ... old name. (gcm_gf_mul): New argument for the output. Added length argument for one of the inputs (implicitly padding with zeros). (shift_table): New table (in 4-bit and 8-bit versions), generated by gcmdata. (gcm_gf_shift_chunk): New function shifting 4 bits at a time. (gcm_gf_mul_chunk): New function processing 4 bits at a time. (gcm_set_key): Generation of 4-bit key table. (gcm_hash): Use tables, when available. * gcmdata.c (main): New file. * gcm.c (gcm_rightshift): Moved the reduction of the shifted out bit here. (gcm_gf_mul): Updated for gcm_rightshift change. Improves gmac performance to 181 cycles/byte. * gcm.c (gcm_gf_mul): Rewrote. Still uses the bitwise algorithm from the specification, but with separate byte and bit loops. Improves gmac performance a bit further, to 227 cycles/byte. * gcm.c (gcm_rightshift): Complete rewrite, to use word rather than byte operations. Improves gmac performance from 830 cycles / byte to (still poor) 268 cycles per byte on intel x86_64. 2011-02-05 Niels Möller * examples/nettle-benchmark.c (time_gmac): New function. (main): Call time_gmac. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added gcm-test.c. * testsuite/testutils.c (test_cipher_gcm): New function, contributed by Nikos Mavrogiannopoulos. * testsuite/gcm-test.c: New file, contributed by Nikos Mavrogiannopoulos. * Makefile.in (nettle_SOURCES): Added gcm.c. (HEADERS): Added gcm.h. * gcm.c: New file, contributed by Nikos Mavrogiannopoulos. * gcm.h: New file, contributed by Nikos Mavrogiannopoulos. * macros.h (INCREMENT): New macro, moved from ctr.c. Deleted third argument. * ctr.c: Use INCREMENT macro from macros.h, deleted local version. 2011-01-07 Niels Möller * testsuite/Makefile.in (check): Add ../.lib to PATH, since that's where w*ndows looks for dlls. * testsuite/testutils.c (test_cipher_stream): More debug output on failure. 2010-12-14 Niels Möller * nettle-types.h: Deleted some unnecessary parenthesis from function typedefs. (nettle_realloc_func): Moved typedef here... * realloc.h: ...from here. * buffer.c (nettle_buffer_init_realloc): Use an explicit pointer for realloc argument. 2010-12-07 Niels Möller * nettle.texinfo (Copyright): Updated info on blowfish. 2010-11-26 Niels Möller Reapplied optimizations (150% speedup on x86_32) and other fixes, relicensing them as LGPL. * blowfish.c (do_encrypt): Renamed, to... (encrypt): ...new name. (F): Added context argument. Shift input explicitly, instead of reading individual bytes via memory. (R): Added context argument. (encrypt): Deleted a bunch of local variables. Using the context pointer for everything should consume less registers. (decrypt): Likewise. (initial_ctx): Arrange constants into a struct, to simplify key setup. (blowfish_set_key): Some simplification. 2010-11-26 Simon Josefsson * blowfish.c: New version ported from libgcrypt. License changed from GPL to LGPL. 2010-11-25 Niels Möller * Makefile.in (install-shared-nettle): Use INSTALL_DATA, which clears the execute permission bits. (install-shared-hogweed): Likewise. 2010-11-16 Niels Möller * configure.ac: Updated gmp url. 2010-11-01 Niels Möller * tools/misc.c (werror): Don't call exit (copy&paste-error). 2010-10-26 Niels Möller * examples/rsa-encrypt.c (main): No extra message for bad options. * examples/rsa-keygen.c (main): Added long options. Deleted -?, and fixed handling of bad options. * examples/next-prime.c (main): Deleted -?, and fixed handling of bad options. * examples/random-prime.c (main): Likewise. 2010-10-22 Niels Möller * examples/nettle-benchmark.c (main): Added long options. Deleted -?, and fixed handling of bad options. * examples/eratosthenes.c (main): Added long options. Deleted -?, and fixed handling of bad options. Renamed -s to -q (long option --quiet). * tools/pkcs1-conv.c (main): Deleted short alias -? for --help, and fixed handling of bad options. * tools/sexp-conv.c (parse_options): Likewise. 2010-10-06 Niels Möller * memxor.c (memxor3): Optimized. (memxor3_common_alignment): New function. (memxor3_different_alignment_b): New function. (memxor3_different_alignment_ab): New function. (memxor3_different_alignment_all): New function. * examples/nettle-benchmark.c (time_function): Reorganized, to reduce overhead. (time_memxor): Also benchmark memxor3. * x86_64/memxor.asm: New file. * examples/nettle-benchmark.c (overhead): New global variable. (time_function): Compensate for call overhead. (bench_nothing, time_overhead): New functions. (time_memxor): Tweaked src size, making it an integral number of words. (main): Call time_overhead. 2010-10-01 Niels Möller * x86_64/camellia-crypt-internal.asm (ROUND): Reordered sbox lookups. * testsuite/memxor-test.c: Also test memxor3. 2010-09-30 Niels Möller * configure.ac: Link in memxor.asm, if found. * testsuite/testutils.c (test_cipher_cbc): Print more info when failing. * testsuite/memxor-test.c (test_xor): Added verbose printout. * examples/nettle-benchmark.c (time_memxor): Count size of unsigned long as "block size" for memxor. 2010-09-24 Niels Möller * testsuite/.test-rules.make: Added rule for memxor-test. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added memxor-test.c * testsuite/memxor-test.c: New file. * memxor.c (memxor_common_alignment): New function. (memxor_different_alignment): New function. (memxor): Optimized to do word-operations rather than byte operations. * configure.ac (HAVE_NATIVE_64_BIT): New config.h define. Partial revert of 2010-09-20 changes. * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Reintroduce CAMELLIA_F_HALF_INV, for 32-bit machines. * camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Two variants, differing in where addition of the key is done. * x86/camellia-crypt-internal.asm: Moved addition of key. 2010-09-22 Niels Möller * examples/nettle-benchmark.c (BENCH_INTERVAL): Changed unit to seconds. (time_function): Use clock_gettime with CLOCK_PROCESS_CPUTIME_ID, if available. This gives better accuracy, at least on recent linux. (BENCH_INTERVAL): Reduced to 0.1 s. (struct bench_memxor_info): New struct. (bench_memxor): New function. (time_memxor): New function. (main): Use time_memxor. Added optional argument used to limit the algorithms being benchmarked. (GET_CYCLE_COUNTER): Define also for x86_64. (time_memxor): Improved display. * examples/Makefile.in (nettle-benchmark): Link using $(BENCH_LIBS) rather than $(LIBS). * configure.ac: Check for clock_gettime, and add -lrt to BENCH_LIBS if needed. 2010-09-20 Niels Möller * configure.ac: Less quoting when invoking $CC, to allow CC="gcc -m32". * x86/camellia-crypt-internal.asm (ROUND): Adapted to new key convention, moving key xor to the end. * camellia-set-encrypt-key.c (CAMELLIA_F_HALF_INV): Deleted macro. (camellia_set_encrypt_key): Deleted the CAMELLIA_F_HALF_INV operations intended for moving the key xor into the middle of the round. * camellia-crypt-internal.c (CAMELLIA_ROUNDSM): Moved addition of key to the end, to use a 64-bit xor operation. * x86_64/camellia-crypt-internal.asm: New file. * x86_64/machine.m4 (LREG, HREG, XREG): New macros. 2010-09-17 Niels Möller * configure.ac: Support shared libraries (dlls) with mingw32. Contributed by David Hoyt. 2010-07-25 Niels Möller * configure.ac: Changed version number to nettle-2.2. * Released nettle-2.1. * configure.ac: Use camellia-crypt-internal.asm, if available. Bumped soname to libnettle.so.4, and reset LIBNETTLE_MINOR to zero. * x86/machine.m4 (LREG, HREG): Moved macros here, from... * x86/aes.m4: ...here. * x86/camellia-crypt-internal.asm: New file. * nettle.texinfo: Updated and expanded section on DSA. Document aes_invert_key, and camellia. Added missing functions rsa_sha512_verify and rsa_sha512_verify_digest. * camellia.h (struct camellia_ctx): Eliminate the two unused subkeys, and renumber the remaining ones. * camellia-crypt-internal.c (_camellia_crypt): Updated for renumbered subkeys. * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Likewise. * camellia-set-decrypt-key.c (camellia_invert_key): Likewise. * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Inline the expansion of camellia_setup128 and camellia_setup256, keeping the unexpanded key in scalar variables. (camellia_setup128): Deleted. (camellia_setup256): Deleted. 2010-07-24 Niels Möller * camellia-set-encrypt-key.c (camellia_set_encrypt_key): Reduced code size, no complete loop unroll. Use one loop for each phase of the post-processing. * testsuite/camellia-test.c: New tests for camellia_invert_key. * testsuite/aes-test.c: New tests for aes_invert_key. * aes.h (aes_invert_key): Declare it. * aes-set-decrypt-key.c (aes_invert_key): New function, key inversion code extracted from aes_set_decrypt_key. (aes_set_decrypt_key): Use aes_invert_key. * camellia-set-encrypt-key.c (camellia_setup128): Generate unmodified subkeys according to the spec. Moved clever combination of subkeys to camellia_set_encrypt_key. (camellia_setup256): Likewise. (camellia_set_encrypt_key): Moved subkey post-processing code here, and reduce code duplication between 128-bit keys and larger keys. * camellia.c: Deleted file, split into several new files... * camellia-table.c (_camellia_table): New file with the constant sbox tables. * camellia-set-encrypt-key.c: New file. (camellia_setup128): Generate unmodified subkeys according to the spec. Moved clever combination of subkeys to camellia_set_encrypt_key. (camellia_setup256): Likewise. * camellia-set-decrypt-key.c: New file. (camellia_invert_key): Key inversion function. (camellia_set_decrypt_key): New key setup function. * camellia-internal.h: New file. * camellia-crypt.c (camellia_crypt): New file, new wrapper function passing the sbox table to _camellia_crypt. * camellia-crypt-internal.c (_camellia_crypt): New file, with main encrypt/decrypt function. * Makefile.in (nettle_SOURCES): Updated list of camellia source files. (DISTFILES): Added camellia-internal.h. 2010-07-20 Niels Möller * camellia-meta.c: Use _NETTLE_CIPHER_SEP_SET_KEY. * camellia.h (struct camellia_ctx): Replaced flag camellia128 by expanded key length nkeys. * camellia.c (camellia_set_encrypt_key): Renamed, from... (camellia_set_key): ... old name. (camellia_invert_key): New function. (camellia_set_decrypt_key): New function, using camellia_invert_key. (camellia_crypt): Renamed, from... (camellia_encrypt): ... old name. (camellia_decrypt): Deleted, no longer needed. camellia_crypt used for both encryption and decryption. * nettle-meta.h (_NETTLE_CIPHER_SEP_SET_KEY): New macro. * dsa-keygen.c: Removed unnecessary include of memxor.h. * camellia.c: Rewrote to use 64-bit type for subkeys and use 64-bit operations throughout. Performance on x86_32, when compiled with gcc-4.4.4, is reduced by roughly 15%, this should be fixed later. * camellia.h (struct camellia_ctx): Use type uint64_t for subkeys. 2010-07-07 Niels Möller * aes.h (aes_encrypt, aes_decrypt): Declare ctx argument as const. Also updated implementation. * blowfish.h (blowfish_encrypt, blowfish_decrypt): Likewise. * cast128.h (cast128_encrypt, cast128_decrypt): Likewise. * serpent.h (serpent_encrypt, serpent_decrypt): Likewise. * twofish.h (twofish_encrypt, twofish_decrypt): Likewise. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added camellia-test.c. * examples/nettle-benchmark.c: Added camellia ciphers. * Makefile.in (nettle_SOURCES): Added camellia.c and camellia-meta.c. (HEADERS): Added camellia.h. * nettle-meta.h (nettle_camellia128): Declare. (nettle_camellia192): Likewise. (nettle_camellia256): Likewise. * camellia-meta.c: New file. * camellia.h: Rewrote interface to match nettle conventions. * camellia.c: Converted to nettle conventions. (camellia_encrypt128, camellia_encrypt256): Unified to new function... (camellia_encrypt): ...New function, with a loop doing 6 regular rounds, one FL round and one FLINV round per iteration, with iteration count depending on the key size. (camellia_decrypt128, camellia_decrypt256): Similarly unified as... (camellia_decrypt): ...New function, analogous to camellia_encrypt. 2010-07-06 Niels Möller * camellia.c, camellia.h: New files, copied from http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. * testsuite/camellia-test.c: New file. 2010-07-05 Niels Möller * nettle.texinfo: Document new conventions for weak key and des parity checks. Document des_check_parity. * testsuite/des-test.c (test_weak): Don't check the deleted status attribute. * des-compat.c (des_key_sched): Rewrote error checking logic for the case of non-zero des_check_key. * des3.c (des3_set_key): Changed weak key detection logic. Complete key setup also for weak keys, and don't set the status attribute. * des.c (des_set_key): New iteration logic, to keep key pointer unchanged. Moved weak key check to the end, and don't set the status attribute. (des_encrypt): Ignore status attribute. (des_decrypt): Likewise. * des.h (enum des_error): Deleted. (struct des_ctx): Deleted status attribute. (struct des3_ctx): Likewise. * blowfish.c (initial_ctx): Deleted status value. (blowfish_encrypt): Ignore status attribute. (blowfish_decrypt): Likewise. (blowfish_set_key): Return result from weak key check, without setting the status attribute. * blowfish.h (enum blowfish_error): Deleted. (struct blowfish_ctx): Deleted status attribute. * Makefile.in (des_headers): Deleted parity.h. 2010-06-30 Niels Möller * testsuite/des-test.c (test_des): New function. (test_weak): New function. (test_main): Use test_des and test_weak. Added tests for all the weak keys. Added some tests with invalid (to be ignored) parity bits. * des.c (parity_16): New smaller parity table. (des_check_parity): New function. (des_fix_parity): Use parity_16. (des_weak_p): New weak-key detection. Ignores parity bits, and uses a hash table. (des_set_key): Deleted parity checking code. Replaced old weak-key detection code by a call to des_weak_p. 2010-06-04 Niels Möller * testsuite/testutils.c (test_dsa_key): Updated for new name DSA_SHA1_MIN_P_BITS. * dsa-keygen.c (dsa_generate_keypair): Use DSA_SHA1_MIN_P_BITS and DSA_SHA256_MIN_P_BITS. * dsa.h (DSA_MIN_P_BITS, DSA_Q_OCTETS, DSA_Q_BITS): Renamed to... (DSA_SHA1_MIN_P_BITS, DSA_SHA1_Q_OCTETS, DSA_SHA1_Q_BITS): New names. * sexp2dsa.c (dsa_keypair_from_sexp_alist): New argument q_bits. Renamed parameter limit to p_max_bits. (dsa_sha1_keypair_from_sexp): Renamed, was dsa_keypair_from_sexp. Updated to call dsa_keypair_from_sexp_alist with the new argument. (dsa_sha256_keypair_from_sexp): New function. (dsa_signature_from_sexp): New argument q_bits. * der2dsa.c (dsa_params_from_der_iterator): Enforce 160-bit limit on q. Renamed parameter limit to p_max_bits. (dsa_openssl_private_key_from_der_iterator): Enforce 160-bit limit on q and x. Renamed parameter limit to p_max_bits. 2010-06-03 Niels Möller * testsuite/dsa-test.c (test_main): Added test for dsa-sha256. 2010-06-02 Niels Möller * testsuite/dsa-test.c (test_main): Provide expected value of the signature. * testsuite/testutils.c (test_dsa160): Added argument for expected signature. (test_dsa256): Likewise. 2010-06-01 Niels Möller * testsuite/rsa-keygen-test.c (test_main): Updated expected signatures. * examples/random-prime.c (main): Updated for nettle_random_prime change. * testsuite/random-prime-test.c (test_main): Likewise. * rsa-keygen.c (bignum_random_prime): Deleted function. (rsa_generate_keypair): Use new nettle_random_prime. Generate secret factors p and q with the two most significant bits set. * dsa-keygen.c (dsa_generate_keypair): Updated for changes in nettle_random_prime and _nettle_generate_pocklington_prime. Invoke progress callback. * bignum-random-prime.c (_nettle_generate_pocklington_prime): New argument top_bits_set, to optionally generate primes with the two most significant bits set. Reordered argument list. (nettle_random_prime): Likewise, added top_bits_set argument. Invoke progress callback when a prime is generated. 2010-05-26 Niels Möller * dsa-keygen.c (dsa_generate_keypair): Use _nettle_generate_pocklington_prime. Deleted old key generation code. * bignum-random-prime.c (_nettle_generate_pocklington_prime): Also return the used r. Updated caller. * examples/random-prime.c (main): Allow sizes down to 3 bits. * bignum-random-prime.c (_nettle_generate_pocklington_prime): New function. Rely on mpz_probab_prime_p (for lack of a trial division function) for trial division. (nettle_random_prime): Rewritten. Uses the prime table for the smallest sizes, then trial division using a new set of tables, and then Maurer's algorithm, calling the new _nettle_generate_pocklington_prime for the final search. 2010-05-25 Niels Möller * testsuite/dsa-test.c (test_main): Updated for dsa testing changes. * testsuite/dsa-keygen-test.c (test_main): Test dsa256. * testsuite/testutils.h (struct nettle_mac): New struct, currently unused. * testsuite/testutils.c (test_mac): New function (currently not used). (test_dsa): Replaced by two new functions... (test_dsa160): New function. (test_dsa256): New function. (test_dsa_key): New argument q_size. (DSA_VERIFY): Generalized. * dsa-keygen.c (dsa_generate_keypair): Rewritten, now generating primes using Pocklington's theorem. Takes both p_size and q_size as arguments. 2010-05-20 Niels Möller * bignum-random-prime.c (miller_rabin_pocklington): Fixed broken logic when Miller-rabin succeeds early. 2010-04-09 Niels Möller * bignum-next-prime.c: Include stdlib.h, needed for alloca on freebsd. * hmac.c: Likewise. * examples/Makefile.in (SOURCES): Added random-prime.c. * examples/random-prime.c: New program. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Moved knuth-lfib-test.c, cbc-test.c, ctr-test.c, hmac-test.c here, from TS_HOGWEED_SOURCES. (TS_HOGWEED_SOURCES): Added random-prime-test.c. * testsuite/random-prime-test.c: New test case. * examples/next-prime.c (main): With no command line arguments. exit after dislaying usage message. * examples/io.c (simple_random): Free buffer when done. * configure.ac: Changed message, say CC is the recommended way to configure the ABI. * bignum-random.c: Deleted test of HAVE_LIBGMP. * bignum.c: Likewise. * sexp2bignum.c: Likewise. * Makefile.in (hogweed_SOURCES): Added bignum-random-prime.c. * bignum-random-prime.c (nettle_random_prime): New file, new function. 2010-03-31 Niels Möller * examples/nettle-benchmark.c (main): Benchmark sha224. 2010-03-30 Niels Möller * testsuite/testutils.c (DSA_VERIFY): Updated for dsa_sha1_verify rename. (test_dsa): Check return value from dsa_sha1_sign. * Makefile.in (hogweed_SOURCES): Added dsa-sha1-sign.c, dsa-sha1-verify.c, dsa-sha256-sign.c, and dsa-sha256-verify.c. * dsa.h: Updated and added dsa declarations. * dsa-sha256-verify.c (dsa_sha256_verify_digest): New file, new function. (dsa_sha256_verify): New function. * dsa-sha256-sign.c (dsa_sha256_sign_digest): New file, new function. (dsa_sha256_sign): New function. * dsa-sha1-verify.c (dsa_sha1_verify_digest): New file. Moved and renamed function, from dsa_verify_digest, rewrote to use _dsa_verify. (dsa_sha1_verify): Analogous change, renamed from dsa_verify. * dsa-sha1-sign.c (dsa_sha1_sign_digest): New file. Moved and renamed function, from dsa_sign_digest, rewrote to use _dsa_sign, and added return value. (dsa_sha1_sign): Analogous change, renamed from dsa_sign. * dsa-verify.c (_dsa_verify): New general verification function, for any hash. * dsa-sign.c (_dsa_sign): New general signing function, for any hash. Returns success code, like the rsa signture functions. 2010-03-29 Niels Möller * configure.ac (ABI): Attempt to use a better, ABI-dependant, default value for libdir. * x86/md5-compress.asm: Fixed function name in epilogue. * asm.m4 (EPILOGUE): Use . to refer to current address. * configure.ac (ABI): Detect which ABI the compiler is using. On x86_64, also check for __arch64__. 2010-03-28 Niels Möller * configure.ac (asm_path): For x86_64, check if compiler is generating 32-bit code. 2010-03-27 Niels Möller * testsuite/hmac-test.c (test_main): Rewrote rest of tests to use HMAC_TEST, and added more tests from Daniel Kahn Gillmor and from RFC 4231. * Makefile.in (nettle_SOURCES): Added hmac-sha224.c and hmac-sha384.c. * hmac.h: Added declarations of hmac-sha224 and hmac-sha384. * hmac-sha224.c: New file. 2010-03-26 Niels Möller * testsuite/hmac-test.c (HMAC_TEST): New macro. (test_main): Use HMAC_TEST for the md5 and sha1 tests, and add test vectors from Daniel Kahn Gillmor. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha224-test.c. * Makefile.in (nettle_SOURCES): Added sha224-meta.c and write-be32.c. (DISTFILES): Added nettle-write.h. * sha.h: Added declarations for sha224. Some are aliases for the corresponding sha256 definition. * sha256.c (sha256_digest): Use _nettle_write_be32. (sha224_init): New function. (sha224_digest): New function. * sha1.c (sha1_digest): Use _nettle_write_be32. * nettle-internal.h (NETTLE_MAX_HASH_BLOCK_SIZE) (NETTLE_MAX_HASH_DIGEST_SIZE): Increased, to take sha512 into account. * nettle-write.h: New file. * write-be32.c (_nettle_write_be32): New file, new function. * sha224-meta.c: New file. 2010-03-25 Niels Möller * hmac-sha384.c: New file. * testsuite/sha224-test.c: New file. * testsuite/md4-test.c (test_main): More test vectors, provided by Daniel Kahn Gillmor. * testsuite/md5-test.c (test_main): Likewise. * testsuite/sha1-test.c (test_main): Likewise. * testsuite/sha256-test.c (test_main): Likewise. * testsuite/sha384-test.c (test_main): Likewise. * testsuite/sha512-test.c (test_main): Likewise. * configure.ac: Bumped version numbers. Package version nettle-2.1, library versions libnettle.so.3.1, libhogweed.so.2.0. * examples/nettle-benchmark.c (main): Benchmark sha384. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha384-test.c. * testsuite/sha384-test.c: New file. * Makefile.in (nettle_SOURCES): Added sha384-meta.c. * sha384-meta.c: New file. * sha.h: Added declarations for sha384. Some are aliases for the corresponding sha512 definition. * sha512.c (sha512_write_digest): New function. (sha512_digest): Use it. (sha384_init): New function. (sha384_digest): New function. 2010-03-24 Niels Möller * sha512.c: (sha512_digest): Simplified handling of any final partial word of the digest. * sha512.c: Reorganized to use _nettle_sha512_compress. * sha512-compress.c (_nettle_sha512_compress): Compression function extracted from sha512.c to a new file. * Makefile.in (nettle_SOURCES): Added sha256-compress.c and sha512-compress.c. * sha256.c: Reorganized to use _nettle_sha256_compress. * sha256-compress.c (_nettle_sha256_compress): Compression function extracted from sha256.c to a new file. * examples/nettle-benchmark.c (main): Benchmark sha512. * rsa-keygen.c (rsa_generate_keypair): Ensure that bit size of e is less than bit size of n, and check for the unlikely case p = q. * rsa.h (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Reduced, to correspond to pkcs#1 encryption of single byte messagees. * pgp-encode.c (pgp_put_rsa_sha1_signature): Check return value from rsa_sha1_sign. * rsa-compat.c (R_SignFinal): Likewise. * rsa-md5-sign.c (rsa_md5_sign): Check and propagate return value from pkcs1_rsa_md5_encode. (rsa_md5_sign_digest): Check and propagate return value from pkcs1_rsa_md5_encode_digest. * rsa-md5-verify.c (rsa_md5_verify): Check return value from pkcs1_rsa_md5_encode. (rsa_md5_verify_digest): Check return value from pkcs1_rsa_md5_encode_digest. * rsa-sha1-sign.c: Analogous changes. * rsa-sha1-verify.c: Analogous changes. * rsa-sha256-sign.c: Analogous changes. * rsa-sha256-verify.c: Analogous changes. * rsa-sha512-sign.c: Analogous changes. * rsa-sha512-verify.c: Analogous changes. * pkcs1-rsa-md5.c (pkcs1_rsa_md5_encode) (pkcs1_rsa_md5_encode_digest): Added return value. Check and propagate return value from pkcs1_signature_prefix. * pkcs1-rsa-sha256.c (pkcs1_rsa_sha256_encode) (pkcs1_rsa_sha256_encode_digest): Likewise. * pkcs1-rsa-sha1.c (pkcs1_rsa_sha1_encode) (pkcs1_rsa_sha1_encode_digest): Likewise. * pkcs1-rsa-sha512.c (pkcs1_rsa_sha512_encode) (pkcs1_rsa_sha512_encode_digest): Likewise. * pkcs1.c (pkcs1_signature_prefix): Interface change, take both the total size and digest size as arguments, and return a status code to say if the size was large enough. * testsuite/Makefile.in: Added hogweed dependency for the test programs. 2010-03-23 Niels Möller * testsuite/rsa-test.c (test_main): Test signing with sha512. * testsuite/testutils.c (test_rsa_sha512): New function. * Makefile.in (hogweed_SOURCES): Added pkcs1-rsa-sha512.c, rsa-sha512-sign.c and rsa-sha512-verify.c. * rsa.h: Added prototypes for sha512-related functions. (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased. * pkcs1.h: Added prototypes for sha512-related functions. * rsa-sha512-verify.c: New file. * rsa-sha512-sign.c: New file. * pkcs1-rsa-sha512.c: New file. 2010-03-22 Niels Möller * Makefile.in (nettle_SOURCES): Added hmac-sha512.c. * testsuite/hmac-test.c (test_main): Added test cases for hmac-sha512. * hmac.h: Declare functions sha512-related functions. * hmac-sha512.c (hmac_sha512_set_key): New file. Basic sha512 support. * testsuite/Makefile.in (TS_NETTLE_SOURCES): Added sha512-test.c. * testsuite/sha512-test.c: New file. * macros.h (READ_UINT64, WRITE_UINT64): New macros. * Makefile.in (nettle_SOURCES): Added sha512.c and sha512-meta.c. * sha.h: Added sha512-related declarations. * nettle-meta.h: Likewise. * sha512-meta.c: New file. * sha512.c: New file. 2010-03-06 Niels Möller * Makefile.in (distdir): Include x86_64 assembler files. 2010-01-20 Niels Möller * configure.ac: Check for mpz_powm_sec. 2010-01-13 Niels Möller * Makefile.in ($(LIBHOGWEED_FORLINK)): Depend on $(LIBNETTLE_FORLINK). * configure.ac (LIBHOGWEED_LIBS): Added -lnettle -lgmp for the default case. Follows debian, and also makes dlopen of libhogweed.so work, without having to use RTLD_GLOBAL. (LIBHOGWEED_LINK): Added -L., to find our libnettle.so. 2009-10-21 Niels Möller * tools/Makefile.in (pkcs1-conv$(EXEEXT)): Added dependency on ../libhogweed.a. 2009-10-19 Niels Möller * tools/pkcs1-conv.c: Updated for dsa/der interface change. * der2dsa.c (dsa_public_key_from_der_iterators): Split into two new functions... (dsa_params_from_der_iterator): New function. (dsa_public_key_from_der_iterator): New function. (dsa_openssl_private_key_from_der_iterator): Renamed, was dsa_private_key_from_der_iterator. (dsa_openssl_private_key_from_der): Likewise. * dsa.h: Corresponding changees to prototypes and #defines. 2009-10-12 Niels Möller * sexp-format.c: Removed conditioning on HAVE_LIBGMP. * tools/pkcs1-conv.c: Support for DSA keys, contributed by Magnus Holmgren. * Makefile.in (hogweed_SOURCES): Added dsa2sexp.c and der2dsa.c. * der2dsa.c: New file, contributed by Magnus Holmgren. * dsa2sexp.c: Likewise. * dsa.h: Added prototypes. * configure.ac (LIBHOGWEED_MINOR): Bumped libhogweed minor version, now it's 1.1. * testsuite/rsa2sexp-test.c (test_main): Updated testcase for "rsa-pkcs1". 2009-10-11 Niels Möller * rsa2sexp.c (rsa_keypair_to_sexp): Changed default algorithm name to "rsa-pkcs1". 2009-09-20 Niels Möller * x86/sha1-compress.asm: Improved performance by 17% on AMD K7, by letting loopmix scramble the instruction order. 2009-09-15 Niels Möller * x86/sha1-compress.asm: Cleanup, removing old cruft. Slight improvement to ROUND_F1_NOEXP. Slight reduction of dependency-chains. 2009-08-25 Niels Möller * x86/sha1-compress.asm: Eliminated tmp variable for f3 rounds. * examples/nettle-benchmark.c (bench_sha1_compress): New function, for precise benchmarking of the compression function. 2009-06-08 Niels Möller * Released nettle-2.0. 2009-06-04 Niels Möller * configure.ac: Set version to 2.0 2009-05-30 Niels Möller * Makefile.in (.texinfo.info): Don't use a temporary output file $@T, trust makeinfo to remove output file on errors. 2009-05-19 Niels Möller * nettle.texinfo: Changed license to public domain. 2009-05-11 Niels Möller * nettle.texinfo: Fixes from Karl Berry. Added some more index terms. 2009-03-06 Niels Möller * x86_64/aes-encrypt-internal.asm: Reduced unrolling. Keep state in %eax--%edx only. * x86_64/aes-decrypt-internal.asm: Likewise. * x86_64/aes.m4 (MOVE_HREG): Deleted, no longer needed. (AES_STORE): Reduced offsets. (AES_ROUND): Use HREG directly, not MOVE_HREG. * x86_64/aes-decrypt-internal.asm: Rearrange register allocation. Put SA--SD in %eax--%edx, so the second byte can be accessed as %ah-%dh. TD is not needed, SD can be reused. Use the register that is saved for the outer loop counter, getting it off the stack. * x86_64/aes-encrypt-internal.asm: Likewise. * x86_64/aes.m4 (HREG, MOVE_HREG): New macros. (XREG): Fixed bug in handling of %r8 and %r9. (AES_ROUND): Use MOVE_HREG. 2009-02-10 Niels Möller * base16-meta.c (base16_encode_update_wrapper): Mark ctx argument as UNUSED. * testsuite/sexp-conv-test: Updated testcases for improved handling of comments. * tools/sexp-conv.c (sexp_convert_item): Use sexp_put_soft_newline to terminate comments, and modify indentation for the case that a list starts with a comment. * tools/output.c (sexp_output_init): Initialize soft_newline. (sexp_put_raw_char): Clear soft_newline. (sexp_put_newline): Check and reset soft_newline. (sexp_put_soft_newline): New function. * tools/output.h (struct sexp_output): Removed union with single element, and updated all users. New attribute soft_newline. 2008-12-22 Niels Möller * Makefile.in ($(des_headers)): Create files in $(srcdir). 2008-11-28 Niels Möller * testsuite/cxx-test.cxx: Include . 2008-11-22 Niels Möller * yarrow256.c (yarrow256_fast_reseed): Set ctx->seeded = 1, so that it is set if and only if the aes context has been initialized with aes_set_encrypt_key. (yarrow256_seed): No need to set ctx->seeded here. (yarrow256_update): Likewise. 2008-11-04 Niels Möller * examples/next-prime.c (main): Avoid using gmp_fprintf, to stay compatible with gmp-3.1. 2008-11-01 Niels Möller * nettle.texinfo: Updated for 2.0. New section on linking. * nettle-types.h, nettle-meta.h: Moved all typedefs for function types to nettle-types.h. Use non-pointer types, so that the types can be used to declare functions. Updated all users. 2008-10-31 Niels Möller * testsuite/yarrow-test.c (test_main): Updated for seed file changes. * sha-example.c (display_hex): Use %02x, not %2x. 2008-10-30 Niels Möller * tools/sexp-conv.c (main): Fixed file locking. 2008-10-25 Niels Möller * configure.ac: Set version to 2.0rc1. * examples/Makefile.in (next-prime$(EXEEXT)): Added -lnettle to linker. 2008-10-24 Niels Möller * sha256.c (ROUND): Simplified macro. * yarrow256.c (yarrow256_fast_reseed): Renamed (was yarrow_fast_reseed) and made non-static. Don't generate seed file here, let the application use yarrow256_random instead. (yarrow256_slow_reseed): Renamed (was yarrow_slow_reseed) and made non-static. (yarrow256_force_reseed): Deleted function, use yarrow256_slow_reseed instead. For backwards compatibility, yarrow.h defines yarrow256_force_reseed as an alias for that function. * yarrow.h (struct yarrow256_ctx): Deleted seed_file buffer. 2008-09-17 Niels Möller * x86/arcfour-crypt.asm: Improved loop logic, and unrolled loop twice. Gave a modest speedup. 2008-09-15 Niels Möller * yarrow256.c (yarrow256_seed): Disallow length == 0. * base64-decode.c (decode_table): Added vertical tab (VT) and form feed (FF) as white space characters. * x86_64/aes-decrypt-internal.asm: New file. 2008-09-13 Niels Möller * x86/aes-encrypt-internal.asm: Replaced pushl and popl in the loop with movl. Eliminated redundant movl. * x86/aes-decrypt-internal.asm: Likewise. * x86_64/aes.m4: New file. * x86/aes-encrypt-internal.asm: Updated for AES_FINAL_ROUND. Only three times through the substitution loop. * x86/aes-decrypt-internal.asm: Likewise. * x86_64/aes-encrypt-internal.asm: Likewise. * x86/aes.m4 (AES_FINAL_ROUND): Do the substitution on the least significant byte here. * x86/aes-encrypt-internal.asm: Updated use of AES_SUBST_BYTE. USe decl for outer loop. * x86/aes-decrypt-internal.asm: Likewise. * x86/aes.m4 (LREG, HREG): New macros. (AES_SUBST_BYTE): Take state registers as argument. Use LREG to get the corresponding byte register. (AES_ROUND): Use movzbl together with LREG and HREG. (AES_SUBST_BYTE): Likewise. 2008-09-10 Niels Möller * x86_64/sha1-compress.asm: Avoid using registers %rbx and %rbp, which must be preserved. 2008-09-08 Niels Möller * Makefile.in (stamp-h.in): Use $(AUTOHEADER). * x86_64/sha1-compress.asm: New x86_64 assembler, based on the x86 version. * configure.ac (asm_path): Set up asm_path for x86_64. * x86_64/machine.m4: New file, new directory. 2008-08-28 Niels Möller * examples/eratosthenes.c (main): Rewrote block-wise sieving to use less memory. New options -s and -v. 2008-08-27 Niels Möller * testsuite/sexp-conv-test (print_raw, print_nl): Use printf. Updated testcases with comments; comments are now preserved. * tools/sexp-conv.c (sexp_convert_item): Keep comments in advanced output. (parse_options): New --lock option. (main): Optionally lock output file. * tools/parse.c (sexp_check_token): Removed check for "any" token. All callers specify the token they expect. (sexp_parse): Pass on comment tokens. * tools/output.c (sexp_put_data): Made non-static. * tools/input.c (sexp_get_comment): New function. (sexp_get_token): Use sexp_get_comment. * tools/misc.h (enum sexp_token): Start enumeration with zero, zero is no longer used to mean any type. New type SEXP_COMMENT. * configure.ac: Check for fcntl file locking. 2008-08-26 Niels Möller * Makefile.in (tags-here): Put TAGS file in the source directory. * examples/Makefile.in (tags): Likewise. * testsuite/Makefile.in (tags): Likewise. * tools/Makefile.in (tags): Likewise. 2008-02-29 Niels Möller * examples/Makefile.in (SOURCES): Added next-prime.c. 2008-01-05 Niels Möller * examples/Makefile.in (TARGETS): Added eratosthenes and next-prime. (next-prime, eratosthenes): New rules. (nettle-benchmark): Don't rely on $@. * examples/eratosthenes.c (find_first_one): Optimized, using slightly larger table. (main): Use atol, rather than atoi. * testsuite/symbols-test: Check symbols also in libhogweed. * examples/next-prime.c: New file. Deleted code for detailed timing. * Makefile.in (hogweed_SOURCES): Added bignum-next-prime.c. (DISTFILES): Added prime-list.h. (hogweed_OBJS): Removed $(LIBOBJS). * bignum-next-prime.c (nettle_next_prime): Renamed function, for name space reasons. Was bignum_next_prime. Updated call in rsa-keygen.c. (primes): Use prime-list.h. (nettle_next_prime): Skip Fermat test. Use mpz_millerrabin directly, rather than mpz_probab_prime_p, when the former is available. * bignum.h (nettle_next_prime): New prototype. * rsa-keygen.c (bignum_next_prime): Deleted, moved to bignum-next-prime.c. Call with a larger prime limit, this improves the running time of lsh-keygen by roughly 25%. * prime-list.h: List of odd primes < 2^16. * configure.ac: Check for sizeof(long). 2008-01-03 Niels Möller * examples/nettle-benchmark.c (main): Removed incorrect UNUSED from declaration. * bignum-next-prime.c: Moved the bignum_next_prime function to a separate file. 2007-09-08 Niels Möller * sparc64/aes-encrypt-internal.asm: The directory with the aes.m4 include file was renamed from "sparc" to "sparc32". Updated include. * sparc64/aes-decrypt-internal.asm: Likewise. * sparc32/aes-encrypt-internal.asm: Likewise. * sparc32/aes-decrypt-internal.asm: Likewise. 2007-09-07 Niels Möller * examples/read_rsa_key.c: Include stdlib.h. 2007-06-02 Niels Möller * Makefile.in: Typo fixes to install targets, spotted by Magnus Holmgren. 2007-05-14 Niels Möller * configure.ac: Fixed copy-and-paste errors in shared library name setup. * config.make.in (LIBNETTLE_SONAME, LIBHOGWEED_SONAME): Define. * Makefile.in (libnettle.so, libhogweed.so): Fixed rules. * Makefile.in: Split nettle library into two files, libnettle.a and libhogweed.a, and similarly for the shared libraries. * configure.ac: Bumped nettle so-versions to 3.0. Set hogweed so-versions to 1.0. New makefile conditionals IF_SHARED and IF_HOGWEED. Renamed WITH_PUBLIC_KEY to WITH_HOGWEED. Deleted SHLIBTARGET, SHLIBINSTALL, RSA_EXAMPLES and RSA_TOOLS. * config.make.in: Updated for hogweed split. * C source files: Don't use WITH_PUBLIC_KEY / WITH_HOGWEED, the Makefile sorts out which files should be compiled. * pgp.h: Include bignum.h, don't pretend to work without bignums. * pgp-encode.c (pgp_put_mpi, pgp_put_public_rsa_key) (pgp_put_rsa_sha1_signature): Define unconditionally. Removed the checking of HAVE_LIBGMP and WITH_PUBLIC_KEY. * examples/io.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY. * examples/io.c (read_rsa_key): Deleted, moved to... * examples/read_rsa_key.c: New file, extracted from io.c. * examples/Makefile.in: Use IF_HOGWEED instead of RSA_EXAMPLES. Link appropriate programs with -lhogweed. (SOURCES): Added read_rsa_key.c. * tools/Makefile.in (pkcs1-conv): Use IF_HOGWEED, not @RSA_TOOLS@, for configuration. Link with -lhogweed. * testsuite/testutils.h: Use WITH_HOGWEED, not WITH_PUBLIC_KEY. * testsuite/testutils.c: Likewise. * testsuite/Makefile.in (TS_NETTLE_SOURCES, TS_HOGWEED_SOURCES): Separate test cases using nettle and those also using hogweed. 2007-04-05 Niels Möller * Moved in CVS tree. Also renamed directory sparc to sparc32. 2007-02-24 Niels Möller * Makefile.in (clean-here): Remove .lib directory. (distclean-here): Remove machine.m4. 2006-12-05 Niels Möller * configure.ac: AC_PREREQ 2.61, for AC_PROG_MKDIR_P. * config.make.in (datarootdir): New directory variable (for autoconf-2.61). 2006-11-28 Niels Möller * configure.ac: Bumped version to 1.16. * Released nettle-1.15. 2006-11-27 Niels Möller * NEWS: New entry for nettle-1.15. * configure.ac (SHLIBMINOR): Bumped version. Library name is now libnettle.so.2.6. * sha256.c: Changed copyright notice to use the LGPL. * Makefile.in (DISTFILES): Added COPYING.LIB. * COPYING.LIB: New file (previously only the plain GPL was included in the distribution). * nettle.texinfo: Updated vor nettle-1.15. * testsuite/rsa-test.c (test_main): Use test_rsa_sha256. * testsuite/testutils.c (test_rsa_sha256): New function. * testsuite/Makefile.in (DISTFILES): Replaces rfc1750.txt by gold-bug.txt. * rsa.h (rsa_sha256_sign, rsa_sha256_verify) (rsa_sha256_sign_digest, rsa_sha256_verify_digest): New declarations. (RSA_MINIMUM_N_OCTETS, RSA_MINIMUM_N_BITS): Increased to 62 octets and 489 bits, respectively, for supporting sha256. * pkcs1.h (pkcs1_rsa_sha256_encode) (pkcs1_rsa_sha256_encode_digest): New declarations and name mangling symbols. * Makefile.in (nettle_SOURCES): Added pkcs1-rsa-sha256.c, rsa-sha256-sign.c, rsa-sha256-verify.c. * pkcs1-rsa-sha256.c, rsa-sha256-sign.c, rsa-sha256-verify.c: New files. * COPYING, INSTALL, install-sh, texinfo.tex: Updated files, from automake-1.10. 2006-11-27 Niels Möller * tools/Makefile.in (install): Use MKDIR_P to create installation directory. Install only one file at a time. * Makefile.in (MKDIR_P): Use MKDIR_P for creating installation directories. * configure.ac: Use AC_PROG_MKDIR_P. 2006-11-24 Niels Möller * testsuite/yarrow-test.c (test_main): Use gold-bug.txt as input file, instead of rfc1750.txt. * testsuite/gold-bug.txt: New test input file for yarrow-test. The copyright on this short story by Edgar Allan Poe has expired. * testsuite/rfc1750.txt: Deleted file. Debian considers RFC:s non-free, and it was expired anyway. Replaced by gold-bug.txt. 2006-11-24 Niels Möller * Almost all header files: Added C++ guards. * configure.ac: Test if the system has any C++ compiler. * config.make.in (CXX, CXXFLAGS, COMPILE_CXX, LINK_CXX): New variables. * testsuite/Makefile.in: New variables TS_C and TS_CXX. Setup for compiling the C++ file cxx-test.cxx. * testsuite/cxx-test.cxx: New testcase, trying to use nettle from a C++ program. 2006-08-28 Niels Möller * index.html: Added section on language bindings. 2006-06-10 Niels Möller * configure.ac: Darwin shared library support, from Grant Robinsson. 2006-05-18 Niels Möller * src/nettle/x86/aes.asm: Deleted unused file. * aes-decrypt.c (_aes_decrypt_table): Deleted the indexing array, previously commented out. * aes-encrypt-table.c (_aes_encrypt_table): Likewise. * Makefile.in (.texinfo.info, .dvi.ps): Use more quotes with basename. (install-here, install-shared, install-info, install-headers): Use plain mkdir, not $(INSTALL) -d. 2006-05-16 Niels Möller Merged from the lsh experimental branch. 2006-04-26 Niels Möller * examples/rsa-decrypt.c: Don't include "getopt.h", since it's not used. * examples/nettle-benchmark.c: Include "getopt.h". * examples/Makefile.in (GETOPT_OBJS): New variable. (rsa-keygen, rsa-encrypt, nettle-benchmark): Depend on and link with $(GETOPT_OBJS). * x86/aes-decrypt-internal.asm: Use ALIGN. * x86/aes-encrypt-internal.asm: Likewise. * x86/arcfour-crypt.asm: Likewise. * x86/md5-compress.asm: Likewise. * x86/sha1-compress.asm: Likewise. * config.m4.in (ASM_ALIGN_LOG): Substitute. * configure.ac (ASM_ALIGN_LOG): Check if .align directive is logarithmic. * asm.m4 (ALIGN): New macro. Takes a logarithmic argument, and expands to a .align directive. 2006-04-21 Niels Möller * nettle.texinfo (Public-key algorithms): Say that the public key operations are undocumented, not unsupported. Reported by Jeronimo Pellegrini. 2006-04-08 Niels Möller * tools/pkcs1-conv.c (read_pem): Fixed c99-style declaration. Reported by Henrik Grubbström. 2006-01-31 Niels Möller * examples/rsa-verify.c: Fixed typo in usage message. 2005-12-05 Niels Möller * configure.ac: Bumped version to 1.15, * Released nettle-1.14. * NEWS: Updated for 1.14. * configure.ac (SHLIBMINOR): Increased minor number. Library version is now libnettle.so.2.5, soname still libnettle.so.2. 2005-11-28 Niels Möller * config.make.in (INSTALL): Don't substitute INSTALL, INSTALL_DATA and friends here, to get a correct a relative filename for install-sh when used in tools/Makefile. * tools/Makefile.in (INSTALL): Substitute INSTALL, INSTALL_DATA and friends here. * Makefile.in (INSTALL): Likewise. 2005-11-27 Niels Möller * Makefile.in (.texinfo.pdf): New rule. Avoid dependency on intermediate .dvi and .ps files. * testsuite/Makefile.in (clean): Delete sha1-huge-test. * Makefile.in (install-info, install-headers): Don't use $< and $?; Solaris make doesn't support them in explicit rules. 2005-11-26 Niels Möller * testsuite/Makefile.in: Include .test-rules.make, which contains the rules for all the test executables. (test-rules): New rule, to update this file. (DISTFILES): Added $(EXTRA_SOURCES). * testsuite/.test-rules.make: Automatically generated file for building the test programs. 2005-11-25 Niels Möller * configure.ac: Disable assembler when compiling with rntcl. * tools/Makefile.in (pkcs1_conv_SOURCES): New variable. (pkcs1-conv): Link with getopt.o and getopt1.o. * Makefile.in (aesdata, desdata, shadata): Use explicit rules for executables. * testsuite/Makefile.in: Use %-rules for building the -test executables, in addition to the suffix rules. Hopefully, this should make all of GNU make, BSD make and Solaris make happy. Use $(EXEEXT) and $(OBJEXT) more consistently. * examples/Makefile.in: Use explicit rules for all executable targets. Use $(EXEEXT) and $(OBJEXT) more consistently. 2005-11-25 Niels Möller * testsuite/Makefile.in: Avoid using single-suffix rule to build executables. 2005-11-24 Niels Möller * Makefile.in (distdir): Use [ -f, not [ -e, since the latter is less portable, and not supported by Solaris /bin/sh. 2005-11-23 Niels Möller * testsuite/Makefile.in (DISTFILES): Added teardown-env. * testsuite/teardown-env: New file. Delete files created by the testsuite. 2005-11-21 Niels Möller * testsuite/testutils.c (main): Fixed check for -v option. Spotted by Goran K. 2005-11-21 Niels Möller * ctr.h (CTR_CTX, CTR_CRYPT): Fixed bugs, spotted by Goran K. 2005-11-20 Niels Möller * Makefile.in (nettle_SOURCES): Added der2rsa.c. * testsuite/Makefile.in (TS_SH): Added pkcs1-conv-test. * tools/Makefile.in (TARGETS): Added @RSA_TOOLS@. (SOURCES): Added pkcs1-conv.c. (pkcs1-conv): New rule. * tools/pkcs1-conv.c: New program. * testsuite/pkcs1-conv-test: New file. * examples/rsa-verify-test: Use rsa-sign to create signature. * examples/io.c (read_file): Fixed spelling in error message. * rsa.h (rsa_public_key_from_der_iterator) (rsa_private_key_from_der_iterator, rsa_keypair_from_der): Declare functions. * der2rsa.c: New file. * der-iterator.c (asn1_der_iterator_init): Initialize length and data. (asn1_der_iterator_next): Support for lengths >= 0x80. (asn1_der_decode_constructed_last, asn1_der_decode_bitstring) (asn1_der_decode_bitstring_last): New functions. (asn1_der_get_bignum): Check for non-mininal encodings. * configure.ac (RSA_TOOLS): New substituted variable. Includes pkcs1-conv, when public-key support is enabled. * bignum.h (nettle_asn1_der_get_bignum): Include nettle_-prefix in declaration. * asn1.h: Added name mangling defines, and a few new declarations. 2005-11-13 Niels Möller * Makefile.in (nettle_SOURCES): Added der-iterator.c. (HEADERS): Added asn1.h. * bignum.h (asn1_der_get_bignum): Declare function. * der-iterator.c: New file. * asn1.h: New file. 2005-11-07 Niels Möller * examples/nettle-benchmark.c: Check HAVE_UNISTD_H. * examples/Makefile.in (TARGETS): Use $(EXEEXT). * tools/Makefile.in (TARGETS, sexp-conv, nettle-lfib-stream): Likewise. * configure.ac: Use $host_cpu, not $host, when setting up the assembler path. Use $host_os, not uname, when setting up shared library flags. * Makefile.in (des.$(OBJEXT)): Use OBJEXT. * config.guess, config.sub: In the CVS tree, moved files to the lsh top-level directory. 2005-10-23 Niels Möller * sparc64/arcfour-crypt.asm: New file, almost the same as sparc/arcfour-crypt.asm. * examples/nettle-benchmark.c (display): Use two decimal places. * sparc/arcfour-crypt.asm: Reorganized. Main loop unrolled four times. Uses aligned 32-bit write accesses at DST. Still uses 8-bit read accesses at SRC; could be improved int he case that SRC and DST have compatible alignment. 2005-10-19 Niels Möller * testsuite/arcfour-test.c (test_main): New testcase with 512 bytes of data. 2005-10-19 Niels Möller * sparc/arcfour-crypt.asm: Fixed bug, spotted by Mikael Kalms. We must order the store at [CTX+I] before the load of [CTX+SI+SJ]. 2005-10-18 Niels Möller * sparc/arcfour-crypt.asm: Special unrolled code if SRC and DST have compatible alignment. Improves performance by 20%, but I'm not sure it's worth the extra complexity. * bignum.c (nettle_mpz_from_octets): Removed sign argument. If mpz_import is available, define nettle_mpz_from_octets as a macro calling mpz_import. (nettle_mpz_from_octets): Start by setting x to zero; callers no longer need to do that. (nettle_mpz_set_str_256_s): New logic for the handling of negative numbers. Convert in the same way as for positive numbers, and then subtract the appropriate power of two. 2005-10-17 Niels Möller * bignum.c (nettle_mpz_from_octets): Improved loop. Removed the digit temporary (suggested by Torbjörn Granlund). * sparc/arcfour-crypt.asm: Improved instruction scheduling. * sparc/arcfour-crypt.asm: Bugfix, use lduh and stuh. * sparc/arcfour-crypt.asm: New file. * sparc64/aes.asm: Deleted unused file. * x86/arcfour-crypt.asm: Use ARCFOUR_I and ARCFOUR_J * asm.m4 (ARCFOUR): New struct. 2005-10-17 Niels Möller * aes-internal.h (struct aes_table): Deleted idx and sparc_idx arrays. * aes-encrypt-table.c (_aes_encrypt_table): Likewise. * aes-decrypt.c (_aes_decrypt_table): Likewise. * asm.m4 (AES): Likewise 2005-10-16 Niels Möller * tools/input.c (sexp_get_char): Use unsigned for the done flag. * sparc64/aes-encrypt-internal.asm: Include sparc/aes.m4. * sparc64/aes-decrypt-internal.asm: Likewise. * sparc64/machine.m4: Use .register pseudo op to say that we use %g2 and %g3 as scratch registers. * sparc/aes-encrypt-internal.asm: Explicitly include sparc/aes.m4. * sparc/aes-decrypt-internal.asm: Likewise. * sparc/aes.m4: New file. Moved aes-related macros here... * sparc/machine.m4: ... removed aes macros. * x86/aes-encrypt-internal.asm: Explicitly include x86/aes.m4. * x86/aes-decrypt-internal.asm: Likewise. * x86/aes.m4: New file. Moved aes-related macros here, from... * x86/machine.m4: ... removed aes macros. * sparc64/aes-encrypt-internal.asm: New file. * sparc64/aes-decrypt-internal.asm: New file. * sparc64/machine.m4: Include the same aes macros used for sparc32. (BIAS): Define magic stack bias constant. * sparc/aes-encrypt-internal.asm, sparc/aes-decrypt-internal.asm: Reduced frame size to 104 bytes, since we no longer need wtxt and tmp on the stack. * sparc/aes.asm: Deleted old aes implementation. * sparc/aes-decrypt-internal.asm: New file. * sparc/machine.m4: Don't use m4 eval, instead rely on the assembler's arithmetic. * sparc/machine.m4 (AES_FINAL_ROUND): Better scheduling, by interleaving independent operations. * sparc/machine.m4 (TMP3): A third temporary register. (AES_FINAL_ROUND): Prepared for scheduling. * sparc/machine.m4 (AES_ROUND): Deleted unused argument T. Updated all calls in aes-encrypt-internal.asm. * sparc/machine.m4 (AES_ROUND): New loop invariants T0-T3, to avoid the additions of the AES_TABLEx constants in the inner loop. * sparc/machine.m4 (AES_ROUND): Better scheduling, by interleaving independent operations. * sparc/machine.m4 (AES_ROUND): Alternate between using TMP1 and TMP2, to prepare for scheduling. * sparc/aes-encrypt-internal.asm: Renamed Ti -> Xi. * sparc/aes-encrypt-internal.asm: Fixed bugs. Now passes the testsuite. * sparc/machine.m4 (AES_ROUND, AES_FINAL_ROUND): Bugfixes. Put NOPs in the load dely slots. * sparc/aes-encrypt-internal.asm: Implemented. Not yet working, and not optimized. * sparc/machine.m4: Use TMP1 and TMP2, so we don't need to pass them as arguments. (AES_FINAL_ROUND): New macro. 2005-10-15 Niels Möller * configure.ac (OBJDUMP): Substitute the program false if objdump is not found. * asm.m4 (PROLOGUE): Use TYPE_FUNCTION. * config.m4.in: Substitute ASM_TYPE_FUNCTION as TYPE_FUNCTION. * configure.ac (ASM_ELF_STYLE): Check for %function and #function, but not for @function. (ASM_TYPE_FUNCTION): New substituted variable. * configure.ac (ASM_ELF_STYLE): Fixed .type foo,@function statement used when checking for pseudo operations. * sparc/machine.m4 (AES_LOAD, AES_ROUND): Started writing new AES macros. * sparc/aes-encrypt-internal.asm: New file. 2005-10-14 Niels Möller * x86/aes-decrypt.asm, x86/aes-encrypt.asm: Deleted files. * x86/aes-decrypt-internal.asm: New file. * x86/machine.m4: Changed AES macros, to handle a table register. Also take more of the used registers as argument. * x86/aes-encrypt-internal.asm: Rewritten to match new interface, with the table pointer as an argument. Unlike the old code, this should really be position independent. * configure.ac: When looking for assembler files, link in aes-encrypt-internal.asm and aes-decrypt-internal.asm. Don't look for aes.asm, aes-encrypt.asm and aes-decrypt.asm. * configure.ac (OBJDUMP): Use AC_CHECK_TOOL to check for objdump. (ASM_MARK_NOEXEC_STACK): Use $OBJDUMP when examining the object file. * Makefile.in (nettle_SOURCES): Removed aes.c, aes-decrypt-table.c. Added aes-decrypt-internal.c and aes-encrypt-internal.c. * aes.c, aes-decrypt-table.c: Deleted files. * aes-decrypt.c (_aes_decrypt_table): Moved table here, and made static. * aes-internal.h (_aes_decrypt_table): Don't declare, it's no longer globally visible. * aes-decrypt-internal.c (_nettle_aes_decrypt): New AES decryption function, analogous to _nettle_aes_encrypt. 2005-10-14 Niels Möller * aes-internal.h (AES_ROUND, AES_FINAL_ROUND): New macros. * aes-encrypt-internal.c (_nettle_aes_encrypt): New AES encryption function, avoiding the table-based indexing. * sha1-compress.c: Added debugging code. * md5-compress.c: Likewise. 2005-10-13 Niels Möller * config.m4.in (ASM_MARK_NOEXEC_STACK): Use a diversion, to substitute the value of ASM_MARK_NOEXEC_STACK at the end of each assembler file. * configure.ac (ASM_MARK_NOEXEC_STACK): Check if the C compiler generates a .note.GNU-stack section. If so, we should do the same in our assembler files. * sparc64/aes.asm: New file. Copy of sparc/aes.asm, with minor changes to the stack frame layout. Patch contributed by Henrik Grubbström. Not yet tested. * x86/md5-compress.asm: Skip copying of input to the stack, and don't allocate space for it. (F1): Fixed bug. * testsuite/md5-test.c: Document intermediate values for first test case. * configure.ac (asm_path): Check for sparc64, and use sparc64 subdirectory. Link in md5-compress.asm, if it exists. 2005-10-13 Niels Möller * x86/md5-compress.asm (REF): Fixed calculation of offset. 2005-10-12 Niels Möller * x86/machine.m4 (OFFSET): Moved macro, used to be in... * x86/sha1-compress.asm (OFFSET): ... removed macro. * x86/md5-compress.asm: New file, with first attempt at md5 assembler. Not yet working. 2005-10-11 Niels Möller * Makefile.in (nettle_SOURCES): Added md5-compress.c. * md5.c: Reorganized to use _nettle_md5_compress, in analogy with sha1.c. * md5-compress.c (_nettle_md5_compress): New file and new function. 2005-10-10 Niels Möller * testsuite/Makefile.in (EXTRA_SOURCES, EXTRA_TARGETS): New variables, for test cases that are not run by default. * testsuite/sha1-huge-test.c (test_main): New test case, with a very large sha1 input. * testsuite/testutils.c (test_hash_large): New function. * sha1.c (sha1_block): Deleted function; inlined where used. (SHA1_INCR): New macro for incrementing the block count. 2005-10-06 Niels Möller * configure.ac: Bumped version to 1.14. * Released nettle-1.13. * configure.ac: Check for openssl/aes.h. * Makefile.in (distdir): Use a loop to pick up the contents of $(DISTFILES) from source and build directories. For some reason, $? failed to find stamp-h.in in the source directory. 2005-10-05 Niels Möller * x86/aes-decrypt.asm: Use C_NAME(_nettle_aes_decrypt_table) when using the AES_SUBST_BYTE macro. Use PROLOGUE and EPILOGUE. * x86/sha1-compress.asm: Use PROLOGUE and EPILOGUE. * x86/arcfour-crypt.asm: Likewise. * x86/aes-encrypt.asm: Likewise. * config.m4.in (ELF_STYLE): Substitute configure's ASM_ELF_STYLE. * asm.m4 (PROLOGUE, EPILOGUE): New macros, checking the value of ELF_STYLE. So far, used and tested only for the x86 assembler files, and needed to make the assembler happy both with ELF (linux, solaris) and COFF (windows). * configure.ac (NM): Use AC_CHECK_TOOL to check for nm. (ASM_SYMBOL_PREFIX): Use $NM when examining the object file. (ASM_ELF_STYLE): New variable. Set to 'yes' if assembling a file with ELF-style .type and .size pseudo ops works. * Makefile.in (TARGETS, DISTFILES): Added nettle.pdf. (.texinfo.dvi, .dvi.ps, .ps.pdf): New targets, to build nettle.pdf. (DOCTARGETS): New variable with targets that shouldn't be deleted by make clean. (maintainer-clean-here): New target. Deletes generated documentation files. * nettle.texinfo: Define AUTHOR with accents, when running in TeX mode, which doesn't handle latin-1 properly. Set UPDATED-FOR to 1.13. Updated copyright years, and introduced a COPYRIGHT-YEARS symbol. Updated copyright section, to mention assembler implementations. (Cipher modes): Transformed the Cipher Block Chaining to a section Cipher modes, describing both CBC and the new CTR mode. * src/nettle/x86/aes_tables.asm: Deleted unused file. * x86/aes.asm: Deleted contents. This file is needed just to override aes.c, which isn't needed for the x86 implementation. * configure.ac (SHLIBMINOR): Increased minor number. Library version is now libnettle.so.2.4, soname still libnettle.so.2. * examples/nettle-benchmark.c (main): Reordered hash benchmarks. * x86/sha1-compress.asm (EXPAND): Use % 16 instead of & 15 to compute offsets mod 16, since m4 on FreeBSD 49.RELEASE and NetBSD doesn't implement & correctly in eval. 2005-10-03 Niels Möller * x86/sha1-compress.asm (OFFSET): New macro. (F3): Eliminated a movl. (ROUND): New argument, for k. When using F3, it's TMP3, on the stack, otherwise, it is kept in TMP2, a register. 2005-10-03 Niels Möller * examples/nettle-openssl.c: Use correct block sizes for openssl ciphers. * examples/nettle-benchmark.c: Also display cycles per block. 2005-10-02 Niels Möller * sha1-compress.c (_nettle_sha1_compress): Updated to new interface. Now responsible for byte conversion. * x86/sha1-compress.asm (_nettle_sha1_compress): Do byte order conversion, and store the input data on the stack. This leaves one more register free for other uses. * examples/nettle-benchmark.c: Now display cycles/byte, if the -f option is used to say what the clock frequency is. * sha1.c (sha1_block): Don't convert data from uint8_t to uint32_t, that's now the responsibility of _nettle_sha1_compress. * sha.h (_nettle_sha1_compress): Changed interface. Second argument is now a pointer to the input data in unaligned, big-endian form. 2005-09-28 Niels Möller * sha1.c (sha1_final): Call sha1_block, don't call the compression function _nettle_sha1_compress directly. * nettle-internal.h (nettle_openssl_md5) (nettle_openssl_sha1): Declare. * examples/nettle-benchmark.c (main): Benchmark openssl md5 and sha1. * examples/nettle-openssl.c (nettle_openssl_md5) (nettle_openssl_sha1): Added glue for openssl hash functions. * nettle-internal.h (nettle_openssl_aes128, nettle_openssl_aes192) (nettle_openssl_aes256, nettle_openssl_arcfour128): Declare. * examples/nettle-benchmark.c: Check WITH_OPENSSL, not HAVE_LIBCRYPTO. Benchmark openssl's aes and arcfour code. * examples/nettle-openssl.c: Updated openssl des glue to use the new openssl des interface. Added glue for arcfour and aes. 2005-09-27 Niels Möller * nettle.texinfo (RSA): Improved text about the RSA patent. Use @documentencoding ISO-8859-1. 2005-09-07 Niels Möller * tools/sexp-conv.c (parse_options): New option --raw-hash, for compatibility with lsh-1.x. Equivalent to --hash. 2005-09-06 Niels Möller * tools/sexp-conv.c (main): With --hash, output a newline after each hash. 2005-07-02 Niels Möller * testsuite/Makefile.in (TS_SOURCES): Added ctr-test.c. * testsuite/testutils.c (test_cipher_ctr): New function. * testsuite/ctr-test.c: New file. * testsuite/cbc-test.c (test_main): Use static const for msg. * Makefile.in (nettle_SOURCES): Added ctr.c. (HEADERS): Added ctr.h. (HEADERS): Added nettle-types.h. (INSTALL_HEADERS): Install nettle-stdint.h. (distclean-here): Delete nettle-stdint.h, not nettle-types.h. * ctr.c (ctr_crypt): New file, new function. * memxor.c (memxor3): New function, suggested by Adam Langley. * nettle-internal.h (NETTLE_MAX_CIPHER_BLOCK_SIZE): New constant. * nettle.texinfo (Cipher functions): Fixed typo in prototype for arctwo_encrypt (noticed by Adam Langley). * nettle-meta.h: No longer needs to include cbc.h. * cbc.h (nettle_crypt_func): Moved typedef to nettle-types.h. (CBC_ENCRYPT, CBC_DECRYPT): Deleted older #if:ed out versions. * configure.ac (AX_CREATE_STDINT_H): Use the file name nettle-stdint.h, not nettle-types.h. * nettle-types.h: New file. Automatically generated declarations are now in nettle-stdint.h. 2005-03-17 Niels Möller * config.guess: Support Solaris on x86_64. Fix by Henrik Grubbström. 2005-01-03 Niels Möller * examples/io.h: Include RSA declarations only when public key algorithms are enabled. Problem reported by Meilof Veeningen . 2004-12-07 Niels Möller * Makefile.in: Install directories, using $(INSTALL) -d, only if they don't exist already. 2004-12-05 Niels Möller * config.make.in (.PRECIOUS): Reverted earlier change. We need .PRECIOUS to stop GNU make from deleting object files for the test programs. 2004-12-02 Niels Möller * Makefile.in (.SUFFIXES): Moved from Makefile.in to... * config.make.in (.SUFFIXES): ... here. This helps compilation with BSD make. * testsuite/Makefile.in (.SUFFIXES): Deleted target. * config.make.in (.c): Disable default rule for BSD-make. * Makefile.in (all check install uninstall) (clean distclean mostlyclean maintainer-clean): Don't use the -C flag when invoking make, for compatibility with Solaris make. 2004-12-02 Niels Möller * Makefile.in (aesdata, desdata): Commented out the explicit targets. (shadata): Avoid using $< in non-pattern rule. 2004-12-01 Niels Möller * config.make.in: Added a default target. 2004-11-29 Niels Möller * testsuite/Makefile.in: Use .$(OBJEXT). Explicitly set .SUFFIXES. * Makefile.in: Use .$(OBJEXT). 2004-11-28 Niels Möller * tools/Makefile.in (nettle-lfib-stream): Avoid using $< in non-suffix rule. * Makefile.in (distdir): Handle absolute $distdir. Avoid using the GNU extension $^. * examples/Makefile.in: Avoid using the GNU extension $^. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. 2004-11-24 Niels Möller * configure.ac: Fixed typo, preventing the creation of dependency files. 2004-11-23 Niels Möller * Makefile.in: Use DEP_INCLUDE. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. * examples/Makefile.in: Likewise. * configure.ac (dummy-dep-files): Generate only of dependency tracking is enabled. 2004-11-18 Niels Möller * Makefile.in (clean-here): The clean target should not delete the dependency files. Moved to the distclean target. * examples/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * configure.ac (ASM_SYMBOL_PREFIX): Fixed test. (dummy-dep-files): Added quotes to sed command. 2004-11-17 Niels Möller * testsuite/symbols-test: Try plain nm if nm -g doesn't work. * x86/sha1-compress.asm: Use C_NAME for global symbols. * x86/aes-encrypt.asm: Likewise. * x86/aes-decrypt.asm: Likewise. * x86/arcfour-crypt.asm: Likewise. * Makefile.in (config.m4): New rule. * config.m4.in (C_NAME): New macro. * configure.ac (ASM_SYMBOL_PREFIX): Check if global symbols have a leading underscore. 2004-11-16 Niels Möller * Deleted getopt.c, getopt.h and getopt1.c from the CVS tree. Link them from shared copies in lsh/misc instead. 2004-11-14 Niels Möller * Makefile.in (DEP_FILES): Try include with only one macro argument to be expanted. * configure.ac (dummy-dep-files): Create dummy dependency files, so that they can be included by the makefiles. 2004-11-13 Niels Möller * Makefile.in: Don't use -include, as it's GNU make specific. * examples/Makefile.in, tools/Makefile.in, testsuite/Makefile.in: Likewise. * examples/nettle-openssl.c: Check WITH_OPENSSL, not HAVE_LIBCRYPTO. * configure.ac: Check for individual openssl headers blowfish.h, cast.h, des.h. Renamed symbol HAVE_LIBCRYPTO to WITH_OPENSSL. New configure option --disable-openssl. 2004-11-04 Niels Möller * configure.ac: Bumped version to 1.13. * Released nettle-1.12. 2004-11-04 Niels Möller * nettle.texinfo (UPDATED-FOR): Bumped to 1.12. 2004-11-02 Niels Möller * nettle.texinfo (Cipher functions): Updated AES documentation, for aes_set_encrypt_key and aes_set_decrypt_key. (UPDATED-FOR): Set to 1.11. I think the manual should be updated with all user-visible changes. * aclocal.m4 (LSH_DEPENDENCY_TRACKING): Need extra quoting in case pattern. (This file really lives in the lsh tree, as lsh/acinclude.m4. For a complete ChangeLog, see lsh/Changelog). 2004-10-26 Niels Möller * configure.ac: Bumped version to 1.12. * Released nettle-1.11. * Makefile.in (clean-here): Delete *.s files. (PRE_CPPFLAGS): Use this variable, not INCLUDES. Removed -I$(srcdir). * x86/arcfour-crypt.asm: Use movzbl when extending %cl to 32 bits. 2004-10-24 Niels Möller * x86/arcfour-crypt.asm: Reverted the latest two changes; update bost src and dst pointers in the loop, and use plain addb when updating j. These two previous changes slowed the code down on AMD Duron. 2004-10-21 Niels Möller * Makefile.in (install-shared): Use $(INSTALL_PROGRAM). * configure.ac (SHLIBMINOR): Updated, shared library version is now libnettle.so.2.3, soname still libnettle.so.2. * Makefile.in (DISTFILES): Added asm.m4. 2004-10-21 Niels Möller * examples/Makefile.in: Deleted all configure-related rules, except the one rebuilding this Makefile. One should run make at top level if other configure related files change. * tools/Makefile.in: Likewise. * testsuite/Makefile.in: Likewise. * configure.ac: Replaced AC_OUTPUT(list...) with an AC_OUTPUT without arguments, and AC_CONFIG_FILES listing the files. * Makefile.in: Changed the assembler rules as suffix rules. Rewrote the configure-related rules, mostly based on the example in the autoconf manual. 2004-10-20 Niels Möller * examples/nettle-openssl.c (NCOMPAT): Disable openssl backwards compatibility. * config.make.in: Insert $(PRE_CPPFLAGS) and $(PRE_LDFLAGS) before $(CPPFLAGS) and $(LDFLAGS). This mechanism replaces $(INCLUDES). * examples/Makefile.in (PRE_CPPFLAGS, PRE_LDFLAGS): Use these flags to get -I.. and -L.. early on the command line. * testsuite/Makefile.in: Likewise * tools/Makefile.in: Likewise. 2004-10-20 Niels Möller * Makefile.in: In the assembler rules, there's no need to look in $(srcdir) for the input file. * x86/arcfour-crypt.asm: Reduced inner loop by one instruction, by precomputing the offset between src and dst. * tools/Makefile.in (.c.$(OBJEXT)): Removed redundant -I.. flag. * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Replaced addb -> addl + andl $0xff, improving speed on PPro by another 15%. 2004-10-20 Niels Möller * tools/Makefile.in (install): Support DESTDIR. (uninstall): New target. * testsuite/Makefile.in (uninstall): New dummy target. * config.sub: Copied from automake-1.8.5. * examples/Makefile.in (SOURCES): Added rsa-sign.c and rsa-verify.c. (DISTFILES): Added getopt.h. (install uninstall): New dummy targets. * config.make.in (.PHONY): Added more targets. * Makefile.in (.texinfo.info, .texinfo.html): New targets. Added support for uninstall and DESTDIR. Various fixes to install and distcheck. * examples/Makefile.in (INCLUDES): Added -I flags. (distdir): Use $^ to refer to the files. (distclean): New target. * testsuite/Makefile.in: Likewise. * tools/Makefile.in: Likewise. * Makefile.in (INCLUDES): Need -I flags for VPATH build. (clean distclean mostlyclean maintainer-clean): Clean subdirectories first. (DISTFILES): Added a bunch of files. (des_headers): Added desCore rules. (install-here): Split off target install-headers, which uses $^ to refer to the files. (distdir): Use $^ to refer to the files. distcheck): Fixes. * config.make.in (COMPILE): Add $(INCLUDE) to the line. 2004-10-19 Niels Möller Stop using automake. Replaced each Makefile.am with a hand-written Makefile.in. * configure.ac: New output variable CCPIC_MAYBE. New output file config.make. Replaced automake constructions. * .bootstrap: Don't run aclocal and automake. * config.make.in: New file, with shared Makefile variables and rules. 2004-10-18 Niels Möller * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Replace incb -> incl + andl, to improve speed on PPro and PII. Suggested by Fredrik Olsson. 2004-10-08 Niels Möller * examples/rsa-encrypt-test: Avoid reading and executing a file at the same time. * examples/setup-env: Likewise. 2004-10-06 Niels Möller * testsuite/symbols-test: Ignore __i686.get_pc_thunk.bx and similar symbols. 2004-10-05 Niels Möller * twofish.c (q_table): Use a const pointer array. * sexp2dsa.c (dsa_keypair_from_sexp_alist): Use a const pointer array for the keywords. (dsa_signature_from_sexp): Likewise. * sexp2rsa.c (rsa_keypair_from_sexp_alist): Likewise. (rsa_keypair_from_sexp): Likewise. * sexp.c (sexp_iterator_check_types): Use an argument of type "const uint8_t * const *" for the types list. (sexp_iterator_assoc): Likewise, for the keys list. * list-obj-sizes.awk: Fixes to handle multiple .data and .rodata sections. Also fixed to handle the last file correctly. 2004-09-23 Niels Möller * configure.ac (SHLIBLINK, SHLIBLIBS): On cygwin, linking needs -Wl,--whole-archive $(OBJECTS) -Wl,--no-whole-archive $(LIBS). 2004-09-22 Niels Möller * configure.ac: Setup SHLIBFORLINK and friends for cygwin. * list-obj-sizes.awk: Strip *_a-prefix from all file names. * Makefile.am (libnettle_a_SOURCES): List only .c files. Headers moved to noinst_HEADERS. (SHLIBOBJECTS): Substitute from libnettle_a_SOURCES, not am_libnettle_a_OBJECTS, since the latter includes libnettle_a-prefixes with some automake versions. (SHLIBSONAME): Check if this name is empty, which is the case on cygwin, before using it. 2004-08-31 Niels Möller * configure.ac: New command line option --disable-pic. Use LSH_CCPIC. * Makefile.am (libnettle_a_CFLAGS): Added $(CCPIC), to attempt to build also the static library as position independent code. 2004-08-24 Niels Möller * des-compat.c (des_cbc_cksum): Pad input with NUL's, if it's not an integral number of blocks. 2004-08-24 Niels Möller * testsuite/arctwo-test.c, arctwo.h, arctwo.c (arctwo_set_key_ekb): Fixed typo; it should be "ekb", not "ebk". Integrated arctwo patch from Simon Josefsson. * testsuite/Makefile.am (noinst_PROGRAMS): Added arctwo-test. * Makefile.am (libnettleinclude_HEADERS): Added arctwo.h. (libnettle_a_SOURCES): Added arctwo.c, arctwo.h and arctwo-meta.c. * nettle-meta.h (nettle_arctwo40, nettle_arctwo64) (nettle_arctwo64, nettle_arctwo_gutmann128): Declare ciphers. * arctwo-meta.c, arctwo.c, arctwo.h, testsuite/arctwo-test.c: New files. * macros.h (LE_READ_UINT16, LE_WRITE_UINT16): New macros. 2004-08-23 Niels Möller * testsuite/md5-test.c (test_main): Added collision, found in 2004. (test_main): Added second collision. 2004-08-23 Niels Möller * testsuite/md5-test.c (test_main): Added first half of a collision test case. * des-compat.c (des_cbc_cksum): Changed input argument to be of type const uint8_t * (was const des_cblock *). * des-compat.h (const_des_cblock): New bogus type. Disabled use of const, for compatibility with openssl. 2004-06-08 Niels Möller * aesdata.c: Renamed log and ilog to gf2_log and gf2_exp. 2004-04-07 Niels Möller * aes-set-encrypt-key.c (log, ilog): Deleted unused tables. * aes-set-decrypt-key.c (gf2_log, gf2_exp, mult): Renamed tables, were log and ilog. 2004-03-20 Niels Möller * configure.ac: Use AC_CONFIG_AUX_DIR([.]). 2004-03-18 Niels Möller * examples/io.c (read_file): Display a message if fopen fails. 2004-03-05 Niels Möller * Released nettle-1.10. * configure.ac (SHLIBMINOR): Shared library version is now 2.2. 2004-03-04 Niels Möller * testsuite/symbols-test: Pass -g flag to nm. 2004-03-02 Niels Möller * configure.ac: Fixed EXEEXT workaround. 2004-03-02 Niels Möller * configure.ac: Added workaround to get the correct $(EXEEXT)='' when compiling with rntcl. 2004-03-02 Niels Möller * testsuite/Makefile.am (noinst_PROGRAMS): Put test program list here, to let automake add $(EXEEXT). * configure.ac (RSA_EXAMPLES): Append $(EXEEXT) to the filenames. 2004-03-01 Niels Möller * examples/rsa-keygen.c, examples/rsa-encrypt.c, examples/rsa-decrypt.c: Include "getopt.h" instead of . * examples/Makefile.am (rsa_encrypt_SOURCES, rsa_decrypt_SOURCES) (rsa_keygen_SOURCES): Added getopt.h, getopt.c and getopt1.c. * examples/getopt.h, examples/getopt.c, examples/getopt1.c: New files. * testsuite/des-compat-test.c: Don't include . * testsuite/testutils.c (main): Don't use getopt. Then we don't need to include . 2004-03-01 Niels Möller * config.guess: Copied from automake-1.8.2. Hacked to recognize Windows_NT (and Windows_95 and Windows_98) running on "x86" and "686". * install-sh: Removed from CVS repository. Let automake supply it. 2004-02-26 Niels Möller * nettle-meta.h (nettle_crypt_func): Typedef moved to cbc.h. Include cbc.h instead. * des-compat.c: Reverted const change, now all the des_key_sched arguments are not const. This is also what openssl's interface looks like. (cbc_crypt_func): Deleted typedef, use nettle_crypt_func instead. * cbc.h (nettle_crypt_func): Moved typedef here. * cbc.c (cbc_encrypt, cbc_decrypt_internal, cbc_decrypt): Use it for typing the f argument. Reverted the const change, for compatibility with nettle_crypt_func. 2004-02-25 Niels Möller * testsuite/des-compat-test.c: Use des_cblock for typing more of the variables. Use const. Got rid of most of the explicit casts. Disabled the input/output alignment tests. * des.c (des_encrypt, des_decrypt): Use a const context pointer. * des3.c (des3_encrypt, des3_decrypt): Likewise. * cbc.c (cbc_encrypt, cbc_decrypt): Use a _const_ void *ctx argument. * des-compat.c: Use const for all unchanged arguments. (des_key_sched): Use a copy of the key if we need to fix the parity. * testsuite/des-compat-test.c (C_Block, Key_schedule): Deleted defines. Deleted some of the explicit casts. * des-compat.c (des_cbc_cksum): Dereference DST pointer. 2004-02-25 Niels Möller * pgp.h: Include nettle-types.h. 2004-02-24 Niels Möller * testsuite/symbols-test: Allow symbols starting with double underscores, like on darwin. 2004-02-17 Niels Möller * Makefile.am: Protected %-rules used for building pure objects, and for assembler files, by automake conditionals. Needed for makes such as tru64's, which tries to understand %-patterns, but doesn't get it right. (SUFFIXES): Added .html. (.texinfo.html): Rewrote rule to use a traditional suffix target. * configure.ac (enable_assembler): Explicitly set enable_assembler=no, on architectures where we have no assembler files. (ENABLE_ASSEMBLER, ENABLE_SHARED): New automake conditionals. * testsuite/testutils.c (xalloc): xalloc(0) should work also on systems where malloc(0) returns NULL. 2004-02-16 Niels Möller * Makefile.am (%.o: %.asm): Added comment about OSF1 make problem. 2004-02-15 Niels Möller * testsuite/testutils.h: #include nettle-types.h instead of inttypes.h. 2004-02-12 Niels Möller * examples/rsa-encrypt-test: Use -r option when invoking rsa-encrypt. Needed for the test to work on systems with no /dev/urandom. 2004-02-12 Niels Möller * configure.ac (CPPFLAGS, LDFLAGS): No spaces after -I and -L, as some C compilers, in particular True64 cc, don't like that. 2004-02-08 Niels Möller * configure.ac: Bumped version number to 1.10. 2004-02-07 Niels Möller * Released nettle-1.9. * configure.ac (SHLIBMINOR): Bumped, library version is now 2.1. * testsuite/sexp-format-test.c: Include bignum.h only if HAVE_LIBGMP. * testsuite/rsa-encrypt-test.c: Include rsa.h only if WITH_PUBLIC_KEY. * testsuite/pkcs1-test.c: Include pkcs1.h only if WITH_PUBLIC_KEY. * pgp-encode.c [!HAVE_LIBGMP]: Kludge around the pgp.h's dependency on gmp.h. (pgp_put_mpi): Condition on HAVE_LIBGMP. * pgp.h: Don't include bignum.h, to make it possible to compile the non-bignum parts of pgp-encode.c without bignum support. Needs to be fixed properly before the pgp interface is advertised. * tools/sexp-conv.c (xalloc): New function. (main): Use xalloc. * tools/output.c (sexp_put_digest): Use TMP_DECL instead of alloca. * testsuite/testutils.c (xalloc): New function. Made all other functions use xalloc instead of alloca. * examples/rsa-keygen.c (main): Use xalloc for allocation. * examples/rsa-encrypt.c (write_bignum): Likewise. * examples/rsa-decrypt.c (read_bignum): Likewise. * testsuite/yarrow-test.c (open_file): Likewise. * testsuite/rsa-encrypt-test.c (test_main): Likewise. * testsuite/bignum-test.c (test_bignum): Likewise. * examples/nettle-openssl.c: When calling des_key_sched and des_ecb_encrypt, cst arguments to (void *). Openssl's typedefs des_cblock and const_des_cblock are too broken. * examples/nettle-benchmark.c (xalloc): New function. Use instead of alloca, for better portability. * examples/io.c (xalloc): New function. * Makefile.am (nodist_libnettleinclude_HEADERS): nettle-types.h should not be distributed. 2004-02-06 Niels Möller * x86/sha1-compress.asm: Rename round -> ROUND. * x86/sha1-compress.asm: Store the magic constants on stack. Accessing them via %esp should be a little faster than using large immediate operands. * Makefile.am (EXTRA_DIST, DISTCLEANFILES): Handle sha1-compress.asm. * configure.ac: Use assembler file sha1-compress.asm if available. * x86/sha1-compress.asm (EXPAND): Fixed the rotation part of the data expansion. 2004-02-06 Niels Möller * x86/sha1-compress.asm: Assembler implementation of sha1_compress. (Not yet working). * Makefile.am (libnettle_a_SOURCES): Added sha1-compress.c. * sha1.c (sha1_transform): Function renamed to sha1_compress, and moved to... * sha1-compress.c: ... New file. 2004-02-05 Niels Möller * examples/rsa-encrypt.c (process_file): Copy the leftover to the start of the buffer, when preparing for the final processing. * examples/nettle-benchmark.c (bench_hash, time_hash): New functions. (main): Benchmark hash functions too. (BENCH_BLOCK): Increased 10K. (BENCH_INTERVAL): Decreased to 0.25s. * examples/nettle-benchmark.c (time_function): Loop around calling f, until 1s has elapsed. Returns seconds per call. Updated bench functions to not loop themselves. (display): Updated MB/s calculation. * testsuite/arcfour-test.c (test_main): Use test_cipher_stream. * testsuite/testutils.c (test_cipher_stream): New function, that tries dividing the input into varying size blocks before processing. * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Bug fix, half of the S array swap was forgotten. * arcfour.c (arcfour_stream): Likewise. * arcfour-crypt.c (arcfour_crypt): Likewise. 2004-02-05 Niels Möller * x86/arcfour-crypt.asm (nettle_arcfour_crypt): Must store the new i, j at the end of the loop. * Makefile.am (EXTRA_DIST): Make sure x86 assembler files are distributed. (DISTCLEANFILES): And that the symlinks and .s files are deleted. * x86/aes-encrypt.asm, x86/aes-decrypt.asm, x86/arcfour-crypt.asm: Fixed debug information. * x86/arcfour-crypt.asm: New file. About three times faster than the optimized C code. * configure.ac: Use assembler file arcfour-crypt.asm if available. * arcfour.c (arcfour_crypt): Moved function too... * arcfour-crypt.c (arcfour_crypt): New file. * arcfour.c (arcfour_crypt): Optimization suggested by Jonas Walldén. Makes arcfour up to 50% faster on x86 and ppc, and probably on other architectures as well. 2004-01-31 Niels Möller * configure.ac (AX_CREATE_STDINT_H): Also look for uint32_t and friends in sys/types.h. 2004-01-11 Niels Möller * Makefile.am (libnettleinclude_HEADERS): Added bignum.h, memxor.h, pkcs1.h and rsa-compat.h. * configure.ac: Bumped version to 1.9. 2004-01-10 Niels Möller * Released nettle-1.8. * examples/teardown-env: Delete more test files. * nettle.texinfo (Hash functions): Documented md2 and md4. * configure.ac (SHLIBMAJOR): Bumped to 2. 2004-01-09 Niels Möller * examples/rsa-encrypt-test: New testcase. * examples/rsa-encrypt.c, examples/rsa-session.h: Expanded the comment describing the file format, and moved to rsa-session.h. * examples/rsa-decrypt.c (process_file): Finished this function. (main): Initialize x. Check the size of the session key after rsa decryption. * examples/io.c (write_string): Treat short item count as an error. 2004-01-08 Niels Möller * index.html: Added instructions for CVS access. * dsa-keygen.c (dsa_nist_gen): Fixed declaration/statement order. * rsa-keygen.c (bignum_next_prime): Fixed off-by-one error when comparing input to the largest listed prime. General cleanup, as prime_limit > 0 always. Use TMP_DECL and TMP_ALLOC. * nettle-internal.h (TMP_DECL, TMP_ALLOC): New macros. When alloca is unavailable, they work by allocating a fix amount of stack and imposing a hard limit on what can be allocated. Updated all users of alloca. 2004-01-07 Niels Möller * nettle-types.h: New (generated) file, to be used instead of including directly. Updated all users of inttypes.h. * Makefile.am (DISTCLEANFILES, libnettleinclude_HEADERS): Added nettle-types.h. * configure.ac (AX_CREATE_STDINT_H): Create nettle-types.h. 2003-11-16 Niels Möller * yarrow256.c (yarrow256_seed): Use const for the seed_file input. 2003-11-12 Niels Möller * list-obj-sizes.awk: New function for decoding hex values, with a new function hex2int. Also implemented calculation of total storage, removed the dependence on the .comment section, and use the $FILTER environment variable as a regexp for restricting the object files that are considered. 2003-09-21 Niels Möller * testsuite/rsa-encrypt-test.c (test_main): Don't use gmp_printf, as it seems it's only available with the newer gmp. Use mpz_out_str instead. 2003-09-19 Niels Möller * examples/Makefile.am (EXTRA_DIST): Added rsa-session.h. * tools/nettle-lfib-stream.c: New tool, which outputs a sequence of pseudorandom (non-cryptographic) bytes, using Knuth's lagged fibonacci generator. * examples/rsa-decrypt.c: Fixes to get the file to compile. It won't work yet. * examples/Makefile.am (EXTRA_PROGRAMS): Added rsa-encrypt and rsa-decrypt. * examples/io.c (write_file): New function. (write_string): Simplified error check, it's no real point in calling ferror unless we also call fflush. * examples/rsa-keygen.c (main): Check return value from simple_random. * examples/rsa-decrypt.c, examples/rsa-encrypt.c, examples/rsa-session.h: New files, demonstrating rsa encryption and decryption. * configure.ac (RSA_EXAMPLES): Added rsa-encrypt and rsa-decrypt. 2003-09-01 Niels Möller * testsuite/testutils.c (print_hex): Use const. 2003-08-30 Niels Möller * md2.c, md2.h: Added reference to RFC 1319. * md4.c, md4.h: Added reference to RFC 1320 2003-08-26 Niels Möller * Makefile.am: Added md2 and md5 files. Deleted the print-path hack. * configure.ac: Bumped version to 1.8. * testsuite/testutils.c (test_rsa_set_key_1): New function. * testsuite/rsa-test.c (test_main): Use it. * testsuite/dsa-keygen-test.c: Deleted definition of UNUSED, it's now in config.h. * testsuite/rsa-keygen-test.c: Likewise. * testsuite/Makefile.am (TS_PROGS): Added rsa-encrypt-test, md4-test, and md2-test. * testsuite/rsa-encrypt-test.c, testsuite/md4-test.c, testsuite/md2-test.c: New test cases. * nettle-meta.h: Declare nettle_md2 and nettle_md4. * md5.c: Reorderd functions, putting md5_final at the end. * md2.c, md2.h, md2-meta.c: New files, implemented md2. * md4.c, md4.h, md4-meta.c: New files, implemented md4. 2003-08-17 Niels Möller * desCode.h (des_keymap, des_bigmap): Deleted extern declarations, they conficted with the static definition in des.c. Reported by Simon Josefsson. * des.c (DesSmallFipsEncrypt, DesSmallFipsDecrypt): Moved definitions after the definition of the des_kemap array. 2003-08-11 Niels Möller * rsa-encrypt.c (rsa_encrypt): Bugfix contributed by leg@terra.com.br. 2003-06-10 Niels Möller * Makefile.am (EXTRA_DIST): Distribute sha-example.c. 2003-06-05 Niels Möller * Makefile.am (DISTCLEANFILES): Delete .s files. 2003-05-27 Niels Möller * testsuite/symbols-test: And allow symbols that start at the beginning of the line, as output by AIX nm. 2003-05-26 Niels Möller * testsuite/symbols-test: Allow symbols to start with a dot. 2003-05-14 Niels Möller * pgp.h (enum pgp_subpacket_tag): Copied values from RFC 2440. Renamed PGP_SUBPACKET_ISSUER to PGP_SUBPACKET_ISSUER_KEY_ID. 2003-05-13 Niels Möller * pgp.h: Do proper namemangling for pgp_put_public_rsa_key and pgp_put_rsa_sha1_signature. * pgp-encode.c (pgp_put_mpi): Fixed nettle_mpz_get_str_256 call. 2003-05-12 Niels Möller * rsa2openpgp.c (rsa_keypair_to_openpgp): Some bugfixes. * pgp.h (enum pgp_subpacket_tag): New enum. Definition is bogus and needs to be fixed. Added forward declarations of structs, and prototypes for pgp_put_public_rsa_key and pgp_put_rsa_sha1_signature. * pgp-encode.c (pgp_put_mpi): Take a const mpz_t argument. Gugfix, use nettle_mpz_get_str_256. (pgp_put_public_rsa_key, pgp_put_rsa_sha1_signature): Constification. Some bugfixes. * Use "config.h", not . * Reordered includes in most or all .c-files. All should now include config.h. 2003-05-12 Niels Möller * configure.ac: Use LSH_FUNC_ALLOCA. 2003-04-25 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added hmac-sha256.c. * testsuite/hmac-test.c (test_main): Added tests for hmac-sha256, from draft-ietf-ipsec-ciph-sha-256-01.txt. * hmac-sha256.c (hmac_sha256_digest): New file. 2003-04-22 Niels Möller * sha-example.c (display_hex): Simplified by using printf better. * nettle.texinfo (Example): Use @verbatiminclude to include the example program. * sha-example.c: Example program, for inclusion in the manual. Fixed bugs reported by Mark Arking. 2003-04-14 Niels Möller * x86/aes-encrypt.asm (nettle_aes_encrypt): Fixed references to _nettle_aes_encrypt_table. * x86/aes-decrypt.asm (nettle_aes_decrypt): Fixed references to _nettle_aes_decrypt_table. 2003-04-12 Niels Möller * testsuite/Makefile.am (TS_SH): New test case symbols-test. (EXTRA_PROGRAMS): Added testutils, as a kludge to get automake to track dependencies for testutils.o. * x86/aes-encrypt.asm (nettle_aes_encrypt): Renamed function to use the nettle_ prefix. * x86/aes-decrypt.asm (nettle_aes_decrypt): Likewise. * sparc/aes.asm (_nettle_aes_crypt): Likewise. * examples/Makefile.am (EXTRA_PROGRAMS): Add "io", as a kludge to get automake to track dependencies for io.o. (LDADD): Added ../libnettle.a, for the dependency. * des-compat.c: Use names with the nettle_ prefix when using Nettle's des functions. * base16-meta.c (base16_encode_update): Need to undef before redefining. * New name mangling, to reduce the risk of link collisions. All functions (except memxor) now use a nettle_ or _nettle prefix when seen by the linker. For most functions, the header file that declares a function also use #define to provide a shorter more readable name without the prefix. 2003-03-11 Niels Möller * Released nettle-1.7. * configure.ac: Bumped version to 1.7. * nettle.texinfo (DSA): New section. (RSA): Updated documentation. 2003-03-02 Niels Möller * examples/nettle-benchmark.c (time_cipher): Don't use GNU C non-constant initializers. 2003-02-23 Niels Moller * configure.ac: Use LSH_GCC_ATTRIBUTES. 2003-02-19 Niels Möller * acinclude.m4: Deleted file from cvs, use a link to lsh's acinclude.m4 instead. 2003-02-16 Niels Möller * Makefile.am (libnettleinclude_HEADERS): Added macros.h. * tools/Makefile.am (EXTRA_DIST): Added getopt.h. 2003-02-14 Niels Möller * Makefile.am (print_path): Added target to print the used PATH, for debugging. (print-path): Moved dependency to all-local. 2003-02-11 Niels Möller * buffer.c (nettle_buffer_copy): Bug fix, it didn't return any value. 2003-02-11 Niels Möller * testsuite/sexp-format-test.c (test_main): Added test for %( and %). * sexp-format.c (sexp_vformat): Handle %( and %). * realloc.c (nettle_xrealloc): Fixed out-of-memory check. * configure.ac (SHLIBMAJOR): Bumped version number to 1. * buffer.c (nettle_buffer_init_realloc): New function. * buffer-init.c (nettle_buffer_init): Use nettle_buffer_init_realloc. 2003-02-10 Niels Möller * testsuite/sexp-format-test.c (test_main): New test with tokens in the format string. (test_main): Test space-searated literals too. * rsa2sexp.c (rsa_keypair_to_sexp): New argument ALGORITHM_NAME. * examples/rsa-keygen.c (main): Updated call to rsa_keypair_to_sexp. * testsuite/rsa2sexp-test.c (test_main): Likewise. * sexp-format.c (sexp_vformat): Allow whitespace in format string. * rsa2sexp.c (rsa_keypair_to_sexp): Use literals with sexp_format. * sexp-format.c (format_string): New function. (sexp_vformat): Implemented support for literals in the format string. 2003-02-06 Niels Möller * testsuite/sexp-conv-test (print_raw, print_nl): New functions. The testfunctions use these instead of using echo directly. Use the test input '3:"\x' instead of '2:"\', to be friendlier to sysv echo. 2003-02-05 Niels Möller * des-compat.h (des_set_key): Different name mangling, if this file is included, des_set_key should refer to a function that behaves like openssl's. * des-compat.c (des_key_sched, des_is_weak_key): Use the name nettle_des_set_key for referring to Nettle's function. * des.h (des_set_key): Name mangling, linker symbols should use a "nettle_" prefix, and this one collided with openssl. Perhaps all symbols should be mangled in a similar way, but that's for later. * configure.ac (LDFLAGS): --with-lib-path should add to LDFLAGS, not replace it. 2003-01-30 Niels Möller * tools/output.c (sexp_put_string): Fixed handling of escapable characters. The code generated random escape sequences for characters in the 0x10-0x1f range. * testsuite/sexp-conv-test: More tests for hex and base64 input and output. 2003-01-30 Niels Möller * sexp2bignum.c (nettle_mpz_set_sexp): Call sexp_iterator_next on success. That means the iterator argument can't be const. 2003-01-29 Niels Möller * tools/Makefile.am (LDADD): Add libnettle.a, for the dependency. 2003-01-27 Niels Möller * sexp2dsa.c (dsa_signature_from_sexp): New function. RSA renaming. Updated all callers. * rsa-sign.c (rsa_private_key_init, rsa_private_key_clear) (rsa_private_key_prepare): Renamed functions. * rsa.c (rsa_public_key_init, rsa_public_key_clear) (rsa_public_key_prepare): Renamed functions. 2003-01-23 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added new rsa and pkcs1 files. Removed old rsa_md5.c and rsa_sha1.c. * testsuite/Makefile.am (TS_PROGS): Added pkcs1-test. * dsa-verify.c (dsa_verify_digest): New function. (dsa_verify): Most of the code moved to dsa_verify_digest, which is used here. * dsa-sign.c (dsa_sign_digest): New function. (dsa_sign): Most of the code moved to dsa_sign_digest, which is used here. * dsa.c (_dsa_hash): Deleted function. * rsa_md5.c, rsa_sha1.c: Deleted files, contents spread over several files for signing and verification. * rsa-sign.c, rsa-sha1-verify.c, rsa-sha1-sign.c, rsa-md5-verify.c, rsa-md5-sign.c: New files. * rsa-sha1-verify.c (rsa_sha1_verify_digest): New function. * rsa-sha1-sign.c (rsa_sha1_sign_digest): New function. * rsa-md5-verify.c (rsa_md5_verify_digest): New function. * rsa-md5-sign.c (rsa_md5_sign_digest): New function. * rsa-verify.c (_rsa_verify): New file, new function. * rsa.c (_rsa_check_size): Renamed from rsa_check_size, and made non-static. Private key functions moved to rsa-sign.c. * pkcs1.c, pkcs1.h, pkcs1-rsa-md5.c, pkcs1-rsa-sha1.c: New files. (pkcs1_signature_prefix): New function. * testsuite/pkcs1-test.c: New test. 2003-01-22 Niels Möller * examples/Makefile.am (nettle_benchmark_LDADD): Use OPENSSL_LIBFLAGS. * configure.ac (OPENSSL_LIBFLAGS): If libcrypto is found, add -lcrypto to OPENSSL_LIBFLAGS, not the plain LDFLAGS. 2003-01-20 Niels Möller * testsuite/Makefile.am (CLEANFILES): Delete test.in, test1.out and test2.out. 2003-01-17 Niels Möller * examples/Makefile.am (AM_CPPFLAGS): Use AM_CPPFLAGS instead of AM_CFLAGS. * testsuite/Makefile.am (AM_CPPFLAGS): Likewise. 2003-01-16 Niels Möller * testsuite/Makefile.am (check): Can't use quotes around $(srcdir). 2003-01-14 Niels Möller * testsuite/Makefile.am (check): Don't use "run-tests" as a target, as it's confused with the file with the same name. * .bootstrap: Added missing #! /bin/sh. 2003-01-12 Niels Möller * buffer.c (nettle_buffer_reset): New function. (nettle_buffer_copy): New function. * tools/input.c, tools/input.h, tools/output.c, tools/output.h, tools/parse.c, tools/parse.h, tools/misc.c, tools/misc.h: Moved parts ov sexp-conv.c to separate files * tools/sexp-conv.c (sexp_convert_list): Inlined into sexp_convert_item. * tools/sexp-conv.c (struct sexp_input): Deleted string attribute. Changed all related functions to take a struct nettle_buffer * argument instead. (struct sexp_compound_token): New struct. (sexp_compound_token_init, sexp_compound_token_clear): New functions. (struct sexp_parser): Added a struct sexp_compound_token attribute, as a temporary measure. (sexp_parse): Take a struct sexp_compound_token * as argument. Updated all callers. Simplified handling of display types and transport encoding. * tools/sexp-conv.c (struct sexp_parser): Renamed struct (was struct sexp_parse_state). Added input pointer. Updated users to not pass around both parser and input. (sexp_check_token): handle token == 0. (sexp_parse): Simplified a little by calling sexp_check_token unconditionally. * tools/sexp-conv.c (sexp_convert_string): Deleted function. (sexp_skip_token): Likewise. * tools/sexp-conv.c (enum sexp_token): New constant SEXP_DISPLAY. Start constants from 1, to keep 0 free for special uses. (struct sexp_parse_state): New struct for keeping track of parser state. (sexp_parse_init): New function. (sexp_check_token): New function, replacing sexp_skip_token. (sexp_parse): New function. (sexp_convert_item): Simplified by using sexp_parse. (sexp_convert_list): Use sexp_parse. (main): Likewise. 2003-01-08 Niels Möller * tools/sexp-conv.c (parse_options): Initialize prefer_hex. 2003-01-07 Niels Möller * Makefile.am (des_headers): Refer to the desdata binary using $(EXEEXT). 2003-01-01 Niels Möller * testsuite/sexp-conv-test: New tests for hex and base64 literal output. * tools/sexp-conv.c (sexp_put_string): Print binary strings using either hex or base 64 (in advanced mode). (parse_options): Implemented -s hex, for output using hex rather than base64. 2002-12-30 Niels Möller * testsuite/rsa2sexp-test.c: Don't include rsa.h (done by testutils.h, if enabled). * testsuite/sexp2rsa-test.c: Likewise. * rsa-decrypt.c: Make compilation conditional on WITH_PUBLIC_KEY. * rsa-encrypt.c: Likewise. * rsa-compat.c: Likewise. 2002-12-04 Niels Möller * testsuite/Makefile.am (LDADD): Added path to ../libnettle.a, which is redundant except for the dependency. 2002-12-04 Niels Möller * testsuite/sexp-format-test.c (test_main): Use %0s instead of %z. New test for %t. * sexp-format.c (format_length_string): Deleted function. (format_string): Deleted function. (sexp_vformat): New %t specifier, formatting an optional display type. Deleted %z specifier. Instead, introduced a new modifier "0" that can be used with %s, %l and %t, which says that the data is NUL-terminated. * rsa2sexp.c (rsa_keypair_to_sexp): Use %0s rather than %z, when formatting s-expressions. * buffer.c (nettle_buffer_grow): Fixed assertion. 2002-11-22 Niels Möller * buffer.c: Include assert.h. 2002-11-21 Niels Möller * testsuite/testutils.c (print_hex): Add line breaks. * Makefile.am (libnettleinclude_HEADERS): Added realloc.h. (libnettle_a_SOURCES): Added buffer-init.c and realloc.c. * sexp.c (sexp_iterator_exit_lists): New function, #if:ed out for now. * desdata.c: Include config.h, to get definition of UNUSED. * shadata.c: Likewise. * buffer.c (nettle_buffer_grow): New function, replacing grow_realloc. (nettle_buffer_clear): Rewritten to use buffer->realloc. * buffer.h (struct nettle_buffer): Replaced the GROW function pointer with a nettle_realloc_func pointer and a void *realloc_ctx. (NETTLE_BUFFER_GROW): Deleted macro, use function instead. * buffer-init.c (nettle_buffer_init): Moved to a separate file. * realloc.c (nettle_realloc): New function. (nettle_xrealloc): New function. * realloc.h (nettle_realloc_func): New typedef. * configure.ac: Check for gcc:s __attribute__. 2002-11-16 Niels Möller * sexp2dsa.c, sexp2rsa.c: (macro GET): Check sign of parsed numbers. * sexp2bignum.c (nettle_mpz_set_sexp): In the first check against limit, added some margin to allow for sign octets. 2002-11-15 Niels Möller * testsuite/testutils.h (LDATA): Use sizeof instead of strlen. Now handles strings including NUL-characters. But works only with literals and character arrays, no char pointers. (LLENGTH): New macro, computing length the same way as LDATA. * testsuite/sexp-test.c (test_main): Test sexp_iterator_get_uint32. * testsuite/sexp-format-test.c (test_main): Check that %i and %b generate leading zeroes when needed. Check that %b handles negative numbers. * testsuite/rsa2sexp-test.c (test_main): Updated test, one leading zero is needed in the private key expression. In verbose mode, print the generated keys. * testsuite/sexp2rsa-test.c (test_main): Added a leading zero in the private key expression. * testsuite/bignum-test.c (test_bignum): Use nettle_mpz_init_set_str_256_s. (test_size): New function. (test_main): Test size computation and formatting of negative numbers. * sexp2bignum.c (nettle_mpz_set_sexp): Use nettle_mpz_set_str_256_s, to handle negative numbers correctly. * sexp-format.c (sexp_vformat): For %i, output a leading zero when needed to get a correct, positive, sign. For %b, use nettle_mpz_sizeinbase_256_s, to handle negative numbers properly. * bignum.c (nettle_mpz_sizeinbase_256_s): New function. (nettle_mpz_sizeinbase_256_u): New name, was nettle_mpz_sizeinbase_256. Updated all callers. (nettle_mpz_to_octets): New function. (nettle_mpz_get_str_256): Handle negative numbers. (nettle_mpz_from_octets): New function. (nettle_mpz_set_str_256_u): New name, was nettle_mpz_set_str_256. (nettle_mpz_init_set_str_256_u): New name, was nettle_mpz_init_set_str_256. (nettle_mpz_set_str_256_s): New function, handling negative two's complement numbers. (nettle_mpz_init_set_str_256_s): And an init variant. * sexp.c (sexp_iterator_get_uint32): New function. 2002-11-10 Niels Möller * testsuite/sexp-conv-test: Use input files without any trailing newline character, in order to stress the end of file handling. * tools/sexp-conv.c (sexp_get_token_string): Fixed end of file handling. (sexp_get_string): Fixed end of encoding/end of file handling. (parse_options): Check for negative width and complain. * tools/sexp-conv.c: Use supplied getopt. (werror): New function. (sexp_output_hash_init): New function. (sexp_put_char): Made base64 linebreaking configurable. Implemented hashing. (sexp_put_code_start, sexp_put_code_end): Don't output any delimiters here. (sexp_put_string): Output base64 delimiters. (sexp_put_digest): New function. (sexp_convert_item): Output transport delimiters. (sexp_convert_file): Deleted function, folded with main. (parse_options): New function. (main): Implemented --hash and --once, needed by lsh-authorize. * sexp.h (struct sexp_iterator): New field start. * sexp.c (sexp_iterator_subexpr): New function. (sexp_iterator_parse): Initialize ITERATOR->start. * sexp-format.c (sexp_vformat): Abort if format string contains unhandled characters. 2002-11-08 Niels Möller * des-compat.c (des_ecb3_encrypt): Don't use struct initialization (c89 doesn't allow non-constant initializers). Reported by James Ralston. (des_ede3_cbc_encrypt): Likewise. * examples/nettle-openssl.c: Moved from the top-level directory. Should *not* be included in the nettle library. 2002-11-08 Niels Möller * testsuite/testutils.c (test_dsa_key): Bugfix for renamed DSA constant (noted by James Ralston). 2002-11-07 Niels Möller * testsuite/run-tests: Copied new version rom lsh/src/testsuite. This version handles test scripts located in $srcdir. * examples/Makefile.am (AM_CFLAGS): We need -I$(top_srcdir). * tools/Makefile.am (AM_CFLAGS): Likewise. * testsuite/Makefile.am (AM_CFLAGS): Likewise. 2002-11-07 Niels Möller * Makefile.am (SUBDIRS): Added tools. (libnettle_a_SOURCES): Added sexp-transport-format.c, sexp2bignum.c, sexp2dsa.c. * sexp2dsa.c (dsa_keypair_from_sexp_alist, dsa_keypair_from_sexp): New file, new functions. * rsa2sexp.c (rsa_keypair_to_sexp): %s -> %z renaming. * sexp-transport.c (sexp_transport_iterator_first): Fixed bug, length was mishandled. * sexp-transport-format.c (sexp_transport_format, sexp_transport_vformat): New file, new functions. * sexp-format.c (sexp_format): Return length of output. Allow buffer == NULL, and only compute the needed length in this case. Renamed %s to %z. New format specifiers %s, %i, and %l. (sexp_vformat): New function. (format_prefix): Rewrote to not use snprintf. * sexp2rsa.c (rsa_keypair_from_sexp): New limit argument. Use nettle_mpz_set_sexp. * dsa-keygen.c (dsa_generate_keypair): Added some newlines to progress display. Use DSA_P_MIN_BITS. * dsa.h (DSA_MIN_P_BITS): New constant (was DSA_MINIMUM_BITS). (DSA_Q_OCTETS, DSA_Q_BITS): New constants. (dsa_keypair_from_sexp_alist, dsa_keypair_from_sexp): New prototypes. * configure.ac: Output tools/Makefile. * sexp2bignum.c (nettle_mpz_set_sexp): New file, and new function. Moved from sexp2rsa.c:get_value. * examples/io.c (read_rsa_key): New limit argument in call of rsa_keypair_from_sexp_alist. * examples/Makefile.am (noinst_PROGRAMS): Removed sexp-conv. * tools/sexp-conv.c: Moved file from examples directory. * testsuite/Makefile.am (TS_SH): New variable. Added sexp-conv-test. * testsuite/testutils.h (LDUP): New macro. * testsuite/sexp2rsa-test.c (test_main): New limit argument in call of rsa_keypair_from_sexp_alist. * testsuite/sexp-test.c (test_main): Added test for lengths with more than one digit. Added tests for transport mode decoding. * testsuite/sexp-format-test.c (test_main): Added tests for %i and %l. * testsuite/sexp-conv-test: Moved test from examples directory. Updated path to sexp-conv, now in ../tools/sexp-conv. 2002-11-03 Niels Möller * sexp-format.c, sexp_format.c: Renamed sexp_format.c to sexp-format.c. * Makefile.am (libnettle_a_SOURCES): Renamed sexp_format.c to sexp-format.c. * examples/Makefile.am: Don't set CFLAGS or CPPFLAGS explicitly, let automake handle that. * testsuite/Makefile.am: Likewise. * sexp2rsa.c (rsa_keypair_from_sexp_alist): New function. (rsa_keypair_from_sexp): Use it. 2002-11-01 Niels Möller * examples/Makefile.am (LDADD): Use -lnettle, instead of an explicit filename libnettle.a, so that we will use the shared library, if it exists. (AM_LDFLAGS): Added -L.., so we can find -lnettle. (run-tests): Set LD_LIBRARY_PATH to ../.lib, when running the testsuite. * testsuite/Makefile.am: Similar changes. * Makefile.am (LIBOBJS): Put @LIBOBJS@ into the make variable LIBOBJS. (CLEANFILES): Delete libnettle.so. (clean-local): Delete the .lib linkfarm. ($(SHLIBFORLINK)): When building libnettle.so, create a link from .lib/$SHLIBSONAME. Needed at runtime, for the testsuite. 2002-11-01 Niels Möller * configure.ac: Fixed definitions using SHLIBMAJOR and SHLIBMINOR. Also AC_SUBST SHLIBMAJOR and SHLIBMINOR. Reported by James Ralston. 2002-10-31 Niels Möller * examples/sexp-conv.c(sexp_put_list_start): Deleted function. (sexp_put_list_end): Likewise. (sexp_put_display_start): Likewise. (sexp_put_display_end): Likewise. (sexp_puts): Likewise. * examples/sexp-conv.c (sexp_get_quoted_string): Deleted function. Merged with sexp_get_String. (sexp_get_hex_string): Likewise. (sexp_get_base64_string): Likewise. (sexp_get_string): Do hex and base64 decoding. * examples/sexp-conv.c (enum sexp_char_type): New enum, for end markers in the input strem. (struct sexp_input): Deleted LEVEL attribute. Deleted all usage of it. (sexp_get_raw_char): Use INPUT->c and INPUT->ctype to store results. Deleted OUT argument. (sexp_get_char): Likewise. Also removed the INPUT->coding->decode_final call, for symmetry. (sexp_input_end_coding): Call INPUT->coding->decode_final. (sexp_next_char): New function. (sexp_push_char): New function. (sexp_get_token_char): Deleted function. (sexp_get_quoted_char): Simplified. Deleted output argument. (sexp_get_quoted_string): Simplified. (sexp_get_base64_string): Likewise. (sexp_get_token_string): Likewise. (sexp_get_string_length): Skip the character that terminates the string. (sexp_get_token): Cleared upp calling conventions. Always consume the final character of the token. (sexp_convert_list): Take responsibility for converting the start and end of the list. (sexp_convert_file): Call sexp_get_char first, to get the token reading started. (sexp_convert_item): Cleared up calling conventions. Should be called with INPUT->token being the first token of the expression, and returns with INPUT->token being the final token of the expression. Return value changed to void.. * examples/sexp-conv-test: Added test for transport mode input. * examples/sexp-conv.c (sexp_get_char): Use the nettle_armor interface for decoding. (sexp_input_start_coding): New function. (sexp_input_end_coding): New function. (sexp_get_base64_string): Rewrote to use sexp_input_start_coding and sexp_input_end_coding. (sexp_get_token): Generate SEXP_TRANSPORT_START tokens. (sexp_convert_list): Lists are ended only by SEXP_LIST_END. (sexp_convert_item): Implemented transport mode, using sexp_input_start_coding and sexp_input_end_coding. 2002-10-30 Niels Möller * Makefile.am: Added base16 files. * examples/sexp-conv-test: New tests for transport output. * examples/sexp-conv.c: Deleted hex functions, moved to Nettle's base16 files. (struct sexp_output): Represent the current encoding as a nettle_armor pointer and a state struct. (sexp_output_init): Deleted MODE argument. Now passed to functions that need it. (sexp_get_char): Updated to new base64 conventions. (sexp_get_base64_string): Likewise. (sexp_put_raw_char): New function. (sexp_put_newline): Use sexp_put_raw_char. (sexp_put_char): Use nettle_armor interface for encoding data. Use OUTPUT->coding_indent for line breaking, so the INDENT argument was deleted. (sexp_put_code_start): New function, replacing sexp_put_base64_start. (sexp_put_code_end): New function, replacing sexp_put_base64_end. (sexp_put_data): Deleted argument INDENT. (sexp_puts): Likewise. (sexp_put_length): Likewise. (sexp_put_list_start): Likewise. (sexp_put_list_end): Likewise. (sexp_put_display_start): Likewise. (sexp_put_display_end): Likewise. (sexp_put_string): Likewise. Also changed base64 handling. (sexp_convert_string): Deleted argument INDENT. New argument MODE_OUT. (sexp_convert_list): New argument MODE_OUT. (sexp_convert_file): Likewise. (sexp_convert_item): Likewise. Also handle output in transport mode. (match_argument): Simple string comparison. (main): Adapted to above changes. * testsuite/testutils.c (test_armor): Allocate a larger buffer CHECK, to make decode_update happy. Updated to new base64 conventions. * testsuite/base64-test.c (test_main): Fixed overlap test to not change the base64 before decoding. Updated to new base64 conventions. * testsuite/Makefile.am (TS_PROGS): Added base16-test. * testsuite/base16-test.c: New test. * sexp-transport.c (sexp_transport_iterator_first): Updated to new conventions for base64_decode_update and base64_decode_final. * nettle-meta.h: Updated ascii armor declarations. New declaration for nettle_base16. * base64-decode.c (base64_decode_single): Return -1 on error. Also keep track of the number of padding characters ('=') seen. (base64_decode_update): New argument dst_length. Return -1 on error. (base64_decode_status): Renamed function... (base64_decode_final): ... to this. * base64.h (struct base64_decode_ctx): Deleted STATUS attribute. Added PADDING attribute. * base16.h, base16-encode.c, base16-decode.c, base16-meta.c: New files. 2002-10-28 Niels Möller * examples/sexp-conv.c (struct hex_decode_ctx): New hex decoding functions. (sexp_get_raw_char): New function. (sexp_get_char): Use sexp_get_raw_char. 2002-10-26 Niels Möller * examples/sexp-conv.c (sexp_put_length): Bugfix, don't output any leading zero. (main): Implemented -s option. * examples/sexp-conv-test: Test for echo -n vs echo '\c'. Added a few tests for canonical output. 2002-10-25 Niels Möller * examples/sexp-conv.c (struct sexp_input): Deleted the mode from the state, that should be passed as argument to relevant functions. Instead, introduces enum sexp_coding, to say if base64 coding is in effect. (struct sexp_output): Added coding attribute. (sexp_put_char): Use output->coding. (sexp_put_base64_start): Likewise. (sexp_put_base64_end): Likewise. * base64-decode.c (base64_decode_single): Simplified, got rid of the done variable. 2002-10-25 Niels Möller * examples/sexp-conv.c (sexp_put_newline): Return void, die on error. (sexp_put_char, sexp_put_data, sexp_puts, sexp_put_length, sexp_put_base64_start, sexp_put_base64_end, sexp_put_string, sexp_put_list_start, sexp_put_list_end, sexp_put_display_start, sexp_put_display_end, sexp_convert_string, sexp_convert_list, sexp_skip_token): Likewise. (sexp_convert_item): Die on error. 2002-10-24 Niels Möller * examples/sexp-conv-test: Doesn't need echo -n anymore. * examples/sexp-conv.c (die): New function. (struct sexp_input): Deleted field ITEM. (sexp_get_char): Die on failure, never return -1. (sexp_get_quoted_char): Likewise. (sexp_get_quoted_string): Die on failure, no returned value. (sexp_get_base64_string): Likewise. (sexp_get_token_string): Likewise. (sexp_get_string): Likewise. (sexp_get_string_length): Likewise. (sexp_get_token): Likewise. (sexp_convert_string): Adapted to sexp_get_token. (sexp_convert_list): Likewise. (sexp_convert_file): New function. (main): Use sexp_convert_file. 2002-10-23 Niels Möller * examples/Makefile.am (TS_PROGS): Added sexp-conv-test. * examples/sexp-conv.c (sexp_input_init): Initialize input->string properly. (sexp_get_char): Fixed non-transport case. (sexp_get_quoted_char): Fixed default case. (sexp_get_token): Loop over sexp_get_char (needed for handling of white space). Don't modify input->level. Fixed the code that skips comments. (sexp_put_char): Fixed off-by-one bug in assertion. (sexp_put_string): Fixed escape handling for output of quoted strings. (sexp_convert_list): Prettier output, hanging indent after the first list element. (sexp_skip_token): New function. (sexp_convert_item): Use sexp_skip_token to skip the end of a "[display-type]". 2002-10-22 Niels Möller * examples/sexp-conv-test: New test program. * examples/Makefile.am (noinst_PROGRAMS): Added sexp-conv. * examples/sexp-conv.c (sexp_convert_list): New function. (sexp_convert_item): New function. (main): New function. Compiles and runs now, but doesn't work. * base64-decode.c (base64_decode_single): New function. (base64_decode_update): Use base64_decode_single. * examples/sexp-conv.c: Added output functions. 2002-10-21 Pontus Sköld * base64-encode.c (base64_encode_raw): Fixed null statement amongst variable declarations, broke compilation for non C99 compilers. 2002-10-21 Niels Möller * examples/sexp-conv.c: New sexp conversion program. 2002-10-21 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added sexp-format-transport.c. * sexp-transport.c (sexp_transport_iterator_first): New file and function. * sexp.h (sexp_transport_iterator_first): Added protoype. * sexp.c (sexp_iterator_next): Abort if iterator type is boogus. 2002-10-19 Niels Möller * testsuite/testutils.c (test_armor): Updated to new armor conventions. * testsuite/base64-test.c (test_main): Test BASE64_ENCODE_LENGTH and BASE64_DECODE_LENGTH. Updated test of base64_encode_raw (used to be base64_encode). * base64.h (BASE64_ENCODE_LENGTH, BASE64_DECODE_LENGTH): Fixed and documented macros. * base64-meta.c (base64_encode_length, base64_decode_length): New functions, corresponding to the macros with the same name. * Makefile.am (libnettle_a_SOURCES): base64.c replaced by base64-encode.c and base64-decode.c. * pgp-encode.c (pgp_armor): Use new base64 conventions. * nettle-meta.h: Updated nettle_armor definitions. * base64.h: Major reorganization. * base64.c: Deleted file, contents moved to base64-encode.c or base64-decode.c. * base64-encode.c: New file. New supporting both encode-at-once and streamed operation. * base64-decode.c: New file. 2002-10-09 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added dsa-keygen-test. * dsa-keygen.c: Call the progress callback only if it's non-NULL. * Makefile.am (libnettle_a_SOURCES): Added bignum-random.c and dsa-keygen.c. * testsuite/testutils.c (test_dsa_key): New function to sanity check a dsa keypair. * testsuite/dsa-test.c (test_main): Call dsa_test_key. * testsuite/dsa-keygen-test.c: New test case. * dsa.h (DSA_MINIMUM_BITS): New constant. * bignum.h (nettle_mpz_random, nettle_mpz_random_size): Added prototypes. * dsa-keygen.c: New file. * bignum-random.c: New file. (nettle_mpz_random): New function, moved from... * dsa-sign.c (nettle_mpz_random): ... here. Also changed argument ordering and updated callers. * bignum-random.c: (nettle_mpz_random_size): New function, renamed and moved here from... * rsa-keygen.c (bignum_random_size): ... here. Updated all callers. * testsuite/testutils.c (test_dsa): Needs both public and private key as arguments. * testsuite/dsa-test.c (test_main): Updated to changes of the private key struct. * testsuite/Makefile.am (TS_PROGS): Added dsa-test. * rsa-decrypt.c (rsa_decrypt): Constification. * rsa-encrypt.c (rsa_encrypt): Likewise. * rsa.c (rsa_compute_root): Likewise. * rsa_md5.c (rsa_md5_sign): Likewise. (rsa_md5_verify): Likewise. * rsa_sha1.c (rsa_sha1_sign): Likewise. (rsa_sha1_verify): Likewise. * dsa-verify.c (dsa_verify): Use const for the public key argument. * dsa-sign.c (dsa_sign): Needs the public key as argument, in addition to the private key. Use const. * dsa.h (struct dsa_private_key): Don't include the public information here. * dsa.c (dsa_private_key_init, dsa_private_key_clear): Updated to new struct dsa_private_key. * dsa-sign.c (dsa_sign): Bugfix, added missing mpz_init call. * Makefile.am (libnettle_a_SOURCES): Added dsa files. (libnettleinclude_HEADERS): Added dsa.h. * testsuite/testutils.c (test_dsa): New function. * testsuite/dsa-test.c: New test. * dsa.h, dsa.c, dsa-sign.c, dsa-verify.c: New files. * nettle-meta.h: Moved the nettle_random_func and nettle_progress_func typedefs here... * rsa.h: ... from here. 2002-10-07 Niels Möller * sexp.h (enum sexp_type): Deleted SEXP_START. * sexp.c (sexp_iterator_parse): New function, similar to the old sexp_iterator_next, but independent of the previous value of the iterator->type. (sexp_iterator_first): Use sexp_iterator_parse. (sexp_iterator_next): Likewise. (sexp_iterator_enter_list): Use sexp_iterator_parse. SEXP_START not needed anymore. (sexp_iterator_exit_list): Likewise. 2002-10-06 Niels Möller * sexp2rsa.c (get_value): No need to call sexp_iterator_next anymore. * sexp.c (sexp_iterator_assoc): Advance the iterator to the element after a matching tag, before recording it. * testsuite/sexp-test.c (test_main): Updated test. * testsuite/sexp-test.c (test_main): No need to call sexp_iterator_next after sexp_iterator_exit_list. * sexp2rsa.c (rsa_keypair_from_sexp): No need to call sexp_iterator_next anymore. * sexp.c (sexp_iterator_next): Updated to new sexp_iterator_exit_list. (sexp_iterator_exit_list): Return with iterator pointing to the element after the list. (sexp_iterator_check_type): Call sexp_iterator_next before returning. (sexp_iterator_check_types): Likewise. (sexp_iterator_assoc): Rearranged calls of sexp_iterator_next. * sexp.c (sexp_iterator_enter_list): Call sexp_iterator_next to get to the first element of the list. Updated callers. * base64.c (base64_encode_group): New function, used by openpgp armoring code. * Makefile.am: Added openpgp files. * sexp2rsa.c (rsa_keypair_from_sexp): Use sexp_iterator_first. * testsuite/sexp-test.c (test_main): Likewise. * sexp.c (sexp_iterator_init): Made this function static. (sexp_iterator_first): New, friendlier, initialization function. * pgp-encode.c: New file. Functions for writing openpgp data packets. * pgp.h: New file, with pgp related declarations. * rsa2openpgp.c (rsa_keypair_to_openpgp): New file, new function. 2002-10-04 Niels Möller * examples/rsa-keygen.c: Use malloc, instead of asprintf. 2002-10-03 Niels Möller * Released nettle-1.6. * NEWS: Note the aes api change. * examples/Makefile.am (EXTRA_DIST): Distribute setup-env and teardown-env. 2002-10-02 Niels Möller * examples/rsa-keygen.c (main): Comment on the lax security of the private key file. * index.html: Added link to mailing list. 2002-10-02 Niels Möller * Makefile.am: Fixed assembler rules, and shared libraries. * configure.ac: Fixed the enable-shared option. 2002-10-01 Niels Möller * configure.ac: New option --enable-shared, and a first attempt at building a shared library (*without* using libtool). * Makefile.am: A first attempt at rules for building a shared libnettle.so. 2002-10-01 Niels Möller * examples/run-tests (test_program): Use basename. * examples/teardown-env: Delete some more files. * examples/run-tests (test_program): Strip directory part of displayed name. * examples/Makefile.am (TS_PROGS): New variable. Run tests. * examples/io.c (read_file): Bug fix, used to overwrite pointer. * examples/rsa-keygen.c (main): Bug fix, private key wasn't written properly. * testsuite/Makefile.am: Some cleanup of make check. * examples/setup-env, examples/teardown-env: Test environment scripts. * examples/rsa-verify-test, examples/rsa-sign-test: New test cases. * examples/run-tests: New file (copied from lsh testsuite). * examples/Makefile.am: Use EXTRA_PROGRAMS and @RSA_EXAMPLES@. * examples/rsa-sign.c: No need to include config.h. Use werror instead of fprintf. * examples/rsa-verify.c: Likewise. * examples/rsa-keygen.c: Likewise. * examples/io.h: Forward declare struct rsa_public_key and struct rsa_private_key, to avoid dependences on config.h. * configure.ac (RSA_EXAMPLES): New substituted variable, controlling which example programs to build. * examples/rsa-verify.c: New example program. * examples/rsa-keygen.c: Use functions from io.c. * examples/rsa-sign.c: Likewise. * examples/Makefile.am (noinst_PROGRAMS): Added rsa-verify. (LDADD): Added io.o. * configure.ac: New define WITH_PUBLIC_KEY, and new configure flag --disable-public-key. Updated rsa-files to check for that, rather than for HAVE_LIBGMP. * examples/io.c, examples/io.c: New files. Miscellaneous functions used by the example programs. * base64.h (BASE64_DECODE_LENGTH): Comment fix. 2002-09-30 Niels Möller * sexp2rsa.c (rsa_keypair_from_sexp): Bugfix: Call rsa_prepare_public_key and rsa_prepare_private_key. * examples/Makefile.am (noinst_PROGRAMS): Added rsa-sign. * examples/rsa-sign.c: New example program. * testsuite/base64-test.c (test_main): Test encoding and decoding in place. * base64.c (base64_encode): Encode from the end of the data towards the start, in order to support overlapping areas. (base64_encode): Broke out some common code from the switch.. 2002-09-30 Niels Möller * sexp_format.c (sexp_format): Don't mix code and declarations. 2002-09-29 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added buffer-test sexp-format-test rsa2sexp-test sexp2rsa-test. * testsuite/sexp-test.c (test_main): Updated calls to sexp_iterator_assoc. * testsuite/testutils.h (MEMEQH): New macro. * testsuite/sexp2rsa-test.c: New test. * testsuite/sexp-format-test.c: New test. * testsuite/rsa2sexp-test.c: New test. * testsuite/buffer-test.c: New test. * testsuite/testutils.c (test_rsa_key): Copied this function from... testsuite/rsa-keygen-test.c: ... here. * examples/rsa-keygen.c: New file. * Makefile.am: Added new source files and headers buffer.h, buffer.c, sexp_format.c, sexp2rsa.c, rsa2sexp.c. * rsa.h (rsa_keypair_to_sexp, rsa_keypair_from_sexp): New prototypes. * rsa2sexp.c, sexp2rsa.c: New files. * sexp.c (sexp_iterator_assoc): Don't enter the list, associate keys within the current list. Still exit the list when done. (sexp_iterator_assoc): Represent keys as plain NUL-terminated strings. (sexp_iterator_check_type, sexp_iterator_check_types): New functions. * sexp_format.c: New file, implementing an sexp canonical syntax formatter. * buffer.c, buffer.h: New files, implementing a bare-bones string stream. * bignum.c (nettle_mpz_sizeinbase_256): New function. 2002-09-28 Niels Möller * sexp.c (sexp_iterator_assoc): Return 0 for missing or duplicate keys. Now passes all the tests. * sexp.c (sexp_iterator_simple): Bugfixes. Check earlier that length doesn't grow too large. (sexp_iterator_next): Skip the current list only if type is SEXP_LIST. Handle ')'. (sexp_iterator_enter_list): Set type to SEXP_START. (sexp_iterator_exit_list): Likewise. Don't skip the ')' here. (sexp_iterator_assoc): Bug fix. * testsuite/sexp-test.c (test_main): Reordered sexp_iterator_assoc tests. * nettle.texinfo (Randomness): Documented that yarrow256_init can be called with a zero number of sources. * testsuite/testutils.h (ASSERT): New macro. * testsuite/sexp-test.c: Test sexp parser. * Makefile.am (SUBDIRS): Added sexp files. * sexp.c, sexp.h: New files, implementing an sexp-parser. 2002-08-27 Niels Möller * Makefile.am (DISTCLEANFILES): make distclean should delete the assembler-related symlinks. 2002-08-26 Niels Möller * Makefile.am (%.o: %.asm): Create an empty (and unused) dependency file, to make the make/automake dependency tracking happier. 2002-07-18 Niels Möller * examples/nettle-benchmark.c (main): Try openssl's ciphers as well, if available. * Makefile.am (libnettle_a_SOURCES): Added nettle-openssl.c. * nettle-openssl.c: New file. * nettle-internal.h: Declare openssl glue ciphers. * des-compat.h: Extra name-mangling, to avoid collisions in case a program links with both nettle and libcrypto (the nettle-benchmark program does). * configure.ac: Don't use -ggdb3 with gcc-2.96. Check for openssl's libcrypto (for benchmarking). 2002-05-16 Niels Möller * sparc/aes.asm: Deleted registers i and t3. (_aes_crypt): Moved some registers around. We now use input registers only for arguments, local registers for loop invariants, output registers for temporaries and loop variables, and no global registers at all. * sparc/aes.asm (AES_FINAL_ROUND): New macro. (_aes_crypt): Use AES_FINAL_ROUND for the first word of the final round. (_aes_crypt): And for the rest of the final round. (AES_FINAL_ROUND): Don't update dst, just access it offseted by i. (_aes_crypt): Add 16 to dst at the end of the final round. (AES_ROUND): Use ldub, not ld + and, to get the third byte of wtxt. (AES_ROUND): Use ldub, not lduh + and, to get the second byte of a word. (AES_ROUND): Reordered instructions, so that we can save one register. (AES_ROUND): Eliminated use of t3. (AES_FINAL_ROUND): Eliminated ands. (AES_FINAL_ROUND): Reordered, so that we can save one register. (AES_FINAL_ROUND): Eliminated t3. (AES_LOAD): New macro. (_aes_crypt): Unrolled source loop. (_aes_crypt): Use AES_LOAD macro. (_aes_crypt): Deleted cruft from the old source loop. (AES_LOAD): Eliminated t3. 2002-05-15 Niels Möller * sparc/aes.asm (AES_ROUND): New macro. (_aes_crypt): Use AES_ROUND for first word of the round function. (_aes_crypt): And for the rest of the round function. * sparc/aes.asm (_aes_crypt): Deleted a bunch of additions, after accessing IDX1. * aes-internal.h (struct aes_table): sparc_idx[0] should now contain index values shifted by the size of a word, and with 2 added. This saves some additions in the sparc assembler code. Updates aes-encrypt-table.c and aes-decrypt-table.c. * sparc/aes.asm (_aes_crypt): Unrolled final loop, preparing for optimizations. (_aes_crypt): Eliminated i from forst copy of the loop. Some cleanup. (_aes_crypt): And from second copy. (_aes_crypt): And from third. (_aes_crypt): And fourth. (_aes_crypt): Eliminated updates of i from the loop. (_aes_crypt): Access IDX1 and IDX3 through the T pointer, saving two registers. * aes-internal.h (struct aes_table): Renamed the shift_idx field to sparc_idx, as it will be tweaked to improve the sparc code. Also reduced its size to [2][4]. (IDX_FACTOR): Deleted constant. * aes-encrypt-table.c (_aes_encrypt_table): Adapted initializer of sparc_idx. * aes-decrypt-table.c (_aes_decrypt_table): Likewise. * asm.m4: Deleted AES_SIDX2, to match struct aes_table. * sparc/aes.asm (_aes_crypt): Unrolled the inner loop, preparing for optimizations suggested by Marcus Comstedt. (_aes_crypt): Eliminated i from the first copy of the inner loop. (_aes_crypt): And from the second copy. (_aes_crypt): And from the third copy. (_aes_crypt): And from the fourth copy. (_aes_crypt): Renamed .Linner_loop to .Lround_loop. (_aes_crypt): Eliminated the loop variable i from the unrolled loop. (_aes_crypt): Deleted moves of constants into t2. 2002-05-15 Niels Möller * x86/aes-encrypt.asm (aes_encrypt): Use AES_SUBST_BYTE. * x86/aes-decrypt.asm (aes_decrypt): Likewise. (aes_decrypt): Use AES_STORE. (aes_decrypt): Deleted first xchgl instruction into, permuting the AES_ROUND calls instead. (aes_decrypt): Likewise for the final round. (aes_decrypt): Got rid if the xchgl instruction after the final round, folding it into the final round. * x86/machine.m4: Renamed AES_LAST_ROUND to AES_FINAL_ROUND. Updated users. * x86/aes-decrypt.asm (aes_decrypt): Use the AES_LOAD macro. (aes_decrypt): Start using AES_ROUND. (aes_decrypt): Use AES_LAST_ROUND. * x86/aes-decrypt.asm (aes_decrypt): Moved function to a separate file... * x86/aes.asm: ... from here. * x86/aes.asm (aes_decrypt): Use _aes_decrypt_table instead of itbl1-4. Commented out the inclusion of aes_tables.asm. (aes_decrypt): Use _aes_decrypt_table instead of isbox. * x86/aes-decrypt.asm: New file, empty at the start. * Makefile.am (libnettle_a_SOURCES): Added aes-decrypt-table.c. * aes-decrypt.c (_aes_decrypt_table): Moved from this file... * aes-decrypt-table.c (_aes_decrypt_table): ... to a new file. * testsuite/aes-test.out: New file, with the output of testsuite/aes-test, when aes.c has been compiled with debugging printouts of intermediate state. 2002-05-15 Niels Möller * sparc/aes.asm: (_aes_crypt): Restore %fp at end of function, to make %fp available for other uses. * sparc/aes.asm: The frame setup was broken. Tried to fix it. Reverted to revision 1.70 + minor changes from the head revision. * x86/aes-encrypt.asm (aes_encrypt): Use test instead of cmpl $0,. * x86/machine.m4 (AES_SUBST_BYTE): New macro. * sparc/aes.asm: wtxt needs no register of it's own, as its pointed to by %sp. %g5 moved to %l0, the register previously allocated for wtxt, so that we stay clean of the reserved %g registers. 2002-05-14 Niels Möller * sparc/aes.asm: Avoid using %g6 and %g7, as they are reserved for operating sytem use. Use %i5 and %o7 instead. Also moved %g4 to %g1. (_aes_crypt): Allocate only 32 bytes local storage on the stack. Calculate wtxt and tmp using offsets from %sp, not %fp. 2002-05-14 Niels Möller * x86/aes-encrypt.asm (aes_encrypt): Replaced first quarter of the round function with an invocation of AES_ROUND. (aes_encrypt): Similarly for the second column. (aes_encrypt): Similarly for the rest of the round function. * x86/machine.m4 (AES_ROUND): New macro. * x86/aes-encrypt.asm (aes_encrypt): Use AES_LOAD macro. * x86/machine.m4 (AES_LOAD): New macro. * x86/aes-encrypt.asm (aes_encrypt): Use AES_STORE. * x86/machine.m4 (AES_STORE): New macro. * x86/aes-encrypt.asm (aes_encrypt): Use the AES_LAST_ROUND macro for the first column of the final round. (aes_encrypt): Similarly for the second column. (aes_encrypt): Similarly for the third and fourth column. (aes_encrypt): Deleted xchgl instruction in final round, by reordering the second and fourth round. * x86/machine.m4 (AES_LAST_ROUND): New macro. * x86/aes-encrypt.asm (aes_encrypt): Move code here... * x86/aes.asm: ...from here. * x86/aes.asm: Use addl and subl, not add and sub. Replaced references to dtbl1-4 with references to _aes_encrypt_table. * configure.ac (asm_path): Enable x86 assembler. * x86/aes.asm (aes_decrypt): Adapted to the current interface. Notably, the order of the subkeys was reversed. Single block encrypt/decrypt works now. (aes_encrypt, aes_decrypt): Added an outer loop, so that we can encrypt more than one block at a time. 2002-05-07 Niels Möller * configure.ac: Generate config.m4. * x86/aes.asm: Use C for comments, include the tables using include_src, and commented out the key setup functions. Fixed the processing of the first handling of the round function. Now, encryption of a single block works! Multiple blocks, and decryption, is still broken. * x86/machine.m4: New file (empty). * x86/aes-encrypt.asm: New file, empty for now. * Makefile.am (%.asm): Added asm.m4, machine.m4 and config.m4 to the m4 command line. (libnettle_a_SOURCES): Added aes-encrypt-table.c. * sparc/aes.asm: No need to include asm.m4, that is taken care of by the Makefile. * config.m4.in: New file, configuration for asm.m4. * asm.m4 (C, include_src): New macros. * aes-encrypt-table.c: New file, table moved out from aes-encrypt.c. 2002-05-06 Niels Möller * configure.ac (CFLAGS): Don't enable -Waggregate-return. 2002-05-05 Niels Möller * configure.ac: Pass no arguments to AM_INIT_AUTOMAKE. 2002-05-05 Niels Möller * configure.ac: Update for automake-1.6. * configure.ac: Renamed file, used to be configure.in. 2002-03-20 Niels Möller * testsuite/run-tests (test_program): Added missing single quote. 2002-03-20 Niels Möller * testsuite/run-tests (test_program): Test the exit status of the right process. 2002-03-19 Pontus Sköld * testsuite/run-tests: Removed /bin/bashisms to use with /bin/sh. 2002-03-18 Niels Möller * rsa-keygen.c (rsa_generate_keypair): Output a newline after a non-empty line of 'e':s (bad e was chosen, try again). 2002-03-16 Niels Möller * configure.in (asm_path): AC_CONFIG_LINKS adds $srcdir automatically. 2002-03-14 Niels Möller * sparc/aes.asm, x86/aes.asm: Added copyright notice. * Makefile.am (libnettle_a_SOURCES): Added aes-internal.h. (EXTRA_DIST): Added assembler files. * configure.in (asm_path): Use $srcdir when looking for the files. * configure.in (asm_path): For now, disable x86 assembler code. Bumped version to 1.6. 2002-02-25 Niels Möller * sparc/aes.asm (_aes_crypt): Moved increment of src into the source_loop. Also fixed stop condition, the loop was run 5 times, not 4, as it should. (_aes_crypt): Use src directly when accessing the source data, don't use %o5. (_aes_crypt): Renamed variables in source_loop. (_aes_crypt): Changed stop condition in source_loop to not depend on i. Finally reduced the source_loop to 16 instructions. Also increased the alignment of the code to 16. (_aes_crypt): In final_loop, use preshifted indices. (_aes_crypt): In final_loop, construct the result in t0. Use t0-t3 for intermediate values. (_aes_crypt): In final_loop, use the register idx. (_aes_crypt): In final_loop, keep i multiplied by 4. Use key to get to the current roundkey. (_aes_crypt): In final_loop, use i for indexing. (_aes_crypt): Update dst in the output loop. This yields a delay slot that isn't filled yet. (_aes_crypt): Decrement round when looping, saving yet some instructions. (_aes_crypt): Reformatted code as blocks of four instructions each. (_aes_crypt): Copy the addresses of the indexing tables into registers at the start. No more need for the idx register. (_aes_crypt): Deleted idx register. (_aes_crypt): Some peep hole optimizations, duplicating some instructions to fill nop:s, and put branch instructions on even word addresses. 2002-02-22 Niels Möller * sparc/aes.asm (_aes_crypt): Moved some more additions out of the inner loop, using additional registers. (_aes_crypt): Deleted one more addition from the inner loop, by using the subkey pointer. 2002-02-19 Niels Möller * configure.in (asm_path): Renamed "path" to "asm_path". Also look for a machine.m4. 2002-02-16 Niels Möller * sparc/aes.asm: Use that IDX2(j) == j ^ 2 * Makefile.am (libnettle_a_SOURCES): Reordered aes-decrypt.c and aes-encrypt.c. For some strange reason it makes the benchmark go faster... * sparc/aes.asm (_aes_crypt): Use double-buffering, and no separate loop for adding the round key. (round): Keep round index muliplied by 16, so it can be used directly for indexing the subkeys. (_aes_crypt): In the final loop, use ctx+round to access the subkeys, no need for an extra register. 2002-02-15 Niels Möller * sparc/aes.asm (_aes_crypt): Renaming variables, allocating locals starting from %l0. (_aes_crypt): Consistently use %l4, aka i, as the variable for the innermost loops. (_aes_crypt): Moved reading of ctx->nrounds out of the loop. (_aes_crypt): In final_loop, deleted a redundant mov, and use i as loop variable. (_aes_crypt): Started renumbering registers in the inner loop. The computation for the table[j] sub-expression should be kept in register %o[j]. (_aes_crypt): Renamed more variables in the inner loop. Now the primary variables are t0, t1, t2, t3. * sparc/aes.asm (_aes_crypt): Swapped register %i0 and %o5, %i1 and %o0, %i2 and %o4, %i3 and %o3, %i4 and %o2. (_aes_crypt): wtxt was stored in both %l1 and %l2 for the entire function. Freed %l2 for other uses. (_aes_crypt): Likewise for tmp, freeing register %o1. * sparc/machine.m4: New file, for sparc-specific macros. * sparc/aes.asm (_aes_crypt): Hacked the source_loop, to get rid of yet another redundant loop variable, and one instruction. (_aes_crypt): Strength reduce loop variable in the inner loop, getting rid of one register. (_aes_crypt): Use pre-shifted indices (aes_table.idx_shift), to avoid some shifts in the inner loop. (_aes_crypt): Don't check for nrounds==0 at the start of the loop. * asm.m4: Define and use structure-defining macros. * Makefile.am (%.asm): Use a GNU pattern rule, to make %.o depend on both %.asm and asm.m4. * aes-internal.h (struct aes_table): New subtable idx_shift. Updated tables in aes_encrypt.c and aes_decrypt.c. * asm.m4: Use eval to compute values. * sparc/aes.asm (_aes_crypt): Deleted commented out old version of the code. * asm.m4: Added constants for individual rows of the aes table. * aes.c (IDX0, IDX1, IDX2, IDX3): New macros, encapsualting the structure of the idx table. * asm.m4: Define various aes struct offsets. * testsuite/cbc-test.c (test_cbc_bulk): Use aes_set_encrypt_key and aes_set_decrypt_key. * sparc/aes.asm (_aes_crypt): Use symbolic names for the fucntion arguments. 2002-02-14 Niels Möller * sparc/aes.asm: Copied gcc assembler code for _aes_crypt. * aesdata.c: New program for generating AES-related tables. * testsuite/testutils.c (print_hex): New function (moved from yarrow-test.c). * testsuite/rsa-keygen-test.c (progress): Declare the ctx argument as UNUSED. * testsuite/cbc-test.c (test_cbc_bulk): New function, testing CBC with larger blocks. * yarrow256.c: Replaced uses of aes_set_key with aes_set_encrypt_key. * nettle-meta.h (_NETTLE_CIPHER_SEP): New macro, useful for algorithms with separate encyption and decryption key setup. * aes-internal.h (struct aes_table): New structure, including all constant tables needed by the unified encryption or decryption function _aes_crypt. * aes.c (_aes_crypt): New function, which unifies encryption and decryption. AES key setup now uses two separate functions for setting encryption and decryption keys. Applications that don't do decryption need no inverted subkeys and no code to generate them. Similarly, the tables (about 4K each for encryption and decryption), are put into separate files. * aes.h (struct aes_ctx): Deleted space for inverse subkeys. For decryption, the inverse subkeys replace the normal subkeys, and they are stored _in the order they are used_. * aes-set-key.c (aes_set_key): Deleted file, code moved... * aes-set-decrypt-key.c, aes-set-encrypt-key.c: New files, separated normal and inverse key setup. * aes-tables.c: Deleted, tables moved elsewhere... * aes-encrypt.c, aes-decrypt.c: New files; moved encryption and decryption funktions, and needed tables, into separate files. 2002-02-13 Niels Möller * aes.c (aes_encrypt): Don't unroll the innerloop. (aes_encrypt): Don't unroll the loop for the final round. (aes_decrypt): Likewise, no loop unrolling. * aes-set-key.c (aes_set_key): Reversed the order of the inverted subkeys. They are now stored in the same order as they are used. * aes-tables.c (itable): New bigger table, generated by aesdata.c. * aes.c (aes_decrypt): Rewrote to use the bigger tables. 2002-02-12 Niels Möller * aes.c (aes_encrypt): Interleave computation and output in the final round. * aes-internal.h (AES_SMALL): New macro. * aes.c (aes_encrypt): Optionally use smaller rotating inner loop. * aes-tables.c (dtbl): Replaced with table generated by aesdata. * aes.c (aes_encrypt): Rewrite, now uses larger tables in order to avoid rotates. * sparc/aes.asm (aes_encrypt): Strength reduced on j, getting rid of one register and one instruction in the inner loop. * sparc/aes.asm (idx, aes_encrypt): Multiplied tabled values by 4, making it possible to get rid of some shifts in the inner loop. * configure.in: Fixed spelling of --enable-assembler. Commented out debug echo:s. * asm.m4: New file. For now, only doing changequote and changecom. * sparc/aes.asm (aes_encrypt): Added comments. (aes_encrypt): Cut off redundant instruction per block, also saving one redundant register pointing to idx. (idx_row): New macro. Include asm.m4. 2002-02-11 Niels Möller * sparc/aes.asm (key_addition_8to32): Cleaned up. Deleted gcc-generated debugging information. * sparc/aes.asm (key_addition32): First attempt at optimization. Made it slower ;-) * sparc/aes.asm (key_addition32): Unrolled loop, gained 4% speed, payed four instructions compared to gcc generated code. * Makefile.am (.asm.o): New rule for assembling via m4. (libnettle_a_SOURCES): Added new rsa and aes files. * configure.in: New command line option --enable-assembler. Selects assembler code depending on the host system. * rsa-decrypt.c, rsa-encrypt.c: New files for rsa pkcs#1 encryption. * aes-set-key.c, aes-tables.c: New files, split off from aes.c. Tables are now not static, but use a _aes_ prefix on their names. * aes-internal.h: New file. * cast128-meta.c (_NETTLE_CIPHER_FIX): Use _NETTLE_CIPHER_FIX. * cbc.c (cbc_decrypt_internal): New function, doing the real CBC procesing and requiring that src != dst. (cbc_decrypt): Use cbc_decrypt_internal. If src == dst, use a buffer of limited size to copy the ciphertext. * nettle-internal.c (nettle_blowfish128): Fixed definition, with key size in bits. * nettle-meta.h (_NETTLE_CIPHER_FIX): New macro, suitable for ciphers with a fixed key size. * examples/nettle-benchmark.c (display): New function for displaying the results, including MB/s figures. * sparc/aes.asm: New file. Not yet tuned in any way (it's just the code generated by gcc). 2002-02-11 Niels Möller * x86/aes.asm, x86/aes_tables.asm: New assembler implementation by Rafael Sevilla. 2002-02-06 Niels Möller Applied patch from Dan Egnor improving the base64 code. * base64.h (BASE64_ENCODE_LENGTH): New macro. (struct base64_ctx): New context struct, for decoding. (BASE64_DECODE_LENGTH): New macro. * base64.c (base64_decode_init): New function. (base64_decode_update): New function, replacing base64_decode. Takes a struct base64_ctx argument. * nettle-meta.h: Updated nettle_armor, and related typedefs and macros. * testsuite/testutils.c (test_armor): Updated. * configure.in: Use AC_PREREQ(2.50). 2002-02-01 Niels Möller * Released nettle-1.5. 2002-01-31 Niels Möller * acinclude.m4: Commented out gmp-related macros, they're probably not needed anymore. 2002-01-31 Niels Möller * configure.in: Added command line options --with-lib-path and --with-include-path. Use the RPATH-macros to get correct flags for linking the test programs with gmp. * acinclude.m4: New file. 2002-01-31 Niels Möller * nettle.texinfo (Randomness): New subsection on Yarrow. 2002-01-30 Niels Möller * nettle.texinfo (Randomness): New chapter. Spell checking and ispell configuration. * md5.c: Added reference to RFC 1321. 2002-01-24 Niels Möller * nettle.texinfo (Public-key algorithms): Minor fixes. 2002-01-22 Niels Möller * nettle.texinfo (Nettle soup): New chapter. (Hash functions): New subsection on struct nettle_hash. (Hash functions): New subsection on struct nettle_cipher. (Keyed hash functions): New section, describing MAC:s and HMAC. (Public-key algorithms): New chapter. * testsuite/testutils.c (test_armor): New function. * testsuite/base64-test.c: New testcase. * testsuite/Makefile.am (TS_PROGS): Added base64-test. * nettle-meta.h (struct nettle_armor): New struct. * configure.in: Bumped version to 1.5. * Makefile.am (libnettle_a_SOURCES): Added base64 files, and some missing header files. * base64.c, base64.h, base64-meta.c: New files, hacked by Dan Egnor. 2002-01-16 Niels Möller * testsuite/yarrow-test.c: Deleted ran_array code, use knuth-lfib.h instead. * testsuite/testutils.c (test_rsa_md5, test_rsa_sha1): Moved functions here... * testsuite/rsa-test.c: ...from here. * testsuite/rsa-keygen-test.c: New file. * testsuite/knuth-lfib-test.c: New file. * Makefile.am (libnettle_a_SOURCES): Added knuth-lfib.c and rsa-keygen.c. * rsa-keygen.c: New file. * rsa.h (RSA_MINIMUM_N_OCTETS): New constant. (RSA_MINIMUM_N_BITS): New constant. (nettle_random_func, nettle_progress_func): New typedefs. Perhaps they don't really belong in this file. (rsa_generate_keypair): Added progress-callback argument. * macros.h (READ_UINT24, WRITE_UINT24, READ_UINT16, WRITE_UINT16): New macros. * knuth-lfib.c, knuth-lfib.h: New files, implementing a non-cryptographic prng. 2002-01-15 Niels Möller * hmac-sha1.c: New file. 2002-01-14 Niels Möller * configure.in: Bumped version to 1.1. * testsuite/hmac-test.c (test_main): Added hmac-sha1 test cases. * rsa.c (rsa_init_private_key, rsa_clear_private_key): Handle d. * rsa.h (struct rsa_private_key): Reintroduced d attribute, to be used only for key generation output. (rsa_generate_keypair): Wrote a prototype. * Makefile.am (libnettle_a_SOURCES): Added hmac-sha1.c and nettle-internal.h. * des.c: Use static const for all tables. (des_set_key): Use a new const * variable for the parity procesing, for constness reasons. * list-obj-sizes.awk: New file. * nettle-internal.c, nettle-internal.h: New files. * testsuite/Makefile.am (TS_PROGS): Added hmac-test. Deleted old m4-stuff. * testsuite/testutils.h (LDATA): Moved this macro here,... * testsuite/rsa-test.c: ... from here. * testsuite/hmac-test.c: New file. * hmac.h: General cleanup. Added declarations of hmac-md5, hmac-sha1 and hmac-sha256. * hmac.c: Bug fixes. * hmac-md5.c: First working version. * Makefile.am (libnettle_a_SOURCES): Added hmac.c and hmac-md5.c. (libnettleinclude_HEADERS): Added hmac.h. * testsuite/rsa-test.c: Also test a 777-bit key. * rsa.c (rsa_check_size): Changed argument to an mpz_t. Updated callers. (rsa_prepare_private_key): Compute the size of the key by computing n = p * q. * rsa-compat.c: Adapted to new private key struct. * rsa_md5.c: Likewise. * rsa_sha1.c: Likewise. * rsa.c (rsa_check_size): New function, for computing and checking the size of the modulo in octets. (rsa_prepare_public_key): Usa rsa_check_size. (rsa_init_private_key): Removed code handling n, e and d. (rsa_clear_private_key): Likewise. (rsa_compute_root): Always use CRT. * rsa.h (struct rsa_private_key): Deleted public key and d from the struct, as they are not needed. Added size attribute. 2002-01-12 Niels Möller * Makefile.am: Added *-meta files. * rsa.c (rsa_init_public_key): New function. (rsa_clear_public_key): Likewise. (rsa_init_private_key): Likewise. (rsa_clear_private_key): Likewise. * aes-meta.c: New file. * arcfour-meta.c: New file. * cast128-meta.c: New file. * serpent-meta.c: New file. * twofish-meta.c: New file. * examples/nettle-benchmark.c: Use the interface in nettle-meta.h. 2002-01-11 Niels Möller Don't use m4 for generating test programs, it's way overkill. Use the C preprocessor instead. * testsuite/*-test.c: New file. * hmac.c, hmac.h, hmac-md5.c: New files. Defined structures describing the algoriths. Useful for code that wants to treat an algorithm as a black box. * nettle-meta.h, md5-meta.c, sha1-meta.c, sha256-meta.c: New files. 2002-01-09 Niels Möller * rsa-compat.c: Updated for new md5 and rsa conventions. * rsa_md5.c: Represent a signature as an mpz_t, not a string. Updated calls of md5 functions. * rsa_sha1.c: Likewise. * rsa.c (rsa_prepare_public_key): Renamed function, was rsa_init_public_key. (rsa_prepare_private_key): Renamed function, was rsa_init_private_key. * nettle.texinfo (Hash functions): Update for the changed interface without *_final. Document sha256. * testsuite/md5-test.m4, testsuite/sha1-test.m4, testsuite/sha256-test.m4, testsuite/yarrow-test.c: Updated for new hash function interface. * yarrow256.c: Removed calls of sha256_final and and some calls of sha256_init. * md5-compat.c (MD5Final): Call only md5_digest. * md5.c (md5_digest): Call md5_final and md5_init. (md5_final): Declared static. sha1.c, sha256.c: Analogous changes. * bignum.c (nettle_mpz_get_str_256): Declare the input argument const. 2001-12-14 Niels Möller * Makefile.am (EXTRA_DIST): Added $(des_headers). Changed dependencies for $(des_headers) to depend only on the source file desdata.c, not on the executable. 2001-12-12 Niels Möller * testsuite/yarrow-test.c (main): Updated testcase to match fixed generator. Send verbose output to stdout, not stderr. * yarrow256.c (yarrow_slow_reseed): Bug fix, update the fast pool with the digest of the slow pool. (yarrow256_init): Initialize seed_file and counter to zero, to ease debugging. 2001-12-07 Niels Möller * bignum.c (nettle_mpz_get_str_256): Fixed handling of leading zeroes. 2001-12-05 Niels Möller * testsuite/yarrow-test.c (main): Updated test to match the fixed key event estimator. * yarrow_key_event.c (yarrow_key_event_estimate): Fixed handling of timing info. * nettle.texinfo (Copyright): Say that under certain circumstances, Nettle can be used as if under the LGPL. * README: Added a paragraph on copyright. 2001-11-15 Niels Möller * yarrow256.c (yarrow256_force_reseed): New function. 2001-11-14 Niels Möller * testsuite/yarrow-test.c (main): Use yarrow256_is_seeded. * yarrow256.c (yarrow256_needed_sources): New function. (yarrow256_is_seeded): New function. (yarrow256_update): Use yarrow256_needed_sources. 2001-11-14 Niels Möller * testsuite/yarrow-test.out: Updated, to match the seed-file aware generator. * testsuite/yarrow-test.c: Updated expected_output. Check the seed file contents at the end. * yarrow256.c (yarrow256_seed): New function. (yarrow_fast_reseed): Create new seed file contents. 2001-11-13 Niels Möller * yarrow.h: Deleted yarrow160 declarations. 2001-11-02 Niels Möller * yarrow256.c (yarrow256_init): Fixed order of code and declarations. 2001-10-30 Niels Möller * rsa-compat.h: Added real prototypes and declarations. * Makefile.am (libnettle_a_SOURCES): Added rsa-compat.h and rsa-compat.c. * rsa-compat.c: New file, implementing RSA ref signature and verification functions. * configure.in: Check for libgmp. Deleted tests for SIZEOF_INT and friends. * rsa_sha1.c: New file, PKCS#1 rsa-sha1 signatures. * rsa_md5.c: New file, PKCS#1 rsa-md5 signatures. * rsa.c: New file with general rsa functions. * Makefile.am (libnettle_a_SOURCES): Added rsa and bignum files. * bignum.c, bignum.h: New file, with base256 functions missing in gmp. * testsuite/Makefile.am: Added bignum-test. * testsuite/run-tests (test_program): Check the exit code more carefully, and treat 77 as skip. This convention was borrowed from autotest. * testsuite/macros.m4: New macro SKIP which exits with code 77. * testsuite/bignum-test.m4: New file. 2001-10-15 Niels Möller * testsuite/Makefile.am (EXTRA_DIST): Include rfc1750.txt in the distribution. 2001-10-14 Niels Möller * testsuite/des-test.m4: Added testcase taken from applied cryptography. * testsuite/yarrow-test.c: Use sha256 instead of sha1 for checking input and output. Updated the expected values. * yarrow256.c (YARROW_RESEED_ITERATIONS): New constant. (yarrow_iterate): New function. (yarrow_fast_reseed): Call yarrow_iterate. * testsuite/yarrow-test.c: Added verbose flag, disabled by default. 2001-10-12 Niels Möller * examples/nettle-benchmark.c: Added more ciphers. * Makefile.am (SUBDIRS): Added the examples subdir. * configure.in: Output examples/Makefile. 2001-10-12 Niels Möller * examples/nettle-benchmark.c: New benchmarking program. 2001-10-10 Niels Möller * testsuite/yarrow-test.c: Open rfc1750.txt. Hash input and output, and compare to expected values. * testsuite/Makefile.am (CFLAGS): Don't disable optimization. (run-tests): Set srcdir in the environment when running run-tests. * testsuite/rfc1750.txt: Added this rfc as test input for yarrow. * yarrow_key_event.c (yarrow_key_event_estimate): Check if previous is zero. (yarrow_key_event_init): Initialize previous to zero. * yarrow256.c: Added debug some output. * testsuite/yarrow-test.c (main): Better output of entropy estimates at the end. 2001-10-09 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added yarrow-test. * testsuite/yarrow-test.c: New file. * yarrow256.c (yarrow256_init): Initialize the sources. (yarrow256_random): Fixed loop condition. * yarrow.h (YARROW_KEY_EVENT_BUFFER): New constant. * yarrow_key_event.c: New file. * Makefile.am (libnettle_a_SOURCES): Added yarrow_key_event.c. 2001-10-08 Niels Möller * yarrow.h (struct yarrow_key_event_ctx): New struct. * yarrow256.c (yarrow_fast_reseed): Generate two block of output using the old key and feed into the pool. * yarrow.h (struct yarrow256_ctx): Deleted buffer, index and block_count. * yarrow256.c (yarrow_fast_reseed): New function. (yarrow_slow_reseed): New function. (yarrow256_update): Check seed/reseed thresholds. (yarrow_gate): New function, extracted from yarrow_generate_block_with_gate which was deleted. (yarrow_generate_block_with_gate): Deleted function. (yarrow256_random): Don't buffer any output, instead gate after each request. (YARROW_GATE_THRESHOLD): Deleted constant. 2001-10-07 Niels Möller * Makefile.am: Added yarrow files. * yarrow256.c: New file, implementing Yarrow. Work in progress. * sha256.c: New file, implementing sha256. * testsuite/Makefile.am (CFLAGS): Added sha256-test. * testsuite/sha256-test.m4: New testcases for sha256. * shadata.c: New file, for generating sha256 constants. * sha.h: Renamed sha1.h to sha.h, and added declarations for sha256. 2001-10-05 Niels Möller * testsuite/aes-test.m4: Added a comment with NIST test vectors. 2001-10-04 Niels Möller * rsa.h, rsa-compat.h, yarrow.h: New files. 2001-09-25 Niels Möller * Released version 1.0. 2001-09-25 Niels Möller * sha1.c: Include stdlib.h, for abort. * md5.c: Include string.h, for memcpy. * testsuite/Makefile.am (M4_FILES): New variable. Explicitly list those C source files that should be generated by m4. * configure.in: Changed package name from "libnettle" to "nettle". * Makefile.am (EXTRA_DIST): Added .bootstrap. * AUTHORS: Added a reference to the manual. 2001-09-25 Niels Möller * des-compat.c (des_cbc_cksum): Bug fix, local variable was declared in the middle of a block. 2001-09-19 Niels Möller * nettle.texinfo (Compatibility functions): New section, mentioning md5-compat.h and des-compat.h. 2001-09-18 Niels Möller * index.html: New file. 2001-09-16 Niels Möller * nettle.texinfo: Added description of des3. Minor fixes. * testsuite/des-compat-test.c (cbc_data): Shorten to 32 bytes (4 blocks), the last block of zeroes wasn't used anyway. * des-compat.c (des_compat_des3_decrypt): Decrypt in the right order. (des_ncbc_encrypt): Bug fixed. (des_cbc_encrypt): Rewritten as a wrapper around des_ncbc_encrypt. 2001-09-14 Niels Möller * testsuite/des-compat-test.c: New file, copied from libdes (freeswan). All implemented functions but des_cbc_cksum seems to work now. * testsuite/Makefile.am (TS_PROGS): Added des-compat-test. * des-compat.c: Added libdes typedef:s. Had to remove all use of const in the process. (des_check_key): New global variable, checked by des_set_key. * des.c (des_set_key): Go on and expand the key even if it is weak. * des-compat.c (des_cbc_cksum): Implemented. (des_key_sched): Fixed return values. 2001-09-11 Niels Möller * Makefile.am: Added des-compat.c and des-compat.h * des-compat.c: Bugfixes, more functions implemented. * des-compat.h: Define DES_ENCRYPT and DES_DECRYPT. Bugfixes. 2001-09-10 Niels Möller * nettle.texinfo (Copyright): Added copyright information for serpent. (Miscellaneous functions): Started writing documentation on the CBC functions. (Cipher Block Chaining): This section more or less complete now. 2001-09-09 Niels Möller * testsuite/cbc-test.m4: Record intermediate values in a comment. * testsuite/des3-test.m4: Likewise. * testsuite/aes-test.m4: Added test case that appeared broken in the cbc test. * cbc.c (cbc_encrypt): Bug fix, encrypt block *after* XOR:ing the iv. * Makefile.am (libnettleinclude_HEADERS): Added cbc.h. Deleted des3.h. (libnettle_a_SOURCES): Added des3.c. * testsuite/Makefile.am (TS_PROGS): Added des3-test and cbc-test. * testsuite/cbc-test.m4: New testcase. * testsuite/des3-test.m4: New testcase. * cbc.h (CBC_CTX): New macro. (CBC_ENCRYPT): New macro. (CBC_DECRYPT): New macro. * des.c (des_fix_parity): New function. * des3.c: New file, implementing triple des. 2001-09-06 Niels Möller * cbc.c, cbc.h: New files, for general CBC encryption. * des-compat.h: Added some prototypes. 2001-09-05 Niels Möller * testsuite/Makefile.am (TS_PROGS): Added md5-compat-test. * README: Copied introduction from the manual. * configure.in: Bumped version to 1.0. * Makefile.am (libnettleinclude_HEADERS): Added missing includes. (libnettle_a_SOURCES): Added md5-compat.c and md5-compat.h. * md5-compat.c, md5-compat.h: New files, implementing an RFC 1321-style interface. 2001-09-02 Niels Möller * twofish.c (twofish_decrypt): Fixed for();-bug in the block-loop. Spotted by Jean-Pierre. (twofish_encrypt): Likewise. 2001-07-03 Niels Möller * testsuite/testutils.c: Include string.h. * twofish.c: Include string.h. 2001-06-17 Niels Möller * Makefile.am (des_headers): Dont use $(srcdir)/-prefixes as that seems to break with GNU make 3.79.1. * testsuite/testutils.c, testsuite/testutils.h: Use , not . Include . 2001-06-17 Niels Möller * Use , not . * blowfish.h (BLOWFISH_MAX_KEY_SIZE): Fixed, should be 56. * Fixed copyright notices. * Makefile.am (libnettle_a_SOURCES): Added desinfo.h and desCode.h. (info_TEXINFOS): Added manual. (EXTRA_DIST): Added nettle.html. (%.html): Added rule for building nettle.html. * nettle.texinfo: New manual. * configure.in: Bumped version to 0.2. * testsuite/Makefile.am (TS_PROGS): Added cast128 test. * Added CAST128. * testsuite/serpent-test.m4: Added a few rudimentary tests extracted from the serpent package. * twofish.c: Adapted to nettle. Made constant tables const. Deleted bytes_to_word and word_to_bytes; use LE_READ_UINT32 and LE_WRITE_UINT32 instead. (twofish_selftest): Deleted. Moved the tests to the external testsuite. (twofish_set_key): Don't silently truncate too large keys. * sha1.c (sha1_update): Use unsigned for length. * serpent.c (serpent_set_key): Read the key backwards. Fixed padding (but there are no test vectors for key_size not a multiple of 4). (serpent_encrypt): Read and write data in the strange order used by the reference implementation. (serpent_decrypt): Likewise. * macros.h (FOR_BLOCKS): New macro, taken from lsh. * blowfish.h (struct blowfish_ctx): Use a two-dimensional array for s. * blowfish.c (initial_ctx): Arrange constants into a struct, to simplify key setup. (F): Deleted all but one definitions of the F function/macro. Added a context argument, and use that to find the subkeys. (R): Added context argument, and use that to find the subkeys. (blowfish_set_key): Some simplification. (encrypt): Deleted code for non-standard number of rounds. Deleted a bunch of local variables. Using the context pointer for everything should consume less registers. (decrypt): Likewise. * Makefile.am (libnettle_a_SOURCES): Added twofish. 2001-06-16 Niels Möller * testsuite/blowfish-test.m4: Fixed test. * Added twofish implementation. * blowfish.h (struct blowfish_ctx): Use the correct size for the p array. 2001-06-15 Niels Möller * testsuite/blowfish-test.m4: Fixed testcase, use correct key length. * Makefile.am (libnettle_a_SOURCES): Added blowfish files. ($(des_headers)): Strip directory part when passing file name to desdata. * testsuite/blowfish-test.m4: Added one test, from GNUPG. * Created blowfish.c and blowfish.h (from GNUPG via LSH). Needs more work. * aes.h: Fixed copyright notice to not mention GNU MP. XXX: Review all nettle copyrights. * testsuite/Makefile.am (TS_PROGS): Added tests for twofish and blowfish. 2001-06-13 Niels Möller * Makefile.am (libnettle_a_SOURCES): Added serpent files. 2001-06-12 Niels Möller * des.c (des_encrypt, des_decrypt): Assert that the key setup was successful. * testsuite/Makefile.am (TS_PROGS): Added tests for des and sha1. * testsuite/sha1-test.m4: New file. * testsuite/des-test.m4: New file. * Added sha1 files. * Added desCore files. * Makefile.am: Added desCore and sha1. 2001-04-17 Niels Möller * install-sh: Copied the standard install script. * testsuite/Makefile.am (CFLAGS): Disable optimization. Add $(top_srcdir) to the include path. (EXTRA_DIST): Added testutils.h, testutils.c and run-tests. (run-tests): Fixed path to run-tests. * Makefile.am (EXTRA_DIST): Added memxor.h. (libnettleinclude_HEADERS): Install headers in $(libnettleincludedir). 2001-04-13 Niels Möller * Initial checkin. nettle-3.10/ecc-mod-inv.c0000644000175000017500000000746114633602171014234 0ustar nissenisse/* ecc-mod-inv.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" static void cnd_neg (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n) { mp_limb_t cy = (cnd != 0); mp_limb_t mask = -cy; mp_size_t i; for (i = 0; i < n; i++) { mp_limb_t r = (ap[i] ^ mask) + cy; cy = r < cy; rp[i] = r; } } /* Compute a^{-1} mod m, with running time depending only on the size. Returns zero if a == 0 (mod m), to be consistent with a^{phi(m)-1}. Also needs (m+1)/2, and m must be odd. Needs 3n limbs of scratch space. */ /* FIXME: Could use mpn_sec_invert (in GMP-6), but with a bit more scratch need since it doesn't precompute (m+1)/2. */ void ecc_mod_inv (const struct ecc_modulo *m, mp_limb_t *vp, const mp_limb_t *in_ap, mp_limb_t *scratch) { #define ap scratch #define bp (scratch + n) #define up (scratch + 2*n) mp_size_t n = m->size; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned i; /* Maintain a = u * orig_a (mod m) b = v * orig_a (mod m) and b odd at all times. Initially, a = a_orig, u = 1 b = m, v = 0 */ assert (ap != vp); up[0] = 1; mpn_zero (up+1, n - 1); mpn_copyi (bp, m->m, n); mpn_zero (vp, n); mpn_copyi (ap, in_ap, n); for (i = m->bit_size + GMP_NUMB_BITS * n; i-- > 0; ) { mp_limb_t odd, swap, cy; /* Always maintain b odd. The logic of the iteration is as follows. For a, b: odd = a & 1 a -= odd * b if (underflow from a-b) { b += a, assigns old a a = B^n-a } a /= 2 For u, v: if (underflow from a - b) swap u, v u -= odd * v if (underflow from u - v) u += m u /= 2 if (a one bit was shifted out) u += (m+1)/2 As long as a > 0, the quantity (bitsize of a) + (bitsize of b) is reduced by at least one bit per iteration, hence after (bit_size of orig_a) + (bit_size of m) - 1 iterations we surely have a = 0. Then b = gcd(orig_a, m) and if b = 1 then also v = orig_a^{-1} (mod m) */ assert_maybe (bp[0] & 1); odd = ap[0] & 1; swap = mpn_cnd_sub_n (odd, ap, ap, bp, n); mpn_cnd_add_n (swap, bp, bp, ap, n); cnd_neg (swap, ap, ap, n); mpn_cnd_swap (swap, up, vp, n); cy = mpn_cnd_sub_n (odd, up, up, vp, n); cy -= mpn_cnd_add_n (cy, up, up, m->m, n); assert_maybe (cy == 0); cy = mpn_rshift (ap, ap, n, 1); assert_maybe (cy == 0); cy = mpn_rshift (up, up, n, 1); cy = mpn_cnd_add_n (cy, up, up, m->mp1h, n); assert_maybe (cy == 0); } assert_maybe ( (ap[0] | ap[n-1]) == 0); #undef ap #undef bp #undef up } nettle-3.10/ecc-mod.c0000644000175000017500000000624614633602171013442 0ustar nissenisse/* ecc-mod.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc-internal.h" /* Computes r <-- x mod m, input 2*m->size, output m->size. It's * allowed to have rp == xp or rp == xp + m->size, but no other kind * of overlap is allowed. */ void ecc_mod (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp) { mp_limb_t hi; mp_size_t mn = m->size; mp_size_t bn = m->B_size; mp_size_t sn = mn - bn; mp_size_t rn = 2*mn; mp_size_t i; unsigned shift; assert (bn < mn); /* FIXME: Could use mpn_addmul_2. */ /* Eliminate sn limbs at a time */ if (m->B[bn-1] < ((mp_limb_t) 1 << (GMP_NUMB_BITS - 1))) { /* Multiply sn + 1 limbs at a time, so we get a mn+1 limb product. Then we can absorb the carry in the high limb */ while (rn > 2 * mn - bn) { rn -= sn; for (i = 0; i <= sn; i++) xp[rn+i-1] = mpn_addmul_1 (xp + rn - mn - 1 + i, m->B, bn, xp[rn+i-1]); xp[rn-1] = xp[rn+sn-1] + mpn_add_n (xp + rn - sn - 1, xp + rn - sn - 1, xp + rn - 1, sn); } } else { while (rn > 2 * mn - bn) { rn -= sn; for (i = 0; i < sn; i++) xp[rn+i] = mpn_addmul_1 (xp + rn - mn + i, m->B, bn, xp[rn+i]); hi = mpn_add_n (xp + rn - sn, xp + rn - sn, xp + rn, sn); hi = mpn_cnd_add_n (hi, xp + rn - mn, xp + rn - mn, m->B, mn); assert_maybe (hi == 0); } } assert (rn > mn); rn -= mn; assert (rn <= sn); for (i = 0; i < rn; i++) xp[mn+i] = mpn_addmul_1 (xp + i, m->B, bn, xp[mn+i]); hi = mpn_add_n (xp + bn, xp + bn, xp + mn, rn); if (rn < sn) hi = sec_add_1 (xp + bn + rn, xp + bn + rn, sn - rn, hi); shift = m->size * GMP_NUMB_BITS - m->bit_size; if (shift > 0) { /* Combine hi with top bits, add in */ hi = (hi << shift) | (xp[mn-1] >> (GMP_NUMB_BITS - shift)); xp[mn-1] = (xp[mn-1] & (((mp_limb_t) 1 << (GMP_NUMB_BITS - shift)) - 1)) + mpn_addmul_1 (xp, m->B_shifted, mn-1, hi); /* FIXME: Can this copying be eliminated? */ if (rp != xp) mpn_copyi (rp, xp, mn); } else { hi = mpn_cnd_add_n (hi, rp, xp, m->B, mn); assert_maybe (hi == 0); } } nettle-3.10/cbc.c0000644000175000017500000001056014633602171012654 0ustar nissenisse/* cbc.c Cipher block chaining mode. Copyright (C) 2001, 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "cbc.h" #include "memxor.h" #include "nettle-internal.h" void cbc_encrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % block_size)); for ( ; length; length -= block_size, src += block_size, dst += block_size) { memxor(iv, src, block_size); f(ctx, block_size, dst, iv); memcpy(iv, dst, block_size); } } /* Don't allocate any more space than this on the stack */ #define CBC_BUFFER_LIMIT 512 void cbc_decrypt(const void *ctx, nettle_cipher_func *f, size_t block_size, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % block_size)); if (!length) return; if (src != dst) { /* Decrypt in ECB mode */ f(ctx, length, dst, src); /* XOR the cryptotext, shifted one block */ memxor(dst, iv, block_size); memxor(dst + block_size, src, length - block_size); memcpy(iv, src + length - block_size, block_size); } else { /* For in-place CBC, we decrypt into a temporary buffer of size * at most CBC_BUFFER_LIMIT, and process that amount of data at * a time. */ /* NOTE: We assume that block_size <= CBC_BUFFER_LIMIT, and we depend on memxor3 working from the end of the area, allowing certain overlapping operands. */ TMP_DECL(buffer, uint8_t, CBC_BUFFER_LIMIT); TMP_DECL(initial_iv, uint8_t, NETTLE_MAX_CIPHER_BLOCK_SIZE); size_t buffer_size; if (length <= CBC_BUFFER_LIMIT) buffer_size = length; else buffer_size = CBC_BUFFER_LIMIT - (CBC_BUFFER_LIMIT % block_size); TMP_ALLOC(buffer, buffer_size); TMP_ALLOC(initial_iv, block_size); for ( ; length > buffer_size; length -= buffer_size, dst += buffer_size) { f(ctx, buffer_size, buffer, dst); memcpy(initial_iv, iv, block_size); memcpy(iv, dst + buffer_size - block_size, block_size); memxor3(dst + block_size, buffer + block_size, dst, buffer_size - block_size); memxor3(dst, buffer, initial_iv, block_size); } f(ctx, length, buffer, dst); memcpy(initial_iv, iv, block_size); /* Copies last block */ memcpy(iv, dst + length - block_size, block_size); /* Writes all but first block, reads all but last block. */ memxor3(dst + block_size, buffer + block_size, dst, length - block_size); /* Writes first block. */ memxor3(dst, buffer, initial_iv, block_size); } } #if 0 #include "twofish.h" #include "aes.h" static void foo(void) { struct CBC_CTX(struct twofish_ctx, TWOFISH_BLOCK_SIZE) ctx; uint8_t src[TWOFISH_BLOCK_SIZE]; uint8_t dst[TWOFISH_BLOCK_SIZE]; CBC_ENCRYPT(&ctx, twofish_encrypt, TWOFISH_BLOCK_SIZE, dst, src); /* Should result in a warning */ CBC_ENCRYPT(&ctx, aes_encrypt, TWOFISH_BLOCK_SIZE, dst, src); } static void foo2(void) { struct twofish_ctx ctx; uint8_t iv[TWOFISH_BLOCK_SIZE]; uint8_t src[TWOFISH_BLOCK_SIZE]; uint8_t dst[TWOFISH_BLOCK_SIZE]; CBC_ENCRYPT2(&ctx, twofish_encrypt, TWOFISH_BLOCK_SIZE, iv, TWOFISH_BLOCK_SIZE, dst, src); /* Should result in a warning */ CBC_ENCRYPT2(&ctx, aes_encrypt, TWOFISH_BLOCK_SIZE, iv, TWOFISH_BLOCK_SIZE, dst, src); } #endif nettle-3.10/camellia128-crypt.c0000644000175000017500000000316514633602171015271 0ustar nissenisse/* camellia128-crypt.c Crypt function for the camellia block cipher. Copyright (C) 2010, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "camellia-internal.h" /* The main point on this function is to help the assembler implementations of _nettle_camellia_crypt to get the table pointer. For PIC code, the details can be complex and system dependent. */ void camellia128_crypt(const struct camellia128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % CAMELLIA_BLOCK_SIZE) ); _nettle_camellia_crypt(_CAMELLIA128_NKEYS, ctx->keys, &_nettle_camellia_table, length, dst, src); } nettle-3.10/base16.h0000644000175000017500000000603114633602172013212 0ustar nissenisse/* base16.h Hex encoding and decoding, following spki conventions (i.e. allowing whitespace between digits). Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_BASE16_H_INCLUDED #define NETTLE_BASE16_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define base16_encode_single nettle_base16_encode_single #define base16_encode_update nettle_base16_encode_update #define base16_decode_init nettle_base16_decode_init #define base16_decode_single nettle_base16_decode_single #define base16_decode_update nettle_base16_decode_update #define base16_decode_final nettle_base16_decode_final /* Base16 encoding */ /* Maximum length of output for base16_encode_update. */ #define BASE16_ENCODE_LENGTH(length) ((length) * 2) /* Encodes a single byte. Always stores two digits in dst[0] and dst[1]. */ void base16_encode_single(char *dst, uint8_t src); /* Always stores BASE16_ENCODE_LENGTH(length) digits in dst. */ void base16_encode_update(char *dst, size_t length, const uint8_t *src); /* Base16 decoding */ /* Maximum length of output for base16_decode_update. */ /* We have at most 4 buffered bits, and a total of (length + 1) * 4 bits. */ #define BASE16_DECODE_LENGTH(length) (((length) + 1) / 2) struct base16_decode_ctx { unsigned char word; /* Leftover bits */ unsigned char bits; /* Number buffered bits */ }; void base16_decode_init(struct base16_decode_ctx *ctx); /* Decodes a single byte. Returns amount of output (0 or 1), or -1 on * errors. */ int base16_decode_single(struct base16_decode_ctx *ctx, uint8_t *dst, char src); /* Returns 1 on success, 0 on error. DST should point to an area of * size at least BASE16_DECODE_LENGTH(length). The amount of data * generated is returned in *DST_LENGTH. */ int base16_decode_update(struct base16_decode_ctx *ctx, size_t *dst_length, uint8_t *dst, size_t src_length, const char *src); /* Returns 1 on success. */ int base16_decode_final(struct base16_decode_ctx *ctx); #ifdef __cplusplus } #endif #endif /* NETTLE_BASE16_H_INCLUDED */ nettle-3.10/hkdf.h0000644000175000017500000000335614633602172013054 0ustar nissenisse/* hkdf.h TLS PRF code (RFC-5246, RFC-2246). Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_HKDF_H_INCLUDED #define NETTLE_HKDF_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define hkdf_extract nettle_hkdf_extract #define hkdf_expand nettle_hkdf_expand void hkdf_extract(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t secret_size, const uint8_t *secret, uint8_t *dst); void hkdf_expand(void *mac_ctx, nettle_hash_update_func *update, nettle_hash_digest_func *digest, size_t digest_size, size_t info_size, const uint8_t *info, size_t length, uint8_t *dst); #ifdef __cplusplus } #endif #endif /* NETTLE_HKDF_H_INCLUDED */ nettle-3.10/ripemd160.c0000644000175000017500000001612614633602171013640 0ustar nissenisse/* ripemd160.c RIPE-MD160 Copyright (C) 1998, 2001, 2002, 2003 Free Software Foundation, Inc. Copyright (C) 2011 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ripemd160.h" #include "ripemd160-internal.h" #include "macros.h" #include "nettle-write.h" /********************************* * RIPEMD-160 is not patented, see (as of 2011-08-28) * http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html * Note that the code uses Little Endian byteorder, which is good for * 386 etc, but we must add some conversion when used on a big endian box. * * * Pseudo-code for RIPEMD-160 * * RIPEMD-160 is an iterative hash function that operates on 32-bit words. * The round function takes as input a 5-word chaining variable and a 16-word * message block and maps this to a new chaining variable. All operations are * defined on 32-bit words. Padding is identical to that of MD4. * * * RIPEMD-160: definitions * * * nonlinear functions at bit level: exor, mux, -, mux, - * * f(j, x, y, z) = x XOR y XOR z (0 <= j <= 15) * f(j, x, y, z) = (x AND y) OR (NOT(x) AND z) (16 <= j <= 31) * f(j, x, y, z) = (x OR NOT(y)) XOR z (32 <= j <= 47) * f(j, x, y, z) = (x AND z) OR (y AND NOT(z)) (48 <= j <= 63) * f(j, x, y, z) = x XOR (y OR NOT(z)) (64 <= j <= 79) * * * added constants (hexadecimal) * * K(j) = 0x00000000 (0 <= j <= 15) * K(j) = 0x5A827999 (16 <= j <= 31) int(2**30 x sqrt(2)) * K(j) = 0x6ED9EBA1 (32 <= j <= 47) int(2**30 x sqrt(3)) * K(j) = 0x8F1BBCDC (48 <= j <= 63) int(2**30 x sqrt(5)) * K(j) = 0xA953FD4E (64 <= j <= 79) int(2**30 x sqrt(7)) * K'(j) = 0x50A28BE6 (0 <= j <= 15) int(2**30 x cbrt(2)) * K'(j) = 0x5C4DD124 (16 <= j <= 31) int(2**30 x cbrt(3)) * K'(j) = 0x6D703EF3 (32 <= j <= 47) int(2**30 x cbrt(5)) * K'(j) = 0x7A6D76E9 (48 <= j <= 63) int(2**30 x cbrt(7)) * K'(j) = 0x00000000 (64 <= j <= 79) * * * selection of message word * * r(j) = j (0 <= j <= 15) * r(16..31) = 7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8 * r(32..47) = 3, 10, 14, 4, 9, 15, 8, 1, 2, 7, 0, 6, 13, 11, 5, 12 * r(48..63) = 1, 9, 11, 10, 0, 8, 12, 4, 13, 3, 7, 15, 14, 5, 6, 2 * r(64..79) = 4, 0, 5, 9, 7, 12, 2, 10, 14, 1, 3, 8, 11, 6, 15, 13 * r0(0..15) = 5, 14, 7, 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12 * r0(16..31)= 6, 11, 3, 7, 0, 13, 5, 10, 14, 15, 8, 12, 4, 9, 1, 2 * r0(32..47)= 15, 5, 1, 3, 7, 14, 6, 9, 11, 8, 12, 2, 10, 0, 4, 13 * r0(48..63)= 8, 6, 4, 1, 3, 11, 15, 0, 5, 12, 2, 13, 9, 7, 10, 14 * r0(64..79)= 12, 15, 10, 4, 1, 5, 8, 7, 6, 2, 13, 14, 0, 3, 9, 11 * * * amount for rotate left (rol) * * s(0..15) = 11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8 * s(16..31) = 7, 6, 8, 13, 11, 9, 7, 15, 7, 12, 15, 9, 11, 7, 13, 12 * s(32..47) = 11, 13, 6, 7, 14, 9, 13, 15, 14, 8, 13, 6, 5, 12, 7, 5 * s(48..63) = 11, 12, 14, 15, 14, 15, 9, 8, 9, 14, 5, 6, 8, 6, 5, 12 * s(64..79) = 9, 15, 5, 11, 6, 8, 13, 12, 5, 12, 13, 14, 11, 8, 5, 6 * s'(0..15) = 8, 9, 9, 11, 13, 15, 15, 5, 7, 7, 8, 11, 14, 14, 12, 6 * s'(16..31)= 9, 13, 15, 7, 12, 8, 9, 11, 7, 7, 12, 7, 6, 15, 13, 11 * s'(32..47)= 9, 7, 15, 11, 8, 6, 6, 14, 12, 13, 5, 14, 13, 13, 7, 5 * s'(48..63)= 15, 5, 8, 11, 14, 14, 6, 14, 6, 9, 12, 9, 12, 5, 15, 8 * s'(64..79)= 8, 5, 12, 9, 12, 5, 14, 6, 8, 13, 6, 5, 15, 13, 11, 11 * * * initial value (hexadecimal) * * h0 = 0x67452301; h1 = 0xEFCDAB89; h2 = 0x98BADCFE; h3 = 0x10325476; * h4 = 0xC3D2E1F0; * * * RIPEMD-160: pseudo-code * * It is assumed that the message after padding consists of t 16-word blocks * that will be denoted with X[i][j], with 0 <= i <= t-1 and 0 <= j <= 15. * The symbol [+] denotes addition modulo 2**32 and rol_s denotes cyclic left * shift (rotate) over s positions. * * * for i := 0 to t-1 { * A := h0; B := h1; C := h2; D = h3; E = h4; * A' := h0; B' := h1; C' := h2; D' = h3; E' = h4; * for j := 0 to 79 { * T := rol_s(j)(A [+] f(j, B, C, D) [+] X[i][r(j)] [+] K(j)) [+] E; * A := E; E := D; D := rol_10(C); C := B; B := T; * T := rol_s'(j)(A' [+] f(79-j, B', C', D') [+] X[i][r'(j)] [+] K'(j)) [+] E'; * A' := E'; E' := D'; D' := rol_10(C'); C' := B'; B' := T; * } * T := h1 [+] C [+] D'; h1 := h2 [+] D [+] E'; h2 := h3 [+] E [+] A'; * h3 := h4 [+] A [+] B'; h4 := h0 [+] B [+] C'; h0 := T; * } */ /* Some examples: * "" 9c1185a5c5e9fc54612808977ee8f548b2258d31 * "a" 0bdc9d2d256b3ee9daae347be6f4dc835a467ffe * "abc" 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc * "message digest" 5d0689ef49d2fae572b881b123a85ffa21595f36 * "a...z" f71c27109c692c1b56bbdceb5b9d2865b3708dbc * "abcdbcde...nopq" 12a053384a9c0c88e405a06c27dcf49ada62eb2b * "A...Za...z0...9" b0e20b6e3116640286ed3a87a5713079b21f5189 * 8 times "1234567890" 9b752e45573d4b39f4dbd3323cab82bf63326bfb * 1 million times "a" 52783243c1697bdbe16d37f97f68f08325dc1528 */ void ripemd160_init(struct ripemd160_ctx *ctx) { static const uint32_t iv[_RIPEMD160_DIGEST_LENGTH] = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; ctx->index = 0; } #define COMPRESS(ctx, data) (_nettle_ripemd160_compress((ctx)->state, (data))) /* Update the message digest with the contents * of DATA with length LENGTH. */ void ripemd160_update(struct ripemd160_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, COMPRESS, ctx->count++); } void ripemd160_digest(struct ripemd160_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; assert(length <= RIPEMD160_DIGEST_SIZE); MD_PAD(ctx, 8, COMPRESS); /* There are 2^9 bits in one block */ bit_count = (ctx->count << 9) | (ctx->index << 3); \ /* append the 64 bit count */ LE_WRITE_UINT64(ctx->block + 56, bit_count); _nettle_ripemd160_compress(ctx->state, ctx->block); _nettle_write_le32(length, digest, ctx->state); ripemd160_init(ctx); } nettle-3.10/pkcs1.h0000644000175000017500000000576614633602172013170 0ustar nissenisse/* pkcs1.h PKCS1 embedding. Copyright (C) 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_PKCS1_H_INCLUDED #define NETTLE_PKCS1_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define pkcs1_rsa_digest_encode nettle_pkcs1_rsa_digest_encode #define pkcs1_rsa_md5_encode nettle_pkcs1_rsa_md5_encode #define pkcs1_rsa_md5_encode_digest nettle_pkcs1_rsa_md5_encode_digest #define pkcs1_rsa_sha1_encode nettle_pkcs1_rsa_sha1_encode #define pkcs1_rsa_sha1_encode_digest nettle_pkcs1_rsa_sha1_encode_digest #define pkcs1_rsa_sha256_encode nettle_pkcs1_rsa_sha256_encode #define pkcs1_rsa_sha256_encode_digest nettle_pkcs1_rsa_sha256_encode_digest #define pkcs1_rsa_sha512_encode nettle_pkcs1_rsa_sha512_encode #define pkcs1_rsa_sha512_encode_digest nettle_pkcs1_rsa_sha512_encode_digest #define pkcs1_encrypt nettle_pkcs1_encrypt #define pkcs1_decrypt nettle_pkcs1_decrypt struct md5_ctx; struct sha1_ctx; struct sha256_ctx; struct sha512_ctx; int pkcs1_encrypt (size_t key_size, /* For padding */ void *random_ctx, nettle_random_func *random, size_t length, const uint8_t *message, mpz_t m); int pkcs1_decrypt (size_t key_size, const mpz_t m, size_t *length, uint8_t *message); int pkcs1_rsa_digest_encode(mpz_t m, size_t key_size, size_t di_length, const uint8_t *digest_info); int pkcs1_rsa_md5_encode(mpz_t m, size_t length, struct md5_ctx *hash); int pkcs1_rsa_md5_encode_digest(mpz_t m, size_t length, const uint8_t *digest); int pkcs1_rsa_sha1_encode(mpz_t m, size_t length, struct sha1_ctx *hash); int pkcs1_rsa_sha1_encode_digest(mpz_t m, size_t length, const uint8_t *digest); int pkcs1_rsa_sha256_encode(mpz_t m, size_t length, struct sha256_ctx *hash); int pkcs1_rsa_sha256_encode_digest(mpz_t m, size_t length, const uint8_t *digest); int pkcs1_rsa_sha512_encode(mpz_t m, size_t length, struct sha512_ctx *hash); int pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t length, const uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_PKCS1_H_INCLUDED */ nettle-3.10/siv-gcm.c0000644000175000017500000001432514633602171013475 0ustar nissenisse/* siv-gcm.c AES-GCM-SIV, RFC8452 Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "siv-gcm.h" #include "ghash-internal.h" #include "block-internal.h" #include "nettle-internal.h" #include "macros.h" #include "memops.h" #include "ctr-internal.h" #include #define MIN(a,b) (((a) < (b)) ? (a) : (b)) static void siv_gcm_derive_keys (const void *ctx, nettle_cipher_func *f, size_t key_size, size_t nlength, const uint8_t *nonce, union nettle_block16 *auth_key, uint8_t *encryption_key) { union nettle_block16 block; union nettle_block16 out; size_t i; block16_zero (&block); memcpy (block.b + 4, nonce, MIN(nlength, SIV_GCM_NONCE_SIZE)); f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b); auth_key->u64[0] = out.u64[0]; block.b[0] = 1; f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b); auth_key->u64[1] = out.u64[0]; assert (key_size % 8 == 0 && key_size / 8 + 2 <= UINT8_MAX); for (i = 0; i < key_size; i += 8) { block.b[0]++; f (ctx, SIV_GCM_BLOCK_SIZE, out.b, block.b); memcpy (encryption_key + i, out.b, 8); } } static nettle_fill16_func siv_gcm_fill; static void siv_gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint32_t c; c = LE_READ_UINT32(ctr); for (; blocks-- > 0; buffer++, c++) { memcpy(buffer->b + 4, ctr + 4, SIV_GCM_BLOCK_SIZE - 4); LE_WRITE_UINT32(buffer->b, c); } LE_WRITE_UINT32(ctr, c); } static void siv_ghash_pad_update (struct gcm_key *ctx, union nettle_block16 *state, size_t length, const uint8_t *data) { size_t blocks; blocks = length / SIV_GCM_BLOCK_SIZE; if (blocks > 0) { data = _siv_ghash_update (ctx, state, blocks, data); length &= 0xf; } if (length > 0) { uint8_t block[SIV_GCM_BLOCK_SIZE]; memset (block + length, 0, SIV_GCM_BLOCK_SIZE - length); memcpy (block, data, length); _siv_ghash_update (ctx, state, 1, block); } } static void siv_gcm_authenticate (const void *ctx, const struct nettle_cipher *nc, const union nettle_block16 *authentication_key, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, const uint8_t *mdata, uint8_t *tag) { union nettle_block16 state; struct gcm_key siv_ghash_key; union nettle_block16 block; _siv_ghash_set_key (&siv_ghash_key, authentication_key); block16_zero (&state); siv_ghash_pad_update (&siv_ghash_key, &state, alength, adata); siv_ghash_pad_update (&siv_ghash_key, &state, mlength, mdata); block.u64[0] = bswap64_if_be (alength * 8); block.u64[1] = bswap64_if_be (mlength * 8); _siv_ghash_update (&siv_ghash_key, &state, 1, block.b); block16_bswap (&state, &state); memxor (state.b, nonce, SIV_GCM_NONCE_SIZE); state.b[15] &= 0x7f; nc->encrypt (ctx, SIV_GCM_BLOCK_SIZE, tag, state.b); } void siv_gcm_encrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t clength, uint8_t *dst, const uint8_t *src) { union nettle_block16 authentication_key; TMP_DECL(encryption_key, uint8_t, NETTLE_MAX_CIPHER_KEY_SIZE); uint8_t ctr[SIV_GCM_DIGEST_SIZE]; uint8_t *tag = dst + clength - SIV_GCM_BLOCK_SIZE; assert (clength >= SIV_GCM_DIGEST_SIZE); assert (nlength == SIV_GCM_NONCE_SIZE); TMP_ALLOC(encryption_key, nc->key_size); siv_gcm_derive_keys (ctx, nc->encrypt, nc->key_size, nlength, nonce, &authentication_key, encryption_key); /* Calculate authentication tag. */ nc->set_encrypt_key (ctr_ctx, encryption_key); siv_gcm_authenticate (ctr_ctx, nc, &authentication_key, nonce, alength, adata, clength - SIV_GCM_BLOCK_SIZE, src, tag); /* Encrypt the plaintext. */ /* The initial counter block is the tag with the most significant bit of the last byte set to one. */ memcpy (ctr, tag, SIV_GCM_DIGEST_SIZE); ctr[15] |= 0x80; _nettle_ctr_crypt16 (ctr_ctx, nc->encrypt, siv_gcm_fill, ctr, clength - SIV_GCM_BLOCK_SIZE, dst, src); } int siv_gcm_decrypt_message (const struct nettle_cipher *nc, const void *ctx, void *ctr_ctx, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t mlength, uint8_t *dst, const uint8_t *src) { union nettle_block16 authentication_key; TMP_DECL(encryption_key, uint8_t, NETTLE_MAX_CIPHER_KEY_SIZE); union nettle_block16 state; uint8_t tag[SIV_GCM_DIGEST_SIZE]; assert (nlength == SIV_GCM_NONCE_SIZE); TMP_ALLOC(encryption_key, nc->key_size); siv_gcm_derive_keys (ctx, nc->encrypt, nc->key_size, nlength, nonce, &authentication_key, encryption_key); memcpy (state.b, src + mlength, SIV_GCM_DIGEST_SIZE); /* The initial counter block is the tag with the most significant bit of the last byte set to one. */ state.b[15] |= 0x80; /* Decrypt the ciphertext. */ nc->set_encrypt_key (ctr_ctx, encryption_key); _nettle_ctr_crypt16 (ctr_ctx, nc->encrypt, siv_gcm_fill, state.b, mlength, dst, src); /* Calculate authentication tag. */ siv_gcm_authenticate (ctr_ctx, nc, &authentication_key, nonce, alength, adata, mlength, dst, tag); return memeql_sec (tag, src + mlength, SIV_GCM_DIGEST_SIZE); } nettle-3.10/md4.c0000644000175000017500000001313614633602171012613 0ustar nissenisse/* md4.c The MD4 hash function, described in RFC 1320. Copyright (C) 2003 Niels Möller, Marcus Comstedt This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Based on the public domain md5 code, and modified by Marcus Comstedt */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "md4.h" #include "macros.h" #include "nettle-write.h" /* A block, treated as a sequence of 32-bit words. */ #define MD4_DATA_LENGTH 16 static void md4_transform(uint32_t *digest, const uint32_t *data); static void md4_compress(struct md4_ctx *ctx, const uint8_t *block); /* FIXME: Could be an alias for md5_init */ void md4_init(struct md4_ctx *ctx) { /* Same constants as for md5. */ const uint32_t iv[_MD4_DIGEST_LENGTH] = { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476, }; memcpy(ctx->state, iv, sizeof(ctx->state)); ctx->count = 0; ctx->index = 0; } void md4_update(struct md4_ctx *ctx, size_t length, const uint8_t *data) { MD_UPDATE(ctx, length, data, md4_compress, ctx->count++); } void md4_digest(struct md4_ctx *ctx, size_t length, uint8_t *digest) { uint64_t bit_count; uint32_t data[MD4_DATA_LENGTH]; unsigned i; assert(length <= MD4_DIGEST_SIZE); MD_PAD(ctx, 8, md4_compress); for (i = 0; i < MD4_DATA_LENGTH - 2; i++) data[i] = LE_READ_UINT32(ctx->block + 4*i); /* There are 512 = 2^9 bits in one block * Little-endian order => Least significant word first */ bit_count = (ctx->count << 9) | (ctx->index << 3); data[MD4_DATA_LENGTH-2] = bit_count; data[MD4_DATA_LENGTH-1] = bit_count >> 32; md4_transform(ctx->state, data); _nettle_write_le32(length, digest, ctx->state); md4_init(ctx); } /* MD4 functions */ #define F(x, y, z) (((y) & (x)) | ((z) & ~(x))) #define G(x, y, z) (((y) & (x)) | ((z) & (x)) | ((y) & (z))) #define H(x, y, z) ((x) ^ (y) ^ (z)) #define ROUND(f, w, x, y, z, data, s) \ ( w += f(x, y, z) + data, w = w<>(32-s) ) /* Perform the MD4 transformation on one full block of 16 32-bit words. */ static void md4_transform(uint32_t *digest, const uint32_t *data) { uint32_t a, b, c, d; a = digest[0]; b = digest[1]; c = digest[2]; d = digest[3]; ROUND(F, a, b, c, d, data[ 0], 3); ROUND(F, d, a, b, c, data[ 1], 7); ROUND(F, c, d, a, b, data[ 2], 11); ROUND(F, b, c, d, a, data[ 3], 19); ROUND(F, a, b, c, d, data[ 4], 3); ROUND(F, d, a, b, c, data[ 5], 7); ROUND(F, c, d, a, b, data[ 6], 11); ROUND(F, b, c, d, a, data[ 7], 19); ROUND(F, a, b, c, d, data[ 8], 3); ROUND(F, d, a, b, c, data[ 9], 7); ROUND(F, c, d, a, b, data[10], 11); ROUND(F, b, c, d, a, data[11], 19); ROUND(F, a, b, c, d, data[12], 3); ROUND(F, d, a, b, c, data[13], 7); ROUND(F, c, d, a, b, data[14], 11); ROUND(F, b, c, d, a, data[15], 19); ROUND(G, a, b, c, d, data[ 0] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 4] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[ 8] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[12] + 0x5a827999, 13); ROUND(G, a, b, c, d, data[ 1] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 5] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[ 9] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[13] + 0x5a827999, 13); ROUND(G, a, b, c, d, data[ 2] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 6] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[10] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[14] + 0x5a827999, 13); ROUND(G, a, b, c, d, data[ 3] + 0x5a827999, 3); ROUND(G, d, a, b, c, data[ 7] + 0x5a827999, 5); ROUND(G, c, d, a, b, data[11] + 0x5a827999, 9); ROUND(G, b, c, d, a, data[15] + 0x5a827999, 13); ROUND(H, a, b, c, d, data[ 0] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[ 8] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 4] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[12] + 0x6ed9eba1, 15); ROUND(H, a, b, c, d, data[ 2] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[10] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 6] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[14] + 0x6ed9eba1, 15); ROUND(H, a, b, c, d, data[ 1] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[ 9] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 5] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[13] + 0x6ed9eba1, 15); ROUND(H, a, b, c, d, data[ 3] + 0x6ed9eba1, 3); ROUND(H, d, a, b, c, data[11] + 0x6ed9eba1, 9); ROUND(H, c, d, a, b, data[ 7] + 0x6ed9eba1, 11); ROUND(H, b, c, d, a, data[15] + 0x6ed9eba1, 15); digest[0] += a; digest[1] += b; digest[2] += c; digest[3] += d; } static void md4_compress(struct md4_ctx *ctx, const uint8_t *block) { uint32_t data[MD4_DATA_LENGTH]; unsigned i; /* Endian independent conversion */ for (i = 0; i<16; i++, block += 4) data[i] = LE_READ_UINT32(block); md4_transform(ctx->state, data); } nettle-3.10/cbc-aes192-encrypt.c0000644000175000017500000000307114633602171015337 0ustar nissenisse/* cbc-aes192-encrypt.c Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "cbc.h" /* For fat builds */ #if HAVE_NATIVE_cbc_aes192_encrypt void _nettle_cbc_aes192_encrypt_c(const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_cbc_aes192_encrypt _nettle_cbc_aes192_encrypt_c #endif void cbc_aes192_encrypt(const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { cbc_encrypt(ctx, (nettle_cipher_func *) aes192_encrypt, AES_BLOCK_SIZE, iv, length, dst, src); } nettle-3.10/pkcs1-rsa-sha512.c0000644000175000017500000000564014633602171014735 0ustar nissenisse/* pkcs1-rsa-sha512.c PKCS stuff for rsa-sha512. Copyright (C) 2001, 2003, 2006, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "rsa.h" #include "bignum.h" #include "pkcs1.h" #include "hogweed-internal.h" #include "gmp-glue.h" /* From RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA * Cryptography Specifications Version 2.1. * * id-sha512 OBJECT IDENTIFIER ::= * {joint-iso-itu-t(2) country(16) us(840) organization(1) * gov(101) csor(3) nistalgorithm(4) hashalgs(2) 3} */ static const uint8_t sha512_prefix[] = { /* 19 octets prefix, 64 octets hash, total 83 */ 0x30, 81, /* SEQUENCE */ 0x30, 13, /* SEQUENCE */ 0x06, 9, /* OBJECT IDENTIFIER */ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0, /* NULL */ 0x04, 64 /* OCTET STRING */ /* Here comes the raw hash value, 64 octets */ }; int pkcs1_rsa_sha512_encode(mpz_t m, size_t key_size, struct sha512_ctx *hash) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha512_prefix), sha512_prefix, SHA512_DIGEST_SIZE); if (p) { sha512_digest(hash, SHA512_DIGEST_SIZE, p); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } int pkcs1_rsa_sha512_encode_digest(mpz_t m, size_t key_size, const uint8_t *digest) { uint8_t *p; TMP_GMP_DECL(em, uint8_t); TMP_GMP_ALLOC(em, key_size); p = _pkcs1_signature_prefix(key_size, em, sizeof(sha512_prefix), sha512_prefix, SHA512_DIGEST_SIZE); if (p) { memcpy(p, digest, SHA512_DIGEST_SIZE); nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } else { TMP_GMP_FREE(em); return 0; } } nettle-3.10/arcfour.h0000644000175000017500000000365014633602172013576 0ustar nissenisse/* arcfour.h The arcfour/rc4 stream cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_ARCFOUR_H_INCLUDED #define NETTLE_ARCFOUR_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define arcfour128_set_key nettle_arcfour128_set_key #define arcfour_set_key nettle_arcfour_set_key #define arcfour_crypt nettle_arcfour_crypt /* Minimum and maximum keysizes, and a reasonable default. In * octets.*/ #define ARCFOUR_MIN_KEY_SIZE 1 #define ARCFOUR_MAX_KEY_SIZE 256 #define ARCFOUR_KEY_SIZE 16 #define ARCFOUR128_KEY_SIZE 16 struct arcfour_ctx { uint8_t S[256]; uint8_t i; uint8_t j; }; void arcfour_set_key(struct arcfour_ctx *ctx, size_t length, const uint8_t *key); void arcfour128_set_key(struct arcfour_ctx *ctx, const uint8_t *key); void arcfour_crypt(struct arcfour_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_ARCFOUR_H_INCLUDED */ nettle-3.10/aes256-decrypt.c0000644000175000017500000000325714633602171014607 0ustar nissenisse/* aes256-decrypt.c Decryption function for aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes256_decrypt void _nettle_aes256_decrypt_c(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes256_decrypt _nettle_aes256_decrypt_c #endif void nettle_aes256_decrypt(const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_decrypt(_AES256_ROUNDS, ctx->keys + 4 * _AES256_ROUNDS, &_nettle_aes_decrypt_table, length, dst, src); } nettle-3.10/rsa-pss-sha512-verify.c0000644000175000017500000000371414633602171016023 0ustar nissenisse/* rsa-pss-sha512-verify.c Verifying signatures created with RSA and SHA-384/SHA-512, with PSS padding. Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pss.h" int rsa_pss_sha384_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature) { int res; mpz_t m; mpz_init (m); res = (_rsa_verify_recover(key, m, signature) && pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha384, salt_length, digest)); mpz_clear (m); return res; } int rsa_pss_sha512_verify_digest(const struct rsa_public_key *key, size_t salt_length, const uint8_t *digest, const mpz_t signature) { int res; mpz_t m; mpz_init (m); res = (_rsa_verify_recover(key, m, signature) && pss_verify_mgf1(m, mpz_sizeinbase(key->n, 2) - 1, &nettle_sha512, salt_length, digest)); mpz_clear (m); return res; } nettle-3.10/ocb-aes128.c0000644000175000017500000000740214633602171013672 0ustar nissenisse/* ocb-aes128.c Copyright (C) 2022 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "ocb.h" void ocb_aes128_set_encrypt_key (struct ocb_aes128_encrypt_key *ocb_key, const uint8_t *key) { aes128_set_encrypt_key (&ocb_key->encrypt, key); ocb_set_key (&ocb_key->ocb, &ocb_key->encrypt, (nettle_cipher_func *) aes128_encrypt); } void ocb_aes128_set_decrypt_key (struct ocb_aes128_encrypt_key *ocb_key, struct aes128_ctx *decrypt, const uint8_t *key) { ocb_aes128_set_encrypt_key (ocb_key, key); aes128_invert_key (decrypt, &ocb_key->encrypt); } void ocb_aes128_set_nonce (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t tag_length, size_t nonce_length, const uint8_t *nonce) { ocb_set_nonce (ctx, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, tag_length, nonce_length, nonce); } void ocb_aes128_update (struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, const uint8_t *data) { ocb_update (ctx, &key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, length, data); } void ocb_aes128_encrypt(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, uint8_t *dst, const uint8_t *src) { ocb_encrypt (ctx, &key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, length, dst, src); } void ocb_aes128_decrypt(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t length, uint8_t *dst, const uint8_t *src) { ocb_decrypt (ctx, &key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, decrypt, (nettle_cipher_func *) aes128_decrypt, length, dst, src); } void ocb_aes128_digest(struct ocb_ctx *ctx, const struct ocb_aes128_encrypt_key *key, size_t length, uint8_t *digest) { ocb_digest (ctx, &key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, length, digest); } void ocb_aes128_encrypt_message (const struct ocb_aes128_encrypt_key *key, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t clength, uint8_t *dst, const uint8_t *src) { ocb_encrypt_message (&key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, nlength, nonce, alength, adata, tlength, clength, dst, src); } int ocb_aes128_decrypt_message (const struct ocb_aes128_encrypt_key *key, const struct aes128_ctx *decrypt, size_t nlength, const uint8_t *nonce, size_t alength, const uint8_t *adata, size_t tlength, size_t mlength, uint8_t *dst, const uint8_t *src) { return ocb_decrypt_message (&key->ocb, &key->encrypt, (nettle_cipher_func *) aes128_encrypt, &decrypt, (nettle_cipher_func *) aes128_decrypt, nlength, nonce, alength, adata, tlength, mlength, dst, src); } nettle-3.10/hmac-sha256-meta.c0000644000175000017500000000245514633602171014773 0ustar nissenisse/* hmac-sha256-meta.c Copyright (C) 2020 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_sha256_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_sha256_set_key (ctx, SHA256_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_sha256 = _NETTLE_HMAC(hmac_sha256, SHA256); nettle-3.10/sha3-384-meta.c0000644000175000017500000000230214633602171014216 0ustar nissenisse/* sha3-384-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" #include "sha3-internal.h" const struct nettle_hash nettle_sha3_384 = _NETTLE_HASH(sha3_384, SHA3_384); nettle-3.10/sha3-permute.c0000644000175000017500000001241414633602171014442 0ustar nissenisse/* sha3-permute.c The sha3 permutation function (aka Keccak). Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "sha3.h" #include "sha3-internal.h" #include "macros.h" #define SHA3_ROUNDS 24 /* For fat builds */ #if HAVE_NATIVE_sha3_permute void _nettle_sha3_permute_c(struct sha3_state *state); #define nettle_sha3_permute _nettle_sha3_permute_c #endif void sha3_permute (struct sha3_state *state) { static const uint64_t rc[SHA3_ROUNDS] = { 0x0000000000000001ULL, 0X0000000000008082ULL, 0X800000000000808AULL, 0X8000000080008000ULL, 0X000000000000808BULL, 0X0000000080000001ULL, 0X8000000080008081ULL, 0X8000000000008009ULL, 0X000000000000008AULL, 0X0000000000000088ULL, 0X0000000080008009ULL, 0X000000008000000AULL, 0X000000008000808BULL, 0X800000000000008BULL, 0X8000000000008089ULL, 0X8000000000008003ULL, 0X8000000000008002ULL, 0X8000000000000080ULL, 0X000000000000800AULL, 0X800000008000000AULL, 0X8000000080008081ULL, 0X8000000000008080ULL, 0X0000000080000001ULL, 0X8000000080008008ULL, }; /* Original permutation: 0,10,20, 5,15, 16, 1,11,21, 6, 7,17, 2,12,22, 23, 8,18, 3,13, 14,24, 9,19, 4 Rotation counts: 0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39, 41, 45, 15, 21, 8, 18, 2, 61, 56, 14, */ /* In-place implementation. Permutation done as a long sequence of 25 moves "following" the permutation. T <-- 1 1 <-- 6 6 <-- 9 9 <-- 22 22 <-- 14 14 <-- 20 20 <-- 2 2 <-- 12 12 <-- 13 13 <-- 19 19 <-- 23 23 <-- 15 15 <-- 4 4 <-- 24 24 <-- 21 21 <-- 8 8 <-- 16 16 <-- 5 5 <-- 3 3 <-- 18 18 <-- 17 17 <-- 11 11 <-- 7 7 <-- 10 10 <-- T */ uint64_t C[5], D[5], T, X; unsigned i, y; #define A state->a C[0] = A[0] ^ A[5+0] ^ A[10+0] ^ A[15+0] ^ A[20+0]; C[1] = A[1] ^ A[5+1] ^ A[10+1] ^ A[15+1] ^ A[20+1]; C[2] = A[2] ^ A[5+2] ^ A[10+2] ^ A[15+2] ^ A[20+2]; C[3] = A[3] ^ A[5+3] ^ A[10+3] ^ A[15+3] ^ A[20+3]; C[4] = A[4] ^ A[5+4] ^ A[10+4] ^ A[15+4] ^ A[20+4]; for (i = 0; i < SHA3_ROUNDS; i++) { D[0] = C[4] ^ ROTL64(1, C[1]); D[1] = C[0] ^ ROTL64(1, C[2]); D[2] = C[1] ^ ROTL64(1, C[3]); D[3] = C[2] ^ ROTL64(1, C[4]); D[4] = C[3] ^ ROTL64(1, C[0]); A[0] ^= D[0]; X = A[ 1] ^ D[1]; T = ROTL64(1, X); X = A[ 6] ^ D[1]; A[ 1] = ROTL64 (44, X); X = A[ 9] ^ D[4]; A[ 6] = ROTL64 (20, X); X = A[22] ^ D[2]; A[ 9] = ROTL64 (61, X); X = A[14] ^ D[4]; A[22] = ROTL64 (39, X); X = A[20] ^ D[0]; A[14] = ROTL64 (18, X); X = A[ 2] ^ D[2]; A[20] = ROTL64 (62, X); X = A[12] ^ D[2]; A[ 2] = ROTL64 (43, X); X = A[13] ^ D[3]; A[12] = ROTL64 (25, X); X = A[19] ^ D[4]; A[13] = ROTL64 ( 8, X); X = A[23] ^ D[3]; A[19] = ROTL64 (56, X); X = A[15] ^ D[0]; A[23] = ROTL64 (41, X); X = A[ 4] ^ D[4]; A[15] = ROTL64 (27, X); X = A[24] ^ D[4]; A[ 4] = ROTL64 (14, X); X = A[21] ^ D[1]; A[24] = ROTL64 ( 2, X); X = A[ 8] ^ D[3]; A[21] = ROTL64 (55, X); /* row 4 done */ X = A[16] ^ D[1]; A[ 8] = ROTL64 (45, X); X = A[ 5] ^ D[0]; A[16] = ROTL64 (36, X); X = A[ 3] ^ D[3]; A[ 5] = ROTL64 (28, X); X = A[18] ^ D[3]; A[ 3] = ROTL64 (21, X); /* row 0 done */ X = A[17] ^ D[2]; A[18] = ROTL64 (15, X); X = A[11] ^ D[1]; A[17] = ROTL64 (10, X); /* row 3 done */ X = A[ 7] ^ D[2]; A[11] = ROTL64 ( 6, X); /* row 1 done */ X = A[10] ^ D[0]; A[ 7] = ROTL64 ( 3, X); A[10] = T; /* row 2 done */ D[0] = ~A[1] & A[2]; D[1] = ~A[2] & A[3]; D[2] = ~A[3] & A[4]; D[3] = ~A[4] & A[0]; D[4] = ~A[0] & A[1]; A[0] ^= D[0] ^ rc[i]; C[0] = A[0]; A[1] ^= D[1]; C[1] = A[1]; A[2] ^= D[2]; C[2] = A[2]; A[3] ^= D[3]; C[3] = A[3]; A[4] ^= D[4]; C[4] = A[4]; for (y = 5; y < 25; y+= 5) { D[0] = ~A[y+1] & A[y+2]; D[1] = ~A[y+2] & A[y+3]; D[2] = ~A[y+3] & A[y+4]; D[3] = ~A[y+4] & A[y+0]; D[4] = ~A[y+0] & A[y+1]; A[y+0] ^= D[0]; C[0] ^= A[y+0]; A[y+1] ^= D[1]; C[1] ^= A[y+1]; A[y+2] ^= D[2]; C[2] ^= A[y+2]; A[y+3] ^= D[3]; C[3] ^= A[y+3]; A[y+4] ^= D[4]; C[4] ^= A[y+4]; } } #undef A } nettle-3.10/base64url-encode.c0000644000175000017500000000254114633602171015167 0ustar nissenisse/* base64url-encode.c Copyright (C) 2015 Amos Jeffries, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "base64.h" void base64url_encode_init(struct base64_encode_ctx *ctx) { static const char base64url_encode_table[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "abcdefghijklmnopqrstuvwxyz" "0123456789-_"; ctx->word = ctx->bits = 0; ctx->alphabet = base64url_encode_table; } nettle-3.10/gostdsa-sign.c0000644000175000017500000000434214633602172014531 0ustar nissenisse/* gostdsa-sign.c Copyright (C) 2015 Dmitry Eremin-Solenikov Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "gostdsa.h" #include "ecc-internal.h" #include "nettle-internal.h" void gostdsa_sign (const struct ecc_scalar *key, void *random_ctx, nettle_random_func *random, size_t digest_length, const uint8_t *digest, struct dsa_signature *signature) { /* At most 936 bytes. */ TMP_DECL(k, mp_limb_t, ECC_MAX_SIZE + ECC_GOSTDSA_SIGN_ITCH (ECC_MAX_SIZE)); mp_limb_t size = key->ecc->p.size; mp_limb_t *rp = mpz_limbs_write (signature->r, size); mp_limb_t *sp = mpz_limbs_write (signature->s, size); TMP_ALLOC (k, size + ECC_GOSTDSA_SIGN_ITCH (size)); /* Timing reveals the number of rounds through this loop, but the timing is still independent of the secret k finally used. */ do { do { ecc_mod_random (&key->ecc->q, k, random_ctx, random, k + size); } while (mpn_zero_p(k, size)); ecc_gostdsa_sign (key->ecc, key->p, k, digest_length, digest, rp, sp, k + size); mpz_limbs_finish (signature->r, size); mpz_limbs_finish (signature->s, size); } while (mpz_sgn (signature->r) == 0 || mpz_sgn (signature->s) == 0); } nettle-3.10/ecc-random.c0000644000175000017500000000446014633602171014137 0ustar nissenisse/* ecc-random.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" #include "nettle-internal.h" static int ecdsa_in_range (const struct ecc_modulo *m, const mp_limb_t *xp, mp_limb_t *scratch) { /* Check if 0 < x < q, with data independent timing. */ return !sec_zero_p (xp, m->size) & (mpn_sub_n (scratch, xp, m->m, m->size) != 0); } void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, void *ctx, nettle_random_func *random, mp_limb_t *scratch) { uint8_t *buf = (uint8_t *) scratch; unsigned nbytes = (m->bit_size + 7)/8; /* The bytes ought to fit in the scratch area, unless we have very unusual limb and byte sizes. */ assert (nbytes <= m->size * sizeof (mp_limb_t)); do { random (ctx, nbytes, buf); buf[0] &= 0xff >> (nbytes * 8 - m->bit_size); mpn_set_base256 (xp, m->size, buf, nbytes); } while (!ecdsa_in_range (m, xp, scratch)); } void ecc_scalar_random (struct ecc_scalar *x, void *random_ctx, nettle_random_func *random) { TMP_DECL (scratch, mp_limb_t, ECC_MOD_RANDOM_ITCH (ECC_MAX_SIZE)); TMP_ALLOC (scratch, ECC_MOD_RANDOM_ITCH (x->ecc->q.size)); ecc_mod_random (&x->ecc->q, x->p, random_ctx, random, scratch); } nettle-3.10/base16-encode.c0000644000175000017500000000315714633602171014445 0ustar nissenisse/* base16-encode.c Hex encoding. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "base16.h" static const uint8_t hex_digits[16] = "0123456789abcdef"; #define DIGIT(x) (hex_digits[(x) & 0xf]) /* Encodes a single byte. Always stores two digits in dst[0] and dst[1]. */ void base16_encode_single(char *dst, uint8_t src) { dst[0] = DIGIT(src/0x10); dst[1] = DIGIT(src); } /* Always stores BASE16_ENCODE_LENGTH(length) digits in dst. */ void base16_encode_update(char *dst, size_t length, const uint8_t *src) { size_t i; for (i = 0; i #include "macros.h" #include "memxor.h" #include "block-internal.h" static void drbg_ctr_aes256_output (const struct aes256_ctx *key, union nettle_block16 *V, size_t n, uint8_t *dst) { for (; n >= AES_BLOCK_SIZE; n -= AES_BLOCK_SIZE, dst += AES_BLOCK_SIZE) { INCREMENT(AES_BLOCK_SIZE, V->b); aes256_encrypt (key, AES_BLOCK_SIZE, dst, V->b); } if (n > 0) { union nettle_block16 block; INCREMENT(AES_BLOCK_SIZE, V->b); aes256_encrypt (key, AES_BLOCK_SIZE, block.b, V->b); memcpy (dst, block.b, n); } } /* provided_data is either NULL or a pointer to DRBG_CTR_AES256_SEED_SIZE (= 48) bytes. */ static void drbg_ctr_aes256_update (struct aes256_ctx *key, union nettle_block16 *V, const uint8_t *provided_data) { union nettle_block16 tmp[3]; drbg_ctr_aes256_output (key, V, DRBG_CTR_AES256_SEED_SIZE, tmp[0].b); if (provided_data) memxor (tmp[0].b, provided_data, DRBG_CTR_AES256_SEED_SIZE); aes256_set_encrypt_key (key, tmp[0].b); block16_set (V, &tmp[2]); } void drbg_ctr_aes256_init (struct drbg_ctr_aes256_ctx *ctx, uint8_t *seed_material) { static const uint8_t zero_key[AES256_KEY_SIZE] = {0}; aes256_set_encrypt_key (&ctx->key, zero_key); block16_zero (&ctx->V); drbg_ctr_aes256_update (&ctx->key, &ctx->V, seed_material); } void drbg_ctr_aes256_random (struct drbg_ctr_aes256_ctx *ctx, size_t n, uint8_t *dst) { drbg_ctr_aes256_output (&ctx->key, &ctx->V, n, dst); drbg_ctr_aes256_update (&ctx->key, &ctx->V, NULL); } nettle-3.10/sha.h0000644000175000017500000000242414633602172012706 0ustar nissenisse/* sha.h This file is deprecated, and provided only for backwards compatibility with earlier versions of Nettle. Please use sha1.h and/or sha2.h instead. Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_SHA_H_INCLUDED #define NETTLE_SHA_H_INCLUDED #include "sha1.h" #include "sha2.h" #endif /* NETTLE_SHA_H_INCLUDED */ nettle-3.10/ecc-mul-g-eh.c0000644000175000017500000000523214633602171014270 0ustar nissenisse/* ecc-mul-g-eh.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" void ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch) { /* Scratch need determined by the ecc_add_eh call. Current total is 7 * ecc->p.size, at most 392 bytes (for curve448). */ #define tp scratch #define scratch_out (scratch + 3*ecc->p.size) unsigned k, c; unsigned i, j; unsigned bit_rows; k = ecc->pippenger_k; c = ecc->pippenger_c; bit_rows = (ecc->p.bit_size + k - 1) / k; /* x = 0, y = 1, z = 1 */ mpn_zero (r, 3*ecc->p.size); r[ecc->p.size] = r[2*ecc->p.size] = 1; for (i = k; i-- > 0; ) { ecc->dup (ecc, r, r, scratch); for (j = 0; j * c < bit_rows; j++) { unsigned bits; /* Avoid the mp_bitcnt_t type for compatibility with older GMP versions. */ unsigned bit_index; /* Extract c bits from n, stride k, starting at i + kcj, ending at i + k (cj + c - 1)*/ for (bits = 0, bit_index = i + k*(c*j+c); bit_index > i + k*c*j; ) { mp_size_t limb_index; unsigned shift; bit_index -= k; limb_index = bit_index / GMP_NUMB_BITS; if (limb_index >= ecc->p.size) continue; shift = bit_index % GMP_NUMB_BITS; bits = (bits << 1) | ((np[limb_index] >> shift) & 1); } mpn_sec_tabselect (tp, (ecc->pippenger_table + (2*ecc->p.size * (mp_size_t) j << c)), 2*ecc->p.size, 1<add_hh (ecc, r, r, tp, scratch_out); } } #undef tp #undef scratch_out } nettle-3.10/sha512-compress.c0000644000175000017500000001366714633602171014774 0ustar nissenisse/* sha512-compress.c The compression function of the sha512 hash function. Copyright (C) 2001, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #ifndef SHA512_DEBUG # define SHA512_DEBUG 0 #endif #if SHA512_DEBUG # include # define DEBUG(i) \ fprintf(stderr, "%2d: %8lx %8lx %8lx %8lx\n %8lx %8lx %8lx %8lx\n", \ i, A, B, C, D ,E, F, G, H) #else # define DEBUG(i) #endif #include #include #include #include "sha2.h" #include "sha2-internal.h" #include "macros.h" /* A block, treated as a sequence of 64-bit words. */ #define SHA512_DATA_LENGTH 16 /* For fat builds */ #if HAVE_NATIVE_sha512_compress void _nettle_sha512_compress_c (uint64_t *state, const uint8_t *input, const uint64_t *k); #define _nettle_sha512_compress _nettle_sha512_compress_c #endif /* The SHA512 functions. The Choice function is the same as the SHA1 function f1, and the majority function is the same as the SHA1 f3 function, and the same as for SHA256. */ #define Choice(x,y,z) ( (z) ^ ( (x) & ( (y) ^ (z) ) ) ) #define Majority(x,y,z) ( ((x) & (y)) ^ ((z) & ((x) ^ (y))) ) #define S0(x) (ROTL64(36,(x)) ^ ROTL64(30,(x)) ^ ROTL64(25,(x))) #define S1(x) (ROTL64(50,(x)) ^ ROTL64(46,(x)) ^ ROTL64(23,(x))) #define s0(x) (ROTL64(63,(x)) ^ ROTL64(56,(x)) ^ ((x) >> 7)) #define s1(x) (ROTL64(45,(x)) ^ ROTL64(3,(x)) ^ ((x) >> 6)) /* The initial expanding function. The hash function is defined over an 64-word expanded input array W, where the first 16 are copies of the input data, and the remaining 64 are defined by W[ t ] = s1(W[t-2]) + W[t-7] + s0(W[i-15]) + W[i-16] This implementation generates these values on the fly in a circular buffer. */ #define EXPAND(W,i) \ ( W[(i) & 15 ] += (s1(W[((i)-2) & 15]) + W[((i)-7) & 15] + s0(W[((i)-15) & 15])) ) /* The prototype SHA sub-round. The fundamental sub-round is: T1 = h + S1(e) + Choice(e,f,g) + K[t] + W[t] T2 = S0(a) + Majority(a,b,c) a' = T1+T2 b' = a c' = b d' = c e' = d + T1 f' = e g' = f h' = g but this is implemented by unrolling the loop 8 times and renaming the variables ( h, a, b, c, d, e, f, g ) = ( a, b, c, d, e, f, g, h ) each iteration. This code is then replicated 8, using the next 8 values from the W[] array each time */ /* It's crucial that DATA is only used once, as that argument will * have side effects. */ #define ROUND(a,b,c,d,e,f,g,h,k,data) do { \ h += S1(e) + Choice(e,f,g) + k + data; \ d += h; \ h += S0(a) + Majority(a,b,c); \ } while (0) void _nettle_sha512_compress(uint64_t *state, const uint8_t *input, const uint64_t *k) { uint64_t data[SHA512_DATA_LENGTH]; uint64_t A, B, C, D, E, F, G, H; /* Local vars */ unsigned i; uint64_t *d; for (i = 0; i < SHA512_DATA_LENGTH; i++, input += 8) { data[i] = READ_UINT64(input); } /* Set up first buffer and local data buffer */ A = state[0]; B = state[1]; C = state[2]; D = state[3]; E = state[4]; F = state[5]; G = state[6]; H = state[7]; /* Heavy mangling */ /* First 16 subrounds that act on the original data */ DEBUG(-1); for (i = 0, d = data; i<16; i+=8, k += 8, d+= 8) { ROUND(A, B, C, D, E, F, G, H, k[0], d[0]); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[1], d[1]); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[2], d[2]); ROUND(F, G, H, A, B, C, D, E, k[3], d[3]); ROUND(E, F, G, H, A, B, C, D, k[4], d[4]); ROUND(D, E, F, G, H, A, B, C, k[5], d[5]); ROUND(C, D, E, F, G, H, A, B, k[6], d[6]); DEBUG(i+6); ROUND(B, C, D, E, F, G, H, A, k[7], d[7]); DEBUG(i+7); } for (; i<80; i += 16, k+= 16) { ROUND(A, B, C, D, E, F, G, H, k[ 0], EXPAND(data, 0)); DEBUG(i); ROUND(H, A, B, C, D, E, F, G, k[ 1], EXPAND(data, 1)); DEBUG(i+1); ROUND(G, H, A, B, C, D, E, F, k[ 2], EXPAND(data, 2)); DEBUG(i+2); ROUND(F, G, H, A, B, C, D, E, k[ 3], EXPAND(data, 3)); ROUND(E, F, G, H, A, B, C, D, k[ 4], EXPAND(data, 4)); ROUND(D, E, F, G, H, A, B, C, k[ 5], EXPAND(data, 5)); ROUND(C, D, E, F, G, H, A, B, k[ 6], EXPAND(data, 6)); ROUND(B, C, D, E, F, G, H, A, k[ 7], EXPAND(data, 7)); ROUND(A, B, C, D, E, F, G, H, k[ 8], EXPAND(data, 8)); ROUND(H, A, B, C, D, E, F, G, k[ 9], EXPAND(data, 9)); ROUND(G, H, A, B, C, D, E, F, k[10], EXPAND(data, 10)); ROUND(F, G, H, A, B, C, D, E, k[11], EXPAND(data, 11)); ROUND(E, F, G, H, A, B, C, D, k[12], EXPAND(data, 12)); ROUND(D, E, F, G, H, A, B, C, k[13], EXPAND(data, 13)); ROUND(C, D, E, F, G, H, A, B, k[14], EXPAND(data, 14)); DEBUG(i+14); ROUND(B, C, D, E, F, G, H, A, k[15], EXPAND(data, 15)); DEBUG(i+15); } /* Update state */ state[0] += A; state[1] += B; state[2] += C; state[3] += D; state[4] += E; state[5] += F; state[6] += G; state[7] += H; #if SHA512_DEBUG fprintf(stderr, "99: %8lx %8lx %8lx %8lx\n %8lx %8lx %8lx %8lx\n", state[0], state[1], state[2], state[3], state[4], state[5], state[6], state[7]); #endif } nettle-3.10/camellia-crypt-internal.c0000644000175000017500000001274214633602171016651 0ustar nissenisse/* camellia-crypt-internal.c Copyright (C) 2006,2007 NTT (Nippon Telegraph and Telephone Corporation). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * Algorithm Specification * http://info.isl.ntt.co.jp/crypt/eng/camellia/specifications.html */ /* Based on camellia.c ver 1.2.0, see http://info.isl.ntt.co.jp/crypt/eng/camellia/dl/camellia-LGPL-1.2.0.tar.gz. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "camellia-internal.h" #include "macros.h" #define CAMELLIA_FL(x, k) do { \ uint32_t __xl, __xr, __kl, __kr, __t; \ __xl = (x) >> 32; \ __xr = (x) & 0xffffffff; \ __kl = (k) >> 32; \ __kr = (k) & 0xffffffff; \ __t = __xl & __kl; \ __xr ^= ROTL32(1, __t); \ __xl ^= (__xr | __kr); \ (x) = ((uint64_t) __xl << 32) | __xr; \ } while (0) #define CAMELLIA_FLINV(x, k) do { \ uint32_t __xl, __xr, __kl, __kr, __t; \ __xl = (x) >> 32; \ __xr = (x) & 0xffffffff; \ __kl = (k) >> 32; \ __kr = (k) & 0xffffffff; \ __xl ^= (__xr | __kr); \ __t = __xl & __kl; \ __xr ^= ROTL32(1, __t); \ (x) = ((uint64_t) __xl << 32) | __xr; \ } while (0) #if HAVE_NATIVE_64_BIT #define CAMELLIA_ROUNDSM(T, x, k, y) do { \ uint32_t __il, __ir; \ __ir \ = T->sp1110[(x) & 0xff] \ ^ T->sp0222[((x) >> 24) & 0xff] \ ^ T->sp3033[((x) >> 16) & 0xff] \ ^ T->sp4404[((x) >> 8) & 0xff]; \ /* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \ __il \ = T->sp1110[ (x) >> 56] \ ^ T->sp0222[((x) >> 48) & 0xff] \ ^ T->sp3033[((x) >> 40) & 0xff] \ ^ T->sp4404[((x) >> 32) & 0xff]; \ /* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \ __ir ^= __il; \ /* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \ (t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \ == y1,y2,y3,y4 */ \ __il = ROTL32(24, __il); \ /* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \ __il ^= __ir; \ /* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \ (t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \ == y5,y6,y7,y8 */ \ y ^= (k); \ y ^= ((uint64_t) __ir << 32) | __il; \ } while (0) #else /* !HAVE_NATIVE_64_BIT */ #define CAMELLIA_ROUNDSM(T, x, k, y) do { \ uint32_t __il, __ir; \ __ir \ = T->sp1110[(x) & 0xff] \ ^ T->sp0222[((x) >> 24) & 0xff] \ ^ T->sp3033[((x) >> 16) & 0xff] \ ^ T->sp4404[((x) >> 8) & 0xff]; \ /* ir == (t6^t7^t8),(t5^t7^t8),(t5^t6^t8),(t5^t6^t7) */ \ __il \ = T->sp1110[ (x) >> 56] \ ^ T->sp0222[((x) >> 48) & 0xff] \ ^ T->sp3033[((x) >> 40) & 0xff] \ ^ T->sp4404[((x) >> 32) & 0xff]; \ /* il == (t1^t3^t4),(t1^t2^t4),(t1^t2^t3),(t2^t3^t4) */ \ __il ^= (k) >> 32; \ __ir ^= (k) & 0xffffffff; \ __ir ^= __il; \ /* ir == (t1^t3^t4^t6^t7^t8),(t1^t2^t4^t5^t7^t8), \ (t1^t2^t3^t5^t6^t8),(t2^t3^t4^t5^t6^t7) \ == y1,y2,y3,y4 */ \ __il = ROTL32(24, __il); \ /* il == (t2^t3^t4),(t1^t3^t4),(t1^t2^t4),(t1^t2^t3) */ \ __il ^= __ir; \ /* il == (t1^t2^t6^t7^t8),(t2^t3^t5^t7^t8), \ (t3^t4^t5^t6^t8),(t1^t4^t5^t6^t7) \ == y5,y6,y7,y8 */ \ y ^= ((uint64_t) __ir << 32) | __il; \ } while (0) #endif void _nettle_camellia_crypt(unsigned nkeys, const uint64_t *keys, const struct camellia_table *T, size_t length, uint8_t *dst, const uint8_t *src) { FOR_BLOCKS(length, dst, src, CAMELLIA_BLOCK_SIZE) { uint64_t i0,i1; unsigned i; i0 = READ_UINT64(src); i1 = READ_UINT64(src + 8); /* pre whitening but absorb kw2*/ i0 ^= keys[0]; /* main iteration */ CAMELLIA_ROUNDSM(T, i0, keys[1], i1); CAMELLIA_ROUNDSM(T, i1, keys[2], i0); CAMELLIA_ROUNDSM(T, i0, keys[3], i1); CAMELLIA_ROUNDSM(T, i1, keys[4], i0); CAMELLIA_ROUNDSM(T, i0, keys[5], i1); CAMELLIA_ROUNDSM(T, i1, keys[6], i0); for (i = 0; i < nkeys - 8; i+= 8) { CAMELLIA_FL(i0, keys[i+7]); CAMELLIA_FLINV(i1, keys[i+8]); CAMELLIA_ROUNDSM(T, i0, keys[i+9], i1); CAMELLIA_ROUNDSM(T, i1, keys[i+10], i0); CAMELLIA_ROUNDSM(T, i0, keys[i+11], i1); CAMELLIA_ROUNDSM(T, i1, keys[i+12], i0); CAMELLIA_ROUNDSM(T, i0, keys[i+13], i1); CAMELLIA_ROUNDSM(T, i1, keys[i+14], i0); } /* post whitening but kw4 */ i1 ^= keys[i+7]; WRITE_UINT64(dst , i1); WRITE_UINT64(dst + 8, i0); } } nettle-3.10/rsa-sha1-verify.c0000644000175000017500000000341514633602171015047 0ustar nissenisse/* rsa-sha1-verify.c Verifying signatures created with RSA and SHA1. Copyright (C) 2001, 2003 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "rsa.h" #include "rsa-internal.h" #include "bignum.h" #include "pkcs1.h" int rsa_sha1_verify(const struct rsa_public_key *key, struct sha1_ctx *hash, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha1_encode(m, key->size, hash) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } int rsa_sha1_verify_digest(const struct rsa_public_key *key, const uint8_t *digest, const mpz_t s) { int res; mpz_t m; mpz_init(m); res = (pkcs1_rsa_sha1_encode_digest(m, key->size, digest) && _rsa_verify(key, m, s)); mpz_clear(m); return res; } nettle-3.10/gcm-aes192.c0000644000175000017500000000455614633602171013705 0ustar nissenisse/* gcm-aes192.c Galois counter mode using AES192 as the underlying cipher. Copyright (C) 2011, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "gcm.h" #include "gcm-internal.h" void gcm_aes192_set_key(struct gcm_aes192_ctx *ctx, const uint8_t *key) { GCM_SET_KEY(ctx, aes192_set_encrypt_key, aes192_encrypt, key); } void gcm_aes192_set_iv (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *iv) { GCM_SET_IV (ctx, length, iv); } void gcm_aes192_update (struct gcm_aes192_ctx *ctx, size_t length, const uint8_t *data) { GCM_UPDATE (ctx, length, data); } void gcm_aes192_encrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_encrypt ((struct gcm_key *)ctx, _AES192_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_ENCRYPT(ctx, aes192_encrypt, length, dst, src); } void gcm_aes192_decrypt(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { size_t done = _gcm_aes_decrypt ((struct gcm_key *)ctx, _AES192_ROUNDS, length, dst, src); ctx->gcm.data_size += done; length -= done; src += done; dst += done; GCM_DECRYPT(ctx, aes192_encrypt, length, dst, src); } void gcm_aes192_digest(struct gcm_aes192_ctx *ctx, size_t length, uint8_t *digest) { GCM_DIGEST(ctx, aes192_encrypt, length, digest); } nettle-3.10/aes128-encrypt.c0000644000175000017500000000323614633602171014614 0ustar nissenisse/* aes128-encrypt.c Encryption function for the aes/rijndael block cipher. Copyright (C) 2002, 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes128_encrypt void _nettle_aes128_encrypt_c(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_aes128_encrypt _nettle_aes128_encrypt_c #endif void nettle_aes128_encrypt(const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src) { assert(!(length % AES_BLOCK_SIZE) ); _nettle_aes_encrypt(_AES128_ROUNDS, ctx->keys, &_nettle_aes_encrypt_table, length, dst, src); } nettle-3.10/ecdsa-keygen.c0000644000175000017500000000344514633602172014471 0ustar nissenisse/* ecdsa-keygen.c Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "ecdsa.h" #include "ecc-internal.h" #include "nettle-internal.h" void ecdsa_generate_keypair (struct ecc_point *pub, struct ecc_scalar *key, void *random_ctx, nettle_random_func *random) { TMP_DECL(p, mp_limb_t, 3*ECC_MAX_SIZE + ECC_MUL_G_ITCH (ECC_MAX_SIZE)); const struct ecc_curve *ecc = pub->ecc; mp_size_t itch = 3*ecc->p.size + ecc->mul_g_itch; assert (key->ecc == ecc); assert (ecc->h_to_a_itch <= ecc->mul_g_itch); TMP_ALLOC (p, itch); ecc_mod_random (&ecc->q, key->p, random_ctx, random, p); ecc->mul_g (ecc, p, key->p, p + 3*ecc->p.size); ecc->h_to_a (ecc, 0, pub->p, p, p + 3*ecc->p.size); } nettle-3.10/cbc-aes128-encrypt.c0000644000175000017500000000307014633602171015335 0ustar nissenisse/* cbc-aes128-encrypt.c Copyright (C) 2021 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "cbc.h" /* For fat builds */ #if HAVE_NATIVE_cbc_aes128_encrypt void _nettle_cbc_aes128_encrypt_c(const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); # define nettle_cbc_aes128_encrypt _nettle_cbc_aes128_encrypt_c #endif void cbc_aes128_encrypt(const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src) { cbc_encrypt(ctx, (nettle_cipher_func *) aes128_encrypt, AES_BLOCK_SIZE, iv, length, dst, src); } nettle-3.10/der-iterator.c0000644000175000017500000001576214633602171014537 0ustar nissenisse/* der-iterator.c Parsing of ASN.1 DER encoded objects. Copyright (C) 2005 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "bignum.h" #include "asn1.h" #include "macros.h" /* Basic DER syntax: (reference: A Layman's Guide to a Subset of ASN.1, BER, and DER, http://luca.ntop.org/Teaching/Appunti/asn1.html) The DER header contains a tag and a length. First, the tag. cls is the class number, c is one if the object is "constructed" and zero if it is primitive. The tag is represented either using a single byte, 7 6 5 4 3 2 1 0 _____________________ |_cls_|_c_|_______tag_| 0 <= tag <= 30 or multiple bytes 7 6 5 4 3 2 1 0 _____________________ |_cls_|_c_|_1_1_1_1_1_| followed by the real tag number, in base 128, with all but the final byte having the most significant bit set. The tag must be represented with as few bytes as possible. High tag numbers are currently *not* supported. Next, the length, either a single byte with the most significant bit clear, or 7 6 5 4 3 2 1 0 _________________ |_1_|___________k_| followed by k additional bytes that give the length, in network byte order. The length must be encoded using as few bytes as possible, and k = 0 is reserved for the "indefinite length form" which is not supported. After the length comes the contets. For primitive objects (c == 0), it's depends on the type. For constructed objects, it's a concatenation of the DER encodings of zero or more other objects. */ enum { TAG_MASK = 0x1f, CLASS_MASK = 0xc0, CONSTRUCTED_MASK = 0x20, }; /* Initializes the iterator, but one has to call next to get to the * first element. */ static void asn1_der_iterator_init(struct asn1_der_iterator *iterator, size_t length, const uint8_t *input) { iterator->buffer_length = length; iterator->buffer = input; iterator->pos = 0; iterator->type = 0; iterator->length = 0; iterator->data = NULL; } #define LEFT(i) ((i)->buffer_length - (i)->pos) #define NEXT(i) ((i)->buffer[(i)->pos++]) /* Gets type and length of the next object. */ enum asn1_iterator_result asn1_der_iterator_next(struct asn1_der_iterator *i) { uint8_t tag; if (!LEFT(i)) return ASN1_ITERATOR_END; tag = NEXT(i); if (!LEFT(i)) return ASN1_ITERATOR_ERROR; if ( (tag & TAG_MASK) == TAG_MASK) { /* FIXME: Long tags not supported */ return ASN1_ITERATOR_ERROR; } i->length = NEXT(i); if (i->length & 0x80) { unsigned k = i->length & 0x7f; unsigned j; const uint8_t *data = i->buffer + i->pos; if (k == 0) /* Indefinite encoding. Not supported. */ return ASN1_ITERATOR_ERROR; if (LEFT(i) < k) return ASN1_ITERATOR_ERROR; if (k > sizeof(i->length)) return ASN1_ITERATOR_ERROR; i->pos += k; i->length = data[0]; if (i->length == 0 || (k == 1 && i->length < 0x80)) return ASN1_ITERATOR_ERROR; for (j = 1; j < k; j++) i->length = (i->length << 8) | data[j]; } if (LEFT(i) < i->length) return ASN1_ITERATOR_ERROR; i->data = i->buffer + i->pos; i->pos += i->length; i->type = tag & TAG_MASK; i->type |= (tag & CLASS_MASK) << (ASN1_CLASS_SHIFT - 6); if (tag & CONSTRUCTED_MASK) { i->type |= ASN1_TYPE_CONSTRUCTED; return ASN1_ITERATOR_CONSTRUCTED; } else return ASN1_ITERATOR_PRIMITIVE; } enum asn1_iterator_result asn1_der_iterator_first(struct asn1_der_iterator *i, size_t length, const uint8_t *input) { asn1_der_iterator_init(i, length, input); return asn1_der_iterator_next(i); } enum asn1_iterator_result asn1_der_decode_constructed(struct asn1_der_iterator *i, struct asn1_der_iterator *contents) { assert(i->type & ASN1_TYPE_CONSTRUCTED); return asn1_der_iterator_first(contents, i->length, i->data); } enum asn1_iterator_result asn1_der_decode_constructed_last(struct asn1_der_iterator *i) { if (LEFT(i) > 0) return ASN1_ITERATOR_ERROR; return asn1_der_decode_constructed(i, i); } /* Decoding a DER object which is wrapped in a bit string. */ enum asn1_iterator_result asn1_der_decode_bitstring(struct asn1_der_iterator *i, struct asn1_der_iterator *contents) { assert(i->type == ASN1_BITSTRING); /* First byte is the number of padding bits, which must be zero. */ if (i->length == 0 || i->data[0] != 0) return ASN1_ITERATOR_ERROR; return asn1_der_iterator_first(contents, i->length - 1, i->data + 1); } enum asn1_iterator_result asn1_der_decode_bitstring_last(struct asn1_der_iterator *i) { if (LEFT(i) > 0) return ASN1_ITERATOR_ERROR; return asn1_der_decode_bitstring(i, i); } int asn1_der_get_uint32(struct asn1_der_iterator *i, uint32_t *x) { /* Big endian, two's complement, minimum number of octets (except 0, which is encoded as a single octet */ uint32_t value = 0; size_t length = i->length; unsigned k; if (!length || length > 5) return 0; if (i->data[length - 1] >= 0x80) /* Signed number */ return 0; if (length > 1 && i->data[length -1] == 0 && i->data[length -2] < 0x80) /* Non-minimal number of digits */ return 0; if (length == 5) { if (i->data[4]) return 0; length--; } for (value = k = 0; k < length; k++) value = (value << 8) | i->data[k]; *x = value; return 1; } /* NOTE: This is the only function in this file which needs bignums. One could split this file in two, one in libnettle and one in libhogweed. */ int asn1_der_get_bignum(struct asn1_der_iterator *i, mpz_t x, unsigned max_bits) { if (i->length > 1 && ((i->data[0] == 0 && i->data[1] < 0x80) || (i->data[0] == 0xff && i->data[1] >= 0x80))) /* Non-minimal number of digits */ return 0; /* Allow some extra here, for leading sign octets. */ if (max_bits && (8 * i->length > (16 + max_bits))) return 0; nettle_mpz_set_str_256_s(x, i->length, i->data); /* FIXME: How to interpret a max_bits for negative numbers? */ if (max_bits && mpz_sizeinbase(x, 2) > max_bits) return 0; return 1; } nettle-3.10/knuth-lfib.c0000644000175000017500000001001314633602171014161 0ustar nissenisse/* knuth-lfib.c The "lagged fibonacci" pseudorandomness generator, described in Knuth, TAoCP, 3.6 Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* This file includes code copied verbatim from Knuth's TAoCP. Technically, doing that probably requires asking for the author's explicit permission. I'd expect such a request to be granted, but I haven't asked, because I don't want to distract him from more important and interesting work. */ /* NOTE: This generator is totally inappropriate for cryptographic * applications. It is useful for generating deterministic but * random-looking test data, and is used by the Nettle testsuite. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "knuth-lfib.h" #include "macros.h" #define KK _KNUTH_LFIB_KK #define LL 37 #define MM (1UL << 30) #define TT 70 void knuth_lfib_init(struct knuth_lfib_ctx *ctx, uint32_t seed) { uint32_t t,j; uint32_t x[2*KK - 1]; uint32_t ss = (seed + 2) & (MM-2); for (j = 0; j= MM) ss -= (MM-2); } for (;j< 2*KK-1; j++) x[j] = 0; x[1]++; ss = seed & (MM-1); for (t = TT-1; t; ) { for (j = KK-1; j>0; j--) x[j+j] = x[j]; for (j = 2*KK-2; j > KK-LL; j-= 2) x[2*KK-1-j] = x[j] & ~1; for (j = 2*KK-2; j>=KK; j--) if (x[j] & 1) { x[j-(KK-LL)] = (x[j - (KK-LL)] - x[j]) & (MM-1); x[j-KK] = (x[j-KK] - x[j]) & (MM-1); } if (ss & 1) { for (j=KK; j>0; j--) x[j] = x[j-1]; x[0] = x[KK]; if (x[KK] & 1) x[LL] = (x[LL] - x[KK]) & (MM-1); } if (ss) ss >>= 1; else t--; } for (j=0; jx[j+KK-LL] = x[j]; for (; jx[j-LL] = x[j]; ctx->index = 0; } /* Get's a single number in the range 0 ... 2^30-1 */ uint32_t knuth_lfib_get(struct knuth_lfib_ctx *ctx) { uint32_t value; assert(ctx->index < KK); value = ctx->x[ctx->index]; ctx->x[ctx->index] -= ctx->x[(ctx->index + KK - LL) % KK]; ctx->x[ctx->index] &= (MM-1); ctx->index = (ctx->index + 1) % KK; return value; } /* NOTE: Not at all optimized. */ void knuth_lfib_get_array(struct knuth_lfib_ctx *ctx, size_t n, uint32_t *a) { unsigned i; for (i = 0; i= 3; n-=3, dst += 3) { uint32_t value = knuth_lfib_get(ctx); /* Xor the most significant octet (containing 6 significant bits) * into the lower octet. */ value ^= (value >> 24); WRITE_UINT24(dst, value); } if (n) { /* We need one or two octets more */ uint32_t value = knuth_lfib_get(ctx); switch (n) { case 1: *dst++ = value & 0xff; break; case 2: WRITE_UINT16(dst, value); break; default: abort(); } } } nettle-3.10/eax-aes128-meta.c0000644000175000017500000000341014633602171014623 0ustar nissenisse/* eax-aes128-meta.c Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eax.h" #include "nettle-meta.h" static nettle_set_key_func eax_aes128_set_nonce_wrapper; static void eax_aes128_set_nonce_wrapper (void *ctx, const uint8_t *nonce) { eax_aes128_set_nonce (ctx, EAX_IV_SIZE, nonce); } const struct nettle_aead nettle_eax_aes128 = { "eax_aes128", sizeof(struct eax_aes128_ctx), EAX_BLOCK_SIZE, AES128_KEY_SIZE, EAX_IV_SIZE, EAX_DIGEST_SIZE, (nettle_set_key_func *) eax_aes128_set_key, (nettle_set_key_func *) eax_aes128_set_key, eax_aes128_set_nonce_wrapper, (nettle_hash_update_func *) eax_aes128_update, (nettle_crypt_func *) eax_aes128_encrypt, (nettle_crypt_func *) eax_aes128_decrypt, (nettle_hash_digest_func *) eax_aes128_digest }; nettle-3.10/pbkdf2-hmac-sha1.c0000644000175000017500000000300514633602171015031 0ustar nissenisse/* pbkdf2-hmac-sha1.c PKCS #5 PBKDF2 used with HMAC-SHA1, see RFC 2898. Copyright (C) 2012 Simon Josefsson This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_sha1 (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_sha1_ctx sha1ctx; hmac_sha1_set_key (&sha1ctx, key_length, key); PBKDF2 (&sha1ctx, hmac_sha1_update, hmac_sha1_digest, SHA1_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-3.10/fat-setup.h0000644000175000017500000002141614633602172014045 0ustar nissenisse/* fat-setup.h Copyright (C) 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Fat library initialization works as follows. The main function is fat_init. We try to do initialization only once, but since it is idempotent, there's no harm if it is in some cases called multiple times from several threads. For correctness, we rely on atomic writes, but not on memory barriers or any other synchronization mechanism. The fat_init function checks the cpuid flags, and sets function pointers, e.g, _nettle_aes_encrypt_vec, to point to the appropriate implementation. To get everything hooked in, we use a belt-and-suspenders approach. We try to register fat_init as a constructor function to be called at load time. If this is unavailable or non-working, we instead arrange fat_init to be called lazily. For the actual indirection, there are two cases. * If ifunc support is available, function pointers are statically initialized to NULL, and we register resolver functions, e.g., _nettle_aes_encrypt_resolve, which call fat_init, and then return the function pointer, e.g., the value of _nettle_aes_encrypt_vec. * If ifunc is not available, we have to define a wrapper function to jump via the function pointer. (FIXME: For internal calls, we could do this as a macro). We statically initialize each function pointer to point to a special initialization function, e.g., _nettle_aes_encrypt_init, which calls fat_init, and then invokes the right function. This way, all pointers are setup correctly at the first call to any fat function. And atomic writes are required for correctness in the case that several threads do "first call to any fat function" at the same time. */ #if HAVE_GCC_ATTRIBUTE # define CONSTRUCTOR __attribute__ ((constructor)) #else # define CONSTRUCTOR # if defined (__sun) # pragma init(fat_init) # endif #endif /* Disable use of ifunc for now. Problem is, there's no guarantee that one can call any libc functions from the ifunc resolver. On x86 and x86_64, the corresponding IRELATIVE relocs are supposed to be processed last, but that doesn't seem to happen, and its a platform-specific feature. To trigger problems, simply try dlopen ("libnettle.so", RTLD_NOW), which crashes in an uninitialized plt entry. */ #undef HAVE_LINK_IFUNC #if !HAVE_SECURE_GETENV #define secure_getenv(s) NULL #endif #define ENV_VERBOSE "NETTLE_FAT_VERBOSE" #define ENV_OVERRIDE "NETTLE_FAT_OVERRIDE" struct chacha_ctx; struct salsa20_ctx; /* DECLARE_FAT_FUNC(name, ftype) * * name is the public function, e.g., _nettle_aes_encrypt. * ftype is its type, e.g., aes_crypt_internal_func. * * DECLARE_FAT_VAR(name, type, var) * * name is name without _nettle prefix. * type is its type. * var is the variant, used as a suffix on the symbol name. * * DEFINE_FAT_FUNC(name, rtype, prototype, args) * * name is the public function. * rtype its return type. * prototype is the list of formal arguments, with types. * args contain the argument list without any types. */ #if HAVE_LINK_IFUNC #define IFUNC(resolve) __attribute__ ((ifunc (resolve))) #define DECLARE_FAT_FUNC(name, ftype) \ ftype name IFUNC(#name"_resolve"); \ static ftype *name##_vec = NULL; #define DEFINE_FAT_FUNC(name, rtype, prototype, args) \ static void_func * name##_resolve(void) \ { \ if (getenv (ENV_VERBOSE)) \ fprintf (stderr, "libnettle: "#name"_resolve\n"); \ if (!name##_vec) \ fat_init(); \ return (void_func *) name##_vec; \ } #else /* !HAVE_LINK_IFUNC */ #define DECLARE_FAT_FUNC(name, ftype) \ ftype name; \ static ftype name##_init; \ static ftype *name##_vec = name##_init; #define DEFINE_FAT_FUNC(name, rtype, prototype, args) \ rtype name prototype \ { \ return name##_vec args; \ } \ static rtype name##_init prototype { \ if (getenv (ENV_VERBOSE)) \ fprintf (stderr, "libnettle: "#name"_init\n"); \ if (name##_vec == name##_init) \ fat_init(); \ assert (name##_vec != name##_init); \ return name##_vec args; \ } #endif /* !HAVE_LINK_IFUNC */ #define DECLARE_FAT_FUNC_VAR(name, type, var) \ type _nettle_##name##_##var; typedef void void_func (void); struct aes_table; typedef void aes_crypt_internal_func (unsigned rounds, const uint32_t *keys, const struct aes_table *T, size_t length, uint8_t *dst, const uint8_t *src); typedef void aes_invert_internal_func (unsigned rounds, uint32_t *dst, const uint32_t *src); struct gcm_key; typedef void ghash_set_key_func (struct gcm_key *ctx, const union nettle_block16 *key); typedef const uint8_t * ghash_update_func (const struct gcm_key *ctx, union nettle_block16 *state, size_t blocks, const uint8_t *data); typedef size_t gcm_aes_crypt_func (struct gcm_key *key, unsigned rounds, size_t len, uint8_t *dst, const uint8_t *src); typedef void *(memxor_func)(void *dst, const void *src, size_t n); typedef void *(memxor3_func)(void *dst_in, const void *a_in, const void *b_in, size_t n); typedef void salsa20_core_func (uint32_t *dst, const uint32_t *src, unsigned rounds); typedef void salsa20_crypt_func (struct salsa20_ctx *ctx, unsigned rounds, size_t length, uint8_t *dst, const uint8_t *src); typedef void sha1_compress_func(uint32_t *state, const uint8_t *input); typedef const uint8_t * sha256_compress_n_func(uint32_t *state, const uint32_t *k, size_t blocks, const uint8_t *input); struct sha3_state; typedef void sha3_permute_func (struct sha3_state *state); typedef void sha512_compress_func (uint64_t *state, const uint8_t *input, const uint64_t *k); typedef uint64_t umac_nh_func (const uint32_t *key, unsigned length, const uint8_t *msg); typedef void umac_nh_n_func (uint64_t *out, unsigned n, const uint32_t *key, unsigned length, const uint8_t *msg); typedef void chacha_core_func(uint32_t *dst, const uint32_t *src, unsigned rounds); typedef void chacha_crypt_func(struct chacha_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct poly1305_ctx; typedef void poly1305_set_key_func(struct poly1305_ctx *ctx, const uint8_t *key); typedef void poly1305_digest_func(struct poly1305_ctx *ctx, union nettle_block16 *s); typedef void poly1305_block_func(struct poly1305_ctx *ctx, const uint8_t *m, unsigned high); typedef const uint8_t * poly1305_blocks_func(struct poly1305_ctx *ctx, size_t blocks, const uint8_t *m); struct aes128_ctx; typedef void aes128_set_key_func (struct aes128_ctx *ctx, const uint8_t *key); typedef void aes128_invert_key_func (struct aes128_ctx *dst, const struct aes128_ctx *src); typedef void aes128_crypt_func (const struct aes128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes192_ctx; typedef void aes192_set_key_func (struct aes192_ctx *ctx, const uint8_t *key); typedef void aes192_invert_key_func (struct aes192_ctx *dst, const struct aes192_ctx *src); typedef void aes192_crypt_func (const struct aes192_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); struct aes256_ctx; typedef void aes256_set_key_func (struct aes256_ctx *ctx, const uint8_t *key); typedef void aes256_invert_key_func (struct aes256_ctx *dst, const struct aes256_ctx *src); typedef void aes256_crypt_func (const struct aes256_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); typedef void cbc_aes128_encrypt_func (const struct aes128_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); typedef void cbc_aes192_encrypt_func (const struct aes192_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); typedef void cbc_aes256_encrypt_func (const struct aes256_ctx *ctx, uint8_t *iv, size_t length, uint8_t *dst, const uint8_t *src); nettle-3.10/umac.h0000644000175000017500000001272014633602172013060 0ustar nissenisse/* umac.h UMAC message authentication code (RFC-4418). Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_UMAC_H_INCLUDED #define NETTLE_UMAC_H_INCLUDED #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define umac32_set_key nettle_umac32_set_key #define umac64_set_key nettle_umac64_set_key #define umac96_set_key nettle_umac96_set_key #define umac128_set_key nettle_umac128_set_key #define umac32_set_nonce nettle_umac32_set_nonce #define umac64_set_nonce nettle_umac64_set_nonce #define umac96_set_nonce nettle_umac96_set_nonce #define umac128_set_nonce nettle_umac128_set_nonce #define umac32_update nettle_umac32_update #define umac64_update nettle_umac64_update #define umac96_update nettle_umac96_update #define umac128_update nettle_umac128_update #define umac32_digest nettle_umac32_digest #define umac64_digest nettle_umac64_digest #define umac96_digest nettle_umac96_digest #define umac128_digest nettle_umac128_digest #include "nettle-types.h" #include "aes.h" #define UMAC_KEY_SIZE AES128_KEY_SIZE #define UMAC32_DIGEST_SIZE 4 #define UMAC64_DIGEST_SIZE 8 #define UMAC96_DIGEST_SIZE 12 #define UMAC128_DIGEST_SIZE 16 #define UMAC_BLOCK_SIZE 1024 #define UMAC_MIN_NONCE_SIZE 1 #define UMAC_MAX_NONCE_SIZE AES_BLOCK_SIZE /* For backwards compatibility */ #define UMAC_DATA_SIZE UMAC_BLOCK_SIZE /* Subkeys and state for UMAC with tag size 32*n bits. */ #define _UMAC_STATE(n) \ uint32_t l1_key[UMAC_BLOCK_SIZE/4 + 4*((n)-1)]; \ /* Keys in 32-bit pieces, high first */ \ uint32_t l2_key[6*(n)]; \ uint64_t l3_key1[8*(n)]; \ uint32_t l3_key2[(n)]; \ /* AES cipher for encrypting the nonce */ \ struct aes128_ctx pdf_key; \ /* The l2_state consists of 2*n uint64_t, for poly64 \ and poly128 hashing, followed by n additional \ uint64_t used as an input buffer. */ \ uint64_t l2_state[3*(n)]; \ /* Input to the pdf_key, zero-padded and low bits \ cleared if appropriate. */ \ uint8_t nonce[AES_BLOCK_SIZE]; \ unsigned short nonce_length /* For incrementing */ /* Buffering */ #define _UMAC_BUFFER \ unsigned index; \ /* Complete blocks processed */ \ uint64_t count; \ uint8_t block[UMAC_BLOCK_SIZE] #define _UMAC_NONCE_CACHED 0x80 struct umac32_ctx { _UMAC_STATE(1); /* Low bits and cache flag. */ unsigned short nonce_low; /* Previous padding block */ uint32_t pad_cache[AES_BLOCK_SIZE / 4]; _UMAC_BUFFER; }; struct umac64_ctx { _UMAC_STATE(2); /* Low bit and cache flag. */ unsigned short nonce_low; /* Previous padding block */ uint32_t pad_cache[AES_BLOCK_SIZE/4]; _UMAC_BUFFER; }; struct umac96_ctx { _UMAC_STATE(3); _UMAC_BUFFER; }; struct umac128_ctx { _UMAC_STATE(4); _UMAC_BUFFER; }; /* The _set_key function initialize the nonce to zero. */ void umac32_set_key (struct umac32_ctx *ctx, const uint8_t *key); void umac64_set_key (struct umac64_ctx *ctx, const uint8_t *key); void umac96_set_key (struct umac96_ctx *ctx, const uint8_t *key); void umac128_set_key (struct umac128_ctx *ctx, const uint8_t *key); /* Optional, if not used, messages get incrementing nonces starting from zero. */ void umac32_set_nonce (struct umac32_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac64_set_nonce (struct umac64_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac96_set_nonce (struct umac96_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac128_set_nonce (struct umac128_ctx *ctx, size_t nonce_length, const uint8_t *nonce); void umac32_update (struct umac32_ctx *ctx, size_t length, const uint8_t *data); void umac64_update (struct umac64_ctx *ctx, size_t length, const uint8_t *data); void umac96_update (struct umac96_ctx *ctx, size_t length, const uint8_t *data); void umac128_update (struct umac128_ctx *ctx, size_t length, const uint8_t *data); /* The _digest functions increment the nonce */ void umac32_digest (struct umac32_ctx *ctx, size_t length, uint8_t *digest); void umac64_digest (struct umac64_ctx *ctx, size_t length, uint8_t *digest); void umac96_digest (struct umac96_ctx *ctx, size_t length, uint8_t *digest); void umac128_digest (struct umac128_ctx *ctx, size_t length, uint8_t *digest); /* Internal functions */ #define UMAC_POLY64_BLOCKS 16384 #define UMAC_P64_OFFSET 59 #define UMAC_P64 (- (uint64_t) UMAC_P64_OFFSET) #define UMAC_P128_OFFSET 159 #define UMAC_P128_HI (~(uint64_t) 0) #define UMAC_P128_LO (-(uint64_t) UMAC_P128_OFFSET) #ifdef __cplusplus } #endif #endif /* NETTLE_UMAC_H_INCLUDED */ nettle-3.10/aes-set-encrypt-key.c0000644000175000017500000000321614633602171015736 0ustar nissenisse/* aes-set-encrypt-key.c Key setup for the aes/rijndael block cipher. Copyright (C) 2000, 2001, 2002 Rafael R. Sevilla, Niels Möller Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes.h" void aes_set_encrypt_key(struct aes_ctx *ctx, size_t key_size, const uint8_t *key) { switch (key_size) { default: abort(); case AES128_KEY_SIZE: aes128_set_encrypt_key(&ctx->u.ctx128, key); break; case AES192_KEY_SIZE: aes192_set_encrypt_key(&ctx->u.ctx192, key); break; case AES256_KEY_SIZE: aes256_set_encrypt_key(&ctx->u.ctx256, key); break; } ctx->key_size = key_size; } nettle-3.10/libhogweed.map.in0000644000175000017500000000102314633602172015171 0ustar nissenisse# libhogweed.map.in -- linker version script. -*- ld-script -*- # # The symbol version must be updated on every hogweed # library major number change. That is taken care by # auto-generating the file. HOGWEED_@LIBHOGWEED_MAJOR@ { global: @HOGWEED_EXTRA_SYMBOLS@ nettle_*; local: *; }; # Internal symbols which are to be used only for unit or other # testing. Compatibility may break across releases. HOGWEED_INTERNAL_@LIBHOGWEED_MAJOR@_@LIBNETTLE_MINOR@ { global: _nettle_*; local: *; }; nettle-3.10/ripemd160.h0000644000175000017500000000405014633602172013637 0ustar nissenisse/* ripemd160.h RIPEMD-160 hash function. Copyright (C) 2011 Andres Mejia This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_RIPEMD160_H_INCLUDED #define NETTLE_RIPEMD160_H_INCLUDED #ifdef __cplusplus extern "C" { #endif #include "nettle-types.h" /* Name mangling */ #define ripemd160_init nettle_ripemd160_init #define ripemd160_update nettle_ripemd160_update #define ripemd160_digest nettle_ripemd160_digest /* RIPEMD160 */ #define RIPEMD160_DIGEST_SIZE 20 #define RIPEMD160_BLOCK_SIZE 64 /* For backwards compatibility */ #define RIPEMD160_DATA_SIZE RIPEMD160_BLOCK_SIZE /* Digest is kept internally as 5 32-bit words. */ #define _RIPEMD160_DIGEST_LENGTH 5 struct ripemd160_ctx { uint32_t state[_RIPEMD160_DIGEST_LENGTH]; uint64_t count; /* 64-bit block count */ unsigned int index; uint8_t block[RIPEMD160_BLOCK_SIZE]; }; void ripemd160_init(struct ripemd160_ctx *ctx); void ripemd160_update(struct ripemd160_ctx *ctx, size_t length, const uint8_t *data); void ripemd160_digest(struct ripemd160_ctx *ctx, size_t length, uint8_t *digest); #ifdef __cplusplus } #endif #endif /* NETTLE_RIPEMD160_H_INCLUDED */ nettle-3.10/ecc.h0000644000175000017500000001127214633602172012666 0ustar nissenisse/* ecc.h Copyright (C) 2013 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_H_INCLUDED #define NETTLE_ECC_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define ecc_point_init nettle_ecc_point_init #define ecc_point_clear nettle_ecc_point_clear #define ecc_point_set nettle_ecc_point_set #define ecc_point_get nettle_ecc_point_get #define ecc_point_mul nettle_ecc_point_mul #define ecc_point_mul_g nettle_ecc_point_mul_g #define ecc_scalar_init nettle_ecc_scalar_init #define ecc_scalar_clear nettle_ecc_scalar_clear #define ecc_scalar_set nettle_ecc_scalar_set #define ecc_scalar_get nettle_ecc_scalar_get #define ecc_scalar_random nettle_ecc_scalar_random #define ecc_point_mul nettle_ecc_point_mul #define ecc_bit_size nettle_ecc_bit_size #define ecc_size nettle_ecc_size #define ecc_size_a nettle_ecc_size_a #define ecc_size_j nettle_ecc_size_j struct ecc_curve; /* High level interface, for ECDSA, DH, etc */ /* Represents a point on the ECC curve */ struct ecc_point { const struct ecc_curve *ecc; /* Allocated using the same allocation function as GMP. */ mp_limb_t *p; }; /* Represents a non-zero scalar, an element of Z_q^*, where q is the group order of the curve. */ struct ecc_scalar { const struct ecc_curve *ecc; /* Allocated using the same allocation function as GMP. */ mp_limb_t *p; }; void ecc_point_init (struct ecc_point *p, const struct ecc_curve *ecc); void ecc_point_clear (struct ecc_point *p); /* Fails and returns zero if the point is not on the curve. */ int ecc_point_set (struct ecc_point *p, const mpz_t x, const mpz_t y); void ecc_point_get (const struct ecc_point *p, mpz_t x, mpz_t y); void ecc_scalar_init (struct ecc_scalar *s, const struct ecc_curve *ecc); void ecc_scalar_clear (struct ecc_scalar *s); /* Fails and returns zero if the scalar is not in the proper range. */ int ecc_scalar_set (struct ecc_scalar *s, const mpz_t z); void ecc_scalar_get (const struct ecc_scalar *s, mpz_t z); /* Generates a random scalar, suitable as an ECDSA private key or a ECDH exponent. */ void ecc_scalar_random (struct ecc_scalar *s, void *random_ctx, nettle_random_func *random); /* Computes r = n p */ void ecc_point_mul (struct ecc_point *r, const struct ecc_scalar *n, const struct ecc_point *p); /* Computes r = n g */ void ecc_point_mul_g (struct ecc_point *r, const struct ecc_scalar *n); /* Low-level interface */ /* Points on a curve are represented as arrays of mp_limb_t, with curve-specific representation. For the secp curves, we use Jacobian coordinates (possibly in Montgomery form for mod multiplication). For curve25519 we use homogeneous coordinates on an equivalent Edwards curve. The suffix "_h" denotes this internal representation. Since we use additive notation for the groups, the infinity point on the curve is denoted 0. The infinity point can be represented with x = y = 0 in affine coordinates, and Z = 0 in Jacobian coordinates. However, note that most of the ECC functions do *not* support infinity as an input or output. */ /* Returns the bit size of a single coordinate (and of the prime p). */ unsigned ecc_bit_size (const struct ecc_curve *ecc); /* Returns the size of a single coordinate. */ mp_size_t ecc_size (const struct ecc_curve *ecc); /* Size of a point, using affine coordinates x, y. */ mp_size_t ecc_size_a (const struct ecc_curve *ecc); /* Size of a point, using jacobian coordinates X, Y and Z. */ mp_size_t ecc_size_j (const struct ecc_curve *ecc); /* FIXME: Define a generic ecc_dup, ecc_add, for any type of curve. Do they need to handle infinity points? */ #ifdef __cplusplus } #endif #endif /* NETTLE_ECC_H_INCLUDED */ nettle-3.10/gcm.c0000644000175000017500000001432414633602171012675 0ustar nissenisse/* gcm.c Galois counter mode, specified by NIST, http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf See also the gcm paper at http://www.cryptobarn.com/papers/gcm-spec.pdf. Copyright (C) 2011 Katholieke Universiteit Leuven Copyright (C) 2011, 2013, 2018 Niels Möller Copyright (C) 2018 Red Hat, Inc. Contributed by Nikos Mavrogiannopoulos This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "gcm.h" #include "ghash-internal.h" #include "memxor.h" #include "nettle-internal.h" #include "macros.h" #include "ctr-internal.h" #include "block-internal.h" #include "bswap-internal.h" /* Initialization of GCM. * @ctx: The context of GCM * @cipher: The context of the underlying block cipher * @f: The underlying cipher encryption function */ void gcm_set_key(struct gcm_key *key, const void *cipher, nettle_cipher_func *f) { static const union nettle_block16 zero_block; union nettle_block16 key_block; f (cipher, GCM_BLOCK_SIZE, key_block.b, zero_block.b); _ghash_set_key (key, &key_block); } /* Call _ghash_update, with zero padding of any partial final block. */ static void gcm_hash (const struct gcm_key *key, union nettle_block16 *x, size_t length, const uint8_t *data) { data = _ghash_update (key, x, length / GCM_BLOCK_SIZE, data); length &= (GCM_BLOCK_SIZE - 1); if (length > 0) { union nettle_block16 block; block16_zero (&block); memcpy (block.b, data, length); _ghash_update (key, x, 1, block.b); } } static void gcm_hash_sizes(const struct gcm_key *key, union nettle_block16 *x, uint64_t auth_size, uint64_t data_size) { union nettle_block16 buffer; data_size *= 8; auth_size *= 8; buffer.u64[0] = bswap64_if_le (auth_size); buffer.u64[1] = bswap64_if_le (data_size); _ghash_update (key, x, 1, buffer.b); } /* NOTE: The key is needed only if length != GCM_IV_SIZE */ void gcm_set_iv(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *iv) { if (length == GCM_IV_SIZE) { memcpy (ctx->iv.b, iv, GCM_BLOCK_SIZE - 4); ctx->iv.b[GCM_BLOCK_SIZE - 4] = 0; ctx->iv.b[GCM_BLOCK_SIZE - 3] = 0; ctx->iv.b[GCM_BLOCK_SIZE - 2] = 0; ctx->iv.b[GCM_BLOCK_SIZE - 1] = 1; } else { block16_zero(&ctx->iv); gcm_hash(key, &ctx->iv, length, iv); gcm_hash_sizes(key, &ctx->iv, 0, length); } ctx->ctr = ctx->iv; /* Increment the rightmost 32 bits. */ INCREMENT (4, ctx->ctr.b + GCM_BLOCK_SIZE - 4); /* Reset the rest of the message-dependent state. */ block16_zero(&ctx->x); ctx->auth_size = ctx->data_size = 0; } void gcm_update(struct gcm_ctx *ctx, const struct gcm_key *key, size_t length, const uint8_t *data) { assert(ctx->auth_size % GCM_BLOCK_SIZE == 0); assert(ctx->data_size == 0); gcm_hash(key, &ctx->x, length, data); ctx->auth_size += length; } static nettle_fill16_func gcm_fill; #if WORDS_BIGENDIAN static void gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint64_t hi, mid; uint32_t lo; size_t i; hi = READ_UINT64(ctr); mid = (uint64_t) READ_UINT32(ctr + 8) << 32; lo = READ_UINT32(ctr + 12); for (i = 0; i < blocks; i++) { buffer[i].u64[0] = hi; buffer[i].u64[1] = mid + lo++; } WRITE_UINT32(ctr + 12, lo); } #elif HAVE_BUILTIN_BSWAP64 /* Assume __builtin_bswap32 is also available */ static void gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint64_t hi, mid; uint32_t lo; size_t i; hi = LE_READ_UINT64(ctr); mid = LE_READ_UINT32(ctr + 8); lo = READ_UINT32(ctr + 12); for (i = 0; i < blocks; i++) { buffer[i].u64[0] = hi; buffer[i].u64[1] = mid + ((uint64_t)__builtin_bswap32(lo) << 32); lo++; } WRITE_UINT32(ctr + 12, lo); } #else static void gcm_fill(uint8_t *ctr, size_t blocks, union nettle_block16 *buffer) { uint32_t c; c = READ_UINT32(ctr + GCM_BLOCK_SIZE - 4); for (; blocks-- > 0; buffer++, c++) { memcpy(buffer->b, ctr, GCM_BLOCK_SIZE - 4); WRITE_UINT32(buffer->b + GCM_BLOCK_SIZE - 4, c); } WRITE_UINT32(ctr + GCM_BLOCK_SIZE - 4, c); } #endif void gcm_encrypt (struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); _nettle_ctr_crypt16(cipher, f, gcm_fill, ctx->ctr.b, length, dst, src); gcm_hash(key, &ctx->x, length, dst); ctx->data_size += length; } void gcm_decrypt(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *dst, const uint8_t *src) { assert(ctx->data_size % GCM_BLOCK_SIZE == 0); gcm_hash(key, &ctx->x, length, src); _nettle_ctr_crypt16(cipher, f, gcm_fill, ctx->ctr.b, length, dst, src); ctx->data_size += length; } void gcm_digest(struct gcm_ctx *ctx, const struct gcm_key *key, const void *cipher, nettle_cipher_func *f, size_t length, uint8_t *digest) { union nettle_block16 buffer; assert (length <= GCM_BLOCK_SIZE); gcm_hash_sizes(key, &ctx->x, ctx->auth_size, ctx->data_size); f (cipher, GCM_BLOCK_SIZE, buffer.b, ctx->iv.b); block16_xor (&buffer, &ctx->x); memcpy (digest, buffer.b, length); return; } nettle-3.10/ed25519-sha512-sign.c0000644000175000017500000000357714633602172015075 0ustar nissenisse/* ed25519-sha512-sign.c Copyright (C) 2014, 2015 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "eddsa.h" #include "eddsa-internal.h" #include "ecc-internal.h" #include "sha2.h" void ed25519_sha512_sign (const uint8_t *pub, const uint8_t *priv, size_t length, const uint8_t *msg, uint8_t *signature) { const struct ecc_curve *ecc = &_nettle_curve25519; mp_size_t itch = ecc->q.size + _eddsa_sign_itch (ecc); mp_limb_t *scratch = gmp_alloc_limbs (itch); #define k2 scratch #define scratch_out (scratch + ecc->q.size) struct sha512_ctx ctx; uint8_t digest[SHA512_DIGEST_SIZE]; sha512_init (&ctx); _eddsa_expand_key (ecc, &_nettle_ed25519_sha512, &ctx, priv, digest, k2); _eddsa_sign (ecc, &_nettle_ed25519_sha512, &ctx, pub, digest + ED25519_KEY_SIZE, k2, length, msg, signature, scratch_out); gmp_free_limbs (scratch, itch); #undef k1 #undef k2 #undef scratch_out } nettle-3.10/balloon-sha256.c0000644000175000017500000000322214633602171014556 0ustar nissenisse/* balloon-sha256.c Balloon password-hashing algorithm. Copyright (C) 2022 Zoltan Fridrich Copyright (C) 2022 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "balloon.h" #include "sha2.h" void balloon_sha256(size_t s_cost, size_t t_cost, size_t passwd_length, const uint8_t *passwd, size_t salt_length, const uint8_t *salt, uint8_t *scratch, uint8_t *dst) { struct sha256_ctx ctx; sha256_init(&ctx); balloon(&ctx, (nettle_hash_update_func*)sha256_update, (nettle_hash_digest_func*)sha256_digest, SHA256_DIGEST_SIZE, s_cost, t_cost, passwd_length, passwd, salt_length, salt, scratch, dst); } nettle-3.10/pbkdf2-hmac-gosthash94.c0000644000175000017500000000312514633602171016175 0ustar nissenisse/* pbkdf2-hmac-gosthash94.c PKCS #5 PBKDF2 used with HMAC-GOSTHASH94CP. Copyright (C) 2016 Dmitry Eremin-Solenikov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "pbkdf2.h" #include "hmac.h" void pbkdf2_hmac_gosthash94cp (size_t key_length, const uint8_t *key, unsigned iterations, size_t salt_length, const uint8_t *salt, size_t length, uint8_t *dst) { struct hmac_gosthash94cp_ctx gosthash94cpctx; hmac_gosthash94cp_set_key (&gosthash94cpctx, key_length, key); PBKDF2 (&gosthash94cpctx, hmac_gosthash94cp_update, hmac_gosthash94cp_digest, GOSTHASH94CP_DIGEST_SIZE, iterations, salt_length, salt, length, dst); } nettle-3.10/cast128.h0000644000175000017500000000425214633602172013321 0ustar nissenisse/* cast128.h The CAST-128 block cipher. Copyright (C) 2001, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_CAST128_H_INCLUDED #define NETTLE_CAST128_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define cast5_set_key nettle_cast5_set_key #define cast128_set_key nettle_cast128_set_key #define cast128_encrypt nettle_cast128_encrypt #define cast128_decrypt nettle_cast128_decrypt #define CAST128_BLOCK_SIZE 8 /* Variable key size between 40 and 128. */ #define CAST5_MIN_KEY_SIZE 5 #define CAST5_MAX_KEY_SIZE 16 #define CAST128_KEY_SIZE 16 struct cast128_ctx { unsigned rounds; /* Number of rounds to use, 12 or 16 */ /* Expanded key, rotations (5 bits only) and 32-bit masks. */ unsigned char Kr[16]; uint32_t Km[16]; }; /* Using variable key size. */ void cast5_set_key(struct cast128_ctx *ctx, size_t length, const uint8_t *key); void cast128_set_key(struct cast128_ctx *ctx, const uint8_t *key); void cast128_encrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void cast128_decrypt(const struct cast128_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_CAST128_H_INCLUDED */ nettle-3.10/des.h0000644000175000017500000000555214633602172012713 0ustar nissenisse/* des.h The des block cipher. And triple des. Copyright (C) 1992 Dana L. How Copyright (C) 2001 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* * des - fast & portable DES encryption & decryption. * Copyright (C) 1992 Dana L. How * Please see the file `../lib/descore.README' for the complete copyright * notice. * * Slightly edited by Niels Möller, 1997 */ #ifndef NETTLE_DES_H_INCLUDED #define NETTLE_DES_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Namespace mangling */ #define des_set_key nettle_des_set_key #define des_encrypt nettle_des_encrypt #define des_decrypt nettle_des_decrypt #define des_check_parity nettle_des_check_parity #define des_fix_parity nettle_des_fix_parity #define des3_set_key nettle_des3_set_key #define des3_encrypt nettle_des3_encrypt #define des3_decrypt nettle_des3_decrypt #define DES_KEY_SIZE 8 #define DES_BLOCK_SIZE 8 /* Expanded key length */ #define _DES_KEY_LENGTH 32 struct des_ctx { uint32_t key[_DES_KEY_LENGTH]; }; /* Returns 1 for good keys and 0 for weak keys. */ int des_set_key(struct des_ctx *ctx, const uint8_t *key); void des_encrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void des_decrypt(const struct des_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); int des_check_parity(size_t length, const uint8_t *key); void des_fix_parity(size_t length, uint8_t *dst, const uint8_t *src); #define DES3_KEY_SIZE 24 #define DES3_BLOCK_SIZE DES_BLOCK_SIZE struct des3_ctx { struct des_ctx des[3]; }; /* Returns 1 for good keys and 0 for weak keys. */ int des3_set_key(struct des3_ctx *ctx, const uint8_t *key); void des3_encrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void des3_decrypt(const struct des3_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_DES_H_INCLUDED */ nettle-3.10/shake128.c0000644000175000017500000000370614633602171013457 0ustar nissenisse/* shake128.c The SHAKE128 hash function, arbitrary length output. Copyright (C) 2017 Daiki Ueno Copyright (C) 2017 Red Hat, Inc. This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "sha3.h" #include "sha3-internal.h" void sha3_128_init (struct sha3_128_ctx *ctx) { memset (ctx, 0, offsetof (struct sha3_128_ctx, block)); } void sha3_128_update (struct sha3_128_ctx *ctx, size_t length, const uint8_t *data) { ctx->index = _nettle_sha3_update (&ctx->state, SHA3_128_BLOCK_SIZE, ctx->block, ctx->index, length, data); } void sha3_128_shake (struct sha3_128_ctx *ctx, size_t length, uint8_t *dst) { _nettle_sha3_shake (&ctx->state, sizeof (ctx->block), ctx->block, ctx->index, length, dst); sha3_128_init (ctx); } void sha3_128_shake_output (struct sha3_128_ctx *ctx, size_t length, uint8_t *digest) { ctx->index = _nettle_sha3_shake_output (&ctx->state, sizeof (ctx->block), ctx->block, ctx->index, length, digest); } nettle-3.10/run-tests0000755000175000017500000000531714633602172013660 0ustar nissenisse#! /bin/sh # Copyright (C) 2000-2002, 2004, 2005, 2011, 2012, 2016, 2020 Niels Möller # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License along # with this program; if not, write to the Free Software Foundation, Inc., # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. failed=0 all=0 debug='no' testflags='' if [ -z "$srcdir" ] ; then srcdir=`pwd` fi export srcdir if [ -n "$TEST_SHLIB_DIR" ] ; then # Prepend to LD_LIBRARY_PATH, if it is alredy set. LD_LIBRARY_PATH="${TEST_SHLIB_DIR}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" # For MACOS DYLD_LIBRARY_PATH="$TEST_SHLIB_DIR" # For Windows PATH="${TEST_SHLIB_DIR}:${PATH}" # For Wine WINEPATH="${TEST_SHLIB_DIR}${WINEPATH:+;$WINEPATH}" export LD_LIBRARY_PATH export DYLD_LIBRARY_PATH export PATH export WINEPATH fi # When used in make rules, we sometimes get the filenames VPATH # expanded, but usually not. find_program () { case "$1" in */*) echo "$1" ;; *) if [ -x "$1" ] ; then echo "./$1" elif [ -x "$1.exe" ] ; then echo "./$1.exe" else echo "$srcdir/$1" fi ;; esac } env_program () { if [ -x "$1" ] ; then if "$1"; then : ; else echo FAIL: $1 exit 1 fi fi } test_program () { testname=`basename "$1" .exe` testname=`basename "$testname" -test` if [ -z "$EMULATOR" ] || head -1 "$1" | grep '^#!' > /dev/null; then "$1" $testflags else $EMULATOR "$1" $testflags fi case "$?" in 0) echo PASS: $testname all=`expr $all + 1` ;; 77) echo SKIP: $testname ;; *) echo FAIL: $testname failed=`expr $failed + 1` all=`expr $all + 1` ;; esac } env_program `find_program setup-env` while test $# != 0 do case "$1" in --debug) debug=yes ;; -v) testflags='-v' ;; -*) echo >&2 'Unknown option `'"$1'" exit 1 ;; *) break ;; esac shift done for f in "$@" ; do test_program `find_program "$f"`; done if [ $failed -eq 0 ] ; then banner="All $all tests passed" else banner="$failed of $all tests failed" fi dashes=`echo "$banner" | sed s/./=/g` echo "$dashes" echo "$banner" echo "$dashes" if [ "x$debug" = xno ] ; then env_program `find_program teardown-env` fi [ "$failed" -eq 0 ] nettle-3.10/sha224-meta.c0000644000175000017500000000224514633602171014055 0ustar nissenisse/* sha224-meta.c Copyright (C) 2002, 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha2.h" const struct nettle_hash nettle_sha224 = _NETTLE_HASH(sha224, SHA224); nettle-3.10/pss.c0000644000175000017500000001244114633602171012732 0ustar nissenisse/* pss.c PKCS#1 RSA-PSS padding (RFC-3447). Copyright (C) 2017 Daiki Ueno This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include "pss.h" #include "pss-mgf1.h" #include "bignum.h" #include "gmp-glue.h" #include "memxor.h" #include "nettle-internal.h" /* Masks to clear the leftmost N bits. */ static const uint8_t pss_masks[8] = { 0xFF, 0x7F, 0x3F, 0x1F, 0xF, 0x7, 0x3, 0x1 }; static const uint8_t pss_pad[8] = {0, 0, 0, 0, 0, 0, 0, 0}; /* Format the PKCS#1 PSS padding for given salt and digest, using * pss_mgf1() as the mask generation function. * * The encoded messsage is stored in M, and the consistency can be * checked with pss_verify_mgf1(), which takes the encoded message, * the length of salt, and the digest. */ int pss_encode_mgf1(mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *salt, const uint8_t *digest) { TMP_GMP_DECL(em, uint8_t); TMP_DECL_ALIGN(state, NETTLE_MAX_HASH_CONTEXT_SIZE); size_t key_size = (bits + 7) / 8; size_t j; TMP_GMP_ALLOC(em, key_size); TMP_ALLOC_ALIGN(state, hash->context_size); if (key_size < hash->digest_size + salt_length + 2) { TMP_GMP_FREE(em); return 0; } /* Compute M'. */ hash->init(state); hash->update(state, sizeof(pss_pad), pss_pad); hash->update(state, hash->digest_size, digest); hash->update(state, salt_length, salt); /* Store H in EM, right after maskedDB. */ hash->digest(state, hash->digest_size, em + key_size - hash->digest_size - 1); /* Compute dbMask. */ hash->init(state); hash->update(state, hash->digest_size, em + key_size - hash->digest_size - 1); pss_mgf1(state, hash, key_size - hash->digest_size - 1, em); /* Compute maskedDB and store it in front of H in EM. */ j = key_size - salt_length - hash->digest_size - 2; em[j++] ^= 1; memxor(em + j, salt, salt_length); j += salt_length; /* Store the trailer field following H. */ j += hash->digest_size; em[j] = 0xbc; /* Clear the leftmost 8 * emLen - emBits of the leftmost octet in EM. */ *em &= pss_masks[(8 * key_size - bits)]; nettle_mpz_set_str_256_u(m, key_size, em); TMP_GMP_FREE(em); return 1; } /* Check the consistency of given PKCS#1 PSS encoded message, created * with pss_encode_mgf1(). * * Returns 1 if the encoded message is consistent, 0 if it is * inconsistent. */ int pss_verify_mgf1(const mpz_t m, size_t bits, const struct nettle_hash *hash, size_t salt_length, const uint8_t *digest) { TMP_GMP_DECL(em, uint8_t); TMP_DECL(h2, uint8_t, NETTLE_MAX_HASH_DIGEST_SIZE); TMP_DECL_ALIGN(state, NETTLE_MAX_HASH_CONTEXT_SIZE); uint8_t *h, *db, *salt; size_t key_size = (bits + 7) / 8; size_t j; int ret = 0; /* Allocate twice the key size to store the intermediate data DB * following the EM value. */ TMP_GMP_ALLOC(em, key_size * 2); TMP_ALLOC(h2, hash->digest_size); TMP_ALLOC_ALIGN(state, hash->context_size); if (key_size < hash->digest_size + salt_length + 2) goto cleanup; if (mpz_sizeinbase(m, 2) > bits) goto cleanup; nettle_mpz_get_str_256(key_size, em, m); /* Check the trailer field. */ if (em[key_size - 1] != 0xbc) goto cleanup; /* Extract H. */ h = em + (key_size - hash->digest_size - 1); /* The leftmost 8 * emLen - emBits bits of the leftmost octet of EM * must all equal to zero. Always true here, thanks to the above * check on the bit size of m. */ assert((*em & ~pss_masks[(8 * key_size - bits)]) == 0); /* Compute dbMask. */ hash->init(state); hash->update(state, hash->digest_size, h); db = em + key_size; pss_mgf1(state, hash, key_size - hash->digest_size - 1, db); /* Compute DB. */ memxor(db, em, key_size - hash->digest_size - 1); *db &= pss_masks[(8 * key_size - bits)]; for (j = 0; j < key_size - salt_length - hash->digest_size - 2; j++) if (db[j] != 0) goto cleanup; /* Check the octet right after PS is 0x1. */ if (db[j] != 0x1) goto cleanup; salt = db + j + 1; /* Compute H'. */ hash->init(state); hash->update(state, sizeof(pss_pad), pss_pad); hash->update(state, hash->digest_size, digest); hash->update(state, salt_length, salt); hash->digest(state, hash->digest_size, h2); /* Check if H' = H. */ if (memcmp(h2, h, hash->digest_size) != 0) goto cleanup; ret = 1; cleanup: TMP_GMP_FREE(em); return ret; } nettle-3.10/der2dsa.c0000644000175000017500000000767414633602171013465 0ustar nissenisse/* der2dsa.c Decoding of DSA keys in OpenSSL and X.509.1 format. Copyright (C) 2005, 2009 Niels Möller, Magnus Holmgren Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa.h" #include "bignum.h" #include "asn1.h" #define GET(i, x, l) \ (asn1_der_iterator_next((i)) == ASN1_ITERATOR_PRIMITIVE \ && (i)->type == ASN1_INTEGER \ && asn1_der_get_bignum((i), (x), (l)) \ && mpz_sgn((x)) > 0) /* If q_bits > 0, q is required to be of exactly this size. */ int dsa_params_from_der_iterator(struct dsa_params *params, unsigned max_bits, unsigned q_bits, struct asn1_der_iterator *i) { /* Dss-Parms ::= SEQUENCE { p INTEGER, q INTEGER, g INTEGER } */ if (i->type == ASN1_INTEGER && asn1_der_get_bignum(i, params->p, max_bits) && mpz_sgn(params->p) > 0) { unsigned p_bits = mpz_sizeinbase (params->p, 2); return (GET(i, params->q, q_bits ? q_bits : p_bits) && (q_bits == 0 || mpz_sizeinbase(params->q, 2) == q_bits) && mpz_cmp (params->q, params->p) < 0 && GET(i, params->g, p_bits) && mpz_cmp (params->g, params->p) < 0 && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } else return 0; } int dsa_public_key_from_der_iterator(const struct dsa_params *params, mpz_t pub, struct asn1_der_iterator *i) { /* DSAPublicKey ::= INTEGER */ return (i->type == ASN1_INTEGER && asn1_der_get_bignum(i, pub, mpz_sizeinbase (params->p, 2)) && mpz_sgn(pub) > 0 && mpz_cmp(pub, params->p) < 0); } int dsa_openssl_private_key_from_der_iterator(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, struct asn1_der_iterator *i) { /* DSAPrivateKey ::= SEQUENCE { version Version, p INTEGER, q INTEGER, g INTEGER, pub_key INTEGER, -- y priv_key INTEGER, -- x } */ uint32_t version; if (i->type == ASN1_SEQUENCE && asn1_der_decode_constructed_last(i) == ASN1_ITERATOR_PRIMITIVE && i->type == ASN1_INTEGER && asn1_der_get_uint32(i, &version) && version == 0 && GET(i, params->p, p_max_bits)) { unsigned p_bits = mpz_sizeinbase (params->p, 2); return (GET(i, params->q, DSA_SHA1_Q_BITS) && GET(i, params->g, p_bits) && mpz_cmp (params->g, params->p) < 0 && GET(i, pub, p_bits) && mpz_cmp (pub, params->p) < 0 && GET(i, priv, DSA_SHA1_Q_BITS) && asn1_der_iterator_next(i) == ASN1_ITERATOR_END); } else return 0; } int dsa_openssl_private_key_from_der(struct dsa_params *params, mpz_t pub, mpz_t priv, unsigned p_max_bits, size_t length, const uint8_t *data) { struct asn1_der_iterator i; enum asn1_iterator_result res; res = asn1_der_iterator_first(&i, length, data); return (res == ASN1_ITERATOR_CONSTRUCTED && dsa_openssl_private_key_from_der_iterator(params, pub, priv, p_max_bits, &i)); } nettle-3.10/aes128-set-encrypt-key.c0000644000175000017500000000274614633602171016200 0ustar nissenisse/* aes128-set-encrypt-key.c Copyright (C) 2013, Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "aes-internal.h" /* For fat builds */ #if HAVE_NATIVE_aes128_set_encrypt_key void _nettle_aes128_set_encrypt_key_c(struct aes128_ctx *ctx, const uint8_t *key); # define nettle_aes128_set_encrypt_key _nettle_aes128_set_encrypt_key_c #endif void nettle_aes128_set_encrypt_key(struct aes128_ctx *ctx, const uint8_t *key) { _nettle_aes_set_key (_AES128_ROUNDS, AES128_KEY_SIZE / 4, ctx->keys, key); } nettle-3.10/getopt.c0000644000175000017500000010153414633602172013432 0ustar nissenisse/* Getopt for GNU. NOTE: getopt is part of the C library, so if you don't know what "Keep this file name-space clean" means, talk to drepper@gnu.org before changing it! Copyright (C) 1987-2014 Free Software Foundation, Inc. This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. The GNU C Library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with the GNU C Library; if not, see . */ /* This tells Alpha OSF/1 not to define a getopt prototype in . Ditto for AIX 3.2 and . */ #ifndef _NO_PROTO # define _NO_PROTO #endif #ifdef HAVE_CONFIG_H # include #endif #include #include #include #include /* Comment out all this code if we are using the GNU C Library, and are not actually compiling the library itself. This code is part of the GNU C Library, but also included in many other GNU distributions. Compiling and linking in this code is a waste when using the GNU C library (especially if it is a shared library). Rather than having every GNU program understand `configure --with-gnu-libc' and omit the object files, it is simpler to just do this in the source for each such file. */ #define GETOPT_INTERFACE_VERSION 2 #if !defined _LIBC && defined __GLIBC__ && __GLIBC__ >= 2 # include # if _GNU_GETOPT_INTERFACE_VERSION == GETOPT_INTERFACE_VERSION # define ELIDE_CODE # endif #endif #ifndef ELIDE_CODE #ifdef VMS # include #endif #ifdef _LIBC # include #else /* The glibc version includes "gettext.h" here, but Nettle currently doesn't have that. */ # define _(msgid) msgid #endif #if defined _LIBC # include #endif #ifndef attribute_hidden # define attribute_hidden #endif /* This version of `getopt' appears to the caller like standard Unix `getopt' but it behaves differently for the user, since it allows the user to intersperse the options with the other arguments. As `getopt' works, it permutes the elements of ARGV so that, when it is done, all the options precede everything else. Thus all application programs are extended to handle flexible argument order. Setting the environment variable POSIXLY_CORRECT disables permutation. Then the behavior is completely standard. GNU application programs can use a third alternative mode in which they can distinguish the relative order of options and other arguments. */ #include "getopt.h" #include "getopt_int.h" /* For communication from `getopt' to the caller. When `getopt' finds an option that takes an argument, the argument value is returned here. Also, when `ordering' is RETURN_IN_ORDER, each non-option ARGV-element is returned here. */ char *optarg; /* Index in ARGV of the next element to be scanned. This is used for communication to and from the caller and for communication between successive calls to `getopt'. On entry to `getopt', zero means this is the first call; initialize. When `getopt' returns -1, this is the index of the first of the non-option elements that the caller should itself scan. Otherwise, `optind' communicates from one call to the next how much of ARGV has been scanned so far. */ /* 1003.2 says this must be 1 before any call. */ int optind = 1; /* Callers store zero here to inhibit the error message for unrecognized options. */ int opterr = 1; /* Set to an option character which was unrecognized. This must be initialized on some systems to avoid linking in the system's own getopt implementation. */ int optopt = '?'; /* Keep a global copy of all internal members of getopt_data. */ static struct _getopt_data getopt_data; #ifndef __GNU_LIBRARY__ /* Avoid depending on library functions or files whose names are inconsistent. */ #ifndef getenv extern char *getenv (); #endif #endif /* not __GNU_LIBRARY__ */ #ifdef _LIBC /* Stored original parameters. XXX This is no good solution. We should rather copy the args so that we can compare them later. But we must not use malloc(3). */ extern int __libc_argc; extern char **__libc_argv; /* Bash 2.0 gives us an environment variable containing flags indicating ARGV elements that should not be considered arguments. */ # ifdef USE_NONOPTION_FLAGS /* Defined in getopt_init.c */ extern char *__getopt_nonoption_flags; # endif # ifdef USE_NONOPTION_FLAGS # define SWAP_FLAGS(ch1, ch2) \ if (d->__nonoption_flags_len > 0) \ { \ char __tmp = __getopt_nonoption_flags[ch1]; \ __getopt_nonoption_flags[ch1] = __getopt_nonoption_flags[ch2]; \ __getopt_nonoption_flags[ch2] = __tmp; \ } # else # define SWAP_FLAGS(ch1, ch2) # endif #else /* !_LIBC */ # define SWAP_FLAGS(ch1, ch2) #endif /* _LIBC */ /* Exchange two adjacent subsequences of ARGV. One subsequence is elements [first_nonopt,last_nonopt) which contains all the non-options that have been skipped so far. The other is elements [last_nonopt,optind), which contains all the options processed since those non-options were skipped. `first_nonopt' and `last_nonopt' are relocated so that they describe the new indices of the non-options in ARGV after they are moved. */ static void exchange (char **argv, struct _getopt_data *d) { int bottom = d->__first_nonopt; int middle = d->__last_nonopt; int top = d->optind; char *tem; /* Exchange the shorter segment with the far end of the longer segment. That puts the shorter segment into the right place. It leaves the longer segment in the right place overall, but it consists of two parts that need to be swapped next. */ #if defined _LIBC && defined USE_NONOPTION_FLAGS /* First make sure the handling of the `__getopt_nonoption_flags' string can work normally. Our top argument must be in the range of the string. */ if (d->__nonoption_flags_len > 0 && top >= d->__nonoption_flags_max_len) { /* We must extend the array. The user plays games with us and presents new arguments. */ char *new_str = malloc (top + 1); if (new_str == NULL) d->__nonoption_flags_len = d->__nonoption_flags_max_len = 0; else { memset (__mempcpy (new_str, __getopt_nonoption_flags, d->__nonoption_flags_max_len), '\0', top + 1 - d->__nonoption_flags_max_len); d->__nonoption_flags_max_len = top + 1; __getopt_nonoption_flags = new_str; } } #endif while (top > middle && middle > bottom) { if (top - middle > middle - bottom) { /* Bottom segment is the short one. */ int len = middle - bottom; int i; /* Swap it with the top part of the top segment. */ for (i = 0; i < len; i++) { tem = argv[bottom + i]; argv[bottom + i] = argv[top - (middle - bottom) + i]; argv[top - (middle - bottom) + i] = tem; SWAP_FLAGS (bottom + i, top - (middle - bottom) + i); } /* Exclude the moved bottom segment from further swapping. */ top -= len; } else { /* Top segment is the short one. */ int len = top - middle; int i; /* Swap it with the bottom part of the bottom segment. */ for (i = 0; i < len; i++) { tem = argv[bottom + i]; argv[bottom + i] = argv[middle + i]; argv[middle + i] = tem; SWAP_FLAGS (bottom + i, middle + i); } /* Exclude the moved top segment from further swapping. */ bottom += len; } } /* Update records for the slots the non-options now occupy. */ d->__first_nonopt += (d->optind - d->__last_nonopt); d->__last_nonopt = d->optind; } /* Initialize the internal data when the first call is made. */ static const char * _getopt_initialize (int argc, char *const *argv, const char *optstring, struct _getopt_data *d, int posixly_correct) { /* Start processing options with ARGV-element 1 (since ARGV-element 0 is the program name); the sequence of previously skipped non-option ARGV-elements is empty. */ d->__first_nonopt = d->__last_nonopt = d->optind; d->__nextchar = NULL; d->__posixly_correct = posixly_correct | !!getenv ("POSIXLY_CORRECT"); /* Determine how to handle the ordering of options and nonoptions. */ if (optstring[0] == '-') { d->__ordering = RETURN_IN_ORDER; ++optstring; } else if (optstring[0] == '+') { d->__ordering = REQUIRE_ORDER; ++optstring; } else if (d->__posixly_correct) d->__ordering = REQUIRE_ORDER; else d->__ordering = PERMUTE; #if defined _LIBC && defined USE_NONOPTION_FLAGS if (!d->__posixly_correct && argc == __libc_argc && argv == __libc_argv) { if (d->__nonoption_flags_max_len == 0) { if (__getopt_nonoption_flags == NULL || __getopt_nonoption_flags[0] == '\0') d->__nonoption_flags_max_len = -1; else { const char *orig_str = __getopt_nonoption_flags; int len = d->__nonoption_flags_max_len = strlen (orig_str); if (d->__nonoption_flags_max_len < argc) d->__nonoption_flags_max_len = argc; __getopt_nonoption_flags = (char *) malloc (d->__nonoption_flags_max_len); if (__getopt_nonoption_flags == NULL) d->__nonoption_flags_max_len = -1; else memset (__mempcpy (__getopt_nonoption_flags, orig_str, len), '\0', d->__nonoption_flags_max_len - len); } } d->__nonoption_flags_len = d->__nonoption_flags_max_len; } else d->__nonoption_flags_len = 0; #endif return optstring; } /* Scan elements of ARGV (whose length is ARGC) for option characters given in OPTSTRING. If an element of ARGV starts with '-', and is not exactly "-" or "--", then it is an option element. The characters of this element (aside from the initial '-') are option characters. If `getopt' is called repeatedly, it returns successively each of the option characters from each of the option elements. If `getopt' finds another option character, it returns that character, updating `optind' and `nextchar' so that the next call to `getopt' can resume the scan with the following option character or ARGV-element. If there are no more option characters, `getopt' returns -1. Then `optind' is the index in ARGV of the first ARGV-element that is not an option. (The ARGV-elements have been permuted so that those that are not options now come last.) OPTSTRING is a string containing the legitimate option characters. If an option character is seen that is not listed in OPTSTRING, return '?' after printing an error message. If you set `opterr' to zero, the error message is suppressed but we still return '?'. If a char in OPTSTRING is followed by a colon, that means it wants an arg, so the following text in the same ARGV-element, or the text of the following ARGV-element, is returned in `optarg'. Two colons mean an option that wants an optional arg; if there is text in the current ARGV-element, it is returned in `optarg', otherwise `optarg' is set to zero. If OPTSTRING starts with `-' or `+', it requests different methods of handling the non-option ARGV-elements. See the comments about RETURN_IN_ORDER and REQUIRE_ORDER, above. Long-named options begin with `--' instead of `-'. Their names may be abbreviated as long as the abbreviation is unique or is an exact match for some defined option. If they have an argument, it follows the option name in the same ARGV-element, separated from the option name by a `=', or else the in next ARGV-element. When `getopt' finds a long-named option, it returns 0 if that option's `flag' field is nonzero, the value of the option's `val' field if the `flag' field is zero. The elements of ARGV aren't really const, because we permute them. But we pretend they're const in the prototype to be compatible with other systems. LONGOPTS is a vector of `struct option' terminated by an element containing a name which is zero. LONGIND returns the index in LONGOPT of the long-named option found. It is only valid when a long-named option has been found by the most recent call. If LONG_ONLY is nonzero, '-' as well as '--' can introduce long-named options. */ int _getopt_internal_r (int argc, char *const *argv, const char *optstring, const struct option *longopts, int *longind, int long_only, struct _getopt_data *d, int posixly_correct) { int print_errors = d->opterr; if (argc < 1) return -1; d->optarg = NULL; if (d->optind == 0 || !d->__initialized) { if (d->optind == 0) d->optind = 1; /* Don't scan ARGV[0], the program name. */ optstring = _getopt_initialize (argc, argv, optstring, d, posixly_correct); d->__initialized = 1; } else if (optstring[0] == '-' || optstring[0] == '+') optstring++; if (optstring[0] == ':') print_errors = 0; /* Test whether ARGV[optind] points to a non-option argument. Either it does not have option syntax, or there is an environment flag from the shell indicating it is not an option. The later information is only used when the used in the GNU libc. */ #if defined _LIBC && defined USE_NONOPTION_FLAGS # define NONOPTION_P (argv[d->optind][0] != '-' || argv[d->optind][1] == '\0' \ || (d->optind < d->__nonoption_flags_len \ && __getopt_nonoption_flags[d->optind] == '1')) #else # define NONOPTION_P (argv[d->optind][0] != '-' || argv[d->optind][1] == '\0') #endif if (d->__nextchar == NULL || *d->__nextchar == '\0') { /* Advance to the next ARGV-element. */ /* Give FIRST_NONOPT & LAST_NONOPT rational values if OPTIND has been moved back by the user (who may also have changed the arguments). */ if (d->__last_nonopt > d->optind) d->__last_nonopt = d->optind; if (d->__first_nonopt > d->optind) d->__first_nonopt = d->optind; if (d->__ordering == PERMUTE) { /* If we have just processed some options following some non-options, exchange them so that the options come first. */ if (d->__first_nonopt != d->__last_nonopt && d->__last_nonopt != d->optind) exchange ((char **) argv, d); else if (d->__last_nonopt != d->optind) d->__first_nonopt = d->optind; /* Skip any additional non-options and extend the range of non-options previously skipped. */ while (d->optind < argc && NONOPTION_P) d->optind++; d->__last_nonopt = d->optind; } /* The special ARGV-element `--' means premature end of options. Skip it like a null option, then exchange with previous non-options as if it were an option, then skip everything else like a non-option. */ if (d->optind != argc && !strcmp (argv[d->optind], "--")) { d->optind++; if (d->__first_nonopt != d->__last_nonopt && d->__last_nonopt != d->optind) exchange ((char **) argv, d); else if (d->__first_nonopt == d->__last_nonopt) d->__first_nonopt = d->optind; d->__last_nonopt = argc; d->optind = argc; } /* If we have done all the ARGV-elements, stop the scan and back over any non-options that we skipped and permuted. */ if (d->optind == argc) { /* Set the next-arg-index to point at the non-options that we previously skipped, so the caller will digest them. */ if (d->__first_nonopt != d->__last_nonopt) d->optind = d->__first_nonopt; return -1; } /* If we have come to a non-option and did not permute it, either stop the scan or describe it to the caller and pass it by. */ if (NONOPTION_P) { if (d->__ordering == REQUIRE_ORDER) return -1; d->optarg = argv[d->optind++]; return 1; } /* We have found another option-ARGV-element. Skip the initial punctuation. */ d->__nextchar = (argv[d->optind] + 1 + (longopts != NULL && argv[d->optind][1] == '-')); } /* Decode the current option-ARGV-element. */ /* Check whether the ARGV-element is a long option. If long_only and the ARGV-element has the form "-f", where f is a valid short option, don't consider it an abbreviated form of a long option that starts with f. Otherwise there would be no way to give the -f short option. On the other hand, if there's a long option "fubar" and the ARGV-element is "-fu", do consider that an abbreviation of the long option, just like "--fu", and not "-f" with arg "u". This distinction seems to be the most useful approach. */ if (longopts != NULL && (argv[d->optind][1] == '-' || (long_only && (argv[d->optind][2] || !strchr (optstring, argv[d->optind][1]))))) { char *nameend; unsigned int namelen; const struct option *p; const struct option *pfound = NULL; struct option_list { const struct option *p; struct option_list *next; } *ambig_list = NULL; int exact = 0; int indfound = -1; int option_index; for (nameend = d->__nextchar; *nameend && *nameend != '='; nameend++) /* Do nothing. */ ; namelen = nameend - d->__nextchar; /* Test all long options for either exact match or abbreviated matches. */ for (p = longopts, option_index = 0; p->name; p++, option_index++) if (!strncmp (p->name, d->__nextchar, namelen)) { if (namelen == (unsigned int) strlen (p->name)) { /* Exact match found. */ pfound = p; indfound = option_index; exact = 1; break; } else if (pfound == NULL) { /* First nonexact match found. */ pfound = p; indfound = option_index; } else if (long_only || pfound->has_arg != p->has_arg || pfound->flag != p->flag || pfound->val != p->val) { /* Second or later nonexact match found. */ struct option_list *newp = alloca (sizeof (*newp)); newp->p = p; newp->next = ambig_list; ambig_list = newp; } } if (ambig_list != NULL && !exact) { if (print_errors) { struct option_list first; first.p = pfound; first.next = ambig_list; ambig_list = &first; #if defined _LIBC char *buf = NULL; size_t buflen = 0; FILE *fp = open_memstream (&buf, &buflen); if (fp != NULL) { fprintf (fp, _("%s: option '%s' is ambiguous; possibilities:"), argv[0], argv[d->optind]); do { fprintf (fp, " '--%s'", ambig_list->p->name); ambig_list = ambig_list->next; } while (ambig_list != NULL); fputc_unlocked ('\n', fp); if (__builtin_expect (fclose (fp) != EOF, 1)) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } } #else fprintf (stderr, _("%s: option '%s' is ambiguous; possibilities:"), argv[0], argv[d->optind]); do { fprintf (stderr, " '--%s'", ambig_list->p->name); ambig_list = ambig_list->next; } while (ambig_list != NULL); fputc ('\n', stderr); #endif } d->__nextchar += strlen (d->__nextchar); d->optind++; d->optopt = 0; return '?'; } if (pfound != NULL) { option_index = indfound; d->optind++; if (*nameend) { /* Don't test has_arg with >, because some C compilers don't allow it to be used on enums. */ if (pfound->has_arg) d->optarg = nameend + 1; else { if (print_errors) { #if defined _LIBC char *buf; int n; #endif if (argv[d->optind - 1][1] == '-') { /* --option */ #if defined _LIBC n = __asprintf (&buf, _("\ %s: option '--%s' doesn't allow an argument\n"), argv[0], pfound->name); #else fprintf (stderr, _("\ %s: option '--%s' doesn't allow an argument\n"), argv[0], pfound->name); #endif } else { /* +option or -option */ #if defined _LIBC n = __asprintf (&buf, _("\ %s: option '%c%s' doesn't allow an argument\n"), argv[0], argv[d->optind - 1][0], pfound->name); #else fprintf (stderr, _("\ %s: option '%c%s' doesn't allow an argument\n"), argv[0], argv[d->optind - 1][0], pfound->name); #endif } #if defined _LIBC if (n >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #endif } d->__nextchar += strlen (d->__nextchar); d->optopt = pfound->val; return '?'; } } else if (pfound->has_arg == 1) { if (d->optind < argc) d->optarg = argv[d->optind++]; else { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("\ %s: option '--%s' requires an argument\n"), argv[0], pfound->name) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("%s: option '--%s' requires an argument\n"), argv[0], pfound->name); #endif } d->__nextchar += strlen (d->__nextchar); d->optopt = pfound->val; return optstring[0] == ':' ? ':' : '?'; } } d->__nextchar += strlen (d->__nextchar); if (longind != NULL) *longind = option_index; if (pfound->flag) { *(pfound->flag) = pfound->val; return 0; } return pfound->val; } /* Can't find it as a long option. If this is not getopt_long_only, or the option starts with '--' or is not a valid short option, then it's an error. Otherwise interpret it as a short option. */ if (!long_only || argv[d->optind][1] == '-' || strchr (optstring, *d->__nextchar) == NULL) { if (print_errors) { #if defined _LIBC char *buf; int n; #endif if (argv[d->optind][1] == '-') { /* --option */ #if defined _LIBC n = __asprintf (&buf, _("%s: unrecognized option '--%s'\n"), argv[0], d->__nextchar); #else fprintf (stderr, _("%s: unrecognized option '--%s'\n"), argv[0], d->__nextchar); #endif } else { /* +option or -option */ #if defined _LIBC n = __asprintf (&buf, _("%s: unrecognized option '%c%s'\n"), argv[0], argv[d->optind][0], d->__nextchar); #else fprintf (stderr, _("%s: unrecognized option '%c%s'\n"), argv[0], argv[d->optind][0], d->__nextchar); #endif } #if defined _LIBC if (n >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #endif } d->__nextchar = (char *) ""; d->optind++; d->optopt = 0; return '?'; } } /* Look at and handle the next short option-character. */ { char c = *d->__nextchar++; char *temp = strchr (optstring, c); /* Increment `optind' when we start to process its last character. */ if (*d->__nextchar == '\0') ++d->optind; if (temp == NULL || c == ':' || c == ';') { if (print_errors) { #if defined _LIBC char *buf; int n; #endif #if defined _LIBC n = __asprintf (&buf, _("%s: invalid option -- '%c'\n"), argv[0], c); #else fprintf (stderr, _("%s: invalid option -- '%c'\n"), argv[0], c); #endif #if defined _LIBC if (n >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #endif } d->optopt = c; return '?'; } /* Convenience. Treat POSIX -W foo same as long option --foo */ if (temp[0] == 'W' && temp[1] == ';') { char *nameend; const struct option *p; const struct option *pfound = NULL; int exact = 0; int ambig = 0; int indfound = 0; int option_index; if (longopts == NULL) goto no_longs; /* This is an option that requires an argument. */ if (*d->__nextchar != '\0') { d->optarg = d->__nextchar; /* If we end this ARGV-element by taking the rest as an arg, we must advance to the next element now. */ d->optind++; } else if (d->optind == argc) { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("%s: option requires an argument -- '%c'\n"), argv[0], c) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("%s: option requires an argument -- '%c'\n"), argv[0], c); #endif } d->optopt = c; if (optstring[0] == ':') c = ':'; else c = '?'; return c; } else /* We already incremented `d->optind' once; increment it again when taking next ARGV-elt as argument. */ d->optarg = argv[d->optind++]; /* optarg is now the argument, see if it's in the table of longopts. */ for (d->__nextchar = nameend = d->optarg; *nameend && *nameend != '='; nameend++) /* Do nothing. */ ; /* Test all long options for either exact match or abbreviated matches. */ for (p = longopts, option_index = 0; p->name; p++, option_index++) if (!strncmp (p->name, d->__nextchar, nameend - d->__nextchar)) { if ((unsigned int) (nameend - d->__nextchar) == strlen (p->name)) { /* Exact match found. */ pfound = p; indfound = option_index; exact = 1; break; } else if (pfound == NULL) { /* First nonexact match found. */ pfound = p; indfound = option_index; } else if (long_only || pfound->has_arg != p->has_arg || pfound->flag != p->flag || pfound->val != p->val) /* Second or later nonexact match found. */ ambig = 1; } if (ambig && !exact) { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("%s: option '-W %s' is ambiguous\n"), argv[0], d->optarg) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("%s: option '-W %s' is ambiguous\n"), argv[0], d->optarg); #endif } d->__nextchar += strlen (d->__nextchar); d->optind++; return '?'; } if (pfound != NULL) { option_index = indfound; if (*nameend) { /* Don't test has_arg with >, because some C compilers don't allow it to be used on enums. */ if (pfound->has_arg) d->optarg = nameend + 1; else { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("\ %s: option '-W %s' doesn't allow an argument\n"), argv[0], pfound->name) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("\ %s: option '-W %s' doesn't allow an argument\n"), argv[0], pfound->name); #endif } d->__nextchar += strlen (d->__nextchar); return '?'; } } else if (pfound->has_arg == 1) { if (d->optind < argc) d->optarg = argv[d->optind++]; else { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("\ %s: option '-W %s' requires an argument\n"), argv[0], pfound->name) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("\ %s: option '-W %s' requires an argument\n"), argv[0], pfound->name); #endif } d->__nextchar += strlen (d->__nextchar); return optstring[0] == ':' ? ':' : '?'; } } else d->optarg = NULL; d->__nextchar += strlen (d->__nextchar); if (longind != NULL) *longind = option_index; if (pfound->flag) { *(pfound->flag) = pfound->val; return 0; } return pfound->val; } no_longs: d->__nextchar = NULL; return 'W'; /* Let the application handle it. */ } if (temp[1] == ':') { if (temp[2] == ':') { /* This is an option that accepts an argument optionally. */ if (*d->__nextchar != '\0') { d->optarg = d->__nextchar; d->optind++; } else d->optarg = NULL; d->__nextchar = NULL; } else { /* This is an option that requires an argument. */ if (*d->__nextchar != '\0') { d->optarg = d->__nextchar; /* If we end this ARGV-element by taking the rest as an arg, we must advance to the next element now. */ d->optind++; } else if (d->optind == argc) { if (print_errors) { #if defined _LIBC char *buf; if (__asprintf (&buf, _("\ %s: option requires an argument -- '%c'\n"), argv[0], c) >= 0) { _IO_flockfile (stderr); int old_flags2 = ((_IO_FILE *) stderr)->_flags2; ((_IO_FILE *) stderr)->_flags2 |= _IO_FLAGS2_NOTCANCEL; __fxprintf (NULL, "%s", buf); ((_IO_FILE *) stderr)->_flags2 = old_flags2; _IO_funlockfile (stderr); free (buf); } #else fprintf (stderr, _("%s: option requires an argument -- '%c'\n"), argv[0], c); #endif } d->optopt = c; if (optstring[0] == ':') c = ':'; else c = '?'; } else /* We already incremented `optind' once; increment it again when taking next ARGV-elt as argument. */ d->optarg = argv[d->optind++]; d->__nextchar = NULL; } } return c; } } int _getopt_internal (int argc, char *const *argv, const char *optstring, const struct option *longopts, int *longind, int long_only, int posixly_correct) { int result; getopt_data.optind = optind; getopt_data.opterr = opterr; result = _getopt_internal_r (argc, argv, optstring, longopts, longind, long_only, &getopt_data, posixly_correct); optind = getopt_data.optind; optarg = getopt_data.optarg; optopt = getopt_data.optopt; return result; } int getopt (int argc, char *const *argv, const char *optstring) { return _getopt_internal (argc, argv, optstring, (const struct option *) 0, (int *) 0, 0, 0); } #ifdef _LIBC int __posix_getopt (int argc, char *const *argv, const char *optstring) { return _getopt_internal (argc, argv, optstring, (const struct option *) 0, (int *) 0, 0, 1); } #endif #endif /* Not ELIDE_CODE. */ #ifdef TEST /* Compile with -DTEST to make an executable for use in testing the above definition of `getopt'. */ int main (int argc, char **argv) { int c; int digit_optind = 0; while (1) { int this_option_optind = optind ? optind : 1; c = getopt (argc, argv, "abc:d:0123456789"); if (c == -1) break; switch (c) { case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': case '8': case '9': if (digit_optind != 0 && digit_optind != this_option_optind) printf ("digits occur in two different argv-elements.\n"); digit_optind = this_option_optind; printf ("option %c\n", c); break; case 'a': printf ("option a\n"); break; case 'b': printf ("option b\n"); break; case 'c': printf ("option c with value '%s'\n", optarg); break; case '?': break; default: printf ("?? getopt returned character code 0%o ??\n", c); } } if (optind < argc) { printf ("non-option ARGV-elements: "); while (optind < argc) printf ("%s ", argv[optind++]); printf ("\n"); } exit (0); } #endif /* TEST */ nettle-3.10/hmac-streebog-meta.c0000644000175000017500000000310514633602171015566 0ustar nissenisse/* hmac-streebog-meta.c Copyright (C) 2020 Dmitry Baryshkov This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "hmac.h" static void hmac_streebog256_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_streebog256_set_key (ctx, STREEBOG256_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_streebog256 = _NETTLE_HMAC(hmac_streebog256, STREEBOG256); static void hmac_streebog512_set_key_wrapper (void *ctx, const uint8_t *key) { hmac_streebog512_set_key (ctx, STREEBOG512_DIGEST_SIZE, key); } const struct nettle_mac nettle_hmac_streebog512 = _NETTLE_HMAC(hmac_streebog512, STREEBOG512); nettle-3.10/sha3-224-meta.c0000644000175000017500000000230214633602171014207 0ustar nissenisse/* sha3-224-meta.c Copyright (C) 2012 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "nettle-meta.h" #include "sha3.h" #include "sha3-internal.h" const struct nettle_hash nettle_sha3_224 = _NETTLE_HASH(sha3_224, SHA3_224); nettle-3.10/ecc-internal.h0000644000175000017500000004051214633602172014477 0ustar nissenisse/* ecc-internal.h Copyright (C) 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ /* Development of Nettle's ECC support was funded by the .SE Internet Fund. */ #ifndef NETTLE_ECC_INTERNAL_H_INCLUDED #define NETTLE_ECC_INTERNAL_H_INCLUDED #include "nettle-types.h" #include "bignum.h" #include "ecc-curve.h" #include "gmp-glue.h" /* Name mangling */ #define ecc_pp1_redc _nettle_ecc_pp1_redc #define ecc_pm1_redc _nettle_ecc_pm1_redc #define ecc_mod_zero_p _nettle_ecc_mod_zero_p #define ecc_mod_equal_p _nettle_ecc_mod_equal_p #define ecc_mod_add _nettle_ecc_mod_add #define ecc_mod_sub _nettle_ecc_mod_sub #define ecc_mod_mul_1 _nettle_ecc_mod_mul_1 #define ecc_mod_addmul_1 _nettle_ecc_mod_addmul_1 #define ecc_mod_submul_1 _nettle_ecc_mod_submul_1 #define ecc_mod_mul _nettle_ecc_mod_mul #define ecc_mod_sqr _nettle_ecc_mod_sqr #define ecc_mod_mul_canonical _nettle_ecc_mod_mul_canonical #define ecc_mod_sqr_canonical _nettle_ecc_mod_sqr_canonical #define ecc_mod_pow_2k _nettle_ecc_mod_pow_2k #define ecc_mod_pow_2k_mul _nettle_ecc_mod_pow_2k_mul #define ecc_mod_random _nettle_ecc_mod_random #define ecc_mod _nettle_ecc_mod #define ecc_mod_inv _nettle_ecc_mod_inv #define ecc_a_to_j _nettle_ecc_a_to_j #define ecc_j_to_a _nettle_ecc_j_to_a #define ecc_eh_to_a _nettle_ecc_eh_to_a #define ecc_dup_jj _nettle_ecc_dup_jj #define ecc_add_jja _nettle_ecc_add_jja #define ecc_add_jjj _nettle_ecc_add_jjj #define ecc_nonsec_add_jjj _nettle_ecc_nonsec_add_jjj #define ecc_dup_eh _nettle_ecc_dup_eh #define ecc_add_eh _nettle_ecc_add_eh #define ecc_add_ehh _nettle_ecc_add_ehh #define ecc_dup_th _nettle_ecc_dup_th #define ecc_add_th _nettle_ecc_add_th #define ecc_add_thh _nettle_ecc_add_thh #define ecc_mul_g _nettle_ecc_mul_g #define ecc_mul_a _nettle_ecc_mul_a #define ecc_mul_g_eh _nettle_ecc_mul_g_eh #define ecc_mul_a_eh _nettle_ecc_mul_a_eh #define ecc_mul_m _nettle_ecc_mul_m #define cnd_copy _nettle_cnd_copy #define sec_add_1 _nettle_sec_add_1 #define sec_sub_1 _nettle_sec_sub_1 #define sec_modinv _nettle_sec_modinv #define curve25519_eh_to_x _nettle_curve25519_eh_to_x #define curve448_eh_to_x _nettle_curve448_eh_to_x /* For asserts that are incompatible with sc tests. Currently used only by ECC code. */ #if WITH_EXTRA_ASSERTS # define assert_maybe(x) assert(x) #else # define assert_maybe(x) ((void)(x)) #endif extern const struct ecc_curve _nettle_secp_192r1; extern const struct ecc_curve _nettle_secp_224r1; extern const struct ecc_curve _nettle_secp_256r1; extern const struct ecc_curve _nettle_secp_384r1; extern const struct ecc_curve _nettle_secp_521r1; /* Keep this structure internal for now. It's misnamed (since it's really implementing the equivalent twisted Edwards curve, with different coordinates). And we're not quite ready to provide general ecc operations over an arbitrary type of curve. */ extern const struct ecc_curve _nettle_curve25519; extern const struct ecc_curve _nettle_curve448; /* GOST curves, visible with underscore prefix for now */ extern const struct ecc_curve _nettle_gost_gc256b; extern const struct ecc_curve _nettle_gost_gc512a; #define ECC_MAX_SIZE ((521 + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS) /* Window size for ecc_mul_a. Using 4 bits seems like a good choice, for both Intel x86_64 and ARM Cortex A9. For the larger curves, of 384 and 521 bits, we could improve speed by a few percent if we go up to 5 bits, but I don't think that's worth doubling the storage. */ #define ECC_MUL_A_WBITS 4 /* And for ecc_mul_a_eh */ #define ECC_MUL_A_EH_WBITS 4 struct ecc_modulo; /* Reduces from 2*ecc->size to ecc->size. */ /* Required to return a result < 2q. This property is inherited by mod_mul and mod_sqr. May clobber input xp. rp may point to the start or the middle of the xp area, but no other overlap is allowed. */ typedef void ecc_mod_func (const struct ecc_modulo *m, mp_limb_t *rp, mp_limb_t *xp); typedef void ecc_mod_inv_func (const struct ecc_modulo *m, mp_limb_t *vp, const mp_limb_t *ap, mp_limb_t *scratch); /* Computes the square root of ap mod p. No overlap between input and output. */ typedef int ecc_mod_sqrt_func (const struct ecc_modulo *m, mp_limb_t *vp, const mp_limb_t *ap, mp_limb_t *scratch); /* Computes the square root of (u/v) (mod p). */ typedef int ecc_mod_sqrt_ratio_func (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *up, const mp_limb_t *vp, mp_limb_t *scratch); /* Allows in-place operation with r == p, but not r == q */ typedef void ecc_add_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); typedef void ecc_dup_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); typedef void ecc_mul_g_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); typedef void ecc_mul_func (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch); typedef void ecc_h_to_a_func (const struct ecc_curve *ecc, int flags, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); struct ecc_modulo { unsigned short bit_size; unsigned short size; unsigned short B_size; unsigned short redc_size; unsigned short invert_itch; unsigned short sqrt_itch; unsigned short sqrt_ratio_itch; const mp_limb_t *m; /* B^size mod m. Expected to have at least 32 leading zeros (equality for secp_256r1). */ const mp_limb_t *B; /* 2^{bit_size} - m. When different from B above, for numbers of interest, usually B has trailing zeros and this is B shifted right. */ const mp_limb_t *B_shifted; /* For ecc_mod_sub: B^size - 2m, if that doesn't underflow. Otherwise, same as B */ const mp_limb_t *Bm2m; /* m +/- 1, for redc, excluding redc_size low limbs. */ const mp_limb_t *redc_mpm1; /* (m+1)/2 */ const mp_limb_t *mp1h; ecc_mod_func *mod; ecc_mod_func *reduce; /* For moduli where we use redc, the invert and sqrt functions work with inputs and outputs in redc form. */ ecc_mod_inv_func *invert; ecc_mod_sqrt_func *sqrt; ecc_mod_sqrt_ratio_func *sqrt_ratio; }; /* Represents an elliptic curve of the form y^2 = x^3 - 3x + b (mod p) */ struct ecc_curve { /* The prime p. */ struct ecc_modulo p; /* Group order. Currently, many functions rely on q.size == p.size. */ struct ecc_modulo q; unsigned short use_redc; unsigned short pippenger_k; unsigned short pippenger_c; unsigned short add_hh_itch; unsigned short add_hhh_itch; unsigned short dup_itch; unsigned short mul_itch; unsigned short mul_g_itch; unsigned short h_to_a_itch; ecc_add_func *add_hh; ecc_add_func *add_hhh; ecc_dup_func *dup; ecc_mul_func *mul; ecc_mul_g_func *mul_g; ecc_h_to_a_func *h_to_a; /* Curve constant */ const mp_limb_t *b; /* For redc, same as B mod p, otherwise 1. */ const mp_limb_t *unit; /* Tables for multiplying by the generator, size determined by k and c. The first 2^c entries are defined by T[ j_0 + j_1 2 + ... + j_{c-1} 2^{c-1} ] = j_0 g + j_1 2^k g + ... + j_{c-1} 2^{k(c-1)} g The following entries differ by powers of 2^{kc}, T[i] = 2^{kc} T[i-2^c] */ const mp_limb_t *pippenger_table; }; ecc_mod_func ecc_mod; ecc_mod_func ecc_pp1_redc; ecc_mod_func ecc_pm1_redc; ecc_mod_inv_func ecc_mod_inv; /* Side channel silent. Requires that x < 2m, so checks if x == 0 or x == p */ int ecc_mod_zero_p (const struct ecc_modulo *m, const mp_limb_t *xp); /* Requires that a < 2m, and ref < m, needs m->size limbs of scratch space. Overlap, a == scratch or ref == scratch, is allowed. */ int ecc_mod_equal_p (const struct ecc_modulo *m, const mp_limb_t *a, const mp_limb_t *ref, mp_limb_t *scratch); void ecc_mod_add (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); /* If inputs are in the range 0 <= a, b < 2m, then so is the output. */ void ecc_mod_sub (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp); void ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t b); void ecc_mod_addmul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b); void ecc_mod_submul_1 (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t b); /* The mul and sqr function need 2*m->size limbs at tp. rp may overlap ap or bp, and may equal tp or tp + m->size, but no other overlap with tp is allowed. */ void ecc_mod_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); void ecc_mod_sqr (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp); /* These mul and sqr functions produce a canonical result, 0 <= R < M. Requirements on input and output areas are similar to the above functions, except that it is *not* allowed to pass rp = tp + m->size. */ void ecc_mod_mul_canonical (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, const mp_limb_t *bp, mp_limb_t *tp); void ecc_mod_sqr_canonical (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *ap, mp_limb_t *tp); /* R <-- X^{2^k} mod M. Needs 2*ecc->size limbs of scratch space, same overlap requirements as mul and sqr above. */ void ecc_mod_pow_2k (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, mp_limb_t *tp); /* R <-- X^{2^k} Y mod M. Similar requirements as ecc_mod_pow_2k, but rp and yp can't overlap. */ void ecc_mod_pow_2k_mul (const struct ecc_modulo *m, mp_limb_t *rp, const mp_limb_t *xp, unsigned k, const mp_limb_t *yp, mp_limb_t *tp); /* R <-- X^{2^k + 1}. Here, rp and xp must not overlap. */ #define ecc_mod_pow_2kp1(m, rp, xp, k, tp) \ ecc_mod_pow_2k_mul (m, rp, xp, k, xp, tp) /* mod q operations. */ void ecc_mod_random (const struct ecc_modulo *m, mp_limb_t *xp, void *ctx, nettle_random_func *random, mp_limb_t *scratch); /* Converts a point P in affine coordinates into a point R in jacobian coordinates. */ void ecc_a_to_j (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p); /* Converts a point P in jacobian coordinates into a point R in affine coordinates. If op == 1, produce x coordinate only. If op == 2, produce the x coordinate only, and also reduce it modulo q. */ void ecc_j_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); /* Converts a point P in homogeneous coordinates on an Edwards curve to affine coordinates. Meaning of op is the same as for ecc_j_to_a. */ void ecc_eh_to_a (const struct ecc_curve *ecc, int op, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); /* Group operations */ /* Point doubling, with jacobian input and output. Corner cases: Correctly sets R = 0 (r_Z = 0) if p = 0 or 2p = 0. */ void ecc_dup_jj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); /* Point addition, with jacobian output, one jacobian input and one affine input. Corner cases: Fails for the cases P = Q != 0 Duplication of non-zero point P = 0, Q != 0 or P != 0, Q = 0 One input zero Correctly gives R = 0 if P = Q = 0 or P = -Q. */ void ecc_add_jja (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Point addition with Jacobian input and output. */ void ecc_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Variant that handles the checks for the special cases P = ±Q. Returns 1 on success, 0 if result is infinite. Not side-channel silent, so must not be used with secret inputs. */ int ecc_nonsec_add_jjj (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Point doubling on a twisted Edwards curve, with homogeneous cooordinates. */ void ecc_dup_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); void ecc_add_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); void ecc_add_ehh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); void ecc_dup_th (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, mp_limb_t *scratch); void ecc_add_th (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); void ecc_add_thh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *p, const mp_limb_t *q, mp_limb_t *scratch); /* Computes N * the group generator. N is an array of ecc_size() limbs. It must be in the range 0 < N < group order, then R != 0, and the algorithm can work without any intermediate values getting to zero. */ void ecc_mul_g (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); /* Computes N * P. The scalar N is the same as for ecc_mul_g. P is a non-zero point on the curve, in affine coordinates. Output R is a non-zero point, in Jacobian coordinates. */ void ecc_mul_a (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch); void ecc_mul_g_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, mp_limb_t *scratch); void ecc_mul_a_eh (const struct ecc_curve *ecc, mp_limb_t *r, const mp_limb_t *np, const mp_limb_t *p, mp_limb_t *scratch); void ecc_mul_m (const struct ecc_modulo *m, mp_limb_t a24, unsigned bit_low, unsigned bit_high, mp_limb_t *qx, const uint8_t *n, const mp_limb_t *px, mp_limb_t *scratch); /* The cnd argument must be 1 or 0. */ void cnd_copy (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n); mp_limb_t sec_add_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b); mp_limb_t sec_sub_1 (mp_limb_t *rp, mp_limb_t *ap, mp_size_t n, mp_limb_t b); void curve25519_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch); void curve448_eh_to_x (mp_limb_t *xp, const mp_limb_t *p, mp_limb_t *scratch); /* Current scratch needs: */ #define ECC_MOD_INV_ITCH(size) (3*(size)) #define ECC_J_TO_A_ITCH(size, inv) ((size)+(inv)) #define ECC_EH_TO_A_ITCH(size, inv) ((size)+(inv)) #define ECC_DUP_JJ_ITCH(size) (4*(size)) #define ECC_DUP_EH_ITCH(size) (3*(size)) #define ECC_DUP_TH_ITCH(size) (3*(size)) #define ECC_ADD_JJA_ITCH(size) (5*(size)) #define ECC_ADD_JJJ_ITCH(size) (5*(size)) #define ECC_ADD_EH_ITCH(size) (4*(size)) #define ECC_ADD_EHH_ITCH(size) (4*(size)) #define ECC_ADD_TH_ITCH(size) (4*(size)) #define ECC_ADD_THH_ITCH(size) (4*(size)) #define ECC_MUL_G_ITCH(size) (8*(size)) #define ECC_MUL_G_EH_ITCH(size) (7*(size)) #if ECC_MUL_A_WBITS == 0 #define ECC_MUL_A_ITCH(size) (11*(size)) #else #define ECC_MUL_A_ITCH(size) \ (((3 << ECC_MUL_A_WBITS) + 8) * (size)) #endif #if ECC_MUL_A_EH_WBITS == 0 #define ECC_MUL_A_EH_ITCH(size) (10*(size)) #else #define ECC_MUL_A_EH_ITCH(size) \ (((3 << ECC_MUL_A_EH_WBITS) + 7) * (size)) #endif #define ECC_MUL_M_ITCH(size) (8*(size)) #define ECC_ECDSA_SIGN_ITCH(size) (11*(size)) #define ECC_GOSTDSA_SIGN_ITCH(size) (11*(size)) #define ECC_MOD_RANDOM_ITCH(size) (size) #define ECC_HASH_ITCH(size) (1+(size)) #endif /* NETTLE_ECC_INTERNAL_H_INCLUDED */ nettle-3.10/ecc-mul-m.c0000644000175000017500000001022114633602171013676 0ustar nissenisse/* ecc-mul-m.c Point multiplication using Montgomery curve representation. Copyright (C) 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "ecc.h" #include "ecc-internal.h" void ecc_mul_m (const struct ecc_modulo *m, mp_limb_t a24, unsigned bit_low, unsigned bit_high, mp_limb_t *qx, const uint8_t *n, const mp_limb_t *px, mp_limb_t *scratch) { unsigned i; mp_limb_t swap; #define x2 (scratch) #define z2 (scratch + m->size) #define x3 (scratch + 2*m->size) #define z3 (scratch + 3*m->size) /* Formulas from RFC 7748: A = x_2 + z_2 AA = A^2 B = x_2 - z_2 BB = B^2 E = AA - BB C = x_3 + z_3 D = x_3 - z_3 DA = D * A CB = C * B x_3 = (DA + CB)^2 z_3 = x_1 * (DA - CB)^2 x_2 = AA * BB z_2 = E * (AA + a24 * E) For pure doubling, we use: A = x_2 + z_2 AA = A^2 B = x_2 - z_2 BB = B^2 E = AA - BB x3 = AA * BB z3 = E * (AA + a24 * E) */ #define A (scratch + 4*m->size) #define AA A #define D (scratch + 5*m->size) #define DA D #define tp (scratch + 6*m->size) /* For the doubling formulas. */ #define B D #define BB D #define E D /* Initialize, x2 = px, z2 = 1 */ mpn_copyi (x2, px, m->size); z2[0] = 1; mpn_zero (z2+1, m->size - 1); /* Get x3, z3 from doubling. Since most significant bit is forced to 1. */ ecc_mod_add (m, A, x2, z2); ecc_mod_sub (m, B, x2, z2); ecc_mod_sqr (m, AA, A, tp); ecc_mod_sqr (m, BB, B, tp); ecc_mod_mul (m, x3, AA, BB, tp); ecc_mod_sub (m, E, AA, BB); ecc_mod_addmul_1 (m, AA, E, a24); ecc_mod_mul (m, z3, E, AA, tp); for (i = bit_high, swap = 0; i >= bit_low; i--) { mp_limb_t bit = (n[i/8] >> (i & 7)) & 1; mpn_cnd_swap (swap ^ bit, x2, x3, 2*m->size); swap = bit; ecc_mod_add (m, A, x2, z2); ecc_mod_sub (m, D, x3, z3); ecc_mod_mul (m, DA, D, A, tp); ecc_mod_sqr (m, AA, A, tp); /* Store B, BB and E at z2 */ ecc_mod_sub (m, z2, x2, z2); /* B */ /* Store C and CB at z3 */ ecc_mod_add (m, z3, x3, z3); /* C */ ecc_mod_mul (m, z3, z3, z2, tp); /* CB */ ecc_mod_sqr (m, z2, z2, tp); /* BB */ /* Finish x2 */ ecc_mod_mul (m, x2, AA, z2, tp); ecc_mod_sub (m, z2, AA, z2); /* E */ /* Finish z2 */ ecc_mod_addmul_1 (m, AA, z2, a24); ecc_mod_mul (m, z2, z2, AA, tp); /* Finish x3 */ ecc_mod_add (m, x3, DA, z3); ecc_mod_sqr (m, x3, x3, tp); /* Finish z3 */ ecc_mod_sub (m, z3, DA, z3); /* DA - CB */ ecc_mod_sqr (m, z3, z3, tp); ecc_mod_mul (m, z3, z3, px, tp); } mpn_cnd_swap (swap, x2, x3, 2*m->size); /* Do the low zero bits, just duplicating x2 */ for (i = 0; i < bit_low; i++) { ecc_mod_add (m, A, x2, z2); ecc_mod_sub (m, B, x2, z2); ecc_mod_sqr (m, AA, A, tp); ecc_mod_sqr (m, BB, B, tp); ecc_mod_mul (m, x2, AA, BB, tp); ecc_mod_sub (m, E, AA, BB); ecc_mod_addmul_1 (m, AA, E, a24); ecc_mod_mul (m, z2, E, AA, tp); } assert (m->invert_itch <= 7 * m->size); m->invert (m, x3, z2, z3 + m->size); ecc_mod_mul_canonical (m, qx, x2, x3, z3); } nettle-3.10/camellia128-meta.c0000644000175000017500000000274614633602171015062 0ustar nissenisse/* camellia128-meta.c Copyright (C) 2010, 2013, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include "nettle-meta.h" #include "camellia.h" const struct nettle_cipher nettle_camellia128 = { "camellia128", sizeof(struct camellia128_ctx), CAMELLIA_BLOCK_SIZE, CAMELLIA128_KEY_SIZE, (nettle_set_key_func *) camellia128_set_encrypt_key, (nettle_set_key_func *) camellia128_set_decrypt_key, (nettle_cipher_func *) camellia128_crypt, (nettle_cipher_func *) camellia128_crypt }; nettle-3.10/libnettle.map.in0000644000175000017500000000076114633602172015052 0ustar nissenisse# libnettle.map.in -- linker version script. -*- ld-script -*- # # The symbol version must be updated on every nettle # library major number change. That is taken care by # auto-generating the file. NETTLE_@LIBNETTLE_MAJOR@ { global: nettle_*; local: *; }; # Internal symbols which are to be used only for unit or other # testing. Compatibility may break across releases. NETTLE_INTERNAL_@LIBNETTLE_MAJOR@_@LIBNETTLE_MINOR@ { global: _nettle_*; local: *; }; nettle-3.10/arctwo.h0000644000175000017500000000570514633602172013437 0ustar nissenisse/* arctwo.h The arctwo/rfc2268 block cipher. Copyright (C) 2004 Simon Josefsson Copyright (C) 2002, 2004, 2014 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #ifndef NETTLE_ARCTWO_H_INCLUDED #define NETTLE_ARCTWO_H_INCLUDED #include "nettle-types.h" #ifdef __cplusplus extern "C" { #endif /* Name mangling */ #define arctwo_set_key nettle_arctwo_set_key #define arctwo_set_key_ekb nettle_arctwo_set_key_ekb #define arctwo_set_key_gutmann nettle_arctwo_set_key_gutmann #define arctwo40_set_key nettle_arctwo40_set_key #define arctwo64_set_key nettle_arctwo64_set_key #define arctwo128_set_key nettle_arctwo128_set_key #define arctwo128_set_key_gutmann nettle_arctwo128_set_key_gutmann #define arctwo_encrypt nettle_arctwo_encrypt #define arctwo_decrypt nettle_arctwo_decrypt #define ARCTWO_BLOCK_SIZE 8 /* Variable key size from 1 byte to 128 bytes. */ #define ARCTWO_MIN_KEY_SIZE 1 #define ARCTWO_MAX_KEY_SIZE 128 #define ARCTWO_KEY_SIZE 8 struct arctwo_ctx { uint16_t S[64]; }; /* Key expansion function that takes the "effective key bits", 1-1024, as an explicit argument. 0 means maximum key bits. */ void arctwo_set_key_ekb (struct arctwo_ctx *ctx, size_t length, const uint8_t * key, unsigned ekb); /* Equvivalent to arctwo_set_key_ekb, with ekb = 8 * length */ void arctwo_set_key (struct arctwo_ctx *ctx, size_t length, const uint8_t *key); void arctwo40_set_key (struct arctwo_ctx *ctx, const uint8_t *key); void arctwo64_set_key (struct arctwo_ctx *ctx, const uint8_t *key); void arctwo128_set_key (struct arctwo_ctx *ctx, const uint8_t *key); /* Equvivalent to arctwo_set_key_ekb, with ekb = 1024 */ void arctwo_set_key_gutmann (struct arctwo_ctx *ctx, size_t length, const uint8_t *key); void arctwo128_set_key_gutmann (struct arctwo_ctx *ctx, const uint8_t *key); void arctwo_encrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); void arctwo_decrypt (struct arctwo_ctx *ctx, size_t length, uint8_t *dst, const uint8_t *src); #ifdef __cplusplus } #endif #endif /* NETTLE_ARCTWO_H_INCLUDED */ nettle-3.10/buffer.c0000644000175000017500000000602414633602171013376 0ustar nissenisse/* buffer.c A bare-bones string stream. Copyright (C) 2002 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include #include #include #include "buffer.h" int nettle_buffer_grow(struct nettle_buffer *buffer, size_t length) { assert(buffer->size <= buffer->alloc); if (buffer->size + length > buffer->alloc) { size_t alloc; uint8_t *p; if (!buffer->realloc) return 0; alloc = buffer->alloc * 2 + length + 100; p = buffer->realloc(buffer->realloc_ctx, buffer->contents, alloc); if (!p) return 0; buffer->contents = p; buffer->alloc = alloc; } return 1; } void nettle_buffer_init_realloc(struct nettle_buffer *buffer, void *realloc_ctx, nettle_realloc_func *realloc) { buffer->contents = NULL; buffer->alloc = 0; buffer->realloc = realloc; buffer->realloc_ctx = realloc_ctx; buffer->size = 0; } void nettle_buffer_init_size(struct nettle_buffer *buffer, size_t length, uint8_t *space) { buffer->contents = space; buffer->alloc = length; buffer->realloc = NULL; buffer->realloc_ctx = NULL; buffer->size = 0; } void nettle_buffer_clear(struct nettle_buffer *buffer) { if (buffer->realloc) buffer->realloc(buffer->realloc_ctx, buffer->contents, 0); buffer->contents = NULL; buffer->alloc = 0; buffer->size = 0; } void nettle_buffer_reset(struct nettle_buffer *buffer) { buffer->size = 0; } uint8_t * nettle_buffer_space(struct nettle_buffer *buffer, size_t length) { uint8_t *p; if (!nettle_buffer_grow(buffer, length)) return NULL; p = buffer->contents + buffer->size; buffer->size += length; return p; } int nettle_buffer_write(struct nettle_buffer *buffer, size_t length, const uint8_t *data) { uint8_t *p = nettle_buffer_space(buffer, length); if (p) { memcpy(p, data, length); return 1; } else return 0; } int nettle_buffer_copy(struct nettle_buffer *dst, const struct nettle_buffer *src) { return nettle_buffer_write(dst, src->size, src->contents); } nettle-3.10/dsa-sha256-verify.c0000644000175000017500000000327414633602171015210 0ustar nissenisse/* dsa-sha256-verify.c The DSA publickey algorithm, using SHA-256 (FIPS186-3). Copyright (C) 2010 Niels Möller This file is part of GNU Nettle. GNU Nettle is free software: you can redistribute it and/or modify it under the terms of either: * the GNU Lesser General Public License as published by the Free Software Foundation; either version 3 of the License, or (at your option) any later version. or * the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. or both in parallel, as here. GNU Nettle is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received copies of the GNU General Public License and the GNU Lesser General Public License along with this program. If not, see http://www.gnu.org/licenses/. */ #if HAVE_CONFIG_H # include "config.h" #endif #include "dsa-compat.h" int dsa_sha256_verify_digest(const struct dsa_public_key *key, const uint8_t *digest, const struct dsa_signature *signature) { return dsa_verify((const struct dsa_params *) key, key->y, SHA256_DIGEST_SIZE, digest, signature); } int dsa_sha256_verify(const struct dsa_public_key *key, struct sha256_ctx *hash, const struct dsa_signature *signature) { uint8_t digest[SHA256_DIGEST_SIZE]; sha256_digest(hash, sizeof(digest), digest); return dsa_verify((const struct dsa_params *) key, key->y, sizeof(digest), digest, signature); }